318 Comments

Andy

Jan 22, 2010 | Reply

Friends,
Whoever doing this is making money and laughing at us. That’s how I feel. It’s been 6 months and nobody can stop him or her. This telling me that he or she is a genius. I hope some day some how we can trace and report this individual to law enforcement agencies.

Dee

Jan 20, 2010 | Reply

i have tried what you said but every time i try doing it closes the window n does not let me get a chance to delete it

nutty

Jan 20, 2010 | Reply

Thank You Thank You Thank You with all these postings and help I too was successful in getting rid of Antivirus. Now I just need to make sure I prevent it and others from getting me again. I have SymantecVirus program. But is that enough?

Any suggestions?
thanks again

Ronald

Jan 19, 2010 | Reply

I can’t run taskmgr or Process explorer. They are “infected”. What do I do?

Ben

Dec 25, 2009 | Reply

Hey there,

I am glad to say that the manual removal of this virus has worked on both of my computers. I could not find all of the fules mentioned–I caught my virus at an early stage. For those of you who seem to think that since you cant find a file, this guide is wrong, are seriously misguided. This virus is adaptable and can change look or manifest differently each time. I checked for each registry/file on my conputers, and those that I found I deleted. I am happy to say I am virus free!

Heather

Dec 24, 2009 | Reply

I have read everyones posts and have tried to get the task manager up before everything is loaded however it tells me that the task manager has been disabled by my administator which is me.. Any other suggestions??

David

Dec 17, 2009 | Reply

I forgot to say that you should also remove the actual files on the computer.

Look in username/AppData/Local and you will see some folders with names made up of random letters. These are the ones you want rid of.

David

Dec 16, 2009 | Reply

This pest renames itself at very regular intervals which makes it almost impossible to find. None of the suggestions worked for me.
However, this is what did work for me.

1. Get Startup Monitor from Sysinternals for free
2. Start Windows in Safe mode
3. Run the Startups part of the prog
4. Look for and delete any reference to ‘Sandboxie’

I must make clear here that ‘Sandboxie’ is not responsible for the virus. It is just that Antivirus Pro uses it to keep you away from your normal programs.

Alan Forbes

Dec 12, 2009 | Reply

The trick was getting to my Task Manager. Every time I tried to open it, Antivirus Security Pro closed it. Finally, I figured out that I could open it as my system was booting up on a re-start, before the malware was loaded. And when I did, I found “hwydsysguard” and deleted it.

I was then able to download the free copy of Malewarebytes from malewarebytes.net to get ride of the files. Thanks to all those for helping me.

terry

Dec 7, 2009 | Reply

Thank You very much. BT, you’ve saved us all alot of money.

Leonardo

Dec 6, 2009 | Reply

Denise:

Re the IE problem see Stormhelm’s posting from Nov 29:

“To get Internet Explorer working just go to Tools, Internet options, Connections , LAN, and where it says Proxy, just un check it…”

I myself use Firefox instead of IE but I double checked anyway and sure enough the proxy setting was turned on in my copy of IE

Neilus

Dec 6, 2009 | Reply

BT and others, I’ve followed the instructions on this website and others with some success – ie I managed to get the processes stopped. But was still getting uncovenanted re-directs on IE and firfox. The solution was to download Malewarebytes free anti malware program to a flash drive on a friends computer. Then up load this to mine. It cleared out the rest of the infected files. Any resulting registry problem can be fixed with Piriform’s awesome free CCleaner at http://www.ccleaner.com

Sivakumar

Dec 6, 2009 | Reply

it had transformed itself into a different form now, it had created a folder called prefetch in c:\windows\ and it had created a file .pf file in it. also it had created the exe inside the folderC:\Documents and Settings\\Local Settings\Application Data

BT Davis

Dec 5, 2009 | Reply

Derik,

I do not think the Virus limits itself to certain registries every time it infects a computer. The registry entries, it appears, could be in different places. This is what I discovered when doing my research.

One website listed a set of registries that the infection was found. Another website also had its list. While the two lists may agree in most instances, there may be 1 or 2 entries that were different.

Leonardo, in his December 4th post, said that the registry:
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant

Are folders ” … intended for use by Microsoft’s search assistant to record recent searches by the user. Apparently it is also a well-known hiding place for spyware. “.

From Leonardo’s comments, it sounds like you really should have this registry entry. Hopefully it is not infected. My suggestion is to look again.

I know that I have looked for entrys thinking they did not exist. But after a second look I may discover that I missed a part of the structure.

For example: In the above Registry entry, if I got through …\Software\ … but missed … \Microsoft\ …, I could mistakenly think that it just did not exist. But it actually does and I just overlooked a step in getting to it.

But, if by carefully checking again and I still do not find it, then the registry entry probably does not exist. And in the case of the Antivirus System PRO trojan, this is a good thing.

Any problem registry entrys found that are different from those that are known should be posted and shared so that others have more information to deal with this.

At any rate, Good Luck to You

BT

BT Davis

Dec 5, 2009 | Reply

Michelle,

My December 2nd post to Laura may be helpful here.

If your PC is actually a lap top, Leonardo’s post of December 4th could be helpful also.

From your post it sounds like you have already done your homework and ready to take this thing out. You just need to get into Task Manager to open up before these other “sysgaurd” files do.

Good Luck to You

BT

BT Davis

Dec 5, 2009 | Reply

Elle,

At the time of my infection I had AVG Antivirus on the computer. It did not recognize the Antivirus System PRO trojan virus. So it is not surprising that what ever you are using may not recognize it.

If you are still getting those annoying Virus alerts popping up every few minutes then it is probably the case that the virus is still on your computer despite your best efforts. I understand your frustration.

That having been said I understand that not everyone is comfortable or capable of removing this manually. You do have a few options from what I can see though.

1. You can download or buy a malware removal tool that is capable of removing the Antivirus System PRO trojan. This may require renaming this program before it can be used (see my December 2nd post to Laura on this page). I am not sure how well this works though.

2. You can take your computer to a specialist who is capable of removing this. You may even be able to get a specialist to come to your residence to work on this.

Find out how much they will charge. I have heard of some really outragious charges for this. It took me about 4 hours to get rid of this so keep this in mind if the specialist charges an hourly rate. Then again, I am not as savey as these specialists so it may take them only an hour or less.

Also let them know that it is the Antivirus System Pro virus. Chances are they have already dealt with this and know just what to do.

3. You could reformat and reload your operating system. If you have a restore CD that came with your computer you can restore your computer to its original condition when it came to you new. Make sure you choose to restore it, not “fix” it.

You will have to reload all the other applications and devices you got since you bought the computer but hey, at least you will have gotten rid of the System PRO virus.

Have a newer computer but no restore CD’s? Chances are you do have them but they are hidden on your hard drive under a drive partition labled “D:\”. I was able to restore my daughters computer this way.

While I am not sure I think I had to press the F8 key while the computer was booting up. It may be a different key and you would have to visit your computer manufacturers web site to get the details. A menu will pop up giving you choises.

I suggest, if available, that you reformat and restore the system to its original settings. But thats me.

I hope this helps

Good Luck to You.

BT

BT Davis

Dec 5, 2009 | Reply

Denise,

My Internet Explorer also would not connect. I do not remember exactly what I did to get it back. I know it was easy though.

After I got rid of the the Antivirus System PRO virus, I went to get online via Internet explorer and it did not take me to my home page.

I think what I did was click on Tools, Click on Internet Options then click on Connections. I think a dialogue box came up stating that Internet Explorer is not connected to the internet. I think it also asked if I wanted it to find a connection for me. I then probably pressed the yes button and the next thing that happened was that my home page (Google) came up.

I sure wish I had payed better attention to this. If it is any help my work computer where all this was happening is running XP.

Good luck to you

BT Davis

Dec 5, 2009 | Reply

Ricky,

How-To Geek has very good explanation of what svchost.exe is ( http://www.howtogeek.com/howto.....t-running/ ).

While this is used by windows, it seems there are some malware that mimic this. Ehow has an article on this ( http://www.ehow.com/how_513234.....virus.html ).

This should help you get started.

Good luck

Michelle

Dec 5, 2009 | Reply

I seem to have antivirus system pro on another of my PC’s at home I have found the link where it tells you how to delete, stop, remove etc however my system doesnt even allow me to get the task manager up or the registry so I cant follow these routes does anyone have another option?

Samuel

Dec 5, 2009 | Reply

Thanks BT! 15 minutes well spent reading your story and another 15 minutes remove the malware! My brother’ll be glad I fixed his computer when he waked up :)

God bless ya and good luck everyone!

Elle

Dec 5, 2009 | Reply

I need some help. So I’ve scanned my comp twice with this thing, and once it’s done it says my comp is all free from viruses, including the Antivirus System PRO. If that’s so, then why won’t this damned thing go away? I’m still getting the annoying pop-up messages from it and I still can’t use any of my .exe files. I’m totally at a loss when it comes to the instructions to remove it manually, so, does anyone have any ideas? I’d really appreciate the help.

Denise

Dec 4, 2009 | Reply

I found the exe file named as srsysguard. exe
I was able to delete that file. I did a search in my hkey for guard and a registery was found. I was able to delete that registery. I still can not connect to the internet and my Norton will not run. Any suggestions?

ricky

Dec 4, 2009 | Reply

bt

have a question i got my computer into safe mode, i pulled up task manager but i cant find any process that has sysguard.exe in it but there is a process on there 3 times in a row that reads svchost.exe, any suggestions?

ricky

Derik

Dec 4, 2009 | Reply

Ive followed BT’s steps but i ran into some problems.

Ive stopped the processes of the Virus, and deleted some of the files that BT has explained, although when i use the registry editor, i cannot find :HKEY_CURRENT_USER\Software\Microsoft\Search Assistant
It seems like there is no ‘Search Assistant’ folder I can go through.

also, my internet explorer refuses to connect.

anyone have these problems? im running vista

Leonardo

Dec 4, 2009 | Reply

BT’s instructions worked perfectly for me and saved me a huge amount of time. I’ll add my thanks and acolades to the others.

Some additional comments based on my experience:

1) If the infected computer is a laptop, start it on battery-power alone (i.e., unplugged). Many laptops have a power-saving mode that slows down the hardware. This may make it easier for you to enter the Ctrl-Alt-Del sequence before the virus starts.

2) When you do get the Process window of the Task Manager up, click on the ‘Image Name’ column header to sort the processes by name. I found two copies of a process called ‘cngvsysguard.exe’. This is consistent with BT’s experience and seems to be the normal behavior of the virus (i.e., two copies of a process named with four random letters followed by ’sysguard.exe’)

3) When you do the file search step, just enter ’sysguard’ for the name. That way you will find the files regardless of the random 4 letter prefix it is using. There should be two files: the .pf’ prefetch file and the exe file

4) BT refers to two registry folders:

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603

and

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACUMru\5604

These folders are intended for use by Microsoft’s search assistant to record recent searches by the user. Apparently it is also a well-known hiding place for spyware. You can safely delete every entry in both these registry folders. For more details see http://regripper.net/RegRipper/Documents/acmru.pdf

Peter

Dec 4, 2009 | Reply

BT Davis
You memo of Nov. 29th did the trick. Thanks for all your help.

shreyash

Dec 4, 2009 | Reply

I even cant open task manager. some 1 please help me to get rid of Antivirus system pro

numbnuts

Dec 3, 2009 | Reply

I spoke too soon. Seems that I no longer have the continuous pop ups but, Malware bytes is still not allowed to run and I’m still directed to various shady sites when launching from the desktop. Strangely I also notice that when launching Google from a desktop icon the preference options on Google are disabled. I also have a reappearance of entries in the register that I deleted. Just FYI, I think my PC was infected via Adobe Reader and I’ll be using a substitute program for it after I REINSTALL WINDOWS. This Trojan is refining and improving itself. I got it last week also but was able to get rid of it with no problem using Malware bytes.

BT Davis

Dec 3, 2009 | Reply

Uggh

Please view my post on this page dated November 29, 2009 and the one to Laura dated December 2, 2009. At the the risk of sounding as if I may be bragging (which I am not), some people have said they were able to solve their problem via my experience as related in my posts. I just do not want to retyype this stuff all over again.

Good luck to you
BT

Claire

Dec 3, 2009 | Reply

Thanks BT, it stopped working when I went into task manager. Thats let me download and run Spyware Doctor. But at the end I realised that Spyware Doctor only finds the threats doesn’t remove them unless u pay! Anyone know a free program that removes threats not just finds them!!!

Tio

Dec 3, 2009 | Reply

Ugggh!

I can-not get rid of this asp! I have downloaded Spyware Doctor, renamed it, but I get the popup that my pctsgui.exe is infected and cannot open. Also, none of my normal commands are working, like SEARCH, etc.

Every time I think I’ve found a way to remove this software, it blocks me by saying .exe files are infected and inoperable, and of course all of this only started yesterday night when this horrible thing appeared.

Is there a cure for this? Is there a command or a key I can press to get to my files or processes? I don’t know what to do, please help!

Rachelle

Dec 3, 2009 | Reply

I seem to have removed all the files relating to sysguard.exe or Antivirus System Pro, but now I am facing another problem – i cannot open a web browser, thus resorting to going into a net cafe. i have resetted the settings on my browser and yet i still cannot open it/no access to the internet. is/has anyone experienced this?

if anyone can help, pls i would really appreciate it.

Laura

Dec 2, 2009 | Reply

BT
THANK YOU, THANK YOU, THANK YOU! You should have seen me…my fingers were steaming I was moving so fast trying to beat that virus. Needless to say, you were right you have to be on your toes to get ahead of it and keep closing pop-up after pop-up (as well as some porn sites in my case…lovely). I did download Spyware Doctor and all seems well. So far so good! I am back online, on my own accord. Thanks again for all your help!!

BT Davis

Dec 2, 2009 | Reply

Laura,

I am afraid I cannot give you any first hand advice concerning maleware programs like Spyware Doctor. I did not use any of them.

However, during my research on this Antivirus System PRO I did observe that others who were useing these malware removal programs experienced the same problem you were having. Others were telling them that they needed to change the name of the malware removal file name to something else.

For example: if the removal program file you want to use is named “sdsetup_aff.exe” you could rename it “abc123q.exe”.

