
W32.Downandup.B

Just scanned a flash drive and Norton detected W32.Downandup.B

It says it is only partially removed

Affected Areas:
Files & Directories
j:\recycler\s-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
Registry Entries
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS->Start:2
Network & Browser Items
Browser Cache

 

what steps do I take next?

NAV2008 on Vista Home Premium 32 bit

Replies

Kudos0

Re: W32.Downandup.B

 it show partially removed because I took out the flash drive before completing the fix?

Big concern is why it indicates registry issue if it was just a flash drive

Kudos1 Stats

Re: W32.Downandup.B

Ho-ho, this is something I have almost forgotten, except that I have recently read a blog post in the Symantec Security Response blog.

Norton is capable of protecting your computer.

Scan again the flash drive in order to clean it.

Then , to ensure yourself there is no problem on your own computer , download and run the Downadup removal tool from here http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/D.exe

More information here : http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99

At the end, it is crucial to upgrade your Norton version. If your subscription is active, you are entitled to free upgrade to the newest Norton 2010, which is way better than 2008 and has new innovative technologies, runs faster and lighter than any other version.

Download and save on your Desktop Norton Antivirus 2010 from www.norton.com/nav10

Uninstall Norton 2008 from Control Panel -> Programs and features

Reboot the computer .

Download and save on your Symantec Norton removal tool from www.symantec.com/nrt . Run this program with Administrator rights (just to ensure there are no leftovers).

At the end , install Norton AV 2010 . Make sure you run Live Update immediately.

As for your last question why is there a registry entry - it is not that important if it has been removed by Norton . That is why I'd prefer not to answer that question.

More about Downadup (also known as Conficker) : http://en.wikipedia.org/wiki/Conficker

More about Norton 2010 and its features: http://www.symantec.com/norton/antivirus , http://www.everyclickmatters.com , http://community.norton.com/t5/Norton-Protection-Blog/bg-p/npb1

Happy holidays!

Kudos0

Re: W32.Downandup.B

Do I need to use the removal tool if Norton has already partially removed it?

That is where I'm confused. It says no action needed and resolved, yet then it says "partially removed"

do I need to reboot to fully remove?

 are all these items noted below removed? Or is this information saying they are still an issue?

Action taken: Partially removed
Affected Areas:
Files & Directories
j:\recycler\s-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
Registry Entries
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS->Start:2
Network & Browser Items
Browser Cache

Kudos1 Stats

Re: W32.Downandup.B


Calls wrote:

Do I need to use the removal tool if Norton has already partially removed it?

No , but you can use to re-ensure YOURSELF your computer is clean from Downadup

That is where I'm confused. It says no action needed and resolved, yet then it says "partially removed"

Resolved but you must reboot to complete the removal process. If you haven't , it will say "partially removed".

do I need to reboot to fully remove?

 Strongly recommended to restart the computer.

are all these items noted below removed? Or is this information saying they are still an issue?

Most likely yes . Reboot and perform quick scan and you'll see . Upgrade to Norton 2010!
Kudos0

Re: W32.Downandup.B

Major Question- Why did my Norton not stop this from the start?

Kudos0

Re: W32.Downandup.B


Calls wrote:

Major Question- Why did my Norton not stop this from the start?


Probably for the same reason given to you last time. It would help if you could explain why you are so hesitant to upgrade to the 2010 version.

Kudos0

Re: W32.Downandup.B

I appreciate the suggestions to upgrade and at some point I will, but that is not the question I have now. My questions revolve around an infection, removal, and why it might have happened. To suggest the reason is because I should upgrade to 2010, while an excellent recommendation, is not an answer to the questions.

A few  questions remain-

1. This was a def that came out that NAV2008 or NAV 2009 should have protected against right?? I mean it is an issue that was detectable by the two previous NAV editions before 2010.

2. So does the information below showing the "infected file" suggest that it was not on my machine, but rather the jump drive? When I look at my system now with the flash drive not connected, I see no "J Drive", so that would mean the "J Drive" is the flash stick right?

And thus was not detected by Norton because it was not actually on my system? And then when I ran the scan of the "J drive" then it was noted?

j:\recycler\s-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx

So the above indicates infection on the flash drive and not my comp(c and D drive)?

Or does it move to the C and/or D drive once you pull out the flash drive?

Wondering if I had removed the flash stick without scanning, would my machine itself have been infected? Or was as asked before, the infection of just the flash drive?

(let me also add that since this detection I have run several malwarebytes scans, SpyBot scans and Norton scans, none of which detect anything other than tracking cookies. My connection logs show no unusual connections, and I am able to get def updates for Norton, malware bytes, and Windows)

Kudos0

Re: W32.Downandup.B

Calls wrote:

Big concern is why it indicates registry issue if it was just a flash drive


I agree, why not run a full scan with the free version of MBAM just to make sure your PC is clean?  Don't forget to update it first:  cnet

Kudos0

Re: W32.Downandup.B

booted but still showing only partially removed

Do I need to run the removal tool?

Kudos1 Stats

Re: W32.Downandup.B


Calls wrote:

 it show partially removed because I took out the flash drive before completing the fix?

Big concern is why it indicates registry issue if it was just a flash drive


Downandup (Conficker) is an Autorun worm that transfers to clean partitions, if it in fact has done so that is,

The other reason that Norton has shown detected registry entries is due to the Phantom object listings when certain infections are detected. http://community.norton.com/t5/Norton-Internet-Security-Norton/Trojan-Vundo-capable-to-unzip-itself-from-zip/m-p/130717#M65313 

I am sure the Registry entry start value is supposed to be a "4" not a "2"


HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start = "4"

Calls over the time you have been on this forum under the different user name(s) also I wonder why you are still with Norton 2008.

Quads

Kudos0

Re: W32.Downandup.B


Quads wrote:

Calls wrote:

 it show partially removed because I took out the flash drive before completing the fix?

Big concern is why it indicates registry issue if it was just a flash drive


Downandup (Conficker) is an Autorun worm that transfers to clean partitions, if it in fact has done so that is,

The other reason that Norton has shown detected registry entries is due to the Phantom object listings when certain infections are detected. http://community.norton.com/t5/Norton-Internet-Security-Norton/Trojan-Vundo-capable-to-unzip-itself-from-zip/m-p/130717#M65313 

I am sure the Registry entry start value is supposed to be a "4" not a "2"


HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start = "4"

Calls over the time you have been on this forum under the different user name(s) also I wonder why you are still with Norton 2008.

Quads


Thanks for your response Quads. I have in the past had screen name different than Calls, but Calls is what I now only use and have been doing so for at least 6 months

Waiting to get the funds to get NIS 2010

when you say

HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start = "4"

 

Do you mean that's what it should read if NOT infected? Or is that what it reads WHEN infected?

When I currently look at

HKLM\SYSTEM\CurrentControlSet\Services\BITS\

it shows

Name       type                         data

Start        REG_DWORD         0x00000002

 

Is this how it should read if clean?
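
A read-only way to look at the two items named in the alert, as an added example that is not part of any post in this thread: it decodes the `Start` value of a service key and lists `autorun.inf` plus files under `RECYCLER\S-*` folders on removable drives. The function names are made up for this example, and it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). Read-only: nothing is changed or deleted.

# Meaning of the Start DWORD under HKLM\SYSTEM\CurrentControlSet\Services\<name>.
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceStartValue {          # hypothetical helper name
    param([string]$ServiceName = 'BITS')
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $item = Get-ItemProperty -Path $key -Name Start -ErrorAction Stop
    [pscustomobject]@{
        Service   = $ServiceName
        Start     = $item.Start
        StartType = $StartTypes[[int]$item.Start]
    }
}

function Find-AutorunArtifact {           # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$DriveRoot)   # e.g. 'J:\'
    $found = @()

    # An autorun.inf in the drive root is what an Autorun worm relies on.
    $autorun = Join-Path $DriveRoot 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        $found += @(Get-Item -LiteralPath $autorun -Force)
    }

    # Files inside RECYCLER\S-<digits>-... folders, the location shown in the alert.
    # -Force is needed because these folders are normally hidden/system.
    # desktop.ini and INFO2 are ordinary Recycle Bin bookkeeping files and are skipped.
    $recycler = Join-Path $DriveRoot 'RECYCLER'
    if (Test-Path -LiteralPath $recycler) {
        $found += @(Get-ChildItem -LiteralPath $recycler -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Directory.Name -match '^S-\d+(-\d+)+$' -and
                           $_.Name -notmatch '^(desktop\.ini|INFO2)$' })
    }
    $found | Select-Object FullName, Length, LastWriteTime, Attributes
}

# Service start type as currently stored in the registry.
Get-ServiceStartValue -ServiceName 'BITS' | Format-List | Out-String

# Every removable drive currently attached (Win32_LogicalDisk DriveType 2).
Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    $hits = @(Find-AutorunArtifact -DriveRoot $root)
    if ($hits.Count -gt 0) {
        "Review these files on ${root}:"
        $hits | Format-Table -AutoSize | Out-String
    } else {
        "Nothing listed for $root"
    }
}
```

A `Start` of 2 decodes to Automatic and 4 to Disabled. Files the second function lists are candidates for a scan, not a verdict.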

Kudos0

Re: W32.Downandup.B

Just want to make sure I have the current, most recent removal tool for W32.Downandup.B

I have downloaded  W32.Downandup removal tool 1.1.0.7

I ask this because the tool doesn't specifically say W32.Downandup.B

Kudos0

Re: W32.Downandup.B


Calls wrote:

 ...

 Waiting to get the funds to get NIS 2010

 ...


The NAV product upgrade is free and can be obtained here. Why not get this upgrade in the interim? At least, you'll then have the 2010 version of the NAV software protecting your computer until you are ready to purchase NIS 2010.
Kudos0

Re: W32.Downandup.B

Elsewhere- Reason why I don't upgrade to NAV2010 is that NAV2008 has a firewall component. If I upgrade to NAV2010 I'd have to install a firewall from somewhere (which I do not want to do), or use Windows Vista firewall (which I think would just be asking for trouble)

I MAY HAVE NEGLECTED TO INDICATE THIS EARLIER- BUT NORTON DETECTED THE INFECTION ON  A FLASH DRIVE. THE FLASH DRIVE WAS IN THE COMPUTER SEVERAL HOURS. I DECIDED TO RUN A NORTON SCAN ON IT AND THE DETECTION OCCURRED. DONT KNOW IF THIS INFORMATION CLARIFIES THINGS

I appreciate all that you and the others have to offer. I'm still stuck on a few things regarding the detection of W32.Downandup.B

1. It ( W32.Downandup.B) is shown that it is in quarantine.

    It says

    status:  removed

   Recommended action: Resolved- No action 

 

But then under Risk state it indicates partially removed

 

I have rebooted many times since the detection. Could this "Partially removed risk state" be due to the fact the virus was on a flash drive and the flash drive was removed too quickly?

In other words, is it saying "partially removed" because the flash drive was not completely cleaned?

I found out some details. the flash drive was my wife's from school that she has not used in nearly a year, so it was infected at the school computer level

I just want to make sure that the "partially removed" does not mean that it is still on MY PC

Kudos0

Re: W32.Downandup.B

The firewall in Norton 2008 is not that "full of features" compared to the one included in Norton Internet Security 2010 and Norton 360 version 4.

Let's forget what it was and concentrate on what is now . Agree ?

Make sure Norton is up-to-date. I don't know how often NAV2008 is updated and that is why I advise you to visit this page:

http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

and download the right installer . For your system it is this file
http://definitions.symantec.com/defs/rapidrelease/symrapidreleasedefsv5i32.exe

Install it !

Then :

1) Place the flash drive into your computer

2) Open My Computer

3) Right click the flash drive and scan it with Norton . It will clean whatever there is (if anything malicious).

At the end , perform full scan with your Norton and remove any possible threat!

You are ready !

As for the crucial (IMO) upgrade. There is nothing wrong in Windows Firewall. I don't know why do you think it is firewall incapable. If you prefer Norton firewall, get Norton Internet Security or Norton 360.

If cost is a problem right now, download Norton 360 free OEM version which will work for you free for 90 days.

http://www.symantecstore.com/dr/sat2/ec_main.entry25?page=1582AIndexPage&client=Symantec&sid=37771&cid=273172&CUR=840&DSP=&PGRP=0&ABCODE=&CACHE_ID=273172

What is Norton 360:

http://www.symantec.com/norton/360

There are many many stores and online stores (legitimate ones) which offer Norton very cheap . Amazon is authorized reseller as far as I know and you can get N360 for 34.98 , right now . Note that this is a single licence for up to 3 computers.


Calls wrote:

Elsewhere- Reason why I don't upgrade to NAV2010 is that NAV2008 has a firewall component. If I upgrade to NAV2010 I'd have to install a firewall from somewhere (which I do not want to do), or use Windows Vista firewall (which I think would just be asking for trouble)

I MAY HAVE NEGLECTED TO INDICATE THIS EARLIER- BUT NORTON DETECTED THE INFECTION ON  A FLASH DRIVE. THE FLASH DRIVE WAS IN THE COMPUTER SEVERAL HOURS. I DECIDED TO RUN A NORTON SCAN ON IT AND THE DETECTION OCCURRED. DONT KNOW IF THIS INFORMATION CLARIFIES THINGS

I appreciate all that you and the others have to offer. I'm still stuck on a few things regarding the detection of W32.Downandup.B

1. It ( W32.Downandup.B) is shown that it is in quarantine.

    It says

    status:  removed

   Recommended action: Resolved- No action 

 

But then under Risk state it indicates partially removed

 

I have rebooted many times since the detection. Could this "Partially removed risk state" be due to the fact the virus was on a flash drive and the flash drive was removed too quickly?

In other words, is it saying "partially removed" because the flash drive was not completely cleaned?

I found out some details. the flash drive was my wife's from school that she has not used in nearly a year, so it was infected at the school computer level

I just want to make sure that the "partially removed" does not mean that it is still on MY PC


Kudos0

Re: W32.Downandup.B

3play- thanks for your response. I want to resolve this more than anyone. But before I can move on I NEED to understand the current state and this threat as it pertains to my PC

The flash drive that was the source of the infection, I no longer have. It belonged to someone else.  Two days after my detection, the flash drive owner scanned it with their antivirus(Trend Micro) and virus was on the flash drive,

 

So My main concern right now- Is MY COMPUTER clean.

 

What is  the whole "Risk state- Partially removed" message in the Alert Details about? That is what has me so concerned.

1. Is it indicating some form of threat or piece of the threat is still on my PC?

2. Is it saying that at the time of detection and removal, the threat was removed from my PC but not from the flash drive ?

(I told the flash drive owner and two days later (after my infection) the Owner of the flash drive scanned the flash drive and infection was still detected on the flash drive)

 

 

Thank you all who have been helping. PLEASE if ANYONE can help me understand what this

"Risk state- Partially removed" means I would be grateful to you forever.

Kudos0

Re: W32.Downandup.B

Hi Calls,

Since you asked me via PM to post to this thread, I am here and can only repeat what Quads and many others have suggested to you over the past months: you are still with Norton 2008, and it would be best if you upgraded to Norton 2010. If your computer meets the minimum system requirements for NAV 2010 as listed over here (under "System Requirements"), then there should be no obstacle, especially since you can upgrade for free. If you are hesitant about performing the upgrade on your own, then Symantec Customer Support can remove NAV 2008 and install NAV 2010 for you; or since you are thinking of obtaining NIS 2010, you should be able to get it at a discount since you are already a Symantec Customer.

Your Norton Ladybug.
Kudos1 Stats

Re: W32.Downandup.B

Hi Calls,


I think that, some process from the threat or related to the threat started running in the background and because of that NAV 2008 showed that "partially removed". But, NAV 2008 is able to remove the critical viral part in the threat so that it can't spread to your computer and that is why it showed the result as "Resolved". You could have tried to run a scan in the pendrive by booting into Safe Mode. If you have the infected file in your Quarantine, try to Submit it to Symantec for further analysis.


Just would like to know whether the Trend Micro is able to detect and remove the threat completely and what was the threat name indicated by the Trend Micro.


As you have asked for my suggestion through PM, my opinion is that your computer is safe and the threat didn't get the chance to spread, so you are safe to go. As a side note, I would like to add this - if you had Norton 2009/2010 with SONAR protection, then there is a chance for showing it as "Removed" instead of "Partially Removed"; the behavioural blocking may be able to terminate the unauthorized process to run in your computer.


Yogesh

Kudos1 Stats

Re: W32.Downandup.B


Calls wrote: 

Thank you all who have been helping. PLEASE if ANYONE can help me understand what this

"Risk state- Partially removed" means I would be grateful to you forever.


I don't understand people like you who keep on digging and digging into the same things . Your question was actually answered . Furthermore , if you now perform scan with any antivirus including Norton , it will give you a clean bill regarding Downadup (Conficker) . It is not important what it was , important is NOW and TOMORROW.

Sending PMs to certain users is not necessary , IMHO , so that they repeat what has already been posted.

Kudos0

Re: W32.Downandup.B

Hello

It looks like just about everyone who posts here was asked by pm, well, let's say a number of people have been asked.

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.18.0.213 Core Firmware 282 I E 11 Chrome latest version.
Kudos2 Stats

Re: W32.Downandup.B


Calls wrote:

 it show partially removed because I took out the flash drive before completing the fix?


... and bingo was his nameo!

Just let nortons finish the job it started. update to norton 2010. i think you're causing more harm to yourself than what nortons can protect you from. do you still have the receipt from your computer?

i joke (i think).

----"you better watch out for the whiplash!! thank you for taking the time to read my signature lol! ;]" -- Kaiser Wilhelm
Kudos0

Re: W32.Downandup.B


yogesh_mohan wrote:

Hi Calls,


I think that, some process from the threat or related to the threat started running in the background and because of that NAV 2008 showed that "partially removed". But, NAV 2008 is able to remove the critical viral part in the threat so that it can't spread to your computer and that is why it showed the result as "Resolved". You could have tried to run a scan in the pendrive by booting into Safe Mode. If you have the infected file in your Quarantine, try to Submit it to Symantec for further analysis.


Thank you Yogesh

To everyone who offered help, thanks.

I was merely trying to understand what the wording "risk state- partially removed" meant and if it meant that it could cause reinfection. I apologize that I am not that computer savvy and require real basic explanations over and over in an effort to understand. As far as rehashing things, I'm just a simple person trying to understand very complicated problems

A tech friend of mine who also uses Norton (NAV2008 I should add) said that what probably happened is that when I scanned the flash drive, Norton detected the infection on my computer and removed it (thus the Status-Removed and Recommended Action- Resolved, No Action indications). My friend said that I probably removed the flash drive before Norton could clean the flash drive as well. But that it did clean my computer and that I should have no infection.

I believe that was the same thing that Yogesh and 3Play were also saying.

Yogesh and 3 play, please let me know if I now have the proper understanding as outlined above

I would also like to note that I have run several Norton, Malwarebytes, and SpyBot scans in regular and safe modes since the infection.

ALL COME UP CLEAN. In addition I am receiving my automatic updates from Windows and Norton without problem.

SO I think it is pretty clear that this infection is gone.

Again, I appreciate everyone's help.

As far as PMing, I did so to those that have been great help to me in the past. I promise you all I shall no longer PM without permission first.

and the item was sent automatically to Norton for examination

All Gurus and staff again I apologize. I will be upgrading soon and will require some help at that time. Please allow me to continue here on the forums. Again Much thanks

Kudos0

Re: W32.Downandup.B

thanks all

Kudos0

Re: W32.Downandup.B

For anyone else looking for information, this Thread holds all the information you need: http://community.norton.com/t5/Norton-Internet-Security-Norton/W32-Downadup-Information/td-p/58725.  Hope this is useful, and happy reading!
