locked
ave.exe RRS feed

  • General discussion

  • Help cant get rid of ave.exe tried different spyware and anti virus always restarts when using firefox
    • Changed type JimR1Moderator Tuesday, March 23, 2010 1:26 AM
    • Moved by JimR1Moderator Tuesday, March 23, 2010 1:26 AM Off topic. Not an MSE question. (From:Microsoft Security Essentials: Scanning, Detecting, and Removing Threats)
    Sunday, March 21, 2010 10:40 PM

All replies

  • Do you the location? If not try to search it and file location, then log on to: https://www.microsoft.com/security/portal/Submission/Submit.aspx

    And submit it for analyze, if it is Malware then you should use Scanner to remove it and if it is not then you should see what is it and do some search about it.

    Monday, March 22, 2010 4:10 PM
  • I have had this as well.  I've also had av.exe, which seems to do the same thing.  It seems to block execution of *all* exe files and pops up a very official looking Microsoft window which prompts you to buy antivirus software.  Don't buy it!

    Visit: http://www.bleepingcomputer.com/startups/av.exe-24845.html for a discussion on how to get rid of av.exe.  (The very same method also gets rid of ave.exe.)  It's a little complicated, but doable.  You might have to go to another non-infected computer to get this done.

    Good luck!

    I would very much like to hear from someone at Microsoft about this malware.  I am running my very first scan with Microsoft Security Essentials.  The antimalware program I used to successfully get rid of the av.exe and the ave.exe is Malwarebytes' Anti-Malware.  The free version does not offer full-time protection nor does it update automatically, but it does allow you to update virus definitions manually and run full scans.

    Saturday, March 27, 2010 6:32 AM
  • Hi,

    I just got infected with ave.exe also.  It doesn't allow you to run any .exe as it hyjacks reg keys so that when you try to run any .exe (including windows defender) it runs itself instead.

    These are the reg keys it changesL 

    [HKEY_CLASSES_ROOT\.exe\shell\open\command]
    @="\"C:\\Users\\<MYUSERNAME>\\AppData\\Local\\ave.exe\" /START \"%1\" %*"
    "IsolatedCommand"="\"%1\" %*"

    It puts the same thing into:
    HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
    HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command

    To do a basic removal just so that I could download malwarebytes I did the following:
    (Please note: I've read that there are many versions of ave.exe so this may or may not work for you.  Also I've also read that ave.exe is often just a decoy for some other nasty trojans.

    We need to open a command prompt.  (note this will run ave.exe again if you have already terminated the ave.ex process)

    Go to task manager and kill ave.exe

    Then navigate to the folder it has installed itself to.  For me this was C:\Users\<MYUSERNAME>\AppData\Local\

    cd C:\Users\<MYUSERNAME>\AppData\Local\

    Unhide it...

    attrib -h -s ave.exe

    now Delete it....

    del ave.exe

    Remove the hyjacked registry settings....

    -------------------START removeave.reg ---------------------------
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\.exe\shell\open\command]
    @="\"%1\" %*"
    "IsolatedCommand"="\"%1\" %*"

    [HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
    @="\"%1\" %*"
    "IsolatedCommand"="\"%1\" %*"

    [HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
    @="\"%1\" %*"
    "IsolatedCommand"="\"%1\" %*"

    -------------------END removeave.reg ---------------------------

    You should then at least be able to download and run some proper anti malware removal tools.  I ran malwarebytes to finish the cleanup which reported the following:

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    The worst thing about this malware is that it got in to a 100% patched machine just by visiting a site with IE :-( A window popped up and all of a sudden my PC was infected :-(
    It also turned off Windows firewall.

    I hope this helps someone.

    Monday, April 5, 2010 2:48 PM