The point here is to name the removal tool file in such a way that the Antivirus System PRO trojan does not recognize it as a threat and thus preempt it from loading. From the trojan virus point of view, the removal tool is the virus threat and must be eliminated.

Changing the name does not affect the way the removal tool works. Just be sure that you do not change the extension part of the name. If the file name ends with “.exe” then that “.exe” must be at the end of the new name.

Now I must tell you that I am doubtful that this will work. In my experience I was not able to run any of my applications when this virus took over. Micrsoft Office, Acrobate Reader, AutoCAD, Paint and the other applications would not load. I just got that message saying the program was infected.

So I think that the trojan simply does not allow any executable “.exe” programs to operate except those it needs to carry out the scam. That is why, in my opinion, it is important to kill the trojan as it loads but before it can take control. And the way I did it was by opening the Task Manager first. This needs to be done quickly though.

The way to do this is to launch the Task manager at a time when the windows splash screen appears appears (if you do not have a user account screen to log in through).

Or, if you have user accounts that you must log in with, try loading up the task manager as soon as the logon screen starts changing to the desk top screen after loging on.

It is during this breif period that the auxillary little programs that make things work on the computer start loading into memory. That is why it is important to be quick in loading up the Task Manager.

Remember to hold down the Control-Alt-Delete keys at the same time. Do it over and over again until it comes up. Then if not already visible, click on the Processes tab. Look very carefully for any file that has “sysguard” incorporated into the file name. Click on that file name. The click on the End Process button. Then varify in the little dialoge box that you really want to end this program by clicking on the End Process button. Thats all there is to it.

But keep watching and searching because the file may try to load up again and again. Just continue to end these until they stop loading.

Once you have stopped this from loading you should then able to run the malware removal tool.

No I do not think you are doomed ;-)

As Numnutz mentioned, you can always reformat and reinstall your comuter to its original pristine state with the restore disks that may have come with your computer.

Good luck to you

BT Davis

Dec 2, 2009 | Reply

Brian Q

It is interesting that you were able to get the task manager to load this way before the xlmgsysguard.exe file loaded up. In my case I could not have typed that into the text box fast enough. Hey, what ever works and gets you to where you need to be is fine.

Yes the file names do differ. It appears that this trojan, by design, is capable of changing its name, probably in an effort to avoid detection.

The thing to remember here, though, is that “sysguard” is incorporated into the file name. I suppose that we should be thankful in that this makes it easier to spot in the Task Manager process window.

It is good that Avast was able to take care of this. I use AVG and it did not recognize it. It may be because the file name changes from infection to infection (I think).

Good luck to you

Kia

Dec 2, 2009 | Reply

this is so getting me mad

numbnuts

Dec 2, 2009 | Reply

Many Thanks BT Davis. You saved me a reinstall of Windows and many hours of wasted time.

annoyed

Dec 2, 2009 | Reply

I’ve been trying to do the first which is to delete the files on my task manager.. it keeps saying its infected. I’ve seen this virus before (Antivirus system pro) and I wanted to know if i should let it go through the “scan” so I can get onto task manager?

Laura

Dec 2, 2009 | Reply

BT
I am not able to summon the Task Manager. I keep getting a balloon message stating “…the file taskmgr.exe is infected. Do you want to activate your antivirus software now?” It then takes me to the Antivirus System PRO site. Am I doomed?

Laura

Dec 2, 2009 | Reply

BT
Please help! I have downloaded Spyware Doctor onto a disc from another computer, as mine cannot perform due to the Antivirus System Pro, and have tried to use it on my laptop. However, when I try to run it from the disc the virus will not let me. I keep getting a message stating the the program is infected. What do I do now?

Brian Q

Dec 2, 2009 | Reply

BT
I was able to get into my taskmanager by going into start/run and putting in taskmgr.exe before the Antivirus Pro started running. The filename that was running in the taskmanager was called xlmgsysguard.exe. I don’t know if this is the latest version or an older one, but I haven’t seen that filename on any post.

I tried the Malware download, but that didn’t take care of it. I downloaded the Avast anti spyware program and that seemed to take care of things.

Kate A

Dec 1, 2009 | Reply

By the way my was on BVhnsysguard.exe follow BT Davis step he the best : )

Kate A

Dec 1, 2009 | Reply

Thank you so much BT Davis this is my second time that i got this ****
God bless u ..

Oh I want to pray for whoever that created this crazy thing.
May god be closer to you and fix yr heart and mind, make you a better person you know by heart for what u did…. I forgive u eventhough u cause me my time and anger but i still forgive u ..

BT Davis

Dec 1, 2009 | Reply

Frustrated

R U running XP?

BT

frustrated

Dec 1, 2009 | Reply

BT -

I can’t even get my Task Manager tab on the security window to highlight so I can click on it … any ideas. Thanks.

Tom at OSU

Dec 1, 2009 | Reply

Thank you A MILLION BT Davis!! I had this horrible program on my computer, I followed what you said and it’s gone now. Only took me the time it took to restart my computer! THANK YOU!!!!!!!!!!!!

JUDY

Dec 1, 2009 | Reply

Has anyone found how to view “HTTP” sites? I can only search “HTTPS” sites. I have unck’d the “proxy server” & ck’d the “automatically detect setting”. This did not work. I have also “reset my default” setting for IE. I have unplugged internet cables, rebooted/ plugged back in, rebooted, cleared history/temp files/cookies. None of these things work. I am using IE 7. Am using the library’s computer to post. If anyone can help, please e-mail me as I cannot view this website from home. sjmba@centurytel.net

SillyBell

Dec 1, 2009 | Reply

To get started with the cleanup, I found it best to put a copy of hijacthis.exe in the startup folder. That way it loads before the sysguard.exe. From the hijackthis scan, you’ll be able to remove the registry keys and startup files associated with av system pro malware. Reboot computer and now you can make necessary proxy server adjustments in IE, then install and update Malwarebytes.

Brooke

Dec 1, 2009 | Reply

how did you disable it?

Brooke

Dec 1, 2009 | Reply

I need help…..woke up this morning and my laptop was infected…..how do I get rid of this…..please someone help me….

Freshman Failure

Dec 1, 2009 | Reply

Thank you so much Mr. BT Davis. I got the virus while at school today, and effectively killed it off following the directions given in your comment.

God Bless You~

mn

Dec 1, 2009 | Reply

I am still getting re-directed URLs in IE and firefox. HELP…

Marc

Dec 1, 2009 | Reply

Okay, used Spybot and it found eietsysguard.exe

It was under the folder C:\Users\myname\AppData\Local\ntdwgk

Just incase this helps people find it, I use vista.

Marc

Dec 1, 2009 | Reply

I got this last night, from a link from a trusted website. It’s incredibly annoying, I downloaded Malwarebytes (in safe mode, only place I could do it) and ran that, it found HKEY_CURRENT_USER\SOFTWARE\AvScan, however the popups still appeared when I ran Windows normally. I went back to safe mode, ran Malwarebytes again, it found the file again that was supposedly deleted. I checked the regedit for the values listed below and on sites, could not find any of them.

This morning I decided to load windows normally and use task manager at start up to quickly remove the xxxxsysguard.exe file (I have forgotten the prefix to it I was rushing and scared). Ran Malwarebytes again and that HKEY_CURRENT_USER\SOFTWARE\AvScan file was deleted… again.

Looked in the regedit for values, looked in my folders with the search function, I can’t find any of the offending files or registry keys. I know its not gone forever. Have I got a different form of the virus for this to happen? :(

Mac

Nov 30, 2009 | Reply

To BT and others like you,
I was lucky enough (obvious sarcasim) to get this “invasion” this morning. My desktop was screwed, but I was able to research this on my laptop. There were many “solutions”, but your (BT) sidebar was very direct and the most helpful. I was able to rid myself of this CRAP and could not be more thankful. I would also like to thank Stormhelm, 11/29, for the input regarding the “unchecking” of the proxy setting to restore my browser. I have had “this and that” problems with my computer over the years, and have always seemed to be able to find someone online with the solution. The “technical” solutions are often almost impossible to follow, so I, and I hope others, will follow your lead and try post real solutions (never too long) when I have them. Even if they’re a derived from other sources (AS LONG AS THEY WORK LIKE YOURS DID!)
Thanks again, you guys rock!

BT Davis

Nov 30, 2009 | Reply

Richie, Leigh & Katherine,

Thank you for your replies. I was afraid that my post may have been too long. My intent was to give as much information as possible to those who were infected. In my opinion, information and the ability to use it effectivly is a good thing. Your replys make this all worth it. The time I spent on this was not in vain.

My desire was to let others know that if I could get rid of this pest, then others should also be able to do the same.

I must say though, my thanks go to all those other people who have already done the footwork in this scam. I was only successful in my effort because I was able to glean their information from the internet. They are my heros.

God bless & good luck to all.

slimjim1814

Nov 30, 2009 | Reply

sorry my post got cut
was on my phone and well i hit the wrong spot and it posted
anyway
so i did the ctrl alt del stopped it from running
by luck i think, mcafee prompt came up about the lbcesysguard.exe wanting net acess, so i blocked and located on my drive and deleted (with a big ole smile on my face)
i had to do the unchecking of the proxy thing in the settings on IE, after that, im up and running again.
I was finally able to update the Malwarebytes software and did a run and it found the registry stuff.
I had this virus before but it was not nearly as bad and thats how I found Malwarebytes, ill have to keep an eye on the updates for it in the future.
But a big thank you to the ppl who post on here.

Slimjim1814

Nov 30, 2009 | Reply

well I got hit and this board helped me out so I’m gonna pay it forward
mine was called lbcesysguard.exe
and what an SOB it was too
completely hijacked my laptop couldn’t get into any files, net, or anything just kept popping up like crazy
anyway
had to do the ctrl alt del before it could start up and disable it

ted

Nov 30, 2009 | Reply

I contracted the virus Antivirus System Pro and rebooted in safe mode which alllowed me to run AVG 9.0, my regular anti virus software. Does anyone know if this will cath and remove the offending files etc.

Richie Rich

Nov 30, 2009 | Reply

BT Davis, you are my hero!!! Thank you so much for all of the details in your post. I keep my fingers crossed but I seem to be back up and running, Thank you again!

Gord

Nov 30, 2009 | Reply

I ran System Restore and it seems to have gotten rid of it.

Katherine

Nov 30, 2009 | Reply

BT Davis…. Thank you so much for your post. I spent hours trawling the net looking for a solution but all suggestions didn’t work because they either required me to open task manager or download anti virus software, both of which the AVS Pro virus wouldn’t let me do. So, I took your advice at trying to open task manager right at start up and sure enough found the rouge process and stopped it! So far, so good. No pop ups, I can now access all my apps and I’m not being redirected to unwanted websites (I’m female… why do I need a little blue pill anyway?!) Now, I am just hunting around to see if it’s caused any long term damage. So thank you again… you saved my sanity!

Laura

Nov 30, 2009 | Reply

Ok this virus is annoying as fuck. I got it saturday around 9pm while reading about Andy Samberg… WTF?! It was his imdb page…
Anyhoo, i freaked out and got my handy dandy iPod touch to google what the hell this thing was and how to get rid of it. I rebooted, stopped the process and tried to access the forum from my pc but got redirected.
I tried finding the files and registry keys but couldn’t. So then I tried to download AVG but it kept giving me error messages, so I downloaded the free version of Spyware Doctor from download cnet.com or whatever that place is. I ran a scan and it seemed to have found something related to the virus but I had to pay to get it removed. Though it found rookit.agent.ex which I googled and immediately got freaked. I bought a 2 month trial of Spyware Doctor for 6 bucks just for the rookit agent. It deleted it and the other files.
So I rebooted my pc (xp btw) and checked the task manager. No sysguard!!! But when I went on firefox it was fine till a site opened up on a new tab. Something like sportbook.com…
I then tried to access the forum
again but got redirected. Boooo.
Tried Malwarebytes, no help.
I’m currently running a full scan with Spyware Doctor which is taking forever and a half. If this doesn’t stop it, I’m gonna be forced to put on my gloves and black leather suit. Shhiiet.

Anyhoo, aside from searching hidden files and such… What else should I do??

Leigh

Nov 29, 2009 | Reply

BT – Thank you so much. I have been working on this issue for 2 days and your information pulled me through. Mine was egspsysguard.exe but everything else was exactly as you described. It was rooted deeply in my computer. Couldn’t restore to last time I knew the computer wasn’t infected, could not connect to the internet, could not start in safe mode, would not recognize pskill in prompt, could not install removal tool from thumb drive or cd and could not get task manager to run. I had googled as you and found a couple of the infected files but not all of them. Your big help was on a couple of the registry files. I didn’t get them all removed but at least I have Malwarebytes up and running for 8 minutes and it has found 7 infected files. Oh, and I too, had virus protection. Thank you so much for taking the time to type everything you did, it saved me from going bald!

nicole

Nov 29, 2009 | Reply

OMG!
i dont remember who i got the resolution from, but i restore my compture to a earlier date, the one before i got the the stupid program, and now my computer is fine.

THANK YOU!

nicole

Nov 29, 2009 | Reply

omg, please help.
i went onto youtube and then i saw this stupid program popped up that looked legit. I download the AntiMalware thing and it keeps having this box popping up say that i have multipule viruses, and it also put about 3 porno related viruses onto my compture. these viruses were not there before i downloaded this crap.

i thought it would help me keep my comp. safe, but all it does is give me a heart attack.. please help!
i

i cant take if off, and i sure as heck dont want to go to geeksquad and spend alot of money to get it taken off.

pleaseee help.

BT Davis

Nov 29, 2009 | Reply

About three months ago the computer I use at work somehow got a Trojan virus similar to the Antivirus System Pro Trojan virus we are all talking about now. It would constantly pop up and declare that a virus was found on the computer and kept directing me to eliminate it by buying their software. It was so bad that I was unable to use my computer at all. None of my applications would work. Since the computer is needed for data entry I called our server consultants and had them fix it. It took them a couple of days to get working on it and almost a full day to eliminate it. In the meantime I was unable to use this equipment and as a consequence, got behind on some of my work. My employer had to pay for the consultant’s time to fix the problem. It was an expensive and aggravating experience for all of us.

