Symantec Please Speak Up About Rash of Trojans

Moved to own thread for better exposure.

Ok, I've just been informed that this part of my previous post is incorrect...

Be aware that if your antivirus subscription expires, your security product will still function and protect you from everything it knew about up to the point it stopped receiving updates, but may not protect you from any new threats that came into being AFTER that point in time.

I have to confess I've never had a subscription expire on me. Perks of the job ;) But a careless mistake on my part, and luckily the ever-watchful gurus caught it quickly.

AllenM, thanks. I'll ask the moderator to correct it in the actual post, but in the meantime would you mind adding a comment here with a bit of background to it?

Thanks again.

John,

Thank you for your very detailed and helpful reply. I can better understand what is going on now, and more importantly, why.

Yes, I've seen quite a few changes in Norton AV/NIS over the years, all for the better in my opinion.

Regards,

Kelly

JohnM wrote: "If you suspect the threat is Trojan.ZeroAccess the first thing is to download our Trojan.ZeroAccess Removal Tool and run it. If it removes the problem, you're in good shape. If it doesn't (for the reasons outlined in B above), try Norton Power Eraser. If that doesn't help, you still have options. You can either attempt to fix the problem yourself by following the manual removal instructions on our Trojan.ZeroAccess write-up, you can contact Norton Support, or you can ask for help via this forum or elsewhere."

After a little thought, here's an obvious question: Has anyone reading this had Norton Support fix their ZeroAccess/Trojan or other issues using the above mentioned tools and write-up, or have you done so yourself? Or do you know anyone who has?

Because if it's this simple and Norton Support and tools can help do it, then all of the time we're wasting on this Forum and all of Quads' time can be better spent.

Why do I think the answer is "no" - even though I would sure like to be wrong?

If it's not, then we need to cut through the corporate-speak and get back to Norton throwing the right resources at this issue, which is way beyond what the Forum volunteers should be dealing with.

JohnM is "the horse" - not sure what that means - but since he's on this thread, we should let him know if he's right or wrong.

We should try to get some visibility into the number of these issues resolved by Norton in some way vs. those handled by the Forum (read "Quads").

Don't use NPE or FixZeroaccess with these new variants from the last few days.

Quads

Hi garlen,

I believe Customer Support would put you in touch with the Paid Virus Removal Service, so no, I don't think they could help in this case.

Dave.

garlen,

JohnM's reference to being "the horse" unquestionably refers back to the comment I made at the top of the thread (my original post), when I said in effect it would be good to hear from the horse's mouth (read: Symantec) rather than forum users regarding the flurry of trojans and pleas for removal help that have appeared over the last month. (Yes, wordy sentence.)

Others (Quads, for example) certainly would have a better handle on the root cause. There are too many variables among users for Symantec or anyone else to give concrete answers. User habits, the sites they visit, attention to "best practice" security measures, and so on vary from person to person. Just a hunch, but I'm starting to think most of the recent trojan infections are self-inflicted. Let's face it, in this day and age with Win 7 or Vista in particular, if a user gets hit with malware, it's more likely than not that it's there because the user let it in (the old click-it-without-reading-and-thinking syndrome, accepting false Codec download prompts, etc.)

In any case, JohnM's response more than satisfies the questions I asked in the first place.

Thanks again, JohnM - and to Quads, for your tireless efforts coming to a lot of users' rescue.

I believe Quads is referring to some new variants that have appeared recently. They may be new ZeroAccess variants or they might be a different threat altogether, possibly even borrowing some of the code or techniques from ZeroAccess. Rest assured we are investigating, but it would definitely help that effort to get these newer samples submitted to us for investigation. If anyone has access to such samples, please don't hesitate to send me a PM and we can arrange a way for you to get them to us.

Quads, if you happen to have some of the newer samples you can provide, please follow the usual method. Your help is much appreciated as always.

Kelly, nice to see you back here, and thanks for acknowledging my post. It's good to know I was of some help. I hope to be of even more help as our work continues.

JohnM


JohnM wrote:

Ok, I've just been informed that this part of my previous post is incorrect...

Be aware that if your antivirus subscription expires, your security product will still function and protect you from everything it knew about up to the point it stopped receiving updates, but may not protect you from any new threats that came into being AFTER that point in time.

I have to confess I've never had a subscription expire on me. Perks of the job ;) But a careless mistake on my part, and luckily the ever-watchful gurus caught it quickly.

AllenM, thanks. I'll ask the moderator to correct it in the actual post, but in the meantime would you mind adding a comment here with a bit of background to it?

Thanks again.


Hi John,

That is very kind of you. :smileyhappy:

Some time in the past Norton would continue to operate with old definitions when the subscription expired, but this lulled a lot of users into a false sense of security that an out-of-date product was providing the proper protection that we all expect from Norton. But the reality is that an out-of-date product cannot possibly accomplish this goal, even though things like SONAR and other technologies really help... Though some protection with an out-of-date product is better than no protection at all, it is certainly no substitute for an up-to-date product.

