Do you have pop-ups or your computer infected with trojan or spyware ? Learn how to ask us for help, click here!

How to remove Antivirus Action (Uninstall instructions)

Antivirus Action is a new rogue antispyware program from the same family of malware as Antivirus IS. The program is distributed with the help of trojans. When the trojan is started, it will download and install Antivirus Action onto your computer and configure it to run automatically when you logon to Windows.

When Antivirus Action is installed, it will imitate a system scan and detect a lot of various infections that will not be fixed unless you first purchase the program. Important to know, all of these reported infections are fake and don’t actually exist on your computer! So you can safely ignore the scan results that Antivirus Action gives you.

While Antivirus Action is running, it will block the ability to run any programs as a method to scare you into thinking that your computer is infected with malware. The following warning will be shown when you try to run the Notepad:

Application cannot be executed. The file notepad.exe is infected.
Do you want to activate your antivirus software now.

What is more, the rogue will flood your computer with warnings and fake security alerts. Some of the alerts:

Windows Security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.

Your computer is being attacked by a Internet
Virus. It could be a password stealing attack, a
trojan – dropper or similar.

Threat: Win32/Nuqel.E
Do you want to block this attack?

Last but not least, Antivirus Action will hijack Internet Explorer so that it will randomly show a warning page which states:

Internet Explorer Warning – visiting this web site may harm your computer!
Most likely causes:
The website contains exploits that can launch a malicious code on your computer
Suspicious network activity detected
There might be an active spyware running on your computer

What you can try:
– Purchase Antivirus System PRO for secure Internet surfing (Recommended).
– Check your computer for viruses and malware.
– More information

Of course, all of these above warnings and alerts nothing more but a scam and like false scan results should be ignored!

As you can see, Antivirus Action is a scam that designed with one purpose to trick you into purchasing so-called full version of the program. Do not be fooled into buying the software! Instead of doing so, follow the removal guide below in order to remove Antivirus Action and any associated malware from your computer for free.

Symptoms in a HijackThis Log

O4 – HKCU\..\Run: [{RANDOM}] %Temp%\{RANDOM}\{RANDOM}agnz.exe

Automatic removal instructions for Antivirus Action

Step 1. Reboot your computer in Safe mode with networking

Restart your computer.

After hearing your computer beep once during startup, start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.

Instead of Windows loading as normal, Windows Advanced Options menu appears similar to the one below.

Windows Advanced Options menu

When the Windows Advanced Options menu appears, select Safe mode with networking and then press ENTER.

Step 2. Reset Internet Explorer Proxy options

Run Internet Explorer, Click Tools -> Internet Options as as shown in the screen below.

Internet Explorer – Tools menu

You will see window similar to the one below.

Internet Explorer – Internet options

Select Connections Tab and click to Lan Settings button. You will see an image similar as shown below.

Internet Explorer – Lan settings

Uncheck “Use a proxy server” box. Click OK to close Lan Settings and Click OK to close Internet Explorer settings.

Step 3. Stop Antivirus Action from running

Download HijackThis from here. Run it and click Scan button. Look for lines that looks like:

O4 – HKLM\..\Run: [audpdogk] c:\docume~1\user\locals~1\temp\akotrowvc\bcgcihiagnz.exe
O4 – HKCU\..\Run: [audpdogk] c:\docume~1\user\locals~1\temp\akotrowvc\bcgcihiagnz.exe

Note: list of infected items may be different, but all of them have “agnz.exe” string in a right side and “O4″ in a left side.

Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.

Step 4. Remove Antivirus Action associated malware

Download MalwareBytes Anti-malware (MBAM). Close all programs and Windows on your computer.

Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded you will see window similar to the one below.

Malwarebytes Anti-Malware Window

Select Perform Quick Scan, then click Scan, it will start scanning your computer. This procedure can take some time, so please be patient.

When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar as shown below. Note: list of infected items may be different than what is shown in the image below.

Antivirus Action remover
Malwarebytes Anti-malware, list of infected items

Make sure all entries have a checkmark at their far left and click “Remove Selected” button to remove Antivirus Action. MalwareBytes Anti-malware will now remove all of associated Antivirus Action files and registry keys and add them to the programs’ quarantine. When MalwareBytes Anti-malware has finished removing the infection, a log will open in Notepad and you may be prompted to Restart.

