Vista ARTICLES TOP 50 Spyware Virus Vista SOFT Vista HELP

Manual Removal of W32/Downadup.AL Worm

Manual Removal of W32/Downadup.AL Worm.

W32/Downadup.AL is a Worm. The worm will infect Windows systems.
This worm first appeared on January 19, 2009.
Other names of W32/Downadup.AL Worm:
This Worm is also known as Win32/Conficker, W32/Conficker.worm.gen, Mal/Conficker.
Read F-Secure Downadup.AL Details
Read Symantec Downadup.AL Details

Damage Level : Medium/High
Distribution Level: Medium

Symantec Removal Tool for W32/Downadup.AL Worm
F-Secure Removal Tool for W32/Downadup.AL Worm
Worm Manual Removal Instructions
Recommend Removal from Safe Mode:
How to Start in Safe mode:
Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.

The Infected Files Can be Seen in these folders and names also Running in Tasks
End the Following Active Process Before Removal

[ Kill the Process, Use Killbox if your Access Denied ]
The Worm copies itself with the random name with *.dll extension in the following locations
%Windows System
%Programs Files\Internet Explorer
%Programs Files\Movie Maker
%All Users Application Data
%Windows Temp
———————————————
%System%\[Random].dll
%Program Files%\Internet Explorer\[Random].dll
%Program Files%\Movie Maker\[Random].dll
%All Users Application Data%\[Random].dll
%Temp%\[Random].dll
%System%\[Random].tmp
%Temp%\[Random].tmp
%DriveLetter\RECYCLER\[Folder]\[1fe.a3d][3 random characters]
%DriveLetter%\autorun.inf
The Worm copies itself with the random name with .tmp extension in the following locations
Windows System
Windows Temp
The worm disables the following services:
Windows Automatic Update Service (wuauserv)
Background Intelligent Transfer Service (BITS)
Windows Security Center Service (wscsvc)
Windows Defender Service (WinDefend)
Windows Error Reporting Service (ERSvc)
Windows Error Reporting Service (WerSvc)
The worm attempts to block the access to the following security sites which contain the following strings
virus, spyware, malware, rootkit, defender, microsoft, symantec, norton, mcafee, trendmicro, sophos, panda, etrust, networkassociates, computerassociates, f-secure, kaspersky, jotti, f-prot, nod32, eset, grisoft, drweb, centralcommand, ahnlab, esafe, avast, avira, quickheal, comodo, clamav, ewido, fortinet, gdata, hacksoft, hauri, ikarus, k7computing, norman, pctools, prevx, rising, securecomputing, sunbelt, emsisoft, arcabit, cpsecure, spamhaus, castlecops, threatexpert, wilderssecurity, windowsupdate, nai, ca, avp, avg, vet, bit9, sans, cert
If you have any of these files in running process from task manger, end the process before removal.
Note: if task manager is disabled, Download the following file, Click to Download - Enable Registry.reg
Open it with Regedit.exe [%system32\regedit.exe], then it Confirms Add to registry Yes or No, Confirm Yes, then click Ok.

Worm Entries Manual Removal From Registry

Click Start, Run,Type regedit,Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor.

Download this UnHookExec.inf, and then continue with the removal.Save it to your Windows desktop. Do not run it at this time, download it only.
After booting into the Safe Mode or VGA Mode
Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]

The Worm modifies registry at the following locations to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
“TcpNumConnections” = dword:0×00FFFFFE
The worm deletes a number of keys from the registry, in order to deactivate the Security Center Notifications and prevent Windows Defender from starting. It also bypasses the Windows Firewall by creating the following registry entry, so that the system can download a copy of the worm:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List, [PortNumber]:TCP = “[PortNumber]:TCP:*Enabled:[random]”
To hide its presence in the system, the worm deletes any System Restore points created by the user, then modifies the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHO WALLCheckedValue = dword:00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, netsvcs = %Previous data% and %Random%
During infection, the worm may create a temporary (TMP) file in the the System or Temp folders. The TMP file created is registered as a service kernel driver using the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random]
Type = dword:00000001
Start = dword:00000003
ErrorControl = dword:00000000
ImagePath = “\…\%Path%\[random].tmp”
DisplayName = [Random]
Once the key is created, the file %MalwarePath%\[random].tmp is deleted.An interesting change the worm makes to the registry involves the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
DisplayName = %ServiceName%
Type = dword:00000020
Start = dword:00000002
ErrorControl = dword:00000000
ImagePath = “%SystemRoot%\system32\svchost.exe -k netsvcs”
ObjectName = “LocalSystem”
Description = %description%
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random]\Parameters
ServiceDll = %Path%