Domain: symantec.com
Stories and comments across the archive that link to symantec.com.
Comments · 1,115
-
Re:Discussion Link
Symantec has removal tools for their software, it's one of the few things that they've managed to do right.
http://service1.symantec.com/SUPPORT/nip.nsf/docid/2001090510510636 for Norton Internet Security 2003 and prior.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039 for NIS 2004 and later versions. -
Nice!
By combining anti-virus scans, anti-spyware scans, and firewall protection into a single package, Microsoft thinks they've created something fresh. So fresh they're charging an annual fee of $49.99 per year.
Sounds like Symantec's 'Norton Internet Security' package except cheaper. I bet this will come pre-installed on Vista with a nag screen asking you to "Activate this essential service for only....". It will of course kill off a lot of security firms that have hitherto made a living off keeping vermin out of Windows but at least it is nice to see that Apple is not the only company willing to pull that sort of a stunt. Oh well, at least Apple is not charging its customers for the privilege of being made safe from the design flaws of its own Operating System, they charge for all sorts of other things but not that. -
In Vitro Virus (was:IT'S NOT A WORM!)
Please spoo into this test tube, sir, while ma'am lies back waiting for the turkey baster. Pay no attention to the highly educated and trained staff, supported by millions of dollars worth of complicated medical equipment who will perform magic behind the curtain.
This "email worm" is more like a virus than a worm. It doesn't exploit an automatic execution hole in a popular email package, and thus it requires a user to execute the malware for it upon receipt of the email. This is social engineering, and purists can argue that it's a virus, not a worm. It doesn't self replicate, unless expensive medical intervention (in vitro fertilization) is also self-replication. (Note that this effort with respect to the malware requires only a modestly educated and trained person with a five hundred dollar PC to help execute the virus to steal or otherwise wreak havoc on valuable data, rather than a highly skilled staff with millions of dollars worth of equipment.)
Well, in some circumstances it might self replicate. Symantec's description indicates that it attempts automatic propagation (including execution) using Windows C$ and Admin shares. This probably works in some LAN environments.
Like so many other bits of malware, it sports a mixture of virus-like and worm-like features (although not many worm-like features in this instance). Many other bits of malware last year routinely arrived in an email and then, once activated by a single user behind the company firewall, began probing the network to exploit one or more wormable holes. -
Re:You're a moron.
Dumbass, you only read ONE link. Even then, you even then only read HALF of the fucking page. Scroll further down, tool. In fact, you didn't even bother looking at the Symantec link (first one) so I'm going to repost it for you, since it gives the specific facts and pieces of info. You must've not read my entire post for that matter, or you'd have seen the Symantec link from the fucking beginning. So here, for your pleasure, is the link again.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/1999041209131106 Read, enjoy, and go back to preschool for making yourself look like a crackhead on the internet, and giving everyone here a good laugh.
You know why I blast the editors? BECAUSE THEY SHOULD BE TECHNICALLY KNOWLEDGEABLE ENOUGH TO UNDERSTAND THE FUCKING DIFFERENCE IF THEY'RE GOING TO PUT ARTICLES ON THE FRONT FUCKING PAGE, AND GET IT WORDED PROPERLY! Is it too hard, in a world where education has taken a back seat, that we at least try to preserve the shattered remains of the integrity of our fouled and abused language, at least WRITTEN LANGUAGE? You want to look in a class history book in ten years and read somewhere in a paragraph, "OMFG, hitler was such a n00b. He k1ll3d so many J3ws and then got his @$$ pwnt," or would you rather prefer something intelligible, like "Hitler was a German dictator that killed millions of innocent Jewish people, solely because of their ethnicity and religion?"
Tool. -
check out the deinstallation procedures for CE 8.
http://service1.symantec.com/SUPPORT/ent-security.nsf/6fffc7260966992188256bf300818635/40814e0bdb4a52d188256c130072ca45?OpenDocument&src=bar_sch_nam&seg=hm
This takes a little while, e.g. try searching for one of the numeric strings on a production server's registry. I have spent hours recently uninstalling 7.5, 7.6 and 8 client and server editions and it is a pain in the ass.