I wanted to avoid this again and so asked the consultant how I may have gotten it. He said that it may have come from a contaminated flash drive of mine (I save and transfer some files) but more likely I got it from a web site I may have visited. He told me that even the New York Times web site was contaminated with a link that got hijacked and caused many problems until it was eventually discovered.

Well on the morning of November 27, 2009 I was online Googleing for “freeware grid paper software”. I wanted to download a freeware program that I could use to make grid paper for design purposes of a pump station rehab plumbing project. I went to several sites and downloaded a few programs. There was one site I visited but it did not appear to have what I was looking for. Oh there was something about grid but there was also something about “raid” also. I do not remember this sites address.

At any rate, just as soon as I left that site the popups started. It was the Antivirus System Pro screen and it said a virus has been found and that I should have Antivirus System Pro remove it. I knew what this was really a scam and I tried to terminate this program. It would not close out. Depending on what button I clicked it would either start scanning, ask if you want to get the full version of Antivirus System Pro, or hide in the quick launch tray for five minutes or so and pop backup again. And every time it did it claimed another file had been infected.

So I thought I would open up the task manager and close the process out. Nope! Just as the task manager would start to open it would immediately close and a message would pop up saying the task manager was infected with a virus. I also noticed that the short cuts to my applications would not work. Instead the application launching I would get a message screen saying that the application was infected with a virus. Then it hit me that I would be unable to use my computer until this problem was fixed. I tried to get hold of our consultant but he was out of town for the holiday and would not be back until next week. I was livid that this had happened again! It was not as if I was visiting questionable sites (porn, warez, gambling, pirate software, etc.). The people who produce these things ought to be in hell with their freaking backs broken!

So I went home angry but also curious. I did some investigating of the Antivirus System Pro antivirus software on my (uninfected) home computer (I googled “Antivirus System Pro”). My goodness there a lot of information on this. As I studied this I realized that it may be possible for me to fix this problem myself. While there are some programs out there that may help get rid of this at a price, the Trojan virus could also manually be removed. So I gathered up a lot of this information, copied it onto a word processor and printed it out (51 pages). I then went to my place of employment and attempted to fix the problem on the computer. I believe I was successful and this is how I did it:

Incidentally, my computer is connected to a server. In consideration for everyone else on the system, I had disconnected the server cable from my computer thus isolating me from the server. This kept the virus on my computer only (well I hope so anyway).

I turned the computer on. When the logon screen came up I typed in my password and logged on. Just as my desktop screen came up, but before any of the application shortcuts were showing, I pressed the Control-Alt-Delete keys. I did this 2 or 3 times as my XP desktop will take awhile to populate. I wanted to be sure that the Task Manager would be among the first things to load up.

A windows security screen appeared and I very quickly clicked on the Task Manager Button (bottom center). When the task manager appeared I quickly clicked on the Processes tab. I then looked closely at the TSR’s that were loading up. From my research I knew I was looking for a program with the word “sysguard” incorporated into the file name. Sure enough a program called “ycvnsysgaurd.exe” started to load up. I quickly clicked on the file highlighting it. I then clicked on the “End Process” on the lower right side. I then clicked the “End process” button on task manager “Do you want to end this process?” warning message.

The offending program vanished! But then, all of a sudden, it loaded up again. I immediately ended that process in the same way as described above. Either this program is suppose to load up if closed (doubtful), the program is programmed in such a way that it will load two copies of itself or I had been infected twice.

After about a five minute wait it was obvious that the program would not reload. So I tested this by clicking on a few of me shortcuts. These now worked and the associated applications loaded flawlessly. So by opening up the task manager before the Antivirus System Pro program could load, I was able to close it out before it had a chance to disable the task manager and other applications.

The next thing I did was to list a couple of sites in Microsoft’s Internet Explorer that are associated with this Antivirus System Pro scam ware. Sites like antivirsystem.com, inetavirus.com, antiviraprof2009.microsoft.com and antiviraprof2009.com. There are probably more of these.

After opening Internet Explorer I clicked on the “Tools” tab, “Internet Options” from the drop the drop down, “Security” tab and then the “Restricted Sites” icon. From there I clicked on the “Sites” button, typed the offending site addresses in the upper text box and then clicked the “Add” button to get them into the bottom listing.

Now I wanted to do the same with the Firefox browser since this was the browser I was using when I got this infection. However, I was unable to list these sites as I did in the Explorer browser. There may be a way to do this but I did not have the time to figure it out.

So the next thing done was to find the program “ycvnsysgaurd.exe” so it could be deleted. I tried doing this by using Windows “Search” in the Start Menu. In the “Advance” menu I made sure the search would also look at all hidden files and during this whole computer scan. Search was unable to find it or any of the other files associated with Antivirus System Pro (iehelper.dll, uninstall.exe, conf.cfg, quarentine.vdb, queue.vdb, mbase.vdb, etc.). I was disappointed but went on to the next step in eliminating this problem.

And that was to delete any registry entries dealing with the Antivirus System Pro Trojan. This is where my research in this really paid off. I went to several different sites and put the information I got into one document. Each site offered up basically the same information but with some variation. One site would have about 10 registry listings to look at while another had about 8 and another perhaps 6 and so on. Most of these entries matched or were the same. However, there a few that differences that helped me enormously. Apparently trojan is capable of changing it’s location and change it’s name as it spreads.

I clicked on the start menu, clicked on the “Run” icon, typed in “regedit” (without the quotes) and clicked the “OK” button. The Registry Editor appeared. I would then go through the registry entries in the left pane by clicking on the tree structures as dictated from the information I found. When at the end of each structure the right hand pane would show the registry item. If I found one that related to the Antivirus System Pro Trojan in the right pane, I would click on that entry to highlight the entry, right click and then click on the entry and then click “Delete” on the drop down menu. The following is where I found entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane was an entry called “vpcomopd”. I knew this was an offending entry because it had a file path with ycvnsysguard.exe at the end. The path was C:\Documents and Settings\bdavis\Local Settings\Application Data\uwvsaw\ycvnsysguard.exe. I now knew where this program was and immediately deleted it from the hard drive. I also deleted the registry entry.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
The right pane showed “vpcomopd” which I then deleted.

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACUMRU\5603

There I found entries for all the other offending files associated with this scam. These included iehelper.dll, uninstall.exe, conf.cfg, quarentine.vdb, queue.vdb, mbase.vdb and so on. I proceeded to delete the entries.

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACUMRU\5604

This only had a few of the scam files in it. They were deleted. One of the entries had the word “radiance” in it. I can only assume that it was another incarnation of this scam and deleted it also.

After I finished with the registry I performed another search and found the following:

C:\Windows\Prefetch\ycvnsysguard.exe-2855A3A15.PF

There are other files here and I am not sure what a Prefetch subdirectory is for. But I deleted the ycvnsysguard.exe-2855A3A15.PF file because the name contained within it “sysguard”. I am not taking any chances.

Well after about 4 hours I finished and went on to restart the computer a few times to make sure everything was okay. Everything worked as it should and I did not get any of those annoying popups. The only problem left was getting the IE browser to connect to the internet. The browser, through the tools menu, was able to find the connection itself.

So I have my computer back. But I am still angry that I would even have to deal with this at all. From what I have read many people feel the same way. Some express their desire to see or do unpleasant things to those who perpetuate these and other scams. I understand their frustration.

These Scum sucking bottom feeders are making lots of money with their scam. But I suspect even more money is stolen in the form of lost wages, time and expense when people and businesses endevor to flush this pest from their computers. So it really would be nice to see these people pay. Very long prison terms would be nice. Confiscation of their ill gotten gains would also be nice. Think we will ever see it?

m

Nov 29, 2009 | Reply

Could not repair the browser despite many efforts. It’s almost like this thing got into my CMOS, looking at some of the issues. Anyway, have reformatted the HD and am reinstalling the OS. NOT fun. I suppose this pathetic joker enjoys this….

Chris

Nov 29, 2009 | Reply

I have Vista on a laptop. I got the virus from cracked.com. This is the second time I’ve gotten a virus from the website (I chalked the first one up as a fluke – that was obviously a mistake).

I have Kapersky Antivirus and ran a full scan. I guess it solved the problem. I’m not having the popups anymore. However, internet explorer still is not working. Whenever I type in an address, I get a “cannot connect” error message. Thankfully, I have firefox and use it exclusively. However, I do not like the idea of this little bug still being somewhere on my computer.

Any suggestions on how to fix this final problem? I scanned my processes and was unable to find anything similar to the .exe files mentioned below. I’m assuming Kapersky got it.

Any help would be greatly appreciated.

Jerry

Nov 29, 2009 | Reply

Whew! What an awful program! After several frustrating hours, I finally read an entry thatsggested to reboot in safe mode and do aystem restore. That finally killed that ^&%$# program.

lg

Nov 29, 2009 | Reply

Thanks to this website I finally got rid of AVS Pro. what a nightmare.
I’m not snart enough to follow a lot of the directions listed here; but, i found what worked for me. Reboot and cntl alt del just after the welcome (on XP) and just as your home screen pops up. Keep clicking cntl alt del until task manager pops up. Then do as others here said, find the program with xxxsysguard.exe, mine said nnytsysguard.exe, click on it and end process. It comes up twice on mine. apparently from reading others here it may say different things before the sysguard.exe
What this allowed me to do was download new software to remove the virus. I got Kaspersky internet 2010.
Everytime your computer reboots you have to stop the process again until whatever program you use cleans your machine.
I know this isn’t very technical; but, i got rid of it.
I would truly like to be in a room with the folks who created this. Really really truly.

m

Nov 29, 2009 | Reply

I have already checked and unchecked Proxy…no better. Have reloaded IE 8 and no better….any other ideas?

Thanks!

sher

Nov 29, 2009 | Reply

When I run msconfig, i see it…xkjvsysguard and it says it is in documents and settings, software but I can’t see the full location, so i can can’t find and delete it. (I am showing all hidden files as well.) Searching for the key words sysguard comes up with nothing. My computer will not even do a system restore! Please help. I have xp on a laptop.

DG

Nov 29, 2009 | Reply

Thanks Stormhelm, that was way too easy! My IE is back up and running again.

Stormhelm

Nov 29, 2009 | Reply

To get Internet Explorer working?
Just go to Tools, Internet options, Connections , LAN, and where it says Proxy, just un check it…

Stormhelm

Nov 29, 2009 | Reply

LAN setting first, sorry…
For below…

Stormhelm

Nov 29, 2009 | Reply

To get Internet Explorer working?
Just go to Tools, Internet options, Connections and where it says Proxy, just un check it…

BarBie

Nov 29, 2009 | Reply

hey stormhelm i knw u! thnx 4 taking my pics wit me wearing my thigh high boots glams shoot! thnx 4 helping me fix browser n pc! also luv!:-)
call me!
BarBie

BarBie

Nov 29, 2009 | Reply

i even got porno wit it OMG L O L.

BarBie

Nov 29, 2009 | Reply

L O L i c so many soluts 4 dis MESS
O M G. n thnx stormhelm

Stormhelm

Nov 29, 2009 | Reply

I removed my problem by quickly and I mean FAST on Start,Run, Type: msconfig..
When STARTUP,, Disable ALL..Reboot..
Run it again and you will find “hwyi” or other in front ofsysguard or swg…
Go to regedit and in FIND/FINDNEXT, type it in and search..REMOVE everything it finds including sysguard 2010…
Your Browser may need to be reloaded or repaired..
Fastest way I know to get things up and start repair damage…

cdog

Nov 29, 2009 | Reply

ok reboot before ur system even finishes booting up as soon as u see ur background control/alt/delete go to processes u will see the file that has gaurd in it right click and click open folder there it is delete and empty recycle bin done hope this helps

christina

Nov 29, 2009 | Reply

omg thank you so much m! i hope this works. *SIGHS* ive been trying to get rid of this stupid virus since like 6pm! =(

m

Nov 29, 2009 | Reply

to Christina…

on XP go to control panel, tools (from the toolbar at the top), folder options, view and under the advanced tab, chose view “hidden files and folders”

m

Nov 29, 2009 | Reply

FINALLY removed this with the RKILL and Malwarebytes instructions from Bleeping Computer.

Still have IE8 (browser) misdirects. Have searched and destroyed all .dll with IE, manually cleaned the registry three times, removed all traces of this pitiful infection, but still have the misdirects.

Can anyone help?

christina

Nov 29, 2009 | Reply

i can’t seem to find the file where it’s located. it says its under “Local Settings” but i can’t find that folder inside where it’s suppose to be. help please. and i also can’t find the way to make the “hidden folders” visible because i don’t have the “appearances and themes” in my control panel.

Greg

Nov 29, 2009 | Reply

I am here to confirm that the info in 01’s comment worked perfectly for windows vista as well.

Thank you, I’m glad to be rid of this pain in the ass virus.

To summarize so you don’t have to find it: launch task manager (ctrl +alt +del) as soon as windows launches, then wait for a process that ends in sysguard.exe to launch. (mine was vbdvsysguard.exe, yours might be different). Go to msconfig, then startup and find that .exe on the list, get the location and delete the file.

Once again, glad to be done with it.

DG

Nov 28, 2009 | Reply

I did what O1 said, and now nothing with “guard” is running, but I STILL CANNOT access internet. I get “Internet Explorer cannot display the webpage” for everything. HELP!

robo

Nov 28, 2009 | Reply

Thanks to 01, Steve and Jean for helping me clear this #%$!@ off my pc. I did find it it in my registry as well as in my Application data and removed it in both places. However, the name (in my case it was npjhsysguard.exe) still shows up under run>msconfig>startup
but the machine works fine otherwise.

John Dough

Nov 28, 2009 | Reply

The instructions in the page are useless, but the people left a lot of good instructions that work. Read the comments and you can get rid of this annoying virus.

Jean

Nov 28, 2009 | Reply

I wish I find this page earlier!
I finally found the way and got rid of this nasty virus removed after struggled the whole evening. Similar to “01″ and Steve mentioned, the trick is try to manage to get the Task Manager as quickly as possible, find the *******guard.exe (mine was vuslsysguard.exe ) file in Process and terminate it (I spent a long time to find this file is THE one). Since it seems the virus is upgrading pretty quick, it may change to some other name later. So here I want to give a suggestion here for those future victims, but only for those who know computer well, not suggested for newbies if you don’t know what you are doing.
Also do Start->Run,type “regedit” then Enter to bring up the Registry Editor as quickly as you could. Under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
remove the entry of the removed file if you find the file name in task manager; if you got no luck finding the file name in Task Manager, check all the entries and value here to find those that you are not familiar or strange ones(e.g. parent folder name is “yrynrl”) and terminate them one by one in Task manager, then you will know which one is bad guy. You can see the path of the file name here, so just go find it and remove then remove the registry entry as well.

