Bobic said:
Who feels like being useful?
I've managed to give my computer a snazzy new virus. It seems to have a filename of ave.exe, but a search for this yielded no results. I have McAfee antivirus software and I performed a full system scan, but this doesn't seem to have worked. I googled ave.exe, but I daren't click any of the links in case they make things worse. Anyone got any ideas/dealt with this before?
First things first - McAfee is a joke at stopping spyware. Viruses? Sure, but what we generally refer to as viruses these days aren't; they're malicious software and trojans, and anti-virus software like McAfee sucks at preventing it and generally won't even see it when it's already there (if you're looking for effective anti-malware tools, try Spybot, Malwarebytes, or HijackThis). Fortunately for you, removing this crap is part of what I do for a living.
To get rid of this particular strain, I'd recommend following the directions on this page [http://www.malwarehelp.org/ave-exe-a-multiple-rogues-in-one-trojan-fakerean-2010.html]. If you'd like the technical explanation for why this is a tricky little blighter and/or want the satisfaction of yanking it out yourself, read on.
[hr]
[HEADING=3]Why malware is a pain in the ass, but usually not that hard to stop.[/HEADING]
Most malware is designed to be very annoying, and a lot of it includes countermeasures to prevent you from easily getting rid of it. Unless, that is, you can turn it off before it ever loads. See, to do anything, the nasty has to get Windows to load it somehow in the first place. With a free tool like, say, Autoruns from Microsoft's Sysinternals [http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx], you can easily focus on all the third-party software that gets called during startup, find the odd program out, and turn it off. Some malware registers DLLs and is designed to replace those registry keys if it detects you shutting it down or tampering with them, and some will link itself to processes that absolutely need to run, so you have to go through additional hoops to disentangle it, but for the most part, if it's not loading when you turn the machine on, it's sitting there inert.
I've been able to fix 90% of the malware infections I come across using nothing more than Autoruns.exe, my common sense, and the internet (to confirm my suspicions about files I didn't recognize).
This one though, is tricky - it doesn't load at startup at all. And yet, it does!
[HEADING=3]Wait, what?[/HEADING]
How's it manage that? Quite simply - it inserts itself into the code for executing .EXE files, so if you close it and launch anything else (because any application you run will be an .EXE file), it will come right back. It also adds itself into the launch keys for web browsers, even though, as executable files, they would already be launching it thanks to the .EXE keys, and turns off various functions that help prevent things like this from continuing.
The limitations, at least so far as I've seen, are that it's infecting the user-level registry keys, not the system ones - if you have two user accounts on a machine, unless they've both gotten themselves compromised, only one will be showing symptoms. What this means is you can effectively 'cure' the malware by just deleting your profile and recreating it. Should you want to avoid tossing the proverbial baby out with the bathwater, and feel you have the requisite technical aptitude, try the following:
1. Open up Task Manager (generally done via right-clicking the start menu bar and selecting Task Manager).
2. Select the Processes tab, then click to sort processes by user name (if the box to show processes from all users is not checked, check it and then do the sort). The process you're looking for will be a program started by your user account's name, not SYSTEM, and it will probably be a random file name you don't recognize. Write it down.
3. Open up the windows registry editor (via Start - Run - Regedit).
4. Close the program that looks out of place - did all your pop-ups go away and the fake toolbar notification close? That's the filename you need to search for in the registry. Wasn't the right one? Close any other suspicious filename that your user account launched.
5. Inside the Registry Editor, click Edit and then Find, then type the filename you found the malware using. You launched the Registry Editor first because anything already open cannot re-trigger the malware to launch again; it only gets opened when you launch an .EXE file.
6. For each search result you find, do not delete the key! Doing so will render your profile incapable of launching executable files any more - you have to open the key and edit out the part about launching the filename you've discovered to be bad. It will look something like this: "C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\ave.exe" /START (take a note of the full path to the nasty file, as that's where you'll need to navigate to delete it later). The keys for launching .EXEs will have a Default key and the one this application injects itself into - both should have the same values, so use that as a reference for what part isn't junk. The keys for your web browsers will have the malicious file and then the path and associated commands for the actual web browser's .EXE, so it's a lot easier to tell which part needs to be removed. Once you've cleaned a value, hit F3 to proceed to the next instance of that filename the registry editor finds, and clean those. Rinse and repeat until it tells you no more results were found.
7. Delete the malicious file and any hidden files in the same folder that share its creation date. Then get yourself some anti-spyware protection via Spybot/Malwarebytes and do some full scans, run the immunizations, etc. Just because you know this one is there doesn't mean you only have that one. There are malware apps floating around right now that are almost undetectable (or would be, if they didn't redirect search results to ad sites when you click on them from a search engine's results page).
Once you're free of the malware, get yourself a copy of a secure web browser [http://www.mozilla.com/en-US/] and put ad-blocking software [http://www.mozilla.com/en-US/] on it, and then make sure you aren't running other vulnerable software [http://secunia.com/vulnerability_scanning/online/]. Malware isn't something that 'just happens' - it relies on complacency. In the old days you were almost certainly at fault if you picked up an infection, because it meant you were trolling about the places you shouldn't be, but these days you can get malware installed just by visiting MSN.com with an unsecured Java install, without needing to be tricked into infecting yourself either (usually malware relies on social engineering - tricking clueless users into clicking OK on a box they shouldn't, generally by warning them they already have spyware and they should click that box to fix it, thereby actually infecting themselves with spyware. The really nasty stuff doesn't even need your participation; you just have to go to a site with an infected ad while running software with open vulnerabilities).
So don't be a victim, stay pro-active, and you'll be the one wondering how people keep getting all these malware infections all the time when you never even see any attempts to infect your computer.
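Added example, not from the original thread or from the malwarehelp.org write-up: a small Python script that does the value-cleaning of steps 5 and 6 mechanically, so you can check your hand edits against it. Everything location-specific in it is an assumption, not something the post states: the per-user association path HKCU\Software\Classes\<ProgID>\shell\open\command, the stock launcher '"%1" %*' used as the reference value, and the sample command strings, which are constructed in the shape the post quotes rather than captured from an infected machine. The parsing/cleaning functions run anywhere; scan_hkcu_open_commands only works on Windows and is read-only, so the actual write-back is still done in regedit as the post describes (with nothing else launched in between, for the reason given in step 5).

```python
import re
import sys

# Assumed reference value: the stock per-user .exe launcher, which the post
# says the untouched Default key carries and which a cleaned key must keep.
DEFAULT_EXE_COMMAND = '"%1" %*'

# Assumed location of per-user file associations (the "user-level registry
# keys" the post refers to); the exact path is not stated on the page.
HKCU_CLASSES = r"Software\Classes"

# A command value is a sequence of quoted paths and bare switches/placeholders.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def split_command(value):
    """Tokenise a shell\\open\\command value, keeping quoted paths whole."""
    return _TOKEN.findall(value)


def _basename(token):
    """Lower-cased file name of a (possibly quoted) path token."""
    return token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_hijacked(value, bad_name):
    """True when the first thing the command runs is the suspicious file."""
    tokens = split_command(value)
    return bool(tokens) and _basename(tokens[0]) == bad_name.lower()


def malicious_path(value, bad_name):
    """Full path of the launcher (the file to delete in step 7), or None."""
    if not is_hijacked(value, bad_name):
        return None
    return split_command(value)[0].strip('"')


def clean_command(value, bad_name):
    """Strip the launcher and its switches (e.g. /START), keeping what it wrapped.

    For a browser key that leaves the browser's own command. For the .exe key
    only the "%1" placeholder is left, so the stock launcher is restored rather
    than writing an empty or truncated value that would break .exe launching.
    """
    if not is_hijacked(value, bad_name):
        return value
    rest = split_command(value)[1:]
    while rest and rest[0].startswith("/"):
        rest.pop(0)
    if not rest or rest[0] == '"%1"':
        return DEFAULT_EXE_COMMAND
    return " ".join(rest)


def scan_hkcu_open_commands(bad_name):
    """Windows only, read-only: find hijacked shell\\open\\command values under HKCU.

    Returns {ProgID: (current_value, cleaned_value)}. Writing back is left to
    the operator, as in the post.
    """
    import winreg  # standard library, available only on Windows
    found = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, HKCU_CLASSES) as classes:
        for i in range(winreg.QueryInfoKey(classes)[0]):
            progid = winreg.EnumKey(classes, i)
            try:
                with winreg.OpenKey(classes, progid + r"\shell\open\command") as cmd:
                    value, _kind = winreg.QueryValueEx(cmd, "")
            except OSError:
                continue  # ProgID without an open verb
            if isinstance(value, str) and is_hijacked(value, bad_name):
                found[progid] = (value, clean_command(value, bad_name))
    return found


# Constructed samples in the shape the post quotes; not captured from a real machine.
SAMPLE_EXE_KEY = (r'"C:\Documents and Settings\user\Local Settings\Application Data\ave.exe"'
                  r' /START "%1"')
SAMPLE_BROWSER_KEY = (r'"C:\Documents and Settings\user\Local Settings\Application Data\ave.exe"'
                      r' /START "C:\Program Files\Mozilla Firefox\firefox.exe"')
SAMPLE_CLEAN_KEY = r'"C:\Program Files\Mozilla Firefox\firefox.exe"'


if __name__ == "__main__":
    for label, val in (("exefile", SAMPLE_EXE_KEY), ("FirefoxURL", SAMPLE_BROWSER_KEY)):
        print(f"{label}: {val}\n    -> {clean_command(val, 'ave.exe')}")
    print("delete:", malicious_path(SAMPLE_EXE_KEY, "ave.exe"))
    if sys.platform == "win32":
        for progid, (cur, new) in scan_hkcu_open_commands("ave.exe").items():
            print(f"{progid}: {cur}\n    -> {new}")
```

Run it with the filename you wrote down in step 2 in place of ave.exe. It deliberately only reports; the point is to confirm which part of each value is the junk before you touch it, and to give you the full path you will need for step 7.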