Antivirus Action

Antivirus Action Description

Antivirus Action is a fake security application that can spread via Trojans, file-sharing networks and malicious websites. A member of the FakeSpyPro family, Antivirus Action generates fake system security warnings to convince victims that they need to purchase its full version to remove the detected threats. Antivirus Action (AntivirusAction) is a useless application that should never be purchased.

The rogue anti-virus program can be unknowingly installed onto a user's computer by Trojans that exploit known Windows vulnerabilities or when a victim opens an infected attachment in spammed e-mails. It can also come bundled with downloads from infected websites or files from peer-to-peer networks. On infiltrating a system, Antivirus Action will create a start-up registry entry to ensure that it is automatically executed every time the infected PC is started up. Antivirus Action will also block a victim's access to applications such as Task Manager or Registry Editor. These actions ensure that the rogue is not easily detected and removed from the system.
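A defender can triage the start-up registry entry described above from exported `reg query` output. The following is an added example, not code from the original page: it flags Run-key values whose executable sits under a temporary directory. The sample entries, value names and paths are constructed, and treating a temp-directory autorun as suspicious is this example's assumption.

```python
import re
from ntpath import normpath

# Constructed sample of:
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# All value names and paths below are invented for illustration.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    qzkvhwpla    REG_SZ    C:\Users\alice\AppData\Local\Temp\qzkvhwpla\xmbrtwq.exe
    Updater    REG_EXPAND_SZ    "%TEMP%\..\Programs\Updater\upd.exe" --silent
    helper    REG_SZ    "C:\DOCUME~1\alice\LOCALS~1\Temp\helper.exe"
"""

# reg.exe prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(
    r"^ {4}(?P<name>.+?) {4}(?P<type>REG_(?:EXPAND_)?SZ) {4}(?P<data>.*)$")
# Executable part of a command line: a quoted path, or text up to the first
# executable-looking extension when the path is unquoted.
EXE_RE = re.compile(
    r'^"([^"]+)"|^(.+?\.(?:exe|com|scr|bat|cmd|pif))(?=\s|$)', re.I)
# Directory names (or unexpanded variables) that denote a temp location.
TEMP_COMPONENTS = {"temp", "tmp", "%temp%", "%tmp%"}


def executable_of(command):
    """Return the program path from an autorun command line."""
    command = command.strip()
    m = EXE_RE.match(command)
    if m:
        return m.group(1) or m.group(2)
    return command.split()[0] if command else ""


def runs_from_temp(command):
    """True if the program's directory chain contains a temp directory."""
    # normpath collapses "..", so "%TEMP%\..\x.exe" is not treated as temp.
    parts = normpath(executable_of(command)).lower().split("\\")
    return any(p in TEMP_COMPONENTS for p in parts[:-1])


def suspicious_autoruns(reg_query_output):
    """List (value name, executable) pairs that auto-start from temp."""
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_RE.match(line)
        if m and runs_from_temp(m["data"]):
            hits.append((m["name"], executable_of(m["data"])))
    return hits
```

Run it over the same query against the `HKLM` Run key as well; a hit is a lead for manual review, not proof of infection.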

When a victim attempts to run programs on a compromised PC, Antivirus Action will display a message claiming that the file he/she is attempting to run is infected and then it will terminate the process. The security message is as follows:

"Security Warning
Application cannot be executed. The file notepad.exe is infected. Do you want to activate your antivirus software now."

The programs and processes are terminated to prevent a victim from launching security software to remove the rogue. However, if you attempt to run the programs enough times, they should eventually work. To convince a victim that his/her system is infected, the rogue simulates a fake system scan that is designed to always report the detection of several dangerous computer parasites such as viruses, Trojans and spyware. Fake system security alerts and pop-up warnings will also be displayed to convince a victim that he/she needs to purchase its full version to remove the detected threats.

Below is an example of the security alerts:
"Windows Security Alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here to scan your computer. Your system might be at risk now."

As a result of browser hijacking, when a victim attempts to browse the internet, and even when a user clicks on the security alerts displayed by Antivirus Action, he/she will be redirected to malicious websites that promote the online purchase of this rogueware. Users should be aware that Antivirus Action is not able to detect or remove real malware and thus should never be purchased. Instead, use a reliable malware removal tool to rid your PC of this useless rogue.

There are numerous clones of Antivirus Action, including Spyware Protect 2009, Antivirus System Pro, Security Central, Antivirus Soft, Antivirus Suite, AntiSpyware Soft, Antivir Solution Pro, Security Suite, Malware Destructor 2011, Antivirus Scan, PC Security 2011, Antivirus .NET, AntiVira Av, AntiMalware GO, Antivirus Monitor and Antivirii 2011.

Aliases: Suspicious file [Panda], Mal/FakeAV-DO [Sophos], Trojan/Win32.FakeAV [AhnLab-V3], High Risk Cloaked Malware, Rogue:Win32/FakeSpypro [Microsoft], Trojan.Win32.Generic.pak!cobra, Trojan.FakeAV.2534 [DrWeb], Trj/CI.A [Panda], Generic19.CKTO [AVG], Trojan.Win32.Generic!BT [Sunbelt], Medium Risk Malware Dropper, VirTool:Win32/Obfuscator.JM [Microsoft], Win32/AntivirusAction.O [eTrust-Vet], TR/Obfuscated.244736JM [AntiVir] and Trojan.FakeAV.1254 [DrWeb].

Technical Information

File System Details

Antivirus Action creates the following file(s):

More Details on Antivirus Action

The following URLs were found:
Tip: We recommend blocking the domain names as well as the IP addresses associated with them.
The following messages associated with Antivirus Action were found:
Security Warning
Application cannot be executed. The file notepad.exe is infected. Do you want to activate your antivirus software now.
Windows Security Alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan your computer. Your system might be at risk now.