If it wants your custom installer package to deinstall itself and can't find it (dumped onto a temporary directory on a long ago cloned master) then your outlook is effectively: "you are screwed, use slow drawn out uninstallation process"
This is great but when you find you actually have components installed like parts of the SSC installed combined with fragments of NAV 7.5 server complete with AMS etc overlaid with the CE 8 client then it really starts to suck. -
Might this be..
a bundling of Symantec's Systemworks and Symantec's Internet Security?
If it is, I didn't trust either of them in the old-days of Windows XP. Both are bloatware that take up too much memory and processing power. And as recent news has demonstrated, Symantec doesn't have a good track record in terms of actually fending off against viruses. They seem more in the interest of keeping themselves alive than doing any good. (Ghost debacle with SpyBot?) -
Re:Sign me up $$$
Well, you can always get Norton AntiVirus...
-
You're a moron.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/1999041209131106
Care to argue with Symantec on the definition?
How the hell did My above post get modded 'troll' anyways? There's your proof. Oh, need more proof?
How... http://www.webopedia.com/DidYouKnow/Internet/2004/virus.asp
About... http://www.computer-lynx.com/a-virus-or-worm.htm
THIS??? http://expertanswercenter.techtarget.com/eac/knowledgebaseAnswer/0,295199,sid63_gci980535,00.html
Someone needs to go back to computer pre-school. I knew the difference in those 15 years ago, when I was 8. Tool. -
CME-24 aliases, information, and removal tools
Here's how to know the difference between a money-making press release, and an honest story: The press release says "Fear, fear, fear!!!"
The honest story gives you links to tools for eliminating the threat: You can run this tool: W32.Blackmal@mm Removal Tool, which apparently removes all variants of the worm.
Here are manual instructions: WORM_GREW.A, Also known as: CME-24
Here is the list of names of the CME-24 worm, and links to removal methods: CME-24 aliases, information, and removal tools. -
Re:Great reporting, CNN
"As much as I appreciate the warning, hints on HOW to know if you're infected would have certainly helped."
As much as I appreciate your comment, hints on HOW to know if you're infected would have certainly helped.
So I don't get the same response to this comment, here's some links to Nyxem/Karma Sutra/MyWife (Whatever you wanna call it) removal:
- Symantec
- McAfee
Haydn. -
Trial/free anti-virus that remove Win32/MyWife
Hello,
A bit of searching came up with the following free or trial versions of anti-virus programs which are capable of detecting and removing Win32/MyWife (née CME-24):
Alwil - Avast! 4 Home Edition (free for personal non-commercial use)
ESET - NOD32 trial version (30-day evaluation)
Grisoft - AVG Free Edition (free for personal non-commercial use)
Kaspersky Lab - Anti-Virus Personal 5.0 (30-day evaluation)
McAfee - VirusScan (30-day evaluation)
Microsoft - Windows Malicious Software Removal Tool (KB890830) (free)
Panda - Titanium Antivirus 2006 (30-day evaluation)
Sophos - Anti-Virus (30-day evaluation)
Symantec - W32.Blackmal@mm Removal Tool (free)
Trend Micro - PC-cillin Trial Version (30-day evaluation)
I'm certain other readers will look up and post links to additional vendors, too. Ob-disclaimer: I happen to work for one of the companies listed above, so there.
Regards,
Aryeh Goretsky -
A few more facts to throw water on the fire
- Despite the eagerness to imply that this is something roaming the net randomly looking for computers to infect, it's pretty much your run-of-the-mill e-mail worm that actively requires opening an executable (.scr) attachment to infect a system. Under normal circumstances (i.e., without the free opportunity to bash Microsoft attached), how many IT pros would say that anyone opening a random attachment e-mailed to them deserved what they got?
