How to remove the Downadup and Conficker worm (Uninstall Instructions)

  • January 23, 2009

The Downadup, or Conficker, infection is a worm that predominantly spreads via exploiting the MS08-067 Windows vulnerability, but also includes the ability to infect other computers via network shares and removable media. Not since the Sasser and MSBlaster worms have we seen such a widespread infection as we are seeing with the Downadup worm. In fact, according to anti-virus vendor, F-Secure, the Downadup worm has infected over 8.9 million infected computers. Microsoft has addressed the problem by releasing a patch to fix the Windows vulnerability, but there are still many computers that do not have this patch installed, and thus the worm has been able to propagate throughout the world.

When installed, Conficker / Downadup will copy itself to your C:\Windows\System32 folder as a random named DLL file. If it has problems copying itself to the System32 folder, it may instead copy itself to the %ProgramFiles%\Internet Explorer or %ProgramFiles%\Movie Maker folders. It will then create a Windows service that automatically loads this DLL via svchost.exe, which is a legitimate file, every time you turn on your computer. The infection will then change a variety of Windows settings that will allow it to efficiently infect other computers over your network or the Internet.

Once the infection is running, you will find that you are no longer able to access a variety of sites such as Microsoft.com and many anti-virus vendors. It does this so that you cannot download removal tools or update your anti-virus programs. It will then perform the following actions in no specific order:

  • Stop and start System Restore in order to remove all your current System Restore points so that you cannot roll back to a previous date where your computer was working properly.

  • Check for Internet connectivity by attempting to connect to one of the following sites:

    • aol.com
    • cnn.com
    • ebay.com
    • msn.com
    • myspace.com

  • Attempts to determine the infection computer's IP address by visiting one of the following sites:

    • http://www.getmyip.org
    • http://getmyip.co.uk
    • http://checkip.dyndns.org
    • http://www.whatismyip.com/

  • Download other files to be used as necessary.

  • Scan the infected computer's network for vulnerable computers and try to infect them.

Some symptoms that may hint that you are infected with this malware are as follows:

  • Anti-malware software stating you are infected with infections using the following names:

    • Net-Worm.Win32.Kido
    • W32/Conficker.worm.gen
    • Worm.Conficker
    • W32.Downadup
    • W32/Downadup.AL
    • W32/Confick-A
    • Win32/Conficker.A
    • Mal/Conficker
    • Worm:Win32/Conficker.B
    • Win32.Worm.Downadup.Gen

  • Automatic updates no longer working.

  • Anti-virus software is no longer able to update itself.

  • Unable to access a variety of security sites, such as anti-virus software companies.

  • Random svchost.exe errors.


Using the following guide we will walk you through removing this worm from your computer and securing your computer so it does not get infected again with Downadup again. Due to the fact that this worm stops us from accessing the sites we need to download the removal tools from, you will need to be able to access another computer that is clean and have the ability to copy files from that computer to the infected one. If at all possible, I suggest you copy the files using a burnable DVD or CD in order to prevent your computer USB drives from possibly becoming infected.

  • Downadup / Conficker scanning a range of IP Addresses

This guide will walk you through removing the Conficker and Downadup worms for free. If you would like to read more information about this infection, we have provided some links below.

Reference Links:

F-Secure Downadup information

Windows MS08-067 Patch

Worm:Win32/Conficker.B information from Microsoft

Conficker/Downadup Worm Dubbed 'Epidemic'

Self Help Guide

This guide contains advanced information, but has been written in such a way so that anyone can follow it. Please ensure your data is backed up before proceeding.

If you are uncomfortable making changes to your computer or following these steps, do not worry! Instead you can get free one-on-one help by asking in the forums.
  1. Print out these instructions as we will need to close every window that is open later in the fix.

  2. Due to the fact that Downadup and Conficker do not allow you to connect to Microsoft and a variety of security sites you must first download the Windows patch and the removal tool from another computer and transfer the file to your infected PC. On a clean computer, download BitDefender's Anti-Downadup tool from the following location and save the file to your desktop. The current name of the file is bd_rem_tool.zip.

