F-SECURE MALWARE REMOVAL TOOL (F-Downadup)
Copyright (C) 2005-2009 F-Secure Corporation. All rights reserved.
------------------------------------------------------------------

DISCLAIMER
----------

This tool is currently in beta stage and has gone through very minimal testing. F-Secure Corporation is not responsible for any possible damages resulting from the usage of this tool. Please read the End User Licence Terms in the accompanying eult_eng.pdf file before running the tool.

USAGE
-----

f-downadup.exe
  * This will run the tool in the default (non-interactive) mode.

f-downadup.exe --disinfect
  * This will enable disinfection mode. Please read the warning below.

WARNING!
The tool detects certain malicious files heuristically, so the disinfection mode is not enabled by default as a precaution. To enable disinfection mode, use the "--disinfect" option on the command line. Please be advised that disinfecting a file that is detected heuristically is risky, so it is recommended to first scan the computer without this option to find possibly infected files. If the suspected files do not look legitimate, disinfection mode can then be enabled.

Detection logs can be found in the %windir%\temp\ folder (where %windir% is the Windows folder).

NOTES
-----

Recent variants of the Downadup worm attempt to block the execution of F-Secure malware removal tools. So if the downloaded tool does not work, please rename its file and try running it again. For example, you can rename 'f-downadup.exe' to 'file.exe' to fool the malware.

The tool requires local administrator rights in order to run properly. It is recommended to run the tool from a logon script or via F-Secure Policy Manager (for the JAR-packaged version of the tool).

The tool must be copied to a local hard disk and started from there; otherwise it won't be able to restart itself after reboot and, as a result, disinfection may fail.

As the tool may automatically reboot the system, all unsaved work might be lost. So please make sure that all applications are closed before running this tool.

If an active infection is found, the tool will automatically remove it after the system restarts. In this case, the tool may keep running for some time when Windows starts after the reboot. Please do not start another copy of the tool while the previous one is still running. A running (active) copy of the tool can be identified by the F-DOWNADUP.EXE process visible in the list of processes in Windows Task Manager.

Please do not restart the computer or attempt to terminate the tool's process while it is scanning the system.

SCANNING AND DISINFECTION
-------------------------

The tool is a complex program that scans for and removes the Downadup worm infection. The features of the tool include:

  - scanning of the worm's files and Registry keys with modified ACLs
  - scanning of root folders of removable (USB) and network drives
  - parsing of Autorun.inf files and scanning the files they refer to
  - parsing of scheduled task files and scanning the files they refer to
  - scanning of special locations where the worm drops its files
  - scanning of the Windows and Windows System folders (miniscan)
  - disabling the ADMIN$ share while scanning (prevents re-infection)

If a file that a scheduled task file (.job) or an Autorun.inf file refers to is malicious, the tool deletes both files.

EXIT CODES
----------

The tool returns the following exit codes:

  * 0  - No infection found
  * 1  - Infection was found and removed; reboot is required
  * 2  - Infection was found but not removed
  * 10 - Reboot is required, but not yet performed

TROUBLESHOOTING
---------------

If the tool shows the "Removal tool failed startup logic 10" message, it means that it could not remove the malware during system restart or that the scanning operation was interrupted. To be able to use the tool again, please delete the following Registry keys:

  HKLM\Software\F-SecureRemovalToolsState
  HKLM\Software\F-SecureRemovalToolsStatePendingDelete

CONTACT INFORMATION
-------------------

If you have problems with disinfection, please contact our Support Team by sending a message to this e-mail address: anti-virus-support@f-secure.com

Our Support's web pages can be found here: http://support.f-secure.com/enu/home/
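The following logon-script wrapper is an added example that ties together the USAGE, NOTES, EXIT CODES and TROUBLESHOOTING sections above; it is not part of F-Secure's tool or this README. The share path, the local folder name, the use of PowerShell and the wrapper's own exit code (99) are assumptions; the tool options, exit codes, log folder and Registry keys are taken from the text.

```powershell
# Added example wrapper for f-downadup.exe (not F-Secure code). Assumed:
# $SourcePath (a share holding the downloaded tool) and the local folder name.
param(
    [string]$SourcePath = '\\fileserver\tools\f-downadup.exe',  # assumed location
    [switch]$Disinfect,   # second pass only, after reviewing the scan-only run
    [switch]$ResetState,  # use after a "Removal tool failed startup logic 10" message
    [string]$LocalName  = 'file.exe'  # renamed copy, as recommended under NOTES
)

# TROUBLESHOOTING: the two state keys the README says to delete before a rerun.
function Reset-ToolState {
    'HKLM:\Software\F-SecureRemovalToolsState',
    'HKLM:\Software\F-SecureRemovalToolsStatePendingDelete' |
        Where-Object { Test-Path $_ } |
        ForEach-Object { Remove-Item -Path $_ -Recurse -Force }
}
if ($ResetState) { Reset-ToolState }

# The tool must run from a local disk so it can restart itself after reboot.
$localDir = Join-Path $env:SystemDrive 'FSecureTool'   # assumed folder name
New-Item -ItemType Directory -Path $localDir -Force | Out-Null
$localExe = Join-Path $localDir $LocalName
Copy-Item -Path $SourcePath -Destination $localExe -Force

# Never start a second copy while one is still running (process name follows
# the file name, e.g. F-DOWNADUP or, after renaming, FILE).
$procName = [IO.Path]::GetFileNameWithoutExtension($LocalName)
if (Get-Process -Name $procName -ErrorAction SilentlyContinue) {
    Write-Host 'Removal tool already running; not starting another copy.'; exit 99
}

$started   = Get-Date
$startArgs = @{ FilePath = $localExe; Wait = $true; PassThru = $true }
if ($Disinfect) { $startArgs['ArgumentList'] = '--disinfect' }
$proc = Start-Process @startArgs

# Map the documented exit codes to an action for the logon-script log.
switch ($proc.ExitCode) {
    0       { $msg = 'No infection found.' }
    1       { $msg = 'Infection found and removed; reboot required.' }
    2       { $msg = 'Infection found but NOT removed; review the log, then rerun with -Disinfect.' }
    10      { $msg = 'Reboot required but not yet performed; do not start another copy.' }
    default { $msg = "Unexpected exit code $($proc.ExitCode)." }
}
Write-Host "f-downadup exit $($proc.ExitCode): $msg"

# Detection logs land in %windir%\temp; report files written since the run started.
Get-ChildItem -Path (Join-Path $env:windir 'temp') -File |
    Where-Object { $_.LastWriteTime -ge $started } |
    ForEach-Object { Write-Host "Log candidate: $($_.FullName)" }
exit $proc.ExitCode
```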