Manual Removal of Re_file.exe

Re_file.exe (W32.Beagle)
This worm spreads via the Internet as an attachment to infected messages. Infected messages will be sent to all email addresses harvested from the victim machine.The worm is also able to download other files from the Internet without the knowledge or consent of the user. The worm itself is a PE EXE file. The file is 40,565 bytes in size.
Damage Level: Highly Dangerous
Distribution Level: High
Removal Tools:
Tools From Bitdefender:
Win32.Bagle.A@mm - Download
Win32.Bagle.AU@mm - Download
Win32.Bagle.FO@mm - Download (recommended)
Win32.Bagle.{C-E}@mm - Download
Manual Removal Instructions
Recommend Removal from Safe Mode:
How to Start in Safe mode:
Restart your Computer, Press F8 when your Screen turns on, Select Safe mode, press enter.

The Infected Files Can be Seen in these folders and names

• %System%\wind2ll2.exe
• %System%\re_file.exe
• %WinDir%\elist.xpt
• Documents and Settings%\Application Data\hidn
• It then copies its body to this folder under the following names:
• Documents and Settings%\Application Data\hidn\hidn2.exe
• Documents and Settings%\Application Data\hidn\hldrrr.exe

Manually Remove From Registry
Click Start, Run,Type regedit,Click OK.
Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Download and run this UnHookExec.inf, and then continue with the removal.

The worm deletes the following registry key, making it impossible to boot the infected computer in Safe Mode:
HKLM\System\CurrentControlSet\Control\SafeBoot

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 ”winshost.exe” = “%winsysdir%\winshost.exe”

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
“winshost.exe” = “%winsysdir%\winshost.exe”

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
“drv_st_key” = “%Documents and Settings%\Application Data\hidn\hidn2.exe”

where ‘%winsysdir%’ represents Windows System folder. This ensures the trojan is run every time Windows starts.
When the dropped DLL is activated, it will check for the following registry value:

HKCU\Software\FirstRun
 ”FirstRunRR” = dword:value

If the value doesn’t exist, the trojan creates it and sets it as 1. The DLL also opens MS paint (mspaint.exe) as a decoy and executes the actual payload.

Exit the Registry Editor.
Restart your Computer.

Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)

Popularity: 1%

Written by FireFly. Read more great feeds at is source WEBSITE
no comments.
Read more articles on Danger processes and email virus/worm and Re_file.exe and manual removal and virus process and otherSoftware and Removal and Windows.

• [+] Digg: Feature this article
• [+] Del.icio.us: Bookmark this article
• [+] Furl: Bookmark this article

Related articles

• Manual Removal of W32/Agent.Enu.Dropper (November 26th, 2008)
• Manual removal of svcnet.exe (November 23rd, 2008)
• Manual removal of xxx.exe (November 20th, 2008)
• Manual removal of Wupdt.exe (November 19th, 2008)
• Manual removal of Wmon32.exe (November 17th, 2008)