    BitDefender's Conficker Removal Tool



  3. Next visit the following link and download the KB958644/MS08-067 security patch for your particular Windows operating system:

    MS08-067 Patch Download Link


    Look through the list and click on the link that corresponds to the version of Windows that is running on the infected machine. Then download the file from the page that opens and save it your desktop.

  4. Now copy bd_rem_tool.zip and the Windows patch file to a floppy, CD, or USB drive so we can copy it to the infected PC.

  5. Once the files are stored on a removable device, copy it back onto your infected PC's Windows desktop.

  6. Once the Windows patch and bd_rem_tool.zip file are on your infected computer's desktop, you will need to first install the Windows patch. Simply double-click on the file that you downloaded from Microsoft's web site and follow the prompts to install the patch. This will make it so your computer does not become reinfected again after we clean the current infection. If the patch is already installed, the Microsoft patch will detect that and not reinstall it.

  7. Now we need to extract the files from the bd_rem_tool.zip. You can do this by right-clicking on the bd_rem_tool.zip and then selecting the Extract All... menu option as shown in the image below.




  8. At the next screen, keep clicking the Next button until you see a screen similar to the one below.





    Now that the file has finished being extracted, click on the Finish button.

  9. A folder will open containing two files. These files are named bd_rem_tool_console.exe and bd_rem_tool_gui.exe. Please double-click on the bd_rem_tool_gui.exe file to start the program. When you run this program, Windows may display a warning similar to the image shown below.




    If you receive this warning, please click on the Run button to continue starting Anti-Downadup on your computer. If you did not receive this warning, then Anti-Downadup should have started and you can proceed to step 9.

  10. You will now see a screen prompting you to start the scan or close the program.





    Please click on the Start button to have the program scan your computer and remove any Downadup and Conficker infections on your computer.

  11. Anti-Downadup will now start to scan your computer and determine if you are infected as shown below.




    This process can take 10 minutes, so please be patient. When it is done, if your computer is clean it will tell you so and you can close the program. Otherwise, continue with the rest of the steps.

  12. When Anti-Downadup has finished scanning your computer it will prompt you to reboot your computer in order to finish the cleaning process.




    Press Yes button to allow the infected computer to be rebooted. If you do not reboot your computer, you will be left with a blue screen as Explorer was terminated during the cleaning process.

  13. When the computer has finished rebooting you should no longer have the Conficker or Downadup infections on your computer. To see a log of what was deleted you can open the C:\Win32.Worm.Downladup.Gen.log file in Notepad.

 

Though the infection is now removed from your computer, we need to make sure you do not get infected again. As you should have already installed the Windows patch, you will not be able to be infected again via the MS08-067 exploit . This infection, though, does infect you through network shares and removable devices as well. So please examine your computer for any network shares and disable any that are not necessary to have open.

The next step is to disable Autorun on your computer. Autorun is a feature that allows executables to automatically run when you insert removable media such as a CD/DVD, Flash Drive, or other USB device. Having Autorun enabled is a security risk due to a fact that a virus can spread through the use of removable media. For example, if you had used your flash drive on a computer infected with a removable media worm, then your flash drive will become infected. Then when you use that infected flash drive on a computer that has Autorun enabled, the infection will automatically run and infect the new computer. As you can see, disabling Autorun is an important step to security your computer. Please note that if you disable this feature, then any time you insert a removable media, including a CD or DVD, they will not automatically open or start. Instead you will need to open My Computer and right click on the specific drive and select Explore or Play in order to access the contents of the media. If you would prefer security over convenience then please download the following file and save it on your desktop:

Noauto.reg download link

Once the file is downloaded, simply double-click on it. When Windows asks if you would like to merge the data, click on the Yes button. Now that Autorun is disabled, reboot your computer to make the setting effective.

Congratulations! Your computer should now be free of the Downadup and Conficker program and you will no longer be vulnerable to infection from this malware.

This is a self-help guide. Use at your own risk.

BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus,Trojan,Spyware, and Malware Removal Logs forum.

If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? and someone will help you.

search guides
Mandiant mWise Conference 2024

Login