How To Uninstall/Remove Antivirus Live Virus Removal Guide
Antivirus Live is one of the most aggressive rogue anti-spyware programs (scams, fake anti-spyware, etc.) that we have ever encountered. Once Antivirus Live gets on your computer (via Trojans), it sets itself to start automatically whenever Windows loads.
Just like other fake antivirus programs, Antivirus Live will perform a fake scan of your computer and report that numerous infections and security problems were found, and that you need to buy Antivirus Live to take care of them. Remember that these reports are fake and that you should not buy Antivirus Live: it is a scam. What you should do is remove Antivirus Live, as we will show you later in this article.

Antivirus Live Is The Most Aggressive Rogue Anti-Spyware Around
Antivirus Live is a tricky “virus” to remove once it gets on your computer. The first thing it does is block almost any program you try to load and tell you that it is infected. In addition, it changes your Internet Explorer proxy settings so that the only site you can browse is the Antivirus Live site (so you can purchase it… but don’t do that). Antivirus Live will also display various security warnings and alerts on your computer, all of them telling you that your computer is infected. Do not believe these warnings. Antivirus Live is basically a virus in itself and you should remove it immediately using the removal guide below.
OK, now that you know what Antivirus Live is and what it does, here is how to remove Antivirus Live from your computer. It is best if you print these instructions first.
Step 1. Antivirus Live may block all downloads on your computer. If this is the case, all the files should be downloaded on a “clean” computer and transferred to the infected one using a USB stick or a CD/DVD.
Step 2. If you don’t have another internet browser installed (such as Mozilla Firefox, Chrome, Opera, etc.), you will need to undo the proxy settings changed by Antivirus Live. If you do have another browser installed, proceed to step 4.
Step 3. In Internet Explorer go to Tools->Internet Options and click on the Connections tab. Press the “LAN settings” button. Now uncheck the “Use a proxy server for your LAN” option. Click OK and close this window. Now you should be able to browse to other sites using Internet Explorer.
Step 4. Because Antivirus Live blocks most applications from being opened, click here to download the rkill.com file. Once the download is complete, run it. Antivirus Live will show an “rkill is an infection” message. Ignore this and try again until the Antivirus Live process is terminated.
Step 5. Go here, download Malwarebytes’ Anti-Malware and save the setup file to your desktop.
Step 6. Close all open applications and windows and run the Malwarebytes’ Anti-Malware setup from your desktop.
Step 7. Proceed with the default settings for the MBAM installation process. In addition, you should tell the software to automatically update itself and then run once it has been installed.
Step 8. Go to the scanner tab, select “perform quick scan” and click the Scan button. Now wait for Malwarebytes’ Anti-Malware to scan your computer.
Step 9. Once the scan is completed, go back to the scanner tab and click the Show Results button. Select all the detected infections and click “Remove Selected”.
Step 10. When the process is complete, you should have successfully removed Antivirus Live and all related files from your computer, as well as additional malware detected by MBAM.
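Step 3 can also be checked from a PowerShell prompt. The script below is an added example, not part of the original guide: it reads the per-user registry value behind the “Use a proxy server for your LAN” checkbox, switches it off, and re-reads it after a pause to see whether something has turned it back on. It assumes PowerShell is available on the machine and is run as the affected user; the function names are illustrative.

```powershell
# Added example (not from the original guide): report and clear the per-user
# proxy flag behind IE's "LAN settings" dialog. Run in the affected user's session.
$InetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-IEProxyState {
    # ProxyEnable = 1 means "Use a proxy server for your LAN" is ticked.
    $p = Get-ItemProperty -Path $InetKey
    New-Object PSObject -Property @{
        ProxyEnable   = [int]$p.ProxyEnable
        ProxyServer   = [string]$p.ProxyServer
        AutoConfigURL = [string]$p.AutoConfigURL
    }
}

function Disable-IEProxy {
    # Equivalent of unticking the box in Step 3. The ProxyServer string is left
    # in place so the value that was set can still be recorded afterwards.
    Set-ItemProperty -Path $InetKey -Name ProxyEnable -Value 0
}

function Test-IEProxyReverted {
    param([int]$WaitSeconds = 30)
    # Clears the flag, waits, and returns $true if it has been switched back on.
    Disable-IEProxy
    Start-Sleep -Seconds $WaitSeconds
    (Get-IEProxyState).ProxyEnable -ne 0
}

$before = Get-IEProxyState
"Before: ProxyEnable=$($before.ProxyEnable) ProxyServer='$($before.ProxyServer)' AutoConfigURL='$($before.AutoConfigURL)'"

if ($before.ProxyEnable -ne 0) {
    if (Test-IEProxyReverted -WaitSeconds 30) {
        'Proxy was switched back on: a process is still rewriting it. Terminate it (Step 4) and run this again.'
    } else {
        'Proxy disabled and still off after 30 seconds. Restart Internet Explorer to pick up the change.'
    }
} else {
    'No manual proxy is enabled for this user.'
}
```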

The above removal instructions for the anti virus live can’t be completed because now the computer will not do anything. It is completely locked out. I can’t get it to start in safe mode.
Any suggestions?
Thank you!
Malwarebytes won’t run for me because Antivirus Live is blocking it. But when I downloaded a renamed version it worked perfectly fine.
Use your F8 upon start up and click repair windows. Do a system restore.
I know u love me,
That’s how I had to fix it, probably the best way, thank god I had enabled it but you can do other things to fix this as well.
You know you gotta be careful doin a system restore with this. I did that and it deleted my OS watch the hell out bros if you ever get this virus again take a different route to fix.
P.S. this is NOT the best way to do it
I just got infected by this virus last night. I have Norton internet security and I ran a system check. Norton located the corrupt files and knocked them out. I haven’t had any problems since.
Thanks so much guys! The rkill.com file does indeed work. I was very close to giving up on this laptop and reimaging it.
-Jason
Hello, I’m just trying to uninstall antiviruslive… I have tried rkill, but when I get to the final steps of the megaware install, it does not allow the process to complete… any suggestions??? Thanks
Sorry, the malware install. As soon as I get to the final steps of installing it, after I have run rkill, it will not allow me to install it… the popup states that it cannot find the file… any suggestions??? Thank you… Dustin
I found the best way to stop Antivirus live is to first stop the pop up boxes.
Re-start your computer and then as fast as you can right click on the task bar (the bar at the bottom of the screen), this will open a white box with downward headings.
Click on “task Manager” and wait for this to open. Importantly this will keep open the windows task manager box!
On the “windows task manager” you will see a few headings click on “processes”
On the bottom left side of the “processes” make sure the “show processes from all users” is ticked if not tick this box.
Then under the heading “image names” look for the following “sysguard.exe” however, it may have some other letters before it say “edrsysguard” left click this once and it will be highlighted.
Then left click the “End process” and double check there are no others of that name.
Then click the main start button and go in to control panel then click on “internet options” which will open a box with the heading “internet properties” then click on “connections”.
On the bottom right, you will see “LAN settings” click this and it will open a box with the heading “local area network (LAN) setting”.
Now any boxes that have a tick, un-tick them, make sure every box is empty! And press OK.
This will now stop all the pop up boxes!
Now log onto the internet and get anti malware.
If you cannot get onto the internet, go back to the “local area network LAN setting” and click the box “Automatically detect setting”
Do not turn off or restart your computer until you have loaded and run the anti-malware!
I hope this helps
Thanks, this was really helpful. My computer was affected and i was not able to do any thing. I followed these steps to stop the Virus and then did a System Restore. And that removed the virus from my Laptop.
Thanks,
Thanks so much for your help Shami, your advice worked a treat.
that’s just what i did!!!
great minds think alike
Shami, this worked perfectly, thanx.
Thank you so much!
I was unable to have the rkill file open as the virus was blocking it but being able to end the process worked perfectly!
I had been searching torrents & a page kept failing to come up & that must’ve been where i got it.
Thanks again
Thank you so much for this tutorial and for the tips! I was going bonkers trying to remove the virus. McAfee didn’t even detect it and that popup was driving me mad! Thank you so much and happy new year!
Shami
Great job! I really appreciate your post. This worked perfectly!!!
That is what I had to do. I had to slow my computer down as much as I could by starting a ton of programs on startup and then run rkill to stop the processes so I could run the Malwarebytes.
THANK YOU!! This hit my laptop this morning & I couldn’t get past all the pop-ups to download the rkill.com. This step by step really saved me – you’re the best!
Thanks Shami! rkill.exe just wasn’t working for me, but your method of stopping the sysguard process was perfect. Was easily able to install Malwarebyte’s software, and the virus is totally gone!
Just a note: I did the complete scan using Malwarebytes’s Anti-Malware, and it took nearly two hours to scan both my C and D drives. I wasn’t prepared for the wait, but you might want to bring a book along or do some chores while you wait.
Shami – Your advice worked perfectly – thank you so much!
thanks shami that did the job on my pc… happy new year…
Thank you SOOO much Shami!!! I was getting so pissed off and about to give up and just take it to the geek squad, who wanted to charge me $150! The tip about how to get the task manager to pop up was the piece I was missing, and it worked like a charm, thanks for posting on here!
Thank you so much! This is the only thing that worked for me.
After 1.5 hours, I finally have Malwarebytes running. Here’s my 2 cents to help those who are not used to doing this stuff. For some reason when I did the right click on the task bar the first time and got the task manager, none of the sysguard files showed up. Then I tried the safe mode thing and I couldn’t get to an internet connection (showing how inexperienced I am with this stuff right now). Well, I rebooted yet AGAIN and this time when I right clicked on the task bar to get task manager, I found the two sysguard files. I’m only 6 minutes into a full scan and the anti-malware already detected two infected files. whew…… Thanks to EVERYONE and especially Shami. I was about to lose it. I really love how I pay for Norton antivirus, and it just yelled at me for not having enough back up space on the internet–nothing about this stuff, but yet the free software does the trick. LOVE IT!
SHAMI’S advice was wonderful! It saved me a lot of money because I didn’t have to replace my 10 year old Dell computer. I know it will bite the dust someday, but it wasn’t today.
Her directions were so clear that even I, a 59 year old woman, could follow them. Thanks so very very much. ;0)
I had the worse version. It changed all admin rights and stopped system restore on my Vista computer. If you keep looking there is a way to do a system restore. I won’t post it though because these jerks probably are scanning the websites evolving the virus.
Make sure to report antivirus live to the BBB otherwise we will never know if they are truly innocent or not. Just what they say….ooo we are innocent but millions of people buy our software because of this virus.
lol, i think I hear something like that on wall street.
I had this virus in my computer, found about it today, darn Trojans, having a horrid day I tried to find a way to fix it, I have a laptop, my desktop is infected. I came on this site and that rKill file does work, but the thing is you have to press cancel on the window from the virus that says this file can not be opened. Keep On Pressing Cancel, eventually the process will stop giving the window and when you run the file it will work, once your desktop window refreshes that means the file ran correctly, and you no longer have the process that keeps popping up windows, then you can run an antimalware program, I am running the malware program that came with softsailors instructions to remove the antivirus live and right now I am rebooting the pc, it found 3 objects infected and removed them. Waiting… I am going to post review here right now…. …
..
…
..
waiting for reboot….
YAHTSEE ITS GONE!! It worked, thank goodness, I hate malware, I don’t know how I got a trojan on my pc, I usually go on piratebay and other trusted websites, maybe I accidentally went on a wrong site.
But this method worked for me follow the instructions on here. I have a desktop with vista and this method worked.
I think the key thing here is being able to run the rkill file, that file stops the popups generated by the virus, without this you can open any program, such a nasty virus. Thank you softsailor!!!
I also tried a pirated version of spyware doctor but it wouldn’t open with my desktop because of the popup process.
THANK GOD!!
Please tell me you are joking.
If not, either jump to linux or just watch TV and leave the computers to the 8 yr olds and up.
This AntiVirus Live trojan is pissing me off too… SuperAntiSpyware seemed to contain it this time for me but not always. Malwarebytes last night didn’t even recognize it as a problem.
AntiVirus Live turns off your actual antivirus protection, and often won’t allow anti-malware/virus programs to run… it also prevents one from being able to restore settings to an earlier date (not that I think that would really help as I think it embeds itself in a registry that doesn’t change) and also prevents one from going in via safe mode.
I think there may be a way to immediately start up SuperAntiVirus immediately after boot up.
What worked for me is this – I disabled the internet connection physically (this didn’t prevent all the fake virus messages bogging down the computer but I got the sense it gave me some time to get SuperAntiSpyware going).
SuperAntiSpyware ran a thorough check which took a while – and I was able to get it so far as to finish and address the trojans it found… however it froze towards the end. This was still good enough apparently to take care of the problem and upon start up next time it seemed to have solved it… but I wish Microsoft would address a fix to this vulnerability. It’s pissing me off.
I’ve been infected two times now with this malware and I seem to be getting it from Pirate bay. It also seems to open Adobe Acrobat before it starts to play havoc on your computer, that’s how I knew I got infected again, so I was able to remove it before it started. I went to C:\Documents and Settings\****(user name)\Local Settings\Application Data and found a folder with random letters, I renamed this folder, went in the folder and also renamed the [random]sysguard application. I then right-clicked the application and scanned it with Malwarebytes and it removed it. I also went into the registry and deleted the folders “AVSCAN”. The first time I was not fast enough and I wasn’t able to do much until I renamed the file and folder, restarted and then removed it, it can’t seem to function if its name is changed. Just a fast way to remove the infection…
thx i tried the one the posted but it will delete the file seen your post and tried your method my scan did not delete it but i renamed it to dont touch this is a virus so if my friend open it it is his problem but thanks alot
Thanks, it worked fine with the rkill.com.
I’ve had a different one of these ‘virus-scanners’ before, and this one was the first one I’ve seen that didn’t actually allow malware bytes to load, considering how it was the first thing I thought of..
Love you.
thank you kindly. this worked well. i had to run the runkill file from a usb, malware was already installed on my machine. i must have continuously run the runkill for about a half-hour until my desktop refreshed. ran malwarebytes immediately after, 3 objects found and purged. all is now back to normal.
i will ask here – i have been computing for 12 years now and this is the first time i’ve been infected. i don’t run anti-virus software, never have. i am not exactly sure how i picked up this trojan. i was on iso-hunt checking for versions of the hangover and then the anti-virus live scam popped up. i will say that my firewall notification was popping up intermittently in the weeks before this. windows firewall is on and my router’s firewall is set to off. so, how did this happen, and how do i prevent it happening in the future.
much obliged for this fix and for all of the comments and suggestions that followed.
The best way to make sure that you won’t get any infections on your computer in the future is to always have an internet security software. I cannot recommend one for you as each security software has its pros and cons (the price, how much resources it uses from your computer). But I am positive that if you have an internet security software that you constantly update (this way it can keep up with all the new nasty viruses that come up), you won’t have too many problems in the future.
Hope this was useful,
Mihai
I tried to run rkill but the pop ups won’t allow it to run – tried to keep saying no to running the fake virus program and then constantly open the rkill but no luck – how long do I sit here and press no on the pop up? Also why didn’t McAfee pick it up? When I try to open the program I see the DOS file come up and try to load but it just gets stopped .. ahhhhhhhh! How can we KILL the people who do this ??
Hi Josh, please give this a try: try to run the rkill file a bunch of times with one immediately after the other. Just double click the file for a few times without pressing anything else. Maybe this way you’ll be able to fool the Antivirus Live Virus.
Hope this works,
Mihai
Just wanted to tell you how much I appreciate this advice!
I (think, hope, fingers crossed) was able to get this to work. This is a seriously malevolent virus! I am VERY careful about the sites I visit and think of myself as pretty well educated as far as phishing and such goes.
So I tried a variety of ways to get rkill to work directly on the affected PC, but although I’d do the LAN step, the malware simply reloaded the checked box. I also tried repeatedly to install rkill to no avail. Because I couldn’t get rkill up, I couldn’t get the antivirus program up either (obviously, lol).
What I ultimately had to do: Downloaded rkill and the antivirus program (AVG) on a jumpstick via a separate, clean laptop … went into Safe Mode on the affected desktop … installed rkill while in Safe Mode.
rkill then wouldn’t run/launch while in Safe Mode, so I restarted and quickly launched rkill before the malware loaded. That halted the malware from loading, and I was able to finally get the antivirus up and running, too. It quickly isolated the malware, and so far, so good!
Now … if there were a program to delete the g.d. jerkoffs who created this …
You guys are the best! I sincerely appreciate your good work. Take care!
Thanks shami did just as you said & it worked great.
Thanks again
wilber
when i turn off my computer and then turn it back on the antivirus comes back
Thank you so much
Thank you so much
Merry Christmas
God bless
thanks shami
How many times do you have to open the rkill file until it comes through? I have done it many times and it keeps shutting it down
cmare2009
I GOT RID OF “ANTIVIRUS LIVE” FOR FREE
1. I DOWNLOADED “MALWAREBYTES” TO A USB FLASH DRIVE, THROUGH AN UNINFECTED COMPUTER.
2. I THEN STARTED THE INFECTED COMPUTER IN “SAFE MODE”, AND INSTALLED “MALWAREBYTES” AND RAN A SCAN.
3. POOF….THE VIRUS WAS GONE!
I TRIED “SPYWARE DOCTOR” FIRST AND IT DIDN’T WORK.
I THEN DID A SYSTEM RESTORE (FOR ONE WEEK PRIOR) TO UN-DO ANY SYSTEM CHANGES THE VIRUS MAY HAVE MADE
I got this virus when I was logging out of myspace…
I have the internet security 2010 virus just a week ago, ugh i’m hating the internet so much.
i think i got rid of this one though..
So far so good…
Booted XP in safe mode, where Antivirus Live wasn’t able to rear its ugly head. In this mode, I was able to install Malwarebytes and run a scan. It detected 5 items (the changes to the registry, executables, etc) and removed them. Booted back up in normal mode – everything seems fine (and hopefully it is).
These twat-waffles have a website. Why is it some federal task force hasn’t disappeared them yet?
We got the Antivirus Live Virus on 12-24-09. I wish I knew how our computer got infected. Thanks to your site, and the line by line directions, we were able to remove it.
Thank you so much! It’s so nice to be online again!
Just keep TRYING. It took me almost 35 minutes to get RKILL to work. I had to keep going into Internet Explorer and shutting off the proxy server setting. I did this over and over and over for 35 minutes and finally RKILL was able to finish its process. As soon as this happened, I used Firefox to download the Malwarebytes program, ran the scan and was able to get the processes.
holy shit it worked.
What do you do if you can’t get the disk to boot up? Yeah, that’s right, it won’t boot up. After you have tried several (many) times to get rid of this thing, it will eventually prevent your computer from booting. Now what? None of the above fixes work. It won’t boot. You can’t get in. You can’t change anything. It has even gotten to the point that when I try to reinstall XP, the system will loop upon re-boot. Let me explain…. You boot from the XP disk, reinstall Windows, the install program copies files, then it reboots, Ah Hah!!! It won’t boot from the hard drive. It starts the install process again!!!!!! Now what??!? How do I get rid of this shit without formatting my drive?
I have successfully removed the virus using rkill and Malwarebytes but it keeps reinfecting my PC. Is there anything else I can do and why do I keep getting this virus? It seems to happen when I search on Google. Thanks, Graham
THANK YOU SOOOOOOOOOOOOOOOOOOOOOO MUCH!!! You saved my computer with all of my babies pictures on it!!!!!! I almost had a heart attack! Thank you for saving my life!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
FOR VISTA USERS:
During windows boot up, it will show “Welcome”,
press “Ctrl + Alt + Del” at the same time.
This will bring up “Taskmanager”, before all other
processes are loaded. Open Taskmanager and keep it open.
Allow windows to boot up normally, very soon you will
see this virus process in the taskmanager window,
it’s usually called “_ _sysguard.exe”. Now you can end it.
Then use other software to remove it.
Here is the very easy way. I was lucky that I was running AVG free and super antispyware (free) and they were both up to date.
1. Shutdown computer by holding the power button for a few seconds.
2. Remove ethernet cable.
3. Run super antispyware, this should get the virus.
4. Run AVG (mine found nothing I assume it was killed by step 3).
5. Plug ethernet cable back in and it’s done!
Hi,
It worked!
For those clueless about tech/PC (like me), please note that I needed shami’s method (see his post) to get it done.
I couldn’t download rkill or MBAM because the virus would not let me. Tried to install rkill via a CD (downloaded rkill to a clean PC). Did not work.
Shami’s method did.
One final note – When you get to the part Shami mentions as “look for the following “sysguard.exe” however, it may have some other letters before it say “edrsysguard””, my version had ‘sysgyard’ in it but preceded by some other letters.
Cheers
well guys, the way i got rid of it was going into the task manager while my computer was loading, find the systemguard process and end it, then run a system restore and voila all gone…..
Yes, This virus is indeed new and once it gets deep into your system youll be locked out. The best way to avoid this is to make weekly backups of your C drive and have a trustworthy antivirus with Malwarebytes installed. This virus has already infected some Warez websites such as Warez-BB and some Megaupload Popups. I found this program called Sandboxie in my C / Application files folder and it was the cause of the virus. I googled it and it came up with the developer Ronen Tzur. Good luck for the people who still have the virus in their hardrive. If you dont have a chance to get Malwarebytes and Install it then i strongly recommend a reformat or recovery because i dont know yet but this virus may have a keylogger or phisher but i dont know. Good luck and if anyone knows Ronen Tzur Please shoot him in the face with a RPG k thx bye.
I am running Safe Mode with Networking on Windows XP, whenever I run rkill it opens up and says everything (including please be patient) and then a couple seconds later it closes and the icons on my desktop along with my start taskbar go away and then it says “Windows is running in safe mode. To continue working in safe mode click Yes. To use System Restore click No.” It is the same window you get when launching Safe Mode. Is this supposed to happen? What do I do now?
I want to say thank you for posting the instructions on how to remove the Antivirus Live virus. I thought I might have to wipe my drive clean to be able to stop it.
I had to use the USB method to load rkill and anti-malware on the desktop. I ran rkill at least 25 times before the virus stopped running. In fact, I gave up, stepped away and when I came back the process was dead. Anti-malware seemed to do the trick.
can somebody help me out. which is the best method to use. shami or the actual one at the top.
i don’t understand because i followed shamis down to a t but 2 pop ups keep popping up and the Malwarebytes’ Anti-Malware site is blocked so i can’t download it.
can somebody help me out?
I’m not sure about others, but I used shami’s up until the line “Now log onto the internet and get anti malware”, then started the original instructions at Step 4. For some reason, I felt that’s where they merged. Good luck!
thank you so much and if i may throw in a tip… if the rkill doesn’t work restart your computer then if you used a USB plug that in as soon as you are logged on, run the program and then run the malwarebytes and that should fix it. A link to malwarebytes: http://www.tbscc.com/tech/ go to the bottom and find mbam-setup.exe. Hope this works and thanks to the publisher of this page whose name i do not know
Oh my god that was terrifying. I’m a nearly 18 year old girl and the only one in my house that knows even a little bit about computers, so of course I had to fix this myself. I was so lost. Using my uninfected laptop and the trusty Google, I found this page. I followed shami’s tips and the original instructions and I’m pretty sure it’s gone now. I’ve never had such a scare!
Usually the basic antivirus program that came with this computer stops trojans and the like, even though it’s outdated. All our laptops have virus protection but I thought the desktop would be fine without it. I was wrong. I guess next time I head out I’ll pick up a decent protection program! Thank you guys so much for this!!!!! Good to see that not everyone out here makes viruses- some of you awesome people help get rid of them!
(Note: I’ll admit, the first thing I did when I saw the virus start up was yank out my internet cable. I only put it back in when I had memorized the instructions from this page. Fortunately my little freakout turned into a good thing- damn virus tried to open some porn sites, among others.)
IFFFF YOUT MBAM SETUP DONTTTTT WORKKKKKKK JUSSSS RENAME IT IM GUNNA KICK THAT ANTI VIRUS GUY IN HIS NUTS
My computer crashed and I unknowingly lost my McAfee Antivirus-spyware protection and it got infected with this virus. I was dreading the idea of taking it to Best Buy in the middle of winter – so I used McAfee’s online virus removal service. Big mistake. I was chained to the computer and phone for 5 hours over the course of two days while they tried to remove the virus. At the end of it, my computer still didn’t work properly, but they said it had nothing to do with the virus, because they supposedly removed it. So I took it to Best Buy, the Geek Squad hooked it up and guess what – they found anti-virus live. They cleaned it up – but I wish I had seen this post before so I could have at least tried it myself. My DSL internet provider (AT&T) provides McAfee Antivirus-spyware as part of their service, which I have reinstalled. Is this good enough to stop this (and other) viruses in the future? (Postscript – It took two hours on the phone – but I did get McAfee to refund my $90 for their “alleged” virus removal service).
I was on the phone with Norton today and he told me this virus got into my computer because I OK’d it and it’s my fault and that I had to pay him $99.99 to fix it. I can not get onto the internet to fix any of this. I can only get nasty porn sites. Can someone please help me. The last step requires the internet and I can’t get to it????
Thank you so much!! Followed your steps and was able to reclaim my computer. Will be much more careful on the internet! Also worked to get rid of Desktop Defender 2010 trojan. Saved having to send it to the shop!
ok here’s a little weird problem. this thing has changed my task manager function. when task manager is opened, it is a large rectangle (wide left to right) with the programs running listed. It has NO processes tabs. It has NO minimize, expand or close boxes at the top. No way to close out the TM. How do I get my TM back to normal?
SHAMI – your directions worked perfectly when i could not get the rkill file to run. thanks!!!!
holy shit thank you so much. For those still with a problem download rkill, then continue to try and execute it, don’t give up. push for a black window to appear. thank you so much again
I did not know what to do when I got this virus, but thanks to these steps, it has been removed. Thank you so much!
I picked up the virus on 1/9/09, was looking for a video, think it was in pirate’s bay, not sure, looking for a torrent. RKILL is what allowed me to get rid of the virus, after I logged in, immediately went to the task manager, and killed the various *sysgard.exe versions. Of all things, I ended up killing it with spybot, after I finally got it loaded.
I’m running up to date versions of webroot’s spysweeper, and version 8.5 of McAfee AV, either of them stopped the intrusion, both paid for programs with annual update payments made. Someone else complained that Norton didn’t detect it either.
So what is a good AV to go with that will for sure detect this virus?
Jim
My situation was probably the strangest one. I will try to summarize really quickly. I came home from work last night and noticed the Antivirus Live with all of its fake ads and warnings. I tried most, if not all suggestions, but nothing happened. I did the repeated clicking of the rkill file for a few minutes, and nothing. I couldn’t load a thing, and even when I did download the malware program, it wouldn’t open, renamed or not. I literally gave up and decided to save my important things to a flash drive, thinking it was over. I was fortunate enough it let me even save them. I then wanted to restart my computer to see if it could, and it did, but to my surprise, no Antivirus Live running and things worked. I then was able to run the malware program to get rid of this. What a scare! How I did this, I am not sure, especially since I am not computer savvy, but many thanks to all here.
Dude.. the same thing happened to me..
Whew..
If you’ve followed the above instructions and the virus keeps coming back with each re-boot, there is still a “run” instance of it buried in the registry and a copy on your disk. Spybot Search & Destroy (http://www.safer-networking.org) comes with some very handy tools (switch the product to “advanced” mode to see them). It has a “system startup” tool that shows ALL of the programs configured to start when your computer boots (much better than “msconfig”, which omits some things). This is how I found the “buried” AntiVirus Live still lurking in my registry after repeated scans with AVG and Malwarebytes. I must say that Malwarebytes found 95% of the corruption due to AntiVirus Live, but it missed this “buried” one. I must also say that I was very disappointed at how effective AVG was against this particular virus.
Use Spybot’s display to track down the “buried” copy on your hard drive & delete it. You may have to play with the directory permissions to be able to navigate to it (I did; the virus did a very good job trying to protect itself). You can then disable and/or delete the remaining registry “run” directive from within Spybot. No need to hand-edit the registry with “regedit”.
When your system is running fine again, download CCleaner (http://www.ccleaner.com/) and do repeated registry scans until your registry comes up clean. I will also add that Spybot has a registry tool that cleans up a couple things that even CCleaner misses. Then use the system’s “system restore” utility to make a restore point of your pristine environment. You’ll be able to use that restore point should the shi* hit the fan again instead of going through all this work (live and learn).
I hope this extra info helps. This site certainly helped me. Note: all comments are for Windows XP, SP2.
This guide didn’t work for me. The IE setting change allowed me to download files but it seems this thing doesn’t allow you to run any .exe files. (I wonder how many different variations there are of this thing)
With a few minutes of playing around, I figured out I could change taskmgr.exe to “iexplore.exe” and it would run w/o the program giving me any error messages.
Safe mode would work but I was working on the machine remotely…
I guess “iexplore.exe” is allowed to run–so perfect solution. Rename taskmgr… run taskmgr… kill the sysguard process, and delete the .exe file.. run msconfig to remove it from startup as well…then run Malwarebytes to remove the registry keys…
Good luck!
I have done all of the above…thought I got rid of this thing twice. Every time it comes back, it is worse. I think it is literally about to fry my laptop as the hard drive started spinning and making noise followed by a loud beep that wouldn’t stop. I had to yank the battery.
Malwarebytes finds and removes things, but it’s not getting it all. Rkill buys some time, but eventually this thing keeps coming back. Has anyone kept this thing off their PC? I’ve tried manually removing the files suggested as well. Need a fix!!!!
JB,
Sounds like you might have the variant that I encountered. See my 1/12 11:24 post above. Make sure you do everything in “safe” mode (hold the F8 key down while your machine is booting).
THANK YOU SO MUCH
that damn virus or whatever is gone now!!!
Wow. Thank you so much. I am completely computer inept, but I was able to follow these instructions and get rid of that terrible virus. Thank you, thank you!
I am in the process of trying to remove AVL. I have initiated MBAM and it’s at the point where it needs to do updates. I have a dial-up modem and when I dialed up for internet access, I get the message that my username and/or password are invalid. I am now using that same user name and password for this connection on another computer at home that’s clean. Does anyone have an idea of what’s happening here? I’m at a loss now as to how to get on the internet so that MBAM can update itself and continue. Is there another way to proceed?
Thank you so much Shami. My daughter is fixing to start online high school and she got that terrible virus. I spent hours trying the rkill to no avail. Your advice saved us and now she can get on with learning. Thank you so much
Please anyone needing help with anti virus live. Go to top of page and scroll down until you see Shami. His solution works, and it is easy. Only took me minutes to get to the scan and waalaaahh!!! virus gone.
Thanks a million! Had a friend in a panic because she’d been using her friend’s laptop and it got infected with this – have just sorted it out thanks to this guide.
One thing I’d point out is that you may have to keep unchecking that ‘use proxy’ checkbox – it would work until the next time the fake alert popped up and that would seem to re-enable it. So I had to keep unchecking as I tried to load various pages etc. (I was reading this article on my macbook whilst fixing on her Windows laptop, so needed to google rkill.exe and download on it directly).
Cheers!
Tracy
**How to kill the pop up box and run RKill**
I got this virus (still puzzled as to how) but following these instructions helped me get rid of it, very useful site.
Now here are my two cents,
For the people that have trouble with the pop up not allowing some programs (including RKill) to work: as soon as you turn on your PC and Windows loads, right click on the blue taskbar at the bottom. Click on Task Manager, go to the Processes tab and at the bottom check the box that says “show processes……users”.
Then look for a file with a name ending in guard.exe.
Click End Process and that will get rid of the pop up box.
Now you can run RKill.
Thanks to everyone who took the time to post information about how to remove the horrible “Antivirus Live” malware program. It struck my computer tonight, and rebooting in safe mode and running Malwarebytes seemed to do the trick.
Thanks a lot. Really appreciate the details. Downloaded the files onto a flashdrive from laptop, installed it on desktop- rebooted desktop, ran software and lo and behold- started working again.
THANK YOU SO MUCH I got this for Christmas and as soon as I got on it antivirus popped up, it’s been like a week and I’m soooo glad now THANK YOU AGAIN
Am currently running the Malwarebytes on one of my other computers. Shami’s advice worked great. Don’t know how I got it, but the only thing I have downloaded for quite a while is the adobe flash something from adobe to view a video. Did this today and here it is. My malware has found 3 objects infected so far and I am hoping it works. So far Shami is god! Thanks
Unbelievable!!!! Bravo!!!
I searched a few sites before I found this one which had clear concise instructions. And it worked flawlessly! I have tried to remove viruses like this before unsuccessfully but thanks to the advice of the people on this site I won this time!
So here is what I did. Follow Shami’s directions. (Smart person.) Then simply pick up at step 5 on the instructions. Easy as hell.
Thanks.
Just got this virus Feb.1, 2010. The file was NOT called ‘sysguard.exe’. This one was called ‘kqtesftav.exe’ AND ‘kbkhsftav.exe’. Yes, TWO processes. Located in folders ‘eoblar’ and ‘qpheae’ in c:documents and settings/user name/local settings/application data.
I tried rkill.exe, malware, anti-virus, none of them would pick it up.
Once I deleted these, my computer was acting normal again. Make sure to change your LAN settings back to auto.
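An added example, not part of the comments above or of any tool they mention: the leftover startup “run” entry and the randomly named executables under Local Settings\Application Data that commenters describe can be checked for together by parsing saved `reg query` output for the Run key and listing entries that launch from a per-user data folder. The sample output, its value names and the user name are constructed; a hit is an entry to review, since legitimate software also starts from these folders.

```python
import re

# Constructed sample: output of
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# The value names and the user name "alice" are made up; the folder and file
# names are the ones reported in the comment above.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    MSMSGS    REG_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
    kqtesftav    REG_SZ    C:\Documents and Settings\alice\Local Settings\Application Data\eoblar\kqtesftav.exe
    kbkhsftav    REG_SZ    "C:\Documents and Settings\alice\Local Settings\Application Data\qpheae\kbkhsftav.exe" /s
"""

VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")
# Per-user data folders where a program can install itself without admin rights.
USER_DATA = re.compile(r"\\(local settings\\application data|application data|appdata)\\", re.I)

def command_path(data):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", data, re.I)
    return m.group(1) if m else data

def parse_run_values(text):
    """Yield (key, value_name, executable_path) for each value in reg query output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key:
            m = VALUE_LINE.match(line)
            if m and m.group("type") in ("REG_SZ", "REG_EXPAND_SZ"):
                yield key, m.group("name"), command_path(m.group("data"))

def suspicious_entries(text):
    """Startup entries that launch an executable out of a per-user data folder."""
    return [(k, n, p) for k, n, p in parse_run_values(text) if USER_DATA.search(p)]

if __name__ == "__main__":
    for key, name, path in suspicious_entries(SAMPLE):
        print(f"REVIEW  {key}  [{name}]  ->  {path}")
```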
Do I delete the processes that RKill closed? Here are the files from RKill:
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\System32\rundll32.exe
Should I delete these files?
Earl
I’ve seen several people asking how they can avoid getting this Antivirus Live malware. Well, the best I can figure is by disabling the Adobe Acrobat Reader from opening in your browser. It seems that this scumware is downloaded via some sort of Acrobat Reader exploit. It seems that the files read by Adobe Acrobat (which have the extension .pdf) can harbor a script that will run on your computer (and thus, .pdf files can be Trojan horses!).
I caught this malware, as well as ANOTHER rogue security program (Vista Antispyware 2010), simply by visiting sites that were affiliated with http://www.wikia.com. Apparently, the Wikia sites (such as starwars.wikia.com) have poisonous ads that download malware to your computer when you so much as go to the Web pages that have the poisonous ads. That’s right– no user intervention required! You don’t have to click on or even mouse over those ads! The ads will download the malware to your PC if you allow the Adobe Acrobat Reader to open .pdf files in your browser.
If this is true, then for now, the best way to avoid getting this and other rogue security software is by disabling your Adobe Acrobat Reader from opening in your browser. Do not re-enable this feature until such a time (if any) that Adobe sees fit to fill in the security holes that are letting programs like this one into people’s computers!
To keep Adobe Acrobat from opening .pdf files in your browser (and thus potentially downloading this and other malware like it into your PC), open up the Acrobat Reader (by double-clicking on its desktop icon). Then, click on the “Edit” menu on the menu bar, then click on the “Preferences…” option. Now, in the Preferences box, click on the “Internet” Category. Under the “Web Browser Options”, remove the checkmark from the “Display PDF in Browser” checkbox. Then, click “OK”, exit out of the Reader, and you’re done!
The easiest way to remove the AV is by deleting the EXE via an administrator share aka \\pcname\c$. You will need to do this from another PC on the same network. Once on the C drive, navigate to c:\documents and settings\the users account\local\application data
The virus is usually in here somewhere, check by date modified. Delete, reboot. You may need to re register Exe files but there is a com for that, or a reg key….
how to remove SA43cb
how to remove SA43cb this file pls
This site is very helpful. The sysguard.exe file did not show up in my task manager. The way that I solved this problem was to reboot in safe mode and then do a system restore to a previous checkpoint that did not have the problem. I then ran the rkill exec successfully and then installed and ran the Malwarebytes program. This fixed everything!
I am functional in getting Malwarebytes and troubleshooting by logging into a Windows profile other than the one I was infected on
I got this nasty little virus on my laptop. Tried following Shami’s method but it kept getting blocked by the virus. Finally I saw Tony Dee’s suggestion about running in safe mode. Tried that and so far, fingers crossed, it’s working. At least it’s gotten the Malwarescan running!
Step by step:
Restart PC
Tap F8 to launch Safe Mode menu
Choose ‘Safe Mode with Networking’
When PC starts, open IE and go to Download.com or other trusted site and download Malwarebytes. Double click to begin installation.
Select to run and update automatically.
It should install the program and begin a scan right away. I’ve been running mine for just 5 minutes and it’s found 15 infected files so far.
Thank you soooo much. I have been trying to get this virus out for almost 24 hours. Luckily I had access to another computer & a usb stick. I have your page bookmarked. Thank you again, you are a real life saver. Have a great day!!
I love that on their website they have quotes from people that just love the program, if they do then these people should be beaten severely! This is a horrible virus that’s easy to get embedded into your computer, I have wasted now about three hours trying to remove the virus.
It works. Run rkill.exe and then run Malwarebytes’ Anti-Malware
On step 3 it will not let me turn it off. Any suggestions on what to do?
Thank you sooo much for posting this!! Very very helpful and it worked great! How do I learn how to do these things.. fight viruses that is.
thanks again!
I would like to thank all of you for making my Xmas day, since we were infected with anti virus live and didn’t know what to do
your instructions, collectively, worked and mbam found registry keys infected, registry values infected, registry data infected and one folder and nine files
thanks again
Cathy P 12/25/09
Why does Norton not pick this up?
The only way I got the rootkill.exe to work was to shut down my laptop, then restart it but while all the programs were loading, msnmessenger, blackberry desktop, etc., I immediately loaded rootkill.exe and it came immediately up and killed the malware. After that I ran the malware scan and everything is good now. Took an hour of my time to get rid of this nasty virus. Stay away from porn site video exe files!!!!!!!!!!!!!!!!!
Man, what an ordeal!!
I booted into safe mode, ran Malwarebytes scan (already had it installed) and removed the 3 entries it found. Then, per BigBirdPhila, I also ran Spybot and it did indeed encounter (and I deleted) a number of registry “run” directives. After about 10 passes with cc cleaner, I thought all was well and rebooted normally, but kept encountering errors every time I tried to update MB, SB AND CC. To fix this, I went into control panel: internet options: Connections: LAN Settings, unchecked Proxys and re-checked Detect settings and that allowed me to be able to update and re-run MB, SB and CC.
They all found MORE stuff.
Looking at an earlier post, I rooted around in my Local settings: applications and found a file called earph and deleted this as well.
You would think that would do it, but after doing some more research, I also installed SUPERAntispyware. After running a quick scan it found a whole BUNCH of nasty stuff related to the AVL virus, so I deleted THEM (as well as hundreds of other nasties SB AND MB AND CC missed) and am now running a full scan with SAS.
All told, this has been a 4 hour task. I pray that I have successfully eradicated all traces and effects of this thing and want to give HUGE thanks to all here who helped me wade through this muck!
I am going to BED!!