Do any of you know this file thingy called misleading.app?

(24 posts)
  • Started 2 years ago by BobbyD
  • Latest reply from ispalten
  • Topic Viewed 1422 times

BobbyD
Posts: 187

I need some help about it, if there is a thread already about it, can anyone link me to it?

Posted 2 years ago
 
GuiltySpark
Posts: 4024

Hi BobbyD,

It's a trojan; it silently downloads itself and redirects you to a fake malware scanner.

Use SAS http://superantispyware.com/ and download the free version; also try MBAM http://download.cnet.com/Malwa.....ag=mncol;1

Posted 2 years ago
 
BobbyD
Posts: 187

@Guilty

Thanks for the links, also I already have them. Apparently, my AV alerted me about it and I quickly scanned with MBAM and nothing found, Safe Mode nothing found. I guess my AV deleted it. I have another question: what does the Trojan do, and should I be alert even if my AV deleted it and MBAM didn't find anything?

Note: As soon as I started my computer, my AV said that the trojan appeared, and I checked the History and it said my AV deleted it, and I scanned with MBAM in normal and safe mode, nothing found.

Posted 2 years ago
 
BobbyD
Posts: 187

Should I still be alert that the trojan might still be on my computer? I heard some viruses stay on the computer even after they're deleted, or maybe I heard different.

Posted 2 years ago
 
GuiltySpark
Posts: 4024

Yes you should!!!

What AV are you using?

Look at your task manager and see if there are any processes that look out of place.

Check your Roaming files for something that resembles it or has a number (it may be different) that starts with 6****

If you are unsure how to get to the roaming profile:

C:\users\your name\appdata\roaming\

Then have a look at the files.

Posted 2 years ago
 
BobbyD
Posts: 187

@GuiltySpark

I'm using Norton 360. I have a question: if it was 'deleted' and it was still there, can MBAM or SAS manage to find the virus, because some AVs can't do what MBAM and SAS can do?

Posted 2 years ago
 
BobbyD
Posts: 187

Also, a file that starts with 6**** then after that a few numbers or a file name?

Posted 2 years ago
 
GuiltySpark
Posts: 4024

Norton360 is gonna do you no favours whatsoever; it always allows a virus in and says it picks it up, but because of the way the AV is usually set up, it will go through a restore point, and if the virus is in the form of a worm it will just replicate itself again and again.

My advice would be to ditch the 360 and install Microsoft Security Essentials; you will see a vast improvement.

Use the Norton removal tool found here: http://www.sevenforums.com/tut.....post690028
You might be asked to remove Symantec first; the removal tool for that is also there.

MSE can be found here: http://www.microsoft.com/en-us.....fault.aspx

You should also turn off all Autoruns, I don't know what OS you have but in Vista you can access it through Control Panel --- Autoplay, Select do nothing or equivalent for all in the list to stop the replication during your transition period.

The file starting with 6**** MAY be found in the Roaming profile that I pointed to above, although the number can change, but if you use MSE (Microsoft Security Essentials) then it will remove the problem completely.

Posted 2 years ago
 
BobbyD
Posts: 187

@Guilty

Another question, where can you usually get the virus and can MBAM still detect the virus even if Norton said the virus was deleted if the virus was still there?

Posted 2 years ago
 
BobbyD
Posts: 187

And what kind of processes should I look out for on Task Manager and is there any EASIER way to find the file that you mentioned if the file is still there?

Posted 2 years ago
 
ispalten
Posts: 6259

A friend the other day picked up the Security Shield Virus... I searched the web and the 'removal instructions' all had names that were numbers. Never found one. However, knowing how these things get in it was sort of easy to find.

Most start off via the registry, and most are in the user sub-folder. Vista and W7 that would be under USERS\userid\APPDATA\ROAMING, and the same structure in XP under DOCUMENTS AND SETTINGS\userid. Fairly easy to find.

How I found my friend's problem was searching the registry for RUNONCE. There are MANY of these, but only 2 to worry about. The ones for the WINDOWS\CURRENTVERSION\RUNONCE under HKCU\SOFTWARE\MICROSOFT and HKLM\SOFTWARE\MICROSOFT. Normally these should be EMPTY other than the default entry. Normal use of this key is for programs that need to do something only once, usually clean-up after an install or a delete. This is an excellent place for a virus to hide. During boot it gets executed and then first thing it does is check if the file is still there. Delete the file during a clean-up and it just re-installs itself. Security Shield didn't do this though, the program started via the RUNONCE entry. So you might want to check there.

As for Norton, it is OK, and others miss it too. What was my friend using when he got hit? Why MSE of course. What was disabled, MSE of course by the virus. No A/V can be 100% immune to things without basically locking down your computer to the point you can't use it.

The method most use is a 'normal' method for a program. Open the registry... write what it needs to. No A/V will object to this usually. If the file name isn't known, the A/V will allow it to happen. Norton ISS will alert you on D/L to a suspicious program, but one will get many of these 'warnings'. Any program that isn't used by many people triggers this, but I have disabled it for that type of warning, and I'm sure most people do. Almost ANY file of 99% of a game has few users compared to Word for instance. Anyway, the next thing that happens is the chains that bind the A/V to running processes are broken and then the A/V is out of the loop. Poof, you've lost protection.

What names does the virus use? Random ones of course. This way the A/V can't tell it's a rogue to start with. Can be all numbers, all letters, or a mixture of both for the filename. If you look at the files in the userid sub-folders and sort by date, and you know the approximate time you were hit, you'll see a like named file there that matches the time and date. Google its name, can't find it, probably is the virus. Then search the REGISTRY for that name as well... bet you'll find it in a RUNONCE. Oh, one more thing, you might NOT be able to run REGEDIT or even open TASK MANAGER to look for a like named process... in that case boot to SAFE MODE W/NETWORKING, generally you can there.

The lesson being Google the virus, read about it, and then start searching.

Norton and other virus programs are good. None are perfect. Some load the system, some are better than others, but there is no litmus test to say which is. Any A/V is only good if they protect you. If they fail, they are not good. Probably every A/V is susceptible to a zero-day attack. If they don't know what it is they let it through. Getting it 10 minutes later after a signature update would have protected you but you got hit before they discovered it... such is life.

Irv S.

Posted 2 years ago
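
The checks described in the post above (the two RUNONCE keys, and files under the Roaming folder sorted by date) can be done in one read-only pass. This PowerShell script is an added example, not part of the original thread; the look-back window $Days and the list of file extensions are assumptions to adjust.

```powershell
# Added example: read-only check of the RunOnce keys and the Roaming folder.
# $Days and the extension list are assumptions; adjust to when the alert fired.
param([int]$Days = 7)

$runOnceKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Every named value under the two keys; normally there are none.
$entries = @(foreach ($key in $runOnceKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        if ($name -eq '') { continue }          # skip the (Default) value
        [pscustomobject]@{
            Key     = $key
            Name    = $name
            Command = [string]$item.GetValue($name)
        }
    }
})

# Script and executable files written under Roaming inside the window, newest first.
$since = (Get-Date).AddDays(-$Days)
$extensions = '.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js'
$recent = Get-ChildItem -Path $env:APPDATA -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since -and $extensions -contains $_.Extension } |
    Sort-Object -Property LastWriteTime -Descending

# Flag each recent file whose name also appears in a RunOnce command line.
$report = foreach ($file in $recent) {
    $hits = @($entries | Where-Object {
        $_.Command.IndexOf($file.Name, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
    })
    [pscustomobject]@{
        LastWriteTime = $file.LastWriteTime
        Path          = $file.FullName
        RunOnceValue  = ($hits | ForEach-Object { $_.Name }) -join ', '
    }
}

'RunOnce values (expected to be empty):'
$entries | Format-List
"Recent files under $env:APPDATA (last $Days days):"
$report | Format-Table -AutoSize -Wrap
```

A file that shows up with a non-empty RunOnceValue is the pairing the post describes: a recently written file in the user profile that a RUNONCE entry launches at boot.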
 
BobbyD
Posts: 187

Should I give out where the virus attempted to attack? I don't know if it would be of help. @Irv What do you mean Google being the virus?

Also, can you shorten what you said, Irv? I sometimes don't have the time enough to read very long things.

Posted 2 years ago
 
vistamike
Posts: 10945

What Irv meant was 'google the virus'
Not google is the virus.

Mike

Posted 2 years ago
 
BobbyD
Posts: 187

@Vistamike Oh.

@Irv S.

I googled the virus and the first thing that popped up is Norton talking about Misleading Applications.

Posted 2 years ago
 
ispalten
Posts: 6259

Bobby, short answer, Norton is good as are other A/Vs. Viruses can get in even with the best. Google the name of the virus or what is happening and start reading entries. If you got it, so did others. BE CAREFUL on pages that have 'programs' to cure the problem, most are themselves nothing more than a ploy to get money.

If you can determine the method of attack, where the files are, you can repair it easily.

Irv S.

Posted 2 years ago
 
BobbyD
Posts: 187

@Irv. S

Well, I did check but I can only find things about "misleading applications" not the one I mentioned. Should I mention where the virus attempted to go to?

Posted 2 years ago
 
ispalten
Posts: 6259

Bobby, supply more info here I guess?

What exactly do/did you have? Was it a web page that led you somewhere else? Was it a program file, then give the name?

Google will not help as it appears there is nothing called 'misleading.app'?

Irv S.

Posted 2 years ago
 
BobbyD
Posts: 187

@Irv

For your first question, you mean the file location the virus attempted to go to?

For your second question, what do you mean what I have..? And I don't know, I just randomly got it, the virus.

Posted 2 years ago
 
ispalten
Posts: 6259

Everything you've provided is too vague I guess? I don't know what infection you have/had from your postings. I don't know how you discovered it or what you tried doing?

Your subject is "Do any of you know this file thingy called misleading.app?", yet there is no file called "misleading.app"?

Then you said "my AV alerted me about it" but never said what it alerted you to? If 'we' knew what that was, we could probably help you better.

Then this whole thread deteriorated into what A/V's are good or not.

So what was the virus, where was it located according to your A/V (Norton 360) log/report? What was the file name Norton took out?

Irv S.

Posted 2 years ago
 
vistamike
Posts: 10945
 



Topic Closed

This topic has been closed to new replies.