Problem Downadup.B and patches
Updated: 22 May 2010 | 18 comments
I have SEP 11 on my machines
The local admin passwords are complex.
OS is XP SP2, System Restore is off.
Downadup gets detected and cleaned by SEP. After a restart it comes back.
In Add/Remove Programs it shows KB958644 is installed; however, if I run systeminfo at the command line it does not show up!
The machine appears to be still vulnerable.
I tried uninstalling KB958644 and reinstalling it, but it doesn't change things.
It does not appear to get installed properly.
Don't flame me about asking about MS Patches here, I am desperate because this is happening on 150 PCs.
I am going to try installing SP3 next, but if anyone has a solution let me know.
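One way to see the discrepancy described above on a single host, as an added example that is not from the thread: compare the Uninstall registry key that Add/Remove Programs reads, the WMI hotfix inventory that systeminfo reports, and the version of the binary the patch replaces. It assumes PowerShell 2.0 on Windows XP; the KB number is the one from the post, the registry path and the use of netapi32.dll as the patched file are assumptions.

```powershell
# Added example, not the poster's script. Assumes PowerShell 2.0 on Windows XP.
$kb = 'KB958644'   # KB number taken from the original post

# 1. What Add/Remove Programs lists: the per-update Uninstall key (assumed path for XP hotfixes).
$arpKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$kb"
$inAddRemove = Test-Path $arpKey

# 2. What systeminfo reports: the Win32_QuickFixEngineering hotfix inventory.
$inQfe = @(Get-WmiObject Win32_QuickFixEngineering |
           Where-Object { $_.HotFixID -eq $kb }).Count -gt 0

# 3. The file the MS08-067 update actually replaces (assumption: netapi32.dll).
$dll = Join-Path $env:SystemRoot 'system32\netapi32.dll'
$version = (Get-Item $dll).VersionInfo.FileVersion

"{0}: AddRemove={1}  QFE={2}  netapi32.dll={3}" -f $kb, $inAddRemove, $inQfe, $version

# A host that is registered in Add/Remove but missing from the hotfix inventory is
# the exact state the post describes; treat it as unpatched until it is re-patched
# or re-imaged, and compare netapi32.dll against a known-good patched machine.
if ($inAddRemove -and -not $inQfe) {
    Write-Warning "$kb is in Add/Remove Programs but not in the hotfix inventory on $env:COMPUTERNAME"
}
```

Run it on a known-good patched machine first to learn the expected netapi32.dll version, then on the 150 suspect hosts.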
Comments
It looks like one of the systems on your network is still infected, or the infection happened before there were definitions for it. If it's infected, then you have to disable System Restore before cleaning the machine (boot in Safe Mode).
W32.Downadup
System restore already off
You're already half way there, with the System Restore being shut off.
How much time do you have?
Every time you reboot the machine, the infection will come back as long as there is an infected system on the network...
Here is what I would do.
- Download the removal tool.
- Copy it to a generic location on ALL the machines in your network. c:\temp for example.
- Create a batch file to run the Removal Tool. RemoveDUP.bat (or something)
** Batch file should look something like **
c:\temp\FixDwndp.exe
** **
- Create a scheduled task to run at say: 12:30 (lunch time) while everyone is away.
- Once all these steps are taken and you are 100% sure that every machine is ready to go simultaneously... Move to your Server Room. Also make sure your servers are going to run it as well.
- Shut down ALL your switches. By shutting down all the switches, you save yourself the headache of unplugging 150+ machines. No communication on the network, no virus spreading, the removal tool can do its job.
- Once you are sure all the infections have been removed, you can turn the switches back on. And the infection should be clear on the network.
Solutions?
Jason, pbogu, thanks for the replies. Yes, I have thought of that, but I can't shut down the network. We run 24/7 and have a total of 32,000 live nodes.
We have gotten rid of Downadup on other affected systems.
I am hoping someone knows how to fix the MS patch on these. I could simply re-ghost these 150, but would really like to solve the patch issue with a view to future similar mess ups.
------------------------------------------------------------
MR99 will fix it all.
The problem is...
The problem is, once the system is infected and the patch applied on top of it, it is already too late...
Do you know when the patch was initially applied to these machines? Part of the image or from the WSUS server? If the latter, then it should be in the WSUS logs...
Are you removing the patch, then removing the virus, then reapplying the patch? (No reboots, unless only after the patch)
Unless, do you have a switch room for only those PCs?
Also, Downadup will not allow you to "properly" install updates whilst it is hanging out on the system...
Jason
Jason, we tried all combinations; the problem is the patch does not get properly installed, hence it's getting reinfected.
------------------------------------------------------------
MR99 will fix it all.
Do you have an idea of the source of the worm? We experienced that a few months back when a user with the virus infected a few dozen PCs. We received alerts that the PCs were infected and that the worm was cleaned/quarantined, except for the source PC. Try finding the source PC.
“Your most unhappy customers are your greatest source of learning.”
remove netbios
The Downadup virus spreads using port 445 and the NetBIOS protocol.
Remove the NWLink NetBIOS protocol in Network Connections and disable NetBIOS in the "WINS" option,
and also block TCP ports 445/139.
Regards
Mani
Blocking
Blocking 445/139 with Active Directory in use is not OK.
------------------------------------------------------------
MR99 will fix it all.
Blocking ports 445/139 is only an easy way to isolate the virus. But the other actions need to be done for a complete virus removal.
we had a major infection
We had exactly the same problem.
The virus spreads all sorts of ways, from network shares to autoruns.
We have now removed the virus from our network by doing the following:
1. Ensure every machine has the Microsoft patch installed
2.Ensure every machine has endpoint with the latest definitions on.
3.Turn off system restore points on all machines (by Group Policy)
4.Turn off all local administrator accounts (by Group Policy)
5.Configure all scans to scan network drives also (in the SEPM policy)
6. On the local endpoint clients the attacks by machines get logged (do a trace-back on them using the local client; you will see the option there) to find the machine that is spreading the virus
7. Run constant reports on the server identifying machines requiring restarts, infected PCs and the machines that are the top sources of attacks.
After that we cleared the virus.
Need any help, let me know.
Thanks
Re;
Hi, it could be that your update server is the source of the virus.. try checking.. also generate a report from your SEPM to trace the source.
Our infection
Hi,
Here's a sample from the reporting server on a single PC which was being infected by Downadup with the actions made:
C:/WINDOWS/system32/x - cleaned by delete
C:/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/Content.IE5/9IESDEXF/eipgycqy[1].gif - left alone
C:/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/Content.IE5/P9VDSQP0/owaa[1].bmp - left alone
C:/WINDOWS/system32/x - cleaned by delete
I can't pinpoint the point of origin. I'm currently using a history viewer for the web browser, but it only checks the history folder of users, so there's no way of knowing who accessed what website to download the following files. On a positive note, the files placed in the system folder were deleted.
“Your most unhappy customers are your greatest source of learning.”
Re;
Can you try to generate a full report from SEPM? Look for the source.
cable mite,
Do you have a way of knowing the source of the virus? It should be in the SEP reports.
“Your most unhappy customers are your greatest source of learning.”
Hi Cable,
Now Downadup is stable and Symantec is able to clean it properly.
Regards, M.R
Hi cable,
The very first thing to prevent the infection is to make sure that your machines are running SAV/SEP with the latest version as well as the latest definitions.
Secondly, USB must be blocked or Autorun on USB must be removed.
The MS08-067 vulnerability must be patched on all the systems, and make sure that the systems are rebooted after applying this patch, as a reboot is mandatory.
Open shares and weak passwords must be removed. Users must be made aware of disabling open shares and having complex passwords.
These steps will make your network safe not only for W32.Downadup family but most of the other viruses/worms too.
Rgrds,
SAM
One of the most effective reactions against the Downadup worm is to kill its service.
To find the service there are two methods:
1- Sort the services by description. You will find out that there are two services with the same description! The reason is that the worm acquires the description of a valid service so that it looks like a real one!
2- If you sort the services by Startup Type, there are a few services which are Automatic but are not started, manual nor disabled. One of them is the Downadup service.
To find out which service is the one, double-click on each, and you will see that one of them has a crazy name, such as jhhyf or whatever.
Afterward, using the SC command from the command prompt, delete the service by the display name (not the random characters). For instance:
sc delete "File Cache"
Immediately after killing the service you should restart the computer and then update the antivirus and perform the cleaning treatment and any other remediation you find necessary.
Symantec Certified Specialist \ MCSE +Security \ CCNSP
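The two heuristics from the post above (duplicate description, Automatic but not running), applied to the service table with WMI so they can be run on many hosts rather than clicked through one by one. This is an added example, not the poster's procedure; it assumes PowerShell 2.0 on XP and takes no service names from the page, since the worm picks a random one.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0 on Windows XP.
$services = Get-WmiObject Win32_Service

# Heuristic 1: two or more services sharing one Description (the worm copies a real one).
$dupDescriptions = $services |
    Where-Object { $_.Description } |
    Group-Object Description |
    Where-Object { $_.Count -gt 1 }

# Heuristic 2: startup type Auto, yet not running.
$autoButStopped = $services |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' }

# Collect the reasons per service; a service hit by both heuristics is the strongest candidate.
$suspects = @{}
foreach ($g in $dupDescriptions) {
    foreach ($s in $g.Group) { $suspects[$s.Name] += 'duplicate-description ' }
}
foreach ($s in $autoButStopped) { $suspects[$s.Name] += 'auto-but-stopped ' }

# Show Name as well as DisplayName: 'sc delete' takes the service (key) name, and the
# PathName column shows which svchost group or binary actually hosts the service.
$services |
    Where-Object { $suspects.ContainsKey($_.Name) } |
    Select-Object Name, DisplayName, StartMode, State,
                  @{ n = 'Reason'; e = { $suspects[$_.Name].Trim() } }, PathName |
    Sort-Object Reason -Descending |
    Format-Table -AutoSize -Wrap
```

Compare the list against the same query on a clean machine of the same build before deleting anything; legitimate services are also Auto-but-stopped at times, so the heuristics narrow the search rather than prove an infection.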
Re;
Another way of troubleshooting this is to generate a report or list from the SEPM server and then trace the first/earliest infection. This could probably be the source.
I agree with Ghafourian, kill the service, but it's difficult to trace the fake service. You need to run the Downadup removal tool from Symantec and then check the logs. Be sure to insert the USB drives used on the infected PCs so that they will be scanned also.
The removal tool then will generate what services it killed, files deleted etc.. the log will be located in the same directory where you run the tool.