If you are seeing these popups, your system is *Infected*, not *Protected*.
This attack began on two machines in my office almost simultaneously. Both systems run Norton Internet Security.
Popups began appearing stating that a Trojan.Poweliks had been blocked. Then popups started appearing saying Trojan.Adclicker had been blocked. Finally, CPU warnings began to pop for "COM Surrogate".
A full Norton system scan revealed nothing. Norton Power Eraser revealed nothing. Clearly there was an issue.
I connected to Norton support and allowed a tech to access my machine. I posted the complete conversation elsewhere, but for simplicity here are the key points.
I showed him the alerts on screen and he replied to my concerns with:
3:28 PM Norton Tech: As you can see, it is blocked by Norton.
3:28 PM Me: so the alert is named "System Infected" but the system is not infected?
3:28 PM Norton Tech: Yes, your system is totally safe.
This is not the case.
I probed about the COM Surrogate instances, and was told:
3:44 PM Me: okay, so I am 100% clear - Norton didn't block this and can't fix it.
3:45 PM Me: i mean, it blocks the outgoing connection attempts, but didn't stop the infection.
3:45 PM Norton Tech: This may be damaged or infected but Norton is blocking the connection so that means you are safe.
Still skeptical, I began monitoring connections in the command window using Netstat -b (this displays all connections and the program source). As soon as another Norton popup appeared advising me that first Trojan.Poweliks was blocked, then quickly after that, saying that Trojan.Adclicker was blocked, multiple instances of COM Surrogate lit up in the Task Manager and hundreds of connections were established. Looking at the IPs and references to domains in the list, it looks like connections and 'click' instances were being created to create click fraud, the purpose of the Adclicker Trojan.
Just a few snippets; the command window was literally scrolling at full speed, non-stop:
TCP 192.168.1.7:58675 195.2.240.79:http SYN_SENT
[dllhost.exe]
TCP 192.168.1.7:58679 8.30.11.13:http ESTABLISHED
Can not obtain ownership information
TCP 192.168.1.7:58680 199.233.57.10:http ESTABLISHED
Can not obtain ownership information
TCP 192.168.1.7:58681 199.233.57.10:http ESTABLISHED
Can not obtain ownership information
TCP 192.168.1.7:58682 66.45.56.124:http CLOSE_WAIT
[System]
TCP 192.168.1.7:58688 69.172.216.58:http ESTABLISHED
[System]
TCP 192.168.1.7:60981 yk-in-f102:http ESTABLISHED
Can not obtain ownership information
TCP 192.168.1.7:60982 atl14s08-in-f30:https ESTABLISHED
Can not obtain ownership information
TCP 192.168.1.7:60983 64.71.187.126:http ESTABLISHED
Can not obtain ownership information
TCP 192.168.1.7:60984 64.71.187.126:http ESTABLISHED
Can not obtain ownership information
TCP 192.168.1.7:60985 108-61-42-10:http ESTABLISHED
Can not obtain ownership information
TCP 192.168.1.7:60986 66.155.21.187:http TIME_WAIT
TCP 192.168.1.7:60987 64.71.187.126:http ESTABLISHED
Can not obtain ownership information
Etc.
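The pattern in the listing above (a burst of outbound HTTP connections owned by dllhost.exe, the COM Surrogate host) can be checked with a script rather than by eye. The following Python is an added example, not part of the original post: it parses constructed sample lines laid out like netstat -b output (a TCP line followed by either a [process] line or "Can not obtain ownership information") and flags any owning process that is talking to more distinct remote hosts than an assumed threshold.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Windows `netstat -b` output.
# Addresses are copied from the listing in the post; the pairing of
# lines with owners is illustrative.
SAMPLE_NETSTAT = """\
  TCP    192.168.1.7:58675      195.2.240.79:http      SYN_SENT
 [dllhost.exe]
  TCP    192.168.1.7:58679      8.30.11.13:http        ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58682      66.45.56.124:http      CLOSE_WAIT
 [System]
  TCP    192.168.1.7:60983      64.71.187.126:http     ESTABLISHED
 [dllhost.exe]
  TCP    192.168.1.7:60984      64.71.187.126:http     ESTABLISHED
 [dllhost.exe]
  TCP    192.168.1.7:60985      108-61-42-10:http      ESTABLISHED
 [dllhost.exe]
"""

# A connection line: proto, local, remote, optional state (UDP has none).
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
# The owner line netstat -b prints under a connection, e.g. " [dllhost.exe]".
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

def parse_netstat(text):
    """Parse netstat -b text into dicts; owner stays 'unknown' when netstat
    reports that it cannot obtain ownership information."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state = m.groups()
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state or "", "owner": "unknown"})
        elif conns:
            o = OWNER_RE.match(line)
            if o:
                conns[-1]["owner"] = o.group(1)
    return conns

def remote_hosts_by_owner(conns):
    """Map each owning process to the set of distinct remote hosts it
    has outbound TCP connections to (listening sockets are ignored)."""
    hosts = defaultdict(set)
    for c in conns:
        if c["proto"] != "TCP" or c["state"] in ("LISTENING", ""):
            continue
        hosts[c["owner"]].add(c["remote"].rsplit(":", 1)[0])
    return hosts

def flag_fanout(conns, threshold=3):
    """Return {owner: host_count} for owners at or above the threshold.
    The threshold is an assumed value; tune it to the host's normal baseline."""
    return {o: len(h) for o, h in remote_hosts_by_owner(conns).items()
            if len(h) >= threshold}
```

On a live machine the same functions can be fed the text of `netstat -b` run from an elevated prompt, since ownership lookup needs administrator rights.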
I'm appalled that a Norton tech would advise that the system is protected, after being connected to the machine and having an opportunity to look at all aspects of the issue, when clearly it is not.
I'm also not sure how NIS could notice one potential connection attempt and yet not pick up at all on hundreds occurring in a matter of minutes.
Be advised: if you are seeing these popups, your system is most definitely infected. I have tried one very aggressive removal procedure and thus far the machine seems clear, but since the method of system infection was not obvious, I'm waiting to see if re-infection occurs through some unknown system exploit.