
How to beat W32.Downadup infections - Outbreak Scenario

Created: 03 Jan 2010 • Updated: 13 Jan 2010 | 5 comments
Aaed Alqarta
This is my working cure for Conficker infections.

1) To start, download the required patches and the fix tool:

Windows 2000:

Windows 2003:

Windows XP:

Windows Vista SP0 + SP1:

Symantec FixDownadupTool:

2) Create a shared folder on a server to hold the downloaded files (apply read-only permission for all users).

3) Use PsExec to read a text file that lists the infected machines and run the batch file on them under a privileged account, such as a Windows domain admin.

4) In the batch file, replace the server name and shared folder name with your own.

So, for example (run this as domain administrator):

c:\psexec @infected.txt -d -c Clean-Downadup.bat

infected.txt should contain one name/IP per line, like:


Use netscan to ping a range of IPs and save the results as a text file.

Other important points:

1) Review the current password policy. You can configure a Windows GPO that requires complex passwords with a minimum number of characters.

2) Use Nessus to scan all machines with plugin ID 34476 and check whether they have the MS08-067 patch installed. (You can use a different tool to check for the installed patch; this is just an example.)

Important Note: Please check the batch file before you run it on "Production Servers", because it will disable some features in Windows to prevent Conficker infection.

Rename "Clean-Downadup.txt" to "Clean-Downadup.bat"
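The following is an added example, not part of the original article or its batch file: a PowerShell sketch that turns raw scan output into the one-name/IP-per-line infected.txt that PsExec reads, dropping malformed entries and holding back production servers for manual review first. The function names, sample hosts and review list are hypothetical and constructed for illustration; the host-name pattern is a deliberately conservative assumption.

```powershell
# Added example: build infected.txt for "psexec @infected.txt" from scan output.
# Function names, sample hosts and the review list are constructed for illustration.
function Test-HostEntry {
    param([string]$Entry)
    if ($Entry -match '^[\d.]+$') {
        # Only digits and dots: must be a full IPv4 address with octets 0-255.
        $octets = $Entry.Split('.')
        if ($octets.Count -ne 4) { return $false }
        foreach ($o in $octets) {
            if ($o -notmatch '^\d{1,3}$' -or [int]$o -gt 255) { return $false }
        }
        return $true
    }
    # Otherwise accept only letters, digits, hyphens and dots (assumed naming rule),
    # so a line with spaces, quotes, & or | never reaches the PsExec target list.
    return $Entry -match '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
}

function Get-CleanupTargets {
    param([string[]]$ScanLines, [string[]]$ReviewFirst = @())
    $seen = @{}   # hashtable keys are case-insensitive, so PC-01 and pc-01 collapse
    $targets = @(); $held = @(); $bad = @()
    foreach ($line in $ScanLines) {
        $entry = ($line -replace '#.*$', '').Trim()   # drop comments and padding
        if (-not $entry -or $seen.ContainsKey($entry)) { continue }
        $seen[$entry] = $true
        if (-not (Test-HostEntry $entry))      { $bad     += $entry }
        elseif ($ReviewFirst -contains $entry) { $held    += $entry }   # production: check the batch file first
        else                                   { $targets += $entry }
    }
    [pscustomobject]@{ Targets = $targets; Held = $held; Rejected = $bad }
}

$scan = @'
# constructed sample: hosts flagged by the scan
192.168.10.21
PC-ACCT-07
pc-acct-07
192.168.10.300
FILESRV01
bad host & name
'@ -split "`r?`n"

$result = Get-CleanupTargets -ScanLines $scan -ReviewFirst @('FILESRV01')
$result.Targets | Set-Content -Path .\infected.txt -Encoding ASCII
"To clean : $($result.Targets -join ', ')"
"Held back: $($result.Held -join ', ')"
"Rejected : $($result.Rejected -join ', ')"
```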

5 Comments

Nel Ramos

Thanks Aaed for the quickfix for downadup...

Nel Ramos

prashant_sh03

Does it restart the machine also?
