Wednesday, March 24, 2010

The joy of virus infection (ave.exe)

*If you are plagued with this infection yourself, you may wish to skip to the fix at the bottom, apply it to your computer, make a cup of coffee and then return to read the rest.

A cute story

I've never used any Anti-Virus software on any of my home computers in my life. Why? They're usually bloated, resource-hungry hogs. They basically slow down my computer. At least that's what I tell my friends when they ask me why I don't wear protection. That, and the fact that viruses are hard to get nowadays - if you go about your internet business with just a tiny bit of common sense. You'd almost have to WANT to get a virus in order to get one, by clicking on some ridiculous spam mail or popups from shady sites.

Yesterday, two things changed: First, I realized I was wrong on the last assumption. You can in fact acquire a virus without being especially reckless. A masters degree in computer science and 18 years of Internet usage experience does definitely not make you immune. Second, I started to realize there might be another, subconscious reason for me wanting to ride the Internet bareback:

It's actually quite fun getting a virus :-)

Ok, not if they do permanent damage, but if you battle them and conquer, there's nothing more satisfying for an IT-geek than ridding a computer of an infection by using his wits and hard-acquired skills through years of late night hacking. To this date I still tell fellow geeks about my thrill of discovering that someone had been using my computer at college to distribute Dutch porn for nine months without me noticing. When I finally discovered the FTP and their file cache of .MPG files in C:\System Volume Information I was extatic. The ingeniousness! You couldn't browse that folder in Explorer! Had to revert to command line navigating to get to the files. Got to respect their cunning :-) The FTP server itself was of course also camouflaged as a non-descriptive service on a weird port. It was the network traffic that gave it away in the end. A tool like Netlimiter proved to be golden. Anyway, the last laugh was of course on me when I changed the FTP logon screen to taunt the next guys who tried to log in and of course disabling any up/download features.

"Win7 antivirus firewall alert"!

Well that was then, some six-seven years ago. My computer life has been infectious-free and healthy since then. Until yesterday. I was going about my regular internet business of diverse forum browsing when suddenly both Internet Explorer and Firefox shut down and some legit-looking popups appeard, telling me I'd just been protected from a possible virus infection. Legit-looking, I say, because they were infact designed in such a way that I initially thought they might be from Microsoft. But it didn't take long until I got suspicious. Here's a couple of screen shots:


Actually I stole these screenshots from Gary Davis' blog (please don't sue me), who obviously have had the same problem as me, because I forgot to save the screenshots that I actually DID remember to take myself :-). These screenshots differ in that the header says "Vista", while mine said something about "Win 7 Antivirus firewall alert". For the record, I run Windows 7 build 7600

As you can see the design of the windows and popups are pretty well done, resembling something Microsoft could do. A couple of things that made me suspicous was the fact that I'd never heard of an anti-virus software from Microsoft, secondly, wouldn't they use the full name of the OS, "Windows 7", and not "Win7"? But I wasn't convinced just yet. After all I'm still pretty new to Windows 7, and who knows what Microsoft is up to. So my first thought is of course to do some Googling. I reopened Internet Explorer but of course the home page is replaced with more security warnings and any attempt to navigate lead me to a page selling activation for the "Anti virus software" on my desktop. At this point I'm sure I'm dealing with a browser hijack and/or virus. Luckily I've got a laptop within sliding distance of my office chair so I fire it up.

My initial Googling wasn't very successful. "Win7 antivirus firewall" gave links to legit antivirus software and googling on
Trojan-BNK.Win32.Keylogger.gen gave me links to removal tips of what is probably a real worm. My next move was to open the hijacked home page in IE and look at the source code to find out the URL of the home page (the address bar was removed by the script). I soon found a link to security-pccare2010.com, which I in turn googled and up came a Danish article, which I'm fortunately able to read, being Norwegian. From that article I read that I was dealing with a program that had installed itself in my user folder with the name "ave.exe". Now I was on the right track. I killed the running ave.exe process, deleted it from disk and rebooted my computer. Home safe?

Not even close :( Trying to open Internet Explorer after the reboot gave me the following error message:


Can't open.exe files... Are you kidding me? I tried Firefox. No deal. Explorer.exe? Nope! Notepad, paint, regedit, cmd.exe?? Negative! Windows was actually unable to launch ANY .exe file on my entire computer. At this point I almost freaked out and was almost certain this would lead to a complete reinstall of my OS. How do Microsoft allow this to happen? Why is the file association for .exe overridable? Oh well, I wasn't quite ready to give up but I had to find a way to run programs. The solution was pretty simple. When the popup came, I chose "Select a program from a list of installed programs" and selected "explorer.exe" to open "explorer.exe". Smart, huh? :)