Antivirus Action removal notes

Note 1: if you can not download, install, run or update Malwarebytes Anti-malware, then follow the steps: Malwarebytes won`t install, run or update – How to fix it.

Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.

Note 3: your current antispyware and antivirus software let the infection through ? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.

Antivirus Action creates the following files and folders


Antivirus Action creates the following registry keys and values

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter | “Enabled” = “0”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “ProxyOverride” = “”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “ProxyServer” = “http=″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “ProxyEnable” = “1”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | {RANDOM}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {RANDOM}

October 7, 2010 on 11:59 am | In Malware removal, Rogue Anti Spyware | 100 Comments |


RSS feed for comments on this post.

  1. thanks a lot for this, my girlfriend’s laptop was infected with the damn thing and you’ve just saved a lot of earache and also made me a hero in the process! thanks again

    Comment by bubblits — October 9, 2010 #

  2. At last. I got rid of the Antinvirus Action malware. I recognized this as being similar to the Security Central malware that I’d had before and tried those instructions. Still no luck. Then I found and tried the instructions above. Hijack This did not find the bad files. I caught the Run:msconfig.exe and got machine in safe mode so the product wouldn’t launch. I did a file search looking for “agnz.exe” and found 2 files. One was stored in the C:windows\Prefetch\ folder. Looks like the name may be computer generated to change, but it contained the AGNZ.exe in the name. Also found one in my documents & settings\Name\local settings\temp folder. This one had the AGNZ in the filename but not the .exe. I deleted the 2 files and restarted machine. All fixed. How do I modify my msconfig startup to stop looking for the bad files?

    Comment by Amy B — October 9, 2010 #

  3. YES!! Thank You!!! I just formatted my sons p.c and reloaded all his games. then a week later,got this virus. Deleted all those registry values and ran malwarebytes, reset proxy. and yippy. again Kudos

    Comment by Dan — October 10, 2010 #

  4. thanks alot man! i almost had given up when i tryed everything i could think of. i kept using the malware antispyware scan and it didnt find no viruses. but what i didnt try was the Hijackthis. thats the thing that really helped me alot. i dont know what i would do without my computer! THANKS AGIAN<33

    Comment by Mesiry — October 10, 2010 #

  5. OH MY GOODNESS, thank you sooo much for this!!! I had that stupid antivirus action thing on my computer and I was going crazy from it! Thank you so much really! This is the best!

    Comment by Bri — October 11, 2010 #

  6. Dude i hav no words to say i m so thankfull to u i brot dis new laptop nd dis thing scared me off even my exams r nearing thnx man thnx alot may god bless whoever wrote down dis help guide nd ofcouse the creators of hijack guide nd malwarebytes

    Comment by Malik — October 12, 2010 #

  7. lifesaver. took me like 5 tries with a whole bunch of methods but yours worked! Much appreciated. i thought hijack had failed but suddenly i was able to use the malwarebytes software (i had tried it earlier with another help guide and it wouldnt start) after running hijack, so i dont know how, i dont care! Thanks so much, keep up the good work!

    Comment by Andrew — October 12, 2010 #

  8. You are an absolute gun. I hope these scamming fuckers didn’t get Antibes money!

    Comment by Stu — October 13, 2010 #

  9. Oh man…thank you so much….I automatically knew it was a malware program but had no idea how to get rid of it and now with malwarebyte’s anti-malware I know how to fix the prob for next time….thank you again!!!!!

    Comment by Forever Greatful — October 13, 2010 #

  10. HiJackThis.exe didnt find any files with agnz.exe in them. I’m still in safe mode with networking, do i need to restart before i download hijackthis? any ideas?

    Comment by still stuck — October 15, 2010 #

  11. Thankyou so much for saving my laptop! I followed the instructions given here, but couldnt see any obvious rogue files, so posted them to Patrik on this sites forum who found 3, i removed them and with a little bit more help from Patrick the virus has now been successfully removed!! Thankyou!!!!!!!!

    Comment by Katie — October 16, 2010 #

  12. I did every step, but I can’t find any…

    O4 – HKLM\..\Run: [audpdogk] c:\docume~1
    O4 – HKCU\..\Run: [audpdogk] c:\docume~1\user\locals~1\temp\akotrowvc\bcgcihiagnz.exe

    …lines :s

    Comment by Thanks A Lot — October 16, 2010 #

  13. “still stuck”, look also file with yhsn.exe in them or skip step 3.

