Apology to Symantec

Clarence \(Lancy\) Howard · Mar 27, 2006

Hello all participants

A number of days ago I posted accusations that the software within the
Norton software suite, distributed by Symantec, was preventing me from
having access to data on a computer. I wish to inform everyone here that
this is not the case. I humbly appologise to Symantec for my error.

The situation is that, it is now myself that is denying the owner from
having access to the data. I have been in possession of the data and the
cabinet files for two days now. It is appropriate that I set the machine to
a working condition and return it to the owner.

Last night, I was asked by a participant in another newsgroup to provide a
chronology of what I had done while researching the problem. I had performed
so many actions that I had to go to my notes (okay, so I'm getting older and
sometimes can't remember what I went to the kitchen for, so I scribble down
what I do in a jotter). When typing out the chronology I found something
that I didn't notice as being significant at the time.

The following is fact: ------------------------

There is malicious software on the computer.

The malicious software is not a virus, it is a trojan.

The trojan entered the computer via a voluntary download by the user.

The trojan is specifically targeted at Norton products and tries to the
deceive the user into believing that the problem is being created by Norton
software (it certainly deceived me for a very long time).

The trojan progressively causes the system to behave incorrectly at ever
decreasing intervals.

The trojan then intereferes with the user's attempt to run the Norton
Uninstall procedure. When checking my notes, the first two stages of this
worked fine. Norton itself then found that there was a problem and,
correctly, refused to run the final Uninstall of the Utilities.

The code that produces the "Error, Nprotect.VxD not present .... Please run
SEVINST.EXE ..." is not Norton code. It does not even reside in any of the
Norton folders. This message box is produced by trojan code and is
counterfeiting a valid Norton error message.

The author of this software is an expert programmer who has taken great
care, and spent a considerable amount of time writing it.
-----------------------------------------
The following are reasonable assumptions: -----------

The author of the trojan is mature (over 30 years of age)

The mechanisms used would have greatest effect in Win98SE and WinME
environments.
-----------------------------------------
I was surprised to find that participants in the windowsme newsgroup were
all (not one person was in favour of using Norton) of the opinion that
Norton was "malware". Their references to the frequency of Uninstall
problems were just two many to be a coincidence. I'm of the opinion that
this trojan must have been causing problems throughout the world. The
effects of this are that Norton products are being perceived as being a lot
worse than what they are.

I can only speculate what the motives of the author are. The author has gone
to great lengths to do this.

Finally, I do not apologise for any ranting and raving that I have done
regarding Symantec's lack of support for their own customers. This is truly
appalling. If they want to maintain market share then this will have to be
improved.

Greg Miskelly

Clarence (Lancy) Howard
(e-mail address removed) (remove one of the 7s)

Noel Paton · Mar 27, 2006

Clarence (Lancy) Howard said:
Hello all participants

A number of days ago I posted accusations that the software within the
Norton software suite, distributed by Symantec, was preventing me from
having access to data on a computer. I wish to inform everyone here that
this is not the case. I humbly appologise to Symantec for my error.

<snip>

Greg/Lancy

Please DO NOT apologise to Symantec (and especially to Norton). They are
wholly responsible for their own ineptitude where Win ME is concerned.
I still doubt (but I may be wrong - wouldn't be the first time!) that your
problem was caused by a Trojan - and certainly many people's problems in the
ME group CANNOT be ascribed to such a Trojan (have you managed to find ANY
references to it? - links please!!).
Even assuming that the problem is as you describe - they should have had
some means to remove the infection (is there a dedicated cleaner
available? - link??) and should have publicised it widely.
Have you had the 'Trojan' you found analysed by the AV companies? - could
you send me a link to it - or the original infector??

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read on how to post messages to NG's

news.rcn.com · Mar 27, 2006

I am with Noel on this. I sincerely doubt that Symantec's response to
reinstallation of their product which makes them refuse to activate it if
you try to reinstall a product which doesn't work AND coincidentally refuse
you all support can be caused by anyone else's trojan. If I were wrong on
this and they did in fact care, one of their tens of thousands of employees
would be reading these postings and putting things right. This is simply one
company which couldn't care less in a big way.

Similarly I sincerely doubt that the problem they have which causes
ccapp.exe to crash which results in a MICROSOFT error message which says 'ha
ha , we know about this problem and we know it is caused by Symantec which
they also know about and which they can't cure' is malware. If it were,
Symantec would care about curing their problem with the malware or would put
a fix for it on their site as opposed to taking the strongest steps in the
industry to tell buyers of their products to get lost! (and refuse to
refund money on their products even within their own 60 day supposed refund
period!)

Frankster · Mar 27, 2006

The following is fact: ------------------------

There is malicious software on the computer.

The malicious software is not a virus, it is a trojan.

Why didn't you proivde a name?

-Frank

Clarence \(Lancy\) Howard · Mar 27, 2006

Hi Noel

Please forgive me for not forwarding that wordpad doc (I will finish it and
send send it as soon as I get the sick box up and running again). It was
actually your suggestion do write out a chronology that allowed me to make
sense of all of this. I had got two thirds of the way through and realised
from my own notes that Norton was not the problem.

