
After my previous post about how to remove Thinkpoint antivirus, a lot of things have changed. We have another new fake antivirus called Antivirus Action, malware that infects computers and tricks users into thinking it is a legitimate, free antivirus. Usually, you get it while surfing malicious websites that pop up fake warning windows and scanners on the screen. At this point the fake antivirus window warns that your computer is full of viruses and prompts you to download the free Antivirus Action. So let’s see how to uninstall and remove it! Be aware that most of the time your computer, after removing the fake antivirus, will become sluggish or unresponsive, so it might be necessary to reinstall the operating system completely.

As soon as you install Antivirus Action, it starts "scanning" your computer and reports that your machine is full of threats and viruses. Of course this is not true, because no scanning is performed at all. The whole purpose is to convince you to pay for the full version of the software. The malware also starts automatically every time you boot Windows, and each time it warns you about infections and viruses.

Antivirus Action is coded to prevent you from performing any kind of action while it pretends to scan your computer and, as a consequence, you will be stuck in front of your screen waiting for the malware to finish its phony scan. It will also display the following security warning: “Windows Security Alert – Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan your computer. Your system might be at risk now.” Antivirus Action also hijacks your Internet Explorer browser so that every time you open it you get warning messages.

Here is the removal procedure, along with legitimate, free programs that will help you get rid of this pestware!

1) Reboot your computer and press the F8 key. This gives you access to the Windows Advanced Options menu. Now select the option Safe Mode with Networking and press Enter. This reboots your PC in Safe Mode while still letting you access the Internet. The goal is to temporarily disable certain Antivirus Action features so that you can remove the virus easily.

1.1 Run Internet Explorer.
1.2 Click Tools – Internet Options.
1.3 Now click the Connections tab and click the LAN Settings button.
1.4 Untick the Use a proxy server check box.
1.5 Click OK.

2) Download rkill.com. This small program will let you get rid of certain processes which could prevent you from removing Antivirus Action.

3) Now download and run Malwarebytes’ Anti-Malware. This software is not free. It is shareware, but its “limited mode” will let you get rid of certain files belonging to the fake antivirus. As soon as Malwarebytes starts, instruct it to perform a full scan of your system. Be aware that this scan may take quite a long time, but you can be certain that at the end other new, dangerous files will be removed from your machine.

4) Now download and run Hostsperm.bat. You have to know that Antivirus Action, after being installed, automatically uninstalls your Windows HOSTS file. Hostsperm will replace it with a new one!

5) Now get rid of C:\Windows\System32\Drivers\etc\HOSTS. After you have deleted it, download all these files and put them in the following folder: C:\Windows\System32\Drivers\etc:

Windows XP HOSTS File
Windows Vista HOSTS
Windows 2003 Server HOSTS File
Windows 2008 Server HOSTS File
Windows 7 HOSTS File

6) Reboot your computer.

7) Download and run Spybot Search&Destroy. This excellent software will scan your whole computer looking for pestware and malware, and it will also get rid of Antivirus Action leftovers.

8) If you want to completely clean your computer and give it its “old freshness”, you could even try to remove the following registry keys. This will make your computer faster and more responsive.

Files and Registry keys to remove in Windows 7 registry

Delete these files:

  • C:\Users\Username\AppData\Local\Temp\[random characters of words and numbers]
  • C:\Users\Username\AppData\Local\Temp\[random characters of words and numbers]\[random characters of words and numbers]yhsn.exe

Delete these registry values:

  • HKEY_CURRENT_USER\Software\[random characters of words and numbers]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter “Enabled” = “0”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyOverride” = “”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyServer” = “http=”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyEnable” = “1”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “[random characters of words and numbers]yhsn.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[random characters of words and numbers]yhsn.exe”
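
To confirm whether any of the items from the steps and lists above are still present after cleaning, a read-only check helps. The PowerShell script below is an added example, not part of the original post; the Temp-path match on autorun entries is an added heuristic, and treating only loopback addresses in HOSTS as benign is an assumption.

```powershell
# Added example: read-only audit of the artefacts this article lists.
# It deletes nothing; review each finding before removing anything by hand.
$findings = @()

# Proxy values from steps 1.1-1.5 and the registry list (ProxyEnable = 1)
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p -and $p.ProxyEnable -eq 1) {
    $findings += "Proxy enabled: ProxyServer='$($p.ProxyServer)' ProxyOverride='$($p.ProxyOverride)'"
}

# Internet Explorer phishing filter switched off (Enabled = 0)
$phish = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'
$f = Get-ItemProperty -Path $phish -ErrorAction SilentlyContinue
if ($f -and $f.Enabled -eq 0) { $findings += 'IE PhishingFilter is disabled (Enabled = 0)' }

# Autorun values named or pointing at "...yhsn.exe", or launching from Temp.
# The Temp match is an added heuristic and can also flag legitimate updaters.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($name -like '*yhsn.exe' -or $data -like '*yhsn.exe*' -or $data -like '*\AppData\Local\Temp\*') {
            $findings += "Autorun in $key : '$name' = '$data'"
        }
    }
}

# Dropped executables under the current user's Temp folder
foreach ($file in Get-ChildItem -Path $env:TEMP -Recurse -Filter '*yhsn.exe' -ErrorAction SilentlyContinue) {
    $findings += "File: $($file.FullName)"
}

# HOSTS file: missing, or holding active entries that are not loopback
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (-not (Test-Path $hostsPath)) {
    $findings += "HOSTS file is missing: $hostsPath"
} else {
    foreach ($line in Get-Content $hostsPath) {
        $entry = ($line -split '#')[0].Trim()      # drop comments and blank lines
        $addr  = ($entry -split '\s+')[0]          # first field is the IP address
        if ($entry -and @('127.0.0.1', '::1') -notcontains $addr) { $findings += "HOSTS entry: $entry" }
    }
}

if ($findings.Count) { $findings } else { 'None of the listed artefacts were found.' }
```

Run it as the affected user, since most of the listed values live under HKEY_CURRENT_USER. A proxy finding is expected on networks that legitimately use one.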

What follows is a very good visual tutorial (video) which will guide you through the different steps to take to uninstall the pestware. Very good info and clearly explained!

3 Comments to “How to Remove Fake Anti Virus Action”

  1. Rahul Says:

    Hi Tiara, I had the same problem. I followed the instructions from the website below, which helped me remove the fake AV. You can check it at



  2. Tiara Says:

    I followed the instructions up to 3. I had to reboot my computer. When I restarted, I was still getting the messages and the blocks from Antivirus Action. Plus, it was still messing with my Internet Explorer’s LAN settings, which was also for some weird reason changing the settings on my Firefox.
    What am I supposed to do?
    I have Windows 7 if that helps.

  3. Dennis F. Says:

    Sound-wise all I could hear was a mouse clicking. Also had to run it full screen in order to read the XP screen.

    I had a problem on another PC recently where Malwarebytes indicated that the PC was clean. Windows Essential Security indicated it found a virus and removed it. Running Essential again and again found the same virus every time. What to do? I downloaded “Combofix”. Finally, it found and removed a virus, not the same one that Essential found. Running Combofix, Malwarebytes, & Essential again, I’m 99% sure that the PC is clean. You might want to check out Combofix. It is much more than a program as it includes an extensive forum where you can upload your logs and someone will take a look at it and advise you what to do.

Copyright © 2007-2017