I had the exact same "Ave.exe" malware on my PC (XP SP3). Disappointed that ZASS let it slip thru.
I was unable to access the internet to install MBAM because the malware hijacked my browser, so I poked around and was able to delete the infection manually.
Here is my procedure - it looks long, but it is methodical and probably will require less than 30 minutes. Please do not attempt this unless you are Registry-savvy and DOS-savvy! :cool: The commands you type in the DOS window are shown in blue courier font and the Registry keys/values are shown in red.
Before you begin, exit all apps (including Windows Explorer & Internet Explorer) and then go into Windows Task Manager and kill the AVE.EXE process.
1. Open a DOS window:
a. Start -> Programs -> Command Prompt
b. if that doesn't work, then Start -> Run -> command <enter>
2. cd c:\DOCUME~1 <enter>
3. dir /s /as /ah *.exe <enter>
This may take awhile. When it finishes, look for "ave.exe" and note its directory.
4. Go to that directory and type dir /s /as /ah <enter>
a. If you can't CD to that directory, just type this DIR command followed by the full path.
b. You should see "ave.exe" and probably a daughter file with the same date as ave.exe. (My daughter file was named Mh3jm32TxN)
5. These two rogue files cannot be deleted yet, because they protected themselves with file attributes.
a. remove the file attributes:
attrib -h -s ave.exe <enter> and then repeat for the daughter.
b. now you can delete them:
del ave.exe <enter> and then repeat for the daughter.
6. Repeat steps #2 & #3. If another copy of ave.exe is found, then repeat steps #4 & #5.
7. Search for a standalone copy of the daughter file:
a. repeat step #2
b. repeat step #3, except substitute your daughter file's name for the '*.exe'
c. if another copy of your daughter file is found, hunt it down and delete it per step #5.
8. Reboot and start in Windows safe mode.
9. Edit the registry in the usual manner: Start -> Run -> regedit <enter>
a. if that doesn't work, then repeat step #1b and then in the DOS window type regedit <enter>
b. some conventional wisdom:
-you shouldn't be here if you aren't Registry-savvy
-back up the infected Registry before proceeding to step #10. An infected registry is better than a corrupted one.
10. Search for the daughter file. It should not be found.
-if you have a clean PC nearby, it is helpful to run Regedit in parallel on both machines so that you can compare the infected registry with a clean one.
11. Search for ave.exe
On my PC, there were two occurrences - where it hijacked Internet Explorer and the executable handle.
12. "Clean the executable hijack": (Fixed Typo)
a. HKEY_CLASSES_ROOT\.exe\Default = exefile
b. this subkey is probably okay: HKEY_CLASSES_ROOT\.exe\PersistentHandler
c. delete all other subkeys, such as HKEY_CLASSES_ROOT\.exe\shell
13. "Clean the Internet Explorer hijack": (Fixed Typo)
a. HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
This key has probably been hijacked to something like "C:\Documents and Settings\John\Application Data\ave.exe /START %1 %* C:\Program Files\Internet Explorer\iexplore.exe". Delete the first half to leave just the Explorer path (and delete any quotation marks) so that something like this remains: C:\Program Files\Internet Explorer\iexplore.exe
14. Exit the Registry and reboot in normal mode. Your PC should now be clean, but just in case, download and run MBAM.
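A check for the two hijacks the post repairs by hand in steps 12 and 13, added here as an example that is not from the original post: it parses a regedit export (.reg text) of the keys in question and flags a .exe default other than exefile, any subkey under .exe besides PersistentHandler, and an IEXPLORE.EXE open command that is not just the iexplore.exe path. The sample export, the value "evilfile" and the user path are constructed.

```python
import re

EXE_KEY = 'HKEY_CLASSES_ROOT\\.exe'
IE_KEY = ('HKEY_LOCAL_MACHINE\\SOFTWARE\\Clients\\StartMenuInternet'
          '\\IEXPLORE.EXE\\shell\\open\\command')
IE_OK = re.compile(r'"?C:\\Program Files\\Internet Explorer\\iexplore\.exe"?', re.I)

# Constructed sample of a regedit export of the keys the post inspects, carrying the
# kind of hijacked values it describes. In .reg data, backslashes and quotes are escaped.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="evilfile"
[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
[HKEY_CLASSES_ROOT\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\John\\Application Data\\ave.exe\" /START \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\John\\Application Data\\ave.exe\" /START \"%1\" %* C:\\Program Files\\Internet Explorer\\iexplore.exe"
'''

def parse_reg(text):
    """Map key path -> {value name: data} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and '=' in line:
            name, _, data = line.partition('=')
            name = '@' if name == '@' else name.strip('"')
            if data.startswith('"') and data.endswith('"'):  # REG_SZ: unescape
                data = data[1:-1].replace('\\"', '"').replace('\\\\', '\\')
            keys[current][name] = data
    return keys

def find_hijacks(reg):
    """Return findings for anything that differs from the clean state the post describes."""
    findings = []
    default = reg.get(EXE_KEY, {}).get('@')
    if default != 'exefile':
        findings.append(f'.exe default is {default!r}, expected "exefile"')
    # Any subkey of .exe other than PersistentHandler is suspect (the post deletes them)
    extra = {k[len(EXE_KEY) + 1:].split('\\')[0] for k in reg if k.startswith(EXE_KEY + '\\')}
    for sub in sorted(extra - {'PersistentHandler'}):
        findings.append(f'unexpected subkey HKEY_CLASSES_ROOT\\.exe\\{sub}')
    cmd = reg.get(IE_KEY, {}).get('@', '')
    if not IE_OK.fullmatch(cmd):  # clean value is just the iexplore.exe path
        findings.append(f'IE open command hijacked: {cmd}')
    return findings
```

Export the two keys with regedit (File -> Export) and feed the file's text to parse_reg; an empty list from find_hijacks means both keys already look the way step 12 and 13 leave them.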