Antivirus360 (AV360) Virus Removal

OK, I've got a road user who has the AV360 virus (fake anti-virus program). I also had a local in-office user who got the same virus. I spent days fixing the in-house unit, and finally was able to remove the virus. I'm having much more trouble with the road user. Here's the troubleshooting scenario:

Local User - We used our Symantec AntiVirus (10.1) to clean the local unit. We removed many trojan and backdoor viruses. Also removed all AV360 and anti-virus360 files. Removed all reg keys (found list on a forum). When we rebooted, Win XP locks up after about 45 seconds (sometimes you can get past login). Booted to safe mode w/ networking, ran AV, got more, did a few more times - kept finding the same viruses. I downloaded "malwarebytes" (linked from forum), but couldn't install due to being in safe mode. Booted to Win XP CD, ran chkdsk, fixboot. I pulled the HDD, put it into an enclosure and ran all sorts of AV and spyware software from another unit. I also ran a bunch of diagnostic tests (utility partition for the local Dell desktops). Not too sure what did it, but was able to boot to XP. I installed malwarebytes (lucky?), then XP locked up. Ended up needing to boot to safe mode - was able to run malwarebytes 3 times before the unit was clean. Boots to XP fine.

Remote User - Purchased Norton AV 360 (the legit version, boxed). Installed and ran in XP session. Rebooted - XP locks up. Instructed to download malwarebytes in safe mode w/ networking. Told to run Norton again in safe mode, but it can't run in safe mode (Thanks Norton, ugh). Wants to do a "web" based cleaning, but can't connect (why? I don't know). The user's unit did not come with an XP CD (or a CD-ROM for that matter) but does have an image CD - we don't want to lose the HD's data. Can't get it to boot to XP (locks), can't run AV (won't run in safe mode) and can't install another AV program (installer won't run in safe mode).

That's a long one, and if you made it through that, I commend you. Anyway, any suggestions would be highly appreciated.
Asked by JamesonJendreas

3 Solutions

bbrunning commented:
Have the user download and run combofix, it will remove that trojan
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
This is the how to on it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

bbrunning commented:
on=use

JamesonJendreas (Author) commented:
Thanks, I'll give it a try - looks good as it should be able to run in safe mode w/o installer.

Rob Hutchinson (Desktop Support) commented:
User: "pretty box, must click, it "must" be real..."

Dang, you have quite a situation there.

If ComboFix doesn't work then you might have to remove the drive and attach it to a good computer using some type of USB cable to attach the hard drive to another computer to scan it and clean it:
http://www.vantecusa.com/front/product/view_detail/266


JamesonJendreas (Author) commented:
Wirednet - That's exactly what I assume happened - "Oh, it says I need to update my anti-virus, so let's click it!" And it's up to me to fix - w00T! Thanks for the suggestion; the biggest issue with that is the user is in Ohio, I'm in California. I actually did just that (different program though) to fix the local issue (or one of the many, many steps).
Thanks VERY much
-JJ

rpggamergirl commented:
So the only problem you're having now is the remote user?

Does he have access to another PC with online access to download the tools needed, like ComboFix?
If so, does the PC boot in normal mode? If so, then ComboFix should be able to fix the problem; just let us see the log to make sure nothing is left behind.

rpggamergirl commented:
If it's just the Antivirus 360 infection that is present in the system, SmitfraudFix is actually the specialized tool for that. Try it too; unlike ComboFix, this one has to be run in Safe Mode to remove the infection.

Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php

Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by rebooting the computer and repeatedly tapping the F8 key as the PC starts. Choose "Safe Mode" from the options listed.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd.

Select option #2 - Clean by typing 2 and pressing "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer "Yes" by typing Y and pressing "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and pressing "Enter".

The tool may need to restart your computer to finish the cleaning process.

bbrunning commented:
SmitfraudFix is another one of my favs, =)

JamesonJendreas (Author) commented:
Well, since the user was off-site, I ended up asking him to just take it to a local repair shop - the HDD needed to be removed and scanned from another unit. Thanks for all the help guys, much appreciated.

JamesonJendreas (Author) commented:
Thnx again for the suggestions!

zedd260 commented:
I too have a remote user with the same problem... reared its ugly head last night.
Found this thread, and proceeded with the course of action.
The user can't get to the ComboFix website... so I tried to send him the file, as email seems to be working just fine. However, our mail server detected ComboFix as a virus, "McAfee AntiVirus : detected RemAdm-ProcLaunch!171" and it won't send. Huh?!

Has just made me a touch alarmed... may try SmitfraudFix?

Any further info on this issue appreciated.

JamesonJendreas (Author) commented:
Yeah, I did find out that this virus likes to block security websites. The user I was working with was also unable to access the ComboFix link. I pointed the user to the ComboFix URL, had them access it via a working PC, then download to a thumb drive and run within safe mode. One of the real issues we saw was that after removing the virus, Windows likes to lock up. For the local user, I was able to pop in the XP CD and use the repair console to run:

chkdsk /f
fixmbr
fixboot

These seemed to get me back into a regular Windows session (after removing the virus). One thing that proved to be very useful was pulling the HDD from the unit, putting it into an external enclosure, then scanning from a clean computer - you really don't want to get into a regular Windows session with the virus still infecting files. It's a pretty tough one to fix if you can't actually touch the unit; for the local user it did take multiple scans and runs of check disk to fully remove it and get Windows booting.
Good luck, it's not a fun one.
JJ
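The thread notes that the infection blocked access to security sites such as the ComboFix download page but does not say how. One way rogue AV families of that era did this was by pinning vendor domains in the Windows hosts file; that mechanism is an assumption here, not something the thread confirms. The script below is an added example (not from this thread or any tool it mentions): it parses a constructed hosts file and flags any entry for a security-vendor domain, which a clean machine should never contain.

```python
"""Added example: audit a Windows hosts file for pinned security-vendor domains.
The hosts-file hijack mechanism is assumed; the thread does not state it."""
import ipaddress

# Constructed sample of a hosts file, not copied from an infected machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.bleepingcomputer.com   # pinned to loopback: blocks the site
127.0.0.1       download.bleepingcomputer.com
203.0.113.7     siri.geekstogo.com         # redirected to a foreign address
192.168.1.20    intranet.example.local     # a legitimate local override
"""

# Vendor domains named in the thread; a clean hosts file should not mention them.
WATCHED_DOMAINS = ("bleepingcomputer.com", "geekstogo.com", "malwarebytes.org",
                   "symantec.com", "mcafee.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])  # rejects garbage in the IP column
        except ValueError:
            continue
        for name in parts[1:]:                   # one IP may map several names
            entries.append((str(ip), name.lower()))
    return entries


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text):
    """Return every hosts entry that pins a watched domain, whatever the address."""
    return [(ip, name) for ip, name in parse_hosts(text) if is_watched(name)]


if __name__ == "__main__":
    # On a real XP box the file lives at C:\Windows\System32\drivers\etc\hosts.
    for ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

Point it at the real hosts file from a clean boot environment (or the pulled drive in an enclosure, as the thread suggests) and any hit is a reason to restore a stock hosts file before trusting downloads from that machine.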
bbrunning commented:
zedd260: that detection from McAfee is a false positive. McAfee isn't exactly the most up-to-date company on true spyware/adware removal programs; they are more in the business of preventing/detecting programs that have unusual ways of penetrating the OS/Registry. Don't worry, ComboFix isn't and never has been a virus/malware/spyware/adware program.

zedd260 commented:
Cheers,.. thanks very much bb!

(and JJ!)

HeliosX commented:
To fully remove rogue AV/AS programs you have to remove the executables and the registry traces. To do that, simply download the following programs:

Avira Personal (www.free-av.com)
Spyware Doctor Starter Edition (from the Google Pack: http://pack.google.com/intl/en/pack_installer.html)

Install and update them. After that run the scans on both of them. Avira will remove the virus executables, while Spyware Doctor will clean your registry.