cheshiregriffin
01-29-2010, 05:37 PM
Browsing through the forums over the past month and a half I've come across not just a few topics on people getting a virus/malware/hijackware from the forums. I cannot say it is caused by the forums, but various people seem to think so. Last night I was on the forums and contracted this malicious program myself. I spent most of the night and all of today working to fix it. From the research I did, the "Antivirus Live" can be contracted from almost any website; it's not just Outspark forums.
I figure, since I managed to fix it, I might as well post on how I fixed it.
(seeing that trying this first might save you a hundred bucks from sending it to a tech)
+Anti virus Live+ = (Identified as) When browsing the net or forums here the Antivirus Live program (fake software) pops up on your screen and starts scanning for viruses, trojans, etc. It will pull up over 20 (fake) problems with your comp and then start giving you warnings of all sorts to say that you MUST buy the full version to fix these (fake) problems. As soon as you click that you don't want to pay them $50 to install the full (fake) version it basically hijacks your computer. Every time you try to open ANY program (even Task Manager) it pops up a warning that "cannot open (file name) the file is infected" and immediately shuts down the program you were trying to open. And very soon your toolbar is full of red shields (mine had over 200 in less than 30 mins). To sum it up, your system is useless.
+Fix+ = The first step is to disable this malware so that you can use programs to do the fix. This requires that you restart your comp. As SOON as your background shows up in Windows hit ctrl + alt + delete and pull up your Task Manager ASAP. Leave Task Manager up and watch in Processes for a program named ?????sysguard.exe (?? meaning random letters); this is the process that you need to disable/end. When you do this, you can use your comp almost as normal until you restart again.
Next, you have to disable the proxy server for LAN in Internet Explorer or use another browser, for example Firefox or Opera. The malware tends to block you from accessing any other site (in IE) than the ones it says you can, which is the one where it wants you to pay to fix it.
Alright, now that you can use your comp and internet again, here is what I did to remove it.
If you don't already have these free programs, then you might want to install them (before starting in safe mode).
(I used a small program called rkill first which is supposed to help disable this malware, but it didn't seem to help)
SUPERAntiSpyware Portable edition
Malwarebytes' Anti-Malware
Spybot search and destroy
---
After you have these 3 programs installed and -updated- (very important), restart the comp in safe mode with networking. And be ready to hit ctrl + alt + delete again to end the sysguard process again.
First thing to do is a search on your local hard drive (Start button - Search): type in sysguard or sysguard.exe, and any file that comes up with either of those names in the file name, DELETE and then clear from the Recycle Bin. They're parts of the malware.
Next run the programs above in this order, and it will take a few hours to run all 3 of them, just have to have patience. It seems that not just one of these can remove all parts of the malware, so a few different ones are needed, and these seem to be the best 3 that I've found in my research. (And these were the ones that worked for me (using Windows XP).)
Next, you will need to clear all of your previous restore points from your computer. I don't know if this part is entirely necessary, although a lot of the sites I did research on stated that the Antivirus Live malware hides parts of itself in restore points. So later on when you have a different problem and use a restore point, the malware comes back up full force and has to be dealt with all over again.
After these steps have been taken, restart your computer in normal mode. This should have removed all traces of the Antivirus Live malware.
If this did NOT work, then you will have to remove the processes and registry values yourself "manually", which, unfortunately, is much more difficult.
I have a link to a page that has a guide on how to remove it manually, although I'm pretty sure I'm not supposed to post links to other websites on forums. So if it comes to this part then just send me a PM and I can give you the site address.
Hope this helps for anyone else who has had this problem, be it from Outspark forums, other sites, or even P2P downloads.
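A read-only check for the symptoms the post describes (the random-prefix sysguard.exe process, the IE LAN proxy the malware switches on, and sysguard files left on disk), as an added example in Windows PowerShell that is not part of the original post. The process-name pattern comes from the post; the Internet Settings registry path and DriveType 3 (local fixed disk) are standard Windows, and the script assumes you have already ended the process as the post describes so that PowerShell can be opened at all.

```powershell
# Added example, not from the original post: report-only checks for the
# Antivirus Live symptoms described above. Assumes the rogue process is named
# <random letters>sysguard.exe, as the post states. Nothing is deleted here.

# 1. Running processes whose image name ends in "sysguard.exe", with full path.
#    Win32_Process is used instead of Get-Process because it exposes ExecutablePath.
$suspects = Get-WmiObject -Class Win32_Process |
    Where-Object { $_.Name -like '*sysguard.exe' } |
    Select-Object ProcessId, Name, ExecutablePath

if ($suspects) {
    Write-Host 'Suspicious sysguard process(es) found (end these in Task Manager):'
    $suspects | Format-Table -AutoSize
} else {
    Write-Host 'No *sysguard.exe process is running.'
}

# 2. Per-user IE/WinINet proxy setting. The post says the malware forces a LAN
#    proxy so IE can only reach the page that asks for payment.
$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($proxy -and $proxy.ProxyEnable -eq 1) {
    Write-Host ('Proxy is ENABLED for this user: {0}' -f $proxy.ProxyServer)
    Write-Host 'A home PC normally has ProxyEnable = 0; clear it under Internet Options > Connections > LAN settings.'
} else {
    Write-Host 'No LAN proxy is configured for this user.'
}

# 3. Files named *sysguard.exe on every fixed drive (the post's manual search step).
#    Hidden/system files are included with -Force; unreadable folders are skipped.
$fixed = Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.DriveType -eq 3 }
foreach ($d in $fixed) {
    Write-Host ('Searching {0}\ for *sysguard.exe ...' -f $d.DeviceID)
    Get-ChildItem -Path ($d.DeviceID + '\') -Recurse -Force -Filter '*sysguard.exe' -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize
}
```

Run it from an elevated Windows PowerShell prompt; anything it lists is what the post's manual steps tell you to end, reset or delete, and an empty report after the scanners and reboot is a reasonable sign the cleanup held.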