I would like to know how to completely remove the w32.downadup.b worm from my entire network. I have been struggling with this thing since the beginning of the year and I can't seem to beat it. It still seems to be lingering around and causing problems. All I have been able to do so far is workarounds.
I have found and successfully removed the virus from four computers on my network. The way I discovered that these computers were infected was by looking at the Security Event log and determining the machines that were failing the security audits. The thing that got me to look here was the fact that the users were being locked out of their systems b/c of false login attempts and I didn't know why. I then assumed that the computer that was attempting all the login attempts was infected with the worm. I used the Symantec removal tool to remove the worm. I would then confirm that Symantec was working and had the latest virus definitions, and everything would be fine. I wouldn't have any more users getting locked out. Like I said, this happened on four separate occasions; I took the same steps each time and it has worked. However, this hasn't been the end of it.
I have computers where the Computer Browser service is stopping, so they can't access file shares on the server. I have computers where the Windows Audio service is stopping and the sound won't work anymore. I have computers that are receiving the 'Generic Host Process for Win32 Services' error, and the entire computer stops responding and they must perform a hard boot. I have computers that get a memory instruction error, but nothing ever happens after that. The problems are so vast and so different and so computer-specific that it is impossible to explain and even less likely to find trends or commonalities. Some of these users are system administrators and some are not. Some are local users and some are domain users. Each has access to different file shares. It is extremely frustrating and I really need some help.
Even though I currently don't have any computers that I'm aware of that are infected with this worm, I'm still getting system-wide Auto-Protect messages from Symantec. Not all computers get this message, but many do, and sometimes they number up to as many as 10 messages a day. Attached is a screenshot of an example of the Auto-Protect message from Symantec. As you can see, it removes part of the threat but leaves a .jpg file. Not sure why it does this, but my guess is b/c it doesn't have rights to the folder where this file is usually located. In my experience this file is usually located in the following location: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\....... I have deleted this file manually on some machines, but it doesn't seem to help.
I'm aware of the Microsoft patch, but all my computers should be patched with XP SP3. Plus, doesn't this security hole address how the virus is spread over the network and not getting rid of it? Symantec is doing its job by auto-protecting against this worm, right? But where is the source, and how do I find it and get rid of it?
Please help me... I can't take it any longer!
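The hunt the poster describes (reading the Security Event log for failed logons and tracing the lockouts back to the machine that generated them) can be automated so it does not depend on waiting for a user to complain. The script below is an added example, not code from the original post or from Symantec. It assumes the Security log has been exported to CSV with the columns shown in the constructed sample (the real Event Viewer export layout differs, so the parser would need adjusting), and it uses the Windows XP / Server 2003 Security event IDs 529 (logon failure: unknown user name or bad password), 539 (logon failure: account locked out) and 644 (user account locked out). A password-guessing worm shows up as one source workstation producing many failures spread across several different accounts, which is a different shape from a single user mistyping a password.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data for this example: a CSV export of the Security log
# with columns chosen here (not the real Event Viewer export layout).
SAMPLE_EXPORT = """\
time,event_id,target_user,source_workstation
2009-03-02 08:01:10,529,jsmith,WS-ACCT-07
2009-03-02 08:01:11,529,jsmith,WS-ACCT-07
2009-03-02 08:01:11,529,jsmith,WS-ACCT-07
2009-03-02 08:01:12,529,mjones,WS-ACCT-07
2009-03-02 08:01:12,529,mjones,WS-ACCT-07
2009-03-02 08:01:13,529,mjones,WS-ACCT-07
2009-03-02 08:01:14,529,admin,WS-ACCT-07
2009-03-02 08:01:14,529,admin,WS-ACCT-07
2009-03-02 08:01:15,644,admin,WS-ACCT-07
2009-03-02 08:01:16,529,backup,WS-ACCT-07
2009-03-02 08:01:16,529,backup,WS-ACCT-07
2009-03-02 08:01:17,529,svc_sql,WS-ACCT-07
2009-03-02 08:01:18,529,svc_sql,WS-ACCT-07
2009-03-02 08:14:02,529,kwong,WS-HR-02
2009-03-02 08:14:09,529,kwong,WS-HR-02
2009-03-02 08:14:20,528,kwong,WS-HR-02
"""

# Windows XP / Server 2003 Security log event IDs (pre-Vista numbering).
FAILED_LOGON_IDS = {529, 539}  # bad user/password; logon refused because account is locked
LOCKOUT_IDS = {644}            # user account locked out (account management audit)


def parse_export(text):
    """Parse the CSV export into a list of dicts with an integer event_id."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": row["time"],
            "event_id": int(row["event_id"]),
            "target_user": row["target_user"],
            "source_workstation": row["source_workstation"],
        })
    return rows


def failures_by_source(rows):
    """Map source workstation -> (failed logon count, set of distinct target users)."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for r in rows:
        if r["event_id"] in FAILED_LOGON_IDS:
            src = r["source_workstation"]
            counts[src] += 1
            users[src].add(r["target_user"])
    return {src: (counts[src], users[src]) for src in counts}


def lockouts_by_source(rows):
    """Map caller workstation -> number of account lockouts it triggered."""
    counts = defaultdict(int)
    for r in rows:
        if r["event_id"] in LOCKOUT_IDS:
            counts[r["source_workstation"]] += 1
    return dict(counts)


def suspect_sources(rows, min_failures=5, min_users=2):
    """Workstations whose failed-logon pattern looks like automated guessing:
    many failures spread over several accounts from one host. Returns a list of
    (workstation, failures, distinct_users) sorted by failure count, highest first."""
    out = []
    for src, (n, users) in failures_by_source(rows).items():
        if n >= min_failures and len(users) >= min_users:
            out.append((src, n, len(users)))
    return sorted(out, key=lambda t: -t[1])


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for src, n, u in suspect_sources(rows):
        print(f"{src}: {n} failed logons against {u} different accounts")
    for src, n in lockouts_by_source(rows).items():
        print(f"{src}: triggered {n} account lockout(s)")
```

On the sample, WS-HR-02 drops out (two failures for one user, then a successful logon), while WS-ACCT-07 is flagged for hammering five accounts and causing the admin lockout. Run against the domain controllers' Security logs, since that is where the failed domain logons and the 644 lockout events are recorded, and treat a flagged workstation as a candidate for isolation and a scan with the removal tool rather than as proof on its own.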