Comments on Frode Nilsen's Techblog: The joy of virus infection (ave.exe)
Comment feed last updated 2023-11-16

Frode Nilsen (2010-04-06 02:44 -07:00):
Anonymous 11:27: I'd like to know that as well. Scary that this virus is spread through Facebook. Probably through one of the ads or an app, but it shouldn't be possible. What browser and version are you using? I was using both Firefox 3.0.5 and IE8 at the time of infection, and I'm not sure from which of the sites/browsers the infection stems.

Anonymous (2010-04-05 23:12 -07:00):
I'm curious. I've had this virus twice. It's been on two computers that were protected by anti-virus software. Both times I hadn't been doing anything other than Facebook. A lot of people use Facebook and a good portion of them don't get this virus. Where does this come from? How does it get on your computer?

Rick (2010-04-03 11:27 -07:00):
I am regularly being infected by this virus. Seems to be hidden in some web pages (adverts?) so when you are quietly minding your own business you are suddenly ambushed by this nasty program.

Getting used to the delete process but it must be lurking somewhere or has left a port open so it can reappear.

I run ZoneAlarm and Sophos and thought I was safe... not so!

Jenna (2010-03-30 15:23 -07:00):
I literally JUST finished removing this same monster from my own computer not 10 minutes or so ago. I came here, trying to find out if the horrible nasty did any lasting damage, or if it really is just "Ransomware", as it appears.

I removed the ave.exe file (just as you did), but I did manage to get regedit to work.

The "trick"? Go into your Windows folder and find regedit.exe. Right click and select "start". I'm not computer-savvy enough to know WHY this worked, but this opened regedit for me just fine (when using the run command did not).

At that point, I manually fixed a few registry entries.

HKEY_CLASSES_ROOT\.exe, selected the Default, modified it. The virus had written "secfile" where "exefile" (no quotes!) ought to have been. (This is what the virus was using to basically disable running exe files.)

Then I did a registry search for ave.exe and removed the two results I found related.

I haven't had a problem so far. (I have rebooted, and tested out three different browsers. Ran a few registry scans, two 'ware removal programs, and my virus scanner, just to be sure.)

By the way: Having anti-virus protection, even having script running turned off did not stop this "ransomware" from putting itself onto my computer.

Anonymous (2010-03-27 07:42 -07:00):
From the start menu, I also cannot run "Control Panel", "set Program Access/Defaults". Also start-->run--> msconfig won't run.
C:\windows\I386\REGEDIT.EXE won't run.

Anonymous (2010-03-27 07:30 -07:00):
Oh yes, I did steps 3 and 4. Those completed. But I still get this problem :(.
Internet Explorer was working (and is still working) but other applications won't launch when I click on the applications or try from the start menu.

However these applications launch when I open files previously saved in those applications.

Frode Nilsen (2010-03-27 02:54 -07:00):
That's what step #3 is supposed to fix. You need to run fix_exe.reg when logged in as the user with the problem. Since you can't even start explorer, you'll probably have to click the start button and punch in the file path to the .reg file in the search field and launch it that way.

Anonymous (2010-03-26 20:58 -07:00):
I should have stated that when I click on the icons, I get the error message "Application Not Found". The application is there! I can also run these fine from other user accounts. That means this specific account has some issues.

Anonymous (2010-03-26 20:25 -07:00):
Your information is very helpful! Thanks. I finally killed the virus. I also found that Kaspersky was able to fix this virus while AVG was not.
However I have one more problem. One of the user accounts is messed up. From this account I cannot launch any programs from their icons, e.g. Word won't run. But if I click on a Word doc, it launches the application fine.
How do I fix this issue?

Anonymous (2010-03-26 14:56 -07:00):
Actually one more thing I wanted to ask. I'm not sure if this is related or not (though it is an odd coincidence if it isn't), but upon restarting after the system restore there was a file download warning of a file with the name dnserrordiagoff_webOC, which is from ieframe.dll. I just wasn't sure whether to trust this since the virus did attack Internet Explorer, so figured it could be still doing so, but at the same time, could be healing itself... any ideas?

