Help my pc has worm_downad.ah

**thugs_07** · 01-14-2009, 10:30 AM

Guys need help my pc has this worm_downad.ah virus.My antivirus is trend micro office scan. When i scan the whole pc 0 detected will display after scanning but every now and then it will prompt the virus. I tried AVG and still problem still occurs. Help.....

**sactus** · 01-14-2009, 12:59 PM

try to system restore bro, pilia tong time nga wa pa mi-occur ang problem.
after that, run combofix...

**thugs_07** · 01-14-2009, 03:12 PM

Originally Posted by sactus

try to system restore bro, pilia tong time nga wa pa mi-occur ang problem.
after that, run combofix...

Ok i'll try but i have to consult the IS first. Thanks for the suggestion

**SHADOW_LUDWIG** · 01-15-2009, 01:41 AM

if naa gihapon..
pag gamit og kaspersky na anti virus.. ayaw nah trend micro..... bati kaayo nah.. wala nay klaro..
iv been using kaspersky for 3yrs wala jud koy problem in terms of virus, worms...

**Dondon** · 01-15-2009, 01:53 AM

Sus, mao gyud na problema namo rn, downadup. Grrr.

**thugs_07** · 01-16-2009, 02:39 PM

Na resolve na ang akong problema gmanual lang ug remove sa among IS sa registry hehehehe

**ChaosOrb** · 01-16-2009, 02:51 PM

hehe, naigo diay ka ug virus don? How come?

**rockford_fosgate09** · 01-16-2009, 06:42 PM

asa na under sa registry e removed? ty

**SmaRkieS** · 01-16-2009, 07:51 PM

a.k.a Confliker.worm

Characteristics

When executed, the worm copies itself using a random name to the %Sysdir% folder.

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)

It modifies the following registry key to create a randomly-named service on the affected syetem:

* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\{random}\Parameters\"ServiceDll" = "Path to worm"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs

Attempts connections to one or more of the following websites to obtain the public ip address of the affected computer.

* hxxp://www.getmyip.org
* hxxp://getmyip.co.uk
* hxxp://checkip.dyndns.org
* hxxp://whatsmyipaddress.com

Attempts to download a malware file from the remote website: (Rogue Russian site is up but not serving file anymore)

* hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe

Starts a HTTP server on a random port on the infected machine to host a copy of the worm.

Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the http server and download a copy of the worm.

Later variants of w32/Conficker.worm are using scheduled tasks and Autorun.inf file to replicate on to non vulnerable systems or to reinfect previously infected systems after they have been cleaned.

Symptoms:

This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

Users being locked out of directory

Access to admin shares denied

Scheduled tasks being created

Access to security related web sites is blocked.

Method of infection:

This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate.

Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.

Upon detection of this worm the system should be rebooted to clean memory correctly. May require more that one reboot.

Scheduled tasks have been seen to be created on the system to re-activate the worm.

Autorun.inf files have been seen to be used to re-activate the worm.

Solutions:

Download: CCleaner
|MG| CCleaner Slim (No Toolbar) 2.15.815
CCleaner - Home
Once installed, run CCleaner click the Windows tab

Select the following:
Internet Explorer:
Temp Internet
History
Recently Typed URLs
Delete Index.dat files

System:
Empty Recycle Bin
Temporary Files
Memory Dumps
Chkdsk File Fragments
Old Prefetch Data

Next: click Options click the Settings tab
Uncheck: "Only delete files older than 48 hrs.", click Ok

Then click Run Cleaner (bottom right) then Exit
Reboot

Please download Malwarebytes' Anti-Malware:
http://www.spywarefri.dk/downloads1/mbam-setup.exe

Or here:
Malwarebytes' Anti-Malware - Free software downloads and reviews - CNET Download.com

to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch

Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Please connect all your external hard drive/flash drive before running Malwarebyte

Once the program has loaded, select Perform full scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

Other solutions:

Combofix

**cliff_drew** · 01-22-2009, 10:31 AM

Originally Posted by Dondon

Sus, mao gyud na problema namo rn, downadup. Grrr.

... and you are one of the 3 million users infected by this worm.

Have you fix this already?

Worm infects over three million PCs since New Year

Thread: Help my pc has worm_downad.ah

Thread Tools

Search Thread