Video Screencast Help

W32.Downadup.B pop-ups

Created: 27 Nov 2012 | 6 comments

Hi,

 

Getting pop-ups for a machine that W32.Downadup.B has been detected and cleaned. Performed a full and active scan but didn't find any threats. Also, downloaded W32.Downadup removal tool but did't get any threats found but still pop-ups are still coming from symantec...!!!!

 

Regards.

Anish

Comments 6 CommentsJump to latest comment

Mithun Sanghavi's picture

Hello,

Same issue in the current Thread: https://www-secure.symantec.com/connect/forums/virus-information

Work on the Plan of Action as given below for a 100% result.

Plan of Action:

1) Make sure ALL Computers are installed with Symantec EP with latest / updated with virus defintions and

2) Install MS08-67 patch download [KB 958644] on ALL computer.

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

3) Install ALL Latest Microsoft Secuirty Patches / Sevice Packs on ALL machines

4) Disable Auto play with GPO

http://support.microsoft.com/kb/953252

5) Disable Scheduled Tasks with GPO

http://support.microsoft.com/kb/310208

6) Enable Security Auditing with GPO

http://support.microsoft.com/kb/300549

7) Scan ALL the machines...

NOTE: *ALL means ALL client machines and server machines (make sure you don't miss any machine)

Inaddition to this, please check the Article provided below and work upon the same.

1) Best Practice for Downadup.B and Additional information on the same.

https://www-secure.symantec.com/connect/articles/best-practice-downadupb-and-additional-information-same

2) Simple steps to protect yourself from the Conficker Worm

http://www.symantec.com/docs/TECH93179

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Anishk's picture

Hi,

 

The microsoft patch mentioned does not seem to be available for windows 7 os.

 

Regards,

Anish

.Brian's picture

Because this vulnerability does not exist in Windows 7. This than means you have another machine on your network which is trying to infect this machine.

Have verified in the NTP logs the remote IP address of the attacker? This should tell you where the infection attempt is coming from.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture

Hello,

I agree with the above comment.

I would suggest you turn on the Risk Tracer to understand the source of the Risk.

What is Risk Tracer?

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/be1edccb0e39927280257363003a2bb3?OpenDocument

Note: Risk Tracer relies upon the Windows File and Printer Sharing. If this is disabled Risk Tracer will not work.

Also, check this Thread: https://www-secure.symantec.com/connect/forums/w32downadupb-how-could-you-find-source-if-there-are-1k-infected

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

waelhilal's picture

yes true, agree.

How to remove W32:

Step 1 : Scan and remove W32.Downadup with this special tool

1. Download the Downadup removal tool from http://download.precisesecurity.com/bd_rem_tool.zip and save it on your Desktop or any accessible location.

This tool is available free. It can delete members of the Downadup family of Trojan. The tool is created with removal function; it cannot protect the computer from threats.

 

2. Double click on downloaded file, chose "Extract all files..." from the File menu, and follow the wizard's instructions. You can use any other archiver, like WinZip. This will create a folder called bd_rem_tool.

3. Double click on the file "bd_rem_tool_gui.exe" (or just "bd_rem_tool_gui"). Make sure that all files have been extracted from the zip archive, because all the contents are required for the removal tool to run. Follow the tool's instructions.

4. If you have Restricted Access (not Admin) on Windows Vista and XP, right click the "bd_rem_tool_gui" program and choose "Run as Administrator". Enter the computer Administrator User name and Password when prompted. This will scan the computer for presence of W32.Downadup. Remove all detected threats.

5. Reboot your computer when scanning is finished.

 

Step 2 : Run a scan with your antivirus program

1. Repeat the process of starting Windows in Safe Mode with Networking.
2. Open your antivirus program and download the most recent update. This method ensures that your antivirus program can detect even newer variants of W32.Downadup.

Updating your antivirus software is a one-click process. Please refer to your software manual for complete instructions.

3. Once updating is finished, run a full system scan on the affected PC. After the scan, delete all infected items. If unable to clean or delete, better place the threat in quarantine.

Step 3: Run another test with online virus scanner

Another way to remove W32.Downadup without the need to install additional antivirus software is to perform a thorough scan with free online virus scanner. It can be found on websites of legitimate antivirus and security provider.

1. Click the button below to proceed to the list of suggested Online Virus Scanner. Choose your desired provider. You can run each scan individually, one at a time, to ensure that all threats will be removed from the computer. This may require plug-ins, add-on or Activex object, please install if you want to proceed with scan.

 

 

2. After completing the necessary download, your system is now ready to scan and remove W32.Downadup and other kinds of threats.
3. Select an option in which you can thoroughly scan the computer to make sure that it will find and delete entirely all infections not detected on previous scan.
4. Remove or delete all detected items.
5. When scanning is finished, you may now restart the computer in normal mode.

Alternative Removal Procedures for W32.Downadup

Option 1 : Use Windows System Restore to return Windows to previous state

If W32.Downadup enters the computer, there is a big chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with a clean version. If you have a saved restore point before W32.Downadup infiltrates the PC, we highly encourage you to execute this procedure if none of the above works.

To verify if System Restore is active on your computer, you can type system restore into the Start menu search box. Typingrstrui on the same box and pressing Enter also opens this function.

 

If previous restore point is saved, you may proceed with Windows System Restore. Click here to see the full procedure.

Option 2 : W32.Downadup manual uninstall guide

IMPORTANT! Manual removal of W32.Downadup requires technical skills. Deleting system files and registry entries by mistake may result to total disability of Windows system. We advise you to perform a backup of registry before proceeding with this guide.

1. Kill any running process that belongs to W32.Downadup.
- Press Ctrl+Alt+Del on your keyboard.
- When Windows Task Manager appears, look for W32.Downadup files (refer to Technical Reference) and click End Process.

2. Delete all registry entries that belong to this malware.
- Press [Windows Key]+R on your keyboard.
- In the 'Open' dialog box, type regedit and press Enter. This will open registry editor.
- Find and delete the following:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random charaters.exe]"
- Close registry editor. Changes made will be save automatically.

 

3. Scan the computer with antivirus program.
- Connect to Internet and open your antivirus software. Please update to obtain the latest database and necessary files.
- Restart the computer in Safe Mode.
- Just before Windows logo begins to load press F8 on your keyboard.
- On Windows Advanced Boot Options, select Safe Mode and press Enter.

4. Delete all files dropped by W32.Downadup.
- While still in Safe Mode, search and delete malicious files. Please refer to 'Technical Reference'. Make sure that you execute 'End Task' first before deleting the file. Otherwise, the system will not let you perform this action.

reference: http://www.precisesecurity.com/worms/w32downadupe

Hope this is a good selution.

Thanks

 

 

 

 

 

Wael Hilal

Mobile: 00966531377132

Mithun Sanghavi's picture

Hello,

An additional link that will be of interest:

The Downadup Codex, Edition 2.0
https://www-secure.symantec.com/connect/blogs/downadup-codex-edition-20

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.