28 Juli 2010

How I kick out HOIPEE.EXE, FOAXEE.EXE, and other ????EE.EXE Viruses

This is some information found on the internet
source: prevx.com

HOIPEE.EXE

Associated Malware Groups

The filename is associated with the malware group:

  • Cloaked Malware

File Behavior

HOIPEE.EXE has been the subject of the following behavior:

  • Added as a Registry auto start to load Program on Boot up

Country Of Origin

The filename HOIPEE.EXE was first seen on Jul 26 2010 in the following geographical regions of the Prevx community:

  • Mexico on Jul 26 2010
  • The United Arab Emirates on Jul 27 2010

File Name Aliases

HOIPEE.EXE can also use the following file names:

  • HOIPEEX.EXE
  • 46346975.EXE
  • 54494944.EXE

Filesizes

Files using the name HOIPEE.EXE have been seen with the following file size:

  • 138,240 bytes

File Type

The filename HOIPEE.EXE refers to many versions of an executable program.

=========================

How I delete this file:

  1. First, identify the file name. I identify this virus has many aliases. From what I know, it named ????ee.exe (mine was foaxee.exe, on the other computer was hoipee.exe).
    Press CTRL+ALT+DEL will bring up Task Manager.
    Click CPU tab to sort it by CPU usage.On my CPU, this virus took all the idle CPU capacity to the max (100%).
    Therefore it made my PC much-much slower.
    Mine is P4, but I noticed there was different behavior on Intel i7 (no lag nor taking all idle cpu usage to 100%). Intel i7 still run smoothly even with this virus activated.

  2. Once you know the file name. Go to Registry editor.
    Start > Run > type regedit ... press Enter
    Then Find (CTRL+F) that file name on Windows Registry.
    Once found, select and press Del to delete this registry.
    Note that this registry was found at C:\Document and Setting\

  3. Restart your computer. Right after HDD detected on booting, press repeatedly F5 to go to OS Menu Choice. Choose Safe mode with Command Prompt.
    Once loaded, type:
    cd C:\Document and Setting\ (your Windows username)

    then type

    attrib

    it will showup files that are attributed (system file, hidden, archived,read-only).
    This virus was attributed as system, hidden, read-only file. Normally we can't find this file since it was hidden, and could not delete this since it was a system and read-only file. We must remove these attributes so it can be deleted.
    To do that, type:

    attrib -s -h -r ????ee.exe

    (mine was foaxee.exe, thus I wrote attrib -s -h -r foaxee.exe)

    next step is force delete it. type:

    del/f/p ????.exe

  4. Now we have deleted this nasty file.
    Then press CTRL+ALT+DEL to bring up Task Manager on Win XP Safe Mode
    Choose Shutdown > Restart
    and boot normally.

I recommend Autorun Virus Remover (www.autorunremover.com) to prevent
most viruses that were activated by USB Flash Disk or USB HDD.
It will detect any autorun.inf file, then delete it automatically the first time USB device is recognized by Windows.

Hope this helps.
Kris Budi S. Halim

Tidak ada komentar: