Antivirus Action is a new rogue antispyware program from the same family of malware as Antivirus IS. The program is distributed with the help of trojans. When the trojan is started, it will download and install Antivirus Action onto your computer and configure it to run automatically when you logon to Windows.
When Antivirus Action is installed, it will imitate a system scan and detect a lot of various infections that will not be fixed unless you first purchase the program. Important to know, all of these reported infections are fake and don’t actually exist on your computer! So you can safely ignore the scan results that Antivirus Action gives you.
While Antivirus Action is running, it will block the ability to run any programs as a method to scare you into thinking that your computer is infected with malware. The following warning will be shown when you try to run the Notepad:
Application cannot be executed. The file notepad.exe is infected.
Do you want to activate your antivirus software now.
What is more, the rogue will flood your computer with warnings and fake security alerts. Some of the alerts:
Windows Security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.
INFILTRATION ALERT
Your computer is being attacked by a Internet
Virus. It could be a password stealing attack, a
trojan – dropper or similar.DETAILS
Threat: Win32/Nuqel.E
Do you want to block this attack?
Last but not least, Antivirus Action will hijack Internet Explorer so that it will randomly show a warning page which states:
Internet Explorer Warning – visiting this web site may harm your computer!
Most likely causes:
The website contains exploits that can launch a malicious code on your computer
Suspicious network activity detected
There might be an active spyware running on your computerWhat you can try:
– Purchase Antivirus System PRO for secure Internet surfing (Recommended).
– Check your computer for viruses and malware.
– More information
Of course, all of these above warnings and alerts nothing more but a scam and like false scan results should be ignored!
As you can see, Antivirus Action is a scam that designed with one purpose to trick you into purchasing so-called full version of the program. Do not be fooled into buying the software! Instead of doing so, follow the removal guide below in order to remove Antivirus Action and any associated malware from your computer for free.
Symptoms in a HijackThis Log
O4 – HKCU\..\Run: [{RANDOM}] %Temp%\{RANDOM}\{RANDOM}agnz.exe
Automatic removal instructions for Antivirus Action
Step 1. Reboot your computer in Safe mode with networking
Restart your computer.
After hearing your computer beep once during startup, start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.
Instead of Windows loading as normal, Windows Advanced Options menu appears similar to the one below.
Windows Advanced Options menu
When the Windows Advanced Options menu appears, select Safe mode with networking and then press ENTER.
Step 2. Reset Internet Explorer Proxy options
Run Internet Explorer, Click Tools -> Internet Options as as shown in the screen below.
Internet Explorer – Tools menu
You will see window similar to the one below.
Internet Explorer – Internet options
Select Connections Tab and click to Lan Settings button. You will see an image similar as shown below.
Internet Explorer – Lan settings
Uncheck “Use a proxy server” box. Click OK to close Lan Settings and Click OK to close Internet Explorer settings.
Step 3. Stop Antivirus Action from running
Download HijackThis from here. Run it and click Scan button. Look for lines that looks like:
O4 – HKLM\..\Run: [audpdogk] c:\docume~1\user\locals~1\temp\akotrowvc\bcgcihiagnz.exe
O4 – HKCU\..\Run: [audpdogk] c:\docume~1\user\locals~1\temp\akotrowvc\bcgcihiagnz.exe
Note: list of infected items may be different, but all of them have “agnz.exe” string in a right side and “O4″ in a left side.
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
Step 4. Remove Antivirus Action associated malware
Download MalwareBytes Anti-malware (MBAM). Close all programs and Windows on your computer.
Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan, it will start scanning your computer. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar as shown below. Note: list of infected items may be different than what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure all entries have a checkmark at their far left and click “Remove Selected” button to remove Antivirus Action. MalwareBytes Anti-malware will now remove all of associated Antivirus Action files and registry keys and add them to the programs’ quarantine. When MalwareBytes Anti-malware has finished removing the infection, a log will open in Notepad and you may be prompted to Restart.
Antivirus Action removal notes
Note 1: if you can not download, install, run or update Malwarebytes Anti-malware, then follow the steps: Malwarebytes won`t install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: your current antispyware and antivirus software let the infection through ? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Antivirus Action creates the following files and folders
%Temp%\{RANDOM}\
%Temp%\{RANDOM}\{RANDOM}agnz.exe
Antivirus Action creates the following registry keys and values
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter | “Enabled” = “0”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “ProxyOverride” = “”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “ProxyServer” = “http=127.0.0.1:30215”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “ProxyEnable” = “1”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | {RANDOM}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {RANDOM}
amy, skip step 3.
