Thread: [Solved] XP Security infection removing ave.exe infection.

  1. #1
    hewitt Guest

    [Solved] XP Security infection removing ave.exe infection.

    On March 19, a faux anti-virus program calling itself "XP Security" installed itself on my Windows XP system, adding a four-color shield icon (Microsoft in appearance) to my system tray. ZoneAlarm Internet Security Suite did not stop it and does not detect it after a scan.

    XP Security pops up various hysterical virus warnings every 45 seconds, which must be manually closed, such as Privacy Threat!, System Hijack!, Virus Infection!, and so on. I can "recover from an infection right now, by performing a free system scan, click here." Every hour it pops up a full window, "XP Security - Unregistered version" pretends to do a scan, in 5 seconds, reports the details of 33 faux infections, and asks if I want to activate XP Security or stay unprotected. Activation costs $49.99. Every two hours it will also pop up a full window entitled "Windows Security Center" explaining that "Security Center helps you manage your windows security settings," and informing me that my Firewall is off (it isn't), Auto update is on, and virus protection is off (it isn't).

    On an irregular basis, it will try to run ave.exe and connect to various internet locations. ZoneAlarm anti-virus firewall catches such attempts, and I deny ave.exe access. When I open Firefox, I instead get an "XP Security Firewall Alert" informing me that "XP Security has blocked a program from accessing the internet," due to a changing roster of faux infections. I can either choose to "activate XP Security" or "continue unprotected;" the latter choice gives me access to Firefox. XP Security completely blocks access to Control Center, Firewall.

    An internet search revealed a www.bleepingcomputer.com forum which advises of ways to kill "XP SecurityCenter." The screen shots looked identical to my "XP Security." So, I downloaded and tried to run Malwarebytes Anti-Malware (MBAM), but XP Security blocked MBAM from running. After some more research, I downloaded and ran RKill. It shuts down XP Security and any other malware it can find. Then I ran MBAM. It updated, then killed XP Security dead.
    Last edited by GeorgeV; April 11th, 2010 at 01:48 PM.

  2. #2
    paul_chicago Guest

    Ave.exe - manual disinfection

    Bingo dude!

    I had the exact same "Ave.exe" malware on my PC (XP SP3). Disappointed that ZASS let it slip thru.

    I was unable to access the internet to install MBAM because the malware hijacked my browser, so I poked around and was able to delete the infection manually.

    Here is my procedure - it looks long, but it is methodical and probably will require less than 30 minutes. Please do not attempt this unless you are Registry-savvy and DOS-savvy! The commands you type in the DOS window are shown in blue courier font and the Registry keys/values are shown in red.

    Before you begin, exit all apps (including Windows Explorer & Internet Explorer) and then go into Windows Task Manager and kill the AVE.EXE process.

    1. Open a DOS window:
    a. Start -> Programs -> Command Prompt
    b. if that doesn't work, then Start -> Run -> command <enter>
    2. cd c:\DOCUME~1 <enter>
    3. dir /s /as /ah *.exe <enter>
    This may take awhile. When it finishes, look for "ave.exe" and note its directory.
    4. Go to that directory and type dir /s /as /ah <enter>
    a. If you can't CD to that directory, just type this DIR command followed by the full path.
    b. You should see "ave.exe" and probably a daughter file with the same date as ave.exe. (My daughter file was named Mh3jm32TxN)
    5. These two rogue files cannot be deleted yet, because they protected themselves with file attributes.
    a. remove the file attributes:
    attrib -h -s ave.exe <enter> and then repeat for the daughter.
    b. now you can delete them:
    del ave.exe <enter> and then repeat for the daughter.
    6. Repeat steps #2 & #3. If another copy of ave.exe is found, then repeat steps #4 & #5.
    7. Search for a standalone copy of the daughter file:
    a. repeat step #2
    b. repeat step #3, except substitute your daughter file's name for the '*.exe'
    c. if another copy of your daughter file is found, hunt it down and delete it per step #5.
    8. Reboot and start in Windows safe mode.
    9. Edit the registry in the usual manner: Start -> Run -> regedit <enter>
    a. if that doesn't work, then repeat step #1b and then in the DOS window type regedit <enter>
    b. some conventional wisdom:
    -you shouldn't be here if you aren't Registry-savvy
    -back up the infected Registry before proceeding to step #10. An infected registry is better than a corrupted one.
    -if you have a clean PC nearby, it is helpful to run Regedit in parallel on both machines so that you can compare the infected registry with a clean one.
    10. Search for the daughter file. It should not be found.
    11. Search for ave.exe
    On my PC, there were two occurrences - where it hijacked Internet Explorer and the executable handle.
    12. "Clean the executable hijack": (Fixed Typo)
    a. HKEY_CLASSES_ROOT\.exe\Default = exefile
    b. this subkey is probably okay: HKEY_CLASSES_ROOT\.exe\PersistentHandler
    c. delete all other subkeys, such as HKEY_CLASSES_ROOT\.exe\shell
    13. "Clean the Internet Explorer hijack": (Fixed Typo)
    a. HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
    This key has probably been hijacked to something like "C:\Documents and Settings\John\Application Data\ave.exe /START %1 %* C:\Program Files\Internet Explorer\iexplore.exe". Delete the first half to leave just the Explorer path (and delete any quotation marks) so that something like this remains: C:\Program Files\Internet Explorer\iexplore.exe
    14. Exit the Registry and reboot in normal mode. Your PC should now be clean, but just in case, download and run MBAM.
    Last edited by GeorgeV; March 26th, 2010 at 09:51 AM. Reason: oops - forgot a step, and fixed typos
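    The registry checks in steps 12 and 13 can be verified mechanically against a Regedit export (File -> Export in regedit, or reg export at the prompt) rather than by eye. The script below is an added example for this thread, not part of paul_chicago's procedure and not a ZoneAlarm or MBAM tool: it parses the "Windows Registry Editor Version 5.00" text format and reports when HKEY_CLASSES_ROOT\.exe has a default other than exefile or subkeys beyond PersistentHandler, or when the IEXPLORE.EXE StartMenuInternet command launches anything other than iexplore.exe. The two sample exports are constructed; the ave.exe path and command line follow the post's own example, and the PersistentHandler data is not checked.

```python
"""Check a Regedit text export for the two hijacks described in steps 12 and 13
of the procedure above.  Added example code for this thread, not part of the
original post; the sample exports below are constructed."""
import re

# Keys named in the thread, and what a clean XP box should hold there.
EXE_KEY = r"HKEY_CLASSES_ROOT\.exe"
IE_CMD_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet"
              r"\IEXPLORE.EXE\shell\open\command")
CLEAN_IE_CMD = r"C:\Program Files\Internet Explorer\iexplore.exe"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s):
    """Strip the surrounding quotes of a .reg string and undo its backslash escapes."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def parse_reg_export(text):
    """Parse 'Windows Registry Editor Version 5.00' text into
    {key_path: {value_name: data}}.  '@' is the key's (Default) value.
    Only string (REG_SZ) data is decoded; other types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unquote(m.group(1))
        data = m.group(2)
        keys[current][name] = _unquote(data) if data.startswith('"') else data
    return keys


def find_hijacks(keys):
    """Return a list of findings for the HKCR .exe and IEXPLORE.EXE hijacks."""
    findings = []
    # Step 12: the .exe default must be 'exefile' and PersistentHandler
    # should be its only subkey; anything else (e.g. a shell subkey) is suspect.
    exe_default = keys.get(EXE_KEY, {}).get("(Default)")
    if exe_default is not None and exe_default.lower() != "exefile":
        findings.append(f"{EXE_KEY} default is {exe_default!r}, expected 'exefile'")
    prefix = EXE_KEY.lower() + "\\"
    seen = set()
    for path in keys:
        if path.lower().startswith(prefix):
            top = path[len(prefix):].split("\\")[0]
            if top.lower() != "persistenthandler" and top.lower() not in seen:
                seen.add(top.lower())
                findings.append(f"unexpected subkey {EXE_KEY}\\{top}")
    # Step 13: the IE launch command must be iexplore.exe alone (quotes are
    # ignored), not a wrapper that runs ave.exe first.
    ie_cmd = keys.get(IE_CMD_KEY, {}).get("(Default)")
    if ie_cmd is not None and ie_cmd.replace('"', "").strip().lower() != CLEAN_IE_CMD.lower():
        findings.append(f"{IE_CMD_KEY} runs {ie_cmd!r} instead of iexplore.exe")
    return findings


def scan_reg_file(path):
    """Regedit writes exports as UTF-16 with a BOM; decode one and check it."""
    with open(path, encoding="utf-16") as fh:
        return find_hijacks(parse_reg_export(fh.read()))


# Constructed sample: the keys with both hijacks in place (paths follow the
# post's example; .reg files double backslashes and escape inner quotes).
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\.exe\shell]

[HKEY_CLASSES_ROOT\.exe\shell\open]

[HKEY_CLASSES_ROOT\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\John\\Application Data\\ave.exe\" /START \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\John\\Application Data\\ave.exe\" /START \"%1\" %* \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
'''

# Constructed sample: the same keys after the cleanup in steps 12 and 13.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
'''

if __name__ == "__main__":
    for finding in find_hijacks(parse_reg_export(INFECTED_EXPORT)):
        print("HIJACK:", finding)
```

    Run it against the infected sample and it reports the stray HKEY_CLASSES_ROOT\.exe\shell subkey and the ave.exe wrapper on the IEXPLORE.EXE command; the clean sample produces nothing. To check a real machine, export the two keys from regedit and pass the file to scan_reg_file, which is a useful final check before the reboot in step 14.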

  3. #3
    findley Guest

    Re: Ave.exe - manual disinfection

    Quote Originally Posted by paul_chicago
    Bingo dude!

    I had the exact same "Ave.exe" malware on my PC (XP SP3). Disappointed that ZASS let it slip thru.

    I was unable to access the internet to install MBAM because the malware hijacked my browser, so I poked around and was able to delete the infection manually.

    Here is my procedure - it looks long, but it is methodical and probably will require less than 30 minutes. Please do not attempt this unless you are Registry-savvy and DOS-savvy! The commands you type in the DOS window are shown in blue courier font and the Registry keys/values are shown in red.

    Before you begin, exit all apps (including Windows Explorer & Internet Explorer) and then go into Windows Task Manager and kill the AVE.EXE process.

    1. Open a DOS window:
    a. Start -> Programs -> Command Prompt
    b. if that doesn't work, then Start -> Run -> command <enter>
    2. cd c:\DOCUME~1 <enter>
    3. dir /s /as /ah *.exe <enter>
    This may take awhile. When it finishes, look for "ave.exe" and note its directory.
    4. Go to that directory and type dir /s /as /ah <enter>
    a. If you can't CD to that directory, just type this DIR command followed by the full path.
    b. You should see "ave.exe" and probably a daughter file with the same date as ave.exe. (My daughter file was named Mh3jm32TxN)
    5. These two rogue files cannot be deleted yet, because they protected themselves with file attributes.
    a. remove the file attributes:
    attrib -h -s ave.exe <enter> and then repeat for the daughter.
    b. now you can delete them:
    del ave.exe <enter> and then repeat for the daughter.
    6. Repeat steps #2 & #3. If another copy of ave.exe is found, then repeat steps #4 & #5.
    7. Search for a standalone copy of the daughter file:
    a. repeat step #2
    b. repeat step #3, except substitute your daughter file's name for the '*.exe'
    c. if another copy of your daughter file is found, hunt it down and delete it per step #5.
    8. Reboot and start in Windows safe mode.
    9. Edit the registry in the usual manner: Start -> Run -> regedit <enter>
    a. if that doesn't work, then repeat step #1b and then in the DOS window type regedit <enter>
    b. some conventional wisdom:
    -you shouldn't be here if you aren't Registry-savvy
    -back up the infected Registry before proceeding to step #10. An infected registry is better than a corrupted one.
    -if you have a clean PC nearby, it is helpful to run Regedit in parallel on both machines so that you can compare the infected registry with a clean one.
    10. Search for the daughter file. It should not be found.
    11. Search for ave.exe
    On my PC, there were two occurrences - where it hijacked Internet Explorer and the executable handle.
    12. Clean the Internet Explorer hijack:
    a. HKEY_CLASSES_ROOT\.exe\Default = exefile
    b. this subkey is probably okay: HKEY_CLASSES_ROOT\.exe\PersistentHandler
    c. delete all other subkeys, such as HKEY_CLASSES_ROOT\.exe\shell
    13. Clean the executable hijack:
    a. HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
    This key has probably been hijacked to something like "C:\Documents and Settings\John\Application Data\ave.exe /START %1 %* C:\Program Files\Internet Explorer\iexplore.exe". Delete the first half to leave just the Explorer path (and delete any quotation marks) so that something like this remains: C:\Program Files\Internet Explorer\iexplore.exe
    14. Exit the Registry and reboot in normal mode. Your PC should now be clean, but just in case, download and run MBAM.

    No software is going to catch 100% in this day of new rogues and ever-changing malware. I regularly use and recommend adding MBAM as a secondary on-demand layer of security protection which can be run periodically alongside other ZoneAlarm security products. Install it, keep it updated and run it regularly as a secondary check on your computer(s).

    With the manual removal you performed on your computer, you may want to take a look at the files and registry keys documented to be a part of this rogue.

    Ave.exe is part of the new rogue XP Security Tool 2010. It also goes by many different names and across all Windows operating systems. See a full list here: different names, but all using exactly the same program, according to bleepingcomputer's removal guide.

    XP Security Tool 2010, XP Defender Pro, Vista Security Tool 2010, and Vista Defender Pro, Win 7 Security Tool and Win 7 Security Tool 2010 are all new rogues that are exactly the same program. They are just shown with different names and interfaces depending on the version of Windows that it is run on.

    How to remove XP Security Tool 2010, XP Defender Pro, and Vista Security Tool 2010 (Uninstall Guide) for manual removal instructions and listing of files and registry keys.

    Findley

  4. #4
    paul_chicago Guest

    oops - minor correction

    oops! folks, if you were paying closer attention than I was, you'll see that in my haste to post the fix I mixed up two titles: step #12 should read "Clean the executable hijack" and step #13 should read "Clean the Internet Explorer hijack".

    As Lloyd Bridges famously said, I picked the wrong week to stop sniffing glue!

  5. #5
    J Mac Guest

    Re: XP Security infection

    Mr. Paul Chicago...nice job. Your instructions for removing ave.exe worked nicely.
    Thanks.
    john
