XP-E9EF8E2E.EXE removal

Quickheal: Worm.AutoRun.soq
Avira: TR/Drop.VB.1509591
McAfee: W32/Autorun.worm.dq.gen


The last update of this worm was seen in August 2009. Many versions of it have been troubling computers for more than a year. The worm mainly targets the "C:\WINDOWS\System" directory. When first executed, it drops a number of files with unusual extensions such as fne, run, edt, fnr, etc. It also adds a few DLLs to the folder and edits the registry so that it runs at every system startup. A file named "XP-E9EF8E2E.EXE" is added to the registry as well as to the %System% directory, and this is the main file that affects your system.

When a removable disk is detected, the worm immediately adds an autorun.inf to the drive along with a file named "Recycled.exe", which contains the code to launch "XP-E9EF8E2E.EXE". It also adds several unknown characters like "´ò¿ª(&O)" and "ä¯ÀÀ(&B)" to the autorun file, so that these symbols appear among the options when you right-click the removable disk. In addition, the worm places a shortcut to the file in "C:\Documents and Settings\User\Start Menu\Programs\Startup\", ensuring that "XP-E9EF8E2E.EXE" is launched at startup. Now let's take a look at the removal instructions for this worm.

Manual instructions to remove XP-E9EF8E2E.EXE:

  1. First, reboot your system in Safe Mode. Go to Start --> Run and type "regedit". Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    Once you're there, look for the following entry in the right-hand pane of the registry editor:

    XP-E9EF8E2E = "%System%\XP-E9EF8E2E.EXE"

    Delete the entry.

  2. Go to Start --> Run again and type "msconfig" in the box. In the window that opens, select the "Startup" tab and uncheck the "XP-E9EF8E2E.EXE" entry (if it is present).

  3. Restart your computer again for the changes to take effect. Navigate to "C:\Documents and Settings\User\Start Menu\Programs\Startup\" and delete the file "iiiiii.lnk". This is the shortcut placed there to launch the worm at startup.

  4. Now you'll need to delete the files created by the virus through the command shell. To do this, go to Start --> Run and type "cmd". Once the shell is open, type "cd C:\WINDOWS\System" and remove the attributes of the following files by typing "attrib -r -a -s -h {filename}". The files are:

    dp1.fne
    com.run
    og.EDT
    krnln.fnr
    shell.fne
    eAPI.fne
    internet.fne
    spec.fne
    RegEx.fnr
    XP-E9EF8E2E.EXE

    After removing the attributes, type "del {filename}" to delete each file.

  5. Once you're done, unregister the following DLLs created by the worm in the same directory:

    ul.dll
    og.dll

  6. Congratulations! You've successfully deleted the worm.
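
The following Python check is an added example, not part of the original post: given the System and Startup directories of a cleaned machine (or of a disk mounted offline), it lists any of the files named above that are still present, and it tests whether an autorun.inf from a removable disk still launches one of the worm's executables. The function names and the sample autorun.inf, including its shell\...\Command lines, are assumptions constructed for illustration.

```python
from pathlib import Path

# Names taken from the removal steps above; matched case-insensitively, as Windows does.
SYSTEM_FILES = {n.lower() for n in (
    "dp1.fne", "com.run", "og.EDT", "krnln.fnr", "shell.fne", "eAPI.fne",
    "internet.fne", "spec.fne", "RegEx.fnr", "XP-E9EF8E2E.EXE", "ul.dll", "og.dll")}
STARTUP_FILES = {"iiiiii.lnk"}
WORM_EXES = ("recycled.exe", "xp-e9ef8e2e.exe")

# Constructed sample, not captured from an infected drive.
SAMPLE_AUTORUN = """[AutoRun]
open=Recycled.exe
shell\\open=Open(&O)
shell\\open\\Command=Recycled.exe
shell\\explore\\Command=Recycled.exe
"""

def leftovers(system_dir, startup_dir):
    """Return sorted paths of worm files still present in the two directories."""
    found = []
    for folder, names in ((system_dir, SYSTEM_FILES), (startup_dir, STARTUP_FILES)):
        folder = Path(folder)
        if folder.is_dir():
            found += [str(p) for p in folder.iterdir() if p.name.lower() in names]
    return sorted(found)

def autorun_commands(text):
    """Return {key: command} for [autorun] entries that launch a program."""
    commands, in_section = {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or key.endswith("\\command"):
                commands[key] = value
    return commands

def autorun_is_infected(text):
    """True if any launch entry points at one of the worm's executables."""
    return any(exe in cmd.lower()
               for cmd in autorun_commands(text).values() for exe in WORM_EXES)
```

An empty list from leftovers() together with False from autorun_is_infected() for each removable disk means none of the file artifacts listed in this post remain; the registry entry from step 1 still has to be checked separately.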

