Virus Removal Guru

Total XP Security (TotalXPSecurity) Virus Removal Guide | Virus Removal Guru March 16th, 2010 at 4:59 pm

[...] XP Security is a clone of Total Vista Security. The following programs are also similar to Total XP [...]

mark March 17th, 2010 at 4:51 am

Re: Ave.exe
I was able to (1) stop the process, (2) locate and delete the file here C:\Users\[username]\AppData\Local\ave.exe . I was unable to open regedit.exe, or any other program, other than this work-around method.
Press CTRL-ALT-DEL and open Task Manager. Once there, click File, then hold down the CTRL key and click New Task (Run). This will open a Command Prompt window. Enter REGEDIT.EXE and press Enter.
However, I was unable to locate any registry entries noted above associated with Total Vista Security or any of the related names associated with this pest.
I entered msconfig with the above work-around, rebooted in diagnostic mode, but still was unable to get regedit.exe to open other than the above work-around and STILL unable to locate any entries that could help.
I also attempted to start STOPzilla that was downloaded to a thumb drive. That program, like every other program, merely opened the “Choose the program you want to use to open the file” box.
I am at a loss.

AVE.exe Virus Removal | Virus Removal Guru March 18th, 2010 at 9:09 pm

[...] programs are clones of each other. For removal help with AV.exe, please click here to view our official guide to remove Total Vista [...]

XP Security Tool 2010 (XPSecurityTool2010) Virus Removal Guide | Virus Removal Guru March 18th, 2010 at 11:36 pm

[...] Security Tool 2010 is a copy of Total XP Security, which is also a rogue security application. The following programs are also similar to XP Security [...]

XP Smart Security 2010 (XPSmartSecurity2010) Virus Removal Guide | Virus Removal Guru March 19th, 2010 at 4:14 am

[...] Smart Security 2010 is a clone of Total XP Security. The following programs are also similar to XP Smart Security [...]

Dr VC March 20th, 2010 at 2:02 am

I was able to get rid of the Total Vista Security maware/trojan and clean up the registry successfully… Here is what I did in addition to what’s indicated in the above article:

I was able to see ave.exe process in the Task Manager and right-click on it to “Open File Location” but did not see the file since it is hidden. I was somehow not able to see this file even after I turned on View Hidden/System files option in file explorer on Vista…

To find and delete ave.exe and related files, I then opened a DOS window (”cmd” command from Start-Run menu), went to the directory for infected user as stated in the above article:

C:\> CD C:\Documents and Settings\[username]\Local Settings\Application Data\

Then, I executed the following command to list all files with Attribute=Hidden and ordered by date:
DIR/AH/OD

There are multiple files – avs.exe, a dll file with a number in its name, and one or more additional files that are downloaded after avs.exe (based on file date). I deleted them all after killing the avs.exe process tree in the Task Manager.

Then I looked for avs*.* and found it in C:\WINDOWS\Prefetch directorty as stated in malwarehelp.org url listed below.

Then I opened regedit, saved/exported a backup file, and searched for avs.exe. I corrected each entry (removed “C:/../avs.exe /Start” etc from each entry. This requires knowledge of regedit file syntax. You can also use the regedit script provided on the malwarehelp.org site indicated below but it will likely not fix all registry entries modified to include avs.exe.

Thereafter, I ran my anti-virus software (AVG) – which was not able to catch this trojan! – to ensure I do not have any other problems and rebooted…

In addition to virusremovalguru, I found the following two sites to be very valuable:

http://www.malwarehelp.org/ave-exe-a-multiple-rogues-in-one-trojan-fakerean-2010.html

Microsoft:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fFakeRean

Vista AntiMalware 2010 (VistaAntiMalware2010) Virus Removal Guide | Virus Removal Guru March 23rd, 2010 at 3:41 am

[...] program generally infects systems running Windows Vista. Vista AntiMalware 2010 is a clone of Total Vista Security. The following fake antivirus programs are also similar to Vista AntiMalware [...]

Vista Smart Security 2010 (VistaSmartSecurity2010) Virus Removal Guide | Virus Removal Guru March 24th, 2010 at 4:45 am

[...] 2010 generally infects systems running Windows Vista. Vista Smart Security 2010 is a clone of Total Vista Security. The following fake antivirus programs are also similar to Vista Smart Security [...]

Vinnie March 26th, 2010 at 3:27 am

I had the same problem of ave.exe as well. After cleaning it, there is still a novavapps.exe which I suspect is a virus. There are no details available online on how to clean this. It is in the startup folder and I am unable to delete it or remove it from startup. Any suggestions?

