Contributor
Posts: 14
Registered: ‎04-12-2009

Re: Norton Internet Security doesn't detect Zlob.DNS Changer

I installed NIS2009.  When I ran a quick scan tracking cookies were found (as usual).

I then ran a full scan and only about 6k files were scanned.

I am still being re-directed as I noted earlier.

Contributor
Posts: 14
Registered: ‎04-12-2009

Re: Norton Internet Security doesn't detect Zlob.DNS Changer

When I restarted my computer I get a Norton Internet Security One Click Support window that just says please wait and runs forever.

There is a white x in a red circle over the Norton icon in the startup tray.

 

I thought there might be a problem with the install so I tried to uninstall and then re-install, and when I do that the computer hangs to the point you can't even get a Windows Task Manager.

 

So I download this program, it doesn't work and I cannot uninstall it?

Bot Obliterator
Quads
Posts: 13,250
Registered: ‎07-21-2008

Re: Norton Internet Security doesn't detect Zlob.DNS Changer

Hi

 

I would say the last 2 programs to try would be

 

SDfix  http://downloads.andymanchesta.com/RemovalTools/SDFix_ReadMe.htm

 

How to use SDFix:
1. Download SDFix and save to your Desktop.
2. Install SDFix: double-click on the SDFix. If a "Security Warning" window opens, click on the Run button.
3. Follow the prompts.
4. Reboot your PC into Safe Mode.

- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.

5. Click Start -> Run, type the following text in the box: C:\SDFix\RunThis.bat
6. Press Enter or OK button.
7. When the tool is finished, it will produce a report for you.

Notes:
If this error message is displayed when running SDFix:

The command prompt has been disabled by your administrator. Press any key to continue . . .
Please go to Start Menu > Run > then copy and paste the following line: %systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press OK then run SDFix again

If the Command Prompt window flashes on then off again on XP or Windows2000

Please go to Start Menu > Run > then copy and paste the following line: %systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again
 
 
See if that works.
 
If not   Combofix   http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
Quads 
 

 

Contributor
Posts: 14
Registered: ‎04-12-2009

Re: Norton Internet Security doesn't detect Zlob.DNS Changer

OK, thanks. I've done  searches in FF and IE and neither redirected me.

I have some follow up questions regarding the startup behavior of NIS but I'll start another thread as I run into the issue.

ComboFix was the one that solved the problem.

 

The quarantined files are:

2009-04-26 15:00:54 . 2009-04-26 15:00:54              146 ----a-w  C:\Qoobox\Quarantine\Registry_backups\HKLM-RunServicesOnce-CANwinStartAfterBoot.reg.dat
2009-04-26 15:00:53 . 2009-04-26 15:00:53              136 ----a-w  C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SNM.reg.dat
2009-04-26 15:00:52 . 2009-04-26 15:00:52              176 ----a-w  C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-RoxioAudioCentral.reg.dat
2009-04-26 15:00:52 . 2009-04-26 15:00:52              175 ----a-w  C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-RoxioDragToDisc.reg.dat
2009-04-26 15:00:51 . 2009-04-26 15:00:52              175 ----a-w  C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-RoxioEngineUtility.reg.dat
2009-04-26 14:39:59 . 2009-04-26 14:39:59           10,795 ----a-w  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-04-26 14:20:17 . 2009-04-26 14:20:17              854 ----a-w  C:\Qoobox\Quarantine\Registry_backups\Service_GXVXCSERV.SYS.reg.dat
2009-04-26 14:10:20 . 2009-04-26 14:26:59              116 ----a-w  C:\Qoobox\Quarantine\catchme.log
2009-04-14 21:08:01 . 2009-04-14 21:08:01           13,824 ----a-w  C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxcuuvwwlyryavpxftxejeqceesabamocdd.dll.vir
2009-04-11 04:38:06 . 2009-04-26 14:02:21                4 ----a-w  C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxccounter.vir
2009-04-11 04:38:05 . 2009-04-11 04:38:05           35,840 ----a-w  C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gxvxcghvkdxsnpuhcdarjhylictrkuvksffqw.sys.vir
2005-11-17 23:02:25 . 2005-11-17 23:02:25               39 ----a-w  C:\Qoobox\Quarantine\C\WINDOWS\Winhelp.INI.vir
2003-01-30 18:52:48 . 2003-01-30 18:52:48           12,073 ----a-w  C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\FAD.sys.vir
 

 

Bot Obliterator
Quads
Posts: 13,250
Registered: ‎07-21-2008

Re: Norton Internet Security doesn't detect Zlob.DNS Changer

Hi

 

Ok

 

C:\Qoobox\Quarantine\Registry_backups\Service_GXVXCSERV.SYS.reg.dat 

C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxcuuvwwlyryavpxftxejeqceesabamocdd.dll.

C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxccounter.

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gxvxcghvkdxsnpuhcdarjhylictrkuvksffqw.sys 

 

Looks like the TDDS.H variant of sorts. Look in the "system32" to see if there is a file named "gxvxc[random characters].dat"; it could still be hidden though.

 

If you are using a Dell PC the file

 

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\FAD.sys.

 

Could actually be for the Broadcom drivers, Combofix does not know the difference between that "FAD.sys" and the Malware "FAD.sys".

 

Quads 
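
Added example (not part of the original posts and not ComboFix's own code): a small parser that reads quarantine listing lines in the layout posted above and groups them the way this reply does, with the "gxvxc" names in one group and FAD.sys set aside for manual review. The column layout is inferred from the posted lines, and the `classify` rule is an assumption based only on the names mentioned in this thread.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "first_ts second_ts size attrs path")

# Two timestamps separated by " . ", then size, attribute flags, full path.
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
    r"\s+([\d,]+)\s+(\S+)\s+(.+?)\s*$")

# Lines copied from the quarantine listing posted earlier in this thread.
SAMPLE = r"""
2009-04-26 14:39:59 . 2009-04-26 14:39:59           10,795 ----a-w  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-04-26 14:20:17 . 2009-04-26 14:20:17              854 ----a-w  C:\Qoobox\Quarantine\Registry_backups\Service_GXVXCSERV.SYS.reg.dat
2009-04-14 21:08:01 . 2009-04-14 21:08:01           13,824 ----a-w  C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxcuuvwwlyryavpxftxejeqceesabamocdd.dll.vir
2009-04-11 04:38:06 . 2009-04-26 14:02:21                4 ----a-w  C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxccounter.vir
2009-04-11 04:38:05 . 2009-04-11 04:38:05           35,840 ----a-w  C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gxvxcghvkdxsnpuhcdarjhylictrkuvksffqw.sys.vir
2005-11-17 23:02:25 . 2005-11-17 23:02:25               39 ----a-w  C:\Qoobox\Quarantine\C\WINDOWS\Winhelp.INI.vir
2003-01-30 18:52:48 . 2003-01-30 18:52:48           12,073 ----a-w  C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\FAD.sys.vir
"""

def parse(text):
    """Return an Entry for every line that matches the listing layout."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            first, second, size, attrs, path = m.groups()
            entries.append(
                Entry(first, second, int(size.replace(",", "")), attrs, path))
    return entries

def classify(entry):
    """Assumed triage rule, based only on the names discussed in the thread."""
    name = entry.path.rsplit("\\", 1)[-1].lower()
    if "gxvxc" in name:
        return "gxvxc"    # prefix shared by the files singled out above
    if name.startswith("fad.sys"):
        return "review"   # may be a legitimate driver; confirm before deleting
    return "other"

def triage(text):
    """Group quarantined paths by classification."""
    groups = {"gxvxc": [], "review": [], "other": []}
    for entry in parse(text):
        groups[classify(entry)].append(entry.path)
    return groups

if __name__ == "__main__":
    for label, paths in triage(SAMPLE).items():
        print(label, len(paths), *paths, sep="\n    ")
```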

 

 

Newbie
myronsilver
Posts: 1
Registered: ‎05-01-2009

Re: Norton Internet Security doesn't detect Zlob.DNS Changer

I have run into the same problem. On-line help is dangerous: one rep remotely set up my computer to boot into Safe Mode without internet and, even though she had my phone number, just disappeared.

 

To get rid of NIS2009, I booted to SafeMode after downloading the uninstaller to desktop. It did run in the mode, BUT it must be run 2 x to work. Reboot after first run and repeat in Safe Mode.

 

I tried CCleaner which seemed to work, but only temporarily to fix the hijacking of IE and especially Google searches. Still working with other solutions on this site.

Bot Obliterator
Quads
Posts: 13,250
Registered: ‎07-21-2008

Re: Norton Internet Security doesn't detect Zlob.DNS Changer

Hi

 

Just try Combofix to see if it finds the infection gxvxc[random characters].dll, gxvxc[random characters].sys etc.

 

Note: when Combofix is actually doing the scanning, don't move the mouse cursor inside the Combofix box as this could cause freezing.

 

Quads