Anyone else have these viruses

Gaz

Hi All
I'm having trouble getting rid of these two viruses:
"Cryp_Xed-15" and "PE_VIRUX.GEN-1".
I have Trend Micro and know these viruses attack most "exe" files, stop the
antivirus and stop you from logging in.
I have formatted the hard drives and external drives, then reloaded XP and done
all the updates etc. Then a few days later it starts affecting things and
Trend picks it up and tells me to do a scan, which finds it in a lot of
exe files and removes/repairs them, but it cannot stop it. Any ideas or
solutions?
Thanks Gaz
 
1PW

Gaz said:
Hi All
I'm having trouble getting rid of these two viruses:
"Cryp_Xed-15" and "PE_VIRUX.GEN-1".
I have Trend Micro and know these viruses attack most "exe" files, stop the
antivirus and stop you from logging in.
I have formatted the hard drives and external drives, then reloaded XP and done
all the updates etc. Then a few days later it starts affecting things and
Trend picks it up and tells me to do a scan, which finds it in a lot of
exe files and removes/repairs them, but it cannot stop it. Any ideas or
solutions?
Thanks Gaz

Hello Gaz:

Please answer the following questions with /interspersed/ replies:

Exactly what version of XP do you have? Home, Professional or MCE, x86
or x64, OEM or retail?

At what service pack level have you brought the rebuild to?

Do you use a router when connecting to the Internet?

What is the exact Trend Micro product you are using? Be precise!

Do you use /any/ other antimalware products?

Did you rebuild your system from backups, such as a restore, or did
you rebuild from trusted Microsoft provided media?

Did you re-install your user applications from trusted media?

Have you introduced any media that was untrusted such as CDs, DVDs or
USB storage devices of any sort?

Did you download recently from any untrusted web site?

Does a family member, friend or colleague have access to your system?
 
Gaz

1PW said:
Hello Gaz:

Please answer the following questions with /interspersed/ replies:

Exactly what version of XP do you have? Home, Professional or MCE, x86
or x64, OEM or retail?
XP PRO Genuine version

At what service pack level have you brought the rebuild to?
Service Pack 3

Do you use a router when connecting to the Internet?
Yes - Datalink RTA1046VW connect via cable

What is the exact Trend Micro product you are using? Be precise!
Trend Micro Internet Security Pro Full Version 17.50.1366.0000

Do you use /any/ other antimalware products?
No

Did you rebuild your system from backups, such as a restore, or did
you rebuild from trusted Microsoft provided media?
Used Killdisk, then from original XP Pro disk

Did you re-install your user applications from trusted media?
Yes, all the driver disks that came with the computer, all genuine

Have you introduced any media that was untrusted such as CDs, DVDs or
USB storage devices of any sort?
No

Did you download recently from any untrusted web site?
No, I have hardly had time to download anything before I get infected
 
David H. Lipman

From: "Gaz" <[email protected]>

| Hi All
| I'm having trouble getting rid of these two viruses:
| "Cryp_Xed-15" and "PE_VIRUX.GEN-1".
| I have Trend Micro and know these viruses attack most "exe" files, stop the
| antivirus and stop you from logging in.
| I have formatted the hard drives and external drives, then reloaded XP and done
| all the updates etc. Then a few days later it starts affecting things and
| Trend picks it up and tells me to do a scan, which finds it in a lot of
| exe files and removes/repairs them, but it cannot stop it. Any ideas or
| solutions?
| Thanks Gaz



Who said they were viruses?
What are the fully qualified names and paths deemed to be infected?
 
tommy

Gaz said:
Hi All
I'm having trouble getting rid of these two viruses:
"Cryp_Xed-15" and "PE_VIRUX.GEN-1".
I have Trend Micro and know these viruses attack most "exe" files,
stop the antivirus and stop you from logging in.
I have formatted the hard drives and external drives, then reloaded XP
and done all the updates etc. Then a few days later it starts affecting
things and Trend picks it up and tells me to do a scan, which finds
it in a lot of exe files and removes/repairs them, but it cannot stop
it. Any ideas or solutions?
Thanks Gaz

do you use a firewall?
 
FromTheRafters

Gaz said:
Hi All
I'm having trouble getting rid of these two viruses:
"Cryp_Xed-15" and "PE_VIRUX.GEN-1".
I have Trend Micro and know these viruses attack most "exe" files,
stop the antivirus and stop you from logging in.
I have formatted the hard drives and external drives, then reloaded XP
and done all the updates etc. Then a few days later it starts affecting
things and Trend picks it up and tells me to do a scan, which finds
it in a lot of exe files and removes/repairs them, but it cannot stop
it. Any ideas or solutions?

Did you read this, and have you submitted the suspect files for further
scrutiny?

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=CRYP_XED-15

If you do actually have it, it is a very nasty virus. If you don't
actually have it, that would explain the strange "reappearance" after
formatting and reinstalling. The only other way is to keep reinfecting
yourself somehow, but Trend should be able to prevent that from
happening.
 
Kamil Konieczny

I have formatted the hard drives and external drives, then reloaded XP and done
all the updates etc. Then a few days later it starts affecting things and
Trend picks it up and tells me to do a scan, which finds it in a lot of
exe files and removes/repairs them, but it cannot stop it. Any ideas or
solutions?

It can be W32.Virut plus some trojans it downloads

Please scan some infected files on jotti,
http://virusscan.jotti.org

and if it is indeed Virut, then
after loading a clean winXP image (or format and clean installation)
do _not_ run or install any old program you saved on CD-R or pen
drives or any removable drive.

If you run it only once and it is not blocked by anti-virus,
you get reinfected.

Also, configure your winXP so that it will not open and run a pen drive
or removable hard drive you connect to it.
Prepare an autorun.inf with some clean program, maybe calc.exe,
and test it. It should _not_ run.
You can still use your drives by right-clicking
on the drive icon and choosing "explore".

Regards,
kamil
 
Gaz

Hi
I have submitted logs created by Trend programs they have sent me and
they have shown that Trend has deleted the affected files, which
unfortunately are all the exe files that run the system.
Trend detects it but can't stop it, by which time it is too late. Trend
cannot stop the reinfection, and this and the last clean have been squeaky
clean; this one I'm putting things back one at a time to see what happens.
I'm 100% sure it's not on the drives or in the genuine programs I'm
installing, so can I ask, could it be in the
BIOS, or
the modem, or
can someone see my computer from outside and infect it?
 
Gaz

Hi Again
I haven't connected any pen or external drives and got a
friend to disable autorun. This virus doesn't sit anywhere on its own; it
infects exe files, which when cleaned do not work anymore.




I have formatted the hard drives and external drives, then reloaded XP and
done all the updates etc. Then a few days later it starts affecting things and
Trend picks it up and tells me to do a scan, which finds it in a lot of
exe files and removes/repairs them, but it cannot stop it. Any ideas or
solutions?

It can be W32.Virut plus some trojans it downloads

Please scan some infected files on jotti,
http://virusscan.jotti.org

and if it is indeed Virut, then
after loading a clean winXP image (or format and clean installation)
do _not_ run or install any old program you saved on CD-R or pen
drives or any removable drive.

If you run it only once and it is not blocked by anti-virus,
you get reinfected.

Also, configure your winXP so that it will not open and run a pen drive
or removable hard drive you connect to it.
Prepare an autorun.inf with some clean program, maybe calc.exe,
and test it. It should _not_ run.
You can still use your drives by right-clicking
on the drive icon and choosing "explore".

Regards,
kamil
 
FromTheRafters

Gaz said:
Hi
I have submitted logs created by Trend programs they have sent me
and they have shown that Trend has deleted the affected files, which
unfortunately are all the exe files that run the system.

System files may be "protected" in the sense that they are replaced with
(archived) copies when the system is rebooted.

...if you have copies of those files on read only media (like the
original pressed installation disk) and they still get detected as
infected by Trend's scanner, inform Trend that they have a false
positive (heuristic) detection.

Trend detects it but can't stop it by which time it is too late,

Are you speculating here?

Trend cannot stop the reinfection and this and the last clean have
been squeaky clean, this one I'm putting things back one at a time to
see what happens.

Both of the malware names given seem to be heuristic detections rather
than actual identifications of this virus. Submit any file found (by
Trend) to be infected to further scrutiny by using jotti.org or
virustotal.com.

It is not completely unheard of for a malware to taint the "archived"
backup copy used to restore (protect) system files - it is not very
common though. Read only media cannot be infected however (but that is
not to say that content on them can't have been infected previously).
Your read only (pressed) installation media content cannot have been
previously infected with virux as it is too new I think.

I'm 100% sure it's not on the drives or in the genuine programs I'm
installing,

The only thing I am ever 100% sure of anymore is that I may be missing
something. :blush:

so can I ask, could it be in the BIOS

Extremely unlikely

or the modem

Some malware can alter "router" firmware (DNS Changer) to send your
browser requests to malicious webpages.

or can someone see my computer from outside and infect it?

Also possible, but I have a hunch that that is not the case here.
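The check FromTheRafters suggests above (compare the exes Trend flags against the copies on the pressed install media, and hash whatever differs so it can be submitted to jotti.org or virustotal.com) as a small Python script. This is an added example, not code from the thread; it assumes the media files have already been expanded into a plain directory of .exe files, and it builds a constructed pair of sample trees to run on.

```python
"""Compare .exe files on a rebuilt system with copies from read-only install media.
A flagged file that matches the pressed media is a false-positive candidate to
report; one that differs (often grown, as with an appending infector) is the one
to submit for further scrutiny.  Added example with constructed sample data."""
import hashlib
import os
import tempfile

def sha256_of(path):
    # Stream the file so large binaries are hashed without loading them whole.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root, suffix=".exe"):
    # Map lower-cased relative path -> (sha256, size) for every matching file.
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(suffix):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
                out[rel] = (sha256_of(full), os.path.getsize(full))
    return out

def compare_to_media(system_root, media_root):
    # Return {rel_path: (verdict, sha256, size_delta)} for every system .exe:
    # 'matches_media', 'modified' (size_delta = bytes added) or 'not_on_media'
    # (no reference copy, so the hash is what you would look up or submit).
    system, media = hash_tree(system_root), hash_tree(media_root)
    report = {}
    for rel, (digest, size) in system.items():
        if rel not in media:
            report[rel] = ("not_on_media", digest, 0)
        elif media[rel][0] == digest:
            report[rel] = ("matches_media", digest, 0)
        else:
            report[rel] = ("modified", digest, size - media[rel][1])
    return report

def demo():
    # Constructed sample trees: one untouched exe, one with 512 bytes appended
    # after the rebuild, and one exe that exists only on the system.
    media, system = tempfile.mkdtemp(prefix="media_"), tempfile.mkdtemp(prefix="sys_")
    calc, notepad = b"MZ" + b"\0" * 64 + b"calc", b"MZ" + b"\0" * 64 + b"notepad"
    files = {(media, "calc.exe"): calc, (system, "calc.exe"): calc,
             (media, "notepad.exe"): notepad,
             (system, "notepad.exe"): notepad + b"\x90" * 512,  # appended code
             (system, "extra.exe"): b"MZ only on system"}
    for (root, name), data in files.items():
        os.makedirs(os.path.join(root, "i386"), exist_ok=True)
        with open(os.path.join(root, "i386", name), "wb") as f:
            f.write(data)
    return compare_to_media(system, media)

if __name__ == "__main__":
    for rel, (verdict, digest, delta) in sorted(demo().items()):
        print(f"{verdict:14} {delta:+6d}  {digest[:16]}  {rel}")
```

Point `compare_to_media` at the real system drive and the expanded media directory to get the same report for the files Trend deleted; a positive size delta on an otherwise untouched system file is the pattern a file infector leaves.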
 
 
Old Fart

I had a problem and found the problem was being kept alive in the BIOS
and living off the motherboard battery supply.
I too did multiple formats and the like but to no avail.
Unfortunately I can't remember what I used to get rid of it, sorry.
 
David H. Lipman

From: "Old Fart" <[email protected]>

| I had a problem and found the problem was being kept alive in the BIOS
| and living off the motherboard battery supply.
| I too did multiple formats and the like but to no avail.
| Unfortunately I can't remember what I used to get rid of it, sorry.
| --
| Old Fart
| Work Is A Dirty 4 Letter Word


Bwahahahahahahahahahahahahahaha

Thanx for the laugh.
 
Gaz

Download Avira Antivir Free:
http://www.free-av.com/en/download/download_servers.php
Download the latest virus definition file:
http://www1.avira.com/en/support/vdf_update.html
( Download IVDF (Unicode) )

Disconnect from internet.
Uninstall Trend Micro thoroughly.

Install Avira Antivir.
Update manually (using the downloaded definitions)

Reconnect to internet.
Update Avira Antivir.
Do a complete scan.

Is the "infection" still there?

By the way, do you use any registry tool (cleaner, tweaker, repair
registry, fix-speed up-maintain your computer, etc.)

Hi
I don't use any cleaning programs, I tried your help and it is not
there - yet.
I'm still putting everything back on my computer bit by bit, one at a time
to see what happens. So far all disks cleaned using Killdisk,
installed XP Pro SP2,
installed Realtek driver off Asus motherboard disc to get internet,
installed Trend and updated it while Windows updated to SP3 and IE8 and all
security fixes,
installed ABF Outlook Backup, Windows Live Messenger, Canon printer drivers
and programs.
I'll wait a couple of days and see what happens.
Gaz
 
1PW

Gaz said:
Hi
I don't use any cleaning programs, I tried your help and it is not
there - yet.
I'm still putting everything back on my computer bit by bit, one at a time
to see what happens. So far all disks cleaned using Killdisk,
installed XP Pro SP2,
installed Realtek driver off Asus motherboard disc to get internet,
installed Trend and updated it while Windows updated to SP3 and IE8 and all
security fixes,
installed ABF Outlook Backup, Windows Live Messenger, Canon printer drivers
and programs.
I'll wait a couple of days and see what happens.
Gaz

Hello Gaz:

The above is an extremely poor way to rebuild your system and is a
dangerous example to others! Your system should have /never/ been
connected to the internet till /everything/ was installed from
*trusted* sources first.

If you are not going to rebuild your system in the correct manner now,
then run full updated scans with all your antimalware to see what you
may have contracted.

Best wishes,
 
Gaz

Hello Gaz:

The above is an extremely poor way to rebuild your system and is a
dangerous example to others! Your system should have /never/ been
connected to the internet till /everything/ was installed from
*trusted* sources first.

If you are not going to rebuild your system in the correct manner now,
then run full updated scans with all your antimalware to see what you
may have contracted.

Best wishes,

Trend won't install without an internet connection and everything installed
is from genuine trusted installation disks and I want to monitor all
suspicious activities as early as possible.
I don't want to install all the programs on my computer which may take a
couple of days without having things monitored, most programs need to update.
I've never heard it done that way, I thought the most important thing was to
get antivirus monitoring as soon as possible, and as I'm asking for advice I
hope nobody is using this as an example.
Gaz
 
1PW

Gaz said:
Trend won't install without an internet connection and everything installed
is from genuine trusted installation disks and I want to monitor all
suspicious activities as early as possible.

Not so...

I don't want to install all the programs on my computer which may take a
couple of days without having things monitored, most programs need to update.
I've never heard it done that way, I thought the most important thing was to
get antivirus monitoring as soon as possible, and as I'm asking for advice I
hope nobody is using this as an example.
Gaz

Antivirus monitoring is only one facet of the overall problem.
Malware takes many other forms that aren't virus.



Hello Gaz:

I apologize if my last post was a bit harsh.

Your approach to reload incrementally is /somewhat/ sound. However,
you must have maximized your protection against all malware before
your system can be allowed to "see" the Internet.

"Slipstreaming" SP3 with your Windows install media, and all
subsequent updates, will help to meet that requirement. You may also
include all the special drivers your system requires if you build a
slipstream CD with "nLite". A cloned backup of your complete clean &
current system would be the fastest solution.

For about $12AUD, Trend Micro will sell you a CD to go with your
downloaded suite as a backup. Not many of us recommend Trend Micro,
as we prefer individual solutions for the most part.

By letting your system "see" the Internet without updates, patches &
all its antimalware protection, you are offering up a "Honey pot" to
all the ne'er-do-wells. Honey pots can be infected in mere seconds.
The "bots" that infect similar systems can test with exploits in
milliseconds and install any manner of malware a short time later.
Remember in the above procedure you used, your system was a honey pot
while you were downloading SP3 and Trend Micro IS Pro.

Best wishes,
 
Gaz

Antivirus monitoring is only one facet of the overall problem.
Malware takes many other forms that aren't virus.



Hello Gaz:

I apologize if my last post was a bit harsh.

Your approach to reload incrementally is /somewhat/ sound. However,
you must have maximized your protection against all malware before
your system can be allowed to "see" the Internet.

"Slipstreaming" SP3 with your Windows install media, and all
subsequent updates, will help to meet that requirement. You may also
include all the special drivers your system requires if you build a
slipstream CD with "nLite". A cloned backup of your complete clean &
current system would be the fastest solution.

For about $12AUD, Trend Micro will sell you a CD to go with your
downloaded suite as a backup. Not many of us recommend Trend Micro,
as we prefer individual solutions for the most part.

By letting your system "see" the Internet without updates, patches &
all its antimalware protection, you are offering up a "Honey pot" to
all the ne'er-do-wells. Honey pots can be infected in mere seconds.
The "bots" that infect similar systems can test with exploits in
milliseconds and install any manner of malware a short time later.
Remember in the above procedure you used, your system was a honey pot
while you were downloading SP3 and Trend Micro IS Pro.

Best wishes,


Hi
I just got nLite but I cannot find that Trend CD anywhere on their site,
do you have a link? Thanks.
I chose Trend as we have it at work and nothing seems to get through it
(except this). I didn't know any other way of doing the install and was
worried about being on the net unprotected, but now I know if I have to do
it again.
Gaz
 
