AVE.EXE Trojan made it through

Just wanted to let everyone know that I had a trojan on my computer last night that snuck through Avast. It ran a program that was similar to the Windows Firewall Update. Luckily I run my own stuff on my computer and spotted it before it got out of control. The program is run as AVE.EXE on your process list. It basically shut down all access to .EXE files. I even did a boot scan with Avast last night and it didn’t catch it. So, I kept the task manager open, shutting down the app as soon as it would start, while working on deleting it. I ran a regedit (go to your Run icon on your start bar and type it in) and then went to the Edit tab and then, under the Find button, typed AVE.EXE. I deleted all the files associated with this program, always selecting the Find Next in the Edit tab, but be careful to only delete the files associated with AVE.EXE though. After doing this, my computer still would not run any .EXE programs, but at least the annoying program was gone. So, I selected my Firefox .EXE (can be done with any .EXE file) and right-clicked and went to Tools and File Options, and then created a file extension: .EXE and associated it with Applications. And like that it was gone. Ran another boot scan and everything was fine. Hope this helps if you are as unlucky as me.

Send the sample to virus (at) avast (dot) com, zipped and password protected, with the password in the email body; a link to this topic might help, and put "undetected malware" in the subject.
OR
avast5 - Send the sample to avast as an Undetected Malware:
Open the chest and right click in the Chest and Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’, complete the form and submit; the file will be uploaded during the next update.

The malware has set itself to run through the following keys, which can safely be deleted:

[-HKEY_CURRENT_USER\Software\Classes\exefile]
[-HKEY_CURRENT_USER\Software\Classes\.exe]

Sometimes the HKU key is added/altered as well
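A read-only check for the per-user `.exe` / `exefile` keys named in the reply above, as an added example that is not part of the original thread: it parses the text of a `reg export` dump and lists those keys under HKCU or HKU, marking values that differ from the Windows defaults. The function name, the sample export and the `C:\PLACEHOLDER` path are constructed for illustration.

```python
import re

# Windows defaults, which live under HKEY_LOCAL_MACHINE\Software\Classes.
STOCK = {".exe": "exefile", r"exefile\shell\open\command": '"%1" %*'}
USER_ROOTS = ("HKEY_CURRENT_USER\\", "HKEY_USERS\\")

# Constructed sample export; the path is a placeholder, not a value from the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="exefile"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\PLACEHOLDER\\ave.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

def find_exe_overrides(reg_text):
    """Return [(key, default_value, differs_from_stock)] for per-user keys.

    Assumption: a clean profile has no per-user copy of these keys, so every
    entry returned deserves a look, not only the ones marked True.
    """
    findings, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.fullmatch(r'@="(.*)"', line)
        if not (m and key and key.upper().startswith(USER_ROOTS)):
            continue
        # Path below ...\Classes\ (HKU hives may use <SID>_Classes\ instead).
        tail = re.split(r"classes\\", key, maxsplit=1, flags=re.I)
        sub = tail[1].lower() if len(tail) == 2 else ""
        if sub in STOCK:
            # .reg files escape backslashes and quotes with a backslash.
            value = re.sub(r'\\(["\\])', r"\1", m.group(1))
            findings.append((key, value, value != STOCK[sub]))
    return findings

if __name__ == "__main__":
    for key, value, differs in find_exe_overrides(SAMPLE_EXPORT):
        print("REVIEW" if differs else "present", key, "->", value)
```

`reg export` writes UTF-16 text, so decode the file with that encoding before passing its contents to the function.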

Hi Breeze,

Additional info here:
http://www.malwarehelp.org/ave-exe-a-multiple-rogues-in-one-trojan-fakerean-2010.html

polonus

This happened to me just now – no idea how. Installed on my machine despite having Ad Aware and Avast both running. I had shut off Zone Alarm however. Very disappointing – please fix this hole ASAP!
:-[

One of my users just got infected with this. Any chance Avast (managed) could be updated to catch this? This is the first compromise we’ve had since we started with Avast two years ago.