
ave.exe: A multiple-rogues-in-one Trojan FakeRean

by Shanmuga

ave.exe is a variant of av.exe installed by the Trojan FakeRean. Just like av.exe, this variant also chooses randomly from a list of names each time it is installed. It has a list of names for all the current versions of Windows, each with a matching fake Windows Security Center or fake Windows Action Center.

So far I have seen the following names:

On Windows XP:

  • Antivirus XP
  • XP Smart Security
  • XP Smart Security 2010
  • XP Antimalware
  • XP Antimalware 2010
  • XP Security Tool
  • XP Security Tool 2010
  • XP Internet Security
  • XP Defender Pro
  • XP Security

On Windows Vista:

  • Vista Antimalware
  • Vista Security Tool 2010
  • Vista Smart Security
  • Vista Smart Security 2010
  • Total Vista Security
  • Vista Security
  • Vista Defender Pro
  • Vista Internet Security

On Windows 7:

  • Win 7 Defender
  • Win 7 Defender Pro
  • Total Win 7 Security
  • Win 7 Smart Security 2010
  • Win 7 Internet Security
  • Win 7 Security Tool
  • Win 7 Antimalware
  • Antispyware Win 7
  • Win 7 Security

(Image: ave.exe scare message)

ave.exe Analysis on Windows XP

When executed, the trojan drops ave.exe (with the hidden and system attributes set) in the %AppData% folder. ave.exe then drops a file without an extension, named y7V11, in multiple folders including the %AppData% and %Temp% folders. To see these files you need to enable viewing of hidden folders and protected operating system files in the Folder Options control panel. ave.exe further makes the following modifications to the Windows registry, so that:

  • The scareware (ave.exe) runs every time a .exe file is launched. This is another way to autostart with Windows and to restart after being killed from Task Manager, and it also makes it difficult to install and run security programs.
  • Internet Explorer is made the default browser and is promptly hijacked to display a scare message whenever it is run.
  • Firefox normal mode and Firefox safe mode (no add-ons) are hijacked, so that the scareware starts whenever Firefox is run and a fake alert is displayed.
  • Windows Firewall is disabled.
  • Genuine Windows Security Center notifications are disabled.

ave.exe Associated Files and Folders

  • C:\Documents and Settings\All Users\Application Data\y7V11
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\ave.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\y7V11
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\y7V11
  • C:\Documents and Settings\malwarehelp.org\Templates\y7V11
  • C:\WINDOWS\Prefetch\AVE.EXE-3098ECAE.pf

Some of the file names may be randomly generated. The term malwarehelp.org in the above entries denotes the name of the Windows user account in the test machine.

ave.exe Associated Registry Values and Keys

  • HKEY_CLASSES_ROOT\.exe\DefaultIcon
  • HKEY_CLASSES_ROOT\.exe\shell
  • HKEY_CLASSES_ROOT\.exe\shell\open
  • HKEY_CLASSES_ROOT\.exe\shell\open\command
  • HKEY_CLASSES_ROOT\.exe\shell\runas
  • HKEY_CLASSES_ROOT\.exe\shell\runas\command
  • HKEY_CLASSES_ROOT\.exe\shell\start
  • HKEY_CLASSES_ROOT\.exe\shell\start\command
  • HKEY_CURRENT_USER\Software\Classes\.exe
  • HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
  • HKEY_CURRENT_USER\Software\Classes\secfile
  • HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Identity=1117626655
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride=1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride=1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications=1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications=1
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall=0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions=0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications=1
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall=0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications=1

The term malwarehelp.org in the above entries denotes the name of the Windows user account on the test machine.
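Added example, not the article's own code and not the fix .reg it links: a Python checker that parses a .reg export and flags the tampering patterns the analysis above lists (the .exe association re-pointed to secfile, launch commands wrapped with /START, the Security Center override values and the firewall profile values). The sample .reg text is constructed, including the account name "user" and the paths, and the script is meant to be run over a hive export taken from a suspect machine rather than against the live registry.

```python
import re

# Constructed sample of a Windows .reg export (not taken from the article) that
# reproduces the kinds of entries the analysis above lists on an infected XP box.
INFECTED_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="secfile"
[HKEY_CLASSES_ROOT\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\ave.exe\" /START \"%1\" %*"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\ave.exe\" /START \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DisableNotifications"=dword:00000001
'''

# Constructed clean counterpart: the stock association that the fix .reg restores.
CLEAN_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')   # @=... or "Name"=...
LAUNCHER_WRAP = re.compile(r'\s/START\s', re.IGNORECASE)  # '<rogue> /START <real exe>'

def unescape(s: str) -> str:
    # In .reg strings a backslash escapes the next character (\\ and \").
    return re.sub(r'\\(.)', r'\1', s)

def decode_value(raw: str):
    """Decode the right-hand side of a .reg value line (strings and dwords)."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:/hex(n): binary data is left undecoded

def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: value}}; '' is (Default)."""
    keys: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        keys[current][name] = decode_value(m.group(2))
    return keys

def audit(keys: dict) -> list:
    """Return (key, reason) pairs for the tampering patterns the article lists."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        default = values.get("")
        # .exe extension re-pointed to a foreign ProgID (the article's 'secfile')
        if k.endswith("\\.exe") and isinstance(default, str) and default.lower() != "exefile":
            findings.append((key, f".exe ProgID is '{default}', expected 'exefile'"))
        # shell\open|runas|start\command and StartMenuInternet commands whose
        # default value routes every launch through the rogue with /START
        if k.endswith("\\command") and isinstance(default, str) and LAUNCHER_WRAP.search(default):
            findings.append((key, f"launch command wrapped: {default}"))
        # Security Center told to stop warning about missing AV / firewall
        if k.endswith("\\security center"):
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if values.get(name) == 1:
                    findings.append((key, f"{name}=1"))
        # Windows Firewall profile switched off or its notifications silenced
        if "\\firewallpolicy\\" in k and k.endswith("profile"):
            if values.get("EnableFirewall") == 0:
                findings.append((key, "EnableFirewall=0"))
            if values.get("DisableNotifications") == 1:
                findings.append((key, "DisableNotifications=1"))
    return findings

if __name__ == "__main__":
    for key, reason in audit(parse_reg(INFECTED_REG)):
        print(f"{key}\n    {reason}")
    print("clean sample:", audit(parse_reg(CLEAN_REG)))  # prints: clean sample: []
```

Export the relevant hives with regedit (File > Export) or `reg export` and feed the file to `parse_reg`; a clean XP machine should produce no findings for these checks.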

ave.exe Removal (How to remove ave.exe)

When removed improperly, the leftover registry entries break the opening of .exe files.

Use an alternate browser like Chrome to download the following or use a removable drive to transfer them to the affected computer:

  1. Right click and save the registry file trojan_fakerean_exe_fix.reg; make sure that you save the file with a .reg extension.
  2. Malwarebytes’ Anti-Malware (mbam-setup.exe direct download)
    • Double-click the downloaded registry file (trojan_fakerean_exe_fix.reg) and click Yes to merge the registry data. This deletes the offending registry keys that block .exe files.
    • Install and run Malwarebytes’ Anti-Malware. Go to the Update tab and check for updates. Once the update is completed, open the Scanner tab and choose a full scan. Once the scan is completed, click "Show results", confirm that all instances of the rogue security software are check-marked, and then click "Remove Selected" to delete them. If prompted, restart immediately to complete the removal process.
    • Turn System Restore off and on.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware would have protected you against this scareware. The real-time component of the paid version would have cautioned you before the rogue software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

Note: The ave.exe installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.

Trojan FakeRean clones on Windows XP: XP Security Tool 2010 Analysis and Removal, XP Defender Pro Analysis and Removal, XP Internet Security Analysis and Removal, XP Security Analysis and Removal, XP Security Tool Analysis and Removal, Antivirus XP Analysis and Removal, XP AntiMalware Analysis and Removal, XP AntiMalware 2010 Removal and Analysis, XP Smart Security Analysis and Removal, XP Smart Security 2010 Analysis and Removal.

105 comments

DrVC March 20, 2010 at 7:35 AM

Thank you for your timely posting, Shanmuga, it was very helpful to me today!

I was able to get rid of the Total Vista Security malware/trojan and clean up the registry successfully… Here is what I did in addition to what’s indicated in the above article:

I was able to see ave.exe process in the Task Manager and right-click on it to “Open File Location” but did not see the file since it is hidden. I was somehow not able to see this file even after I turned on View Hidden/System files option in file explorer on Vista…

To find and delete ave.exe and related files, I then opened a DOS window (“cmd” command from Start-Run menu), went to the directory for infected user as stated in the above article:

C:\> CD C:\Documents and Settings\[username]\Local Settings\Application Data\

Then, I executed the following command to list all files with Attribute=Hidden and ordered by date:
DIR/AH/OD

There are multiple files – ave.exe, a dll file with a number in its name, and one or more additional files that are downloaded after ave.exe (based on file date). I deleted them all after killing the ave.exe process tree in the Task Manager.

Then I looked for ave*.* and found it in the C:\WINDOWS\Prefetch directory as stated in the malwarehelp.org url listed below.

Then I opened regedit, saved/exported a backup file, and searched for ave.exe. I corrected each entry (removed “C:/../ave.exe /Start” etc. from each entry). This requires knowledge of regedit file syntax. I also used the regedit script provided above but it did not fix all registry entries modified to include ave.exe.

Thereafter, I ran my anti-virus software (AVG) – which was not able to catch this trojan! – to ensure I do not have any other problems and rebooted…

I also found the following two sites to be very valuable:

Microsoft:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fFakeRean


Ted March 20, 2010 at 11:04 AM

Shanmuga,

Thank you so much for your post. I have been fighting this ave.exe for hours today. I’ve tried right clicking the file in task manager, opening location, and deleting it, but could not find where it was. I also tried running one of the other more well know anti-virus softwares with no luck. I followed your directions step by step and my computer appears to be fixed now. Again, I greatly appreciate the post and the help…….after reviewing several blogs, sites, and articles about how to get rid of the ave.exe, your method is by far the easiest and most effective. THANKS!!


tony March 21, 2010 at 6:55 AM

thanks so much, I spent the HOURS trying to get rid of ave.exe, it is really the link to Macrosoft’s site that helped me, my sister’s laptop is fixed now…


Deep March 21, 2010 at 6:59 AM

Shanmuga,

Thank you so much for your post, this is a really helpful website and your post most of all was quite helpful in understanding how to get rid of this issue. I actually ended up hitting F8 on Vista boot up sequence and restored the registry to the last working version in order to get rid of it. The remainder of the maintenance was done afterwards.

I did have Malwarebytes running on my computer, not sure why I still caught this stupid malware. Anyway, thanks again for your helpful and thorough post.


james March 21, 2010 at 7:00 AM

I also got hit with this virus the other day. The first time it was just av.exe, but it went away for a while; now it’s back and worse than ever. It is now ave.exe and also has another process called csrss.exe which is blocking any files from opening on my computer. ave.exe seems to be responsible for all the annoying windows that pop up, and for redirecting Internet Explorer to porn and erectile dysfunction websites when I close the popups using the x in them; it doesn’t do it every time though. csrss.exe is the one preventing me from opening any files, and will not let me open up the Task Manager, and it cannot be closed by the Task Manager (and yes, I know about the legit csrss.exe but this is not it). And anything I do manage to get open is promptly closed by the exe. I found a bit of a way to get around it though: as soon as my computer restarts and I log in, I open the Task Manager immediately and shut down ave.exe; sometimes this prevents csrss.exe from starting itself and I have been able to open all my files now. I don’t know if this will work again. I am updating my computer hoping that Windows put in an update to stop this virus. Also I had a question: are the programs you listed free? I would like to get rid of this virus for free, otherwise I’m just gonna back up my files and delete the whole partition. Also, a word to the wise, stay away from http://thepiratebay.org; both times I got the virus I was downloading torrents from that site and doing nothing else, now it is no coincidence that 30 seconds after clicking on the torrent download this virus showed itself on my computer.


Amrit March 22, 2010 at 12:43 AM

Thank you so much for your advice. This really works !! You guys are really great.


Dan March 23, 2010 at 12:57 AM

thanks DrVC !!!
your instructions worked perfectly. Also had to use the attrib command prior to deleting the hidden files in DOS:
> attrib a*.exe -r -s -h
> del a*.exe
> attrib 32*.dll -r -s -h (or whatever your random number dll is)
> del 32*.dll

There was also a file called OIXQ that I wiped too. I didn’t see that indicated on any posts, but my system is running ok without that file.

thanks all!


Fatima March 23, 2010 at 10:06 AM

Thanks so much for posting this!
I’m using a laptop from school, and it’s ridiculous that this virus has just been eating at this computer with no one to fix it! I tried doing your method, but every time I try to run the downloaded .exe files for setup, stupid ave.exe pops up again. I’m not sure how to exactly install these programs on my computer, and I can’t install another browser either (of course the school would use IE) because that requires launching an .exe file. Is there any way I can get these programs onto my computer, or even install Chrome without having to run an .exe file, or even managing to keep the virus away for the five seconds it takes to run it? Any knowledge of how you guys managed to get around this is appreciated :) thank you guys!


Kerri March 24, 2010 at 1:48 AM

Followed your instructions and it worked GREAT! Thank you so much for helping the common people out! This would have cost me hundreds of dollars had I called my Computer guy. My computer is running great!


Chris March 24, 2010 at 6:06 AM

FYI, one of the computers at work had this. Just used System Restore to get rid of it but thought I’d mention I also found OIXQ in both “All Users\Application Data” and “%USERNAME%\Application Data” so would guess it is a part of the virus. Scanned with both AVG and Avira with no detection.


Samson March 24, 2010 at 7:25 AM

THANK-YOU so much Shanmuga!
I ran McAfee Virus scanner twice it it overlooked all these files. Your step by step was easy to follow and worked like a charm. Unfortunately I am in the same boat as James and got this nasty Trojan via http://thepiratebay.org as well. I download torrents occasionally and I am ALWAYS very careful but this one found a way to get into my PC and compromised my entire system. I was fearing a total reformat until I came across this web site. Thanks again.


Keyswest March 24, 2010 at 12:08 PM

First of all thanks much to Shanmuga for your guide.
I am able to do something, the programs are working, but……
It looks like the ave.exe stops the Malwarebytes and McAfee websites, and I am not able to update these programs.
Is this happening to anyone?

Thanks


Shanmuga March 24, 2010 at 12:27 PM

Rename mbam.exe to anything, my favorite is “notmbalm.com”. You can find mbam.exe in the Malwarebytes Antimalware folder in your program files directory.

Shanmuga March 24, 2010 at 12:31 PM

If you are able to open but unable to update, try it in “safe mode with networking”.

Unless the definitions are very old, MBAM should be able to detect and remove ave.exe even without the most current update.


Nick March 24, 2010 at 1:19 PM

Just like to say that this helped a lot, ran into this nasty thing when I thought I had emphasis in on a website and just typed a ton of keys then all kinds of fake windows security things came up.


Henry March 25, 2010 at 11:36 AM

This worked a treat on my PC and found a lot of other things too lurking in files. It did take about 6 hours to scan the PC though for Malware.

It found the ave.exe file in exactly the right place, even though I could not see it in Windows Explorer after turning on view hidden files.

Many thanks for a simple update that saved me having to manually delete things that were in the registry.


Shanmuga March 25, 2010 at 11:52 AM

Henry, You also need to uncheck “hide protected operating system files” to view those files.

Made_my_day March 27, 2010 at 10:54 AM

Thank you so much for this information Shanmuga, I have been working on getting this off my computer for hours. You are my new hero.


jinu March 28, 2010 at 12:58 AM

really great !!! thank you for your help ….


Joshua March 30, 2010 at 6:00 AM

This worked great. Thank you so much.


Ed March 30, 2010 at 5:48 PM

I’m cautiously optimistic! I picked up this fakerean last night. I found this removal tutorial and tried it out. So far it seems the tips provided have killed this trojan.

Thanks for the excellent tips Shanmuga!


Gman March 30, 2010 at 6:51 PM

I found the fastest way to get rid of ave. This program is date stamped. Set your date ahead 8 days. Then restart. This works for most scarebots. It has an automatic erase.


Mo March 30, 2010 at 8:08 PM

Thank you! xxx


Prohletariat March 30, 2010 at 9:46 PM

Malwarebytes’ alone seems to have eliminated an otherwise elusive and pesky as @#$% virus… it also revealed the complete file path so if it isn’t gone then I am slightly more prepared this time around!!!

thanks shanmuga and MWB!


Prohletariat March 30, 2010 at 9:56 PM

I forgot to add: I had much better luck running and installing programs as Administrator. They actually ran that way. Keep your taskmanager open and your mouse-hand poised for the quickdraw!


JD March 31, 2010 at 11:07 PM

Thanks for the help. Got rid of that damn ave.exe plus another trojan that I thought I had completely cleared earlier. I will be more careful from now on in my downloads. :)


Anonymous March 31, 2010 at 11:27 PM

Good news and bad news. I followed the instructions to remove this horrible ave virus/trojan. Then I reset my windows firewall and checked out my files. Miraculously everything worked (you guys are great). BUT, after about 10 minutes on the internet, it came back.

Any suggestions? I wasn’t downloading anything. I checked my incredimail email I did a couple of searches (using “mystart” “google” and “yahoo”.


CowboyCoder April 1, 2010 at 10:17 AM

Anonymous,

You may be infected with TDSS rootkit most likely in ATAPI.SYS. Download TDSSKILLER and it will tell you if you are infected. In my case it found the rootkit – which made ave.exe kept coming back – in atapi.sys.

Note: TDSSKILLER replaced atapi.sys on reboot, but my system locked up before booting into Windows. Was only able to reboot when I selected ‘Last good working…’ Before you let TDSSKILLER fix the problem, make sure you have the ‘Last good working…’ option when you try Safe Mode (F8 key when you start).

Also search for ‘tdss rootkit atapi.sys’ for problems in replacing atapi.sys.


Anonymous April 1, 2010 at 5:20 PM

I downloaded Malwarebytes’ Anti-Malware but I’m not able to run the mbam-setup. Any help here would be appreciated, thanks.


Shanmuga April 1, 2010 at 5:36 PM

Rename the setup file to anything you like and once installed rename the executable file to something else as well. If you are still unable to run Malwarebyte’s AntiMalware, please visit one of the recommended forums for malware help and post about your problem.

Bernardo Cruz April 1, 2010 at 11:46 PM

You rock man!!!! I just had to deal with this virus and your post was 100% useful for me… and yeah, I now I got this from the piratebay . So from now on I’m away from that torrents.

I just can add that to erase the ave.exe I used slax linux live cd and it was a piece of cake.


Anonymous April 2, 2010 at 4:14 AM

I haven’t been lucky. Ave.exe seems to have locked my registry and I can’t run the .reg file.


Physician April 2, 2010 at 6:03 AM

Smart! Thanks


JL April 3, 2010 at 7:16 AM

I’m running Malwarebytes right now…biggest concern is that I had to run an update on it before scanning and was told that it needed to restart the machine for the update to take effect…which I was scared to do since I’ve seen several people mention that their machines didn’t come back up after they were infected with this thing. I’ve had MBAM on my machine for about 6 months, I think. What are the chances that it won’t catch this thing without having done the restart?


JL April 3, 2010 at 8:26 AM

And I seem to have answered my own question. It found 6 infected files, removed them all, and after running the rest of the steps I seem to be okay. *fingers crossed* Thank you so very much for this, Shanmuga!


Mars April 4, 2010 at 3:11 AM

I have the same problem as “Anonymous” up there — AVE returned in ten minutes. The recommended thing by Cowboy turned up nothing, so it must not be that. Any other solutions? Please say yes.


Shazamer April 4, 2010 at 5:19 AM

To Anonymous @ 4/2 4:14 — go to start/run type cmd. In the command window type regedit. This should start the registry editor. Then select File/Import and open the *.reg file.

For people that can’t run the various .exe files this approach should work also. That is, open a command window and run the exe file from there.

good luck all.


CowboyCoder April 4, 2010 at 10:26 AM

Mars,

Check these directories for weirdly named files -without- extension:

C:\Documents and settings\\

– Local Settings\Application Data
– Local Settings\Temp
– Templates

C:\Documents and settings\All Users\Application Data
C:\Documents and settings\NetworkService\Local Settings\Application Data

C:\Windows\Temp

C:\WINDOWS\Prefetch\AVE.EXE-3098ECAE.pf

In my case, there was one copy of ave.exe and 2 or 3 instances of files without extension. MBAM detects ave.exe, but not the ones without extension. They stopped re-appearing only after TDSSkiller removed the rootkit in atapi.sys.


Smit April 5, 2010 at 4:17 AM

I followed the directions as they appear here and got rid of the virus no problem (*knock on wood*). I also believe that I got it from piratebay.org.


Anonymous April 5, 2010 at 5:26 AM

thanks – worked for me


Ally Rae J April 5, 2010 at 12:26 PM

I would just like to say THANK YOU SO MUCH you are a saint. I instantly become super freaked the hell out whenever anything like this happens to my computer. Thanks to your help all is well again and BY GUM I can sleep tonight!

Thank you thank you THANK YOU <3


Winter April 5, 2010 at 8:18 PM

This is one nasty bugger. Unfortunately for me, Google Chrome isn’t really working so I will either do a system restore or a complete reformat. I’m never using The Pirate Bay again.


Curtis Kemmerle April 5, 2010 at 8:51 PM

This is a nasty one, my Avast AntiVirus did not catch it nor did my Uniblue SpyEraser. I was able to recover completely by starting up in SAFE mode (WXP) with the primary Administrator account and doing a system restore going back 10 days. I then did a detailed search of C: for anything AVE.EXE and found it in prefetch with a longer name as a PDF and Temporary Internet Files as AVE.EXE.

System Restore took 20 minutes after which I immediately booted the UBCD and did the search from Windows CE via the CD ROM. Upon removal I restarted the system normally and have no ill effects except having to re-update Firefox and Incredimail.

I realize that this thing can come from anywhere but for me is came via flash advertisement on one of the torrent search pages in the form of a PDF and landed in c:\windows\prefetch. I was able to do a trace from the download logs that lead me back to www dot tasmaniantigerrose dot com. the whois information leads to:
Vladimir Lavrov teens at fastermail.ru
+7212420306 fax: +7212420306
ul.Sovetskaya d.26 kv.6
Syktyvkar Respublika Komi 167000
RU


Curtis Kemmerle April 5, 2010 at 9:21 PM

Added note:
The SysInternals Process Explorer is a tool that replaces the Windows Task Manager. It provides greater detail of what exactly is running in memory, handles, hooks address, the specific file/program source, any nested subroutines and their sources, real time processor time allotment and more. I use it to monitor my processor when it is doing a labor-intensive job to determine if there is a lock-up or it’s just busy. I also used it to find out that AVE.EXE was my problem and was able to immediately dump AVE.EXE from memory before irreparable damage occurred.

http://www.sysinternals.com


Amy April 5, 2010 at 10:37 PM

You guys saved my neck with this. I followed the instructions to the letter. And it not only cleaned this up, but now my computer is running better than it has in years. Thanks you, thank you, thank you!


malc April 5, 2010 at 10:38 PM

Hey folks

Thx for this info.

I downloaded your file trojan_fakerean_exe_fix.reg, which allowed me to run Malwarebytes. Brilliant.

I got a very similar virus from pirate bay (drive-by download) a month ago. At the time I was running McAfee. A techie friend said it was safer to avoid the leading av software and rec. Zonealarm and Spybot S and D. I got both, and kept Spybot resident. Thought I had it sussed now. So ‘drove’ back to piratebay – and in 20 seconds I had this version of the virus.

Anyway, you helped me get rid. Last time ended up reinstalling (on secondary machine fortunately).

Thx again

Moral: avoid Piratebay. (Someone else reported getting it at isohunt. I am investing in private torrent anyway – uses proxy.)

I have also invested in a paid version of Malwarebytes which checks realtime. (Found a voucher code making it £17, or $25)

These drive-bys are a sod!

cheers

M


Anonymous12 April 5, 2010 at 10:43 PM

Works perfectly!


deepj April 6, 2010 at 1:38 AM

hi guys
Just find the ave.exe file in your PC by searching for it. Make sure you search the hidden files too. You might get 3 to 4 items. Open Task Manager and under Processes, if you find any AV…… process, kill that and delete those files found above. After that you will get the file association error for sure.

So you have to follow the instructions below:

For XP
********

Open Registry Editor- Start->Run->Regedit

STEP 1: Go to the following location: HKEY_CLASSES_ROOT\.exe\shell\open\command, where "(Default)" = "av.exe" /START "%1" %*

and delete the items in bold and change it to the correct entry, which is "%1" %*

STEP 2: Go to the following location: HKEY_CLASSES_ROOT\secfile\shell\open\command, where "(Default)" = "av.exe" /START "%1" %*

and delete the items in bold and change it to the correct entry, which is "%1" %*

STEP 3: Go to the following location: HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command, where "(Default)" = "av.exe" /START "%1" %*

and delete the items in bold and change it to the correct entry, which is "%1" %*

STEP 4: Go to the following location: HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command, where "(Default)" = "av.exe" /START "%1" %*

and delete the items in bold and change it to the correct entry, which is "%1" %*

STEP 5: Go to the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command, where "(Default)" = "av.exe" /START "iexplore.exe"

and delete the items in bold and change it to the correct entry, which is C:\Program Files\Internet Explorer\iexplore.exe

For Vista
***********

1. Just go to c:\windows
2. Right-click on regedit and click on Run as administrator.
3. Once Registry Editor is open, navigate to HKEY_CLASSES_ROOT\.exe
4. Change the default value to exefile from secfile.
5. Close Registry Editor and check.

Let me know guys if you need more help


jim April 6, 2010 at 4:43 AM

I mapped a drive to the infected PC and dropped the reg, MWB and CCleaner Lite onto the desktop, then ran them in that order. The next issue was IE did not run from the QL toolbar. I pasted a new copy there and it was ok. But all the things that show up in Start\All Programs, (on XP/SP3), don’t work. ie: MS Office shortcuts won’t launch but if you dclick on a doc, word opens the file, xls launches Excel etc. So XP still has the file extension to app reference intact, but the shortcuts will all have to be remapped to their respective exe. I can copy/paste across a mapped drive but it’s gonna take hours to get them all back. Anyone know a faster way to restore them?


Epsilon April 6, 2010 at 9:09 AM

Hey.
I just wanted to say thanks for the help, its working perfectly!
This thing is really annoying, I’m glad to be getting rid of it ;) .

Keep up the good work!


tony April 6, 2010 at 3:07 PM

i was infected with the antivirus xp spyware.
i have cured it by downloading and running superantispyware

after this my .exe files would not work but i followed the instructions on http://www.adamsdvds.co.uk/tutorials/windowsxp/file_extensions/exe_not_working.php
and now everything is back to normal with no infection!
success!!!!!!!!!!!!!!!

i hope this helps.


jaconway88 April 7, 2010 at 12:59 AM

bravo for mbam & benevolent people who know how to write to registries


Anonymous April 7, 2010 at 1:07 AM

I got this nasty thing today on my desktop (using laptop to send this). I ran the registry fix but did not see “Click Yes to merge the registry data.” It did ask me something like if I wanted to update the registry — I said yes. Am I OK? Malwarebytes is running as we speak. It hasn’t found anything yet and I think it is halfway through.

After Mbam finishes and turn off/on sys restore and run ccleaner, is there anything else I need to do? (why is everyone talking about deleting files — will mbam do all of that for me)?


FrankScully April 7, 2010 at 5:59 AM

1. I removed the ave.exe from my disk wherever the scan found it
2. I called up System Restore and fortunately a restore point was established just a few hours before I got infected

This is a simple one-step recovery which, if left turned on, saved me a lot of grief.

So far no problems.

Reply

Brent April 7, 2010 at 6:04 PM

I got this virus last week and took the steps outlined above. It was easy, and it looks like I’m in the clear. Question about one thing, though. I now get a message in the system status tray saying a couple of programs are not being allowed to run at startup. Not sure why I’m getting this message now, as I didn’t previously. And the source is supposedly Windows Defender. Since the virus masqueraded as Defender, I’m a bit hesitant to accept what it’s telling me. The two programs the Defender window refers to appear to be toscdspd.exe and NDSTray.exe.

Reply

Shanmuga April 7, 2010 at 11:24 PM

@Brent. It’s difficult to confirm the legitimacy of the mentioned files without analyzing them. A quick search in Google says that they are normal on a Toshiba laptop, so if you are on one, they are probably safe.

Homeworker April 7, 2010 at 11:54 PM

THANK YOU FROM THE BOTTOM OF MY HEART! LOL! I have tried everything, reading all forums to get rid of this wretched AVE.exe. I followed what you said STEP by STEP and that monster is GONE! Thank you so much, nothing else worked except YOUR INSTRUCTIONS! BRAVO!

Reply

mojo_risin April 8, 2010 at 4:21 PM

Hi, thanks for the advice. This was a mother of a virus and took me 6 hours to fix properly.

I deleted the ave.exe file under C:\Documents and Settings\[username]\Local Settings\Application Data\

and ran Malwarebytes,

then I also did a System Restore from a couple of weeks old.

Now I have taken admin privileges away from my user account and created a separate admin user. 99% of the viruses need admin privileges to be successful.

Reply

bittybotty April 9, 2010 at 5:36 PM

I have just followed this piece of advice and deleted ave.exe from the directory. Yet I can’t load the PC into Safe Mode. I have no permissions to run Firefox. And it only runs for a minute or so before it then crashes and I have to reboot.

Please can somebody help me, been at this for 2 hours now.

Reply

CowboyCoder April 10, 2010 at 10:42 AM

bittybotty,

Are you following the removal steps outlined by Shanmuga in the above under this heading:

ave.exe Removal (How to remove ave.exe)

Reply

tida April 11, 2010 at 9:52 PM

Please bear with me, I’m not computer savvy whatsoever… I have Malwarebytes, SuperAntiSpyware, Avast… Malwarebytes and Avast don’t find the virus but SuperAntiSpyware sort of does. It finds 2 trojans that, when removed, stop the lovely and not at all annoying pop-ups from XP Antimalware 2010. Once I quarantine and reboot they go away temporarily. Somehow eventually they come back. OK, so I did a search of my computer and found a AVE.EXE – 2b480EEE.pf in windows/prefetch. Is this the ave.exe file I’m supposed to delete? I haven’t seen anyone else call it that.

Reply

Jut April 12, 2010 at 11:52 AM

THANK YOU SO MUCH FOR YOUR WISDOM. But now I cannot open my exe files correctly. What do I do?!

Reply

Shanmuga April 12, 2010 at 12:35 PM

“Right click and save the registry file as trojan_fakerean_exe_fix.reg – trojan_fakerean_exe_fix – 156 Bytes. Left click to run the registry file, Click Yes to merge the registry data. This will delete the offending registry keys blocking the .exe files.”

tida April 12, 2010 at 6:23 PM

Virus not showing up/being caught by Malwarebytes and other programs. Don’t know much about computers, can someone help please. How do I manually remove them? Is AVE.EXE – 2b480EEE.pf the same as the ave.exe file mentioned above? Do I just right-click and delete it? Help please.

Reply

Shanmuga April 12, 2010 at 7:11 PM

A file with an extension of .pf is not malicious by itself. It’s just a Windows prefetch file. Instead of trying to remove the malware manually by yourself, please post about your problem in one of the recommended forums for malware help. BTW, can you tell me the actual name of the scareware affecting your system?

dan April 13, 2010 at 2:36 AM

Perfect solution! Thank you.

Reply

Flyingspongebob April 15, 2010 at 6:49 PM

Thanks, very, very useful.

Reply

Joe April 16, 2010 at 3:47 AM

You rock Shanmuga, I was able to clean the PC using your directions as a reference!

Reply

Manson April 16, 2010 at 8:19 AM

I right-click to save and put .reg at the end, but it’s still a text file… under options, I can only save it as text or all files…

Reply

Shanmuga April 16, 2010 at 8:28 AM

Yes, save it and then rename it so that it ends with .reg.

Manson April 16, 2010 at 8:34 AM

OK, I think I got it to become .reg… but when I click merge, it says “Cannot import trojan_fakerean_exe_fix.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor.”

Reply

Shanmuga April 16, 2010 at 8:58 AM

It’s not being saved as a registry file? Right-click and open the file in Notepad. In the File menu click “Save as” and save it as “trojan_fakerean_exe_fix.reg” with file type “Text Documents (*.txt)”. Now right-click “trojan_fakerean_exe_fix.reg” and choose “Merge”.

Gary April 16, 2010 at 4:07 PM

Thanks SO much for your solution!
I’ve been computing a long time and I’ve never had such a nasty and cunning piece of malware. Furthermore, 2 full scans by my well-known and registered antivirus program did not detect it, and let it infect my computer. You can bet I won’t re-register with them!
Your solution was clear, simple and elegant. Other than the 2.5 hour wait for the clean scan it was a breeze!

THANK YOU!

Reply

Bailey April 16, 2010 at 8:20 PM

I can’t find anything that says, Yes to merge the registry data. I’m stuck at this step. :(

Reply

Shanmuga April 16, 2010 at 8:38 PM

Right-click the downloaded “trojan_fakerean_exe_fix.reg” and choose “Merge”. You will see a dialogue box pop up with a message similar to “Are you sure you want to add the information in trojan_fakerean_exe_fix.reg to the registry”. Click “Yes” to merge the registry data.

Reply

Marek G April 16, 2010 at 11:29 PM

Hey, thanks a lot man, I’m the admin at a college and I couldn’t get rid of this thing even by running MB in Safe Mode.

And BAILEY, you need to remove the .txt from the filename so it becomes .reg, as mentioned in the instructions.

Reply

andrew April 17, 2010 at 1:03 AM

I am having problems with the .reg file as well… I don’t have a ‘merge’ option… please help!

Reply

andrew April 17, 2010 at 1:04 AM

Never mind, fixed! Thanks!

Reply

Ant April 17, 2010 at 1:24 AM

It might be useful to know, I have Windows 7 Ultimate and this appeared suddenly, after installing a Microsoft update. A little confusing to get my head around, but on my Windows 7 it’s coming up as Antivirus WIN7. I found the AVE.EXE file from a pop-up notification, clicked the settings icon and found the file name there. The Malwarebytes software is brilliant, found 367 infections from 1,345,897 in under 3 minutes! Really good, thanks for this, was getting really p*ssed off with the constant fake thing coming up!

Reply

Bailey April 17, 2010 at 1:31 AM

I saw no ‘merge’ of any kind. I dragged and dropped it into the registry. That seems to have done the job. >_< Am I doing it right…?

Reply

Ant April 17, 2010 at 1:40 AM

If you’re having trouble with the registry file, try this way. This is the way I’ve done it many a time on my computers/laptops and many friends’ and families’ laptops/computers.

Open the registry file on the website (the link in step one of removing the ave.exe file),
copy all the text you can see,
now open WordPad,
paste everything in,
click “Save as” and make sure it goes onto the desktop (there should be a desktop icon on the left), and make sure it’s saved with the file name docs.reg.
Now go on to your desktop and look for the icon; it looks a little strange, a bit like an aqua-colored Rubik’s cube. Double-click it and click Yes to anything that comes up.

Then click Finish or OK.

It should have worked; if not, try step 2 on this website, worked for me.

Hope this helps.

ant

Reply

Bailey April 17, 2010 at 1:49 AM

Hey Marek, actually the way you put it is more clear than the instructions, which I did take note of and tried to do over and over. I even read all these comments and saw people have a similar problem and tried to again do what the instructions said. It’s just that part of the instructions is confusing I guess (to a newb like me, excuse me).

This whole thing has been really helpful. I hope it works.

Reply

dom April 17, 2010 at 5:14 AM

Just got this pesky virus and having some problems removing it (like most). I am running Windows in Safe Mode with Networking in an attempt to use Malwarebytes but it’s refusing to load the program so that I can remove it. Any ideas as to what I should do?

thanks

Reply

Gaurav April 17, 2010 at 7:46 AM

I was really frustrated trying to remove this virus since my antivirus software was not reporting that ave is installed. I was not able to open any website as the virus had hacked my Internet Explorer. Then I logged in with my other user profile and was able to search the internet for possible causes. Then I found that ave.exe is the file that causes the problem. I also installed STOPZILLA antivirus. After this I again logged in with my previous user profile and at the start itself I opened Task Manager and killed ave.exe. Now I ran a complete scan using StopZilla. It showed the path where the infected file was but it did not delete it. Then I went to the Microsoft support site http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fFakeRean

Here I used the online scan feature and this step corrected three registry entries for me. After this I again uninstalled StopZilla and logged off. Next time when I logged in again I did not see ave running on its own. I did a complete scan using my antivirus and found no problems. Since then I think the system is running fine.

The Microsoft site was really helpful. Also I got the whole information on this site. Thanks to all!!!

Reply

Charlie April 17, 2010 at 3:16 PM

You guys got me out of a deep hole called ave.exe. Brilliant.

Reply

christian carlsen April 17, 2010 at 8:42 PM

After removing the ave.exe I cannot use my LAN connection. I just get a standard 169 address which says there is no connection to the internet. The PC I’m writing on is on the same router and works perfectly. Any ideas?!

Reply

big al April 18, 2010 at 2:52 PM

Thanks for this help!!! Your advice worked perfectly.

Reply

Anon01 April 19, 2010 at 9:18 AM

Instructions worked perfectly.

Many thanks.

Reply

Anon007 April 20, 2010 at 1:18 AM

I had this virus the other day and by following the directions here, I got rid of it. However the next time I turned on my computer, the virus came back with newfound vengeance. I’m thinking there is some kind of hidden file in my computer that keeps on installing the virus on startup. Can anyone help me out here? :(

Reply

Anonymous April 20, 2010 at 7:29 AM

I still can’t run the (trojan_fakerean_exe_fix.reg) file!

It says “Cannot import……: Error accessing the registry.”

I’ve already tried to import by running regedit with the same response.

HELP!!!

Reply

bouncer April 20, 2010 at 11:28 PM

I really am thankful, this virus has been killing me and I have found no way of getting it deleted completely. I ran Malwarebytes but the next morning Antispyware XP pops up and I thought it went away. For days, I’ve been trying to get it gone and came upon this site. THANK YOU! It’s completely gone, please do not go on Pirate Bay!!

Reply

Hannah April 21, 2010 at 2:36 AM

Thank you so much for this! I spent hours fighting this virus this evening and I finally think I won, thanks to the reg file posted above. You guys are the best! I dread to think how much this would have cost in the computer shop.

Reply

Marro April 21, 2010 at 8:59 AM

You made Malwarebytes sound so simple, I finally downloaded it. Took it down instantly. BTW, a name to add to your list in XP is AntiSpyware XP. Thanks for giving me the motivation to download Malwarebytes. xD

Reply

boris April 22, 2010 at 8:06 PM

Cannot open regedit along with any exe.

Reply

boris April 22, 2010 at 8:19 PM

Found a way to start exe: from Start –> Run –> command.com
You get a black screen, then regedit works nicely.

Reply

Heather W April 23, 2010 at 7:27 AM

If you deleted the ave.exe file and the exe files no longer run, when you get the window asking which file to open it with, browse to C:\Windows\system32\ and select the win.com file. That will let your exe run. You will need to do this to be able to edit the registry with regedit.exe.

In Regedit delete the HKEY_CLASSES_ROOT\.exe, HKEY_CURRENT_USER\Software\Classes\.exe and HKEY_CURRENT_USER\Software\Classes\secfile keys (folders).

Then edit the default entry in the HKEY_CLASSES_ROOT\exefile\shell\open\command folder to "%1" %*.

Finally create a new HKEY_CLASSES_ROOT\.exe key.
Edit the default entry to exefile. Add a new String Value and name it Content Type.
Modify the data to "application/x-msdownload". Now you can run your exe files and you can re-enable the firewall in the Windows Control Panel.

Reply
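The repair steps in the comment above double as a checklist for spotting the .exe-association hijack in the first place. The following is an added example, not code from the original post or its author: it parses a regedit export (a constructed sample, with a placeholder path for the rogue) and reports anything that deviates from the clean association those steps restore.

```python
"""Audit a regedit export for the .exe-association hijack that the comment
above repairs by hand.  Added example, not code from the original post: the
snapshot below is constructed and nothing here touches a live registry."""

# Constructed sample of what the hijacked association looks like: .exe is
# redirected to a bogus 'secfile' class whose open command runs the rogue
# first.  The rogue's path is a placeholder, not a value from the page.
HIJACKED_SNAPSHOT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="secfile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\PLACEHOLDER\\ave.exe\" /START \"%1\" %*"
'''

EXPECTED_COMMAND = '"%1" %*'   # what exefile\shell\open\command should hold

def parse_reg(text):
    """Parse regedit export text into {key: {name: data}} ('@' = default value).
    Only string (REG_SZ) values are handled; the association keys use nothing else."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and '=' in line and line.endswith('"'):
            name, data = line.split('=', 1)
            name = '@' if name == '@' else name.strip('"')
            # undo regedit's escaping: \\ -> \ and \" -> "
            keys[current][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return keys

def audit_exe_association(keys):
    """Return findings for a parsed export; an empty list means it looks clean."""
    findings = []
    handler = keys.get(r'HKEY_CLASSES_ROOT\.exe', {}).get('@')
    if handler != 'exefile':
        findings.append(f'HKCR\\.exe points at {handler!r}, expected exefile')
    # HKCR is merged from HKLM and HKCU\Software\Classes, so a per-user
    # .exe or secfile key silently overrides the machine-wide association.
    for key in keys:
        if key.startswith(r'HKEY_CURRENT_USER\Software\Classes\.exe') or '\\secfile' in key:
            findings.append(f'unexpected association key: {key}')
    # any open command other than the plain "%1" %* runs something else first
    for key, values in keys.items():
        if key.endswith(r'\shell\open\command') and values.get('@') != EXPECTED_COMMAND:
            findings.append(f'{key} runs {values.get("@")!r}')
    return findings

if __name__ == '__main__':
    print(*audit_exe_association(parse_reg(HIJACKED_SNAPSHOT)), sep='\n')
```

Run against the constructed snapshot it reports three findings: the redirected HKCR\.exe default, the per-user secfile key, and the secfile open command that launches something other than the plain "%1" %*.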

mouri April 24, 2010 at 7:07 PM

Second time saved my butt. Thank you.

Reply

bassmanuk April 26, 2010 at 2:39 AM

Thanks for this, found it too late, formatted disk and did a clean install.

Reply

Dave April 28, 2010 at 9:03 AM

I always do everything that this page says and it’s good for a week then it comes back! I know exactly too when it comes back because my browser will crash then it begins all over again.

There has to be another fix rather than the ones already listed in here. It’s getting quite annoying having to battle this annoying trojan every week!

Is there any reason why the ave.exe file keeps on coming up in the C:\WINDOWS\Prefetch folder?

I’ve also gone as far as deleting any instances of the csrss.exe files that exist outside of the C:\WINDOWS\System folder.

I don’t know what else I can do. Please help.

Reply

Shanmuga April 28, 2010 at 9:49 AM

Do you use any updated antivirus program for real time protection? Reset System Restore. Use CCleaner to clear your temporary files. Also check the option to clear Prefetch folder.

boss April 29, 2010 at 10:07 AM

If you have a shortcut to a web page on your desktop, right-click > Open with > Firefox. You may be able to get Firefox open on your infected computer to download the fixes from this page. This bypasses executing your browser from the normal exe startup.

Reply

brendaj April 29, 2010 at 9:50 PM

I got this 2 days ago when my kids were once again downloading stuff without scanning it for viruses. This is the second time I’ve encountered this type of virus, where it acts like your security system. However, this one is really clever; it has blocked my attempts to access System Restore and Add and Remove Programs. I am going to work on my computer tonight with the downloads and instructions you gave. All of the previous reviews give me hope, so maybe I will have the same luck. I’ll let you know.

Reply

Ethermist May 15, 2011 at 1:41 AM

Shan,
Thank you so much for posting these easy-to-follow instructions.
Your method worked like a charm the very first time.

Reply

trvcic May 21, 2011 at 9:07 AM

OMG, thanks so much! This annoying little bug was obvious from minute one, getting rid of it less so. I want to have your babies now!

Reply

bongo December 20, 2011 at 5:02 PM

Thanks for the great post. However, I have the Kaspersky antivirus (not the Internet Security). I started having this attack the very day I installed Malwarebytes (Chrome and Firefox were crashing every time), so I was a little apprehensive about installing it again. Instead I found two copies of the file in the Prefetch folder and, after running the reg file, I manually selected the virus files to be quarantined by Kaspersky. Now I have installed Malwarebytes and am presently doing a full scan. Have also re-installed Chrome, and so far so good. My question is: do I restore the virus and let Malwarebytes detect it, or should I delete the files from the quarantine stage itself? Thanks

Reply