Patrik, yes I have done te 2nd step.
Correction of email: xxrachiexx33 AT gmail.com
Btw I’m on my laptop and trying to do these on my computer since I cannot get onto my internet. So I cant actually click here In step 3.
Rachelle, what shows your browser when you trying to open any site ?
Well , when I use Safe Mode With Networking I have no internet access for some reason. I have fine internet. When I try using it the normal way , It shows ” Internet cannot Access. This website may be infected! ” everytime I open up the internet
Rachelle, reboot your PC in Safe mode with networking. It will stop the rogue from running. Next go to step 2. When you done it, don`t reboot your computer and go to next 4.
Thanks for your work! Really appreciated!
I TRIED EVERYTHING AND NOTHING HAS WORKED! PLEASE HELP ME!
“HELP!”, ask for help in our Spyware removal forum.
I recieved antivirus action on nov 3. used rkill and malwarebytes and got rid of it. today on the 9th it returns. however this time rkill and malwarebytes can’t locate anything. My system also won’t let me restore because i never created a restore point. did i overlook something last time? i dont know why im getting this or how to get rid of it. Please help.
I can’t find the files, also malwarebytes shows up with nothing. :S
i didnt find any agnz.exe files so i skipped it and went to the step 4 it found 6 i removed them then restarted but then it was still there help plz D:
BradS and Anthony, probably your computer is infected with a new/updated version of the rogue. Please start a new topic in our Spyware removal forum. I will help you to remove this malware.
Oh,how relieved and excited I am!!!! I finally found a site that addressed my exact problem, and walked me through lines and lines of computer codes that I can’t comprehend, and I didnot feel lost. You saved me $100 easy!Now I will upgrade both computers and pass on the word to my family members who have computers. It was exhilerating to do this myself, a 40 year old mom!
THANKYOU SO MUCH! 😀
Thank you so much!! I feel so empowered after getting rid of this nasty thing. I ended up using rkill to get all back to normal, but thank you so much!!
Hello again, sorry i was unresponsive last week. Please email me instead if you can,I am more active on email than this website,Thanks! (:
After an excruciating night trying everything that other websites recommend, yours was the only one that provided information that worked. The problem with most websites is that they ask you to download their scanning software in order to remove the malware, but the malware prevents the user from accessing the Internet. I don’t know why the other websites are that stupid. What finally worked was the information below:
Antivirus Action creates the following registry keys and values
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter | “Enabled” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “ProxyOverride” = “”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “ProxyServer” = “http=127.0.0.1:30215″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “ProxyEnable” = “1″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | {RANDOM}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {RANDOM}
I didn’t find all of the above keys and values, but enough so that I could access the Internet and then run scanning software.
thank you so much!!!!!!!!! you really did saved me … awesome!!!!
Hijack doesn’t show me any files ending in agnz. But what if the entire file name is a mix of letters that is completely unrecognizable. Should I remove it?
I have no internet access while I’m in safe mode with networking.
Ah I believe it’s off my computer some how? But thanks for the help anyways Pat.
Confused, reboot your PC in Safe mode with networking.
Antivirus Action stores its files in Temp folder. Try clean it. Download ATF Cleaner by Atribune from here, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Download Malwarebytes and perform a scan.
I just want to say, when I find the fuck who wrote this virus, I’m going to take him and his girlfriend outside, then force the bitch to watch me kerb-stomp him. Then she’ll blow me.
Rachelle, please start a new topic in our Spyware removal forum.
Worked, thank you so much.. you saved my life !!!
This thing’s been updated… it’s called twswbla bla bla something now :/. And would Ccleaner work instead of the ATF? And im pretty sure the random letters = antivirus action..
oh one more thing. No internet access but I was able to get on skype. on safe mode and normal. if you’re trying to boot normal press ctrl+alt_dlt asap and try to find a matrix of random letters and end task that thing….
Thanks for the instructions.
I couldn´t find the files by HijackThis – but MalWareBytes was the key …! Thanks!
Chris, boot in Safe mode with networking, reset proxy settings, download and scan with malwarebytes.