Good luck!

tzft5l

Nov 28, 2009 | Reply

I followed info from 01 but found the file, heupsysguard.exe in C:/WINDOWS/Prefetch.

Ali

Nov 28, 2009 | Reply

01 is a genius. Thank you. : )

Catherine

Nov 28, 2009 | Reply

01 and JG’s comments really helped me. I fiddled with ComboFix, RKill, TFC, and OTL, yet nothing worked. Until their instructions. For my XP laptop, the virus was named ‘tjthrf,’ for record purposes.

Thanks again for all the help in the comments section!

Hammerhead

Nov 28, 2009 | Reply

My daughter got this tonight. I had to start SuperAntiSpyware as soon as windows booted (before the insidious crap could start). SuperAntiSpy ware kicked its ass.

Ed

Nov 28, 2009 | Reply

I just had 2 hours getting rid of this trash. It was obtained from the Dailymotion website (it is a video site like YouTube). Do NOT use Dailymotion.

User “01″ had some very useful tips. I did some things the same and some a little different:
1. Do “CTRL-ALT-DEL” as soon as the system boots up otherwise you won’t be able to. Then open up the Task Manager.
2. The offending program was “OHANSYSGUARD.EXE”. In the task manager window, processes tab, sort the processes by memory useage and this one will be near the top of the list. Be patient it will take a few minutes for it to show up.
2a. Highlight it and hit “end process”. The virus will protest with an ineffective pop up window. Soooooo satisfying to watch it finally die. I felt like John Conner killing Skynet.
2b, Do what user “01″ did – I did a search and found out where “OHANSYSGUARD.EXE” was (it was on hidden and system folders in my C drive) and deleted it and emptied the recycle bin. 3. I turned off the wireless internet to stop the porn downloads.
4. I deleted all history, cookie and temp internet files in case something was hiding in there. I did this with My Computer, go to local settings and enable hidden and system files.
5. I checked the program list in the control panel to make sure nothing else was downloaded.
Thanks “01″ for your help, you did most of the work on this.
Ed

mike

Nov 28, 2009 | Reply

hey this thing is also listed under documents, local swettings under file name xijldw.

Malwarebytes found it and then went in an deleted the file folder. oh had to due this in safe mode because this little thing locked up the computer, nothing but the pop ups would work.

Mike

Nov 28, 2009 | Reply

If you are running Vista, follow Steve’s instructions (Nov 27 2009). They worked perfectly for me.

JG

Nov 28, 2009 | Reply

I struggled with this SOB for three hours and the only thing that worked was user “01″’s suggestion above. Cleaned it up…for me the virus was called vsgfsysguard.exe and prevented me from accessing the internet. The virus was hidden in a master folder called xypdpy.

The key here seems to be taking advantage of the few seconds it takes for the virus to boot up. You only have a few seconds to hit “Alt-Control-Delete” once Windows comes up before you’re locked out of the Windows Task Mgr and are unable to disable the program with “guard” in the name.

Thanks O1!

JLM

Nov 28, 2009 | Reply

I also followed the instructions that “01″ posted and it worked wonderfully. Good luck to all who have this silly virus.

anthony

Nov 28, 2009 | Reply

@ 01 this works!!! clean and fast! Virus gone.

Mike

Nov 28, 2009 | Reply

I managed to end the antivirus system pro processes, but I cannot locate the program files nor most of the registry files (HKEY_CURRENT_USER\Software\AvScan was the only one that I was able to locate). Any suggestions on how to locate these files? I have turned on viewing hidden files and folders, and I have run searches for the specified files/folders, but they elude me.

Also, if you have problems opening task manager, reboot your computer. When your user logs in, quickly press ctrl+shift+esc to open task manager. If you open task manager before antivirus system pro begins running, it should stay open.

02

Nov 28, 2009 | Reply

How do you open the folder containing the .exe file? I just know its in C:/Documents and Settings/ and then its like HKCU/SOFTWARE/Windows but i dont know how to get to that last part. I already made hidden files visible

Looks Fixed

Nov 28, 2009 | Reply

Ok… after two days of dealing with this thing (and the not very helpful support staff at Norton/Symantec) – it seems I finally managed to get this off my computer. I had to use a few tips from different areas for different things I had going on with my XP.

I used 01’s suggestions below – plus a few other tips I found elsewhere that helped me.

I could not get any exe files, including taskmgr to run — BUT, you can get firefox.exe to work.

SO — I went to find the taskmgr.exe file in the Windows/System32 area and changed the name to firefox.exe — this allowed me to run it and turn off the ‘***sysguard.exe’. If you can’t rename it later, sometimes Windows just replaces it – so check. I just renamed it to something else, so it was there to use again.

Then, you can run your other exe – I used Malwarebytes to clean my system. Do an update first so you get their latest updates, then run the quick scan. If you can’t run Malwarebytes – again, find it in the program files and rename it to ‘firefox.exe’ and then it will run, make sure to change it back to the original name later.

Then I followed 01’s plan below and found where the file was on my system and deleted it, cleaned out the recycle bin as well.

Run another quick scan via Malwarebytes – if it says to restart computer, do so. If not, because everything is ‘ok’, restart your computer anyway to make sure the virus is gone.

So, I’m at the point of it seeming like it is gone — so will check in again if I run into any problems.

And to note, this was on BOTH my computers in the last two days. On my netbook, it was easy to do a system restore, run Malwarebytes, and Avast. It was gone.

On my big pc with Norton ANTIVIRUS, where you can’t do system restores because Norton Antivirus doesn’t allow it, I got this virus the next day by going to flickr. I didn’t download anything, no weird emails, no approving anything — just clicked on an innocent image on flickr and then blammo. On the netbook, it was a flash video on a popular humour website (which made more sense – lol).

I also got the the Malwarebytes software license for both computers which was cheaper than than the $200 that Norton wanted (aside from being extremely rude).

Thanks everyone for your help.

Trey

Nov 28, 2009 | Reply

Do a restart, then run Spybot. Got rid of it for me.

KK

Nov 28, 2009 | Reply

After spending many hours on this virus, the only thing that worked were the instructions by “01″ on Nov 28, 2009. None of the free programs worked – just paused it until restart. Follow the directions a few spots below, and it will be cleaned off in 10 min. Thanks “01!”

AJB

Nov 28, 2009 | Reply

1)Disable the ***sysguard.exe file (name may vary) process using task manager. Hold CTRL-SHIFT-ESC. The task manager will flicker but through some coordination you should be able to get to the process tab and find the exe file–end the process.
2)Do a system restore to an earlier time when your computer was healthy (if you have one. If you don’t have one, continue with these steps anyway).
Start/All programs/accessories/system tools..
3)Download Malwarebytes and run a quick scan. Delete the files (from recycle bin also). Makesure you perform this step after restore as the trojans embed themselves into your restore points.
I would also download a firefox browser as a backup (and stamp this antivirus pro link to your bookmark). That way you will be able to access the internet to troubleshoot in the event explorer gets hijacked again.

nick

Nov 28, 2009 | Reply

when you guys delete it and get your computer to work and then turn it off and back on again, is it still gone/functioning normally or does it come back?

i did the delete thing (mine was called idpasysguard.exe) and then found the file and deleted it and my comp works fine but then when i restart it comes back…

Arun

Nov 28, 2009 | Reply

My laptop got infected with this today. It is preventing me to invoke task manager nor do system restore. Can someone help?

D

Nov 28, 2009 | Reply

I just spent most of yesterday and all of this morning getting rid of this pest! Finally, it looks like I’ve succeeded. First off, I tried malwarebyes and panda antivirus PRO(I even have a subscription) and neither detected it. Like many of you, I had to end the processes in task manager. Mine were titled “rrrwsysguard.exe”. Once I ended those processes I was able to actually get to the root of the problem without the pop-ups coming up. From there I searched for any files with that name and deleted them. I also found the folder, which was named “vmijle” and deleted that. So far, that seems to have done the trick.

DD Drew

Nov 28, 2009 | Reply

My desktop computer which I use regularly is completely paralysed because this Antivirus System Pro’s invasion. It installed itself in my computer without my knowledge the time I downloaded one of the antivirous protection program recommended by a friend, and upgraded my ReelPlayer that day.

That awfully scareware not only pops up as soon as I turn on the computer and shows scary messages and demands purchasing of their “service” it totally prevents any use of the computer. I cannot open any Word document or get online. I wonder if my documents have been destroyed by it as well. The manuscript of my book as well as thousands of other documents are in the computer. They are backed up in an external hardware. But I don’t know if the malicious scareware has also affected the external drive. Please advise.

I am skeptical about the suggestions on how to remove this malicious invader. What is I land on a wrong one and more virus would come in? Is my worry warranted?

Lee

Nov 28, 2009 | Reply

After hours of trying to locate the processes and end them – nothing would work. I couldn’t even find them.

Finally, I did system restore and restored my computer to Thursday’s date which was fine for me because I didn’t do anything on my computer that I was worried about.

I restored, restarted and all my files were there and the evildoer was gone.

v

Nov 28, 2009 | Reply

People, this is a BOGUS blog!! I did everything they said but continued getting the virus. Don’t download Spyware Doctor from this site!!! It is a fake version of it and will keep reinfecting your pc. I downloaded the official version off Google pack. And when you are starting up your pc hit ctrl-alt-del immediately to kill the process for this virus. That was the only way I could get it to stop working…

Katie

Nov 28, 2009 | Reply

SOOOOOOO AGREEEEEEEEEEEE!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! i was up until 5am trying to get rid of that devil!!!!!!!!!

Steven

Nov 28, 2009 | Reply

Someone PLEASE give me the name or company name of the creator of “Antivirus System Pro” and/or SysGuard, as I’m preparing a MASSIVE lawsuit as I type this.

01

Nov 28, 2009 | Reply

This information was also not useful for me so instead I did a combination of things offered in the side comment section.

By the way, I have XP on my laptop.

I restarted and as soon as windows opened I pulled up the task manager (ctrl+atl+del) and clicked on “processes” and found the .exe file with the word “guard” in it. I wrote down the file name and ended the process (this will keep the virus from hijacking your system while you get rid of it)

I went to the start up menu and hit “run” and typed in “msconfig” then i went to the “startup” tab and found the .exe file I had terminated earlier to see where the .exe virus file is.

I opened up the to the folder (you may want to had “hidden files” viewable which can be accomplished by going under “appearance and themes” in the control panel in category view) it was in and deleted the .exe file and the folder it was contained in (the folder it was in had a bunch of random mixed up letters in it) and I emptied my recycling bin to make sure it was gone.

I restarted my system and it no longer is there!

I really hope this is helpful for people experiencing this stupid virus now (because does change quite rapidly by the looks of all these comments)

Good luck!

Alek Costanzo

Nov 27, 2009 | Reply

I have recently had problems with the Antivirus System PRO, although i do not know how i got this. I have tried several websites o help get rid of this program but most tell me to use the task manager, but i cant open it. Others have told me to manually delete them. I have tried this but those files dont exist on my computer. I really dont know what to do, i cant even put any antivirus systems on here because the only program i can open is Firefox.

Ed

Nov 27, 2009 | Reply

Have go this on my other PC followed steps on other sites to launch in Safe Mode. PC won’t launch in Safe Mode. I changed the IOS Boot instructions to launch in safe mode so now it is in a loop that never starts in any mode. If I select normal the IOS boot forces it to safe and it fails. Help!!

Steve

Nov 27, 2009 | Reply

Tried the system restore did not work. Went into Task Manager immediately upon startup after entering password (cntrl-alt-del). Waited for an entry with “guard” in it. Right click to open the containing folder. Right click and delete the file and folder. Restart. Problem solved. Now using RegSeeker to clean up the registry automatically. And I went into msconfig (“Run” then type in msconfig) and found an entry with the same name and unchecked it.

leanne

Nov 27, 2009 | Reply

these directions worked perfectly for me once i got the stupid pop up out of my way long enough to disable it!

ld

Nov 27, 2009 | Reply

Don’t try to look for those files, I spent 4 hours to look for them, but it did not work, wasting your time. Please follow the below instruction. It worked perfect well for my laptop, all porn pop up completely are gone, and the virus can’t block the task manager system anymore. here is the instruction:
First reboot your pc, then when the window opens up, click ctrl+shift+esc immediately (I placed my fingers for those keys before the window opens up), then you will see task manager window, then cick on processes, then delete all .exe, some of them can be deleted, just leave them by themselve.

second, reboot your system, then go to the system restore, and restore your system at least from that you know that your system is not affected (I restored my laptop from two days ago since I got that stupid virus this morning). After that reboot again, and check to see if your system is restored back to previous stage. then reboot again, then the icon of that stupid is gone. Hope this help.

ld

Nov 27, 2009 | Reply

Hello Kristen,

I just spent 5 hours to fix my laptop, and it worked.

First reboot your pc, then when the window opens up, click ctrl+shift+esc immediately (I placed my fingers for those keys before the window opens up), then you will see task manager window, then cick on processes, then delete all .exe, some of them can be deleted, just leave them by themselve.

second, reboot your system, then go to the system restore, and restore your system at least from that you know that your system is not affected (I restored my laptop from two days ago since I got that stupid virus this morning). After that reboot again, and check to see if your system is restored back to previous stage. then reboot again, then the icon of that stupid is gone. Hope this help.

Drb

Nov 27, 2009 | Reply

Just spent 2 hours tracking this bad boy down on a remote machine. This seemed to be a newer version than those published. On Win XP it simply created a startup entry under the system configuration.
To remove it i simply started ‘msconfig’ under startup there were two unique ‘XXXXguard.exe’ a slight variation on those posted. Traced back the command , in this case they were “%system%\ documents settings\%user%\local settings\application data\xxxxx”. I removed the startup entries, and then deleted the source executable. Restarted and it’s all good.

brian

Nov 27, 2009 | Reply

i think that i have deleted it thanks to suggestions below. now it did something to my browser. i can only open https and not http.
does any one have a suggestion how to get my settings back please?
thanks
brian

raniel

Nov 27, 2009 | Reply

try restarting your computer. then when windows start to load. run your task manager. this virus takes a minute to load. look for XXXXsysguard.exe. once you find it end its process tree.

