Removing WORM_DOWNAD.AD from Windows 2000 Server SP4

For the last week I have been trying to get rid of the WORM_DOWNAD.AD off of a Windows Server 2000 with SP4.  I have installed the Microsoft Security Patch (MS06-040: Vulnerability in Server service could allow remote code execution).  Our main anti-virus scan is TrendMicro OfficeScan 7.3  it finds and deletes the files replicated by the worm, however, it ONLY identifies the WORM itself which is giving itself a name of gkdf.dll in the System32/directory  when attempting to see this file it is invisible.  

I have to turn off the local DNS client service in order to go to security sites.  I download Malware Bytes and it finds and deletes the replicated files and does not see the main WORM .dll file.

I am able to reboot into safe mode

I have tried doing the Trend Micro manual thing but it does not work.

Anyone out there with success removing the WORM_DOWNAD.AD virus  specifically from a Windows 2000 Server?  Any direction will be a great help.
JerseyGuyITAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
optomaConnect With a Mentor Commented:
This also may help
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_23940558.html

Check out Xmachines post at the end
0
 
Jason WatkinsIT Project LeaderCommented:
Hi,

on a separate computer, place the name of the worm into Google and run a search.

Disable all start-up items, except the necessary Microsoft services.

Pay a visit to Symantec's web-site and search their database. They often have very detailed removal instructions for free.

It is safe to declare this machine compromised. Your time may be better spent, backing up all data and rebuilding the server.
0
All Courses

From novice to tech pro — start learning today.