Solved

At1.job and Associated Malware

Posted on 2011-09-09
9
2,003 Views
Last Modified: 2013-12-09
Plaform Windows 2008 Server Service Pack 2
Worry Free Business Security Version 7

Recently my client always have the Trend Micro ICOn showing required restart. And notification always shown lots of virus detected. But either being resolved of clean.
Even my servers was affected.
Can someone advise me how to clean up this malware.
Have attached a logs on the detection.
 Malware Detected
0
Comment
Question by:wchoonhei
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 13

Expert Comment

by:khairil
ID: 36509517
Hi,

It is in your task scheduler but the real one that writing the task and do monitoring is in memory.

You can use tools, process monitor from sysinternal to kill the in memory culprit and use autorun to remove it from startup and task scheduler.
0
 
LVL 13

Expert Comment

by:khairil
ID: 36509520
Do the restart and scan the virus in safe mode.
0
 

Author Comment

by:wchoonhei
ID: 36510563
How do i use the Tools mention? Can you be more specifiec? My computer knowledge is not good. Just a Normal user.

I restart in safe mode but the Trend micro doen't work.
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 
LVL 13

Expert Comment

by:khairil
ID: 36516321
Hi,

Yup that tools require some IT knowledge. At1.job can be generated by more than one viruses, here is some of them:

1. AutoIT
2. Brontok.i
3. Nuqel
4. Vundo
5. Kido

Kido or confiker is nasty.

There are some cleaning up tools available on the net, like this one for confiker by sophos, http://www.sophos.com/support/knowledgebase/article/51169.html

However, cleaning up is one part, the other part is to make sure your system full patch. Without patching, virus from other computer can simple enter your. It will be quite a challenge as you need to connect to internet to download patches and the virus attack your computer when they found you connected to the network.

So, try download all the tools suspected for the viruses. run it in safe mode to clean the computer. Try download any critical security update and run it on the affected computer. Once you got all critical update patch then run in normal mode, connect to internet and run full update.

I not so sure if Trend cannot run in safe mode, it should. If it can't then you might want to look other AV as well.

If you cannot do it by yourself, then better bring it to the experts. It will worth your money and time and also your precious data. Make sure you backup your data first before sending it to them, and ask them too to backup your data (just in case). Make sure your copy all things in my documents, outlook pst file (if you are using outlook), your IE favourites and any other file you feel important.

In wrost cases, they might suggest to format your computer, so you need to supply them with cd drivers or other cd that comes with your computer.
0
 

Author Comment

by:wchoonhei
ID: 36518978
Does any one familiar with the trend micro worry free version 7? On the client or the server that I can enable the safe mode scanning . Or does it support this function ?
0
 
LVL 13

Expert Comment

by:khairil
ID: 36520807
You can try use command line of TM when running in safe mode, but for Worry Free, I do not know the executeble files. For Trend Micro OfficeScan in safe mode, you will have to use command lined based scanning. Logon using safemode, then open a command prompt, navigate to your trend micro folder and run VSCANWIN32. This will show you a few command line switches you can use. Use VSCANWIN32 /S C: for C drive. The executables might be different for Worry Free.

You still can use some of other antivirus  as well, here is shareware version of free malwarebytes, http://www.majorgeeks.com/Malwarebyte's_Anti-Malware_d5756.html, id done job fine in most cases when other AV cannot function well.

There are some advanced steps but I tried not go get to that first, like scanning for the rootkit, because it requires some advanced knowledge of your computer and the application. Tried step above first.
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 36532142
You could also use Trend Micro System Cleaner to clean the system. Below are the details

http://esupport.trendmicro.com/solution/en-us/1057836.aspx

Sudeep
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 36532151
The above is not designed to work with the server family though. So you may need other tools to run on servers, however you could run it on Client OS
0
 
LVL 30

Accepted Solution

by:
Sudeep Sharma earned 500 total points
ID: 36532216
Below are the details from Trend on its behaviour and removal instructions

http://about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_DOWNAD.AD

Below is tools designed by them to remove it

http://www.trendmicro.com/ftp/products/pattern/spyware/fixtool/SysClean-WORM_DOWNAD.zip
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question