Solved

Got infected w/ malware: Antivirus XP

Posted on 2010-03-25
Medium Priority
829 Views
Last Modified: 2013-11-22
Hi,

Don't know how, but I got infected w/ a malware program masquerading as an antivirus program.  It's called Antivirus XP and mimics the native Windows Security center, and AVG.  I probably have the newest version of this malicious crap.

I couldn't launch any apps because it would always bring up that stupid app.  I looked in my registry and there were two entries in
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
(Default)                 "C:\Documents and Settings\Gene\Local Settings\Application Data\ave.exe" /START "%1" %*
IsolatedCommand     "%1" %*

I didn't know whether the .exe entry was changed or added, so I renamed it to ".exeX".  After that I was able to launch applications.  However, the bad entry remains in my registry, just renamed.

I did some searching and a program called MalwareBytes was recommended.  However, when launched it doesn't update properly, just hanging.  I do have internet access on this machine, so that's not the problem.  So the program didn't work for me.

My concern is that if I reboot, it could start up again.  I don't know which files to delete, or which entries in msconfig or wherever.  Before deleting the registry entry, I searched for ave.exe and could only find it as ave.exe****.pf  (the **** were some numbers).  However, the program still launched.

How can I delete this crap for good??

Thanks!

0
Comment
Question by:ugeb
18 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 28574610
Go into Safe Mode with Networking then update the defs from there.

Here is another way to clean it up.

http://www.2-spyware.com/remove-antivirus-xp-2010.html
0
 
LVL 1

Expert Comment

by:kevingamin
ID: 28574839
You were correct in downloading and installing Malwarebytes.  Unfortunately, Antivirus XP is blocking MB's ability to connect to the mothership and update.

My suggestion would be to go to BleepingComputer.com and follow their instructions for removing this piece of crap (http://www.bleepingcomputer.com/virus-removal/remove-xp-antivirus-2008-2009). They are very detailed in their instructions AND also give you steps for restoring your ability to go out to the web and programs so you can remove the virus.

One word of warning, though - There's no 100% guarantee that you'll be completely free of the virus. I've had many clients who've been hit by this and other similar viruses. It's been about 50/50 where I've gotten the virus off the machine without having to reformat the hard drive.  If you do get Antivirus XP off your machine, or at least get it disabled enough to get control back of your computer, IMMEDIATELY BACK UP YOUR FILES. Get a flash drive, external hard drive, or invest in an online storage/backup service like Carbonite or Mozy, but make sure you have a copy of your documents, pictures, music, and/or videos stored somewhere besides your computer.  The only way to be 100% sure that Antivirus XP is off your computer is to wipe your hard drive clean and do a fresh install of Windows.

I don't mean to be all doom and gloom, but this new breed of virus is very pervasive, as you're well aware. You should know what you're getting into and what you'll need to do to get out of it completely.
0
 
LVL 7

Expert Comment

by:Sector5
ID: 28575023
Hi, also try to install Sophos AV Client - http://www.sophos.com/support/knowledgebase/article/13251.html
It works great to remove any Virus etc.
0

 

Expert Comment

by:PEEXLE
ID: 28575318
Have you tried using HijackThis? No it’s not a hacking tool.

This tool is now owned by Trend, but I used to remove extremely irritating viruses with HijackThis. The downside is that you need to know what to remove and what not to remove. You can remove Viruses, Trojans or Malware components from computer start-up. This will allow you to run a tool like MalwareBytes once you have restarted your computer to completely remove the Virus/Trojan/Malware.
0
 

Expert Comment

by:krawl23
ID: 28575361
A great start would be running Revo Uninstaller - this will help you disable the process that is running. Log in under administrator and in safe mode.

Gabriel Altamirano
Future Tech
0
 
LVL 8

Accepted Solution

by:
Kruger_monkey earned 1600 total points
ID: 28576493
The following items will help you clean up your pc.

Download all of the following, reboot into safe mode and starting with Drweb run/install each in the order listed.  I've included links to the definitions which will overcome the lock that these things place on program updates.

http://www.freedrweb.com/cureit/?lng=en

http://www.superantispyware.com/download.html  - main application - once installed deselect automatically update definitions.  Install the file below instead.
http://www.superantispyware.com/definitions.html  - sas definitions,

http://mbam.malwarebytes.org/database/mbam-rules.exe  - malwarebytes definitions.

Between these 3 items I've been able to clean loads of infections.

Reboot into safe mode, run drweb cureit (don't worry about updates); this should pick up most of the stuff.  Reboot, and go back into safe mode, run dr web again. If the same file comes up again, make a note, you will possibly have to replace it.

Install superantispyware and its associated definitions and run a quick scan.

Again reboot and go back into safe mode.

Install malwarebytes definitions and run a scan.  After that repeat all in normal mode.  Generally after that you will be spyware free, although you may have to reset some file associations, in which case see this link.

http://www.dougknox.com/xp/file_assoc.htm

The above will hopefully help you sort out all the problems.

0
 
LVL 6

Expert Comment

by:thompsonwireless
ID: 28577768
Superantispyware isn't one of my favorites.  However, they do offer a bootable solution that will eliminate XP Antivirus.  There are several versions of that Malware, most of which require different steps to remove them.  Malwarebytes didn't locate or eliminate the version I was dealing with.

http://www.superantispyware.com/portablescanner.html
0
 
LVL 22

Expert Comment

by:optoma
ID: 28581849
Try a scan with Hitmanpro. It should repair the rogue proxy setting that prevents Mbam from updating.
http://www.surfright.nl/en/hitmanpro
0
 
LVL 11

Author Comment

by:ugeb
ID: 28693221
Thank you everybody for all the tools you've listed.

I have a dual-boot system with win xp and win 7.  My win 7 machine is uninfected and works fine.  Not so sure about the xp.

I did as much as I could from within xp, and then booted into win 7 and have run a number of those tools from there.  However, those tools aren't finding anything.  My concern, however, is that they're not scanning my xp windows system (on drive D) like they would the active windows system (on drive C).

Is there a way to make sure these programs scan my xp windows files the way they should?

Thanks!

0
 
LVL 6

Expert Comment

by:thompsonwireless
ID: 28693563
There are more than likely permissions on admin folders such as Users.  Windows 7 is more likely to allow scanning of secured folders for XP than it is the other way around.

Eset and Trend Micro both have good, online scanning options if nothing else will work.
0
 
LVL 22

Expert Comment

by:optoma
ID: 28694166
Hitmanpro has to be run when the OS is live.
0
 
LVL 2

Expert Comment

by:Dan Kennedy
ID: 28701103
Try renaming the Malwarebytes executable to something else.
0
 
LVL 6

Expert Comment

by:thompsonwireless
ID: 28701871
Renaming executables doesn't work.  I had the same problem.  I reloaded and took much less time.  There is an exe file in Local Settings that is hidden that runs randomly and has attributes where you cannot just do a -s -r -h and remove it.  I managed to get around this but the executables still wouldn't open.  Malwarebytes didn't work and the only option I was advised of was booting to the Superantispyware program but still not sure that would work.  I recommend reloading.
0
 
LVL 1

Expert Comment

by:kevingamin
ID: 28709224
There is a registry fix that BleepingComputer.com has which fixes the running executable issue.
0
 
LVL 18

Assisted Solution

by:Gary Davis
Gary Davis earned 400 total points
ID: 28710098
I got this and fixed it by killing ave.exe, running regedit (this will restart the ave.exe so kill it again). Edit the registry to fix the entries that keep starting up ave.exe. Now you can remove the hidden ave.exe and run the latest version of MalwareBytes anti-Malware.
I discuss my experiences and have removal details at my blog posting:
http://webguild.dyndns.org/Blog/archive/2010/03/18/how-i-dealt-with-an-ave.exe-virus-infection.aspx
Gary Davis - Webguild.com
0
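The question's registry listing and Gary Davis's post above describe the same mechanism: the per-user `.exe` "open" command is redirected to ave.exe, so every program launch re-runs the rogue. The script below is an added example, not code from the thread or from any of the tools it links; it audits those keys for a non-default open command, lists Run entries that point into the Local Settings\Application Data folder the question named, and with -Restore stops the process named in the thread and puts the association back. It assumes PowerShell 2.0 or later on the affected Windows install, run as an administrator; the key paths are the documented association locations (HKCU\Software\Classes\.exe and the exefile ProgID).

```powershell
# Added example (not from the thread): audit and repair the .exe file
# association hijack described in the question.  Assumes PowerShell 2.0+,
# elevated prompt, and that the rogue process is named ave.exe as reported.
param([switch]$Restore)

# Windows default "open" command for executables: run the file, pass its args.
$defaultOpen = '"%1" %*'

# Per-user overrides (HKCU) win over the machine-wide ProgID (HKLM); a clean
# profile normally has no HKCU\Software\Classes\.exe key at all.
$assocKeys = @(
    'HKCU:\Software\Classes\.exe\shell\open\command',
    'HKCU:\Software\Classes\exefile\shell\open\command',
    'HKLM:\Software\Classes\exefile\shell\open\command'
)

# Autostart locations worth checking for a loader in the user's profile.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

foreach ($key in $assocKeys) {
    if (-not (Test-Path $key)) { continue }
    $open = (Get-ItemProperty -Path $key).'(default)'
    if ($open -and ($open -ne $defaultOpen)) {
        $findings += New-Object PSObject -Property @{
            Location = $key; Value = $open; Reason = 'non-default .exe open command'
        }
    }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
        # Flag autostarts living in the per-user local data folder (XP or Vista+ path).
        if ($p.Value -match 'Local Settings\\Application Data|AppData\\Local') {
            $findings += New-Object PSObject -Property @{
                Location = "$key\$($p.Name)"; Value = $p.Value; Reason = 'Run entry in user local data'
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No .exe association hijack or suspicious Run entry found.'
} else {
    $findings | Format-Table Reason, Location, Value -AutoSize
}

if ($Restore) {
    # The rogue re-spawns when regedit is launched, so stop it immediately before editing.
    Stop-Process -Name 'ave' -Force -ErrorAction SilentlyContinue

    # Removing the per-user overrides lets the HKLM mapping take effect again.
    foreach ($key in @('HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile')) {
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    }
    # Put the machine-wide exefile command back to the Windows default.
    $hklm = 'HKLM:\Software\Classes\exefile\shell\open\command'
    if (Test-Path $hklm) { Set-ItemProperty -Path $hklm -Name '(default)' -Value $defaultOpen }

    Write-Output 'Association restored; delete the loader file and run an updated scanner next.'
}
```

Run it once without -Restore to see what it reports, then with -Restore after the rogue process is stopped. Note that restoring the association only removes the launch hook; the loader file in the profile and anything else it dropped still need to be removed by the scanners recommended above, and a reboot followed by a second audit confirms the key did not come back.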
 
LVL 15

Expert Comment

by:xmachine
ID: 28717313
0
 
LVL 11

Author Closing Comment

by:ugeb
ID: 31707143
A huge "Thanks!" to you all for all your suggestions.  I seriously wish I could give you all max points as this question was really worth about a million points to me.

One of the things that really saved me was having a dual boot system, where win 7 was uninfected and unfettered from getting these tools.  I highly recommend having a dual boot just for this purpose alone!

Thank you again!
Gene
0
 
LVL 3

Expert Comment

by:sb7785
ID: 28892289
In addition to the other great suggestions posted; if they all fail, try creating a bootable antivirus CD. If that doesn't fix it, then you've got some serious problems. It's always good to keep on hand at any time:
http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/Q_25347695.html 
http://www.experts-exchange.com/articles/Storage/Misc/Creating-a-bootable-CD-USB.html
0