Comments on: W32.Downadup http://www.precisesecurity.com/worms/w32downadup Thu, 09 Feb 2012 05:23:27 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: zeehttp://www.precisesecurity.com/worms/w32downadup#comment-4488 zee Thu, 24 Dec 2009 03:23:24 +0000 http://www.precisesecurity.com/threats/w32downadup/#comment-4488 i tried almost all the solutions from you guys but it didnt work.. after deleting the worm and it came back..help me i tried almost all the solutions from you guys but it didnt work.. after deleting the worm and it came back..help me

]]> By: Dayalanhttp://www.precisesecurity.com/worms/w32downadup#comment-4159 Dayalan Fri, 06 Nov 2009 10:06:21 +0000 http://www.precisesecurity.com/threats/w32downadup/#comment-4159 hi, please help i need some help to remove Downadup. i tried Malewerebytes,the symantec tool, the f-secure tool even the bit defender...checked the registry and no sign there...any other ideas? hi,
please help i need some help to remove Downadup.
i tried Malewerebytes,the symantec tool, the f-secure tool even the bit defender…checked the registry and no sign there…any other ideas?

]]> By: amarhttp://www.precisesecurity.com/worms/w32downadup#comment-4088 amar Tue, 27 Oct 2009 15:09:45 +0000 http://www.precisesecurity.com/threats/w32downadup/#comment-4088 if we format the laptop, can it delete the worm? if we format the laptop, can it delete the worm?

]]> By: PC Antivirus Updatehttp://www.precisesecurity.com/worms/w32downadup#comment-3934 PC Antivirus Update Sat, 10 Oct 2009 12:15:18 +0000 http://www.precisesecurity.com/threats/w32downadup/#comment-3934 Hi Thanks for sharing useful information about W32.Downadup. But i suggest Best Virus Protection software. This software fully protects your Computer . Hi
Thanks for sharing useful information about W32.Downadup. But i suggest Best Virus Protection software. This software fully protects your Computer .

]]> By: Emyhttp://www.precisesecurity.com/worms/w32downadup#comment-3218 Emy Mon, 10 Aug 2009 11:04:07 +0000 http://www.precisesecurity.com/threats/w32downadup/#comment-3218 I've got a Flush Memory from China, found it on Ebay and when i put into my laptop Avira came out saying about that W32.Downadup.B worm. Cleaned it and that's it. everything is fine I’ve got a Flush Memory from China, found it on Ebay and when i put into my laptop Avira came out saying about that W32.Downadup.B worm. Cleaned it and that’s it. everything is fine

]]> By: precisesecurityhttp://www.precisesecurity.com/worms/w32downadup#comment-2504 precisesecurity Sun, 26 Apr 2009 11:53:43 +0000 http://www.precisesecurity.com/threats/w32downadup/#comment-2504 Formatting is the least thing that should be done. But if you are willing to format, it can remove the threat. Formatting is the least thing that should be done. But if you are willing to format, it can remove the threat.

]]> By: abigailhttp://www.precisesecurity.com/worms/w32downadup#comment-2478 abigail Wed, 22 Apr 2009 16:00:35 +0000 http://www.precisesecurity.com/threats/w32downadup/#comment-2478 If we format the laptop, can it delete the worm? If we format the laptop, can it delete the worm?

