Overall Risk Level: 
W32.Downadup is a worm that kills antivirus programs and blocks infected computers from visiting security websites. It spreads to other hosts on the network by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067), and copies itself to local and network drives. W32.Downadup also creates its own Windows service so that it is loaded each time Windows starts.
Alias:
Damage Level: High
Systems Affected: Windows
1. Download the Downadup removal tool and save it on the Desktop.
2. Double-click the downloaded file, choose "Extract all files…" from the File menu, and follow the wizard's instructions. You can use any other archiver, such as WinZip. This will create a folder called bd_rem_tool.
3. Double-click the file "bd_rem_tool_gui.exe" (or just "bd_rem_tool_gui"). Make sure that all files have been extracted from the zip archive, because all of its contents are required for the removal tool to run. Follow the tool's instructions.
4. If you have a restricted (non-Administrator) account on Windows Vista or XP, right-click the "bd_rem_tool_gui" program and choose "Run as Administrator" (on XP, "Run as…"). Enter the computer's Administrator username and password when prompted.
5. Reboot your computer when scanning is finished.
70 Responses for "W32.Downadup"
1. Temporarily disable System Restore (Windows Me/XP). [how to]
2. Update the virus definitions.
3. Reboot the computer in Safe Mode. [how to]
4. Run a full system scan and clean/delete all infected file(s).
5. Delete/modify any values added to the registry. [how to edit registry]
Navigate to and delete the following registry entry. The worm registers itself as a member of the netsvcs svchost group under a random service name, so the key name varies from machine to machine; check every service listed in the netsvcs group for a ServiceDll that points at the worm file:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM SERVICE NAME]\Parameters\"ServiceDll" = "[PATH OF WORM EXECUTABLE]"
6. Exit the registry editor and restart the computer.
7. To make sure the threat has been completely eliminated, carry out a full scan of your computer with up-to-date antivirus and antispyware software. An online virus scanner can also remove the worm without installing anything.
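The registry step above is the one most people in this thread get stuck on, because the service name is random. As an added example (not code from the page, BitDefender or Symantec), the following PowerShell script enumerates every service in the netsvcs group and flags those whose ServiceDll has no valid Authenticode signature; the assumption that legitimate netsvcs members are signed and the worm DLL is not is mine. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the original page or from BitDefender/Symantec:
# audit every service that svchost loads in the "netsvcs" group and flag the
# ones whose ServiceDll is unsigned. W32.Downadup registers its DLL as a netsvcs
# member under a random service name, so the exact key path differs from
# machine to machine; enumerating the group finds it without knowing the name.
# Assumption (mine): legitimate netsvcs members ship with a valid Authenticode
# signature and the worm DLL does not. Run from an elevated PowerShell.

$groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$members  = @((Get-ItemProperty -Path $groupKey -Name netsvcs).netsvcs)

$findings = foreach ($name in $members) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $svcKey)) { continue }       # the group lists names that need not exist

    $params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
    if (-not $params -or -not $params.ServiceDll) { continue }

    # Expand %SystemRoot% so the file can be opened.
    $dllPath = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)

    $status = 'missing'
    if (Test-Path -LiteralPath $dllPath) {
        # SignatureStatus values: Valid, NotSigned, HashMismatch, UnknownError, ...
        $status = (Get-AuthenticodeSignature -FilePath $dllPath).Status
    }

    [pscustomobject]@{
        Service    = $name
        Start      = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start  # 2 = Automatic
        ServiceDll = $dllPath
        Signature  = $status
        Suspicious = ($status -ne 'Valid')
    }
}

# Full audit, suspicious entries first.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Removing a confirmed entry is three steps (placeholders in angle brackets):
# delete the service key, take ownership of the hidden DLL (the worm sets
# permissions that block deletion, as later posts describe), then delete it.
#   Remove-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\<random name>' -Recurse
#   takeown /f 'C:\Windows\system32\<random name>.dll'
#   icacls 'C:\Windows\system32\<random name>.dll' /grant Administrators:F   # cacls on XP
#   Remove-Item -LiteralPath 'C:\Windows\system32\<random name>.dll' -Force
```

The "missing" status is worth a second look too: a netsvcs member whose DLL is gone is often one that antivirus already deleted while leaving the service key in place, which is why the alert keeps returning on reboot.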
Hi,
I tried this method for removing the w32.downadup worm, but the same alerts keep coming.
Try this one.
1. Download Malwarebytes' Anti-Malware (mbam-setup.exe) and save it on your Desktop.
2. After downloading, double-click mbam-setup.exe to install the application.
3. Follow the prompts and install with the "default" options only.
4. Before the installation completes, check the following prompts:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
5. Click "Finish." The program will run automatically and you will be prompted to update it before doing a scan. Please update.
6. Scan your computer thoroughly.
7. When scanning is finished, click "Show Results".
8. Make sure that all detected threats are checked, then click Remove Selected.
9. Restart your computer.
hi,
I already tried updating the Symantec antivirus to the November 24th definitions and ran a full scan, but it can't find the worm.
I also can't find the registry entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters \"ServiceDll" = "[PATH OF WORM EXECUTABLE]"
Last, I tried installing Malwarebytes and updating it..
But the same alert still pops up.
Please help me..
Thank you.
CAN YOU GIVE AN EXPLANATION IN SPANISH PLEASE, THE TRUTH IS THIS ERROR IS GIVING ME TROUBLE..
From the problems I had, what happens is that even though the antivirus recognizes the threat, it doesn't fully disinfect it. Several places say to modify the registry, but the entry doesn't appear for me (fortunately I'm not the only one), so we must have it under a different entry… we'll have to wait, because the virus is still very new and isn't even a week old.
For now I'm checking every day until Symantec releases the removal tool.
Download and install the patch available from Microsoft(958644): microsoft.com/technet/security/Bulletin/MS08-067.mspx
> Go and check your Windows services and observe any unfamiliar services running; make sure you disable them.
I got 3 unfamiliar ones running, namely vzyeevv, xbmaoar and uweytn.
Run > type msconfig > Services
> Delete the following folders in regedit
HKEY_Local_Machine\System\CurrentControlSet\Services
> Delete the following entries at
HKEY_Local_Machine\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
GloballyOpenPorts\List
137:UDP:*:Enabled:@xpsp2res.dll,-22001
138:UDP:*:Enabled:@xpsp2res.dll,-22002
139:TCP:*:Enabled:@xpsp2res.dll,-22004
3389:TCP:*:Enabled:@xpsp2res.dll,-22009
445:TCP:*:Enabled:@xpsp2res.dll,-22005
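The values the post lists follow the format "port:protocol:scope:state:description". As an added example (not the poster's procedure and not vendor code), this PowerShell script lists the globally open ports in both firewall profiles and flags any port outside a short allow-list; the allow-list of 137/138/139/445/3389 is my assumption for a plain file-sharing/RDP workstation and should be adjusted to your environment. Run it elevated.

```powershell
# Added example, not from the original post: list the Windows Firewall
# "globally open ports" in every profile and flag any port that is not on a
# short allow-list. Conficker adds its own exception for a random TCP port, so
# the port number, not the description string, is the thing to look at.
# Assumption (mine): 137/138/139/445 (File and Printer Sharing) and 3389 (RDP)
# are the only exceptions expected on this box. Run from an elevated PowerShell.

$known = @(137, 138, 139, 445, 3389)
$base  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

$entries = foreach ($fwProfile in 'StandardProfile', 'DomainProfile') {
    $listKey = "$base\$fwProfile\GloballyOpenPorts\List"
    if (-not (Test-Path $listKey)) { continue }
    $props = Get-ItemProperty -Path $listKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSProvider, ... metadata
        # Value format: "<port>:<proto>:<scope>:<Enabled|Disabled>:<description>"
        $f = [string]$p.Value -split ':', 5
        if ($f.Count -lt 5) { continue }               # malformed value, leave it for manual review
        [pscustomobject]@{
            Profile     = $fwProfile
            ValueName   = $p.Name
            Port        = [int]$f[0]
            Protocol    = $f[1]
            Enabled     = ($f[3] -eq 'Enabled')
            Description = $f[4]
            Suspicious  = ([int]$f[0] -notin $known)
        }
    }
}

$entries | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# To remove a confirmed rogue exception (placeholder value name):
#   Remove-ItemProperty -Path "$base\StandardProfile\GloballyOpenPorts\List" -Name '<port>:TCP'
```

A rogue entry typically shows up as a single high TCP port with a description borrowed from a legitimate rule, so matching on the description alone would miss it.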
We have Symantec AntiVirus Corporate Edition with
Full Version: 8.1.0.825
License No.: 00140V-11CQ- 1112
License Type: Server/Client Gold (mfg only)
and updated up to today's date. When it scans it catches the virus, like W32.Downadup, but after 2 minutes it appears again, along with other viruses.
What can I do to remove it finally?
Please tell me what action to take for old or new viruses appearing.
Best reg.
Hodish
Yemen Dairy
Download Process Explorer (Sysinternals) and the MS patch (958644).
1. Kill the svchost process (image netsvcs) with Process Explorer. There are several svchost processes, so have a look in the "image" section (the one with the -netsvcs option must be killed).
2. Install the MS patch.
3. Update your antivirus.
4. Scan your hard drive (and above all C:\Documents and Settings and C:\Windows\System32) using your updated antivirus. It should find w32.downadup. There are 2 infected files (one *.jpg and one *.dll).
5. Reboot.
Most of our company PCs are infected with this type of worm.
Here are the steps that I used:
- certain services in msconfig are disabled
- turned off System Restore
- cleared all temp files
- ran a full scan using Symantec AntiVirus and Ad-Aware
- cleared all infected/quarantined files
- applied the Microsoft patch (958644)
The captured viruses were successfully cleared, but the problem is my PC's performance is getting slower. Anyone have any idea about this??
Thanks/
My Windows XP detected the virus W32.Downadup on my PC, so what can I do to protect my PC? I scanned with Norton Anti-Virus; it scanned everything but could not delete it all.
Please help my PC now.
Best reg.
Message from Symantec:
Developer notes:
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AG7D98FV\rnihr[1].jpg is detected and repaired by NAV. Please follow the instruction at the end of this email message to install the latest available definitions.
The current definitions are capable of detecting this virus. Please update your definitions by clicking the “LiveUpdate” button in your NAV program.
My comment:
Symantec AntiVirus Corporate Edition cannot totally heal or delete it. It cannot stop W32.Downadup. My real-time protection always detects it. Please help.
Even the following anti-virus system cannot heal or delete it totally:
AVG Anti-Virus 8.0 Free
Avira AntiVir Personal
Trend Micro Internet Security 2009
Kaspersky Internet Security 2009
only Symantec can heal it
Symantec currently WILL NOT heal it. It will only detect and remove the .dll file and the .jpg payload file. The virus remains in memory and will not be deleted. This is the same with eTrust by CA.
This is one stubborn PITA. If anyone can come up with a solution, please post it as soon as possible. This thing has to be rootkit based, but I cannot locate it.
I got hit by the w32.downadup virus. I have about 20 systems with XP and 2003 Server on which this virus resides.
I did all the Symantec updates; it still keeps coming up…..
please help……
1. Download Malwarebytes' Anti-Malware (mbam-setup.exe) and save it on your Desktop.
2. After downloading, double-click mbam-setup.exe to install the application.
3. Follow the prompts and install with the "default" options only.
4. Before the installation completes, check the following prompts:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
5. Click "Finish." The program will run automatically and you will be prompted to update it before doing a scan. Please update.
6. Scan your computer thoroughly.
7. When scanning is finished, click "Show Results".
8. Make sure that all detected threats are checked, then click Remove Selected.
9. Restart your computer.
Note: Some malware may prevent mbam-setup.exe from downloading and running. You can download and rename this program on a different computer before running it on the infected system.
I've got over 100 Windows XP machines and servers that are affected by this. It blocks access to security sites like avg.com, symantec.com, etc. It also blocks access to microsoft.com.
Therefore, we can't update virus signatures or install critical Microsoft patches like MS patch (958644).
We first saw signs of this early on when the Browser service kept bouncing on our Windows Server 2003 computers.
We've downloaded Malwarebytes and installed the update, but it does not find the culprit.
Has anyone successfully removed this thing yet?
Malwarebytes finds the following:
1. Trojan.Agent in C:\windows\Downloaded Program Files\atmgr.exe
2. Hijack.System.Hidden in HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\Showall\CheckedValue
Here is the saved log from Malwarebytes on an infected machine:
Malwarebytes’ Anti-Malware 1.31
Database version: 1590
Windows 5.1.2600 Service Pack 2
1/1/2009 5:10:47 PM
mbam-log-2009-01-01 (17-10-47).txt
Scan type: Quick Scan
Objects scanned: 90771
Time elapsed: 13 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\Downloaded Program Files\atmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Greg,
Disable the clients' DNS Client service.
It's DNS poisoning.
If you stop and disable the service you'll be working in front of your DNS server directly and won't be blocked.
And about the DLL that keeps coming back:
open and edit it using Notepad and it will stop the damage.
Still working my way to find a final/total solution.
Good luck everybody.
Juk,
Do you know how I can find out the name of the DLL? I've used Sysinternals utilities to find it but no luck yet.
Greg
Juk,
We've been able to clean some computers in Safe Mode using the OneCare Live website. It finds the W32.Conficker.B virus and removes it accordingly.
This doesn't work on all computers though.
Your suggestion to stop the DNS Client has allowed us to perform Windows Update. However, AVG still does not find it.
Virus Detail :
ca.com/us/securityadvisor/virusinfo/virus.aspx?ID=75911
1- Download and install the patch available from Microsoft
WindowsServer2003-KB958644-x86-ENU for WindowsServer2003(sp2)
WindowsXP-KB958644-x86-ENU for WindowsXP (sp3)
2- Run a full system scan
Greg,
You can use Prevx CSI to find the nasty DLL; the DLL file size will always be 149Kb
prevx.com/freescan.asp
I haven't read the whole thread, but you can find random services with good fake names like "Windows Security" or "Config Shell" and others.
These are not real services. They have a few things in common:
1. the service name itself is weird
2. it's always in the status "Automatic" and "Stopped"
3. you won't have permission to change the status
Refer to the Symantec website for the registry settings you need to clean up.
I'm still looking for an easy way to clean it up.
Good luck with everything.
BTW, the files are probably hidden and you won't have the ability to change that..
It's also a part of the virus.
Fix it by changing the reg key in the following -
windows.ittoolbox.com/groups/technical-functional/windows-xp-pro-l/cant-view-my-hidden-file-and-folders-1774650
We’ve recovered from the Conficker outbreak. Disabling DNS Client was key to cleaning and patching systems.
Thanks,
Greg
We are using Windows 2000 Server and Windows Professional on our workstations. We were also hit by W32.Downadup. After reading several technical details, especially those from Symantec, we also cannot find the registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters \"ServiceDll" = "[PATH OF WORM EXECUTABLE]"
What we found is \Services\netman\Parameters…..
Are they the same?
Anybody out there who can help us?
Mon
hi,
I have resolved this issue using Symantec AntiVirus/Endpoint Security.
1. Check that your antivirus is updated.
2. If not, use the following link and download the AV update on a non-infected system.
symantec.com/business/security_response/definitions/download/detail.jsp?gid=n95
3. Copy the update file to the infected system, run it, then reboot the system.
4. After 15 minutes, reboot your system again.
Now you will be able to open the antivirus website and your system will be virus free.
Regards,
Naresh
I am surprised nobody has posted the F-Secure page yet. It is the most comprehensive page on this.
f-secure.com/v-descs/worm_w32_downadup_al.shtml
We wrote a script that remotely checks for virus activity by looking up installed services for suspicious names and checking for the services it disables.
USE AT YOUR OWN RISK
Located here:
quickfilepost.com/download.do?get=adeca8fcf76bae0e56ab5641b9224368
Look through the tech specs for W32.Downadup.B on Symantec… if this started happening after the 1st it may be that one and not the first… I'm finding it by looking in services.msc for two-word services (may not be started) that have a weird service name, then searching the registry for that random service name.
This is the latest script, don't bother with the original
http://www.quickfilepost.com/download.do?get=08f4634a747471ecaeaca268b77d0e39
George, the script I posted searches for those random service names and is very effective. I will update it again later tonight.
We are trying to suppress this virus too but it's quite hard.
Have any of you tested the F-Secure removal tool?
With Process Explorer, I can see a lot of svchost processes with arguments like -netsvcs [random chars],[random chars]
The F-Secure removal tool is almost useless. I've had it work twice for me. There is a brand new one named f-downadup. It's only 4MB and it didn't work for me the one time I wanted to use it.
The virus will disable services, and it appears that upon reboot it creates the services and writes out the DLL, etc., so that it can start back up again.
The script I posted checks whether the specific services are disabled (which is the tell-tale sign of the virus) and whether there are any suspicious services it created (which you delete, then let your AV clean up the mess). However, after the virus is gone, you will need to fix some things such as the disabled services and the registry settings.
One way to see if the machine is one of the ones trying to spread or disable accounts is to run Sysinternals' TCPView, which will show hundreds of [System:Process]:0 entries. A few (under 10) are OK, but hundreds is very likely the virus.
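The two indicators in the post above (services the worm disables, and a flood of outbound SMB connections) can be checked without TCPView. The following is an added example, not the script the poster shares: the service list follows the public W32.Downadup.B write-ups, the threshold of 50 TCP/445 connections is my own assumption, and it relies only on netstat.exe and the registry. Run it elevated so netstat can report owning PIDs.

```powershell
# Added example, not the script the poster refers to: a quick triage for the two
# indicators described above, the services the worm disables and a storm of
# outbound SMB connections. The service list follows the public W32.Downadup.B
# write-ups (Automatic Updates, BITS, Security Center, Windows Defender, Error
# Reporting); the threshold of 50 TCP/445 connections is my own assumption.
# Uses netstat.exe, which exists on XP through current Windows; run elevated.

$watched = @{
    wuauserv  = 'Automatic Updates'
    BITS      = 'Background Intelligent Transfer Service'
    wscsvc    = 'Security Center'
    WinDefend = 'Windows Defender'
    ERSvc     = 'Error Reporting Service'
}

$disabled = foreach ($svc in $watched.Keys) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $key)) { continue }           # e.g. no Defender on a bare XP box
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) {                               # 4 = Disabled, 2 = Automatic, 3 = Manual
        [pscustomobject]@{ Service = $svc; DisplayName = $watched[$svc]; Start = $start }
    }
}

# Parse "netstat -ano -p tcp" lines:  Proto  LocalAddress  ForeignAddress  State  PID
$smb = netstat -ano -p tcp | ForEach-Object {
    if ($_ -match '^\s*TCP\s+(\S+)\s+(\S+):445\s+(\S+)\s+(\d+)\s*$') {
        [pscustomobject]@{ Remote = $matches[2]; State = $matches[3]; OwnerPid = [int]$matches[4] }
    }
}
$smb = @($smb)

"Services the worm disables that are currently Disabled: $(@($disabled).Count)"
$disabled | Format-Table -AutoSize
"Outbound TCP/445 connections: $($smb.Count)"
if ($smb.Count -gt 50) {
    'VERDICT: likely scanning the network; isolate this host before cleaning.'
    # Which process owns them: PID 4 is System (the SMB redirector); a high count
    # under an svchost.exe PID points at the netsvcs instance the worm lives in.
    $smb | Group-Object OwnerPid, State | Select-Object Name, Count | Format-Table -AutoSize
}
```

Many SYN_SENT entries to consecutive addresses on port 445 are the same picture TCPView gives, and the per-PID grouping tells you which process to kill with Process Explorer before scanning.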
Guys,
Please check what version of Symantec you are running. We run versions 7, 8 & 9 and have been having problems removing this virus; we have been in touch with Symantec and they advised us that we need to be on version 10. We tried version 10 with the 8th January definition files and the system was cleaned. We will be rolling out version 10 to get rid of this.
Below is a copy of the email; I have removed the specific end-user addresses.
From: [mailto:xxxxxxxc@symantec.com]
Sent: 9 January 2009
To: xxxxxxx
Subject: RE: Case ID: xxxxxxxx W32.Downadup.B outbreak
SAV 9 didn't have the same capabilities as SAV 10 and SEP 11; the side effects will not be removed.
I guess going through the removal instructions and having an infected machine to play with you’ll be able to determine whether removal is feasible (can be scripted) or not.
let me know how they are getting on.
xxxxxx
I hope this helps you guys
ob1denobi
Also the site f-secure.com/v-descs/worm_w32_downadup_al.shtml
has a removal tool. I have not tested it as I am at home; I will get it tested when I'm back at work.
Has anyone else used this tool?
The file at the URL ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip is corrupt.
I heard McAfee removes this virus. Is it true?
Facing the same problem in my environment and just got the news that Symantec has finally released a removal tool
http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99
Not tested yet; will test it tomorrow.
In my workplace we have removed McAfee and installed Symantec Endpoint Protection 11.0.3. SEP works better than McAfee but cannot remove the infection on all the PCs.
I will try the F-Secure tool and the manual procedure using Process Explorer.
Paolo
It is possible to remove the virus without failsafe etc.
The user32.dll can be removed from the cache and from the running system, from within a Windows session.
The only thing needed is a reboot.
Verified on 2000, XP.
MSN: Netguard3 @ Hotmail (dot) com
Many NT accounts become locked because of the virus, I suppose.
But the virus isn't on the PC (the Symantec and F-Secure tools say)!
Paolo
Same problem at the company, in an Active Directory domain… about 90 PCs and I'm going through hellish days…
The virus tries to discover users' passwords, so the domain server, after so many attempts, locks the account believing it's a break-in attempt. Many PCs have been disinfected using the FixDownadup.exe tool; three or four PCs, however, cannot be cleaned (yet). Be aware that the virus is very aggressive and "hides" well from antivirus programs. You need to try scanning the system in safe mode or, even better, at boot with some live CD (try Dr.Web: it's free…)
Uhu!… we are just using the Symantec antivirus system and I hadn't thought about a Symantec fix tool.
Just downloaded it and distributed it to colleagues :)
Paolo
Our network has been hit by this really hard. We run Symantec products version 10 but it is still no match for this worm. We ran all of their removal tools and the machines scanned as clean, then put them back on the network and had the administrative scan run at midnight and about 60% of the ones I had cleaned show infected again. Symantec has just sent us a new W32.Downadup removal tool this morning and I am testing it out to see if it works.
Hello Sparky, I have the same problem. I can't get rid of it on some stations. The Symantec tool worked on 90% of PCs but I don't understand why it doesn't work on all of them. I also scanned with a BitDefender removal tool and had the same results. If you find a solution please tell us.
Thank you!
Download and run VIPRE (Free trial version). It kills it.
I'm worried about all these new free antivirus programs.
Too many. How many of these are really fighting viruses? Or creating new ones or collecting computer information?
I think I fixed the problem on my personal company PC: I downloaded the following Microsoft Windows XP patch: WindowsXP-KB958644-x86-ITA.exe (ITA because I have the Italian version of Windows XP installed), executed it, followed the instructions and, after rebooting, scanned the PC with AVG and removed the threats that it found.
I’ve created a batch file for system administrators to clean/patch/cure infected systems in their networks.
check it out here:
extremesecurity.blogspot.com/2009/01/beat-downadupconficker-like-pro-my.html
It took me about 50 man-hours for 6 servers and 70 PCs to get rid of this. This is what I did.
1. Disable System Restore.
2. Boot in Safe Mode.
3. Run windows-kb890830-v2.6.exe from Microsoft (RUN FULL SCAN). When it finds it, you will need to reboot the system to get rid of it.
4. Run Windows Update and make sure everything is updated.
5. Update virus definitions with LiveUpdate. We have Symantec Endpoint 11.0 MR4.
6. Run a full scan on the system.
Everything has been OK for 2 days now.
You should be clean after that.
I am getting a popup like "w32.Downadup in rfitdc.h". Can anyone help me clean this virus?
This is how you remove it.
1. goto registry HKEY_Local_Machine\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
GloballyOpenPorts\List
137:UDP:*:Enabled:@xpsp2res.dll,-22001
138:UDP:*:Enabled:@xpsp2res.dll,-22002
139:TCP:*:Enabled:@xpsp2res.dll,-22004
3389:TCP:*:Enabled:@xpsp2res.dll,-22009
445:TCP:*:Enabled:@xpsp2res.dll,-22005
- delete these (usually 3389 is the only one that appears).
- run Symantec
- run Windows Update
- go to a DOS prompt and type cd c:\windows\system32
- then type dir *.dll /ahs; it will show one dll file
- go to the location c:\windows\system32, then Tools in the menu bar, then the View tab, and uncheck "Hide protected operating system files"
- search for the file you found in DOS
- right-click the file, select Properties, then the Security tab, then the Owner tab, and select another owner such as Administrator; hit Apply. Close the Properties window
- right-click the file, select Properties, Security tab, and allow all permissions for that file; hit OK.
- wait about 10 seconds and the file should delete
- reboot the PC and it's gone
Run Windows Update for this virus; the link is in a post above.
OK, so I think I caught the tail end of this worm.
Unfortunately it burrowed its head into my system first.
AVG caught it on its way in; however, it seems to have made EVERY exe file on my computer try to access that DLL when they run. Some programs shoot off the error message and then work normally, others won't work at all. When AVG has the DLL quarantined I basically get spammed with error messages; if I restore the file I get the 0xc0000022 messages and nothing works then either… any ideas?
I am getting a popup like "w32.Downadup.B" from my Symantec antivirus.. Clean failed, quarantine failed, access denied in
C:\Windows\system32\fbdmvazf.dll
Can anyone help me clean this virus?
Hi,
I already tried updating the Symantec antivirus to the February 5th definitions and ran a full scan, but it can't find the worm. But I am getting a popup like "w32.Downadup" from my Symantec antivirus.. Clean failed, quarantine failed, and some deletes succeeded.
Can anyone help me clean this virus?
Regards,
mike
This virus uses admin shares to infect other machines. It is very important to log off any administrator account and set a difficult password. You can use My Computer > Manage > Shared Folders > Sessions to see which computer is trying to infect you. It is very important to check shared folders for an autorun.inf file. Also very important is to disable the autorun option. The Task Scheduler service must be stopped. The admin shares admin$ and c$ must be stopped. This helped me for a network of 200 computers and 20 servers. Use the Symantec removal tool and the Microsoft patch. Once computers are patched and the AV database is updated, the virus can't infect them.
PS
For anyone who is bored with pop-up messages from the AV: disable the admin$ and c$ shares on the computer and it will stop. Scan and patch it and clear the Task Scheduler.
How to remove W32.Downadup.B:
The only site that I could access when I had Downadup was bdtools.net, a BitDefender site. The removal tool there is great, and they have one for networks also.
After spending almost 3 weeks devoting virtually all my time to understanding, studying, and researching this virus, I've finally come up with the best utilities and steps to overcome this stubborn worm.
There are currently three variants of the virus: .A, .B, and .C.
Of the three, .C is the hardest to inoculate, with .B being the most widespread.
How do I know if I'm infected with .B or .C?
It's pretty simple. If you managed to download the MS security patch and various scanners/cleaning utilities that don't run when you open them (i.e., they open and close extremely quickly, the processes being killed by the virus), and if you tried booting into Safe Mode but couldn't, then you most certainly have the .C variant of the virus lurking on your PC. If you've noticed this happen on your PC and are having a nightmare removing it (the way I did), then proceed to the .C Clean and Removal Steps below.
.B is fairly simple to remove/clean. Therefore I'll start wi
.B Clean and Removal Steps
————————————-
(a) download the following four files
(1)- http://iv.cs.uni-bonn.de/uploads/media/conficker_mem_killer.exe
(2)- http://iv.cs.uni-bonn.de/uploads/media/regnfile_01.exe
(3)- http://www.bdtools.net/download/bd_rem_tool.zip
(4)- http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
and download the appropriate MS-Hot Fix for your Operating System
(b) if you cannot get to one or any of the above links, stop your DNS Client service
(c) boot the PC in Safe Mode
(d) run conficker_mem_killer.exe, then run regnfile_01.exe, then bd_rem_tool_console.exe (unzipped from the bd_rem_tool.zip file), and then finally patch the system with the appropriate MS hotfix you downloaded
(e) reboot in normal mode and re-run all those files except for the patch again
(f) go to your Services, start the following services and set them to Automatic
- Windows Update
- BITS
- Error Reporting
- Security Server (if applicable)
- Windows Firewall
(g) For extended protection, stop the Computer Browser service and set it to Disabled
(h) For extended protection, stop the Task Scheduler service and set it to Disabled
(i) For extended protection, stop the Server service (and any dependent services) and set it to Disabled (note that if your PC needs to share files or printers this service must be started and set to Automatic)
(j) Enable your Windows Firewall and set the appropriate exceptions you need (highly recommended)
(k) apply the latest Windows Service Pack and fully Windows Update your PC (absolutely required)
(l) Set Windows Update to run daily and automatically update your PC
- open gpedit.msc (Start > Run and type in 'gpedit.msc') if you're using XP SP2+ and go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > No auto-restart … (Enable) so that after Windows updates your PC automatically in the background it WILL NOT automatically restart the PC if there is a currently logged-on user. (highly recommended)
(n) if you want to take further preventative measures disable autorun by going to gpedit.msc and go to
Computer Configuration>Administrative Templates>WIndows Components>System>Turn Off Autoplay (Enable)
(o) Install the latest version of your antivirus software and make sure the virus definitions are fully updated and set to check and install updates daily. (highly recommended)
.C Clean and Removal Steps
————————————-
Do steps (a) and (b) as in the .B Removal Steps.
Now you just need to get your PC to boot into Safe Mode.
To do so you need to get the Safe Mode registry keys from a like PC (O/S), export them from there and then import them on the infected PC.
This should allow you to boot into safe Mode on the infected PC.
Once you’re in safe Mode you can proceed with steps (c) onward without any problems.
The SafeMode keys you need to get are located in:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
Export the entire SafeBoot Hive (folder)
To import this file on the infected PC, simply double click on the .REG file you just exported.
The .C variant also prevents you from viewing hidden files on your PC.
The following Batch file should resolve this problem:
@ECHO OFF
BREAK ON
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 0x1 /f
pause
exit
Good Luck.
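The post-cleanup steps (f) through (n) above, plus the SafeBoot check for the .C variant, are the part of this procedure that is easiest to script. As an added example (not the poster's tools and not vendor code), the following PowerShell re-applies those settings in the post's order; it assumes the worm's service and DLL have already been removed and KB958644 applied, and removes nothing itself. Run it from an elevated PowerShell.

```powershell
# Added example, not from the post above: re-apply the settings the worm changes,
# in the order the post gives. Registry values are standard Windows ones; the
# service list follows the post. Assumptions (mine): the worm's service and DLL
# are already gone and KB958644 (MS08-067) is already installed; nothing here
# removes the worm itself. Run from an elevated PowerShell.

$ErrorActionPreference = 'Stop'

# (f) services the worm sets to Disabled: back to Automatic and running
foreach ($svc in 'wuauserv', 'BITS', 'ERSvc', 'wscsvc', 'SharedAccess') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Set-Service   -Name $svc -StartupType Automatic
        Start-Service -Name $svc -ErrorAction SilentlyContinue
    }
}

# (g), (h) stop the services the worm abuses for spreading and persistence
foreach ($svc in 'Browser', 'Schedule') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
    }
}

# hidden-files toggle: the same fix as the post's batch file
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' `
                 -Name CheckedValue -Type DWord -Value 1

# (n) disable AutoRun for all drive types (0xFF), the policy behind "Turn off Autoplay"
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
Set-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF

# .C variant: verify the Safe Mode boot keys are present before rebooting
foreach ($mode in 'Minimal', 'Network') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    $n = if (Test-Path $k) { @(Get-ChildItem -Path $k).Count } else { 0 }
    if ($n -eq 0) { "SafeBoot\$mode: MISSING, import it from a clean machine" }
    else          { "SafeBoot\$mode: $n entries present" }
}
# export on a clean machine of the same OS, import on the infected one:
#   reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg
#   reg import safeboot.reg

# confirm the MS08-067 patch is installed
$kb = Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue
if ($kb) { "KB958644 installed on $($kb.InstalledOn)" }
else     { 'KB958644 NOT installed: patch before putting this host back on the network' }
```

Leave the Server service (step (i)) out of an automated script unless you know the machine shares nothing; disabling it on a file server is a self-inflicted outage.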
I had a network of 4 PCs and those pages wouldn't open, neither Microsoft's nor the antivirus ones and others.
On another PC I downloaded the tool windows-kb890830-v2.8.exe
(or search Google for KB890830)
It's called Microsoft Windows Malicious Software Removal Tool (KB890830) - Setup Self-Extracting Cabinet
http://www.microsoft.com/downloads/details.aspx?FamilyID=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=es
But when copying it to the infected ones it won't run, so you have to go to Start > Run and type MSCONFIG;
on the General tab select DIAGNOSTIC STARTUP.
Restart the PC, and now the Microsoft tool can be run; when running it select the FULL SCAN option. When it finished it detected several viruses for me and removed Win32/conficker.gen!A.
After restarting you must go back to MSCONFIG and select Normal mode, and on the SERVICES tab enable all the Microsoft ones. If after doing this the network devices don't load, you must go to Control Panel > ADMINISTRATIVE TOOLS - SERVICES; there you must leave them on Automatic and start the network processes such as the DHCP Client. Better to leave all the Microsoft ones enabled. If you can't enable all the Microsoft services via MSCONFIG, try Safe Mode first; if the cleaner doesn't run, do it with this MSCONFIG method.
After this you can get into all the pages again.
if we format the laptop, can it delete the worm?
Formatting is the last thing that should be done, but if you are willing to format, it can remove the threat.
I got a flash memory stick from China, found it on eBay, and when I put it into my laptop Avira came up warning about the W32.Downadup.B worm. Cleaned it and that's it; everything is fine.
Hi
Thanks for sharing useful information about W32.Downadup. But I suggest Best Virus Protection software. This software fully protects your computer.
hi,
Please help, I need some help to remove Downadup.
I tried Malwarebytes, the Symantec tool, the F-Secure tool, even the BitDefender one… checked the registry and no sign there… any other ideas?
Any response?