AV.Exe Virus

Created by DrFeelgood on March 15, 2012, 6:53 p.m.
  • So, I'm not sure how many of you go to Grooveshark.com or ThePirateBay (or other sites that have this problem), but there have been a few issues with viruses coming from those sites. I was recently on Grooveshark when, suddenly, a popup appeared that looked eerily similar to Windows Antivirus (it was called av.exe in Windows Task Manager).
     
    It started scanning my drive on its own and, needless to say, I freaked out and ended the entire process tree for Mozilla and av.exe, but there was a small problem. Every time I tried to start Mozilla again or, for that matter, any other application, this av.exe thing hijacked the application, prevented it from opening, and popped up again. I did a bit of research and found that the virus was actually potentially very dangerous since it messes with your registry and that it was becoming much more widespread. There were a few fixes floating around on the net, but this one from a user at virusremovalguru.com seemed to look like the easiest last resort, so I took a chance and I am testing it out as I type this:

    "Here’s what worked for me – I pasted this text onto the notepad application:

    Windows Registry Editor Version 5.00

    [-HKEY_CURRENT_USER\Software\Classes\.exe]
    [-HKEY_CURRENT_USER\Software\Classes\secfile]
    [-HKEY_CLASSES_ROOT\secfile]
    [-HKEY_CLASSES_ROOT\.exe\shell\open\command]

    [HKEY_CLASSES_ROOT\.exe]
    @="exefile"
    "Content Type"="application/x-msdownload"

    Then I saved it to my desktop naming it fix.reg

    I then opened up the newly made .reg file and clicked yes when prompted whether or not I wanted to update my registry with the newly modified information.

    I then restarted my computer and installed Malwarebytes anti-malware and did the update as well. Once installed, I ran a quick scan which found 11 viruses which I then subsequently removed.

    What the above .reg file did was neutralize the virus' crippling effect of preventing me from installing or even using Malwarebytes or any other anti-virus program which I had running at the time (Avira).
    Once restarted and sufficiently neutralized, the virus was powerless against Malwarebytes.

    Problem solved. Done and done."

    I got Malwarebytes to open without any trouble so the reg edit did what it was supposed to. Here's hoping the rest of this process goes smoothly.   
    Has anyone else run into this or know anything else about it? Got any extra advice?   
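    The .reg above works because Explorer resolves HKEY_CLASSES_ROOT as a merge of HKLM\Software\Classes and HKCU\Software\Classes, with the per-user hive taking precedence: a malware-created HKCU\Software\Classes\.exe that points at a bogus ProgID ("secfile" here) redirects every .exe launch to the malware, which is why nothing would open. The `-` prefix on a key name in a .reg file deletes that key, and the last block restores the stock ProgID. The PowerShell below is an added check, not from the thread or from virusremovalguru.com; it reads the same chain of keys the .reg rewrites and reports anything that differs from a clean Windows default. The ProgID name "secfile" comes from the .reg above; the expected clean open command `"%1" %*` is the Windows default; everything else (function names, output shape) is assumed.

```powershell
# Added example: inspect the .exe file-association chain a fake-AV hijack abuses.
# Read-only; safe to run before and after importing the fix.reg from the post.

function Get-DefaultValue {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # Get-ItemProperty exposes a key's default value under the name "(default)".
    return (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
}

function Get-ExeAssociationReport {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. A per-user .exe override does not exist on a clean machine at all.
    $userKey    = 'HKCU:\Software\Classes\.exe'
    $userProgId = Get-DefaultValue $userKey
    if (Test-Path -LiteralPath $userKey) {
        $findings.Add("$userKey exists (ProgID '$userProgId'): per-user .exe override")
    }

    # 2. The machine-wide ProgID for .exe is "exefile" on a clean install.
    $machineProgId = Get-DefaultValue 'HKLM:\Software\Classes\.exe'
    if ($machineProgId -ne 'exefile') {
        $findings.Add("HKLM\Software\Classes\.exe ProgID is '$machineProgId', expected 'exefile'")
    }

    # 3. Resolve the effective ProgID the way the shell does (user hive wins) and
    #    read its open command from the merged HKCR view. Clean value: "%1" %*
    #    A hijack puts its own executable in front of "%1" so it runs first.
    $effectiveProgId = if ($userProgId) { $userProgId } else { $machineProgId }
    $command = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$effectiveProgId\shell\open\command"
    if ($command -ne '"%1" %*') {
        $findings.Add("Effective .exe open command is '$command' via ProgID '$effectiveProgId'; expected '`"%1`" %*'")
    }

    # 4. The bogus ProgID named in the .reg, in either hive it could have been planted in.
    foreach ($p in 'HKCU:\Software\Classes\secfile', 'HKLM:\Software\Classes\secfile') {
        if (Test-Path -LiteralPath $p) {
            $findings.Add("$p exists; shell\open\command = '$(Get-DefaultValue "$p\shell\open\command")'")
        }
    }

    [pscustomobject]@{
        UserProgId       = $userProgId
        MachineProgId    = $machineProgId
        EffectiveCommand = $command
        Hijacked         = ($findings.Count -gt 0)
        Findings         = $findings
    }
}

$report = Get-ExeAssociationReport
$report | Format-List
if ($report.Hijacked) { Write-Warning 'The .exe association has been tampered with; see Findings.' }
```

    On a machine in the state the post describes, the report shows the HKCU override and an open command that launches something other than `"%1" %*`; after importing the .reg and rebooting, `Hijacked` should be `False`. It only examines the association keys, so it says nothing about whether the dropped executable itself is still on disk; that is what the follow-up Malwarebytes scan is for.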
  • I've never run into that, but it reminds me of Internet Security 2010. God forbid you have it in your system for longer than a week without realizing. Best of luck.
  • By god, just use a registry edit that some anonymous person posted on the internet, that'll turn out well. If I were in your situation I would probably either:
     
    a. See what my antivirus could do about it 
    b. Boot in safe mode, and then A 
    c. Format my HDD (just kidding, I would just hit it with a bat) 
  • Just coming in to state that I finished the scan, rebooted, and it looks like my PC's clean again. For now, at least. Hopefully I won't be required to perform a system restore in the near future.
     
    @Fripplebubby:
    I tried those things. Even in safe mode, the virus would prevent applications from opening. The registry edit prevented it from opening every time I tried to run a program, and it was all but confirmed by the community. You must understand that it was a last resort and I was preparing myself to do a system restore off of the boot disc anyway, so I thought, why not just try it out instead of downloading a program from a random site that claimed to do the same thing.
  • Personally I'd purge the drive myself.
     
    In the time you spend running different anti-virus programs, reading up for solutions on the internet and even attempting a system restore, you could easily back up any essentials and make a fresh start by wiping the drive clean. Viruses tend to have a bad habit of coming back after you think they've been removed.
     
    Why risk it when a simple drive wipe will likely solve the issue?
  • If it continues, I would recommend a system restore.
  • @HypoXenophobia said:
    " I've never run into that, but it reminds me of Internet Security 2010. God forbid you have it in your system for longer than a week without realizing. Best of luck. "
    I had an Antivirus 2009 problem, it was a nightmare to remove.
  • System restore should always be attempt #1. It can save such a headache so easily.
     
    SUPERAntiSpyware does a really good job of cleaning spyware, as does Malwarebytes. If you can't get success with the previous 3 things, run HijackThis and I'll try and help you.
      
    Reinstalling the OS might be just a good thing to do anyhow.
  • @Hamz: 
    If he had anything similar to Internet Security 2010, it embeds itself into every file, which makes backing up pretty much pointless, because when you restore, it'll still be there. But this is all speculation, as I doubt any of us have run into AV.EXE in the past besides TC.
  • This sounds crazy, but I believe the solution is as follows:
    1. Download Spybot S&D as well as a new (or the same) Antivirus program
    2. Restart PC and Boot up in Safe Mode 
    3. (Crazy Part) Remove your Anti-Virus 
    4. Run Spybot 
    5. Take note of all infected registry entries (either write them down or take a screenshot) 
    6. Have Spybot fix all issues 
    7. Restart again safe mode. 
    8. Check those registry locations for the infections. If they are there, manually delete them and they should be gone for good.  
    9. Restart normal and install new antivirus.  
     
    Hopefully that does it. If not, you might want to upload your log to a HijackThis forum.
  • Holy snikies! If push comes to shove just purge your system (this should be your last choice), or a system restore.
  • @dcpc10 said:

    " Safe Mode + Some good anti-virus software  Nah just kidding, FORMAT AND REINSTALL THE OS NOW. But really, that virus should be pretty easy to get rid of if you have no problems booting up safe mode, if that doesn't work though, you really are in deep shit. xD "

    You don't have to format and reinstall unless you are very lazy. If the virus were to delete a bunch of registry entries resulting in critical services having invalid paths and such, then I would suggest a reinstall. But this is just a virus, and not all that bad of a virus. 
  • @dcpc10 said:
    " @lilburtonboy7489: The ''FORMAT NOW blah blah blah'' part was sarcasm. I guess my sarcasm failed xD "
    Hope it doesn't come to that point.

  • My guess is that if you post this under the "Please Help!" category, you may get help from more people... maybe even Norm or Will.