]]> By: Stephen Tzintzishttp://www.precisesecurity.com/worms/w32downadup#comment-2418 Stephen Tzintzis Wed, 01 Apr 2009 20:15:41 +0000 http://www.precisesecurity.com/threats/w32downadup/#comment-2418 After spending almost 3 weeks virtually devoting all my time on understanding, studying, and researching this virus I've finally come up with the best utilities and steps to overcome this stubborn worm.There are currently three variants of the virus, .A,.B, and .C. Of the three .C is the hardest to inoculate, with .B being the most widespread.How do I know if I'm infected with .B or .C?It's pretty simple. If you managed to download MS security patch and various scanners/cleaning utilities that don't run when you open them (i.e., the open and close extremely quickly, processes being killed by the virus) and if you tried booting into Safe Mode but couldn't then you most certainly have the .C variant of the virus lurking on your PC. If you've noticed this happen on your PC and are having a nightmare to remove it (the way I had) the proceed to the .C Clean and Removal Steps below..B is fairly simple to remove/clean. Therefore I'll start with.B Clean and Removal Steps ------------------------------------- (a) download the following four files (1)- http: //iv.cs.uni-bonn.de/uploads/media/conficker_mem_killer.exe (2)- http: //iv.cs.uni-bonn.de/uploads/media/regnfile_01.exe (3)- http: //www.bdtools.net/download/bd_rem_tool.zip (4)- http: //www.microsoft.com/technet/security/Bulletin/MS08-067.mspx and download the appropriate MS-Hot Fix for your Operating System(b) if you cannot get to one or any of the above links, stop your DNS Client Service(c) boot the PC in Safe Mode(d) run conficker_mem_killer.exe, then run regnfile_01.exe, then bd_rem_tool_console.exe (unzipped from the bd_rem_tool.zip files), and then finally patch the system with the appropriate MS-Hot Fix you downloaded.(e) reboot in normal mode and re-run all those files except for the patch again(f) Go to your Services and Start and set the following services to Automaitc - Windows Update - BITS - Error Reporting - Security Server (if applicable) - Windows Firewall(g) For extended protection, stop the Computer Browser service and set it to Disabled(h) For extended protection, stop the Task Scheduler service and set it to Disabled(i) For extended protection, stop the Server service (and any dependant services) and set it to Disabled (note that if your PC needs to share files or printers this service must be started and set to automatic)(j) Enable your Windows Firewall and set the appropriate Exceptions you need (highly recommended)(k) apply the latest Windows Service Pack and Fully Windows Update your PC (absolutely required)(l) Set Windows Update to run daily and automatically update your PC - open gpedit.msc (start>run and type in 'gpedit.msc') if you're using XP SP2+ and go to Computer Configuration>Administrative Templates>Windows Components>Windows Update>No Auto Restart .... (Enable) so that after windows updates your PC automatically in the background it WILL NOT automatically restart the PC if there is a currently logged on user. (highly recommended)(n) if you want to take furthere preventative measures disable autorun by going to gpedit.msc and go to Computer Configuration>Administrative Templates>Windows Components>System>Turn Off Autoplay (Enable)(o) Install the latest version of your Antivirus Software and make the virus definitions are fully updated and set to check and install updates daily. (highly recommended).C Clean and Removal Steps ------------------------------------- Do steps (a) and (b) as in the .B Removal Steps.Now you just need to get your PC to boot into Safe.To do so you need to get the Safe Mode registry keys from a like PC (O/S), export them from there and then import them on the infected PC.This should allow you to boot into safe Mode on the infected PC.Once you're in safe Mode you can proceed with steps (c) onward without any problems.The SafeMode keys you need to get are located in: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot Export the entire SafeBoot Hive (folder)To import this file on the infected PC, simply double click on the .REG file you just exported.The .C variant also prevents you from viewing hidden files on your PC. The following Batch file should resolve this problem:@ECHO OFF BREAK ON reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 0x1 /f pause exitGood Luck. After spending almost 3 weeks virtually devoting all my time on understanding, studying, and researching this virus I’ve finally come up with the best utilities and steps to overcome this stubborn worm.

There are currently three variants of the virus, .A,.B, and .C.
Of the three .C is the hardest to inoculate, with .B being the most widespread.

How do I know if I’m infected with .B or .C?

It’s pretty simple. If you managed to download MS security patch and various scanners/cleaning utilities that don’t run when you open them (i.e., the open and close extremely quickly, processes being killed by the virus) and if you tried booting into Safe Mode but couldn’t then you most certainly have the .C variant of the virus lurking on your PC. If you’ve noticed this happen on your PC and are having a nightmare to remove it (the way I had) the proceed to the .C Clean and Removal Steps below.

.B is fairly simple to remove/clean. Therefore I’ll start with

.B Clean and Removal Steps
————————————-
(a) download the following four files
(1)- http: //iv.cs.uni-bonn.de/uploads/media/conficker_mem_killer.exe
(2)- http: //iv.cs.uni-bonn.de/uploads/media/regnfile_01.exe
(3)- http: //www.bdtools.net/download/bd_rem_tool.zip
(4)- http: //www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
and download the appropriate MS-Hot Fix for your Operating System

(b) if you cannot get to one or any of the above links, stop your DNS Client Service

(c) boot the PC in Safe Mode

(d) run conficker_mem_killer.exe, then run regnfile_01.exe, then bd_rem_tool_console.exe (unzipped from the bd_rem_tool.zip files), and then finally patch the system with the appropriate MS-Hot Fix you downloaded.

