Solved

Antivirus360 (AV360) Virus Removal

Posted on 2009-02-13
2,676 Views
Last Modified: 2013-11-22
OK, I've got a road user who has the AV360 virus (fake anti-virus program).  I also had a local in-office user who got the same virus.  I spent days fixing the in-house unit, and finally was able to remove the virus.  I'm having much more trouble with the road user.  Here's the troubleshooting scenario:

Local User - We used our Symantec AntiVirus (10.1) to clean the local unit.  We removed many trojan and backdoor viruses.  Also, removed all AV360 and anti-virus360 files.  Removed all reg keys (found list on a forum).  When we rebooted, Win XP locks up after about 45 seconds (sometimes you can get past log in).  Booted to safe mode w/ networking, ran AV, got more, did a few more times - kept finding the same viruses.  I downloaded "malwarebytes" (linked from forum), but couldn't install due to being in safe mode.  Booted to Win XP CD, ran chkdsk, fixboot. I pulled the HDD, put it into an enclosure and ran all sorts of AV, spyware software from another unit. I also ran a bunch of diagnostic tests (utility partition for the local Dell desktops).  Not too sure what did it, but was able to boot to XP.  I installed malwarebytes (lucky?), then XP locked up.  Ended up needing to boot to safe mode - was able to run malwarebytes 3 times before the unit was clean.  Boots to XP fine.

Remote User - Purchased Norton AV 360 (the legit version, boxed).  Installed and ran in XP session.  Rebooted - XP locks up.  Instructed to download malwarebytes in safe mode w/ networking.  Told to run Norton again in safe mode, but it can't run in safe mode (Thanks Norton, ugh). Wants to do a "web" based cleaning, but can't connect (why? I don't know).  The user's unit did not come with an XP CD (or a CD-ROM for that matter) but does have an image CD - we don't want to lose the HD's data.   Can't get it to boot to XP (locks) and can't run AV (won't run in safe mode) and can't install another AV program (installer won't run in safe mode).

That's a long one, and if you made it through that, I commend you.  Anyway, any suggestions would be highly appreciated.
Question by:JamesonJendreas
15 Comments
 
LVL 10

Accepted Solution

by:
bbrunning earned 501 total points
ID: 23635977
Have the user download and run combofix, it will remove that trojan
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
This is the how to on it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
LVL 10

Expert Comment

by:bbrunning
ID: 23635984
on=use
 
LVL 1

Author Comment

by:JamesonJendreas
ID: 23636141
Thanks, I'll give it a try - looks good as it should be able to run in safe mode w/o installer.
 
LVL 19

Assisted Solution

by:Rob Hutchinson
Rob Hutchinson earned 498 total points
ID: 23636186
User: "pretty box, must click, it "must" be real..."

Dang, you have quite a situation there.

If combo fix doesn't work then you might have to remove the drive and attach it to a good computer using some type of USB cable to attach the hard drive to another computer to scan it and clean it:
http://www.vantecusa.com/front/product/view_detail/266

 
LVL 1

Author Comment

by:JamesonJendreas
ID: 23636235
Wirednet - That's exactly what I assume happened - "Oh it says I need to update my anti-virus, so let's click it!"  And it's up to me to fix - w00T! Thanks for the suggestion, biggest issue with that is the user is in Ohio, I'm in California.  I actually did just that (different program though) to fix the local issue (or one of the many, many steps).
Thanks VERY much
-JJ
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 501 total points
ID: 23638088
So the only problem you're having now is the remote user?

Does he have access to another PC with online access to download the tools needed like Combofix?
If so, does the PC boot in normal mode? If so, then combofix should be able to fix the problem, just let us see the log to make sure nothing is left behind.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 23638128
If it's just the Antivirus 360 infection that is present in the system, actually SmitfraudFix is the specialized tool for that. Try it too; unlike combofix this one has to be run in Safe Mode to remove the infection.
Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.

Once in Safe Mode, open the SmitfraudFix folder again and double-click
smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.

You will be prompted : "Registry cleaning - Do you want to clean the
registry?" answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.

The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".

The tool may need to restart your computer to finish the cleaning process.
 
LVL 10

Expert Comment

by:bbrunning
ID: 23638162
smitfraudfix is another one of my favs, =)
 
LVL 1

Author Comment

by:JamesonJendreas
ID: 23652604
Well, since the user was off-site, I ended up asking him to just take it to a local repair shop - the HDD needed to be removed and scanned from another unit.   Thanks for all the help guys, much appreciated.
 
LVL 1

Author Closing Comment

by:JamesonJendreas
ID: 31546721
Thanks again for the suggestions!
 

Expert Comment

by:zedd260
ID: 23664781
I too have a remote user with the same problem... it reared its ugly head last night.
Found this thread, and proceeded with the course of action.
The user can't get to the combofix website... so I tried to send him the file, as email seems to be working just fine.  However, our mail server detected ComboFix as a virus, "McAfee AntiVirus : detected RemAdm-ProcLaunch!171" and it won't send.  Huh?!

Has just made me a touch alarmed... may try SmitfraudFix?

Any further info on this issue appreciated
 
LVL 1

Author Comment

by:JamesonJendreas
ID: 23665029
Yeah, I did find out that this virus likes to block security websites.  The user I was working with was also unable to access the combofix link.  I pointed the user to the combofix URL, and had them access it via a working PC, then download to a thumb drive and run within safe mode. One of the real issues we saw was after removing the virus, Windows likes to lock up.  For the local user, I was able to pop in the XP CD, and use the repair console to run:

chkdsk /f
fixmbr
fixboot

These seemed to get me back into a regular Windows session (after removing the virus).  One thing that proved to be very useful was pulling the HDD from the unit, putting it into an external enclosure, then scanning from a clean computer - you really don't want to get into a regular Windows session with the virus still infecting files.  It's a pretty tough one to fix if you can't actually touch the unit; for the local user it did take multiple scans and runs of check disk to fully remove it and get Windows booting.
Good luck, it's not a fun one.
JJ
 
LVL 10

Expert Comment

by:bbrunning
ID: 23666581
zedd260: that detection from McAfee is a false positive. McAfee isn't exactly the most up-to-date company on true spyware/adware removal programs and they are more in the business of preventing/detecting programs that have unusual ways of penetrating the OS/Registry. Don't worry, combofix isn't and never has been a virus/malware/spyware/adware program.
 

Expert Comment

by:zedd260
ID: 23666741
Cheers,.. thanks very much bb!

(and JJ!)
 

Expert Comment

by:HeliosX
ID: 23870148
To fully remove rogue AVAS programs you have to remove the executables and the registry traces. To do that, simply download the following programs:

Avira Personal (www.free-av.com)
Spyware Doctor Starter Edition (from the Google Pack: http://pack.google.com/intl/en/pack_installer.html)

Install and update them. After that run the scans on both of them. Avira will remove the virus executables, while Spyware Doctor will clean your registry.