Thursday, October 7, 2010

How to remove Antivirus Action malware (Uninstall Guide)

Antivirus Action is a rogue security program which pretends to be legitimate anti-virus software with the goal of deceiving users into paying registration fees to remove malware from their computers. It's a ripoff rogue which claims that your computer is infected with spyware, adware, Trojans and other malicious software. Antivirus Action reports predetermined infections, it doesn't even scan your computer. This rogue program is distributed through the use of fake online anti-malware scanners, infected web pages and other malware. Usually, it masquerades as a video codec of flash player update. It can come bundled with other malicious software as well. The thieves also use social engineering, spamming and other misleading methods to promote their bogus software. If your computer is infected with this rogue program then please follow the removal instructions below to remove Antivirus Action and associated malware from your computer for free using legitimate anti-malware software.




(Thanks to rogueamp)

Antivirus Action is from the same family as Antivirus IS and Security Suite and Antivirus Scan. Once installed, it will pretend to scan your computer for malware and display fake security warnings. The bad news is that AntivirusAction will block nearly all programs on your computer. When I attempted to start Windows calculator, the rogue program terminated it and displayed the following message:
Security Warning
Application cannot be executed. The file calc.exe is infected. Do you want to activate your antivirus software now.


It displays the same fake alert for all the other programs on your computer. It blocks such Windows system tools as Task manager or Registry editor or even system restore. And, of course it block anti-virus and anti-spyware programs. But don't worry, it's a false message, your programs are not infected. Antivirus Action just wants to scare you into thinking that your computer has security problem so that you will then purchase the program.

What is more, this bogus program will set up a local proxy server on your computer to reroute Internet traffic. It will display a false message about malicious websites that contain exploits that could launch malicious code on your computer. The fake message reads:
Internet Explorer warning - visiting this site may harm your computer! Most likely causes:
The website contains exploits that can launch a malicious code on your computer
Suspicious network activity detected
There might be an active spyware running on your computer
It will display other fake Windows security alerts and notifications about critical infections too. In order to remove Antivirus Action you will probably have to reboot your computer in safe mode with networking and scan your computer with Malwarebytes Anti-malware, SUPERAntispyware or some other free anti-malware programs. Full details on how to reboot your computer in safe mode with networking and remove this malware from your computer are given below. Please note, that in some cases Antivirus Action comes bundled with TDSS rootkit. You should scan your computer with TDSSKiller utility after you remove the rogue program. For more information please read TDSS, Alureon, Tidserv, TDL3 removal instructions. Last, but not least, this rogue may infect system restore points, so it would be a good idea to purge all old system restore points and create a new one after you remove Antivirus Action.

It goes without saying that you shouldn't purchase this rogue programs. It gives a false sense of security and deliberately reports false system security threats. However, if you have already bought it then please contact your credit card company and dispute the charges while explaining that the program is fake. If you have any questions or additional information about Antivirus Action, please leave a comment. You should warn all your friends about this rogue programs as well. Good luck and be safe online!


Antivirus Action removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.



3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as Auto Infoistrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Antivirus Action removal instructions using HijackThis (in Normal mode):

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results:
O4 - HKCU\..\Run: [wzdporfhs] %Temp%\hxhdkesjd\qorhkvbyhsn.exe

The process name will be different in your case [SET OF RANDOM CHARACTERS]yhsn.exe, located in:
C:\Documents and Settings\[User Name]\Local Settings\Temp\ for Windows XP
C:\Users\[User Name]\AppData\Local\Temp\ for Windows Vista & 7
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

OR you may download Process Explorer and end Antivirus Action process:
  • [SET OF RANDOM CHARACTERS]yhsn.exe
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as Auto Infoistrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Antivirus Action associated files and registry values:

Files:

For Windows XP users:
  • C:\Documents and Settings\[User Name]\Local Settings\Temp\[SET OF RANDOM CHARACTERS]
  • C:\Documents and Settings\[User Name]\Local Settings\Temp\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]yhsn.exe
For Windows Vista & 7 users:
  • C:\Users\[User Name]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS]
  • C:\Users\[User Name]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]yhsn.exe
Registry values:
  • HKEY_CURRENT_USER\Software\[SET OF RANDOM CHARACTERS]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:33921"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]yhsn.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]yhsn.exe"
Share this information with other people:

No comments:

Post a Comment