Antivirus Soft
Antivirus Soft Description
Antivirus Soft is a rogue security application from the same family as Antivirus Live, which typically enters users’ systems with the help of Trojans. On execution, Antivirus Soft displays fake scan reports, pop-ups and security alerts in an attempt to convince the user that the PC is infected. The user is also told that the only solution is to purchase the “full version” of Antivirus Soft. Antivirus Soft is not a legitimate security application, and users should never waste their money on this useless application.
Type: Rogue Anti-Virus Program
How Can You Detect Antivirus Soft?
Antivirus Soft Technical Report
As new Antivirus Soft details are reported by our customers and findings from our Threat Research Center, we will update this section.
Fake message for Antivirus Soft:
The following fake error message(s) appear for Antivirus Soft:
Antivirus Software Alert
Infiltration Alert
Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar.
Threat: Win32/Nuqel.E
The following Antivirus Soft files, with their MD5s, were created on the system:
Antivirus Soft typically runs the following processes in memory:
- %UserProfile%\AppData\Local\[RANDOM CHARACTERS]sftav.exe
- %UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS]sysguard.exe
- %UserProfile%\Local Settings\Application Data\[random]\[random]sysguard.exe
- %UserProfile%\AppData\Local\[RANDOM CHARACTERS]sysguard.exe
Antivirus Soft creates the following registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Antivirus Soft"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
- HKEY_CURRENT_USER\Software\AvScan
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "Files" = ".exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Antivirus Soft"
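The file-name patterns and registry values listed above can be checked offline against an inventory of a suspect profile. The following Python code is an added example, not code from the original page or its vendor; the `triage` function, the `(key, value name, data)` input format and the sample data are assumptions constructed for illustration, and only a subset of the listed registry values is checked.

```python
import re

# Page pattern: [RANDOM CHARACTERS]sftav.exe / ...sysguard.exe in the per-user
# local application data folder, or in one random subfolder below it.
PATH_RE = re.compile(
    r'\\(?:AppData\\Local|Local Settings\\Application Data)\\'
    r'(?:[^\\]+\\)?[a-z0-9]+(?:sftav|sysguard)\.exe(?=$|["\s])',
    re.IGNORECASE,
)
MS = "software\\microsoft\\"
# (key without hive, value name) -> data the page lists for an infected system.
REG_INDICATORS = {
    (MS + "internet explorer\\download", "runinvalidsignatures"): "1",
    (MS + "windows\\currentversion\\policies\\attachments", "savezoneinformation"): "1",
    (MS + "windows\\currentversion\\internet settings", "proxyserver"): "http=127.0.0.1:5555",
}
RUN_KEY = MS + "windows\\currentversion\\run"

def strip_hive(key):
    """Drop the hive name and lowercase, so HKCU and HKLM paths compare equal."""
    return key.partition("\\")[2].lower()

def triage(reg_values, file_paths):
    """Return findings for (key, value name, data) tuples and file paths."""
    findings = []
    for key, name, data in reg_values:
        sub, lname = strip_hive(key), name.lower()
        if REG_INDICATORS.get((sub, lname)) == data.strip().lower():
            findings.append(f"registry: {key} {name}={data}")
        elif sub == RUN_KEY and (lname == "antivirus soft" or PATH_RE.search(data)):
            findings.append(f"autorun: {key} {name} -> {data}")
        elif sub == "software\\avscan":
            findings.append(f"key present: {key}")
    findings += [f"file: {p}" for p in file_paths if PATH_RE.search(p)]
    return findings

SAMPLE_REG = [  # constructed sample data, not taken from a real host
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings", "ProxyServer", "http=127.0.0.1:5555"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "xkcd", r'"C:\Users\bob\AppData\Local\abcdsftav.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater", r"C:\Program Files\Vendor\updater.exe"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Download", "RunInvalidSignatures", "0"),
]
SAMPLE_PATHS = [
    r"C:\Documents and Settings\bob\Local Settings\Application Data\qwer\qwersysguard.exe",
    r"C:\Program Files\Vendor\sysguard.exe",
]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_REG, SAMPLE_PATHS)))
```

The random Run-value names and file-name prefixes are why the check matches on the fixed suffix and folder rather than on exact names.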
February 1st, 2010
My virus file was cigmsftav.exe. I had to restart and get Task Manager going before it started up. Once Task Manager was running, I was able to delete that file and stop the popups. I still have to edit the registry (little unsure of that one).
February 5th, 2010
Antivirus Soft took out my computer even when I had Norton Antivirus installed.
Norton no help at all and wanted $160 to eliminate the Antivirus Soft.
Long story short, I canceled my subscription to Norton and did a system restore on my computer (on the extreme side, I know). Good thing all my data was backed up. Not a trace of that pesky Antivirus Soft.
Now I have to decide which non-Norton antivirus software to purchase.
February 7th, 2010
I use System Mechanic with antivirus and it's been the best product that I have ever used, but it didn't stop the Antivirus Soft. Kicker was I never clicked anything; it just popped up on the screen while I was reading a web page. I never click buttons on these rogue antivirus scams, I just turn off my computer and restart, but that didn't work. So I looked up the Antivirus Soft virus on Live Search and found an article directing me to Enigma, and I had to start my computer in safe mode with internet access to get to the site and download SpyHunter3. Antivirus Soft sucks, and even though the problem is fixed on my computer it has been detected and moved 3 times since I got SpyHunter, so that just goes to show how many other people are getting hit with this bug!
February 9th, 2010
Hi, just removing this for a friend, pretty nasty. Another reg key that may have been modified is
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "yes"
it will have been changed to
"CheckExeSignatures" = "no"
Not sure if the malware does this but it has been changed on the system I’m fixing.
February 10th, 2010
Can someone please tell me how to get rid of this Antivirus Soft? I can’t get to anything executable, including my registry keys or Task Manager.
February 17th, 2010
Like Veeppilo above, I too have Norton Antivirus installed and fully up to date but somehow the virus got through, either from my on line bank web site (unlikely) or my web mail browser which I use occasionally. Once infected, and in between all the annoying pop ups, I ran a full system scan using Norton and nothing was found – the PC was reported as clean!! The only way I could resolve the problem was to reboot the PC from a recovery disk and run a full system restore from my latest backup. All running ok now.
February 20th, 2010
Thanks for the tips. I just used all of this information to fix my girlfriend’s PC. Deleted all of the questionable registry files listed and things are running fine now.
February 22nd, 2010
I have Windows Vista and was logged on as admin when I got infected with this soft virus. It doesn’t let me do anything as admin, but I can log on as guest or other user name with no problem. Can it still infect these other users? Not very good with computers, so would prefer something I just click to fix the problem. Please help.
February 25th, 2010
Avast didn’t pick it up either, and for a second there I actually thought that it was Avast telling me this. Thank goodness I found out how to close it, or else I wouldn’t be able to even find the fix for the damn thing.
February 28th, 2010
Too late for me…I paid 70 bucks to BUY Antivirus Soft…after a gazillion popups, I could NOT access the internet, except for the site to buy this. Do I have any recourse?? Can I recoup the money? Man I am ticked
March 2nd, 2010
I got it from the icanhascheeze site. Probably a banner :/
March 4th, 2010
Add hnppsftav.exe to the list of culprits.
March 5th, 2010
I blew the $49.99 to get it to even let me get to my files, it totally locked up the computer, once I blew the bucks I was able to remove it.
March 10th, 2010
Wonderfully helpful post!
Machine had Eset Nod32 2.7 antivirus, and did not prevent this infection.
It blocked Task Manager, file deletion (rundll32), regedit, and even safe mode!
After a reboot I got to regedit before it started, and removed the entries listed above.
Many Thanks!
March 16th, 2010
I was infected when I was reading an article on Encyclopedia Dramatica. I know I didn’t click on any suspicious links or ads. Norton, Spybot Search & Destroy, and Malwarebytes didn’t help. My only option was to try to manually delete everything. Antivirus Soft doesn’t run anymore, but Internet Explorer did open on its own and open a pornography page. I’d like to think I’m in the clear because no further websites have opened in the last 45 minutes, but I remain skeptical.
Does anybody know anything about the people behind this rogue program?
March 17th, 2010
Wow. This has been a fun time. Thanks for posting all this very useful info.
March 17th, 2010
GREAT POST!!! Saved my LIFE!!!
March 18th, 2010
Like Denise, when I was infected by Antivirus Soft I spent $49.95 to purchase the removal software. Everything looked above board and it unlocked my machine. It was not long afterwards that I discovered that I had been taken for a sucker.