Please DO NOT apologise to Symantec (and especially to Norton). They are
wholly responsible for their own ineptitude where Win ME is concerned.

If I accuse somebody in the wrong then I apologise. It is simply good
manners. In my opinion, ME and 98SE are more vulnerable to this trojan than
XP because of the amount of DOS based stuff there is in the startup process.

I still doubt (but I may be wrong - wouldn't be the first time!) that your
problem was caused by a Trojan .......

It is caused by a trojan

......... - and certainly many people's problems in the
ME group CANNOT be ascribed to such a Trojan (have you
managed to find ANY references to it? - links please!!).

I'm not stating categorically that the problems faced by Norton users
running ME are the result of trojan code. What I am saying is that this
machine was affected by it. I have found no references to such a trojan
anywhere.

Even assuming that the problem is as you describe - they should have had
some means to remove the infection (is there a dedicated cleaner
available? - link??) and should have publicised it widely.

Why should Norton already know about it?

Have you had the 'Trojan' you found analysed by the AV companies? - could
you send me a link to it - or the original infector??

I have not been able to capture the trojan (what do you think I've been
trying to do for the last three days?). I obviously do not have the
technical expertese to find it. I have tried, and tried to find it, but I
can't. What I can do though, is by process of illimination, work out what is
happening. Indeed, it was your suggestion for me to produce a chronology
that allowed me to do this. Take the counterfeit error message as an
example. When I look at it now, it's so obvious. The logo is fuzzy (a copy),
the font is wrong, the text just wraps (it is not nicely spaced out). It's a
fake. It's like seeing a pair of Nike trainers at a very low price on a
market stall. If you really look at them closely you realise that they are
not the real McCoy.

I am of the opinion that the user inadvertently downloaded a malwarez
version of a valid IT Security product, rather than the real thing. It is an
opinion, I cannot prove it.

Greg

Clarence (Lancy) Howard
(e-mail address removed) (remove one of the 7s)

Clarence \(Lancy\) Howard · Mar 27, 2006

Hello news

I am with Noel on this. I sincerely doubt that Symantec's response to
reinstallation of their product which makes them refuse to activate it if
you try to reinstall a product which doesn't work AND coincidentally refuse
you all support can be caused by anyone else's trojan.

I did not apologise to Norton about my views on their customer support. On
the contrary, I refuse to apologise about this. Their customer support is
pathetic.

....... If I were wrong on this and they did in fact care, one of their
tens of thousands of employees would be reading these postings and
putting things right. This is simply one company which couldn't care
less in a big way.

By putting things right, do you mean that a corporate decision should be
made to improve customer support? If that's the case then I agree with you,
whole heartedly.

Similarly I sincerely doubt that the problem they have which causes
ccapp.exe to crash which results in a MICROSOFT error message
which says 'ha ha , we know about this problem and we know it is
caused by Symantec which they also know about and which they
can't cure' is malware. .......

I do not know about this. I'm sure you are probably right though. I do not
run any kind of security software whatsoever on my own machine. I make
regular backups and do a reinstall periodically. Keeps the machine tidy.
Therefore, I have no reason to keep up to date about such matters.

..... If it were, Symantec would care about curing their problem
with the malware or would put a fix for it on their site as opposed
to taking the strongest steps in the industry to tell buyers of their
products to get lost! (and refuse to refund money on their products
even within their own 60 day supposed refund period!)

Again, I sympathise with your thoughts on this matter. I'm sure you are
correct. Nevertheless, I have no reason to believe that Symantec even know
about the problem I was having. Therefore, I can not accuse them of
negligently ignoring the problem. I have to admit that I was, and still am,
really pissed off by the fact that they just ignored me when I needed help.

Greg

Clarence (Lancy) Howard
(e-mail address removed) (remove one of the 7s)

Clarence \(Lancy\) Howard · Mar 27, 2006

Hello Frank

Why didn't you proivde a name?

Having struggled with this for coming on nine days it is obvious that I do
not have the technical expertese to capture or identify this trojan.

Greg

Clarence (Lancy) Howard
(e-mail address removed) (remove one of the 7s)

news.rcn.com · Mar 27, 2006

By putting things right, do you mean that a corporate decision should be
made to improve customer support? If that's the case then I agree with
you,
whole heartedly.

Someone advised them long ago that you can easily fool the american public
into thinking that you are giving support by awarding yourselves lots of
anonymous awards for how extrarodinarily good your support is and they
advised them that people will believe it if you put it enough references to
it on every page of your web site.

.. I have to admit that I was, and still am,

really pissed off by the fact that they just ignored me when I needed
help.

They seem to have acknowledged long ago that they cannot compete with the
others in selling their products to users and concentrate on selling it to
manufacturers. I suppose this is a good thing as it leaves the field open
to (apparently) really good anti-virus programs like AVG, trend micro,
nod32 etc to flourish, etc

But this was why they discontinued their support and now couldnt care less
about users when they cant fix problems their products cause.

