I am an unemployed IT professional and I work part time at an apartment complex in Eagle, CO. The computer in the office has been infected twice with a virus and I was asked to fix it. The first time was a couple of months ago. I think the virus was called Antivirus 2010. I used rkill and Malwarebytes to remove it. After this I installed AVG and Spybot. AVG is updated every night and runs once a week. The second incident happened today. AVG ran last night with nothing detected. This time I could not run Malwarebytes and could not get to the internet. I was able to run Spybot. Spybot found that the antivirus, firewall and Windows Update had been disabled. While Spybot was running, the little shield that the virus puts in the lower right of the taskbar went away. After Spybot I ran Malwarebytes and it removed 7 entries (see log below). There was also a third virus that occurred last October, before I worked here. I think Malwarebytes was used then too.
This is the virus I removed http://www.bleepingcomputer.com/virus-remo...irus-vista-2010
Recently the infected computer has only been used to run business software, email, Craigslist and Youtube. The computer user was reading email when the virus was noticed.
I would like to know how this virus propagates. Does it use email or something else? Also, is it possible that the virus has not been completely removed?
MB log:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 3930
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
4/1/2010 2:37:54 PM
mbam-log-2010-04-01 (14-37-54).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 151381
Time elapsed: 31 minute(s), 7 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\eaglevillas\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\IEXPLORE.EXE") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\eaglevillas\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
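The log above names the persistence points this rogue used: a launch hook under the `.exe` extension key, a fake `secfile` ProgID, a hijacked Start Menu browser command pointing at `ave.exe`, and the three Security Center notification switches set to 1. The script below is an added example, not part of the original post and not Malwarebytes code. It parses the detection lines into structured records and then audits a snapshot of the same registry values against the values a clean machine holds, which is the check a technician would run after cleanup to answer the "was it completely removed?" question. The `INFECTED_SNAPSHOT` and `CLEAN_SNAPSHOT` dictionaries are constructed inputs (the log does not show the data of the `.exe` hook value, so that entry is a labelled guess), and the assumed input format is a plain mapping of value path to data such as one could build from `reg query` output.

```python
"""Parse Malwarebytes detection lines and re-check the persistence points they name.

Added example (not from the original post or from Malwarebytes). Defaults used
for the audit: exefile\shell\open\command is "%1" %* on a clean Windows XP
machine, the .exe extension key has no command of its own, and the Security
Center *DisableNotify values are 0 (the log's "Good:" values agree).
"""
import re
from typing import Dict, List

# Constructed sample: the detection lines quoted in the post, embedded so the
# parser runs offline.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\eaglevillas\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\IEXPLORE.EXE") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\eaglevillas\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
"""

# One detection line: <item> (<Family.Name>) -> [Bad: (<x>) Good: (<y>) -> ]<action>
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<name>[A-Za-z]+\.[A-Za-z]+)\) -> "
    r"(?:Bad: \((?P<bad>.*)\) Good: \((?P<good>.*?)\) -> )?"
    r"(?P<action>.+)$"
)


def parse_mbam_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per detection line; section headers and blanks are skipped."""
    records = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


EXE_COMMAND_DEFAULT = '"%1" %*'


def audit_registry(values: Dict[str, str]) -> List[str]:
    """Check a {value_path: data} snapshot for the hijacks seen in the log.

    Input format is assumed: full value path as written in the log, data as a
    string. Returns a human-readable finding per suspicious value.
    """
    findings = []
    for path, data in values.items():
        low = path.lower()
        if "\\startmenuinternet\\" in low and low.endswith("\\shell\\open\\command\\(default)"):
            # First token of the command must be the browser itself.
            exe = data.split('"')[1] if data.startswith('"') else data.split()[0]
            if not exe.lower().endswith("iexplore.exe"):
                findings.append(f"Start Menu browser command points elsewhere: {path} = {data}")
        elif low.endswith("\\.exe\\shell\\open\\command\\(default)"):
            # A clean machine has no command under the extension key itself.
            findings.append(f"unexpected launch hook under .exe key: {path} = {data}")
        elif low.endswith("\\exefile\\shell\\open\\command\\(default)"):
            if data != EXE_COMMAND_DEFAULT:
                findings.append(f"exefile command changed: {path} = {data}")
        elif "\\secfile\\" in low:
            findings.append(f"rogue ProgID still present: {path}")
        elif "\\security center\\" in low and low.endswith("disablenotify"):
            if data.strip() != "0":
                findings.append(f"Security Center notification disabled: {path} = {data}")
    return findings


# Constructed snapshot reproducing the "Bad:" state from the log. The data of
# the .exe hook is not shown in the log, so that entry is an assumed value.
INFECTED_SNAPSHOT = {
    r"HKEY_CLASSES_ROOT\.exe\shell\open\command\(default)": '"<assumed path to ave.exe>" /START "%1" %*',
    r"HKEY_CLASSES_ROOT\secfile\shell\open\command\(default)": '"<assumed path to ave.exe>" /START "%1" %*',
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command\(default)": EXE_COMMAND_DEFAULT,
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default)":
        r'"C:\Documents and Settings\eaglevillas\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\IEXPLORE.EXE"',
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify": "1",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify": "1",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify": "1",
}

# Constructed snapshot of the same values as they should look after cleanup.
CLEAN_SNAPSHOT = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command\(default)": EXE_COMMAND_DEFAULT,
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default)":
        r'"C:\Program Files\Internet Explorer\iexplore.exe"',
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify": "0",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify": "0",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify": "0",
}


if __name__ == "__main__":
    for rec in parse_mbam_log(SAMPLE_LOG):
        print(f"{rec['name']:<28} {rec['item']}")
    print("infected snapshot findings:", len(audit_registry(INFECTED_SNAPSHOT)))
    print("clean snapshot findings:", len(audit_registry(CLEAN_SNAPSHOT)))
```

The two checks that matter most for the "is it really gone?" question are the `.exe` launch hook and the `exefile` command: if either still points at a file under the user's `Local Settings\Application Data`, every program launch is still passing through the rogue and a clean-looking AVG run proves little. Re-running the audit a day later (after a reboot and a login) is the cheap way to catch a persistence entry the scanner missed.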