
Antivirus Soft

Posted on 3 February 2010 under Rogue Programs

1. What is Antivirus Soft?

Antivirus Soft is a program that pretends to be a security tool but is actually scareware. It is spread by a trojan and belongs to the same family as Antivirus Live and Antispyware Soft. Because it is scareware, it uses fake virus detections to confuse the user into thinking that the computer is infected. The fake detections come from Antivirus Soft's bogus scanner, which imitates a scan for threats and ends with a report listing virus-like names. The user is then asked to purchase the program before the falsely detected viruses can be removed. Antivirus Soft belongs to the rogue program category and cannot remove real computer threats, even after a license has been purchased.

As in most similar cases, a fake Windows Security Center is created to display Windows security alerts, which helps to convince the user that the computer is infected. It is also used to advertise the rogue software, giving the impression that the program is recommended by Windows. Here is an example of a Windows Security alert falsely reported by Antivirus Soft:
  • Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan you computer. Your system might be at risk now.

Antivirus Soft is configured to start a computer scan each time the PC is started or restarted. It also sets the Internet browser to use a proxy server, which breaks the Internet connection (no page can be loaded), so that the user cannot download an anti-spyware tool that might remove Antivirus Soft.

1.1. To restore internet connection perform the following steps:

  • Launch Internet Explorer
  • Go to Tools and then Internet Options
  • Choose Connections tab
  • Click on LAN settings
  • Uncheck box next to Use a proxy server for your LAN
  • Click OK to close current window
  • Click OK to close Internet Options window

To prevent an anti-spyware tool from being installed and removing it, Antivirus Soft blocks almost every application; trying to run one produces the warning message "Application cannot be executed. The file is infected. Please activate your antivirus software". Task Manager, which is needed to end the malicious process before Antivirus Soft can be removed, is blocked too. Use the following guide to unblock Task Manager.

1.2. To start Antivirus Soft removal process:

  1. Go to Windows directory and open System32 folder (C:\Windows\system32).
  2. Rename file taskmgr.exe to iexplore.exe or taskmgr to iexplore if file extensions are hidden.
  3. Double-click the renamed file iexplore or iexplore.exe. If you were able to open Task Manager, go to Step 5.
  4. If Task Manager still cannot be started and shows the "Task Manager has been disabled by your administrator" message, go to Start -> Run, type in
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
    and click OK. Then repeat Step 3.
    * Editing the Windows Registry is complicated and should be performed by an advanced computer user. Use this guide at your own risk.
  5. Under the Processes tab, search for [4 random chars]sftav.exe (for example vntrsftav.exe) or [4 random chars]sysguard.exe (for example bshwsysguard.exe) and end the process by selecting it and clicking the End Process button.
  6. Proceed by downloading Antivirus Soft removal tool below without rebooting the computer.

2. Antivirus Soft screen shot:

[Screenshot: Antivirus Soft]

3. How to remove Antivirus Soft:

  1. The Internet connection might be disabled or the Internet browser might be blocked by Antivirus Soft, so it won't be possible to download any files to the infected computer. In this case, please download all files required for Antivirus Soft removal to another computer and then transfer them to the infected one using a CD/DVD or USB flash drive.
  2. To remove Antivirus Soft, download Spyware Doctor and install the program (for the installation guide click here). Before installation, make sure all other programs and windows are closed.
  3. After the installation, a computer scan should start automatically. If so, please move to the next step. If not, click "Status" on the left side menu and press the "Scan Now" button to run the computer scanner as shown in the picture below:

  4. After the scan has been completed and scan results have been generated, press "Fix Checked" button to remove Antivirus Soft.

  5. Restart the computer to complete Antivirus Soft removal procedure.

4. Antivirus Soft files:

C:\Documents and Settings\user\Local Settings\Application Data\prmlmh\vntrsftav.exe
[random string]sysguard.exe
[random string]sftav.exe

5. Hijackthis entries:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [ctdgbsgc] C:\Documents and Settings\user\Local Settings\Application Data\prmlmh\vntrsftav.exe
O4 - HKCU\..\Run: [ctdgbsgc] C:\Documents and Settings\user\Local Settings\Application Data\prmlmh\vntrsftav.exe
O4 - HKLM\..\Run: [eeqeqhay] C:\Documents and Settings\[user]\Local Settings\Application Data\pafrfi\bshwsysguard.exe
O4 - HKCU\..\Run: [eeqeqhay] C:\Documents and Settings\[user]\Local Settings\Application Data\pafrfi\bshwsysguard.exe
* strings in red are random in each case of infection
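
The entries above can be checked for automatically. The following Python script is an added example, not part of the original guide or of any removal tool: it scans HijackThis log text for a browser proxy pointed at the local machine and for Run entries whose path matches the file-name pattern listed in section 4. The function name `triage`, the finding labels and the benign `ExampleUpdater` line are assumptions made for illustration, and the proxy check is generalized to any loopback port rather than only 5555.

```python
import re

# Lines copied from the HijackThis entries listed on this page, plus one
# constructed benign entry (the last line) to show a non-match.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [ctdgbsgc] C:\Documents and Settings\user\Local Settings\Application Data\prmlmh\vntrsftav.exe
O4 - HKCU\..\Run: [eeqeqhay] C:\Documents and Settings\[user]\Local Settings\Application Data\pafrfi\bshwsysguard.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

# R1 proxy entry whose host is the local machine (any port).
PROXY_RE = re.compile(
    r"^R1 - HKCU\\.*\\Internet Settings,ProxyServer = "
    r"(?:https?=)?(127\.0\.0\.1|localhost):(\d+)", re.IGNORECASE)
# O4 autorun entry: hive, [value name], then the executable path.
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$",
                    re.IGNORECASE)
# File-name pattern from the page: random prefix + sftav.exe or sysguard.exe
# in a subfolder of Local Settings\Application Data.
ROGUE_PATH_RE = re.compile(
    r"\\Local Settings\\Application Data\\[^\\]+\\\w+(?:sftav|sysguard)\.exe$",
    re.IGNORECASE)


def triage(log_text):
    """Return (kind, detail) findings for the indicators described above."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = PROXY_RE.match(line)
        if m:
            # A loopback proxy is an indicator to review, not proof by itself.
            findings.append(("loopback_proxy", f"{m.group(1)}:{m.group(2)}"))
            continue
        m = RUN_RE.match(line)
        if m and ROGUE_PATH_RE.search(m.group(3)):
            hive, value, path = m.groups()
            findings.append(("rogue_autorun", f"{hive} Run [{value}] {path}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

Because the folder, file prefix and Run value names differ on every infection, the match relies on the fixed `sftav.exe` / `sysguard.exe` suffix and the Application Data location rather than on the sample names.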