
Clearing up malware remnants and restoring policies using GeneriClean

    • Updated:
    • 5 Feb 2016
    • Product/Version:
    • ServerProtect for Microsoft Windows/Novell Netware 5.7
    • ServerProtect for Microsoft Windows/Novell Netware 5.8
    • Platform:
    • Windows 2000 Advanced Server
    • Windows 2000 Datacenter Server
    • Windows 2000 Professional
    • Windows 2000 Server
    • Windows 2000 Small Business Server
    • Windows 2003 Compute Cluster Server
    • Windows 2003 Datacenter Server
    • Windows 2003 Datacenter Server Edition 64-bit
    • Windows 2003 Enterprise Server
    • Windows 2003 Home Server
    • Windows 2003 Small Business Server
    • Windows 2003 Standard Server Edition
    • Windows 2003 Standard Server Edition 64-bit
    • Windows 2003 Storage Server
    • Windows 2003 Web Server Edition
    • Windows 2008 Datacenter Server
    • Windows 2008 Enterprise Server
    • Windows 2008 Essential Business Server
    • Windows 2008 Small Business Server
    • Windows 2008 Standard Server Edition
    • Windows 2008 Standard Server Edition 64-bit
    • Windows 2008 Storage Server
    • Windows 7 32-bit
    • Windows Vista 32-bit
    • Windows Vista 64-bit
    • Windows XP Home
    • Windows XP Professional
    • Windows XP Professional 64-bit
Summary

In some cases, registry remnants are left behind after a Trend Micro product has cleaned or quarantined a file. The malware payload may also have modified the local security policies of the machine so that certain functionality (e.g. Task Manager) is restricted.

Usually, a Trend Micro product cleans malware remnants and restores security policies automatically. However, there are times when this should be triggered manually. In those cases, the malware remnants can still be cleaned and the changes in system policies can still be restored using GeneriClean.

OfficeScan 10 and Worry-Free Business Security (WFBS)

In OfficeScan 10, GeneriClean (GC) is called every time malware is detected, whether the malware is running or not. Therefore, even if the malware has been deleted by VSAPI, GeneriClean will still (1) undo the changes made by the malware and/or (2) restore the system policies.

OfficeScan 8.0 and ServerProtect for Windows (SPNT)

In OfficeScan 8.0, GeneriClean is called whenever the malware cannot be cleaned. If the malware has already executed on the system and VSAPI is able to delete the file, GeneriClean is not called, and malware remnants and/or changes in system policies are likely to remain.

This document helps Trend Micro customers manually clean up registry remnants or restore local security policies.

Details

To clean malware remnants and/or restore system policies, please follow the steps below.

 
If the DEADLINKS.INI file already exists, and the malware full path and filename is already in the DEADLINKS.INI file, you can restart the machine to clean out any remnants or restore policies.

To restore system policies and clean the registry remnants left by malware when the files have already been cleaned up by a scan (i.e. real-time or manual scan):

  1. Go to the folder where the TSC.EXE file is located.

    The default locations are:

    1. OfficeScan: C:\Program Files\Trend Micro\OfficeScan Client
    2. WFBS/Client Server Security Agent: C:\Program Files\Trend Micro\Client Server Security Agent
    3. SPNT: C:\Program Files\Trend\Sprotect
  2. Create the DEADLINKS.INI file if it does not exist yet.
  3. Add the “[MAL_FILE]” entry on the first line.
  4. Add the following on the next line:

    DEADLINKSFILE=<malware full path and filename>

    For example:

    DEADLINKSFILE=C:\test\bad.exe

  5. Save and close the file.
  6. Run TSC.EXE.
  7. Restart the system for the policies to take effect.

If the files and registry remnants of the malware have already been cleaned up, but certain functionality (e.g. Task Manager) still does not work on the machine, then please do the following:

  1. Go to the folder where the TSC.EXE file is located.

    The default locations are:

    1. OfficeScan: C:\Program Files\Trend Micro\OfficeScan Client
    2. WFBS/Client Server Security Agent: C:\Program Files\Trend Micro\Client Server Security Agent
    3. SPNT: C:\Program Files\Trend\Sprotect
  2. Create the DEADLINKS.INI file if it does not exist yet.
  3. Add the “[MAL_FILE]” entry on the first line.
  4. Add the “DEADLINKSFILE=” parameter on the next line.
  5. Save and close the file.
  6. Run TSC.EXE.
  7. Restart the system for the policies to take effect.
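
Both procedures above as one PowerShell script, for an elevated prompt on a system with PowerShell 2.0 or later. This is an added example, not Trend Micro's code: the parameter names `-MalwarePath` and `-AgentDir`, the ASCII encoding, and the decision to stop when a DEADLINKS.INI with other content already exists are assumptions of the example.

```powershell
param(
    # Full path of the file the scan already removed (hypothetical parameter name).
    # Leave empty to write a bare "DEADLINKSFILE=" and only restore policies.
    [string]$MalwarePath = '',
    # Folder holding TSC.EXE (hypothetical parameter name).
    # When empty, the default locations listed in the article are tried.
    [string]$AgentDir = ''
)

$defaultDirs = @(
    'C:\Program Files\Trend Micro\OfficeScan Client',
    'C:\Program Files\Trend Micro\Client Server Security Agent',
    'C:\Program Files\Trend\Sprotect'
)
if (-not $AgentDir) {
    $AgentDir = $defaultDirs |
        Where-Object { Test-Path (Join-Path $_ 'TSC.EXE') } |
        Select-Object -First 1
}
if (-not $AgentDir -or -not (Test-Path (Join-Path $AgentDir 'TSC.EXE'))) {
    throw 'TSC.EXE not found; pass -AgentDir with the agent installation folder.'
}

$ini   = Join-Path $AgentDir 'DEADLINKS.INI'
$entry = "DEADLINKSFILE=$MalwarePath"

if (Test-Path $ini) {
    $existing = Get-Content $ini
    if ($existing -contains $entry) {   # -contains compares case-insensitively
        Write-Output "Entry already present in $ini; restart the machine to apply it."
        return
    }
    # Assumption: the article does not describe merging entries, so stop for manual review.
    throw "$ini exists without this entry; review it by hand: $($existing -join ' | ')"
}

# Line 1 is the [MAL_FILE] entry, line 2 the DEADLINKSFILE parameter.
# Assumption: plain ASCII text; the article does not state an encoding.
Set-Content -Path $ini -Value @('[MAL_FILE]', $entry) -Encoding ASCII

# TSC.EXE is started without arguments, as in the article's steps.
$tsc  = Join-Path $AgentDir 'TSC.EXE'
$proc = Start-Process -FilePath $tsc -WorkingDirectory $AgentDir -Wait -PassThru
Write-Output "TSC.EXE exit code: $($proc.ExitCode). Restart the system for the policies to take effect."
```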

For more information about GeneriClean, please read the following article: Applying the Enhanced GeneriClean.

Category:
Remove a Malware / Virus
Solution Id:
1055470