3/30/2010

Non-WoW: ave.exe virus. Conquered!

I have anti-virus protection. I have it turned on high, I even have scripts disabled in both of my browsers. (I use Firefox mainly, but also IE from time to time.) This, however, doesn't always stop you from picking up filth from traveling the intertubes.

Today, while looking for a simple subtitle file, I picked up "ave.exe" - a nasty piece of work that is essentially "Ransomware". It shuts down your computer's functionality by stopping you from running ANY .exe files. If you try to open your browser, it greets you with a very Official Looking window saying that your computer has a Trojan and OMGRITENAO you have to register (read: buy) this program to SAVE YOURSELF!

If you know even a little about the internet, you SHOULD know to never never never never never NEVER (got it? NEVER!) trust a popup that says "You are infected, click here for a free scan/download/help". N-E-V-E-R.

Still, ave.exe (and whatever other incarnations it has) just kind of... puts itself in before there's much of anything you can do about it.

As we all learned from the Guide: DON'T PANIC!

First, you have to KILL THE APPLICATION. Ctrl-alt-delete and "End Process" on ave.exe. Then search your hard drive for it. Where you find it, you'll find a .dll created/modified at almost the exact same time. Delete them both.

(If you are looking at this, chances are good that you either kept your browser open, or have figured out how to reopen it. If this is pre-emptive info for you - after you've deleted the ave.exe folder, the .exe disabling continues. When you select your browser, Windows will ask "what program do you want to open this with?" Select the browser program. I couldn't do this with IE without it getting weird, but Firefox was delightfully successful, even though I had to "browse" to find the firefox.exe in my Mozilla folder.)

Here's where you get into doing exactly what is written and nothing more.

Find your regedit.exe file. Typically, this is in your Windows folder on your main drive. But, when in doubt... Search! DO NOT DOUBLE CLICK ON IT!

Instead, right click on regedit.exe. Select "start" (yes, lowercase s) from the menu. THIS will open your registry for editing.

In the registry you will do 2 things.

Ctrl-F opens "Find". In the box, enter ave.exe. Delete everything you find.

WARNING: You will find entries in your search that are not "ave.exe", but CONTAIN "ave.exe" (An example would be SCREENSAVE.EXE.) Don't delete those.

(Basically, once the program hatched, it changed the open command for .exe files so that Windows tries to launch any .exe you click THROUGH ave.exe - once you deleted ave.exe, you screwed up its plans. Now you just need to clean up after it.)

Return to the top of the Registry menu (the folders on your left).
Expand HKEY_CLASSES_ROOT and go down to the .exe folder. In the right hand area you will see "(Default)". Right click, select "Modify".

In the Value Data line of the box that will pop up, you may find "secfile" or something else. It doesn't matter what it says. Make it say "exefile" (no quotation marks!).

Close your registry.

THIS should have successfully cleared your machine of this nasty little thing.
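As an added check that is not part of the original post: the PowerShell script below inspects the same registry locations the steps above edit (HKEY_CLASSES_ROOT\.exe and the open command its ProgID points to) and reports anything other than the stock "exefile" association; it also looks at the per-user copy under HKEY_CURRENT_USER\Software\Classes, which takes precedence over HKEY_CLASSES_ROOT. It assumes ave.exe has already been killed (powershell.exe is itself an .exe the hijack would try to route through ave.exe) and that the -Repair switch is run from an elevated prompt, since writing HKEY_CLASSES_ROOT needs administrator rights.

```powershell
# Added audit script, not from the original post. Read-only by default;
# -Repair puts back the stock association the post describes (exefile, "%1" %*).
param([switch]$Repair)

$ExpectedProgId  = 'exefile'
$ExpectedCommand = '"%1" %*'   # stock open command for exefile on a clean Windows install

# Reads a key's (Default) value, or $null when the key does not exist.
function Get-DefaultValue([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
}

$findings = @()

# Per-user Classes (HKCU) override HKEY_CLASSES_ROOT, so both places are checked.
foreach ($hive in 'HKEY_CLASSES_ROOT', 'HKEY_CURRENT_USER\Software\Classes') {
    $assocKey = "Registry::$hive\.exe"
    $progId   = Get-DefaultValue $assocKey
    if (-not $progId) { continue }   # no per-user override present, nothing to check

    if ($progId -ne $ExpectedProgId) {
        # .exe points at something else (the post saw "secfile"); show what that ProgID runs.
        $findings += "$hive\.exe (Default) is '$progId', expected '$ExpectedProgId'"
        $hijackCmd = Get-DefaultValue "Registry::$hive\$progId\shell\open\command"
        if ($hijackCmd) { $findings += "$hive\$progId\shell\open\command runs: $hijackCmd" }
        if ($Repair) { Set-ItemProperty -LiteralPath $assocKey -Name '(default)' -Value $ExpectedProgId }
    }

    # Even when .exe still points at exefile, make sure exefile's own command was not edited.
    $exeCmdKey = "Registry::$hive\exefile\shell\open\command"
    $exeCmd    = Get-DefaultValue $exeCmdKey
    if ($exeCmd -and $exeCmd -ne $ExpectedCommand) {
        $findings += "$hive\exefile open command is '$exeCmd', expected '$ExpectedCommand'"
        if ($Repair) { Set-ItemProperty -LiteralPath $exeCmdKey -Name '(default)' -Value $ExpectedCommand }
    }
}

if ($findings.Count -eq 0) {
    'OK: .exe association points at exefile with the stock open command.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
    if ($Repair) { 'Repair applied; re-run without -Repair to confirm.' }
}
```

Any FINDING line that names ave.exe, or a ProgID other than exefile, means the cleanup in the steps above is not finished yet.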

I suggest a reboot, and then you may want to take some time to show your computer some love with some thorough scanning and cleaning with the cleaners/scanners of your choice. (I recommend going through CNET.com for these needs, to reduce risk of going to a fake scanner site.)

1 comment:

Sok said...

While here at my local Winchester (re: Shaun of the Dead), someone came up to me and asked me about something very similar, mistaking me for someone competent with computers. I sent them this writeup rather than feigning competence.

In short: thanks!
