How-To Geek Forums / Geek Stuff
Do any of you know this file thingy called misleading.app?
(24 posts)
Hi BobbyD,
It's a trojan; it silently downloads itself and redirects you to a fake malware scanner.
Use SAS http://superantispyware.com/ and download the free version; also try MBAM http://download.cnet.com/Malwa.....ag=mncol;1
@Guilty
Thanks for the links, also I already have them, apparently, my AV alerted me about it and I quickly scanned with MBAM and nothing found, Safe Mode nothing found. I guess my AV deleted it. I have another question, what does the Trojan do and should I be alert even if my AV deleted it and MBAM didn't find anything?
Note: As soon as I started my computer, my AV said that the trojan appeared and I checked the History and said my AV deleted it and I scanned with MBAM on normal and safe mode, nothing found.
Yes you should!!!
What AV are you using ?
Look at your task manager and see if there are any processes that look out of place.
Check your Roaming files for something that resembles it or has a number (it may be different) that starts with 6****
If you are unsure how to get to the roaming profile:
C:\users\your name\appdata\roaming\
Then have a look at the files.
Norton360 is gonna do you no favours whatsoever. It always allows viruses in and says it picks it up, but because of the way the AV is usually set up, it will go through a restore point, and if the virus is in the form of a worm it will just replicate itself again and again.
My advice would be to ditch the 360 and install Microsoft Security Essentials; you will see a vast improvement.
Use the Norton removal tool found here : http://www.sevenforums.com/tut.....post690028
You might be asked to remove Symantec first; the removal tool for that is also there.
MSE can be found here : http://www.microsoft.com/en-us.....fault.aspx
You should also turn off all Autoruns, I don't know what OS you have but in Vista you can access it through Control Panel --- Autoplay, Select do nothing or equivalent for all in the list to stop the replication during your transition period.
The file starting with 6**** MAY be found in the Roaming profile that I pointed to above, although the number can change, but if you use MSE (Microsoft Security Essentials) then it will remove the problem completely.
A friend the other day picked up the Security Shield Virus... I searched the web and the 'removal instructions' all had names that were numbers. Never found one. However, knowing how these things get in it was sort of easy to find.
Most start off via the registry, and most are in the user sub-folder. Vista and W7 that would be under USERS\userid\APPDATA\ROAMING, and the same structure in XP under DOCUMENTS AND SETTINGS\userid. Fairly easy to find.
How I found my friend's problem was searching the registry for RUNONCE. There are MANY of these, but only 2 to worry about. The ones for the WINDOWS\CURRENTVERSION\RUNONCE under HKCU\SOFTWARE\MICROSOFT and HKLM\SOFTWARE\MICROSOFT. Normally these should be EMPTY other than the default entry. Normal use of this key is for programs that need to do something only once, usually clean-up after an install or a delete. This is an excellent place for a virus to hide. During boot it gets executed and then first thing it does is check if the file is still there. Delete the file during a clean-up and it just re-installs itself. Security Shield didn't do this though, the program started via the RUNONCE entry. So you might want to check there.
As for Norton, it is OK, and others miss it too. What was my friend using when he got hit? Why MSE of course. What was disabled, MSE of course by the virus. No A/V can be 100% immune to things without basically locking down your computer to the point you can't use it.
The method most use is a 'normal' method for a program. Open the registry... write what it needs to. No A/V will object to this usually. If the file name isn't known, the A/V will allow it to happen. Norton ISS will alert you on D/L to a suspicious program, but one will get many of these 'warnings'. Any program that isn't used by many people triggers this, but I have disabled it for that type of warning, and I'm sure most people do. Almost ANY file of 99% of a game has few users compared to Word for instance. Anyway, the next thing that happens is the chains that bind the A/V to running processes are broken and then the A/V is out of the loop. Poof, you've lost protection.
What names does the virus use? Random ones, of course. This way the A/V can't tell it's a rogue to start with. Can be all numbers, all letters, or a mixture of both for the filename. If you look at the files in the userid sub-folders and sort by date, and you know the approximate time you were hit, you'll see a like named file there that matches the time and date. Google its name, can't find it, probably is the virus. Then search the REGISTRY for that name as well... bet you'll find it in a RUNONCE. Oh, one more thing, you might NOT be able to run REGEDIT or even open TASK MANAGER to look for a like named process... in that case boot to SAFE MODE W/NETWORKING, generally you can there.
The lesson being Google the virus, read about it, and then start searching.
Norton and other virus programs are good. None are perfect. Some load the system, some are better than others, but there is no litmus test to say which is. Any A/V is only good if they protect you. If they fail, they are not good. Probably every A/V is susceptible to a zero-day attack. If they don't know what it is they let it through. Getting it 10 minutes later after a signature update would have protected you but you got hit before they discovered it... such is life.
Irv S.
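The check described in the post above (the two RUNONCE keys, then files in the roaming profile dated near the time of the alert, then matching one against the other), as an added PowerShell example that is not part of the original posts. The parameter and function names are illustrative assumptions.

```powershell
# Added example: list RunOnce entries and recently written roaming-profile files,
# then report any recent file that a RunOnce entry points at.
# $ApproxTime, $WindowHours and the function names are assumptions for illustration.
param(
    [datetime]$ApproxTime = (Get-Date),   # roughly when the AV alert appeared
    [int]$WindowHours = 24                # how far either side of that time to look
)

$runOnceKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunOnceEntry {
    foreach ($path in $runOnceKeys) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            if ($name -eq '') { continue }      # skip the (Default) value
            New-Object PSObject -Property @{
                Key = $path; Name = $name; Command = [string]$key.GetValue($name)
            }
        }
    }
}

function Get-RecentRoamingFile {
    $from = $ApproxTime.AddHours(-$WindowHours)
    $to   = $ApproxTime.AddHours($WindowHours)
    # -Force includes hidden files; unreadable folders are skipped silently
    Get-ChildItem -Path $env:APPDATA -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       $_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to } |
        Sort-Object LastWriteTime
}

$entries = @(Get-RunOnceEntry)
$files   = @(Get-RecentRoamingFile)

"RunOnce entries (the post expects none besides the default):"
$entries | Format-Table Key, Name, Command -AutoSize | Out-String

"Recently written roaming files referenced by a RunOnce entry:"
foreach ($f in $files) {
    foreach ($e in $entries) {
        # Plain case-insensitive substring match, so odd characters in names are safe
        if ($e.Command.IndexOf($f.Name, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            "{0}  <-  {1}\{2}" -f $f.FullName, $e.Key, $e.Name
        }
    }
}
```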
Bobby, short answer, Norton is good as are other A/V's. Viruses can get in even with the best. Google the name of the virus or what is happening and start reading entries. If you got it, so did others. BE CAREFUL on pages that have 'programs' to cure the problem, most are themselves nothing more than a ploy to get money.
If you can determine the method of attack, where the files are, you can repair it easily.
Irv S.
Everything you've provided is too vague I guess? I don't know what infection you have/had from your postings. I don't know how you discovered it or what you tried doing?
Your subject is "Do any of you know this file thingy called misleading.app?", yet there is no file called "misleading.app"?
Then you said "my AV alerted me about it" but never said what it alerted you to? If 'we' knew what that was, we could probably help you better.
Then this whole thread deteriorated into what A/V's are good or not.
So what was the virus, where was it located according to your A/V (Norton 360) log/report? What was the file name Norton took out?
Irv S.
Googled. I post this merely for perusal.
http://www.symantec.com/connec.....w-me-money
http://www.symantec.com/connec.....ney-part-2
http://www.symantec.com/connec.....ney-part-3
Mike
