07-10-2008 07:48 AM
Hi everybody.
I wish I had seen this forum before. I’ve just lost 100€ and 1 day. Please read this because it’s lots of fun (not for me though).
After a 3-month trial period, 6 months ago I decided to purchase Norton 360. I was aware of the risk of surfing the internet and I thought that buying the best I could afford I would be secured. I thought I was in the best hands.
I’ve had popup windows for the last 3 months. Yesterday I decided to do something about it. I couldn’t stand it anymore. After having a look on the internet I realised it was something to do with spyware. I had a look at the specifications of my Norton 360 and there it was: “virus and spyware protection”. I thought when you have a green cross in your icon that meant I was fully protected. If you put the arrow of the mouse on top of the icon it says “Norton 360 is protecting you”. I couldn’t be more wrong.
I’ve used support before and I thought it was terrific. I chatted with a technician who got hold of the computer and fixed the problem. Clever guys, these Norton people. There we go, I thought, I’ll contact these guys again and they’re going to do their magic and end of the story.
The first technician installed the add-on pack which was supposed to stop all popup windows. There we go, problem fixed. But it wasn’t.
I contacted the support guys again and chatted with a different person. This one didn’t try anything (too busy?) and passed me directly to the Virus Removal department.
The next person must have been the salesman because he tried nothing to solve the problem but offered me an expertise service. And he knew what the problem was. Judge for yourselves:
Sejin: As I understand from your issue description, you are getting annoying pop ups in your computer. Am I correct?
Mr. Carlos Gonzalez: yes, that's correct
Sejin: Do you get any pop ups that prompt you to download antivirus or other protection software?
Mr. Carlos Gonzalez: that's correct
Sejin: Are you getting any alert messages like "Virus Alert", "Your Computer is infected", "Security Alert" etc?
Mr. Carlos Gonzalez: yes
Sejin: Did the pop ups specify any virus names?
Mr. Carlos Gonzalez: haven't paid much attention
Sejin: Do you have unfamiliar blinking icons or yellow triangles in the lower right hand corner of your desktop?
Mr. Carlos Gonzalez: yes prompt window asking me to accept or cancel but window pop ups regardless
Continues in the next reply
That was EXACTLY what was going wrong with my computer. There must have been lots of people like me before. These Virus Removal guys must be making a killing these days.
But here is some more:
Sejin: You don’t have to worry; we will look into the issue. Our expert consultants will do a complete diagnosis of your system, and troubleshoot any malware present on your computer. If required and if your system permits they can connect to your computer remotely and do all this for you directly.
Mr. Carlos Gonzalez: ok, is this included in the product I purchased?
Sejin: Carlos, when you purchase the product, the cost of the product is for the software, updates to the software and for the virus definitions. Apart from this, there is an additional charge for value added services.
Mr. Carlos Gonzalez: how much?
Sejin: The Consultation and Removal fee would be €99.99.
Sejin: We guarantee to identify any threats that may be on your system. Once we have found them, we will remove them guaranteed.
Is he a salesman or what?
Anyway, at that point, I thought my pc was about to crash and that it was serious and if I had these guys helping me I would have my pc running as smoothly as the first day. So I accepted and paid the 100€ (ok 99.99€) and he passed me to the final “expert” (the master, the guru).
I couldn’t believe what happened next: In 30 minutes he removed 1 AND ONLY ONE file which was infected by the virus and gave me 4 links full of tips so that I didn’t have the same problem again. HOW IS THAT? 30 minutes!!!!! I was so furious.
By the way here are the 4 links and save yourself 100€:
http://www.symantec.com/home_homeoffice/security_r
http://www.symantec.com/home_homeoffice/security_r
http://www.symantec.com/home_homeoffice/security_r
http://www.symantec.com/home_homeoffice/security_r
I asked the guy why Norton 360 hadn’t fixed the problem itself. All he could tell me was that the cause was that the file had full permission given by the administrator (me) and so Norton didn’t stop it. How could I have given permission myself, I asked. LISTEN TO THIS PLEASE: He told me the problem is you can give permissions without being aware of it. How is that possible? It’s very simple: the popup window prompts if you want to accept this and that and there are 3 buttons: accept, cancel and a tiny little close button. The guru told me basically that you have a 1 out of 3 chance of making the right decision (that’s only 33%) and that you should close the window with the TINY little close button, that otherwise you’re giving full permissions for the programme to run. HOW THE HELL IS ANY USER SUPPOSED TO KNOW THIS? If that is true, even if you’ve got NORTON 360 you’ve only got a 33% chance.
If you want to read the whole transcript:
http://docs.google.com/Doc?id=dvtqw73_0gxt2z8fk
I know I’ve been a fool but now I’m going to publish this in all the IT forums in the internet and see what happens.
Carlos
07-14-2008 04:49 PM - last edited on 07-14-2008 05:08 PM by Dave_Coleman
From my perspective, that’s good value…but of course that doesn’t matter in this case—it’s yours that we care about. So, Carlos, if you would do me a favor, please help me understand a few things:
Please feel free to post here with any comments or thoughts, or please contact me directly by sending a private message here on the forum. Myself or someone from my team would be happy to contact you by phone, if that’s easier.
Regardless, thanks for your feedback! I’m truly sorry that your experience was less than stellar, but know that we’re here and committed to make it up to you.
Sean Conrad
Technical Product Manager
Norton Premium Services
www.symantec.com
(Edited Formatting.)
07-16-2008 03:23 AM
Hello Sean,
Thank you very much for your reply.
I've just got an email from Symantec telling me I've been refunded and that makes me very happy. Since I reported the incident Symantec has put a great effort into it. I've received several emails, phone calls and your reply. Now I feel very pleased and know Symantec cares for its customers. That is something customers really appreciate.
This incident should never have happened though. I think the person that offered me the fee-based service should have tried to help me himself. He could have told me about those resources that Norton offers at no charge. After all it was about harmless adware and I can't help feeling suspicious this person knew and wanted to make some quick business instead. As you point out the need for the fee-based removal service is so exceedingly rare and I definitely didn't have that need. I'm sure it is a great service for those who need it. In my case it was like trying to kill mosquitoes with a hammer. I understand you try to defend your people but I absolutely consider that what I got wasn’t good value for my 100€ because there wasn’t a need. Anyway, I'm glad Symantec has acknowledged this and rectified it for the best of both parties.
And about your questions:
How can we help educate users better when this type of issue occurs? How could we have educated you earlier in the process, for example?
Whenever I’ve had a problem I’ve made use of the support service. It’s fantastic to be able to chat personally with a technician. It’s great that person is able to get hold of your computer and fix the problem while you watch the process and mouse pointer going up and down. I think it’s a fantastic opportunity to educate the users and tell them what the problem was about and how to prevent it in the future.
Before any issue arises no user is going to spend time thinking about the subject. I mean users buy software to help them make as little effort as possible. Viruses are a big concern for everybody and that’s why we buy products like Norton. The subject can be quite cumbersome and we don’t want to spend time reading about how to prevent them. We think by buying antivirus software we’re 100% protected. Now, when something happens (and let’s hope it’s not too late) it is a good opportunity to educate the user. In that context, the user is aware more prevention has to be done (apart from buying an antivirus product) and is more open to learning about the subject. In my case, it would have been a perfect opportunity to be educated and I could have been instructed about prevention and all the stuff. But no, it didn’t go like that and someone decided to make business with it.
How can we make the Spyware and Virus Removal Service more rewarding for users like yourself and situations like yours? What more could we have done?
By buying a Norton product I am a Symantec customer. As such I consider that further assistance has to be provided when the product hasn’t been fully efficient and that’s when the support service is a great complement. When this is not enough the next step is the fee-based removal service. That’s great too. The problem again is that I didn’t need that final step. Ok, let’s think that the technician that sold me the fee-based service was genuine and thought I needed it. A complete diagnosis of my computer was done and just one file was removed. Wouldn’t it have been great not to charge me for the service when it was realised it was a minor issue and there was no need for the service in the first place? So, the problem here is to decide whether the user really needs the fee-based service and for that a previous diagnosis should be done. I think that’s common sense. You shouldn’t be charged before. It’s something to think about.
What more can we do for you, specifically, right now?
I’ve got my money back. I think Symantec has been fair with me and made me feel cared for. I can’t complain.
Just say thanks for the effort and time the company and in this case yourself has invested on me.
Kind Regards,
Carlos
07-16-2008 05:17 AM
If you will allow me, I happen to disagree with some of your statements. I have computer systems that fully meet the criteria you list for "full protection". Nevertheless, I do get infected with virii (I entirely know why) but the point is, that I should not be infected because Norton's is installed. I have elsewhere in this forum posted some details of my infections, and I can tell you as a matter of fact that Norton 360 v1 and v2, does not see the original downloaded file as infected, does not stop the opening and infection of the file, does not see the system as infected, does not therefore offer to clean, remove the infected files. One particular batch of virus is of the vundo family. What is more, I found that other AV's like Microsoft's own product and the Kaspersky(?) scanner all found virus infections or left over pieces, which Norton's simply does not recognise.
Why Norton's is not accounting for well reported virus, I cannot answer. If you check out the thread
http://community.norton.com/norton/board/message?b
you will see that no answers to my questions have been given.
It would, imho, be foolish for anyone to rely upon Norton 360 v2 at this time. I can download a virus infected file at any time from the web and can scan same with Norton and get the all clear, only to find that upon execution my system is infected.
BTW, whilst I am responding to someone I recognise as a serious engineer at Norton's, can I ask why Norton's does not recognise and resolve the zoombie issue?
07-16-2008 01:42 PM
I'm sorry to hear you've been having so much trouble tackling this infection. The Trojan.Vundo family of threats is a particularly challenging family of threats. Firstly, it is being regularly updated to evade detection by antivirus vendors. In addition to this it will generally download further malware and security risks, making it more difficult to clean up a machine which has been infected with Trojan.Vundo.
We've been taking a number of steps to tackle these challenges:
- Regularly updating our detection for Trojan.Vundo, making it more generic and therefore proactively detecting more variants. Unfortunately the malware authors recognise this and will regularly modify the threat to evade detection. We therefore need to constantly update our detection. If you look at our write-up for Trojan.Vundo under the "Protection" section you'll see that the detection was updated today (July 16).
- In order to prevent machines from getting infected in the first place, we have created IPS signatures to detect, and block, infection attempts. We have had a lot of success with this and have seen infection numbers almost halve as a result.
- Most infections of Trojan.Vundo occur as a result of drive-by downloads (i.e. compromised websites). The Browser Protection feature in Norton 360 will automatically block most of these.
Unfortunately, despite all of the above, some variants will slip through the net, which seems to have happened in your case. If you still have the malicious files available, I would appreciate it if you could submit them for analysis here. You'll receive an email with tracking number for the submission. If you can provide the tracking number here we can take a look at the samples and add detection if necessary.
Orla
Symantec Security Response
07-16-2008 02:42 PM
Firstly, I thank you for your post. I am honoured that a Symantec employee has responded.
The variants I had include win32/Vundo.k (Microsoft)
win32/Vundo.gen!H
I can only say that at the time when other AV's were correctly detecting, removing, preventing the above, Norton's 360 was not.
The link you provided does not, imho, deal adequately with these Vundo variants. The first time I was infected, Vundo actually turned off updates, and disabled system restore. It does this because when system restore is turned off, all restore points are lost.
In my view, if you have an infection which has not disabled system restore you have a chance to at least deal with the registry entries created by the infection. Your removal instruction starts off by first advising the user to disable system restore. I understand why: because a system restore point is likely to have been created by or in consequence of the infection, and those restore points are likely to be corrupted. However, earlier restore points will not.
But more importantly, if you followed my thread link,
http://community.norton.com/norton/board/message?b
you will see that I list a whole raft of virii that Norton 360 did not detect.
More importantly, it is possible to delete individual restore points manually. The question I asked was
"I also now fail to understand why as default Norton 360 v2, does not look into system volume information directory. Can anyone explain please?"
I would welcome your response to this question, as it seems more logical that Norton should scan the system volume information directory since it contains the all important restore points. Knowing that a restore point is infected will hopefully prevent a user restoring to that specific point, and equally allows the user to remove the restore point or fix.
I do not keep infected files. But whilst I am running Norton 360 I feel sure that it will not be long before I am infected and in that event will submit the files.
07-17-2008 03:03 AM
The short answer is that Antivirus products do not have the ability to manipulate files in System Restore as it is a protected folder. For more details I'd recommend reading this article from Microsoft: http://support.microsoft.com/kb/263455. We recommend disabling System Restore to prevent malicious files being restored. I've seen a number of people having trouble cleaning up infections (including Vundo) due to System Restore being enabled.
We have our own remediation engine called Eraser which we use to clean up the side effects of malware infections. In most cases it can successfully clean up a Trojan.Vundo infection. However as we appear not to have been able to detect the infection in the first place, Eraser wouldn't have kicked in. If you do see malicious files in future that we aren't detecting, please do submit them. As I mentioned in my previous post, we're giving Trojan.Vundo a lot of attention, so I would hope that you won't see missed detections like this in future.
Orla
Symantec Security Response
07-17-2008 07:14 AM
Dear Orla_cox
thanks again for the rapid response. I want to fully respond to your post. However, if you will allow, I want to squeeze in some other virii issues. I have just forced a full scan on my computer. I do this regularly.
1. It finds today w95.fono on a file that has been sitting idle on my hard drive for 6 months. I ask myself why now? What's more, if I follow the link
http://securityresponse.symantec.com/security_resp
it tells me nothing about the virus or about manual deletion.
2. It also finds backdoor.greybird; again on a file idle on hard drive for 6 months. Again do I believe it. This machine is regularly checked by Microsoft onecare and Kaspersky. They were happy but they might be wrong. The question is why now?
3. Next up is trojan.adclicker. Again a file idle on hard drive for 6 months. So is it that Norton 360 has never worked before now, or that Norton has just got around to protection, or that these are false positives?
4. Lastly we have Trojan.Zlob. OK this is detected on a file idle on the hard drive for 2 months. Norton cannot clean.
OK I got that off my chest. Now turning to your post.
A. I partly agree with you that most AV do not manipulate files in the protected folder. However, a clever AV could temporarily unprotect the folder and reprotect after clean. I could go into the programming necessary but am sure you know that it is technically possible, if not accepted practice.
B. However, if you click on your link (remove the last full stop) you will see that the Symptoms say
"When you run an antivirus program, you may receive a report that indicates that one or more files in the _Restore\Temp or the _Restore\Archive folders contain a virus or are infected with a virus."
You see other AV's actually scan the restore folder and at least report if a virus is contained therein. (Readers: I am aware that the article is for Windows Millennium but I accept the principle of the article as it may be applied to other operating systems including in my case here Win XP).
The issue I am trying to raise is that Norton does NOT even scan the restore folder. So if anyone is relying upon Norton to let them know whether their hard disk is clean, they will be disillusioned. In my view it is better that Norton's should at least report the infection. The user can then be instructed on removal. The following will assist
http://support.microsoft.com/kb/309531
I prefer to use cacls rather than the suggestions in your previously cited link.
Sorry to labour the point but I feel this is important. Let me give you this realistic example please.
.........................
A user uses his PC without adequate AV protection (i.e. he uses another brand of AV which obviously must be inferior to Norton's (ed: he he!)).
He decides to spend his money and buy the real thing and install Norton 360. He runs a full scan and the machine is left clean.
He then has a problem and decides to go back to a selected restore point. His machine is now infected because the restore point was infected. He did not know this of course because Norton's never looked at the restore information.
QED,
It makes no sense, IMHO, to disable System Restore at the first sign of trouble. In that event you might as well leave System Restore off permanently.
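An added example, not part of the original post and not Symantec's or Microsoft's code: a sketch of the per-restore-point report argued for above, which names the restore points holding a flagged file and the newest one without any. It assumes the Windows XP store layout `_restore{GUID}\RPn` under System Volume Information, read access to that folder already granted, and a hypothetical set of known-bad SHA-256 hashes standing in for a real scanner's detection; the sample tree is constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

RP_DIR = re.compile(r"^RP(\d+)$", re.IGNORECASE)  # assumed restore point folder naming

def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def restore_points(svi_root):
    """Yield (number, path) for every RPn folder under each _restore* store."""
    for store in Path(svi_root).glob("_restore*"):
        for rp in store.iterdir():
            m = RP_DIR.match(rp.name)
            if m and rp.is_dir():
                yield int(m.group(1)), rp

def infected_restore_points(svi_root, known_bad):
    """Map restore point number -> sorted names of files whose hash is flagged."""
    hits = {}
    for num, rp in restore_points(svi_root):
        for f in rp.rglob("*"):
            if f.is_file() and sha256_of(f) in known_bad:
                hits.setdefault(num, []).append(f.name)
    return {n: sorted(v) for n, v in sorted(hits.items())}

def newest_clean_point(svi_root, known_bad):
    """Highest-numbered restore point with no flagged file, or None."""
    bad = infected_restore_points(svi_root, known_bad)
    clean = [n for n, _ in restore_points(svi_root) if n not in bad]
    return max(clean) if clean else None

def build_sample(root):
    """Constructed tree: RP1 is clean, RP2 and RP3 hold the flagged payload."""
    payload = b"constructed-sample-not-malware"
    store = Path(root) / "_restore{CONSTRUCTED-GUID}"
    tree = {"RP1": {"A0000001.dll": b"clean"},
            "RP2": {"A0000002.dll": payload, "change.log": b"log"},
            "RP3": {"A0000003.exe": payload}}
    for rp, files in tree.items():
        (store / rp).mkdir(parents=True)
        for name, data in files.items():
            (store / rp / name).write_bytes(data)
    return {hashlib.sha256(payload).hexdigest()}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        bad = build_sample(tmp)
        return infected_restore_points(tmp, bad), newest_clean_point(tmp, bad)

if __name__ == "__main__":
    print(demo())
```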
07-17-2008 11:43 PM
cgoldman, you may be interested in these previous posts of mine here, and here.
Also, do you know about the Virus Total website? If you have a suspected malicious file it will tell you whether it has been recognized by Symantec or any other security company. I use it frequently, and sometimes a virus which has been recognized by some of the better known security companies will show up as Symantec having not released definitions for it as yet, in which case I upload the files to Symantec, and usually you will see they release definitions relatively quickly.
