Solved

At1.job and Associated Malware

Posted on 2011-09-09
Medium Priority
2,027 Views
Last Modified: 2013-12-09
Platform: Windows 2008 Server Service Pack 2
Worry-Free Business Security Version 7

Recently my client always has the Trend Micro icon showing that a restart is required, and the notification always shows lots of viruses detected, but none are being resolved or cleaned.
Even my servers were affected.
Can someone advise me how to clean up this malware?
I have attached a log of the detection.
Attachment: Malware Detected
Question by: wchoonhei
9 Comments
 
LVL 13

Expert Comment

by:khairil
ID: 36509517
Hi,

It is in your Task Scheduler, but the real one that writes the task and does the monitoring is in memory.

You can use tools: Process Monitor from Sysinternals to kill the in-memory culprit, and Autoruns to remove it from startup and the Task Scheduler.
0
 
LVL 13

Expert Comment

by:khairil
ID: 36509520
Do the restart and scan for the virus in safe mode.
0
 

Author Comment

by:wchoonhei
ID: 36510563
How do I use the tools mentioned? Can you be more specific? My computer knowledge is not good; I am just a normal user.

I restarted in safe mode, but Trend Micro doesn't work.
0
 
LVL 13

Expert Comment

by:khairil
ID: 36516321
Hi,

Yup, those tools require some IT knowledge. At1.job can be generated by more than one virus; here are some of them:

1. AutoIT
2. Brontok.i
3. Nuqel
4. Vundo
5. Kido

Kido or Conficker is nasty.

There are some cleanup tools available on the net, like this one for Conficker by Sophos: http://www.sophos.com/support/knowledgebase/article/51169.html

However, cleaning up is one part; the other part is to make sure your system is fully patched. Without patching, a virus from another computer can simply enter yours. It will be quite a challenge, as you need to connect to the internet to download patches, and the virus attacks your computer when it finds you connected to the network.

So, try downloading all the tools for the suspected viruses. Run them in safe mode to clean the computer. Try downloading any critical security updates and running them on the affected computer. Once you have all the critical update patches, run in normal mode, connect to the internet and run a full update.

I am not so sure that Trend cannot run in safe mode; it should. If it can't, then you might want to look at other AVs as well.

If you cannot do it by yourself, then it is better to bring it to the experts. It will be worth your money and time, and also your precious data. Make sure you back up your data first before sending it to them, and ask them to back up your data too (just in case). Make sure you copy everything in My Documents, the Outlook PST file (if you are using Outlook), your IE favourites and any other files you feel are important.

In the worst case, they might suggest formatting your computer, so you need to supply them with the driver CDs or other CDs that came with your computer.
0
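Added example, not from the thread: a read-only PowerShell triage script covering the two points khairil raises above, the At*.job files and Task Scheduler entries that the memory-resident component keeps recreating, and whether the patch Conficker/Kido spreads through is installed. It assumes PowerShell 2.0 on Windows Server 2008 (no Get-ScheduledTask cmdlet, so schtasks.exe is parsed instead); KB958644 (MS08-067) is my identification of that patch, not a value taken from the thread.

```powershell
# Added triage script (not from the thread). Assumes PowerShell 2.0 on
# Windows Server 2008 or Vista-era clients, where Get-ScheduledTask does
# not exist, so scheduled tasks are read through schtasks.exe.
# Run as Administrator. It only reads and reports; it changes nothing.

$tasksDir = Join-Path $env:SystemRoot 'Tasks'

# 1. Legacy AT-style job files. Because the in-memory component re-creates
#    them, the timestamps show how recently it was active.
Write-Host "== At*.job files in $tasksDir =="
Get-ChildItem -Path $tasksDir -Filter 'At*.job' -ErrorAction SilentlyContinue |
    Select-Object Name, Length, CreationTime, LastWriteTime |
    Format-Table -AutoSize

# 2. The same tasks as Task Scheduler sees them, including the command each
#    one runs. schtasks may repeat its CSV header per task folder; those
#    rows fail the TaskName filter below and drop out.
Write-Host "== Scheduled tasks named At<N> =="
$tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv
$tasks | Where-Object { $_.TaskName -match '(^|\\)At\d+$' } |
    Select-Object TaskName, 'Task To Run', 'Run As User', 'Last Run Time', Status |
    Format-List

# 3. Patch state. KB958644 (MS08-067) is an assumption of this script,
#    not a value from the thread.
Write-Host "== MS08-067 (KB958644) =="
$fix = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $_.HotFixID -eq 'KB958644' }
if ($fix) { Write-Host "Installed on $($fix.InstalledOn)" }
else      { Write-Host 'NOT FOUND: patch offline before reconnecting to the network' }
```

Any At<N> task whose "Task To Run" points at rundll32 loading a DLL from a temp or system directory, together with a missing KB958644, is the combination the thread's later comments attribute to WORM_DOWNAD.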
 

Author Comment

by:wchoonhei
ID: 36518978
Is anyone familiar with Trend Micro Worry-Free version 7? Is there somewhere on the client or the server where I can enable safe-mode scanning, or does it not support this function?
0
 
LVL 13

Expert Comment

by:khairil
ID: 36520807
You can try using the command line of TM when running in safe mode, but for Worry-Free I do not know the executable files. For Trend Micro OfficeScan in safe mode, you will have to use command-line based scanning. Log on in safe mode, then open a command prompt, navigate to your Trend Micro folder and run VSCANWIN32. This will show you a few command-line switches you can use. Use VSCANWIN32 /S C: for the C drive. The executables might be different for Worry-Free.

You can still use some other antivirus as well; here is the shareware version of the free Malwarebytes, http://www.majorgeeks.com/Malwarebyte's_Anti-Malware_d5756.html, which has done the job fine in most cases when other AVs cannot function well.

There are some advanced steps, like scanning for rootkits, but I tried not to go to that first, because it requires some advanced knowledge of your computer and the application. Try the steps above first.
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 36532142
You could also use Trend Micro System Cleaner to clean the system. Below are the details:

http://esupport.trendmicro.com/solution/en-us/1057836.aspx

Sudeep
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 36532151
The above is not designed to work with the server family, though, so you may need other tools to run on servers; however, you could run it on a client OS.
0
 
LVL 30

Accepted Solution

by: Sudeep Sharma (earned 2000 total points)
ID: 36532216
Below are the details from Trend on its behaviour and removal instructions:

http://about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_DOWNAD.AD

Below is the tool designed by them to remove it:

http://www.trendmicro.com/ftp/products/pattern/spyware/fixtool/SysClean-WORM_DOWNAD.zip
0
