A couple of days ago, one of my friends borrowed my USB drive. When he returned it, I plugged the USB drive into my laptop as usual, and to my surprise, my Avast antivirus warned me that the drive had been infected by the “XeAyAl.eXE” worm. I immediately removed the worm file through my antivirus and performed a full scan of the USB drive. I’m actually not sure what would have happened if my antivirus hadn’t detected the worm and it had been executed.
According to prvex.com, here’s what happens if you execute it.
XEAYAL.EXE has been seen to perform the following behavior:
- Executes a Process
- This process creates other processes on disk
- Registers a Dynamic Link Library File
- Uses DNS to retrieve the IP address for web sites
- Visits web sites on your PC without you knowing
- Adds a Registry Key (RUN) to auto start Programs on system start up
- Writes to another Process’s Virtual Memory (Process Hijacking)
- Can communicate with other computer systems using HTTP protocols
- Injects code into other processes
- This Process Deletes Other Processes From Disk
XEAYAL.EXE has been the subject of the following behavior:
- Created as a process on disk
- Executed as a Process
- Registered as a Dynamic Link Library File
- Added as a Registry auto start to load Program on Boot up
- Has code inserted into its Virtual Memory space by other programs
- Terminated as a Process
I personally didn’t really trust that website to fix my computer. I was afraid that the website would give me more trouble than “XeAyAl.eXE” if I used its website-only scanner to remove the worm. So, I did more research on ways to fix my USB drive. What happened after I deleted “XeAyAl.eXE” using Avast antivirus was that I couldn’t open my USB drive. Every time I tried to open it, my computer gave me this message:
Windows cannot find ‘XeAyAl.eXE’. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button and then click search.
After I found a post on forospyware.com, I was kinda guessing that the problem was in my USB drive’s autorun.inf. Lo and behold, here’s the content of the autorun.inf on my USB drive:
[AutoRUn]
acTioN=Open folder to view files
sHElLexECuTE=XeAyAl.eXE
ICOn=%SYsteMROOt%\SYSTEm32\shELL32.dlL,4
USEAUTopLay=1
Apparently, the actual worm itself, “XeAyAl.eXE”, had been deleted. However, it had modified my autorun.inf before Avast antivirus deleted it. The modified autorun.inf was causing the USB drive to give me the ‘XeAyAl.eXE’ not-found warning: the ‘XeAyAl.eXE’ file had been deleted, so the OS couldn’t find the file that autorun.inf still pointed to. To fix this, I deleted the autorun.inf itself. You can also just delete the content of autorun.inf while keeping the file, if you still want to use autorun.inf for the autorun behaviour of this USB drive. This will fix the problem, guys.
If you want to follow what forospyware.com says in its section on how to clean a USB drive using flashdesinfector, you can try that too. Let me know whether it gives better results for you.
I hope my post will help you handle the ‘XeAyAl.eXE’ worm. If you have any questions or encounter something different, please drop me a comment.
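To check a drive for this kind of leftover, the sketch below (an added example, not part of the original post or of any tool it mentions) parses autorun.inf and reports launch entries whose target file is missing from the drive root. The function names and the temporary folder standing in for a drive are assumptions; the sample text is the autorun.inf quoted in the post.

```python
import os
import tempfile

# The autorun.inf contents quoted in the post above.
SAMPLE = """[AutoRUn]
acTioN=Open folder to view files
sHElLexECuTE=XeAyAl.eXE
ICOn=%SYsteMROOt%\\SYSTEm32\\shELL32.dlL,4
USEAUTopLay=1
"""

LAUNCH_KEYS = ("open", "shellexecute")  # keys that make Windows start a program

def launch_entries(inf_text):
    """Return (key, target) launch entries from the [autorun] section."""
    entries, in_autorun = [], False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            # Names are case-insensitive; the worm writes "[AutoRUn]".
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            # shell\<verb>\command entries add launchers to the context menu.
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                entries.append((key, value))
    return entries

def audit_drive(root):
    """Return (key, target, 'present'|'missing') for each launch entry on a drive."""
    names = {name.lower(): name for name in os.listdir(root)}
    if "autorun.inf" not in names:
        return []
    with open(os.path.join(root, names["autorun.inf"]), errors="replace") as fh:
        entries = launch_entries(fh.read())
    findings = []
    for key, target in entries:
        # Simplification: the target is treated as a file name in the drive root.
        program = target.strip('"').lower()
        findings.append((key, target, "present" if program in names else "missing"))
    return findings

def demo():
    """Build a stand-in drive (a temp folder) holding only the leftover autorun.inf."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE)
        return audit_drive(root)
```

A "missing" result matches the situation in the post: the launch entry survives after the antivirus removed the file it points to. A "present" result means the referenced program is still on the drive and should be scanned before the drive is opened.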
Hi, I have exactly the same problem that your flash drive had, but mine is on 2 of my external drives. I can’t get into them to delete or change the autorun.ini file because one external drive has been changed into a folder and the other drive is apparently corrupted. Can you please suggest how I can get into these drives again?
Sorry for the late reply Nola.

Try to access the drive by typing in the drive letter in your Windows Explorer address bar. For example, if your drive is in “f:/”, go to your Windows Explorer address bar and type “f:” and then press enter. You should be able to access your drive again and modify the autorun.inf. It happened to me once that I failed to open my drive by clicking it. I have to directly access the drive through the address bar.

If your drive is corrupted, try to run error-checking tools. Right-click your drive -> Properties -> Tools Tab -> Error Checking. Make sure you check the “Automatically fix system errors.”