Antivirus Live

How do your remove this if the virus will not let you access the net or your CD drive? The virus only allows you to access the Antivirus Live site! It will also not allow you to run your sercurity program and remove it.

hi your article says everything i have but once i download the program to remove Antivirus live i download it and then it donsent let mi access the program you suggested to d.load! because the security warning pops up on it.! please help me i'm getting frustrated!.

ANTIVIRUS LIVE - Malware

If you get this on a PC, it's a bitch to remove, but here's how you do it. It wont let you open regedit or even a command prompt, but it's slow to load, so:

Log out of PC in question, and log back in again.

AS FAST AS YOU CAN, Right click on the task bar and open task manager.

Find the process: [random]sysguard.exe, for example mscqsysguard.exe and stop it.

Then run regedit and back up the registry to another location, such as a flash or network drive.

delete the following registry keys:

HKEY_CURRENT_USER\Software\AvScan

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"ProxyOverride" = ""

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS]"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS]"

Then, delete the following files: %UserProfile% is any user with a folder in the documents and settings folder

%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS]\
%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS]\[random]sysguard.exe
%UserProfile%\Local Settings\Application Data\(any files not in a folder that are in this tree)
%UserProfile%\Local Settings\Application Data\sysguard.exe

Tell the Virus: GOTCHA BIATCH!!

I am a Systems Administrator for an IT company, and I have seen this particular virus at least 10 times in the last week. Anyone else notice this? Is there any information of its origin?

Worked like a charm. I feel like I just beat a game...

THANKS THANKS THANKS SOOOOOOOO MUCH JESSE!

hey guys thanks for your help i also found out that if you go to a restore point like a month earlier than when you got the virus it'll work to. thank you again you guys saved my bacon, yall gave me a place to start.

thanks again

had this on my work pc, but instead of trying to beat the program to get msconfig up, I just simply rebooted in safemode. Push F8 immediately when it reboots up on XP, this will allow you to work without rushing and hurrying. It took me a few mins to do what needed to be. The scan was the longest part of the process.

I followed Jesse's steps, and everything seems to have worked fine. I'm not having issues at start-up anymore or anything.

I didn't find a few of the keys mentioned above, or any of the files, so I was unable to delete them all. I did find and delete the 1st 4 that are listed. Is there somewhere else I need to look? Could the un-deleted files still give me problems?

Hoping that I've gotten rid of enough of the virus to keep from causing any future problems...please let me know if this isn't the case.

Jesse, you’re the best! Got the malware this morning, followed your instructions, and I’m up and running again this afternoon. I was missing a couple registry keys that you mentioned. I couldn’t find these:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings”ProxyOverride” = “”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “[RANDOM CHARACTERS]”

Also didn’t find this file:

%UserProfile%\Local Settings\Application Data\sysguard.exe

Maybe it’s because I pulled the plug on my computer when the pop-ups started and the virus didn’t have a change to fully deploy. BUT, here’s what I did find. I searched all local drives for files modified today. I found this file:

%UserProfile%\AppData\Local\Temp\1073.exe

My address above is a little different than yours. I’m using Vista. Not sure what you’ve got. The important thing is the “1073.exe” file has the same icon logo (yellow with red dots), same size, same modification date & time (7:04 AM), same company (tzuk), and same file description (Sandboxie Start) as the “sysgaurd.exe” file. So I deleted this file and all other files modified from 7:04 AM until I shut down. A Google search for “1073.exe” brought me back to the same torrent website that originally gave me the virus.

Now that it's gone, I hope, is there a way to prevent future attacks?

It took me forever to get rid of this. Thanks for all of the pointers. McAfee was of no help, and I was lucky to find this site.

Jesse you are the BEST! I would kiss you if I saw you, believe me I am pretty enough for you to like it! Thank you Thank you!!!

I mean usually something like this stops everything to do with internet. I had unplugged my internet connection maybe because I wanted to relax and listen to some music instead before having to worry about dealing with a virus. That's what's really annoyed me about this attack. I really want revenge now for taking over my whole PC even when I wasn't using the internet. They need to be caught and publically executed.

I madde this video about my experience http://www.youtube.com/watch?v=DZAZO00vYqs
I took this other short video to try and record how none of my offline applications were allowed to work either http://www.youtube.com/watch?v=tSU1vBnw4H0 as I could not use mspaint.exe to save any screenshots. The same message appeared for every application I tried.
It's hard to say what to do about your monitor not coming out of sleep. I hope by now you've fixed it. It's not easy to imagine what it's like to have that problem. I once overclocked my PC and got no picture on my monitor. With my little knowledge I was quite fortunate that I was able to reset the BIOS . This was a long time ago but there was one of those connections like you have on the back of hard drives to set them to slave / master etc. You have to take it off , restart the PC and then replace it to get your BIOS setings back to default. Or maybe if you try holding down "escape" "del" or "F8" you might get the setup page for the BIOS or SOMETHING.
Sorry , I knwo it's a nightmare, hopefully someone eles will be along to help soon.

