Antivirus360 (AV360) Virus Removal

Last Modified: 2013-11-22
OK, I've got a road user who has the AV360 virus (fake anti-virus program).  I also had a local in-office user who got the same virus.  I spent days fixing the in-house unit, and finally was able to remove the virus.  I'm having much more trouble with the road user.  Here's the troubleshooting scenario:

Local User - We used our Symantec AntiVirus (10.1) to clean the local unit.  We removed many trojan and backdoor viruses.  Also, removed all AV360 and anti-virus360 files.  Removed all reg keys (found list on a forum).  When we rebooted, Win XP locks up after about 45 seconds (sometimes you can get past log in).  Booted to safe mode w/ networking, ran AV, got more, did a few more times - kept finding the same viruses.  I downloaded "malwarebytes" (linked from forum), but couldn't install due to being in safe mode.  Booted to Win XP CD, ran chkdsk, fixboot. I pulled the HDD, put it into an enclosure and ran all sorts of AV, spyware software from another unit. I also ran a bunch of diagnostic tests (utility partition for the local Dell desktops).  Not too sure what did it, but was able to boot to XP.  I installed malwarebytes (lucky?), then XP locked up.  Ended up needing to boot to safe mode - was able to run malwarebytes 3 times before the unit was clean.  Boots to XP fine.

Remote User - Purchased Norton AV 360 (the legit version, boxed).  Installed and ran in XP session.  Rebooted - XP locks up.  Instructed to download malwarebytes in safe mode w/ networking.  Told to run Norton again in safe mode, but it can't run in safe mode (Thanks Norton, ugh). Wants to do a "web" based cleaning, but can't connect (why? I don't know).  The user's unit did not come with an XP CD (or a CD-ROM for that matter) but does have an image CD - we don't want to lose the HD's data.   Can't get it to boot to XP (locks) and can't run AV (won't run in safe mode) and can't install another AV program (installer won't run in safe mode).

That's a long one, and if you made it through that, I commend you.  Anyway, any suggestions would be highly appreciated.

Have the user download and run combofix, it will remove that trojan
This is the how to on it:


Thanks, I'll give it a try - looks good as it should be able to run in safe mode w/o installer.
Rob Hutchinson, Tech Lead, Desktop Support
User: "pretty box, must click, it "must" be real..."

Dang, you have quite a situation there.

If combo fix doesn't work then you might have to remove the drive and attach it to a good computer using some type of USB cable to attach the hard drive to another computer to scan it and clean it:


Wirednet - That's exactly what I assume happened - "Oh, it says I need to update my anti-virus, so let's click it!"  And it's up to me to fix - w00t! Thanks for the suggestion; the biggest issue with that is the user is in Ohio, I'm in California.  I actually did just that (different program though) to fix the local issue (or one of the many, many steps).
Thanks VERY much
Top Expert 2007
So the only problem you're having now is the remote user?

Does he have access to another PC with online access to download the tools needed, like Combofix?
If so, does the PC boot in normal mode? If so, then combofix should be able to fix the problem; just let us see the log to make sure nothing is left behind.
Top Expert 2007

If it's just the antivirus 360 infection that is present in the system, actually Smitfraudfix is the specialized tool for that. Try it too, unlike combofix this one has to be run in Safe Mode to remove the infection.
Please download SmitfraudFix:
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.

Once in Safe Mode, open the SmitfraudFix folder again and double-click

Select option #2 - Clean by typing 2 and press "Enter" to delete infected

You will be prompted : "Registry cleaning - Do you want to clean the
registry?" answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the

The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press

The tool may need to restart your computer to finish the cleaning process;
smitfraudfix is another one of my favs, =)


Well, since the user was off-site, I ended up asking him to just take it to a local repair shop - the HDD needed to be removed and scanned from another unit.   Thanks for all the help guys, much appreciated.


Thnx again for the suggestions!

I too have a remote user with the same problem... reared its ugly head last night.
Found this thread, and proceeded with the course of action.
The user can't get to the combofix website...   so I tried to send him the file, as email seems to be working just fine.  However, our mail server detected ComboFix as a virus, "McAfee AntiVirus : detected RemAdm-ProcLaunch!171" and it won't send.  Huh?!

Has just made me a touch alarmed...   may try smitfraudfix?

Any further info on this issue appreciated.


Yeah, I did find out that this virus likes to block security websites.  The user I was working with was also unable to access the combofix link.  I pointed the user to the combofix URL, and had them access it via a working PC, then download to a thumb drive and run within safe mode. One of the real issues we saw was after removing the virus, Windows likes to lock up.  For the local user, I was able to pop in the XP CD, and use the repair console to run:

chkdsk /f

This seemed to get me back into a regular Windows session (after removing the virus).  One thing that proved to be very useful was pulling the HDD from the unit, putting it into an external enclosure, then scanning from a clean computer - you really don't want to get into a regular Windows session with the virus still infecting files.  It's a pretty tough one to fix if you can't actually touch the unit; for the local user it did take multiple scans and running of check disk to fully remove it and get Windows booting.
Good luck, it's not a fun one.
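The post above notes that the rogue AV blocks security websites. One common way such malware does that is by pinning vendor domains in the Windows hosts file (that mechanism and the vendor list are assumptions here; this is an added example, not code from the thread or from any tool named in it). The script below parses a constructed hosts file and flags entries that point a security-vendor domain anywhere, distinguishing loopback "blocked" entries from "redirected" ones.

```python
import ipaddress

# Constructed sample of a Windows hosts file; the vendor entries are made up
# for this example and are not taken from any real infection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       bleepingcomputer.com
10.0.0.5        update.symantec.com   # non-loopback: traffic goes elsewhere
127.0.0.1       intranet.example.local
"""

# Domains a rogue AV would plausibly block (assumed list, extend as needed).
SECURITY_DOMAINS = (
    "malwarebytes.org", "bleepingcomputer.com", "symantec.com",
    "mcafee.com", "avira.com", "free-av.com",
)


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def suspicious_entries(text, domains=SECURITY_DOMAINS):
    """Return (ip, hostname, verdict) for hosts entries naming a vendor domain.

    A clean hosts file should not mention these domains at all.  Loopback
    targets silently break the site ("blocked"); any other target sends the
    user somewhere else entirely ("redirected"), which is worse.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue  # the one loopback entry that belongs there
        if any(name == d or name.endswith("." + d) for d in domains):
            verdict = "blocked" if ipaddress.ip_address(ip).is_loopback else "redirected"
            hits.append((ip, name, verdict))
    return hits


if __name__ == "__main__":
    # On XP the live file is %SystemRoot%\system32\drivers\etc\hosts.
    for hit in suspicious_entries(SAMPLE_HOSTS):
        print("%-12s %-28s %s" % hit)
```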
zedd260: that detection from McAfee is a false positive. McAfee isn't exactly the most up-to-date company on true spyware/adware removal programs, and they are more in the business of preventing/detecting programs that have unusual ways of penetrating the OS/registry. Don't worry, combofix isn't and never has been a virus/malware/spyware/adware program.

Cheers,.. thanks very much bb!

(and JJ!)

To fully remove rogue AV/AS programs you have to remove the executables and the registry traces. To do that, simply download the following programs:

Avira Personal (www.free-av.com)
Spyware Doctor Starter Edition (from the Google Pack: http://pack.google.com/intl/en/pack_installer.html)

Install and update them. After that run the scans on both of them. Avira will remove the virus executables, while Spyware Doctor will clean your registry.