    Comment by Patrik — October 16, 2010 #

  14. Ok so the person infront of me said alot and it helped me ouut alottt but to say it another way first restart your computer and press at f8 keep pressing then press at safe mode with networking when it loads and everything go to system restore try to restore it to the last time u downloaded something i would prefer 3 days back just in case it should work PERFECTLY after

    Comment by Phillip saad — October 16, 2010 #

  15. i couldn’t find any similar files in step 3, so i skipped it and ran the quick scan. but it didn’t give the same/similar results. the virus is still there! what do i do? :(

    Comment by help:( — October 16, 2010 #

  16. “help:( “, open a new topic in our Spyware removal forum. I will help you to remove this malware.

    Comment by Patrik — October 17, 2010 #

  17. thanks for your help patrik, its gone for good!

    Comment by Stuck NoMore! — October 17, 2010 #

  18. OMG. THANK YOU SO MUUUCHHHH. THANK YOU THANK YOU THANK YOU. <3 My computer is all good now! Patrik I don't know how much i could thank you for this!! <3<3<3

    Comment by Jen is happy, thanks to patrik. — October 17, 2010 #

  19. Had problems booting to safe mode. So I managed to open the Task Manager as Windows started loading everything else. i.e. I managed to open task manager before Antivirus Action opened (which prevents programs from opening).

    Thank I killed a process that appeared to be running “Action” … the process did NOT have “agnz.exe” in it!!! You may want to update this — I have no doubt that the geeks that created the “program” have started to generate more random filenames than *agnz.exe.

    I then ran hijackthis (as I have used for years) and killed off the same process name. And am now running malwarebytes’ … just thought I’d note the changed filename for you.

    Comment by TJLF — October 17, 2010 #

  20. …I will note, however, that the directory/path is/was approximately the same as noted in the instructions above.

    Might be best to:

    1. Open Task manager FAST — immediately upon starting the windows screen. (this opens task manager before the “action” program starts to kill off any new programs when you try to open them.

    2. In Task manager, sort processes by CPU column and monitor which program(s) pop up frequently with >0 CPU value. You’ll find the IDLE process taking up a lot, …and that’s normal. Look for processes that don’t look familiar. There will likely not be more than five. Also, you can eliminate some of them, by watching the “action” program’s pop up window telling you which process it blocked!!! …those aren’t the “action” program process.

    3. Terminate the rogue processes.

    4. Test to see if the program is disabled by opening a program from the start menu. If it opens, the “action” program is temporarily disabled.

    5. Run Hijackthis. Do a scan as noted in the above, and check to kill the processes that you killed in the task manager.

    6. Change proxy settings as noted in this page’s instructions.

    7. Run Malwarebytes’, or go hunt for another solution on the web — now that you can actually open and run your browser without getting a fake error page.

    ..Incidentally, I didn’t care to figure out how to get a safe mode boot since I’ve got an endpoint encryption program on my laptop. ..Hitting task manager before the “action” program is just a quick, creative alternative to allow me access to all the programs and start hunting the stupid “action” “program”.

    I hope it’s killed.

    You may also want to be sure you’re blocking the host on this one.

    Comment by TJLF — October 17, 2010 #

  21. thank you soooo much!!! it really worked!!!! this really helped me a lot. i was going crazy when i found out my couldnt access to any of the program on my computer. Thank you so much again.

    Comment by Lulu — October 18, 2010 #

  22. You SAVED my LIFE … Well, at least my computer! Thanks so much!

    Comment by Patti — October 20, 2010 #

  23. THank YOU SO MUCH!!!!!!!!!!!!! I WAS SCARE IT WAS TRUE IN TROUBLE BECAUSE OF THESE FACT MESSAGE!!! THANK YOU!!!!!!!!!!!! THank you again plus this is my freind computer it save me a whole lot of troble! thank you! :)

    Comment by Raymond Richard — October 22, 2010 #

  24. I followed step one and during windows opening was given the option to restore. Restore worked perfect and took minutes. I absolutely recommend system restore. Thank you for this forum.

