Network Infected with W32.DownAdUp.B - How to Remove

allanc

A new client contacted me yesterday with a network of about 50 PCs and 8 servers protected with Symantec EndPoint.
Apparently, the PCs and servers are infected with W32.DownAdUp.B (according to Symantec EndPoint).

The Network Administrator had used a Symantec removal tool on the PCs and servers (Windows 2003/2008 all 32-bit).
Symantec EndPoint did not detect any issues for about 6 hours after using the tool and then it started detecting the W32.DownAdUp.B virus on many PCs and the servers.
Now, I am being called in to remove this virus.

What I have done so far on one PC in regular mode is:
Process Explorer and AutoRuns which both seem to be OK.
Disabled Symantec EndPoint
RKill - nothing.
TDSSKILLER & TDSS_TDL4 - nothing
GMer - message is displayed 'GMer stopped working'. Runs to completion in SAFE mode with no issues.
HitManPro - nothing
MalwareBytes & SuperAntiSpyware - nothing

The only program that seemed to find anything is ComboFix (regular mode).
In the category of 'other deletions' the following files were found:
C:\windows\system32\spool\prtprocs\w32x86\x5pp.dll
C:\windows\system32\spool\prtprocs\w32x86\xpd5pp.dll
c:\windows\winhelp.ini

This company is a health care facility and is willing to shut down the complete network during the day only if I can guarantee that the virus will be removed and not reappear (assuming that they do not introduce it again).
Otherwise, the network is only available after 5 PM.
They are located about 1.5 hours away so I would like to really get a handle on the resolution before traveling to their location again.

Thank you in advance for suggestions.
 
I have seen this on a network before; it affects USB pens and removable media as well as network locations.
What we did was scan every computer, every server and every USB device in the location with Endpoint, and it cleared it up.

Scan all removable media from one computer, and then you can isolate that computer from the network.
 
I wasted 4.5 hours there yesterday (a paid waste that is).
The Admin. said that all service packs and patches were up to date.
The computer that he thinks infected the network is running XP 32-bit SP2!
 
A couple of questions:
1. How effective (if at all) is Symantec EndPoint if the notebook is removed from the network and connected to a home network?
2. I assume that the computers were still connected to the network while you scanned their hard drives and the removable media?
 
1. It works the same, apart from not being managed; it still scans, gets updates, etc.

2. Yep, most computers were connected to the network; we scanned all removable media on one machine which was not connected to the network, and scanned all servers as well. It affected our storage drives.
 
I think that's conficker. You could probably find some removal tools specifically for conficker but you need to make sure the machines don't reinfect each other or get reinfected by USB sticks. Good Luck.
 
How about using the BitDefender Removal Tool or maybe both (BD and EndPoint)?
 
There are different versions of conficker; see if any of the removal tools have command line switches - that way you could automate running them consecutively.

Rumour has it that the Windows Malicious Software Removal Tool can take this. Also, when battling this foe, apply this security patch and disable autorun to help prevent reinfection.
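The two hardening steps in the reply above (patch, then disable autorun) are the ones that stop the machines reinfecting each other through removable media. The following PowerShell script is an added example for this thread, not something posted by any of the participants. It assumes the "security patch" referred to is MS08-067 (hotfix KB958644, the vulnerability Conficker exploits), and it disables AutoRun for every drive type through the NoDriveTypeAutoRun policy value (0xFF). Run it from an elevated prompt on each cleaned machine before plugging it back into the network.

```powershell
# Added example for a Conficker/Downadup cleanup. Assumptions (not from the thread):
#   - the patch to verify is MS08-067, hotfix ID KB958644
#   - autorun is disabled via the Explorer policy value NoDriveTypeAutoRun = 0xFF
# Requires an elevated (Administrator) PowerShell prompt.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$patchKB   = 'KB958644'   # assumption: MS08-067

function Disable-AutoRun {
    # 0xFF sets a bit for every drive type (removable, fixed, network, CD-ROM, RAM disk),
    # so AutoRun is suppressed regardless of what the media's autorun.inf asks for.
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF
}

function Test-AutoRunDisabled {
    # Returns $true only if the policy value is present and covers all drive types.
    $prop = Get-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.NoDriveTypeAutoRun -eq 0xFF)
}

function Test-PatchInstalled {
    # Get-HotFix reads Win32_QuickFixEngineering; the KB number is the HotFixID.
    $hf = Get-HotFix -Id $patchKB -ErrorAction SilentlyContinue
    return ($null -ne $hf)
}

function Find-AutorunInf {
    # Conficker drops an autorun.inf on removable media and on mapped shares.
    # DriveType 2 = removable, 4 = network. Lists any autorun.inf found on those drives.
    Get-WmiObject Win32_LogicalDisk |
        Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 4 } |
        ForEach-Object {
            $inf = Join-Path $_.DeviceID 'autorun.inf'
            if (Test-Path $inf) { Get-Item $inf -Force }
        }
}

# --- run the checks ---
Disable-AutoRun
"AutoRun disabled for all drive types : $(Test-AutoRunDisabled)"
"$patchKB installed                  : $(Test-PatchInstalled)"
$found = @(Find-AutorunInf)
if ($found.Count -gt 0) {
    "autorun.inf present on removable/network drives (review before deleting):"
    $found | ForEach-Object { "  $($_.FullName)  $($_.Length) bytes  $($_.LastWriteTime)" }
} else {
    "No autorun.inf found on removable or network drives."
}
```

If `Test-PatchInstalled` returns `False` on a 2003/XP box, fix that before anything else: a clean machine that is missing the patch will be re-exploited over the network by the next infected host that finds it, no matter how many removal tools were run. The autorun.inf listing is deliberately read-only; Conficker pads that file with junk bytes to hide the `open=` line, so inspect it (and the executable it points at) rather than trusting the size.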
 
Ah, this is a fun one to clean up after. There was one site last year where a bunch of computers got hit. Not fun, but a lot of work :)
 