How-To Geek

How To Remove Antivirus Live and Other Rogue/Fake Antivirus Malware

If you’ve got a PC infected by the Antivirus Live virus, you’ve got a tough job ahead of you to remove it. And we’ve got the instructions to help.

Antivirus Live is one of many fake antivirus applications, like Advanced Virus Remover and Internet Security 2010, that are really rogue viruses that take your computer hostage: they tell you that your computer is infected by viruses, and that you have to pay them to get rid of the fake viruses that aren’t really there. It’s a huge problem, and they are not easy to remove, because they block virtually everything you try to run, including real anti-malware tools.

Rogue/Fake Antivirus Live

Removing Rogue Fake Antivirus Infections (General Guide)

There are a couple of steps that you can generally follow to get rid of the majority of rogue antivirus infections, and actually most malware or spyware infections of any type. Here are the quick steps:

Those are the rules that normally work. Note that there are some malware infections that not only block safe mode, but also prevent you from doing anything at all. We’ll cover those in another article soon, so make sure to subscribe to How-To Geek for updates (top of the page).

Let’s Remove Antivirus Live

The first thing you’ll want to do is reboot your computer, and hit the F8 key right before Windows starts loading (you can hit it a bunch of times). Then select the Safe Mode with Networking option.

Before you do anything else, you’ll need to get the internet connection working again, because Antivirus Live changes IE to use a fake proxy server that prevents you from getting to anything else, and will also prevent you from installing and updating real anti-malware software.

Now you’ll want to install SuperAntiSpyware (linked above), which you have hopefully downloaded via another computer already, but safe mode with networking should allow you to download and install it.

Once you load it up, it’s going to do some analysis…

Then you’ll see the full application screen, where you’ll want to use the Check for Updates button to make sure you have the latest definitions. Once you’ve done that, click the Scan your Computer button.

Select your primary drive at least, though you should pick all the drives, and then click the Perform Complete Scan button.

It’ll run for a long time, detect a bunch of stuff, and then you can proceed through the wizard to actually remove it all…

Once it’s all done, you can reboot the PC again (just make sure to go back into Safe Mode again).

Next you’ll want to install Malwarebytes, make sure to check the Update tab for the latest definitions, and then perform a full scan of your system.

Malwarebytes will find even more malware that SuperAntiSpyware missed (seems like you always need more than one util to get it all). Just be sure to click the Remove Selected button to get rid of the rest.

At this point you’ll want to reboot your system, and then install Microsoft Security Essentials and run another full scan. Can’t hurt to be too cautious!

Note: If you used a thumb drive at any point during this process, you should make sure and scan that as well—I’ve had viruses hop over to the thumb drive, ready to infect the next machine.

Lowell Heddings, better known online as the How-To Geek, spends all his free time bringing you fresh geekery on a daily basis. You can follow him on if you'd like.

  • Published 01/5/10

Comments (294)

  1. PhoenixPath

    A small suggestion:

    Before booting into safe mode, try booting to another “user” account. Some of these “rogue” anti-malware apps are stupid enough (thankfully) to only infect the active user. I’ve been able to, on several occasions, simply log out and onto another account (works even better if it’s an AD account that hasn’t been used previously on that PC as it creates a new profile) and check it out first. Could save you a lot of time.

    This worked on some, but not all of the ones I have run into in recent memory, so as always, YMMV.

  2. Ashutosh Mishra

    MalwareBytes offers a small free tool called RogueRemover, which removes infections like this one.

  3. Ashutosh Mishra

    Hey just checked the site that RogueRemover has been discontinued! Sorry for the previous comment. :)

  4. Spydey

    Great advice on how to get rid of those nasty fake anti-virus programs. I just helped a friend get rid of a few from her computer, although I did it differently. All the attempts that I made to clean it via safe mode were met with failure. It was a tough little bugger. So I took out her HDD and put it in my machine. I used my anti-virus (MSE) to scan it and it found and cleaned all of it. The only problem that I have now is that after I put her HDD back into her computer, anytime I try to log on to her desktop, it logs in, shows the desktop background, and then immediately logs out again. Something is up with the registry I believe so I will have to figure this one out too.

    Great article and thanks for the tips!

    -Spydey

  5. Ronny

    In my experience, a much better solution is to load from an alternate Windows installation and then fix the issue.

    When you boot into Safe Mode, you still run the same Windows that’s infected.
    If you use something like the Ultimate Boot CD for Windows (www.ubcd4win.com), you can create a bootable rescue media with all the tools you need.

  6. Brent

    I ran across someone about a week ago who actually purchased one of those fake anti-virus programs. I guess they wouldn’t create those things if people were not buying them.

  7. tommy2rs

    Might want to dump all the system restore points also. They can get you reinfected if you happen to use the wrong one. First step I use in cleaning any malware infection is to turn off system restore and dump the restore points. Hard part’s remembering to turn it back on afterwards…;)

  8. sam

    Or run combofix once… cleans 80% of the computers I’ve used it on, the last 20% have securities in place to prevent executables from running.

  9. The Geek

    @Ronny

    Yeah, actually I do that sometimes, or use a linux live cd (my favorite method). For this article, I was trying to explain the simplest method for regular users – even with a guide, most regular users won’t be able to figure out UBCD.

    You’re right, usually Safe Mode is also infected – I’ve got another article coming up this week on how I dealt with one of those situations without requiring a boot CD, but I’m going to cover your method in the near future as well.

  10. Oldphart

    Using ComboFix first paves the way so that you can install the AntiMalware program since in most cases you will find yourself looking at a “corrupted file” or lack of “administration rights” needed for install. Also using X-RayPC allows you to selectively kill active processes from the Malware that rebuild creating an environment needed for further cleaning. And most important, most versions of the FakeAlert malware hide within the System Restore, therefore it is imperative one DISABLES System Restore prior to the actual cleaning. XP machine cleaning is easier than attempting it on Vista or Win7, and on those last two mentioned, I will use a file recovery program to save the owner’s important files, reformat, and then reinstall the operating system.

  11. Julien

    Too bad this article wasn’t done a couple of days ago, one of our computers got infected by this and I had to put it inside another of our computers, took a couple of hours. So time consuming these things are.

  12. lexcen

    Although I’ve been using Malwarebytes for some time, I found the current version to be buggy and causing fatal system error.

  13. Michel

    Tried to follow the procedure, but I got an error when trying to install SuperAntiSpyware in Safe Mode.

  14. Santo

    I had tried Malwarebytes to remove similar kind of infections in normal mode. It works most of the time but when it fails I end up by reinstalling the OS. I reinstall only if none of the steps works which includes the safe mode scanning too.

  15. Robert

    We’ve been dealing with this issue at my work for several months now – off and on. One thing I’ve found that makes life easier, is if you can manage to install / run SuperAntiSpyware on the infected account shortly after that user reports the issue **WITHOUT** rebooting / logging off. I’ve noticed that once the user has logged off(?) or the computer is restarted, the virus digs itself in a bit deeper.

    Often an error message will pop up saying “This file is infected and can not be ran.” – or something equivalent to. Just move the message box to the side (don’t click OK or close it, just move it), try re-running the setup file for SuperAntiSpyware, and it should actually run just fine – tho you may have to right click on the program and “Run As” an administrator.

    These pesky infections are such a thorn in my side anymore. The procedure posted in this article is right on the money, though I would highly recommend trying to run SuperAntiSpyware as that user BEFORE they reboot the computer. Once the computer has been rebooted, it often takes longer to completely disinfect. That’s just been my experience with it anyway.

  16. piagetblix

    I used to run Super Anti Spyware from ubcd for win but stopped cus’ i figured it didn’t do anything due to the fact that it needs to reboot to remove and rebooting flushes the ram so nothing happens….right???

    cheers,

  17. PC-Mat

    Geek! Way to give away the tricks of the trade. ;-)

    I do a lot of repair via remote connection, so UBCD is not really an option. I would say these programs are the foundation for quick Malware removal, but not for a full repair. Hence, your proxy fix.

    Keep up the good work Geek!

  18. Titan Boo-Boo

    @piagetblix

    That is more or less the point of the reboot. It allows the deletion of files before they can be loaded into RAM. Reboot to remove works, trust me.

  19. piagetblix

    @Titan Boo-Boo

    Are you referring to running Super Anti Spyware from within safe or normal modes OR are you referring to using it within the UBCD PE environment, where I am under the assumption, it cannot script the startup removal since it is running in a RAM Disk and that will be flushed upon restart….

    Cheers,

  20. Titan Boo-Boo

    Safe mode would work, UBCD most likely not.

  21. Dexter

    Call me paranoid but once a computer is infected with malware I’ll never fully trust it again. Reformat!

    Or better yet, keep a clean backup image of your system and just revert to that.

  22. Powderpuff04

    Thank you OLDPHART for the tip on trying ComboFix it worked for me while running in normal mode! Just remember to change the file name when you download it to your desktop, otherwise the virus will recognize it and prevent you from opening the file.

  23. AC

    I find that this method/procedure usually is a winning combination.

    Step 1 – Turn off system restore.
    Step 2 – ComboFix in safe mode.
    Step 3 – MalwareBytes, SpyBotSD, and SUPER AntiSpyware in safe mode.
    Step 4 – Rerun MalwareBytes in normal mode.

    If you’re locked out of the OS, use SpyBotSD and Avira from UBCD4Win to get a head start.

  24. GB

    I know my bits and pieces about computer/laptops, but not as much as I used to a few years ago, hence why I totally freaked out and got stressed last night trying to sort this little problem out, thank god I came across your article! My only problem is, how do you fix IE? This slightly confused me, can you try and explain this to me, in nice and simple language, the jargon confuses me these days, thanks

  25. Cort

    Just thought I would mention… the first step in the article mentions to boot to safe-mode and install Superantispyware. The Superantispyware installer uses the “Windows Installer,” which is almost always disabled in safe-mode. I imagine just a typo, though.

  26. Bobby digi

    I had the Antivirus Live problem. It’s not a virus. It acts differently than a normal infection. It has coding in it that breaks down your restore settings and therefore must be replaced. So unless u have a backup, you can’t replace those system restore settings. I used Malwarebytes but had to change the exe. name to just m. Otherwise this rogue program erases it and any other such programs. My advice is to relax, you’ve got a long frustrating battle ahead

  27. BigDaddy

    I was not able to access safe mode at all, so I chose “last known good config” and it loaded windows without the virus. I had SuperAntiSpyware, Malwarebytes and Microsoft Security Essentials loaded on my flash drive, so I installed and ran them from there. They located/deleted the rogue agent and a lot of other crap….works like a charm!

  28. Garbinski

    I have tried “EVERYTHING” suggested on your website as well as many others over the last few days trying to get rid of ANTIVIRUS LIVE and nothing works! I was able to get into “safe mode”, but then my arrow keys wouldn’t work. I contacted STAPLES technology department and was told that this was definitely a virus that only they could remove…$129 for virus removal and another $29 to install an Anti-Virus program. I was told I could follow all the instructions found on the Internet to remove it, but I wouldn’t be successful. Again, I’ve tried changing the LAN settings, tried to download software on USB stick and transfer into infected computer but computer won’t even allow me to execute control panel. Is there anyway or other suggestions out there to resolve this without taking the entire computer in to someone like STAPLES? I’d appreciate any further assistance. Thank you in advance.

  29. Alex

    Just a quick thing to try that worked for me if the virus has disabled safemode and task manager and the ability to add or remove any program on the computer like it had for me: I was able to “beat” the virus by restarting windows and the instant my desktop popped up opening task manager and ending the process that is the virus (it will always begin with a random word/letters but looks like this [random]sysguard.exe). This allowed me enough time to take the other steps to remove the virus without it blocking everything as it takes a few moments to put into place all of its blocks.

  30. Megachains

    Hey, I just ended up with the rogue virus this week. It is really making me angry. Thanks a buttload for the tips. If this doesn’t work I can at least take it in for repairs. All I have to say that ANTIVIRUS LIVE is really one tough mother. Thanks again!

  31. Quisquose

    Ditto what Alex said. I rebooted when Antivirus Live started overwhelming me with “Infected!” messages, and noticed that there were a few seconds’ lag between when my desktop popped up and Antivirus Live appeared. So I rebooted a second time and as soon as the desktop appeared I immediately hit Ctrl+Alt+Del to pull up Task Manager and as fast as I could ended all the processes under the local user (i.e., not the user called “System”) that I didn’t recognize (of course, I was reasonably familiar with what that list is supposed to look like; I wouldn’t recommend people trying to do that if they’ve never been in Task Manager before). Antivirus Live didn’t load this time, so I downloaded SuperAntiSpyware and Anti-Malware, updated my anti-virus program (Avast), and started following the instructions in this article. Scans are still running, we’ll see how it goes!

  32. Quisquose

    I almost forgot to mention: Can someone please write about where this program came from in the first place? I’m generally very safe with my browsing. Antivirus Live popped up when I was browsing the reasonably-popular Blue Mountain online greeting cards site (www.bluemountain.com), which I’ve been to before and never had problems with, and I don’t recall doing anything there other than playing some greeting cards… I suppose it came from there, but HOW?

  33. Summer

    First of all, I’ve had Antivirus Live twice! The first time I had no idea what the crap was going on because I had Norton. I shut my computer down for about a month, meaning to get it fixed. That time I turned it on to see what was going on and it had somehow miraculously gone away. This time however, I do not have the luxury of being computer-less. Did some research and found out it was fake which really frustrated me! These directions were awesome! Straightforward, easy and very understandable. Thank you so much! The only question I have now is the Antivirus Live is gone, but I am unable to connect to the internet using my wireless or my DSL cable. Any suggestions as to what to try or do next?

  34. Ctripp

    I got this this morning, I was going crazy seeing how it wouldn’t let me into taskmanager or the control panel. I followed the steps on here. After I was in safe mode it wouldn’t let me install SuperAntiSpyware saying I didn’t have administrator rights to do it. I then tried the MalwareBytes and it installed. I let it run on my system drive & fixed the problems it found. I then rebooted & everything seems to be fine. I am now starting scans with Microsoft Security Essentials which the running immunizer already caught a couple & am at work now waiting to go home. I have checked with home and the scanner has finished finding 4 more registration keys which I’ll take care of when I get home. I just want to thank all of you for all the great advice. What a bitch. lol

  35. getridofantiviruslive

    Quisquose-

    I was also attacked by antivirus live and I too was searching for an e birthday card on blue mountain. Sometime during my playing of cards, that’s when the error messages occurred. Confirmed- blue mountain is the culprit.

  36. Garbinski

    To Quisquose…I didn’t know where or when I got ANTIVIRUS LIVE, but when you mentioned “Blue Mountain Cards” that hit home. I was on “Blue Mountain” when my computer went into a “STALL” and then completely “FROZE”. I wasn’t able to review or send the card I intended and I had to press the power button to shut down the computer. I sent the Blue Mountain card via my laptop. When I returned to my original desktop computer, I was faced with ANTIVIRUS LIVE. I now believe it came about during my “BLUE MOUNTAIN CARD” experience. I’m going to give “Alex’s” suggestion a shot. If unsuccessful, I’m going to give “Summer’s” method a shot…LET IT SIT FOR A MONTH!!! This should be ILLEGAL!!! Good Luck to All who are dealing with this pain in the #%& VIRUS.

  37. Garbinski

    Alex or ANYONE…is there any other name to identify the ANTIVIRUS LIVE in Windows Task Manager besides (random) sysguard.exe? I’m able to bring up Task Manager, but there’s no sysguard.exe under Image Name for Processes in order for me to “END” Process and continue.
    Thanks to all in advance for any assistance.

  38. Chuck vdL

    I’m in the process of repairing a friend’s system that was infected with this bugger.. I was able to nuke the process by using ctrl-alt-del as early as possible after initial login to bring up task manager while all the ‘autorun’ stuff was still starting up.

    Before that, once the ransomware had been loaded, it intercepted any effort to start any process killer apps (for that matter, ANYTHING I tried to run) so you really have to ‘get there first’ as it were in order to kill it. I just watched the tasklist in task manager as the various autorun stuff loaded and as soon as I spotted ‘sysguard’ I nuked it.

    Garbinski, it is illegal, companies doing this kind of thing in the US have been sued and shut down by various state attorneys general. However these particular folks appear to operate out of Russia. (at least according to the whois data on the URL they use to take your money and ‘activate’ their bogus ‘antivirus’ product)

    Summer, did you follow the directions and remove the checkbox in the network section of internet settings? The directions above could perhaps be clearer on this, but what you want to do is REMOVE the checkbox next to “use a proxy server for your lan…” They show a screen shot with it enabled (as it will be when you open the UI) but could perhaps be a bit clearer in the picture that you need to uncheck that option.

  39. getridofviruslive

    I fixed the problem. I visited several sites to learn what worked in fixing the problem and also to make sure that the advice being given on the internet was accurate and wasn’t an attempt to trick me into downloading a dangerous virus. After much research, I followed the above steps up to the change the LAN settings. After changing the LAN settings, I did not download the super antispyware program suggested only because this was the only site I came across that suggested it. Instead, I downloaded the malware bytes antimalware program because I saw that it got good reviews on cnet. After downloading it it wouldn’t launch and it was then that I shut down my computer and restarted it in safe mode and then it did launch. I did a full system check and 4 trojans were found. I had the program remove it and now I’m golden. Problem solved. I just don’t know if the malware antimalware program will protect against spyware so I will have to do additional research on that. In the meantime however, no more annoying false “I have an internet virus” messages and no interruptions.

  40. PABLOoOoO

    Um quick question when i attempt to download SuperAntiSpyware in safe mode my windows installer is unavailable during safe mode why is that?

  41. Adi Inbar

    I was infected with this scumware, it’s one of the nastiest I’ve seen in terms of preventing the user from removing it. There is apparently more than one version, and the new one blocks ALL executables (other than Internet Explorer, which gives you a message saying that the web site you were trying to access is dangerous, and providing links to “protect your computer” regardless of what web site you try to access), so you’re crippled in any attempt you make to remove the virus. Note that Firefox can browse the web unobstructed, *if* you already have it running when you’re infected, but that doesn’t do much good, because you can’t run any removal utility you download.

    If you have another computer running Windows on your network, you can kill the virus remotely using the following procedure. This method doesn’t even require rebooting.

    1. You will need the psexec, pslist, and pskill utilities from Sysinternals. If you don’t already have it, download the Sysinternals Suite (on your uninfected computer, of course) from:

    http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

    Unzip the file into a directory of your choice. No further installation is necessary.

    2. Open a command prompt and navigate to the directory containing your Sysinternals utilities.

    3. Enter the following command:

    psexec \\[infectedcomputer] cmd /c net start remoteregistry

    [infectedcomputer] is the name of your infected computer (do not add the brackets).

    This starts the Remote Registry service, which is necessary in order for the next step to work. You should receive a message saying "cmd exited on [infectedcomputer] with error code 0".

    4. Enter the following command:

    pslist \\[infectedcomputer] | find "sysguard"

    You should receive a single line of output in the following format:

    ####sysguard 5344 13 1 173 2704 0:00:00.203 0:00:02.359

    The #’s are some random characters. The first number following the name of the process (5344 in this case, but yours will be different) is the process ID (PID).

    5. Enter the following command:

    pskill \\[infectedcomputer] [PID]

    Again, don’t include the brackets, just the computer name and the PID number (e.g. "pskill \\HAL9000 5344"). You should receive a message saying “Process [PID] on [infectedcomputer] killed….”

    (Yes, I snuck in a “2010: A Space Odyssey” reference in honor of the new year. I am a geek, I admit it…but if I weren’t, I wouldn’t know how to defeat this virus.)

    6. On the infected computer, you should now be able to run applications. Remove any of the following registry entries that you find:

    HKEY_CURRENT_USER\Software\AvScan
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[RANDOM CHARACTERS]”
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “[RANDOM CHARACTERS]”

    7. Delete the virus’s files. The location depends on which version of Windows you’re running.

    Vista: C:\Users\[username]\AppData\Local\
    XP: C:\Users\[username]\Local Settings\Application Data\
    2000: C:\Documents and Settings\[username]\Local Settings\Application Data\

    In this location you will find a file called sysguard.exe, and a subfolder whose name is some random characters and contains ####sysguard.exe. Delete them both. I recommend using Shift-Delete, so that the virus’s files don’t live on in the Recycle Bin.

    OFF-TOPIC PUBLIC SERVICE ANNOUNCEMENT: Always make regular backups of your personal files. If you don’t, you WILL lose those files sooner or later. It’s not a question of whether, it’s a question of when.
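
An added example, not part of the comment above or of the article: a read-only Python triage check that parses the text of a registry export (as written by `reg export`) and reports the entries listed in step 6 of the comment, including the loopback IE proxy the article describes. It generalizes the proxy check to any loopback address rather than only 127.0.0.1:5555; the function names, the sample export, the user name and the random Run value name are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the text format of a .reg export (real exports are
# UTF-16LE: open(path, encoding="utf-16")). Keys and values follow the list in
# the comment; the user name and the random Run value name are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\AvScan]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"=""
"ProxyServer"="http=127.0.0.1:5555"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"qwxrtplm"="C:\\Users\\alice\\AppData\\Local\\qwxrtplm\\qwxrtplmsysguard.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# "name"="string" or "name"=dword:xxxxxxxx; other value types are ignored.
VALUE_RE = re.compile(
    r'^"((?:[^"\\]|\\.)*)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]{8}))$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: str or int}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, sval, dval = m.groups()
            current[_unescape(name).lower()] = (
                int(dval, 16) if dval is not None else _unescape(sval))
    return keys


def proxy_hosts(value):
    """Yield hosts from 'host:port' or 'http=host:port;https=host:port'."""
    for part in value.split(';'):
        target = part.strip().split('=', 1)[-1]
        target = re.sub(r'^[a-z]+://', '', target, flags=re.I)
        if target:
            yield target.rsplit(':', 1)[0] if ':' in target else target


def is_loopback(host):
    if host.lower() == 'localhost':
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an ordinary host name


def find_indicators(keys):
    """Report (indicator_id, detail) for each entry from the comment's list."""
    hkcu_cv = r'hkey_current_user\software\microsoft\windows\currentversion'
    hklm_cv = r'hkey_local_machine\software\microsoft\windows\currentversion'
    hits = []

    def val(path, name):
        return keys.get(path, {}).get(name)

    if r'hkey_current_user\software\avscan' in keys:
        hits.append(('avscan-key', 'HKCU\\Software\\AvScan exists'))
    if val(r'hkey_current_user\software\microsoft\internet explorer\download',
           'runinvalidsignatures') == 1:
        hits.append(('run-invalid-signatures', 'RunInvalidSignatures = 1'))
    proxy = val(hkcu_cv + r'\internet settings', 'proxyserver')
    if isinstance(proxy, str) and any(is_loopback(h) for h in proxy_hosts(proxy)):
        hits.append(('loopback-proxy', proxy))
    low = val(hkcu_cv + r'\policies\associations', 'lowriskfiletypes')
    if isinstance(low, str) and '.exe' in [e.strip().lower() for e in low.split(';')]:
        hits.append(('exe-low-risk', low))
    if val(hkcu_cv + r'\policies\attachments', 'savezoneinformation') == 1:
        hits.append(('save-zone-information', 'SaveZoneInformation = 1'))
    for run in (hkcu_cv + r'\run', hklm_cv + r'\run'):
        for name, data in keys.get(run, {}).items():
            if isinstance(data, str) and re.search(r'sysguard\.exe\b', data, re.I):
                hits.append(('sysguard-autorun', f'{name} -> {data}'))
    return hits


if __name__ == '__main__':
    for indicator, detail in find_indicators(parse_reg(SAMPLE_REG)):
        print(f'{indicator}: {detail}')
```
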

  42. Grovesprof

    I shut down the computer and turned off my Internet connection (shutting off the wifi). I rebooted with no problem. I then renamed malwarebytes “m” as one commented suggested. My scan found three Trojans.

    I downloaded superantispyware on another computer and was able to install it. It’s running now.

    I did not have to boot into safe mode to do this. Thanks so much for the advice here! Very much appreciated.

  43. Caesar24

    Alex or Anyone Else

    Alex’s suggestion listed below worked like a charm for me. Thanks a lot for the help.

    “Just a quick thing to try that worked for me if the virus has disabled safemode and task manager and the ability to add or remove any program on the computer like it had for me: I was able to “beat” the virus by restarting windows and the instant my desktop popped up opening task manager and ending the process that is the virus (it will always begin with a random word/letters but looks like this [random]sysguard.exe). This allowed me enough time to take the other steps to remove the virus without it blocking everything as it takes a few moments to put into place all of its blocks.”

  44. Mike

    I am trying to run superantispysoftware but it tells me the administrator won’t let me.
    What to do?

  45. Bob

    I was able to kill with task manager. Didn’t even have to kill it before it started doing stuff, just had to get task manager up before it prevented that. Just finished superantispyware scan and moving forward.
    Thanks for help from multiple posts!

  46. Garbinski

    Chuck vdl and ALL…UPDATE, SUGGESTION and POSSIBLE FIX to ANTIVIRUS LIVE….After researching and trying to accomplish the various ANTIDOTES provided on this site and other sites, my computer sat “POWERLESS” for 2-3 days, thankfully I have other computers to utilize. When I turned on my computer (WITHOUT ACCOMPLISHING ANY OF THE SUGGESTED REMEDIES)…the ANTIVIRUS LIVE was no longer present?!?!? I immediately turned off the computer and restarted it to see if it would return…..”NOTHING”. It was as though the ANTIVIRUS LIVE had DISAPPEARED!. I searched the Internet (on a different computer) to seek a “FREE” download for virus protection and ended up choosing Panda Cloud Antivirus Free Edition 1. I downloaded and installed (only chose the 20 free fixes). Today I went and purchased Norton Internet Security 2010 (STAPLES $59.99 for 3 PC’s — it was on sale up until 1/16/10 with a $40 Rebate…I got $20 off today from Asst. Mgr…3 PC’s for $39.99). Installed and haven’t experienced ANTIVIRUS LIVE since. SUMMER above stated a “MONTH” of no usage and ANTIVIRUS LIVE had “miraculously” disappeared…possible fix may just be turning the power off the computer for at least “2 or 3” days to see if this virus will disappear. No harm in giving that method a shot if you can afford being without your computer that long. Just another suggestion/experience…GOOD LUCK!

  47. Alesha

    Thank you so much for your guidance! You put an end to my tears fairly quickly!

  48. Howie

    Thank you so much it worked like a charm for me :)
    Now I don’t have to wait for my comp-tech friend. This really saved my ass. Thanks again!

  49. Mala

    Many thanks. Running SuperAntiSpyware and Malwarebytes each in safe mode appears to have cleared up the problem. I’m still running McAfee now, but I’m taking it as an excellent sign that I can even access the program.

    I’m definitely going to have to do some reading up on how one gets infected. I hadn’t been to Blue Mountain like several other people had mentioned. Right before the attack, I’d been trying to remember a joke and Googled up a joke site. It’s not the type of site I normally visit, and I don’t even remember what it was called. I’m feeling like a bit of a moron for even going, but I get the feeling that’s where I picked it up.

  50. Bruce Roberts

    Another tool to try – if you know how to build it is BartPE – or VistaPE. Boot into these CD OS environments – you will not have any virus active – and you can begin to look thru your C drive.
    This virus in a tricky variant leaves many references to ******sysguard.exe on your system – but I found on my last machine the ******* was the same everywhere for that machine.
    So with a clean boot – find the reference in msconfig (if it exists) – look for new folders in c:\program files\…… and identify the exe file from there, open up a DOS window and from c:\ do a dir *******.* /s to search your whole c drive for files with the same first few letters. You might find them in temp areas, c:\windows, c:\windows\system32. Delete them wherever you find them.
    Then boot back up in real mode, fix your IE proxy, dump your restore points, dump your temp files, and load up all of the scanners mentioned and run a full scan.

  51. Ctripp

    After 2 days of working fine, it reappeared while I was at work. After finding out it wouldn’t let me run anything again, I rebooted. This time my computer wouldn’t let me into safe mode & just rebooted windows. It seemed to be working fine. I ran all three progs here & spybot. After that I was getting a couple of small popups with the usual warnings from a website. After a couple of popups the Microsoft Essential started catching things in the IE temp files. After about a half a day of clicking clean computer & running the progs a couple of times, Spybot still comes up with the same 2 problems every time, but all the other ones come up clean. So far, fingers crossed, I haven’t gotten the popups for about 5 hours now. If they reappear, I’m just formatting.

  52. Michelle

    I have this virus on my laptop. Window task launcher will not allow me to follow these instructions. I’m going to power down for a few days to see if what Garbinski suggests to do will work.

  53. Odeho19

    @ the Geek, you said, “Note that some malware will block you from using safe mode. That usually requires another set of steps that we won’t cover here.”

    Are you going to cover this soon, or have you already, and I can’t find it?

    Thanks for the article, and there have also been some helpful tips in the comments section here too!

    Odean

  54. The Geek

    @Odeho19

    Yeah, I’m writing that up, got a whole series planned on this.

  55. BrainySmurf

    I just had this nasty virus invade my laptop about 90 minutes ago! Took the IT techs an hour to remove it.
    -Restart – hitting F8
    -safe mode with networking
    -deleted all temp files/cookies/history
    -returned internet settings to default
    -ran malwarebytes and removed all infections detected
    -restarted – hitting F8
    -System Restore to previous day
    -Restarted in normal mode and problem was fixed!

  56. kris

    I followed the instructions but now Opera can’t access the internet. Google and Firefox can,
    but not Opera. Help me.

  57. used2malware

    I have actually found if you simply log off or restart your computer, as soon as you can see your desktop, try opening malwarebytes’ or any program you need to that the virus doesn’t let you, for some reason you can open programs shortly after your computer is back to the desktop and the virus doesn’t interrupt. I’ve found this useful, hope you did as well.

  58. BrainySmurf

    You have to reset the internet settings….one main problem this virus causes is it blocks the internet. And do a system restore while in safe mode.

  59. Lenah

    THANK YOU SO MUCH!!!!!!!!!! Helped me a lot!!!! I don’t even know how do I get this viruses?

  60. Rob

    Woo Hoo!!!!! 4 FRIGGIN HOURS Later It looks like the dreaded ANTIVIRUS is gone. I will keep my fingers crossed. Thank you Geek :). I ran both Superantispyware and Malwarebytes in the safe mode. I could not for some reason get the Microsoft security Essentials to run but things still look good. This was huge for a non-computer savvy person like me to make this fix. Thanks again!!!

  61. silverthefox

    ANTIVIRUSLIVE!!!!! Why don’t you just revert your drive to a time before you had the virus. Malwarebytes does zilch to get rid of antiviruslive. I used system restore on my XP Pro system and voila antiviruslive was no more.
    I can’t understand why no one has mentioned this method before but I must admit it took me a while for the idea to come to me as I had used it before but ages ago. Thanks

  62. jamie

    January 22, 2010 1:07 pm jamie
    Hello- SORTED AT LAST!!

    I’VE FINALLY SORTED THE PROBLEM after a very frustrating day! I’m not a techie in any way so I was literally trying to read forums from this as well as other websites. Please excuse any lingo below that seems amateurish!

    The biggest problem I had was that even though I had downloaded the super antispyware the virus would not allow my laptop to run the application! It kept just coming up “The application etc etc etc is infected”.
    When I restarted the laptop, I noticed that there is a period of approx 30 seconds to 1 minute immediately after the desktop appears before the virus actually kicks in. Once the virus has reopened or kicked back in, I am completely powerless to even connect to the internet.

    If I connected quick enough after re-starting I was able to get online at least where I could check forums such as this one as well being able to download the Super antispyware.

    As mentioned above though, once the virus has kicked in on your OS, any subsequent applications will be prevented from running. Save the SAS to your desktop for speedy access. Once you have successfully downloaded the SAS, re-start your system and run the SAS immediately when the desktop appears and go through the recommended steps, ie, scan the entire computer (my scan took 35 minutes), remove all viruses and then reboot- and then hopefully you’ll be back in action- Hope this helps!

  63. Bruce H

    Thanks a lot for being there for me when I needed you. When Antivirus Live kicked in yesterday I was fortunate to have Firefox already running and so was able to find this web page and – especially – the invaluable information I found in the Comments section. Otherwise I’d be unhooking my PC this morning to take to my local friendly geek shop because this virus/malware/whatever had me completely blocked and dead in the water.

    Key to my getting a handle on this were the tips about intercepting it at startup by ending the —-sysguard.exe process. Thanks to those of you who shared that crucial information.

    And secondly, thanks to Chuck vdL who clarified what to do when resetting the internet LAN connections, i.e. “REMOVE the checkbox next to ‘use a proxy server for your lan…’”** I am exactly the kind of computer semi-illiterate who needed that to be spelled out. This page’s LAN instructions need to be corrected right now. That the screen shot provided shows the settings as they shouldn’t be is completely misleading to an idiot like me, especially w/out any helpful accompanying text about the process.

    **Let me be even more clear:
    REMOVE the checkmark next to “Use a proxy server…”.
    PLACE a checkmark next to “Automatically detect settings”.

    Now I’m up and running and apparently clean. SuperAntiSpyware apparently found most everything – 40 items. MalwareBytes found a couple more. Good luck to everyone who’s unfortunate enough to catch this thing.

    P.S. I, too, caught this thing during what I thought was fairly unrisky web activity. I was visiting tourist sites and blogs re. a possible trip to Buenos Aires.

  64. Tyrell K

    Desktop running Windows XP Pro:

    SILVERTHEFOX, after I was able to log on with my laptop (uninfected) and found this page and others to find out what this thing was… I downloaded the 2 programs recommended above and went to my desktop (infected). Safemode was disabled with the standard methods, so I restarted and (could’ve opened taskmanager right away to kill the Antivirus Live process as it loaded, but didn’t need to) I went to the start menu and then Run. Typed in msconfig, and changed the boot options manually to safemode. I then restarted, computer went to safemode, and was going to go through the entire process. A pop-up window in safemode however said something about restore, and then a light bulb turned on in my head.

    I restored to 2 days ago before the problem started. Restarted and no virus!!! Just to be safe I ran the Avast scan and did find one trojan so far as I am at 52% done with the scan, I am not sure that this was still left over from Antivirus Live, but figured it was a good time to do a little clean up.

    To everyone that said they left their computers alone for a few days and then came back to find no problem… If I was the programmer of this virus, I would have it go and HIDE if the fake software purchase wasn’t made in 24 hours. Being that if you don’t shell out the money right away, you probably will find other means to get rid of this. And then a week later… BOOM it comes out of hiding for another 24 hours and the cycle continues.

  65. Jim

    I had this stupid, stupid virus yesterday. I went into Safe mode, deleted the sysguard.exe command that was causing all the problems and then went back in normally. I downloaded Malwarebytes and Superantispyware and spent the rest of the evening running them. I think I’ve got rid of everything – quite proud of myself for doing it all on my own (albeit while consulting message boards on my wife’s laptop).

    Firefox runs on the computer, but Internet Explorer doesn’t. I shall have a look at the checkmark settings from two posts above this when I get home tonight.

  66. Adam

    FWIW … I restarted my computer four times in a row (I didn’t make any changes to anything), and amazingly the virus has not shown up this time. I am installing spyware programs to perform scans now, but at the very least, I’m not getting bombarded with fake messages, and I am able to install and run all programs again. I’ll update if something changes…but it never hurts to give the computer the ol’ restart.

  67. XT

    Jim,

    Start Internet explorer, I’m assuming Internet Explorer 8. In the browser, near the top, click on tools, then go down to internet options. Once in there, click the connections tab. On the bottom you should see LAN settings. Click that. Use a proxy server should be checked. Uncheck that. Click ok. You should be all set and able to surf.

    The virus/malware set this to connect to localhost which was changed to redirect to the rogue websites.

    I hope this works for you.

  68. Nick

    XT,

    I try to uncheck that but the internet is still not working. Anyone have any idea?

  69. G

    Heads up. The aforementioned scourge/malware also took over my “toolbar”. Meaning that the icons in my tb are no longer what they once were and my audio drivers were erased/corrupted. Any other possible missed consequences of this bug? Many thanks for all the previous help and info.

  70. Diane

    Thanks to all that mentioned rebooting and hitting ctrl-alt-del and stopping the program from the task manager. We were infected at work and was able to access this site from another computer.

    We still haven’t fixed the problem as we have a computer guru that is a “friend” of the owner and only shows up when he feels like it but gets furious if we try anything on our own. Forget that I have a masters in computer programming. But we won’t go there. Still the above trick has at least got the infected computer up and running for now.

    For those curious about how you might have got the virus:
    Usually these style of fake spyware attacks come in from pop-ups asking if you wanted a free virus scan but no matter what you click “yes” or “no” it automatically starts downloading as if you said yes. Your best bet if you get any unsolicited pop-up is to stop the process from the task manager. Odd thing in our case is that the only suspicious thing the supervisor remembers is a pop-up appearing while reading his e-mail asking if he wanted to download a free program to read the attachment which he clicked “No” to despite my past warnings.

  71. Novice

    Thank you very much! I was able to run the scanner in safe mode and remove antiviruslive while following it step-by-step.

  72. BigLou

    Is it a coincidence or does it just seem that since I have been using Google Chrome as my ONLY browser choice I have had no problems with malware at all. Comments?

  73. samantha

    I have that damn virus I have had it for 3 weeks now (I got the new version too, btw if you have firefox browser it is not affected by it) and all I can do really is halt its progress, it won’t let me download anything in safe mode or do anything really. I can’t download the software you prescribed (I have tried) and it is officially making me want to break my computer. I am able to delete the main file outside of safe mode though so I was just wondering if there were any other files/servers I could kill while not in safe mode?

  74. djkc

    Thank you so much for these instructions!!! I have them bookmarked now. Yesterday, I got the AntiVirus Live prompt and wasn’t sure what it was about because the window closed itself. (Hmm, as I think about it, I think my work computer has this too.) The virus must not have taken effect because I was able to research about it and find these instructions. I also was able to download Super Antivirus Spyware onto a CD, and same with Malware Bytes. When I ran SAS, it found 276 threats (adware – cookies), I cleaned and removed them. Nothing was found when I ran Malware and my normal anti-virus tool.

    I still suspected the virus lurking about – dormant, if you will – so I ran both SAS and Malware again today. SAS found 10 threats (adware – cookies), and nothing on Malware and my normal anti-virus tool. SO instead of doing the Combofix as mentioned, I ran Microsoft Security Essentials. Voila – virus found. It is VirTool:JS/Obfuscator.G I’m not sure if this is related to AntiVirus Live, or what. But I can say, I have spent the past two days trying to get the booger off my computer. Am I in the clear, or should I run the Combofix too? I think I have got it? Have I? I hope. At least for now.

  75. Gil

    Garbinski,

    I cannot stress enough how important it is to not do business with anyone who proclaims they are the only ones who can fix a problem. Places like the Geek Squad and Staples should be avoided – IMHO. If you must take your PC somewhere, consider seeking out a local computer shop in your area. Talk with them first and ask for references, then check the BBB. Overkill? Maybe, but doing this leg-work upfront could save you lots of headaches in the long run. Besides, finding a local shop, who is reputable, to do your computer repairs is the start of a good business relationship.

    I shouldn’t complain though – about Geek Squad and Staples. Their “professional” work has allowed me to make some good money, fixing people’s computers where it was taken to one of these “expert” repair locations.

    As to the problem at hand? Read the steps and posts in this article – or do some Google searches on the topic. There are people here, and elsewhere, who are more talented at helping with problems than you’ll find at Best Buy or Staples.

    Good luck!

  76. Derek

    I contracted this malware and it was able to somehow get my card details. (I didn’t enter them in).
    Trying to remove the program just made it worse, It got to the stage when I couldn’t even search for the .dll files and it has since fried my pc and now I’m on the search for a new one.

  77. Seen it

    In-law got desperate, paid the $49.99. They charged his card three times. Had to file a complaint. SO it ends up more trouble than just messing up your PC.

  78. brook

    OK, so cleanup of these viruses is really great. BUT how are they getting through IE in the first place? IE’s are patched to the hilt, so it’s not thru old vulnerabilities, and it’s in the Internet Zone so should not really run nasty stuff. We do know they’re in the Ads and we know the users are not explicitly clicking (or at least not that they notice), so what mechanism is being used, any good ideas? I’m mainly referring to the ones that recently were on the “Star Tribune infecting web readers with a computer virus.” A bunch of people got caught by that.

  79. MarcoPolo

    Thank you. Followed directions and everything worked out just fine.

  80. Alia

    I got the virus and didn’t know how to remove it until I found this page. Thank you for the directions on how to remove this virus. I followed them and everything on my computer is working back to normal.

  81. damiththa

    One of my roommates got infected one time.
    I did a regular virus guard check from AVG then, quarantined them, then I figured it was something with the registry key, instead of messing with all that, I uninstalled the internet browser he had, and installed a brand new browser on his machine and it is working ever since.

  82. Connie Drye

    What a mess the virus made of my computer but after I downloaded I followed your instructions I was able to clean my computer completely of this malware. My desktop was infected so I downloaded the spyware program on my zip drive and then booted my desktop in safemode with networking ran the scan and it cleaned it. Wonderful wonderful program. Thanks so much!!

  83. Pat

    Contracted antivirus7. Took me an hour to stop it. It hijacked my computer, my administrator overrides, would not let me delete or get out of the program without buying this bogus product, etc. I checked my system startup programs window (got lucky the icon for this window appeared in my toolbar) and I opened it and ran down my list. AV7 was listed and checked to run. I unchecked it and another that began with E and was listed as unknown. Not sure the 2 were related. I restarted. Once windows was restarted I went back to c drive, program files and deleted the AV7 file. I was able to delete the shortcuts, and delete the av folder in the all programs list. Sent all to trash and permanently deleted from there. I checked my registry and could not find any related keys that other people suggested to remove. I then ran McAfee (it found nothing), SuperAntiSpyware (free download) it found 7 trojans and a zillion adware cookies, and finally MicrosoftSecurityEssentials (free download) it came up clean too. Makes me wonder about McAfee. So far so good. Not savvy enough to figure out all the other suggestions. I am keeping my fingers crossed. I suggest everyone check their start up windows program and see if these other viruses are listed there.

  84. david

    You have a few moments when you startup your PC to hit ctrl+alt+delete and end the fake antivirus programs. This allows you to run Malware, Spyware Removal programs. There are usually about 30 processes running and you have to find which one the virus is by checking the process name with google and verifying it’s authentic. My latest one started with ppv.

    Make sure you also open up a browser right away before the virus disables it.

    Good Luck

  85. john

    Many people don’t know how to get back the internet connection from Proxy Settings. They will think their computer is still infected by virus even after they cleaned up.

    Good catch on this.

    Malwarebytes and Superantispyware are my two favorite tools

  86. Snoman27

    Just a friendly reminder to run your SAS and Malwarebyte scans in SAFE mode. I was able to run the scans in normal mode before the AntiVirus LIVE virus became active which as stated in other posts – was about a minute after start-up. It would actually detect the problems and “remove” them. Unfortunately, it did not really get rid of it until I ran the scans in SAFE mode. Thanks again for all of the assistance. BTW – the MS Security Essentials scan would get hi-jacked by the virus before even starting its scan in normal mode. Not sure where I picked the bugger up, but it kept me busy for awhile.

  87. Pete

    This malware will make a cry-baby out of a man. It’s amazing that we can put a man on the moon but can’t completely stop this virus without these great tools. The steps at the top of this page are 100% correct. You might have to act fast as your computer is starting in order to stop the process. Make sure the “(random).exe” file is not only deleted from the C: drive but also from the recycle bin. BUT use Malware Bytes and Super Anti-Spyware to rid yourself of the Trojans, HiJacks, and Registry entries. A RESTART is essential after Malware Bytes finishes scanning. It won’t delete the files unless you restart.

    I use Vista 64-bit and McAfee Anti-Virus and got two different versions of this virus. Back in January I got Anti-Virus Live. What a pain! That exe is “sysguard.exe”. I did get rid of it. Two months later I got Vista Defender. It does the same thing as Antivirus Live but is a different infection. That exe (if you’re looking for it) is ave.exe. My brother’s pc got it as well and I tried for 4 hours to fix it and everything was locked on it. Granted it’s a 10 year old computer. So he just decided to leave it off for 3-4 days and turned it on and the virus didn’t start. He was able to run Malware Bytes and Super Anti-Spyware and they got rid of a few things.

    In addition, after reading and doing a lot of research on this, it affects everyone differently and everyone has a different story on how they got it and what it does to their machine. I couldn’t even use ComboFix because I run Vista 64-bit and ComboFix is NOT compatible with it (go figure). I got the Vista Defender from Mediafire…not the site itself but a pop-up on the site. It was a pop-up for Futon Critic?!? I read some of you got it from Blue Mountain. I read on another forum about someone who got it from myspace. I don’t know this for sure but I don’t think this is a virus that lies dormant. It couldn’t really run dormant because you’d see new exe files on your pc that weren’t there before. And if you run Malware Bytes and Super Anti-Spyware often (twice a week) you’ll find the bad stuff in your computer. I think as soon as you get it from a pop-up you’ll know right away.

    My advice is just be careful of which websites you are visiting. Stay away from file-sharing sites. Don’t open emails or click on anything you don’t recognize. If you get it from a particular site, contact that site (ie Blue Mountain) and mention you received a pop-up from their site that caused a virus. Also contact Microsoft and the company whose Anti-Virus software you use. Let them know their Anti-Virus didn’t do its job. Ask Microsoft and your anti-virus company what steps they are taking to prevent this.

  88. Toni

    I was seriously thinking about paying Best Buy $200 to remove all rogue malware infections. After finding this wonderful site and following directions I am able to use my computer again. After I ran the SuperAntiSpyware it removed 193 viruses/malware. 30 minutes later my computer was still under siege so I then ran Malwarebytes and removed 649 malware. To my surprise my computer is back as before. Now to be cautious I am going to run the MicrosoftSecureEssentials and wait if any other malware is detected. Thanks so much for this wonderful site and advice.

  89. Toni

    My advice to anyone whose computer is infected with malware. Follow the directions above “Removing Rogue Fake Antivirus Infections” and you too will be surprised and happy.

    Best Buy told my husband it would cost $200 to remove the malware virus plus they would have to rebuild the registry; and they would keep our computer for 3 to 5 days. After running the Malwarebyte Antimalware it found 4 infected registry keys; 2 infected registry values; 6 infected folders and 635 files infected. Now that’s 279520 files 47 min 17 sec later.

    We just connected our 2 external hard drives for another scan from malwarebyte to make sure we have captured all. This site is the best
    “How to GeeK” Love you.

  90. Pepin

    If you really want to make sure you and your loved ones don’t get hit by these sorts of programs again, kill them from the source: tell everyone you can contact to never under any circumstances pay these guys. The one thing I can see in common with all of these programs is they require you to pay with your credit card to remove them. If no one pays them there will be no incentive to hold peoples’ computers hostage anymore. Put this up on your myspace, facebook, hell even your twitter. If we spread the idea like a virus to dry these guys out no one will take the risk again to make these programs again.

  91. ToraScotia

    My PC was infected with this virus a few days ago.

    I tried numerous ways to eradicate it before coming up with the solution which worked for me. My Windows 7 Repair Disc had already proved ineffective.

    I inserted the Windows 7 Installation disc into the PC, then booted up the machine.

    A message later appeared regarding Country Keyboard etc., so for me it was UK.

    The next message which showed up was to ask if I wished to Install Windows or do a Repair.

    I chose Repair and I soon found myself at System Restore.

    After I had chosen the option I wanted, I was quickly back in business with a restored PC.

    Just to make sure that everything was OK, I ran a full disc scan with Avast!, then SUPERAntiSpyware, followed by MalwareBytes and Windows Defender.

    The PC got a clean bill of health.

    I also downloaded and installed the free version of Macrium Reflect. This excellent programme allowed me to create a backup of my boot drive and place it on a different partition on my PC.

    The whole process took about 10 minutes to backup 24 gigs of data and resulted in a file of 8.8 gigs. If something should go wrong in the future, I can always restore a clean backup to the PC.

    I noticed a comment that the Firefox browser is not affected by this virus. I’ve used Firefox for years and have the current version installed on my machine.

    I’ve taken a tip from this site and now have a copy of the free, portable version of SUPERAntiSpyware on one of my Flash Drives.

  92. jimfixit

    01 Go to – http://www.howtogeek.com/howto/8693/how-to-remove-antivirus-live-and-other-roguefake-antivirus-malware/
    02 Scroll down to – Try to use the free, portable version of SUPERAntiSpyware to remove the viruses.
    03 Select – use the free, portable version of SUPERAntiSpyware
    04 Download this program to a usb removable drive
    05 Start your infected computer
    06 Right click the Start Icon bottom left
    07 Select – open
    08 Open – Program folder
    09 Open – Startup folder
    10 Select – Start
    11 Select – Computer
    12 Select – portable usb drive
    13 Now drag the portable SUPERAntiSpyware from your usb removable drive
    14 Drop the program into the Startup folder
    15 Restart the infected computer
    16 The Antispyware program will start up before the infected virus kicks in
    17 As the program comes up select – Click here to start
    18 Select default language – English (US) – Press ok
    19 In the main menu select – Scan your computer
    20 Select – the drives that need to be scanned
    21 At the end the problem will be gone
    22 Run the scan twice just to make sure
    23 As with this computer all should be ok

  93. nipsy

    Well I might as well add our story of victory against this evil virus. We caught the virus from a trusted site, but through a pop up ad. We tried running SuperAntiSpyware, it said removed but of course it wasn’t. We couldn’t get into task manager in regular mode, and in safe mode the virus wasn’t showing. So here are the steps we did to get rid of this:

    1. Booted into Safe mode
    2. In Start bar, typed msconfig
    3. Under start up programs we found an unknown program running, hover over the program to find file path.
    4. Ours was NOT labeled sysguard.exe. It was under the name: gjsevuvea\cayartistssd.exe
    5. Went to our C: drive and followed the file path we had seen in the start up
    6. Found file and shift + delete to kill it without sending to our recycle bin
    7. Went through same path and killed any and all folders created on same day virus was caught
    8. Go back to msconfig and unchecked the unknown program from starting
    9. Rebooted and ran SuperAntiSpyware scan. So far it is NOT showing up in the registry scans like it did before.
    10. Reboot again and run Microsoft Essentials Security Scan
    11. Reboot again
    12. Run msconfig and check start up programs

    So far we seem to be clean and clear. I’m running more scans right now and plan on doing an entire drive search for any and all new and unknown programs.

    Thank you so much for all these tips and different pieces of info. We took some from everyone and that seemed to work in our situation. Fingers crossed this worked.
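
Added example (not part of the comment thread or the original article): a read-only PowerShell audit of the two things several comments above check by hand, the Internet Explorer proxy setting and the programs set to run at startup. The function names and the rule used to mark an entry for review (file sits in a user-writable location and has no valid signature) are assumptions made for this illustration.

```powershell
# Added example: read-only audit of proxy settings and startup entries.
# Function names and the "Review" heuristic are assumptions for illustration.

function Get-ProxyState {
    # Per-user settings behind Internet Options > Connections > LAN settings.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s = Get-ItemProperty -Path $key
    $enabled = ($s.ProxyEnable -eq 1)
    # A proxy aimed at the local machine is the state the comments describe.
    $local = $enabled -and ([string]$s.ProxyServer -match '(^|[=;/])(127\.\d+\.\d+\.\d+|localhost)(:|;|$)')
    [pscustomobject]@{
        ProxyEnabled  = $enabled
        ProxyServer   = $s.ProxyServer
        AutoConfigURL = $s.AutoConfigURL
        PointsToLocal = $local
    }
}

function Get-StartupEntry {
    # Registry Run keys (what msconfig's Startup tab lists) plus the Startup folders.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Source = $key; Name = $name; Command = [string]$item.GetValue($name) }
        }
    }
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        if (-not $folder -or -not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -File | ForEach-Object {
            [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Resolve-CommandPath {
    # Pull the executable path out of a Run value such as: "C:\x\y.exe" /arg
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^(.+?\.(exe|com|bat|cmd|scr|pif|lnk))(\s|$)') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Get-StartupAudit {
    # Locations a non-admin process can write to; random-named droppers tend to land here.
    $userRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData) |
        Where-Object { $_ }
    foreach ($entry in Get-StartupEntry) {
        $path = Resolve-CommandPath $entry.Command
        $file = $null
        if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $file = Get-Item -LiteralPath $path -Force
        }
        $signature = 'FileNotFound'
        $inUserRoot = $false
        if ($file) {
            $signature = [string](Get-AuthenticodeSignature -LiteralPath $file.FullName).Status
            foreach ($root in $userRoots) {
                if ($file.FullName.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $inUserRoot = $true
                }
            }
        }
        [pscustomobject]@{
            Review    = ($inUserRoot -and $signature -ne 'Valid')
            Name      = $entry.Name
            Signature = $signature
            # Creation date helps match files to the day the infection appeared.
            Created   = if ($file) { $file.CreationTime } else { $null }
            Path      = $path
            Source    = $entry.Source
        }
    }
}

Get-ProxyState | Format-List
Get-StartupAudit | Sort-Object Review -Descending |
    Format-Table Review, Name, Signature, Created, Path -AutoSize
```

An entry marked `Review` is only a candidate for a closer look; legitimate per-user software also starts from these locations, so confirm with a scanner before deleting anything.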

  94. matt

    OMG got this today… I didn’t really take any of these steps. I shut all bad programs down in Task manager and an alternative task manager and deleted each infected file. I am currently scanning with AVG and will try that malware program just in case….

    yay for computer :|

  95. Jeff W

    Hey all. Just cleaned this off my wife’s Win XP pc, or I am cleaning it.
    Ran SuperAntiSpyware, that found most of it and allowed me to use the pc.
    Ran Malware and it found 3 registry entries SuperAntiSpyware missed.
    Ran Norton and it found a couple more “fragments”.

    One thing I did notice that hasn’t been mentioned here yet, it seems to have changed the group policies settings so I am not able to access system restore settings to delete old restore points.

    Is this a new feature or am I missing something?

    Thanks

  96. carl

    All I did was log in safe mode used internet options deleted cookies temp files…then used restore…and bing bang done took all about 5 minutes then used my anti virus and spy bot to check and all was ok..peace.

  97. YAX

    Strange to see all these comments with so many different ways to try to fix the issues. As a computer support tech, I’ve always just asked the person when they first saw the fake antivirus appear, then do a systems restore to a date prior to the infection and it has always worked just fine for me. Takes but a few minutes. The fake antivirus was removed and doesn’t do any more damage. If you want, you can try to look for the files of that program and manually remove any you find, but I haven’t found any computers misbehaving after I used system restore.

  98. Kelley

    I just got this virus the day before yesterday. It wouldn’t let me look at anything in my computer or let me log off, it was just stuck on my desktop. I had run many virus scans and system restore but my internet still directs me to pages that are ads. I cannot rid my computer completely of it. I had my same laptop since 2002, use it daily all day and night and never has anything like this happened to me before! My question is if it comes back again is there a way to make it stop what it is doing and get off your computer? You can’t just sit there and watch it happen so what should you do?

  99. Nate

    I have tried to follow this process, but after I disabled the proxy and ran superantispyware, I have been unable to connect to the internet via my wireless. As such, I cannot get access to malwarebytes. Anyone had this problem or any suggestions?

  100. Vincent

    HELP OK so I’ve tried to do this but I’m not sure what to do to the LAN thing. I tried to uncheck the box and hit OK but apply didn’t light up. I’m lost with what to do, can someone tell me exactly what to do

  101. Jl

    Just a warning to those getting this virus or in danger of getting it. Over the past 2 days I’ve had a problem with this. Day 1 when I originally got it I followed a link on Wikipedia. I ended up getting rid of it, totally forgot about Wikipedia went to look something else up there about an insect the following day and ended up getting it again. Watch out for that site right now, anything, links, pics whatever can give you malware. Must resist Wikipedia habit.

  102. spotty the dalmatian

    Had the virus and unfortunately after 5 hours and before reading all these very helpful fixes—I used a day old image (thank goodness I have an imaging program) to overwrite the damn thing!

    I came across a 99.9% solution–it is software called sandboxie (sandboxie.com). Take a look see—been using it now for over a week and ALL attacks are immediately reversible!

    peace

  103. G of E

    I used the “Super” program in SafeMode. It seemed to work well. I rebooted and ran the Malware program; more ‘stuff’ was found and deleted. Then I reconnected my MagicJack and voila! It all went to CRAPOLA again!! Argh!
    After stewing for a day or two with no computer or time to fart with it, I sat down and reloaded with a new download of “Super” in SafeMode. Faster finding of the crap (duh – the computer was on for less than five minutes when it came back after the first “repair”), then it rebooted.
    This is crazy! The trojan is still here, the malware program can’t be opened (it’s infected), the MagicJack is still infected, everything is still infected, can’t be opened – total trashed waste of time.
    I’m going back into SafeMode to see if I can use any System Restore dates or not.
    I wish I still knew the Russian phrase equivalent for “Bl*w Me”. If they had stayed Commie, this would not be happening.

  104. Tasha

    Hi, I have some viruses on my laptop & I have attempted to remove them w/ the Norton 360 4.0 version software. I installed it on my computer, but was only able to run a quick scan not a full complete scan because of my internet connection. It scanned and found 103 threats and some viruses and said they were removed but that little red and white box keeps popping up saying windows has detected harm malware trojans trying to steal passwords, etc. I hit ignore each time and keep trying to register my software but when I tried to complete the registration & activation of my software, I get a message saying my software activation is not complete because I’m not connected to the internet/ Symantec doesn’t detect an internet connection. How do I fix this issue w/ my internet connection? I think the virus has blocked me from connecting to the internet. Please help!!!

  105. tomas

    hi, beware of “ANTIVIR SOLUTION” “AVSolution” just got one:/

  106. Bethany

    My brother just got the ANTIVIR SOLUTION yesterday and I have been trying for hours to figure it out. Even when I follow ALL instructions I can’t get on the internet (even in safe mode with networking). I obviously can’t download any of the amazing programs to get rid of it. Any solutions???

  107. Abbe

    @Bethany: I guess you have tried to uncheck the “use a proxy server” option in Internet Options of Internet Explorer? You can also try putting the software on a USB drive or CD…

    I got this very annoying Antivir crap yesterday. This article helped me fix it. Thanks a lot!

    The only problem I got was booting into safe mode. When I pressed F8 I could only choose between boot devices. But I think it’s a setting in my bios that does this.
    Just disconnecting the power of my pc while in Vista and then starting the machine up again got me the screen to choose for safe mode.

    The problem was gone after running a full scan with SUPERAntiSpyware. Malwarebytes also found 6 threats and I’m running Microsoft Security Essentials now.

  108. popa_dopalus

    Gotta tell ya “You really helped me out”…just bought a new HP pavilion laptop and got this very same virus on it…darn thing cost but I picked it up for half the price…HP has had it for the last 6 months because it “CRASHED HARD” and really “rebuilt” the “refurbished” HP for free (got the 4 year warranty)…but now when I, a simple minded nerd try to use the F11 key to reset it back to factory it freezes mid process (I refuse to leave the store when they call me to pick it up because I know it will still freeze with F11)…HP techs can reset it because they are not using the simple F11 layman’s key but their tech stuff…”I’m no tech?!?!” …It’s going on 8 months and I have not watched a BluRay disc yet… and many work orders later and it still freezes because of the virus I think…any ideas?…This one is a loner and I was able to bypass most of this because I liked the older version of foxfire 2.0 and was not locked out from the net although it did lock me out of Google chrome…Thanks foxfire.

  109. jackp9067

    Hi. I got this virus a couple weeks ago on my sister’s laptop. I shut down her laptop and waited a couple days as I did some research. When it booted up the virus appeared to be gone. I did a system restore to a date before the infection. I then installed Microsoft Security Essentials because her Norton trial expired a while ago and she didn’t tell anyone (which is probably why she got the virus in the first place). I ran a full scan with MSE and it found some stuff (I don’t remember what exactly but one was something like “fakespypro”) and removed it. I thought I was good until a couple days ago it came back while I was on the internet. This time it doesn’t seem like it’s going to go away. I plan to stop system restore because of comments that say it also gets infected and follow the steps in this article. However I am wondering why it magically “disappeared” the first time and if I need to do something extra to get rid of it. I will post my progress. Thanks

  110. Birn_AZ

    This virus was like my in-laws: showed up uninvited and was next to impossible to get rid of! After reading all of these posts, my plan of attack was to load SUPERAntiSpyware, Malwarebytes, and Microsoft Security Essentials on my jump drive. I booted up my infected laptop (safe mode was disabled, so I had to do a regular boot), immediately hit ++ to bring up Task Manager, and ended all unfamiliar processes as quickly as possible. There was no process called sysguard.exe. Next, I tried running Malwarebytes.com but got an error message. So I ran Microsoft Security Essentials, which found and removed two worms: Orbina and Sirefef. Next step, reboot. Next step, run SUPERAntiSpyware. Hasn’t found anything yet. Hoping I’m good at this point. Will post an update tomorrow. Thank you, thank you, thank you, howtogeek for the helpful information and the opportunity to learn from others’ experiences.

  111. Birn_AZ

    The combination of Microsoft Security Essentials and SUPERAntiSpyware worked like a charm. Never did get Malwarebytes to work, even after uninstalling and reinstalling.

  112. shltstalnwayne

    can i do this from my administrative account or from the infected account. it popped up on one of my avg scans on my other account which is not infected and i put it in the vault and checked remove this threat as power user. that means i can remove it from that account right.

  113. ozo

    hello. thanks for the tips..led me in the right direction. jumped to task manager and could not find a process w/sysguard.exe., loaded a flash drive with malwarebytes(on another computer) and went to safe mode on the infected computer. it found 2 infected files called rogue suite. dumped them and went to connections to see if proxy was on- it wasn’t. re-booted and had to go back to connections as proxy was now on…unchecked it and everything is back to normal so far…..
    thanks again

  114. ozo

    sad to report it is back. rogue antivir suite is the entire name. trying some other things now..adding msessentials now. seems(?) to have detected other viruses…. who knows. i’ll keep you posted

  115. WastedWeekend

    I may have gotten this fake antivirus infection by watching a DVD on my computer- maybe something to do with a codec needed to watch the movie.
    Anyway, I didn’t find anything named xxxSYSGUARD.EXE. Instead, the offending file probably was qbvvagltssd.exe, which bears some resemblance to the name another poster mentioned that was like xxxssd.exe (having ssd.exe in common).
    This malware seems to have modified my Firefox and I.E. browsers to use proxy servers.
    I’ve read the suggestion elsewhere that the virus may have entered through Javascript.
    I bet the authors of that malware read sites like this and continually modify their malware to be even more difficult to deal with based on what victims like us are doing to get rid of it.

  116. mjmackay

    All you have to do is reboot, press F8, click on – safe mode with networking, once in system, restore system to a previous date…. problem solved

  117. Alex

    Hey guys, I just got this nasty virus this morning, even though I had the real Avira running.

    Here’s how I fixed it, you can do this without even rebooting once! It closes every window that you open, including the task manager, but it doesn’t close any windows that are already open when the virus loads. So press Ctrl-Shift-Esc immediately after you log in, you know, at that phase where you can see your desktop, but before your taskbar starts filling up with those little icons of all the crap you have installed on your computer.

    Then you can just kill the process for the virus. Note that there’s several of them, I had a civiy.exe, a bfn.exe (that calls itself BitDefender), and something else called ndgxpmptssd.exe. (Tip: if you see something you don’t recognize in your list of processes, regardless of how legit the name looks, right click it and see the exe location. If it’s running from a Temp or AppData\Local directory, it’s not legit.)

    BUT, before you kill the processes, right-click, look at properties, and find out where the exe lives so you can delete it.

    I also went in and fixed the proxies on my browser.

    Anybody know where the virus comes from? If you have any idea, email me alexisme999@yahoo.com

  118. Brian

    Hey all,
    I too have had my laptop infected by a rogue/fake antivirus running as ANTIVIR PRO which locks me out of all executable programs. I have taken the steps above both in the guide and from tips in the comments, primarily running malwarebytes and SUPERantispyware in safe mode. Each time I attempt to run the programs I get about 10 minutes into the scan, which finds about 3-4 infections, and for some reason the laptop shuts down abruptly without warning, taking no action on the discovered infections. This particular laptop is a Toshiba Satellite L305D-S5868 running Windows Vista 64bit and it has never had this abrupt shutdown issue before. I have read other forums citing heat buildup issues as the culprit, but I’m somewhat doubting that here since I never had a problem before and it seems to pop up only when I attempt to clear out this virus.
    Any information or guidance on this matter would be greatly appreciated.
    Thanks in advance!

  119. Patrick

    Let me share something that worked for me on one occasion, as the computer was booting up I immediately went to system restore and was able to use it – of course once the computer boots up it prevents you using system restore.

  120. Mark T

    Hats off to the guys at SUPER Anti-Spyware.

    Family member had a severe infection due to fake antivirus trojan. MalWareBytes didn’t shift it as the AV would reboot the computer before it was finished. But SAS run with Windows in Safe Mode under the Administrator logon did the trick.

    Great work guys. Thank you.

  121. jackie

    So, if this is so prevalent, why has Microsoft not created something to solve it? I have had it twice on a networked computer. I have not had it on the system that I only use Firefox on.
    I just directed my daughter who has about four hours of work to do to call microsoft–didn’t find your website until after I told her to call.
    Thanks for the clarification on the server window–I was confused on that one.

  122. Magnus

    Dude, thank you! You have saved my day :) I followed the tutorial and it made my pc 100% clean! Thank you, again!

  123. Clay

    I just had this same problem on my girlfriend’s computer so I was freaking out. All I did was reboot in safe mode and go back to a safe point like someone else earlier had commented. I did try to sweep it several times in safe mode with networking as advised. It would catch it every time and I would delete it. Then when I would re-boot I would be right back to where I was with this pain in the ass virus going crazy. I finally just reverted back to an earlier state using safe mode and windows troubleshooter. So if you come across this virus I would recommend doing this first before following all the other steps.

  124. attacked chick

    I got the dreaded antivirus software virus last night and followed your advice. I wanted to say thank you so much it was simple and to the point. You are my Geek hero!!!

  125. Steveo

    Hi, i have been attacked by some rogue anti virus that fits all the descriptions above, i have downloaded the super anti spyware and run it on safe mode however it is not picking up the rogue virus. Please help me and advise what i should do next? thanks

  126. emmie

    Hey,
    My sister’s pc had a malware attack. I ran the superspyware program and it was all good. When i went back to the internet to download malwarebytes, the internet search engines wouldn’t work. Anytime I clicked on anything on the internet, the link took me to random and obscure sites. When I went into internet options, it said it didn’t have a folder connection and that I would have to go into folder options to create a link or something. I don’t know what to do at this point. I eventually managed to download Malwarebytes but whenever I tried to run the program the same message appeared as it did for the internet options. I really don’t know what to do at this point.

  127. Francis

    Thank you so much, I’ve been up all night trying to kill this thing, and this article helped. One piece of constructive criticism though, in the picture of internet options, is this what it’s supposed to look like on a clean system? You just say “We need to fix this” and post a picture, then move on. I went to the advanced tab and just reset IE’s settings, and what I got in the LAN settings was the “automatically detect settings” box checked. I don’t use IE (Firefox ftw!), but just trying to make a great article better.

  128. SFH

    Followed the advice in the article and it cleaned my system. Booted in Safe with networking, ran the ASA scan, deleted the Rogue Anti Virus infection. Great help. Thanks.

  129. Eric Common

    This software seems to be helping me so far and was easy to download and quickly started on my computer. It checks memory items, Registry Items, File items and then records it all for you to see. GREAT FREE VIRUS FIXER…..Definitely recommend using both Malwarebytes and superantispyware.

  130. Eric Common

    Seems to be that after I used those softwares the virus was still there….I’m sad now. I now went into safe mode and clicked no when it logged in and asked me to log in on safe mode.
    I CLICKED NO
    NO SAID TO RESTORE TO A POINT
    You should click no and it will force to restore to a point. Try and get it back about a month or so as long as you won’t lose too much data but trust me life of your computer is way more important than some data lost. Hopefully this will work for me…..

  131. Diddy 2.0

    THANK YOU to whoever wrote this! This literally saved my laptop. Only thing I would suggest and I don’t know if this happens to everyone, I wouldn’t even bother trying to run anything without being in Safe Mode because the killer for me was the “Task Manager_Hijacker” and the some other one that killed any access to getting to my Home Page of Internet Explorer let alone any sites to download malware and spyware removers

  132. dnolen

    I am trying to get this virus off of my son’s computer and am having trouble getting it off of all user accounts at the same time. I run all of these steps on my user (administrator) account and clear it, but any other account I log in to re-infects all the accounts, including mine. They all have the proxy LAN step removed on IE, but I can’t get the SAS and Malwarebytes to run on the other users. I can’t get rkill.com to run on anything but the admin account.

    Does anyone know how to make SAS and Malwarebytes search all users at the same time to get rid of this?

  133. djlight

    Trying to clean a studio computer at my church. All malware progs say the computer is clean now….however…when I try to go to Google or Yahoo, etc…I see that something is still hijacking IE and Firefox. Any suggestions?

    //djlight

  134. Believer

    I was incredibly doubtful to say the least, but I already had a virus, so if this had turned out to be one I wouldn’t have lost too much, but it DID work

  135. Walt

    Many thanks. The virus seems a bit smarter as even in safe mode parts of it ran. (I don’t know how that’s possible, but we just watched it happen. A phoney virus warning popped up, but I was able to ignore it without more popping up.) However, we were able to run malwarebytes, which was the only program out of the group I tried that got rid of the virus. (Nasty!)
    Spybot identified it, but couldn’t remove it… So I have a new fave malware protector!

  136. Lia

    MY son had this rogue virus it was a real pain and stopped us opening marlrebytes and Norton 360 didn’t even recognise it was there!!!! Even stopped us opening internet explorer trying to scare us into paying for an expensive spyware.

  137. Lia

    ooops spelling mistake Malwarebytes on previous mail

  138. Joan

    Thank you very much. For this Post. Fix my NETBOOK from the FAKE ANTI VIRUS. It SAVE ME big COST of Fee Virus Removal. Thank you.

  139. zach

    hey, i got one of these things and i think i got rid of it through a numerous amount of scans by various programs, but my system tray icons (the ones on the bottom right of the taskbar) have disappeared and i can’t get them back, i have tried restarting explore.exe, i also tried a registry trick, but the most luck i have had is getting them to come back but in the wrong positions, please help.

  140. Nathan

    Arg.. I hate those just got one today… I normally boot my computer, and hit F9, and then do a system recovery.. Does that delete it forever?

  141. Amit

    Add me to the list of users who got rid of it with a system restore. I restored to around 1 week ago. Running SUPERAntiSpyware, and it’s not reporting any problems

  142. Kara

    I used malwarebytes & another one and it found 33 infected files. I have deleted them all appears fine, however, I cannot for the life of me get back my internet connection! I have a linksys and motorola modem and reconnected all the wires correctly, but can’t establish my network. Any thoughts??

  143. Clumpy

    Windows 7 (all retail versions) has software which enables you to make a system image. Once you have your computer set up the way you like it, including email settings set up, make a system image.

    As time goes on, make backups to a USB harddrive of your docs and photos etc. etc.

    If you get infected, simply reapply the system image then import your docs from a backup. In minutes you can be back up and running.

    It’s so easy it’s a no brainer. And it makes you impervious to this malware cr*p.

  144. Randy

    I’ve run into this ‘fake antivirus’ and have a minor issue with removing it via a downloaded program – it blocks the start up of any .exe file… so I am right now in my Linux (I dual boot Kubuntu/XP SP3 black)

    I need a Linux based method to fix this – I have full access to all drives on the system (including several external USB drives) – Any help here would be appreciated greatly.

  145. Clumpy

    KARA, if it is just the web try:

    Open your IE, go to Tools > Internet Options > Connections > Lan Settings and uncheck “Use a proxy server for your LAN”.

  146. Robin

    This totally saved me last night, I had some Antivirus IS trying to run. The instructions were great! Then I too didn’t have the web afterwards and I did what Clumpy just said and it’s back! Yeah! Thanks so much! Everything is back to normal!

  147. Claypoolgal

    I have the same problem. I have this rogue antivirus, called antivirus IS, I have tried the superantispyware and the malwarebytes and neither have worked. Any suggestions?

  148. Craig

    Hi, I got one of these viruses on my laptop. I ran SUPERAntiSpyware to delete the infections but after it had removed the files it asked me to reboot. So I rebooted thinking it was okay, but then it never loaded windows back up.

    It gave me blue screen of death, so I attempted to run TheTechGuys repair system thing. I tried clicking onto the next step but it just didn’t allow me. So I tried running in safe mode, all the file names popped up but once again it gave me blue screen of death.

    I think the operating system (Windows Vista Home Premium) has been blocked from opening. My laptop had vista pre-installed and never came with a vista disk… The only solution I can think of is going to buy Windows 7 and installing that, but in doing so i’ll lose all my data.

    Can anyone give me a solution, please? It’s pretty drastic and would really like not having to lose all my data.

  149. Richard

    THANKS, THANKS, THANKS!!!!!!!!! yOU FIXED MY COMPUTER THAT I WAS READY TO THROW OUT THE WINDOW

  150. Nathan

    craig try doing a system restore

  151. Paul Lichtenstein

    Thank you for your posting. These attacks would be frustrating and expensive without this kind of help.

  152. Karen

    The instructions seemed to work for me. Just wanted to point out that after cleaning and restarting a few times, I still could not connect to my home WiFi. However, after a cold reboot I could enable it and it’s working fine now.

  153. cat

    HI,
    I got the ANTIVIRUS IS version of this rogue. I tried the above instructions (they had worked for me before on a different system). Neither SUPERAntiSpyware, nor MBAM nor Combofix seem to find anything in my system. I can’t find anything in the registry either that looks like any of the things given in the manual removal instructions? This virus must have mutated.

    Any suggestions?

    Thanks
    Cat

  154. Sam

    I’ve got the ANTIVIRUS IS problem too, trying to figure out how to get rid of it. I’ve tried spydoctor, CCleaner, MalwareBytes, and SUPER AntiSpyware, nothing is getting rid of it. I’m locked out of everything, task manager, any programs i try to run, regedit, nothing. Can’t access anything. Even with the updated versions, nothing is detecting it. Only glimmer of hope I keep having is upon restart, if I manage to get task manager up in time, i can end a process called “nvsdeetlanw.exe” and it stops the problems from starting up, but after i restart, same mess all over again.

  155. Sam

    Dirty buzzard!
    Ran superantispyware and malwarebytes in safemode. Still there. Anyone with fresh ideas. Files are not in the registry either.
    Thank.

  156. zoneman2000

    THIS IS WHAT I DONE TO GET RID OF THE VIRUS.
    1st download ccleaner for free before you get a virus.
    Next restart your machine. as it is booting up into the normal windows screen (on xp) you have a 60 second window before the ANTIVIRUS IS terminates your regular programs when you click on them.
    So don’t mess around and click START > RUN > and type msconfig. Choose the start up tab and uncheck anything that looks suspicious (jxuapbxua etc). Then restart your comp.
    Once restarted, ANTIVIRUS IS doesn’t boot up. HOORAY!
    Next press ctl-alt-delete and run task manager and kill anything that looks suspicious. Delete items from the folder and registry as stated in the previous comments above. Then run ccleaner and do a full registry clean and TEMP APP file clean. Then delete suspicious startup items. Next click no proxy for all your internet apps under the connection advance tabs. This gets you back online.

  157. Robert

    Some of you are making this far more complicated than it is. I have been hit by this three times. The first time I nearly cried at first. The second time I was merely annoyed. The third time I just laughed because I wasn’t worried at all. Each time I fixed it quickly by restoring to a previous date. The first time, however, I got real frustrated for about a half hour because it was blocking me from going online to find solutions, and it was blocking me from going into the Control Panels to perform the restore. So, I had to go into safe mode.

    However, the next two times it happened, I didn’t have to go into safe mode at all. On the second occasion, I restarted the computer and managed to quickly get to the restore thing before the attack started to disable me again. On the third occasion, I was now so familiar with this thing that I got to the control panels to restore to a previous date so fast I didn’t have to do anything else. There seems to be a little bit of time where you can get it out of there before it gets worse and worse, and if you act immediately you won’t have to go to the trouble of going to safe mode.

    In any case, go to Control Panels, type “restore” in the search box and you’ll see where to click to restore to a previous date. Just go back a day or whatever. Takes 5-10 minutes for it to restore, and after that you are totally in the clear. No need to delete cookies, run antivirus scans, or anything else.

    As an additional note, I’ve only been hit by this when I’ve been browsing on shady web sites of the pornographic ilk. LOL My advice is, either stay away from those sorts of sites, or have your control panels up already before you go to one of these shady web sites, so that restoring your system to a previous date is a click away and the attack won’t be able to block you.

    Really, this only seems like a big problem, but it looks a lot worse than it is. It’s designed to make you panic and think something truly awful is going on. But trust me — don’t go through all the complicated stuff to fix it when the solution is simply to restore your system to a previous date. Again, if you are being blocked from doing that, try restarting and getting to the control panels before the attack starts up again, or go into safe mode as explained above. In all of these situations, you are just 5-15 minutes away from victory against this evil attack, so don’t panic. :)

  158. Jim

    I fixed this problem yesterday. I used the kill it before it starts running method. You do not need to start in safe mode to do this. Just be ready to open task manager as soon as your desktop appears. Then end the process. Mine was named sespgddyhsn.exe. There is enough time to end this process before it locks you out. Once you have ended the process, you are free to use any and all anti-malware programs. However, the program will have disabled internet access so go into control panel internet settings and uncheck the use proxy box. Then update those programs. I ran both super antispyware and malware bytes and neither found the evil program. So I ran msconfig and there it was. It was a piece of cake to uncheck it from the start up list and find out where it was hiding. Just expand the command section and you will see exactly where the program is located. Most likely, it will be in a hidden file so be sure “view hidden files” is open. Then find it and delete the program. Mine was in a temp file in my user file. It’s now gone for good and all I had to do was be quick to stop it and run msconfig to find it.
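
Added example (not part of the article or of any commenter's post): a PowerShell triage script for the manual checks described in comments 117 and 158, listing startup entries (the list msconfig shows), running processes whose executable sits under a Temp or AppData\Local directory, and the current user's Internet Explorer proxy setting. The function names and the directories and user name in the sample paths are constructed for illustration; a hit is a candidate for review only, since legitimate per-user software also installs under AppData\Local.

```powershell
# Added example: read-only triage, nothing is killed, deleted or changed.

function Test-SuspiciousPath {
    # True when a command line or image path points into a per-user
    # Temp / AppData\Local / Local Settings directory.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Startup commands may contain %TEMP%-style variables; expand them first.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    # -match is case-insensitive, so "temp" and "Temp" are treated alike.
    return ($expanded -match '\\(Temp|AppData\\Local|Local Settings)\\')
}

function Get-StartupCandidate {
    # Win32_StartupCommand covers the Run keys and Startup folders.
    Get-CimInstance -ClassName Win32_StartupCommand |
        Where-Object { Test-SuspiciousPath $_.Command } |
        Select-Object Name, Command, Location, User
}

function Get-ProcessCandidate {
    # ExecutablePath is empty for processes the current user cannot open,
    # so run elevated to cover processes owned by other accounts.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { Test-SuspiciousPath $_.ExecutablePath } |
        Select-Object ProcessId, Name, ExecutablePath
}

function Get-ProxySetting {
    # The "Use a proxy server for your LAN" checkbox is stored per user,
    # so repeat this check in every account on the machine.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $values = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ProxyEnable   = [bool]$values.ProxyEnable
        ProxyServer   = $values.ProxyServer
        AutoConfigURL = $values.AutoConfigURL
    }
}

# Constructed sample paths: the .exe names come from the comments above,
# the directories and user names are invented for the demonstration.
$samples = @(
    'C:\Users\alex\AppData\Local\Temp\ndgxpmptssd.exe',
    '"C:\Documents and Settings\user\Local Settings\Temp\xkygaobfa\ayiyngidlta.exe" /s',
    'C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe'
)
foreach ($sample in $samples) {
    '{0,-6} {1}' -f (Test-SuspiciousPath $sample), $sample
}

# Live checks (Windows only).
if ($env:OS -eq 'Windows_NT') {
    'Startup entries to review:'
    Get-StartupCandidate | Format-List

    'Running processes to review:'
    Get-ProcessCandidate | Format-Table -AutoSize -Wrap

    'Proxy settings for the current user:'
    Get-ProxySetting | Format-List
}
```

The first two sample paths print True and the Program Files path prints False; on a live system the same test is applied to every startup command and running process.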

  159. Sean

    I’ve started web browsing in a vmware of my machine. When I got infected by this (looking for a web site on solar power of all things) I just deleted the vmware image and recopied it from backup.. 9 minutes of my life gone, but virus only took over a vmware host. With the web as dangerous as it is today might even consider wiping the vmware image and starting fresh each time to make sure no hidden malware gets caught and propagated out without your knowledge. They need to find the people who make these and hang them at the yard arm so we can watch the crows pluck out their eyeballs. They the Internet equiv of Pirates and should be hung the lot of them.

  160. Tracey

    YAY!! Thank you so much for these detailed instructions. We had this nasty virus and spent several hours going through the steps. I could not believe the amount of viruses and crap that was on our computer, whether related to this antivirus hoax or not, I’ll never know, but regardless it is clean now and we are so thankful. We are in Canada and could not use the Microsoft Security Essentials (not sure why) so I used the AVG 2011 trial version instead as the last step.

  161. Theresa

    Very very headache! Can I know ANTIVIRUS SAFEBROWSER is same as ANTIVIRUS LIVE? I couldn’t find any solution as this virus has troubled me for the whole night until I still unable to sleep. If they are same, then I will do according to the above! Please advise ASAP. Cheers!

  162. Nik

    Worked like a charm, thanks so much for this! My antivirus programs that I’ve paid for and renew every year didn’t even detect all the junk that was infecting my computer. Took very little time and effort to fix my pc. Thank you again!

  163. TB

    I had this bugger a few weeks ago and man was it nasty. Took me about three days to finally get my computer clean (after a lot of crying and screaming and wanting to throw my laptop through a window). I think I finally got rid of it thanks to all the tips here (I used my thumbport to run the antivirus proggies first while in safe mode since I couldn’t find the process to end it).

    My question is, once it’s gone, how do you get IE to stop redirecting your web searches? I can always click the back button but it takes a few tries and is totally annoying. Anyone know how to solve that one? Please help because it’s becoming increasingly difficult to search through the web with this damn redirect!

    Thanks in advance.

  164. ckc61

    I had this too. Checked the properties on this bugger and found where it was. ( oscb://c:\docume~1\user\local~1\temp\xkygaobfa\ayiyngidlta.exe\htmlmain.htm#} I went into safe mode, and got in file and deleted it. it worked …but took all my pics, documents, settings, favorites. It is almost like I reinstalled Window xp. several app remained ie. AVG, winutilities, I guess I should have found this site sooner.
    Oh well.
    Thanks for the info, albeit late (my fault). Too bad you can’t send this back at them and screw up their computer/ server.

  165. Jan

    Removal of AntiVirus Live Virus

    Your suggestions are good but didn’t work fully on my computer. What I did was:

    Restart in Safe Mode

    Run SUPERAntiSpyware followed by MalwareBytes.

    This cleared the AntiVirus Live Virus but I needed to reset the Firewall proxy settings to reestablish connections with the Internet – From the Start Menu go into Settings > Control Panel > Internet Options > Connections Tab > LAN Settings button. Make sure the Proxy Server – Use a Proxy server tick box is unchecked.

  166. Joe Hoville

    bought several licenses of rogue software and i love it.

  167. Tim Hagen

    To remove this malware, go to ‘documents and settings’ in Xp or ‘Users’ directory in vista and search by date to a date just before the infection. Look for files named oddly, I’ve seen names like 82640.exe, or aji.exe, atalaa.exe. Delete the ones you can, move the others to a temp directory outside of ‘documents and settings’ like c:\temp. Restart the computer, delete the remaining files from the temp dir and download and run CCleaner from piriform software, use the registry cleaner to remove the registry entries for the files you deleted.

  168. dewa

    Thank you very much for the instruction! My little netbook now is clean again and I have microsoft security essentials now.

    I should be careful visiting blog sites, that’s how I got the fake antivirus malware. I was trying to search photos of my hometown that is covered with volcanic ash. A lot of blog sites from my home country seems to be containing a lot of malware!!!

    I wish I still had my ca internet security.. it labels all internet links whether they’re suspicious or not… that way I know not to click any suspicious website address.

  169. Helper21

    I just got this virus today and had me freaking out. I thought I was gonna have to reformat my HD but it is much easier than that.

    I tried the Safe Mode w/ Networking method and did the MalwareBytes Scan but it didn’t get the virus removed.

    I was able to get rid of the virus by luck because I have the AVG anti virus installed. This virus takes a minute or so to start running so I opened my AVG anti virus from the taskbar on the bottom right hand side of the monitor to try to do a scan before the virus could block my access. But luckily as soon as the virus was about to begin running, AVG was able to identify the virus and asked me if I wanted to get rid of the infection. And I did click on the removal of the virus. It was pretty lucky and thanks to AVG for finding the virus as it was about to run.

    I would advise you guys to immediately run any major anti-virus program you have on your PC before this virus starts itself. Hopefully your software will ID this virus on the spot and remove it.

  170. Helper21

    PS. I did not have to begin my Anti-Virus scan in order for my software to recognize the virus to ask me to delete it.

  171. Jamonts

    YEAH… I used malwarebytes it was already on my computer. I had to click it immediately when turning on my computer and run it. AWESOME. Took about 45 minutes to do. Well the virus went away but INTERNET EXPLORER wasn’t working. Did just what Clumpy said.
    Go to Internet Options. LAN settings and uncheck remove proxy server. Save. and then you’re done…

  172. eetwo

    I got rid of this exact program completely by following a few easy steps, this tutorial is way over most people’s heads.
    1. Define the program by name when it opens up (ie. Antivirus Live)
    2. Unplug from the Internet (really, pull out your cable from your tower)
    3. Control/Alt/Delete to kill the process, computer will hang, or the process will kill (mine hung)
    4. Reboot, program can’t start up without an active connection
    5. Go to Add-Remove Programs, find infection, remove it
    6. If not in add-remove, run a Malwarebytes or some other legit program
    7. Reboot

    Done, problem solved.

  173. Jen

    Thanks so much for the guide! Knock on wood, but malwarebytes seems to have removed that stupid fake antivirus hellware, and super antispyware got rid of a bunch of tracking cookies. Thanks for lending your techie smarts to careless idiots like myself – I should have known better than to use stumbleupon.

  174. Mike

    Just got it today, unfortunately it blocked all my programs including internet access, I managed to get rid of it in the end by locating the file through right clicking the pop up window and properties, starting 3 separate anti virus and malware programs all at once it managed to block two, thank god the third one got through in the confusion which just so happened to be malwarebytes, pressed the file assassin to delete, selected the file, restarted when prompted and it was gone after that. My proxy settings are still screwed up at this point though, had to just disable it completely till I find out what the right address is.

  175. Ric

    Thanks for the instructions above. It worked great. I followed it to a T and the computer runs well.

  176. jac

    I also followed the instructions exactly – and it worked like a charm! Thank you, thank you, thank you!!!

  177. Tonya

    Thanks everyone for all of your help. I got this virus from FACEBOOK! Who would have known!? I clicked on one of their features and got a pop-up. After I clicked ‘no’ the thing just went crazy. I was on someone else’s computer at the time, so I feel so guilty!! So glad I found this site… I hope it works :):)

  178. Harrison

    I had that antivirus live on my laptop. It kept shutting down whenever I logged in, it popped up with ‘your computer is infected when I tried to open up task manager’ and after a few minutes my computer would come up with a blue screen and shut down, so I didn’t use my laptop for a few weeks and it’s working good

  179. Bruna

    I just removed this thing from your computer. Or so it looks like… Thanks for posting this! But as I was running the super antispyware on the safe mode, my computer shut off and it wouldn’t restart on safe mode anymore! Then I used our second laptop (for research and downloading the programs, cause it wouldn’t work on mine) and found another forum about it, with specifically the trojan I had in my laptop (called “system tools 2011”), so I followed their instructions: first, as soon as the computer starts (normal mode), open the task manager (ctrl+alt+del), and look for a 10-digit “exe” file, and end the task. Apparently, the name of this program is random – I didn’t find the one they said, so I ended whatever name I could find with 10 digits…and it worked! The fake messages stopped right away. Then I ran TFC (temporary file cleaner), let it finish and ran the MalwareBytes. Looks like it’s all good now, but just to be safe I will also run the super antispyware now, and then will install the Microsoft Security Essentials – which in many sites was being suggested as well…

    I have NO idea where this thing came from! :/

    Again, thank you so much for sharing this!

  180. Bruna

    Oops – I meant: I just removed this thing from *MY* computer! :P

  181. Megan

    Thank you so much! 4 hours later, it seems like the virus is gone. I just hope it stays that way.

  182. Computercolombus

    Hey there thanks for all the info. After running system restore, changing proxy settings, downloading malwarebytes and superantivirus I located the corrupted files and took care of them but! Still when I started my computer the stupid antivirus thing still came up. I read a post from someone that said to go to msconfig, under the startup tab and look for a weird filename with unknown author. Then look under the command column to find where it leads which is most likely under user/local/appdata/temp/random/random. Find the application in Windows Explorer and delete it. And finally after six hours of bs my computer is back to normal. Thanks everyone
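The check described in the comment above (a startup entry with an odd file name, no known author, launched from a temp folder) can be scripted instead of clicked through in msconfig. This is an added PowerShell example, not part of the original comment; it only reads, and the Run-key list, the 8 to 12 lowercase-letter name pattern, the function names and the scoring are assumptions chosen for illustration, so a flagged entry still needs a human look before anything is removed.

```powershell
# Added example, read-only: nothing is deleted or changed.
# Assumes Windows PowerShell 3.0 or later. Heuristics and scoring are illustrative.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-ExecutablePath {
    # Pull the executable out of a startup command line (hypothetical helper).
    param([string]$CommandLine)
    $text = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($text -match '^"([^"]+)"')        { return $Matches[1] }  # "C:\a b\x.exe" /arg
    if ($text -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }  # C:\a\x.exe /arg
    return ($text -split '\s+')[0]
}

function Test-StartupEntry {
    # Score one startup entry against the traits the comment describes.
    param([string]$Key, [string]$Name, [string]$CommandLine)

    $path = Get-ExecutablePath $CommandLine
    if (-not $path) { return }
    $reasons = @()

    try   { $base = [IO.Path]::GetFileNameWithoutExtension($path) }
    catch { $base = ''; $reasons += 'command line could not be parsed' }

    # "user/local/appdata/temp/..." in the comment: user-writable profile folders.
    if ($path -match '\\(Temp|AppData|Application Data|Local Settings)\\') {
        $reasons += 'runs from a user-writable profile folder'
    }
    # "weird filename": only lowercase letters, 8 to 12 of them (assumed pattern).
    if ($base -cmatch '^[a-z]{8,12}$') {
        $reasons += 'letters-only lowercase file name'
    }
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # "unknown author": no valid signature and no company name in the file.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
        $company = (Get-Item -LiteralPath $path -Force).VersionInfo.CompanyName
        if ([string]::IsNullOrWhiteSpace($company)) { $reasons += 'no company name in version info' }
    } else {
        $reasons += 'target file not found (leftover entry or parse miss)'
    }

    [pscustomobject]@{
        Key     = $Key
        Name    = $Name
        Path    = $path
        Score   = $reasons.Count
        Reasons = $reasons -join '; '
    }
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        if ($command) { Test-StartupEntry -Key $key -Name $name -CommandLine $command }
    }
}

# Highest score first; a score of 0 means none of the traits matched.
$findings | Sort-Object -Property Score -Descending |
    Format-List Key, Name, Path, Score, Reasons
```

Legitimate software sometimes starts from AppData too, so treat the score as a reason to look closer, not as a verdict.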

  183. derek

    combofix was only thing that knocked it out! I ran all the other stuff before and after but combofix is the only thing that worked for me.
    thanks for all the help

  184. Kasey Green

    I want to THANK YOU for helping me with the internet virus “AntiVirus Scan”. It was so annoying & I was starting to get frustrated because I didn’t know what to do! But you guys helped me! (: Now my tears are gone <3 THANKS SO MUCH!

  185. Lisa

    No one wrote how to fix the blue screen that appears after the use of Malware?

  186. Susan Davis

    I tried the Spyware approach but it did not work, I then resorted to the ComboFix method and it worked like a charm! I had the Antivirus Scan malware bug… hate that stupid thing… Crashed my hard drive once before on another computer. Thanks for posting these instructions!

  187. Susan Davis

    @Lisa, If you have a blue screen error, unfortunately you probably need a new hard drive. Best advice, take it to a pro!

  188. Debi

    After having a run in with one of these last year, I immediately rebooted my computer to safe mode, jumped on my laptop and installed malwarebytes onto my flash drive, updated it, then put it in my desktop which i am signed on under administrator on there with no issues. Started malwarebytes scan and it is currently going smoothly, so far. Just thought I would put my two cents in. I will give you an update as soon as I am done.

  189. John B

    I want to say thanks for this great article. I had the Antivirus Scan malware, stupid thing. At first I tried McAfee which obviously didn’t pick it up. I used the internet on my iPod and found this which worked a treat. Thanks for all the comments as well

  190. Shane D

    An excellent article and so are the comments and other suggestions people provided. Just letting you know that the only program I tried (and that included the very good Malwarebytes) that managed to find the sysguard file was Spybot. Agree with other suggestions, the time lag for this scummy antivirus live software after starting the computer allows one to launch genuine software before it is blocked.

  191. Shane D

    Thanks to Tim Hagen, his advice was the one that finally enabled me to get rid of the software; by checking the .exe files, I was able to find one that was installed just as my problems started – it was called pkhpwoolajb – its ‘origin’ was xmmsjmsiv and it was 316KB of sheer frustration. Deleting this solved my problem.

  192. erub

    omgggg. i got the first part done , but the malwarebytes lagged my computer…….. it had been scanning for likee over an hour .. and out of nowhere it stopped o_o like the whole software froze , and then everything lagged and then yeaaaaaa FAAAAHHKKK LOOL i couldn’t even turn my laptop off/restart so i had to take the fkkkn battery out –

  193. John

    Hey guys,

    My pc just downloaded this rubbish on only one profile – will running the antivirus on another profile remove it?

  194. Gary

    ComboFix worked fine. Thanks for the help

  195. amitay

    First of all,
    thank you very much that there are sites like yours, and thank you,
    because thanks to you I managed to get this parasite off me.

    1. I shut down the computer and went into safe mode (F8).
    Then I did a system restore to a few days earlier,
    which I could not do in normal mode because it would not let me,
    and it works, it deleted it. I have Windows 7.

    Is that enough? I don’t see it,
    or is it hiding from me?

  196. Jeff

    Hi,
    I have this problem and I hardly know anything about computers – the “internet options” screen shown in the removal instructions, how do I get to that when in safe mode?

  197. Glyn

    I found this guffiqtlajb.exe

    go to start….run… type in regedit in the box hit enter…go to edit, find….type in the .exe given above and do the search. Highlight it in the right hand pane of the regedit window and delete it. Do it again and again on find again, until nothing is found. If it is delete it. Reboot. Then run combofix now you can get on the net.

  198. Liv.

    @ Jeff : the internet options is under Tools button when internet explorer is open.

    Thanks a billion for this article. the superantispyware worked amazingly and everything was back to normal. ran the malwarebytes too just in case.

  199. Sharon

    I’m going crazy! I got the virus a day ago but after several attempts to delete it I failed. Symptoms. No access to Internet/control points yadayadayada. So when I saw this site on my iPhone(thank god for decent phones) I immediately sprang into action. One big draw back. Windows starts up but all I have is the background both in last good setting and normal. I had to walk away from the pc as destruction crossed my mind. I’m just wondering did I do something wrong as I deleted most of the files in my temp file but couldn’t get rid of the main beast as it was already running. Now all I’m seeing is my goddamn background. Argggghh. I’m gonna kill my husband!

  200. Sharon

    Ok. It runs in safe mode but not with networking or last config. So basically all I need is to get the anti-malware on a cd or flash and download from there right? I tried to install norton in safe but it gave up after 2 hrs saying norton got problems.

  201. Matt, WA

    I am currently in the process of attempting to resolve this issue. Let me guess – those responsible for this internet extortion racket are Russians? Gotta be, as usual. Their economy is a total basket case so they turn to internet crime because they seem incapable of making an honest living. I will attempt to resolve this issue with the advice provided, otherwise it’s a reformat for me thanks to a bunch of people who should never have been born in the first place. They are lower than cockroaches.

  202. --M--

    I got no idea how i got hit by this virus. I tried the safe mode steps and it didn’t work. I’m now trying the combofix but it says something like “combofix cannot run with antivirus desktop (that is the actual virus). Please disable it before proceeding. If you proceed problems like machine damage can occur.” not the exact words but something like that. what should i do now? anyone please help. i’ve got a lot of work to prep for and exams are around the corner.

  203. --M--

    I can’t disable the virus.. and that’s the problem really.. i tried the task manager thing as well but couldn’t find which was the process to shut it down.. bad start to a new year..

  204. JustinMiller

    So after getting this stupid virus, I frantically searched for solutions on Google, and was directed to this site. Thanks for all of the great advice. Eventually, I ended up rebooting, but leaving the computer in standard mode and whacking the virus via the task manager. Once I’d done that, I changed the LAN settings per your instructions (unchecked the boxes), went online and downloaded malwarebytes. I ran it, it found four viruses, and now they’re gone. That was just with the quick scan. I’m running a full scan now.

    However, I have a question if anyone can help-when I initially opened my internet connection settings, the boxes were checked, and my internet had been working. Now, I can’t get it to work without unchecking them. Is this a serious problem? Help!

  205. --M--

    I managed to fix it.. I didnt go to safe mode this time but read through some steps suggested above in the comments. I looked for a 10 letter/digit process name under the task manager and stopped it. After that maleware picked it up and cleared it for good in normal mode. (it picked it up and deleted it in safe mode but it came back after rebooting). If anyone has been trying the steps suggested and they don’t work, my suggestion is to take your time, read through the comments and try every suggestion that comes out. It might work for you. Thanks guys!

  206. Kingz

    What if your computer won’t start in safe mode or safe mode w/networking or w/command prompt ? what do you do then ?

  207. Ellie

    I GOT IT!!! I ALSO LOGGED IN TO MY BLUE MOUNTAIN ACCOUNT AND THEN EVERYTHING HAPPENED!!!!

  208. Jenny

    My computer will not see the CD drive or the USB drive. Also can’t get Explorer working, even in Safe Mode with Networking. Any suggestions on how to get the Antispyware working?

  209. pra

    I used SUPERAntiSpyware and Malwarebytes now it’s gone!!! It took me over three hours to get it removed and it was totally worth it!

  210. Emily

    I just wanted to say thank you so much. I got this terrible virus yesterday and didn’t know what I was going to do. I am a college student who completely supports myself and at the moment has no money to take my computer in to be fixed.

    I came across your site when I was searching for how to get rid of this rogue and am so glad I did!

    Thank you so much for offering this help. It really meant a lot and saved me a ton of hassle and money!

    Thank you thank you thank you!!!!

  211. wendy

    system restore worked for me

  212. Anish

    Thank you so much for this step by step guide, I just got rid of a rogue “Antivirus Scan” from my wife’s computer.

  213. nick

    Hi, I just got the virus and I was able to install malwarebytes, but unfortunately the virus won’t let me run any programs at all. What do I do?

  214. JJ

    Worked perfectly, no hassle at all. cheers gents!

  215. Chris

    All of you are right (except shutting down the computer for a couple of days). I’m sorry I just don’t see how that one can work, but if it did congrats and I will try it if and when the time comes and I can’t get anything else to work.
    Everyone will eventually get that annoying fake anti virus or something of the sort at some point in time and there is no way that I know of to stop it from happening. You really have to give it to these people, their work is truly remarkable, they are just on the wrong side of the tracks. However if you’re dumb enough to use your credit card to buy just one of the programs they created then their job has served its purpose and your credit card is maxed out or your bank account is now empty so DO NOT BUY ANYTHING OF THE SORT!! Do your own research or ask someone here before spending money on software or programs.
    If you do call me and I’ll take your worthless computer off of your hands, fix it, and then give it to someone who can use it or donate it to charity.
    Sorry….back to the resolution.

    I have used several ways to get rid of these. It seems the trick is to beat it at start up with whatever you choose to use. You know, run msconfig (only if you know what you are doing) to shut everything down except the program you’re going to use and let it start with the computer. I used Unhackme 5 on one tonight. The comp using Vista would boot after log in with nothing showing but the fake anti virus and no button to choose but run scan. It would still let me use the task manager though (most shut it down as soon as it opens). I installed Unhackme 5 (30 day trial) with an external HD and terminated the files it considered bad at start up. Then rebooted and all was back to normal. I know it seems simple but there are all different types out there and this was just an easy one. Some do take quite some time to figure out.
    They have a program out now called fake anti virus remover (freeware), I have used it and it seems to be removing something but it didn’t fix my problem tonight.

    Read….someone has posted your solution.
    Thanks all for your hard work and then sharing it with us, and Good Luck to all with your issues.
    You might want to save this page in your favs, you will get a fake anti virus at some point in time and then need a solution.
    I did.

  216. Matthew

    So i ran malwarebytes and found some viruses and i deleted them. It didn’t stop. So what i did was i went into msconfig and under services i found some program called nluperne. Using command i traced it back to a file named mabfujuuerb.exe i promptly deleted the file. It said it was still there in msconfig so i simply disabled it and now my computer works fine. I’m not sure if i actually got rid of it so will somebody tell me the risks of simply just disabling it?

  217. Mfoley

    I have the antivirus so i proceeded to try this suggestion. Unfortunately, the virus closes me out of everything within seconds. I cannot get to the internet options because of this.. I’m clueless and have no idea how to get rid of this like everyone else is.. HELP!!!!

  218. Shizzle

    For people that have trouble launching into any antimalware program, I highly recommend that you download a copy of RKILL. This will kill all the virus processes and allow you to run antimalware scans.

  219. Nick

    If you’re having trouble making the internet work, try these:
    For Internet Explorer, go to Tools>Internet Properties>Connections>LAN settings>uncheck “Use a proxy server”. Usually, the virus just re-checks this. I would go with the Firefox method.
    For Mozilla Firefox, go to Tools>Options>Advanced>Network>Settings>click “No proxy”. The virus usually doesn’t interfere (never did for me, and this has happened to me multiple times)
    Download RKill to end processes that aid the virus (download Explorer.exe). After this, you shouldn’t see the annoying messages in your toolbar.
    Then install an antivirus program (I use Malwarebytes from download.com). Hope this helped anyone…

  220. Gman

    Hey guys,

    I tried following these steps and i rebooted once i had done the scan.

    It booted uo the bios and motherboard but then it just goes to a black screen which has one white flashing dash or underscore and i can get into windows.

    Any suggestions?

  221. Gman

    Sorry guys numerous typo’s
    I tried following these steps and i rebooted once i had done the scan.

    It booted up* the bios and motherboard but then it just goes to a black screen which has one white flashing dash or underscore and i cant* get into windows.

    Any suggestions?

  222. Adrian

    I just rubbed my balls on the monitor and scared the virus away

  223. Shannon

    I have followed the directions you listed after my computer was infected with this virus. There are multiple users set up as admins on that computer. When the computer was infected, the user name that was affected now does not have internet capabilities. When it logs onto the internet, it recognizes the site in the bar, but then ie displays a message saying it doesn’t recognize. It can however use the network drive. All other user accounts can access the internet and use the network drive. Is it possible the virus corrupted the user account being used at time of infection? Or do you think the computer is still infected? Thank you.

  224. Deb H

    Thank you! Worked perfectly! Was tearing my hair out as we thought we’d lost everything. Access to everything was cut off with the malware in both normal & safe modes. Breathing a big sigh of relief now, so we owe you a huge thank you for your advice! Thanks!!

  225. Joe

    I managed to infect my manager’s work computer with this rubbish virus yesterday. Thought everything was screwed and I was freaking out. Tried these fixes today, seem to have done the job (fingers crossed anyway!). Thanks so much for your help, now I won’t get sacked!

  226. Justyna

    Thank you so much! You saved my computer and my sanity. Your steps worked like a dream. Going to Safemode and using SuperAntiSpyware and Malwarebytes was enough to get rid of it.
    Keep up the good work!

  227. blackwolf340

    what if you ran the virus remover not in safe mode. that’s what i did after it ran it as if i wanted to reset i did and now it will not load up the main screen can’t even get into safe mode now

  228. dan

    hey thanks everything worked at first, week later its back and antispyware can’t find the virus =[
    i tried malwarebytes and norton too nothing’s working =[

  229. Fayne

    Thank you SO MUCH for your help. Saved me from my miserable days without my laptop.
    I skipped the last step where it said to run it through Windows Security Essentials. When I try to install it it says having too much antivirus programs going on will slow down my laptop and it may restart suddenly. I got the SUPERantiSpyware and MalwareBytes and also a crap antivirus program going on right now…should i still install Windows Security Essentials??

  230. Tom

    Thank you, the malware remover actually worked. Had to run it in safe mode, but it only took 1 scan to fix. AWESOME!

  231. Austin

    What i do is i have a second account on my comp and i log off and log into my backup account run Malwarebytes anti-malware program and it usually finds it and deletes it. then i can log off into my other log in

  232. Jeffk

    OMG I’ve tried everything recommended (short of the real high tech stuff like messing with directories) and I cannot get rid of this SOB. I ran Superantivirus and Malwarebytes both in safe mode and regular mode (MWB found 9 virus files but could not delete them, SAV found nothing but some harmless cookies) I ran both programs several more times and they both show the computer “clean” but when I log on the regular mode the warnings still pop up. I tried disabling the proxy server option which did allow me to surf again, but the virus is still there and I’m concerned that if I continue to use my computer more damage will be done. I’d pull my hair out, but I don’t have any!!!! Any more ideas?

  233. Bella

    Thank you so much for this information !! I tried the SUPERAntiSpyware because my computer was so badly infected that I could not even get into the control panel.. and IT WORKED!!!

    Found over 500 infected files and viruses and removed them all, computer is working great! thanks again what a life saver.

    Bella

  234. Andrew

    Awesome! You rock man. I thought I might have to reinstall windows.

  235. jeffk

    Freedom!! Finally I found the right combination. For me it was “Combo Fix” followed by a scan by Antimalware and finally Superantivirus Pro. Wiped out everything nasty and I’ve got my PC back.

    Kudos to “How to Geek” and contributors!!! THANK YOU.

  236. jakes

    Thanks for the post Geek! Worked just like you said

  237. Ginger

    I’ve found a quick way to block the rogue. they all love to put an icon on the start menu or desktop. i’ve been going into the properties of the icon and use Find target to lead me to the executable and delete it. Then I update and run Malwarebytes. Reboot and run my installed antivirus software.

  238. Kunmaru

    This makes me laugh, I used this process time and time again (not safe mode but the programs) for any virus and use it to fix computers around here. These are the best free tools I use daily and could not use any other, Combofix is a last resort though, once you start it DO NOT MESS WITH IT! This program can mess your computer up big time if messed with, gets rid of the viruses though. These programs are getting smarter and will act like a normal anti virus and infect your computer. Thanks for putting this on here, now I can credit you guys for a school project, using the same method and everything!

  239. Kunmaru

    Also except I disagree with the Microsoft security essentials, it hardly does anything for any computer, I just have it on my computer so that I don’t have to pay for one.

  240. Christian

    I just got this thing too.

    Was able to disable it via task manager, barely, as the the task manager only showed for about a second before it would close each time. Then restored to yesterday, and things are working. Ofc need to now run a full system scan to be sure.

    CURIOUS

    How is it these guys are getting away with this, while their blooming website sits in everyone’s plain sight saying ‘We are infecting hundreds of thousands of computers with a virus, and some of you might actually pay us to try to get it fixed’.

    Considering the fact they are doing this to people’s computers without their consent, afaik that is ILLEGAL.

    Isn’t it time TO PROSECUTE, i mean good grief, it’s not like some stealthy hacker, they’re just sitting there in the wide open doing this.

    Well either way, I sure hope to God these guys get fried.

    And thanks hugely for this topic, and everyone that has contributed, I have bookmarked this just in case it happens again.

    FRY EM.

  241. Terri

    Thanks Howtogeek- your steps seemed to do the trick! :-)

  242. Ron

    I have been battling this for several days. I ran Malwarebytes, it finds stuff and deletes it. The first time it found 806 infections when the first fake virus program came up. I was already using MB at the time. Everything was fine and then a different one popped up a couple days later and MB found nothing the first run, I updated it that morning too. Then I updated it again even though I had done so that morning and it found 5 problems. Now today I have the Internet Security Fake and I was prevented from doing anything. I tried one of the tricks above and logged in on safe mode and a different user and it is now cleaning it. It found one thing so far, but I don’t trust it. How do I keep it from coming back again and worse tomorrow?

  243. Ron

    Some advice was to shut off the system restore. How do you do that?

  244. Erik

    I got into safemode then ran MSconfig and stopped it from loading that way. Once in regular logon I followed the path and removed it manually. But as said earlier I partitioned and formatted as I never trust stuff being really gone.

  245. Lori

    Thank you!!! This worked for me. My son’s computer was infected with the Antivirus Live and I just happened to go onto your site and was happy to see all this information. This procedure also captured 378 other bad items! Thank you!!

  246. Edit_Reality

    Ok, so this process works perfectly for getting the stupid thing off my computer, but it seems to find its way back on the second I open a file transferring site such as media fire or image shack (not when I download, but simply opening a page from the site).
    My question is: How do I stop it targeting me like this!?
    It’s not on my computer (Malware bytes, SAS, AND Microsoft essentials confirms this) but it always sneaks back in on sites like this. I like using these sites for their convenience, but I don’t want to put up with this problem anymore.
    So my question is: Is there something hidden on my computer having it track me, or is it just lurking on my hard drive? (which I completely doubt, because it never opens unless I open one of the sites listed above, and there’s the alert of a download from the site.)

  247. Julie

    ok, so I am inept at all this & had major issues on our laptop. My stepdad, who knows computers & should know better, downloaded AntiVira VA. My suspicion was that it was a scam to get us to purchase the program when it was the only thing showing on the laptop & that we’d been locked out of everything else by it. Has anyone heard of AntiViraVA before? Also, before I “clean-up” the laptop, do I need to save my documents & photos on a disc? My fear is that I will lose all of them while removing the antivirus. Thanks for any help!

  248. Asa Ellison

    I was just at a friend’s house trying to help them get rid of a FakeAV. Very frustrating indeed. It’s an older computer with a strange setup so I wasn’t able to get into safe mode. In the main administrator mode, I had many problems getting the AVG to run. As someone on this comment board suggested, I went in after a reboot under one of the other ID’s on the computer and I could get AVG to run its full scan. It was catching all kinds of Trojans, fake alerts, and fake corrupted EXE warnings. I didn’t know how long it would take for AVG to finish its scan so I came home, and I’m waiting for a phone call to tell me if they still have the problem of the fake warnings. Hopefully it’s gone…but I’ve learned that I need to go fix the network connection because it makes it work on a proxy to stop me from going to anti malware sites. I guess I’m going back there tomorrow. Thanks for all the advice to everybody here.

  249. josh-v

    hey guys i got the virus and downloaded the recommended software but now my internet explorer is not working, any tips?? and i know that my internet is connected?

  250. TechLab

    To: Josh V

    check your proxy settings by opening internet explorer and go to Tools, Internet Options. Click the Connections Tab. Click LAN Settings and uncheck everything. Sometimes the fake antivirus adds settings in here that will make your Internet explorer lose connectivity.
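The LAN-settings check from the reply above, as an added read-only PowerShell example that is not part of the original comments. It lists the proxy values Internet Explorer keeps for each profile whose registry hive is currently loaded; these values are stored per user, which is why one account can lose browsing while others on the same PC keep working. The function name and output layout are this example's own, and it assumes Windows PowerShell 3.0 or later run from an elevated prompt.

```powershell
# Added example, read-only: reports proxy settings, changes nothing.
$sub = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# When this policy value exists and is 0, proxy settings apply machine-wide
# instead of per user, and the per-user values below are not what the browser uses.
$policy = Get-ItemProperty `
    -Path 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' `
    -Name ProxySettingsPerUser -ErrorAction SilentlyContinue
$perUser = -not ($policy -and $policy.ProxySettingsPerUser -eq 0)
"Proxy settings are per user: $perUser"

function Resolve-SidName {
    # Turn a SID into DOMAIN\user; fall back to the SID if it cannot be resolved.
    param([string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid
    }
}

# Only profiles that are signed in (or otherwise loaded) appear under HKEY_USERS.
$report = foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
    $sid = $hive.PSChildName
    if ($sid -notmatch '^S-1-5-21-[\d-]+$') { continue }   # skip service accounts and *_Classes hives

    $key = "Registry::HKEY_USERS\$sid\$sub"
    if (-not (Test-Path -Path $key)) { continue }
    $s = Get-ItemProperty -Path $key

    [pscustomobject]@{
        User          = Resolve-SidName $sid
        ProxyEnable   = [bool]$s.ProxyEnable     # the "Use a proxy server" checkbox
        ProxyServer   = $s.ProxyServer           # address:port the browser is sent through
        ProxyOverride = $s.ProxyOverride         # bypass list
        AutoConfigURL = $s.AutoConfigURL         # "Use automatic configuration script"
    }
}

$report | Format-Table -AutoSize -Wrap
```

A profile that shows `ProxyEnable` as True with an address nobody in the household or office configured is the one to fix in LAN settings; a proxy that was set on purpose (for example by an employer) will show up here too.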

  251. Locochat25

    hi everybody, I need help with a rogue antivirus which is installed on my laptop, i tried to restore to a day earlier and served well so far, but has come back and do not know how to delete it. I’ve been reading about how to remove fake anti-virus but I have to say blogs reboot my computer and it will not do, I appreciate your help. thanks

  252. josh-v

    to: Techlab

    Hey I’ve already done that and it’s still not working any ideas???

  253. Bone

    I have this “Windows Tool” program that identifies itself as an antivirus program like mentioned above. I’m able to start the computer, but once I log on, it automatically goes to a black screen which says, “safe Mode” and then the “antivirus” software starts up and says I have a problem. I am not able to get rid of the screen and go to my desktop or anything. I try Ctrl-Alt-del, but the task manager option is taken out. Does anyone have a solution to this problem?

  254. Armando

    How to stop my internet explorer from showing up error pop ups like Internet explorer has encountered a problem and it needs to close, I tried to send the problem to Microsoft but the pop ups keep coming. What should I do please could you help me?
    I have a software protection called Trend Micro, I did a scan on it and it found no problems it says all problems are fixed. But it keeps saying that it found a problem with the internet Explorer and it needs to close, But I ignore it and I am able to do my work still. But how to stop it from coming up?

  255. Kev

    Thank you so much for the procedure. Not too sure which virus I had but all the icons were “Windows Media Center” I ran the 3 softwares SuperAntiSpyware, MalWareBytes and Microsoft Security Essentials. I then ran my Avast software as a final scan.

    Strange how they all pick up different things ….. All icons are back where they should be and no data lost.

    Kev

  256. james

    where is the download button???

  257. Kitty

    Can someone please tell me how I can use the Internet while in safe mode [networking]? it’s on but it cannot connect to the internet completely. I cannot download anything to get rid of this virus, whenever I try to use the malwarebytes it stops at a certain point so I can’t even use that to get rid of it

  258. Mike

    I used all three programs to try to get rid of the antivirus virus, and it still won’t go away, and I do have all the programs updated as much as they can be.

    Help, please?

  259. Nik

    I have the fake Anti Vista virus remover…it’s not allowing me to use internet on safemode, what do i do. it also will not allow me to refresh my laptop.

  260. yewnohoo

    THIS FIXED IT FOR ME…..

    I got this virus several days ago on an older laptop with Windows XP. I found this forum using another computer and tried EVERYTHING that was suggested. I finally saw one posting where the writer tells you to use another profile (not the one you normally use or the one you were using when you got the virus).

    I turned on my machine and selected another profile, other than the one I was using when the virus took over. I could not believe my eyes when windows opened normally. I immediately ran Malwarebytes and the software worked. I then rebooted, signed onto my normal profile and ran Malwarebytes again. The software found the virus again (??) and removed it.

    So far, the laptop is working fine. Hope this helps. Good luck to all of you!!

  261. MARY

    I have tried to remove the virus on my parents’ PC. I installed SuperAntiSpyware free edition in safe mode. Everything was going fine, until forty minutes into the scan the Windows Security 2011, which is the virus, popped up. The scan continued, and I was able to reboot the computer into safe mode. When I logged into the user account, the virus was still there and this time did not let me search the internet in safe mode. So I went to another user account; this time I was able to access the internet in safe mode and download Malwarebytes. I clicked to run Malwarebytes and nothing happened. Next, Windows Security 2011 infects that user account and will not let me run the Malwarebytes scan. So SuperAntiSpyware did not remove the virus and now I can’t run Malwarebytes. I have no clue what to do next.

  262. wlk

    Thanks so much! It works like wonder!
    I downloaded SuperAntiSpyware and Malwarebytes. Will Microsoft Security Essentials slow down because there are 3 systems on at the same time?
    Also, how can I be sure that it is gone for sure?

  263. Nancy

    Thank you, thank you!! This did the job! Amazing!!

  264. stephanie

    This is the second time in the last 6 months that I have gotten the fake antivirus! I use the ComboFix and it worked both times! Thank you guys!

  265. Derek

    I had this virus last night. Used SuperAntiSpyware, which detected 4 Trojans. I used the Microsoft program, Norton, Avast, and Malwarebytes, none of which detected anything. (I don’t usually use that many)
    Running Superantispyware today in normal mode and it is showing no virus. Nothing is showing any kind of virus. I tried going in safe mode, but it took forever.
    I don’t know if this is completely gone, or just covered up. I’m not good with this kind of stuff.
    -I tried restoring, and it said that it could not restore correctly, but several things have been erased.
    Last night, if I tried going to a search engine, it would say “Information you send can be seen by other people” (Basically) Today, it hasn’t said anything in those lines.
    I want to know if this is gone, or if it just seems that way. Thank you!

  266. Tom

    I picked up this virus yesterday and found this website by chance while searching for solutions. Downloaded SuperAntiSpyware on a different computer and copied it to a USB drive and then ran it on the infected computer. After an hour or so of scanning it detected a number of viruses and cleaned them all including this virus. After the removal some of the .exe files weren’t recognized (still not sure if it was something the virus did or the removal process), but I was able to run WinXP_EXE_Fix which resolved this problem easily. The computer is now running as it did before (if not slightly better) and I also ran Malwarebytes which found two additional viruses.

    I can’t thank you enough. We got this virus last spring and we took the computer in to be fixed to the tune of a couple hundred dollars and a week without it. Saved both time and money without having to worry about who was seeing what on my hard drive.
    Thanks

  267. Andrew

    Though I didn’t get the exact fake AV here, this guide proved amazing. Thank you very, very much.

  268. Jessica

    I have been trying to open SuperAntiSpyware on my infected computer and it will not allow me to. I read the next option to reboot the computer in safe mode but I am unsure if I am doing that correctly. Do I just hold down F8 while Windows is loading? Also, when I try to use ComboFix do I need to be doing that on the infected computer? If so, then how do I get to download ComboFix if I am unable to open anything on the infected computer?

  269. Frustrated

    I have been trying to run this fix for days now. I could not get my PC to recognize the flash drive w/ the malware removal files. So I restarted in safe mode & was able to save them to my desktop. Then I restarted & went to Windows normally. Well, the window didn’t pop up. I ran the malware removal anyway. After more than 18 hours of scanning (it was still scanning when I finally stopped it) & 64,000+ objects scanned & nothing found, I stopped it.

    I have tried running the quick scan & it went fast for the first few minutes then slowed down & was barely moving for like an hour. Stopped that scan. So now I am running another NOD32 scan which has been going for nearly 3 hours & is only 43% done. It has found a bunch of files that it said it can’t open but that there are no “threats”.

    Yet my pc still runs slow. WHAT the heck is going on? How do I speed this up? Suggestions please…..I am beyond frustrated.

  270. Marlene M

    I spent two days trying all of the above suggestions: safe mode, task manager, msconfig, but the virus wouldn’t let me run anything no matter what I did. I finally decided to find the infected file & delete it. Before deleting something that may be essential for your computer to run, check to see when the file was created; it should be the day the virus was discovered. The file you’re looking for has lots of numbers, maybe letters followed by a sequence of numbers. After deleting what I thought was the corrupt file, I rebooted & finally the rogue scan stopped popping up. I then ran Malwarebytes & removed whatever infections it found. Finally, my computer was back to its old self! Here you go, and I apologize but I am running XP so you’ll have to improvise for other O/Ss:

    click start

    for xp type in C:\documents and settings\all users\application data and click ok
    A window will open containing some folders. One of them is your rogue virus
    Find the folder & delete it
    Don’t forget to remove it from your recycle bin just in case

    Restart your computer & run malwarebytes
    It should be okay now.
    Good luck!
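
An added example, not part of Marlene M's comment or the original article: a PowerShell script that lists, without deleting anything, the folders under the path she names that were created around the infection date, and flags names ending in a run of digits. The parameter names, the one-day window and the four-digit threshold are assumptions made for this example.

```powershell
# Added example: report candidate folders only; nothing is deleted or modified.
param(
    # Day the rogue first appeared (assumption: supplied by the person running this).
    [datetime]$InfectionDate = (Get-Date).Date,
    # Days either side of that date to include (assumed default).
    [int]$WindowDays = 1,
    # XP path from the comment; on Vista/7 the equivalent is C:\ProgramData.
    [string]$Root = 'C:\Documents and Settings\All Users\Application Data'
)

if (-not (Test-Path -LiteralPath $Root)) {
    Write-Error "Folder not found: $Root"
    return
}

$from = $InfectionDate.Date.AddDays(-$WindowDays)
$to   = $InfectionDate.Date.AddDays($WindowDays + 1)

# -Force includes hidden and system folders, which Explorer may not show.
Get-ChildItem -LiteralPath $Root -Force |
    Where-Object { $_.PSIsContainer } |
    Where-Object { $_.CreationTime -ge $from -and $_.CreationTime -lt $to } |
    ForEach-Object {
        # Count the files inside so a legitimate data folder is easier to tell apart.
        $files = @(Get-ChildItem -LiteralPath $_.FullName -Force -Recurse -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.PSIsContainer })
        $exes  = @($files | Where-Object { $_.Extension -match '^\.(exe|dll|bat|cmd|scr)$' })
        New-Object PSObject -Property @{
            Name        = $_.Name
            Created     = $_.CreationTime
            # Heuristic from the comment: name ends in a run of digits (4+ is an assumed threshold).
            DigitName   = [bool]($_.Name -match '\d{4,}$')
            Executables = $exes.Count
            Files       = $files.Count
        }
    } |
    Sort-Object Created -Descending |
    Format-Table Name, Created, DigitName, Executables, Files -AutoSize
```

A folder that shows `DigitName` as True, was created on the infection date and contains executables is the one to examine first; legitimate applications also keep data in this directory, so the date check she describes still applies before anything is removed.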

  271. Amin

    Ok. Followed the instruction for removing rogue virus issue. Rogue issue gone, but I still have a problem. I am using Windows 7; my users folder does not show in Explorer, BUT I can go to directory structure from DOS prompt and My Computer. I can even open a file if I know the exact file name.

    To Resolve issue this is what i did:
    Also at this point I got rid of virus but was still missing icons on desktop and my programs, so I did reboot with F8, and ran restore program with an option of factory default with keeping my users folder to “Backup”.

    After this process, my Windows 7 is back to normal as it was on day one. I created a new user account

    Questions:
    1. By doing this process I lost all the new software I had installed over last few months. Can it be brought back?
    2. Most important. My users folder is now copied to C:\Backup folder, but again I still cannot see the files or structure in Explorer, BUT I can still open from DOS prompt or My Computer if I know the exact path and file name. So I know my documents are still there on the hard drive.

    Can you guys assist me at least for second question? How can I copy all the files from C:\backup to new user or display back in Explorer? Note: from DOS prompt as well I can only go up to directory structure and when I do DIR it shows nothing, but I can open file if I know the file name.
    Please help
    Thanks
    Amin

  272. Edit_Reality

    Hey. A while back I posted that I was plagued by reinfection after initial removal.
    I have good news: I found the root of the problem, and the greatest solution for future prevention.
    You MUST, and I cannot stress this enough, immediately stop using Internet Explorer. This is the most susceptible to infiltration, and re-infiltration. I have been using Firefox since my last encounter and have yet to re-encounter this issue again. Chrome also has a similar usefulness.

  273. Ely

    My parents’ computer has fast windows antivirus 2011 rogue pop-ups, not installed, doesn’t prevent anything being used but I can’t stop the pop-ups. SuperAntiSpyware already was installed and running, scanned PC, picked up rogue.securityshield, removed, still there.

  274. Mark VanGelder

    Hitman Pro by Surfright has saved me more than once. Run it in safe mode with networking. If it crashes in the middle of scan or removal, start it right back up again. I’m on my second year subscription for just under twenty bucks. The scan it does is quick and shows you what it finds.

    Suggestion: Unless you plan to buy a subscription, you can use the free version for 30 days fully functional, but for just a one time rogue anti-whatever removal choose custom install and “one time only” type of install.

  275. marc

    I have used these instructions before when my computer was infected about a month ago and again two weeks ago. Everything worked, very helpful step by step guide, I appreciate this. I got infected again
    but this time it was a different, more aggressive alert that popped up. It blacked out my desktop, deleted my desktop icons and I thought deleted some applications, but when I ran search: firefox, a faint Firefox icon appeared so I was able to right click; run as administrator. This is how I was able to write this comment, but my icons on my task bar show up as paper icons, not Firefox ones.
    Also when I was in shock and searching for a solution I could hear auto play commercial spam ads playing with no browser on at the time since this virus blocked or deleted it. The virus also deletes ComboFix downloads in My Documents.

    Thanks in advance. I hope you can help me and maybe we can prevent more infections from happening.

  276. Dweeb1981

    I just wanted to say thank you all from the bottom of my heart! After wanting to pull my hair out for three hours i came upon this and everything you suggested worked!

    I could start in safe mode but was unable to get on the internet with the proxy setting changes. I used one of the other comments and was fast enough to use the task manager to end the task. Downloaded the programs you suggested. The first program found 37 issues and the second found 2! Restarted and it worked without fail! I’m running the Malwarebytes program again, and then I will download the last one and run it as well!

    I run a Mac and have never had these issues.. let’s just say.. I own my roommate after this! He owes me and all of you a very big THANK YOU!!!

  277. Katie B.

    I just used the superspyware remover on a rogue virus that infected my husband’s laptop. The only problem is, now that the suspect files were quarantined/removed, most of his applications don’t work including IE and Firefox, amongst others. We can’t even click a link to get web access, and system restore is even broken so we can’t use that to restore to an earlier date. He has a partitioned hard drive with Windows Vista on the other partition, and XP the infected one on this partition, but the Vista he has isn’t very user-friendly and he was hoping to save XP since he doesn’t have restore disks (and his CD rom is broken anyway). Can anyone help, or did the rogue infect parts of the registry or essential parts of those files and that’s why the computer isn’t recognizing them now? Most of his apps, unless it was disk-installed software, don’t work and aren’t recognized by the computer now.

  278. Katie B.

    This message is for Tom, whose reply is dated April 17. How did you get winxp_exe_fix to work? I tried it in the run box and it isn’t recognized. No exe files on my husband’s computer are currently being recognized. Any assistance is appreciated, thank you.

  279. Lyn

    After hours of trying to get rid of this virus, we managed to delete the files in safe mode with networking. When the virus box popped up we right clicked on this and then clicked properties and took a note of the files, then deleted in safe mode and then restarted the computer. There are no longer any pop-up boxes but we can’t start up Internet Explorer or AVG. Anyone have any ideas? We are using Windows 7 32 bit.

  280. Hector

    Log into another account and run Rkill; it should work fine.

  281. Joe

    Phoenixpath was right. Log into another account, download free malwarebyte, run it, scan, remove infected software, restart as instructed. Works awesome.

  282. Joe

    Forgot to say the above worked for bitdefender. I was lucky that I created an account for guests since my bro and friend used my computer.

  283. Logan

    I got that same thing on my PC. First off, I don’t know how I got it; I was uploading some of my art work to DeviantArt.com when I got a pop-up that said my firewall was down and a scan was starting. I clicked the X of the pop-up, but it still started the scan and I could not force quit it. Then it did the fake scan saying I had 25 Worms and a bunch of Trojans. It told me to pay for it, so I thought why do that when I could just search for the files myself. I did a computer scan for one of the infected files and found out that it was not even real.
    So I restarted in safe mode, downloaded SuperAntiSpyware like this said to do, and SuperAntiSpyware quits each time I load it, or gets a pop-up that asks me to run it with Antivirus Live, and there is a green check mark and a red close. So far I have only been able to do an AVG free scan, and that came up with nothing. So as of now I have my PC unplugged from the network, and I’m keeping it off.
    Would it be wise for me to just wipe my hard drive clean and re-install Windows XP?

  284. Quan

    Ok, enter these codes at the registration or activation key part: 1147-175591-6550 or 2233-298080-3424

  285. heshani

    AVG Free 2011 virus guard is outdated. I want to remove that and install new virus guard. But it can’t be removed from Control Panel.

  286. Fab

    Hey, how do you find the internet option using windows 2010, cuz I can’t find it

  287. Frank

    This “AntiVirus Live” bug was a tricky one. It would shut down the power of my laptop every time I got close to getting something done. Safe mode was useless. The task manager tip at startup did the trick and allowed me to use SuperAntiSpyware. I would suggest running the “critical point” scan first as it is quick and allows you to kill the bugs that are shutting the power down. Then do the “quick scan” followed by the complete scan. At this point you should be able to use Malwarebytes followed by Microsoft Security Essentials or other antivirus software.

  288. Steven

    I tried all the above and could not get any of it to work. It blocked execution of everything except itself. I booted off Hiren’s cd and ran Avira against the hard drive selecting the clean option. It scanned ok but was unable to clean any of it off the hd. So, I ran it again with the change filename option (adding .vir) to the end and that worked effectively disabling it. I was then able to run SAS and it found all kinds of stuff. I still have some minor problems but am continuing to run more anti virus software until it seems clean.

  289. aztecmaniac

    I got this same issue. I pulled the hard drive, and bought this thing to run it external. I ran all the damned antivirus software I could download on the drive. Now when I placed the drive back into the computer, I get a blue screen informing me that the drive is corrupt. Is there any saving it? I have some work software on it I really want to recover. I need help.

  290. Tapan

    I think running the Malwarebytes scan fixes the issue. Also don’t forget to clean the junk while the scan of Malwarebytes is running. If Malwarebytes is unable to clean then try Spybot Search & Destroy.

  291. katie B.

    PLEASE ANSWER THIS??

    So my computer was infected with this virus months ago. I tried to fix it and I couldn’t, so I shut it off for a while. Today I searched just about every site on Google but it’s all just so confusing.

    Anyway, today I got back on my computer and the virus seems to be gone. I went into safe mode and ran a virus scan & nothing was found.

    BUT my internet still won’t work. I went into tools/internet options and unchecked the boxes but my wireless internet will still not connect to the main router! I hate it! Any simple idea of how I could fix this? ASAP!

  292. Zachariah

    There’s a website called cursors-4u.com; the website was just fine but now it has a brutal fake antivirus. I’m using How-To Geek’s steps right now to see if I can combat this problem. Thing is though, when I use Internet Explorer to go to another website, it redirects me to a weird advertising site automatically. Would this be a proxy or just an infected file?

  293. RobClark

    I have found that older versions of Java are a huge component to this group of viruses. Every computer I’ve found these rogue viruses on has Java on it. You will see in “Add/Remove Programs” all the installed versions of Java. All versions except the latest should be removed. I have never had this virus reoccur on an up-to-date Java version. As of this writing Java update 29 is the most current. Maybe this will translate to something good for you too.

  294. Drave

    Just wanted to say thanks for the advice. While SuperAntiSpyware didn’t find anything other than a lot of tracking cookies (which I expected on my wife’s computer), Malwarebytes was an excellent tool. It found things that my usual favorite (Spybot) didn’t. Thanks again for helping to solidify my “geek cred” with my wife! haha
