Rescue Disk

The Trend Micro Rescue Disk is a free tool that allows you to use a CD, DVD, or USB drive to examine your computer without launching Microsoft Windows. It finds and removes persistent or difficult-to-clean security threats that can lurk deep within your operating system.

More details on this free tool are available here. Below are steps to help you run this free tool in VMWare:

NOTE: Trend Micro Rescue Disk does not work on the following:

  • -RAID storage set-up
  • -SCSI connected HDD
  1. In VMWare Menu Bars select VM then Settings.

  2. In Hardware tab, select CD/DVD then choose Use ISO image file. Browse for Trend Micro Rescue Disk ISO. Make sure Connected and Connect at power on are checked.

  3. Restart your VMWare Workstation then press F2 to enter SETUP. Set it to boot on CD-ROM Drive.

  4. Reboot your VMWare Workstation. Your Workstation should now boot on Trend Micro’s Rescue Disk.

  5. In the main menu, select option [3] Advanced Options then [1] MBR Cleanup. To clean your MBR choose [Yes].

  6. After cleanup, press Enter to restart your Workstation.

  7. To scan your Workstation and remove possible threats, from the main menu select option [1] Remove Threats. Choose between [1] Quick Scan or [2] Full Scan.



  8. Once scan is complete, choose the first option (as seen below):

  9. Restart the Workstation in normal mode.

Note: Perform the remaining steps below ONLY if there are still unclean files or remnants of PE_XPAJ left

  1. Copy pe_xpaj-cleantool-32bit-vsapi9716.com to the local drive (C:\):

    pe_xpaj-cleantool-32bit-vsapi9716.com - for 32bit machines
    pe_xpaj-cleantool-64bit-vsapi9716.com - for 64bit machines

  2. Run scan using pe_xpaj-cleantool-32bit-vsapi9716.com
  3. The window for the scan closes once the scan is finished.

To know if cleanup is successful:

  1. Check the Windows folder for {Random File name}.{random extension}, e.g. (example: C:\WINDOWS\adfs.msp).
  2. Use IPCONFIG /DISPLAYDNS to check for XPAJ DNS related queries, you can export the results to Notepad to see if there are unknown/XPAJ queries.

You may download the PE_XPAJ tool from the following Trend Micro link:

You may use the following credentials when downloading the tool:

  • User name: ftpuser
  • Password: tmftp-s3cured