I believe that the executable “AV1.exe” is the last remaining piece of the removal of AV 2010 by malwarebytes. My Comodo Internet Suite at each start up (or a few minutes after start up) alerts me with “AV1.exe” trying to execute, leave this program in the sandbox? I always answer YES, but next start up I receive the same alert. I have tried to find this file (in safe mode). Comodo says it lives in \user\me\AppData\local\temp.
I have looked there and found nothing.
Would disabling my “restore points” and rebooting several times help with problem? Is AV1.exe hiding out in the Hive possibility? Any hints or suggestions would be appreciated.
Have you tried enabling the option to show hidden files and folders? If this isn’t enabled that’s probably why you can’t see the file at that location.
Also, which OS are you using?
check in scheduler, there must be a job file left over from the install that mbam did not remove.
maybe just cleaning the temp files will work (:NRD)
Thanks to all for suggestions, really beating my head against the wall on this one. Currently running Vista Home Premium SP2 and have enabled “show hidden files & folders”. Haven’t checked the scheduler, will do so and report the results. I have found files “hidden” in “\System Volume Information\Microsoft” on other machines with this malware (AV(K) 2010). It is really going around here in Beaufort, SC. I have disinfected about 30 systems so far in about a 2 month periods. Each infection seems to develop new tricks and take longer to clean out. Again thanks for pointing me into some new territory.
New input is always welcomed, you can get too close to a problem I have learned over the years, and a fresh outside set of eyes will see something you have overlooked.
Will report back as to success or failure on these tracks. Sandbox just popped up again as I am typing this replay to tell me that “AV1.exe” will be kept running in the Sandbox, and not to be concerned.
Progress report on Stamp out AV1.exe problem. Well I checked the scheduler, nothing suspicious there that I could detect. I shut down a few un-needed tasks (bluetooth, don’t use bluetooth so why start it up right?). Looked in every /temp file I could find, again nada, nothing.
While I was investigating I did run across another symptom (clue) maybe? I have three accounts on my affected laptop running Vista SP2 Home Preminin. I have an Admin account, one for myself, and another account for my wife (she doesn’t use her account very often, because she has a PowerBook Pro). She a teacher! What can I say, seriously, love Macs, no flame wars please, I have nothing against any hardware or OS personally. I had to work with CPM, VMS, OS8,9, OSX, Win3 and on, GEOS, remember GEOS? DEC.
But I digress, about my three accounts, the only account that Comodo pops up the AV1.exe alert is in my account, not in the Admin account, not in my wife’s account. So something confined just to my profile, does that ring a bell with anyone?
I have attached a screen shot of the Comodo alert I get every few minutes, I don’t have to do anything, it just is a nuisance.
[attachment deleted by admin]
please download malwarebytes and superantispyware run and scan with both of them, and remove anything they find. Download Malwarebytes Anti-Malware 188.8.131.526 for Windows - Filehippo.com Download SUPERAntiSpyware Free Edition
Thanks for the suggestion to try Matwarebytes and SuperAntiSpyware. Both are regular resident programs on my laptop, unfortunately I was running the free version of Malwarebytes at the time of the infection and have since upgraded to the “full” version.
I continue to run both of these programs after downloading current updates and neither one will pickup the location of “AV1.exe” in Comodo’s Sandbox. The “Sandbox” must be very well hidden as I have tried to find it also myself without success.
As an interim solution to the annoying pop up I have just turned off the “alert me” box in the Sandbox settings. Maybe since you are “on the inside” you could shed some light on the physical location of the “sandbox”? Again, I don’t view this as a major problem as Comodo appears to be handling the “bad” file each time by placing it in the Sandbox automatically, nut as a Computer/Network Engineer (retired) I just can’t let it go. I think everyone on this forum knows how this goes with us old techs.
did you check the scheduler like I said before for left over tasks?
also the automatic sandbox is not accessible from anywhere, programs sandboxed automatically are done so in ram, and when you reboot it gets cleared out. also just for giggles try the new emsisoft emergency kit, download it, update the definitions and do a deep scan. http://www.emsisoft.com/en/software/eek/
I did check out my scheduler as you suggested, but did see anything out of the ordinary (to me). I will see if I can copy the contents of my scheduler and paste it for you to look through, perhaps you’ll spot something that I have overlooked. At this point I just might be able to “see the forest for all the GD trees”.
Will also try the new antivirus/malware link download you attached and let you know if it turns up anything interesting. Thank you and everyone else who has pipped up with suggestions so far. I just hate it if a problem beats me, it ruins my 99.9999% near perfect record. Don’t you just hate that also, so I always look forward to learning a new trick or tool to add to my toolbox.
Will let you know the results.
John B. a.k.a. TaiChiBabbo
You can always find and remove it manually, if you know the file names (I’d do this in safe mode)
click on “edit”
Click on “find”
remove all the files by deleting it and click next
Do the same thing with windows search
DON’T DELETE THE WRONG FILE
Will it is late here in Beaufort, SC (09:30 they roll up the sidewalks downtown at 6:00pm) but I think I have stumbled on the elusive file. Thanks to the original suggestion to dig into my task scheduler (which I did from my Admin account and didn’t see anything hocky). Then when I realized the alerts were only popping up in only “my user account” did I think to see what was different going on in the scheduler from my login on.
So back into the scheduler in “my account” login as Admin and I saw this, see attached JPG picture. A task that was constantly trying to start but being killed (Sandboxed I realized) every time (by Comodo). Like I said I was so far into the woods I couldn’t see the trees anymore. But thanks to some constant prodding from members of this forum, we have prevailed!
I have turn the “alerts” back on in my Sandbox settings after boot up in “safe mode” and going into /windows/system32/Tasks and renaming the “suspect” task. Just added my favorite .bak to the end of the file name (old UNIX habit, don’t kill it until you are absolutely sure), rebooted back into normal mode and so far no more “AV1.exe” alerts from Comodo Sandbox.
I will hold my breath for awhile but I think I will be able to put this post to bed tomorrow if all stays quiet.
Thanks to all for the fresh ideas and helpful suggestions, will let everyone know.
[attachment deleted by admin]
sounds good, I knew it had to be in task manager some where.
Yep, you were right on the money! Just had to get into the correct scheduler view (under my login, after I signed on). That was the last piece of the puzzle for me to plug into your suggestion. It was only happening in my account and none of the other accounts on my laptop.
Again, thanks, hope we can put this one to bed.
Question, what should I place in the “Subject” line to indicate a “dead” topic? Most forums vary is why I ask.
So just used “Solution Found - Topic Closed” or words to that effect. What is this forum’s form, I did a quick look around but didn’t see any closed topics.
normally we put [SOLVED] I’ll change it and close the thread, if you have a different problem please open a new thread or if this problem keeps happening please PM one of the mods to reopen this thread.