
AVE.EXE infection


4 replies to this topic

#1 johsin

  • Members
  • 3 posts

Posted 30 March 2010 - 03:54 PM

My Toshiba laptop running Windows XP with SP3 got infected 2 days ago with the Trojan.FakeAV virus and the Ave.exe virus. I have been to numerous malware websites and followed the advice given and think the FakeAV virus is gone - at least the browser warning messages 'XP Smart Security 2010' no longer appear. However, I have tried numerous times to remove the ave.exe without success. Basically, it doesn't allow me to run any programs with exe endings, including any programs I try to download - I either get the window asking which program to use to open the file with, or a message 'C:\WINDOWS\system32\rundll32.exe Application not found'. Interestingly, I have been able to get IE to now work, but not Firefox, so I can get to the web, although I am posting this via my virus-free iMac. I finally managed to download Malwarebytes Anti-Malware software and ran it in safe mode and in normal mode with Administrator rights, and it picked up about 5 registry values and data that had been added and removed them. I also tried the registry file 'trojan_fakerean_exe_fix.reg' recommended by malwarehelp.org for this virus, but it did not work and the exe files are still unable to be opened. I did a file search for all av.exe and ave.exe files and found 1 and deleted it as well.

So after 2 days, I'm ready to throw the PC out the window and buy a new one. Appreciate some advice on what to do next. I am reasonably computer literate and have removed viruses before, but this one has outsmarted me. I have Norton anti-virus on the infected computer. Would greatly appreciate advice on next steps to try.

Edited by Orange Blossom, 30 March 2010 - 08:30 PM.
Move to AII as no logs posted. ~ OB




#2 johsin

  • Topic Starter
  • Members
  • 3 posts

Posted 31 March 2010 - 09:39 AM

Here is an update to my situation. I think the virus has been removed, but I'm left with a disabled computer. I can't open Firefox or any of the control panel programs or any exe files except the IE browser and Outlook Express. I think the registry entries were changed by the virus, but I don't know how to restore them. I tried System Restore, but it apparently was turned off, so I could not go back to the pre-virus timeframe.

Can someone point me to some links that explain how to restore or check and edit the registry entries that affect the Firefox browser and other exe programs? This may be the file associations, but I'm not sure how to fix that. Thanks for any suggestions!

#3 dmitryseliv

  • Members
  • 1 posts

Posted 02 April 2010 - 12:54 PM

Hi there,

I just had the same problem and it's pretty easy to get rid of it.
What it does is run itself when you try to execute any .exe file.
Also search for av.exe on your computer; it might have made a second copy named like that.

So, to solve the problem with opening any .exe file:

Go to Folder Options and click on the File Types tab.
Then click on New, then click on Advanced.
For Associated file type, select Application.
For File extension, type exe. If it complains that the exe file extension already exists and asks you to replace it, say yes.

After that you should be able to run applications.

To remove all traces of ave.exe, go to Run, type regedit,
search for ave.exe and remove all the values you might find.

Cheers and good luck.

Dmitry

Edited by dmitryseliv, 02 April 2010 - 12:56 PM.


#4 Otaku1031

  • Members
  • 15 posts
  • Gender:Male
  • Location:Newark, CA

Posted 02 April 2010 - 01:51 PM

At the risk of getting stomped on by a mod, try using HitMan Pro 3.5 (free 30-day trial). This program saved my Vista machine when the ave.exe virus hit me. If you can't run .exe files, you may need to run/install HitMan from a thumb drive. It will find the ave.exe file, but be sure to tell it to delete that file - it won't do it by default. After starting HitMan, be sure to update it, if possible.

#5 johsin

  • Topic Starter
  • Members
  • 3 posts

Posted 03 April 2010 - 10:56 AM

I just made the changes suggested by Dmitry and they worked. Going to Folder Options and changing the associated file type for Application was easy and effective, and much safer than going into the registry and tinkering with the various entries. After changing the file type association, I went to regedit and searched for av.exe, ave.exe and y7v11, found about 7 entries and deleted all of them. The only open issue I have is that one of the registry entries was a 'default' entry and I don't know what value to put in to replace the one deleted, assuming one is necessary. The key is HKEY_CLASSES_ROOT\.exe\shell\open\command and the entry is REG_SZ. Do I need to add a value, since it seems to be the default entry, or should I change the default to another registry entry for that key? Since everything seems to be running OK, and programs now open that previously were blocked, I'm inclined to do nothing, but I appreciate any suggestions.

Otaku, thanks for your note but since Dmitry's suggestion worked, I'm not going to try HitMan at this time.

Thanks, Dmitry, for such a quick and easy solution to the problem!
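The fix in post #3 and the leftover HKEY_CLASSES_ROOT\.exe\shell\open\command key in post #5 both come down to the same mechanism: the malware inserts itself into the registry chain Windows follows to launch a .exe. On a stock Windows XP install, HKCR\.exe has no shell subkey at all; its default value names the ProgID (exefile), and HKCR\exefile\shell\open\command holds "%1" %*. Anything else in that chain (a different ProgID, a shell subkey directly under .exe, or a per-user override under HKCU\Software\Classes that shadows the machine-wide entry) is what makes every .exe launch go through the malware. The script below is an added example, not from this thread or from any of the posters, that audits that chain and, with -Repair, puts the stock values back and deletes the stray .exe\shell key (so a deleted default does not need to be refilled, the whole subkey just goes away). The stock values are assumed from the default XP layout; -Repair and the function names are this example's own. Run it from an elevated PowerShell prompt; on a machine where .exe still cannot run, launch powershell.exe through the Folder Options workaround first or from a clean boot medium.

```powershell
# Added example (not from the thread): audit and repair the .exe association
# chain that the av.exe / ave.exe FakeAV hijacks. Assumes stock Windows XP
# values (exefile / "%1" %*); -Repair is this example's own addition.
param([switch]$Repair)

$StockProgId  = 'exefile'   # assumed stock default of HKCR\.exe
$StockCommand = '"%1" %*'   # assumed stock default of HKCR\exefile\shell\open\command

# Read a key's (Default) value, or $null if the key does not exist.
function Get-DefaultValue([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-Item -LiteralPath $Path).GetValue('')
}

function Test-ExeAssociation {
    $findings = @()

    # 1. .exe must still map to the stock ProgID; FakeAV variants point it
    #    at a ProgID of their own (post #5 found one named y7v11).
    $progId = Get-DefaultValue 'HKCR:\.exe'
    if ($progId -ne $StockProgId) {
        $findings += "HKCR\.exe default is '$progId' (expected '$StockProgId')"
    }

    # 2. A clean system has no shell subkey under HKCR\.exe at all; its mere
    #    presence means something inserted itself ahead of exefile.
    if (Test-Path -LiteralPath 'HKCR:\.exe\shell') {
        $cmd = Get-DefaultValue 'HKCR:\.exe\shell\open\command'
        $findings += "HKCR\.exe\shell exists; open\command = '$cmd'"
    }

    # 3. Whatever ProgID is in use must launch the target, not a wrapper.
    if ($progId) {
        $cmd = Get-DefaultValue "HKCR:\$progId\shell\open\command"
        if ($cmd -ne $StockCommand) {
            $findings += "HKCR\$progId\shell\open\command is '$cmd' (expected '$StockCommand')"
        }
    }

    # 4. HKCR is a merged view; a per-user override under HKCU\Software\Classes
    #    shadows the machine-wide entry and survives a fix applied only to HKLM.
    foreach ($k in @('.exe', $StockProgId, $progId)) {
        if ($k -and (Test-Path -LiteralPath "HKCU:\Software\Classes\$k")) {
            $findings += "per-user override HKCU\Software\Classes\$k exists"
        }
    }
    return $findings
}

function Repair-ExeAssociation {
    # Remove the stray shell subkey entirely rather than refilling its default.
    if (Test-Path -LiteralPath 'HKCR:\.exe\shell') {
        Remove-Item -LiteralPath 'HKCR:\.exe\shell' -Recurse -Force
    }
    Set-ItemProperty -LiteralPath 'HKCR:\.exe' -Name '(default)' -Value $StockProgId
    New-Item -Path 'HKCR:\exefile\shell\open\command' -Force | Out-Null
    Set-ItemProperty -LiteralPath 'HKCR:\exefile\shell\open\command' `
        -Name '(default)' -Value $StockCommand
    # Per-user overrides are listed, not deleted: inspect them in regedit first.
}

$findings = Test-ExeAssociation
if ($findings.Count -eq 0) {
    'OK: .exe association matches the stock layout'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
    if ($Repair) {
        Repair-ExeAssociation
        'Repaired machine-wide keys; rerun without -Repair to verify'
    }
}
```

The audit deliberately reports before it touches anything: the ProgID name and command string it prints are the same strings you would search for in regedit to find the rest of the infection's entries, and a per-user override is left for manual review because deleting HKCU\Software\Classes\.exe wholesale can also remove legitimate user-specific settings.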



