PC was infected by av.exe for three days, since Saturday, February 13. Scareware for XP Antivirus Pro launched popups, icon in tray, balloon warnings, and when a URL in IE was attempted, a fake web page appeared which only allowed you to go to their web page to purchase their antivirus software. Used Task Manager to stop the av.exe running, in the processes view. Have McAfee Internet Suite, all defs were up-to-date, two full scans in regular mode and one full scan in safe mode did not identify any virus infection. Microsoft OneCare found the files but advised it could not clean them. Ran two Stinger apps, but NOT the one for the fake alerts since I didn't know about this one, but no viruses were found. Then last night an automatic update ran, so I ran a quick scan but no viruses were found BUT after I closed Security Center, a window appeared that two Trojan files, affiliated with av.exe, were removed. !! Ok, great, the popups stopped but now nothing will launch from the start menu. Nothing with the extension exe will load and a window appears that it is an unknown file type.
As one test, I tried to reload IE but it indicates it is already loaded. McAfee Security Center does not open. Now what? Any bona fide suggestions? Thanks
I found a possible solution on Microsoft http://support.microsoft.com/kb/310585 (the symptoms listed on the page do not exactly match this situation) but it requires registry edits. Since the PC does not recognize exe files, typing %SystemRoot%\system32\restore\rstrui.exe into the RUN command to back up the registry before editing it, brings up a window to select the application to open this file. Catch 22, boo hoo. Files on the desktop launch OK, just ones in the start menu and in every other way don't work. I'm bummed the QA process for the solution to remove av.exe did not identify this issue before it was implemented.
Clearly the full cleaning did not occur, so we would need to gather your scan logs, and if possible, get a copy of that av.exe, so we can see what system modifications it makes, and better understand why we did not revert those changes.
What product of McAfee's are you running?
Thanks for the reply. I'm running Internet Security 2010. I did not make any copies of the av file and did not intentionally back up any files unless the backup and restore of McAfee Security Center does it automatically. I use an external drive for backups but have not used it this month. Let me know next steps, e.g. what folders house the logs, etc. Thanks
I had the same problem this evening. Fortunately, I don't allow any of my family to run as a privileged user, so the infection was limited to their accounts. After rebooting in safe mode (with networking), I updated McAfee, scanned and it removed the av.exe file.
I thought it was all done until I logged back in as the other user and was unable to launch any applications as described by PeKan.
After doing some research, I was able to figure out which registry entries I had to modify. The difficult part is that they were all in HKEY_CURRENT_USER. I had to edit these when logged in as the user, but unable to launch regedit.
My solution: When logged in as the user that cannot launch the *.exe files, open up any folder on your machine ("My Documents", "C:\Temp", etc). Right click, create new Text Document. Name it whatever you want. Windows, by default, will add the .txt extension. Double click that file; it'll open in Notepad. Type in the text "regedit.exe". Then do File -> Save As ... This will bring up a dialog to save the file. Change the "Save as type" to "All Files" and change the name to "exefix.bat" or anything else. The important part is the ".bat". You may not be able to launch .exe directly, but you can launch .bat files, which essentially launch the regedit.exe.
Once saved, you can close Notepad, and then double click on the newly created batch script. This will launch regedit, and now you can do a registry search for "av.exe". I found 4 entries. All of these entries had the value similar to: "%UserProfile%\AppData\Local\av.exe" /START "%1" %*
I changed these entries to: "%1" %*
This appears to have corrected my problems with opening up *.exe apps.
Now have a similar problem after removing the trojan, but McAfee didn't detect it; had to use ESET to find and delete. Although I don't mind having a go in the registry etc I understand you have to be careful. What about creating a new user account and deleting the old one? (As a new account appears to be ok as does my admin account.) Appreciate that might leave the reg with "errors" but would that be a problem?
Same problem as the OP... Any Help?!?!
And McAfee is disabled and won't fix itself... I am using McAfee Security Suite
Message was edited by: owlshead on 2/24/10 8:15:50 AM CST
I have run into this problem on a Vista system after cleaning av.exe off of it. I had to go into the registry and fix several settings. First check these registry entries to make sure they do NOT contain the following:
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
These lines should look like the ones below; if not, modify them until they do. Add the value to the (Default) line:
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%1" %*
I hope this fixes your problem.
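A batch file that does the check and the fix described in the two posts above (the Notepad .bat trick and the four keys just listed), as an added example; it is not a McAfee tool and was not posted in this thread. It assumes reg.exe is available (it ships with XP and Vista) and that the key paths are exactly the four listed above; because .bat files still launch while .exe associations are hijacked, it can be saved from Notepad and double-clicked in the affected account.

```batch
@echo off
REM exefix.bat - restore the .exe "open" command that av.exe hijacked.
REM Added example for this thread, not McAfee's code. Run it in the affected
REM user's account; the HKCR lines need an administrator account.
setlocal

REM The four keys listed in the posts above. The clean value is "%1" %*,
REM i.e. just run the file that was double-clicked, with its arguments.
set KEYS="HKCU\Software\Classes\.exe\shell\open\command" "HKCU\Software\Classes\secfile\shell\open\command" "HKCR\.exe\shell\open\command" "HKCR\secfile\shell\open\command"

echo === Current (Default) values - look for av.exe ===
for %%K in (%KEYS%) do (
    echo %%~K
    reg query %%K /ve 2>nul
    reg query %%K /ve 2>nul | findstr /i "av.exe" >nul && echo   HIJACKED: open command points at av.exe
)

echo.
set /p GO=Write the clean "%%1" %%* value to all four keys? [y/N]:
if /i not "%GO%"=="y" goto :eof

REM %%1 and %%* are batch escapes, so reg.exe receives the literal "%1" %*.
for %%K in (%KEYS%) do (
    reg add %%K /ve /t REG_SZ /d "\"%%1\" %%*" /f >nul && echo fixed %%~K
)
REM Per the later post, keys the malware itself added can instead be deleted
REM outright with: reg delete "<key>" /f  (check against a clean PC first).
```

After running it, log off and back on so Explorer picks up the restored association, then confirm a Start menu shortcut launches.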
Thanks - would the registry entries look the same in XP?
Also, would fixing them fix my disabled McAfee... which, as I mentioned, has been disabled after grabbing/quarantining the "Av.exe"
Won't fix itself...
This is the same on XP as it is on Vista. I don't know if it will fix your anti-virus. I did find out some more information since I last posted because I had to clean another system that had this virus. Some of the registry entries that I posted don't need to be fixed but can be removed entirely as they were added by the virus.
An article here http://www.2-spyware.com/remove-xp-internet-security-2010.html shows you how to create a reg file and run it to fix the issues caused by the virus. Follow steps 1 through 5. FYI on the reg file, the lines that start with [- remove the keys/values from the registry. The other lines modify existing keys/values. (I double-checked that these registry entries can be removed by referencing a freshly installed XP system sitting on my desk.)