Hello Carlos,
I’m sorry to hear about the frustration and inconvenience this issue has caused you. Our general practices have taken a number of years to perfect, but even the most effective and well-intentioned approach needs to be custom-tailored for some situations—like yours—and for that I’m glad that you posted your experience here on the forum so that we can help you and other users like yourself.
First and foremost, let me say that I understand how frustrating it can be to take precautionary measures against getting a computer virus or threat, and yet still have your computer become infected anyway. We see these cases from time to time, but no matter how rare they are, they still break our hearts; make no mistake that there are thousands of people at Norton who work tirelessly to create and provide the perfect anti-virus system that could never be circumvented, no matter what!
…but unfortunately that is not possible. No anti-virus software is a guarantee against a computer becoming infected with a virus or other threat. It is a preventative measure that is very effective, but not fool-proof. For example, for Norton 360 to offer full protection, the following must be true:
- Your computer must be virus-free when Norton 360 is installed
- Your computer must meet the minimum system requirements for Norton 360
- Norton 360’s program updates, security patches, and anti-virus definitions must be fully up-to-date
- Norton 360 must be installed and configured in a manner that matches your computer usage and security needs
- The Windows operating system must be free of instability issues, and fully up-to-date with stability, security, and functional updates
- No non-Norton security software can be present which might cause timing conflicts or other incompatibilities
And if your computer does become infected with a virus or other threat due to one of the reasons above, then Norton offers many resources for this purpose at no charge, available here:
http://www.symantec.com/norton/security_response/index.jsp
And, as in your case, if you feel that the assistance of a live technician is necessary, then we also provide the Spyware and Virus Removal Service, which—as you know—is a fee-based service.
(Note: In the interest of being fully transparent, it’s important to note that this service is not included in the price of your Norton product, and that’s precisely because the need for it is so exceedingly rare. In fact, something like 0.2% of our customers ever have to call our Spyware and Virus Removal Service (this is based on my own personal calculations—not an official figure). And even of that small percentage—whatever it is—9 out of 10 of those customers give us the highest marks on their post-service satisfaction survey.)
But, again, I’m sure you’re less interested in everyone else’s experience, and much more concerned with the service that you received, and in that regard I can certainly understand your frustration. When something significant and troubling happens on your computer, it’s anti-climactic—and perhaps equally troubling—when the entirety of the work involved takes only 30 minutes and removes only one file, but I would ask you to think about the results themselves:
- The security threat that was on your computer was fully removed
- You were given security tips that will prevent this from ever re-occurring—and please feel free to share this knowledge with your friends! This is the type of information that we post at the Symantec site listed above free of charge; our mission is to secure your computer, and sometimes that goes beyond software (sometimes it requires good, old-fashioned education).
- The technician involved was able to accomplish all of this in 30 minutes—giving you back the rest of the day or night to enjoy as you wish.
From my perspective, that’s good value…but of course that doesn’t matter in this case—it’s yours that we care about. So, Carlos, if you would do me a favor, please help me understand a few things:
- How can we help educate users better when this type of issue occurs? How could we have educated you earlier in the process, for example?
- How can we make the Spyware and Virus Removal Service more rewarding for users like yourself and situations like yours? What more could we have done?
- What more can we do for you, specifically, right now?
Please feel free to post here with any comments or thoughts, or please contact me directly by sending a private message here on the forum. Myself or someone from my team would be happy to contact you by phone, if that’s easier.
Regardless, thanks for your feedback! I’m truly sorry that your experience was less than stellar, but know that we’re here and committed to make it up to you.
Sean Conrad
Technical Product Manager
Norton Premium Services
www.symantec.com
(Edited Formatting.)
Hello Sean,
Thank you very much for your reply.
I've just got an email from Symantec telling me I've been refunded and that makes me very happy. Since I reported the incident Symantec has put a great effort into it. I've received several emails, phone calls and your reply. Now I feel very pleased and know Symantec cares for its customers. That is something customers really appreciate.
This incident should never have happened though. I think the person that offered me the fee-based service should have tried to help me himself. He could have told me about those resources that Norton offers at no charge. After all it was about harmless adware and I can't help feeling suspicious this person knew and wanted to make some quick business instead. As you point out the need for the fee-based removal service is so exceedingly rare and I definitely didn't have that need. I'm sure it is a great service for those who need it. In my case it was like trying to kill mosquitoes with a hammer. I understand you try to defend your people but I absolutely consider that what I’ve got wasn’t good value for my 100€ because there wasn’t a need. Anyway, I'm glad Symantec has acknowledged this and rectified it for the best of both parts.
And about your questions:
How can we help educate users better when this type of issue occurs? How could we have educated you earlier in the process, for example?
Whenever I’ve had a problem I’ve made use of the support service. It’s fantastic to be able to chat personally with a technician. It’s great that person is able to get hold of your computer and fix the problem while you watch the process and mouse pointer going up and down. I think it’s a fantastic opportunity to educate the users and tell them what the problem was about and how to prevent it in the future.
