I have virus av.exe and cannot remove it
This trojan runs as a rootkit, so you won't see it when it's running. It is a single file in C:\Users\username\AppData\Local (Vista), or C:\Documents and Settings\username\Local Settings\AppData (XP). It is marked as a system file, so you'll need to use the Folder Options in the control panel to unhide hidden and system files and folders. As I said, with the rootkit loaded, you still won't see it there until you unload it. It runs by changing the registry so that any .exe run will instead load the trojan. Attempts to run Internet Explorer or Mozilla Firefox will also instead run it. If you delete the file, or your antivirus finds it and deletes it, the changes to the registry will mean that from then on, whenever you try to run a program, you'll get a Windows message asking you to select the file you want to use to open the .exe. (If this is the case, you'll need to use regedit in safe mode with command prompt, or rename regedit.exe to regedit.com.)
To defeat the trojan, you must undo the registry changes, then reboot to reveal the file, then delete it. Here's how.
Run regedit. The trojan will load and give you all the fake warnings hassle. Do Ctrl-Alt-Del, and find the process 'av.exe'. End the process. Now in the registry editor, search for 'av.exe'. You should find a section HKEY_CLASSES_ROOT\.exe, where the (Default) REG_SZ has been set to 'secfile'. Edit this back to 'exefile'. Keep searching and you'll find HKEY_CLASSES_ROOT\secfile. Delete the whole secfile section. Keep searching; you'll find the odd line where it may be a recently 'searched for' item, where you can just delete the line, and you'll find it in a command line to run Internet Explorer. The full path to the trojan will be specified before the path to Internet Explorer. Edit this line to remove the path to the trojan, leaving just the path to Internet Explorer. A similar edit may be required for Mozilla Firefox. Find any other occurrences of av.exe and deal with them in the same way.
Now, reboot the PC, and the trojan will not start up. Display system and hidden files, then go to the location of the trojan. Now you can see the little swine. Delete it, and empty the recycle bin.
Feb 07, 2010
ASUS Eee PC 900 Notebook
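The registry checks the answer above walks through by hand, written up as an added PowerShell script (not from the original post or its author). It assumes the 'secfile' ProgID and the 'av.exe' filename described in the answer, reports what it finds, and only changes the registry when run with -Repair from an elevated prompt; note that HKCR is a merged view, so a per-user hijack under HKCU\Software\Classes shows up there too.

```powershell
# Added defensive check/repair for the .exe association hijack described in the
# answer above (constructed example, not the poster's own steps). The answer's
# advice still applies on an infected machine: end av.exe first, or run this
# from Safe Mode with Command Prompt.
param([switch]$Repair)

$hkcr     = 'Registry::HKEY_CLASSES_ROOT'
$rogue    = 'secfile'          # ProgID the trojan substitutes for 'exefile' (from the answer)
$findings = @()

# 1. The (Default) value of HKCR\.exe must name the 'exefile' ProgID.
$progId = (Get-ItemProperty -Path "$hkcr\.exe" -ErrorAction SilentlyContinue).'(default)'
if ($progId -ne 'exefile') {
    $findings += "HKCR\.exe default is '$progId' (expected 'exefile')"
    if ($Repair) { Set-ItemProperty -Path "$hkcr\.exe" -Name '(default)' -Value 'exefile' }
}

# 2. The rogue ProgID key should not exist at all; record its launch command first.
if (Test-Path "$hkcr\$rogue") {
    $cmd = (Get-ItemProperty -Path "$hkcr\$rogue\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    $findings += "HKCR\$rogue exists; its open command is '$cmd'"
    if ($Repair) { Remove-Item -Path "$hkcr\$rogue" -Recurse -Force }
}

# 3. The genuine exefile launcher must be the stock "%1" %* command.
$stock      = '"%1" %*'
$exefileCmd = (Get-ItemProperty -Path "$hkcr\exefile\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
if ($exefileCmd -ne $stock) {
    $findings += 'exefile open command is ' + $exefileCmd + ' (expected ' + $stock + ')'
    if ($Repair) { Set-ItemProperty -Path "$hkcr\exefile\shell\open\command" -Name '(default)' -Value $stock }
}

# 4. Any other shell\open\command under HKCR that still mentions av.exe (e.g. the
#    browser launch lines the answer mentions) is reported for manual review,
#    because the trojan path is prepended to a legitimate command there.
Get-ChildItem -Path $hkcr -ErrorAction SilentlyContinue | ForEach-Object {
    $p = "$($_.PSPath)\shell\open\command"
    if (Test-Path $p) {
        $v = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'(default)'
        if ($v -match 'av\.exe') { $findings += "$($_.PSChildName): $v" }
    }
}

if ($findings.Count -eq 0) { 'No av.exe-style .exe association hijack found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

After a repair, reboot as the answer says and then delete the now-visible file; rerun the script without -Repair to confirm nothing is reported.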