How to Remove Antivirus Soft Malware
Tuesday, February 2, 2010 9:54

Antivirus Soft is devil spawn. My computer is protected to the teeth and somehow it still managed to sneak onto my computer just from my visiting a website (not opening or clicking anything… and not even a porn site - because that might have been more worth it), and when I noticed it, my spyware and virus programs didn't recognize it.
Antivirus Soft masquerades as antivirus software - but it's malware. As part of its masquerade, it puts a little green shield in your system tray, pops up 'virus warnings' every few seconds and blocks other applications from running - especially the anti spyware/malware/virus software that you immediately run in order to get rid of it - and even Task Manager.
There are other sites with removal instructions on them - but the recommended malware software didn’t find it, no one addressed the fact that it won’t let Task Manager open and some of the instructions were outdated. After all… what kind of malware would it be if it wasn’t updated to circumvent common removal techniques? So, here you go. (For Win XP Pro)
1) Antivirus Soft blocks Task Manager from opening so that you can't stop the process. To get around this, log off of the profile or restart your computer. As SOON as you log into your profile again, hit Ctrl+Alt+Del - BEFORE Antivirus Soft has started. (It is launched from the Run key at logon, so you have only a few seconds.)
Optionally, if you can't get Task Manager open, you can do the fix from a different, uninfected profile. To do it from a different profile, do step 5 first to figure out what the app name is (before you delete it) and then use that name to do step 4. You won't have to do steps 2 or 3.
2) Once you’ve got task manager safely opened, close everything that you don’t need open, including items in your system tray. System tray items can be closed by right clicking them and choosing exit, close or their applicable shut down option.
3) In Task Manager, click the Processes tab. You will see a bunch of stuff listed here. Antivirus Soft uses a random character string as its process name, so it will be gibberish (mine was nfcjsftav.exe). If you're lucky, you've been through this screen before and you know what a lot of the processes listed are. If not, you will need to systematically google every one of them (enter 'whatever.exe' in the search box) to figure out what's legit and what isn't. Because the name is random, the Antivirus Soft exe will turn up no results at all; a legitimate but obscure process usually turns up something, so "no results" is a strong hint, but check the other signs too. It also helps to sort by Mem Usage: Antivirus Soft will appear in the top few memory users (mine was around 35,000K). Make a note of whatever your app is called, because you will need that name in the next steps.
4) This step requires editing your registry. If you’ve never done it before, please call your local geek to come help you. You can screw up your computer if you do it even a tiny bit wrong.
Open regedit (if you don't know how to do that, stop. Call your geek. Srsly.). Wherever you see [random] in these instructions, substitute the name you found in step 3. The entries below are the ones Antivirus Soft adds or changes; the point is to undo them, not to set them.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - delete the value whose data contains [random] (this is what starts Antivirus Soft every time you log on)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments - if "SaveZoneInformation" = "1", delete it (a value of 1 tells Windows not to keep zone information on downloaded files)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings - if "ProxyServer" = "http=127.0.0.1:5555", delete it and set "ProxyEnable" to 0 (that is the 'use a proxy server' checkbox in IE's LAN settings). This local proxy is how Antivirus Soft hijacks your browser; until it is gone, IE won't load anything.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations - if "Files" = ".exe", delete it
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings - make sure "ProxyOverride" = "" or "<local>" (depends on your setup)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download - if "RunInvalidSignatures" = "1", delete it (1 lets IE run downloads whose signature doesn't check out)
HKEY_CURRENT_USER\Software\AvScan OR HKEY_CURRENT_USER\Software\avsoft - delete the whole key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - delete the value whose data contains [random]
5) Delete the following files :
%UserProfile%\Local Settings\Application Data\[random]\[random]sysguard.exe (the exe in this folder should be the process you noted in step 3; the sysguard name comes from the instructions I used, and yours may simply be [random].exe)
%UserProfile%\Local Settings\Application Data\[random]\
C:\Program Files\Antivirus Soft\ (I didn't have this one but I saw it listed in the instructions I used)
If you don't see 'Local Settings' when you browse to it, that's because it is a hidden folder: either put the whole path into the address bar of your Explorer window (View > Toolbars > Address Bar if you don't have it), turn on 'Show hidden files and folders' in Folder Options, or run a search for the [random] app.
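The checks in steps 3 and 4, written out as a Python script. This is an added illustration, not code from the original post: it applies the indicators described above (a [random]sftav.exe / [random]sysguard.exe process, a Run entry pointing into Local Settings\Application Data, the proxy, attachment and download-signature values, and the AvScan/avsoft keys) to a snapshot of the process list and the HKCU hive. The process names, memory figures, profile path and registry values in the sample are constructed to match the post, not captured from a real machine, and the list of stock XP processes is a minimal assumption, not a complete inventory. On a live box you would feed it what Task Manager and regedit actually show (or read the keys with Python's winreg module); here it runs offline.

```python
import re

# Indicators taken from the removal steps above (Antivirus Soft, early 2010):
# a process named [random letters]sftav.exe (or ...sysguard.exe), a dropped exe
# under Local Settings\Application Data\[random]\, and a handful of HKCU values.
ROGUE_NAME = re.compile(r"^[a-z]{3,16}(sftav|sysguard)\.exe$", re.I)
DROPPER_PATH = re.compile(
    r"\\Local Settings\\Application Data\\[a-z]+\\[a-z]+(sftav|sysguard)\.exe$", re.I
)

# Minimal set of stock Windows XP processes (an assumption for this example,
# not a complete inventory); anything else is what the text says to google.
KNOWN_XP = {
    "system", "system idle process", "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
    "taskmgr.exe", "ctfmon.exe", "alg.exe", "wuauclt.exe",
}

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
INET_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ATTACH_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Attachments"
IE_DL_KEY = r"Software\Microsoft\Internet Explorer\Download"
ROGUE_KEYS = (r"Software\AvScan", r"Software\avsoft")


def suspect_processes(processes):
    """processes: list of (image name, memory in KB) as on the Processes tab.
    Returns (rogue, unknown): names matching the rogue pattern, and names not
    in KNOWN_XP ordered highest memory first, since the rogue sat near the top."""
    rogue = [name for name, _ in processes if ROGUE_NAME.match(name)]
    unknown = sorted(
        ((name, kb) for name, kb in processes
         if name.lower() not in KNOWN_XP and name not in rogue),
        key=lambda p: -p[1],
    )
    return rogue, [name for name, _ in unknown]


def registry_findings(hive):
    """hive: {subkey path: {value name: data}} for one hive (HKCU or HKLM).
    Returns (subkey, value name or None, action) for each malware artifact."""
    findings = []
    # Autostart entry whose data points into the dropper's folder.
    for name, data in hive.get(RUN_KEY, {}).items():
        if DROPPER_PATH.search(str(data)):
            findings.append((RUN_KEY, name, "delete: starts the rogue at logon"))
    # Local proxy the rogue installs to hijack the browser.
    proxy = str(hive.get(INET_KEY, {}).get("ProxyServer", ""))
    if re.search(r"127\.0\.0\.1:\d+", proxy):
        findings.append((INET_KEY, "ProxyServer", "delete: local proxy hijacks browsing"))
    # 1 = do not preserve zone information on downloaded files.
    if hive.get(ATTACH_KEY, {}).get("SaveZoneInformation") == 1:
        findings.append((ATTACH_KEY, "SaveZoneInformation", "delete: re-enables zone info"))
    # 1 = IE may run downloads whose signature does not validate.
    if hive.get(IE_DL_KEY, {}).get("RunInvalidSignatures") == 1:
        findings.append((IE_DL_KEY, "RunInvalidSignatures", "delete: IE rejects bad signatures again"))
    for key in ROGUE_KEYS:
        if key in hive:
            findings.append((key, None, "delete the whole key"))
    return findings


# Constructed sample data, not captured from a real machine.
PROFILE = r"C:\Documents and Settings\cass"
SAMPLE_PROCESSES = [
    ("System", 236), ("smss.exe", 388), ("csrss.exe", 3520), ("winlogon.exe", 4200),
    ("services.exe", 3900), ("lsass.exe", 1300), ("svchost.exe", 22000),
    ("explorer.exe", 18400), ("GoogleUpdate.exe", 2100),
    ("nfcjsftav.exe", 35000), ("firefox.exe", 61000),
]
SAMPLE_HKCU = {
    RUN_KEY: {
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
        "nfcjsftav": PROFILE + r"\Local Settings\Application Data\nfcjsftav\nfcjsftav.exe",
    },
    INET_KEY: {"ProxyServer": "http=127.0.0.1:5555", "ProxyOverride": "<local>"},
    ATTACH_KEY: {"SaveZoneInformation": 1},
    IE_DL_KEY: {"RunInvalidSignatures": 1},
    r"Software\avsoft": {},
}

if __name__ == "__main__":
    rogue, unknown = suspect_processes(SAMPLE_PROCESSES)
    print("rogue process(es):", rogue)
    print("look these up:", unknown)
    for subkey, value, action in registry_findings(SAMPLE_HKCU):
        print(f"HKCU\\{subkey} {value or ''} -> {action}")
```

The regex for the process name encodes both the post's example (nfcjsftav.exe) and the comment below that the name always ends in sftav.exe; the allowlist-then-sort-by-memory step is the same triage the text describes by hand. Running it on the sample flags the one rogue process, lists firefox.exe and GoogleUpdate.exe as "look these up", and produces exactly the five registry deletions from step 4 while leaving the legitimate ctfmon.exe Run entry alone.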
Lee says:
February 11th, 2010 at 3:15 am
Hey, I found a stooopidly easy way to generate Task Manager even while infected with AntiVirus Soft. It was so easy I am surprised that others who are more technically advanced than me didn’t think of it first.
I tried first to get Task Manager up before Antivirus Soft loaded, to no success. Even Safe Mode blue screened on me, so I just did this - I found taskmgr.exe in the windows/system32 directory and copy/pasted a shortcut to it in the STARTUP directory.
Simple! That way Task Manager loads on startup. Simple enough to me……
Kevin says:
February 14th, 2010 at 7:57 pm
I just went through all of this. I made a Recovery CD with Bart's PE Builder and used that to remove the files, then rebooted. That was how I got around the task manager problem…. Great write up, thanks.
Tristan says:
February 15th, 2010 at 6:34 pm
Freaking thank you.
Pissed me off, just wiped the hard drive, got stuck with this virus, thought I was screwed.
brett says:
February 19th, 2010 at 3:56 pm
One more step I had to do… In IE, I had to go into Settings, LAN Settings and turn off the proxy server checkbox, otherwise IE wouldn't launch a webpage.
Michael says:
March 1st, 2010 at 5:07 am
Grrrrr! I got up this morning and this Antivirus Soft was on my computer. It would not let me run AVG, Task Manager or open msconfig. It told me that the files were infected.
I went to another computer and found instructions to start up in safe mode (with networking), disable the proxy server in Internet Explorer and then download/rename and run "rkill". Then download/rename and run "Malwarebytes".
Malwarebytes found 7 infections and removed them all successfully. Hopefully that will work.
FYI…. I also read that this crap may be introduced from Facebook. My girl friend had been on Facebook last night and noticed some sort of strange popup from something she said may be “Wonderwall”. I’d like to know if anyone else gets this after being on Facebook.
Cassandra says:
March 1st, 2010 at 8:22 am
I did read about Malwarebytes and tried it but in the midst of obviously having Antivirus Soft on my computer, Malwarebytes didn’t find anything. FWIW, neither did Symantec or Lavasoft though.
Unless it’s something in a third party game, I don’t think facebook allows enough latitude in the code a publisher can post to facebook to post something CAPABLE of infecting anyone with it. You certainly couldn’t in a fan page or an ad.
That said, there are some shady groups and fan pages on Facebook for getting 'a dislike button' or to 'see who's spying on you' that include instructions to install plugins and such that could very well be infected.
Michael says:
March 2nd, 2010 at 6:29 am
Just a stab in the dark recalling odd stuff happening just prior to the problem… (I’m still wondering how AV Soft got into my system.)
I had a problem in Google Earth (which I just installed the day of the earthquake in Chile) that caused an error in ialmrnt5 driver. This happened just before the virus hit me.
Now I am reading about an exploit that was identified back in 2006 (in version 6.14.10.4308 of the driver) that allowed a Denial of Service attack. Just wondering if this might be a new exploit in version .6.14.10.4421. I have also read that this thing may be getting in via streaming video (which I had tried to access some webcams the day of the tsunami warnings for Hawaii.)
One thing I did notice also… I had been browsing the internet at the same time the error occurred. After restarting… my Firefox history for that day had vanished.
Cassandra says:
March 2nd, 2010 at 2:11 pm
Ah. Who knows. It appears that Antivirus Soft has been around for a while. The removal instructions I found didn't address a few of its most annoying removal avoidance techniques, so it appears to be frequently updated - so I would imagine that how it gets onto a computer has also changed.
In my case, I went to a website (a specific roller derby website) and as the page loaded, it was downloaded and I started getting the popups from it almost immediately. I didn't click on anything on the page, so it had to have been in a script that runs when you load the page. FWIW, there was no streaming video on this page. Because I know the site and know it's not a malicious site, it had to have been in an ad somewhere on their page. That means it was likely JavaScript. If JavaScript is the vehicle, that would account for it being associated with streaming video, which can be done (but not always the case) with JavaScript.
I haven’t gone back to the page to find out. ;p
Jake says:
March 9th, 2010 at 6:38 pm
The process name for Antivirus Soft will ALWAYS be [randomletters]sftav.exe in case anyone was having trouble finding the process.
Sue says:
June 20th, 2010 at 10:09 am
I got this AVsoft virus while on Facebook, too. I avoided it for a while by shutting down as soon as it came on, and logging off the internet immediately, but my daughter thought it was my anti virus and let it proceed. I hope this works, ’cause it sure is a pain in the butt!