Ron Lopshire · Mar 27, 2006

Clarence said:
A number of days ago I posted accusations that the software within the
Norton software suite, distributed by Symantec, was preventing me from
having access to data on a computer. I wish to inform everyone here that
this is not the case. I humbly appologise to Symantec for my error.

(...)

The following is fact: ------------------------

There is malicious software on the computer.

The malicious software is not a virus, it is a trojan.

The trojan entered the computer via a voluntary download by the user.

The trojan is specifically targeted at Norton products and tries to the
deceive the user into believing that the problem is being created by Norton
software (it certainly deceived me for a very long time).

The trojan progressively causes the system to behave incorrectly at ever
decreasing intervals.

The trojan then intereferes with the user's attempt to run the Norton
Uninstall procedure. When checking my notes, the first two stages of this
worked fine. Norton itself then found that there was a problem and,
correctly, refused to run the final Uninstall of the Utilities.

The code that produces the "Error, Nprotect.VxD not present .... Please run
SEVINST.EXE ..." is not Norton code. It does not even reside in any of the
Norton folders. This message box is produced by trojan code and is
counterfeiting a valid Norton error message.

The author of this software is an expert programmer who has taken great
care, and spent a considerable amount of time writing it.
-----------------------------------------
The following are reasonable assumptions: -----------

The author of the trojan is mature (over 30 years of age)

The mechanisms used would have greatest effect in Win98SE and WinME
environments.
-----------------------------------------

Lancy,

1) On what do you base your facts?
2) On what do you base your assumptions?
3) Symantec is annoying enough without being falsely accused. <g>
4) Do you have worms?

Searching Virus List for "Nprotect.VxD"

Email-Worm.Win32.Bagle.z (KL)
(http://www.viruslist.com/en/viruses/encyclopedia?virusid=49958)

Email-Worm.Win32.Zafi.a (KL)
(http://www.viruslist.com/en/viruses/encyclopedia?virusid=57484)

Both are Internet worms spread through an infected email attachment,
and both attempt to protect themselves by interfering with resident AV
(anti-worm, anti-trojan) applications. Also, once infected, the Bagle
worm propagates by among other means looking for P2P files, and
harvesting email addresses.

Do some Googling and see what you come up with for removing this crap.
If you do indeed have worms, post back and Dave and/or some of the
other Gurus can help you get rid of it.

Ron

David W. Hodgins · Mar 27, 2006

Having struggled with this for coming on nine days it is obvious that I do
not have the technical expertese to capture or identify this trojan.

It seems most likely to be a boot virus/trogan/whatever. If you haven't
already restored the mbr, could you download a copy of mbrwork from
http://www.devhood.com/Tools/tool_details.aspx?tool_id=749
Unzip the file and run the program (booted from a clean dos boot disk),
make a backup of the first track, zip it, and send a copy to me via
email.

Note that It's generally not a good idea to send malware to people
asking for copies. It's best to submit samples to websites such
as www.virustotal.com.

In this case, unless you understand how to extract the boot code from
the mbr, I think an exception is reasonable. See my sig for the change
to my email address, to send to.

Regards, Dave Hodgins

woody · Mar 28, 2006

Having struggled with this for coming on nine days it is obvious that I do

not have the technical expertese to capture or identify this trojan.

bollocks greg.

are you trying to tell me that you havn't got a dump of

1) the contents of the cmos
2) the contents of the dos ram area and high memory area
3) the contents of the absolute zero sector
4) the contents of the mbr
5) the contents of both the fats
6) other relevant information

i know you too long for that

-woody-

Noel Paton · Mar 28, 2006

Clarence (Lancy) Howard said:
Hi Noel

Please forgive me for not forwarding that wordpad doc (I will finish it
and
send send it as soon as I get the sick box up and running again). It was
actually your suggestion do write out a chronology that allowed me to make
sense of all of this. I had got two thirds of the way through and realised
from my own notes that Norton was not the problem.

No problem, Lancy - whenever you're ready

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read on how to post messages to NG's

James Egan · Mar 28, 2006

No problem, Lancy - whenever you're ready

Remember what happened with that full house last time, Kid.

Noel Paton · Mar 28, 2006

James Egan said:
Remember what happened with that full house last time, Kid.

Yeah - but there were two Ace of Spades in the pack!

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read on how to post messages to NG's

Guest · Mar 29, 2006

X-No-Archive: yes

Apology to Symantec? Not me. They have cost me a lot of wasted time.
Personally, I don't like their products.

Apology to Symantec

Clarence \(Lancy\) Howard

Noel Paton

news.rcn.com

Frankster

Clarence \(Lancy\) Howard

Clarence \(Lancy\) Howard

Clarence \(Lancy\) Howard

news.rcn.com

Ron Lopshire

David W. Hodgins

woody

Noel Paton

James Egan

Noel Paton

Guest