Norton AntiVirus disabled after removing password stealer threat

Bill Sanderson

System Restore is a good way to recover the Norton/Symantec functionality
lost in this incident. I don't know how many different versions of the
software are involved, or how the registry entries might differ between
versions.

Guest

So this exact scenario occurred in my case; it wasn't until a friend pointed
out the article in the Washington Post that I became aware of the error. As
a result of the removal of NAV I became infected with a different virus,
which I am endeavoring to remove. Once I have accomplished this, how do I
get the registry corrected from the errant changes and removals by MSFT AS
Beta?

While I am fully aware of the personal responsibility we all have with
respect to our own internet and computer security, one would like to think
that the software we earnestly employ to keep ourselves protected does not
become the vehicle through which we make our computer unsafe.

I appreciate any advice on how to correct the registry changes, thanks!
 
Guest

To test this I installed Windows XP SP2 on a bare drive, installed Norton AV
Corporate version 10, and then installed Microsoft Anti-spyware on 2/11 at
10:30PM PT (defs 5807) and ran multiple scans. It did not detect Norton as a
threat. My Norton virus def files are: 2/11/2006 rev. 4.
Don't know why the different results, just FYI. :)
 
Bill Sanderson

I agree with your thoughts--it is an unfortunate truth that any software
which handles binary data from the outside world entails a security risk,
and both Symantec's products and Microsoft's have amply demonstrated that in
the past.

The best fix to get NAV/SAV working again is either:

1) use System Restore to return to a restore point before midnight Thursday.
This may fix your virus problem as well.

If that is not available to you--say, Windows 2000--the next best is to use
the original Symantec/Norton media to uninstall and reinstall the product.

If you don't have that media immediately available, using manual uninstall
instructions provided by Symantec at their web site for your product and
version--or an automated tool, if available--would be next.

What Symantec/Norton product is involved?
What version of Windows?

Microsoft resolved the false positive with definitions 5807 at about 3 PM
U.S. Eastern standard time on Friday. If you have Microsoft Antispyware
installed, go to Help, about, and see what definition version is noted. If
it states 5807, please also hit the diagnostics button, and see whether you
see 160/160 at the end of one of the lines. If that's the case, the false
positive should be fully resolved, and you can concentrate on getting NAV
going again.

Microsoft provides free help for Windows users with virus infection or
security-patch related issues. In the U.S. or Canada, dial 1-866-pcsafety.
Elsewhere, call your local Microsoft Subsidiary, or the number for paid help
in your locale, and ask for the free help with the above mentioned issues.


Bill Sanderson

The false positive was found in the 5805 definition files, which were
available from sometime in the early morning--2-3 am, on Friday (US Eastern
standard time) until approximately 3 PM on Friday, when they were replaced
by 5807.

So--you tested with 5807 and got the expected result--which is good!
 
Guest

This is no glitch in the code. It's another example of Microsoft nuking its
rivals. Remember Netscape?

When are you guys going to get a clue and stop supporting this monopoly and
its predatory business practices?
 
Guest

I had issues re-installing or un-installing for that matter, even after
updating the spyware software. Here is how it was resolved:

1) run Symantec's SymNRT.exe
(http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039)

2) run Windows Installer Cleanup - (msicuu2.exe,
http://support.microsoft.com/?scid=kb;en-us;290301 )

3) Shut down the anti-spyware software (not sure if this actually did anything,
but can't hurt)
4) Re-install Symantec
5) Enable Anti-Spyware Software

Now everything seems to be working, and the Bancos item is now ignored when
doing a Spyware scan.
 
Bill Sanderson

Thanks for letting us know what worked.

I would recommend that you:

1) Make a careful check that Microsoft Antispyware has been updated to
definition set 5807.

In Microsoft Antispyware, do File, Check for update. Then go to Help,
about, and press the diagnostics button. Look for a line ending in 160/160.
If you see this line, I believe you are updated.

2) I would then check at Options, Settings, and click on Spyware Scan in the
left column. Make sure that PWS.Bancos.a is not set to be "always ignored."
There is, in fact, a real threat by this name, and you don't want to be
excluding it from detection.
 
Guest

Hi,

I have the following email from Microsoft:

"Microsoft and Symantec have worked jointly on an automated tool to repair
installations of Symantec's software that were affected by this issue. This
tool is available at no charge from Symantec Product Support Services."

Does anybody know where this tool is located on the Symantec website? I've
been searching for a while and haven't found it.

Thanks
 
Bill Sanderson

You need to call Symantec support to obtain the tool. This call shouldn't
cost you.

Guest

I have Symantec AV 10.0 and I got this message when I did my Windows
"Express" updates for Win2k.
 
Bill Sanderson

Interesting. This is a different alert than the others that I've seen cited
in these groups from this feature. Have you done any further checking to
see whether all updates succeeded? Checking with MBSA 2.0, or just
re-running WindowsUpdate, and also checking whether the Windows Defender
signatures are the same as other machines would be what I'd want to check.


Guest

I tried an update on a different computer. THIS is the update that tried to
kill SAV. Does that compare to the issues with NAV?

- Security Update for Windows Media Player Plug-in (KB911564)
- Date last published: 2/14/2006
- Download size: 597 KB
- A security issue has been identified that could allow an attacker to remotely compromise your Windows-based system using the Windows Media Player Plug-in and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
- System Requirements
- Recommended CPU: Not specified.
- Recommended memory: Not specified.
- Recommended hard disk space: Not specified.
- How to Uninstall
- This software update can be removed via Add or Remove Programs in Control Panel.
 
Bill Sanderson

What you are seeing is not related at all to the issue between Microsoft
Antispyware beta1, build 701, with definition set 5805, and Symantec
Corporate Edition antivirus.

In that case, the Antispyware identified a number of registry entries as
PWS.Bancos.a which were, in fact, those of Symantec Antivirus.

Removing the "threat" by removing these entries damaged the antivirus.

You are seeing alerts from an optional "tamper protection" feature in SAV
10. Others in these groups have also seen such alerts from actions taken by
Windows Defender.

There's no evidence that either the patch you reference, or Windows
Defender, are intentionally interfering with Symantec Antivirus.

I'd recommend seeking an explanation of these messages from Symantec's
support--they are the ones who should understand what is happening.

 
Guest

Is everyone talking about infostealer.gampass and/or downloader?

If so, let me give you my experience...
The virus came from bellsouth.net, my internet provider. It started with
ZT0616[1].exe and started to load many, many programs.

I use Norton 360 so I called them. The free support could offer no help.
Instead, they asked me to go to the Premium Anti Virus Service for $99. I
called and 3 different technicians tried for a total of 12 hours and they
could not get the virus off the machine.

Went to Best Buy and one of the Geeks told me to restore my system -- I have
an HP and the disks were provided. Did, and it worked fine for 3 days until I
used one of my data files. It's back!!!

One thing I can tell you: it takes hold of Explorer and does not allow me to
see or reset the file view option to show hidden files.

If anyone can help, I surely would appreciate it.

PS. No two systems are affected the same way...
 
Guest

WOW! wow wow!.... Please, tell me how did you get rid of Norton from the
Registry???.... I apologise for asking for help instead of conversely giving
it, but I couldn't help you even if I tried, but I'd really like to know
about those creeps, corrupted to the core.


stillmind
 
Guest

Gary, could you tell me if you got Norton out of your registry as well?
....and if so, how?
 
Bill Sanderson

Whew--blast from the past indeed. I was about to go looking for the phone
numbers and IM aliases of anybody I could find to yell False Positive....