ugeb asked:

Got infected w/ malware: Antivirus XP

Hi,

Don't know how, but I got infected w/ a malware program masquerading as an antivirus program.  It's called Antivirus XP and mimics the native Windows Security center, and AVG.  I probably have the newest version of this malicious crap.

I couldn't launch any apps because it would always bring up that stupid app.  I looked in my registry and there were two entries in
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
(Default)                 "C:\Documents and Settings\Gene\Local Settings\Application Data\ave.exe" /START "%1" %*
IsolatedCommand     "%1" %*

I didn't know whether the .exe entry was changed or added, so I renamed it to ".exeX".  After that I was able to launch applications.  However, the bad entry remains in my registry, just renamed.

I did some searching and a program called MalwareBytes was recommended.  However, when launched it doesn't update properly, just hanging.  I do have internet access on this machine, so that's not the problem.  So the program didn't work for me.

My concern is that if I reboot, it could start up again.  I don't know which files to delete, or which entries in msconfig or wherever.  Before deleting the registry entry, I searched for ave.exe and could only find it as ave.exe****.pf  (the **** were some numbers).  However, the program still launched.

How can I delete this crap for good??

Thanks!
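The key quoted above is a per-user file-association hijack: entries under HKEY_CURRENT_USER\Software\Classes take precedence over HKEY_LOCAL_MACHINE\Software\Classes in the merged HKEY_CLASSES_ROOT view, so the malware only had to write a single per-user .exe handler to be launched in front of every program that user starts, and deleting that per-user key lets the clean machine-wide handler apply again. The script below is an added example, not something posted in this thread. It lists the per-user launch-handler keys that should not exist on a clean profile, flags any whose command is not the default `"%1" %*`, catches leftovers such as a renamed `.exeX` key, and removes them with `-Remediate`. The `-OfflineHive` switch is for the situation later in the thread where the clean OS on another partition is used to inspect the infected one: it loads that profile's NTUSER.DAT with reg.exe. Assumptions: PowerShell 2.0 or later in an elevated shell; the hive path, mount name and user name are placeholders.

```powershell
# Added example (not from the original thread): detect and undo a per-user
# executable-association hijack such as
#   HKCU\Software\Classes\.exe\shell\open\command = "<path>\ave.exe" /START "%1" %*
# Assumptions: PowerShell 2.0+, run as administrator. -OfflineHive is the
# NTUSER.DAT of the infected profile when working from another OS install
# (path and user name are placeholders, e.g. 'D:\Documents and Settings\Gene\NTUSER.DAT').
param(
    [string]$OfflineHive = "",
    [switch]$Remediate
)

$expectedCmd = '"%1" %*'          # clean value of exefile\shell\open\command
$mountName   = "HKU\OfflineUser"  # temporary mount point for the offline hive
$classesRoot = "HKCU:\Software\Classes"

if ($OfflineHive) {
    # The hive must not be in use, i.e. the infected OS must not be running.
    reg.exe load $mountName $OfflineHive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load hive '$OfflineHive'" }
    $classesRoot = "Registry::$mountName\Software\Classes"
}

# Keys that decide how executables and scripts are launched. A clean profile
# has none of these per user; they are inherited from HKLM\Software\Classes.
$launchKeys = @(".exe", "exefile", ".com", "comfile", ".bat", "batfile",
                ".cmd", "cmdfile", ".pif", "piffile", ".scr", "scrfile")

try {
    $hijacked = @()
    foreach ($name in $launchKeys) {
        $key = Join-Path $classesRoot $name
        if (-not (Test-Path $key)) { continue }

        $cmdKey = Join-Path $key "shell\open\command"
        $cmd = $null
        if (Test-Path $cmdKey) {
            $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
        }
        # Any per-user override other than the plain default is the hijack.
        if ($cmd -and $cmd -ne $expectedCmd) {
            Write-Warning "hijacked: $key -> $cmd"
            $hijacked += $key
        } else {
            Write-Host "present but harmless: $key"
        }
    }

    # A renamed key (like the '.exeX' in the question) still holds the
    # malicious command; treat every stray per-user '.exe*' key as a leftover.
    Get-ChildItem -Path $classesRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like ".exe*" -and $_.PSChildName -ne ".exe" } |
        ForEach-Object {
            Write-Warning "leftover key: $($_.PSPath)"
            $hijacked += $_.PSPath
        }

    if (-not $OfflineHive) {
        # Also make sure the machine-wide handler itself was not tampered with.
        # (For an offline install the SOFTWARE hive, e.g. D:\WINDOWS\system32\config\software,
        #  would have to be loaded the same way before this check means anything.)
        $hklmCmd = (Get-ItemProperty "HKLM:\Software\Classes\exefile\shell\open\command").'(default)'
        if ($hklmCmd -ne $expectedCmd) {
            Write-Warning "HKLM exefile handler is '$hklmCmd'; expected $expectedCmd"
        }
    }

    if ($Remediate) {
        foreach ($key in $hijacked) {
            # Deleting the per-user key makes HKCR fall back to the HKLM value.
            Remove-Item -Path $key -Recurse -Force
            Write-Host "removed $key"
        }
    } elseif ($hijacked.Count -gt 0) {
        Write-Host "Re-run with -Remediate to delete the keys listed above."
    }
}
finally {
    if ($OfflineHive) {
        # Release handles, then unload, or the profile may fail to load next boot.
        [gc]::Collect()
        reg.exe unload $mountName | Out-Null
    }
}
```

Run it once without `-Remediate` to see what it would delete. Cleaning the association only stops the rogue from being launched in front of every program; the binary it points at is still on disk (the Prefetch entry the asker found only records that it ran), so the file under Local Settings\Application Data still has to be located and removed, and the machine rescanned afterwards.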

Darius Ghassem

Go into Safe Mode with Networking then update the defs from there.

Here is another way to clean it up.

http://www.2-spyware.com/remove-antivirus-xp-2010.html
kevingamin

You were correct in downloading and installing Malwarebytes.  Unfortunately, Antivirus XP is blocking MB's ability to connect to the mothership and update.

My suggestion would be to go to BleepingComputer.com and follow their instructions for removing this piece of crap (http://www.bleepingcomputer.com/virus-removal/remove-xp-antivirus-2008-2009). They are very detailed in their instructions AND also give you steps for restoring your ability to go out to the web and programs so you can remove the virus.

One word of warning, though - There's no 100% guarantee that you'll be completely free of the virus. I've had many clients who've been hit by this and other similar viruses. It's been about 50/50 where I've gotten the virus off the machine without having to reformat the hard drive.  If you do get Antivirus XP off your machine, or at least get it disabled enough to get control back of your computer, IMMEDIATELY BACK UP YOUR FILES. Get a flash drive, external hard drive, or invest in an online storage/backup service like Carbonite or Mozy, but make sure you have a copy of your documents, pictures, music, and/or videos stored somewhere besides your computer.  The only way to be 100% sure that Antivirus XP is off your computer is to wipe your hard drive clean and do a fresh install of Windows.

I don't mean to be all doom and gloom, but this new breed of virus is very pervasive, as you're well aware. You should know what you're getting into and what you'll need to do to get out of it completely.
Hi, also try to install Sophos AV Client - http://www.sophos.com/support/knowledgebase/article/13251.html
It works great to remove any virus etc.
Have you tried using HijackThis? No, it's not a hacking tool.

This tool is now owned by Trend, but I used to remove extremely irritating viruses with HijackThis. The downside is that you need to know what to remove and what not to remove. You can remove viruses, Trojans or malware components from computer start-up. This will allow you to run a tool like MalwareBytes once you have restarted your computer to completely remove the virus/Trojan/malware.
A great start would be running Revo Uninstaller - this will help you disable the process that is running. Log in under administrator and in safe mode.

Gabriel Altamirano
Future Tech
ASKER CERTIFIED SOLUTION
Kruger_monkey

Superantispyware isn't one of my favorites.  However, they do offer a bootable solution that will eliminate XP Antivirus.  There are several versions of that Malware, most of which require different steps to remove them.  Malwarebytes didn't locate or eliminate the version I was dealing with.

http://www.superantispyware.com/portablescanner.html
Try a scan with Hitmanpro. It should repair the rogue proxy setting that prevents Mbam from updating.
http://www.surfright.nl/en/hitmanpro
ugeb

ASKER

Thank you everybody for all the tools you've listed.

I have a dual-boot system with win xp and win 7.  My win 7 machine is uninfected and works fine.  Not so sure about the xp.

I did as much as I could from within xp, and then booted into win 7 and have run a number of those tools from there.  However, those tools aren't finding anything.  My concern, however, is that they're not scanning my xp windows system (on drive D) like they would the active windows system (on drive C).

Is there a way to make sure these programs scan my xp windows files the way they should?

Thanks!

There are more than likely permissions on admin folders such as Users.  Windows 7 is more likely to allow scanning of secured folders for XP than it is the other way around.

Eset and Trend Micro both have good, online scanning options if nothing else will work.
Hitmanpro has to be run when the OS is live.
Try renaming the Malwarebytes executable to something else.
Renaming executables doesn't work.  I had the same problem.  I reloaded and it took much less time.  There is an exe file in Local Settings that is hidden that runs randomly and has attributes where you cannot just do a -s -r -h and remove it.  I managed to get around this but the executables still wouldn't open.  Malwarebytes didn't work and the only option I was advised of was booting to the Superantispyware program but still not sure that would work.  I recommend reloading.
There is a registry fix that BleepingComputer.com has which fixes the running executable issue.
SOLUTION
ugeb

ASKER

A huge "Thanks!" to you all for all your suggestions.  I seriously wish I could give you all max points as this question was really worth about a million points to me.

One of the things that really saved me was having a dual boot system, where win 7 was uninfected and unfettered from getting these tools.  I highly recommend having a dual boot just for this purpose alone!

Thank you again!
Gene
In addition to the other great suggestions posted; if they all fail, try creating a bootable antivirus CD. If that doesn't fix it, then you've got some serious problems. It's always good to keep one on hand at any time:
https://www.experts-exchange.com/questions/25347695/anti-infection-CD-solution.html
https://www.experts-exchange.com/articles/Storage/Misc/Creating-a-bootable-CD-USB.html