Antivirus Live
Antivirus Live is an unwanted and unsafe program that disguises itself as a security application for Windows operating systems. Antivirus Live comes from the same group that created the notorious Antivirus System PRO, which infected a large number of computers in a short period of time. The program gets onto computers through methods that lead users to believe it is beneficial and useful, when in fact installing it may harm the computer. Using a cleanly designed graphical user interface, Antivirus Live easily deceives its victim, particularly once it begins to display a stream of alert messages.
Antivirus Live is designed to run itself whenever Windows starts by modifying the system registry and inserting its own entries. The malware also terminates any security-related process it discovers, rendering installed security programs ineffective. Blocked Internet access and malfunctioning Windows functions are further burdens users may experience once infected with Antivirus Live. Remove Antivirus Live from an infected computer as soon as possible using a well-known anti-malware program. Keep rogue applications out by installing an effective security solution that blocks the entry of unwanted applications, including Antivirus Live.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
Antivirus Live Removal Procedures
Antivirus Live REMOVAL TOOL:
With threats like Antivirus Live, using the free tool Malwarebytes Anti-Malware is highly recommended. If the trojan blocks the download and installation of MBAM, use a separate, clean computer to download it. Rename the executable file before running it on the infected computer.
MANUAL REMOVAL PROCEDURE:
1. Press Ctrl+Alt+Del to stop the process associated with “Antivirus Live”. When Windows Task Manager opens, go to the Processes tab, then find and end the following process:
[random characters]sysguard.exe
2. Update your installed antivirus application so that it has the latest database.
3. Thoroughly scan the system and remove any detected threats. If removal is not possible, quarantine the infected item. Malicious files should also be located and deleted manually; see the files related to Antivirus Live listed below.
4. Registry entries created by Antivirus Live must also be removed from the Windows system. Refer below for the entries associated with the rogue program.
- For Windows 2000/XP: Go to Start > Run, type “regedit” in the dialog box, then press Enter.
- For Windows Vista/7: Go to Start > Search Programs and Files, type “regedit” and press Enter.
5. Exit registry editor.
6. Get rid of the Antivirus Live start-up entry by going to Start > Run and typing msconfig in the “Open” dialog box. A window containing the System Configuration Utility will open. Go to the Startup tab and uncheck the following start-up item(s):
[random characters]sysguard.exe
7. Click Apply and restart Windows.
Technical Details and Additional Information:
Malicious Files Added by Antivirus Live
%UserProfile%\Local Settings\Application Data\[random characters]\
%UserProfile%\Local Settings\Application Data\[random characters]\[random characters]sysguard.exe
File Location for Windows Versions:
- %UserProfile% is C:\Users\<Current User> on Windows Vista/7 and C:\Documents and Settings\<Current User> on Windows XP/2000.
Antivirus Live Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[random characters]”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “[random characters]”
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “RunInvalidSignatures” = “1”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyOverride” = “”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyServer” = “http=127.0.0.1:5555”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations “LowRiskFileTypes” = “.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments “SaveZoneInformation” = “1”
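As an added example (not part of the original article), the following PowerShell audit script reads the registry values and file locations listed above and reports which indicators are present for the current user, which is a quick way to verify that a manual clean-up is complete. It assumes the key paths and value strings exactly as listed, deletes nothing, and will miss a variant whose executable name does not end in sysguard.exe.

```powershell
# Added audit script, not from the original article. Read-only: it reports
# which of the indicators listed above are present and deletes nothing.
# Assumes the key paths and values exactly as the article lists them.
$findings = @()

# 1. Run entries (HKCU and HKLM) that launch a *sysguard.exe binary.
#    Comments on this page note the name can differ, so treat a clean
#    result here as "not found", not as "not infected".
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata
        if ("$($p.Value)" -match 'sysguard\.exe') {
            $findings += "Run entry '$($p.Name)' in $key -> $($p.Value)"
        }
    }
}

# 2. The AvScan key the rogue creates for its own settings.
if (Test-Path 'HKCU:\Software\AvScan') { $findings += 'HKCU\Software\AvScan exists' }

# 3. Values the rogue sets: the localhost proxy that breaks browsing, and the
#    three settings that silence download and zone warnings.
$cv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'
$checks = @(
    @{ Path = "$cv\Internet Settings";     Name = 'ProxyServer';         Bad = 'http=127.0.0.1:5555' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download'; Name = 'RunInvalidSignatures'; Bad = '1' },
    @{ Path = "$cv\Policies\Associations"; Name = 'LowRiskFileTypes';    Bad = '.exe' },
    @{ Path = "$cv\Policies\Attachments";  Name = 'SaveZoneInformation'; Bad = '1' }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and "$v" -eq $c.Bad) { $findings += "$($c.Path)\$($c.Name) = $v" }
}

# 4. Dropped executable under the per-user Local Settings\Application Data
#    (resolved via GetFolderPath so the same code works on XP and Vista/7).
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')
foreach ($f in Get-ChildItem -Path $localAppData -Filter '*sysguard.exe' -Recurse -Force -ErrorAction SilentlyContinue) {
    $findings += "File: $($f.FullName)"
}

if ($findings.Count -eq 0) { 'No Antivirus Live indicators found.' }
else { 'Indicators present:'; $findings | ForEach-Object { " - $_" } }
```

Run it from an account that is not the rogue's target, or from Safe Mode, since the rogue terminates tools it recognises while it is active.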
Jeff
Dec 21, 2009 @ 20:14:57
HI, I was able to get Antivirus Live from popping up on my screen after startup. You need to go into “msconfig”, before AV Live starts, in the “startup” tab disable “gxqwssysguard” from starting. Then you will be able to go in and uninstall Antivirus Live’s components.
Joe
Dec 24, 2009 @ 01:16:02
HI, I followed Jeff’s instructions with great results. Everyone should follow these steps.
Phil
Dec 24, 2009 @ 06:40:52
Hey guys, I did what Jeff (above) suggested and it got rid of the program’s pop-ups and I can now use all my programs. However, now my Internet Explorer acts as if I have no connection and I know that I do. This virus only affects individual user accounts, and while I can connect on one account, the previously infected account will not connect. WHAT’S GOING ON! PLEASE HELP?
jtvision
Dec 25, 2009 @ 00:14:05
Check your Internet Explorer Proxy settings. The program modifies them.
Matt
Dec 25, 2009 @ 00:23:58
The virus changes internet explorer settings to run on a proxy. You will need to change the settings to not use the proxy.
Josh
Dec 29, 2009 @ 18:04:20
I was unable to find that specific file in startup. Might it be under a different name?
Chris
Jan 01, 2010 @ 10:07:35
I too was not able to find that specific file in startup. Do you know of any other names it could be. And once you do, where do you go to uninstall the program? Thanks!
Rick
Jan 01, 2010 @ 23:03:41
It was called yumksysguard.exe for me. Just disable it and you should be able to work on getting it cleaned out.
vinniec
Jan 09, 2010 @ 16:10:18
I just took care of this problem using the help on this page. Thank you, thank you, thank you. Only thing I had to figure out was how to load msconfig on Vista, which was difficult. When you start up, click on the Vista icon before the virus starts, type in msconfig and hit enter.
Frank
Jan 10, 2010 @ 21:32:12
Where are these people .. I would like to hire some folks and ask them to find out why the good folks try and destroy other people’s computers and lives.
My solution is go to your last Windows restore .. then do a Norton virus scan.
Does anyone know where these scumbags operate from?
How can Mastercard accept payment for their product?
charles
Jan 13, 2010 @ 07:32:25
Well, I have the same exact problem and I can’t even get my msconfig (start up) to load. It blocks that. However, I was able to transfer all my memory and such to my external hard drive. Anyone have any other ideas for me to get onto start up other than msconfig? Thanks
Edith
Jan 16, 2010 @ 05:40:10
Jeff’s comment is a great 1st step (and there are only 2). It was called “jbjnsysguard” for me. Looks like they come in varying forms and all end in “sysguard”. I saw it in “msconfig” -> “startup” several times, so you may want to scroll thru the whole list and disable all of them. You need to do this pretty quickly when your desktop loads, before the “Live Antivirus” loads. After it’s disabled, all you need to do is a System Restore back to a most recent date where you know you didn’t have this virus.
greg
Jan 17, 2010 @ 23:47:13
The secret to success is all in the timing. After you turn on your computer and Windows boots up, wait just until the desktop appears and icons start loading in the systray. (Look in the bottom right corner of the desktop.) Now queue the task manager (Ctrl+Alt+Del) and it should open before Antivirus Live kicks in. In task manager, click on the processes tab and wait until you see a program called XXXXsysguard.exe start. (The XXXX refers to random letters, e.g. qtlssysguard.exe or fdtpsysguard.exe.) Highlight that program and right click. Choose “end program” and then “yes.” That’s step #1. Now click start->search->files and folders and search for “sysguard.exe” (be sure to enable “search hidden files and folders”). Just delete all the entries that show up. Make sure to empty the recycle bin, and you’re done with step #2. There’s only one more step, but I must warn you, it’s dangerous. Like open heart surgery, one misstep and you’ll have a big problem. This virus makes changes to the registry files, which are the heart and soul of the computer. If you want to go ahead with it, first backup your registry files and then start->run and type “regedit.” Now look for a folder called “HKEY_CURRENT_USER” and click the little plus next to it. Navigate to the folder labeled “Software” and click that little plus. Look for a folder called “AvScan” and delete it. There are a few more files to go, but they require the alteration of registry values, not the deletion of files. I strongly suggest letting a professional do this part, but if you want to do it yourself, google the phrase “delete antivirus live registry keys” and click a link.
Tina
Jan 19, 2010 @ 17:46:21
Need help, where is msconfig and task manager?
Jo
Jan 20, 2010 @ 20:27:05
For msconfig go to Start, click on Run, type in msconfig and click OK. For Task Manager, hold down Control, Alt, and Delete all at the same time and your Task Manager will appear.
trista25
Jan 21, 2010 @ 18:05:39
It was under uvlmsysguard on my computer. It seems that the prefix changes, but it always ends in sysguard. Deleting that process at startup, before the program kicks in, worked for me, but now I have to do the proxy connection thing because I cannot connect to the internet.
Tim from CT
Jan 21, 2010 @ 18:09:59
I got the virus last night and couldn’t do much so I shut down. I just followed Greg’s advice above for step 1 and 2 and everything seems to be working fine.
My question is regarding the registry keys…. is that a step that needs to be done or will my antivirus that I use (ESET Smart Security) pick up anything else that’s wrong?
Like you mentioned, I don’t want to screw anything up, so I’m wondering if I should take it to someone to perform this task or if it’s straightforward enough to do myself, and again whether it definitely needs to be done.
Thanks…
Chris From TX
Jan 23, 2010 @ 16:59:17
Hey greg, thanks for the info…..got the virus this morning and was lucky to find this info on the web….but Tim had a good question, does that registry key step need to be done?? Cuz my computer seems to be working fine, but what’s really goin on inside?? Thx……
John
Jan 29, 2010 @ 16:49:13
U can run msconfig in safemode and save yourself some headache.
greg
Jan 30, 2010 @ 00:15:47
tim and chris:
The registry keys are like instructions for the computer’s operating system. Each key has a value that tells the system to do something. But like gears in a clock, each key has a purpose. Move one clock gear a tiny bit, and the clock could be ruined. That’s why it’s very risky to make changes unless you know exactly what you’re doing. In my first message, I added that last bit about registry keys to be thorough, plus the deletion of HKEY_CURRENT_USER\Software\AvScan is pretty straightforward. While it is true for the most part that the step about revaluing the other registry keys isn’t always necessary, in some cases they can cause the computer to act up (slow boot times, error messages popping up). If you followed steps 1 and 2, and afterward your computer worked fine, then I wouldn’t worry about the registry keys.
Parker
Feb 05, 2010 @ 11:38:43
Thanks all, everything worked out great! I did have the problem where I could not get my Internet Explorer to work, saying I had no connection but I did. Go into Internet Explorer/Tools/Connection/Lan Settings/ and turn off using proxy server.
jim
Feb 05, 2010 @ 19:43:16
I too got infected with AntiVirus Live last week. However, I did not have an AVScan folder in my registry file. The only way I could get rid of it was to boot into Safe Mode w/Networking. Next, go to Internet Explorer > Tools > Internet Options > Connections. Go down to the LAN Settings button > click and then uncheck the Proxy check box. This malware makes this change and sets your Internet settings so that you can only get to their site to buy a “solution” to the infection. Change the proxy settings and now you should be able to get to the web in Safe Mode w/Networking and then download rkill.com (Google it and there are a number of reputable sites where you can download it for free). Run this file in Safe Mode and it will kill the underlying processes of the malware that prevent you from browsing folders, accessing Regedit, Task Manager etc., but it will only work in Safe Mode or the malware will kill it. Since the malware files are in “Hidden Folders”, you’ll need to be able to see them in order to get rid of them. Therefore, open Control Panel, then go to Tools from the menu bar and Folder Options > View. Check “Hidden Files and Folders” and uncheck “Hide Extensions for Known File Types” and “Hide Protected Operating System Files” and then OK.
Then, go to My Computer > Documents and Settings > [your profile] > Local Settings > Application Data. Look for a folder with a random file name (mine was ak3gh) and check the create date on it. If it is in line or close to when you started noticing problems, it’s probably one of the culprits. Open the folder and look for an .exe file (usually the only file in there). If you’re not sure whether this is one of the offending files, Google the file name to ensure it is not a known executable associated with a valid program or update. Make a note of the create date and, if Google does not indicate it is a known file, then delete it.
Then go to My Computer > Documents and Settings > [your profile] > Local Settings > Temp. Sort those files by Create Date and look for any strange .exe file names with a Create Date/Time similar to the file you deleted previously (again, Google the file name if unsure). This is evidently a beacon file that is created in case the original file is deleted. It will contact infected web servers and will ultimately re-infect your system. I also cleaned my registry but, as I said before, I did not have the AVScan folder. What I did have was a registry entry under HKEY_CURRENT_USER > Software > Microsoft > Windows > Run. There I found an entry for starting and running the .exe file I had deleted in my Application Data folder under my profile in Documents and Settings. Right click and delete the ENTRY (not the Run folder).
I also had a few other Registry entries pertaining to my Internet Explorer settings that I changed but unless you know what you’re doing, I wouldn’t suggest making those changes. There are free Anti-Malware programs out on the net that will clean the rest of the registry settings and other ancillary files that may be hanging around once the main files have been deleted.
Siv
Apr 06, 2010 @ 04:32:22
Thank you very much, Greg!! It worked great. I searched many forums, but, I didn’t get right instructions anywhere. Your suggestions worked out well. The .exe file name is “PASBCTYTSSD.EXE”. So, it is not always true that EXE file name is always having “SYSGUARD” in it.
Lauren
Feb 22, 2011 @ 02:55:07
Hey there, I’m just sick and tired of the AntiVirus computer virus and yes it’s very aggressive. It blocks everything on your computer to get rid of it. I don’t know any free anti-malware programs you can install. My dad thinks it’s my fault that I get this stupid virus! It destroys lives, businesses, and in my case the trust my dad had for me online. How can I stop it from coming back on my computer?