W32.Downandup.B

Wife just put in a flash drive that she uses at school. The drive was scanned and an item was quarantined

jwgkvsq.vmx

It indicated that this is W32.Downandup.B

 

It shows 3 actions taken

File removed

and 2 registry items repaired

 

Is there anything more we need to do?

Ho-ho, this is something I had almost forgotten, except that I recently read a blog post on the Symantec Security Response blog.

Norton is capable of protecting your computer.

Scan the flash drive again in order to clean it.

Then, to satisfy yourself that there is no problem on your own computer, download and run the Downadup removal tool from here: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/D.exe

 

More information here : http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99

 

At the end, it is crucial to upgrade your Norton version. If your subscription is active, you are entitled to a free upgrade to the newest Norton 2010, which is way better than 2008, has new innovative technologies, and runs faster and lighter than any other version.

 

Download and save Norton AntiVirus 2010 on your Desktop from www.norton.com/nav10

Uninstall Norton 2008 from Control Panel -> Programs and Features

Reboot the computer.

Download and save the Norton Removal Tool from www.symantec.com/nrt. Run this program with Administrator rights (just to ensure there are no leftovers).

At the end, install Norton AV 2010. Make sure you run LiveUpdate immediately.

 

As for your last question, why there is a registry entry: it is not that important if it has been removed by Norton. That is why I'd prefer not to answer that question.

 

More about Downadup (also known as Conficker) : http://en.wikipedia.org/wiki/Conficker

More about Norton 2010 and its features: http://www.symantec.com/norton/antivirus , http://www.everyclickmatters.com , http://community.norton.com/t5/Norton-Protection-Blog/bg-p/npb1

 

Happy holidays!

Do I need to use the removal tool if Norton has already partially removed it?

That is where I'm confused. It says no action needed and resolved, yet then it says "partially removed"

 

do I need to reboot to fully remove?

 

 are all these items noted below removed? Or is this information saying they are still an issue?

 

Action taken: Partially removed
Affected Areas:
Files & Directories
j:\recycler\s-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
Registry Entries
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS->Start:2
Network & Browser Items
Browser Cache

 

Just scanned a flash drive and Norton detected W32.Downandup.B

It says it is only partially removed

 

Affected Areas:
Files & Directories
j:\recycler\s-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
Registry Entries
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS->Start:2
Network & Browser Items
Browser Cache

 

what steps do I take next?

NAV2008 on Vista Home Premium 32 bit


Calls wrote:

Do I need to use the removal tool if Norton has already partially removed it?

 

No, but you can use it to reassure yourself that your computer is clean of Downadup.

 

 

That is where I'm confused. It says no action needed and resolved, yet then it says "partially removed"

 

Resolved, but you must reboot to complete the removal process. If you haven't, it will say "partially removed".

 

do I need to reboot to fully remove?

 

Strongly recommended to restart the computer.

 

are all these items noted below removed? Or is this information saying they are still an issue?

 

Most likely yes. Reboot and perform a quick scan and you'll see. Upgrade to Norton 2010!

 

Major Question- Why did my Norton not stop this from the start?


Calls wrote:

Major Question- Why did my Norton not stop this from the start?


 

Probably for the same reason given to you last time. It would help if you could explain why you are so hesitant to upgrade to the 2010 version.

I appreciate the suggestions to upgrade and at some point I will, but that is not the question I have now. My questions revolve around an infection, removal, and why it might have happened. To suggest the reason is because I should upgrade to 2010, while an excellent recommendation, is not an answer to the questions.

A few  questions remain-

 

1. This was a def that came out that NAV2008 or NAV2009 should have protected against, right? I mean it is an issue that was detectable by the two NAV editions before 2010.

2. So does the information below showing the "infected file" suggest that it was not on my machine, but rather the jump drive? When I look at my system now with the flash drive not connected, I see no "J Drive", so that would mean the "J Drive" is the flash stick, right?

And thus was not detected by Norton because it was not actually on my system? And then when I ran the scan of the "J drive" then it was noted?

j:\recycler\s-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx

So the above indicates infection on the flash drive and not my comp(c and D drive)?

Or does it move to the C and/or D drive once you pull out the flash drive?

 

Wondering if I had removed the flash stick without scanning, would my machine itself have been infected? Or was as asked before, the infection of just the flash drive?

(let me also add that since this detection I have run several malwarebytes scans, SpyBot scans and Norton scans, none of which detect anything other than tracking cookies. My connection logs show no unusual connections, and I am able to get def updates for Norton, malware bytes, and Windows)

Calls wrote:

Big concern is why it indicates registry issue if it was just a flash drive


 

 

I agree, why not run a full scan with the free version of MBAM just to make sure your PC is clean? Don't forget to update it first: cnet

booted but still showing only partially removed

Do I need to run the removal tool?

 


Calls wrote:

It shows partially removed because I took out the flash drive before completing the fix?

Big concern is why it indicates registry issue if it was just a flash drive


 

 

Downandup (Conficker) is an Autorun worm that transfers to clean partitions, if it in fact has done so, that is.

 

The other reason that Norton has shown detected registry entries is due to the Phantom object listings when certain infections are detected. http://community.norton.com/t5/Norton-Internet-Security-Norton/Trojan-Vundo-capable-to-unzip-itself-from-zip/m-p/130717#M65313 

 

I am sure the Registry entry Start value is supposed to be a "4", not a "2".

 


HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start = "4"

 

Calls, over the time you have been on this forum under the different user name(s), I also wonder why you are still with Norton 2008.

 

 

 

Quads
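Two of the questions in this thread (whether Start = 2 is the clean value, and whether a hit under j:\recycler\S-5-3-42-...\jwgkvsq.vmx means the flash drive rather than C: was infected) can be checked rather than argued about. The script below is an added example written for this page; it is not code from the thread, from Symantec or from Norton. It assumes a default Vista install where BITS and wuauserv (Windows Update) are set to Automatic (2); Downadup.B is documented to set both to Disabled (4), which is why Norton's "BITS->Start:2" line is the value after repair. The folder name the worm uses imitates a SID but begins S-5-3-42-, which no real Windows SID does (real ones begin S-1-5-21-), so that prefix is used as the indicator. The autorun.inf heuristic and the sample drive layout built by demo() are constructed for illustration.

```python
"""Added example: check service Start values and scan a removable drive for
W32.Downadup.B's drop layout.  Not from the thread, Symantec or Norton."""
import re
import tempfile
from pathlib import Path

DROPPER_NAME = "jwgkvsq.vmx"
# Fake-SID folder the worm creates under RECYCLER; no genuine SID starts S-5-3-42-.
FAKE_SID_DIR = re.compile(r"^S-5-3-42-\d+-\d+-\d+-\d+$", re.IGNORECASE)

# Meaning of the REG_DWORD Start value under HKLM\SYSTEM\CurrentControlSet\Services\<svc>.
START_VALUES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# Default Start values on an unmodified Vista install (assumption: you did not disable them).
EXPECTED_START = {"BITS": 2, "wuauserv": 2}


def interpret_service_start(value):
    """Translate a Start value into the name the Services console shows."""
    return START_VALUES.get(value, "unknown ({})".format(value))


def check_service_starts(observed):
    """observed maps service name -> Start value read from the registry.
    Returns [(service, observed, expected), ...] for every service whose Start
    differs from the default; a service absent from observed is reported as None."""
    mismatches = []
    for svc, expected in EXPECTED_START.items():
        got = observed.get(svc)
        if got != expected:
            mismatches.append((svc, got, expected))
    return mismatches


def read_service_starts_windows(services=EXPECTED_START):
    """Read the live values on Windows (winreg is stdlib there only)."""
    import winreg
    result = {}
    for svc in services:
        key_path = r"SYSTEM\CurrentControlSet\Services\{}".format(svc)
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            result[svc], _ = winreg.QueryValueEx(key, "Start")
    return result


def scan_removable_drive(root):
    """Return {'dropper': [relative paths], 'autorun': bool} for one drive root."""
    root = Path(root)
    findings = {"dropper": [], "autorun": False}
    for entry in root.iterdir():
        # FAT volumes are case-insensitive, so compare names in lower case.
        if entry.is_dir() and entry.name.lower() == "recycler":
            for sub in entry.iterdir():
                if sub.is_dir() and FAKE_SID_DIR.match(sub.name):
                    for f in sub.iterdir():
                        if f.is_file() and f.name.lower() == DROPPER_NAME:
                            findings["dropper"].append(f.relative_to(root).as_posix())
        elif entry.is_file() and entry.name.lower() == "autorun.inf":
            # The worm pads its autorun.inf with junk bytes, so do not rely on a
            # clean INI parse: look for the dropper name or a fake-SID folder.
            text = entry.read_bytes().decode("latin-1")
            if DROPPER_NAME in text.lower() or re.search(r"S-5-3-42-\d+", text, re.IGNORECASE):
                findings["autorun"] = True
    findings["dropper"].sort()
    return findings


def demo():
    """Build a constructed sample drive in a temp dir and scan it (placeholder bytes, no malware)."""
    tmp = Path(tempfile.mkdtemp(prefix="usb_"))
    bad = tmp / "RECYCLER" / "S-5-3-42-2819952290-8240758988-879315005-3665"
    bad.mkdir(parents=True)
    (bad / DROPPER_NAME).write_bytes(b"placeholder, not the real DLL")
    # A genuine Recycle Bin folder for a real SID must not be flagged.
    good = tmp / "RECYCLER" / "S-1-5-21-1004336348-1177238915-682003330-1000"
    good.mkdir(parents=True)
    (good / "desktop.ini").write_text("[.ShellClassInfo]\n")
    # Constructed autorun.inf imitating the junk-padded layout.
    (tmp / "autorun.inf").write_bytes(
        b"[AutoRun]\r\n\x01\x02junk\r\nshellexecute=RUNDLL32.EXE "
        b".\\RECYCLER\\S-5-3-42-2819952290-8240758988-879315005-3665\\jwgkvsq.vmx,x\r\n"
    )
    return scan_removable_drive(tmp)


if __name__ == "__main__":
    print(demo())
    for svc, got, exp in check_service_starts({"BITS": 2, "wuauserv": 4}):
        print("{}: Start={} ({}), expected {} ({})".format(
            svc, got, interpret_service_start(got), exp, interpret_service_start(exp)))
```

On a Windows machine, `check_service_starts(read_service_starts_windows())` performs the registry check against the live values; `scan_removable_drive("J:\\")` runs the file-layout check against the real flash drive. A hit only under J: says the dropper was on the stick; whether it also reached C: is a question for the service values and a full scan, not for the J: path alone.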



Thanks for your response, Quads. I have in the past had a screen name different from Calls, but Calls is the only one I use now and have been doing so for at least 6 months.

 

Waiting to get the funds to get NIS 2010

 

when you say

HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start = "4"

 

Do you mean that's what it should read if NOT infected? Or is that what it reads WHEN infected?

 

 

When I currently look at

HKLM\SYSTEM\CurrentControlSet\Services\BITS\

it shows

Name     Type         Data

Start    REG_DWORD    0x00000002

 

Is this how it should read if clean?

 

Just want to make sure I have the current, most recent removal tool for W32.Downandup.B

I have downloaded  W32.Downandup removal tool 1.1.0.7

I ask this because the tool doesn't specifically say W32.Downandup.B


Calls wrote:

 ...

 Waiting to get the funds to get NIS 2010

 ...

 


  

The NAV product upgrade is free and can be obtained here. Why not get this upgrade in the interim? At least, you'll then have the 2010 version of the NAV software protecting your computer until you are ready to purchase NIS 2010.

 

 

 

 

Elsewhere- Reason why I don't upgrade to NAV2010 is that NAV2008 has a firewall component. If I upgrade to NAV2010 I'd have to install a firewall from somewhere (which I do not want to do), or use Windows Vista firewall (which I think would just be asking for trouble)

 

 

I may have neglected to indicate this earlier, but Norton detected the infection on a flash drive. The flash drive was in the computer several hours. I decided to run a Norton scan on it and the detection occurred. Don't know if this information clarifies things.

 

I appreciate all that you and the others have to offer. I'm still stuck on a few things regarding the detection of W32.Downandup.B

 

1. It ( W32.Downandup.B) is shown that it is in quarantine.

    It says

    status:  removed

   Recommended action: Resolved- No action 

 

But then under Risk state it indicates partially removed

 

I have rebooted many times since the detection. Could this "Partially removed risk state" be due to the fact the virus was on a flash drive and the flash drive was removed too quickly?

In other words, is it saying "partially removed" because the flash drive was not completely cleaned?

 

I found out some details. the flash drive was my wife's from school that she has not used in nearly a year, so it was infected at the school computer level

 

I just want to make sure that the "partially removed" does not mean that it is still on MY PC

The firewall in Norton 2008 is not that "full of features" compared to the one included in Norton Internet Security 2010 and Norton 360 version 4.

Let's forget what it was and concentrate on what is now. Agree?

 

Make sure Norton is up-to-date. I don't know how often NAV2008 is updated and that is why I advise you to visit this page:

http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

and download the right installer. For your system it is this file:
http://definitions.symantec.com/defs/rapidrelease/symrapidreleasedefsv5i32.exe

 

Install it!

 

Then :

1) Place the flash drive into your computer

2) Open My Computer

3) Right click the flash drive and scan it with Norton. It will clean whatever there is (if anything malicious).

 

At the end, perform a full scan with your Norton and remove any possible threat!

You are ready!

 

As for the crucial (IMO) upgrade. There is nothing wrong with Windows Firewall. I don't know why you think it is incapable as a firewall. If you prefer the Norton firewall, get Norton Internet Security or Norton 360.

If cost is a problem right now, download the Norton 360 free OEM version, which will work for you free for 90 days.

http://www.symantecstore.com/dr/sat2/ec_main.entry25?page=1582AIndexPage&client=Symantec&sid=37771&cid=273172&CUR=840&DSP=&PGRP=0&ABCODE=&CACHE_ID=273172

 

 

What is Norton 360:

http://www.symantec.com/norton/360

 

There are many many stores and online stores (legitimate ones) which offer Norton very cheap . Amazon is authorized reseller as far as I know and you can get N360 for 34.98 , right now . Note that this is a single licence for up to 3 computers.

 

 



3play- thanks for your response. I want to resolve this more than anyone. But before I can move on I NEED to understand the current state and this threat as it pertains to my PC

 

The flash drive that was the source of the infection, I no longer have. It belonged to someone else. Two days after my detection, the flash drive owner scanned it with their antivirus (Trend Micro) and the virus was on the flash drive.

 

So My main concern right now- Is MY COMPUTER clean.

 

What is  the whole "Risk state- Partially removed" message in the Alert Details about? That is what has me so concerned.

 

1. Is it indicating some form of threat or piece of the threat is still on my PC?

 

2. Is it saying that at the time of detection and removal, the threat was removed from my PC but not from the flash drive ?

(I told the flash drive owner and two days later (after my infection) the owner of the flash drive scanned the flash drive and the infection was still detected on the flash drive)

 

 

 

Thank you all who have been helping. PLEASE, if ANYONE can help me understand what this

"Risk state- Partially removed" means, I would be grateful to you forever.

Hi Calls,

 

Since you asked me via PM to post to this thread, I am here and can only repeat what Quads and many others have suggested to you over the past months: you are still with Norton 2008, and it would be best if you upgraded to Norton 2010. If your computer meets the minimum system requirements for NAV 2010 as listed over here (under "System Requirements"), then there should be no obstacle, especially since you can upgrade for free. If you are hesitant about performing the upgrade on your own, then Symantec Customer Support can remove NAV 2008 and install NAV 2010 for you; or since you are thinking of obtaining NIS 2010, you should be able to get it at a discount since you are already a Symantec Customer.

Hi Calls,


I think that some process from the threat, or related to the threat, started running in the background, and because of that NAV 2008 showed "partially removed". But NAV 2008 is able to remove the critical viral part of the threat so that it can't spread to your computer, and that is why it showed the result as "Resolved". You could have tried to run a scan on the pen drive after booting into Safe Mode. If you have the infected file in your Quarantine, try to submit it to Symantec for further analysis.


Just would like to know whether the Trend Micro is able to detect and remove the threat completely and what was the threat name indicated by the Trend Micro.


As you have asked for my suggestion through PM, my opinion is that your computer is safe and the threat didn't get the chance to spread, so you are safe to go. As a side note, I would like to add this: if you had Norton 2009/2010 with SONAR protection, then there is a chance it would show "Removed" instead of "Partially Removed"; the behavioural blocking may be able to terminate the unauthorized process running on your computer.


Yogesh


Calls wrote: 

Thank you all who have been helping. PLEASE if ANYONE can help me understand what this

"Risk state- Partially removed"  means  I would be greatful to  you forever.


I don't understand people like you who keep on digging and digging into the same things. Your question was actually answered. Furthermore, if you now perform a scan with any antivirus including Norton, it will give you a clean bill regarding Downadup (Conficker). It is not important what it was; important is NOW and TOMORROW.

 

Sending PMs to certain users is not necessary, IMHO, so that they repeat what has already been posted.