What Am I Paying For?!

Discussion in 'Archived Threads 2001-2004' started by John Watson, Feb 24, 2003.

  1. John Watson

    John Watson Screenwriter

    Joined:
    Jul 14, 2002
    Messages:
    1,937
    Likes Received:
    0
    I just renewed a Symantec Norton Anti-virus Subscription this morning, and then, immediately after rebooting this aft (after several hours of noodling on the computer), there was a funny little noise upon restart, and a Norton pane with a big red background popped up saying Norton "Cannot repair" C:\Program Files\Internet Explorer\System.exe, and telling me it was infected with a Download Trojan.

    It recommended I choose quarantine, and choosing that gave me another pane, with a green background, saying it was isolated, and it was now safe to use my computer.

    So I think I went to open some program, maybe Outlook Express, but before anything, a little blue Windows Program Not Found Pane popped up, and said Windows cannot find System.exe, which "is needed for opening files of the type : Application".

    To me, that sounds like a BIG PROBLEM?

    What gives? I seem to have my usual programs available, do I have a problem?

    And if I have a problem, what am I paying Symantec for? There is no clue at this point what site or e-mail or anything was the precipitating event, the notices only came after I restarted the computer.

    Any ideas or suggestions appreciated!
     
  2. Kevin P

    Kevin P Screenwriter

    Joined:
    Jan 18, 1999
    Messages:
    1,439
    Likes Received:
    0
    What OS are you running? And what version of NAV (Norton Antivirus) are you running? Did you update your virus definitions after renewing the subscription? How old were your virus definitions prior to renewing?

    What was the name of the infection? "Download.Trojan?" or something along those lines?

    I just searched my hard drive and didn't find a System.exe anywhere, not in IE or anywhere else. Perhaps you were infected with something. You might need to reinstall IE to restore its functionality (use Windows Update to get the latest service pack for the IE you're running).

    As for what you're paying for, well, Norton just found and removed a potentially malicious piece of code off your computer. You should definitely run a Live Update to get the latest virus definitions and any program updates, then go into the quarantine and scan the file again to see if it's recognized as something more specific than Download.Trojan. Once you find that out, more specific removal/cleanup instructions can be found on Symantec's website.

    KJP
     
  3. John Watson

    John Watson Screenwriter

    Thanks Kevin, I have Windows98 SE, and Norton is set to update automatically once a week, so I figured that last took place last Wednesday, but looking at NAV they say it was done today, perhaps simultaneously with the renewal process, but I'm not sure about that.

    Anyway, I looked at Norton and see there are around a dozen files in quarantine after a year on line, and after just being prompted by Norton to try again, Norton says they are still unrepairable.

    I still see the same file names and terms that I mentioned in my first post, SYSTEM.EXE and 'Download.trojan'.

    I guess I'm worried that the file is needed for something to run the computer, but would Norton quarantine a file that did that, without telling me so?

    And I don't understand why Norton can't repair these files?

    But I've never sent anything for SARC analysis before, maybe I should give that a go...
     
  4. Kevin P

    Kevin P Screenwriter

    I don't think it's needed to run anything on your computer, as otherwise I would have the same file on my computer. Of course, I have win2k, not 98, but I don't recall there being a system.exe that would be detected as a Trojan horse coming with a standard Windows/IE install.

    You can submit the suspect file to Symantec for analysis. Either it really contains a Trojan horse, in which case they'll notify you, or you had a false positive, in which case they should fix the definitions. If it's a false positive you can restore the file from quarantine. But considering none of my computers have a system.exe anywhere on the system, I'm guessing that you got infected with something.

    Norton can only "repair" files infected with viruses; since trojans and worms are stand-alone they can't be repaired, they have to be deleted. What else do you have in your quarantine? Probably some email worms, right?

    Oh yeah, I recommend you run a full scan of your system in case the trojan (or anything else) exists in other files that haven't been accessed yet.

    KJP
     
  5. Matt DeVillier

    Matt DeVillier Supporting Actor

    Joined:
    Sep 3, 1999
    Messages:
    773
    Likes Received:
    0
    John,

    The file that NAV found was a trojan that infected your system. Part of the infection was it reassigning itself to run whenever you launch a program (or certain programs). I'm sure if you go to Symantec's web site and search for whatever trojan it found, they will have instructions for removing it completely.

    The reason NAV cannot repair the file is because that file is itself a trojan, not one that was infected by a trojan. There's nothing to save and that's NAV's way of letting you know.

    -Matt
     
  6. John Watson

    John Watson Screenwriter

    Well, I looked the name of the reputed virus (Download.trojan) up at Symantec, and there is almost nothing on it, just Symantec saying its Characteristics are "Wild"; Likelihood is "Common".

    Anyway, Symantec also says Download.Trojan is not Memory resident, does not have Size stealth, does not have Full stealth, is not Triggered event, is not Encrypting, and is not Polymorphic (if the red line thru a circle means negative).

    But NOTHING (zip, nada, rien) about removal (compared with two other viruses in my quarantine, for which Norton has semi-lengthy "easy" removal instructions?)

    I also pressed Norton's Submit button, and it produced a (partially) obscured (!!!!) text saying this virus is known to Symantec and should NOT BE SUBMITTED (!!!!). It goes on "This virus destroys the program it infects; to remove the virus from your computer, use Norton AntiVirus to delete the infected file and then replace it with a copy of the original."

    Leaving aside the facts that I only went there from curiosity, and that this information is totally inconsistent with the earlier message that I could use the computer now, where do I get that replacement copy, from my windows disk? Or worse, as both Kevin and Matt suggest, maybe there is no such file? I can't get any info on what Program, if any, may be affected.

    As an experiment, I just used the Delete option for one example of bugbear, and it seemed to work (i.e., deleted it).

    I guess now my issue is, if I did this for the Download.Trojan in Explorer\System.exe (pressed delete on that particular file), would it cause me trouble?

    Actually I'll probably just carry on, and if things work ok, and nothing drives me to seek technical assistance from a competent relative, just remain with an abiding feeling that Norton is a fraud, and non-technical people like me can only be safe in the wild frontier, by staying home and watching it on TV. :b
     
  7. Kevin P

    Kevin P Screenwriter

    I think the definition for "Download.Trojan" is generic, it likely covers a number of similar trojans that aren't significant enough to warrant unique definitions for them. Since the trojan likely didn't replace an existing file, but instead created a new file called System.exe, you should be safe in deleting it. If something no longer works (e.g. Internet Explorer), reinstalling IE or whatever should help. Otherwise, search your registry for the offending file name (System.exe) and post here where you find it. The trojan may have installed itself in the registry and needs to be removed in order for your system to function properly again.

    KJP
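
The registry search suggested in the last reply can be run offline against a regedit text export. This is an added example, not part of the original thread: the export below, its key names and its value names are constructed for illustration, and the function names are this example's own.

```python
import re

# Constructed sample of a regedit export (REGEDIT4 text format); not data from the thread.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Program Files\\Internet Explorer\\System.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Loader"="C:\\Program Files\\Internet Explorer\\System.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unescape(text):
    """Undo the backslash escaping regedit applies inside quoted strings."""
    return re.sub(r'\\(.)', r'\1', text)

def find_references(export_text, file_name):
    """Return (key, value name, data) for every string value naming file_name."""
    # Match the bare file name only, so SysTray.Exe or filesystem.exe do not hit.
    target = re.compile(r'(?<![\w.])' + re.escape(file_name) + r'(?![\w.])', re.I)
    hits, key = [], None
    for line in export_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.groups()
        if not data.startswith('"'):
            continue  # hex:/dword: data is skipped; only string values are checked
        name = '(Default)' if name == '@' else unescape(name[1:-1])
        data = unescape(data[1:-1])
        if target.search(data):
            hits.append((key, name, data))
    return hits

if __name__ == '__main__':
    for key, name, data in find_references(SAMPLE_EXPORT, 'System.exe'):
        print(f'{key}\n    {name} = {data}')
```

Each hit gives the key, value name and data to post back or to compare against a clean machine before anything is changed.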
     
