W32.Downadup

Fatih Teke

Hi everybody.
I have a problem with this virus!! I added a picture below.
This client has KB958644 (to protect against Downadup), SP3 and a SEP client with the latest virus definitions.
Everything looks good, but it is not. How can Downadup infect my PC? It must be impossible,
because I have SEP + SP3 + latest updates. What do I need? Today the virus infected it. I looked at the properties and the source is Localhost?? How can I find the real source?
Please help me
Best Regards.

Frank019

Have you done the restart like it said? (Restart required)

Vikram Kumar-SAV to SEP

NTP & Risk Tracer

Install NTP as well and enable Risk Tracer in File System Auto-Protect.
In NTP the IPS will block and log the entries of the attacking PC.
Risk Tracer will show you which computer is attacking.

It can be via USB as well, so clean everything in the temp folders.

Celebrating 2 years as a community member....

Fatih Teke

NTP is already installed.

NTP means Network Threat Protection? It is installed already. I closed Risk Tracer because I was afraid it would slow the network. I will enable it again.
But Mr Vikram, I blocked USB devices with the Application and Device Control policy already.
And there is one more thing. I want to know "how can Downadup create a service on this computer?" If it can create a service, why did my SEP client not block it before it created the service? Because Downadup creates the service and after that SEP understands it is a virus service. Why doesn't SEP understand before? I looked at the logs and the SEP services work fine; they didn't stop.
I love SEP, really love it. Very good program, but I am asking myself, am I doing something wrong? I want no computer in my WAN to ever be infected.
Is it possible? Am I asking for an impossible thing?
Thank you for your answer Mr Vikram.
Best Regards.

------------------------------------------
Everything works better when everything works together.

Ajitjha

Enable the Risk Tracer.

Downadup is a virus which keeps on spreading into the network until and unless the entire network is patched. Suppose you have a network of 100 PCs, and 90 machines are patched but 10 are still to be patched; Downadup will try to infect the remaining 90 machines from the 10 machines, but since the 90 machines are patched it won't affect them.

My advice to you is to patch your entire network either manually or using WSUS.

Ajit

Regards,
Ajit Jha
Tech Support Engineer
STS

Paul Mapacpac

Re

Hi, try to scan in safe mode first. Run also the Removal Tool: http://www.symantec.com/content/en/us/global/remov...

Can you post the risk log, and let's analyze the first infection.

Based on your post, your PC is the source; you may not have removed Downadup completely.

pete_4u2002

hi,
as from the capture, the source is localsystem.
check that Auto-Protect is on on this system. Since the detection has been done, you need to reboot the system to completely clean the file (threat partially cleaned).

As Paul mentioned, scan the system in safe mode; if the threat is memory resident then it would be detected in safe mode.

good luck!
Pete

Fatih Teke

d.exe

I have got d.exe to remove Downadup. I'll use it in safe mode. You mean this client was never cleaned? I don't think d.exe will help me, because I tried it on another infected computer.
I will try in safe mode and I will write again. But this is not my answer. I want to know how it is possible?
There are 2 things in my head.
1- This client already had Downadup since April 1 and SEP cannot clean it.
2- This client is newly infected?

Am I wrong?


pete_4u2002

not exactly, if the process is in use, then you need to scan it in safe mode, because it locks certain DLLs.

The infection is from localhost, hence it could have been infected when the SEP service was not working.

check the other detection logs as well.

Cheers
Pete

Paul Mapacpac

Re

I had this problem before. Did you just use a USB drive again? You need to run the removal tool with the USB drive still inserted so that it can be cleaned also. Check the log it generates after you run the removal tool.

Ajju

Hi,

Let me know the number of users in your network and the number of branch offices connected.

The Downadup virus is too good. It just plays from the other way.

For example, if your accounts are getting locked out, these bad credentials will be sent by other infected systems using your login ID.

Ex: There are 5 systems in the network: A, B, C, D, E
System C (infected system)

System C will be trying to access the domain server by sending bad credentials using the accounts of the other systems A, B, D, E.

Then the accounts of A, B, D, E will be locked out.

But the user will be under the impression that A, B, D, E are infected.

The best way is to schedule custom scans on all the systems for the Windows, System and System32 folders daily and set the option to delete. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, sharing should be with read-only access or by using password protection.

Fatih Teke

scan

I have 2 weekly scans already. I read about Downadup. Yes, it is very good. But still not my answer.
How could Downadup infect my computer on 25.06.2009?? I told you before SEP has the latest definitions, SP3 and the latest patches,
but I can be infected..
Am I wrong, or what is the problem?
Thank you for answering.
Best regards.


Frank019

The thing is that there is nothing perfect in the world; there will never be software that will catch 100% of the viruses out there. Even if they upgrade the software, they also "upgrade" their virus to be tougher to catch. It will never end.

Fatih Teke

What???

@frank019
I know what is perfect. But we are talking about Symantec. And do you know what Downadup can do?? I lost very many clients!!! That's why I must be very careful and must follow every action.
Downadup started April 1 and now it is 3 July. I am asking: am I wrong or what is wrong???
I already have SEP clients and Windows with WSUS. Please tell me what more I can do?


Frank019

"But we are talking about Symantec": it ain't perfect either. Try other anti-virus software if you think they are better. I might not know everything Downadup can do, but it's the computer world. Sometimes you have a problem that won't be fixed. Worst case you have to reformat.

Paul Mapacpac

Re

OK, post the Risk Log after the first infection, then let's analyze.

Nel Ramos

We also had this issue when clients were using their infected USB..
The removal tool really helped.
But sometimes, since they tend to remove their USB without cleaning it and plug it into another PC, it tends to infect the next PC...
thanks...

Nel Ramos

Fatih Teke

@nel ramos and paul

First, thank you for the answers.
All USB disks are blocked by device control in the "application and device control policy", that's why it cannot get access via USB.
@Paul Mapacpac how can I import the risk log here? Copy/paste or another way?
Thank you.


Paul Mapacpac

Re

On the client PC, open SEP, go to Logs, choose Risk Log, then export the risk log.

When did you disable USB access, is it before or after the infection?

mon_raralio

How about getting the logs from the server side?

Paul Mapacpac

Re

Hi mon, more detailed logs are on the client side.

Fatih Teke

@ paul
I know how to export the risk log :) but how can I import it here? I can upload a picture, but can I upload doc files?
@ Mon_raralio

I received a mail from the server like this;

Message from:
Server name: baynorton
Server IP: 10.0.3.26

At least one security risk found:

Risk name: W32.Downadup.B
Event time: 2009-07-05 17:00:50 GMT
Database insert time: 2009-07-06 05:31:01 GMT
User: SYSTEM
Computer: burakomeroglu
IP Address: 10.0.30.145
Domain: Default
Server: baynorton
Client Group: My Company\Kirac\Client
Action taken on risk: Quarantined
-------------------------------------------------------
And every day I get a full report from the server. I can see infected computers in the report.
Best Regards.


Paul Mapacpac

Re

Cannot see the path of the infection; you must really post the risk log.

Frank019

Copy and paste the log file.

Vikram Kumar-SAV to SEP

One more Possibility

This computer might have been infected some time back when this system was not patched, and it downloaded a bot onto this computer, which was doing nothing but just waiting for commands from its master server. Then once Downadup sent a command to upgrade itself or download the new variant, it might have downloaded it and then installed it, most probably at the time of bootup. Once Auto-Protect was enabled it detected a few files, but since most of the files were installed in memory or were running as rootkits, SEP was not able to detect them, so they get detected only in safe mode, because in safe mode no 3rd party application works.

There is one universal truth that everyone has to agree with: "Once compromised, can never be trusted".

This is all I can think of why you got infected.


ben_cSEPticons_secured

W32.Downadup

Did you try to check your version of SP3? I mean, is it really for XP? Or did you try downloading it again, and also the security patch as well? If not, then it might help somehow in resolving your problem.... Before installing SP3 and the security patch, first remove the client workstation from the network, because Downadup will continuously get into your system. (Do the installation and full system scan in safe mode.)

Fatih Teke

@vikram

Vikram, thank you for the answer. You should be right. I am going to copy and paste the risk log here tomorrow.
Please don't understand me wrong. I never say SEP is not good. No doubt! I am asking myself, am I doing something wrong? Because I must control 500 clients and 30 servers by myself. And if I cannot do that I must find a new job :((
That's why I must be sure my system works fine like other security admins'.
I am doing 2 scheduled scans per week for clients, and 2 scans for servers. And I have enabled the risk detector.
Please don't understand me wrong, because I know my English is not perfect. I just want never-infected computers.
I will paste the risk log here tomorrow.
Thank you again for the answers.
Best Regards.


Paul Mapacpac

Re

When did you patch the computer? The patch was released October 2008 and Downadup was discovered November 2008, FYI.

Fatih Teke

risk log

I saw today the client was infected again :( I paste it below. I didn't paste all of it.

Date and Time Risk Action Filename Risk Type Original Location Computer User Status Current Location Primary Action Secondary Action
06.07.2009 15:03:50 W32.Downadup.B Restart Required - Deleted hmdutoi.dll File c:\WINDOWS\system32\ BAY596 SYSTEM Deleted Deleted Restart Required - Delete Restart Required - Quarantine
05.07.2009 15:03:30 W32.Downadup.B Restart Required - Deleted hmdutoi.dll File c:\WINDOWS\system32\ BAY596 SYSTEM Deleted Deleted Restart Required - Delete Restart Required - Quarantine
04.07.2009 15:03:38 W32.Downadup.B Restart Required - Deleted hmdutoi.dll File c:\WINDOWS\system32\ BAY596 SYSTEM Deleted Deleted Restart Required - Delete Restart Required - Quarantine
03.07.2009 10:30:57 W32.Downadup.B Restart Processing hmdutoi.dll File c:\windows\system32\ BAY596 SYSTEM Infected c:\windows\system32\ Delete Leave alone (log only)
03.07.2009 10:30:57 W32.Downadup.B Restart Processing hmdutoi.dll File c:\windows\system32\ BAY596 SYSTEM Infected c:\windows\system32\ Delete Leave alone (log only)
03.07.2009 10:30:56 W32.Downadup.B Restart Processing hmdutoi.dll File c:\windows\system32\ BAY596 SYSTEM Infected c:\windows\system32\ Delete Leave alone (log only)
02.07.2009 12:02:32 W32.Downadup.B Restart Required - Partial (Non Critical Failure) hmdutoi.dll File c:\windows\system32\ BAY596 SYSTEM Infected c:\windows\system32\ Restart Required - Delete Restart Required - Quarantine
30.06.2009 12:02:32 W32.Downadup.B Restart Required - Partial (Non Critical Failure) hmdutoi.dll File c:\windows\system32\ BAY596 SYSTEM Infected c:\windows\system32\ Restart Required - Delete Restart Required - Quarantine
25.06.2009 12:17:44 W32.Downadup.B Restart Required - Partial (Non Critical Failure) hmdutoi.dll File c:\windows\system32\ BAY596 SYSTEM Infected c:\windows\system32\ Restart Required - Delete Restart Required - Quarantine
08.06.2009 13:35:48 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
08.06.2009 11:55:15 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
08.06.2009 07:50:58 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
08.06.2009 07:37:34 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
08.06.2009 06:09:03 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
08.06.2009 05:26:45 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
08.06.2009 05:14:17 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
08.06.2009 04:23:04 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
08.06.2009 04:20:26 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
08.06.2009 03:26:45 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
08.06.2009 03:15:39 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
08.06.2009 00:50:20 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
08.06.2009 00:21:53 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
08.06.2009 00:00:35 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 23:14:58 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 23:11:19 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 22:18:04 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 22:16:41 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 18:49:37 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 18:23:58 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 17:53:55 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 15:07:12 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 14:57:56 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 14:08:34 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 13:50:29 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 12:38:19 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 12:19:09 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 06:56:56 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 06:44:56 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 05:56:24 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 05:48:21 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 04:45:41 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 04:42:39 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 03:47:12 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 03:37:56 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 01:23:07 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 01:08:30 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
07.06.2009 00:09:46 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
06.06.2009 23:11:19 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
06.06.2009 23:09:49 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
06.06.2009 22:13:11 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
06.06.2009 21:57:21 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
06.06.2009 15:55:07 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
06.06.2009 15:38:48 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
06.06.2009 14:35:11 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
06.06.2009 12:14:29 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
06.06.2009 11:40:16 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
06.06.2009 09:41:17 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
06.06.2009 08:57:31 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
06.06.2009 08:31:02 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine
06.06.2009 07:39:37 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine


Vikram Kumar-SAV to SEP

Downadup

From the logs it seems the same file "hmdutoi.dll" is getting re-created or downloaded every day. Then Auto-Protect is taking its action.
I suspect there is a downloader on your computer which is downloading this file every day or every time it is getting deleted.
Most probably it is a rootkit, and it is a new one that is not getting detected.
c:\windows\System32\BAY596 looks like a suspicious folder.
If you are not able to browse to this directory in user mode then download Icesword120_en, browse this location and find what other files are there in this location. Also check the services using this tool to check if there is any SYS file with any suspicious name.
Until and unless we find the main threat this will keep coming.
As a workaround you can block this DLL using Application and Device Control for the time being, till the main threat is found.

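An added example (not from the thread and not SEP's own code) of the check this analysis rests on: parse an exported risk log, group rows by host and file, and flag a file that SEP deleted or only partially removed and then detected again on a later day. It assumes a tab-separated export with the header columns quoted in the thread; the sample rows are constructed from entries quoted there.

```python
"""Spot detections that keep returning in an exported SEP risk log.

Added example for this thread, not code from the original posts or from SEP.
Assumes a tab-separated export whose header matches the columns quoted in the
thread; the rows below are constructed from quoted entries, not a real file.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

COLUMNS = ["Date and Time", "Risk", "Action", "Filename", "Risk Type",
           "Original Location", "Computer", "User", "Status",
           "Current Location", "Primary Action", "Secondary Action"]
SYS32 = "c:\\WINDOWS\\system32\\"
PARTIAL = "Restart Required - Partial (Non Critical Failure)"
# Statuses meaning SEP believed the file was dealt with.
REMOVED_STATUSES = {"Deleted", "Quarantined"}

# Constructed sample rows, newest first as SEP exports them.
SAMPLE_ROWS = [
    ("06.07.2009 15:03:50", "W32.Downadup.B", "Restart Required - Deleted",
     "hmdutoi.dll", "File", SYS32, "BAY596", "SYSTEM", "Deleted", "Deleted",
     "Restart Required - Delete", "Restart Required - Quarantine"),
    ("03.07.2009 10:30:57", "W32.Downadup.B", "Restart Processing", "hmdutoi.dll",
     "File", SYS32.lower(), "BAY596", "SYSTEM", "Infected", SYS32.lower(),
     "Delete", "Leave alone (log only)"),
    ("02.07.2009 12:02:32", "W32.Downadup.B", PARTIAL, "hmdutoi.dll", "File",
     SYS32.lower(), "BAY596", "SYSTEM", "Infected", SYS32.lower(),
     "Restart Required - Delete", "Restart Required - Quarantine"),
    ("25.06.2009 12:17:44", "W32.Downadup.B", PARTIAL, "hmdutoi.dll", "File",
     SYS32.lower(), "BAY596", "SYSTEM", "Infected", SYS32.lower(),
     "Restart Required - Delete", "Restart Required - Quarantine"),
    ("08.06.2009 13:35:48", "W32.Downadup.B", "Cleaned by deletion", "hmdutoi.aw",
     "File", SYS32, "BAY596", "Administrator", "Deleted", "Deleted",
     "Clean security risk", "Quarantine"),
    ("07.06.2009 23:14:58", "W32.Downadup.B", "Cleaned by deletion", "hmdutoi.aw",
     "File", SYS32, "BAY596", "Administrator", "Deleted", "Deleted",
     "Clean security risk", "Quarantine"),
]
SAMPLE_LOG = "\n".join(["\t".join(COLUMNS)] + ["\t".join(r) for r in SAMPLE_ROWS]) + "\n"


def parse_timestamp(value):
    """SEP exports show dd.mm.yyyy HH:MM:SS or dd.mm.yyyy HH:MM."""
    for fmt in ("%d.%m.%Y %H:%M:%S", "%d.%m.%Y %H:%M"):
        try:
            return datetime.strptime(value.strip(), fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp: %r" % value)


def parse_risk_log(text):
    """Read a tab-separated risk log export into a list of row dicts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        row["timestamp"] = parse_timestamp(row["Date and Time"])
        rows.append(row)
    return rows


def group_by_file(rows):
    """Group rows by host, risk, original location and filename, oldest first.
    Computer (BAY596 in the thread) is its own column, kept apart from the path."""
    groups = defaultdict(list)
    for row in rows:
        key = (row["Computer"], row["Risk"],
               row["Original Location"].strip().lower(), row["Filename"].lower())
        groups[key].append(row)
    for items in groups.values():
        items.sort(key=lambda r: r["timestamp"])
    return groups


def find_recurring(rows):
    """Flag files detected again on a later day after SEP deleted them or only
    partially removed them. Findings are sorted by first detection date."""
    findings = []
    for (computer, risk, location, filename), items in group_by_file(rows).items():
        days = sorted({r["timestamp"].date() for r in items})
        came_back = any(
            (earlier["Status"] in REMOVED_STATUSES or "Partial" in earlier["Action"])
            and later["timestamp"].date() > earlier["timestamp"].date()
            for earlier, later in zip(items, items[1:]))
        if len(days) > 1 and came_back:
            findings.append({
                "computer": computer, "risk": risk, "filename": filename,
                "location": location, "detections": len(items),
                "distinct_days": len(days), "first_seen": days[0], "last_seen": days[-1],
                "partial_removals": sum("Partial" in r["Action"] for r in items),
            })
    return sorted(findings, key=lambda f: f["first_seen"])


if __name__ == "__main__":
    for f in find_recurring(parse_risk_log(SAMPLE_LOG)):
        print("%(computer)s %(location)s%(filename)s: %(detections)d detections on "
              "%(distinct_days)d days, %(partial_removals)d partial removals" % f)
```

On the constructed rows it reports hmdutoi.dll on BAY596 four times across four days with two partial removals, the pattern that points at something re-creating the file rather than at a single leftover.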

Paul Mapacpac

Re

Vikram is correct; it seems that a process is still recreating the file. Please scan under safe mode and run the removal tool.

Please also run the Loadpoint Diagnostic Tool from Symantec, then post/attach it here so we can analyze.

Fatih Teke

system32

I scanned system32 now and there is nothing infected. I downloaded Icesword120 and there is no hmdutoi.dll file.
I'll block this DLL, but Downadup can create random DLLs.
You said "Most probably it is a rootkit and it is a new one that is not getting detected", but the SEP definition date is 07.06.09 (m.d.y).
Will Symantec create a new definition for this problem? I can send all logs from this client.
Now I will block the DLL.
Best regards.


Vikram Kumar-SAV to SEP

YES Symantec will

Yes... Symantec will release definitions for the file, but it should know which file it is, and definitely it is not hmdutoi.dll.
I would suggest you call support, as they will gather Loadpoint logs, analyse them and tell you to submit suspicious files.


Bekir

safe mode is essential

Did you run the tool in safe mode? What are the results?

Best regards,
Bekir Burak Durmaz

Fatih Teke

@ Bekir

Hello Bekir
I scanned it in safe mode today. I scanned it with d.exe and SEP and here is the result.
d.exe result
Symantec W32.Downadup Removal Tool 1.1.0.7
ERROR: Can't change ACL/permissions for file C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1f42c86d8717876354dc1b0621f5ffcc_ce994c0d-54db-48f9-bd79-f68e5d1d0fe5; file not scanned
ERROR: Can't change ACL/permissions for file C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\48175d99b17b9b5499ac880a11d1c57f_ce994c0d-54db-48f9-bd79-f68e5d1d0fe5; file not scanned
ERROR: Can't change ACL/permissions for file C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6074b088feda04a7674f58bdff1af884_ce994c0d-54db-48f9-bd79-f68e5d1d0fe5; file not scanned
ERROR: Can't change ACL/permissions for file C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8c830d9f17fba73b0caad9ab90685388_ce994c0d-54db-48f9-bd79-f68e5d1d0fe5; file not scanned
ERROR: Can't change ACL/permissions for file C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8cd97c61dd7ed2aa584de6d2de3f17ee_ce994c0d-54db-48f9-bd79-f68e5d1d0fe5; file not scanned
ERROR: Can't change ACL/permissions for file C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bb0f3e724d7ad210b8edd09065b1a0ae_ce994c0d-54db-48f9-bd79-f68e5d1d0fe5; file not scanned
ERROR: Can't change ACL/permissions for file C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e77e7ee2bf7030a9be155277375ddab0_ce994c0d-54db-48f9-bd79-f68e5d1d0fe5; file not scanned
ERROR: Can't change ACL/permissions for file C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\edfba913bb0e09cd4d4e7e7db0185df4_ce994c0d-54db-48f9-bd79-f68e5d1d0fe5; file not scanned
ERROR: Can't change ACL/permissions for file C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f7db081400462103cb28be953eb77011_ce994c0d-54db-48f9-bd79-f68e5d1d0fe5; file not scanned

W32.Downadup has not been found on your computer.

And SEP result, including yesterday.

Date and Time Risk Action Filename Risk Type Original Location Computer User Status Current Location Primary Action Secondary Action Logged By Action Description
08.07.2009 10:48 Tracking Cookie Deleted Unavailable Trackware Unavailable BAY596 gurkan.yildiz Deleted Deleted Quarantine Leave alone (log only) Manual scan The file was deleted successfully.
07.07.2009 11:14 W32.Downadup.B Restart Processing Unavailable File Unavailable BAY596 SYSTEM Infected Unavailable Delete Leave alone (log only) Scheduled scan Performing Post-Reboot Risk Processing.
07.07.2009 11:14 W32.Downadup.B Restart Processing Unavailable File Unavailable BAY596 SYSTEM Infected Unavailable Delete Leave alone (log only) Scheduled scan Performing Post-Reboot Risk Processing.
07.07.2009 11:14 W32.Downadup.B Restart Processing Unavailable File Unavailable BAY596 SYSTEM Infected Unavailable Delete Leave alone (log only) Scheduled scan Performing Post-Reboot Risk Processing.
06.07.2009 15:03 W32.Downadup.B Restart Required - Deleted hmdutoi.dll File c:\WINDOWS\system32\ BAY596 SYSTEM Deleted Deleted Restart Required - Delete Restart Required - Quarantine Scheduled scan The file was deleted successfully.
05.07.2009 15:03 W32.Downadup.B Restart Required - Deleted hmdutoi.dll File c:\WINDOWS\system32\ BAY596 SYSTEM Deleted Deleted Restart Required - Delete Restart Required - Quarantine Scheduled scan The file was deleted successfully.
04.07.2009 15:03 W32.Downadup.B Restart Required - Deleted hmdutoi.dll File c:\WINDOWS\system32\ BAY596 SYSTEM Deleted Deleted Restart Required - Delete Restart Required - Quarantine Scheduled scan The file was deleted successfully.
03.07.2009 10:30 W32.Downadup.B Restart Processing hmdutoi.dll File c:\windows\system32\ BAY596 SYSTEM Infected c:\windows\system32\ Delete Leave alone (log only) Scheduled scan Performing Post-Reboot Risk Processing.
03.07.2009 10:30 W32.Downadup.B Restart Processing hmdutoi.dll File c:\windows\system32\ BAY596 SYSTEM Infected c:\windows\system32\ Delete Leave alone (log only) Scheduled scan Performing Post-Reboot Risk Processing.
03.07.2009 10:30 W32.Downadup.B Restart Processing hmdutoi.dll File c:\windows\system32\ BAY596 SYSTEM Infected c:\windows\system32\ Delete Leave alone (log only) Scheduled scan Performing Post-Reboot Risk Processing.
02.07.2009 12:02 W32.Downadup.B Restart Required - Partial (Non Critical Failure) hmdutoi.dll File c:\windows\system32\ BAY596 SYSTEM Infected c:\windows\system32\ Restart Required - Delete Restart Required - Quarantine Scheduled scan Risk was partially removed.
30.06.2009 12:02 W32.Downadup.B Restart Required - Partial (Non Critical Failure) hmdutoi.dll File c:\windows\system32\ BAY596 SYSTEM Infected c:\windows\system32\ Restart Required - Delete Restart Required - Quarantine Scheduled scan Risk was partially removed.
25.06.2009 12:17 W32.Downadup.B Restart Required - Partial (Non Critical Failure) hmdutoi.dll File c:\windows\system32\ BAY596 SYSTEM Infected c:\windows\system32\ Restart Required - Delete Restart Required - Quarantine Scheduled scan Risk was partially removed.
08.06.2009 13:35 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine Auto-Protect scan The file was deleted successfully.
08.06.2009 11:55 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine Auto-Protect scan The file was deleted successfully.
08.06.2009 07:50 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine Auto-Protect scan The file was deleted successfully.
08.06.2009 07:37 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine Auto-Protect scan The file was deleted successfully.
08.06.2009 06:09 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine Auto-Protect scan The file was deleted successfully.
08.06.2009 05:26 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine Auto-Protect scan The file was deleted successfully.
08.06.2009 05:14 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine Auto-Protect scan The file was deleted successfully.
08.06.2009 04:23 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine Auto-Protect scan The file was deleted successfully.
08.06.2009 04:20 W32.Downadup.B Cleaned by deletion hmdutoi.aw File C:\WINDOWS\system32\ BAY596 Administrator Deleted Deleted Clean security risk Quarantine Auto-Protect scan The file was deleted successfully.


Fatih Teke

@Vikram

Hello Mr. Vikram.
I used this tool and exported the report (\Sym_LoadPointDiag). How can I send it to you, or attach it here?
Best Regards


Vikram Kumar-SAV to SEP

HTML

In this log there should be an HTML log
that should be in C:\Symtemp\Sym_Loadpoint...zip
You can attach it here.
 


Fatih Teke's picture

there are many files

There are many files in there. I added a picture below. Please tell me which log you want. There is ESUGLPDU.html, but it has a lot of information and I couldn't paste it here. If you say which information you want, I can paste it here.
By the way, thank you very much for the help.

------------------------------------------
Everything works better when everything works together.

Frank019's picture

I think he wants the

I think he wants the ESUGLPDU.html since he said the "HTML log".

Vikram Kumar-SAV to SEP's picture

Yes the HTML file

Yes, you can attach ESUGLPDU.html (ESUG Load Point Diagnostic Utility).
This file is zipped and password protected; the password is "symantec".

Celebrating 2 years as a community member....

Paul Mapacpac's picture

Re

Just attach the zip here, then we will just download it.

Fatih Teke's picture

@paul

Hi Paul.
I am sorry, I cannot upload a zip file here because I don't know how to do that :( I can only upload pictures. How can I upload it here? :$

------------------------------------------
Everything works better when everything works together.

Fatih Teke's picture

@paul and @ vikram

Hello again.
I really need your help. My boss wants a result on this problem. I said "this is a new variant and Symantec will deploy new definitions", but I must be sure it cannot infect other computers.
How can I upload the zip file here?
Best Regards.

------------------------------------------
Everything works better when everything works together.

kajal's picture

Just update your operating

Just update your operating system.

Paul Mapacpac's picture

Re

Hi kajal, Fatih already patched the operating system; we are now waiting for the Loadpoint Diagnostic log from sir Fatih.

Fatih, to upload the file on this thread, click the edit on the top, below the menus.

Vikram Kumar-SAV to SEP's picture

Loadpoint Logs

Couldn't find anything suspicious in the log files... I compared it to the Loadpoint of my computer and searched for the unknown ones..
However, I am still looking into it, but if it is a rootkit it won't show up in Loadpoint; that's what worries me.

Here is the location of the HTML log file for Paul or anybody else interested in analysing it.

http://www.2shared.com/file/6622810/59a01212/ESUGLPDU.html

Celebrating 2 years as a community member....

Paul Mapacpac's picture

Re

Hi Fatih, I have checked the logs and it seems normal. Another request: can you list the directories on the root drive (please include hidden files and folders)? I have encountered before a virus which is not visible in Task Manager but whose process runs under explorer.exe.

Fatih Teke's picture

sysinternals

I can look at running executables with Sysinternals tools. They show every application that is running, better than Task Manager.
Vikram said there is no suspicious file, but you saw all the logs: there is no problem, yet Downadup infected.
I'll write the C:\ folders (with hidden folders).
Best Regards.

------------------------------------------
Everything works better when everything works together.

Paul Mapacpac's picture

Re

Just do a dir /ah > c:\log.txt

Fatih Teke's picture

dir

dir /ah shows only one hidden file:
10.07.2009 08:27 1.509.949.440 pagefile.sys

and dir of everything:

27.06.2008 19:41 <DIR> 10PARMAK (keyboard program)
23.03.2009 11:30 <DIR> 23Mart_ebyn (account program)
22.05.2009 13:11 41 aa.txt
03.03.2002 13:38 0 AClient.cfg
27.06.2008 19:41 <DIR> Always (program)
03.03.2002 14:06 0 AUTOEXEC.BAT
27.06.2008 20:01 211 boot.ini
22.11.2001 13:00 4.952 Bootfont.bin
17.08.2006 14:25 1.628 BP.TXT
17.08.2006 14:26 6.730 BP1.TXT
17.08.2006 14:21 5.170 BY.TXT
29.06.2009 16:52 85 citizen.bat (I created this; no problem)
03.03.2002 14:06 0 CONFIG.SYS
25.06.2009 12:06 2.348.928 D.exe (symantec remove tool)
10.07.2009 12:34 236 dir.txt
10.07.2009 12:35 0 dir2.txt
27.06.2008 19:41 <DIR> dmi
22.05.2009 13:12 <DIR> Documents and Settings
22.04.2009 09:59 <DIR> ebyn (account program)
13.08.2008 15:11 5.121.024 ebyn.exe (account program)
16.02.2009 14:55 <DIR> ebyn_16_02_09 (account program)
22.04.2009 09:58 <DIR> ebyn_22_04_2009 (account program)
13.08.2008 15:45 <DIR> EBYN_TEMMUZ_SONU (account program)
27.06.2008 19:46 <DIR> ESKI DISK D (account program)
24.01.2002 17:47 35 Eurojava.sys
08.07.2009 10:44 2.086 FixDwndp.log
27.06.2008 19:42 <DIR> gecici (folder)
18.08.2006 10:55 6.039 GUER.TXT
11.01.2002 19:31 764 hosts
07.07.2009 12:52 <DIR> IceSword120_en
27.06.2008 20:07 0 IO.SYS
15.02.2002 15:46 0 isemarket.alarm
15.02.2002 15:46 288 isemarket.port
17.08.2006 15:26 27.754 KASA.TXT
13.06.2007 13:13 55 Lisans Anahtari.txt
08.07.2009 11:25 28.176 log.csv
10.07.2009 12:29 117.121 logfile.txt
10.07.2009 10:40 <DIR> mail pst
27.06.2008 19:44 <DIR> mevzuat2003
27.06.2008 20:07 0 MSDOS.SYS
23.03.2009 10:59 <DIR> MSOCache
27.06.2008 19:44 <DIR> MTU
27.06.2008 19:44 <DIR> NEVER
03.08.2004 23:38 47.564 NTDETECT.COM
16.04.2009 10:36 250.560 ntldr
17.08.2006 15:27 15.808 OR.TXT
17.04.2009 06:15 <DIR> Program Files
27.06.2008 19:44 <DIR> RadminLog
08.07.2009 10:57 <DIR> RECYCLER
27.06.2008 19:44 <DIR> Reg
26.12.2008 14:04 1.280.512 REKLAM GİDERLERİ.xls
27.06.2008 19:44 <DIR> Rel403
07.07.2009 11:14 27.367 risklog.csv
14.07.2008 16:07 <DIR> SET
07.11.2005 14:09 16.291.424 setup.exe
03.03.2002 11:38 814.629 SP20363.exe
07.07.2009 11:15 268 sqmdata00.sqm
08.07.2009 10:29 268 sqmdata01.sqm
09.07.2009 20:51 268 sqmdata02.sqm
07.07.2009 11:15 244 sqmnoopt00.sqm
08.07.2009 10:29 244 sqmnoopt01.sqm
09.07.2009 20:51 244 sqmnoopt02.sqm
08.07.2009 13:04 <DIR> Sym_LoadPointDiag
08.07.2009 13:08 272.056 Sym_LoadPointDiag.rar
16.04.2009 10:23 <DIR> System Volume Information
28.05.2009 15:20 <DIR> TEMP
13.04.2009 18:07 <DIR> tmp
27.06.2008 19:45 <DIR> TVK2003
27.06.2008 19:45 <DIR> TVK2003hesapplani
27.06.2008 19:45 <DIR> TVK2003hesapplan
27.06.2008 19:45 <DIR> TVK2003muktezalar
27.06.2008 19:45 <DIR> TVK2003_sozluk
27.06.2008 19:45 <DIR> TVK2004
27.06.2008 19:45 <DIR> TVK2005
08.07.2009 10:58 <DIR> WINDOWS
03.06.2009 10:08 513 xp key.txt
27.06.2008 19:45 <DIR> Y
08.07.2009 11:17 1.369 Yeliz Ayaz sep log 08.07.2009.csv
22.08.2001 20:09 326.217 YELLOW20.103
27.06.2008 19:45 <DIR> ywdwk

------------------------------------------
Everything works better when everything works together.

Paul Mapacpac's picture

Re

Can we inspect more on these folders?

27.06.2008 19:41 <DIR> dmi
07.07.2009 12:52 <DIR> IceSword120_en
27.06.2008 19:44 <DIR> NEVER
14.07.2008 16:07 <DIR> SET
27.06.2008 19:45 <DIR> Y
27.06.2008 19:45 <DIR> ywdwk

Paul Mapacpac's picture

Re

Any updates on these folders? Are they all valid?

mon_raralio's picture

Additional info

I was checking the latest alerts in our SEP environment. A lot of W32.Downadup detections came from Temporary Internet Files with .jpg extensions.
Contrary to what the previous articles have said, that it spreads using autorun.inf, it seems they found a new method of spreading the threat.

So if you are still getting alerts on this, check what files are being detected. They will keep on coming back unless you block the source website.

Paul Mapacpac's picture

Re

Hi mon, what do you suggest? Fatih should post websites visited? (history)

mon_raralio's picture

That's a tough one to fix,

That's a tough one to fix, for instance if the website in question is on the intranet and the web designer uses infected files. And you can't force other companies/web owners to scan their files before uploading them to the Internet, or to be protected against code injection. Just check whether the infected files were properly treated by SEP for starters.

Miruch's picture

The same problem with SEP & Downadup

Hi everyone!

I have the same problem with SEP & W32.Downadup. The client has Win XP SP3 and a SEP client with the latest virus definitions.
The virus was on a USB key and SEP did not block it. Downadup blocked several accounts in the domain. SEP removed the virus after a system reboot.
I had two such cases in the last month.

Fatih Teke's picture

last risk

I saw the logs now. The last attack was 07.07.09; after that there is no new attack. Is this machine now safe?


------------------------------------------
Everything works better when everything works together.

Fatih Teke's picture

another computer still continue

My server is still getting Downadup. It has the latest patches and updates too, like the other PC above.
I add a picture here again. I look at the source and it's "local host"; Risk Tracer is on. Why can't I see the source, and what should I do for this computer?
I need your help.
Thanks.

------------------------------------------
Everything works better when everything works together.

Fatih Teke's picture

downadup attacks

Please share your ideas with me. If Symantec needs my reports to create a new virus definition, I can send all the information.
Please help.

------------------------------------------
Everything works better when everything works together.

mon_raralio's picture

@Fatih Teke: W32.Downadup.B

@Fatih Teke: W32.Downadup.B seems to be deleted by Symantec. And unlike your first post, which showed DLL infections, these are Temporary Internet Files with extensions used by picture files. Have you updated your OS with all the necessary security patches?

Paul Mapacpac's picture

Re

I believe Fatih already updated the system; it seems the infection came from a website.. Check the IE/Firefox history.

M Samir0n's picture

Try downloading & installing

Try downloading & installing Rapid Release defs & scan the PC in safe mode once.

Fatih Teke's picture

update error

The last picture was taken from a Server 2003 that needs a few security updates. Now I am checking them. But why WSUS doesn't send updates to this server I don't know. I hope this problem will be resolved with this update. I will write the result after the update.
Have a nice day.

------------------------------------------
Everything works better when everything works together.

reza akhlaghy's picture

Please also check this

Hi Faith,

Open services.msc, then sort by the Description column. If you find two services with the same description, then your computer is already infected with Downadup and it is downloading its complement from the Internet. One of those two services with the same description is the virus and the other is legitimate. To discover which, open the properties of each service; if you find a garbage name in the "Service name" field, then you have found your service. You need to delete it with the command "SC DELETE <garbage service name>", reboot and rescan. Symantec will take care of the rest.
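The check in the post above (sort services by description, look for two entries sharing one, then pick the one with a garbage service name) can be done against an exported service list instead of by eye. The script below is an added example, not code from the thread or from Symantec; it takes service records (short name, display name, description, ServiceDll value) such as you would pull from `HKLM\SYSTEM\CurrentControlSet\Services` and flags, within each duplicate-description group, the entry whose short name is not a known one or whose ServiceDll is not a .dll. The records, descriptions and the `KNOWN_NAMES` allowlist are constructed for illustration; in practice the allowlist comes from a clean reference machine, as the thread suggests for the Loadpoint comparison.

```python
"""Flag a Downadup-style rogue service by its duplicated description.

Added example (not from the thread or from Symantec). Applies the
services.msc check from the post to a list of service records. Records,
descriptions and the allowlist are constructed; descriptions are
illustrative, not Microsoft's exact text.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Service:
    name: str          # short name, shown in the "Service name" field
    display: str
    description: str
    service_dll: str   # Services\<name>\Parameters\ServiceDll for svchost services


# Constructed sample, including one rogue svchost entry that copies the BITS
# description but carries a gibberish name and a payload that is not a .dll.
SAMPLE_SERVICES = [
    Service("BITS", "Background Intelligent Transfer Service",
            "Transfers files in the background using idle network bandwidth.",
            r"C:\WINDOWS\system32\qmgr.dll"),
    Service("wuauserv", "Automatic Updates",
            "Enables the download and installation of Windows updates.",
            r"C:\WINDOWS\system32\wuauserv.dll"),
    Service("ERSvc", "Error Reporting Service",
            "Allows error reporting for services and applications.",
            r"C:\WINDOWS\system32\ersvc.dll"),
    Service("jkhrtdsx", "Background Intelligent Transfer Service",
            "Transfers files in the background using idle network bandwidth.",
            r"C:\WINDOWS\system32\hmdutoi.aw"),
]

# Constructed allowlist of service short names expected on this build.
KNOWN_NAMES = {"BITS", "wuauserv", "ERSvc", "wscsvc", "Schedule", "Dnscache"}


def duplicate_descriptions(services):
    """Map each description shared by two or more services to their short names."""
    by_desc = defaultdict(list)
    for s in services:
        by_desc[s.description.strip().lower()].append(s.name)
    return {d: names for d, names in by_desc.items() if len(names) > 1}


def flag_rogue_services(services, known=KNOWN_NAMES):
    """Within each duplicate-description group, pick out the impostor.

    A service is flagged when it shares a description with another service and
    either its short name is not in the allowlist or its ServiceDll does not
    end in .dll. Returns a list of (name, reason) pairs.
    """
    dupes = duplicate_descriptions(services)
    flagged = []
    for s in services:
        if s.description.strip().lower() not in dupes:
            continue
        reasons = []
        if s.name not in known:
            reasons.append("unknown service name")
        if not s.service_dll.lower().endswith(".dll"):
            reasons.append(f"ServiceDll is not a .dll ({s.service_dll})")
        if reasons:
            flagged.append((s.name, "; ".join(reasons)))
    return flagged


def cleanup_commands(flagged):
    """Build the sc.exe command the post prescribes for each flagged name (not executed)."""
    return [f"sc delete {name}" for name, _ in flagged]


if __name__ == "__main__":
    hits = flag_rogue_services(SAMPLE_SERVICES)
    for name, reason in hits:
        print(f"suspicious service {name}: {reason}")
    print("\n".join(cleanup_commands(hits)))
```

Submit the flagged ServiceDll file to Symantec before deleting anything, as the thread advises for undetected DLLs; the `sc delete` line is the post's own removal step, produced as text so it can be reviewed first.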

Fatih Teke's picture

Update & safe mode scan

Hi everybody.
I think I solved this problem. I didn't get an attack since yesterday.
I checked updates and one security update was needed. (Why WSUS didn't install it I don't know. I am not sure this happened because of this security update.)
And I scanned in safe mode.
Now I am looking at the risk log. There are no more attacks.
Thank you for the answers.
Everybody helped me with this problem.

------------------------------------------
Everything works better when everything works together.

Vikram Kumar-SAV to SEP's picture

Sounds Great

Hey!! Sounds great.. It's always a happy moment when you get rid of this beast.
Anyway, I will suggest you still monitor it for a day or two.

Celebrating 2 years as a community member....

Fatih Teke's picture

you're right

You're right Vikram. I will watch it. Now I am looking into why WSUS didn't send this update to this client. Thank you again.
Have a nice day

------------------------------------------
Everything works better when everything works together.

kailaspadwale's picture

I have the same problem.. Please help me...

Hi Fatih Teke,

I have the same problem, did you get a solution???

If you got a solution then please also help me, because I am also facing the same problem in my organization.

I am waiting for your response on how to fix this problem...

Thank you very much for the great help in advance....

Thanks & Regards,
Kailas

Paul Mapacpac's picture

Re

Solution

Please read this document from Symantec about Downadup

http://www.symantec.com/security_response/writeup....

Make sure your systems have the latest windows updates especially the Microsoft Security Update for Windows XP (KB958644)

You can also download the removal tool which is stated on the KB (Downadup Removal Tool)

Scan your computer on safe mode and make sure you have the latest virus definition updates.

Peterpan's picture

any automated solution for

any automated solution for the Downadup virus? Because our workstations number about 3000 PCs and most of them are infected with this kind of virus. Do you mean I need to touch every workstation just to patch and scan in safe mode? It is very time consuming and difficult to do so.

:-)

Peterpan's picture

some of our enduser say that

Some of our end users say that Symantec is very ineffective when it comes to detecting a virus, particularly in the Downadup issue. Although SEP can detect and delete Downadup, it cannot totally block it. Please expedite the recommended solution before we lose clients.

Take note it must be automated

:-)

mon_raralio's picture

Hi, Peterpan

SEP, assuming that all the definitions are updated, will treat the threat as soon as the OS and Symantec have the ability to modify or remove the file. This is usually when the file has completed downloading. If you check the user's logs, you'll find that the threat was treated one or two tries after initial detection. If this is wrong, post a screenshot of the risk logs. :-)

Peterpan's picture

any other update on this

any other update on this thread?

:-)

Fatih Teke's picture

solution is

Hello Peterpan.
I did it like this.
First, check all security and critical updates. All must be installed on the machine.
Then update SEP.
Block autorun.inf both with Active Directory Group Policy and with SEP "Application and device manager".
And change your antivirus and antispyware rules. I changed the first action and second action:
the first action is delete, the second is move to quarantine.

------------------------------------------
Everything works better when everything works together.

Peterpan's picture

I tried that solution on one

I tried that solution on one PC, but after a few days Downadup recurs. What is the possible cause of this? Do I need to patch all the other PCs before Downadup is removed from my network?

:-)

Fatih Teke's picture

yes you must

Yes. You must update all PCs in your company, because I know Downadup is very, very fast and clever. It tries to crack the administrator password if it is easy, and tries to copy itself to other networks.
You cannot delete Downadup if the PC needs updates, because SEP doesn't close Windows's backdoors.
I know because I saw it.
One of my PCs was attacked by Downadup every day and every hour. SEP was updated, but I saw the computer needed one critical security update. When I installed it there were no more attacks from Downadup. (You can see the pictures above.)
Have you got a WSUS in your company? You must install it for updates. It is really important. You can lose all computers. I know because we did :((
We installed 5 servers (one of them a domain controller, another 2 were additional servers) and more than 100 PCs.
(As you well know, we installed a DC; that's why we joined all PCs to the new domain. It takes more time..)
I saw what Downadup can do! That's why please be fast and update all PCs in your company.
If your Windows updates are OK and SEP is updated, Downadup cannot infect.
Please write again if you have a problem or anything.

------------------------------------------
Everything works better when everything works together.

Bekir's picture

Change your all AV actions to

Change your all AV actions to immediate delete. You'll see that infection numbers will decrease in time.

Best regards,
Bekir Burak Durmaz

mon_raralio's picture

.

Assuming that all infections came from outside the network, will the number of infections still have a noticeable decrease?

Peterpan, you may want to try this out in your network too.

Fatih Teke's picture

@ Bekir

Yes Bekir, you're right. Infection numbers decreased.

------------------------------------------
Everything works better when everything works together.

Mithun Sanghavi's picture

“Best practice”for Win32/Conficker.B [MS] - w32.downadup.B[SYM]

“Best practice”for Win32/Conficker.B [MS] - w32.downadup.B[SYM]

Infection/propagation Method

-Flash drives/open shares/mapped drives [autorun.inf]
-Admin$ - random brute force password attack on the networked systems
-Exploit MS08-067 – RPC BO vulnerability in netapi32.dll

How it works ?

Initial attack happens on one of the networked systems.

This initial attack and execution can be achieved by visiting any malware-hosting website [cracks/music/free downloads/hacked etc.], or by plugging an infected flash drive into the production network.

Mostly un-patched systems/browsers are the initial victims of this attack.

Once executed it installs a service under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BadServiceName

This service is most of the time a .dll file [we need to submit this one if not already detected by SEP].

The service uses the MS Task Scheduler to create multiple jobs.
These jobs execute a file, rundll32.exe random_name.random_ext <args>, at random intervals.
These extensions are not always .dll; it could be anything [i.e. .ifs, .jpg, .tmp, .c].
In Task Manager we'll see multiple rundll32.exe running.
That file is in most cases detected by SEP; if not, we need to submit that file.
That's the file which again may attack other systems or download other threats.
Multiple instances of this file continuously run in memory and attack other systems.
The threat tries to plant autorun.inf & a random_name.exe file in the mapped drives and open shares to execute itself across the network.
It also disables Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services.

What’s the bad part ?

User account lockout policy. As known, the threat tries to gain access to different systems on the network by brute force password attack.
Because of this activity multiple user accounts get locked out. Apart from that, the threat also may download multiple threats like W32.Sality [a file infector], which would make the story even worse.

What is the PLAN OF ACTION if I get a case on w32.downadup.B

- Confirm in SEPM that all systems have SEP up and running and up to date [with all the latest security updates from MS]

This step is very critical because we cannot afford to leave even 1 system in the network unprotected, and as observed it happens most of the time that some systems in the network are without SEP and/or not up to date/not patched, and those machines are later found to be the source/attacking machines. We can simply check this in the SEPM Clients tab and compare the number with the total number of clients in the LAN.

- Get the exact number of systems infected and the threats names.
SEPM-Monitors-logs-risk logs would help

- Confirm if the server is infected too
Find possible infection on the server: check scheduled tasks / autorun.inf in open shares / unknown services / disabled services [BITS/AU etc.] [analyzing the ESUG log would be a good idea]

-Disable Auto play from GPO [across the domain] we can use application device control policy as well. [see the links in the bottom of this article]

-Disable Task Scheduler service [If it’s not being used in the network]

-Back trace the “source systems” from where the attack is being originated

This is one more critical step to narrow down the network. We need to find from which systems the attack is actually originating.
We can find this out in 3 ways:

1-IPS logs [log-only mode, coz' block mode will block the system for 600 secs, which the customer may not like]
2-Event Viewer - Security logs - Failure Audits [we have to enable Failure Audits in GPO if not enabled already]
3-Net Logon debug log [see the links at the bottom of this article]

-Once we find the above information we can use Nlparse from Microsoft account lockout tools to analyze Netlogon.log [see the links in the bottom of this article]

-The above logs will give us an idea about the systems which are attacking other systems in the network.

-We need to first target these machines and get the ESUG logs from them.

-We need to avoid logging in to the system as "domain administrator" coz' by doing this we would make the job of the threat easier, as it uses {impersonates} the currently logged-on account to access/infect other systems in the network. IF 'isolating' these systems is possible then that would certainly help us.

-We need to confirm the patch KB 958644/AV status /disabled services / registry entries on these systems. [ESUG]

-Once these systems are cleaned hopefully the situation would be under control.

For the MS-specific steps [editing GPO / enabling the Netlogon log] we may consult MS tech support if the customer has a support contract with MS [to be on the safer side]. If not, then we can help him as best-effort support.

Links we Need

Below is our write up
http://www.symantec.com/security_response/writeup....

Here is an article by SRT on 01-09-2009 07:11 AM
https://forums.symantec.com/t5/blogs/blogarticlepa...

Here is another analysis by security Intel analysis team
https://forums.symantec.com/t5/Malicious-Code/W32-...

This is a MS-KB on the removal process/best practice of w32.downadup.B
http://support.microsoft.com/kb/962007

Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

MS Account Lockout Tools
http://www.microsoft.com/downloads/details.aspx?Fa...

MS08-67 patch download [KB 958644]
http://www.microsoft.com/technet/security/Bulletin...

Disable Auto play with GPO
http://support.microsoft.com/kb/953252

Disable Scheduled Tasks with GPO
http://support.microsoft.com/kb/310208

Enable Security Auditing with GPO
http://support.microsoft.com/kb/300549

Thanks and Regards
-----------------------------------------------------
Mithun Sanghavi
Enterprise Product Support Analyst
Microsoft Certified Systems Administrator
Symantec Small Business Security Certified
Enterprise Technical Support
Sym
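Step 3 of the back-tracing list above (the Net Logon debug log, KB 109626) and the nlparse tool it mentions both come down to one operation: count failed pass-through logons per originating workstation. The script below is an added example, not code from the thread, Symantec or Microsoft; it parses Netlogon.log-style lines, tallies failures by source host, lists the accounts that hit lockout, and names the hosts above a threshold as the "source systems" to pull the ESUG logs from. The log lines are constructed in the Netlogon.log format; the NTSTATUS values are the standard ones from ntstatus.h.

```python
"""Trace the source of a brute-force logon storm from a Netlogon debug log.

Added example (not from the thread, Symantec or Microsoft). With Netlogon
debug logging enabled on the DC, every pass-through logon is recorded with
the account, the originating workstation and an NTSTATUS result; failures
per workstation point at the attacking hosts. Sample lines are constructed.
"""
import re
from collections import Counter

# NTSTATUS codes relevant to lockout tracing (values from ntstatus.h).
STATUS_WRONG_PASSWORD = 0xC000006A
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234
STATUS_NO_SUCH_USER = 0xC0000064

# Constructed sample: BAY596 hammers two accounts until one locks out; WS017 is
# a normal user who mistyped a password once. "Entered" lines carry no result.
SAMPLE_NETLOGON = r"""
08/05 14:05:23 [LOGON] CORP: SamLogon: Network logon of CORP\asmith from BAY596 Entered
08/05 14:05:23 [LOGON] CORP: SamLogon: Network logon of CORP\asmith from BAY596 Returns 0xC000006A
08/05 14:05:24 [LOGON] CORP: SamLogon: Network logon of CORP\asmith from BAY596 Returns 0xC000006A
08/05 14:05:24 [LOGON] CORP: SamLogon: Network logon of CORP\bjones from BAY596 Returns 0xC000006A
08/05 14:05:25 [LOGON] CORP: SamLogon: Network logon of CORP\bjones from BAY596 Returns 0xC0000234
08/05 14:06:01 [LOGON] CORP: SamLogon: Network logon of CORP\cdoe from WS017 Returns 0x0
08/05 14:06:40 [LOGON] CORP: SamLogon: Network logon of CORP\cdoe from WS017 Returns 0xC000006A
"""

LOGON_RE = re.compile(
    r"SamLogon: .*?logon of (?P<account>\S+) from (?P<source>\S+) Returns (?P<status>0x[0-9A-Fa-f]+)")


def parse_netlogon(text):
    """Yield (account, source_host, status) for each completed logon attempt."""
    for line in text.splitlines():
        m = LOGON_RE.search(line)
        if m:
            yield m.group("account"), m.group("source"), int(m.group("status"), 16)


def summarize_netlogon(text, threshold=3):
    """Count failed logons per originating host and collect locked-out accounts.

    Returns a dict with 'failures_by_source' (Counter), 'locked_accounts' (set)
    and 'suspects': hosts with at least `threshold` failures, busiest first.
    """
    failures = Counter()
    locked = set()
    for account, source, status in parse_netlogon(text):
        if status == 0:
            continue                      # successful logon, not interesting here
        failures[source] += 1
        if status == STATUS_ACCOUNT_LOCKED_OUT:
            locked.add(account)
    suspects = [host for host, n in failures.most_common() if n >= threshold]
    return {"failures_by_source": failures, "locked_accounts": locked, "suspects": suspects}


if __name__ == "__main__":
    report = summarize_netlogon(SAMPLE_NETLOGON)
    for host, n in report["failures_by_source"].most_common():
        print(f"{host}: {n} failed logons")
    print("locked accounts:", sorted(report["locked_accounts"]))
    print("source systems to isolate and pull ESUG logs from:", report["suspects"])
```

Point `summarize_netlogon` at the contents of `%windir%\debug\netlogon.log` from each DC; the hosts it lists are the ones the post says to isolate, check for KB 958644 and collect ESUG logs from, and the locked-account set explains the lockout tickets that usually start the case.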

Vikram Kumar-SAV to SEP's picture

Nice Writeup

This is a nice writeup on Downadup written by Satyam Pujari..

Celebrating 2 years as a community member....

ajeet kumar's picture

really nice

really nice information
thanks Mithun

Mithun Sanghavi's picture

Sure Shot Fix

The above given troubleshooting steps are a sure shot fix... I have applied the same steps to all my customers... and it has given me 100% results.

Thanks and Regards
-----------------------------------------------------
Mithun Sanghavi
Enterprise Product Support Analyst
Microsoft Certified Systems Administrator
Symantec Small Business Security Certified
Enterprise Technical Support
Sym

Nourbakhsh's picture

W32.Downadup Problem Solved !!!

 @Fatih

Dear Sir, I'm so happy that in the end you solved the W32.Downadup problem.
As you mentioned before (on July 2nd, 2009, on the first computer infected via W32.Downadup), KB958644 was installed & that system was updated. But when you again say that you solved your problem, you said that the problem was solved because of a security update:
You said, 3 weeks 4 days ago: "I think I solved this problem. I didn't get an attack since yesterday. I checked updates and one security update was needed. (Why WSUS didn't install it I don't know. I am not sure this happened because of this security update.)"

I think that you did a lot of things (installed security updates, updated virus definitions, some security rules, some tricks & meanwhile Symantec did something inside the virus definitions) & suddenly you see that your problem is solved.
Please refer to the old posts & related comments & answer me, because as you see, some other people also have the same problem with this virus & it still continues ... & they can't use your solution to finish it.
And you know that this virus can make many problems for a network, even for your position, am I right?

Many thanks

Fatih Teke's picture

yes you can see it above

A week and two days ago. If you have the same problem, please do this:
solution is

Hello Peterpan.
I did it like this.
First, check all security and critical updates. All must be installed on the machine.
Then update SEP.
Block autorun.inf both with Active Directory Group Policy and with SEP "Application and device manager".
And change your antivirus and antispyware rules. I changed the first action and second action:
the first action is delete, the second is move to quarantine.

------------------------------------------
Everything works better when everything works together.

Nourbakhsh's picture

Real Solutions for W32.Downadup

Dear Fatih
I'm sure that you removed W32.Downadup from your servers & finally solved the W32.Downadup story by yourself, because
of the many things you tried. But please think of your old topics, about what you said about points like (security patches,
security updates, hotfixes & even some configuration you did in your networks by closing USB via Symantec Endpoint)
& some others you said before ...
As you mentioned before, on July 2nd, 2009, "on the first computer infected via W32.Downadup, KB958644 was installed & that
system was updated", you said. Am I right?
But again, when your problem was solved, you said that the problem was solved because of a security update:
You said, 3 weeks 4 days ago: "I think I solved this problem. I didn't get an attack since yesterday. I checked updates
and one security update was needed. Why WSUS didn't install it I don't know." you said.

For these reasons, I am not sure that, as you mentioned, the W32.Downadup story was finished at your side. I think that you did
a lot of things (installed security updates, updated virus defs & added some security rules, did some tricks & also meanwhile
the Symantec team did something inside the virus defs) & suddenly you see that your problem is solved & think about the last job you did.
Please refer to the old posts & related comments & answer me, because as you see, some other people also have the same problem with
this virus & still the story continues ... & they can't use your solution to finish it. By the way, you know very well that
this virus can make many problems for a network, even for network administrators' positions too. Isn't it?

Many thanks

mon_raralio's picture

autorun.inf is only one way

autorun.inf is only one way that w32.downadup infects a PC. There are also alerts on our network indicating a W32.Downadup infection but from the Temporary Internet Files folder and it is not of the filename autorun.inf. They usually have .jpg extensions.

Vikram Kumar-SAV to SEP's picture

Conficker Beast

Patch KB958644 is famous for Downadup, but nowadays that's not all: you have to have all the security patches updated to be free from this threat.

@ Nourbakhsh -- If you have one system that is not patched with the above patch in your whole network, it is enough to infect the computers that it can communicate with, no matter what definitions they have.
Yes, if your computer has updated AV defs it won't let it propagate or work as it does, but it will get into your computer due to the high encryption methods used.

So if you think you have all the systems patched with the above KB and all updated virus definitions and still you are infected with Downadup, then you are wrong.
There is one guy who is either not having this patch / does have updated defs / not using AV (turned off/un-installed) et al.

There are many ways of finding this culprit computer; two of them present in-house with SEP are the IPS logs/alerts and the Risk Tracer feature of Auto-Protect. For more information read this article
https://www-secure.symantec.com/connect/articles/worms-and-threats-spread-across-networks-network-shares-have-become-more-common-recent-yea-0
And there are other ways of doing it using Nmap or Netlogon logs or security audit; most of them are only useful when it is locking your user accounts, but Risk Tracer works in all scenarios..

Once you find that system, remove it from the network, patch it, update the AV defs, and bring it back to the network.

Celebrating 2 years as a community member....