
Worm Downad.ad, Help needed for removal



#1 Wajeeh Rahman


Posted 10 February 2011 - 02:12 AM

Dear Experts

I have Trend Micro WFBS 5x Advanced. Recently my Windows 2003 SP2 Enterprise Server got infected with worm.downad.ad.

Now the Client Server Agent of Trend Micro shows me the last threat found as worm.downad.ad, and the real-time scan status shows the number of infected files as 2, but which files they are I don't know, and how to see them and take action on them I don't know.

I scanned using Malwarebytes, HouseCall and HijackThis, but with no success. I have now installed the MS patch 08-067, but I need to know from you: if the CSA of Trend Micro is showing me the last threat detected and the worm name, does this mean that my computer is safe and the file is not spreading? In other words, how can I now confirm that my server is not affected by the mentioned worm?

Awaiting your reply.

Sincerely,
Wajeeh Rahman
Jeddah, Saudi Arabia



Edited by Wajeeh Rahman, 10 February 2011 - 02:13 AM.



 


#2 myrti


Posted 10 February 2011 - 05:01 PM

Hi,

I take it this is a business computer?

If so, I strongly recommend you ask your IT support/network administrator to fix this. After all, they are paid to do so.

I ask this for several reasons:
  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  • Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.
  • There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for lawsuits.
  • Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  • The cost of replacing missing Windows XP and MS Office CDs and getting a Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  • In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 Wajeeh Rahman


Posted 12 February 2011 - 12:15 PM

Dear Myrti,

Thank you for your reply, but this server has no confidential information; it is only acting as a DHCP server in my network, with no other roles. So, please let me know the steps for removal. I don't know, if Trend Micro CSA is showing 2 files infected, does this mean that it is holding the infected files and not allowing them to move further in my network?

Awaiting your reply.

Regards,
Wajeeh

#4 myrti


Posted 13 February 2011 - 10:54 AM

Hi,

The utilities we use will frequently need to reboot your server. In addition, until we are sure that the infection is contained, can you cut it off the network, or does it have to be running at all times?

Please run a scan with OTL then:
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards myrti



#5 myrti


Posted 13 March 2011 - 05:07 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