TwoHawks March 27th, 2010 at 7:16 pm

Followup… it came back. I discovered a file I cannot identify that I think ave may be responsibel for…

I found a file named: OgDbc43wei.dll in 4 directories, as follows:
C:\Documents and settings\\…
– Local Settings\Application Data
– Local Settings\Temp
– \Templates
C:\Documents and settings\All Users\Application Data

I am uncertain if its for sure related to ave.exe, but it was the only thing with the same time/date stamp as ave that I found after the reinfection suddenly occured, and so there was no reason for it to exist (because I had not installed anything for some time ;^).

There you go. What I want to find otu is how to protect against getting it !

==========================
Oh yeah, one more thing… you can get around the block against launching stuff if you use the dialog that pops up (once you have deleted the ave.exe) for navigating to the item you wish to launch (cmd.exe, regedit.exe, etc) for cleaning up the registry or whatever.

Cheers.

TwoHawks March 29th, 2010 at 2:12 am

HIT AGAIN! HERE’s HOW I AM STOPPING IT…

First though… I ran lengthy tests today at a known site that is downloading this onto my PC. Let me just warn you, if you try to get smart and block “all” the places where this installs, in the end it will simply do an end-run around your stops and write directly to the registry and do its buggery.

What’s interesting to note is that when I stopped it from depositing files in the “usual” places, it started depositing files in “other” places, but I could stop it before it had chance to do anything each time.
As I kept stopping it, it would find new places to work, until finally I guess it ran out of options…, once I plugged all the places, the next time it ran it simply shut off my firewall, wrote to my registry, and launched its ugly little self… oh, and then it invented a new kind of file to save for repoisoning later !

HERE’s WHAT I AM USING TO “HANDLE” IT FOR FREE:
I installed Spyware Terminator and custom set it up running –>>
– Realtime Protection in Advanced mode
– HIPS Enabled on High
– Did not bother turning on WebShield (because I want to keep resource usage to a minimum).

…It starts setting up a “white list” of what I am running, so it takes a bit of time for prompts you need to answer to settle down.

What’s nice is if anything trys to install or run in the background (or not on your white list) it pauses that process and alerts me, providing options what to do.

With AVE.EXE, it stops it’s host rogue-initializer before it has a chance to bugger things up… while it is holding the thing on pause I can –>>
– go to Temp Directory where the initial ‘thing’ launches (always a different name) that is trying to deposit and setup AVE.exe and family members,
…And Select to Delete the process (but you cannot just yet)
– launch task manager and kill the thing (but it won’t go away just yet)
– Click Deny on the Spyware Terminator prompt
– Kill the process again
– then Delete It in the Temp folder

OR Something along those lines.

Once you get that initializer stopped, then all you need to do is go cleanup files it began installing …but they do not get a chance to run, and the registry remains untouched.

———-
Spyware Terminator is running on about 11mB of Ram in the background, using almost no CPU cycles until it “sees” something.

I do not work for, neither have any affiliation with ST. I was just looking around for something I didn’t have to pay for that would monitor for me without imposing too much on my browser installations or my system.

THANKS FOR THE SITE AND A PLACE TO SHARE.

HAPPY HUNTING!

TwoHawks March 30th, 2010 at 4:09 am

Spyware Terminator version 2.6 has a conflict with Java. Just found out today. Find Version 2.3 instead… its working fine. ST is working on the problem. You can followup in their forum.
Cheers, TwoHawks

Catzilla April 17th, 2010 at 9:28 pm

I caught this while surfing with Firefox. It shut down my Firefox and went into the system tray. I didn’t let it do anything and opened the task manager and shut it down. The file was “ave.exe”.

Next thing I did was do a search for the file and deleted it from both the hard drive and from the recycle bin.

This thing messes up your .exe associations so a lot of your programs won’t run. I was able to right click an application and choose “start” from the menu. This worked to get me back to the internet.

I was able to run CCleaner and do a registry clean after deleting the executable. It found and removed them … BUT the .exe association remains messed up.

You will need to do a search for the “exefix.reg” on Google. You will need to right click and merge with the registry. This will fix the associations. Make sure and use the proper one for your operating system.

This file, as I remember, was only 187Kb and it downloaded and ran quickly but I took my time addressing and answering questions not to let it do anything and then I thought things through in taking steps to remove it.

All is back to normal now!

Paulo April 24th, 2010 at 11:36 am

Thanks Steve, this was indeed a nasty one and Rkill did the job and allowed me to stop the Security Central processes, run my anti-virus and remove this little nasty.