Symantec Please Speak Up About Rash of Trojans

I note with interest a lot of threads here, on the N360 forum, and on other AV boards as well a lot of problems with infections of trojan.gen.2 and others.  Seems there is an unusual amount of labor (mostly by Quads, an Army of one) on this forum and on other help sites devoted to ridding machines of these infections.

 

Understand no AV solution works at 100%, got all that.  Key question here is how are these trojans getting in, and is NIS/N360 currently able to block them? 

 

I've been a Norton user since the days Peter Norton's photo came on the software box.  All my family's machines are humming along just fine - no problems here.  But there has been a justifiable outcry for Symantec's take and suggestions, and understandably a lot of folks' confidence has been rattled in all of this.

 

Please let us know from the horse's mouth what's going on, rather than leave it to volunteers and forum visitors to do it.

 

Regards,

Kelly

True, though not everyone reporting problems is a computer novice.  Despite following best practices it still seems to be a problem.  My main point is Symantec has been eerily quiet in all of this - I'd like to hear the company's take on it rather than crickets.

 

Regards,

Kelly

Still waiting for Symantec to weigh in about this - keeping silent on the matter does nothing to help consumer confidence in the product. 

 

My OP has been pushed back 3 pages due to the spate of trojan reports and pleas for help.  That should tell you there's a problem.

 

Symantec, are you even reading/listening?

 

Kelly

Symantec will come to this forum when they are ready to do so and when they have time to do it, and likely right now they are not reading this.


DavidThomas88 wrote:

Symantec will come to this forum when they are ready to do so and when they have time to do it, and likely right now they are not reading this.



I would not recommend presuming to speak for Norton!

Symantec and SSR know about this and Symantec do see the forum, it is their forum after all.

 

Quads

Sorry for not replying sooner about this topic. We are very aware of the increased number of Trojan threads posted to the forum, and a more knowledgeable person than me will be responding to the thread shortly. I apologize for the delay in posting.


DavidThomas88 wrote:

hi

That's because no one on here knows how to be careful where they go on the internet. They are likely downloading something they should not be downloading and that is likely how they are getting Trojans. They likely get them from web sites like The Pirate Bay and other web sites, and they are likely not checking the green Norton icon before they enter that web site to see if it's a good link or bad link. Guys, if the Norton icon shows red don't even hit the link at all and you guys won't get Trojans.

Always check before you hit a link to make sure it is safe. Don't be downloading something that may have a Trojan with it.

It will make life on Quads a little easier on him/her if you look before you enter that site or download something.


This is an arrogant presumption.

Tony,

 

You or someone with the correct authority and responsibility within Symantec/Norton need to respond to (among other issues related to this Trojan disaster) Quads' comment:

"Norton / Symantec AV's does not have the ability to deal with patched files like services.exe, atapi.sys (TDL3)  etc. or boot sector patchers (rewriters) like TDL4, (Tidserv) , wistler, mebroot etc. or BCD changes like Philar or SST."

It is not acceptable that a paid product like NIS has these huge holes that are putting all customers at risk.

Without giving the bad guys information Symantec/Norton MUST tell your customer base what you are doing to help us!


Kelly wrote:

 Understand no AV solution works at 100%, got all that.  Key question here is how are these trojans getting in, and is NIS/N360 currently able to block them?

 

 I've been a Norton user since the days Peter Norton's photo came on the software box.



I've been with them a long time also, approx 11 to 12 years. I also understand no AV solution works at 100%.

 

Key question here is how are these trojans getting in, and is NIS/N360 currently able to block them?

 

I'm going to go out on a limb here. Has anyone noticed that the people getting infected registered this month (July)?

Why aren't we seeing infections with the old timers on the forum? Seems kind of odd.

Is NIS/N360 currently able to block this infection? I think it is.

 

In the last post in this thread http://community.norton.com/t5/Norton-Internet-Security-Norton/Is-Norton-broke/td-p/764156/page/5 Quads mentions that he has figured out that the users posting now who are infected have done something particular and it is not because Norton's protection has failed. He doesn't elaborate, though. Disabled something vital? Just speculating.

Thanks, Tony

 

In my circle of family and friends (whose computers I maintain), three computers are set up with Norton 360 and six are set up with NIS 2012.  No problem whatsoever on any of them, but I have to wonder what's up given the rash of trojans.

 

I'm starting to think the cause is some users shooting themselves in the foot.  One neighbor got infected with it, but he had let his AV subscription lapse months ago and the program had lost functionality.

 

Still, would like to hear what Symantec has to say - and if there's anything beyond the usual best practices we need to do to keep protected.

 

Many thanks,

Kelly

Yes, I would like to hear what they have to say also.  I have 4 computers here at home, 2 desk, 2 laptops, and one of them has these darn trojans in it, and can't get rid of them. I have used Norton since it first came out, never installed any program that would conflict with the proper use of Norton.  I was just on the phone with 360 support and they are blaming it on media files (i.e. iTunes) cause that would be the only media files on that particular laptop.  The guy went as far as saying I didn't maintain the computer....which is a crock....I am no novice when it comes to taking care of the computers in my house.....they said that I had too many components/files of Windows running, and that is how it was affected.  This guy was rude, inconsiderate, disrespectful to me on the phone, every time I tried telling him what I was doing, he would talk over me, and before he hung up on me, he said I can uninstall Norton and never use their product again and hopes my computer crashes with many viruses in it!!  Really??  This is what I pay hundreds of dollars for?  To be treated like this?

So yes, please someone tell me how and why this is happening.  As for the ignorant person who said it's because we go to sites and download stuff without thinking first, is wrong....You want to see how strict I am about downloads on my household computers....give me a call cause I am sure my children would rather stay with you than me.

We need to be careful about blaming the victim. I agree that safe surfing and constant patching/updating are critical. I always patch everything, use Secunia PSI, and SlimDrivers to check things, use SlimCleaner and CCleaner to make sure old files are gone, constantly update Java, and the Adobe products (from Adobe) and, so far, have not been hit - but it's probably only a matter of time.

Think about Norton's position. For months now, a significant number of paying customers have NOT been helped in ANY WAY by Norton employees and/or products - but ONLY by Forum volunteers using non-Norton, 3rd-party products.

Without these volunteers and products, customers would have been left high and dry. Damaged and exposed.

What is wrong with Norton?

Where are the highly-paid, experienced, expert employees who should be spearheading this effort?

What's happening here is far beyond anything that volunteers should be doing in a user Forum. Quads and the other volunteers who've been helping customers are true heroes - but they're doing Norton's job and have been for far too long. I sure hope Norton is giving them some sort of recognition...lifetime free subscriptions perhaps?

Is Norton no longer willing, able to, or capable of supporting its customers? Do they not have the skills, experience, resources, and knowledge to do this?

Suppose you were a decades-long customer of a premier car (Mercedes-Benz?) and your newest version suddenly became unable to protect you from known traffic dangers - but Mercedes was unwilling or unable to help and the only assistance you could get for months was from some volunteer owners and their only suggestion was to use parts from Toyota and Ford to try to fix the problems? How would you feel?

Questionable analogy since the government would probably step in and order a recall, but still....

g:

> Quads and the other volunteers who've been helping customers are true heroes

 

That's for sure.

 

> but they're doing Norton's job and have been for far too long

 

That's true.  Why is that happening? 

Why isn't there more information and support coming from Symantec, instead of volunteers?

 

> Where are the highly-paid, experienced, expert employees who should be spearheading this effort?

> Is Norton no longer willing, able to, or capable of supporting its customers?

> Do they not have the skills, experience, resources, and knowledge to do this?

 

Well, if you read the news, Symantec fired their CEO this week.

 

The article says that in their first fiscal quarter (second quarter of this calendar year) they earned _$1.7 Billion_ dollars.  In a quarter!

 

Maybe a little more resources could go into product development and support.

 

The current situation kind of reminds me of that Simon and Garfunkel song, Sounds of Silence.


joen wrote:

 

Well, if you read the news, Symantec fired their CEO this week.

 

The current situation kind of reminds me of that Simon and Garfunkel song, Sounds of Silence.



Wow, Symantec fired their CEO. That may be why we see the "Sounds of Silence". :smileysad:

I am also a long time NIS user. I have not been hit with any of these viruses or malware but am concerned with this outbreak described on this forum.  I am impressed with the good hearted volunteers who are helping the users with this problem. As mentioned in above comments, besides using good practices on the internet and your computer, is there anything else to be aware of or stay away from at this time to lessen the chance of getting infected with these viruses and malware?

Hi Kelly,

 

I'm JohnM and I work for Symantec Security Response. My team analyzes threats and adds protection updates, so for the purposes of this thread you can consider me the horse, or at least one of them. First of all, I'd like to thank you and your family for your continuous support of Norton through the years. You must surely have witnessed some major changes during that time.

 

I'll try to address your concerns as I understand them, your main points being how these trojans are getting onto people's computers, and whether or not Norton products are able to block them. FWIW, I believe your questions are reasonable and you are entirely justified in asking them. Discussions such as this go a long way to informing and educating people how to better protect their private information and that of their family.


NOTE: This post is fairly long as my main intent is to respond to the questions posed and attempt to educate people about the issue at hand (and I highly recommend you read the post in its entirety to better understand what you are dealing with) but if anyone is simply in a hurry to find out what they need to do to rescue their computer from a Trojan.ZeroAccess infection that just won't go away, skip to the bottom.

 

How do these threats get in?
Threats attempt to infect computers in a variety of ways, such as an email containing a malicious attachment, hidden inside a video available for download or viewing on the Internet, via an Internet website containing code that exploits a vulnerability in software installed on the computer (often referred to as a drive-by download), through P2P filesharing applications, over network shares if the computer is part of a local area network (LAN), and various other means. Reading this forum is actually a good way to learn how people got infected with Trojan.ZeroAccess. Recent examples I've seen are via P2P files, malicious videos and drive-by downloads but there are surely others.

 

Is Norton able to block them? 

In order to answer the question of whether Norton products detect them or not, we need to consider several different scenarios.

 

A. A threat that Norton is able to detect and block
Norton products are able to detect the vast majority of threats and prevent them from installing themselves onto the target computer. It doesn't matter how deeply a threat would embed itself in the operating system (OS) or what it would do once it got there if it can't get onto the computer in the first place. This is the ideal protection scenario and one that we at Symantec strive for 24 hours a day, 7 days a week.


B. A threat that Norton is unable to detect and block the installation of, but after a subsequent definitions update is able to effectively remove from the computer
There could be several reasons why a threat manages to install itself on a computer in the first place, but for argument's sake let's say the security product simply doesn't contain what is required to prevent that particular threat getting in at the time. It would be ideal if this were never the case and your antivirus blocked 100% of threats 100% of the time, but unfortunately that's not the reality of it. Some threats do manage to get in, and need to be removed after the fact.


C. A threat that Norton is unable to detect and block the installation of, and even after a subsequent definitions update is still not able to effectively remove from the computer
This is a fairly rare case, but it does exist. I believe this is the scenario that applies to some of the forum threads which prompted this particular thread. So, how does this happen and more importantly why can't Norton remove it?

 

ZeroAccess is a complex threat, obviously having required much time and skill to develop. There are different variants of ZeroAccess, but many of them have one thing in common - they overwrite critical operating system files, effectively replacing them with their own malicious version. Malicious, but designed to still fulfill the function of the original file it overwrote so that the computer can continue to work, albeit under the relative control of the malware creator. Because the system file or files are essential to the normal running of the computer, if Norton simply deletes them the computer will no longer function properly and may not even start after a reboot. In many cases Norton is able to recover the original file and put it back in place. But there are cases where the original file is not recoverable - it may have been deleted, corrupted or modified by the threat to the point where it no longer functions as intended - and needs to be restored from a known good backup. So rather than delete these malicious files and potentially render a computer unusable Norton brings them to the attention of the computer user, along with the recommendation that the files are restored manually. There are various means of doing this, usually involving either the Windows installation disk or some form of the Windows Recovery Console (XP) / System Recovery (Windows 7).

 

What is Trojan.Gen?

A quick note about Trojan.Gen and Trojan.Gen.2 detections. A detection with "Gen" in the name is what is known as a generic detection, written with the intention of catching a wider range of threats or variants of a threat family than a normal detection which has a specific name, such as Trojan.ZeroAccess. A Gen detection basically casts a wider net. So Gen detections sometimes catch 'specific' threats, without knowing exactly what that particular threat is. The Gen detection doesn't really care what the threat is, its goal is simply to stop it in its tracks. Now, when a user sees a Norton pop-up telling them "Auto-Protect blocked threats" or similar, only to see the exact same alert every time they start their computer, it can indeed be confusing. If we go back to our ZeroAccess example above where the threat overwrites critical system files we are able to see how this can happen. So in our scenario ZeroAccess has overwritten a critical start-up system file, which Norton is unable to restore for reasons outlined above. This malicious file runs at start-up, creates additional malicious files on the computer which Norton then blocks - hence the pop-up. But as Norton is unable to restore the critical system file which is causing the subsequent malicious files to be created, it happens every time the computer starts. In this scenario, the computer is safe - Norton has done its job of blocking the main threat. But until the critical system file is restored (manually, from a clean backup) the scenario will repeat itself. Annoying to say the very least.


So, what to do if you are unfortunate enough to get infected with one of these nasties that your Norton product is having trouble removing?

 

I got infected - what do I do now?
Firstly, you have my sympathy, as you have a bit of pain ahead of you but there isn't much that can be done about it at this point other than work through it. If you suspect the threat is Trojan.ZeroAccess the first thing is to download our Trojan.ZeroAccess Removal Tool and run it. If it removes the problem, you're in good shape. If it doesn't (for the reasons outlined in B above), try Norton Power Eraser. If that doesn't help, you still have options. You can either attempt to fix the problem yourself by following the manual removal instructions on our Trojan.ZeroAccess write-up, you can contact Norton Support, or you can ask for help via this forum or elsewhere.

 

Anyway, there's a fair bit there to digest, and I hope it all makes sense. Please know that we are continually working to prevent the pain and hassle our customers can experience when dealing with virus infections, but sometimes the solution is not quite as seamless or painless as we would like. Oh for that perfect world.

 

Thanks for listening.

 

JohnM

 

===============

 

Tips
Here are some recommendations for general computer use that should help avoid a disaster scenario.

 

Backup your data
It never ceases to amaze me how many people don't do this, and then regret it when it's suddenly gone forever. If you keep any information on your computer that would cause you grief in the event you lost it permanently, keep a regular copy of it somewhere else. Back it up to a separate hard drive or flash drive, or even better, online. Another good option is backing up to once-writable media (so it can't be inadvertently erased or overwritten) and keep it somewhere safe. It's insurance in the event your computer gets stolen, suffers a critical failure, or a nasty piece of malware renders it unrecoverable. These things can and do happen.

 

Ensure you have some form of a recovery disk
Back in the good old days before software piracy became a significant factor, new computers used to come with the operating system installation disk. But these days most don't, instead coming with a small hidden partition called the recovery partition which contains a copy of the operating system as it was when it was first installed. This recovery partition can then be used to repair the computer in the event that the operating system gets corrupted. It works well, but has one drawback. The recovery partition could also become corrupted. And while it's true that even a physical recovery disk could become unusable (e.g. if it gets scratched badly enough) having one is still useful as a second option to help recover from an OS failure or corruption.

 

Keep your security product definitions up-to-date
In fact, keep all your installed software up to date with latest updates, patches and security fixes. A lot of the problems computer users experience could be avoided by following this simple rule.

 

 

[edit: changed post per JohnM's request]
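
The repeat-alert pattern described in the post above (the same Gen detection blocked shortly after every start-up because a modified system file keeps recreating the dropped files), as an added example that is not part of the original post or any Symantec tool: a small log triage that flags detections recurring right after each boot. The log layout, the `Adware.Example` name, the paths and the function names are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log. The "time | event | threat | path" layout is a
# hypothetical format for this example, not Norton's real log format.
SAMPLE_LOG = """\
2012-07-20T08:01:10 | BOOT | - | -
2012-07-20T08:02:05 | BLOCKED | Trojan.Gen.2 | C:\\Users\\a\\AppData\\Local\\Temp\\x1.tmp
2012-07-20T19:30:00 | BLOCKED | Adware.Example | C:\\Downloads\\toolbar.exe
2012-07-21T07:55:00 | BOOT | - | -
2012-07-21T07:55:48 | BLOCKED | Trojan.Gen.2 | C:\\Users\\a\\AppData\\Local\\Temp\\x7.tmp
2012-07-22T09:10:00 | BOOT | - | -
2012-07-22T09:10:52 | BLOCKED | Trojan.Gen.2 | C:\\Windows\\Temp\\q3.tmp
"""


def parse(log_text):
    """Return sorted (timestamp, event, threat, path) tuples; skip bad lines."""
    events = []
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue  # malformed line
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # unparseable timestamp
        events.append((ts, parts[1], parts[2], parts[3]))
    return sorted(events)


def recurring_at_startup(events, window_s=300, min_boots=3):
    """Map threat name -> number of boots in which it was blocked soon after start.

    Grouping is by threat name, not file path: the dropped files change on
    every boot, while whatever recreates them stays in place.
    """
    boot_time = None
    boot_id = 0
    seen = defaultdict(set)  # threat name -> ids of boots where it appeared
    for ts, kind, threat, _path in events:
        if kind == "BOOT":
            boot_id += 1
            boot_time = ts
        elif kind == "BLOCKED" and boot_time is not None:
            if (ts - boot_time).total_seconds() <= window_s:
                seen[threat].add(boot_id)
    return {t: len(b) for t, b in seen.items() if len(b) >= min_boots}


if __name__ == "__main__":
    for threat, boots in recurring_at_startup(parse(SAMPLE_LOG)).items():
        print(f"{threat}: blocked shortly after {boots} separate boots; "
              "check for a modified start-up or system file")
```

A hit here only says the alert is a symptom of something that survives reboots; the file that keeps recreating the blocked items still has to be restored from a clean source as the post describes.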

I think we all need to digest JohnM's note for awhile as it seems to avoid or ignore the fact that volunteers such as Quads were and are doing the job that Norton should have been doing, and having to use non-Norton tools, for months. I'm not sure that "you can contact Norton Support, or you can ask for help via this forum or elsewhere" (whatever "elsewhere" means) is an appropriate response given the magnitude of the problem.

 

However, I strongly agree with one thing: Beyond all the updates, patches, file and driver checks I do, I also make a System Repair Disk at the end of every MS Patch Tuesday week for both of our desktops and our Netbook and keep at least the last six months of disks for each.

 

This may seem to be overkill (and be impractical for large environments),  but it might also save you a lot of pain and suffering if you haven't already been hit.