W32.Downadup is a worm that can kill antivirus programs and block infected computers from visiting legitimate security web sites. This worm also spreads on local and network drives by taking advantage of the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability. W32.Downadup also creates its own Service on Windows to run itself each time Windows starts. Its method to spread stretches from local network and the Internet by taking advantages of software and security weaknesses.
When executed, W32.Downadup will drop files on various locations on the hard drive. It will also modify the registry and add an entry that will result to automatic loading of the virus when Windows starts.
Alternative way for self start-up is to create a service driver. It drops the following file for the said process.
%System%\0[RANDOM FILE NAME].tmp
Once inside the computer, user may notice several abnormalities. One of which is presence of files and folders consisting of random names. This worm may also modify and delete files and folders. It also lowers security setting by deleting registry entries that are associated to antivirus and other protection software.
The primary goal of W32.Downadup is to spread other types of threats. In its initial release, the worm involves in various activities that causes spread of fake antivirus software, also known as rogue security program. This fraud behavior will push computer users to purchase a useless program through misleading techniques.
This worm heavily operates on peer-to-peer network connection to distribute another harmful code in the form of W32.Waledac.
W32.Downadup family of worms is probably the most productive in current era. It quickly spread and infected at least half a million computers in its initial released. It uses various propagation channels and maximizes the Internet to reach interconnected victims via this method.
- Exploiting security in Internet browsers to enter the computer
- Take advantage of Windows and Server vulnerability
- Make a copy of itself to removable media drives and execute through Autorun functions
- Drop malicious files on network shared folder and drives
Technical Details and Additional Information:
Alias: Win32/Conficker.A, W32/Downadup.A, Conficker.A, Net-Worm.Win32.Kido.bt, WORM_DOWNAD.AP, W32/Conficker
Damage Level: High
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Other functionalities of this Worm:
– W32.Downadup will create files and folders with random characters.
– This Worm W32.Downadup will connect to a remote server to download an updated copy of itself.
– It can block access to security web sites by monitoring and redirecting domain request.
How to Remove W32.Downadup
Systematic procedures to get rid of the threat are presented on this section. Make sure to scan the computer with suggested tools and scanners.
NOTE: We suggest that you PRINT or BOOKMARK this guide. There are steps that we may have to restart the computer in order to successfully remove the threat.
Step 1 : Scan and remove W32.Downadup with this special tool
1. Download the Downadup removal tool from this link and save it on your Desktop or any accessible location.
This tool is available free. It can delete members of the Downadup family of Trojan. The tool is created with removal function; it cannot protect the computer from threats.
2. Double click on downloaded file, chose "Extract all files..." from the File menu, and follow the wizard's instructions. You can use any other archiver, like WinZip. This will create a folder called bd_rem_tool.
3. Double click on the file "bd_rem_tool_gui.exe" (or just "bd_rem_tool_gui"). Make sure that all files have been extracted from the zip archive, because all the contents are required for the removal tool to run. Follow the tool's instructions.
4. If you have Restricted Access (not Admin) on Windows Vista and XP, right click the "bd_rem_tool_gui" program and choose "Run as Administrator". Enter the computer Administrator User name and Password when prompted. This will scan the computer for presence of W32.Downadup. Remove all detected threats.
5. Reboot your computer when scanning is finished.
Step 2 : Run a scan with your antivirus program
1. Remove all media such as floppy drive, cd, dvd, and USB devices. Then, restart the computer and please do the following:
Boot in Safe Mode with Networking on Windows XP, Windows Vista, and Windows 7 system
a) Before Windows begins to load, press F8 on your keyboard.
b) It will display the Advanced Boot Options menu. Select Safe Mode with Networking.
Start computer in Safe Mode with Networking using Windows 8
a) Before Windows begins to load, press Shift and F8 on your keyboard.
b) On Recovery interface, click on 'See advanced repair options'.
c) Next, click on Troubleshoot option.
d) Then, select Advanced options from the list.
e) Lastly, please choose Windows Startup Settings and click on Restart. When Windows restarts, you will be send to a familiar Advanced Boot Options screen.
f) Select Safe Mode with Networking from the selections menu.
2. Once Windows is running under Safe Mode with Networking, open your antivirus program and download the most recent update. This method ensures that your antivirus program can detect even newer variants of W32.Downadup.
Updating your antivirus software is a one-click process. Please refer to your software manual for complete instructions.
