Enter your Keyword, Search here,

Manual Removal of W32/Downadup.AL Worm

Manual Removal of W32/Downadup.AL Worm.
W32/Downadup.AL is a Worm. The W32/Downadup.AL worm will infect Windows systems.
This worm first appeared on January 19, 2009.
Other names of W32/Downadup.AL Worm:
This Worm is also known as Win32/Conficker, W32/Conficker.worm.gen, Mal/Conficker.
Read F-Secure Downadup.AL Details
Read Symantec Downadup.AL Details
Damage Level : Medium/High
Distribution Level:
Medium
Symantec Removal Tool for W32/Downadup.AL Worm
F-Secure Removal Tool for W32/Downadup.AL Worm
W32/Downadup.AL Worm Manual Removal Instructions
Recommend Removal from Safe Mode:

How to Start in Safe mode:
Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.
The Infected Files Can be Seen in these folders and names also Running in Tasks
End the Following Active Process Before Removal
  • [ Kill the Process, Use Killbox if your Access Denied ]
  • The W32/Downadup.AL Worm copies itself with the random name with *.dll extension in the following locations
  • %Windows System
  • %Programs Files\Internet Explorer
  • %Programs Files\Movie Maker
  • %All Users Application Data
  • %Windows Temp
    ---------------------------------------------
  • %System%\[Random].dll
  • %Program Files%\Internet Explorer\[Random].dll
  • %Program Files%\Movie Maker\[Random].dll
  • %All Users Application Data%\[Random].dll
  • %Temp%\[Random].dll
  • %System%\[Random].tmp
  • %Temp%\[Random].tmp
  • %DriveLetter\RECYCLER\[Folder]\[1fe.a3d][3 random characters]
  • %DriveLetter%\autorun.inf
  • The W32/Downadup.AL Worm copies itself with the random name with .tmp extension in the following locations
  • Windows System
  • Windows Temp
  • The W32/Downadup.AL Worm disables the following services:
  • Windows Automatic Update Service (wuauserv)
  • Background Intelligent Transfer Service (BITS)
  • Windows Security Center Service (wscsvc)
  • Windows Defender Service (WinDefend)
  • Windows Error Reporting Service (ERSvc)
  • Windows Error Reporting Service (WerSvc)
  • The W32/Downadup.AL Worm attempts to block the access to the following security sites which contain the following strings
  • virus, spyware, malware, rootkit, defender, microsoft, symantec, norton, mcafee, trendmicro, sophos, panda, etrust, networkassociates, computerassociates, f-secure, kaspersky, jotti, f-prot, nod32, eset, grisoft, drweb, centralcommand, ahnlab, esafe, avast, avira, quickheal, comodo, clamav, ewido, fortinet, gdata, hacksoft, hauri, ikarus, k7computing, norman, pctools, prevx, rising, securecomputing, sunbelt, emsisoft, arcabit, cpsecure, spamhaus, castlecops, threatexpert, wilderssecurity, windowsupdate, nai, ca, avp, avg, vet, bit9, sans, cert
    If you have any of these files in running process from task manger, end the process before removal.
    Note: if task manager is disabled, Download the following file, Click to Download - Enable Registry.reg
    [ Right Click - Save Target As/Linked Content As ]
    Open it with Regedit.exe [%system32\regedit.exe], then it Confirms Add to registry Yes or No, Confirm Yes, then click Ok.
W32/Downadup.AL Worm Entries Manual Removal From Registry
Click Start, Run,Type regedit,Click OK.
Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor.
  • Download this UnHookExec.inf, [ Right Click - Save Target As/Linked Content As ]
    and then continue with the removal.Save it to your Windows desktop. Do not run it at this time, download it only.
  • After booting into the Safe Mode or VGA Mode
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
The W32/Downadup.AL Worm modifies registry at the following locations to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    "TcpNumConnections" = dword:0x00FFFFFE
  • The worm deletes a number of keys from the registry, in order to deactivate the Security Center Notifications and prevent Windows Defender from starting. It also bypasses the Windows Firewall by creating the following registry entry, so that the system can download a copy of the worm:
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List, [PortNumber]:TCP = "[PortNumber]:TCP:*Enabled:[random]"
  • To hide its presence in the system, the worm deletes any System Restore points created by the user, then modifies the following registry keys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHO WALLCheckedValue = dword:00000000
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, netsvcs = %Previous data% and %Random%
  • During infection, the worm may create a temporary (TMP) file in the the System or Temp folders. The TMP file created is registered as a service kernel driver using the following registry entry:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random]
    Type = dword:00000001
    Start = dword:00000003
    ErrorControl = dword:00000000
    ImagePath = "\...\%Path%\[random].tmp"
    DisplayName = [Random]
  • Once the key is created, the file %MalwarePath%\[random].tmp is deleted.An interesting change the worm makes to the registry involves the following registry entries:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    DisplayName = %ServiceName%
    Type = dword:00000020
    Start = dword:00000002
    ErrorControl = dword:00000000
    ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
    ObjectName = "LocalSystem"
    Description = %description%
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random]\Parameters
    ServiceDll = %Path%

Search Registry For Virus File Names listed above to remove completely,
Edit Menu - Find
, enter Keyword and remove all value that find in search.

Exit the Registry Editor,
Restart your Computer.

Recommended Removal Tools:
Killbox (Freeware)

No comments :

Post a Comment

Comment on this Post!!

More Posts that you may be interested...