Got infected w/ malware: Antivirus XP

Hi,

Don't know how, but I got infected w/ a malware program masquerading as an antivirus program.  It's called Antivirus XP and mimics the native Windows Security center, and AVG.  I probably have the newest version of this malicious crap.

I couldn't launch any apps because it would always bring up that stupid app.  I looked in my registry and there were two entries in
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
(Default)                 "C:\Documents and Settings\Gene\Local Settings\Application Data\ave.exe" /START "%1" %*
IsolatedCommand     "%1" %*

I didn't know whether the .exe entry was changed or added, so I renamed it to ".exeX".  After that I was able to launch applications.  However, the bad entry remains in my registry, just renamed.

I did some searching and a program called MalwareBytes was recommended.  However, when launched it doesn't update properly, just hanging.  I do have internet access on this machine, so that's not the problem.  So the program didn't work for me.

My concern is that if I reboot, it could start up again.  I don't know which files to delete, or which entries in msconfig or wherever.  Before deleting the registry entry, I searched for ave.exe and could only find it as ave.exe****.pf  (the **** were some numbers).  However, the program still launched.

How can I delete this crap for good??

Thanks!

ugeb asked:

Darius Ghassem commented:
Go into Safe Mode with Networking then update the defs from there.

Here is another way to clean it up.

http://www.2-spyware.com/remove-antivirus-xp-2010.html
0
kevingamin commented:
You were correct in downloading and installing Malwarebytes.  Unfortunately, Antivirus XP is blocking MB's ability to connect to the mothership and update.

My suggestion would be to go to BleepingComputer.com and follow their instructions for removing this piece of crap (http://www.bleepingcomputer.com/virus-removal/remove-xp-antivirus-2008-2009). They are very detailed in their instructions AND also give you steps for restoring your ability to go out to the web and programs so you can remove the virus.

One word of warning, though - There's no 100% guarantee that you'll be completely free of the virus. I've had many clients who've been hit by this and other similar viruses. It's been about 50/50 where I've gotten the virus off the machine without having to reformat the hard drive.  If you do get Antivirus XP off your machine, or at least get it disabled enough to get control back of your computer, IMMEDIATELY BACK UP YOUR FILES. Get a flash drive, external hard drive, or invest in an online storage/backup service like Carbonite or Mozy, but make sure you have a copy of your documents, pictures, music, and/or videos stored somewhere besides your computer.  The only way to be 100% sure that Antivirus XP is off your computer is to wipe your hard drive clean and do a fresh install of Windows.

I don't mean to be all doom and gloom, but this new breed of virus is very pervasive, as you're well aware. You should know what you're getting into and what you'll need to do to get out of it completely.
0
Sector5 commented:
Hi, Also try to install Sophos AV Client - http://www.sophos.com/support/knowledgebase/article/13251.html
It works great to remove any Virus etc.
0
PEEXLE commented:
Have you tried using HijackThis? No it’s not a hacking tool.

This tool is now owned by Trend, but I used to remove extremely irritating viruses with HijackThis. The down side is that you need to know what to remove and what not to remove. You can remove Viruses, Trojans or Malware components from computer start-up. This will allow you to run a tool like MalwareBytes once you have restarted your computer to completely remove the Virus/Trojan/Malware.
0
krawl23 commented:
A great start would be running Revo Uninstaller - this will help you disable the process that is running. Log in under administrator and in safe mode.

Gabriel Altamirano
Future Tech
0
Kruger_monkey commented:
The following items will help you clean up your pc.

Download all of the following, reboot into safe mode and starting with Drweb run/install each in the order listed.  I've included links to the definitions which will overcome the lock that these things place on program updates.

http://www.freedrweb.com/cureit/?lng=en

http://www.superantispyware.com/download.html  - main application - once installed, deselect automatically update definitions.  Install the file below instead.
http://www.superantispyware.com/definitions.html  - sas definitions.

http://mbam.malwarebytes.org/database/mbam-rules.exe  - malwarebytes definitions.

Between these 3 items I've been able to clean loads of infections.

Reboot into safe mode, run drweb cureit (don't worry about updates); this should pick up most of the stuff.  Reboot, and go back into safe mode, run dr web again. If the same file comes up again, make a note, you will possibly have to replace it.

Install superantispyware and its associated definitions and run a quick scan.

Again reboot and go back into safe mode.

Install malwarebytes definitions and run a scan.  After that repeat all in normal mode.  Generally after that you will be spyware free. Although you may have to reset some file associations.  In which case see this link.

http://www.dougknox.com/xp/file_assoc.htm

The above will hopefully help you sort out all the problems.

0
thompsonwireless commented:
Superantispyware isn't one of my favorites.  However, they do offer a bootable solution that will eliminate XP Antivirus.  There are several versions of that Malware, most of which require different steps to remove them.  Malwarebytes didn't locate or eliminate the version I was dealing with.

http://www.superantispyware.com/portablescanner.html
0
optoma commented:
Try a scan with Hitmanpro. Should repair rogue proxy setting that prevents Mbam from updating
http://www.surfright.nl/en/hitmanpro
0
ugeb (Author) commented:
Thank you everybody for all the tools you've listed.

I have a dual-boot system with win xp and win 7.  My win 7 machine is uninfected and works fine.  Not so sure about the xp.

I did as much as I could from within xp, and then booted into win 7 and have run a number of those tools from there.  However, those tools aren't finding anything.  My concern, however, is that they're not scanning my xp windows system (on drive D) like they would the active windows system (on drive C).

Is there a way to make sure these programs scan my xp windows files the way they should?

Thanks!

0
thompsonwireless commented:
There are more than likely permissions on admin folders such as Users.  Windows 7 is more likely to allow scanning of secured folders for XP than it is the other way around.

Eset and Trend Micro both have good, online scanning options if nothing else will work.
0
optoma commented:
Hitmanpro has to be run when the OS is live.
0
Dan Kennedy (Business System Analyst) commented:
Try renaming the Malwarebytes executable to something else.
0
thompsonwireless commented:
Renaming executables doesn't work.  I had the same problem.  I reloaded and took much less time.  There is an exe file in Local Settings that is hidden that runs randomly and has attributes where you cannot just do a -s -r -h and remove it.  I managed to get around this but the executables still wouldn't open.  Malwarebytes didn't work and the only option I was advised of was booting to the Superantispyware program but still not sure that would work.  I recommend reloading.
0
kevingamin commented:
There is a registry fix that BleepingComputer.com has which fixes the running executable issue.
0
Gary Davis (Dir Internet Svcs) commented:
I got this and fixed it by killing ave.exe, running regedit (this will restart the ave.exe so kill it again). Edit the registry to fix the entries that keep starting up ave.exe. Now you can remove the hidden ave.exe and run the latest version of MalwareBytes anti-Malware.
I discuss my experiences and have removal details at my blog posting:
http://webguild.dyndns.org/Blog/archive/2010/03/18/how-i-dealt-with-an-ave.exe-virus-infection.aspx
Gary Davis - Webguild.com
0
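The hijacked .exe association the asker pasted from HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command, and the registry repair Gary Davis describes, as an added example that is not from this thread: a small Python script that scans a regedit export (a constructed sample mirroring the asker's two values) for a .exe open command that runs anything other than the plain "%1" %*, reports which executable is interposed, and writes the .reg fragment that deletes the per-user override. It assumes the HKCU .exe key was created by the malware, as the asker suspected; on a clean XP system the .exe association normally lives only under HKLM (.exe -> exefile -> "%1" %*).

```python
import re

# Constructed .reg export mirroring the two values quoted in the question (sample, not a real export).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\Gene\\Local Settings\\Application Data\\ave.exe\" /START \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
'''
BENIGN_COMMAND = '"%1" %*'   # what Windows itself uses to launch an .exe
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"[^"]*")="(.*)"$')
LAUNCHER_RE = re.compile(r'^"([^"]+)"|^(\S+)')   # first token: the program that really runs

def unescape(data):
    # .reg string data escapes backslashes and double quotes.
    return data.replace('\\"', '"').replace('\\\\', '\\')

def parse_reg(text):
    """Return {key_path: {value_name: string_data}} for a regedit export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name = '(Default)' if val.group(1) == '@' else val.group(1).strip('"')
            keys[current][name] = unescape(val.group(2))
    return keys

def find_exe_hijacks(text):
    """(key, launcher) for every .exe open command that is not the plain "%1" %*."""
    hits = []
    for key, values in parse_reg(text).items():
        if not key.lower().endswith(r'\classes\.exe\shell\open\command'):
            continue
        cmd = values.get('(Default)', '').strip()
        if cmd != BENIGN_COMMAND:
            m = LAUNCHER_RE.match(cmd)
            hits.append((key, (m.group(1) or m.group(2)) if m else cmd))
    return hits

def undo_reg(key):
    """.reg text that deletes the per-user .exe override so the HKLM exefile entry applies again."""
    root = key[:key.lower().index(r'\shell\open\command')]
    return 'Windows Registry Editor Version 5.00\n\n[-%s]\n' % root
```

Export the key with `reg export HKCU\Software\Classes\.exe out.reg` from a clean boot (the asker's Windows 7 side will do), feed the file to find_exe_hijacks, and import the undo fragment only after the reported executable has been removed.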
xmachine commented:
0
ugeb (Author) commented:
A huge "Thanks!" to you all for all your suggestions.  I seriously wish I could give you all max points as this question was really worth about a million points to me.

One of the things that really saved me was having a dual boot system, where win 7 was uninfected and unfettered from getting these tools.  I highly recommend having a dual boot just for this purpose alone!

Thank you again!
Gene
0
sb7785 commented:
In addition to the other great suggestions posted; if they all fail, try creating a bootable antivirus CD. If that doesn't fix it, then you've got some serious problems. It's always good to keep on hand at any time:
http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/Q_25347695.html 
http://www.experts-exchange.com/articles/Storage/Misc/Creating-a-bootable-CD-USB.html
0