- McAfee rates this one as low-risk for both home and corporate users.
- Symantec gives it a run-of-the-mill threat assessment (low geographical distribution, easy containment).
AFAICT this is as run-of-the-mill as virus threats get, and I'm grateful that MS is maintaining a level of software discipline and not jumping all over themselves to instantly respond to every stupid little worm that crosses the net. I'd much rather see meaningful updates once a month than frantic, possibly-buggy scramble fixes three times a week. -
Re:Are the systems identical?
You can use a program called Ghostwalker that comes with Ghost Corporate 2003 to change a computer's SID after the disk image is loaded.
-
Re:Are the systems identical?
I can respond to this authoritatively.
According to Symantec, you require a license for every computer DEPLOYED with Ghost, regardless of how it happens. (through the console, ghost/multicast, an image from a hard drive, or a drive-to-drive transfer)
I LOVE ghost, and I've been using it since v3.xx (when it was owned by a company named Binary Research) for doing hard drive upgrades. I really wish Symantec would pull their head out of their *** and sell me some sort of "technician license", where for $900 I can use it on as many computers as I want - because I can't afford to have a $25 license disappear every time I use it on a client's machine in the shop!
Here are some sources you can read to confirm what I'm saying:
http://service1.symantec.com/SUPPORT/ghost.nsf/d87bb6ce0bde286d88256d6a00452701/71b757789120db828025701500716e86?OpenDocument&prod=Symantec%20Ghost%20Solution%20Suite&ver=1.0&src=ent&pcode=sym_ghost_suite&dtype=corp&svy=&prev=&miniver=sym_ghost_suite_1
http://service1.symantec.com/SUPPORT/ghost.nsf/docid/2001031312251025?Open&src=ent&docid=2001032210294225&nsf=ghost.nsf&view=d87bb6ce0bde286d88256d6a00452701&dtype=corp&prod=Symantec%20Ghost%20Solution%20Suite&ver=1.0&osv=&osv_lvl=&seg=
(Note at the bottom of this particular page:)
Note: You are allowed to install the Ghost console numerous times, however, you must keep track of the total number of licenses used. This includes all clients managed by any console of a given version, plus all copies made with boot disks. -
tools
-
Well....
-
Gee, Brain. What do you want to do tonight?
The same thing we do every night, Pinky, try to infect the world!
-
Re:This is year 12 of me using Linux
I've had and maintained Windows boxes fairly constantly for the last 15 years, and to date the only Windows virus I've had problems with was CIH (aka Chernobyl). That was pretty bad though, a completely busted hard drive.
The only other virus to penetrate my defences was stoned.angelina, back in the DOS days. Don't think I even had a virus scanner back then. -
Changing with the times
Disclaimer: I work on the security team for a rather large (Fortune 5) corporation.
I would say, compare the environment of the public internet to how it was ten years ago. Would you place your unpatched Windows machine directly on the public internet now? You have (roughly) ten minutes before another infected machine exploits one of the dozen out-of-the-box vulnerabilities that will allow them to run anything it wants on your PC. Not the case ten years ago.
Unfortunately, what was once a rather quiet suburb filled with geeks posting to Usenet and using Mosaic is now a post-nuclear, disease filled demilitarized zone where so many infected systems simply sit and try to infect others that a defenseless machine (or a network of them) is doomed.
Trying to manage security in this environment is a much more difficult job than it ever has been, and every month that goes by makes it more difficult. We shudder on the second Tuesday of every month at what new terrifying vulnerability Microsoft will tell us is in their product that's deployed on a hundred thousand machines on our network. We plead with other IT teams (networking, server admins, client admins) to implement our tools and software and protect the environment, but most of them get pushed to the back burner, either because it's "too invasive", i.e. it annoys the end user too much; or it costs too much; or they just don't have the time.