Anonymous (2010-03-26 14:48 -07:00):
I think I may be ok now, the major problem that still remained has been fixed. This was that McAfee had lots of issues with virus scanning and other things. It seems that the virus managed to delete part of McAfee that enables new file scanning, but an update solved that fairly easily. I'm still not convinced it's completely gone, but am fairly happy for now, thanks for the help (and also sorry for attacking your blog with about 10 comments!!)

Frode Nilsen (2010-03-26 14:44 -07:00):
Good to hear! :)

Anonymous (2010-03-26 14:34 -07:00):
Ok that problem is solved, the registry files wouldn't run because I was trying to open them on my girlfriend's laptop who uses Google Chrome... doh!!

Anonymous (2010-03-26 14:29 -07:00):
K sorry if I'm being a bit dense here, but I still don't really know what to do with them. I've got regedit open on the infected computer and am on the internet on a different one. When I click the link it simply opens a new browser tab with text in it, and I'm not really sure what to do with them. In other words, it doesn't download anything when I click the link, so I don't have anything to run.

Anonymous (2010-03-26 14:23 -07:00):
Oh sorry, didn't see your previous post, cheers.

Anonymous (2010-03-26 14:18 -07:00):
Ok update... I did a full system scan in McAfee while the computer was in safe mode, then turned off the computer, and upon restarting it appears to have gone, well sort of. There was a pop up or two of programs that were trying to run that I promptly closed, but aside from that there appears to be no sign of it... I'm erring on the side of caution and remaining vigilant, assuming it's not finished with me yet, but am currently doing a system restore with fingers crossed, with a bit of luck it may have been defeated :)

Frode Nilsen (2010-03-26 14:15 -07:00):
.REG files are instructions/scripts for Regedit.exe. Double-click on them from Explorer or simply click on "run" when you download the files.

You should get a message box saying "The keys and values contained in (...) have been successfully added to the registry".

Anonymous (2010-03-26 13:38 -07:00):
Hi
I have this on my computer at the moment, but don't understand what you're meant to do in steps 3 and 4, can you please elaborate?

Frode Nilsen (2010-03-26 08:34 -07:00):
Wow - msconfig was new to me. Why didn't I know of this tool like years ago :-) Thanks for your comment, and yes - I'm sure several (REAL) anti-virus tools can remove this as well, like both you and the first commenter here pointed out. Maybe they do a better job as well. I'm still not 100% sure I've gotten everything cleaned up, even though my computer now acts normal (which is a scary thought). Please tell if you discover anything suspicious.

Anonymous (2010-03-26 02:59 -07:00):
I discovered this article when a friend worriedly brought in a Vista machine which said it had loads of viruses.

Like you, I thought it all looked legit (you have to admire the effort they put in - even the popups are annoying), but the thing which set me off was the fact that they were asking me to register to remove the viruses it had found (odd). So with the network cable safely disconnected, I went to register to see what site they were directing me to (security-pccare2010.com) and lo and behold I get this article as one of the results :)

Before I start playing around with the registry I'm gonna try installing Kaspersky. Yes it's bloated, annoying and horrible, but it does catch a lot of stuff the free AVs tend to miss.

I have opened up msconfig on the off-chance I might find stuff inserted into the startup items in the registry and disabled one or two things to see if this does anything...

Anyway, thanks for your article! :)

Frode Nilsen (2010-03-26 02:08 -07:00):
I didn't have any problem with it reappearing. Make sure you've killed the processes before you delete the file. I couldn't see it with Task Manager - do you guys use Process Explorer?

Anonymous (2010-03-25 22:19 -07:00):
I just got this virus. Even after deleting ave.exe (from the windows\prefetch folder) it keeps coming back. Still searching for its real location.

Anonymous (2010-03-25 11:22 -07:00):
I was infected with this on Mar 23rd at 3:10 pm PST. I have Trend Micro Internet Security installed and updated and the bastard still got thru. Trend Micro helped me remove it. But wait, it came back today! Either it was never removed completely or possibly it was reactivated through my other user account. Trend Micro is helping me with it now. This is a very annoying malicious virus that takes control of your browser. Thanks for the tips and story.