PE_PATCHEP.A
Solution

Minimum scan engine version needed: 8.300

Pattern file needed: 5.331.00

Pattern release date: Jun 8, 2008


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.


Solution:

Note: To fully remove all associated malware, perform the clean solutions for the following:

Identifying the Malware Files

  1. Scan your computer with your Trend Micro antivirus product.
  2. Note the path and file name of all files detected as PE_PATCHEP.A.

Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use Housecall, the Trend Micro online threat scanner.

Restoring Deleted or Overwritten Files

The following files, which have been deleted or overwritten by the malware, can be restored from backup or by using installers:

  • EXPLORER.EXE
  • LSASS.EXE
  • SERVICES.EXE
  • SPOOLSV.EXE
  • SVCHOST.EXE
  • WINLOGON.EXE

(Note: If the preceding solution does not restore the said files, proceed to the following solution set.)

Deleting Malware Files using Recovery Console
On Windows NT, 2000, XP, and Server 2003 systems

This procedure allows the computer to restart by using the Windows installation CD.

  1. Insert your Windows Installation CD in your CD-ROM drive.
  2. Press the restart button of your computer.
  3. When prompted, press any key to boot from the CD.
  4. When prompted on the Main Menu, type r to enter the recovery console.
    (Note: On Windows 2000, after pressing r, type c to choose the Recovery Console in the repair options screen.)
  5. When prompted, type your administrator password to log on.
  6. Type the following commands, then press Enter after each one:
    • {Drive letter of your CD-ROM where the Windows Installation CD is inserted}{colon}
      E.g. “D:”, “E:” (note: quotes not included)
    • CD I386
    • Expand {malware file name detected earlier with last character as underscore (_)} {path of malware detected earlier}
      E.g. if malware name is EXPLORER.EXE then type the following:
      Expand EXPLORER.EX_ c:\WINDOWS\system32
  7. Type exit to restart the system.

Deleting Malware Files using Windows Startup Disk
On Windows 98 and ME systems

This procedure allows the computer to restart by using the Windows Startup Disk.

  1. Click Start>Settings>Control Panel.
  2. In the Control Panel, double-click Add/Remove Programs. Click on the Startup Disk tab.
  3. Insert a working floppy disk and the Windows installation CD, and then click the Create Disk button to create the Startup Disk. Note that this deletes the contents of the floppy disk.
  4. Restart the system with the Startup Disk.
  5. Type the following commands, then press Enter after each one:
    • {Drive letter of your CD-ROM where the Windows Installation CD is inserted}{colon}
      E.g. “D:”, “E:” (note: quotes not included)
    • CD I386
    • Expand {malware filename detected earlier with last character as underscore (_)} {path of malware detected earlier}
      E.g. if malware name is EXPLORER.EXE then type the following:
      Expand EXPLORER.EX_ c:\WINDOWS\system32
  6. Restart the system.
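
The command sequence used in both procedures above can be prepared in advance on a clean machine. The following Python sketch is an added example, not part of the original Trend Micro write-up: it derives the compressed name for each detected file, checks it against a listing of the CD's I386 folder, and sets aside files that have no compressed copy there. The function names, sample paths and sample listing are constructed for illustration.

```python
import ntpath  # Windows path rules, so this also runs on a non-Windows machine


def compressed_name(file_name):
    """EXPLORER.EXE -> EXPLORER.EX_ (last character replaced by an underscore)."""
    return file_name[:-1].upper() + "_"


def plan_restore(detected_paths, cd_drive, i386_listing):
    """Return (commands, unmatched) for the files reported by the scan.

    commands  - lines to type at the prompt, in order
    unmatched - detected paths with no compressed copy in I386; these need
                a backup or an installer instead
    """
    available = {name.upper() for name in i386_listing}
    commands = [cd_drive.rstrip(":\\") + ":", "CD I386"]
    unmatched, seen = [], set()
    for path in detected_paths:
        folder, name = ntpath.split(path.strip())
        source = compressed_name(name) if name else ""
        if not folder or source not in available:
            unmatched.append(path)
            continue
        key = (source, folder.lower())
        if key in seen:  # same file reported twice by the scan
            continue
        seen.add(key)
        commands.append("Expand {} {}".format(source, folder))
    return commands, unmatched


# Constructed sample input, not taken from a real scan log or CD.
DETECTED = [
    r"c:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\System32\SVCHOST.EXE",
    r"c:\WINDOWS\explorer.exe",
    r"c:\Program Files\Example\tool.exe",
]
I386 = ["EXPLORER.EX_", "SVCHOST.EX_", "WINLOGON.EX_"]

if __name__ == "__main__":
    cmds, manual = plan_restore(DETECTED, "D", I386)
    print("\n".join(cmds))
    for path in manual:
        print("restore from backup or installer:", path)
```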