Before any issue arises no user is going to spend time thinking about the subject. I mean users buy software to help them making as little effort as possible. Virus is a big concern for everybody and that’s why we buy products like Norton. The subject can be quite cumbersome and we don’t want to spend time reading about how to prevent them. We think by buying antivirus software we’re 100% protected. Now, when something happens (and let’s hope is not too late) is a good opportunity to educate the user. In that context, the user is aware more prevention has to be done (apart from buying an antivirus product) and is more opened to learn about the subject. In my case, it would have been a perfect opportunity to be educated and I could have been instructed about prevention and all the stuff. But no, it didn’t go like that and someone decided to make business with it.
How can we make the Spyware and Virus Removal Service more rewarding for users like yourself and situations like yours? What more could we have done?
By buying a Norton product I am a Symantec customer. As such I consider that further assistance has to be provided when the product hasn’t been fully efficient and that’s when the support service is a great complement. When this is not enough the next step is the fee-based removal service. That’s great too. The problem again is that I didn’t need that final step. Ok, let’s think that the technician that sold me the fee-based service was genuine and thought I needed it. A complete diagnosis of my computer was done and just one file was removed. Wouldn’t it have been great not to charge me for the service when it was realised it was a minor issue and there was no need for the service in the first place? So, the problem here is to decide whether the user really needs the fee-based service and for that a previous diagnosis should be done. I think that’s common sense. You shouldn’t be charged before. It’s something to think about.
What more can we do for you, specifically, right now?
I’ve got my money back. I think Symantec has been fair with me and made me feel cared for. I can’t complain.
Just say thanks for the effort and time the company and in this case yourself has invested on me.
Kind Regards,
Carlos
If you will allow me, I happen to disagree with some of your statements. I have computer systems that fully meet the criteria you list for "full protection". Nevertheless, I do get infected with virii (I entirely know why) but the point is, that I should not be infected because Norton's is installed. I have elsewhere in this forum posted some details of my infections, and I can tell you as a matter of fact that Norton 360 v1 and v2, does not see the original downloaded file as infected, does not stop the opening and infection of the file, does not see the system as infected, does not therefore offer to clean, remove the infected files. One particular batch of virus is of the vundo family. What is more, I found that other AV's like Microsoft's own product and the Kaspersky(?) scanner all found virus infections or left over pieces, which Norton's simply does not recognise.
Why Norton's is not accounting for well reported virus, I cannot answer. If you check out the thread
http://community.norton.com/norton/board/message?board.id=Norton_360&thread.id=1576
you will see that no answers to my questions have been given.
It would, imho, be foolish for anyone to rely upon Norton 360 v2 at this time. I can download a virus infected file at any time from the web and can scan same with Norton and get the all clear, only to find that upon execution my system is infected.
BTW, whilst I am responding to someone I recognise as a serious engineer at Norton's, can I ask why Norton's does not recognise and resolve the zombie issue?
I'm sorry to hear you've been having so much trouble tackling this infection. The Trojan.Vundo family of threats is a particularly challenging family of threats. Firstly, it is being regularly updated to evade detection by antivirus vendors. In addition to this it will generally download further malware and security risks, making it more difficult to clean up a machine which has been infected with Trojan.Vundo.
We've been taking a number of steps to tackle these challenges:
- Regularly updating our detection for Trojan.Vundo, making it more generic and therefore proactively detecting more variants. Unfortunately the malware authors recognise this and will regularly modify the threat to evade detection. We therefore need to constantly update our detection. If you look at our write-up for Trojan.Vundo under the "Protection" section you'll see that the detection was updated today (July 16).
- In order to prevent machines from getting infected in the first place, we have created IPS signatures to detect, and block, infection attempts. We have had a lot of success with this and have seen infection numbers almost halve as a result.
- Most infections of Trojan.Vundo occur as a result of drive-by downloads (i.e. compromised websites). The Browser Protection feature in Norton 360 will automatically block most of these.
Unfortunately, despite all of the above, some variants will slip through the net, which seems to have happened in your case. If you still have the malicious files available, I would appreciate it if you could submit them for analysis here. You'll receive an email with a tracking number for the submission. If you can provide the tracking number here we can take a look at the samples and add detection if necessary.
Orla
Symantec Security Response
Firstly, I thank you for your post. I am honoured that a Symantec employee has responded.
The variants I had include win32/Vundo.k (Microsoft)
win32/Vundo.gen!H
I can only say that at the time when other AV's were correctly detecting, removing, preventing the above, Norton's 360 was not.
The link you provided does not, imho, deal adequately with these Vundo variants. The first time I was infected, Vundo actually turned off updates, and disabled system restore. It does this because when system restore is turned off, all restore points are lost.
