Antivirus 360 is a rogue application distributed by one or more sites, although some of the sites that were propagating it are now offline. There are several variations of its infection. I will try to give you detailed and updated information for its removal. All the tools/software mentioned in this tutorial are freeware.
Trojan Removers: Because this malware could have been installed by a Trojan, you will need to remove that Trojan as well. Try these free tools.
Turn System Restore off: This is necessary in order to remove the virus files that may be stored inside the System Restore backup files. You can turn it back on after the computer is cleaned.
If you are unable to open Task Manager: Sometimes you will find that you are not able to open Task Manager, the Run command, etc. The virus does this to hinder you. There are several popular free tools available on the internet to solve this problem. I will list them here; see which one helps you.
Remove Processes from Task Manager: Press Ctrl+Shift+Esc to open Task Manager. Look through the list of processes for any of these names:
- av360.exe
- antivirus360.exe
- winscenter.exe
Select each one that is found and press the End Process button. It will prompt you; say Yes, and then close Task Manager. The file names may differ, and there may be more processes belonging to this malware.
Removing a Program from Windows startup: The System Configuration Utility can be started in XP and in Vista by typing msconfig in the Run box. The Run box can be opened in XP by clicking Start > Run. The best part of Windows startup is that the setting is reversible, so you can check or uncheck any entry any number of times. Do not hesitate to uncheck anything that you find doubtful. You can always check it back if you later learn that it is something useful.
After the System Configuration Utility window is open, click on the Startup tab, which lists all the programs that are scheduled to start when you turn your computer on. Expand the middle column using your mouse pointer so that you can see the path of each program on the hard disk; that will give you a clear idea of what the program is. Locate the "Antivirus 360" entries, if present (look for any suspicious name), and uncheck the boxes in front of them. Also look at the other entries: if you find an entry for any of the malware files listed in this article, uncheck that too. This step is very important, because the rest of the cleaning depends on cleaning this list. Press Apply, press Close/OK, and at the next prompt select "Restart the computer".
Searching for and Deleting the Folders / Files on the Hard Disk: After restarting the computer, use the Windows search utility to search for "Antivirus 360" and "A360". This search will find all its folders on the hard disk; delete them. You may find the folder in more than one location. Delete all instances. There are some more files outside these directories. You may need to enable viewing of hidden files and folders if you cannot see the folders listed below. In XP: Control Panel > Folder Options > View. Locate "Hidden Files and Folders", select "View hidden files and folders", press Apply, press OK.
Always delete the folders first; these are A360 and Antivirus 360. You will find them in one or more places. Use the Windows search utility to search for the folder names, and delete every instance found. Then there are individual files that are created inside legitimate folders; in this case you will have to delete the individual files at that location.
Here are the current folders of Antivirus 360:
- C:\Program Files\A360
- C:\Program Files\Antivirus 360
- C:\Documents and Settings\[UserName]\Start Menu\Antivirus 360
- C:\Documents and Settings\[UserName]\Start Menu\A360
Here are the current folders/files of Antivirus 360:
- C:\Documents and Settings\[UserName]\Start Menu\Antivirus 360
- C:\Documents and Settings\[UserName]\Desktop\Antivirus 360.lnk
- C:\Documents and Settings\[UserName]\Start Menu\Antivirus 360\Antivirus 360.lnk
- C:\Documents and Settings\[UserName]\Start Menu\Antivirus 360\Help.lnk
- C:\Documents and Settings\[UserName]\Start Menu\Antivirus 360\Registration.lnk
Here are files created by Antivirus360 inside legitimate folders:
- C:\Windows\Temp\malicious.bin
- C:\Windows\Temp\wget.log
- C:\Windows\Winscenter.exe
- C:\Windows\System32\winconfig.dll.tmp.tmp
It downloads an additional file or files from the internet. Search for them with the Windows search tool and delete them if found:
- av_360vit.exe
- av_360glof.exe
Manually removing malware entries from the Registry: You can edit the registry by using the registry editor built into Windows.
There are different variations of the Antivirus360 installer, which create different registry entries that cannot be removed automatically. If possible, open the registry editor, search the registry for the following registry keys, and delete them if found (except the first one).
This one is common to all variations. Its values are modified so as to override the firewall and the antivirus. The key is only modified, so do not delete this one:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
AntiVirusOverride = 0x00000001
FirewallOverride = 0x00000001
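The variation keys reported for this malware share one shape: a 32-character hexadecimal or decimal name directly under HKEY_CURRENT_USER\Software, with an Options subkey. The following read-only check is an added example, not part of the original tutorial; it goes beyond the individual variations by matching that shape in the text of a registry export, and it also reports the two Security Center override values. The function name, the sample key name and the "Installed" value are assumptions made for illustration.

```python
import re

# Shape inferred from the variations this page reports (an assumption): a
# 32-character hex or decimal name directly under HKEY_CURRENT_USER\Software.
VARIATION_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\([0-9A-F]{32})(\\Options)?$", re.I)
SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
OVERRIDES = ("AntiVirusOverride", "FirewallOverride")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def audit_reg_export(text):
    """Scan .reg export text; return (variation_keys, overrides_set_to_1)."""
    keys = {}       # key name -> True once its Options subkey has been seen
    overrides = []  # Security Center override values currently set to 1
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            m = VARIATION_KEY.match(section)
            if m:
                name = m.group(1).upper()
                keys[name] = keys.get(name, False) or bool(m.group(2))
        elif section.lower() == SECURITY_CENTER.lower():
            m = DWORD.match(line)
            if m and m.group(1) in OVERRIDES and int(m.group(2), 16) == 1:
                overrides.append(m.group(1))
    return keys, overrides


# Constructed sample export; the key name and "Installed" value are made up.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft]

[HKEY_CURRENT_USER\Software\0123456789ABCDEF0123456789ABCDEF]

[HKEY_CURRENT_USER\Software\0123456789ABCDEF0123456789ABCDEF\Options]
"Installed"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000
"""

if __name__ == "__main__":
    found, flags = audit_reg_export(SAMPLE)
    print("keys to review (name -> Options subkey seen):", found)
    print("Security Center overrides set to 1:", flags)
```

Files exported by the registry editor in "Version 5.00" format are UTF-16, so read a real export with `open(path, encoding="utf-16")`. A match is only a candidate for review, since other software may also use a 32-character key name.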
Using CCleaner: CCleaner is a freeware temp-file and registry cleaner. We need to use this type of software because almost all the infections that occur through the internet come through the temp files, and unfortunately Windows does not remove temp files automatically.
Using Antivirus Applications: Follow this step if, even after applying all the above steps, the virus still shows its presence on the computer. Your best helper is the antivirus program on your computer. Always keep it updated.
Using the System File Checker: Follow this step if you notice trouble in the normal functioning of Windows. This utility will check for and replace damaged, altered or missing system files.
If you are unable to access one or more sites during the repair process:
- It can happen if your hosts file has been altered. To repair or edit the hosts file, log in as administrator and open the following file in Notepad: C:\WINDOWS\system32\drivers\etc\hosts. Remove anything other than 127.0.0.1 localhost, then save and close the file. In some cases there may be entries created by you or by some security application installed on your computer to block malicious sites, but there is no reason for security-related sites to be in this list.
- If possible, use another computer to download the software needed for repairing your computer, and then copy it to the infected computer using any available means, such as a pen drive.
- If you are using only Internet Explorer, and it is blocked from visiting some of the security-related sites, try to download and install the Firefox browser and see if you can use it for the same purpose.
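One way to review a copy of the hosts file before editing it, as an added example that is not part of the original tutorial: it lists every mapping other than the default localhost entries and separates block-style entries from redirects and from entries that name security sites you need to reach. The function name, the `needed_sites` parameter and all sample host names are assumptions made for illustration.

```python
import ipaddress

# Default entries that are expected to be present and are never reported.
BASELINE = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def audit_hosts(text, needed_sites=()):
    """Return (category, address, hostname) for every non-default mapping."""
    needed = {s.lower() for s in needed_sites}
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append(("malformed", address, " ".join(names)))
            continue
        for name in (n.lower() for n in names):
            if (address, name) in BASELINE:
                continue
            if name in needed:
                category = "security-site"   # no reason for it to be listed
            elif ip.is_loopback or ip.is_unspecified:
                category = "sinkhole"        # may be the user's own block entry
            else:
                category = "redirect"        # name sent to another machine
            findings.append((category, address, name))
    return findings


# Constructed sample; every name uses the reserved .example suffix.
SAMPLE = """\
127.0.0.1    localhost
::1          localhost
127.0.0.1    ads.tracker.example     # the user's own block entry
127.0.0.1    www.av-vendor.example update.av-vendor.example
203.0.113.7  search.portal.example
"""
NEEDED = ["www.av-vendor.example", "update.av-vendor.example"]

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE, NEEDED):
        print(*finding)
```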
Block the following connections / sites
The malware tries to connect to the following sites. Block them if you find them in your firewall.