04-24-2009 08:58 PM
I installed NIS2009. When I ran a quick scan tracking cookies were found (as usual).
I then rean a full scan and only about 6k files were scanned.
I am still being re-directed as I noted earlier.
04-25-2009 01:01 PM
When I restarted my computer I get Norton Internet Security One Click Support window that just says please wait and runs forever.
There is a white x in a red circle over the Norton icon in the startup tray.
I thought there might be a problem with the install so I tried to unistall and then re-install and when I do that the computer hangs to point you can't even get a Windows task manager.
So I download this program, it doesn't work and I cannot uninstall it?
04-25-2009 01:17 PM
I would say the last 2 programs to try would be
How to use SDFix:
1. Download SDFix and save to your Desktop.
2. Install SDFix: double-click on the SDFix. If a “Security Warning window opens”, click on the Run button.
3. Follow the prompts.
4. Reboot your PC in to Safe mode.
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
5. Click Start -> Run,type the following text in type box: C:\SDFix\RunThis.bat
6. Press Enter or OK button.
7. When the tool is finished, it will produce a report for you.
If this error message is displayed when running SDFix:
The command prompt has been disabled by your administrator. Press any key to continue . . .
Please goto Start Menu > Run > then copy and paste the following line: %systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press OK then run SDFix again
If the Command Prompt window flashes on then off again on XP or Windows2000
Please goto Start Menu > Run > then copy and paste the following line: %systemdrive%\SDFix\apps\FixPath.exe /Q Reboot and then run SDFix again
See if that works.
If not Combofix http://www.bleepingcomputer.com/combofix/how-to-us
04-26-2009 08:25 AM
OK, thanks. I've done searches in FF and IE and neither redirected me.
I have some follow up questions regarding the startup behavior of NIS but I'll start another thread as I run into the issue.
ComboFix was the one that solved the problem.
The quarantined files are:
2009-04-26 15:00:54 . 2009-04-26 15:00:54 146 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-RunServ
2009-04-26 15:00:53 . 2009-04-26 15:00:53 136 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SNM
2009-04-26 15:00:52 . 2009-04-26 15:00:52 176 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Rox
2009-04-26 15:00:52 . 2009-04-26 15:00:52 175 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Rox
2009-04-26 15:00:51 . 2009-04-26 15:00:52 175 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Rox
2009-04-26 14:39:59 . 2009-04-26 14:39:59 10,795 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-04-26 14:20:17 . 2009-04-26 14:20:17 854 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_GXVX
2009-04-26 14:10:20 . 2009-04-26 14:26:59 116 ----a-w C:\Qoobox\Quarantine\catchme.log
2009-04-14 21:08:01 . 2009-04-14 21:08:01 13,824 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxcuuvww
2009-04-11 04:38:06 . 2009-04-26 14:02:21 4 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxccount
2009-04-11 04:38:05 . 2009-04-11 04:38:05 35,840 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gx
2005-11-17 23:02:25 . 2005-11-17 23:02:25 39 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\Winhelp.INI.vir
2003-01-30 18:52:48 . 2003-01-30 18:52:48 12,073 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\FA
04-26-2009 01:08 PM
Looks like the TDDS.H variant of sorts, look in the "system32" to see if there is a file named "gxvxc[random characters].dat" could still be hidden though.
If you are using a Dell PC the file
Could actually be for the Broadcom drivers, Combofix does not know the difference between that "FAD.sys" and the Malware "FAD.sys".
05-01-2009 05:47 AM
I have run into the same problem. On-line help is dangerous: one rep remotely set up my computer to boot into safemode without internet and even though she had my phone number just disappeared.
To get rid of NIS2009, I booted to SafeMode after downloading the uninstaller to desktop. It did run in the mode, BUT it must be run 2 x to work. Reboot after first run and repeat in Safe Mode.
I tried CCleaner which seemed to work, but only temporarily to fix the hijacking of IE and especially Google searches. Still working with other solutions on this site.
05-01-2009 01:34 PM
Just try Combofix to see if it finds the infection gxvxc[random characters].dll., gxvxc[random characters].sys etc.
Note when Combofix is actually doing the scanning don't move the mouse cursor inside the combofix box as this could cause freezing.