
Thursday, October 7, 2010

How to remove Antivirus Action malware (Uninstall Guide)

Antivirus Action is a rogue security program that pretends to be legitimate anti-virus software in order to deceive users into paying a registration fee to remove malware from their computers. It is a ripoff rogue that claims your computer is infected with spyware, adware, Trojans and other malicious software. Antivirus Action reports predetermined infections; it does not even scan your computer. This rogue program is distributed through fake online anti-malware scanners, infected web pages and other malware. Usually it masquerades as a video codec or Flash Player update. It can also come bundled with other malicious software. The thieves use social engineering, spamming and other misleading methods to promote their bogus software as well. If your computer is infected with this rogue program, please follow the removal instructions below to remove Antivirus Action and associated malware from your computer for free using legitimate anti-malware software.




(Thanks to rogueamp)

Antivirus Action is from the same family as Antivirus IS, Security Suite and Antivirus Scan. Once installed, it will pretend to scan your computer for malware and display fake security warnings. The bad news is that Antivirus Action will block nearly all programs on your computer. When I attempted to start Windows Calculator, the rogue program terminated it and displayed the following message:
Security Warning
Application cannot be executed. The file calc.exe is infected. Do you want to activate your antivirus software now.


It displays the same fake alert for every other program on your computer. It blocks Windows system tools such as Task Manager, Registry Editor and even System Restore. And, of course, it blocks anti-virus and anti-spyware programs. But don't worry: it's a false message, your programs are not infected. Antivirus Action just wants to scare you into thinking that your computer has a security problem so that you will purchase the program.

What is more, this bogus program sets up a local proxy server on your computer and changes Internet Explorer's proxy settings so that your web traffic is routed through it. It then displays a false warning about malicious websites that contain exploits that could launch malicious code on your computer. The fake message reads:
Internet Explorer warning - visiting this site may harm your computer! Most likely causes:
The website contains exploits that can launch a malicious code on your computer
Suspicious network activity detected
There might be an active spyware running on your computer
It displays other fake Windows security alerts and notifications about critical infections too. In order to remove Antivirus Action you will probably have to reboot your computer in Safe Mode with Networking and scan it with Malwarebytes Anti-Malware, SUPERAntiSpyware or another free anti-malware program. Full details on how to reboot your computer in Safe Mode with Networking and remove this malware are given below. Please note that in some cases Antivirus Action comes bundled with the TDSS rootkit. You should scan your computer with the TDSSKiller utility after you remove the rogue program. For more information please read the TDSS, Alureon, Tidserv, TDL3 removal instructions. Last, but not least, copies of this rogue's files may be kept in your System Restore points, so restoring an old point could bring it back; it would be a good idea to purge all old restore points and create a new one after you remove Antivirus Action.

It goes without saying that you shouldn't purchase this rogue program. It gives a false sense of security and deliberately reports false security threats. If you have already bought it, please contact your credit card company and dispute the charges, explaining that the program is fake. If you have any questions or additional information about Antivirus Action, please leave a comment. You should warn your friends about this rogue program as well. Good luck and be safe online!


Antivirus Action removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key repeatedly, which should bring up the "Windows Advanced Options Menu" as shown below. Use the arrow keys to select "Safe Mode with Networking" and press Enter. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Log in as the same user you were logged in with in normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe (the rogue does not block executables with those names). On Windows Vista and 7 all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Antivirus Action removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for an entry like this in the scan results:
O4 - HKCU\..\Run: [wzdporfhs] %Temp%\hxhdkesjd\qorhkvbyhsn.exe

The process name will be different in your case ([SET OF RANDOM CHARACTERS]yhsn.exe); it is located in:
C:\Documents and Settings\[User Name]\Local Settings\Temp\ for Windows XP
C:\Users\[User Name]\AppData\Local\Temp\ for Windows Vista & 7
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

OR you may download Process Explorer and end Antivirus Action process:
  • [SET OF RANDOM CHARACTERS]yhsn.exe
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe (the rogue does not block executables with those names). On Windows Vista and 7 all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Antivirus Action associated files and registry values:

Files:

For Windows XP users:
  • C:\Documents and Settings\[User Name]\Local Settings\Temp\[SET OF RANDOM CHARACTERS]
  • C:\Documents and Settings\[User Name]\Local Settings\Temp\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]yhsn.exe
For Windows Vista & 7 users:
  • C:\Users\[User Name]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS]
  • C:\Users\[User Name]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]yhsn.exe
Registry values:
  • HKEY_CURRENT_USER\Software\[SET OF RANDOM CHARACTERS]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:33921"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]yhsn.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]yhsn.exe"
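As an added example (not part of the original post and not a tool from its author), the following PowerShell script checks for and undoes the registry changes listed above, which is what steps 2 and 3 of the Safe Mode and HijackThis procedures do by hand: the Internet Explorer proxy hijack, the disabled phishing filter, and Run entries whose target lives in the user's Temp folder, for which it also stops the process and deletes the file. It assumes PowerShell is available (Windows Vista/7; it is not installed by default on XP), an elevated prompt, that you are logged in as the infected user, and that any proxy on 127.0.0.1 is the rogue's (the page lists port 33921, but the script matches on the loopback address rather than a fixed port). The HKEY_CURRENT_USER\Software\[SET OF RANDOM CHARACTERS] key cannot be identified without its name and is left for the anti-malware scan.

```powershell
# Added example: audit and undo the Antivirus Action registry changes listed above.
# Assumptions: elevated PowerShell on Vista/7, logged in as the infected user,
# preferably in Safe Mode with Networking so the rogue is not running; any proxy
# on 127.0.0.1 is treated as the rogue's.

$inet    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$phish   = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$temp = [System.IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')

# 1. Proxy hijack: ProxyEnable = 1 and ProxyServer = http=127.0.0.1:<port>.
$proxy = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($proxy -and $proxy.ProxyEnable -eq 1 -and "$($proxy.ProxyServer)" -match '127\.0\.0\.1') {
    Write-Host "Local proxy hijack found: $($proxy.ProxyServer)"
    Set-ItemProperty    -Path $inet -Name ProxyEnable   -Value 0
    Remove-ItemProperty -Path $inet -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $inet -Name ProxyOverride -ErrorAction SilentlyContinue
}

# 2. The rogue sets PhishingFilter\Enabled = 0; turn the filter back on.
$pf = Get-ItemProperty -Path $phish -ErrorAction SilentlyContinue
if ($pf -and $pf.Enabled -eq 0) {
    Write-Host 'IE phishing filter was disabled; re-enabling'
    Set-ItemProperty -Path $phish -Name Enabled -Value 1
}

# 3. Run entries whose command points into the user's Temp folder. The rogue's
#    file name is random, so key on the location rather than the name.
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # PSPath, PSParentPath, etc.
        # Expand %Temp% and strip surrounding quotes to get the executable path.
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value).Trim('"')
        if ($cmd -notlike "$temp\*") { continue }
        Write-Host "Suspicious autorun in ${key}: $($p.Name) = $($p.Value)"
        # Stop any running instance (Path may be unreadable for some system
        # processes, hence the try/catch), then remove the value and the file.
        Get-Process -ErrorAction SilentlyContinue |
            Where-Object { $path = $null; try { $path = $_.Path } catch {}; $path -and ($path -ieq $cmd) } |
            ForEach-Object { Write-Host "  stopping PID $($_.Id)"; Stop-Process -Id $_.Id -Force }
        Remove-ItemProperty -Path $key -Name $p.Name -ErrorAction SilentlyContinue
        if (Test-Path -LiteralPath $cmd) {
            Remove-Item -LiteralPath $cmd -Force
            Write-Host "  deleted $cmd"
        }
    }
}
Write-Host 'Done. Now run a full Malwarebytes / SUPERAntiSpyware scan and TDSSKiller.'
```

Save it as, for example, cleanup.ps1 and run it from an elevated PowerShell prompt (Set-ExecutionPolicy may be needed for an unsigned script). It only handles the persistence and proxy changes on this page; the random-named folder under Temp, the HKCU\Software\[random] key and any bundled TDSS rootkit still need the full anti-malware scan and TDSSKiller described above.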

35 comments:

Anonymous said...

Thanks! This seems to have worked :)

Anonymous said...

Money post dude! Worked like a charm!

Brian said...

Once the Antivirus Action thing ended on my computer (ended of this hour) I noticed that my Google Chrome is not responding to any websites.
For example, when I type in google.com I end up getting a message saying that this site is temporarily down or has been moved. Refreshing doesn't help; refreshing is pretty much the only thing I have tried. The other internet browsers I have don't have this problem. My Firefox works just fine and so does my Internet Explorer.

Anonymous said...

Great relief to have found your support. Really kicked some ass against that annoying program. Cheers/thanks!

Anonymous said...

Thanks! This helped to save my friend's computer... He should know better than dl anything he finds, but hey..

Anonymous said...

^This gets installed without having to click yes or accept anything.

samabraham said...

From operating systems to multimedia, PC & mobile games to anti-virus, from drivers to registry cleaners and internet tools our website features all the latest soft wares for safe and free downloading enjoy.

Anonymous said...

Dear Brian,
you more than likely did not reset the proxy that the program created.
In Internet Explorer go to Tools > Internet Options > Connections > LAN settings and make sure that the proxy box at the bottom is turned off.

Won3two said...

Thanx a lot! this was a great help for a friend of mine!!! I'm fine tho, been rockin' the same mac book for 4 years & no sign of malwares!!! Y'all know the solution!! (no disrespect just kiddin')
Peace

beanierob said...

I followed every step, but now I cannot get online. I get a message saying that my connection was reset. Problem loading page. What can I do now?

PradyM said...

This must be a new variation. My computer got infected on 11/3. I tried all of these steps and the spyware is still there. The problem occurs only with a particular account. I can get online and use the computer using another account. All my executables get blocked, but if I am fast enough after logon I can launch an app (I launch SUPERAntiSpyware that way and it ran for 40 mins).

Looks like my only option now is to reinstall.

Cheng-Chih Yang said...

Hi PradyM,

My Win XP box was infected too on 11/6 (a few hours ago), and I had the same experience that following the same steps did not resolve it. What I found actually worked was

https://community.mcafee.com/thread/28943?start=15&tstart=0

quote techrumy's comment:

"Antivirus Action blocks nearly everything on the computer, but it allows you to use Internet Explorer. Here's a quick set of instructions on how to remove Antivirus Action (it may not work for everyone):



1. Start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options.

2. Click on the Connections tab and then click on the Lan Settings button.

3. Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN. Then press the OK button to close this screen. Then press the OK button to close the Internet Options screen.

4. Download Process Explorer. Before saving Process Explorer onto your computer, rename the installer procexp.exe to iexplore.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator.

5. Run iexplore.exe (Process Explorer). Now you should see a list of active processes on your computer. Look for a process name with random characters, e.g. hdreladagnz.exe. Right click the process name to see where the .exe file is located. It should be located in:

C:\Documents and Settings\UserName\Local Settings\Temp\ for Windows XP

C:\Users\Username\AppData\Local\Temp\ for Windows Vista & Windows 7

6. End the process using Process Explorer and then delete the file.

7. Download MalwareBytes anti-malware or SUPERAntispyware and run a full system scan. Both programs are free and should remove all the remains of Antivirus Action malware.
"

Doing 1-6 alone seems to keep Antivirus Action away already.

Another easy way was to press Ctrl+Alt+Del once you boot into Windows to start the Task Manager (before Antivirus Action even starts), and look for some process with random characters and close that. Yet doing this does not completely remove the malware, it simply keeps it from running.

Anonymous said...

Hi,I just got rid of the Antivirus Action by deleting the random .exe under Task Mgr. but now I can't access internet explorer. Also, I did get the chance to find out where the .exe file is located, so I have not removed them from the registry. What should I do now?

Cheng-Chih Yang said...

Regarding accessing Internet Explorer, did you try the following:

1. Start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options.

2. Click on the Connections tab and then click on the Lan Settings button.

3. Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN. Then press the OK button to close this screen. Then press the OK button to close the Internet Options screen.


The above steps worked well for me.


Also for my comments above, I found that SUPERAntispyware did not resolve the problem but MalwareBytes anti-malware seemed to do a better job in locating the malware.

One problem I had with MalwareBytes anti-malware though was that it kept reporting errors when it detected the problem. And once there were too many of them, it just froze so I had to stop the scan and remove the problems it found at the time. So far the Antivirus Action has been removed completely for me.

Hope this helps some...

PradyM said...

Thanks Cheng-Chih.

I used System Restore to get back to a week old snapshot of the system that got rid of the problem, but after that my IE8 was non-functional, i.e. it will load and I can see toolbars etc. but won't do anything, as if stuck in a loop. Other browsers on the machine (Safari, Firefox) worked, so I downloaded the FixIt utility from Microsoft that did fix the browser problem, but I lost some of the cookies (good) and some of the settings (not so good). Bottom line - the machine is back up and running.

Anonymous said...

I got rid of the fake anti viruses but it stopped my exe files from working now, what is the solution to this?

Anonymous said...

Had same issue as brian, fixed. Thanks a bunch

Anonymous said...

thank you so so so much good help

and easy to understand

Uroko said...

@Anonymous (November 12, 2010 5:06 AM)
After manual removal steps are taken, it is a common occurrence to receive "Open With..." errors when attempting to run programs.

The cause of this issue is that when you remove viral executables, they are sometimes referenced in the .EXE portions of the registry. And when they are removed, Windows no longer "knows" how to open them.

The Fix:
For Windows XP: http://tiny.cc/xpregfix
For Windows Vista/7: http://tiny.cc/vistaregfix

Hope this helps.
:)

Anonymous said...

Please help me, it doesn't work at all. I used the HijackThis program, but I couldn't find the files you stated or anything similar to them. I've tried rkill, HijackThis, Spyware Doctor, MBAM, basically every method there is, but it's still there! I'm desperate, please help...

Cheng-Chih Yang said...

Hi, did you try my comment on Nov 6th? Basically it's to delete the suspicious process from the "Process Explorer" (which can be downloaded from Internet). In particular, you will need to right click on that process to find out where the file is located.

DCh. said...

what if I get the msg of "'6'runtime error :overflow" whenever I run the anti-malware software? what should I do? help

Anonymous said...

I tried the safemode w/ networking technique.
I used Malwarebytes, which seemed to help and did quarantine some trojans/malwares, but when I log into normal mode, the antivirus action thing is still popping up. So then, I tried using avira, and now I'm using superantispyware. I have windows 7, and I no longer use ie, just firefox. This did happen when I opened up ie though. Please help? I'm not very good with computers..

Anonymous said...

I have been dealing w/ trying to get this malware off my computer for the last 6 hours. I have the list that HiJack This shows but don't see any files specifically with the 04 [random characters].exe A bunch of files came up (like 20) but I don't want to use the clean up button and screw anything up.... any help????

Kristi

Anonymous said...

All I did was do a System Restore to an earlier point in time.
Worked fine. Graphic properties are a little different. Performance is fine.

Anonymous said...

Thanks Anonymous 12/7/10 @ 3:04 PM. I did the same. Worked like a charm. I did have to boot in safe mode in order to allow System Restore to start.

Anonymous said...

How can it be so much fun to shut down people's computers? These people have way too much time on their hands. Maybe doing time is what they need. If I ever find a hacker I'll contact the FCC and do my part to stop these idiots! Antivirus Action WATCH OUT, you will be stopped!

Anonymous said...

OMG BEST SOLUTION EVERRRRRR... THIS IS LIKE THE THIRD TIME I USED MALWARE AND ITS THE ONLY SOLUTION DOGG!!

Anonymous said...

1st - THANKS to everyone who has posted here. My laptop was seriously messed up from this malware.

2nd - just to share my experience: the short version is that MalWare Bytes did the trick for me.

First I tried to restore to previous versions and that would fail (even from Safe Mode). Then I followed the directions here, except I already had Spyware Doctor and MS Essentials on my computer so I ran those instead of downloading them. They did NOT clear up the problem.

I then went back and followed the steps for SUPERAntivirus. That found things that had been skipped by the other two, but it did not clear up Antivirus Action when I rebooted.

Eventually, I started over and used MalWare Bytes and that did the trick for me.

Hope that helps.

I also followed the steps at bleepingcomputer.com. However when I got to #16, I saw that my hosts file had not been changed since 2008 so I discontinued their process at that point.

Good luck everybody.

Anonymous said...

First Off - Thanks so much, this fix worked perfectly for me.

Got hit by that F*&%£ing Antivirus Action yesterday and have managed to clear it off with MalwareBytes after following the instructions here.

Again - Thanks.

Anonymous said...

Thanks Dude. Why the hell do these f#ckers do this. Like I dont have anything better to do for 2 hours.

Anonymous said...

i got this malware a while back and malwarebytes got rid of it. i now have the malware AGAIN and malwarebytes is just not finding anything...

Anonymous said...

hi my computer was infected probably 2 weeks ago. i didn't have time to fix this until now. but it looks fine now. what happened? i couldn't see the antivirus action key in my registry. i'm amazed!!!!!

Anonymous said...

OK... I got the pop-up and I immediately killed it with Task Manager and it disappeared. I looked for it in the registry and in my Temp folder and it wasn't there. I also scanned with Malwarebytes in Safe Mode and it didn't find anything, so... I'm confused, did it delete itself?

Admin said...

I'm afraid it's still on your PC. Please scan your computer with Hitman Pro.