Question

pe_virux.a (trend micro) infects every .exe new virus

Asked by: alvareztg

One of our PCs has every .exe file infected with the virus. When I run a Trend Micro scan it attempts to quarantine all of these files, including things like notepad, explorer, iexplore, etc. This is obviously not a good solution. Does anyone know what this virus does and/or a better way to remove it?


Asked On: 2009-02-06 at 16:08:13 | ID: 24121346
Tags: Virus, Win32/Virut, PE infection, PE_VIRUX.a
Topic: Anti-Virus
Participating Experts: 10 | Points: 250 | Comments: 24


Answers

 

by: tercex11 | Posted on 2009-02-06 at 16:26:06 | ID: 23575696

Can you choose to clean the files instead of quarantining them? That may help. If some files can't be cleaned, you can try another AV, or you may have to quarantine the files.

Here are some specifics on the virus and links to cleaning instructions from both Trend and Symantec:
Discovered: February 4, 2009
Updated: February 4, 2009 6:14:14 PM
Also Known As: W32/Virut.n [McAfee], PE_VIRUX.A [Trend]
Type: Virus
Infection Length: 17,044 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
When the virus executes, it attempts to infect any file accessed with the following extensions:
.exe
.scr

http://www.symantec.com/security_response/writeup.jsp?docid=2009-020411-2802-99&tabid=3
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=PE_VIRUX.A&vsect=Sn

 

by: alvareztg | Posted on 2009-02-06 at 17:01:07 | ID: 23575874

Cleaning fails using the Trend command line scanner, and the secondary action is to quarantine the file. Thanks for the information.

 

by: rpggamergirl | Posted on 2009-02-06 at 22:13:40 | ID: 23576829

Virux or Virut is a buggy file infector that infects every .exe and .scr file. Antivirus can't cure the file, so the infected files are getting corrupted and deleted, and the user would need to replace all deleted files. If the system has been infected for a while, so many files have been infected/deleted that it's a wise decision to just reformat the drive and start from scratch.

If the system hasn't been infected that long, which means only a few files need to be replaced, then Dr.Web CureIt is a good scanner to use, or the online Panda scanner.
Combofix will detect the critical infected system files, but I doubt it will delete them, as infected system files are whitelisted.

If you reformat and reinstall, you can't back up any .exe and .scr files as they could be infected.

 

by: Admin3k | Posted on 2009-02-07 at 12:54:41 | ID: 23580183

This virus can be removed with a bit of difficulty. As advised above, the format & reinstall is the safer option, but it can still be done if you remove the hard drive & attach it elsewhere, then try using the specific cleaner by GRISOFT:

http://www.softpedia.com/get/Antivirus/Win32-Virut-Remover.shtml

The trick is not to use the infected operating system to boot up.

The tool does fix most of the infected files; the ones that it can't clean should be deleted & restored from backup or by reinstalling the associated application(s).

Hope this helps.

 

by: tpezet | Posted on 2009-02-08 at 05:45:57 | ID: 23583565

Our network was hit by this virus last Friday night and it quickly spread to about 20 machines in 3 different locations. My fix was as follows:
1) I disabled System Restore via Group Policy.
2) Booted the machines off a Bart PE CD with Trend Micro Sysclean, with the latest signature DAT file and a copy of regedit.
3) I used regedit to connect to the infected machine and checked for any dodgy entries in HKLM\Softw\microsft\windows\currentcontrol\RUN.
4) Used Sysclean to scan for the infected files, which were deleted by Sysclean.
5) If the machine only had a few infected files I copied over a good copy of the files. Really badly affected machines will be rebuilt.

This got the crisis under control. In the medium term I will rebuild all machines that were infected.

Hope this helps.

 

by: bciengineer | Posted on 2009-02-09 at 04:19:19 | ID: 23589353

I have been fighting the same problem at a client's site for 3 days now. It was not until McAfee released DAT version 5519 that McAfee was able to clean the virus from infected files. So if you scanned prior to that update, it is likely a large number of important files were moved to quarantine.

From McAfee's website:
W32/Virut.n connects to the following domains or IP addresses:

irc.zief.pl
proxim.ircgalaxy.pl
horobl.cn
goasi.cn
setdoc.cn
209.205.196.18
66.232.126.195
It can connect to an IRC server to receive commands.
Emails are harvested from the infected machine and posted to the following server:
69.46.16.191

I would recommend doing a fresh install of the OS. Even after getting a clean scan with McAfee and Malwarebytes, the infected PCs had connected to servers in Turkey (seen using Active Ports 1.4) and downloaded several rootkits and backdoors. I only found those using Combofix.

Good Luck
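The McAfee indicators quoted in the post above are the kind of thing an admin would sweep DNS and firewall logs for while triaging an outbreak like the one in this thread: any internal host that resolved one of those names or talked to one of those addresses needs to be pulled off the network and rebuilt, whatever its AV scan says. The script below is an added example, not code from this thread or from any vendor's tooling. It matches the quoted domains (including their subdomains) and IP addresses against a few constructed log lines; the log format, the 10.0.0.x client addresses and the function names are my own assumptions, and the indicators themselves are 2009-era values kept only to show the matching logic.

```python
import re

# Indicators exactly as quoted from McAfee's write-up in the post above
# (historical, 2009; shown here only to demonstrate the matching logic).
IOC_DOMAINS = {
    "irc.zief.pl",
    "proxim.ircgalaxy.pl",
    "horobl.cn",
    "goasi.cn",
    "setdoc.cn",
}
IOC_IPS = {"209.205.196.18", "66.232.126.195", "69.46.16.191"}

_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Dotted hostnames with DNS label syntax. IPv4 addresses also match this
# pattern but never pass domain_matches(), so they are not double counted.
_HOST_RE = re.compile(
    r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b",
    re.IGNORECASE,
)
# Internal address of the requesting machine, from either a DNS-style
# "client=" field or a firewall-style "src=" field (constructed log format).
_CLIENT_RE = re.compile(r"\b(?:client|src)=(\d{1,3}(?:\.\d{1,3}){3})")


def domain_matches(host):
    """True if host is an IoC domain or a subdomain of one (label-boundary match,
    so 'notirc.zief.pl' does not match 'irc.zief.pl')."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_log_lines(lines):
    """Return one hit per (line, indicator) pair found in the given log lines."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        seen = set()
        for ip in _IP_RE.findall(line):
            if ip in IOC_IPS and ip not in seen:
                seen.add(ip)
                hits.append({"line": lineno, "kind": "ip", "indicator": ip, "text": line.strip()})
        for host in _HOST_RE.findall(line):
            host_l = host.lower()
            if domain_matches(host_l) and host_l not in seen:
                seen.add(host_l)
                hits.append({"line": lineno, "kind": "domain", "indicator": host_l, "text": line.strip()})
    return hits


def affected_clients(lines):
    """Internal addresses seen on lines with an IoC hit: the hosts to isolate and rebuild."""
    hit_lines = {h["line"] for h in scan_log_lines(lines)}
    clients = set()
    for lineno, line in enumerate(lines, 1):
        if lineno in hit_lines:
            m = _CLIENT_RE.search(line)
            if m:
                clients.add(m.group(1))
    return sorted(clients)


# Constructed sample lines in a made-up DNS/firewall log format.
SAMPLE_LOG = """\
2009-02-09 17:02:11 dns client=10.0.0.21 query=irc.zief.pl type=A
2009-02-09 17:02:12 fw ALLOW src=10.0.0.21 dst=209.205.196.18
2009-02-09 17:02:40 dns client=10.0.0.22 query=www.example.com type=A
2009-02-09 17:03:05 fw ALLOW src=10.0.0.21 dst=69.46.16.191
2009-02-09 17:03:09 dns client=10.0.0.23 query=update.horobl.cn type=A
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['kind']} {hit['indicator']}  <- {hit['text']}")
    print("clients to isolate:", affected_clients(SAMPLE_LOG))
```

Matching on the whole hostname with a label boundary matters: a plain substring check would also flag unrelated names that merely contain "zief.pl", and an exact-match check would miss subdomains such as the constructed update.horobl.cn. Feed the functions real exported log lines (one string per line) and the same logic applies as long as a client or src field identifies the internal machine.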

 

by: janmishkin | Posted on 2009-02-09 at 07:07:36 | ID: 23590623

I also have a badly infected machine and am considering a total wipe.  If I do not copy any EXE or SCR files to a USB drive, can I be sure the virus is not on the USB drive when I go to put on the files I backed up prior to the rebuild?

 


 

by: Admin3k | Posted on 2009-02-09 at 12:33:26 | ID: 23594132

Have you tried the solution in my earlier post? Post ID 23580183

After so much trouble with this virus, we managed to clean a heavily infected system and restored about 80% of the executables to a clean functional state. However, as mentioned above, due to some bad coding on the virus author's end, some of the executables were damaged after cleanup, so we had to reinstall the associated applications.

Given the choice I would have wiped the machine clean on the spot after backing up critical files, but this was not an option at the time. However, after reinstalling the affected programs & a repair install, the machine appears to be stable & in good shape.

 

by: janmishkin | Posted on 2009-02-09 at 15:08:54 | ID: 23595642

I did buy and download the Bart PE CD, but after reading through all the steps needed, and now seeing that someone got back only 80% of their executables, I would rather go for a clean sweep. So my question still is: If I do not copy any EXE or SCR files to a USB drive, can I be sure the virus is not on the USB drive when I go to put on the files I backed up prior to the rebuild?

 

by: rpggamergirl | Posted on 2009-02-09 at 15:58:52 | ID: 23595954

The best solution for Virut infection is a reformat and reinstall of the OS.
Depending on how long the system has been infected, it is VERY irresponsible of us techs to advise on cleaning a Virut-infected machine. Virut infection is the case where "virus wins" and we lose.

The new variant now also infects .htm and .html files, so when you back up files remember not to back up any executables, .scr files, downloaded archives (.zip or .rar), or .htm/.html files. All these have to go, as they could be infected and you'd just be risking a newly reformatted system.

>>>can I be sure the virus is not on the USB drive when I go to put on the files I backed up prior to the rebuild?<<<
You need to scan the USB on a clean machine to make sure the USB is clean, and don't back up those files I listed above.
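The exclusion list in the reply above (executables, .scr, .zip, .rar, .htm, .html) is easy to get wrong by hand when the user profile has thousands of files, and a file such as report.doc.exe is exactly the kind that slips through a visual check. The script below is an added example, not part of this thread or of any AV product: it walks a directory tree, sorts every file into "copy" or "leave behind" by that extension list (case-insensitively, on the last suffix only), and copies the allowed files into a backup folder while preserving the tree. The sample profile it builds in a temporary directory, and the function names, are my own constructions.

```python
import shutil
import tempfile
from pathlib import Path

# File types rpggamergirl's reply says not to carry over to a rebuilt machine.
EXCLUDED_SUFFIXES = {".exe", ".scr", ".zip", ".rar", ".htm", ".html"}


def is_excluded(path):
    """True if the file's final extension is on the do-not-back-up list.
    Only the last suffix counts, so 'report.doc.exe' is excluded and
    'setup.ZIP' is excluded regardless of case."""
    return Path(path).suffix.lower() in EXCLUDED_SUFFIXES


def classify_tree(root):
    """Split every file under root into (keep, drop) lists of relative POSIX paths."""
    root = Path(root)
    keep, drop = [], []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            (drop if is_excluded(p) else keep).append(p.relative_to(root).as_posix())
    return keep, drop


def copy_filtered(src, dst):
    """Copy only the allowed files from src into dst, preserving the directory layout.
    Returns the (keep, drop) lists so the excluded files can be reviewed or logged."""
    src, dst = Path(src), Path(dst)
    keep, drop = classify_tree(src)
    for rel in keep:
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src / rel, target)
    return keep, drop


def build_sample_tree(root):
    """Constructed stand-in for a user profile on an infected machine (assumption)."""
    files = {
        "Documents/budget.xls": b"xls",
        "Documents/report.doc.exe": b"MZ",      # double extension, still an .exe
        "Documents/notes.txt": b"plain text",
        "Downloads/setup.ZIP": b"PK",           # upper-case extension
        "Web/index.html": b"<html></html>",
        "Pictures/holiday.jpg": b"jpg",
    }
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return sorted(files)


def demo():
    """Build the sample profile, run the filtered copy, and return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "infected_user_profile"
        dst = Path(tmp) / "backup"
        build_sample_tree(src)
        keep, drop = copy_filtered(src, dst)
        copied = sorted(p.relative_to(dst).as_posix() for p in dst.rglob("*") if p.is_file())
        return keep, drop, copied


if __name__ == "__main__":
    keep, drop, copied = demo()
    print("copied:", copied)
    print("left behind:", drop)
```

The copy step deliberately refuses to decide on content: anything with an excluded extension stays behind even if an AV scan called it clean, which is the point of the reply. As the reply also says, the destination drive still has to be scanned from a known-clean machine before the files go back onto the rebuilt system.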

 

by: bciengineer | Posted on 2009-02-09 at 17:16:40 | ID: 23596407

I've discovered an interesting trend, or maybe just a coincidence, today.  Has anyone else seen this specifically target businesses that deal with Tax software?

The two clients I have seen infected with this were both using the same software.  It has been reported to that company so I do not wish to name them.  I just would like to know if anyone has seen the same thing.

Thanks.

 

by: jeremybevins | Posted on 2009-02-09 at 23:51:21 | ID: 23598168

Fighting it all day today. Pro System Fx.

 

by: Admin3k | Posted on 2009-02-10 at 05:07:29 | ID: 23599927

@rpggamergirl: sometimes in a business environment, rebuilding the machine is not an option. It may be easy for a home user to rebuild a machine & start from scratch, but we have to take into consideration specific scenarios where formatting is not an option, e.g. legacy applications where installation disks are not available, a very complex setup that could not be rebuilt easily, and cases where, if the user opted for a rebuild, they may be looking at business downtime.

My initial advice is to rebuild, but the solution I proposed will fix the machine long enough for the system admin to be able to back up critical configuration & files (not programs), then go for the rebuild solution just to be safe, regardless of how the machine is performing, which is basically what we have done in our case.

It does not have anything to do with being responsible or irresponsible; these cases should be dealt with on a case-by-case basis. What works for home users & SMBs does not necessarily work for another client / setup.

 

by: bciengineer | Posted on 2009-02-10 at 06:23:12 | ID: 23600552

It looks like Pro System has been infected. Both of my customers use it, and I suspected that was where the infection came from.

 

by: jeremybevins | Posted on 2009-02-10 at 06:50:50 | ID: 23600912

Have you contacted them about this? My client updated the software on Saturday and as soon as the users used it on Monday they were hit. It looks like the winlog is our main issue after we try to clean a machine.

 

by: crescom | Posted on 2009-02-10 at 09:32:40 | ID: 23602799

After getting myself infected, I was in a situation where reformatting C: didn't work... well, because almost every .exe and .scr file was infected on ALL drives.

I spent 3 days testing all kinds of cures, learning what to do... until I found ONE AV program that DID cure my exe files without destroying them. I was a bit surprised by that; it was from Microsoft... Until this day, I had thought that Defender and the others were just a joke... But this, Windows Live OneCare, did the job for me.

I think that people would like to know that there are many programs that try to do something, usually BAD (remove/quarantine)... Well, Norton did say 'clean' and didn't find that virus again... but it just hid it from itself :) ... virustotal.com helped me a lot, and I could see that the virus was there, even though Norton didn't see it.

After OneCare, virustotal.com didn't see any virus in my files, but I'm still trying to get a rock solid solution.

Next I'll try to restore the 'infected' system and then I'll try what OneCare does on that.

 

by: bciengineer | Posted on 2009-02-10 at 09:41:44 | ID: 23602922

I have spoken with the tax software company that was mentioned. I think it is just an effect of the virus attaching to the .exe for that program, and that it did not, does not, originate from it.

My client was hit on 2/4/09. I do not know yet when they updated their software.

 

by: alvareztg | Posted on 2009-02-10 at 15:10:32 | ID: 31543917

Thanks for the help this is great

 

by: alvareztg | Posted on 2009-02-10 at 15:13:55 | ID: 23606644

Thanks for the help guys, this is really great. For the majority of the PCs on our client's network we ended up doing clean reinstalls, but in the future we may try some of the BartPE options.

 

by: crescom | Posted on 2009-02-11 at 09:28:59 | ID: 23613722

Well, I must correct myself. Today I ran scan+clean with Norton AntiVirus 2009 from a clean system on the infected partition, and I'm glad to report that cleaning seems to be working.

Cleaning with Norton or OneCare does not return files to the exact state before infection, and it seems that infection+cleaning will leave some 'signatures' that trigger some other AV programs.
I'm not sure if you can call these 'false positives', but my system seems to be running just fine, without problems. (Now I also have an outgoing firewall, so I can see if there is unknown traffic from my system.)

 

by: alvareztg | Posted on 2009-02-11 at 10:45:20 | ID: 23614550

 

by: DominionTech | Posted on 2009-04-28 at 11:52:26 | ID: 24253885

As far as infecting a USB stick: Virut infected the two .exe files I ran on that infected computer. Since I have about 20 .exes in the root of my USB stick and only the two I ran were infected, I would assume just copying documents and data files should be fine. You can tell the AVG removal tool to scan your memory stick from the command prompt, e.g. "rmvirut.exe E:" (E = USB drive letter).
