
ave.exe / "windows security tool" virus in Vista


2 replies to this topic

#1 werdsmada


Posted 20 April 2010 - 11:28 AM

Hi all,

I have a nasty nasty virus. I think the process is ave.exe. As soon as I try to get into Windows, even in safe mode, it just restarts my computer. If I'm somehow able to get into Windows before it restarts, I can't run any executables, so it's been impossible to scan for.

Do you guys have any idea on where I should start to try to remove this thing? The machine is a Mac that runs Vista, if that helps.

Thanks in advance,

Drew



#2 werdsmada


Posted 20 April 2010 - 12:21 PM

Ok, so after a little work, I was able to kill some processes, and change back a couple infected registry entries, namely: HKCR\.exe\shell\open\command and HKCR\secfile\shell\open\command. If you have the ave.exe infection, find these registries, and change the %1 extension to %*. This will give you control back of your machine, and allow you to run executable files again.

Hope this helps!

-Drew
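
An added example, not part of the original posts: a check that reads the text of a registry export (.reg format) and reports whether either of the two keys named in the post above has an open command other than the stock Windows handler `"%1" %*`. The function names and the sample export are constructed for illustration, and the program path in the sample is a placeholder.

```python
import re

# Stock Windows handler for executables: run the clicked file itself ("%1")
# and pass along its arguments (%*).
STOCK_HANDLER = '"%1" %*'

# The two keys named in the post above, as they appear in a .reg export.
WATCHED_KEYS = (
    r"HKEY_CLASSES_ROOT\.exe\shell\open\command",
    r"HKEY_CLASSES_ROOT\secfile\shell\open\command",
)

def parse_reg_defaults(text):
    """Map each [key] in a .reg export to its unescaped default (@) value."""
    defaults, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            raw = line[3:-1]
            # .reg files escape backslashes and quotes with a backslash.
            defaults[key] = re.sub(r"\\(.)", r"\1", raw)
    return defaults

def find_hijacked_handlers(text):
    """Return {key: value} for watched keys whose handler is not the stock one."""
    wanted = {k.lower(): k for k in WATCHED_KEYS}
    findings = {}
    for key, value in parse_reg_defaults(text).items():
        if key.lower() in wanted and value.strip() != STOCK_HANDLER:
            findings[wanted[key.lower()]] = value
    return findings

# Constructed sample export; the program path is a placeholder, not from the post.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe\shell\open\command]
@="\"C:\\PLACEHOLDER\\ave.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\secfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for key, value in find_hijacked_handlers(SAMPLE).items():
        print(f"non-stock handler: {key} -> {value}")
```

Exports written by regedit are usually UTF-16, so decode the file before passing its text to `find_hijacked_handlers`.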

#3 werdsmada


Posted 20 April 2010 - 12:31 PM

Update:

It looks like this thing created a virtual drive or "network location" Z:/ on the machine, called "memory card (Z:/)" with an IP address.

How do I remove this?

Thanks!

-Drew