(e) reboot in normal mode and re-run all those files except for the patch again

(f) Go to your Services and Start and set the following services to Automaitc
– Windows Update
– BITS
– Error Reporting
– Security Server (if applicable)
– Windows Firewall

(g) For extended protection, stop the Computer Browser service and set it to Disabled

(h) For extended protection, stop the Task Scheduler service and set it to Disabled

(i) For extended protection, stop the Server service (and any dependant services) and set it to Disabled (note that if your PC needs to share files or printers this service must be started and set to automatic)

(j) Enable your Windows Firewall and set the appropriate Exceptions you need (highly recommended)

(k) apply the latest Windows Service Pack and Fully Windows Update your PC (absolutely required)

(l) Set Windows Update to run daily and automatically update your PC
– open gpedit.msc (start>run and type in ‘gpedit.msc’) if you’re using XP SP2+ and go to Computer Configuration>Administrative Templates>Windows Components>Windows Update>No Auto Restart …. (Enable) so that after windows updates your PC automatically in the background it WILL NOT automatically restart the PC if there is a currently logged on user. (highly recommended)

(n) if you want to take furthere preventative measures disable autorun by going to gpedit.msc and go to
Computer Configuration>Administrative Templates>Windows Components>System>Turn Off Autoplay (Enable)

(o) Install the latest version of your Antivirus Software and make the virus definitions are fully updated and set to check and install updates daily. (highly recommended)

.C Clean and Removal Steps
————————————-
Do steps (a) and (b) as in the .B Removal Steps.

Now you just need to get your PC to boot into Safe.

To do so you need to get the Safe Mode registry keys from a like PC (O/S), export them from there and then import them on the infected PC.

This should allow you to boot into safe Mode on the infected PC.

Once you’re in safe Mode you can proceed with steps (c) onward without any problems.

The SafeMode keys you need to get are located in:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
Export the entire SafeBoot Hive (folder)

To import this file on the infected PC, simply double click on the .REG file you just exported.

The .C variant also prevents you from viewing hidden files on your PC.
The following Batch file should resolve this problem:

@ECHO OFF
BREAK ON
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 0×1 /f
pause
exit

Good Luck.

]]> By: aryhttp://www.precisesecurity.com/worms/w32downadup#comment-2400 ary Tue, 24 Mar 2009 16:58:16 +0000 http://www.precisesecurity.com/threats/w32downadup/#comment-2400 The only site that I could access when I had downadap is bdtools.net, a BitDefender site. The removal tool there is great and they have one for networks also. The only site that I could access when I had downadap is bdtools.net, a BitDefender site. The removal tool there is great and they have one for networks also.

]]> By: Borishttp://www.precisesecurity.com/worms/w32downadup#comment-2262 Boris Mon, 16 Feb 2009 22:13:03 +0000 http://www.precisesecurity.com/threats/w32downadup/#comment-2262 This virus use admin share to infect other machines. It is very important to log of any administrator account, put some difficult password. You can use my computer/manage/share folders/sessions to see what computer is trying to infect. Very important is to check share folders for autorun.inf file. Also very important is to disable autorun options. Task scheduler service must be stop. Admin shares admin$, c$ must be stooped. This help me for a network of 200 computers and 20 servers. Use Symantec removal tool and Microsoft patch. Once computers are patched and AV database updated, virus can't infect them. P.S. For anyone who is boring with pop up messages from AV, disable admin and c shares on computer and it will stop. Scan and patch it and clear task scheduler. This virus use admin share to infect other machines. It is very important to log of any administrator account, put some difficult password. You can use my computer/manage/share folders/sessions to see what computer is trying to infect. Very important is to check share folders for autorun.inf file. Also very important is to disable autorun options. Task scheduler service must be stop. Admin shares admin$, c$ must be stooped. This help me for a network of 200 computers and 20 servers. Use Symantec removal tool and Microsoft patch. Once computers are patched and AV database updated, virus can’t infect them.

P.S.
For anyone who is boring with pop up messages from AV, disable admin and c shares on computer and it will stop. Scan and patch it and clear task scheduler.

]]>