Antivirus Action is a new rogue antispyware program from the same family of malware as Antivirus IS. The program is distributed with the help of trojans. When the trojan is started, it will download and install Antivirus Action onto your computer and configure it to run automatically when you log on to Windows.
When Antivirus Action is installed, it will imitate a system scan and report numerous infections that it will not fix unless you first purchase the program. It is important to know that all of these reported infections are fake and don’t actually exist on your computer! So you can safely ignore the scan results that Antivirus Action gives you.
While Antivirus Action is running, it will block the ability to run any programs as a method to scare you into thinking that your computer is infected with malware. The following warning will be shown when you try to run Notepad:
Application cannot be executed. The file notepad.exe is infected.
Do you want to activate your antivirus software now.
What is more, the rogue will flood your computer with warnings and fake security alerts. Some of the alerts:
Windows Security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.
INFILTRATION ALERT
Your computer is being attacked by a Internet
Virus. It could be a password stealing attack, a
trojan – dropper or similar.
DETAILS
Threat: Win32/Nuqel.E
Do you want to block this attack?
Last but not least, Antivirus Action will hijack Internet Explorer so that it will randomly show a warning page which states:
Internet Explorer Warning – visiting this web site may harm your computer!
Most likely causes:
The website contains exploits that can launch a malicious code on your computer
Suspicious network activity detected
There might be an active spyware running on your computer
What you can try:
– Purchase Antivirus System PRO for secure Internet surfing (Recommended).
– Check your computer for viruses and malware.
– More information
Of course, all of the above warnings and alerts are nothing more than a scam and, like the false scan results, should be ignored!
As you can see, Antivirus Action is a scam that is designed with one purpose: to trick you into purchasing the so-called full version of the program. Do not be fooled into buying the software! Instead of doing so, follow the removal guide below in order to remove Antivirus Action and any associated malware from your computer for free.
Symptoms in a HijackThis Log
O4 – HKCU\..\Run: [{RANDOM}] %Temp%\{RANDOM}\{RANDOM}agnz.exe
Automatic removal instructions for Antivirus Action
Step 1. Reboot your computer in Safe mode with networking
Restart your computer.
After hearing your computer beep once during startup, start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.
Instead of Windows loading as normal, the Windows Advanced Options menu appears, similar to the one below.
Windows Advanced Options menu
When the Windows Advanced Options menu appears, select Safe mode with networking and then press ENTER.
Step 2. Reset Internet Explorer Proxy options
Run Internet Explorer and click Tools -> Internet Options, as shown in the screen below.
Internet Explorer – Tools menu
You will see a window similar to the one below.
Internet Explorer – Internet options
Select the Connections tab and click the Lan Settings button. You will see a window similar to the one shown below.
Internet Explorer – Lan settings
Uncheck the “Use a proxy server” box. Click OK to close Lan Settings and click OK to close the Internet Explorer settings.
Step 3. Stop Antivirus Action from running
Download HijackThis from here. Run it and click the Scan button. Look for lines that look like:
O4 – HKLM\..\Run: [audpdogk] c:\docume~1\user\locals~1\temp\akotrowvc\bcgcihiagnz.exe
O4 – HKCU\..\Run: [audpdogk] c:\docume~1\user\locals~1\temp\akotrowvc\bcgcihiagnz.exe
Note: the list of infected items may be different, but all of them have the “agnz.exe” string on the right side and “O4” on the left side.
Place a checkmark against each of them. Once you have selected all entries, close all running programs, then click once on the “fix checked” button. Close HijackThis.
Step 4. Remove Antivirus Action associated malware
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan. The program will start scanning your computer. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure all entries have a checkmark at their far left and click the “Remove Selected” button to remove Antivirus Action. MalwareBytes Anti-malware will now remove all of the associated Antivirus Action files and registry keys and add them to the program’s quarantine. When MalwareBytes Anti-malware has finished removing the infection, a log will open in Notepad and you may be prompted to Restart.
Antivirus Action removal notes
Note 1: if you cannot download, install, run or update Malwarebytes Anti-malware, then follow the steps: Malwarebytes won’t install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: did your current antispyware and antivirus software let the infection through? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Antivirus Action creates the following files and folders
%Temp%\{RANDOM}\
%Temp%\{RANDOM}\{RANDOM}agnz.exe
Antivirus Action creates the following registry keys and values
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter | “Enabled” = “0”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “ProxyOverride” = “”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “ProxyServer” = “http=127.0.0.1:30215”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “ProxyEnable” = “1”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | {RANDOM}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {RANDOM}
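The checks from Step 2, Step 3 and the registry list above, written out as an added example that is not part of the original guide: it scans HijackThis log text for O4 Run entries that start an .exe from a folder under Temp and tests whether the Internet Settings values enable a proxy on the local machine. It matches any file name ending, which goes beyond the “agnz.exe” string in the guide, because a commenter below reports “tsbl.exe” instead. The sample log and settings are constructed, and the names ExampleUpdater, qwertyui, xkcdabc and hjkltsbl.exe are made up for illustration.

```python
import re

# HijackThis O4 autorun line; the page's typographic dash is accepted as well as "-".
O4_RUN = re.compile(
    r"^O4\s*[-\u2013]\s*(HKLM|HKCU)\\\.\.\\Run:\s*\[([^\]]*)\]\s*(.+)$", re.I)
# An .exe one folder below a Temp directory, whatever its name ends with.
TEMP_EXE = re.compile(r"(?:^|\\)(?:%temp%|temp)\\[^\\]+\\[^\\]+\.exe$", re.I)
# ProxyServer data that points the browser at the local machine.
LOOPBACK = re.compile(r"(?:^|=)(?:127\.\d+\.\d+\.\d+|localhost):\d+", re.I)


def suspicious_autoruns(log_text):
    """Return (hive, value name, path) for Run entries that start an .exe from Temp."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        path = m.group(3).strip().strip('"')
        if TEMP_EXE.search(path):
            hits.append((m.group(1).upper(), m.group(2), path))
    return hits


def proxy_hijacked(settings):
    """True when Internet Settings enable a proxy that listens on loopback."""
    enabled = str(settings.get("ProxyEnable", "0")) == "1"
    return enabled and bool(LOOPBACK.search(str(settings.get("ProxyServer", ""))))


# Constructed sample: two entries in the form the guide shows, one benign entry
# (made-up name), and one with the "tsbl.exe" ending a commenter reported.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [audpdogk] c:\docume~1\user\locals~1\temp\akotrowvc\bcgcihiagnz.exe
O4 - HKCU\..\Run: [audpdogk] c:\docume~1\user\locals~1\temp\akotrowvc\bcgcihiagnz.exe
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe"
O4 - HKCU\..\Run: [qwertyui] c:\docume~1\user\locals~1\temp\xkcdabc\hjkltsbl.exe
"""
# Constructed from the registry values listed in the guide.
SAMPLE_SETTINGS = {"ProxyEnable": "1", "ProxyServer": "http=127.0.0.1:30215"}

if __name__ == "__main__":
    for hive, name, path in suspicious_autoruns(SAMPLE_LOG):
        print(f"{hive} Run [{name}] -> {path}")
    print("proxy hijacked:", proxy_hijacked(SAMPLE_SETTINGS))
```

A hit is a line to review in HijackThis before using “fix checked”, since legitimate installers occasionally register autoruns from Temp as well.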
I cannot find these strings when running the scan to uninstall antivirus action.
O4 – HKLM\..\Run: [audpdogk] c:\docume~1\user\locals~1\temp\akotrowvc\bcgcihiagnz.exe
O4 – HKCU\..\Run: [audpdogk] c:\docume~1\user\locals~1\temp\akotrowvc\bcgcihiagnz.exe
I tried downloading the malwarebytes and it was not successful either.
I’ve just removed ‘antivirus action’ using this guide and others comments. I couldn’t find the agnz.exe file using hijack so I cleaned out temp files using ATF Cleaner as Patrick recommended. Then I downloaded the Malwarebytes and performed the scan which found infected files which I then removed. My computer is now working fine with no sign of the antivirus action so far. It also helped that I had a second computer to do the downloads as I couldn’t get my infected computer to connect to internet while in safe mode. Thanks heaps for this great guide and for saving me dollars!
You’re the number 1. Thank you very much for all instruction. You save my hair. I was pulling off my hairs. But I am going to uninstall Malwarebytes Anti-Malware. Don’t know yet would that be a problem. Thanks again.
rob, ask for help in our Spyware removal forum.
Omg Finally i was able to get rid of this stupid virus.
thanxxxxxxxxxxxxxxx so much <3 <3
I love you, u saved my laptop 🙂 Thanks x1000000 times
Found your site the best to work with on this. Followed the instructions above (fortunately I could get internet access in safe mode) and seems to be clean. Couldn’t see any desktop icons though, then found that in right click arrange icons by…show desktop icons was unchecked. Checked it, seems fine now. Is anything else needed?
Thanks – meltdown.
OMG!! thanks a million…i was starting to freak out because i have finals in two weeks.
the ATF cleaner and malwarebyte worked for me! thanks again for providing free help online. at first, i was skeptical and thought maybe your advice was leading me to another virus. but, it worked!! you are awesome. truly!
Have Antivirus Action on Vista. Active in Safe Mode with NW’g. Please advise.
Very easy to follow instructions, back up and running in less than an hour, thanks a bundle.
Thank you so much for all help. I too couldn’t locate the exact file names listed above, but I simply skipped this step. Once I was done, so was this #$#@$ virus…
It looks like they’ve altered this beast. In Hijackthis, I didn’t have any …agnz.exe. Instead the files were ….tsbl.exe. If you find them, kill them. Then do the LAN setting step above.
I apologize, I’m a little confused. what am I supposed to do with those registry keys? delete them? or change the values?
Finally this damn virus is off my computer! I tried a couple of sites before I came to this one but this is the only thing that worked! Thanks so much guys!
Ah! Thank you so much guys! I never would have known what to do if I hadn’t found your website. You guys freakin rock! Thanks so much.
Thank you to Shift fork for pointing out that the files are now .tsbl.exe!!!!
Oh god, finally it’s over. It was 3AM & I can’t sleep so I made up my mind to fight this virus. I worked through my PS3 to laptop, about 30 minutes & it’s done. Thank you :’]
Thanks so much for this worked like a charm! oh might i add a wish for whomever invented this little gem…I wish you painful ass cancer you puke!
thanks
Jimmy
Thank you so much! Excellent guide!
Well, I’m on the third step, and I couldn’t find any agnz.exe or tsbl.exe. Can anyone help me? I tried skipping step 3 but it was still there. CAN SOMEONE PLEASE HELP?
it worked. you are a legend!
Hi there, first off thank you for this page, it has got me 90% of the way there, and I appreciate it. Antivirus Action is definitely gone now, thank goodness.
One problem – I’ve followed all of the steps above, all the way through replacing the HOSTS file – however my computer still does not access the internet. Both IE and Safari return messages stating that there is no internet connection.
I can see that I’m still picking up my wireless signal, like always, so I’m thinking that something additional needs to be done to get me the rest of the way there. Several reboots didn’t help, of course.
Would appreciate any input you have. Thanks.
I went through the Steps. I have two problems:
1) I am still getting a window telling me it’s blocking: csrss.exc.
-I’ve already deleted it
2) And when the internet loads, there is no image.
Connection good, read diff urls, just white background.
This worked perfectly. Thank you!
Could not figure out which files were affected with Hijack this, but downloaded Malware and scanned. Mischief managed.
This wonderful site saved not only my computer, but my room mate’s life that ventured onto P*rno.com and put this annoying thing on my computer.
Thank you sooooooooo much! I was going insane with this! 🙂
Hi, look for lines that have the “\temp\” string in the center and {set of random characters} on the right.
George, check proxy settings once again. Also, have you tried to ping any site?
Patrik I was unable to locate any of the agnz.exe files. Should I skip and proceed through?
Hey, after I choose safe mode with networking, another option appears before the computer finishes loading from restarting.
I can’t get from step 1 to step 2 because of this extra option.