W32.Downadup

If your computer is infected with W32.Downadup, you may follow the procedure on this page to contain this threat. Remove the virus at once before it can further harm the system.

W32.Downadup is a worm that can kill antivirus programs and block infected computers from visiting legitimate security web sites. It spreads across local and network drives by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability. W32.Downadup also creates its own Windows service so that it runs each time Windows starts. It spreads over both the local network and the Internet by taking advantage of software and security weaknesses.

Characteristics
When executed, W32.Downadup drops files in various locations on the hard drive. It also modifies the registry, adding an entry that causes the virus to load automatically when Windows starts.

As an alternative start-up method, it registers itself as a service. For this purpose it drops the following file:
%System%\0[RANDOM FILE NAME].tmp

Once inside the computer, the user may notice several abnormalities. One of these is the presence of files and folders with random names. The worm may also modify and delete files and folders. It also lowers security settings by deleting registry entries associated with antivirus and other protection software.

The primary goal of W32.Downadup is to spread other types of threats. In its initial release, the worm took part in various activities that spread fake antivirus software, also known as rogue security programs. This fraud pushes computer users to purchase a useless program through misleading techniques.

The worm also relies heavily on peer-to-peer network connections to distribute another piece of harmful code, W32.Waledac.

Distribution
The W32.Downadup family of worms is probably the most prolific of the current era. It spread quickly, infecting at least half a million computers in its initial release. It uses several propagation channels and makes full use of the Internet to reach interconnected victims:

  • Exploiting security flaws in Internet browsers to enter the computer
  • Taking advantage of the Windows Server Service vulnerability
  • Copying itself to removable media drives and executing through the Autorun function
  • Dropping malicious files on shared network folders and drives

Technical Details and Additional Information:

Alias: Win32/Conficker.A, W32/Downadup.A, Conficker.A, Net-Worm.Win32.Kido.bt, WORM_DOWNAD.AP, W32/Conficker

Damage Level: High

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Other functionalities of this Worm:
– W32.Downadup creates files and folders with random names.
– The worm connects to a remote server to download an updated copy of itself.
– It can block access to security web sites by monitoring and redirecting domain requests.

How to Remove W32.Downadup

Systematic procedures to get rid of the threat are presented in this section. Make sure to scan the computer with the suggested tools and scanners.

NOTE: We suggest that you PRINT or BOOKMARK this guide. Some steps require restarting the computer in order to remove the threat successfully.

Step 1 : Scan and remove W32.Downadup with this special tool

1. Download the Downadup removal tool from this link and save it on your Desktop or any accessible location.

This tool is free. It can delete members of the Downadup family. The tool only performs removal; it cannot protect the computer from future threats.

Download bd_rem_tool.zip

2. Double click on the downloaded file, choose "Extract all files..." from the File menu, and follow the wizard's instructions. You can use any other archiver, such as WinZip. This will create a folder called bd_rem_tool.

3. Double click on the file "bd_rem_tool_gui.exe" (or just "bd_rem_tool_gui"). Make sure that all files have been extracted from the zip archive, because all the contents are required for the removal tool to run. Follow the tool's instructions.

4. If you have restricted access (not Admin) on Windows Vista or XP, right click the "bd_rem_tool_gui" program and choose "Run as Administrator". Enter the computer's Administrator user name and password when prompted. The tool will scan the computer for the presence of W32.Downadup. Remove all detected threats.


5. Reboot your computer when scanning is finished.

Step 2 : Run a scan with your antivirus program

1. Remove all removable media such as memory cards, CDs, DVDs, and USB devices. Then restart the computer and do the following:

Boot in Safe Mode with Networking on Windows XP, Windows Vista, and Windows 7 systems
a) Before Windows begins to load, press F8 on your keyboard.
b) It will display the Advanced Boot Options menu. Select Safe Mode with Networking.

Start computer in Safe Mode with Networking using Windows 8
a) Before Windows begins to load, press Shift and F8 on your keyboard.
b) On Recovery interface, click on 'See advanced repair options'.
c) Next, click on Troubleshoot option.
d) Then, select Advanced options from the list.
e) Lastly, choose Windows Startup Settings and click on Restart. When Windows restarts, you will be taken to the familiar Advanced Boot Options screen.
f) Select Safe Mode with Networking from the selections menu.


2. Once Windows is running in Safe Mode with Networking, open your antivirus program and download the most recent update. This ensures that your antivirus program can detect even newer variants of W32.Downadup.

Updating your antivirus software is a one-click process. Please refer to your software manual for complete instructions.

3. Once the update is finished, run a full system scan on the affected PC. After the scan, delete all infected items. If an item cannot be cleaned or deleted, place it in quarantine.

Step 3: Run another test with online virus scanner

Another way to remove W32.Downadup without installing additional antivirus software is to perform a thorough scan with a free online virus scanner. These can be found on the websites of legitimate antivirus and security providers.

1. Click the button below to proceed to the list of suggested online virus scanners. Choose your desired provider. You can run each scan individually, one at a time, to ensure that all threats are removed from the computer. A scanner may require a plug-in, add-on or ActiveX object; install it if you want to proceed with the scan.

Online Virus Scan

2. After completing the necessary download, your system is ready to scan for and remove W32.Downadup and other kinds of threats.
3. Select the option that scans the computer thoroughly, so that any infection missed by the previous scan is found and deleted.
4. Remove or delete all detected items.
5. When scanning is finished, you may restart the computer in normal mode.

Alternative Removal Procedures for W32.Downadup

Option 1 : Use Windows System Restore to return Windows to previous state

During an infection, W32.Downadup drops various files and registry entries. The threat intentionally hides system files by setting options in the registry. Given these extensive changes, the best solution is to return Windows to a previous working state through System Restore.

To verify if System Restore is active on your computer, please follow the instructions below to access this feature.

Access System Restore on Windows XP, Windows Vista, and Windows 7

a) Go to Start Menu, then under 'Run' or 'Search Program and Files' field, type rstrui.
b) Then, press Enter on the keyboard to open System Restore Settings.


Open System Restore on Windows 8

a) Hover your mouse cursor to the lower left corner of the screen and wait for the Start icon to appear.
b) Right-click on the icon and select Run from the list. This will open a Run dialog box.
c) Type rstrui on the 'Open' field and click on OK to initiate the command.


If a previous restore point was saved, you may proceed with Windows System Restore. Click here to see the full procedure.

Option 2 : W32.Downadup manual uninstall guide

IMPORTANT! Manual removal of W32.Downadup requires technical skills. Deleting system files or registry entries by mistake may leave Windows completely unusable. We advise you to back up the registry before proceeding with this guide.

1. Kill any running process that belongs to W32.Downadup.

- Press Ctrl+Alt+Del on your keyboard.
- When Windows Task Manager appears, look for W32.Downadup files (refer to Technical Reference) and click End Process.


2. Delete all registry entries that belong to this malware.

- Press [Windows Key]+R on your keyboard.
- In the 'Open' dialog box, type regedit and press Enter. This will open registry editor.
- Find and delete the following:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random characters.exe]"
- Close registry editor. Changes made will be saved automatically.


3. Scan the computer with antivirus program.

- Connect to Internet and open your antivirus software. Please update to obtain the latest database and necessary files.
- Restart the computer in Safe Mode using the procedures above.
- Open your anti-virus program and thoroughly run a scan on the computer. Delete/Quarantine all identified threats to remove W32.Downadup effectively.

4. Delete all files dropped by W32.Downadup.

- While still in Safe Mode, search for and delete the malicious files listed in the 'Technical Reference'. Make sure that you perform 'End Task' first before deleting a file; otherwise, the system will not let you delete it.

Associated Files and Folders:

Added Registry Entries:

Ways to Prevent W32.Downadup Infection

Take the following steps to protect the computer from threats. The suggested tools and the security settings in your installed software help prevent the same attack on your PC.

Install an effective anti-malware program

Your first line of defense is an effective security program that provides real-time protection. We have a list of anti-malware programs that are tried and tested. Such a program does not only scan files but also monitors your Internet traffic and actively blocks malicious communication. Click on the button below to download our recommended anti-malware program.

Get Protection Software

Always update your installed software

Software vendors constantly release updates for their programs whenever a flaw is discovered. Installing the updates makes the computer more secure and helps prevent Trojans, viruses, malware, and attacks similar to W32.Downadup. If your program is not set to update automatically, the update is usually offered on the vendor's web site, where you can download it at any time.

Maximize the security potential of your Internet browser

Each browser has its own settings where you can adjust the security level to fit your browsing habits. We highly encourage you to tighten the security settings of your browser as far as possible.

Apply full caution when using the Internet

The Internet is full of fraud, malware, and many other forms of computer threats, including W32.Downadup. Use full caution with links that you receive through email, social networking sites, and instant messaging programs; they might lead you to malicious sites that can harm your computer. Avoid strange web sites that offer free services and software downloads.

53 Responses

  1. precisesecurity says:

    Try this one.
    1. Download removal tool from this page and save it on your Desktop.
    2. After downloading, double-click on to install the application.
    3. Follow the prompts and install as “default” only
    4. If it prompts to update the database after installation, please proceed.

    5. Click “Finish.” Program will run automatically and you will be prompt to update the program before doing a scan. Please update.
    6. Scan your computer thoroughly.
    7. When scanning is finished, click on the “Show Results”
    8. Make sure that all detected threats are marked, click on Remove Selected.
    9. Restart Windows.

  2. Husin Lim says:

    Hi,
    I already tried to update the Symantec antivirus to November 24th and ran a full scan, but it can't find the worm.
    I also can't find the registry entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PATH OF WORM EXECUTABLE]"

    Last, I try to install Malwarebytes and update it.

    But, the same alert still pop up.

  3. bogus says:

    Download and install the patch available from Microsoft(958644): microsoft.com/technet/security/Bulletin/MS08-067.mspx

  4. Gen says:

    >Go and check your windows services and observe any unfamiliar services running make sure you disable it.

    I got 3 unfamiliar running namely vzyeevv,xbmaoar and uweytn.

    Run> type msconfig > Services

    >Delete the following folders from regedit

    HKEY_Local_Machine\System\CurrentControlSet\Services

    > Delete the following entries at

    HKEY_Local_Machine\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
    GloballyOpenPorts\List

    137:UDP:*:Enabled:@xpsp2res.dll,-22001
    138:UDP:*:Enabled:@xpsp2res.dll,-22002
    139:TCP:*:Enabled:@xpsp2res.dll,-22004
    3389:TCP:*:Enabled:@xpsp2res.dll,-22009
    445:TCP:*:Enabled:@xpsp2res.dll,-22005

  5. hodish says:

    We have Symantec AntiVirus Corporate Edition With
    Full Version :8.1.0.825
    License No. : 00140V-11CQ- 1112
    License Type : Server/Client Gold ( mfg only )

    And updated up to today's date. When it scans for viruses it catches the virus like W32.Downadup, but after 2 minutes it appears again, and other viruses too.
    What can I do to remove it finally?

    Please tell me what action do for old or new virus appeared .

    Best reg.
    Hodish
    Yemen Dairy

  6. mathias_from-france says:

    Download process explorer (sysinternal)and the MS Patch (958644)

    1. Kill the process svchost (image netsvcs) with Process Explorer. There are several svchost processes, so have a look in the "image" section (the one with option -netsvcs must be killed).
    2. Install the MS Patch.
    3. Update your Antivirus.
    4. Scan your hard drive (and above all C:\documents and settings and C:\windows\system32) using your updated anti-virus. It should find w32.downadup. There are 2 infected files (one *.jpg, and one *.DLL).
    5. Reboot.

  7. weiloon yap says:

    Most of our company PCs are infected with this type of worms.
    Here are the steps that I used.

    -certain services in MSconfig are disabled
    -turn off system restore
    -clear all temp files
    -run a full scan using Symantec antivirus and Ad-Aware
    -clear all infected/quarantined files
    -patch Microsoft (958644)

    The captured viruses were successfully cleared, but the problem is my PC performance is getting slower. Everyone, any idea for this?
    Thanks

  8. kaka says:

    My system is Windows XP. The W32.Downadup virus is detected on my PC, so what can I do to protect my PC? I scanned using Norton anti-virus; it scans everything, but cannot delete the detected viruses.

    Please help me.

    Best regards.

  9. Randy says:

    Message from Symantec:

    Developer notes:
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AG7D98FV\rnihr[1].jpg is detected and repaired by NAV. Please follow the instruction at the end of this email message to install the latest available definitions.

    The current definitions are capable of detecting this virus. Please update your definitions by clicking the “LiveUpdate” button in your NAV program.

    My comment:
    Symantec AntiVirus Corporate Edition cannot totally heal or delete it. It cannot stop W32.Downadup. My real-time protection always detects it. Please help.

  10. Randy says:

    Even the following anti-virus system cannot heal or delete it totally:

    AVG Anti-Virus 8.0 Free
    Avira AntiVir Personal
    Trend Micro Internet Security 2009
    Kaspersky Internet Security 2009

  11. Heather Bowman says:

    Symantec currently WILL NOT heal it. It will only detect and remove the .dll file and .jpg payload file. The virus remains in memory and will not be deleted. This is the same with eTrust by CA.

    This is one stubborn PITA. If anyone can come up with a solution, please post it as soon as possible. This thing has to be rootkit based, but I cannot locate it.

  12. proadmin says:

    I got hit by the w32.downadup virus. I have about 20 systems with XP and 2003 Server on which this virus resides.
    I did all updates to Symantec; it still keeps coming up. Please help.

  13. precisesecurity says:

    1. Download removal tool from this page and save it on your Desktop.
    2. After downloading, double-click on to install the application.
    3. Follow the prompts and install as “default” only
    4. If it prompts to update the database after installation, please proceed.

    5. Click “Finish.” Program will run automatically and you will be prompt to update the program before doing a scan. Please update.
    6. Scan your computer thoroughly.
    7. When scanning is finished, click on the “Show Results”
    8. Make sure that all detected threats are marked, click on Remove Selected.
    9. Restart Windows.

    Note: Some malware may prevent mbam-setup.exe from downloading and running. You can download and rename this program from a different computer before running it on infected system.

  14. Greg says:

    I've got over 100 Windows XP machines and servers that are affected with this. It blocks access to security sites like avg.com, symantec.com, etc. It also blocks access to microsoft.com.

    Therefore, we can’t update virus signatures or install critical microsoft patches like MS Patch (958644).

    We first saw signs of this early on when the browser service kept bouncing on our Windows Server 2003 computers.

    We’ve downloaded Malwarebytes and installed update. But it does not find the culprit.

    Has anyone successfully removed this thing yet?

  15. Greg says:

    Malwarebytes finds the following:

    1. Trojan.Agent in C:\windows\Downloaded Programs Files\atmgr.exe

    2. Hijack.System.Hidden in HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\Showall\CheckedValue

  16. Greg says:

    here is saved log from MalwareBytes on infected machine:

    Malwarebytes’ Anti-Malware 1.31
    Database version: 1590
    Windows 5.1.2600 Service Pack 2

    1/1/2009 5:10:47 PM
    mbam-log-2009-01-01 (17-10-47).txt

    Scan type: Quick Scan
    Objects scanned: 90771
    Time elapsed: 13 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\Downloaded Program Files\atmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.

  17. Juk says:

    Greg,
    Disable the clients' DNS.
    It's DNS poisoning.
    If you stop and disable the service you'll be working in front of your DNS server directly and won't be blocked.

  18. Juk says:

    And about the DLL that keeps coming back:
    open and edit it using Notepad and it will stop the damage.
    Still working my way to find a final and total solution.

    Good luck everybody.

  19. Greg says:

    Juk,
    We’ve been able to clean some computers in safe mode using the one care live web site. It finds W32.Conficker.B virus and removes it accordingly.

    This doesn’t work on all computers though.

    Your suggestion to stop dns client has allowed us to perform Windows update. However, AVG still does not find it.

  20. proadmin says:

    Virus Detail :
    ca.com/us/security advisor/virus info/virus.aspx?ID=75911

    1- Download and install the patch available from Microsoft

    WindowsServer2003-KB958644-x86-ENU for WindowsServer2003(sp2)
    WindowsXP-KB958644-x86-ENU for WindowsXP (sp3)

    2- Run a full system scan

  21. Juk says:

    Greg,
    You can use Prevx CSI to find the nasty DLL; the DLL file size will always be 149Kb
    prevx.com/freescan.asp

    I haven't passed through the whole thread, but you can find random services with good fake names like "Windows Security" or "Config Shell" and others.
    These are not real services. They have a few things in common:
    1. the service name itself is weird
    2. it's always in the status of "Automatic" and "stopped"
    3. you won't have permission to change the status
    Refer to the Symantec web site for the registry settings you need to clean up.

    I’m still looking for an easy way to clean it up
    good luck with everything

  22. Juk says:

    By the way, the files are probably hidden and you won't have the ability to change that.
    It's also a part of the virus.
    Fix it by changing the reg key as described in the following:
    windows.ittoolbox.com/groups/technical-functional/windows-xp-pro-l/cant-view-my-hidden-file-and-folders-1774650

  23. Greg says:

    We’ve recovered from the Conficker outbreak. Disabling DNS Client was key to cleaning and patching systems.

    Thanks,

    Greg

  24. Mon says:

    We are using Windows 2000 Server and Windows Professional on our workstations. We were also hit by W32.Downadup. After reading several technical details, especially those of Symantec, we also cannot find the registry entry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PATH OF WORM EXECUTABLE]"

    What we found out is \Services\netman\Parameters…..

    Are they the same?

    Anybody out there who can help us.

    Mon

  25. naresh Verma says:

    Hi,
    I have resolved this issue using Symantec antivirus/endpoint security.
    1. Check that your antivirus is updated.
    2. If not, use the following link and download the AV update on a non-infected system.
    symantec.com/business/security_response/definitions/download/detail.jsp?gid=n95
    3. Copy the update file to the infected system and run it, then reboot the system.
    4. After 15 min, re-reboot your system.
    Now you are able to open the antivirus web site and your system will be virus free.

    Regards,
    Naresh

  26. Jason says:

    I am surprised nobody posted the f-secure page yet. It is the most comprehensive page on this.

    f-secure.com/v-descs/worm_w32_downadup_al.shtml

    We wrote a script that remotely checks for virus activity by looking up installed services for suspicious names and checking for the services it disables.

    USE AT YOUR OWN RISK

    Located here:
    quickfilepost.com/download.do?get=adeca8fcf76bae0e56ab5641b9224368

  27. George says:

    Look through the tech specs for W32.Downadup.B on Symantec… if this started happening after the 1st it may be that one and not the first… I'm finding it by looking in services.msc for two-word services (may not be started) that have a weird service name, then searching the registry for that random service name.

  28. Jason says:

    George, the script I posted searches for those random service names and is very effective. I will update it again later tonight.

  29. biggy says:

    We are trying to suppress this virus too but it's quite hard.
    Have some of you tested the F-Secure removal tool?
    With process explorer, I can see a lot of svchost process with argument like -netsvsc [random characters].

  30. Jason says:

    The F-Secure removal tool is almost useless. I've had it work twice for me. There is a brand new one that is named f-downadup. It's only 4MB and it didn't work for me the one time I wanted to use it.

    The virus will disable services and it appears that upon reboot it creates the services and writes out the DLL, etc so that it can start back up again.

    The script I posted checks to see if the specific services are disabled (which is the tell-tale sign of the virus) and if there are any suspicious services that it created (which you delete and let your AV clean up the mess). However, after the virus is gone, you will need to fix some of the things such as the disabled services and the registry settings.

    One way to see if the machine is one of the ones trying to spread or disable accounts is to run Sysinternal’s TCP VIEW which will show hundreds of [System:Process]:0 processes. A few (under 10) are ok, but hundreds is very likely the virus.

  31. ob1denobi says:

    Also the site f-secure.com/v-descs/worm_w32_downadup_al.shtml has a removal tool. I have not tested it as I am at home. I will get it tested when I’m back at work. Has anyone else used this tool?

  32. Sandeep Sharma says:

    Facing the same problem in my environment and just got the news that Symantec has finally released a removal tool.

    http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99

    Not tested yet, will test it tomorrow.

  33. Paolo says:

    In my workplace we have removed McAfee and installed Symantec Endpoint Protection 11.0.3. SEP works better than McAfee but cannot remove the infection on all the PCs.
    I will try Fsecure tool and manual procedure using Process Explorer.

    Paolo

  34. TMARC says:

    It is possible to remove the virus without failsafe etc…
    The user32.dll can be removed from cache and the running, from within a windows session.
    The only thing needed is a reboot.

    Verified on 2000,XP
    MSN: Netguard3 @ Hotmail (dot) com

  35. Paolo says:

    Many Windows NT accounts become locked because of this virus, I suppose.
    But the virus isn't in the PC (the Symantec and F-Secure tools say).

    Paolo

  36. Paolo says:

    We are just using the Symantec antivirus system and I hadn't thought about a Symantec fix tool.
    Just downloaded it and distributed it to the colleagues.

    Paolo

  37. Sparky says:

    Our network has been hit by this really hard. We run Symantec products version 10 but it is still no match for this worm. We ran all of their removal tools and the machines scanned as clean, then put them back on the network and had the administrative scan run at midnight and about 60% of the ones I had cleaned show infected again. Symantec has just sent us a new W32.Downadup removal tool this morning and I am testing it out to see if it works.

  38. George says:

    Hello Sparky, I have the same problem. I can't get rid of it on some stations. The Symantec tool worked on 90% of PCs but I don't understand why it doesn't work on all of them. I also scanned with a BitDefender removal tool and I had the same results. If you find a solution please tell us.
    Thank you!

  39. A. says:

    I think I fixed the problem on my personal company PC: I downloaded the following Microsoft Windows XP Patch: WindowsXP-KB958644-x86-ITA.exe (ITA because I have the italian version of Windows XP installed), I executed it, followed the instructions and, after rebooting, I scanned the PC with AVG and removed the menaces that it found.

  40. david says:

    It took me about 50 hours for 6 servers and 70 PC’s to get rid of this. This is what I did.

    1. Disable system restore.
    2. Boot in safe mode.
    3. Run windows-kb890830-v2.6.exe from Microsoft (RUN FULL SCAN). When it finds it you will need to reboot the system to get rid of it.
    4. Run windows updates and make sure everything is updated.
    5. Update virus definition with live update. We have Symantec Endpoint 11.0 MR4
    6. Run full scan on system.
    Everything is OK for 2 days now.

    You should be clean after that.

  41. eric says:

    This is how you remove it.

    1. go to registry HKEY_Local_Machine\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
    GloballyOpenPorts\List

    137:UDP:*:Enabled:@xpsp2res.dll,-22001
    138:UDP:*:Enabled:@xpsp2res.dll,-22002
    139:TCP:*:Enabled:@xpsp2res.dll,-22004
    3389:TCP:*:Enabled:@xpsp2res.dll,-22009
    445:TCP:*:Enabled:@xpsp2res.dll,-22005

    -delete these files (usually 3389 is the only one that appears)
    -run Symantec
    -run Windows update
    -go to DOS and type in cd c:\windows\system32
    -then type in dir *.dll /ahs; it will show one dll file
    -go to the location c:\windows\system32, then Tools in the menu bar, then the View tab, and uncheck "hide protected operating system files"
    -search for the file you found in DOS
    -right click the file, select Properties, then the Security tab, and then the Owner tab and select another owner such as Administrator; hit Apply. Close the properties window
    -right click the file, select Properties, Security tab and allow all permissions for that file, hit OK.
    -wait like 10 seconds and the file should delete
    -reboot the PC and it's gone.
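
The checks Jason (post 30) says his script performs, together with the GloballyOpenPorts entries Gen and eric list above and the SHOWALL\CheckedValue hijack in Greg's Malwarebytes log, written up as an added offline triage example (this is not Jason's script and not code from this page): it parses a constructed .reg export and a constructed service table and flags protection services set to Disabled, auto-start services that are stopped and unknown to a clean baseline, the listed firewall exceptions and the hidden-files hijack. The short service names (wuauserv, BITS, ERSvc, SharedAccess, wscsvc), the baseline set and every sample value are assumptions constructed for the example.

```python
"""Offline triage of artifacts from a suspect Windows host: a decoded .reg
export (`reg export` writes UTF-16) and a (name, start type, state) service
table transcribed from `sc query`. Findings are returned as strings."""
import re

# Firewall exceptions the posts above list under GloballyOpenPorts\List; they
# are a lead only, to be confirmed against the policy expected on the host.
DOWNADUP_OPEN_PORTS = {
    "137:UDP:*:Enabled:@xpsp2res.dll,-22001", "138:UDP:*:Enabled:@xpsp2res.dll,-22002",
    "139:TCP:*:Enabled:@xpsp2res.dll,-22004", "445:TCP:*:Enabled:@xpsp2res.dll,-22005",
    "3389:TCP:*:Enabled:@xpsp2res.dll,-22009",
}
# Protection services the thread reports the worm disabling; the short names
# are an assumption mapped from the display names used in the posts.
PROTECTION_SERVICES = {
    "wuauserv": "Windows Update", "bits": "Background Intelligent Transfer Service",
    "ersvc": "Error Reporting", "sharedaccess": "Windows Firewall",
    "wscsvc": "Security Center",
}
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
_SVC_PARAMS_RE = re.compile(r"\\services\\([^\\]+)\\parameters$")

def parse_reg_export(text):
    """Parse .reg text into {key: {value name: value}}. Keys are lower-cased
    (registry paths are case-insensitive); REG_SZ and REG_DWORD are decoded,
    any other value type is kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if not value_match or current is None:
            continue
        name, data = value_match.groups()
        if data.startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = data
        keys[current][name] = value
    return keys

def check_registry(keys, baseline):
    """Registry-side indicators described in the thread."""
    findings = []
    for key, values in keys.items():
        if key.endswith("\\globallyopenports\\list"):
            findings += ["firewall exception: " + n
                         for n in values if n in DOWNADUP_OPEN_PORTS]
        elif key.endswith("\\explorer\\advanced\\folder\\hidden\\showall"):
            if values.get("CheckedValue") == 0:  # Malwarebytes: Bad (0) Good (1)
                findings.append("hidden-files hijack: SHOWALL\\CheckedValue = 0")
        else:
            svc = _SVC_PARAMS_RE.search(key)
            if svc and svc.group(1) not in baseline and "ServiceDll" in values:
                findings.append("unknown service %s loads %s"
                                % (svc.group(1), values["ServiceDll"]))
    return findings

def check_services(services, baseline):
    """Protection services set to Disabled, and services absent from the
    clean baseline that are auto-start yet stopped (Juk's observation)."""
    findings = []
    for name, start_type, state in services:
        short = name.lower()
        if short in PROTECTION_SERVICES and start_type.lower() == "disabled":
            findings.append("%s (%s) is disabled" % (PROTECTION_SERVICES[short], name))
        elif (short not in baseline and start_type.lower() == "auto"
              and state.lower() == "stopped"):
            findings.append("unknown auto-start service stopped: " + name)
    return findings

def triage(reg_text, services, baseline_services):
    """Run both checks; baseline_services is the service set of a clean host."""
    baseline = {s.lower() for s in baseline_services}
    return (check_registry(parse_reg_export(reg_text), baseline)
            + check_services(services, baseline))

# Constructed sample export; service and DLL names are invented for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP:*:Enabled:@xpsp2res.dll,-22009"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"445:TCP:*:Enabled:@xpsp2res.dll,-22005"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vzyeevv\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\qwpxbkl.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\browser.dll"
"""
# Constructed service table and baseline (service names of a clean host).
SAMPLE_SERVICES = [("wuauserv", "Disabled", "Stopped"), ("BITS", "Disabled", "Stopped"),
                   ("SharedAccess", "Auto", "Running"), ("vzyeevv", "Auto", "Stopped"),
                   ("Browser", "Auto", "Running")]
BASELINE_SERVICES = {"wuauserv", "BITS", "ERSvc", "SharedAccess", "wscsvc", "Browser"}
```

Running `triage(SAMPLE_REG, SAMPLE_SERVICES, BASELINE_SERVICES)` yields seven findings for the constructed host; the Browser service, present in the baseline with a normal ServiceDll, produces none.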

  42. eric says:

    Run Windows update for this virus. Link is in a post above.

  43. Ben says:

    Ok, so I think I caught the tail end of this worm.
    Unfortunately it burrowed its head into my system first.

    AVG caught it on its way in; however, it seems to have made EVERY exe file on my computer try to access that dll when they run. Some programs shoot off the error message and then work normally; others won't work at all. When AVG has the dll quarantined I basically get spammed with error messages; if I restore the file I get the 0xc0000022 messages and nothing works then either. Any ideas?

  44. mike says:

    Hi,

    I already tried to update the Symantec Antivirus to February 5th and ran a full scan, but it can't find the worm. But I am getting one pop-up like "w32.Downadup" from my Symantec anti virus: clean failed, quarantine failed and some delete succeeded. Can anyone help me to clean this virus?

    Regards,
    mike

  45. Boris says:

    This virus uses admin shares to infect other machines. It is very important to log off any administrator account and set a difficult password. You can use My Computer/Manage/Shared Folders/Sessions to see which computer is trying to infect. It is very important to check shared folders for the autorun.inf file. Also very important is to disable autorun options. The Task Scheduler service must be stopped. The admin shares admin$ and c$ must be stopped. This helped me for a network of 200 computers and 20 servers. Use the Symantec removal tool and the Microsoft patch. Once computers are patched and the AV database updated, the virus can't infect them.

    P.S.
    For anyone who is bored with pop-up messages from AV, disable the admin and c shares on the computer and it will stop. Scan and patch it and clear the task scheduler.

  46. ary says:

    The only site that I could access when I had downadup is bdtools.net, a BitDefender site. The removal tool there is great and they have one for networks also.

  47. Stephen Tzintzis says:

    After spending almost 3 weeks virtually devoting all my time on understanding, studying, and researching this virus I’ve finally come up with the best utilities and steps to overcome this stubborn worm.

    There are currently three variants of the virus, .A,.B, and .C.
    Of the three .C is the hardest to inoculate, with .B being the most widespread.

    How do I know if I’m infected with .B or .C?

    It's pretty simple. If you managed to download the MS security patch and various scanners/cleaning utilities that don't run when you open them (i.e., they open and close extremely quickly, processes being killed by the virus) and if you tried booting into Safe Mode but couldn't, then you most certainly have the .C variant of the virus lurking on your PC. If you've noticed this happen on your PC and are having a nightmare removing it (the way I had) then proceed to the .C Clean and Removal Steps below.

    .B is fairly simple to remove/clean. Therefore I’ll start with

    .B Clean and Removal Steps
    ————————————-
    (a) download the following four files
    (1)- http: //iv.cs.uni-bonn.de/uploads/media/conficker_mem_killer.exe
    (2)- http: //iv.cs.uni-bonn.de/uploads/media/regnfile_01.exe
    (3)- http: //www.bdtools.net/download/bd_rem_tool.zip
    (4)- http: //www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
    and download the appropriate MS hotfix for your operating system

    (b) if you cannot get to one or any of the above links, stop your DNS Client service

    (c) boot the PC in Safe Mode

    (d) run conficker_mem_killer.exe, then run regnfile_01.exe, then bd_rem_tool_console.exe (unzipped from the bd_rem_tool.zip file), and then finally patch the system with the appropriate MS hotfix you downloaded.

    (e) reboot in normal mode and re-run all those files again, except for the patch

    (f) Go to your Services, start the following services and set them to Automatic
    – Windows Update
    – BITS
    – Error Reporting
    – Security Server (if applicable)
    – Windows Firewall

    (g) For extended protection, stop the Computer Browser service and set it to Disabled

    (h) For extended protection, stop the Task Scheduler service and set it to Disabled

    (i) For extended protection, stop the Server service (and any dependent services) and set it to Disabled (note that if your PC needs to share files or printers this service must be started and set to Automatic)

    (j) Enable your Windows Firewall and set the appropriate Exceptions you need (highly recommended)

    (k) apply the latest Windows Service Pack and fully Windows Update your PC (absolutely required)

    (l) Set Windows Update to run daily and automatically update your PC
    – open gpedit.msc (Start > Run and type in ‘gpedit.msc’) if you’re using XP SP2+ and go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > No Auto Restart …. (Enable) so that after Windows updates your PC automatically in the background it WILL NOT automatically restart the PC if there is a currently logged-on user. (highly recommended)

    (n) if you want to take further preventative measures, disable autorun by opening gpedit.msc and going to
    Computer Configuration > Administrative Templates > Windows Components > System > Turn Off Autoplay (Enable)

    (o) Install the latest version of your antivirus software and make sure the virus definitions are fully updated and set to check for and install updates daily. (highly recommended)

    .C Clean and Removal Steps
    ————————————-
    Do steps (a) and (b) as in the .B Removal Steps.

    Now you just need to get your PC to boot into Safe Mode.

    To do so you need to get the Safe Mode registry keys from a like PC (same O/S), export them from there and then import them on the infected PC.

    This should allow you to boot into safe Mode on the infected PC.

    Once you’re in Safe Mode you can proceed with steps (c) onward without any problems.

    The Safe Mode keys you need are located in:
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
    Export the entire SafeBoot hive (folder)

    To import this file on the infected PC, simply double click on the .REG file you just exported.

    The .C variant also prevents you from viewing hidden files on your PC.
    The following Batch file should resolve this problem:

    @ECHO OFF
    BREAK ON
    REM Restore Explorer's "Show hidden files and folders" option: CheckedValue = 1 under SHOWALL
    REM (/f overwrites without prompting; reg.exe accepts the 0x1 hex form for REG_DWORD)
    reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 0x1 /f
    pause
    exit

    Good Luck.
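
The checks and hardening steps from comment 45 (admin shares, inbound sessions, autorun.inf, Task Scheduler) and comment 47 (service settings, SafeBoot keys, hidden files, the Autoplay policy) can be driven from one script, shown here as an added example that is not part of either post and not from any vendor tool. It assumes the standard Windows service names (Schedule, Browser, LanmanServer, wuauserv, BITS, ERSvc, SharedAccess/MpsSvc, Dnscache), that KB958644 is the hotfix number for MS08-067 (confirm against the bulletin for your OS), and that NoDriveTypeAutoRun and AutoShareWks/AutoShareServer are the registry values behind the gpedit and admin-share settings. It is read-only unless -Harden is passed; pass -KeepServer if the machine must keep sharing files or printers.

```powershell
<#
  Added triage/hardening helper for the Downadup steps in comments 45 and 47.
  Not from the original posts. Run in an elevated Windows PowerShell prompt.
  Read-only by default; -Harden applies the service, share and registry
  changes the posts describe. Assumptions: the Windows service names below,
  KB958644 as the MS08-067 update (check the bulletin for your OS), and the
  registry values that back the two gpedit settings.
#>
param(
    [switch]$Harden,      # apply changes instead of just reporting
    [switch]$KeepServer   # leave the Server service alone (file/printer sharing needed)
)

$ShowAllKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$AutoRunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$LanmanKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$SafeBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

function Get-DownadupIndicators {
    # Comment 45: inbound SMB sessions show which machine is hammering this one's shares
    $sessions = @(net session 2>$null | Where-Object { $_ -match '^\\\\' })

    # Comment 45: look for autorun.inf at the root of every share and every local drive
    $roots = @()
    foreach ($line in (net share)) {
        if ($line -match '^\S+\s+([A-Za-z]:\\\S*)') { $roots += $Matches[1] }
    }
    $roots += Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }
    $autorun = @($roots | Sort-Object -Unique |
        ForEach-Object { Join-Path $_ 'autorun.inf' } |
        Where-Object { Test-Path -LiteralPath $_ })

    # Comment 45: the worm re-launches itself through Task Scheduler jobs (At*.job)
    $jobs = @(Get-ChildItem -Path (Join-Path $env:windir 'Tasks') -Filter *.job -Force `
                -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })

    # Comment 47: .C removes the SafeBoot keys, which is why Safe Mode no longer boots
    $safeBoot = (Test-Path "$SafeBootKey\Minimal") -and (Test-Path "$SafeBootKey\Network")

    # Comment 47: .C also stops Explorer from showing hidden files (CheckedValue should be 1)
    $showAll = (Get-ItemProperty -Path $ShowAllKey -Name CheckedValue `
                -ErrorAction SilentlyContinue).CheckedValue

    # MS08-067 present?  (Get-HotFix queries Win32_QuickFixEngineering)
    $patched = [bool](Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue)

    # State and start mode of the services both posts want stopped or running
    $svc = @{}
    foreach ($n in 'Schedule', 'Browser', 'LanmanServer', 'wuauserv', 'BITS', 'Dnscache') {
        $w = Get-WmiObject Win32_Service -Filter "Name='$n'"
        $svc[$n] = if ($w) { "$($w.State)/$($w.StartMode)" } else { 'absent' }
    }

    New-Object PSObject -Property @{
        InboundSessions  = $sessions
        AutorunFiles     = $autorun
        ScheduledJobs    = $jobs
        SafeBootKeysOk   = $safeBoot
        HiddenFilesShown = ($showAll -eq 1)
        MS08067Applied   = $patched
        Services         = $svc
    }
}

function Invoke-DownadupHardening {
    # Comment 47 step (f): services that must run so updates and the firewall work
    foreach ($n in 'wuauserv', 'BITS', 'ERSvc', 'SharedAccess', 'MpsSvc') {
        if (Get-Service -Name $n -ErrorAction SilentlyContinue) {
            Set-Service -Name $n -StartupType Automatic
            Start-Service -Name $n -ErrorAction SilentlyContinue
        }
    }
    # Comment 45 and comment 47 steps (g)-(i): stop and disable the spreading paths
    $stop = @('Browser', 'Schedule')
    if (-not $KeepServer) { $stop += 'LanmanServer' }   # Browser depends on Server, so it goes first
    foreach ($n in $stop) {
        if (Get-Service -Name $n -ErrorAction SilentlyContinue) {
            Stop-Service -Name $n -Force -ErrorAction SilentlyContinue
            Set-Service -Name $n -StartupType Disabled
        }
    }
    # Comment 45: no more admin$ / c$ shares, now and after the next reboot
    foreach ($s in 'ADMIN$', 'C$') { net share $s /delete 2>$null | Out-Null }
    Set-ItemProperty -Path $LanmanKey -Name AutoShareWks    -Type DWord -Value 0
    Set-ItemProperty -Path $LanmanKey -Name AutoShareServer -Type DWord -Value 0
    # Comment 47 step (n): registry form of "Turn Off Autoplay" for all drive types
    if (-not (Test-Path $AutoRunKey)) { New-Item -Path $AutoRunKey -Force | Out-Null }
    Set-ItemProperty -Path $AutoRunKey -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
    # Comment 47 batch file: show hidden files again
    Set-ItemProperty -Path $ShowAllKey -Name CheckedValue -Type DWord -Value 1
}

# Comment 47 .C steps: export SafeBoot from a clean machine, import on the infected one.
function Export-SafeBootKeys([string]$Path) { reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot' $Path }
function Import-SafeBootKeys([string]$Path) { reg.exe import $Path }

Get-DownadupIndicators | Format-List
if ($Harden) { Invoke-DownadupHardening }
```

Run it first without switches on the suspect machine and read the report: a listed InboundSessions entry is the peer comment 45 says to hunt down, a non-empty AutorunFiles or ScheduledJobs list means the share and scheduler paths are still live, and SafeBootKeysOk being False is the .C symptom from comment 47, so run Export-SafeBootKeys on a clean machine of the same OS and Import-SafeBootKeys here before booting to Safe Mode. Only then apply -Harden, and re-run the report afterwards to confirm the service states and the MS08-067 check flipped.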

  48. precisesecurity says:

    Formatting is the last thing that should be done. But if you are willing to format, it can remove the threat.

  49. Emy says:

    I got a flash memory stick from China, found it on eBay, and when I put it into my laptop Avira came up warning about the W32.Downadup.B worm. Cleaned it and that’s it; everything is fine.

  50. PC Antivirus Update says:

    Hi
    Thanks for sharing useful information about W32.Downadup. But I suggest Best Virus Protection software. This software fully protects your computer.

  51. amar says:

    If we format the laptop, can it delete the worm?

  52. Dayalan says:

    Hi,
    please help, I need some help to remove Downadup.
    I tried Malwarebytes, the Symantec tool, the F-Secure tool, even the BitDefender one… checked the registry and no sign there… any other ideas?

  53. zee says:

    I tried almost all the solutions from you guys but it didn’t work… after deleting the worm, it came back… help me
