
Network WORM.. Mal_DownadJ / WORM_DOWNAD.AD



#1 jminnebo

Posted 03 May 2013 - 08:31 AM

Hello,

First of all I would like to say thanks for reading and trying to help me out here. We are having a problem at a customer: Trend Micro keeps giving popups to reboot to finish cleaning the computer. When you press reboot and the computer is ready to use again, after 5 minutes you get the same popup.

I've done some research about this worm, and tried cleaning it with Malwarebytes/ComboFix (which mostly does the trick), but sadly the popup won't disappear and the problem persists.

A few days back I found this tool http://www.bdtools.net/ -> deploy from Domain Controller, success on every machine in the network. I was feeling lucky, but it didn't work either.

I've used the approach that is listed on the website of Trend Micro -> force manual update, schedule custom scan, ... no go. I also used their secondary method with SysClean (also no go :/).

I think the main problem is because the company is rather large (+/- 150 clients in 5 offices, +/- 25 virtual servers, all connected to each other over VPN). I think the problem is that when I clean one PC and reboot, after 15 to 30 min you get the message again. So could it be that by the time I clean it, the worm has already nested itself again?

At this time when I check the dashboard of Trend Micro I see 44523 entries of Mal_DownadJ and WORM_DOWNAD.AD.

What approach could I try to kill the worm?

Thanks in advance

Best regards

#2 Broni

Posted 03 May 2013 - 03:59 PM

What's the file name and location detected by Trend?

#3 jminnebo

Posted 04 May 2013 - 01:55 PM

2/05/2013 13:23:11 Mal_DownadJ  C:\WINDOWS\Tasks\At1.job
2/05/2013 13:22:49 WORM_DOWNAD.AD  C:\WINDOWS\System32\yjrlfjb.ug
but there are also DLL files, with randomly generated names

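A read-only triage script for cross-checking the two indicators named in the log above (an `At*.job` task in `C:\WINDOWS\Tasks` and a randomly named file in `System32`) on a single host. This is an added example, not a tool from the thread or from Trend Micro; the filename heuristic, the 30-day window and the extension allowlist are my own assumptions.

```powershell
# Added example: report (never delete) the two Downad indicators from the thread.
# Assumptions: run elevated on the affected host; PowerShell 2.0-compatible syntax
# so it works on the XP/2003-era systems the C:\WINDOWS\Tasks\At1.job path implies.
param(
    [int]$Days = 30,                                           # assumed lookback window
    [string]$Sys32 = (Join-Path $env:SystemRoot 'System32'),
    [string]$Tasks = (Join-Path $env:SystemRoot 'Tasks')
)
$since = (Get-Date).AddDays(-$Days)
# Extensions that legitimately live in System32 (assumed allowlist); a short,
# all-lowercase name with any other extension (e.g. yjrlfjb.ug) is worth a look.
$knownExt = 'dll','exe','sys','ocx','cpl','drv','scr','msc','nls','ax','tlb','mui',
            'dat','ini','log','xml','txt','com','acm','ime','tsp','inf','hlp','chm',
            'cat','mof','mfl','vbs','js','bat','cmd','wav','bmp','ico','cur','ani'
$findings = @()

# Indicator 1: scheduled tasks created with at.exe (the Mal_DownadJ hit was At1.job).
Get-ChildItem -Path $Tasks -Filter 'At*.job' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += New-Object PSObject -Property @{
        Indicator = 'At job'
        Path      = $_.FullName
        Created   = $_.CreationTime
        Modified  = $_.LastWriteTime
        Note      = 'Compare with output of: schtasks /query /v'
    }
}

# Indicator 2: recently created System32 files with random-looking names.
Get-ChildItem -Path $Sys32 -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and
        $_.CreationTime -ge $since -and
        $_.Name -match '^[a-z]{5,9}\.[a-z]{2,3}$' -and
        $knownExt -notcontains $_.Extension.TrimStart('.').ToLower()
    } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName   # unsigned is expected for malware
        $findings += New-Object PSObject -Property @{
            Indicator = 'Random-name System32 file'
            Path      = $_.FullName
            Created   = $_.CreationTime
            Modified  = $_.LastWriteTime
            Note      = "Authenticode status: $($sig.Status)"
        }
    }

# Oldest first: the earliest creation time hints at which host/file came first.
$findings | Sort-Object Created | Format-Table Indicator, Created, Modified, Path, Note -AutoSize
```

The creation timestamps are the useful part: run it on a freshly cleaned machine a few minutes after reboot and a new `At*.job` or System32 file dated after the cleanup confirms reinfection from the network rather than an incomplete clean.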
#4 Broni

Posted 04 May 2013 - 02:18 PM

Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size

Click Go and post the result.

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Download Malwarebytes Anti-Rootkit from HERE to your Desktop.
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt


NOTE. Make sure all logs are pasted not attached.