Anyone else have these viruses



Hi All
          I'm having trouble getting rid of these two viruses -
"Cryp_Xed-15" and "PE_VIRUX.GEN-1".
I have Trend Micro and know these viruses attack most "exe" files, stop the
antivirus and stop you from logging in.
I have formatted the hard drives and external drives, then reloaded XP and done
all the updates etc. Then a few days later it starts affecting things and
Trend picks it up and tells me to do a scan, which finds it in a lot of
exe files and removes/repairs them, but it cannot stop it. Any ideas or
solutions?
Thanks Gaz



Re: Anyone else have these viruses

Gaz wrote:

Hello Gaz:

Please answer the following questions with /interspersed/ replies:

Exactly what version of XP do you have? Home, Professional or MCE, x86
or x64, OEM or retail?

At what service pack level have you brought the rebuild to?

Do you use a router when connecting to the Internet?

What is the exact Trend Micro product you are using?  Be precise!

Do you have /any/ other antimalware products in use?

Did you rebuild your system from backups, such as a restore, or did
you rebuild from trusted Microsoft provided media?

Did you re-install your user applications from trusted media?

Have you introduced any media that was untrusted such as CDs, DVDs or
 USB storage devices of any sort?

Did you download recently from any untrusted web site?

Does a family member, friend or colleague have access to your system?

--
1PW

Re: Anyone else have these viruses


1PW wrote:
> Exactly what version of XP do you have? Home, Professional or MCE, x86
> or x64, OEM or retail?
XP PRO Genuine version
> At what service pack level have you brought the rebuild to?
Service Pack 3
> Do you use a router when connecting to the Internet?
Yes - Datalink RTA1046VW, connected via cable
> What is the exact Trend Micro product you are using?  Be precise!
Trend Micro Internet Security Pro Full Version  17.50.1366.0000
> Do you have /any/ other antimalware products in use?
No
> Did you rebuild your system from backups, such as a restore, or did
> you rebuild from trusted Microsoft provided media?
Used Killdisk, then from original XP Pro disk
> Did you re-install your user applications from trusted media?
Yes, all the driver disks that came with the computer, all genuine
> Have you introduced any media that was untrusted such as CDs, DVDs or
> USB storage devices of any sort?
No
> Did you download recently from any untrusted web site?
No, I've hardly had time to download anything before I get infected
> Does a family member, friend or colleague have access to your system?
No



Re: Anyone else have these viruses




| Hi All
|           I'm having trouble getting rid of these two viruses -
| "Cryp_Xed-15" and "PE_VIRUX.GEN-1".
| I have Trend Micro and know these viruses attack most "exe" files, stops the
| antivirus and stops you from logging in.
| I have formatted the hard drives and external drives, then reload Xp and do
| all the updates etc. then a few days later it starts affecting things and
| Trend picks it up and tells me to do a scan which it finds it in a lot of
| exe files and removes/repairs them, but it cannot stop it. Any ideas or
| solutions.
| Thanks Gaz



Who said they were viruses ?
What are the fully qualified names and paths deemed to be infected ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Anyone else have these viruses






Gaz wrote:

do you use a firewall?
--
Tommy



Re: Anyone else have these viruses



Yes Windows Firewall, plus Trend








Re: Anyone else have these viruses




Did you read this, and have you submitted the suspect files for further
scrutiny?

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=CRYP_XED-15

If you do actually have it, it is a very nasty virus. If you don't
actually have it, that would explain the strange "reappearance" after
formatting and reinstalling. The only other way is to keep reinfecting
yourself somehow, But Trend should be able to prevent that from
happening.



Re: Anyone else have these viruses



Hi
     I have submitted logs created by Trend programs they have sent me, and
they have shown that Trend has deleted the affected files, which
unfortunately are all the exe files that run the system.
Trend detects it but can't stop it, by which time it is too late. Trend
cannot stop the reinfection, and this and the last clean have been squeaky
clean; this time I'm putting things back one at a time to see what happens.
I'm 100% sure it's not on the drives or in the genuine programs I'm
installing, so can I ask, could it be in the
BIOS or
the modem or
can someone see my computer from outside and infect it?








Re: Anyone else have these viruses




System files may be "protected" in the sense that they are replaced with
(archived) copies when the system is rebooted.

...if you have copies of those files on read only media (like the
original pressed installation disk) and they still get detected as
infected by Trend's scanner, inform Trend that they have a false
positive (heuristic) detection.


Are you speculating here?


Both of the malware names given seem to be heuristic detections rather
than actual identifications of this virus. Submit any file found (by
Trend) to be infected to further scrutiny by using jotti.org or
virustotal.com.

It is not completely unheard of for a malware to taint the "archived"
backup copy used to restore (protect) system files - it is not very
common though. Read only media cannot be infected however (but that is
not to say that content on them can't have been infected previously).
Your read only (pressed) installation media content cannot have been
previously infected with virux as it is too new I think.


The only thing I am ever 100% sure of anymore is that I may be missing
something. :o\


Extremely unlikely


Some malware can alter "router" firmware (DNS Changer) to send your
browser requests to malicious webpages.

> or can someone see my computer from outside and infect it?

Also possible, but I have a hunch that that is not the case here.




Re: Anyone else have these viruses



    Sure, Windows has always had backdoors built in. When the
hackers find it, Microsoft "patches" it and opens another backdoor.
    Read about the Blaster worm.

    http://en.wikipedia.org/wiki/Blaster_%28computer_worm%29

    I always install windows, my antivirus, a firewall, disable a
load of "services" using xpy and only THEN I connect to the internet.

    http://code.google.com/p/xpy/
    
    FWIW


Re: Anyone else have these viruses




It can be W32.Virut plus some trojans it downloads.

Please scan some infected files on jotti,
http://virusscan.jotti.org

and if it is indeed Virut, then
after loading a clean WinXP image (or format and clean installation)
do _not_ run or install any old program you saved on CD-R or pen
drives
or any removable drive.

If you run it even once and it is not blocked by anti-virus,
you get reinfected.

Also, configure your WinXP so that it will not open and run a pen drive
or removable hard drive you connect to it.
Prepare yourself an autorun.inf with some clean program, maybe calc.exe,
and test it. It should _not_ run.
You can still use your drives by right-clicking
on the drive icon and choosing "explore".

Regards,
kamil

Re: Anyone else have these viruses



Hi Again
              I haven't connected any pen or external drives and got a
friend to disable autorun. This virus doesn't sit anywhere on its own, it
infects exe files, which when cleaned, do not work anymore.







Re: Anyone else have these viruses



Either Trend has a bad FP issue, or you have infected media someplace which
is re-introducing Virut into the system. It wouldn't be such a royal PITA
if the damn thing infected files properly; but sadly it doesn't preserve
everything due to bugs in the code, and winds up damaging its host file.

It does not live in your modem, nor your MBR. It's an exe infector that
spreads fast and causes harm to the files it infects, ie: irreversible
damage as you have noticed. No cleaning option. Delete/replace is your only
choice.

Have you tried updating to the latest trend micro definitions and scanning
your system again? Try uploading some of the "infected" files to
www.virustotal.com or jotti. This will provide you with opinions from other
antivirus scanners. If the majority of them say it's virut, then again, you
have infected media someplace which is being reintroduced into the system.



--
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org
BugHunter - http://bughunter.it-mate.co.uk
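
As an added example (not code from the thread, from Trend Micro, or from any of the products mentioned), the following Python script does the two things several replies above recommend: it hashes each executable so the hash can be looked up on VirusTotal or Jotti before anything is uploaded, and it applies a couple of simple PE-header heuristics that appending file infectors tend to trip, namely an entry point redirected into the last section, or a section that is both writable and executable. The heuristics, the helper names and the two constructed sample images are my own assumptions; nothing here identifies Virut or any specific family, and a packer or self-extractor will trip the same checks, so a hit is a reason to submit the file, not a verdict.

```python
import hashlib
import os
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def parse_pe(data):
    """Return entry-point RVA and section table; ValueError if the header is not PE.
    A host file mangled by a buggy infector may not parse at all, which is itself a clue."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER
    entry_rva, = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    table = opt + opt_size                                 # section headers, 40 bytes each
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return {"entry_rva": entry_rva, "sections": sections}


def section_for_rva(sections, rva):
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def triage(data):
    """List of indicators that the image looks like a patched host; [] means none fired."""
    pe = parse_pe(data)
    secs = pe["sections"]
    findings = []
    ep = section_for_rva(secs, pe["entry_rva"])
    if ep is None:
        findings.append("entry point 0x%x lies outside every section" % pe["entry_rva"])
    elif len(secs) > 1 and ep is secs[-1]:
        # Appending infectors add a section (or grow the last one) and point the entry into it.
        findings.append("entry point is in the last section %r" % ep["name"])
    for s in secs:
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append("section %r is writable and executable" % s["name"])
    return findings


def sha256_hex(data):
    """Hash to look up on VirusTotal / Jotti before uploading the file itself."""
    return hashlib.sha256(data).hexdigest()


def scan_tree(root):
    """Triage every .exe under root; returns {path: findings}, malformed files noted as such."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith(".exe"):
                path = os.path.join(dirpath, n)
                with open(path, "rb") as f:
                    data = f.read()
                try:
                    report[path] = triage(data)
                except (ValueError, struct.error) as e:
                    report[path] = ["malformed: %s" % e]
    return report


def build_pe(sections, entry_rva):
    """Constructed test input: a minimal PE32 image (zero-filled bodies), not a real binary.
    sections: list of (name, virtual_address, size, characteristics)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    opt_size = 224                                                   # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    hdr_len = len(dos) + 4 + len(coff) + opt_size + 40 * len(sections)
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF                             # 512-byte file alignment
    table, body = b"", b""
    for name, vaddr, size, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), size, vaddr, size,
                             raw_ptr, 0, 0, 0, 0, chars)
        body += b"\0" * size
        raw_ptr += size
    headers = dos + b"PE\0\0" + coff + bytes(opt) + table
    return headers + b"\0" * (((hdr_len + 0x1FF) & ~0x1FF) - hdr_len) + body


# Constructed samples: a plain two-section image, and the same image with an appended
# writable+executable section that the entry point now jumps into.
CLEAN = build_pe([(".text", 0x1000, 0x200, RX), (".data", 0x2000, 0x200, RW)], 0x1010)
PATCHED = build_pe([(".text", 0x1000, 0x200, RX), (".data", 0x2000, 0x200, RW),
                    (".xtra", 0x3000, 0x400, RX | IMAGE_SCN_MEM_WRITE)], 0x3000)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("patched", PATCHED)):
        print(label, sha256_hex(img)[:16], triage(img) or "no indicators")
```

On a real machine, `scan_tree(r"C:\Program Files")` run from a known-clean boot gives a quick list of which binaries to hash and submit; a file that comes back as "malformed" is consistent with the point above that a damaged host cannot be repaired and should be replaced from trusted media.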

Re: Anyone else have these viruses



I had a problem and found the problem was being kept alive in the BIOS
and living off the motherboard battery supply.
I too did multiple formats and the like, but to no avail.
Unfortunately I can't remember what I used to get rid of it, sorry.
--
Old Fart
Work Is A Dirty 4 Letter Word







Re: Anyone else have these viruses




| I had a problem and found the problem was being kept alive in the bios
| and living of the motherboard battery supply
| I to did multiple formats and the like  but to no avail
| unfortunately I can't remember what I used to get rid of it sorry
| --
| Old Fart
| Work Is A Dirty 4 Letter Word


Bwahahahahahahahahahahahahahaha

Thanx for the laugh.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Anyone else have these viruses



I had stuff getting into my box through Alliant Energy. I installed my
own generator and have never had any problems since.

Older Fart





--
        --- Everybody has a right to my opinion. ---

Re: Anyone else have these viruses





Download Avira Antivir Free:
http://www.free-av.com/en/download/download_servers.php
Download the latest virus definition file:
http://www1.avira.com/en/support/vdf_update.html
( Download IVDF (Unicode) )

Disconnect from internet.
Uninstall Trend Micro thoroughly.

Install Avira Antivir.
Update manually (using the downloaded definitions)

Reconnect to internet.
Update Avira Antivir.
Do a complete scan.

Is the "infection" still there?

By the way, do you use any registry tool (cleaner, tweaker, repair
registry, fix-speed up-maintain your computer, etc.)?

--
Fred W. (NL)

Re: Anyone else have these viruses





Hi
     I don't use any cleaning programs. I tried your help and it is not
there - yet.
I'm still putting everything back on my computer bit by bit, one at a time
to see what happens. So far all disks cleaned using Killdisk,
installed XP Pro SP2,
installed Realtek driver off Asus motherboard disc to get internet,
installed Trend and updated it while Windows updated to SP3 and IE8 and all
security fixes,
installed ABF Outlook Backup, Windows Live Messenger, Canon printer drivers
and programs.
I'll wait a couple of days and see what happens.
Gaz



Re: Anyone else have these viruses



Gaz wrote:

Hello Gaz:

The above is an extremely poor way to rebuild your system and is a
dangerous example to others!  Your system should have /never/ been
connected to the internet till /everything/ was installed from
*trusted* sources first.

If you are not going to rebuild your system in the correct manner now,
then run full updated scans with all your antimalware to see what you
may have contracted.

Best wishes,

--
1PW
