XP-E9EF8E2E.EXE removal
Quickheal: Worm.AutoRun.soq
Avira: TR/Drop.VB.1509591
McAfee: W32/Autorun.worm.dq.gen
The last update of this worm was seen in August 2009. Many versions of this worm have been troubling computers for more than a year. The worm mainly targets the "C:\WINDOWS\System" directory. When first executed, it drops several files with unfamiliar extensions such as fne, run, edt and fnr. It also adds a few dlls to the folder and edits the registry so that it runs at every system startup. A file named "XP-E9EF8E2E.EXE" is added to the registry as well as to the %System% directory, and this is the main file that affects your system. When a removable disk is detected, the worm immediately adds an autorun.inf to the drive along with a file named "Recycled.exe", which contains the code to launch "XP-E9EF8E2E.EXE". It also adds several unknown characters like "´ò¿ª(&O)" and "ä¯ÀÀ(&B)" to the autorun file, so that these symbols appear among the options when you right-click the removable disk. In addition, the worm adds a shortcut to the file in "C:\Documents and Settings\User\Start Menu\Programs\Startup\", which ensures that "XP-E9EF8E2E.EXE" is launched at startup. Now let's take a look at the removal instructions for this worm.
Manual instructions to remove XP-E9EF8E2E.EXE:
Posts that might help you here:
Enabling registry, enabling Command Prompt, enable Safe Mode booting, unregistering a dll.
- First, reboot your system in Safe Mode. Go to Start --> Run and type "regedit". Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Once you're there, look for the following value in the right pane of the Registry Editor:
XP-E9EF8E2E = "%System%\XP-E9EF8E2E.EXE"
Delete the value.
- Go to Start --> Run again and type "msconfig" in the box. In the window that opens, go to the "Startup" tab and uncheck the "XP-E9EF8E2E.EXE" entry (if you find one).
- Restart your computer for the changes to take effect. Navigate to "C:\Documents and Settings\User\Start Menu\Programs\Startup\" and delete the file "iiiiii.lnk". This is the shortcut placed there to launch the worm at startup.
- Now you'll need to delete the files created by the virus through the command shell. To do this, go to Start --> Run and type "cmd". Once the shell is open, type "cd C:\WINDOWS\System" and remove the attributes of the following files by typing "attrib -r -a -s -h {filename}". The files are:
dp1.fne
com.run
og.EDT
krnln.fnr
shell.fne
eAPI.fne
internet.fne
spec.fne
RegEx.fnr
XP-E9EF8E2E.EXE
After removing the attributes, type "del {filename}" to delete the files.
- Once you're done, unregister the following dlls created by the worm in the same directory (the post on unregistering a dll explains how):
ul.dll
og.dll
- Congratulations! You've successfully deleted the worm.
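The registry, shortcut, file and dll steps above collected into one batch file, with a final check for anything left behind; this is an added example, not part of the original post. It assumes an administrator Command Prompt in Safe Mode and that %USERPROFILE% is the "C:\Documents and Settings\User" folder; the variable names are made up for the example.

```batch
@echo off
rem Added example (not from the original post): scripts the removal steps above.
rem Run from an administrator Command Prompt after booting into Safe Mode.
setlocal
set "SYSDIR=C:\WINDOWS\System"
set "RUNKEY=HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
set "FILES=dp1.fne com.run og.EDT krnln.fnr shell.fne eAPI.fne internet.fne spec.fne RegEx.fnr XP-E9EF8E2E.EXE"
rem Assumption: %USERPROFILE% is the "C:\Documents and Settings\User" folder.
set "LNK=%USERPROFILE%\Start Menu\Programs\Startup\iiiiii.lnk"

rem Registry step: delete the autostart value only if it is present.
reg query "%RUNKEY%" /v "XP-E9EF8E2E" >nul 2>&1
if not errorlevel 1 reg delete "%RUNKEY%" /v "XP-E9EF8E2E" /f

rem Shortcut step: delete the startup shortcut.
if exist "%LNK%" del /f /q "%LNK%"

rem File step: clear read-only/archive/system/hidden, then delete each file.
for %%F in (%FILES%) do (
    if exist "%SYSDIR%\%%F" (
        attrib -r -a -s -h "%SYSDIR%\%%F"
        del /f /q "%SYSDIR%\%%F"
    )
)

rem Dll step: unregister the worm's dlls (/s suppresses the dialog boxes).
for %%D in (ul.dll og.dll) do (
    if exist "%SYSDIR%\%%D" regsvr32 /u /s "%SYSDIR%\%%D"
)

rem Verify: report anything that survived, e.g. because the worm was running.
set "LEFT=0"
for %%F in (%FILES%) do if exist "%SYSDIR%\%%F" (
    echo STILL PRESENT: %SYSDIR%\%%F
    set "LEFT=1"
)
reg query "%RUNKEY%" /v "XP-E9EF8E2E" >nul 2>&1
if not errorlevel 1 (
    echo STILL PRESENT: Run value XP-E9EF8E2E
    set "LEFT=1"
)
if "%LEFT%"=="0" echo No listed files or Run value remain.
endlocal & exit /b %LEFT%
```

The "msconfig" check is a GUI step and still has to be done by hand. The script exits with code 1 if any listed file or the Run value is still present.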