    Comment by Mike — October 23, 2010 #

  25. Thank You SO much for your kind help.
    God Bless You Dear!!!
    I wish God give you lot of fruits for helping others.
    Well done
    You Rock

    Comment by Raj Kumar — October 26, 2010 #

  26. It worked perfect. Thank you so much, the step by step instructions are great, easy to read and follow. Your service is so honourable. Thank you again.

    Comment by Mike — October 28, 2010 #

  27. Yhis was great….That stuff was driving me nuts and within about 30 minutes….all gone. Thank you very much

    Comment by Matt — November 1, 2010 #

  28. Hi. I tried using this. While I was On ” Safe Mode Networking ” I had no Internet Acess. So I tried using it on normal. I had no internet Acess either. I tried copying and pasting the link above since I needed to Click the Link and Find the 3 lines. I’m stuck on Step 3. If anyone can help please email me at xxrachieexx33 AT gmail DOT com I would love the help. Thanks!

    Comment by Rachelle — November 2, 2010 #

  29. I also can’t find any agnz.exe on the hijackthis scan and its driving me crazy. should i be looking for anything else? i can’t get rid of this stupid virus… please help!!

    Comment by amy — November 3, 2010 #

  30. Rachelle, you have completed the second step ?

    Comment by Patrik — November 3, 2010 #

  31. amy, skip step 3.

    Comment by Patrik — November 3, 2010 #

  32. Patrik, yes I have done te 2nd step.
    Correction of email: xxrachiexx33 AT

    Comment by Rachelle — November 5, 2010 #

  33. Btw I’m on my laptop and trying to do these on my computer since I cannot get onto my internet. So I cant actually click here In step 3.

    Comment by Rachelle — November 5, 2010 #

  34. Rachelle, what shows your browser when you trying to open any site ?

    Comment by Patrik — November 7, 2010 #

  35. Well , when I use Safe Mode With Networking I have no internet access for some reason. I have fine internet. When I try using it the normal way , It shows ” Internet cannot Access. This website may be infected! ” everytime I open up the internet

    Comment by Rachelle — November 7, 2010 #

  36. Rachelle, reboot your PC in Safe mode with networking. It will stop the rogue from running. Next go to step 2. When you done it, don`t reboot your computer and go to next 4.

    Comment by Patrik — November 7, 2010 #

  37. Thanks for your work! Really appreciated!

    Comment by Esther — November 7, 2010 #


    Comment by HELP! — November 8, 2010 #

  39. “HELP!”, ask for help in our Spyware removal forum.

    Comment by Patrik — November 9, 2010 #

  40. I recieved antivirus action on nov 3. used rkill and malwarebytes and got rid of it. today on the 9th it returns. however this time rkill and malwarebytes can’t locate anything. My system also won’t let me restore because i never created a restore point. did i overlook something last time? i dont know why im getting this or how to get rid of it. Please help.

    Comment by BradS — November 9, 2010 #

  41. I can’t find the files, also malwarebytes shows up with nothing. :S

    Comment by Xavier — November 10, 2010 #

  42. i didnt find any agnz.exe files so i skipped it and went to the step 4 it found 6 i removed them then restarted but then it was still there help plz D:

    Comment by Anthony — November 10, 2010 #

  43. BradS and Anthony, probably your computer is infected with a new/updated version of the rogue. Please start a new topic in our Spyware removal forum. I will help you to remove this malware.

    Comment by Patrik — November 10, 2010 #

  44. Oh,how relieved and excited I am!!!! I finally found a site that addressed my exact problem, and walked me through lines and lines of computer codes that I can’t comprehend, and I didnot feel lost. You saved me $100 easy!Now I will upgrade both computers and pass on the word to my family members who have computers. It was exhilerating to do this myself, a 40 year old mom!

    Comment by Rhonda M. — November 12, 2010 #


    Comment by Aarushi — November 12, 2010 #

  46. Thank you so much!! I feel so empowered after getting rid of this nasty thing. I ended up using rkill to get all back to normal, but thank you so much!!

