
About Win32.Worm.Downadup and its removal

Date: 01/09/2009
Author: Andrei Bereczki

Win32.Worm.Downadup is, as its name suggests, a worm. It spreads by exploiting a remote code execution vulnerability in the Windows Server service, reachable over RPC (the flaw fixed by MS08-067). With every Windows system except the Windows 7 Beta at its disposal, plus highly optimized code, the e-threat is spreading with incredible speed.

The estimated number of infected PCs is 500,000 and rising. Considering that it first appeared in late November 2008 and that Microsoft issued a patch for this vulnerability on 23 October 2008, a month before the worm was seen, several questions arise:
1.    How come so many systems are still vulnerable to the worm?
2.    Is this the beginning of a new botnet?
 
To answer the first question: it seems people fail to see the importance of system patches, especially those rated "Critical". Several weeks or even months can pass before they consider installing them. So how do you solve a security problem caused by users who refuse to update their machines? I would like you to ponder this question and hit me with a reply whenever something comes to mind.

To answer the second question: yes. Upon execution, Win32.Worm.Downadup attempts to download a version of the well-known "Antivirus XP" rogue. More information about rogue security software is available here. Rogue security software implies illegally obtained money, so there is a very plausible financial motive for a botnet. If Downadup continues to grow at this rate, we could be seeing the birth of a rival to established botnets like Storm.
 
For a more technical description of Win32.Worm.Downadup, please check out this week's malware review.
 
To remove Win32.Worm.Downadup follow these steps, in this order:
1.    Disable System Restore, so that copies of the worm's files are not kept in a restore point.
2.    Download and install the MS08-067 vulnerability patch from here, while the machine is still online.
3.    Unplug your network cable or disable your network device, so that an unpatched neighbour cannot reinfect the machine while it is being cleaned.
4.    Run the removal tool developed by BitDefender Labs, then reboot.
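The four steps above end with a reboot but no verification. The PowerShell script below is an added example, not part of the original post or of the BitDefender tool, that checks the outcome on one machine: whether the MS08-067 hotfix is installed, whether an autorun.inf is still sitting in any drive root, and whether the worm's name-lookup filter (the website blocking discussed in the comments below) is still active. Assumptions: MS08-067 was delivered as hotfix KB958644, the script runs in an elevated PowerShell 2.0+ prompt, the machine is back online for the resolution check, and www.example.com is used as a control host the filter does not match.

```powershell
# Added example, not from the BitDefender post: verify the result of the
# removal steps on a Windows machine. Assumptions: MS08-067 shipped as hotfix
# KB958644; PowerShell 2.0 or later in an elevated prompt; the network is
# reconnected for the name-resolution check; www.example.com is a control host.

function Test-MS08067Patch {
    # Installed hotfixes are listed by KB number in Win32_QuickFixEngineering.
    $fix = Get-WmiObject -Class Win32_QuickFixEngineering |
        Where-Object { $_.HotFixID -match '958644' }
    return [bool]$fix
}

function Get-AutorunInfFiles {
    # The worm drops autorun.inf into the root of every drive; list any that remain.
    $found = @()
    foreach ($disk in Get-WmiObject -Class Win32_LogicalDisk) {
        $path = $disk.DeviceID + '\autorun.inf'     # e.g. C:\autorun.inf
        if (Test-Path -LiteralPath $path -ErrorAction SilentlyContinue) {
            $found += $path
        }
    }
    return $found
}

function Test-DnsClientRunning {
    # Stopping the "DNS Client" service (Dnscache) sidesteps the worm's filter,
    # so the resolution check below only means something while it is running.
    return (Get-Service -Name Dnscache).Status -eq 'Running'
}

function Test-HostResolves {
    param([string]$HostName)
    try {
        [System.Net.Dns]::GetHostAddresses($HostName) | Out-Null
        return $true
    } catch {
        return $false
    }
}

function Test-DownadupUrlFilter {
    # The worm blocks lookups whose name contains strings such as "microsoft"
    # or "defender". A control host that resolves while a filtered host does
    # not is the tell-tale sign that the filter is still in place.
    $control  = Test-HostResolves 'www.example.com'
    $filtered = @('www.microsoft.com', 'www.bitdefender.com') |
        ForEach-Object { Test-HostResolves $_ }
    if (-not $control)            { return 'no name resolution at all (still offline?)' }
    if ($filtered -contains $false) { return 'filter active: a filtered host does not resolve' }
    return 'filter not detected'
}

# Summary
"MS08-067 (KB958644) installed : " + (Test-MS08067Patch)
"autorun.inf in drive roots    : " + ((Get-AutorunInfFiles) -join ', ')
"DNS Client service running    : " + (Test-DnsClientRunning)
"URL filter check              : " + (Test-DownadupUrlFilter)
```

A machine that reports the patch missing, an autorun.inf in a drive root, or an active filter is not finished: repeat the steps with every other computer and removable drive disconnected, since a clean host on a dirty network is reinfected at the next reboot.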

user comments
How do I disable System Restore, download and install the MS08-067 vulnerability patch, and run the removal tool?
Hi Todd,

in order to disable the System Restore feature, please follow one of these links:
1. for Windows ME: http://support.microsoft.com/kb/264887
2. for Windows XP: http://support.microsoft.com/kb/310405
3. for Windows Vista: http://windowshelp.microsoft.com/Windows/en-us/help/f0688925-5abe-4caf-b49a-018f8cfcaf4d1033.mspx#E3

A link is already provided for the MS08-067 patch, just click it, then select your operating system, and click download on the page that shows. Just in case you didn't notice the link, here it is again: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

As for the removal tool, download the zip file provided in the article, extract the content anywhere on your computer and just run one of the files. They both do the same, just the appearance differs.

Best regards.
Thanks for your post regarding this worm.

As for this link: http://support.microsoft.com/kb/310405, if your system is infected with Win32.Worm.Downadup, then the download will be prevented. The worm stops access to any URL that contains any word that the worm checks for.

I have not been able to download the security patch because the worm stops access to any URL with the word microsoft in it.
Bitdefender can't delete my infected shared folder. I can't even manually delete the files using administrator log in:(
Hello Raymond,

we have uploaded the removal tool to a public file sharing website in order to avoid the worm's filters. You can find the archive here: http://drop.io/bd_cleaner

After removal, restart your system and you should be clean. You can then download and apply the Microsoft patch as described before.
Thanks for giving me access to the BitDefender removal tool. I got a "clean" notice after I ran the tool, restarted my computer and saw that I still can't access the forbidden websites. Perhaps I am infected with a different, but similar, worm or virus.

Regards, Ray
Thanks for your help. I got the anti-downadup tool and ran it. It reported "clean". It ran so fast that I doubt it really scanned anything.
In order to apply Microsoft's patches you can stop the "DNS Client" service and then you will have access to the Microsoft website; at least it's working for me in my network.
That's a good idea David. Also, if you're part of a network, make sure to disconnect ALL the computers from it and then apply our removal tool, or else after each reboot you will get infected again from the other computers.
Hi Jeff,

in order to successfully get rid of the worm download the removal tool provided by the BitDefender Labs from: http://drop.io/bd_cleaner

If you are part of a network, make sure to download the tool separately on every computer then disconnect them from the network.
Also remove all the removable devices from them and run the removal tool.

After each computer has rebooted your network should be clean.
I also got infected by such a worm... I also ran the OS patches provided by Microsoft and ran the BD removal tools... I will give my suggestions soon.
Hello, how can I verify if the worm infected my computer without performing an antivirus scan?
Hello Daniel,

one of the most obvious symptoms of the worm is its blocking of certain websites. www.bitdefender.com should be blocked since it contains the string "defender".

Try accessing the worm's description at: http://www.bitdefender.com/VIRUS-1000462-en--Win32.Worm.Downadup.Gen.html
If you can't, it means you're infected with the worm, or something similar.
Hi! I was wondering if there was a way to scan a thumbdrive for the virus. Any help is appreciated.
Hi

my PC sounds infected with some trojan like this...

it stops Internet Explorer from starting, makes System Restore malfunction, can't disk check, slows the internet connection,
can't visit some websites, system unstable and all the symptoms above...

I am using BitDefender Antivirus 2008, it disappointed me this time..

the symptoms started after I installed this -> aquaplay setup

I tried everything, still can't get rid of it.. sad
Thanks Andrei for the very informative blog. I will certainly use the tips found here to ensure my network is clean. That being said, am I correct in assuming that if BD's signature files are up to date, we are protected against this threat?
Hello,

The worm won't allow me to turn off the DNS service, and when I run the tool it says the system is clean, and I can't connect to the Microsoft website, so can someone please put the MS patch on another site? Or is that impossible?
How do you know you have this worm. I understand the symptoms may be subtle, but what are they?
I can access these websites fine, AVG finds nothing; the only instance I found was on my USB stick, but I did not autorun or do anything with it. I simply clicked My Computer, then right-clicked the USB stick and scanned it with AVG, which is where this worm was found. Am I safe?
I ran the BitDefender tool to be safe, but after scanning it just closes. How do I know if it found and removed anything?
Well, I think I've just about tried everything now! Can't get rid of this worm, every scan just comes up clean as they can't access the infected files, and I'm locked out of regedit etc so can't remove them manually.
I have downloaded and installed all the recommended patches
@ redbean: try this: http://forums.spybot.info/showthread.php?p=285279

@ TBolt: yes, our products detect this threat, if you are not already infected you are safe and sound

@ John: if you ran the tool and it tells you the system is clean, it means you get re-infected from a network computer. As mentioned before, unplug all network computers from the network, unplug all removable devices, and scan all computers on the network. You should be clean now.
Disable autorun to avoid getting infected from already infected usb sticks

@ John Bramfeld: for instance, the worm blocks access to certain websites, and autorun.inf files appear in the root folder of every disk drive.

@ Liam: you probably got your USB stick infected on another computer. Just delete the autorun.inf file and the executable it is supposed to execute and you should be fine (you can open the autorun.inf file in a simple text editor and check the path to the executable).

@ Jil: if our tool comes clean, then you're not infected with Win32.Worm.Downadup.
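The reply to Liam above says to open autorun.inf in a text editor and find the executable it points at; the later reply to Mark adds that the removal tool does not clean removable drives, so that file has to be handled by hand. The script below is an added example, not part of the post or the BitDefender tool, that does the same reading programmatically: it parses the [autorun] section and returns the open= and shellexecute= commands, ignoring comment and padding lines. The sample autorun.inf it creates is constructed for the example (its paths are made up); point -Path at the root of a real drive instead.

```powershell
# Added example, not from the post: list the commands an autorun.inf would
# launch, so the file it points at can be deleted by hand. The sample file
# below is constructed for this example and is not a real infection artefact.

function Get-AutorunTargets {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Read the file as plain text and keep only open= and shellexecute=
    # entries that sit inside the [autorun] section. Blank lines, ';'
    # comments and any padding a worm wraps around its entries are skipped.
    $inAutorun = $false
    $targets = @()
    foreach ($line in (Get-Content -LiteralPath $Path -ErrorAction Stop)) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^\[(.+)\]$') {
            $inAutorun = ($Matches[1] -eq 'autorun')   # -eq is case-insensitive
            continue
        }
        if ($inAutorun -and $t -match '^(open|shellexecute)\s*=\s*(.+)$') {
            $targets += New-Object PSObject -Property @{
                Key     = $Matches[1].ToLower()
                Command = $Matches[2].Trim()   # path (and arguments) to inspect and delete
            }
        }
    }
    return $targets
}

# Constructed sample autorun.inf (made-up paths), written to a temp file.
$sample = @'
; padding line of the kind a worm may add
[autorun]
open=RECYCLER\setup.exe
shellexecute=RUNDLL32.EXE RECYCLER\payload.dll,Install
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
'@
$tmp = Join-Path $env:TEMP 'autorun-sample.inf'
Set-Content -LiteralPath $tmp -Value $sample

# Prints one row per launch entry: open -> RECYCLER\setup.exe, and the
# rundll32 command line for shellexecute. For a real drive use e.g. -Path 'E:\autorun.inf'.
Get-AutorunTargets -Path $tmp | Format-Table Key, Command -AutoSize
Remove-Item -LiteralPath $tmp
```

The parser works on text lines only. If a real autorun.inf returns no entries yet the drive still misbehaves, inspect the file in a hex editor before deciding it is harmless, since Windows' own INI reader tolerates junk that a line-based parser discards. Disable autorun on the cleaning machine before plugging the stick in, as the replies above advise.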
Hi there, I don't know for sure that I have this, but my PC is exhibiting some very similar signs. However, having followed the instructions, I cannot get your remover to run.

On asking it to scan the following error comes up:

GVM Engine internal error (scan)

Is this downadup protecting itself? I have tried downloading the remover twice, and it does appear to work correctly on my other PC - which came up as clean after using it.

Any thoughts gratefully received.
Does this virus disable your antivirus software updates? If it is, then I think I might have it.
I have this virus. I have used the BitDefender removal tool and patched the system with Microsoft updates. The virus is detected and successfully removed. However, even though it removes the virus, it does not prevent reinfection if another computer on the network has it. Any suggestions? I did patch my systems for the MS08-067 vulnerability. I even did a Windows Update and patched everything MS said was missing.

This happens on both Windows XP as well as Windows 2003 servers.
@Mark: the worm also spreads by brute-forcing weak administrator passwords or via USB sticks.
The removal tool only disinfects the system, not the removable drives as well. In order to stop the spread via USB sticks disable autorun on your machine and delete the files manually.
Make sure your administrator passwords are hard to guess.
Hey i have this, AVG found it, its sitting in my virus vault and was wonder if it was safe to just delete the file, or if I need to follow your guys's steps to remove it (ie. restore it in my system and do it)?
Hi. After having followed all the steps that the virus apparently is gone, now I can turn on "System Restore" again?
@R Mottus: your system should be safe, but since you use AVG, you should request their support. @Iván: try "turn on system restore" on Google and click the first result. It should be a Knowledge Base article from Microsoft.
How do I turn this program off? I cannot upload pics to eBay now ??? Fred
@Fred Baines Did you try to reboot the computer? Or at least... let us know which program you are talking about?
Hi,
I can't open the site http://drop.io/bd_cleaner.
Do you have any other site?
Okay so I'm a little confused. I'm not really sure if I actually do have this worm or not. My updates for AVG and Spyware Doctor keep failing and SOMETIMES my browser fails to load a page. But I will reload it and it'll work. Maybe it's just my internet connection, I thought.. but my updates NEVER work. And some of the sites that you guys posted saying that they WILL NOT WORK because of the worm still work for me.. so just a thought.. do I have it? My main concern is the AVG and Spyware Doc updates not working.
can this tutorial also solve system32/x virus problem??
I would like to answer your first question, why users don't update from the Microsoft website.
The basic reason is that most of the patches which the Microsoft website releases tend to destabilize the system (through my own experience); that's why they don't update Windows through patches, but rather prefer to upgrade the Windows version, or install firewalls and antivirus suites. My own experience is like this:
previously my computer was working fine (for more than a year), but a Windows security popup kept on coming; usually I ignore that warning (as I have disabled automatic updates). Then I decided to give it a try and apply some patches from Microsoft Windows. After applying those patches, when I rebooted, my Windows became so slow that where previously it took only 2 minutes to reach the starting Windows screen, now it takes almost an hour to reach the starting screen alone. Apart from that, other functionality also became so slow that I couldn't work on my PC anymore, so I finally decided to switch back to the Windows I had before (after reinstalling the whole of Windows, of course). So I always recommend to everybody never to update from the Windows website, but rather to upgrade your XP.
I have a problem with c:\windows\system32\x
I have a worm but I can't even get online to download anything. It is not letting me on the internet; I have a connection, it just won't let me in.
Has this fix worked for anyone?