I have been silent for a couple of weeks for two reasons. The 1st reason is personal, resulting from some shocking online mistreatment (not SMF related), so I decided to take an online hiatus.
The 2nd: my PC was attacked by a serious virus, XP Security 2010 / ave.exe. My son had jumped on my PC and went to two big sites, Yahoo and Facebook, and the PC was infected. This attack helped enforce my online hiatus.
Before some start saying my PC was attacked because of poor security, think again. All of my security software was up to date; I try to be proactive about being current on PC security. However, daily new PC vulnerabilities are discovered, and hackers generate new malware/viruses/trojans/rootkits/etc. to infect your PC. I thought it would be helpful to share my experience with this latest virus attack.
• Fake Virus Warning Popups that attacked me below.
• Names for this virus image below.
This rogue pretends to be an update for Windows installed via Automatic Updates. It will then install itself as an executable called AV.exe or AVE.exe that uses very aggressive techniques to prevent you from removing it. First, you can't launch any executable; instead it launches XP Security Tool 2010 or one of its other names (see virus list below). Only programs that the virus deems safe (won't threaten the virus) are allowed to launch, in order to protect itself. Anti Virus software will not be allowed to launch; instead the Fake Virus Warnings pop up. It may also modify certain registry keys so that when you launch Firefox or Internet Explorer it will launch the rogue instead and display a fake firewall warning. Your Windows Firewall is disabled. In addition, when trying to browse a web site, it will hijack your browser and state that the site is a security risk.
• You can read about this virus here
My PC is 3 years old: 2.0+ GHz dual core, 3 GB RAM.
Anti Virus software: Avast (resident), SuperAntispyware Pro (resident), Windows Firewall (I have now changed), WinPatrol (resident), Malwarebytes (on call), Sophos for rootkit detection.
My security hole was Windows Firewall. I used Windows Firewall because I felt that with WinPatrol, the Avast/SuperAntispyware setup was pretty solid, and if infected, with the 4 AV programs I could detect or clean most infections. I was wrong!
Tools you will need:
Malwarebytes (MB)
Everything: this is a super fast NTFS drive file finder tool; it will find any file in 1 to 3 seconds after the initial scan. (I have 750 GB of storage; the initial scan is less than 1 minute.) It won't search a USB FAT32 flash stick, or any FAT32 device.
STEPS To REMOVE Virus.
This only applies to XP and my system, but may help others.
• If you don't have Malwarebytes, you need to download it on a clean PC, and put the MB setup file on a flash stick. If you don't have another PC that is connected to the internet, see sys restore method below.
- You need the latest database update. Install MB on the clean PC, launch and update, click OK.
- Copy "rules.ref" from the clean PC to your flash stick; it is located at C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
• Boot the infected PC to Windows Safe Mode
• The virus stops the launch of "mbam-setup-1.45.exe", so change the file name's .exe extension to .com (mbam-setup-1.45.com).
Now launch the MB INSTALL only. When MB installs, it will ask to Update & Launch. STOP!
- Copy "rules.ref" to the correct directory on the infected PC. Use "Everything" to quickly find that directory, or using Windows Explorer check here: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware; overwrite the existing rules.ref. ALSO
- Using "Windows Explorer" go to the directory where you installed Malwarebytes, and change "mbam.exe" to "mbam.com". Remember the virus takes over all .exe files and prevents them from running, especially Anti Virus apps.
Back to the MB install screen.
- click No on Update.
- NOW Launch.
• Do a Quick Scan; MB should locate the virus and its various infections. Follow the steps to quarantine or delete.
• Reboot your PC to normal Windows mode. Now run your other virus detectors and see if you can find any other viruses. Be sure to update your AV detectors before you do this scan. Only run one scanner at a time.
You already have Malwarebytes, but it won't run: follow the step above and rename "mbam.exe" to "mbam.com". Try to launch and scan; if successful, good.
If not successful, uninstall Malwarebytes, then run "mbam-clean.exe".
Then follow the instructions above for those that don't have Malwarebytes.
If none of the above worked, use Windows System Restore and restore the registry to a point several days prior to the infection. BEWARE: if your system wasn't running smoothly before the infection, System Restore could cause a catastrophic failure. (To make sure your system is operating properly, weekly clean out all browser cache, defrag the hard drive, keep the number of programs launching at startup to a minimum, and remove from startup all other unnecessary apps.)
- After System Restore, follow the instructions above.
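The flash-stick preparation and the infected-PC file steps above can be scripted so nothing is mistyped in Safe Mode. The batch file below is an added example written for this post, not something shipped by Malwarebytes or the original author. It assumes the flash stick is drive E:, the installer is the mbam-setup-1.45.exe named above, and Malwarebytes installed to its default folder "C:\Program Files\Malwarebytes' Anti-Malware" (adjust STICK and INSTDIR if yours differ). Run it with "prep" on the clean PC, and with "fix" on the infected PC while the installer's final Update & Launch screen is still open.

```batch
@echo off
rem Added example, not part of the original post: automates the rules.ref copy
rem and the .exe -> .com renames used to get Malwarebytes past the rogue's
rem block on .exe launches. Assumed values: stick drive E:, installer name
rem mbam-setup-1.45.exe, default install folder under Program Files.
setlocal
set "STICK=E:"
set "DATADIR=C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware"
set "INSTDIR=C:\Program Files\Malwarebytes' Anti-Malware"

if "%1"=="prep" goto prep
if "%1"=="fix" goto fix
echo usage: %~nx0 prep ^| fix
goto :eof

:prep
rem Run on the CLEAN PC after installing and updating MB.
if not exist "%DATADIR%\rules.ref" (
  echo rules.ref not found - update Malwarebytes on this PC first
  exit /b 1
)
if not exist "%STICK%\mbam-setup-1.45.exe" (
  echo installer not found on %STICK% - copy mbam-setup-1.45.exe there first
  exit /b 1
)
rem Fresh signature database for the offline install.
copy /y "%DATADIR%\rules.ref" "%STICK%\rules.ref"
rem Keep a .com copy of the installer; the rogue only intercepts .exe launches.
copy /y "%STICK%\mbam-setup-1.45.exe" "%STICK%\mbam-setup-1.45.com"
echo done - boot the infected PC to Safe Mode, run mbam-setup-1.45.com, then: %~nx0 fix
goto :eof

:fix
rem Run on the INFECTED PC in Safe Mode, with the installer's final screen
rem still open (do NOT click Update or Launch yet).
if not exist "%INSTDIR%\mbam.exe" (
  echo mbam.exe not found in "%INSTDIR%" - set INSTDIR to where MB was installed
  exit /b 1
)
if not exist "%STICK%\rules.ref" (
  echo rules.ref not found on %STICK% - run "%~nx0 prep" on a clean PC first
  exit /b 1
)
rem Overwrite the empty database that the fresh install created.
copy /y "%STICK%\rules.ref" "%DATADIR%\rules.ref"
rem Rename the scanner so the rogue does not block it.
ren "%INSTDIR%\mbam.exe" mbam.com
echo done - click No on Update, then Launch, and run a Quick Scan
goto :eof
```

After a successful clean-up, rename mbam.com back to mbam.exe (or reinstall) so future updates find the program under its normal name.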
Problems
In my case there were residual viruses installed by the initial infection. Depending on how bad a version you are infected with, you may be lucky and the above instructions get you up and running with no more problems. If you are unlucky, the infection not only installs the Security 2010 virus, you may also be infected with 1 to dozens of other viruses. In my case there were about 4 to 6 other viruses.
• The initial virus was stored in "av.exe" or "ave.exe", but that isn't the only place, and I can't find any posting that gives a complete list of files to search for. Fortunately, Avast did a good job in blocking a majority of the residual viruses, but the attacks were random and happened at various times of the day. I still don't know what events triggered them.
• When new popups occurred I would reboot into Safe Mode and do a scan with the virus detector that gave the warning. I always did a scan with all three of my virus detectors (Avast, SuperAntispyware, Malwarebytes). Combined, that could be 2 hours of scanning. I had to find the root of the problem. Sometimes after a warning or popup, running all three AV scans one after another, each would catch something different. That is why you need multiple AV engines. NOTE: it is NOT recommended to have two antivirus apps running resident; one antivirus and one antimalware is OK.
• I contacted SuperAntispyware; as a Pro owner, I get free analysis using SAS's online system diagnostic tool, which uploads a complete detailed system report. Unfortunately, SAS did a lousy job on this virus, and the technical help and I just went back and forth, never achieving anything.
• I posted in the Malwarebytes support forum, but never received an answer. However, after carefully reading the many other complaints and requests for help on the exact same issue, I noticed some repetitive things. One was a common complaint about PDF files, and I read many advisories on Adobe Reader vulnerabilities in connection with Java.
• I uninstalled Adobe Reader and installed a free PDF reader alternative.
ALL VIRUS ATTACKS STOPPED! (It was more involved than this, but it is worth a shortcut try.)
Read how to remove this virus
Here, here, check this forum category
TIPS On Security
• Keep all the programs you are regularly using up to date. I can't stress this enough!
• Dump Windows Firewall. I used to believe that my other AV apps with Windows Firewall were enough. The sophistication and level of attacks/infections are so broad that no security app can keep up. Therefore all levels of protection need to be addressed; I had failed in not dealing with the firewall. I now use "Online Armor"; so far OK.
• This forum is fairly reliable for finding PC problem info.
• Check this site for free Anti Virus stuff that works; look under the Security category.
• YOU PAID for one of the big AV programs, Norton, McAfee, etc. Maybe you are getting what you paid for, maybe not: Independent Feb 2010 report, Proactive tests, tests conducted by.
VIRUS fake warning POP UPS
VIRUS NAMES: XP Security Tool 2010, XP Defender Pro, Vista Security Tool 2010, and Vista Defender Pro
are just a few of the names this virus uses...