Shelby

Nov 27, 2009 | Reply

I am trying to remove Antivirus System PRO and every time I search or enter the task manager I can not locate the files listed on the instructions. Could it be listed under any other file names? Any help would be greatly appreciated.
Shelby

Jesse

Nov 27, 2009 | Reply

I had success downloading and installing Malwarebytes‘ Anti-Malware on another computer, and then dragging it over to the infected computer on a flash drive. Ran and removed infected files… upon reboot computer looks to be clean!

Aleesa

Nov 27, 2009 | Reply

“Antivirus System PRO” virus attacked my computer. I tried these steps, but I cannot access task manager. I keep getting Windows Security alert that and multiple alert windows saying “Application cannot be exectued. The file… is infected…” These happen to popup when I try to access virus scans, task manager, adding or removing programs, and other programs similar. I’m getting popups to porno.com and other alerts that tell me to purchase the software. If you can help, please contact me at aleesapinay94@aol.com. Thanks.

Kevin

Nov 27, 2009 | Reply

Well I managed to get Malwarebytes running by starting it (and the Taskmanager) before the malware started. Good news: AVSP is *OUT* of my system. Bad news: It left behind some crap. Internet still isn’t functioning properly on some programs. Mozilla applications seem to be fine. Thunderbird and Firefox both can get online. Nothing else can though. IE, Safari, iTunes, etc can’t see an internet connection. Even Malwarebytes can’t connect now, but at least it’s up-to-date.

System Restore didn’t fix that internet connection issues.

tom

Nov 27, 2009 | Reply

Hey, I just got the “Antivirus System PRO” virus, except mine is a hardcore version. I cannot access task manager, no file with the suffix “sysguard” or even “guard” exists in search results, and when I sort my files by date/time created, nothing appears other than my normal files. I’m getting popups about every 5 seconds to porno.com and general warnings telling me to purchase the bogus software. Could you please send some directions on how you removed the virus? My email is cgsman6345@yahoo.com. Thanks so much

Timothy

Nov 26, 2009 | Reply

Second bout with this ‘virus’. First time was able to remove almost all of it without help, but it did corrupt dlls not listed in the on-line help guides. Needed some professional help.
Didn’t get all of it and it came back much worse. All of its locations were hidden. Had to use Malwarebytes‘ Anti-Malware 4 times (with updates!) to get it all…for now. Other steps involved, too, but the Anti-Malware was essential.
As an aside, the company responsible for this horrible bug has a disclaimer saying they are not responsible for a similar bug developed by another group. Wish both would just go away.

Pikatwig

Nov 26, 2009 | Reply

i think this virus (if it is one) has really advanced in program cuz now its kiling PC’s (mine). i bet its just the HD but a new PC would be nice (mine is old and slow). what happenes now is i start up my pc and since the last time i shut it down was when i used the power button it askes me how to start it up but every option i try is does
Windows XP:
1 sec start up logo
1 sec BSOD (blue screen of death) and pc restart. i tryed using the windows XP SP2 CD but this time is stayed on the BSOD

Safe Mode (All 3):
DOS loading script stuff
3 sec wait
system restart

so now im blocked out from windows… if anyone has a fix for this (i bet its buy a new HD and/or new PC and install or reinstall Windows XP) it would be a BIG help!
Thanks!

Pikatwig

Nov 26, 2009 | Reply

because of this virus my PC crashed. :(

Ryan

Nov 26, 2009 | Reply

FOR PEOPLE WHO CANNOT CONNECT TO THE INTERNET WITH INTERNET EXPLORER OR Malwarebytes WON’T UPDATE: In Internet Explorer, go to Tools>Internet Options>Advanced tab>Click Restore Advanced Settings. This should get you back up and running to fight this thing.

Kevin

Nov 26, 2009 | Reply

I can’t use IE or Safari to access the net. Firefox (thankfully, no pun intended) still works fine.

AM

Nov 26, 2009 | Reply

Same Here. Did it lock you out of getting internet access as well?

Kevin

Nov 26, 2009 | Reply

Already have wasted 2 hours on AVSP this afternoon. Got back from lunch and computer was messed up bad. So far, no dice. All the “step by step” instructions I’ve found don’t lead me to the problem. Things I’m supposed to do/look for/delete aren’t there. Still working on it, just getting frustrated.

MS Firewall Settings locked

Nov 26, 2009 | Reply

After anti virus System Pro poped up and I stopped/cancel the scan it does. I rebooted my laptop. Once I did so I could not get internet access. The dinostic tool said to check my firewall setting. I did so, and they are all greyed out and it is set to off and I cna not change it. Any Help/advice?

Rich

Nov 26, 2009 | Reply

I want to thank all of your help, I’m not sure
how I picked up this nasty, however I think I have it cleaned up now.

Thanks again.

jeff

Nov 26, 2009 | Reply

Thanx Taylor

For some reason System Restore didn’t work with my computer, so i did what you did, restart my compture and hit Ctrl+Shift+Esc as Windows was loading and followed the instructions and now ASVP is gone as far as i know. No popups or anything. Whoever created this crap needs to be locked up

Brian

Nov 25, 2009 | Reply

Thank you to the people on the side bar. I combined your suggestions to fix my mom’s computer, and it was hit with the bad one. Thanks also to the people at Malwarebytes your software is awesome. I hope the creators of Antivirus system pro end up behind bars, some of us work hard for our computers!

Elisa

Nov 25, 2009 | Reply

I just got this thing today and was able to get it rid of it just a few minutes ago. I tried everything at first… I even installed Malwarebytes and it still didn’t remove it.

So the only that worked for me was to boot into safe mode and do a system restore to an earlier date.

Hope that helps.

Alex

Nov 25, 2009 | Reply

This was very nasty. I also got rid of it by downloading the rkill program and activating it as soon as my computer booted up. Then I got Malwarebytes, went to internet options, LAN settings and disabled the proxy server, and checked automatically detect settings. This allowed Malwarebytes to update, and it eventually got rid of the problem. I think I picked up Antivirus System Pro from Newgrounds.

Sonya

Nov 25, 2009 | Reply

You people were a huge help for me today! I had the AVSP where it didn’t show up anywhere and I couldn’t access my spyware programs, task manager or anything else to delete stuff associated with it. I restarted in safe mode and then went straight to the system tools to system restore. Restored the computer to a week ago. It’s working great with no signs of the little sucker. Thanks again!

Robert

Nov 25, 2009 | Reply

OK here is how I got rid of it….
turned computer off and restarted.
got task manager running before virus took over… killed every start up of the virus as it started. Did a restore to day before… Bitch is gone now and PC is running great.
This is a bad one….
Good luck

Taylor

Nov 25, 2009 | Reply

To everyone who is having trouble opening task manager because it keeps blocking it:

How I got around this was I restarted my computer, then when I got back on my desktop, immediately pushed Ctrl+Shift+Esc, that should open task manager BEFORE the spyware is opened. It worked for me! Good luck.

Shamus

Nov 25, 2009 | Reply

To ScottL: I did what this website said and it worked for me. Have you tried it?

Shamus

Nov 25, 2009 | Reply

I also got it after visiting People of Walmart

RevWayne

Nov 24, 2009 | Reply

Man this was some ugly virus…thanks to you guys, Barry specifically, you saved me an expensive trip to one of the local area in-store ‘computer shops’ where for 6-10 days and $200 they would have done what you did. Thank you!!

Doug

Nov 24, 2009 | Reply

Ok.. I was hit too.. figured out the trick to stopping the process, sysguard 1st. Then I went to another PC not infected by this POS virus. I downloaded Ad-aware to a thumb-drive (the free one) I then loaded Ad-aware to the infected pc. I was able to run the scan which took quite a bit of time. Then I ran it again,, after the second time though I have no real sign of this virus. Let me know if I’m just wishful. So far so good. I don’t work for Ad-aware and the only reason I used it was because one of my computer geek friends told me it would work,,, and i’m cheap and it was free.

Eric

Nov 24, 2009 | Reply

I had a lot of trouble with this one, but I was able to install the rkill program and Maywarbytes to my computer by using another computer to download the files and transfer via a thumbdrive. The key is just after the computer starts the reboot, to access the rkill program and the Malwarebytes (or any other automatic removal tool) and run the removal programs before the Antivirus System Pro initializes. Once the Antivirus System Pro starts, it inhibits its own removal. This idea was curtesy of “BSJ” on the McAffee website forum.

Kimberly

Nov 24, 2009 | Reply

I also got it after viewing people of walmart……..

glen

Nov 24, 2009 | Reply

I got hit with AVSP today after looking at peopleofwalmart. I tried a few things mentioned here with no luck removing it then just tried a system restore to a few days ago. That seemed to get rid of it. This is with XP

Kimberly

Nov 24, 2009 | Reply

I’ve been fighting with this thing for four days. The main thing I’ve found is as soon as windows starts for you hit cntrl+alt+delete to have your task manager pop up. You basically have to have it open before the virus realizes what you are doing. From there end the process ***sysguard.exe. The first three or four letters always seem different. From there it wil allow you to run your virus/malware scan.

ScottL

Nov 24, 2009 | Reply

Have tried everything suggested. None of it works. This must be a new variant. Can’t get on internet. Can’t open any program at all. Search doesn’t work. Task manager can’t access. Will only run registry edit in safe mode. Can’t find any Antivirus System PRO files. Can’t do a system restore. Can’t find registry keys. HELP!! All anit-virus, spyware and malware disabled.

Ryan

Nov 23, 2009 | Reply

If you are able to update Malwarebytes, it should be able to find all of the files causing the problem and remove them. This virus does cut your internet connection to IE and anti-virus programs so they can’t connect for updates though.

Jason

Nov 23, 2009 | Reply

I had the Antivirus System Pro and was able to remove it quickly doing this.

Hard Reboot (turning of w/o shutdown
this should automatically give you the option to go to Safemode with Networking

I did not have to do anything but use Malewarebytes ( I may be lucky that I already use this and had updated it the morning I got the Virus ( 11/22/09 ).

I ran the quickscan option and it found this

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vtbungpw (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\(*my CPU name*)\AppData\Local\hgmvdu\fwadsysguard.exe (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

this was a copy and paste from the Malwarebytes Log after it ran.

I am not sure if this will work for everyone or not. Like I said I have Malwarebytes already and I was lucky enough to have a very recent update.

You should be able to download from whatever malware website AVG, AVAST, Malwarebytes ect. from safemode, if not it may just be a matter of changing your internet proxy settings.

I have been up and running for a while now (checking all of my Registry and files ect. what a pain) with no problems. Hope this helps I will be checking this thread for a couple days incase there are questions.

Good Luck

Brian

Nov 23, 2009 | Reply

Ok here’s what I had to do to get rid of it. First off I had to restart my comp and run task manager right away before antivirus system pro took over and wouldn’t let me. Find the sysgaurd.exe process and cancel it, this should stop the annoying pop ups. Then download Malwarebytes anti-malware. Now once you have it up and running you will need to update it, for some reason the updates aren’t working through the program so you’ll need to do it manually. Here’s the link

http://www.Malwarebytes.org/forums/index.php?showtopic=3436

Once that installs run a quick scan and it should find everything that needs to be deleted. Restart your comp when it asks you too and everything should be good to go. Hope this helps

Nina

Nov 23, 2009 | Reply

Did that work Juan for good?

Kenya Coleman

Nov 23, 2009 | Reply

i cannot find any of these files on my pc. I know its there, i was able to prevent it from popping up by ending a process tree wsntfy.exe…. but i know when i reboot my pc it going to pop up again. Any new suggestions. i think its masking as something else, but i can’t find it. any help?

Brian

Nov 22, 2009 | Reply

Ok I’m lost. I tried what Barry said and I could locate the file but could not delete it. So then I tried to do a system restore in safe mode but it says I have no restore points other than today which doesn’t help me. What now?

Juan

Nov 22, 2009 | Reply

This has been the worst attack I’ve ever seen on my comp. I had to go through the BIOS and do a system restore to the previous week. This took care of the problem, then I ran windows updates just to be safe.

Hope this helps some of you…

Kevin

Nov 22, 2009 | Reply

The same thing happened to me. I turned off my computer and restarted it in safe mode(press F8 before windows loads as soon as you turn your computer on). I then went and performed a “system restore”. You can find where to do it if you search for it in the support and help application in the start menu.

I had to do this because I couldn’t find any other way to fix it. All the files listed here as ASP, I couldn’t find. You may have read what Barry said to do. This didn’t work for me because I wasn’t allowed to view the address.

Andy Aldrich

Nov 22, 2009 | Reply

Okay i REALLY need help i have absolutely zero experience with doing things like this. Every time i open the task manager, internet options in control panel, automatic in control panel, windows firewall in control panel, and basically anything that sounds like it could help the situation, it opens for a split second and then disapears. i never have enough time to close the processes as described above. I have EZ antivirus and i normally use firefox. i’m on windows xp. Someone PLEASE HELP ME!

Matt

Nov 21, 2009 | Reply

Barry’s worked for me; however, my varient changed my IE8 Proxy Settings so even after it was “clean” i couldn’t browse in IE and Malware gave me a error code of 732 0 0… when i tried to update it. FOUND IT – it sets your Internet Options to use a proxy. Go into Internet Options and change your LAN Settings to Automatically Detect Settings; Whala! done.

Alec ward

Nov 21, 2009 | Reply

Before anything else is able to load go to system restore and restore it to an earlier point. Worked for me

Sherisha

Nov 21, 2009 | Reply

Barry, you are my hero! This was the most aggressive virus I have ever encountered. I followed you instructions and was getting nowhere and then found Hijackthis, a program that allows you to freeze your computer, from there i was able to follow your instructions and get the **** thing off my computer. I agree with everyone else, if I ever meet this guy……..