    Comment by Michelle — November 13, 2010 #

  47. Hello again, sorry i was unresponsive last week. Please email me instead if you can,I am more active on email than this website,Thanks! (:

    Comment by Rachelle — November 13, 2010 #

  48. After an excruciating night trying everything that other websites recommend, yours was the only one that provided information that worked. The problem with most websites is that they ask you to download their scanning software in order to remove the malware, but the malware prevents the user from accessing the Internet. I don’t know why the other websites are that stupid. What finally worked was the information below:

    Antivirus Action creates the following registry keys and values

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter | “Enabled” = “0″
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “ProxyOverride” = “”
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “ProxyServer” = “http=″
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “ProxyEnable” = “1″
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | {RANDOM}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {RANDOM}

    I didn’t find all of the above keys and values, but enough so that I could access the Internet and then run scanning software.

    Comment by Phil — November 13, 2010 #

  49. thank you so much!!!!!!!!! you really did saved me … awesome!!!!

    Comment by liz_guevara — November 15, 2010 #

  50. Hijack doesn’t show me any files ending in agnz. But what if the entire file name is a mix of letters that is completely unrecognizable. Should I remove it?

    Comment by Confused — November 15, 2010 #

  51. I have no internet access while I’m in safe mode with networking.

    Comment by Rachelle — November 16, 2010 #

  52. Ah I believe it’s off my computer some how? But thanks for the help anyways Pat.

    Comment by Rachelle — November 16, 2010 #

  53. Confused, reboot your PC in Safe mode with networking.
    Antivirus Action stores its files in Temp folder. Try clean it. Download ATF Cleaner by Atribune from here, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
    Start ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
    Download Malwarebytes and perform a scan.

    Comment by Patrik — November 17, 2010 #

  54. I just want to say, when I find the fuck who wrote this virus, I’m going to take him and his girlfriend outside, then force the bitch to watch me kerb-stomp him. Then she’ll blow me.

    Comment by Luis — November 17, 2010 #

  55. Rachelle, please start a new topic in our Spyware removal forum.

    Comment by Patrik — November 18, 2010 #

  56. Worked, thank you so much.. you saved my life !!!

    Comment by Redshoescow — November 25, 2010 #

  57. This thing’s been updated… it’s called twswbla bla bla something now :/. And would Ccleaner work instead of the ATF? And im pretty sure the random letters = antivirus action..

    Comment by Chris — November 27, 2010 #

  58. oh one more thing. No internet access but I was able to get on skype. on safe mode and normal. if you’re trying to boot normal press ctrl+alt_dlt asap and try to find a matrix of random letters and end task that thing….

    Comment by Chris — November 27, 2010 #

  59. Thanks for the instructions.
    I couldn´t find the files by HijackThis – but MalWareBytes was the key …! Thanks!

    Comment by Poulsen — November 27, 2010 #

  60. Chris, boot in Safe mode with networking, reset proxy settings, download and scan with malwarebytes.

    Comment by Patrik — November 28, 2010 #

  61. I cannot find these strings when running the scan to uninstall antivirus action.

    O4 – HKLM\..\Run: [audpdogk] c:\docume~1\user\locals~1\temp\akotrowvc\bcgcihiagnz.exe
    O4 – HKCU\..\Run: [audpdogk] c:\docume~1\user\locals~1\temp\akotrowvc\bcgcihiagnz.exe

    i tried downloading the malwarebytes and it was not successfull either.

    Comment by rob — November 28, 2010 #

  62. I’ve just removed ‘antivirus action’ using this guide and others comments. I couldn’t find the agnz.exe file using hijack so I cleaned out temp files using ATF Cleaner as Patrick recomended. Then I downloaded the Malwarebytes and performed the scan which found infected files which I then removed. My computer is now working fine with no sign of the antivirus action so far. It also helped that I had a second computer to do the downloads as I couldn’t get my infected computer to connect to internet while in safe mode.Thanks heaps for this great guide and for saving me dollars!

    Comment by Sandra — November 29, 2010 #

  63. You re the number 1.thank you very much for all inste save my hair.I was pulling off my hairs.But i am going to uninstall Malwarebytes Anti-Malware.Dont know yet would that be a problem.Thanks again.

    Comment by ozal — November 29, 2010 #

  64. rob, ask for help in our Spyware removal forum.

    Comment by Patrik — November 29, 2010 #

  65. Omg Finally i was able to get rid of this stupid virus.
    thanxxxxxxxxxxxxxxx so much <3 <3
    I love you, u saved my laptop :) Thanks x1000000 times

    Comment by Julie — November 30, 2010 #

  66. Found your site the best to work with on this. Followed the instructions above (fortunately I had could get internet access in safe mode) and seems to be clean. Couldn’t see any desktop icons though, then found that in right click arrange icons by…show desktop icons was unchecked. checked it seems fine now. Is anything else needed?
    Thanks – meltdown.