Now when the Norton subscription expires, the product will cease to provide any protection at all. I've always believed this is the best choice because I for one do not want to be lulled into a false sense of security! :smileywink:

Allen

If you opened your Twitter account and found a tweet that said "It's you on photo?" or "It's about you?," would you click the link to check? According to Sophos, these tweets link to websites that redirect to sites hosting the Blackhole Exploit Kit. And as you can probably guess, Zeroaccess is often one of the payloads. This is an excellent example of how social engineering (falling for a trick), JavaScript (redirection) and an exploit pack (targeting unpatched, insecure software applications) can be combined into an effective attack against unwary users.

http://nakedsecurity.sophos.com/2012/07/27/outbreak-blackhole-malware-attack-spreading-on-twitter-using-its-you-on-photo-disguise/

Hello to all,

After reading carefully the text posted by JohnM, one thing is clear to me.

ZeroAccess malware writers are BY FAR better than Symantec's or other AV developers.

Maybe Symantec should consider hiring some of them to give a solution to this problem; otherwise I'm pretty sure that even after 2 or 3 years of investigations and NIS 2013, 14 or 15 the results will be the same.

If you are at the wrong place at the wrong time, ZeroAccess and its variants will gain control over your pc.

Conclusion: Everyone please back up your data, if possible format your pc every day to be 100% sure, and say a lot of prayers!!

I know this may sound negative, but according to JohnM's post we are not ready to see results soon, only investigations and investigations....

Also, I have one question: If you are hit by this malware, would a format be considered a 100% removal solution (by installing Windows with an installation disc or from a hidden partition), or even when the format is performed will some remnants of ZeroAccess say "hello" after the format is finished?

Thanks for any advice.

Kindest regards,

Hi,

Just a couple of comments. If the malware and virus developers wanted honest jobs I'm sure they would apply.

Reinstalling from the installation disk is not 100%. Some things have been known to slip past and remain to bite again.

Stay well and surf safe.

Dickevans,

Thank you for your comments.

If reinstalling from the installation disc is not a 100% solution, as you mentioned, what are the options left?

Throw the pc away or deal with a removalist like Quads?

Any alternatives? If there are some, could you please explain in detail (other than Norton removal tools)?

Many thanks.

Best,

 


dickevans wrote:

Hi,

Just a couple of comments. If the malware and virus developers wanted honest jobs I'm sure they would apply.

Reinstalling from the installation disk is not 100%. Some things have been known to slip past and remain to bite again.

Stay well and surf safe.


What malware can survive a reinstall from a system image? What about the malware giving people on the forum so much trouble now?

sandbox your browser www.sandboxie.com


Apostolos wrote:

After reading carefully the text posted by JohnM, one thing is clear to me.

ZeroAccess malware writers are BY FAR better than Symantec's or other AV developers.


Hi Apostolos,

The malware writers are not better. But malware writers always have an advantage, because AV products cannot provide an ironclad defense against a threat that they haven't yet seen. So the bad guys will tweak Zeroaccess to create a new, slightly altered sample, and test it against security products to make sure that it is not detectable prior to releasing it. Once it is released, AV vendors will quickly find it and create detection signatures that will protect users against it. Although modern techniques allow signatures to be put in place rapidly, in the interim the malware has the advantage. Thousands of new malware variants are released every day. This is why you will continually read here that no AV product can detect 100% of the threats in the wild. They all protect against the known threats, but with thousands of new threats to contend with daily, there are always some that have not yet been seen, and those are the ones that are able to evade detection.

JohnM

Trouble is, users are using the 2 tools. Mainly NPE looks like the problem, and with the new usermode variant of zeroaccess and services.exe one user had a BSOD on the restart twice (didn't learn the first time).

Others with the zeroaccess can have the combo, or have had the combo of zeroaccess and what looks like Boot.Pihar (or MaxSS). Norton can detect it as Boot.Pihar or Boot.Tidserv.

Problem: using NPE on what is not the old TDL4 (Tidserv) causes a non-booting Windows, as it is incorrectly dealt with as TDL4.

I have to use FRST to complete the removal / repair after NPE for the user to be able to have Windows correctly start up in Normal Mode, or both Normal and Safe Mode.

I have not tested any new zeroaccess droppers over the last few days as I am trying to keep up on the forum with the threads; feels like I am trying to climb Everest with all 4 legs.

Quads

Sorry, have to admit I had a chuckle at this in a new zeroaccess (services.exe) patch thread:

I just got off the chat with a Norton tech who was not able to help me with this issue. Then I saw that it is fixable.

Would someone please walk me through the process?

Thanks


Quads


car825 wrote:

dickevans wrote:

Hi,

Just a couple of comments. If the malware and virus developers wanted honest jobs I'm sure they would apply.

Reinstalling from the installation disk is not 100%. Some things have been known to slip past and remain to bite again.

Stay well and surf safe.


What malware can survive a reinstall from a system image? What about the malware giving people on the forum so much trouble now?


Does anyone know the answer to this? My system is clean, but I like knowing I can fix things with a full image copy restore. How confident should I be, in percentage terms, that this is true?

_______________________________________________________________________________________________

car825 wrote:

Does anyone know the answer to this? My system is clean, but I like knowing I can fix things with a full image copy restore. How confident should I be, in percentage terms, that this is true?

A full image copy restore should solve all of your problems except in the very, very rare instance where malware has infected the system BIOS, in which case the BIOS chip would almost certainly need to be replaced.

I would be 99.9999 confident. I hope I don't give anyone any ideas :smileylol: