F-SECURE MALWARE REMOVAL TOOL (F-Downadup)
Copyright (C) 2005-2009 F-Secure Corporation. All rights reserved.
------------------------------------------------------------------

DISCLAIMER
----------

This tool is currently in beta stage and has gone through very
minimal testing. F-Secure Corporation is not responsible for any
possible damages resulting from the usage of this tool.

Please read the End User Licence Terms in the accompanying
eult_eng.pdf file before running the tool.

USAGE
-----

    f-downadup.exe

* This will run the tool in the default (non-interactive) mode.

    f-downadup.exe --disinfect

* This will enable disinfection mode. Please read the warning below.

WARNING!

The tool detects certain malicious files heuristically, so the
disinfection mode is not enabled by default as a precaution.
To enable disinfection mode, please use the "--disinfect" option
on the command line. Please be advised that disinfecting a file
that is detected heuristically is risky, so it is recommended
to first scan a computer without this option to find possibly
infected files. If the suspected files do not look legitimate,
then disinfection mode can be enabled. Detection logs can be
found in the \%windir%\temp\ folder (where %windir% is the
Windows folder).

NOTES
-----

Recent variants of the Downadup worm attempt to block the execution
of F-Secure malware removal tools. If the downloaded tool does
not work, please rename its file and try running it again. For
example, you can rename 'f-downadup.exe' to 'file.exe' to fool
the malware.

The tool requires local administrator rights in order to run
properly. It is recommended to run the tool from a logon script
or via F-Secure Policy Manager (for the JAR-packaged version of
the tool).

The tool must be copied to a local hard disk and started from
there; otherwise it won't be able to restart itself after reboot
and, as a result, disinfection may fail.

As the tool may automatically reboot a system, all unsaved work
might be lost. Please make sure that all applications are
closed before running this tool. If an active infection is found,
the tool will automatically remove it after system restart. In
this case, the tool may be running for some time when Windows
starts after reboot.

Please do not start another copy of the tool while the previous
one is still running. A running (active) copy of the tool can be
identified by the F-DOWNADUP.EXE process visible in the list of
processes in Windows Task Manager.

Please do not restart a computer or attempt to terminate the
tool's process while it is scanning a system.

SCANNING AND DISINFECTION
-------------------------

The tool is a complex program that scans for and removes Downadup
worm infections. The features of the tool include:

- scanning of the worm's files and Registry keys with modified ACLs
- scanning of root folders of removable (USB) and network drives
- parsing of Autorun.inf files and scanning files they refer to
- parsing of scheduled task files, scanning files they refer to
- scanning of special locations where the worm drops its files
- scanning of Windows and Windows System folders (miniscan)
- disabling ADMIN$ share when scanning (prevents re-infection)

If a file referenced by a scheduled task file (.job) or an
Autorun.inf file is malicious, the tool deletes both files.

EXIT CODES
----------

The tool returns the following exit codes:

* 0 - No infection found
* 1 - Infection was found and removed, reboot is required
* 2 - Infection was found but not removed
* 10 - Reboot is required, but not yet performed
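
An added example, not part of F-Secure's readme or tooling: a
PowerShell wrapper for the logon-script deployment recommended in
NOTES. It copies the tool to a local disk under a renamed file,
runs it in detection-only mode unless -Disinfect is given, and
records the documented exit code. The share path, local folder,
wrapper log name and wrapper exit codes 100/101 are assumptions.

```powershell
param(
    [string]$Source    = '\\fileserver\tools\f-downadup.exe', # hypothetical share
    [string]$LocalDir  = "$env:SystemDrive\FSTools",          # hypothetical local folder
    [string]$LocalName = 'file.exe',   # renamed copy, as NOTES suggests
    [switch]$Disinfect                 # off by default, like the tool itself
)

# Meanings taken from the EXIT CODES section of the readme.
$ExitMeaning = @{
    0  = 'No infection found'
    1  = 'Infection was found and removed, reboot is required'
    2  = 'Infection was found but not removed'
    10 = 'Reboot is required, but not yet performed'
}

# The tool requires local administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Local administrator rights are required.'; exit 100  # wrapper's own code
}

# Never start a second copy while one is still running.
$names = 'f-downadup', [IO.Path]::GetFileNameWithoutExtension($LocalName)
if (Get-Process -Name $names -ErrorAction SilentlyContinue) {
    Write-Warning 'A copy of the tool is already running.'; exit 101  # wrapper's own code
}

# Start from a local hard disk so the tool can restart itself after reboot.
New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null
$exe = Join-Path $LocalDir $LocalName
Copy-Item -Path $Source -Destination $exe -Force

# Pass --disinfect only on request; the tool may reboot the machine by itself,
# in which case the lines after Start-Process are not reached.
$sp = @{ FilePath = $exe; Wait = $true; PassThru = $true }
if ($Disinfect) { $sp.ArgumentList = '--disinfect' }
$code = (Start-Process @sp).ExitCode

$meaning = $ExitMeaning[$code]
if (-not $meaning) { $meaning = 'Undocumented exit code' }
$line = '{0:s} {1} exit={2} ({3})' -f (Get-Date), $env:COMPUTERNAME, $code, $meaning
Add-Content -Path (Join-Path $LocalDir 'f-downadup-wrapper.log') -Value $line
if ($code -eq 2) { Write-Warning "Review the detection logs in $env:windir\temp first." }
exit $code
```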

TROUBLESHOOTING
---------------

If the tool shows the "Removal tool failed startup logic 10"
message, it means that it could not remove the malware during
system restart or that the scanning operation was interrupted.
To be able to use the tool again, please delete the following
Registry keys:

    HKLM\Software\F-SecureRemovalToolsState
    HKLM\Software\F-SecureRemovalToolsStatePendingDelete

CONTACT INFORMATION
-------------------

If you have problems with disinfection, please contact our
Support Team by sending a message to this e-mail address:

    anti-virus-support@f-secure.com

Our Support's webpages can be found here:

    http://support.f-secure.com/enu/home/