Then MS05-039 is released. We plead and plead for the patches to be distributed right away because of how severe the threat is. But users like the submitter can't stand to have their PC rebooted unless it's the absolute perfect time. Plus, we have 1700+ applications to test compatibility with the patch on, on hundreds of different PC environments. And it requires a service pack we don't have deployed everywhere, again, because it's too invasive.
Then Zotob.E gets into the environment, and shuts down large sites in a matter of minutes. Then people scream even louder! Where is security? Why didn't they prevent this?
Because no one takes security seriously until it's too late.
From a security admin's perspective, we never have enough resources or management support to fully defend against even the most prevalent threats. Because security (and, as most admins know, IT in general) is underfunded. Because of (very real) scenarios like I described above, we have much more support than we did, and things are improving.
I guess my point is, step into our shoes for a few days. We don't enjoy being draconian - we like Google Groups as much as anyone else! But there are so many attack vectors that we have to be concerned about to protect the environment - and it only takes one. One of my co-workers is fond of the saying, "the hackers only have to be lucky once - you have to be lucky all of the time."
I guarantee every IT admin reading this is thinking, well, if you did this instead of that, if you had two hundred guys on your security team, with all of them testing patches, while listening to every end user complaint and rectifying their situation immediately, you could stay out of the end-user's way! Trust me - we know. We wish our teams were as stacked as they should be. Heck, we wish it wasn't necessary at all to have to defend against stuff like WMF, where any end-user clicking on a link from their IM buddy could get exploited in a second... we wish it wasn't like this. We wish things could go back to how they were ten years ago. The reality is, this is the internet we built and we are fighting to protect our assets from. -
Re:MacOS X itself?
Proof of concept exploit: http://news.zdnet.com/2100-3513_22-5189335.html?tag=zdfd.newsfeed
Yep, Mac OS X can be hit with a Trojan, not a big surprise there. Symantec has some info on this 'MP3Concept Trojan Horse', which is benign. It does use a neat trick to imbed the code in an MP3, but other than that it isn't that special. Tricking someone to run your program isn't really something that we will ever make impossible under every circumstance, but I will admit that using filename extensions to identify file types is one very stupid thing that Mac OS X copied from Windows, and then hiding them by default only compounds the stupidity.
Exploit, infections from not known: http://www.macintouch.com/opener.html
But "opener" requires a previously compromised system. A "rootkit" without a viable delivery mechanism isn't really a "virus" or "worm" or even a "trojan". According to McAfee: "This threat does not make use of an exploit, so to have the script run successfully on a system and make changes, the user account from which the script is run must have sufficient rights. If no superuser/root/admin access is available many of the subroutines will fail and generate errors." I don't know why McAfee classifies it as a virus/worm since it doesn't seem to have any propagation abilities.
In Wild exploit, known infections: http://news.zdnet.co.uk/internet/security/0,39020375,39155837,00.htm
True, the exploit mentioned is a tricky thing (potentially allowing code that was downloaded to be run as trusted), however I don't know if any was ever found in the wild - and even then it would still require an administrator's password to do system damage. The "hole" was supposedly patched by Apple's Security Update 2004-06-07 according to Unsanity who had released a little application to guard against the exploit.
If those are the only ones you've found, you haven't really shown any "exploit[s] for a Mac OS X vulnerability", although the MP3Concept Trojan I guess uses some "social hacking" types of tricks that would also work in Windows by hiding that it is an application rather than an mp3 file. Even if we accept a count of 3 (or ten or twenty), Mac OS X would still be comparatively malware-free.
-
Re:well, here's the problem...
The day I see a virus on OS X is the day I buy an AV program.
It's this kind of smugness that the article is talking about. Here is a nasty virus that only runs on OS X http://securityresponse.symantec.com/avcenter/venc/data/sh.renepo.b.html Installs a keylogger for passwords and overwrites commands with its own copy.
p.s. Mac users are also subject to Java viruses like http://securityresponse.symantec.com/avcenter/security/Content/2005.10.12.html -
Options for OS X
...Is he right, and what actual products exist for OS X that would protect against infections?