Now I was able to work again. The Danish article gave me a couple of new keywords to google for: "ave.exe" lead me to this forum post. Reading that thread I was encouraged to try PC Tools Spyware Doctor, and that tool helped me further:


..but of course, I had to buy a registered version for the tool to remove the remains of the virus. But since the tool gave away the rogue registry keys, I thought maybe I could fix it myself. So I tried to launch regedit with my newfound .exe-launch-method, and there came a new smack in my face: When you launch regedit.exe with regedit.exe, "regedit.exe" is passed as a command line parameter (you following?). What does regedit do with command line arguments? It tries to parse them as .reg change scripts - and when it fails, it simply shuts down. Yes, I couldn't start regedit, but I wasn't giving up now. I went back to my laptop and actually hand-crafted two .reg files that were to remove and restore the registry keys. Yes - I punched the hideous number sequence in the topmost key by hand. Sliding the .reg files back to my infected computer through a USB stick I was finally able to launch and modify the registry. And you know what? It worked!! :-))

The satisfaction of cleaning up after that messy virus/hijack was greater than the best sex and more adrenalin-fuelling than climbing Mount Everest ten times in a day. Well, not really, but it was quite satisfying :-) So will I install Anti-virus software now? Of course not. But I wouldn't mind waiting a few months for the next challenge. :-)

The fix

update (march 26):You might want to download the .reg files in step 2 and 3 and launch explorer.exe before you delete the .exe file in step 1, or else you'll have trouble starting both IE and explorer on the infected machine

1. Kill the process ave.exe. If you can't find it with regular task manager, try Process Explorer

2. Delete %LOCALAPPDATA%\ave.exe. Or maybe it was %Documents and Settings%\%YourUserName%\Local Settings\Application Data\ave.exe as the Danish article says. I don't remember because... well... I deleted the file :P Note: It is a hidden system file. You must enable explorer to show system files, alternatively run a command shell and type "attrib -h -s ave.exe" in the correct folder before deleting it.

3. Download and run fix_exe.reg. This deletes the registry key that messed up the .exe file association.

4. Download and run fix_ie.reg. This restores the shell open command in Internet Explorer.

23 comments:

  1. i was infected with this on mar 23rd at 310 pm pst.I have Trend Micro internet security installed and updated and the bastard still got thru.trend micro helped me remove it. but wait it came back today! either it was never removed completely or possibly it wasreactivated through my other user account.Trend micro is helping me with it now. this is avery annoying malicious virus that takes control of your browser.thanks for tips and story.

    ReplyDelete
  2. I just got this virus. Even after deleting ave.exe (from windows\prefecth folder) it keeps coming back. Still searching for its real location.

    ReplyDelete
  3. I didn't have any problem with it reappearing. Make sure you've killed the processes before you delete the file. I couldn't see it with Task manager - do you guys use Process Explorer?

    ReplyDelete
  4. I discovered this article when a friend worriedly brought in a Vista machine which said it had loads of viruses.

    Like you, I thought it all looked legit (you have to admire the effort they put in - even the popups are annoying), but the thing which set me off was the fact that they were asking me to register to remove the viruses it had found (odd). So with the network cable safely disconnected, I went to register to see what site they were directing me to (security-pccare2010.com) and lo and behold I get this article as one of the results :)

    Before I start playing around with the registry I'm gonna try installing kaspersky. Yes it's bloated, annoying and horrible, but it does catch a lot of stuff the free AV's tend to miss.

    I have opened up msconfig on the off-chance I might find stuff inserted into the startup items in the registry and disabled one or two things to see if this does anything...

    Anyway, thanks for your article! :)

    ReplyDelete
  5. Wow - msconfig was new to me. Why didn't I know of this tool like years ago :-) Thanks for your comment, and yes - I'm sure several (REAL) anti-virus tools can remove this aswell like both you and the first commenter here pointed out. Maybe they do a better job aswell. I'm still not 100% sure I've gotten everything cleaned up, even though my computer now acts normal (which is a scary thought). Please tell if you discover anything suspicous.

    ReplyDelete
  6. Hi
    I have this on my computer at the moment, but don't understand what you're meant to do in steps 3 and 4, can you please elaborate?

    ReplyDelete
  7. .REG-files are instructions/script for Regedit.exe . Double-click on them from explorer or simply click on "run" when you download the files.

    You should get a messagebox saying "The keys and values contained in (...) have been successully added to the registry".

