JerseyGuyIT asked:

Removing WORM_DOWNAD.AD from Windows 2000 Server SP4

For the last week I have been trying to get rid of the WORM_DOWNAD.AD off of a Windows Server 2000 with SP4. I have installed the Microsoft Security Patch (MS06-040: Vulnerability in Server service could allow remote code execution). Our main anti-virus scan is Trend Micro OfficeScan 7.3; it finds and deletes the files replicated by the worm, however, it ONLY identifies the WORM itself, which is giving itself a name of gkdf.dll in the System32 directory. When attempting to see this file, it is invisible.

I have to turn off the local DNS client service in order to go to security sites. I downloaded Malwarebytes, and it finds and deletes the replicated files and does not see the main WORM .dll file.

I am able to reboot into safe mode.

I have tried doing the Trend Micro manual thing but it does not work.

Anyone out there with success removing the WORM_DOWNAD.AD virus specifically from a Windows 2000 Server? Any direction will be a great help.

Jason Watkins

Hi,

On a separate computer, place the name of the worm into Google and run a search.

Disable all start-up items, except the necessary Microsoft services.

Pay a visit to Symantec's website and search their database. They often have very detailed removal instructions for free.

It is safe to declare this machine compromised. Your time may be better spent backing up all data and rebuilding the server.
ASKER CERTIFIED SOLUTION
optoma
