Thursday, September 3, 2009

exiap6415386.exe creeped into my windows startup

During browsing the computer suddenly rebooted itself. This was suspicious, I instantly thought some badware installed itself and rebooted, so it can hook into the boot process. When Windows restarted something started to eat the CPU. Windows firewall warned about Conficker.C. Downloaded Conficker cleaners, they found nothing.

Booted into safe mode, checked startup with msconfig and exiap6415386.exe was there. Removed it and also svchost which was added to startup, but it wasn't there previously as far as I remember. Is my svhcost infected? >:-/

Now things seems okay, but I checked online exiap6415386. It is some new variant, antivirus tools don't even recognize it yet apparently.

Update: Spybot says it's SmitFraud.C Or is it a different one which also creeped in? :P

Update2: Make sure you always have a Live CD at home for situations like this, so you have a clean system to get info from the net about removing the badware. Using the infected OS is not a good idea. I used an Ubuntu Live CD, but any other will do.

Also, check out the comments here. There is good info there.


  1. Ive got this too. no wonder no antivirus could remove it if its so new.

  2. The only solution right now:
    - turn off System Restore
    - Boot in safe mode
    - Search file: exiap6415386.exe
    - Delete the file
    - Open regedit
    - Search:exiap6415386 and delele the key.
    - Boot
    - Enable System Restore


  3. When you write that Windows firewall caught Conflicker.C and downloaded cleaners, you just installed a Trojan.

    It wasn't really Windows Firewall, and you are not downloading from Microsoft. It's a new Trojan and works with a program called "Proof Defender 2009". That is not a real program and is a Trojan designed to get you to buy the product after they themselves infect your system.

    What I had to do was this. Uninstall Proof Defender from the control panel (Uninstall Programs).

    Then you have to delete the new keys in your registry that point to these files. You should go to the HKEY_Local_Machine/Software/Microsoft/Windows/Current Version/Run

    Also look in RunOnce and RunOnceEx. Delete all the pointers to abnormal files. Do the same thing with HKEY_Current_User/software/Microsoft/Windows/Current Version/Run , RunOnce, RunOnceEx

    This site lists some names:

    But I had different file names, they seem to change the file names so users will miss them. You should also back up your Registry before you make any changes, just in case.

    That's not all you have to do, because this Trojan is persistent and hides in different folders. I had a file in the Documents and Settings/Owner/Application Data folder, as well as a folder in the Application Data folder created and called GMail.

    First, reboot the PC and start in safe mode. Go to the GMail folder and delete it. Those two files are viruses.

    When you should do is search your C: drive with Windows Search Companion, choose "When was it modified" and then "Specify dates". Choose only the date when the first warning happened. Make sure the options search hidden and system files. This will take a few minutes.

    You will see a file called "Shutdown.EXE-*****.Pf", or something like that. That is the time your PC was ordered to reboot by the virus. Most of the programs that were created during that time are part of the Virus. I had regs32.exe in one of my real folders in the Application Data, I had kls.dll in a Apple Computer folder. Ven32.exe and pup.exe were created at the same time.

    I would delete them all, reboot, and see if there are any problems. If there are no problems and the virus is gone, empty the trash can.

  4. Thanks for this info. I really did find some of the files you mentioned scattered in the file system.