Enter your Keyword, Search here,

Manual Removal of Re_file.exe

Re_file.exe (W32.Beagle)
This worm spreads via the Internet as an attachment to infected messages. Infected messages will be sent to all email addresses harvested from the victim machine.The worm is also able to download other files from the Internet without the knowledge or consent of the user. The worm itself is a PE EXE file. The file is 40,565 bytes in size.
Damage Level: Highly Dangerous
Distribution Level: High
Removal Tools:
Tools From Bitdefender:
Win32.Bagle.A@mm - Download
Win32.Bagle.AU@mm - Download
Win32.Bagle.FO@mm - Download (recommended)

Win32.Bagle.{C-E}@mm - Download
Manual Removal Instructions
Recommend Removal from Safe Mode:
How to Start in Safe mode:
Restart your Computer, Press F8 when your Screen turns on, Select Safe mode, press enter.

    The Infected Files Can be Seen in these folders and names

    • %System%\wind2ll2.exe
    • %System%\re_file.exe
    • %WinDir%\elist.xpt
    • Documents and Settings%\Application Data\hidn
    • It then copies its body to this folder under the following names:
    • Documents and Settings%\Application Data\hidn\hidn2.exe
    • Documents and Settings%\Application Data\hidn\hldrrr.exe
    Manually Remove From Registry
    Click Start, Run,Type regedit,Click OK.
    Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Download and run this UnHookExec.inf, and then continue with the removal.

    The worm deletes the following registry key, making it impossible to boot the infected computer in Safe Mode:
    HKLM\System\CurrentControlSet\Control\SafeBoot


    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
     "winshost.exe" = "%winsysdir%\winshost.exe"

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    "winshost.exe" = "%winsysdir%\winshost.exe"

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    "drv_st_key" = "%Documents and Settings%\Application Data\hidn\hidn2.exe"

    where '%winsysdir%' represents Windows System folder. This ensures the trojan is run every time Windows starts.
    When the dropped DLL is activated, it will check for the following registry value:

    HKCU\Software\FirstRun
     "FirstRunRR" = dword:value

    If the value doesn't exist, the trojan creates it and sets it as 1. The DLL also opens MS paint (mspaint.exe) as a decoy and executes the actual payload.


    Exit the Registry Editor.
    Restart your Computer.

    Recommended Removal Tools:
    Kaspersky Antivirus or Internet Security (Shareware)
    Spyware Doctor (Shareware)
    AVG Antivirus (Freeware)

    1 comment :

    1. it's really good, looking for a tool like this, thanks

      ReplyDelete

    Comment on this Post!!

    More Posts that you may be interested...