My stock response: "The truth is, viruses just aren't a huge threat on the Mac right now. However, my religion precludes me from advising you to not buy anti-virus software."
It's not like you don't have options though. You can get anti-virus software from:
Symantec
Sophos
Intego
McAfee (Virex, included with a .Mac membership)
And, of course, there's always Clam AV, along with the ClamXav front end for OS X. -
Re:It's due in part to user stupidity
This is stupid on so many levels, I can't figure out the insightful mod.
They'd try to run OS X on a typical PC, it'd suck and then they'd do the typical stupid computer user thing which is to say "this software fucking sucks."
Because the hardware support in OSX is rather finite, it won't just 'install on a typical PC'. To get it to run on a non-Apple machine, it would require a good amount of research in supported hardware and/or the ability to install BSD drivers, nevermind circumventing any DRM. Should a pirated version appear which handles all of the hardware issues (which I think is unlikely), the desire and ability to locate it is beyond the typical computer user. You're simultaneously implying reasonably advanced knowledge and ignorance.
Apple has to prevent piracy of its OS if for no other reason than to protect the brand from the idiots out there who aren't smart enough to realize that OSX is DESIGNED to work primarily with one specific hardware set
Just plain wrong. Apple prevents piracy of the OS and support of generic hardware because Apple is a hardware company at heart. Remember the Apple clones? The company isn't inherently against licensing its software, it just hasn't figured out a workable business model to do so.
that's too much mental heavy lifting for the average, at least American, computer user
How on earth can you come to the conclusion that American computer is stupid? The US drives the entire industry and is home to MIT, Berkeley, Stanford, Caltech, IBM, Apple, Microsoft, Sun, Oracle, and countless more. Posting on slashdot, I assume the basis of comparison is Europe? OK, SAP is in Germany and the Scandinavian countries have great state-sponsored telecommunications... but what else? Oh, maybe the zombie PC capital of the planet? Slashdot seems to be full of self-hating Americans who have never flown overseas and think a crumbling socialist economy is utopia, and smug Europeans who think all Americans are rednecks, despite all of their entertainment & IT coming from SanFran/Boston/NYC/LA. -
Do a little research
http://securityresponse.symantec.com/avcenter/attack_sigs/s20070.html
http://securityresponse.symantec.com/avcenter/attack_sigs/s20069.html
http://securityresponse.symantec.com/avcenter/security/Content/8732.html
http://securityresponse.symantec.com/avcenter/security/Content/3.3.2003.html ...and so on and so forth.
No OS is immune to vulnerabilities.
Additionally, I use NIS at home because I've tried the free alternatives (AVG and ClamWin) and found them to be rot. For some reason, every time I install AVG, my web browsing goes to crap. I have to refresh every page to get it to come up and I find unacceptable delays. NIS does the scanning with no noticeable performance hit.
I hate to get in these flame wars, but I honestly don't get the passion. I've tried the alternatives and found them to be shoddy. I'll stick with what works. -
Re:Well then, is it or isn't it?
This situation doesn't surprise me coming from Symantec however. I ditched them around NAV 2001 and never looked back, especially when you could predict when the next antivirus version would come out because the previous version would "mysteriously" start having problems or crashing about a week before the next version release.
Nor I. I work in a small ISP's callcenter, with around 5 other people. Norton products are the bane of my goddamned existence. Half the time you have to disable outgoing email scanning or you just cannot send email, period. Timeout errors all the time. Not only that, try explaining to a customer that it's not your service that is down, but rather, their $200 antivirus program that isn't working properly. Not pretty.
If Norton Internet Security suspects that "something's funny" it will randomly turn off your connection. You can ping from DOS, but you can't surf via IP or Domain Names. The solution? First try turning off the Norton Firewall, if that doesn't work, try uninstalling Norton. Reinstalling TCP/IP or Winsock doesn't even help.
