
At1.job and Associated Malware

Posted on 2011-09-09
1,960 Views
Last Modified: 2013-12-09
Platform: Windows 2008 Server Service Pack 2
Worry-Free Business Security Version 7

Recently my clients always have the Trend Micro icon showing that a restart is required, and the notification always shows lots of viruses detected, but none are being resolved or cleaned.
Even my servers were affected.
Can someone advise me how to clean up this malware?
I have attached the logs of the detection.
Malware Detected
Question by:wchoonhei
9 Comments
 
LVL 13

Expert Comment

by:khairil
ID: 36509517
Hi,

It is in your task scheduler, but the real one that writes the task and does the monitoring is in memory.

You can use tools such as Process Monitor from Sysinternals to kill the in-memory culprit, and use Autoruns to remove it from startup and the task scheduler.
0
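A defender-side way to do the inventory described above (list the At&lt;N&gt; jobs both on disk and in Task Scheduler, then optionally clear them) is the PowerShell below. It is an added example, not code from the thread or from Trend Micro; it assumes an elevated prompt on a Windows Server 2008-era host where AT jobs are stored as At&lt;N&gt;.job under %SystemRoot%\Tasks, and the `-Remove` switch is an assumption of this example.

```powershell
# Added example (not from the thread): inventory AT-style scheduled jobs on a Windows host.
# Assumes an elevated prompt and the legacy Tasks folder %SystemRoot%\Tasks (Windows Server 2008 / Vista era).
param([switch]$Remove)   # -Remove deletes the matched jobs after listing them; default is report-only

$tasksDir = Join-Path $env:SystemRoot 'Tasks'
$sha256   = [System.Security.Cryptography.SHA256]::Create()

# 1. On-disk view: legacy At<N>.job files, with timestamps and a hash you can look up against vendor data later.
$jobs = @(Get-ChildItem -Path $tasksDir -Filter 'At*.job' -ErrorAction SilentlyContinue)
foreach ($job in $jobs) {
    $bytes = [System.IO.File]::ReadAllBytes($job.FullName)
    $hash  = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    "{0,-12} created {1:u}  modified {2:u}  sha256 {3}" -f $job.Name, $job.CreationTime, $job.LastWriteTime, $hash
}
if ($jobs.Count -eq 0) { "No At*.job files found in $tasksDir" }

# 2. Scheduler view: ask schtasks for every task and keep only names of the form At<number>
#    (shown as "\At1" on Vista-era hosts). Repeated CSV header rows, if any, simply fail the regex.
$rows    = schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv
$atTasks = @($rows | Where-Object { $_.TaskName -match '^\\?At\d+$' })
foreach ($t in $atTasks) {
    "{0,-12} runs: {1}   next run: {2}" -f $t.TaskName, $t.'Task To Run', $t.'Next Run Time'
}
if ($atTasks.Count -eq 0) { 'Task Scheduler reports no At<N> tasks' }

# 3. Optional removal, mirroring the advice to clear the job from the scheduler. Kill the process that
#    re-creates the job first (see the comment above), or the entry will simply come back.
if ($Remove) {
    foreach ($t in $atTasks) { schtasks.exe /Delete /TN $t.TaskName /F }
    foreach ($job in $jobs)  { Remove-Item -Path $job.FullName -Force -ErrorAction SilentlyContinue }
}
```

Run it once without `-Remove` and keep the printed hashes and "Task To Run" values with the incident notes before cleaning, so the removal can be verified against a second run.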
 
LVL 13

Expert Comment

by:khairil
ID: 36509520
Do the restart and scan for the virus in safe mode.
0
 

Author Comment

by:wchoonhei
ID: 36510563
How do I use the tools mentioned? Can you be more specific? My computer knowledge is not good. I am just a normal user.

I restarted in safe mode, but Trend Micro doesn't work.
0
 
LVL 13

Expert Comment

by:khairil
ID: 36516321
Hi,

Yup, those tools require some IT knowledge. At1.job can be generated by more than one virus; here are some of them:

1. AutoIT
2. Brontok.i
3. Nuqel
4. Vundo
5. Kido

Kido or Conficker is nasty.

There are some clean-up tools available on the net, like this one for Conficker by Sophos: http://www.sophos.com/support/knowledgebase/article/51169.html

However, cleaning up is one part; the other part is to make sure your system is fully patched. Without patching, the virus from other computers can simply enter yours. It will be quite a challenge, as you need to connect to the internet to download patches, and the virus attacks your computer when it finds you connected to the network.

So, try to download all the tools for the suspected viruses and run them in safe mode to clean the computer. Try to download any critical security updates and run them on the affected computer. Once you have all the critical update patches, run in normal mode, connect to the internet and run a full update.

I am not so sure that Trend cannot run in safe mode; it should. If it can't, then you might want to look at other AVs as well.

If you cannot do it by yourself, then it is better to bring it to the experts. It will be worth your money and time, and also your precious data. Make sure you back up your data first before sending it to them, and ask them to back up your data too (just in case). Make sure you copy everything in My Documents, your Outlook PST file (if you are using Outlook), your IE favourites and any other files you feel are important.

In the worst case, they might suggest formatting your computer, so you need to supply them with the driver CDs or other CDs that came with your computer.
0
 

Author Comment

by:wchoonhei
ID: 36518978
Is anyone familiar with Trend Micro Worry-Free version 7? On the client or the server, can I enable safe mode scanning? Or does it support this function at all?
0
 
LVL 13

Expert Comment

by:khairil
ID: 36520807
You can try using the command line of TM when running in safe mode, but for Worry-Free I do not know the executable files. For Trend Micro OfficeScan in safe mode, you will have to use command-line based scanning. Log on in safe mode, then open a command prompt, navigate to your Trend Micro folder and run VSCANWIN32. This will show you a few command-line switches you can use. Use VSCANWIN32 /S C: for the C drive. The executables might be different for Worry-Free.

You can still use some other antivirus as well; here is the shareware version of the free Malwarebytes: http://www.majorgeeks.com/Malwarebyte's_Anti-Malware_d5756.html. It has done the job fine in most cases when other AVs cannot function well.

There are some advanced steps, such as scanning for rootkits, but I tried not to get to those first, because they require some advanced knowledge of your computer and the application. Try the steps above first.
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 36532142
You could also use Trend Micro System Cleaner to clean the system. Below are the details:

http://esupport.trendmicro.com/solution/en-us/1057836.aspx

Sudeep
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 36532151
The above is not designed to work with the server family, though, so you may need other tools to run on servers; however, you could run it on client OSes.
0
 
LVL 29

Accepted Solution

by:Sudeep Sharma (earned 500 total points)
ID: 36532216
Below are the details from Trend on its behaviour and the removal instructions:

http://about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_DOWNAD.AD

Below is the tool designed by them to remove it:

http://www.trendmicro.com/ftp/products/pattern/spyware/fixtool/SysClean-WORM_DOWNAD.zip
0
