Ave.exe Rogue Anti-Virus Removal Instructions

Gary DavisDir Internet Svcs
Recently I attended the Microsoft MIX10 Web Designer/Developer conference in Las Vegas. After the last session of the last day, before they kicked me out of the hall with the free WiFi, I somehow contracted a virus (I think from isohunt.com though just from browsing the site; I did no downloads). I actually did not realize it until the next time I started the laptop. I got a virus infection warning popup and then another window opened automatically running a scan and finding lots of infected files.

If you have this ave.exe rogue anti-virus infection, these are the removal steps that worked for me on Windows XP.   Note that this discusses updating the registry with Regedit.   If you are not familiar with this program or the registry, I advise you to attempt using downloading the latest version of MalwareBytes' Anti-Malware which should be able to fix the problem (assuming ave.exe does not block this program).

Ave.exe Removal Instructions


Type Ctrl/Shift/Escape to bring up the task manager.


Kill the ave.exe process. The popups will disappear. Leave the task scheduler up.


Type Windows/R (to get the Run box) and type regedit and OK.


Ave.exe will start again, just do step #2 again.


In Regedit, go to HKCR\.exe\shell\open\comma nd. You will see something like this for (default):
"C:\Documents and Settings\[your account]\Local Settings\Application Data\ave.exe" /START "%1" %*


Modify the value to be:
"%1" %*


Do the same with HKCR\secfile\shell\open\co mmand.


Delete ave.exe from the location in step 5.
At this point, you have control back and no more popups.


Download the current version of Malwarebytes' Anti-Malware and run it.


   Choose to fix the items the scan found.


   Run a scan of your regular anit-virus program


   Now you can read the rest of this article and add a comment about your experience!
Example of the bogus anti-virus programs display:
  Example of ave.exe Rogue AV Programs
Then a tray notification bubbled up with more warnings.
  Example of Tray Balloon Popup
Well, I did not recognize the program displaying the warnings. The laptop is an old Dell running WinXP and is up to date with patches and runs AVG Free as its anti-virus software. The window title of the warning and scanner was Total XP Security. I suspected the laptop was infected with a virus that mimicked an anti-virus program. Process status showed ave.exe, a process that I did not recognize. Killing the process closed the popups. Until the next run of a program (like explorer). Some programs would not start at all (like my AVG scanner).

I think the way I got infected was at isohunt.com. I clicked a link in the right nav Top Searches; went to the second search-results page which partially displayed the hits and then displayed a warning about the site containing malicious software. I clicked in the warning and exited the site completely. I think clicking on the warning is what initiated the download of the infection.

I searched for ave.exe but the search did not find it (it was there but hidden). I then searched for all files modified today and it found lots that shouldn’t have been. Exe’s that were installed long ago had a timestamp of the time the conference ended.

So with my laptop basically disabled, I used my BlackBerry to googled for ave.exe virus. There were several hits and I selected the Virus Removal Guru site. Looking at the manual removal instructions, I killed the ave.exe process and then I located the ave.exe (C:\Documents and Settings\[username]\Local Settings\Application Data\ave.exe) and removed it.

Well all of a sudden, none of my programs would start. They displayed the Windows dialog box to select a program to run the exe(?). That indicated to me that the programs first ran the ave.exe and then it did its work and transferred back to the originally requested program. Without ave.exe around, the requested program could no longer start up. The program I really wanted to run was regedit to fix up the registry. The running explorer still worked but I could not start up a new one.

I noticed that the programs in my launch bar (PowerBar) still ran but the same program would not run from explorer. I dragged regedit into the launch bar and clicked it and it did run! OK, Now I was back in business. I continued with the manual instructions from Guru but the registry keys it mentioned did not exist. I was hesitant to run their automatic removal tool since I am not familiar with their site. My next step in regedit was a search for ave.exe. There were several hits (ignore the scnsave.exe hits). The hits showed how it intercepted the execution of programs to do its deed first.

The first hit was:

                      "C:\Documents and Settings\Gary\Local Settings\Application Data\ave.exe" /START "%1" %*

Open in new window

I changed it to match others that were not altered:

"%1" %*

Open in new window

This did not work. The programs still failed to start. I went to the next hit


Open in new window

This did work (phew!)

There were a few more hits related to Iexplore and FireFox.

So things are working better now. I started up a complete scan with AVG Free and it is still running. I will research some more to make sure everything is cleaned out before claiming success.

Here’s another link and there are several others. As this post mentions, manual removal of viruses is generally difficult and if you make mistakes changing the registry, you may damage your system.

Well, I am now at the Las Vegas airport, waiting for the time to board my midnight red-eye back to Ft. Lauderdale. I was wondering what I was going to do to fill the time between 6pm and midnight. So a successful virus eradication plus a blog post were not on my plans but I guess you do what you’ve gotta do:)

[Update] Some of the research shows that this virus may be removed by recent versions of Malwarebytes' Anti-Malware. Anti-Malware found many infections which I chose to fix all. I then ran the AVG scan and it found none.

Some references about this virus:

* http://blogs.webguild.com/gary/archive/2010/03/18/how-i-dealt-with-an-ave.exe-virus-infection.aspx (my experiences)
* http://www.microsoft.com/security/antivirus/rogue.aspx
* https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fAntivirusxp
* http://www.symantec.com/connect/blogs/xp-internet-security-2010-rogue
* http://www.bleepingcomputer.com/
* http://www.virusremovalguru.com/?p=5911

 Gary Davis - Webguild.com
Gary DavisDir Internet Svcs

Comments (2)

Author of the Year 2009

Good article, but I'd like to emphasize that this particular piece of malware is cleaned automatically by MalwareBytes' Anti-Malware software (and perhaps other programs by now).  MBAM is available for free from  http://www.malwarebytes.org/
Once again, EE comes to the rescue. Money well spent.

For me, the AV for the customer removed everything infected on the machine. It left the EXE broken though.

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.