W32.Downadup
W32.Downadup is a worm that can kill antivirus programs and block infected computers from visiting legitimate security web sites. The worm also spreads across local and network drives by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability. W32.Downadup also creates its own Windows service so that it runs each time Windows starts. It spreads over both the local network and the Internet by taking advantage of software and security weaknesses.
Characteristics
When executed, W32.Downadup drops files in various locations on the hard drive. It also modifies the registry, adding an entry that causes the worm to load automatically when Windows starts.
As an alternative start-up method it creates a service driver, dropping the following file for that purpose:
%System%\0[RANDOM FILE NAME].tmp
Once it is inside the computer, the user may notice several abnormalities. One is the presence of files and folders with random names. The worm may also modify and delete files and folders. It also lowers security settings by deleting registry entries associated with antivirus and other protection software.
The primary goal of W32.Downadup is to spread other threats. In its initial release the worm took part in activities that spread fake antivirus software, also known as rogue security programs. This fraud pushes computer users into purchasing a useless program through misleading techniques.
The worm relies heavily on peer-to-peer network connections to distribute another harmful program, W32.Waledac.
Distribution
The W32.Downadup family of worms is probably the most prolific of the current era. It spread quickly and infected at least half a million computers in its initial release. It uses various propagation channels and makes full use of the Internet to reach interconnected victims:
- Exploiting security weaknesses in Internet browsers to enter the computer
- Taking advantage of Windows and Server vulnerabilities
- Copying itself to removable media drives and executing through the Autorun function
- Dropping malicious files on network shared folders and drives
Technical Details and Additional Information:
Alias: Win32/Conficker.A, W32/Downadup.A, Conficker.A, Net-Worm.Win32.Kido.bt, WORM_DOWNAD.AP, W32/Conficker
Damage Level: High
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Other functionalities of this worm:
- W32.Downadup creates files and folders with random characters.
- The worm connects to a remote server to download an updated copy of itself.
- It can block access to security web sites by monitoring and redirecting domain requests.
Associated Windows Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[Random Characters]" = "rundll32.exe [RANDOM DLL File], [RANDOM Parameter String]"
Associated Files and Folders:
%ProgramFiles%\Internet Explorer\[RANDOM FILE NAME].dll
%ProgramFiles%\Movie Maker\[RANDOM FILE NAME].dll
C:\Documents and Settings\All Users\Application Data\[RANDOM FILE NAME].dll
%System%\[RANDOM FILE NAME].dll
%System%\000[RANDOM FILE NAME].tmp
%Temp%\[CLSID 3]\[NUMBER].tmp
%Temp%\[RANDOM FILE NAME].dll
%Temp%\[RANDOM FILE NAME].exe
File Location for Windows Versions: %System% for all versions of Windows is located under C:\Windows\System32. %Temp% refers to C:\Windows\Temp\.
How to Remove W32.Downadup
Restore Windows Components
If the worm has compromised the system, the registry and legitimate Windows files are also compromised. System Restore can reinstate clean system files by restoring the configuration to an earlier date. If a restore point was created before the W32.Downadup infection, restore Windows to that previous configuration.
W32.Downadup Removal Tool
1. Download the tool D.exe from the Symantec web site.
2. Save it to a desired location.
3. After the download completes, disconnect the computer from the Internet.
4. On computers running Windows ME or Windows XP, disable System Restore.
5. Reboot Windows in Safe Mode.
- After turning on the power, press F8 on the keyboard.
- Select Safe Mode from the menu.
6. Go to the location on your hard drive where D.exe was saved.
7. Double-click D.exe to run the tool.
8. Let the tool thoroughly scan the computer, then perform another scan after rebooting Windows in normal mode.
Manual Removal Procedure:
1. Update the installed anti-virus application to the latest definition file.
2. Reboot Windows in Safe Mode.
- After turning on the power, press F8 on the keyboard.
- Select Safe Mode from the menu.
3. Thoroughly scan the system and clean or delete all infected files.
4. Delete or modify any values the worm added to the registry, if present. Refer to the associated Windows Registry Entries above.
- Click Start, then use Search or Run to launch regedit.exe and open the Registry Editor.
5. Exit the Registry Editor and restart Windows.
precisesecurity
Nov 26, 2008 @ 08:36:45
Try this one.
1. Download the removal tool from this page and save it on your Desktop.
2. After downloading, double-click on it to install the application.
3. Follow the prompts and install as “default” only.
4. If it prompts to update the database after installation, please proceed.
5. Click “Finish.” The program will run automatically and you will be prompted to update the program before doing a scan. Please update.
6. Scan your computer thoroughly.
7. When scanning is finished, click on “Show Results”.
8. Make sure that all detected threats are marked, then click on Remove Selected.
9. Restart Windows.
Husin Lim
Nov 26, 2008 @ 10:58:21
Hi,
I already tried to update the Symantec antivirus to November 24th and ran a full scan, but it can’t find the worm.
I also can’t find the registry entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\”ServiceDll” = “[PATH OF WORM EXECUTABLE]”
Lastly, I tried to install Malwarebytes and update it.
But the same alert still pops up.
bogus
Nov 28, 2008 @ 09:24:11
Download and install the patch available from Microsoft (958644): microsoft.com/technet/security/Bulletin/MS08-067.mspx
Gen
Nov 28, 2008 @ 15:49:52
>Go and check your Windows services and observe any unfamiliar services running; make sure you disable them.
I got 3 unfamiliar ones running, namely vzyeevv, xbmaoar and uweytn.
Run > type msconfig > Services
>Delete the following folders from regedit
HKEY_Local_Machine\System\CurrentControlSet\Services
> Delete the following entries at
HKEY_Local_Machine\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\GloballyOpenPorts\List
137:UDP:*:Enabled:@xpsp2res.dll,-22001
138:UDP:*:Enabled:@xpsp2res.dll,-22002
139:TCP:*:Enabled:@xpsp2res.dll,-22004
3389:TCP:*:Enabled:@xpsp2res.dll,-22009
445:TCP:*:Enabled:@xpsp2res.dll,-22005
hodish
Nov 30, 2008 @ 16:55:07
We have Symantec AntiVirus Corporate Edition with
Full Version: 8.1.0.825
License No.: 00140V-11CQ- 1112
License Type: Server/Client Gold ( mfg only )
and updated up to today’s date. When it scans for viruses it catches the virus, like W32.Downadup, but after 2 minutes it appears again, along with other viruses.
What can I do to remove it finally?
Please tell me what action to take for old or new viruses that appear.
Best regards,
Hodish
Yemen Dairy
mathias_from-france
Dec 01, 2008 @ 17:36:56
Download Process Explorer (Sysinternals) and the MS patch (958644).
1. Kill the process svchost (image netsvcs) with Process Explorer. There are several svchost processes so have a look in the “image” section (the one with option -netsvcs must be killed).
2. Install the MS patch.
3. Update your antivirus.
4. Scan your hard drive (and above all C:\documents and settings and C:\windows\system32) using your updated anti-virus. It should find w32.downadup. There are 2 infected files (one *.jpg, and one *.DLL).
5.Reboot.
weiloon yap
Dec 03, 2008 @ 03:01:10
Most of our company PCs are infected with this type of worm.
Here are the steps that I used.
- certain services in msconfig are disabled
- turn off System Restore
- clear all temp files
- run a full scan using Symantec antivirus and Ad-Aware
- clear all infected/quarantined files
- patch Microsoft (958644)
The captured viruses were successfully cleared, but the problem is my PC performance is getting slower. Everyone, any idea for this?
Thanks
kaka
Dec 04, 2008 @ 04:43:25
My system is Windows XP. The W32.Downadup virus was detected on my PC, so what can I do to protect my PC? I scanned using Norton anti-virus; it scans everything but cannot delete the detected viruses.
Please help me.
Best regards.
Randy
Dec 09, 2008 @ 10:37:58
Message from Symantec:
Developer notes:
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AG7D98FV\rnihr[1].jpg is detected and repaired by NAV. Please follow the instruction at the end of this email message to install the latest available definitions.
The current definitions are capable of detecting this virus. Please update your definitions by clicking the “LiveUpdate” button in your NAV program.
My comment:
Symantec AntiVirus Corporate Edition cannot totally heal or delete it. It cannot stop W32.Downadup. My Realtime protection always detects it. Please help.
Randy
Dec 12, 2008 @ 03:17:15
Even the following anti-virus system cannot heal or delete it totally:
AVG Anti-Virus 8.0 Free
Avira AntiVir Personal
Trend Micro Internet Security 2009
Kaspersky Internet Security 2009
thegreatnair
Dec 16, 2008 @ 06:58:18
Only Symantec can heal it for me.
Heather Bowman
Dec 17, 2008 @ 02:52:58
Symantec currently WILL NOT heal it. It will only detect and remove the .dll file and .jpg payload file. The virus remains in memory and will not be deleted. This is the same with eTrust by CA.
This is one stubborn PITA. If anyone can come up with a solution, please post it as soon as possible. This thing has to be rootkit based, but I cannot locate it.
proadmin
Dec 20, 2008 @ 07:56:22
I got hit by the w32.downadup virus. I have about 20 systems with XP and 2003 Server on which this virus resides.
I did all the Symantec updates; it still keeps coming up. Please help.
precisesecurity
Dec 21, 2008 @ 01:55:38
1. Download the removal tool from this page and save it on your Desktop.
2. After downloading, double-click on it to install the application.
3. Follow the prompts and install as “default” only.
4. If it prompts to update the database after installation, please proceed.
5. Click “Finish.” The program will run automatically and you will be prompted to update the program before doing a scan. Please update.
6. Scan your computer thoroughly.
7. When scanning is finished, click on “Show Results”.
8. Make sure that all detected threats are marked, then click on Remove Selected.
9. Restart Windows.
Note: Some malware may prevent mbam-setup.exe from downloading and running. You can download and rename this program on a different computer before running it on the infected system.
Greg
Jan 01, 2009 @ 22:56:57
I’ve got over 100 Windows XP machines and servers that are affected by this. It blocks access to security sites like avg.com, symantec.com, etc. It also blocks access to microsoft.com.
Therefore, we can’t update virus signatures or install critical Microsoft patches like the MS patch (958644).
We first saw signs of this early on when the Browser service kept bouncing on our Windows Server 2003 computers.
We’ve downloaded Malwarebytes and installed the update. But it does not find the culprit.
Has anyone successfully removed this thing yet?
Greg
Jan 01, 2009 @ 23:09:48
Malwarebytes finds the following:
1. Trojan.Agent in C:\windows\Downloaded Programs Files\atmgr.exe
2. Hijack.System.Hidden in HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\Showall\CheckedValue
Greg
Jan 01, 2009 @ 23:11:15
Here is the saved log from Malwarebytes on an infected machine:
Malwarebytes’ Anti-Malware 1.31
Database version: 1590
Windows 5.1.2600 Service Pack 2
1/1/2009 5:10:47 PM
mbam-log-2009-01-01 (17-10-47).txt
Scan type: Quick Scan
Objects scanned: 90771
Time elapsed: 13 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\Downloaded Program Files\atmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Juk
Jan 04, 2009 @ 15:36:41
Greg,
Disable the clients’ DNS.
It’s DNS poisoning.
If you stop and disable the service you’ll be working directly with your DNS server and won’t be blocked.
Juk
Jan 04, 2009 @ 15:37:56
And about the DLL that keeps coming back:
open and edit it using Notepad and it will stop the damage.
Still working my way to find a final and total solution.
Good luck everybody.
Greg
Jan 04, 2009 @ 23:45:30
Juk,
Do you know how I can find out what the name of the DLL is? I’ve used sysinternals utilities to find it but no luck yet.
Greg
Greg
Jan 05, 2009 @ 00:14:56
Juk,
We’ve been able to clean some computers in Safe Mode using the OneCare Live web site. It finds the W32.Conficker.B virus and removes it accordingly.
This doesn’t work on all computers though.
Your suggestion to stop the DNS Client has allowed us to perform Windows Update. However, AVG still does not find it.
proadmin
Jan 05, 2009 @ 06:14:40
Virus Detail :
ca.com/us/security advisor/virus info/virus.aspx?ID=75911
1- Download and install the patch available from Microsoft
WindowsServer2003-KB958644-x86-ENU for WindowsServer2003(sp2)
WindowsXP-KB958644-x86-ENU for WindowsXP (sp3)
2- Run a full system scan
Juk
Jan 05, 2009 @ 11:17:52
Greg,
You can use Prevx CSI to find the nasty DLL; the DLL file size will always be 149 KB.
prevx.com/freescan.asp
I haven’t gone through the whole thread, but you can find random services with good fake names like “Windows Security” or “Config Shell” and others.
These are not real services. They have a few things in common:
1. the service name itself is weird
2. it’s always in the status “Automatic” and “stopped”
3. you won’t have permission to change the status
Refer to the Symantec web site for the registry settings you need to clean up.
I’m still looking for an easy way to clean it up.
Good luck with everything.
Juk
Jan 05, 2009 @ 11:49:34
By the way, the files are probably hidden and you won’t have the ability to change that.
It’s also a part of the virus.
Fix it by changing the reg key as described in the following:
windows.ittoolbox.com/groups/technical-functional/windows-xp-pro-l/cant-view-my-hidden-file-and-folders-1774650
Greg
Jan 06, 2009 @ 02:00:03
We’ve recovered from the Conficker outbreak. Disabling DNS Client was key to cleaning and patching systems.
Thanks,
Greg
Mon
Jan 07, 2009 @ 12:42:06
We are using Windows 2000 Server and Windows Professional on our workstations. We were also hit by W32.Downadup. After reading several technical details, especially those from Symantec, we also cannot find the registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\”ServiceDll” = “[PATH OF WORM EXECUTABLE]”
What we found is \Services\netman\Parameters…..
Are they the same?
Anybody out there who can help us?
Mon
naresh Verma
Jan 07, 2009 @ 15:54:22
Hi,
I have resolved this issue using Symantec antivirus/Endpoint Security.
1. Check that your antivirus is updated.
2. If not, use the following link and download the AV update on a non-infected system.
symantec.com/business/security_response/definitions/download/detail.jsp?gid=n95
3. Copy the update file to the infected system and run it, then reboot the system.
4. After 15 min, re-reboot your system.
Now you will be able to open the antivirus web site and your system will be virus free.
Regards,
Naresh
Jason
Jan 07, 2009 @ 21:51:16
I am surprised nobody has posted the F-Secure page yet. It is the most comprehensive page on this.
f-secure.com/v-descs/worm_w32_downadup_al.shtml
We wrote a script that remotely checks for virus activity by looking up installed services for suspicious names and checking for the services it disables.
USE AT YOUR OWN RISK
Located here:
quickfilepost.com/download.do?get=adeca8fcf76bae0e56ab5641b9224368
George
Jan 07, 2009 @ 22:08:10
Look through the tech specs for W32.Downadup.B on Symantec… if this started happening after the 1st it may be that one and not the first… I’m finding it by looking in services.msc for two-word services (may not be started) that have a weird service name, then searching the registry for that random service name.
Jason
Jan 08, 2009 @ 02:52:30
This is the latest script, don’t bother with the original
http://www.quickfilepost.com/download.do?get=08f4634a747471ecaeaca268b77d0e39
Jason
Jan 08, 2009 @ 02:55:11
George, the script I posted searches for those random service names and is very effective. I will update it again later tonight.
biggy
Jan 08, 2009 @ 22:45:53
We are trying to suppress this virus too but it’s quite hard.
Has any of you tested the F-Secure removal tool?
With Process Explorer, I can see a lot of svchost processes with arguments like -netsvcs [random characters].
Jason
Jan 08, 2009 @ 23:10:34
The F-Secure removal tool is almost useless. I’ve had it work twice for me. There is a brand new one that is named f-downadup. It’s only 4MB and it didn’t work for me the one time I wanted to use it.
The virus will disable services and it appears that upon reboot it creates the services and writes out the DLL, etc. so that it can start back up again.
The script I posted checks to see if the specific services are disabled (which is the tell-tale sign of the virus) and if there are any suspicious services that it created (which you delete and let your AV clean up the mess). However, after the virus is gone, you will need to fix some of the things such as the disabled services and the registry settings.
One way to see if the machine is one of the ones trying to spread or disable accounts is to run Sysinternals’ TCPView, which will show hundreds of [System:Process]:0 processes. A few (under 10) are OK, but hundreds is very likely the virus.
ob1denobi
Jan 09, 2009 @ 22:38:09
Guys,
Please check what version of Symantec you are running. We run versions 7, 8 and 9 and have been having problems removing this virus; we have been in touch with Symantec and they advised us that we need to be on version 10. We tried version 10 with 8th January definition files and the system has been cleaned. We will be rolling out version 10 to get rid of this.
Below is a copy of the email, I have removed the specific end user addresses
From: [mailto:xxxxxxxc@symantec.com]
Sent: den 9 January 2009
To: xxxxxxx
Subject: RE: Case ID: xxxxxxxx W32.Downadup.B outbreak
SAV 9 didn’t have the same capabilities as SAV 10 and SEP 11 – the side effects will not be removed.
I guess going through the removal instructions and having an infected machine to play with you’ll be able to determine whether removal is feasible (can be scripted) or not.
Let me know how they are getting on.
xxxxxx
I hope this helps you guys
ob1denobi
ob1denobi
Jan 09, 2009 @ 22:49:24
Also the site f-secure.com/v-descs/worm_w32_downadup_al.shtml has a removal tool. I have not tested it as I am at home. I will get it tested when I’m back at work. Has anyone else used this tool?
Sandeep Sharma
Jan 13, 2009 @ 19:18:09
Facing the same problem in my environment and just got the news that Symantec has finally released a removal tool.
http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99
Not tested yet, will test it tomorrow.
Paolo
Jan 14, 2009 @ 15:18:36
In my workplace we have removed McAfee and installed Symantec Endpoint Protection 11.0.3. SEP works better than McAfee but cannot remove the infection on all the PCs.
I will try the F-Secure tool and the manual procedure using Process Explorer.
Paolo
TMARC
Jan 15, 2009 @ 15:19:35
It is possible to remove the virus without failsafe etc…
The user32.dll can be removed from the cache and from running, from within a Windows session.
The only thing needed is a reboot.
Verified on 2000, XP.
MSN: Netguard3 @ Hotmail (dot) com
Paolo
Jan 16, 2009 @ 08:38:48
Many Windows NT accounts become locked because of this virus, I suppose.
But the virus isn’t in the PC (the Symantec and F-Secure tools say).
Paolo
Paolo
Jan 16, 2009 @ 14:11:20
We are just using the Symantec antivirus system and I hadn’t thought about a Symantec fix tool.
Just downloaded it and distributed it to my colleagues.
Paolo
Sparky
Jan 16, 2009 @ 21:22:10
Our network has been hit by this really hard. We run Symantec products version 10 but it is still no match for this worm. We ran all of their removal tools and the machines scanned as clean, then put them back on the network and had the administrative scan run at midnight and about 60% of the ones I had cleaned show infected again. Symantec has just sent us a new W32.Downadup removal tool this morning and I am testing it out to see if it works.
George
Jan 19, 2009 @ 09:30:34
Hello Sparky, I have the same problem. I can’t get rid of it on some stations. The Symantec tool worked on 90% of the PCs but I don’t understand why it doesn’t work on all of them. I also scanned with a BitDefender removal tool and I had the same results. If you find a solution please tell us.
Thank you!
bruce
Jan 19, 2009 @ 17:42:55
Download and run VIPRE (Free trial version). It kills it.
Paolo
Jan 22, 2009 @ 09:19:55
I’m worrying about all these new free antivirus programs.
Too many. How many of these are really fighting viruses? Or creating new ones, or collecting computer information?
A.
Jan 22, 2009 @ 14:52:34
I think I fixed the problem on my personal company PC: I downloaded the following Microsoft Windows XP patch: WindowsXP-KB958644-x86-ITA.exe (ITA because I have the Italian version of Windows XP installed), executed it, followed the instructions and, after rebooting, scanned the PC with AVG and removed the menaces that it found.
Extremesecurity
Jan 22, 2009 @ 21:46:59
I’ve created a batch file for system administrators to clean/patch/cure infected systems in their networks.
check it out here:
extremesecurity.blogspot.com/2009/01/beat-downadupconficker-like-pro-my.html
david
Jan 27, 2009 @ 17:06:33
It took me about 50 hours for 6 servers and 70 PCs to get rid of this. This is what I did.
1. Disable System Restore.
2. Boot in Safe Mode.
3. Run windows-kb890830-v2.6.exe from Microsoft (RUN A FULL SCAN). When it finds it you will need to reboot the system to get rid of it.
4. Run Windows Update and make sure everything is updated.
5. Update the virus definitions with LiveUpdate. We have Symantec Endpoint 11.0 MR4.
6. Run a full scan on the system.
Everything has been OK for 2 days now.
You should be clean after that.
subrmananiyan
Jan 31, 2009 @ 06:05:40
I am getting a pop-up like “w32.Downadup in rfitdc.h”. Can anyone help me to clean this virus?
eric
Jan 31, 2009 @ 18:23:05
This is how you remove it.
1. Go to the registry key HKEY_Local_Machine\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\GloballyOpenPorts\List
137:UDP:*:Enabled:@xpsp2res.dll,-22001
138:UDP:*:Enabled:@xpsp2res.dll,-22002
139:TCP:*:Enabled:@xpsp2res.dll,-22004
3389:TCP:*:Enabled:@xpsp2res.dll,-22009
445:TCP:*:Enabled:@xpsp2res.dll,-22005
- delete these files (usually 3389 is the only one that appears).
- run Symantec
- run Windows Update
- go to DOS and type in cd c:\windows\system32
- then type in dir *.dll /ahs; it will show one dll file
- go to the location c:\windows\system32, then Tools in the menu bar, then the View tab, and uncheck “Hide protected operating system files”
- search for the file you found in DOS
- right click the file, select Properties, then the Security tab, and then the Owner tab and select another owner such as Administrator; hit Apply. Close the Properties window
- right click the file, select Properties, then the Security tab, and allow all permissions for that file; hit OK.
- wait about 10 seconds and the file should delete
- reboot the PC and it’s gone.
eric
Jan 31, 2009 @ 18:24:09
Run Windows Update for this virus. The link is in a post above.
Ben
Feb 05, 2009 @ 02:48:35
OK, so I think I caught the tail end of this worm.
Unfortunately it burrowed its head into my system first.
AVG caught it on its way in; however, it seems to have made EVERY exe file on my computer try to access that dll when they run. Some programs shoot off the error message and then work normally, others won’t work at all. When AVG has the dll quarantined I basically get spammed with error messages; if I restore the file I get the 0xc0000022 messages and nothing works then either. Any ideas?
Murad
Feb 11, 2009 @ 08:53:01
I am getting a pop-up like “w32.Downadup.B” from my Symantec anti virus: clean failed, quarantine failed, access denied in
C:\Windows\system32\fbdmvazf.dll
Can anyone help me to clean this virus?
mike
Feb 11, 2009 @ 12:56:40
Hi,
I already tried to update the Symantec Antivirus to February 5th and ran a full scan, but it can’t find the worm. But I am getting a pop-up like “w32.Downadup” from my Symantec anti virus: clean failed, quarantine failed and some delete succeeded. Can anyone help me to clean this virus?
Regards,
mike
Boris
Feb 16, 2009 @ 22:13:03
This virus uses admin shares to infect other machines. It is very important to log off any administrator account and set a difficult password. You can use My Computer > Manage > Shared Folders > Sessions to see which computer is trying to infect you. It is very important to check shared folders for an autorun.inf file. Also very important is to disable the autorun option. The Task Scheduler service must be stopped. The admin shares admin$ and c$ must be stopped. This helped me for a network of 200 computers and 20 servers. Use the Symantec removal tool and the Microsoft patch. Once computers are patched and the AV database updated, the virus can’t infect them.
P.S.
For anyone who is bored with pop-up messages from AV, disable the admin and c shares on the computer and it will stop. Scan and patch it and clear the task scheduler.
ary
Mar 24, 2009 @ 16:58:16
The only site that I could access when I had Downadup is bdtools.net, a BitDefender site. The removal tool there is great and they have one for networks also.
Stephen Tzintzis
Apr 01, 2009 @ 20:15:41
After spending almost 3 weeks virtually devoting all my time on understanding, studying, and researching this virus I’ve finally come up with the best utilities and steps to overcome this stubborn worm.
There are currently three variants of the virus, .A,.B, and .C.
Of the three .C is the hardest to inoculate, with .B being the most widespread.
How do I know if I’m infected with .B or .C?
It’s pretty simple. If you managed to download the MS security patch and various scanners/cleaning utilities that don’t run when you open them (i.e., they open and close extremely quickly, the processes being killed by the virus), and if you tried booting into Safe Mode but couldn’t, then you most certainly have the .C variant of the virus lurking on your PC. If you’ve noticed this happen on your PC and are having a nightmare removing it (the way I had), then proceed to the .C Clean and Removal Steps below.
.B is fairly simple to remove/clean. Therefore I’ll start with
.B Clean and Removal Steps
————————————-
(a) download the following four files
(1)- http: //iv.cs.uni-bonn.de/uploads/media/conficker_mem_killer.exe
(2)- http: //iv.cs.uni-bonn.de/uploads/media/regnfile_01.exe
(3)- http: //www.bdtools.net/download/bd_rem_tool.zip
(4)- http: //www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
and download the appropriate MS-Hot Fix for your Operating System
(b) if you cannot get to one or any of the above links, stop your DNS Client Service
(c) boot the PC in Safe Mode
(d) run conficker_mem_killer.exe, then run regnfile_01.exe, then bd_rem_tool_console.exe (unzipped from the bd_rem_tool.zip files), and then finally patch the system with the appropriate MS-Hot Fix you downloaded.
(e) reboot in normal mode and re-run all those files except for the patch again
(f) Go to your Services and start and set the following services to Automatic
– Windows Update
– BITS
– Error Reporting
– Security Server (if applicable)
– Windows Firewall
(g) For extended protection, stop the Computer Browser service and set it to Disabled
(h) For extended protection, stop the Task Scheduler service and set it to Disabled
(i) For extended protection, stop the Server service (and any dependant services) and set it to Disabled (note that if your PC needs to share files or printers this service must be started and set to automatic)
(j) Enable your Windows Firewall and set the appropriate Exceptions you need (highly recommended)
(k) apply the latest Windows Service Pack and Fully Windows Update your PC (absolutely required)
(l) Set Windows Update to run daily and automatically update your PC
– open gpedit.msc (start>run and type in ‘gpedit.msc’) if you’re using XP SP2+ and go to Computer Configuration>Administrative Templates>Windows Components>Windows Update>No Auto Restart …. (Enable) so that after windows updates your PC automatically in the background it WILL NOT automatically restart the PC if there is a currently logged on user. (highly recommended)
(m) if you want to take further preventative measures, disable autorun by opening gpedit.msc and going to
Computer Configuration>Administrative Templates>Windows Components>System>Turn Off Autoplay (Enable)
(n) Install the latest version of your Antivirus Software and make sure the virus definitions are fully updated and set to check and install updates daily. (highly recommended)
.C Clean and Removal Steps
————————————-
Do steps (a) and (b) as in the .B Removal Steps.
Now you just need to get your PC to boot into Safe Mode.
To do so you need to get the Safe Mode registry keys from a similar PC (same O/S), export them from there and then import them on the infected PC.
This should allow you to boot into safe Mode on the infected PC.
Once you’re in safe Mode you can proceed with steps (c) onward without any problems.
The SafeMode keys you need to get are located in:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
Export the entire SafeBoot Hive (folder)
To import this file on the infected PC, simply double click on the .REG file you just exported.
The .C variant also prevents you from viewing hidden files on your PC.
The following Batch file should resolve this problem:
@ECHO OFF
BREAK ON
REM Restore the Explorer "Show hidden files and folders" option the worm turns off
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 0x1 /f
pause
exit
Good Luck.
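The indicators the posters converge on (Gen’s and eric’s GloballyOpenPorts entries, the random two-word netsvcs services Juk and George describe, the services Jason’s script checks for being disabled, and the SHOWALL value in Greg’s log and Stephen’s batch file) can be checked offline against a `reg export` of the affected keys. The Python below is an added example, not a script from this thread; the service short names and the random-name pattern are my assumptions, and the sample export is constructed from the names the posts report.

```python
import re

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
PORT_LIST = SERVICES + r"\SharedAccess\Parameters\FirewallPolicy\GloballyOpenPorts\List"
SHOWALL = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Advanced\Folder\Hidden\SHOWALL")
START_DISABLED = 4
# Short names (my assumption) of the services the posts say the worm disables:
# Windows Update, BITS, Error Reporting, Windows Firewall.
MUST_NOT_BE_DISABLED = {"wuauserv", "BITS", "ERSvc", "SharedAccess"}
WORM_PORTS = {"137:UDP", "138:UDP", "139:TCP", "445:TCP", "3389:TCP"}
RANDOM_NAME = re.compile(r"^[a-z]{5,8}$")  # vzyeevv, xbmaoar, uweytn in the thread

# Constructed sample export: the indicators (service/DLL names, display name,
# disabled services, firewall exceptions, SHOWALL value) are those the thread
# reports; the file itself is made up for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Start"=dword:00000004
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vzyeevv]
"Start"=dword:00000002
"DisplayName"="Windows Security"
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vzyeevv\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\fbdmvazf.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""


def parse_reg(text):
    """Parse a REGEDIT5 (`reg export`) dump into {key: {value_name: value}}."""
    hive, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hive.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, val = m.groups()
        if val.startswith("dword:"):
            hive[current][name] = int(val[6:], 16)
        elif len(val) >= 2 and val[0] == val[-1] == '"':
            hive[current][name] = val[1:-1].replace("\\\\", "\\")  # un-escape path
        else:
            hive[current][name] = val
    return hive


def check_hive(hive, netsvcs_baseline):
    """List the thread's worm indicators present in a parsed hive.
    netsvcs_baseline: service names legitimately run under `svchost -k netsvcs`,
    captured from a known-clean machine of the same Windows build."""
    findings = []
    for key, values in hive.items():
        if not key.startswith(SERVICES + "\\"):
            continue
        name = key[len(SERVICES) + 1:]
        if "\\" in name:
            continue  # sub-key such as ...\Parameters; read via its service
        if name in MUST_NOT_BE_DISABLED and values.get("Start") == START_DISABLED:
            findings.append(f"{name}: service set to Disabled (worm side effect)")
        if "-k netsvcs" in values.get("ImagePath", "").lower() and name not in netsvcs_baseline:
            dll = hive.get(key + "\\Parameters", {}).get("ServiceDll", "<none>")
            tag = "random-looking" if RANDOM_NAME.match(name) else "unexpected"
            findings.append(f"{name}: {tag} netsvcs service '{values.get('DisplayName', '')}', "
                            f"Start={values.get('Start')}, ServiceDll={dll}")
    for value_name, data in hive.get(PORT_LIST, {}).items():
        if value_name in WORM_PORTS and ":Enabled:" in str(data):
            findings.append(f"{value_name}: firewall exception enabled; confirm it is expected")
    if hive.get(SHOWALL, {}).get("CheckedValue") == 0:
        findings.append("SHOWALL\\CheckedValue is 0: hidden-file display suppressed")
    return findings


if __name__ == "__main__":
    for finding in check_hive(parse_reg(SAMPLE_REG), {"BITS", "wuauserv"}):
        print(finding)
```

The 137/138/139/445 entries are also what File and Printer Sharing writes, so treat a port hit as something to confirm rather than proof on its own; the unexpected netsvcs service with a ServiceDll in System32 is the stronger signal.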
abigail
Apr 22, 2009 @ 16:00:35
If we format the laptop, can it delete the worm?
precisesecurity
Apr 26, 2009 @ 11:53:43
Formatting is the last thing that should be done. But if you are willing to format, it will remove the threat.
Emy
Aug 10, 2009 @ 11:04:07
I’ve got a flash memory stick from China, found it on eBay, and when I put it into my laptop Avira came up saying something about that W32.Downadup.B worm. Cleaned it and that’s it; everything is fine.
PC Antivirus Update
Oct 10, 2009 @ 12:15:18
Hi
Thanks for sharing useful information about W32.Downadup. But I suggest Best Virus Protection software. This software fully protects your computer.
amar
Oct 27, 2009 @ 15:09:45
If we format the laptop, can it delete the worm?
Dayalan
Nov 06, 2009 @ 10:06:21
Hi,
please help, I need some help to remove Downadup.
I tried Malwarebytes, the Symantec tool, the F-Secure tool, even the BitDefender one… checked the registry and no sign there… any other ideas?
zee
Dec 24, 2009 @ 03:23:24
I tried almost all the solutions from you guys but it didn’t work… after deleting the worm it came back… help me