    Comment by Meltdown — November 30, 2010 #

  67. OMG!! thanks a million…i was starting to freak out because i have finals in two weeks.

    the ATF cleaner and malwarebyte worked for me! thanks again for providing free help online. at first, i was skeptical and thought maybe your advice was leading me to another virus. but, it worked!! you are awesome. truly!

    Comment by bookworm — December 2, 2010 #

  68. Have Antivirus Action on Vista. Active in Safe Mode with NW’g. Please advise.

    Comment by stuck — December 3, 2010 #

  69. Very easy to follow instructions, back up and running in less than an hour, thanks a bundle.

    Comment by Schnuz — December 3, 2010 #

  70. Thank you so much for all help. I too couldn’t locate the exact files names listed above, but I simply skipped this stepped. Once I was done, so was this #$#@$ virus…

    Comment by Thankful — December 3, 2010 #

  71. It looks like they’ve altered this beast. In Hijackthis, I didn’t have any …agnz.exe. Instead the files were ….tsbl.exe. If you find them, kill them. Then do the LAN setting step above.

    Comment by shift fork — December 3, 2010 #

  72. I apologize, I’m a little confused. what am I supposed to do with those registry keys? delete them? or change the values?

    Comment by confusedAlittle — December 4, 2010 #

  73. Finally this damn virus is off my computer! I tried a couple of sites before I came to this one but this is the only thing that worked! Thanks so much guys!

    Comment by Nikeeta — December 4, 2010 #

  74. Ah! Thank you so much guys! I never would have known what to do if I hadn’t of found your website. You guys freakin rock! Thanks so much.

    Comment by Ethan — December 4, 2010 #

  75. Thank you to Shift fork for pointing out that the files are now .tsbl.exe!!!!

    Comment by deedee — December 5, 2010 #

  76. Oh god, finally its over. It was 3AM & I can’t sleep so I made up my mind to fight this virus. I worked through my PS3 to laptop, about 30 minutes & its done. Thank you :’]

    Comment by Meor — December 5, 2010 #

  77. Thanks so much for this worked like a charm! oh might i add a wish for whomever invented this little gem…I wish you painful ass cancer you puke!

    Comment by jimmy spencer — December 5, 2010 #

  78. Thank you so much! Exellent guide!

    Comment by Sudar — December 5, 2010 #

  79. Well, I’m on the third step, and I couldn’t find any agnz.exe or tsbl.exe. Can anyone help me? I tried skipping step 3 but it was still there. CAN SOMEONE PLEASE HELP?

    Comment by Hi — December 6, 2010 #

  80. it worked. you are a legend!

    Comment by Breaka Promo — December 6, 2010 #

  81. Hi there, first off thank you for this page, it has got me 90% of the way there, and I appreciate it. Antivirus Action is definitely gone now, thank goodness.

    One problem – I’ve followed all of the steps above, all the way through replacing the HOSTS file – however my computer still does not access the internet. Both IE and Safari return messages stating that there is no internet connection.

    I can see that I’m still picking up my wireless signal, like always, so I’m thinking that something additional needs to be done to get me the rest of the way there. Several reboots didn’t help, of course.

    Would appreciate any input you have. Thanks.

    Comment by George — December 6, 2010 #

  82. I went through the Steps. I have two problems:
    1) I am still getting a window tell me its blocking: csrss.exc.

    -I’ve already deleted it

    2) And when the internet loads, there is no image.
    Connection good, read diff urls, just white background.

    Comment by Rico — December 7, 2010 #

  83. This worked perfectly. Thank you!

    Comment by ChrisJonesUW — December 7, 2010 #

  84. Could not figure out which files were affected with Hijack this, but downloaded Malware and scanned. Mischief managed.

    Comment by Leen One — December 7, 2010 #

  85. This wonderful site saved not only my computer, but my room mate’s life that ventured onto P* and put this annoying thing on my computer.

