Please help - virus attack


G_STRING
5th Nov 2010, 21:29
If anyone can help, please...

Was working on computer today, when suddenly the screen flashed up with a virus detection. Software called 'Antivirus Action' then installed itself in the windows startbar, and told me the computer was infected, and started to scan it.

After supposedly identifying threats, it informed me that I would need to purchase the full software to disable them.

I now can't use my own antivirus software - AVG, nor can I use any application on the computer. If I try, a message pops up telling me the computer is infected.
(Windows security alerts, that prompts me to activate this software)

It appears that the culprit is the Antivirus Action software. Until I purchase it, my machine is completely disabled. The company is American, but has a British address - Great Marlbourgh Street, London SE 12TU.

I don't want to purchase this software, as I think it may be a con to get bank details, etc..

I'm not brilliant on computers - Please can anybody help, is there a way to get this off my system??? If I try, it just blocks me, and my whole life is on my laptop.

(using a friends laptop to post this thread)

Shunter
5th Nov 2010, 21:35
Download MalwareBytes, save it on a USB stick then boot your machine into safe mode and run it.

P.Pilcher
5th Nov 2010, 22:01
I have suffered a similar infection recently and I managed to fix it by booting into safe mode (press F8 repeatedly during the boot up cycle before the windoze loading display occurs) and then running system restore.
I must admit that I was doing it with a grin on my face as I had just replaced the computer (a laptop) hard disk and had the image of the entire disc on another machine, hence if all else failed it would be a matter of a quick reformat and then rebuilding the hard drive - a two hour job of waiting while my other computer did the business.

P.P.

green granite
5th Nov 2010, 22:29
Look at this site, it should help you to remove it: Remove Antivirus Action (Uninstall Guide) (http://www.bleepingcomputer.com/virus-removal/remove-antivirus-action)

Avtrician
6th Nov 2010, 00:07
And next time you see a warning page like that, shut it down as fast as you can. Don't click on any buttons.

green granite
6th Nov 2010, 07:54
And then report the company to trading standards/police for distributing a virus.

M.Mouse
6th Nov 2010, 10:24
Start with this guide (http://forums.majorgeeks.com/showthread.php?t=35407) and follow the instructions to the letter.

If you fail to solve the issue running the software in sequence and according to the detailed instructions (including how to get around the virus blocking certain removal programs) then follow the instructions for seeking help. The site has a number of trained volunteers who will help you resolve the problem.

In my (considerable) experience running the software suggested, in the way suggested and in the sequence suggested has always solved the problem I have been dealing with.

It is all free.

Blues&twos
6th Nov 2010, 11:31
The "Windows System restore from safe mode" followed by downloading MalwareBytes (MBAM) and running it (don't forget to update the MBAM virus databasey-description thing first) sorted out a very similar problem on my daughter's laptop recently.

I went back a good long way for a restore date to be as sure as I could be that I wasn't restoring to a date when the infection was already present....

mixture
6th Nov 2010, 14:42
And then report the company to trading standards/police for distributing a virus.

Not much point if it's not within their jurisdiction.

BOAC
6th Nov 2010, 15:32
Agreed - but it is like wetting your nappy - you DO get a nice warm feeling for a few moments.:)

G_STRING
6th Nov 2010, 15:33
Guys / Girls

Thanks ever so much for all the information - I've now got various things to try to hopefully reclaim my computer.

Cheers

green granite
6th Nov 2010, 16:18
Not much point if it's not within their jurisdiction.


The company is American, but has a British address - Great Marlbourgh Street, London SE 12TU.

A2QFI
6th Nov 2010, 17:09
Sorry - dim question. How does this nasty get past one's existing anti virus software? OP mentions AVG and I have Zone Alarm extreme, how does it get past these? Not updated regularly perhaps?

P.Pilcher
6th Nov 2010, 17:17
Ah Ha! I think that that is the one that caught me - if it is then system restore from safe mode will fix it, followed, as suggested above by running an updated version of Malwarebytes. I have also found that Superantispyware, another free virus/malware search tool seems to find things that Malware bytes doesn't and vice versa. www.SUPERAntispyware.com (http://www.SUPERAntispyware.com).

P.P.

M.Mouse
6th Nov 2010, 17:29
How does this nasty get past one's existing anti virus software?

Because most AV software is very good at slowing your system down but often misses some virii. No AV software will catch everything despite the writer's extravagant claims.

AVG is free but clunky in later editions. Avast! is free and as effective as any without a large overhead.

Zone Alarm is almost a complete waste of time especially if you are behind a router.

Malwarebytes is a good program but all the people here extolling its virtues are omitting the fact that it will not necessarily rid you of ALL malicious software. Hence my link to Majorgeeks and the step by step procedures you need to go through to be certain to find everything causing problems or lurking unseen.

papa juliet
7th Nov 2010, 03:00
I had a virus very similar pop up a little while ago. It disabled AVG, Malwarebytes and generally was a bl**dy pest.
I contacted my local computer genius and even he couldn't get rid of it so I googled it and found pages of info, all of it very technical and not at all simple.
Having nothing else to do I started reading the prophets of doom and considered a complete re-install until one short reply caught my eye, it follows:

If the icon appears on the task bar right click properties, highlight the address and write it down, make sure you get it all.
Shut down and restart in safe mode and then search for the address, lo and behold it came up with a prefix that prevented me from finding it before.
DELETE THE B*****rd and then restart
As you can tell I am not an expert but it worked, felt really smug.
Hope it works for you.
PJ

Tolsti
7th Nov 2010, 07:23
It sounds very similar to this one I saw on Click on the BBC yesterday


BBC News - How to avoid the fake security tool scam (http://news.bbc.co.uk/2/hi/programmes/click_online/9161218.stm)

IO540
7th Nov 2010, 08:02
I realise this won't help in this case, but I have built or configured countless PCs and laptops for friends etc over the years, and since most of these were not computer-literate people many of them eventually got infected with various stuff.

In particular any PC used by a child is likely to have a useful life measured in months if not weeks :)

Obviously you cannot get infected if behind a NAT router (as most people are) but infections come to you by email or from infected websites. AV software (esp. Kaspersky) catches most of them but not all, and once infected most infections cannot be cleaned by any software (because they have damaged windoze files, etc).

So in most cases the infections are simply too complicated to remove. You might find it and apparently remove it, but it has done damage and the PC doesn't work properly.

On top of the infection itself, the user has often trashed the machine by doing something silly.

The only way to deal with this stuff is to install (in my case; there are other similar tools) Trueimage before the delivery of the machine, make a boot CD and store that somewhere (I used to give it to the "customer" but they tend to lose them) and then do a full image backup of the HD. This often fits onto a DVD (dual layer perhaps; 9GB) but in some cases I just store the image on a 2TB network drive.

Then when the customer comes back asking for help to clean out a trashed machine (which IME is guaranteed to happen within 1-2 years) I just copy off what data one can copy off (e.g. jpegs, docs, etc) to a DVD, and restore the image. This is what computer shops used to do and it is all they can do.

EDDNHopper
7th Nov 2010, 08:13
DELETE THE B*****rd and then restart

Unfortunately, deleting will not be sufficient in most cases. In fact, merely deleting can make matters a lot worse. During the infection process, code is written into the registry, inconspicuous files will be infected etc. (and because the virus will thus bury itself deeper and deeper into your system it becomes harder to detect), and the culprit may reproduce itself and reactivate. :(

One anti-virus tool is never enough. In addition to Malwarebytes, you should try Hijackthis (e.g. HijackThis Logfileauswertung (http://www.hijackthis.de/en)).

Also make use of CCleaner on a regular basis.

M.Mouse
7th Nov 2010, 08:15
I contacted my local computer genius and even he couldn't get rid of it

With respect he is not particularly competent in that case. PCs have been a hobby for the past twenty years. I have become quite well known for restoring systems corrupted by malware. I have never been beaten by a virus. It is sometimes quite time consuming and tricky to remove the difficult ones but not, in my experience, impossible.

I disagree with IO540's generalisation that the only way to effectively resolve issues is to reinstall a disk image. That is what professionals do because a) it is simple and b) they cannot spend the time doing otherwise.

What I find is that I spend far longer than a paid technician could reasonably charge for. I do not charge and I do it purely for the fun of it.

Others on this thread are suggesting try this and try that. I am talking from experience when I say use the MajorGeeks Malware removal guide because I can virtually guarantee that you will methodically, thoroughly and permanently remove the malware that is causing the problem. The guide has not been written in a random fashion nor the procedures guessed at. It has been written from experience and works. It is all free.

BOAC
7th Nov 2010, 08:36
I will chuck in my oft-posted suggestion too that a boot-time AV scan is an excellent weapon in the armoury. Avast offers such. This scans your system BEFORE Windows activates (which is where a large number of viruses etc lurk). It finds those that 'hide' themselves in Windows.

Gertrude the Wombat
7th Nov 2010, 09:23
In particular any PC used by a child is likely to have a useful life measured in months if not weeks
For anyone who hasn't already seen it several times, my solution to this one was as follows.

The first time a child got a nasty I pulled their network connection until such time as I had time to clean up their PC. So, no internet for a week. I explained that each time this happened it would take me twice as long to get round to dealing with it. Some child downloaded and installed and ran a virus a second time. Two weeks with no internet.

That was sufficient to get them to believe me. That was several years ago now. There have been no problems since - none of them wants to live without the internet for a month.

tailstrikecharles
7th Nov 2010, 10:12
I disagree with IO540's generalisation that the only way to effectively resolve issues is to reinstall a disk image. That is what professionals do because a) it is simple and b) they cannot spend the time doing otherwise.

What I find is that I spend far longer than a paid technician could reasonably charge for. I do not charge and I do it purely for the fun of it.


For the others of us who have 'real lives' and 'other things to do', copying off the useful stuff and reinstalling/re-imaging/reformatting IS the best and most intelligent course of action.
Besides. Some may install a rootkit which is virtually undetectable.
Boot time virus checks may help, but add to your boot time, encouraging you to not reboot at all (which negates the value of boot checks)

You can EASILY become infected behind a router or firewall if you access the net at all.
Comodo Antivirus/Firewall is very effective even though the false alarm 'training' is somewhat annoying initially.

BOAC
7th Nov 2010, 12:17
Boot time virus checks may help, but add to your boot time, encouraging you to not reboot at all - I think you mis-understood - these are 'one-time' boot scans, not regular. No dis-incentive at all if it gets rid of a nasty?

G_STRING
7th Nov 2010, 13:01
Again, thanks for all your help.

M.Mouse, the instructions on your link look as if they'd certainly do the job, but unfortunately, I can't do anything at all on my computer, it seems to be completely disabled. If I try to run the add/delete programs, it won't let me, and an 'infected' message pops up.

The same happens if I try to right-click on the anti-virus icon that has been installed. I can't get on the internet at all, and programs such as Word, etc. will not run, just bringing the pop up message 'infected, buy and run our program to clean' (or words to that effect), up.

I'm going to try the boot in safe mode suggestion tonight, but am not sure whether it'll let me do that or not, I suppose it is determined by how soon after applying power to the computer does the virus activate.

I've encountered a few virus' in the past, but nothing that AVG couldn't get rid of, and certainly nothing as vicious as this one appears to be.

M.Mouse
7th Nov 2010, 13:14
For the others of us who have 'real lives' and 'other things to do', copying off the useful stuff and reinstalling/re-imaging/reformatting IS the best and most intelligent course of action.

And in the long run almost as time consuming as repairing the damage instead. Having to retrieve everything you want and re-establishing the appearance and set up which the user likes and is used to also takes time. It does of course assume that the user's data is all neatly stored in sensible places and easily transferred to an interim medium or backed up even. In my experience that is rarely the case. Hence the user loses all sorts of stuff but hey, who cares, you can get on with your 'real life'.

Besides. Some may install a rootkit which is virtually undetectable.

Rootkits are perfectly detectable and removable. They are also becoming more common.

You can EASILY become infected behind a router or firewall if you access the net at all.

Of course you can but then the fundamental purpose of a firewall is not to prevent a virus infection.



G String

You will be able to boot into safe mode. The initial actions to remove malware can be a little difficult and slow because the malware itself often obstructs attempts to remove it and also blocks access to helpful internet sites if not all internet access.

Do you have access to another PC? If so one useful technique is to download the programs you need to a USB memory stick and run them from there. You sometimes have to rename the programs you wish to use to prevent the malware recognising the program you are trying to run.

EDDNHopper
7th Nov 2010, 14:26
Agree with MMouse that whatever you do must be done methodically. Erratic deletion etc. will make matters worse. If internet connection is impossible you will have to revert to another computer to download whatever is needed.

BOAC
7th Nov 2010, 14:32
You will be able to boot into safe mode - not necessarily! It depends which 'cold' he has caught. If Safe mode has been disabled, http://www.didierstevens.com/files/data/SafeBoot.zip will restore the registry keys for him.

doglegfinal
7th Nov 2010, 15:25
I had the same problem on a computer a few weeks ago. Reboot in safe mode didn't help. Couldn't open Task Manager either (to kill the process). The virus acted as a popup blocker and blocked Task Manager.

What to do:
press CTRL-ALT-DEL AND KEEP IT PRESSED!!!! This way Task Manager will open a few dozen Task Manager windows at the same time and the blocker can't keep up with this. So you will have your Task Manager again.
Then go to processes and look for a process with some random letters/numbers with the .EXE extension. For example hjapgkwagnz.exe or qkwcrrwagnz.exe. Killing this process gave me control over the internet explorer again.
Then I went on the net, downloaded and installed malwarebytes, ran a scan and the program was removed.

Hope this helps and good luck :ok:

P.Pilcher
8th Nov 2010, 11:21
Although all of us here reckon that Malwarebytes is a good program for getting rid of nasties, my wife was complaining that she was getting fed up of windoze (XP) repeatedly crashing recently. It was only a few months ago that I rebuilt XP on her machine. A scan with Avast revealed nothing, Malwarebytes found nothing, so in desperation I tried good old windoze defender. It found a nasty trojan which it managed to remove. This was clearly well embedded as when windoze boots now it complains that it cannot find a certain .dll but still runs happily. Problem appears to be solved.

P.P.

Keef
8th Nov 2010, 11:41
PP: it may be that the .dll in question is a valid Windoze one that the trojan "modified", but that it provides a function that you don't use.

You may be able to download or acquire a valid (clean) copy of it and eliminate whatever isn't working.

Or not, of course.

P.Pilcher
8th Nov 2010, 22:17
Thanks Keef - I was thinking along those lines as well, all I've got to do is to make a note of the file name and see if I can find it on my machine then I can copy it over. As you say, the file is probably involved in an unused function.

P.P.

reynoldsno1
8th Nov 2010, 23:22
I had an issue with a similar program called Personal Security a few months ago. I followed this process:

To start with I booted up and started Task Manager before the malware program started and stopped it running, then:

Personal Security manual removal:

Kill processes:
psecurity.exe

Delete registry values:
HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
HKEY_LOCAL_MACHINE\SOFTWARE\5FFB10D58FFCF482208906E6A889FD56
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "PSecurity"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\post platform "WinTSI 01.12.2009"

Unregister DLLs:
win32extension.dll

Delete files:
psecurity.exe
Uninstall.lnk
win32extension.dll
Computer Scan.lnk
Help.lnk
Personal Security.lnk
Registration.lnk
Settings.lnk
Update.lnk

Delete directories:
C:\Program Files\PSecurity
C:\Program Files\Common Files\PSecurityUninstall
C:\Documents and Settings\All Users\Start Menu\PSecurity

Obviously the details will be different, but the above worked fine and I haven't had a problem since.
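An added example, not posted by anyone in this thread, that turns reynoldsno1's manual procedure above into an audit-first script: it reports which of the listed Personal Security artefacts are actually present and only cleans them up when run with -Remove. The -Remove switch name is my own, and the script assumes win32extension.dll sits under one of the listed directories (the post gives only its file name).

```powershell
# Added example, not from the thread: audit a Windows machine for the "Personal
# Security" artefacts reynoldsno1 lists, and remove them only when -Remove is given.
# Assumptions (mine): the -Remove switch name, and that win32extension.dll lives
# under one of the listed directories (the post gives only its file name).
# Run from an elevated PowerShell prompt, preferably in Safe Mode.
param([switch]$Remove)

$ProcName = 'psecurity'                       # psecurity.exe, without the extension
$Keys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}',
    'HKLM:\SOFTWARE\5FFB10D58FFCF482208906E6A889FD56'
)
$Values = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'PSecurity' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform'
       Name = 'WinTSI 01.12.2009' }
)
$Dirs = @(
    "$env:ProgramFiles\PSecurity",
    "$env:CommonProgramFiles\PSecurityUninstall",
    "$env:ALLUSERSPROFILE\Start Menu\PSecurity"   # XP layout, as in the post
)

# --- Audit: collect every artefact that is actually present ---
$Found = @()
if (Get-Process -Name $ProcName -ErrorAction SilentlyContinue) { $Found += "process $ProcName.exe" }
foreach ($k in $Keys) { if (Test-Path $k) { $Found += "key $k" } }
foreach ($v in $Values) {
    if (Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue) {
        $Found += "value '$($v.Name)' under $($v.Path)"
    }
}
foreach ($d in $Dirs) { if (Test-Path $d) { $Found += "directory $d" } }

if ($Found.Count -eq 0) { Write-Output 'No Personal Security artefacts found.'; return }
$Found | ForEach-Object { Write-Output "FOUND: $_" }
if (-not $Remove) { Write-Output 'Audit only. Re-run with -Remove to clean up.'; return }

# --- Removal in the post's order: process first (so its files are not locked),
# then registry, then the DLL, then the directories holding the .exe and .lnk files ---
Stop-Process -Name $ProcName -Force -ErrorAction SilentlyContinue
foreach ($v in $Values) { Remove-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue }
foreach ($k in $Keys)   { Remove-Item -Path $k -Recurse -Force -ErrorAction SilentlyContinue }
Get-ChildItem -Path $Dirs -Filter 'win32extension.dll' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { & regsvr32.exe /u /s $_.FullName }   # unregister before deleting
foreach ($d in $Dirs)   { Remove-Item -Path $d -Recurse -Force -ErrorAction SilentlyContinue }
Write-Output 'Removal done. Reboot and confirm with a full scan from a second tool.'
```

Run it once without -Remove to see what is present before anything is touched; as the thread notes, a second scanner after the reboot is the check that nothing was left behind.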