I really cannot tell you how many times I've gotten a random "it doesn't work" call, only to find out that they have Norton and it's causing problems. It's my first question now when someone is having oddball problems with email or DNS errors. "Ah, I see. Do you have Norton on your system by any chance?"
It is important to note that the problems only started in 2003, previous versions of Norton products were fine. In addition Symantec has posted a security warning About their own products. Seems the latest version of their product uses the same trick that Sony's rootkit used.
Oh, and did I also mention that NIS destroys Secure website access even after uninstalling it, unless you fix it by digging through its options?
If you want a good antivirus, I suggest AVG or Avast. Both are excellent free products that are nowhere near as invasive as Norton. -
unfortunately, it doesn't remove all traces
According to the page you linked to (http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001092114452606) the "removal" tool, rnav2003.exe does not remove everything:
"Rnav2003.exe does not remove the following items:
* The files or registry keys for the virus definitions
* Subscription information
* Entries in Windows Scheduled Tasks
* Other shared files"
Go through the manual removal instructions on that page to remove what rnav2003.exe does not get.
Also, if you want to "[r]emove Norton AntiVirus 2005/2004 installed as a stand-alone product or as a part of Norton SystemWorks 2005/2004 or Norton Internet Security 2005/2004" "[f]ollow the instructions in [r]emoving your Norton program using SymNRT to remove these program versions":
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039
There, you will also find a .reg file to clean out your registry.
In addition to the .reg file in the above link, perhaps their most useful removal instructions can be found here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2004110113064039
Among several things, they link to Microsoft's Windows Installer CleanUp utility (http://support.microsoft.com/default.aspx?scid=kb;en-us;290301) which is extremely helpful in removing programs that used the Microsoft Windows Installer. -
Symantec's Norton Removal Tool
I've used this a lot lately when upgrading NAV, this is a removal tool which will nuke all traces of many Norton programs off a computer. Not as useful if you have, say, NAV and Ghost and just want to remove NAV, but if you only have NAV, this works for different versions. (As my family all uses NAV, but everyone always seems to have a different version, sticking this on my usb drive has been invaluable.)
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=&docid=2001092114452606&nsf=nav.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=&seg=
The SymNRT.exe remover will remove ALL installs of:
* Norton AntiVirus 2004/2005/2006
* Norton AntiVirus Professional 2004
* Norton AntiVirus 3, 5 and 10 User Pack 2004/2005/2006
* Norton GoBack 3.1/3.5/3.6/4.0/4.1
* Norton SystemWorks 2004 Professional Edition
* Norton SystemWorks 2005/2006 Premier
* Norton SystemWorks 2004/2005/2006
* Norton SystemWorks 2006 Basic Edition
* Norton Password Manager 2004
* Norton Internet Security 2004/2005/2006
* Norton Internet Security 5 and 10 User Pack 2004/2005/2006
* Norton Internet Security 2005 AntiSpyware Edition 8.2
* Norton Personal Firewall 2004/2005/2006
* Norton AntiSpam 2004/2005
* Norton Ghost 2003/9.0/10.0 -
Re:What about RAR files?
-
Just to note
The Symantec web site report on this states that it only affects 2005 and 2006, but I am running 2003 and it is also affected! The update fixes (supposedly) the issue. Nprotect can now be seen in the RECYCLED directory.
Info can be found here:
http://securityresponse.symantec.com/avcenter/security/Content/2006.01.10.html -
Re:It's hard to uninstall Symantec software
Not to take up for Symantec, but they do offer a free utility for removing all traces of their software. They have one for each piece of software as far as I know.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001092114452606 -
Re:Uninstalling Norton can be very time consuming
I have had to uninstall Norton a few times and the 'Add and Remove Programs' feature in Windows did not work. So, I had to go to this link [symantec.com] and do it manually....talk about a pain in the #*$%.
