topic Re: Misleadapp.downloader in Norton Internet Security / Norton AntiVirus

Misleadapp.downloader

vicodinmonster — Sun, 14 Jun 2009 13:12:14 GMT

I have read some of the previous threads on this particular infection, so i have been able to do some of the initial legwork.

I was able to install hijack this, and run a scan.

here is the text file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:57 AM, on 6/13/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\logishrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Users\Leonel Uribe\Documents\leo.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.111,85.255.112.200
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.111,85.255.112.200
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.111,85.255.112.200
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate1c9ea023079f424) (gupdate1c9ea023079f424) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8620 bytes

I believe that part of the problem is the O17 and O18 entries, but i am not sure what other things need to be removed.

Please help!

Vicodinmonster

Re: Misleadapp.downloader

Floating_Red — Sun, 14 Jun 2009 13:41:12 GMT

I would suggest following the Removal Instructions.

Please make sure you Post the Threat exactly as it is Detected!

Removal Instructions for Downloader.MisleadApp: http://www.symantec.com/security_response/writeup.jsp?docid=2007-061114-0840-99&tabid=3.

Re: Misleadapp.downloader

vicodinmonster — Sun, 14 Jun 2009 15:24:41 GMT

tried it already and the av does not pick it up.

thanks anyway!

Re: Misleadapp.downloader

Floating_Red — Sun, 14 Jun 2009 15:55:02 GMT

vicodinmonster wrote:
tried it already and the av does not pick it up.

thanks anyway!

Have you tired a Full System Scan in Safe Mode, in Your Account and in the Administrator Account?

What is your Norton Product and Version, e.g. Norton Internet Security 2009? I see in your Log that you have 16.0.0.125; you should have either 16.5.0.134/135. Could you go to: Open your Norton Product > ? Help & Support > About and let us know what the Version is.

Message Edited by Floating_Red on 06-14-2009 04:53 PM

Message Edited by Floating_Red on 06-14-2009 04:54 PM

Message Edited by Floating_Red on 06-14-2009 04:55 PM

Re: Misleadapp.downloader

delphinium — Sun, 14 Jun 2009 16:16:55 GMT

It looks like something is stopping your Norton from updating properly. Is the Adaware an older free version or does it also have antivirus scanning capabilities.

In the other threads you have looked at, you would also have seen a recommendation to download Malwarebytes free version. See if you are able to download and install it. if you find that it won't do one or the other come back and let us know.

Install it, update it, and run a full scan. Post the log here.

http://www.malwarebytes.org

Re: Misleadapp.downloader

vicodinmonster — Mon, 15 Jun 2009 21:02:52 GMT

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 6.0.6001 Service Pack 1

6/15/2009 4:25:20 PM
mbam-log-2009-06-15 (16-24-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 236028
Time elapsed: 31 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\PlayAllDVD (Trojan.DNSChanger) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PlayAllDVD (Trojan.DNSChanger) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.111,85.255.112.200 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.111,85.255.112.200 -> No action taken.

Folders Infected:
c:\Users\Leonel Uribe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PlayAllDVD (Trojan.DNSChanger) -> No action taken.
C:\Program Files\PlayAllDVD (Trojan.DNSChanger) -> No action taken.

Files Infected:
c:\Users\leonel uribe\AppData\Roaming\microsoft\Windows\start menu\Programs\playalldvd\Uninstall.lnk (Trojan.DNSChanger) -> No action taken.
c:\program files\playalldvd\Uninstall.exe (Trojan.DNSChanger) -> No action taken.
c:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> No action taken.

these are the scan results, i had them removed, but as you have probably guessed, it did not solve the problem.

so now i am at a loss, i removed what i thought was the problem but nada...

any assistance would be greatly appreciated!,

Re: Misleadapp.downloader

Floating_Red — Mon, 15 Jun 2009 23:13:23 GMT

In the Malwarebytes' Log, it says No Action Taken, so Malwarebytes' has only Detected it so those Files will still be on your computer. I would suggest Quaratine them and Remove the Files. You might even need to do another Full Scan to get these Removed.

And I also see you only Scanned the C-Drive; please Scan at least C: and D: Drives in the Full Scan. And I would suggest in Normal and in Safe Mode.

As always, make sure you Update your Definitions and dis-connect from the Internet before Starting any Anti-Virus Scan.

Message Edited by Floating_Red on 06-16-2009 12:10 AM

Message Edited by Floating_Red on 06-16-2009 12:13 AM

Re: Misleadapp.downloader

delphinium — Tue, 16 Jun 2009 00:03:16 GMT

Also disable system restore to delete any saved restore points.

Re: Misleadapp.downloader

vicodinmonster — Tue, 16 Jun 2009 00:57:40 GMT

Hello all again,

Ran malware, removed the infected entries, in both safe and regular mode, was disconected from the web sys restore was disconected.

as per the scans my machine is clean. buy the browser keeps getting hijacked. i am on the verge of a reformat....

i ran all the scans again and they all come back clean. Rootkit perhaps? i just got another warning from norton 32generic... great...

any other ideas anyone?

this is really frustrating...

thanks again to all

Re: Misleadapp.downloader

Quads — Tue, 16 Jun 2009 01:10:04 GMT

can you please give me the full file details, in the Norton History and the name of the actual file (in details) and where it is saying it is located??

