The Downadup, or Conficker, infection is
a worm that predominantly spreads via exploiting the MS08-067
Windows vulnerability, but also includes the ability to infect other computers
via network shares and removable media. Not since the Sasser and MSBlaster worms
have we seen such a widespread infection as we are seeing with the Downadup
worm. In fact, according to the anti-virus vendor F-Secure, the Downadup worm has
8.9 million infected computers. Microsoft has addressed the problem by releasing
a patch to fix the Windows vulnerability, but there are still many computers
that do not have this patch installed, and thus the worm has been able to propagate
throughout the world.
When installed, Conficker / Downadup will copy itself to your C:\Windows\System32
folder as a randomly named DLL file. If it has problems copying itself to the
System32 folder, it may instead copy itself to the %ProgramFiles%\Internet Explorer
or %ProgramFiles%\Movie Maker folders. It will then create a Windows service
that automatically loads this DLL via svchost.exe, which is a legitimate file,
every time you turn on your computer. The infection will then change a variety
of Windows settings that will allow it to efficiently infect other computers
over your network or the Internet.
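The service-plus-svchost.exe loading described above is something you can check for yourself. The following PowerShell is an added example, not part of the original guide or BitDefender's tool: it walks every service whose ImagePath is svchost.exe, reads the DLL named in its Parameters\ServiceDll value, and flags the ones a responder would look at first, namely DLLs sitting in the Internet Explorer or Movie Maker folders the guide mentions, DLLs with no valid Authenticode signature, and DLLs whose path no longer exists. The function and variable names are my own; it assumes an elevated PowerShell 3.0 or later prompt on the suspect machine.

```powershell
# Added example (not from the guide): list svchost-hosted services and the DLL
# each one loads, then flag the candidates worth inspecting by hand.
# Run from an elevated PowerShell prompt on the suspect machine.

# The guide says the worm falls back to these folders when it cannot write
# to System32; a service DLL living in either of them is unusual.
$suspectDirs = @(
    (Join-Path $env:ProgramFiles 'Internet Explorer'),
    (Join-Path $env:ProgramFiles 'Movie Maker')
)

function Get-SvchostServiceDlls {
    $results = @()
    foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Only services hosted inside svchost.exe are of interest here.
        if (-not $props.ImagePath -or $props.ImagePath -notmatch 'svchost\.exe') { continue }

        $params = Get-ItemProperty -Path (Join-Path $key.PSPath 'Parameters') -ErrorAction SilentlyContinue
        if (-not $params.ServiceDll) { continue }

        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        $reasons = @()

        foreach ($dir in $suspectDirs) {
            if ($dll -like "$dir\*") { $reasons += "service DLL lives in $dir" }
        }

        # Legitimate Windows service DLLs carry a signature; a dropped, randomly
        # named DLL does not. Catalog-signed system files can report NotSigned on
        # older Windows versions, so treat an unsigned result as a lead, not a verdict.
        if (Test-Path $dll) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
        } else {
            $reasons += 'ServiceDll path does not exist on disk'
        }

        $results += [PSCustomObject]@{
            Service    = $key.PSChildName
            ServiceDll = $dll
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
    return $results
}

# Show only the entries that tripped at least one check.
Get-SvchostServiceDlls | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

Because the worm blocks access to anti-virus sites rather than hiding its service, this kind of listing is often the quickest way to see which randomly named service is being loaded; compare anything flagged against the log the removal tool writes once the cleanup has run.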
Once the infection is running, you will find that you are no longer able to
access a variety of sites such as Microsoft.com and those of many anti-virus vendors.
It does this so that you cannot download removal tools or update your anti-virus
programs. It will then perform the following actions in no specific order:
- Stop and start System Restore in order to remove all your current System
Restore points so that you cannot roll back to a previous date where your
computer was working properly.
- Check for Internet connectivity by attempting to connect to one of the following
- Attempts to determine the infected computer's IP address by visiting one
of the following sites:
- Download other files to be used as necessary.
- Scan the infected computer's network for vulnerable computers and try to
Some symptoms that may hint that you are infected with this malware are as
- Anti-malware software stating you are infected with infections using the
- Automatic updates no longer working.
- Anti-virus software is no longer able to update itself.
- Unable to access a variety of security sites, such as anti-virus software
- Random svchost.exe errors.
Using the following guide we will walk you through removing this worm from your
computer and securing your computer so it does not get infected with Downadup
again. Due to the fact that this worm stops us from accessing the sites we need
to download the removal tools from, you will need to be able to access another
computer that is clean and have the ability to copy files from that computer
to the infected one. If at all possible, I suggest you copy the files using
a burnable DVD or CD in order to prevent your computer USB drives from possibly
Downadup / Conficker scanning a range of IP Addresses
This guide will walk you through removing the Conficker and Downadup worms
for free. If you would like to read more information about this infection, we
have provided some links below.
information from Microsoft
Worm Dubbed 'Epidemic'
Tools Needed for this fix:
01/23/09 - Initial Guide Creation
Automated Removal Instructions for Downadup and Conficker using BitDefender's Anti-Downadup tool:
- Print out these instructions as we will need to close every window that
is open later in the fix.
- Due to the fact that Downadup and Conficker do not allow you to connect
to Microsoft and a variety of security sites you must first download the Windows
patch and the removal tool from another computer and transfer the file to
your infected PC. On a clean computer, download BitDefender's Anti-Downadup
tool from the following location and save the file to your desktop. The current
name of the file is bd_rem_tool.zip.
Conficker Removal Tool
- Next visit the following link and download the KB958644/MS08-067 security
patch for your particular Windows operating system:
Patch Download Link
Look through the list and click on the link that corresponds to the version
of Windows that is running on the infected machine. Then download the file
from the page that opens and save it to your desktop.
- Now copy bd_rem_tool.zip and the Windows patch file to a floppy, CD, or
USB drive so we can copy it to the infected PC.
- Once the files are stored on the removable device, copy them onto your
infected PC's Windows desktop.
- Once the Windows patch and bd_rem_tool.zip file are on your infected computer's
desktop, you will need to first install the Windows patch. Simply double-click
on the file that you downloaded from Microsoft's web site and follow the prompts
to install the patch. This will make it so your computer does not become reinfected
after we clean the current infection. If the patch is already installed,
the installer will detect that and not reinstall it.
- Now we need to extract the files from the bd_rem_tool.zip. You can do this
by right-clicking on the bd_rem_tool.zip and then selecting the Extract
All... menu option as shown in the image below.
- At the next screen, keep clicking the Next button until
you see a screen similar to the one below.
Now that the file has finished being extracted, click on the Finish
- A folder will open containing two files. These files are named bd_rem_tool_console.exe
and bd_rem_tool_gui.exe. Please double-click on the bd_rem_tool_gui.exe
file to start the program. When you run this program, Windows may display
a warning similar to the image shown below.
If you receive this warning, please click on the Run button
to continue starting Anti-Downadup on your computer. If you did not receive
this warning, then Anti-Downadup should have started and you can proceed to
- You will now see a screen prompting you to start the scan or close the program.
Please click on the Start button to have the program scan
your computer and remove any Downadup and Conficker infections on your computer.
- Anti-Downadup will now start to scan your computer and determine if you
are infected as shown below.
This process can take 10 minutes, so please be patient. When it is done, if
your computer is clean it will tell you so and you can close the program.
Otherwise, continue with the rest of the steps.
- When Anti-Downadup has finished scanning your computer it will prompt you
to reboot your computer in order to finish the cleaning process.
Press the Yes button to allow the infected computer to be rebooted.
If you do not reboot your computer, you will be left with a blue screen as
Explorer was terminated during the cleaning process.
- When the computer has finished rebooting you should no longer have the Conficker
or Downadup infections on your computer. To see a log of what was deleted
you can open the C:\Win32.Worm.Downladup.Gen.log file in
Though the infection is now removed from your computer, we need to make sure
you do not get infected again. As you should have already installed the Windows
patch, you can no longer be infected via the MS08-067
exploit. This infection, though, does infect you through network shares and
removable devices as well. So please examine your computer for any network shares
and disable any that are not necessary to have open.
The next step is to disable Autorun on your computer. Autorun is a feature
that allows executables to automatically run when you insert removable media
such as a CD/DVD, Flash Drive, or other USB device. Having Autorun enabled is
a security risk due to the fact that a virus can spread through the use of removable
media. For example, if you use your flash drive on a computer infected
with a removable media worm, your flash drive will become infected. Then
when you use that infected flash drive on a computer that has Autorun enabled,
the infection will automatically run and infect the new computer. As you can
see, disabling Autorun is an important step to securing your computer. Please
note that if you disable this feature, then any time you insert a removable
media, including a CD or DVD, they will not automatically open or start. Instead
you will need to open My Computer and right click on the specific drive and
select Explore or Play in order to access the contents of the media. If you
would prefer security over convenience then please download the following file
and save it on your desktop:
Once the file is downloaded, simply double-click on it. When Windows asks if
you would like to merge the data, click on the Yes button.
Now that Autorun is disabled, reboot your computer to make the setting effective.
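The two hardening steps above, reviewing network shares and disabling Autorun, can also be done and verified from a shell. The following PowerShell is an added example, not the guide's own registry file or any BleepingComputer tool: it lists the shares a user has created (the built-in C$, ADMIN$ and IPC$ administrative shares are left out), writes the Explorer policy value NoDriveTypeAutoRun with all drive-type bits set, and reads it back so you can confirm the change before the reboot the guide calls for. The function names are my own, and it assumes an elevated PowerShell prompt; whether the .reg file the guide links to sets exactly this value is an assumption, since that file is not reproduced on this page.

```powershell
# Added example (not from the guide): review network shares and disable Autorun
# for every drive type. Run from an elevated PowerShell prompt after the cleanup.

# 1. List shares other than the built-in administrative ones so you can decide
#    which to remove. Win32_Share Type 0 is an ordinary disk share; the admin
#    shares (C$, ADMIN$, IPC$) use the high-bit types and are skipped.
function Get-UserCreatedShares {
    Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -eq 0 } |
        Select-Object Name, Path, Description
}

# 2. Explorer's Autorun policy. 0xFF sets the bit for every drive type, so no
#    CD/DVD, flash drive or other removable media will auto-run.
#    Assumption: the .reg file the guide links to sets this same value.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-Autorun {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -PropertyType DWord `
        -Value 0xFF -Force | Out-Null
}

# 3. Read the value back; the setting only takes effect after the reboot the guide asks for.
function Test-AutorunDisabled {
    $value = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun `
        -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    return ($value -eq 0xFF)
}

Get-UserCreatedShares | Format-Table -AutoSize
Disable-Autorun
if (Test-AutorunDisabled) { 'NoDriveTypeAutoRun = 0xFF; reboot to apply.' }
else { 'NoDriveTypeAutoRun was not written; check that this shell is elevated.' }

# To remove a share you decided you do not need (placeholder name, replace it):
#   net share ShareName /delete
```

Listing rather than deleting shares is deliberate: the guide asks you to disable only the shares that are not necessary, and that is a judgement the script cannot make for you.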
Congratulations! Your computer should now be free of the Downadup and Conficker program and you will no longer be vulnerable to infection from this
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help
This is a self-help guide. Use at your own risk.
BleepingComputer.com cannot be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.
If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? forum and someone will help you.