Patrick

Nov 21, 2009 | Reply

Cheers, Barry

misscandy

Nov 20, 2009 | Reply

Like Shel, I was on Facebook and viewed a video a friend loaded onto youtube. The AVS PRO popups started right after I left FB and was looking at people of walmart. So far, initial search results are empty, and popups continue. I’ve already installed the dr. I’ve expanded the search to files containing the words…

Ryan

Nov 20, 2009 | Reply

Update: If you are able to get Malwarebytes to update it will then be able to find the newest programs causing the trouble on your PC. I just finally got it to update and ran a search. It went from finding zero files to 9. Removed them and it looks like problem solved after restart.

Ryan

Nov 20, 2009 | Reply

So I got the latest version of Antivirus Pro on my computer and here is what you guys need to know: 1) it somehow disables your Internet Explorer, and also stops real anti-virus programs from connecting to the internet to update. To fix this you have to go to in IE… Tools>Internet Options>Advanced Tab> and Hit Reset, this should restore everything. Also uncheck Enable Third Party Browser extensions in that same tab. 2) The files listed in this guide do not show up on your computer. In the Task Manager, you have to kill the program called ddjpsysguard.exe*32 to be able to open programs and such, that is now what Antivirus Pro is called. However, a search of your system for ddjpsysguard.exe*32 will turn up nothing and I still have no idea how to get rid of the thing. Malwarebytes won’t find the files for this new Antivirus Pro version and is ineffective. Spyware Doctor will find the files but for some reason the new version available everywhere for download online won’t remove the Antivirus Pro files unless you pay the 30 bucks to register it.

As it stands I have no idea how to remove the files so they don’t come back, only how to get my computer functioning until the next restart when I have to kill the ddjpsysguard.exe process before it goes active.

Hopefully someone can figure out how to remove these files, or knows of a good free anti-malware program to remove it, that will work.

mattfromhi

Nov 20, 2009 | Reply

I’ve followed all the steps and managed to rid myself of ASP but now, like els, I am not able to connect to the internet…what can I do?

Leah

Nov 19, 2009 | Reply

My husband also got this virus, we tried all the regular methods to get rid of it but all were blocked. Finally after installing the malware on his desktop, we had to go into safe mode and run it (the malware). This way nothing had been started up and would not block the malware. Only my experience but if it helps anyone it is worth it.

els

Nov 19, 2009 | Reply

I managed to get rid of this virus will help from all of your comments. Unfortunately my internet does not connect, even though it is connected to my network. Any suggestions?

Mehak

Nov 19, 2009 | Reply

I have Antivirus system pro virus on my laptop and I tried to remove it manually, but I don’t seem to the get the directions. Please help me. I tired to run and regedit thing as well but I don’t know the key.

Jason

Nov 19, 2009 | Reply

Although I managed to get it off of my step-daughter’s puter, it hit mine yesterday, and I have yet to get it out. I got task manager up swiftly, and deleted a process named mppjsysguard, and also found and deleted a registry folder named avscan. But it came back and I did the same thing. I just downloaded Spyware Doctor and it has already found a host of things that my anti spyware programs have not found. Even running Windows Defender did not get rid of it.

Adam

Nov 19, 2009 | Reply

I downloaded and bought the Spyware Doctor which at first removed the program, but the antivirus has returned and the Spyware Doctor will not find it. Please help.

Debbie

Nov 19, 2009 | Reply

I used Barry’s instructions and it worked. I went to the url, wrote down the path, found it, renamed it.

Then I restarted. I found the renamed file and deleted it.

Ran Malwarebytes. It came up with 3 security disabled lines. Restarted and it looks like it is gone. Thanks Barry.

Shel

Nov 18, 2009 | Reply

Ok – after much frustration, I went ahead and downloaded the PC Tools’ Spyware Doctor. I figured, since I couldn’t find where this program had hidden itself – then maybe a scan from an outside source (installed post-infection) couldn’t hurt. After all, my already installed anti-virus and malware detection softwares seemed to be heavily compromised by the attack.

Needless to say, I was quite surprised at the sheer number of infections – all largely connected to AVSPro – that I was presented with. This thing really gets in deep. Anyhoo, as of this writing, my ‘puter “appears” to be clean.

And for that – I have to say “thank you” to PC Tools’ program – and to Kris (for recommendating it). As, personally, I don’t think I’d have ever had the patience to clear all those infected .dll’s and reg. entries on my own!

Thanks again, Shel.

Tim

Nov 18, 2009 | Reply

Finally figured out that the .exe running in task manager started with a name called blcksys or something like that. I did cntl+alt+delete and it wouldn’t open the task manager, so I hit OK and tried again…the fifth time I did that it managed to open. Keep trying to cntl+alt+delete and eventually you will get in. Stop the .exe from running.

My internet wouldn’t open either. I went to Tools – Internet Options. Under the “Advanced” tab I hit “Reset” to restore Explorer to its original state. Then I was able to go to Malwarebytes‘ website and download and run their one-time free scan and clean.

I think I got infected with this just by going to my email page (not an actual email mind you, just the webpage that lists all my new emails). Never seen anything like that before.

From reading all these comments, this malware continues to be adjusted, renamed, and reworked by it’s original creator. Not all the instructions may work for you. Be flexible with your rthinking.

One more thought. If you simply can’t get to Malwarebytes website no matter what advice in here you follow, go to another computer and download the application for Mozilla Firefox (differen kind of web browser), save it to a flash drive or disk, and run it on your computer to load Firefox. That browser should allow you to go wherever you need to on the internet. Good luck.

-Tim

Shel

Nov 17, 2009 | Reply

To echo the other’s sentiments – the fixes listed here are no longer working. And all searches [of my registry] have come up blank.

I’m still surprised that my Malwarebytes Anti-Malware AND McAfee BOTH failed miserably to protect my system from this one.

And as for having it infect via suspect websites – the only spots that my system had travelled in the past couple of days were AICN.com and Facebook. Well, and Google and the Bell Aliant homepage. But that’s about it.

Trend-micro – which is where I ended up initially – cleared up the mess via their Housecall. Or so I thought. However, on rebooting – it was all back again – with a vengeance.

This thing really does seem to be mutating on a daily basis – and it almost seems like it doesn’t matter where one is “surfing” – it’s a matter of hit-or-miss.

And yes – I certainly would enjoy a face-to-face with the character responsible for this one… well – more like a face-to-baseball bat… but you get the idea.

That said, if anyone has any other info – it’d be greatly appreciated.

Thanks for listening, Shel.

josh

Nov 17, 2009 | Reply

I have tried all of Barry’s instructions, but I am unable to delete the sysguard.exe file. Any suggestions how to come at it now? Does this virus change daily?

sceaton8ball

Nov 17, 2009 | Reply

ash, unfortunately the only thing that worked for me was to bite the bullet and purchase Spyware Doctor. I ran Malwarebytes at least 4 times and it did nothing. Spyware Doctor got rid of it completely. Good luck.

ash

Nov 16, 2009 | Reply

i can run Malwarebytes, but whenever i reboot my computer i still have ASP. i’ve tried manually deleting, but that doesn’t work either- ASP prevents me from deleting it

RP

Nov 16, 2009 | Reply

Nothing that is listed here exists within my computer. What is going on am completely frustrated, need help.

Manny

Nov 16, 2009 | Reply

Nothing worked that anybody mentioned here and I tried it all. I had to do a live chat with my antivirus program and pay tech support to get rid of the files. This was a bad one and I’d like a face to face with the jerks who created this.

Alis

Nov 16, 2009 | Reply

Alla and Barry, you were both a great help!
I had to stop the process of ugxlsysguard to remove the pop ups. This really is the virus from hell!

Barry

Nov 16, 2009 | Reply

James / Jay / Steven:
Didn’t you bother to read any older posts to find a solution? No wonder you can’t fix it. Are you a bunch of liberals, waiting for Obama to fix it for you? My solution seems to work for everyone, but you have to go back almost 10 posts to read it.

James

Nov 16, 2009 | Reply

everything i try fails.. spy doctor Spybot s&d windows defender.. none of them will open.. This is ridiculous :/

Jay

Nov 15, 2009 | Reply

For the life of me, I can’t find the *sysguard.exe thing anywhere. I tried to manually search and it comes up empty. I went into the registry and deleted the sysguard.dlls. Any help would be greatly appreciated.

Steven

Nov 15, 2009 | Reply

What can i do about Antivirus System Pro, if it keeps comming back everytime i turn on my computer?

lyusya

Nov 15, 2009 | Reply

Barry,

It works. Great thanks!

It is best ans most simple way to remove ASP so far I found. Smart!

lyusya

Nov 15, 2009 | Reply

Barry,

It works. Great thanks! When I right click on Properties first time, it showed http://….down load address not kaka://C:\Documents and Settings\…

I restarted the computer and repeated the process and find the path.

It is best ans most simple way to remove ASP so far I found. Smart!

Barry

Nov 15, 2009 | Reply

Sorry, meant the “windows\system32\iehelper.dll” file

Barry

Nov 15, 2009 | Reply

lyusla:
The path is there. It’s the location listed under “Address (URL)” when you right click the main APS window and click “Properties”. You may only see 2 lines of the address, so you’ll need to left click and highlight the address so you can drag down to see the final, randomly named folder and file name (ending in sysguard.exe). Write down the file path, restart in safe mode, then find the folder and file using “My Computer” or “Windows Explorer”. Delete the file, then the folder, then the windows32 .dll file. Restart in normal mode, run Malwarebytes and it should be over.

lyusya

Nov 15, 2009 | Reply

Barry’s method seems expired. YOu don’t see the path for *sysguard.exe.

I ran save mode and restored old registration backup. The ASP still show on the bar, but no pop windows come up

Martin

Nov 15, 2009 | Reply

Barry’s quick solution works! I found the file in my Appdata and changed the name. After that I could run taskmgr.exe and stopped the process. Went back and deleted the file. Deleted the Avscan from the registry and restarted. Malwarebytes had quarentined some registry keys on the first scan but if you don’t find the *sysguard.exe file it’ll keep coming back.

Theresa

Nov 14, 2009 | Reply

Finally got rid of this problem. Had it on my laptop and desktop. I copied 3 programs to USB drive on another computer:
1. ATF Cleaner — http://www.atribune.org
2. Malwarebytes Anti-Malware
3. SUPERAntispyware
Ran ATF cleaner, restart computer
Ran Malwarebytes‘ Anti-Malware (quick scan), restart computer
Ran SUPERAntispyware, restart computer
THEN ran Malwarebytes‘ Anti-Malware (full scan) — Problem seems to be solved

Barry

Nov 13, 2009 | Reply

Here’s a quick solution. Click the taskbar icon to open the ASP main window. Right click to Properties. You should be able to highlight the full location of the program ’s *sysguard.exe file (It may be a long path.) Restart in ’safe mode’ to delete the file. Restart and delete the \system32\iehelper.dll file. This kills it. You can then run malware or clean up the registry manually.

Barry

Nov 13, 2009 | Reply

How do you get Windows Defender. The virus keeps blocking the installation

Jason

Nov 13, 2009 | Reply

Windows Defender worked for me. I tried both Spyware Doctor and Spybot, but the virus prevented both from accessing recent updates. Windows Defender’s most recent version was from 11/12/09 so it didn’t need to update. It found and removed what it considered a “high” threat trojan. I am now back to normal.

I am now able to access updates for both Spybot and Spyware Doctor, which is why I believe MS Defender worked.

pete

Nov 13, 2009 | Reply

i’m not sure if this is related but i think i was able to remove antivirus systems pro with the help of running Malwarebytes from a flashdrive. however i still get this program popping up called leyovose.dll but i cannot find it when searching for it. if you google it, only one program comes up that says it can detect it called prevx. it scans for free but you have to pay to remove the file. i’m willing to bet whoever created leyovose also created prevx just to get you to pay to remove it. anyone have any experience w/ this? my computer still acts up when i try to run other antivirus programs and google still redirects to crap websites so i think leyovose is the cause.

sceaton8ball

Nov 13, 2009 | Reply

I deleted sysguard.exe then purchased and ran Spyware Doctor. It seems to have worked. I rebooted and didn’t get the annoying popups. Thanks so much for your help Daver and everyone else!!!!

bg77

Nov 12, 2009 | Reply

My file that I deleted out of the registry was rliksysguard.exe. Seem to work so far, I need to do some more searching though to make sure I got it all.

John

Nov 12, 2009 | Reply

Matt, I am looking for help to get rid of Antivirus System Pro. It infected my system today and I have spent about 8 hours trying to get rid of it. I have run Windows Defender, Quick Scan and Full Scan, McAfee Quick and Full Scan, Malwarebytes, and looked at some manual removal info and so far nothing has worked. I do the search for the files listed that need to be deleted but none of their names come up. Please help. Tks John

Brian

Nov 12, 2009 | Reply

I had to search the registry and the windows\system32 folder for ??sysguard.exe before I was able to isolate this virus. this one is pretty nasty…

sceaton8ball

Nov 12, 2009 | Reply

Thanks, Daver. I’ll try it. I’m desperate.

daver

Nov 12, 2009 | Reply

The exe changes names from system to sytem.

c:\documents and settings\username\local setting\application data \”Random letters”\”random letters”Sguard.exe

The “random letters” part of the file name seems to change from system to system.

The reg entries where all under /AVSCAN

Danielle

Nov 12, 2009 | Reply

Hi! I’m fighting with the antivirus system pro and could use some help, if you’re able. i ended the sysguard process, but I don’t know where to go from here. help?

daver

Nov 12, 2009 | Reply

I hate buying stuff, Spyware Doctor was the only thing that found “Antivirus System Pro”, Malbytes did not pick it up

sceaton8ball

Nov 12, 2009 | Reply

I downloaded Malwarebytes, ran the quick scan twice and ran the full scan twice and Antivirus System Pro is still there! I’m at a complete loss. And I’m not very computer savvy. Somebody please help!!!

Elias Spence

Nov 12, 2009 | Reply

Matt, your help would be much appreciated.

Jon

Nov 12, 2009 | Reply

This program is driving me insane. I’ve already tried using both Spyware Doctor and Malwarebytes, but by the time I get around to actually using them, this Antivirus crap has already disabled me from using them, virtually eating the .exe files needed to launch them. Im not good enough with computers to do this manually, I really need help, Im about to throw this damn thing out a window…

ape

Nov 11, 2009 | Reply

New executable filename is mvchsysguard.exe and it resides in the user directory as a hidden file. Registry key is cnlsmwvq.

ape

Nov 11, 2009 | Reply

You need to update your removal instructions. They are now working around these file names.

