Downloader.misleadapp Virus - Can't remove...

My laptop (running Vista) has been infected with a downloader.misleadapp virus and nothing I've tried to remove it is working. First, ran LiveUpdate and tried to scan, but Norton IS09 can't get past "initializing". Ran update then tried a full scan in safe mode. Norton scans maybe 1% of my total files then says it's complete and finds nothing. Tried running Malwarebytes Anti-Malware but it won't load.

I certainly appreciate any and all help.  Thanks!

Replies

Kudos1 Stats

Re: Downloader.misleadapp Virus - Can't remove...

Hi zrelaxed,

Try renaming mbam.exe (Malwarebytes) to something else such as road.exe and see if it will run. If you can get Malwarebytes to run, please post the scan results log here.

If Malwarebytes does not solve your issue you may have to generate a HijackThis log and post the log here.

Here is a link to download the HijackThis utility and there is also a video tutorial on the page.

Please just generate the log and do not attempt any repairs until one of our knowledgeable members can review it.

Thanks.


Message Edited by Phil_D on 06-21-2009 08:35 AM
"Anyone who isn't confused really doesn't understand the situation."   Edward R. Murrow
Kudos0

Re: Downloader.misleadapp Virus - Can't remove...

Please also download and run GMER. Post the log over here.

http://www.gmer.net/
"All that we are is the result of what we have thought"
Kudos1 Stats

Re: Downloader.misleadapp Virus - Can't remove...


Phil_D wrote:

Try renaming mbam.exe...


I assume you mean re-naming and not renaming? And re-naming it "mbam.exe" will not work as attackers have started to target Malwarebytes' Anti-Malware, which is why Phil suggests "road.exe".

Message Edited by Floating_Red on 06-21-2009 02:23 PM
Kudos0

Re: Downloader.misleadapp Virus - Can't remove...

We have found in some cases the name change has to occur as early as the download screen, where you have to change the download to "Save as" in order for it to be allowed onto the machine.  When it installs, go into the program and change that .exe to the same name or it might not be able to run.
Under certain circumstances profanity provides relief denied even to prayer. (Mark Twain)
Kudos0

Re: Downloader.misleadapp Virus - Can't remove...

First - Thank you Everyone!  I sincerely appreciate your help.  Renaming the mbam.exe file worked like a charm.

Below are the results from the Malwarebytes scan. I'll run the GMER scan tonight.

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 6.0.6001 Service Pack 1

6/22/2009 06:09:58
mbam-log-2009-06-22 (06-09-34).txt

Scan type: Quick Scan
Objects scanned: 75379
Time elapsed: 1 hour(s), 14 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc (Rootkit.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151,85.255.112.207 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151,85.255.112.207 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
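
The two Trojan.DNSChanger lines above are the part of this infection that outlives the rootkit files: every name lookup on the box is being sent to resolvers the attacker controls, and "No action taken" means the scan only reported it. An added example (not from the thread and not part of Malwarebytes) that parses the "Registry Data Items Infected" section of an mbam log and flags NameServer values outside an allowlist; the third log line and the allowlist of expected resolvers are constructed.

```python
import ipaddress
import re

# Constructed sample: the two Trojan.DNSChanger lines from the Malwarebytes log
# above, plus one constructed line with a different action for contrast.
SAMPLE_MBAM_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151,85.255.112.207 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151,85.255.112.207 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.151 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# One entry: <key> (<detection>) -> Data: <data> -> <action>.
_ENTRY_RE = re.compile(
    r"^(?P<key>HKEY_\S+) \((?P<detection>[^)]+)\) -> Data: (?P<data>.*?) -> (?P<action>[^.]+)\.$"
)

def parse_registry_data_items(log_text):
    """Return the entries listed under 'Registry Data Items Infected:'."""
    entries = []
    in_section = False
    for line in log_text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):            # a section header
            in_section = line.startswith("Registry Data Items")
            continue
        if in_section and line:
            m = _ENTRY_RE.match(line)
            if m:
                entries.append(m.groupdict())
    return entries

def audit_nameservers(entries, allowed_resolvers):
    """Flag NameServer values pointing anywhere but the resolvers you expect.
    Returns (registry key, [unexpected values], remediated) per bad entry."""
    allowed = {ipaddress.ip_address(a) for a in allowed_resolvers}
    findings = []
    for e in entries:
        if not e["key"].endswith(r"\Tcpip\Parameters\NameServer"):
            continue
        unexpected = []
        for raw in re.split(r"[,\s]+", e["data"]):
            if not raw:
                continue
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                unexpected.append(raw)    # not even an IP: certainly not yours
                continue
            if ip not in allowed:
                unexpected.append(raw)
        if unexpected:
            # "No action taken" means the scan only reported it; the hijack is still live.
            remediated = not e["action"].lower().startswith("no action")
            findings.append((e["key"], unexpected, remediated))
    return findings

if __name__ == "__main__":
    # Assumed allowlist: a home router at 192.168.1.1 (constructed value).
    for key, bad, fixed in audit_nameservers(parse_registry_data_items(SAMPLE_MBAM_LOG), ["192.168.1.1"]):
        print(f"{key}: resolvers {bad} {'removed' if fixed else 'STILL SET'}")
```

The same check applies to every ControlSetNNN copy of the key, which is why the log lists the value twice: a clean CurrentControlSet with a dirty ControlSet001 comes back after the next "last known good" boot.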

Kudos1 Stats

Re: Downloader.misleadapp Virus - Can't remove...

Zrelaxed:

We will definitely require the GMER. Scan only; do nothing to resolve anything using GMER. It can cause considerable issues if not used properly. We only need it to identify all the files which are associated with your gxvxc rootkit. The log can be posted in segments; try to keep them in order, and plug them all in for Quads to look at later.

Under certain circumstances profanity provides relief denied even to prayer. (Mark Twain)
Kudos0

Re: Downloader.misleadapp Virus - Can't remove...

Here are the results of the GMER scan. Again, thanks!

Part One....

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-23 06:18:50
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

SSDT 857CA6B8 ZwAlertResumeThread
SSDT 857CA798 ZwAlertThread
SSDT 8615C848 ZwAllocateVirtualMemory
SSDT 85E0F3C0 ZwAlpcConnectPort
SSDT 85C7D7D0 ZwAssignProcessToJobObject
SSDT 85C7DD78 ZwCreateMutant
SSDT 86BE6E60 ZwCreateSymbolicLinkObject
SSDT 86DC9DB8 ZwCreateThread
SSDT 85C7D8B0 ZwDebugActiveProcess
SSDT 85CF1150 ZwDuplicateObject
SSDT 8615C6A8 ZwFreeVirtualMemory
SSDT 85C7DE68 ZwImpersonateAnonymousToken

Kudos0

Re: Downloader.misleadapp Virus - Can't remove...

Part 2:

SSDT 85C7DF48 ZwImpersonateThread
SSDT 85E0D3F0 ZwLoadDriver
SSDT 857CAF28 ZwMapViewOfSection
SSDT 85C7DC98 ZwOpenEvent
SSDT 85CF1068 ZwOpenProcess
SSDT 85D1C688 ZwOpenProcessToken
SSDT 85C7DAD8 ZwOpenSection
SSDT 85E84968 ZwOpenThread
SSDT 85C7D6E0 ZwProtectVirtualMemory
SSDT 857CA500 ZwResumeThread
SSDT 857CAC98 ZwSetContextThread
SSDT 857CAD78 ZwSetInformationProcess
SSDT 85C7D990 ZwSetSystemInformation
SSDT 85C7DBB8 ZwSuspendProcess
SSDT 857CA878 ZwSuspendThread
SSDT 85C37468 ZwTerminateProcess
SSDT 857CABB8 ZwTerminateThread
SSDT 857CAE68 ZwUnmapViewOfSection
SSDT 8615C778 ZwWriteVirtualMemory
SSDT 86BE6F50 ZwCreateThreadEx

Kudos0

Re: Downloader.misleadapp Virus - Can't remove...

Part 3:

Code 85C624A8 ZwEnumerateKey
Code 85C042C0 ZwFlushInstructionCache
Code 85C36515 IofCallDriver
Code 85C054AE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 81C7BFE2 5 Bytes JMP 85C054B3
.text ntkrnlpa.exe!KeSetTimerEx + 350 81CFA914 8 Bytes [B8, A6, 7C, 85, 98, A7, 7C, ...] {MOV EAX, 0x98857ca6; CMPSD ; JL 0xffffffffffffff8d}
.text ntkrnlpa.exe!KeSetTimerEx + 364 81CFA928 4 Bytes [48, C8, 15, 86]
.text ntkrnlpa.exe!KeSetTimerEx + 370 81CFA934 4 Bytes [C0, F3, E0, 85]
.text ntkrnlpa.exe!KeSetTimerEx + 3C4 81CFA988 4 Bytes JMP 49A77A0E
.text ntkrnlpa.exe!KeSetTimerEx + 428 81CFA9EC 4 Bytes [78, DD, C7, 85]
.text ...
.text ntkrnlpa.exe!IofCallDriver 81CFDF6F 5 Bytes JMP 85C3651A
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 81DF430B 5 Bytes JMP 85C042C4
PAGE ntkrnlpa.exe!ZwEnumerateKey 81E49BA2 5 Bytes JMP 85C624AC

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[376] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [6A39F563] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\NAVEX15 \Device\NAVEX15 9CB315D4

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\NAVENG \Device\NAVENG 9CBE3570

AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Kudos0

Re: Downloader.misleadapp Virus - Can't remove...

Part 4:

Library \\?\globalroot\systemroot\system32\gxvxcxpcmoxprtrpiyujxrcxcmlktbpfnibph.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [800] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\gxvxctbeyvpiwwmtqtajfuxuohtnsexnkekoo.sys (*** hidden *** ) [SYSTEM] gxvxcserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxctbeyvpiwwmtqtajfuxuohtnsexnkekoo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxctbeyvpiwwmtqtajfuxuohtnsexnkekoo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcxpcmoxprtrpiyujxrcxcmlktbpfnibph.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxccxjbspxrvdqjfsevmnfeanoqwhqpfwgs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxctbeyvpiwwmtqtajfuxuohtnsexnkekoo.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxctbeyvpiwwmtqtajfuxuohtnsexnkekoo.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcxpcmoxprtrpiyujxrcxcmlktbpfnibph.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxccxjbspxrvdqjfsevmnfeanoqwhqpfwgs.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys

Kudos0

Re: Downloader.misleadapp Virus - Can't remove...

Part 5:

Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxctbeyvpiwwmtqtajfuxuohtnsexnkekoo.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxctbeyvpiwwmtqtajfuxuohtnsexnkekoo.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcxpcmoxprtrpiyujxrcxcmlktbpfnibph.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxccxjbspxrvdqjfsevmnfeanoqwhqpfwgs.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxctbeyvpiwwmtqtajfuxuohtnsexnkekoo.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxctbeyvpiwwmtqtajfuxuohtnsexnkekoo.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcxpcmoxprtrpiyujxrcxcmlktbpfnibph.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxccxjbspxrvdqjfsevmnfeanoqwhqpfwgs.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxctbeyvpiwwmtqtajfuxuohtnsexnkekoo.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet005\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxctbeyvpiwwmtqtajfuxuohtnsexnkekoo.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcxpcmoxprtrpiyujxrcxcmlktbpfnibph.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxccxjbspxrvdqjfsevmnfeanoqwhqpfwgs.dll

Kudos0

Re: Downloader.misleadapp Virus - Can't remove...

Part 6 - Final Part:

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\drivers\gxvxctbeyvpiwwmtqtajfuxuohtnsexnkekoo.sys 47616 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\gxvxccount 4 bytes
File C:\Windows\System32\gxvxccxjbspxrvdqjfsevmnfeanoqwhqpfwgs.dll 27649 bytes executable
File C:\Windows\System32\gxvxcxpcmoxprtrpiyujxrcxcmlktbpfnibph.dll 22529 bytes executable

---- EOF - GMER 1.0.15 ----
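
What Dave asked the GMER log for was the full set of files tied to the gxvxc rootkit, and the six parts above give it in three places: the hidden Service/Library lines, the Reg entries under Services\gxvxcserv.sys (imagepath plus the three "modules" values), and the File section. An added triage script (not from the thread and not part of GMER) that pulls those out of a GMER log and cross-checks them: every hidden object should be explained by a service definition, and the 4-byte gxvxccount marker only turns up by name prefix. The excerpt is built from the log lines above with the column padding collapsed; the "no spaces in paths" assumption is noted in the code.

```python
import re
from collections import defaultdict

# Constructed excerpt of the GMER log posted above (column padding collapsed). The
# addresses, paths and service name are the ones GMER reported for the gxvxc rootkit.
SAMPLE_GMER_LOG = r"""
SSDT 857CA6B8 ZwAlertResumeThread
SSDT 85E0D3F0 ZwLoadDriver
SSDT 86BE6F50 ZwCreateThreadEx
Code 85C36515 IofCallDriver
Library \\?\globalroot\systemroot\system32\gxvxcxpcmoxprtrpiyujxrcxcmlktbpfnibph.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [800] 0x10000000
Service C:\Windows\system32\drivers\gxvxctbeyvpiwwmtqtajfuxuohtnsexnkekoo.sys (*** hidden *** ) [SYSTEM] gxvxcserv.sys <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxctbeyvpiwwmtqtajfuxuohtnsexnkekoo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxctbeyvpiwwmtqtajfuxuohtnsexnkekoo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcxpcmoxprtrpiyujxrcxcmlktbpfnibph.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxccxjbspxrvdqjfsevmnfeanoqwhqpfwgs.dll
File C:\Windows\System32\drivers\gxvxctbeyvpiwwmtqtajfuxuohtnsexnkekoo.sys 47616 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\gxvxccount 4 bytes
File C:\Windows\System32\gxvxccxjbspxrvdqjfsevmnfeanoqwhqpfwgs.dll 27649 bytes executable
"""

# "Reg <key>@<value> <data>" for a key under HKLM\SYSTEM\<ControlSet>\Services\<service>
_REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\[^\\]+\\Services\\(?P<svc>[^\\@\s]+)(?P<sub>[^@\s]*)@(?P<value>\S+)\s+(?P<data>.+)$"
)

def basename(win_path):
    """Last component of a Windows path, case-folded (os.path.basename ignores backslashes on POSIX)."""
    return win_path.rstrip("\\").rsplit("\\", 1)[-1].lower()

def triage_gmer(log_text):
    """Pull out what a reviewer looks for in a GMER log: hidden objects, lines GMER
    itself tagged ROOTKIT, SSDT hooks, reported files, and service definitions."""
    report = {"hidden": [], "rootkit_flagged": [], "ssdt_hooks": [], "files": [],
              "services": defaultdict(lambda: {"modules": {}, "values": {}})}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind, _, rest = line.partition(" ")
        target = rest.split(" ", 1)[0]   # assumption: paths in this log carry no spaces
        if kind == "SSDT":
            addr, _, func = rest.partition(" ")
            report["ssdt_hooks"].append((func, addr))
        elif kind in ("Library", "Service", "File"):
            if kind == "File":
                report["files"].append(target)
            if "*** hidden ***" in line:
                report["hidden"].append(target)
            if "<-- ROOTKIT" in line:
                report["rootkit_flagged"].append(target)
        elif kind == "Reg":
            m = _REG_RE.match(line)
            if m:
                svc = report["services"][m["svc"]]
                if m["sub"].lower() == "\\modules":
                    svc["modules"][m["value"]] = m["data"]
                else:
                    svc["values"][m["value"].lower()] = m["data"]
    report["services"] = dict(report["services"])
    return report

def service_components(report, svc_name):
    """Every file basename the registry ties to a service: its imagepath plus each
    entry under its 'modules' key. A cleanup has to account for all of them."""
    svc = report["services"][svc_name]
    names = {basename(p) for p in svc["modules"].values()}
    if "imagepath" in svc["values"]:
        names.add(basename(svc["values"]["imagepath"]))
    return names

def unexplained_hidden(report):
    """Hidden objects no service definition accounts for; these need a second look."""
    known = set()
    for svc_name in report["services"]:
        known |= service_components(report, svc_name)
    return sorted({basename(p) for p in report["hidden"]} - known)

def files_named_like(report, prefix):
    """Reported files sharing a name prefix: how the gxvxccount marker gets tied to the driver."""
    return sorted(n for n in (basename(p) for p in report["files"]) if n.startswith(prefix))
```

The SSDT list is kept as (function, address) pairs because every hooked entry in the log points into the same few kernel pool pages (857CA..., 85C7D...), which is the sign the Part 1 and Part 2 hooks belong to one driver rather than to Norton's own filters.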

Kudos0

Re: Downloader.misleadapp Virus - Can't remove...

Thanks Zrelaxed.  Nice work.  Quads will be along later.  We have time zone issues.  He will provide tools and instructions later in the day.
Under certain circumstances profanity provides relief denied even to prayer. (Mark Twain)
Kudos0

Re: Downloader.misleadapp Virus - Can't remove...

Sounds great.  Again, your help is much appreciated.  If there's anything else I can do in the interim, just let me know.
Kudos2 Stats

Re: Downloader.misleadapp Virus - Can't remove...

Hi 

Now (read carefully): if you have Spybot S&D, uninstall it.

1. Download Avenger to your desktop,

Unzipped version http://homepages.slingshot.co.nz/~crutches/Avenger/

Creator's website http://swandog46.geekstogo.com/avenger2/avenger2.html with a zipped version to unzip to the desktop.

2. Click to run "Avenger.exe"  (right click "Run as Administrator" if using Vista)

3. In the "Input script here:" box, copy and paste the script between the lines.


Drivers to disable:
gxvxcserv.sys
gxvxcserv

Drivers to delete:
gxvxcserv.sys
gxvxcserv

Files to delete:
C:\Autorun.inf
D:\Autorun.inf
C:\WINDOWS\system32\drivers\gxvxctbeyvpiwwmtqtajfuxuohtnsexnkekoo.sys
C:\WINDOWS\system32\gxvxcxpcmoxprtrpiyujxrcxcmlktbpfnibph.dll
C:\WINDOWS\System32\gxvxccxjbspxrvdqjfsevmnfeanoqwhqpfwgs.dll
C:\WINDOWS\System32\gxvxccount

Folders to delete:
C:\resycled
D:\resycled
E:\resycled
F:\resycled
G:\resycled
H:\resycled

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\gxvxcserv.sys


Here is a screenshot (script updated since shot)

Make sure "Automatically disable any rootkits found" is NOT selected.

4. Click "Execute"

You will be asked to restart the PC; click "Yes". When the PC restarts the load screen will take slightly longer, then when it looks as though Windows is loading the PC will restart again.

Then when Windows fully loads the Avenger log will be loaded, showing files it could or could not find.

5. This Rootkit can come with a DNS Changer

Restart the PC again, then see if you can install, update and run Malwarebytes from http://www.malwarebytes.org/mbam.php or http://www.filehippo.com/download_malwarebytes_anti_malware/

After that, run a Full Scan; if it finds anything, remove it, then see if you can update Malwarebytes.

Quads   

Kudos0

Re: Downloader.misleadapp Virus - Can't remove...

Thank you!  As far as I can tell, your solution worked perfectly.  Just updating NIS09 and running a full scan to confirm.  I sincerely appreciate everyone's help.
Kudos0

Re: Downloader.misleadapp Virus - Can't remove...

Hi

You will be able to see in the Avenger log what was removed by Avenger.

Quads 
