Cleaning the infected systems using the Rescue Disk

    • Updated: 13 Apr 2016
    • Product/Version: OfficeScan 10.6, OfficeScan 11.0
    • Platform: Windows 2000 Professional, Windows 2000 Server, Windows 2003 Enterprise, Windows 2003 Server R2, Windows 2003 Standard, Windows XP Home, Windows XP Professional

Summary

PE_XPAJ.C is a file infector that affects files with the following extensions:

  • SCR
  • SYS
  • DLL
  • EXE

It also infects the Master Boot Record (MBR) of the affected system so that PE_XPAJ.C-O is loaded automatically every time the system boots. The main payload of this file infector is related to an advertising and ad-clicking scam intended to generate revenue. For more information about PE_XPAJ.C, check the Threat Encyclopedia.

Details

What is Rescue Disk?

Trend Micro has created the Rescue Disk to clean infected systems. This tool has the following capabilities:

  • Clean infected MBR (Master Boot Record) of the machine
  • Scan and clean the infected files of the malware PE_XPAJ.C-1
  • Delete files detected as Cryp_Xin14

This tool uses a pattern designed only for PE_XPAJ.C-1 and Cryp_Xin14. If other malware is involved, you need to use the latest pattern file. If the detected files cannot be cleaned, Rescue Disk quarantines them.

 
There is one isolated report in which the malicious code was not removed from DLLcache and the tool reported that cleaning failed. If you encounter the same situation, run another tool (pe_xpaj-cleantool-32bit-vsapi9716.com) to completely clean the DLLcache.

Where to download Rescue Disk?

You can get the Rescue Disk using the following link:

  • Link: ftp://ftp-download.trendmicro.com/Pattern/Bandage/PE_XPAJ_RESCUE_DISK/
  • Username: ftpuser
  • Password: tmftp-s3cured

For more information about the tool, refer to the instruction manuals included in the package.

Recommended Actions

  1. Disable network shares if possible.
  2. Add the following domains to the machine's hosts file so that they are blocked, to prevent re-infection:
    • alfafront.net
    • bargorando.com
    • kinstelertiong.com
    • miclominestar.org
    • newtimedescriptor.com
    • obweesysho.com
    • nortiniolosto.com
    • radiovaweonearch.com
    • unitmusiceditior.com
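
One way to apply step 2 without leaving a conflicting mapping behind, as an added example that is not part of the original article or of Trend Micro's tooling: it merges the listed domains into an existing hosts file body and removes any entry that already points one of them at another address. The sinkhole address 127.0.0.1, the function name block_in_hosts and the sample hosts content are assumptions made for this example.

```python
# Domains listed in step 2 of the article above.
BLOCK_DOMAINS = [
    "alfafront.net", "bargorando.com", "kinstelertiong.com",
    "miclominestar.org", "newtimedescriptor.com", "obweesysho.com",
    "nortiniolosto.com", "radiovaweonearch.com", "unitmusiceditior.com",
]
SINKHOLE = "127.0.0.1"  # assumption: the article does not name a target address

# Constructed sample hosts file: one listed domain already mapped elsewhere.
SAMPLE = ("127.0.0.1 localhost\n"
          "10.9.9.9 AlfaFront.net intranet.example  # constructed\n"
          "127.0.0.1 bargorando.com\n")


def block_in_hosts(hosts_text, domains=BLOCK_DOMAINS, sinkhole=SINKHOLE):
    """Return (new_text, added, rewritten) for a hosts file body.

    A listed name mapped to any non-sinkhole address is dropped from that
    line (other names on the line are kept); one sinkhole line per missing
    domain is then appended. Name comparison is case-insensitive.
    """
    wanted = {d.lower() for d in domains}
    present, rewritten, out = set(), [], []
    for line in hosts_text.splitlines():
        body, sep, comment = line.partition("#")
        fields = body.split()
        if len(fields) < 2:           # blank, comment-only or malformed line
            out.append(line)
            continue
        addr, names = fields[0], fields[1:]
        hits = [n.lower() for n in names if n.lower() in wanted]
        if addr == sinkhole:          # already blocked: remember and keep
            present.update(hits)
            out.append(line)
        elif not hits:                # unrelated mapping: keep untouched
            out.append(line)
        else:                         # conflicting mapping: strip listed names
            rewritten.extend(hits)
            keep = [n for n in names if n.lower() not in wanted]
            if keep:
                tail = " " + sep + comment if sep else ""
                out.append(addr + " " + " ".join(keep) + tail)
    added = [d for d in domains if d.lower() not in present]
    out.extend(f"{sinkhole} {d}" for d in added)
    return "\n".join(out) + "\n", added, sorted(set(rewritten))


if __name__ == "__main__":
    text, added, rewritten = block_in_hosts(SAMPLE)
    print(text, "added:", added, "rewritten:", rewritten)
```

The function only returns the new file body; review the `rewritten` list before writing the result back, since a listed domain that was already mapped to another address is worth investigating on that machine.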
Category: Remove a Malware / Virus
Solution Id: 1095262