(Thanks to rogueamp)
Antivirus Action is from the same family as Antivirus IS and Security Suite and Antivirus Scan. Once installed, it will pretend to scan your computer for malware and display fake security warnings. The bad news is that AntivirusAction will block nearly all programs on your computer. When I attempted to start Windows calculator, the rogue program terminated it and displayed the following message:
Security Warning
Application cannot be executed. The file calc.exe is infected. Do you want to activate your antivirus software now.
It displays the same fake alert for all the other programs on your computer. It blocks such Windows system tools as Task manager or Registry editor or even system restore. And, of course it block anti-virus and anti-spyware programs. But don't worry, it's a false message, your programs are not infected. Antivirus Action just wants to scare you into thinking that your computer has security problem so that you will then purchase the program.
What is more, this bogus program will set up a local proxy server on your computer to reroute Internet traffic. It will display a false message about malicious websites that contain exploits that could launch malicious code on your computer. The fake message reads:
Internet Explorer warning - visiting this site may harm your computer! Most likely causes:It will display other fake Windows security alerts and notifications about critical infections too. In order to remove Antivirus Action you will probably have to reboot your computer in safe mode with networking and scan your computer with Malwarebytes Anti-malware, SUPERAntispyware or some other free anti-malware programs. Full details on how to reboot your computer in safe mode with networking and remove this malware from your computer are given below. Please note, that in some cases Antivirus Action comes bundled with TDSS rootkit. You should scan your computer with TDSSKiller utility after you remove the rogue program. For more information please read TDSS, Alureon, Tidserv, TDL3 removal instructions. Last, but not least, this rogue may infect system restore points, so it would be a good idea to purge all old system restore points and create a new one after you remove Antivirus Action.
The website contains exploits that can launch a malicious code on your computer
Suspicious network activity detected
There might be an active spyware running on your computer
It goes without saying that you shouldn't purchase this rogue programs. It gives a false sense of security and deliberately reports false system security threats. However, if you have already bought it then please contact your credit card company and dispute the charges while explaining that the program is fake. If you have any questions or additional information about Antivirus Action, please leave a comment. You should warn all your friends about this rogue programs as well. Good luck and be safe online!
Antivirus Action removal instructions (in Safe Mode with Networking):
1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm
NOTE: Login as the same user you were previously logged in with in the normal Windows mode.
2. Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as Auto Infoistrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.
Antivirus Action removal instructions using HijackThis (in Normal mode):
1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.
2. Search for such entry in the scan results:
O4 - HKCU\..\Run: [wzdporfhs] %Temp%\hxhdkesjd\qorhkvbyhsn.exe
The process name will be different in your case [SET OF RANDOM CHARACTERS]yhsn.exe, located in:
C:\Documents and Settings\[User Name]\Local Settings\Temp\ for Windows XP
C:\Users\[User Name]\AppData\Local\Temp\ for Windows Vista & 7
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.
OR you may download Process Explorer and end Antivirus Action process:
- [SET OF RANDOM CHARACTERS]yhsn.exe
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as Auto Infoistrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.
Antivirus Action associated files and registry values:
Files:
For Windows XP users:
- C:\Documents and Settings\[User Name]\Local Settings\Temp\[SET OF RANDOM CHARACTERS]
- C:\Documents and Settings\[User Name]\Local Settings\Temp\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]yhsn.exe
- C:\Users\[User Name]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS]
- C:\Users\[User Name]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS]yhsn.exe
- HKEY_CURRENT_USER\Software\[SET OF RANDOM CHARACTERS]
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:33921"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]yhsn.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]yhsn.exe"
No comments:
Post a Comment