In my view, if you have an infection which has not disabled system restore you have a chance to at least deal with the registry entries created by the infection. Your removal instruction starts off by first advising the user to disable system restore. I understand why; because a system restore point is likely to have been created by or in consequence of the infection, and those restore points are likely to be corrupted. However, earlier restore points will not.
But more importantly, if you followed my thread link,
http://community.norton.com/norton/board/message?board.id=Norton_360&thread.id=1576
you will see that I list a whole raft of virii that Norton 360 did not detect.
More importantly, it is possible to delete individual restore points manually. The question I asked was
"I also now fail to understand why as default Norton 360 v2, does not look into system volume information directory. Can anyone explain please?"
I would welcome your response to this question, as it seems more logical that Norton should scan the system volume information directory since it contains the all important restore points. Knowing that a restore point is infected will hopefully prevent a user restoring to that specific point, and equally allows the user to remove the restore point or fix.
I do not keep infected files. But whilst I am running Norton 360 I feel sure that it will not be long before I am infected and in that event will submit the files.
The short answer is that Antivirus products do not have the ability to manipulate files in System Restore as it is a protected folder. For more details I'd recommend reading this article from Microsoft: http://support.microsoft.com/kb/263455. We recommend disabling System Restore to prevent malicious files being restored. I've seen a number of people having trouble cleaning up infections (including Vundo) due to System Restore being enabled.
We have our own remediation engine called Eraser which we use to clean up the side effects of malware infections. In most cases it can successfully clean up a Trojan.Vundo infection. However as we appear not to have been able to detect the infection in the first place, Eraser wouldn't have kicked in. If you do see malicious files in future that we aren't detecting, please do submit them. As I mentioned in my previous post, we're giving Trojan.Vundo a lot of attention, so I would hope that you won't see missed detections like this in future.
Orla
Symantec Security Response
Dear Orla_cox
thanks again for the rapid response. I want to fully respond to your post. However, if you will allow, I want to squeeze in some other virii issues. I have just forced a full scan on my computer. I do this regularly.
1. It finds today w95.fono on a file that has been sitting idle on my hard drive for 6 months. I ask myself why now? What's more, if I follow the link
http://securityresponse.symantec.com/security_response/detected_writeup.jsp?name=W95%2EFono
it tells me nothing about the virus or about manual deletion.
2. It also finds backdoor.greybird; again on a file idle on hard drive for 6 months. Again do I believe it. This machine is regularly checked by Microsoft onecare and Kaspersky. They were happy but they might be wrong. The question is why now?
3. Next up is trojan.adclicker. Again a file idle on hard drive for 6 months. So is it that Norton 360 has never worked before now, or that Norton has just got around to protection, or that these are false positives?
4. Lastly we have Trojan.Zlob. OK this is detected on a file idle on the hard drive for 2 months. Norton cannot clean.
OK I got that off my chest. Now turning to your post.
A. I partly agree with you that most AV do not manipulate file in the protected folder. However, a clever AV could temporarily unprotect the folder and reprotect after clean. I could go into the programming necessary but am sure you know that it is technically possible, if not accepted practice.
B. However, if you click on your link (remove the last full stop) you will see that the Symptoms say
"When you run an antivirus program, you may receive a report that indicates that one or more files in the _Restore\Temp or the _Restore\Archive folders contain a virus or are infected with a virus."
You see other AV's actually scan the restore folder and at least report if a virus is contained therein. (Readers: I am aware that the article is for Windows Millennium but I accept the principle of the article as it may be applied to other operating systems including in my case here Win XP).
The issue I am trying to raise, is that Norton does NOT even scan the restore folder. So if anyone is relying upon Norton to let them know whether their hard disk is clean, they will be disillusioned. In my view it is better that Norton's should at least report the infection. The user can then be instructed on removal. The following will assist
http://support.microsoft.com/kb/309531
I prefer to use cacls rather than the suggestions in your previously cited link.
Sorry to labour the point but I feel this is important. Let me give you this realistic example please.
.........................
A user uses his PC without adequate AV protection (i.e. he uses another brand of AV which obviously must be inferior to Norton's (ed: he he!)).
He decides to spend his money and buy the real thing and install Norton 360. He runs a full scan and the machine is left clean.
He then has a problem and decides to go back to a selected restore point. His machine is now infected because the restore point was infected. He did not know this of course because Norton's never looked at the restore information.
QED,
It makes no sense, IMHO, to disable System Restore at the first sign of trouble. In that event you might as well leave System Restore off permanently.
cgoldman, you may be interested in these previous posts of mine here, and here.
Also, do you know about the Virus Total website, if you have a suspected malicious file it will tell you whether it has been recognized by Symantec or any other security company. I use it frequently, and sometimes a virus which has been recognized by some of the better known security companies, will show up as Symantec having not released definition for it as yet, in which case I upload the files to Symantec, and usually you will see they release definitions relatively quickly.