Quads

Re: Misleadapp.downloader

Quads — Tue, 16 Jun 2009 01:40:37 GMT

Hi again

I have a Theory

First I need 3 logs

Please run RootRepeal as in this post http://community.norton.com/norton/board/message?board.id=Norton_360&message.id=13889#M13889

And GMER, http://www.gmer.net/ and "Scan" then "Save" the log, then due to the possible side post the log on http://pastebay.com/ and PM me the link. Use your Norton Name on Pastebay

Pastebay does have a Character limit so please make sure that the whole gets posted

I would also like a DDS log

Download http://homepages.slingshot.co.nz/~crutches/DDS/

You will have to go offline and disable auto-protect and the firewall to run it when it is finished it will produce a log. then you can enable everything again and go back online

When I have the 3 logs I will cross reference

Quads

Re: Misleadapp.downloader

vicodinmonster — Tue, 16 Jun 2009 11:40:36 GMT

Hello Quads,

The name of the security threat is packed.generic233.

Norton does not list it on the history file at least not with that name. which is the same thing it was doing with misleadapp.

malwarebytes does not pick it up, adaware did not see it... meanwhile all web browsing is hijacked if you use a web link.

very challenging little bugger this one is...

thanks to all for the help.

Re: Misleadapp.downloader

Quads — Tue, 16 Jun 2009 20:45:34 GMT

That is the name Norton gives the Treat, not the actual name of the file and it's location, could you please do the 3 logs above

Quads

Re: Misleadapp.downloader

Floating_Red — Tue, 16 Jun 2009 20:54:34 GMT

As well as doing the Logs for Quads, could you also try the Removal Intructions for Packed.Generic.233.

Removal Instructions for Packed.Generic.233: http://www.symantec.com/en/uk/security_response/writeup.jsp?docid=2009-060800-5953-99&tabid=3.

Re: Misleadapp.downloader

Quads — Tue, 16 Jun 2009 21:19:52 GMT

I saw the Symantec writeup, but if Norton does not want to remove it / can't then it's as useless as an udder on a bull.

Quads

Re: Misleadapp.downloader

Quads — Wed, 17 Jun 2009 20:42:01 GMT

You have the "MSIVXserv.sys" Rootkit at least. I haven't looked at the DDS log yet I will get there

Quads

Re: Misleadapp.downloader

Quads — Thu, 18 Jun 2009 04:41:46 GMT

If you have Spybot S&D, please uninstall.

Please go here and Download Avenger to your Desktop, http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=53509#M53509

With Vista remember to right click, Avenger and select "Run as Administator" from the Menu.

Now when you get to number 3. use the script below not the one on the other post, SO

3. In the "Input script here:" copy and paste the script between the lines

Drivers to disable:

MSIVXserv.sys

Drivers to delete:

MSIVXserv.sys

Files to delete:

C:\Autorun.inf

D:\Autorun.inf

C:\Windows\System32\drivers\MSIVXcdpppsenlsylcscnqblskitpopcfyxvb.sys

C:\WINDOWS\system32\drivers\MSIVXfpqebwwxpiswvenobbndeitvrjiwprcc.sys

C:\WINDOWS\system32\drivers\MSIVXpxettvasrnemkooicrytqcpwbbcsgpsu.sys

C:\WINDOWS\system32\drivers\MSIVXuytmnaqqiptkkaxqoscjmihrxwtunyfi.sys

C:\WINDOWS\system32\MSIVXpvymtqimexcpdqpsvymktfnpckdjnchw.dll

C:\WINDOWS\system32\MSIVXbnixqaxvkdsiborkveqxuehwtveijcqx.dll

C:\WINDOWS\system32\MSIVXtcpitqpqhykempvydbqnnhbnpsxftfbb.dll

C:\WINDOWS\system32\MSIVXgyusdbpapbginsojyucbcvvrtuhvwlnr.dll

C:\WINDOWS\system32\MSIVXxqfgfomfgbghveijmpekagedsvidtqfm.dll

C:\Windows\System32\MSIVXedopmooyitxvmoohvyxeqwskwwtwajyb.dll

C:\Windows\System32\MSIVXqexdxmxerxnimqrsmftejymvnxurvanw.dll

C:\Windows\System32\MSIVXcount

Registry keys to delete:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SOFTWARE\MSIVX

Then carry on with the other post from Screenshot and below.

Quads

Re: Misleadapp.downloader

vicodinmonster — Thu, 18 Jun 2009 11:29:15 GMT

Hello Quads!

It appears as if the problem has been solved I have scanned the system with avenger, gmer and no rootkits found.

Norton is now running again, and the previous threats are now removed.

Web browsing is back to normal, and even performance levels are up.

My knee jerk reaction was to re install, but the whole experience has been educational! I don't wish this on anyone, but I learned an awful lot!

Thanks Again Quads!

and thanks to all the people that contributed on the forum.

Vicodinmonster

Re: Misleadapp.downloader

delphinium — Thu, 18 Jun 2009 15:42:08 GMT

Hi Vicodinmonster:

Glad everything is working well for you. There should be a .zip file in the Avenger folder. Please upload it here http://rapidshare.com/index.html

Use your name as you did with the others.