How to remove Antivirus Action on Tue Oct 12, 2010 11:40 pm
DragonMaster Jay
Site Owner

Antivirus Action removal
Welcome to the removal guide for Antivirus Action. This is to be considered a self-help guide, and the Security Team at this site does not assume responsibility for direct, indirect, or consequential damage to your computer as a result of doing the step-by-step guide below.
Antivirus Action is a new rogue antivirus program, based on the Security Suite family of rogue antivirus software. This program is installed on your computer, usually by Trojans.
Once the program is installed, it will begin displaying fake security alerts, including advice about removing viruses. Upon execution, it will scan your computer and find fake threats, and then it urges you to purchase its software in order to protect your computer and/or remove the threats.
A normal uninstall is usually not possible with rogue antivirus software, which is why these instructions must be followed exactly, in order.

Antivirus Action screenshot
List of files associated with this rogue:
This rogue plants many random files in several temporary directories in Windows. To quickly and safely delete the files associated with the rogue, follow the removal instructions below for best results.
List of Registry entries associated with this rogue:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
"ProxyServer" = "http=127.0.0.1:33921"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "agnz.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "agnz.exe"
List of HijackThis entries associated with this rogue:
O1 - Hosts: 91.212.127.220 intsecure.microsoft.com
O1 - Hosts: 91.212.127.220 intsecure-2009.com
O1 - Hosts: 91.212.127.220 www.intsecure-2009.com
O1 - Hosts: 91.212.127.220 google.com
O1 - Hosts: 91.212.127.220 www.google.com
O4 - HKCU\..\Run: [] %Temp%\ \ agnz.exe
Typical Malwarebytes' Anti-Malware log
Malwarebytes' Anti-Malware 1.46
Malwarebytes
Database version: 4797
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
11/10/2010 22:04:41
mbam-log-2010-10-11 (22-04-41).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 278451
Time elapsed: 52 minute(s), 23 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjfovxju (RogueSecurityIS) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\HMOS\Local Settings\Temp\amrsrwady\orjiavyagnz.exe (RogueSecurityIS) -> Quarantined and deleted successfully.
C:\Documents and Settings\HMOS\Local Settings\Temporary Internet Files\Content.IE5\FTY6NJPA\video[1].exe (RogueSecurityIS) -> Quarantined and deleted successfully.
C:\Documents and Settings\HMOS\Local Settings\Temporary Internet Files\Content.IE5\YVL3H4X0\video[1].exe (RogueSecurityIS) -> Quarantined and deleted successfully.
C:\Documents and Settings\HMOS\Local Settings\Application Data\syssvc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
How to remove this rogue
STEP 1 - RKill by Lawrence Abrams of Bleeping Computer
Please download and run RKill.
Download mirror 1 - Download mirror 2 - Download mirror 3
- Save it to your Desktop.
- Double click the RKill desktop icon.
- It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
- After it has run successfully, delete RKill.
Note: This tool only kills the running process of the active infection; the actual infection will not be gone. Once you reboot, the infection will be active again! Please do not reboot the computer.
Also, a popup may appear when you run RKill. RKill may shut down. Just ignore the popup and run RKill as many times as it takes to get the rogue to disappear from view.
STEP 2 - Clean rogue files
Download TFC by OldTimer to your desktop
- Please double-click TFC.exe to run it. (Note: If you are running on Vista or 7, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
STEP 3 - Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware from Download.CNET.com.
Alternate link: BleepingComputer.com.
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will leave the infection active on the computer.
STEP 4 - Fix HOSTS File
Please download HostsMan
- Unzip HostsMan and run the program.
- Select Hosts > Open Hosts with Notepad.
- Select all of the text in the window, and press Backspace or Delete.
- Enter the following line:
127.0.0.1 localhost
- Click File > Save.
- Exit Notepad.
- In HostsMan again, select Hosts > File Properties.
- Checkmark the Read-only option, click Apply, then OK.
- Close HostsMan.
- Reboot your computer for changes to take full effect.
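As an added example (not part of the original guide), a small Python check for the two artifacts this rogue leaves behind: hosts-file redirects like the HijackThis O1 entries above, and the loopback ProxyServer value from the registry list. Both sample inputs are constructed to mirror the entries listed on this page.

```python
import ipaddress

# Constructed sample hosts file mirroring the HijackThis O1 entries above.
SAMPLE_HOSTS = """127.0.0.1 localhost  # legitimate loopback line
91.212.127.220 intsecure.microsoft.com
91.212.127.220 google.com
91.212.127.220 www.google.com
::1 localhost
"""

# Constructed sample of the ProxyServer value listed under the registry entries.
SAMPLE_PROXY = "http=127.0.0.1:33921"


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:
            yield parts[0], host.lower()


def suspicious_hosts(text):
    """Entries mapping a name to a non-loopback target; a stock Windows
    hosts file only needs loopback lines, so anything else merits review."""
    flagged = []
    for ip, host in parse_hosts(text):
        try:
            if ipaddress.ip_address(ip).is_loopback:
                continue
        except ValueError:
            pass  # unparsable address: flag it for review as well
        flagged.append((ip, host))
    return flagged


def is_loopback_proxy(proxy_value):
    """True if a ProxyServer string ('proto=host:port;...' or bare 'host:port')
    routes browser traffic through a local port, as this rogue does."""
    for entry in proxy_value.split(";"):
        host, sep, port = entry.split("=", 1)[-1].strip().rpartition(":")
        if not sep or not port.isdigit():
            continue
        try:
            if ipaddress.ip_address(host).is_loopback:
                return True
        except ValueError:
            continue  # a hostname, not an IP literal
    return False
```

On a live machine, feed `suspicious_hosts` the contents of `%SystemRoot%\System32\drivers\etc\hosts` and `is_loopback_proxy` the ProxyServer value read from the Internet Settings key; a clean system returns an empty list and False.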
STEP 5 - Infection gone?
Check to see if the infection is gone.
If the infection is not gone, then please do the following:
- Read and follow the steps in this topic.
- Then, post a new topic containing those logs in this section.
If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.
..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner