meex.exe/juyplqk.exe/civoabs.exe Trojan/worm

F-Secure: W32/Todon.I

That's another worm on the loose which enters the target's computer either through removable disks or through network drives. According to the reports generated by the F-Secure anti-virus, it was also seen exhibiting the qualities of a Trojan downloader program since it may connect to malicious sites and therefrom download malware. These downloaded viruses are then executed by the worm thus posing a bigger threat to the computer. It creates multiple copies of itself in the inserted disk drives along with an autorun file to execute the copy of the worm present in the disk. Once executed, the worm deletes itself and saves the code safely in the %Program Files% folder from which it launches its processes. Several copies of the worm are created in the same computer and hence deletion would be little hectic. When the process of the worm is running in the computer, it terminates all processes that contain a specific words as strings in their associated windows and hence processes such as anti-viruses may be terminated once the worm gets executed. The user may thus face problems in protecting his system using an anti-virus application or any remover application of that sort. Like all viruses, this one also modifies the registry allowing itself to launch at every startup as a separate process. It creates an executable file which is registered in the Image File Execution location of the registry. The name of this executable can be [anything].exe and this acts as an advantage to the virus. However, the debugging file used by the virus can be estimated and hence the worm can be removed permanently from the computer. Since injection of code into windows processes wasn't observed, the deletion of this worm can be simpler than the others. Follow the instructions given below for deleting the worm.

Manual instructions to delete meex.exe/juyplqk.exe/civoabs.exe:

  1. It is always advisable to boot the system in the Safe Mode before trying to delete any virus. This is because, windows allows only the system processes to launch at a Safe Mode startup. Click here if you're having trouble booting in the Safe Mode.
  2. Lets begin by undoing the changes done to the registry by this virus. Go to Start --> Run and type regedit for the Registry editor to open. Navigate to the location
    and delete the entries
    vgjeuyj = %Program Files%\Common Files\Microsoft Shared\juyplqk.exe"
    brgknyg = %Program Files%\Common Files\System\civoabs.exe
    Now, press Ctrl + F and search for juyplqk.exe. You'll find an entry that is present in the following registry location
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[something.exe]
    When this entry is found, make sure you delete the complete location i.e, [something].exe. You can make a thorough search for the files juyplqk.exe, civoabs.exe and meex.exe. Any other entries consisting of these names can be deleted from the registry.
  3. Now its time to delete the files created by the worm. To do so, you'll need to open the Command Prompt by typing cmd in the Run box of the Start menu. Once it is opened, type the following commands to delete the worm.
    • cd\
    • cd "program files"
    • del meex.exe
    • cd "Common files"
    • cd "Microsoft Shared"
    • del juyplqk.exe
    • del brgknyg.inf
    • cd..
    • cd System
    • del civoabs.exe
    • del brgknyg.inf
    Don't forget the inverted commas in the Command Prompt.
  4. Restart your system and you're done. 

Posts that might help you here:
Enabling Safe Mode booting, Enabling the Registry , Enable Hidden files and folders option and Enabling the Command Prompt.
Get the best security software for your compter here!

powered by Blogger | WordPress by Newwpthemes | Converted by BloggerTheme