My computer appears to have been infected by the Antivirus Pro 2010 virus a few weeks ago; suddenly Mozilla was hijacked and redirected to another site (see below), and numerous fake antivirus screens appeared suggesting I had a virus. At the time of infection, I was using McAfee Total Protection Service as well as an older version of MBAM (not runtime version).
Steps I followed:
1. Killed “ave.exe” process and manually deleted all instances in the file system (application data folder) and registry.
3. Created and ran fix.reg, which allowed me to download and execute other programs, which I was unable to do up to that point.
4. Ran SDFIX.exe which didn’t report anything.
At some point, I then rebooted and the issue occurred again. Updated and ran MBAM and it showed Trojans in the log file, which I then quarantined.
I then downloaded and ran Stopzilla, which then quarantined and deleted ave.exe. I ran MBAM after that, and it came back completely clean. Also, since Yahoo! wasn’t showing up correctly in the browser, I reinstalled the Java runtime environment, assuming it got screwed up somehow. At that point I turned off my PC for the night.
Upon reboot later the next day, Stopzilla showed AVE.exe was there again. I continue to have browser hijacks and sometimes my laptop hangs if the hijack occurs when I am out of the office. If I close the hijack right away, there are no outward signs of issues. Every so often McAfee will report it has deleted certain viruses, as below. But none of the tools seems to be able to resolve the issue permanently.
Here are links from two of the browser hijacks:
Some of the files that have been deleted by McAfee in the last few days:
ILEE.EXE – Generic Fake Alert!gz
FakeAlert – WinWeb Security.C
FakeAlert – Xpspy Av.exe
I have attached the GMER and MBAM logs.
I would have attached the DDR logs as well, but even after multiple attempts I couldn’t get that program to finish; this despite my best efforts at removing script and popup blocking in advance.
Thanks in advance for your assistance!
Edit: Link disabled, to preclude possible infection. ~tg
Removed log as not allowed in this forum. ~ OB
Edited by Orange Blossom, 26 April 2010 - 07:58 PM.
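The post describes ave.exe reappearing after every reboot even though the running process was killed and the visible copies were deleted, which is the classic sign of an autostart entry that was missed. The following PowerShell script is an added example written for this thread, not code from the original poster or from any of the tools named above. It only enumerates and lists; it changes nothing. It assumes the persistence lives in a Run/RunOnce registry value, the per-user Startup folder, or a still-running process, and it flags anything that launches from a user data folder (Application Data, Local Application Data, Temp) or that matches the file names mentioned in the post (ave.exe, ilee.exe). Both the location list and the name list are assumptions chosen to illustrate the check.

```powershell
# Added example (not from the original post): list autostart entries and running
# processes that match the fake-AV pattern described in the thread.
# Assumption: persistence is in Run/RunOnce keys, the Startup folder, or a process
# whose image lives under a user data folder. Nothing is deleted or killed here.

$SuspectNames = @('ave.exe', 'ilee.exe')   # file names taken from the post

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders from which a legitimate autostart rarely launches its main executable
$DataRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

function Test-SuspiciousCommand {
    # Returns $true when a command line or path names a suspect file or points
    # into one of the user data folders above. Case-insensitive substring match.
    param([string]$Command)
    if (-not $Command) { return $false }
    $lower = $Command.ToLowerInvariant()
    foreach ($n in $SuspectNames) { if ($lower.Contains($n)) { return $true } }
    foreach ($root in $DataRoots) {
        if ($lower.Contains($root.ToLowerInvariant())) { return $true }
    }
    return $false
}

$findings = @()

# 1. Registry Run / RunOnce values (per-user and machine-wide)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # skip provider metadata (PSPath etc.)
        if (Test-SuspiciousCommand $p.Value) {
            $findings += New-Object PSObject -Property @{
                Source = $key; Name = $p.Name; Command = $p.Value
            }
        }
    }
}

# 2. Per-user Startup folder (resolved by .NET so it works on XP and later)
$startupDir = [Environment]::GetFolderPath('Startup')
if ($startupDir -and (Test-Path $startupDir)) {
    Get-ChildItem -Path $startupDir | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        if (Test-SuspiciousCommand $_.FullName) {
            $findings += New-Object PSObject -Property @{
                Source = $startupDir; Name = $_.Name; Command = $_.FullName
            }
        }
    }
}

# 3. Running processes whose image path matches; Path is unreadable for some
#    protected processes, so the lookup is wrapped and treated as "unknown".
Get-Process | ForEach-Object {
    $path = $null
    try { $path = $_.Path } catch { }
    if (Test-SuspiciousCommand $path) {
        $findings += New-Object PSObject -Property @{
            Source = 'process'; Name = "$($_.ProcessName) (PID $($_.Id))"; Command = $path
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No autostart entries or processes matched the suspicious patterns.'
} else {
    $findings | Select-Object Source, Name, Command | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. A hit under a Run key whose command points into Application Data explains the reboot behaviour in the post: removing the file without removing the value only works until the next start, and removing the value without removing the file leaves the dropper behind for the next hijack to restore. Machine-wide Startup folders, scheduled tasks and services are further autostart locations this example does not enumerate.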