    Comment by Pat C — December 8, 2010 #

  86. Thank yo sooooooooo much! I was going insane with this! :)

    Comment by Erika — December 8, 2010 #

  87. Hi, look for lines that have “\temp\” string in a center and {set of random characters} in right.

    Comment by Patrik — December 9, 2010 #

  88. George, check proxy settings once again. Also, you have tried to ping any site ?

    Comment by Patrik — December 9, 2010 #

  89. Patrik I was unable to locate any of the agnz.exe files. Should I skip and proceed through?

    Comment by David — December 9, 2010 #

  90. Hey after i choose safe mode with networking, another option appears before the computer finishes loading from restarting.

    I cant get from step 1 to step 2 because of this extra option.

    Comment by Help Please — December 9, 2010 #

  91. Hi there!
    Antivirus Action has an another Fake AV=Think Point.It is an exploit attack.When a Japanese enjoyed wachitng web site,he got a Think Point.He tried deleting that one then suddenly an Antivirus Action appeared!!!!

    1)Think Point has a ” hotfix.exe”,so we can delete it .We can take a ” safe mode and commandprompt” then we paste this command ” cd %APPDATA% ” ,press enter.Plus we take a command then paste ”del hotfix.exe ”.Please reboot your PC.You will see Think Point sleeps in his bed.It is very easy for you to delete him.
    But is is NOT easy for you to remove an Antivius Acthion.I tried looking into his ”EXE ”.Hey guys,please see this as follows:

    tayoeesu C:/Users/user name/AppData/Local/Temp/jghqsfrmm/lglsavkaffm.exe

    (This is a windows Vista OS )


    Antivirus Action has this EXE ” lglsavkaffm.exe
    ”. And when we tried deleting that EXE in safemode and command prompt( we tried using this command ”del lglsavkaffm.exe”)but we could not delete that one.

    So we took ATF cleader in safe mode the we could stop Antivirus Aciton.

    Some Japanese can remove Antivirus Action but other Japanese can not remove that one.Why?
    The reason is that Antivirus Action has a downloader!!!When we tried removing Antivirus Action,”backdoor Win32 cycbot.B” suddenly appeared.Windows Defender detected it.And we can not see IE internet explorer and Firefox .

    It is my report on Antivirus Action,thank you !
    See you soon.

    from Japan




    cd %APPDATA%

    と打ち込み、enterを押す(cd %APPDATA% ←ポイントは、cdと%の間は、必ず、半角スペース空間を空けること)


    del hotfix.exe

    Comment by daimao1 in Japan — December 9, 2010 #

  92. Thank you so much,computer instincts told me something wasnt right about that antivirus action thing so i searched on my phone for countless solutions.this really helped.Thank you so much. :)

    Comment by Roderick — December 10, 2010 #

  93. THANNNNKKKK YOOOUUU SO MUCH!! This was the only legit site I read that actually helped me!

    Comment by Emma — December 10, 2010 #

  94. David, skip step 3.

    Comment by Patrik — December 10, 2010 #

  95. “Help Please”, ask for help in our Spyware removal forum.

    Comment by Patrik — December 10, 2010 #

  96. Thanks Patrick.

    I followed directions as listed above except for I had to delete files with ….tsbl.exe rather than ….agnz.exe.

    Remember to keep your proxy settings under your Local Area Network settings unchecked in order to access the internet.

    Comment by Scooby — December 12, 2010 #

  97. THANK YOU THANK YOU THANK YOU!!!! So far i haven’t seen the damn thing and everything is working fine!

    Comment by jenn — December 12, 2010 #

  98. Thanks mate! you saved me from reformatting the disk.

    For other users who experienced the same problem, if “STEP 3″ is not applicable, skip it and move to “STEP 4″.

    Make sure that the program “Malwarebytes Anti-Malware” is INSTALLED and RUN under “Safe Mode with Networking”

    Note: Definition should be updated as well.

    Then proceed with removing the INFECTED files.

    Reboot back to normal mode and install your LEGIT Antivirus.

    Hope this helps.

    Comment by bariumzero — December 15, 2010 #

  99. I was so exhausted with trying to remove this virus that I just deleted the user account. I am back up and running (fingers-crossed) without the virus being present.

    Comment by Bernadette — December 15, 2010 #

  100. hi, new to the site, thanks.

    Comment by icefpurcecy — February 18, 2011 #

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>


My Anti Spyware - Free antispyware programs and Spyware Removal Instructions.