A friend the other day picked up the Security Shield Virus... I searched the web and the 'removal instructions' all had names that were numbers. Never found one. However, knowing how these things get in it was sort of easy to find.
Most start off via the registry, and most are in the user sub-folder. Vista and W7 that would be under USERS\userid\APPDATA\ROAMING, and the same structure in XP under DOCUMENTS AND SETTINGS\userid. Fairly easy to find.
How I found my friend's problem was searching the registry for RUNONCE. There are MANY of these, but only 2 to worry about. The ones for the WINDOWS\CURRENTVERSION\RUNONCE under HKCU\SOFTWARE\MICROSOFT and HKLM\SOFTWARE\MICROSOFT. Normally these should be EMPTY other than the default entry. Normal use of this key is for programs that need to do something only once, usually clean-up after an install or a delete. This is an excellent place for a virus to hide. During boot it gets executed and then first thing it does is check if the file is still there. Delete the file during a clean-up and it just re-installs itself. Security Shield didn't do this though, the program started via the RUNONCE entry. So you might want to check there.
As for Norton, it is OK, and others miss it too. What was my friend using when he got hit? Why MSE of course. What was disabled, MSE of course by the virus. No A/V can be 100% immune to things without basically locking down your computer to the point you can't use it.
The method most use is a 'normal' method for a program. Open the registry... write what it needs to. No A/V will object to this usually. If the file name isn't known, the A/V will allow it to happen. Norton ISS will alert you on D/L to a suspicious program, but one will get many of these 'warnings'. Any program that isn't used by many people triggers this, but I have disabled it for that type of warning, and I'm sure most people do. Almost ANY file of 99% of a game has few users compared to Word for instance. Anyway, the next thing that happens is the chains that bind the A/V to running processes are broken and then the A/V is out of the loop. Poof, you've lost protection.
What names does the virus use, random ones of course. This way the A/V can't tell it's a rogue to start with. Can be all numbers, all letters, or a mixture of both for the filename. If you look at the files in the userid sub-folders and sort by date, and you know the approximate time you were hit, you'll see a like named file there that matches the time and date. Google its name, can't find it, probably is the virus. Then search the REGISTRY for that name as well... bet you'll find it in a RUNONCE. Oh, one more thing, you might NOT be able to run REGEDIT or even open TASK MANAGER to look for a like named process... in that case boot to SAFE MODE W/NETWORKING, generally you can there.
The lesson being Google the virus, read about it, and then start searching.
Norton and other virus programs are good. None are perfect. Some load the system, some are better than others, but there is no litmus test to say which is. Any A/V is only good if they protect you. If they fail, they are not good. Probably every A/V is susceptible to a zero-day attack. If they don't know what it is they let it through. Getting it 10 minutes later after a signature update would have protected you but you got hit before they discovered it... such is life.
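
The check described in this post (list the two RUNONCE keys, sort the files under APPDATA\ROAMING by date, match the names), as an added PowerShell example that is not part of the original post. The `$HitTime` and `$WindowHours` parameters are assumptions for illustration; the script only reads and assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only triage of the two RunOnce keys and of files
# written to the roaming profile around the time of infection.
param(
    # Assumption: approximate time of the hit, supplied by the user.
    [datetime]$HitTime = (Get-Date).AddDays(-1),
    # Assumption: how many hours either side of $HitTime to look.
    [int]$WindowHours = 6
)

$runOnceKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Collect every named value in both keys (normally there are none).
$entries = @(foreach ($key in $runOnceKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        if ($name -eq '') { continue }   # skip the (Default) value
        [pscustomobject]@{
            Key     = $key
            Name    = $name
            Command = [string]$item.GetValue($name)
        }
    }
})

# 2. Files in the roaming profile written inside the time window.
$from = $HitTime.AddHours(-$WindowHours)
$to   = $HitTime.AddHours($WindowHours)
$recent = @(Get-ChildItem -Path $env:APPDATA -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to } |
    Sort-Object LastWriteTime)

# 3. Flag RunOnce commands that mention one of those recent file names.
$report = foreach ($e in $entries) {
    $match = $recent | Where-Object {
        $e.Command.IndexOf($_.Name, [StringComparison]::OrdinalIgnoreCase) -ge 0
    } | Select-Object -First 1
    [pscustomobject]@{
        Key        = $e.Key
        Name       = $e.Name
        Command    = $e.Command
        RecentFile = $(if ($match) { $match.FullName } else { '' })
    }
}

$report | Format-List
$recent | Format-Table LastWriteTime, FullName -AutoSize
```

An entry with a non-empty `RecentFile` is the one to look up by name first; if PowerShell will not start in a normal session, run it from Safe Mode with Networking as the post suggests for REGEDIT.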