Removing WORM_DOWNAD.AD from Windows 2000 Server SP4

Posted on 2009-12-17
Last Modified: 2013-12-05
For the last week I have been trying to get rid of WORM_DOWNAD.AD on a Windows 2000 Server with SP4. I have installed the Microsoft security patch (MS06-040: Vulnerability in Server service could allow remote code execution). Our main anti-virus scanner is Trend Micro OfficeScan 7.3; it finds and deletes the files replicated by the worm, however, it ONLY identifies the worm itself, which is giving itself the name gkdf.dll in the System32 directory. When attempting to see this file, it is invisible.

I have to turn off the local DNS Client service in order to go to security sites. I downloaded Malwarebytes and it finds and deletes the replicated files but does not see the main worm .dll file.

I am able to reboot into safe mode.

I have tried doing the Trend Micro manual removal but it does not work.

Anyone out there with success removing the WORM_DOWNAD.AD virus, specifically from a Windows 2000 Server? Any direction will be a great help.
Question by:JerseyGuyIT
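The "invisible" gkdf.dll the question describes is the classic symptom of a file that is filtered out of directory enumeration while still being openable by its exact path. A cross-view check compares what the enumeration API reports against what a direct probe of each suspected name finds; any name the probe sees but the listing omits is being hidden. The example below is added here and is not code from the original question or from Trend Micro; it simulates the hooked enumeration with a filtered `os.listdir` in a temporary directory (constructed sample files, not real system files) so it runs offline, and the candidate names and the `filtered_listdir` stand-in are assumptions for the demo.

```python
import os
import tempfile

# Constructed demo: a listing hook strips one name from enumeration
# (os.listdir -> FindFirstFile/FindNextFile on Windows) while the file
# stays reachable by direct path (os.stat -> GetFileAttributes/CreateFile).
# The hidden name mirrors the one reported in the question; the hook is
# simulated here, not a real rootkit.
HIDDEN_NAME = "gkdf.dll"


def cross_view_hidden(directory, candidates, list_view=os.listdir):
    """Return the candidate names that exist on disk but are missing from
    the directory listing. `list_view` is injectable so the enumeration
    path under test can be swapped (hooked vs. clean)."""
    listed = set(list_view(directory))
    hidden = set()
    for name in candidates:
        try:
            os.stat(os.path.join(directory, name))   # direct probe by path
        except OSError:
            continue                                  # genuinely absent
        if name not in listed:
            hidden.add(name)                          # present, but not enumerated
    return sorted(hidden)


def filtered_listdir(directory):
    """Stand-in for a hooked enumeration API that drops the worm's filename."""
    return [n for n in os.listdir(directory) if n != HIDDEN_NAME]


def demo():
    """Build a scratch 'System32', run the check through a clean listing and
    through the simulated hook, and return both results."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("kernel32.dll", "user32.dll", HIDDEN_NAME):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\x00")
        # Candidate names would normally come from the AV detection log;
        # "nothere.dll" shows that a truly absent name is not reported.
        candidates = ["kernel32.dll", "user32.dll", HIDDEN_NAME, "nothere.dll"]
        clean = cross_view_hidden(d, candidates)                    # nothing hidden
        hooked = cross_view_hidden(d, candidates, filtered_listdir)  # gkdf.dll hidden
        return clean, hooked


if __name__ == "__main__":
    print(demo())
```

On a live host the candidate list is the set of filenames the scanner reports (here gkdf.dll), run against the real System32 directory from the running system and again from safe mode or an offline boot; a name that shows up only in the direct probe confirms active hiding. The caveat a responder would add: a hook that covers both the enumeration and the open path defeats this check, which is why a confirmed hidden component is usually treated as grounds to rebuild rather than clean.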
    LVL 27

    Expert Comment

    by:Jason Watkins

On a separate computer, place the name of the worm into Google and run a search.

    Disable all start-up items, except the necessary Microsoft services.

    Pay a visit to Symantec's web-site and search their database. They often have very detailed removal instructions for free.

It is safe to declare this machine compromised. Your time may be better spent backing up all data and rebuilding the server.
    LVL 22

    Accepted Solution

    This also may help

    Check out Xmachines post at the end
