A couple of days ago, one of my friends borrowed my USB drive. When he returned it, I plugged it into my laptop as usual, and to my surprise, my Avast antivirus warned me that the drive was infected by the “XeAyAl.eXE” worm. I immediately removed the worm file through my antivirus and performed a full scan of the USB drive. I’m actually not sure what would have happened if my antivirus hadn’t detected the worm and I had executed it.
According to prvex.com, here’s what’s gonna happen if you execute it.
XEAYAL.EXE has been seen to perform the following behavior:
Executes a Process
This process creates other processes on disk
Registers a Dynamic Link Library File
Uses DNS to retrieve the IP address for web sites
Visits web sites on your PC without you knowing
Adds a Registry Key (RUN) to auto start Programs on system start up
Writes to another Process’s Virtual Memory (Process Hijacking)
Can communicate with other computer systems using HTTP protocols
Injects code into other processes
This Process Deletes Other Processes From Disk
XEAYAL.EXE has been the subject of the following behavior:
Created as a process on disk
Executed as a Process
Registered as a Dynamic Link Library File
Added as a Registry auto start to load Program on Boot up
Has code inserted into its Virtual Memory space by other programs
Terminated as a Process
I personally didn’t really trust that website to fix my computer. I was afraid that the website would give me more trouble than “XeAyAl.eXE” if I used the website-only scanner to remove the worm. So, I did more research on ways to fix my USB drive. What happened after I deleted “XeAyAl.eXE” using Avast antivirus is that I couldn’t open my USB drive. Every time I tried to open it, my computer gave me this message:
Windows cannot find ‘XeAyAl.eXE’. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button and then click search.
After I found a post from forospyware.com, I was kinda guessing that the problem was in my USB drive autorun.inf. Lo and behold, here’s the content of my autorun.inf from my USB drive:
[AutoRUn]
acTioN=Open folder to view files
sHElLexECuTE=XeAyAl.eXE
ICOn=%SYsteMROOt%\SYSTEm32\shELL32.dlL,4
USEAUTopLay=1
Apparently, the actual worm itself, “XeAyAl.eXE”, had been deleted. However, it modified my autorun.inf before Avast deleted it. The modified autorun.inf was causing the ‘XeAyAl.eXE’ not-found warning: its shellexecute line still points at ‘XeAyAl.eXE’, and since that file has been deleted, the OS can’t find it. To fix this, I deleted autorun.inf itself. You can also just delete the content of autorun.inf while keeping the file, if you still want to use autorun.inf for this USB drive’s autorun behaviour. This will fix the problem, guys.
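The check described above, as an added example (not from the original post or from forospyware.com): it reads autorun.inf from a drive root, matches section and key names case-insensitively, and reports each launch entry (`open`, `shellexecute`, `shell\...\command`) together with whether its target file still exists. The function names and the temporary directory standing in for the USB drive are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# autorun.inf exactly as shown in the post (the mixed case is how the worm wrote it).
PAGE_SAMPLE = r"""[AutoRUn]
acTioN=Open folder to view files
sHElLexECuTE=XeAyAl.eXE
ICOn=%SYsteMROOt%\SYSTEm32\shELL32.dlL,4
USEAUTopLay=1
"""

def parse_autorun(text):
    """Return {key: value} from the [autorun] section; names are case-insensitive."""
    entries, in_section = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def resolve(root, rel):
    """Look up rel under root ignoring case, as a FAT/NTFS volume would."""
    cur = Path(root)
    for part in filter(None, re.split(r"[\\/]", rel)):
        kids = cur.iterdir() if cur.is_dir() else ()
        cur = next((k for k in kids if k.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur

def audit_drive(root):
    """List (key, target, target_exists) for every entry that launches a program."""
    inf = resolve(root, "autorun.inf")
    entries = parse_autorun(inf.read_text(encoding="latin-1")) if inf else {}
    findings = []
    for key, value in entries.items():
        if value and (key in ("open", "shellexecute") or re.fullmatch(r"shell\\.+\\command", key)):
            target = value.split('"')[1] if value.startswith('"') else value.split()[0]
            findings.append((key, target, resolve(root, target) is not None))
    return findings

def demo():
    with tempfile.TemporaryDirectory() as drive:
        Path(drive, "autorun.inf").write_text(PAGE_SAMPLE, encoding="latin-1")
        orphaned = audit_drive(drive)  # state after the antivirus removed the worm file
        Path(drive, "xeayal.exe").write_bytes(b"")  # constructed empty stand-in file
        return orphaned, audit_drive(drive)
```

A launch entry whose target is missing is the leftover state from this post; one whose target exists means the referenced executable is still on the drive and should be scanned before the drive is opened.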
If you want to follow what forospyware.com says in its section on how to clean a USB drive using flashdesinfector, you can try that too. Let me know whether it gives a better result for you or not.
I hope this post helps you handle the ‘XeAyAl.eXE’ worm. If you have any questions or encounter something different, please drop me a comment.