I have to admit that manually removing Norton is always a pain in the ass but Norton has provided a total removal tool for years. Before, it was called Rnav2003 and was available for free download on their website. Newer versions of Norton require SymNRT, which is also available free on their website:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=bar_sch_nam&docid=2004093015165236&nsf=tsgeninfo.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=
It works like a charm and means you don't have to sit there manually removing Norton for two hours, secretly and silently wanting to find a pencil, sharpen it and shove it in your eye.
-
Not quite the same...
The hidden NProtect directory at the heart of this issue has been (reasonably) common knowledge for some time. They were up-front and honest about the presence of this directory, and made frequent reference to the "hidden" and "protected" nature of said directory in documentation and marketing literature.
Also, according to Symantec's own writeup on the issue, the directory was cloaked specifically so that it would work as advertised: to keep people from deleting important shit, particularly files that can't be put in the Recycle Bin.
Also, also, you need to give them a bit of credit for the fact that they worked with Mark Russinovich of Sysinternals and F-Secure in fixing this. Nobody needed to make a huge stink about the problem like the last big rootkit issue
-
Uninstalling Norton can be very time consuming
I have had to uninstall Norton a few times and the 'Add and Remove Programs' feature in Windows did not work.
So, I had to go to this link and do it manually....talk about a pain in the #*$%. -
Re:Ever heard of Ghost?
Backup and restore with Ghost is a piece of cake, do it on a regular basis for many different versions of Winders, no need to reinstall OS. Keep all of my data in a separate \files directory for all applications and I can backup just that then use a current Ghost image to put the OS and Apps back in about 40 minutes, then just restore current \files directory. I Ghost anytime I add a new app, both before and after just in case.
Ghost costs $70. You mean I have to pay another $70 to a third party after paying for Windows itself, just to repeatedly reinstall the OS "easily", and save my data? Man, what a deal!
You're right, Linux and its stability and recommended practice of separating data from functionality is just too complicated. I'd much rather just reinstall all the time and pay someone else to be sure my data stays safe whenever I need to do so.
~Rebecca -
Re:Burn baby Burn
you're wrong. symantec anti virus which is available on google pack has no comparable software on osX
Nope, no equivalent product on OS X. Of course, anti virus software is pretty much totally unnecessary on OS X... -
Re:Norton?
I run into this same issue on so many of my clients' computers. I end up removing Norton as it was either expired or somehow broken. At least half the time the damn thing doesn't uninstall. This is such a pervasive issue that Norton had to write a removal (SymNRT) to clean up where their uninstaller failed. Eventually they should move that tool to this page.
-
More details
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
http://www.securityfocus.com/bid/16074
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.symantec.com/avcenter/venc/data/pf/pwsteal.bankash.g.html -
What about Microsoft's Nov 8 patch?
Didn't Microsoft already release a patch for this on Nov 8th? Symantec's info page on this attack directs you to this Microsoft bulletin, which links to patches for each Windows release.
-
All M$ and Symantec products are risks
A year ago an exploit was found in Excel that would allow remote code execution on a Mac, it stretched back even to many earlier versions.
Now we have an exploit on Norton Anti-Virus that will allow takeover and privilege elevation on a Mac.
http://www.zdnetindia.com/insight/commentary/stories/132034.html
Here are some other exports of their products from their own mouths.
http://securityresponse.symantec.com/avcenter/security/SymantecAdvisories.html
There is no sane reason to use OfficeMac on a Mac, Appleworks will read and write Excel and Word files, it's only the weak untrained sick puppies that are scared of their jobs who use OfficeMac. Anyone with a brain can achieve the same result with much safer software. -
only version 10.x of Corporate Edition ...
So according to the Symantec advisory the vulnerability is only present in version 10.x of the Corporate Edition. And there I was, thinking it was about time to upgrade from 8.1 that we're running at work
... not anymore!