
Antivirus Live

Posted on 11 December 2009 under Rogue Programs

1. What is Antivirus Live?

Antivirus Live is a misleading application (not a virus), a fake anti-virus program that is not capable of eliminating computer viruses as it promises. Its only goal is to make money by deceiving the user. Antivirus Live is from the same family as Antivirus Soft.

The main indications of Antivirus Live, which can also be observed in many other rogue programs, are false reports that the computer system is compromised, a misleading impression that Antivirus Live is recommended by Windows, and changes to the system registry so that the program is launched every time the OS boots.

In order to convince the user that Antivirus Live is recommended by Windows, a fake Security Center is installed along with the program itself. Security Center is found in Windows XP (beginning with Service Pack 2) and later versions; it was renamed the Action Center in Windows 7. The fake Windows Security Center looks the same as the original, and even the icon in the Taskbar notification area is identical (a red shield); only the Firewall, Windows Update, and Virus Protection sections differ, advertising the rogue Antivirus Live as the recommended solution for the computer's security gaps.

Every fake anti-virus program, Antivirus Live included, gives the impression that the computer is being checked for viruses and finally generates a report listing supposedly detected threats. To remove the "found" threats, the user is asked to buy a "licensed" version of Antivirus Live. Possessing a "full" version of the program will not clean the computer of malware, and it will not protect the computer either.

The Trojans associated with Antivirus Live also modify Internet Explorer settings so that no web page can be opened, except for the Antivirus Live web page, which is needed to carry out the payment transaction.

What to do if there is no internet connection?
  • Launch Internet Explorer
  • Go to Tools and then Internet Options
  • Choose the Connections tab
  • Click on LAN settings
  • Uncheck the box next to Use a proxy server for your LAN
  • Click OK to close the current window
  • Click OK to close the Internet Options window

The Trojans will block any application from being run, claiming that it is infected, in order to prevent the installation of an anti-spyware tool that might remove the infection. Opening Task Manager also results in the message "Application cannot be executed. The file is infected. Please activate your antivirus software". Before downloading the Antivirus Live removal tool, the malicious processes should be ended. The following guide explains how to launch Task Manager.

To start the Antivirus Live removal process:
  1. Go to the Windows directory and open the System32 folder (C:\Windows\system32).
  2. Rename the file taskmgr.exe to iexplore.exe (or taskmgr to iexplore if file extensions are hidden).
  3. Double-click the renamed file iexplore or iexplore.exe. If you were able to open Task Manager, go to Step 5.
  4. If Task Manager still cannot be started and the message "Task Manager has been disabled by your administrator" appears, go to Start -> Run, type in
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
    and click OK. Then repeat Step 3.
    * Editing the Windows Registry is complicated and should be performed by an advanced computer user. Use this guide at your own risk.
  5. Under the Processes tab, search for [random_string]sysguard.exe (for example bshwsysguard.exe) and end the process by selecting it and clicking the End Process button.
  6. Proceed by downloading the Antivirus Live removal tool below without rebooting the computer.

2. Antivirus Live screen shot:

[screen shot: Antivirus Live]

3. How to remove Antivirus Live:

  1. The Internet connection might be disabled or the Internet browser might be blocked by Antivirus Live, so it may not be possible to download any files to the infected computer. In this case, please download all files required for Antivirus Live removal on another computer and then transfer them to the infected one using a CD/DVD or USB flash drive.
  2. To remove Antivirus Live, download Spyware Doctor and install the program. Before installation, make sure all other programs and windows are closed.
  3. After the installation, a computer scan should start automatically. If so, please move to the next step. If not, click "Status" in the left-side menu and press the "Scan Now" button to run the computer scanner as shown in the picture below:

  4. After the scan has been completed and the scan results have been generated, press the "Fix Checked" button to remove Antivirus Live.

  5. Restart the computer to complete the Antivirus Live removal procedure.

4. Antivirus Live files:

[random string]sysguard.exe

5. HijackThis entries:

O4 - HKLM\..\Run: [eeqeqhay] C:\Documents and Settings\[user]\Local Settings\Application Data\pafrfi\bshwsysguard.exe
O4 - HKCU\..\Run: [eeqeqhay] C:\Documents and Settings\[user]\Local Settings\Application Data\pafrfi\bshwsysguard.exe
* the strings shown in red on the original page are random in each case of infection (compare the [random string] prefix in section 4)
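As an added example (not code from the original page), the following Python checks exported artifacts for the indicators described above: the [random string]sysguard.exe autorun entries from the HijackThis section, the DisableTaskMgr policy undone in Step 4 of the removal procedure, and the forced LAN proxy from the "no internet connection" steps (assumed here to be the ProxyEnable value under HKCU\...\Internet Settings, which is what the "Use a proxy server for your LAN" checkbox toggles). The HijackThis log and the .reg export are constructed samples, not captures from a real machine.

```python
import re

# Constructed HijackThis log; the value name, folder and sysguard prefix imitate the random names the page describes.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [eeqeqhay] C:\Documents and Settings\user\Local Settings\Application Data\pafrfi\bshwsysguard.exe
O4 - HKCU\..\Run: [eeqeqhay] C:\Documents and Settings\user\Local Settings\Application Data\pafrfi\bshwsysguard.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed .reg export of the two settings the page tells the user to repair.
SAMPLE_REG_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"""

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
INET_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<path>.+)$")
SYSGUARD_RE = re.compile(r"\\(?P<prefix>[a-z]+)sysguard\.exe$", re.IGNORECASE)

def find_sysguard_autoruns(log_text):
    """Return the O4 Run entries whose target is <random>sysguard.exe."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        s = SYSGUARD_RE.search(m.group("path")) if m else None
        if s:  # keep the random prefix so the file can be matched in Task Manager
            hits.append({"hive": m.group("hive"), "value": m.group("value"),
                         "path": m.group("path"), "prefix": s.group("prefix")})
    return hits

def parse_reg_export(text):
    """Minimal .reg parser: {key: {name: data}} for dword and string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            keys[current][name] = int(data[6:], 16) if data.startswith("dword:") else data.strip('"')
    return keys

def check_lockdowns(export_text):
    """Flag the disabled Task Manager and the forced LAN proxy the page describes."""
    reg = parse_reg_export(export_text)
    return {"taskmgr_disabled": reg.get(POLICY_KEY, {}).get("DisableTaskMgr") == 1,
            "proxy_forced": reg.get(INET_KEY, {}).get("ProxyEnable") == 1}
```

Run find_sysguard_autoruns on a real HijackThis log and check_lockdowns on a `reg export` of the two keys to confirm whether the indicators are present before and after cleanup.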