Endpoint Protection

  • 1.  How to detect/remove W32.Downandup

    Posted Sep 20, 2010 01:40 AM

    I found the risk W32.Downandup on my client; the action was deleted.

    How can I detect and remove W32.Downandup from my client system, even if the logs show it was deleted?

    Service affected: lockout of AD accounts

    Thanks



  • 2.  RE: How to detect/remove W32.Downandup

    Posted Sep 20, 2010 01:52 AM

    Ensure that all the PCs in your network have the KB 958644 patch.

    Scan the affected PCs in safe mode. The Downadup removal tool is also very useful.

    You may use Risk Tracer to find out the affected PCs.


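    The patch check suggested above, as an added example (it is not from this thread or from Symantec): a PowerShell script that queries a list of PCs for KB958644 (the MS08-067 fix that W32.Downadup exploits to spread) and reports which ones are missing it. The computer names are placeholders, and it assumes you have rights to query Win32_QuickFixEngineering on the remote hosts.

```powershell
# Added example: inventory KB958644 across a list of hosts.
# Computer names below are placeholders; replace with your own.
$computers = @('PC-PLACEHOLDER-01', 'PC-PLACEHOLDER-02', 'PC-PLACEHOLDER-03')
$patchId   = 'KB958644'   # MS08-067, the Server service fix Downadup exploits

$results = foreach ($pc in $computers) {
    # Separate "host is down" from "patch is absent" so the report is actionable.
    if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) {
        New-Object PSObject -Property @{ Computer = $pc; Status = 'Unreachable'; InstalledOn = $null }
        continue
    }

    # Get-HotFix reads Win32_QuickFixEngineering on the remote host and returns
    # nothing (with an error we suppress) when the KB is not listed.
    $hf = Get-HotFix -Id $patchId -ComputerName $pc -ErrorAction SilentlyContinue
    if ($hf) {
        New-Object PSObject -Property @{ Computer = $pc; Status = 'Patched'; InstalledOn = $hf.InstalledOn }
    } else {
        New-Object PSObject -Property @{ Computer = $pc; Status = 'MISSING'; InstalledOn = $null }
    }
}

# Show the table and keep a CSV of the hosts that still need attention.
$results | Sort-Object Status, Computer | Format-Table Computer, Status, InstalledOn -AutoSize
$results | Where-Object { $_.Status -ne 'Patched' } |
    Export-Csv -NoTypeInformation -Path .\KB958644-followup.csv
```

    Treat a MISSING result as "verify", not "vulnerable": a machine that received the fix through a later service pack or cumulative rollup may not list KB958644 separately, while an Unreachable host is still unknown and has to be checked another way.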


  • 3.  RE: How to detect/remove W32.Downandup

    Posted Sep 20, 2010 02:15 AM

    Download the removal tool:

    http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99

    Turn off System Restore, boot in safe mode and run this tool.



  • 4.  RE: How to detect/remove W32.Downandup

    Posted Sep 20, 2010 02:18 AM

    Only one client is affected, and according to our network administrator this PC is the cause of the lockout of AD accounts.

    After using the removal tool, still no Downandup was found. We can't run Risk Tracer because only AV and AS are installed (low hardware specs).

    Still no risk found after scanning in safe mode.



  • 5.  RE: How to detect/remove W32.Downandup

    Posted Sep 20, 2010 02:29 AM

    If only one PC is affected, remove it from the network and scan it in safe mode with the Downadup removal tool, with System Restore turned off. Ensure that it has KB 958644 (remember that even one PC in the network not having this patch will make your network vulnerable to Downadup).

    How did your network administrator conclude it is Downadup only? Downadup is not the only threat which will cause network traffic. So it is better to do a scan with the antivirus also in safe mode...



  • 6.  RE: How to detect/remove W32.Downandup

    Posted Sep 20, 2010 04:04 AM

    As Aravin described, the first action to take is to isolate this computer from the network. Then discover in safe mode if there are more viruses. Downadup can be easily removed with a specific tool (W32.Downadup Removal Tool), but scan your system to make sure that there is only this virus, excluding also that there is malware or other guests...



  • 7.  RE: How to detect/remove W32.Downandup

    Posted Sep 20, 2010 04:13 AM

    We have a tool to detect/locate where the AD account lockout happens, and found it on that PC.

    We removed it from the network and scanned in safe mode; no Downandup or risk was found. We reconnected the PC to the network and tested again using our tool. It shows that this PC was the source of the lockout of some AD accounts, according to the logs that were collected.

    Thanks

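    The kind of lookup the poster's tool performs, as an added example (not the poster's tool and not from this thread): a PowerShell script that reads account-lockout events (ID 4740) from a domain controller's Security log and groups them by the "Caller Computer Name" the event records, so a single host locking out many different accounts stands out. It assumes a Windows Server 2008 or later DC, rights to read its Security log, and that the lockouts are recorded on the PDC emulator (which logs every domain lockout); the DC name is a placeholder.

```powershell
# Added example: locate the source of AD account lockouts from event 4740.
# The DC name is a placeholder; point it at your PDC emulator.
$dc    = 'DC-PLACEHOLDER'
$since = (Get-Date).AddHours(-24)

# Event 4740 (Windows Server 2008+) is written on the DC for each lockout and
# names both the locked account and the computer whose bad passwords caused it.
$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $since
} -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    # Assumed field layout for 4740: Properties[0] = TargetUserName (locked account),
    # Properties[1] = TargetDomainName, which carries the "Caller Computer Name".
    # Cross-check against $e.Message if your DC's template differs.
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Account = $e.Properties[0].Value
        Caller  = $e.Properties[1].Value
    }
}

# One caller behind many distinct accounts is the pattern a worm guessing
# passwords against network shares produces; a user mistyping one password is not.
$lockouts | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object @{ n = 'CallerComputer'; e = { $_.Name } },
                  Count,
                  @{ n = 'Accounts'; e = { ($_.Group | ForEach-Object { $_.Account } | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

    On Windows Server 2003 DCs the equivalent event is ID 644 in the Security log, so adjust the filter there. The caller name can also be empty or point at an intermediate system (a proxy, mail server or terminal server relaying the bad credentials), in which case that system's own logs are the next place to look.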


  • 8.  RE: How to detect/remove W32.Downandup

    Posted Sep 20, 2010 04:51 AM

    If that is the case, I think it is better to reimage that PC.



  • 9.  RE: How to detect/remove W32.Downandup

    Posted Sep 20, 2010 05:30 AM

    Hi,

    It would be best if you run SEP/SAV using the latest rapid release:

    http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

    If it's a single PC, maybe you could 'alienate' it from the network and only then detect and clean the said PC in safe mode.

    Regards



  • 10.  RE: How to detect/remove W32.Downandup

    Posted Sep 20, 2010 07:36 AM

    Maybe they have an infected USB drive?