Lynn

Nov 11, 2009 | Reply

Matt, Where are the instructions to get rid of this?

Robert

Nov 11, 2009 | Reply

Matt

It looks like you have been able to beat this. We have abeen at it all day. do you have instructions posted some place?

Jason

Nov 11, 2009 | Reply

sorry, it was an APO post

Jason

Nov 11, 2009 | Reply

I tried XoftspySE, Malwarebytes‘, and Iobit Security. None of the files mentioned could be found. The only thing that did work to get rid of Antivirus System Pro was to get taskmgr up as soon as the computer started, by pressing ctrl-shft-esc, and ending a process that appeared to be an incorrect one. I spent a total of about 6 hours getting this off of my step-daughter’s computer, which she must have for school. Nothing worked. I have alot of experience with computers and just could not find anything that appeared remotely related to this spyware. They will certainly be facing a rather large federal suit. When the computer first started with the usual pop-ups from this trash program, I kinda knew that so many exe files could not actually be infected. I did a search and found alot of material touting the 3 programs that I tried to use, none of which worked in removing the problem. It was only after I read Matt Potter’s post that I cured the problem myself. Thanks for all the posts on this

Jason

dez

Nov 11, 2009 | Reply

i need help guys! i need help, i just installed two of these anti pro removals and when i click on the desktops thats when the virus pops up not allowing it to remove it

&& how do i find the virus file in my files?

help someone

Matt Potter

Nov 10, 2009 | Reply

Find Me at Matt Potter OKC Network on facebook. I hated this virus and talk you through it. Im the guy with the guitar in the background

dave

Nov 10, 2009 | Reply

my dad’s laptop is infected, i thought we had it removed last night with a safety scan from windows live one care, but it came back the next day….i really need to get this removed, since it is his work comptuer. i would really apperciate your help.

Matt Potter

Nov 10, 2009 | Reply

I can help Message me…

Matt Potter

Nov 10, 2009 | Reply

send a me a request and ill walk you through it. I beat it with no software yesterday

ronel

Nov 9, 2009 | Reply

OMG! I have had so many antispyware problems. Once I get rid of one they keep coming back with it being harder to get rid of. My computer is so slow and the “file search” is taking forever. I downloaded maleware but that didntwork.DX. I feel like getting a bat and destroying my damn computer and getting a dell. EERRR
There are so many porn pop-ups and they are really getting a nnoying. I’m scared O_O

Really ned help with this!!

Allyson

Nov 9, 2009 | Reply

Ugh I just got hit with this scam today. I hope this works for me….

Mira

Nov 9, 2009 | Reply

I don’t see any of those registry keys, processes, or files on my computer at all! Also, I can’t afford Spyware Doctor AND I can’t get my computer to start in safe mode :(

Is there ANY other way? :(

kc

Nov 9, 2009 | Reply

i am having the same problem suziq is having. i have tried everything to get rid of this thing. Boot is safe mode try and delete files run Malwarebytes which was already downloaded on my computer and i cant even use it because of this antivirus system pro. i need help any suggestions…this thing is so annoying

APO

Nov 8, 2009 | Reply

I will answer Amy’s question and add a little more. I ended up running MALWAREBYTE(MWB), which I loaded on the infected computer from a flash drive since I could not get on the internet.

First, I ended the sqhusysguard.exe process in Task Manager, which I accessed from Start>Run>taskmgr.

Registry Keys

For MWB, I first ran a Quick Scan and got no results. I then ran a Full Scan and came up with the following hits:

Registry Key

HKEY_CURRENT_USER\SOFTWARE\AvScan

Registry Values

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afgflsak

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xfbtgpqs

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afgflsak

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xfbtgpqs

Files

C:\System Volume Information\_restore{C270FBA8-9F0F-4C49-A9E4-437A0B65B651}\RP1143\A0142533.dll

C:\System Volume Information\_restore{C270FBA8-9F0F-4C49-A9E4-437A0B65B651}\RP1143\A0144528.dll

C:\System Volume Information\_restore{C270FBA8-9F0F-4C49-A9E4-437A0B65B651}\RP1143\A0146533.dll

C:\Documents and Settings\”username”\Local Settings\Application Data\isemlo\sqhusysguard.exe

C:\Documents and Settings\”username”\Local Settings\Application Data\khkiad\sxkjsysguard.exe

(I also found the 2 ****sysguard.exe files above in the Windows/Prefetch folder as mentioned above also)

After a Restart, it appears to be gone!!

If this did not work, my next attempt would have been running MWB in Safe Mode as mentioned in earlier postings.

suziq

Nov 8, 2009 | Reply

It appears to have migrated. Cannot boot in safe mode, cannot access task manager, and all previous restore points appear to be gone. (I’m guessing the bad guys are reading the posts on this one…NOTHING I’ve seen has worked on my machine.)

Ran Malwarebytes and THOUGHT it fixed the problem, but it was back when I rebooted.

Computer is now on track to become a boat anchor unless someone has a better suggestion…

APO

Nov 8, 2009 | Reply

I am still not clear how you determine which Registry Keys are assoiated with this program.

Earlier posts talk about AVScan but when asked whether or not to delete it, there was no response. (see below)

Any suggestions?

ACE 6/22/09
“I didn’t have any of the files either, but endins sysguard.exe in task manager stopped the popups. I did find a few of the registry entries and deleted HKEY_CURRENT_USER\Software\AvScan and a couple more. That removed the rest and it seemes normal now. No more virus.”

AMY 7/5/09
“Is it safe to delete HKEY_CURRENT_USER\Software\AvScan?”

Denny

Nov 8, 2009 | Reply

I had this thing on my work laptop and I ran Malwarebytes but no use. Popups and quick launch icon disapper when i delete the xxxsysguard.exe from tasklist. But ther are back next day.

I haven been using Malwarebytes on my home Laptop for a long time and it always works. For some reason its not doing the trick on my work laptop. It says it quarentined and deleted the files every time I run it but it comes back immediatly after rebooting.

Unfortunately I am not allowed to do a sys restore on my work laptop. I am in a pickle…can any one help.

dennis

Nov 7, 2009 | Reply

It also shows up as eharsysguard.exe
Minimal registery enteries and 2 entries in the start-up tab under MSCONFIG. 1 process running under an alphabet folder name under docs&sets\user(login name)\local sets\app data\( I.E ) xqsyka.

Brett

Nov 7, 2009 | Reply

Another process name for taskmanager – efhesysguard.exe Seems that they change it regularly, or that its a randomly generated name for the process now.

Had the same issues other people were having about the crap-ware telling me that taskmanager, Malwarebytes, and even firefox were infected… attemt to open the programs repeatedly and they’ll eventually start. Once Malwarebytes was running without interruption, the infection was quickly cleaned up.

Jamie

Nov 7, 2009 | Reply

Under Windows Task Manager I don’t even have SYSGUARD, are there any other image names it could be under?

ekcat

Nov 6, 2009 | Reply

John,

I had the same problem with Antivirus System Pro hijaking my computer. I tried everything that is listed here and nothing worked because it kept blocking everything I tried. Finally, I finally did a system restore to early this morning and that took care of the problem. Hopefully, you are able to do this.

E

Dave

Nov 6, 2009 | Reply

Mine got hit today as well. Did a google on antivirus system pro and found Malwarebytes‘ anti-malware. Dnlded and ran once then rebooted. Didn’t work, so I restarted in safe mode w/networking, ran anti-malware again after checking for updates. Problem solved…so far.

John

Nov 6, 2009 | Reply

my computer is not letting me open up the task manager, it is saying the file taskmgr.exe is infected. do you want to activate your antivirus software now?

howie

Nov 6, 2009 | Reply

Great info thanks for sharing
I got it off but took me a while to find the files but I did it

poderio

Nov 5, 2009 | Reply

I have tried this for the last years and it has worked:

1- Backup your personal files
2- Re-install all your system using the recovery disks that comes with your pc or laptop. (you don’t need to be geek to do this)
3- If you dont’ have the original disks try to invest in an original windows (i prefer XP) and look for the installers on the manufacturer’s site ONLY! or you will get infected again.
4- Keep the new windows disk and backup the drivers you downloaded. You will need those for future recoveries for SURE!

This way I havent spent a single penny by buying any antivirus.

LET’S STOP THE ABUSE!!

Doug

Nov 3, 2009 | Reply

Just found “jcfsysguard.exe” in the task manager and that DAM Antivirus System PRO went away. Spent four hours on this stupid thing. Just an FYI

Erik

Nov 3, 2009 | Reply

I will swear by Malwarebytes‘ Anti-Malware It took me all of about ten mintues to get rid of the annoyance that is Antivirus System Pro..

Bobbi

Nov 2, 2009 | Reply

I was not able to find any of the files you listed. My computer can’t find any part of Antivirus System PRO so how do I get rid of it?

kristen

Nov 2, 2009 | Reply

okay, when i try to start taskmanager the fake antivirus warnings pop up and say that it is infected and it will not come up. what do i do! i also had installed Malwarebytes to get rid of it because i found a forum where everyone said it had worked but the fake alerts would not let me open this either.. please, please, please help me.

marc

Oct 31, 2009 | Reply

shut your computer down and before anything gets loaded got to the system restore and reload to an earlier date. it wiped it all out.

adnan

Oct 30, 2009 | Reply

What if I can’t start regedit because it tells me the administrator has blocked access to regedit? Which I know is not true…

Also, I cannot launch taskbar because that’s blocked too…

melissa

Oct 29, 2009 | Reply

Yes I found hmpqsysguard.exe hiding in program files\tlfkua. Thanks!!!

mort

Oct 27, 2009 | Reply

another new name, toysysguard.exe

Evan

Oct 27, 2009 | Reply

Read the above comments, but note that the sysguard file has likely changed. it is now jyhfsysguard (just look for something ending in sysguard in processes). Find it in task manager, note the name, and then stop it. Then run search to find the file location. Once you do, rename and delete the files. Currently prefetch in windows and mieqei in programfiles. Then run regedit.

lilkunta

Oct 26, 2009 | Reply

hello kristopher

This thing (is it a trojan? virus? malware?)
has disabled me from getting online via wifi, from editing the registry, and from doing sytem restore. Please what do I do?

I think it has even disbaled safe mode. Bc when I hit f8 and choose safe mode, the comp (toshiba L25 laptop with windowws xp sp2) restarts. I have to choose ‘ Directory Service Restore Mode’ or ‘Debugging Mode’, and then Safe Mode loads.

How do I kill it /delete it? I cant get online to d/l an AVG or anti malware. Thanks.

Jordon

Oct 23, 2009 | Reply

I couldn’t find any of the files but i did find this ‘AVS4YOU’ is that Antivirus System PRO files?

Justin

Oct 23, 2009 | Reply

Deb’s advice worked for me:

Start your computer in safemode and download and run Malwarebytes.

Nick

Oct 22, 2009 | Reply

This happened to me, the file was named “dboesysguard.exe” in the folder Program Files\knshys. I also had a file in my WINDOWS/system32 folder called “~.exe”. Both files had a beach ball icon. Other than those changes, the directions above are spot on.

A bit of advice: when restarting, pull up your task manager right away (ctrl+alt+del), and make sure to stop the AVP scan as soon as it starts. I found this helped keep me from the issues of having this thing kill my tm or cmd window or anything else by saying the file was infected. If it doesn’t run long enough to throw the false positives, you can easily go about your business of killing it.

Good luck all!

Andreas

Oct 21, 2009 | Reply

If you cant reach processes through ctrl+alt+delete, try startmeny-run and type taskmgr.exe and hit OK. worked for me.

Kristine

Oct 19, 2009 | Reply

The new name is tnxesysguard. ctrl>alt>delete>Processes>tnxesysguard>End Process.

And then searched this name and deleted it.

marie

Oct 18, 2009 | Reply

Guys, if you’re using Microsoft as an operating system, I suggest you try contacting Microsoft and they would give you free assistance. Their technical support had helped me cleaned up my computer from Antivirus System Pro Alert pop ups, and other malwares today for free. They have excellent technical support and of course you are assured that you’re dealing with a reliable company. Try searching for Microsoft Consumer Security Support Center. Here’s the link.

https://consumersecuritysupport.microsoft.com/default.aspx?mkt=en-us&scrx=1

Dee

Oct 17, 2009 | Reply

I had problems even after I installed the freeware Malwarebytes. I

I was having problems even getting that installed properly due to the FAKED pop ups saying all these different files are corrupted.

I restarted my computer in safe mode.

When Malwarebytes STILL didn’t work. I hit the INSTALL PROGRAM for Malwarebytes again (while still in safe mode).

Malwarebytes installed as if it wasn’t already installed. It ran perfectly. It stopped the pop-ups in safemode.

I started the computer again and the pop-ups had stopped there too.

I ran Malwarebytes again in regular mode to make sure it didn’t miss anything that wasn’t running in safe mode (It hasn’t so far)

Now I can look for some the registry keys etc listed here at my leisure.

Good Luck Deb

Jason

Oct 15, 2009 | Reply

it’s not even letting me open regedit or task manager to try these things? It says that these programs are infected yada yada

Gzus Raider

Oct 14, 2009 | Reply

my mom payed and downloade this crap. i erased all they listed. Is there any more damage or threat still in pc.?

izz

Oct 14, 2009 | Reply

Al Alla…

you r such a life saver thx so much…

anster

Sep 28, 2009 | Reply

i really really thank you
first i almost quit cuz i was confuse
and these pop-up thing y are so annoying
i cant focus on the instructions and now i did it…
thank you very much…

Frank

Sep 23, 2009 | Reply

okay i downloaded and installed Spyware Doctor and I cannot open the program

Dave Korpi

Sep 20, 2009 | Reply

The slimeball is getting sneakier on Sept 2009 the executable is called apbsysguard.exe and lives in ProgramFiles/nuhuhm and the iehelper.dll is still in the system32 subdir.

sampath

Sep 17, 2009 | Reply

Hi guys , i have the same problem, and none of these instructions worked for me , after 3 hours of hard work i found dcfkut folder under c:\program files , which has one exe file, i didnt get the exact name of the file , but it starts with flrsys…exe , i renamed the file and the folder , restarted the computer and my pop-ups from Antivirus system pro has stopped. it worked for me so far.

LKW

Sep 11, 2009 | Reply

How amazing is this? I had this antivirus system pro thing annoying me to death, popping up porn sites and blocking me from using other programs. So I tried the seach and destroy routine. I ran my AVG and it didn’t get rid of it. Saw all this info about how Spyware Doctor would do the trick. So, I bought it. And then miraculously, with only downloding the program and scanning, the Antivirus System Pro was gone. It’s a miracle…..or is it?

ifredoto

Sep 10, 2009 | Reply

Firsd thing I did was search the users cookies with him standing there. Low and behold there was a cookie to a ‘questionable site’ which he claimed just started poping up.

I scanned for all of the files mentioned above, on the HD as well as the registry. Some I was able to locate and delete. I also found the ASHKJI file folder but could not deletre the EXE file. I finally booted the computer up in a safe mode and was able to delete the file and folder. After deleting the file & folder I rescanned the registry and hard drive and removed the remaining traces of this file.

Catnip

Sep 9, 2009 | Reply

Tiens, son «mari» va s’en occuper «plus tard»… lequel, et quand ?

Kathy

Sep 7, 2009 | Reply

I deleted the Sysguard entries (agwxsysguard and agwxsysguard.exe-08469,) and the popo ups went away, but now I can’t access the internet. What now?

Nila

Sep 6, 2009 | Reply

the weird thing is im supposed to have this really good anti virus on my computer, called Symantec endpnt protection, i have scanned twice already today and it keeps telling me i dont have anything and that my computer is clean.

Nila

Sep 6, 2009 | Reply

so should i delete all the HKEY folders?
for example it shows right now an,
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG…..
SHOULD I JUST DELETE THOSE FOLDERS AND ANYTHING IT COMES WITH THEN?
AND THEN IT WILL GO AWAY. I BASICALLY TRIED EVRYTHING ON THIS SITE IT ASKED BUT COULDNT FIND ANYTHING, THEN I STARTED READING THESE COMMENTS AND UNDERSTOOD BETTER. NO MORE POP UPS BUT LIKE SOME1 SAID ITS STILL IN MY COMP, SO SHOULD I DELETE THOSE FOLDERS??? THANKS FOR HELPING BY THE WAY!

Hannes

Sep 2, 2009 | Reply

The name of the file changed. It is now “ymawsysgaurd.exe”. Stop the process first and then delete the file. The file is not detectable with “search”. Search manually. This does not delete all the crap files, but at least no more stuff popping up on your screen.

george

Aug 21, 2009 | Reply

Malwarebytes is the only thing that worked that fuckin anti virus system pro put 338 infections on my laptop ,, if i find the persons who created this ill break their fucking head open

Mike

Aug 19, 2009 | Reply

These sites such as Antivirus Pro. Who intentionally infect your PC. with the intent Of getting you to pay to remove thier infections. Should be noted And Reported To The Internet fraud Department Or FBI.
This is illegal and common Fraudulant use of computer Software. To remove This Software. Download Malwarebytes ( free ) scan your computer. it will automatically detect the changes made in the system registry. would also recommend Spybot-search and destroy. And AVG Free. All the above mentioned Software Is Available free For Download. Search The Web. Another Tip Is that if you get infected By This. press ctrl/alt/del which will open the task Manager. select Processes. Scroll down. To see whats Actually Running. you Can Stop The Running process in question. to allow a full uninterupted scan. Hope This Helps you all out. Mike @ Abracadabra Computers.

QBALL253

Aug 19, 2009 | Reply

Tried Spyware Dr., found infections and when went to fix, had to buy/register software. Downloaded Malwarebytes, scanned, found and removed ALL infections…for FREE!!!

Linden

Aug 19, 2009 | Reply

I had Anti virus System PRO.
It was driving me nuts.
After many hours of messing with it, I re-booted in SAFE MODE and restored all files to the day before the damm thing infected me. thanks Linden

Sam

Aug 16, 2009 | Reply

I could not find any of the files mentioned here until i searched for systemguard in safe mode which i found in two locations. I was able to remove them in safe mode without having to rename the files. I since downloaded STOPzilla and ran the scan and discovered 48 other files located in very incospicuos places with totally unrelated names but all are a part of this particular virus. Stop zilla is not free but it is also not expensive so I for one definitely recommend it as now I do not have to reformat my entire hard drive to get rid of AVsystem pro. Good Luck to all.

Andy

Aug 16, 2009 | Reply

You are life saver. Thank you very much.

MJB

Aug 15, 2009 | Reply

Sometimes, you cannot remove the files for antivirus system pro because, in my case, when I delete one file/process, it reinstalls/reactivates.

DarkEnergy

Aug 15, 2009 | Reply

Those guys have modified the file names

Search thru Task Manager/Properties to disable for:
uomsysguard.exe

Am still searching for the location of the files so I can remove them

tpham

Aug 15, 2009 | Reply

Al Alla, you’re life saver!

I didn’t find the exact name but a similar one. After highlight it in the Process tab of Windows Task Manager, hit the “End Process” then “Yes”
It’s gone!
I bet thousands people out there will appreciate your finding.
“Antivirus System Pro” is a devil. It installed or tricked its program in our PCs without premission!

shoneseto

Aug 13, 2009 | Reply

Just wanted to say I could not find any of the files or registry entries at all. However, I did read the post about free melwarebytes software. It wored. I copied on to my flash drive from another computer and installed from the drive to my infected system. I let the scan run and because I could not get internet work I let it run without the updates. One scan and one reboot later I was up and running. Warning I did a search for melwarebytes and the first one that comes on my google search is not real. It is a red page that looks pro but if you try to download it is itself a trojan. Mcaffee caught this fo me. I went on to the next link and this one was lagite. NIce lite blue page. Thans Shat it wored perfectly

Kyle

Aug 12, 2009 | Reply

Absolutely marvelous. This process worked, and has saved me alot of trouble, thank you so much.

Laura Taff

Aug 11, 2009 | Reply

There were two vital pieces of advice here that helped me. One was that the name was hidden as SYSGUARD, and the other was that you had to re-name the files to delete them.

However, the advice on opening your task manager to stop the pop ups did not work because antivirus system pro would not let me open my task manager because it said it was contaminated. So frustrating!

But when I ran a search for SYSGUARD it found the files where this was located. One was in Windows called prefetch and the other was in program files called gbobck. So I renamed prefetch and was able to delete that without a reboot. I did have to re-boot the computer to delete the re-named gbobck file, but was able to do it….no more Antivirus System Pro! Thanks so much for the advice on here!!!

Jim

Aug 6, 2009 | Reply

I too couldn’t remove it manually. Finally AVG 8.5 got rid of it. Antivirus System Pro Alert is slow to load. I rebooted, logged on and started AVG before anything else. Somehow the scan started and ran to completion. Took almost 2 hours but haven’t seen the virus now for 2 days. Got lucky I guess.

Latoya

Aug 1, 2009 | Reply

Al ALLA — yOU ARE definitely CORRECT… As soon as I deleted that from the processes then the popup stopped plus the icon went away.

THANK YOU SOOOOOOOOOOOOOOO much..

Latoya

JR

Jul 30, 2009 | Reply

Josh,
I am havimg the same exact issue. Did you find an answer? If not does anyone have suggestions. I don’t see any files in Registry and drive c:. I can’t access internet with IE or FireFox. When I go to email it puts me into a browser properties screen.

Thanks in advance for any direction.

JR

Josh

Jul 26, 2009 | Reply

I seem to not be able to find all of the reg entries. I notice some are similar, and I wondered if that meant that there would only be one of them, that it could be different per machine. I however can only find 2 of the entire set of reg entries, and I’ve checked over and over. The other issue is that all of the automated removals require me to download and execute a .exe file, which I can’t do because this thing disables that ability. I find it interesting that everyone says to do that when it isn’t possible. Also, I have attempted to reset the .exe reg file, but without being able to restart it does not good. And if I restart without finding all the AVSP files then it reverts back anyway. I did manage to get my task manager back, but again, if I restart it goes back as well. Any suggestions?

Miles

Jul 21, 2009 | Reply

I stop the virus in taskmanger but i cannt access the internet. everytime i try and get on it just pop ups to “you comp is at harm” and wants me to go to its website only. How to i get rid of this part of the virus? I have Norton and is doesnt take care if it.

Bob

Jul 19, 2009 | Reply

I tried searching for the antivius pro system files you listed but after over an hour none show up.–Now what??

amy

Jul 5, 2009 | Reply

wat do i do if i cannot find all of the files suggested to be deleted in the registry- do i assume the virus is gone? Does anyone know any other registry files that should be deleted?

amy

Jul 5, 2009 | Reply

?????

amy

Jul 5, 2009 | Reply

is it safe to delete HKEY_CURRENT_USER\Software\AvScan

Rick

Jul 5, 2009 | Reply

Dude you are THE MAN thanks for the great inside info and instructions!

You did a good deed!

Saty13

Jul 4, 2009 | Reply

To “ggg”
Do NOT ever interact with “Anti Virus System PRO” malware except to shut down the warnings and windows it pops up! You are just asking for more trouble by interacting with it as if it is a legitimate company. Your money is not going to be refunded and the longer you allow these hackers to have control over your computer and credit card information, the worse your security problems will be. Get these files off your computer as you humanly can!!

Saty13

Jul 4, 2009 | Reply

Here’s one way to delete the files that refuse to delete (for example…)
WINDOWS\sysguard.exe
WINDOWS\system32\iehelper.dll

Supposedly they are “in use” or “write-protected” (so says the error message when you try to delete them). Just re-name the files (for example, I re-named sysguard.exe to sysguardHELP.exe). Re-name them both and then RE-START your computer. You will now be able to delete the RE-NAMED files. Re-naming the files prevents the program from starting up after a re-boot, but it won’t stop the program from doing its mischief already in progress.

After you deleted these files you can proceed to delete the registry entries, if they are on your computer. I only found one: HKEY_CURRENT_USER\Software\AvScan

If you don’t know how to find the registry entries hit the START button in the lower left hand corner then click on “Run.” Type “regedit” and then hit enter. Windows explorer will open and you will now see the “HKEY” folders listed. I CAUTION YOU: don’t play around with this stuff unless you are VERY careful and are confident of what you’re doing. Erasing the wrong file in the wrong place could be a disaster. And do NOT erase an entire folder if the instructions say to delete just one file within that folder. Check and double-check to make sure you are in exactly the right path and folder listed in the instructions. There are many folders and files that sound the same but are not exactly the same. Good luck!

ggg

Jun 29, 2009 | Reply

hey can u help me, i got that anti virus pro . i want to return my money there was some return policy. helPPPPPPPPPPPPPPP meeeeeeeeeee guys tnks for reading

DEAr ,..

Shay

Jun 29, 2009 | Reply

follow-up to above: I installed Malwarebytes Anti-Malware software (which was free), did a quick scan then removed all infections and rid my computer of the Antivirus System Pro!
No more pop-ups even at start up, no more viruses. It was very easy and took no time at all. I hope this helps some of you. Try it.

Shay

Jun 29, 2009 | Reply

zHotkey.exe is listed in my task manager. Will deleting this help remove AVSystem Pro or will it do more harm than good. Thanks

Not important

Jun 24, 2009 | Reply

As far as I’m concerned – EVERY website like yours pushing a $30 malware removal tool is just as guilty of scamming consumers as the people who developed the software? What’s your commission on each sale of these bogus tools?

leah

Jun 22, 2009 | Reply

it won’t allow me to delete the “iehelp” from the files and folders. also, once i deleted sysguard.exe from the task manager, it returned the next day! what do i do?

Ace

Jun 22, 2009 | Reply

I didn’t have any of the files either, but endins sysguard.exe in task manager stopped the popups. I did find a few of the registry entries and deleted HKEY_CURRENT_USER\Software\AvScan and
a couple more. That removed the rest and it seemes normal now. No more virus.

Denise

Jun 16, 2009 | Reply

Actually, this works for every time you sign on, but the program still exists within your computer. At any rate, I am glad to at least be able to stop the pop ups when I sign on, and my husband will take care of removing the -program later.

Denise

Jun 16, 2009 | Reply

Nevermind. The pop ups stopped and the icon is gone. This seemed to have worked so far.

Denise

Jun 16, 2009 | Reply

You are right. This stopped the pop-ups. Although the icon still remains at the bottom of my desktop. How do I rid myself of this on my computer?

Al Alla

Jun 16, 2009 | Reply

it’s hidden as SYSGUARD.
watch: 1) hit ctrl+alt+del , 2) highlight sysguard.exe and 3) click ‘end process’…
the pop-ups quit

Frank

Jun 4, 2009 | Reply

I also can’t find any of these files and its driving me nuts…These intructions don’t work

Yael

Jun 3, 2009 | Reply

I agree with Rabih, your instructions are not valid. I have a guy here at work who got this Antivirus System Pro Alerts… but none of your instructions helps finding where it is installed.

I tried Search C, Regedit etc.. all of your tips and there is no such files as you describe. Do you know what name this Trojan – like program will hide under? Registry key names or processes?

BR // Yael

rabih

May 31, 2009 | Reply

Dear, i couldn’t find the Anti Virus System PRO files in the Program files, also i couldn’t find the registry entries that you have mentioned.
please advice
thanks.

1. Trackbacks

2. May 11, 2009: Remove Antivirus System 2009 (Removal Instructions) | 411 on Spyware
3. May 13, 2009: Top 5 Free Antivirus Software
4. May 15, 2009: Top 5 Free Antivirus Software | Best Tutorials, Tips, Tricks For You
5. Jun 6, 2009: Remove “Spyware Alert” Popup (Removal Instructions) | 411 on Spyware
6. Jun 6, 2009: Remove Antivirus System Pro Alert (Removal Instructions) | 411 on Spyware
7. Jun 8, 2009: Remove Win32/Nuqel.E (Removal Instructions) | 411 on Spyware
8. Jul 7, 2009: Remove Windows Security Suite (Removal Instructions) | 411 on Spyware
9. Jul 8, 2009: Remove Security Central (Removal Instructions) | 411 on Spyware
10. Sep 9, 2009: Remove AwareRemover.com (Removal Instructions) | 411 on Spyware
11. Nov 12, 2009: My scareware night and how McAfee lost a customer | Between the Lines | ZDNet.com