Tuesday, May 24, 2011

Antivirus Action Virus

Three heavy knocks on my bedroom door, and my dad yelled: “Something is wrong with the computer because I could not access the website this morning. Could you fix it for me?” It was six o’clock on a Friday morning and I was still in bed. Lazily, I asked him what was wrong with the computer. My dad said that he did not know, but he could not access the Internet. I asked, “Why not, what did you do?” I waited for any explanation from my dad, but outside my bedroom it was quiet. From experience, I predicted that my dad would sit in front of the computer and wait for me. I got out of bed and went downstairs to the family’s office.
As I entered the room, I heard my dad’s angry voice: “Did anyone else use the computer last night?” I realized that my prediction was correct. My dad sat on a big black chair in front of the computer, and his face was red from anger. I asked: “Ok, dad, what is wrong with your computer and why can’t you access the Internet?” With his voice raised, he replied: “There was an error and the website was not displayed.” I pulled up a small chair next to him and asked: “Did you reboot the computer this morning?” He replied: “No, why do I have to reboot it?” The computer was turned off and on again. After the computer was turned on properly, my dad clicked the Internet icon. Then an error message popped up and the Internet was disabled. A Windows Security Alert message also appeared on the computer screen, informing us that the file “notepad.exe” was infected. It also asked us if we wanted to activate our antivirus software now. Then the Antivirus Action rogue program automatically turned itself on and scanned the computer. I then decided to debug the system. Following are some pictures of Antivirus Action to help you understand the problem better.
After a few hours of debugging and online research, I understood that the error message that appeared earlier was fake. This error message was in fact aimed at scamming the user into buying the “antivirus program”, which was actually a virus. This antivirus application configures itself to start when Windows logs in, and then runs a system scan, trying to make the user believe that his computer has been compromised by lots of infected files. My dad panicked and almost fell prey to this scam. I explained to my dad how the scam worked. We later found out that this antivirus was installed through the use of Trojans that hide themselves under the name of fake system scanners or video codecs (the code required for watching a video). This “Antivirus Action Virus” spreads itself through fake antivirus websites and infected files uploaded to file-sharing networks. Installation of Antivirus Action allows it to change the system’s registry. The hacker is then able to control the infected PC as a remote host and to steal your personal details. According to “Need to Remove Antivirus Action”, an article on Spyware-Expert.com: “Antivirus Action is what is known as rogue spyware or ransomware, which means it claims to be legitimate security software but is actually spyware itself. It attempts to threaten you by bombarding you with fake security alerts and spyware scans; however, the larger threat that Antivirus Action poses is that hackers can use it to attempt to gain access to your sensitive information (like passwords, account numbers, and credit cards). Because it can log keystrokes and Internet activity and then send that information to a remote server over the Internet – which can ultimately lead to identity theft.” Once I knew what the root cause of the error message was, I followed the instructions from the article above to remove the antivirus from my dad’s computer.
The above instructions are only applicable to the Windows XP operating system, but my dad’s computer runs Windows Vista; therefore, I was only able to follow the instructions in part to remove the virus. I was able to run the McAfee security program to scan for any virus on the computer; however, the network was still not working correctly. Since the antivirus operated from the Internet, each time I tried to connect to the Internet new junk files were created. The only solution to this problem was to disconnect the computer from the Internet and reboot it. After I removed all the new junk files and registry entries that the antivirus software had created on the computer’s hard drive, I shut down the computer. I crawled under the computer table to re-connect the computer to the Internet. I turned on the computer, clicked on the Internet icon and it worked. Below are the steps I used to remove the antivirus from my dad’s computer, so that they may help you—the reader—if your computer is infected (taken from www.antivirus.com).
1. Stop the Antivirus Action process by pressing Ctrl+Alt+Del. Windows Task Manager will open. Look for the following process:
   (random characters).exe
2. Shut down the computer and unplug all the Internet wires.
3. Find and delete all files that are created by Antivirus Action. These files are located inside the software, program, antivirus, Microsoft run, and user directories.
4. Run a full system scan and clean/delete all detected infected file(s). A manual removal of virus-related files should also be performed.
5. Remove the Antivirus Action start-up entry by going to Start > Run and typing msconfig in the “Open” dialog box. The System Configuration Utility will open. Go to the Startup tab and uncheck the following Startup item(s): (random characters).exe agnz.exe
6. Delete the Antivirus Action registry entries:
   HKEY_CURRENT_USER\Software\Antivirus Action
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run “Antivirus Action”
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus Action
7. Plug all the Internet wires back in and turn on the computer.
8. Just after the initial PC startup screen and just before the “Starting Windows” screen appears, press the F8 key.
9. Use the ↑ and ↓ keys on your keyboard to navigate to the “Safe Mode with Networking” choice. Press the “Enter” key to begin the safe mode boot-up process.
10. Once your computer has booted into “Safe Mode with Networking”, open Internet Explorer. Click on “Tools” and then choose “Internet Options”.
11. Clear the box next to “Use a proxy server for your LAN”. Make sure the box next to “Automatically Detect Settings” is checked.
12. Open Internet Explorer and type www.spyware-experts.com/aa in the address bar to begin the download and installation of Spyware Doctor.
13. Install Spyware Doctor with the default options and when the install is finished, Spyware Doctor will automatically begin to scan your computer. When the scan is complete, click the “Fix Checked” button and follow the instructions to complete the removal process. I used the registered version of Spyware Doctor to complete the removal process.
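As an added example (not part of the original post or of any removal guide it cites), the following PowerShell script audits the persistence points the steps above mention: the registry keys from step 6, the Run entries from step 5, and the LAN proxy setting cleared in step 11. It only reports, it never deletes; the registry paths are the ones listed above, while the “trusted directory” pattern used to flag unknown Run entries is my own assumption.

```powershell
# Added example, not from the original post: a read-only audit of the
# persistence points the removal steps above mention. It reports hits and
# leaves deletion to the reader after each one has been verified by hand.
$findings = @()

# Registry keys the post names for Antivirus Action (step 6).
$knownKeys = @(
    'HKCU:\Software\Antivirus Action',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus Action'
)
foreach ($key in $knownKeys) {
    if (Test-Path -LiteralPath $key) { $findings += "Registry key present: $key" }
}

# Run-key values (steps 5 and 6): flag the named entry, plus any entry whose
# command line does not point into Program Files or the Windows directory.
# Assumption: a randomly named rogue .exe usually lives elsewhere (temp/user dirs).
$metaFields = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaFields -contains $p.Name) { continue }   # skip provider metadata
        $cmd = [string]$p.Value
        $trusted = $cmd -match '(?i)\\(Program Files( \(x86\))?|Windows)\\'
        if ($p.Name -eq 'Antivirus Action' -or -not $trusted) {
            $findings += "Run entry '$($p.Name)' in $key -> $cmd"
        }
    }
}

# LAN proxy setting (step 11): ProxyEnable/ProxyServer are the values behind
# the “Use a proxy server for your LAN” checkbox in Internet Options.
$ie = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($ie.ProxyEnable -eq 1) {
    $findings += "IE LAN proxy enabled, server = $($ie.ProxyServer)"
}

if ($findings.Count -eq 0) { 'No Antivirus Action indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; an unknown Run entry it flags is a candidate to look at, not proof of infection.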

If you have the Windows Vista operating system and the Antivirus Action virus on your computer, then you can apply the above steps to debug and remove the virus from your computer. The above instructions will be very useful and could save you a couple of hours trying to find a solution yourself.