Scared--thanks for the note. I have not been able to get it to work and yes it's a nightmare! I've never had a virus before, my biggest issue is always not enough memory or stupid stuff. I will definitely try your ideas though. I have tried holding down F8 and esc., don't think I tried delete. I'll be investigating my monitor later today!! Hopefully it works.
Still open to any and all suggestions, if anyone has any. In all the research I have done online, not one comment has said anything about this spam messing with the monitor. I am at a loss!

Check your Motherbord manual to see how to reset BIOS to default. It's a long time since I did it there may be a new sytem for modern PCs.

I just thought - most credit card companies insure aginst online fraud so I suppose he Michealas son could claim back what he paid as this is a scam. I should imagine those credit card companies will want to hunt down who's responsible because it's going to cost them dearly. I might pass on the information I have to them.

THANK YOU THANK YOU THANK YOU

im a kid with not very techie parents, so should i go to bestbuy or something, or can i fix this stupid thing on my own?

Restart the PC . Press F8 for startup options. Skip the taskmanager step. Delete as Jesse advised all instances of the Antivirus Live program . e.g. sysguard.exe in regedit.exe.

i cant run regedit because "application cannot be executed. the file is infected. please acrivate your antivirus."

Maybe I should have said try to beat Antivirus Live into taskmgr.exe by using the hotkeys , ctrl alt and del pressed simultaneously . Don't press the combination twice though , that will restart the PC. I just experimented with it and there is about a delay of a second before it pops up after pressing the hotkeys. Probably too late to tell you but just in case it helps anyone else struggling to rid themselves of the virus.

Another grateful THANK YOU, Jesse!!

so far i opened the task tray and stopped the programs. Also I obviously clicked not to use a proxy or I couldn't get here. 😛 trying to restore it to previous date before messing around in the registry as that scares the living crap out of me. Hoping it works and tyvm for this site so far.

~Lori

i found some things that said userprofile and deleted them. there were no precent signs and they did not specifically say what you wrote in, (ie: local settings/application data/etc...) but so far no harm seems to have come and I seem to be rid of this virus.

I had found another site on my other computer and asked them what to do about this problem and they told me that they couldn't help because I had not posted any logs and that they were deleting my post. Thank whatever higher power you believe in I found this site and you people. I hope you all have wonderful lives and wish nothing but the best for all of you.

Much gratitude,
Lori

T H A N K Y O U J E S S E!!!!! wow, what a disaster we had. Sunday morning my husband could not get on his computer ...nothing. This nasty pop up - anti virus inc forcing you to buy their protection. Fortunately, we checked on line on my laptop and somehow found this website with all these helpful comments. Found and followed Jesse's directions for deleting files. Didn't find all of them, but deleted most in the list. Thank you for helping us. We don't understand the mentality of people bright enough to do good with this technology but choose to be destructive, deceptive. Just ugly. Anyway...thank goodness for people like Jesse...thank youuuuuuuuuuuuuu! Jayne & Joe

God Bless you Jesse. You are the man!!!!!

Lori, thos files should be in documents and settings with your user profile, "lori" I presume. If you chose your user profile as fred you would see a folder fred in the "document and settings" folder. Sometimes difficult to find because for some reason it's not the same as "my documents". Click on "my computer" then on the harddrive with windows running on it probably C:/ but D:/ in my case because I have C:/ with nothing on . Then you will see it.

Thanks very much, Jesse!
I'm very much intrigued to know how you found the solution. Could you share with us?
Also, for people affected by this -- you'd better also do a full disk search for sysguard and delete those findings.

THANK YOU SO MUCH for these instructions. I was unable to find a few of the items though (listed below) and all seems to be well. Thank goodness for Mozilla Firefox which was NOT AFFECTED by this on my computer. I was still able to access the web via my Firefox even during the Antivirus live attack, which is how I found this page.

Any one have a recommendation for a better anti virus that might actually work against this coming on again? It sounds like Norton didn't do much for anyone with removing or catching it (didn't prevent me from getting this). I am considering switching to McAfee which one person above seemed to receive help from. Any insight would be great.

Thanks, Allison

Items I couldn't locate to delete. Note I did do a full system search for sysguard and sysguard.exe and nothing was found so I think I found it all.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings”ProxyOverride” = “”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyServer” = “http=127.0.0.1:5555″

Then, delete the following files: %UserProfile% is any user with a folder in the documents and settings folder

%UserProfile%\Local Settings\Application Data\(any files not in a folder that are in this tree)
%UserProfile%\Local Settings\Application Data\sysguard.exe

frustrated by this malicios virus. had to pay $100 to have it remvoed.
anythng we can do to have initiate or join a criminal invetigation or class action law suit?

thanks for your good info.

Unfortunately, I am one of those who bought the program to clear all the mess on my computer. Now I backed the files up to a previous date and the Live Virus pro is not on my system, but the charges are still pending on my card acct. Am trying now to figure out how to block the charge for something I do not have.

lets find these f**kers and bash their head in

no puedo abrir mi correo desde mi equipo

I was recommended this website by my cousin. I am not sure whether this post is written by him as no one else know such detailed about my trouble. You are wonderful! Thanks!