    ReplyDelete
  8. Ok update...I did a full system scan in mcafee while the computer was in safe mode, then turned off the computer, and upon restarting it appears to have gone, well sort of. There was a pop up or two of programs that were trying to run that I promptly closed, but aside from that there appears to be no sign of it...I'm erring on the side of caution and remaining vigilant, assuming its not finished with me yet, but am currently doing a system restore with fingers crossed, with a bit of luck it may have been defeated :)

    ReplyDelete
  9. Oh sorry didn't see your previous post, cheers

    ReplyDelete
  10. K sorry if I'm being a bit dense here, but I still don't really know what to do with them. I've got regedit open on the infected computer and am on the internet on a different one. When I click the link it simply opens a new browser tab with text in it, and I'm not really sure what to do with them. In other words, it doesn't download anything when I click the link, so don't have anything to run.

    ReplyDelete
  11. Ok that problem is solved, the registry files wouldnt run because I was trying to open them on my girlfriends laptop who uses google chrome...doh!!

    ReplyDelete
  12. I think I may be ok now, the major problem that still remained has been fixed. This was that McAfee had lots of issues with virus scanning and other things. It seems that the virus managed to delete part of McAfee that enables new file scanning, but an update solved that fairly easily. I'm still not convinced its completely gone, but am fairly happy for now, thanks for the help (and also sorry for attacking your blog with about 10 comments!!)

    ReplyDelete
  13. Actually one more thing I wanted to ask. Im not sure if this is related or not (though is an odd coincidence if it isnt), but upon restarting after the system restore there was a file download warning of a file with the name dnserrordiagoff_webOC, which is from ieframe.dll. I just wasn't sure whether to trust this since the virus did attack internet explorer, so figured it could be still doing so, but at the same time, could be healing itself...any ideas?

    ReplyDelete
  14. Your information is very helpful! Thanks. I finally killed the virus. I also found that Kaspersky was able to fix this virus while AVG was not.
    However I have one more problem. One of the user accounts is messed up. From this account I cannot launch any programs from their icons. e.g. Word won;t run. But if I click on a word doc, it launches theapplication fine.
    How do I fix this issue?

    ReplyDelete
  15. I should have stated that when I click on the icons, I get Error message "Application Not Found"/ Application is there! I can also run these fine from other user accounts. That means this specific account has some issues.

    ReplyDelete
  16. That's what step #3 is supposed to fix. You need to run fix_exe.reg when logged in as the user with the problem. Since you can't even start explorer, you'll probably have to click the start button and punch in the file path to the .reg file in the search field and launch it that way.

    ReplyDelete
  17. oh yes, I did steps 3 and 4. Those completed. But I still get this problem :(.
    Internet explorer was working (and is still working) but other applications won't launch when I click on the applications or try from the start menu

    However these applications launch when I open files previously savedin those applications.

    ReplyDelete
  18. From the start menu, I also cannot run "Control Panel", "set Program Access/Defaults). Also start-->run--> msconfig won't run.
    C:\windows\I386\REGEDIT.EXE won't run.

    ReplyDelete
  19. I literally JUST finished removing this same monster from my own computer not 10 minutes or so ago. I came here, trying to find out if the horrible nasty did any lasting damage, or if it really is just "Ransomware", as it appears.

    I removed the ave.exe file (just as you did), but I did manage to get regedit to work.

    The "trick"? Go into your Windows folder and find regedit.exe. Right click and select "start". I'm not computer-savvy enough to know WHY this worked, but this opened regedit for me just fine (when using the run command did not).

    At that point, I manually fixed a few registry entries.

    HKEY_CLASSES_ROOT\.exe, selected the Default, modified it. The virus had written "secfile" where "exefile" (no quotes!) ought to have been. (This is what the virus was using to basically disable running exe files.)

    Then I did a registry search for ave.exe and removed the two results I found related.

    I haven't had a problem so far. (I have rebooted, and tested out three different browsers. Ran a few registry scans, two 'ware removal programs, and my virus scanner, just to be sure.)

    By the way: Having anti-virus protection, even having script running turned off did not stop this "ransomware" from putting itself onto my computer.

    ReplyDelete
  20. I am regularly being infected by this virus. Seems to be hidden in some web pages (adverts?) so when you are quietly minding your own business you are suddenly ambushed by this nasty program.

    Getting used to the delete process but it must be lurking somewhere or has left a port open so it can reappear.

    I run ZoneAlarm and Sophos and thought I was safe... not so!

    ReplyDelete
  21. I'm curious. I've had this virus twice. Its been on two computers that were protected by anti-virus software. Both times I hadn't been doing anything other than Facebook. A lot of people use facebook and a good portion of them don't get this virus. Where does this come from? How does it get on your computer?

    ReplyDelete
  22. Anonymous 11:27: I'd like to know that aswell. Scary that this virus is spread through facebook. Probalby through one of the adds or an app, but it shouldn't be possible. What browser and version are you using? I was using both Firefox 3.0.5 and IE8 at the time of infection, and I'm not sure from which of the sites/browsers the infection stems.

    ReplyDelete