3. Once updating is finished, run a full system scan on the affected PC. After the scan, delete all infected items. If unable to clean or delete, better place the threat in quarantine.
Step 3: Run another test with online virus scanner
Another way to remove W32.Downadup without the need to install additional antivirus software is to perform a thorough scan with free online virus scanner. It can be found on websites of legitimate antivirus and security provider.
1. Click the button below to proceed to the list of suggested Online Virus Scanner. Choose your desired provider. You can run each scan individually, one at a time, to ensure that all threats will be removed from the computer. This may require plug-ins, add-on or Activex object, please install if you want to proceed with scan.
2. After completing the necessary download, your system is now ready to scan and remove W32.Downadup and other kinds of threats.
3. Select an option in which you can thoroughly scan the computer to make sure that it will find and delete entirely all infections not detected on previous scan.
4. Remove or delete all detected items.
5. When scanning is finished, you may now restart the computer in normal mode.
Alternative Removal Procedures for W32.Downadup
Option 1 : Use Windows System Restore to return Windows to previous state
During an infection, W32.Downadup drops various files and registry entries. The threat intentionally hides system files by setting options in the registry. With these rigid changes, the best solution is to return Windows to previous working state is through System Restore.
To verify if System Restore is active on your computer, please follow the instructions below to access this feature.
Access System Restore on Windows XP, Windows Vista, and Windows 7
a) Go to Start Menu, then under 'Run' or 'Search Program and Files' field, type rstrui.
b) Then, press Enter on the keyboard to open System Restore Settings.
Open System Restore on Windows 8
a) Hover your mouse cursor to the lower left corner of the screen and wait for the Start icon to appear.
b) Right-click on the icon and select Run from the list. This will open a Run dialog box.
c) Type rstrui on the 'Open' field and click on OK to initiate the command.
If previous restore point is saved, you may proceed with Windows System Restore. Click here to see the full procedure.
Option 2 : W32.Downadup manual uninstall guide
IMPORTANT! Manual removal of W32.Downadup requires technical skills. Deleting system files and registry entries by mistake may result to total disability of Windows system. We advise you to perform a backup of registry before proceeding with this guide.
1. Kill any running process that belongs to W32.Downadup.
- Press Ctrl+Alt+Del on your keyboard.
- When Windows Task Manager appears, look for W32.Downadup files (refer to Technical Reference) and click End Process.
2. Delete all registry entries that belong to this malware.
- Press [Windows Key]+R on your keyboard.
- In the 'Open' dialog box, type regedit and press Enter. This will open registry editor.
- Find and delete the following:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random charaters.exe]"
- Close registry editor. Changes made will be save automatically.
3. Scan the computer with antivirus program.
- Connect to Internet and open your antivirus software. Please update to obtain the latest database and necessary files.
- Restart the computer in Safe Mode using the procedures above.
- Open your anti-virus program and thoroughly run a scan on the computer. Delete/Quarantine all identified threats to remove W32.Downadup effectively.
4. Delete all files dropped by W32.Downadup.
- While still in Safe Mode, search and delete malicious files. Please refer to 'Technical Reference'. Make sure that you execute 'End Task' first before deleting the file. Otherwise, the system will not let you perform this action.
Ways to Prevent W32.Downadup Infection
Take the following steps to protect the computer from threats. Suggested tools and security setup within installed software helps prevent the same attack on your PC.
Install an effective anti-malware program
Your first line of defense would be an effective security program that provides real-time protection. We have a list of anti-malware program that are tried and tested. It does not only scan files but also monitors your Internet traffic and is extremely active on blocking malicious communication. Click on the button below to download our recommended anti-malware program.
Always update your installed software
Software vendors constantly releases updates for programs whenever a flaw is discovered. Getting the updates makes the computer more secured and help prevents Trojan, virus, malware, and W32.Downadup similar attacks. If in case your program is not set for instant update, it usually offered from vendor's web site, which you can download anytime.
Maximize the security potential of your Internet browser
Each browser has their own feature where in you can adjust the security settings that fit your browsing habit. We highly encourage you to maximize the setup to tighten the security of your browser.
Apply full caution when using the Internet
Internet is full of fraud, malware, and many forms of computer threats including W32.Downadup. Implement full caution with links that you may receive from emails, social networking sites, and instant messaging programs. It might lead you to malicious sites that can cause harm to your computer. Avoid strange web sites that offers free services and software downloads.