Velocity Reviews - Computer Support - downloader-AFP
(http://www.velocityreviews.com/forums/t231445-downloader-afp.html)

ellis_jay 10-15-2005 08:59 PM

downloader-AFP
 
Is the value 244 default in a winxp registry? I had this in my registry
(HKCU) but not the other registry key (HKLM) that indicates a downloader
(according to a McAfee link).

http://www.headliner.org/headliner.p...65&abbr=mcafee


I have yet to search the files/dll's.
Downloader-AFP


HKEY_CURRENT_USER\Control Panel\International\Geo\Nation : Value="244"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\down: "MSXMIDI.EXE"

Created:

Copies itself as %sysdir%\msxmidi.exe. (8,704 bytes)
If the download is prevented due to VSE's generic BO protection, another DLL
file is dropped (in the same folder as the original file)

winhlp32.dll (9,216 bytes)
If IE is launched due to this trojan, it contacts the following IP in
order to download various other trojans.

69.50.161.11
The downloaded files are

netupd32.exe - Detected as downloader-AFP trojan
nbtrstat.exe - Detected as Adclicker BM Trojan
wowdbe.exe - Detected as StartPAge-DU trojan
upncont.exe - Detected as Adware Clearsurfing
tsmsetup.exe - Detected as Adware MsnList
sethcd.exe - Detected as Adclicker-BW Trojan.
smbdins.exe - Detected as Adware-MsnList
ipvcx6.exe - Detected as Downloader-XD.dr Trojan

-=-=-
The following is as far as I got at Google. Looks Greek to me!!


http://www.endrun.org/xr/svn/source/....c?v=1.0.x#244

I will know more when I search my computer for the files and dll's. Am I
correct in assuming both registry keys must be present and the 244 is
default? Or may it (244) be a leftover from sometime in the past? What to
do?




--

Their ethics are a short summary of police ordinances: for them the most
important thing is to be a useful member of the state, and to air their
opinions in the club of an evening; they have never felt the homesickness
for something unknown and far away, nor the depths which consists in being
nothing at all.
___________Soren Kierkegaard

Ellis_jay
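An added check for the indicators pasted above, not from the thread or from McAfee: it looks for the Run value, the dropped files at the quoted sizes, and reports the Geo\Nation value for context only. The function name is assumed; everything else comes from the quoted description.

```powershell
# Added example (not the thread's or McAfee's code): check a Windows host for the
# Downloader-AFP indicators quoted above. Function name is assumed.
function Test-DownloaderAFPIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Autostart entry: a Run value named "down" whose data is MSXMIDI.EXE.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['down']) {
        $data = $run.down
        if ($data -match 'msxmidi\.exe') {
            $findings.Add("Run value 'down' = '$data' (matches description)")
        } else {
            $findings.Add("Run value 'down' = '$data' (name matches, data differs; inspect)")
        }
    }

    # 2. Dropped files in the system directory, with the sizes the description lists.
    #    A size mismatch is reported rather than dismissed: a different build may exist,
    #    or the name may belong to a legitimate file, so hash and scan it before acting.
    $sysDir = [Environment]::SystemDirectory
    $expected = @{ 'msxmidi.exe' = 8704; 'winhlp32.dll' = 9216 }
    foreach ($name in $expected.Keys) {
        $path = Join-Path $sysDir $name
        if (Test-Path -LiteralPath $path) {
            $len = (Get-Item -LiteralPath $path).Length
            if ($len -eq $expected[$name]) {
                $findings.Add("File $path present, size $len matches description")
            } else {
                $findings.Add("File $path present, size $len differs; hash/scan before acting")
            }
        }
    }

    # 3. Geo\Nation is the per-user locale GeoID that Windows itself sets (244 is
    #    the United States), so on its own it is not evidence of anything. Report it
    #    for context only, never as a detection.
    $geo = Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue
    if ($geo -and $geo.PSObject.Properties['Nation']) {
        $findings.Add("Context only: Geo\Nation = $($geo.Nation) (locale setting, not an indicator)")
    }

    return $findings
}

# Usage: print each finding; an empty result means none of the quoted indicators were found.
Test-DownloaderAFPIndicators | ForEach-Object { Write-Output $_ }
```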



why? 10-15-2005 10:01 PM

Re: downloader-AFP
 

On Sat, 15 Oct 2005 15:59:45 -0500, ellis_jay wrote:

>Is the value 244 default in a winxp registry? I had this in my registry


Funny question, I would worry less about the value and more about the
fact the key exists. If I had a loon on several PCs here I wouldn't
expect the key so can't tell about the value.

>(HKCU) but not the other registry key (HKLM) that indicates a downloader
>(according to a McAfee link).


'may create the key'

>http://www.headliner.org/headliner.p...65&abbr=mcafee


Try AV vendor sites directly, without going through pass-through links.
If you look for strings to id trojans etc, some sites have descriptions
that are lists of matching words. However when you click on them you can
get hit by all sorts of junk. All they do is generate lots of words to
match all sorts of searches.

Always look at more than 1 AV site, Symantec, Sophos, F-Prot etc and
use a couple of different apps as vendors change the names about.

>
> I have yet to search the files/dll's.
>Downloader-AFP


The next bit is the paste from the article and not confirmation you have
both registry entries or the other bits?

Check first.

As it mentions Browser Objects, have a look at HijackThis, search
previous posts in 24HSHD.

>HKEY_CURRENT_USER\Control Panel\International\Geo\Nation : Value="244"
>
>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
>CurrentVersion\Run\down: "MSXMIDI.EXE"
>

<snip>


Not what you want, knowing what might be but what you need to check.

Another way to tell is run some sort of registry monitor, I have
teaTimer and can monitor / allow / disallow registry changes. It does
help.

I snipped the IP address the trojan uses, but if you have the full
trojan and not only some bits, your firewall should perhaps be stopping
it or even logging the IP. You can check that as well.

>-=-=-
>The following is as far as I got at Google. Looks Greek to me!!


Looks like you need to practice Google searches a bit. The URL below
jumps to line 244 of the C source code of a VCS (version control system,
called subversion) utility. Why? Because they have hyperlinks for each
line and Google indexed those.

So ignore it.

>
>http://www.endrun.org/xr/svn/source/....c?v=1.0.x#244
>
>I will know more when I search my computer for the files and dll's. Am I
>correct in assuming both registry keys must be present and the 244 is
>default? Or may it (244) be a leftover from sometime in the past? What to
>do?


See the list of AV scanners, Anti-Spyware tools posted often by Mike and
others. I reposted it within the last 3 or 4 days as well. Search
24HSHD for - mike housecall

Your better google search would be -

Downloader-AFP , as you mentioned at the beginning :-) and the exe file
name as well.

Quite a few hits, try these few below.

http://forums.spywareinfo.com/lofive...hp/t10735.html
http://castlecops.com/s5777-MSXMIDI_EXE.html


The exe file name at sophos
http://www.sophos.com/search/index.c...&action=search


Me

ellis_jay 10-17-2005 04:01 AM

Re: downloader-AFP
 
why? wrote:
> On Sat, 15 Oct 2005 15:59:45 -0500, ellis_jay wrote:
>
>> Is the value 244 default in a winxp registry? I had this in my
>> registry

>
> Funny question, I would worry less about the value and more about the
> fact the key exists.


To have a value or not to have a value that is the question. Shake-speer?
Or Ying Yang Twins?






>If I had a loon on several PCs here I wouldn't
> expect the key so can't tell about the value.


The value is what makes the key operational or not, yes?



> 'may create the key'


Yes-"may" is the word.



>> http://www.headliner.org/headliner.p...65&abbr=mcafee

>
> Try AV vendor sites directly, without going through pass-through
> links. If you look for strings to id trojans etc, some site have
> descriptions that are lists of matching words. However when you click
> on then you can get hit by all sorts of junk. All they do is generate
> lots of words to match all sorts of searches.


The only sites I have found about this downloader are from McAfee.
Google-ing or otherwise.


> Always look at more than 1 AV site, Symantec, Sophos, F-Prot etc and
> use a couple of different apps as vendors change the names about.
>
>>
>> I have yet to search the files/dll's.
>> Downloader-AFP

>
> The next bit is the paste from the article and not confirmation you
> have both registry entries or the other bits?
>
> Check first.


Right. Gotta run search for those files and dll's.




> As it mentions Browser Objects, have a look at HijackThis, search
> previous posts in 24HSHD.


I run BHO Demon and HijackThis from Tom Coyote periodically. Time for a run
............




> Another way to tell is run some sort of registry monitor, I have
> teaTimer and can monitor / allow / disallow registry changes. It does
> help.


I run TeaTimer in sessions, as well as Winpatrol in sessions. I won't
"leave home without them", so to speak. Great utilities.

> I snipped the IP address the trojan uses, but if you have the full
> trojan and not only some bits, your firewall should perhaps be
> stopping it or even logging the IP. You can check that as well.


Right. I need to go over my alerts in ZA. Thanx for reminding me.



>> -=-=-
>> The following is as far as I got at Google. Looks Greek to me!!

>
> Looks like you need to practice Google searches a bit.


Googling is not my weakness here. It is understanding all that Programese.
Thanx for letting me know that the 244 in the link is a line and not a
value.


>The URL below
> jumps to line 244 of the C source code of a VCS (version control
> system, called subversion) utility. Why? Because they have hyperlinks
> for each line and Google indexed those.
>
> So ignore it.
>
>>
>>

>> http://www.endrun.org/xr/svn/source/....c?v=1.0.x#244
>>
>> I will know more when I search my computer for the files and dll's.
>> Am I correct in assuming both registry keys must be present and the
>> 244 is default? Or may it (244) be a leftover from sometime in the
>> past? What to do?

>
> See the list of AV scanners, Anti-Spyware tools posted often by Mike
> and others. I reposted it within the last 3 or 4 days as well. Search
> 24HSHD for - mike housecall


I use:
AVG (default)
Stinger
Spybot S&D
AdAware from lavasoft
BHO demon
Winpatrol
Housecall (free scanner)
Panda (free scanner)
Avast (scanner)
Spywareinfo (freescanner)
Spyaudit (Webroot freescanner)
Kaspersky (free file upload)
Bazooka
Asquared
Asquared hijack
Ewido
MRU blaster
Sophos worm removal tools
Rav online scanner
and other things too numerous to list here.

> Your better google search would be -
>
> Downloader-AFP , as you mentioned at the beginning :-) and the exe
> file name as well.
>
> Quite a few hits, try these few below.
>
> http://forums.spywareinfo.com/lofive...hp/t10735.html
> http://castlecops.com/s5777-MSXMIDI_EXE.html
>
>
> The exe file name at sophos
>

> http://www.sophos.com/search/index.c...&action=search
>
>
> Me


Thanx.

--

Their ethics are a short summary of police ordinances: for them the
most important thing is to be a useful member of the state, and to air
their opinions in the club of an evening; they have never felt the
homesickness for something unknown and far away, nor the depths which
consists in being nothing at all. ___________Soren Kierkegaard

Ellis_jay



why? 10-18-2005 08:54 PM

Re: downloader-AFP
 

On Sun, 16 Oct 2005 23:01:17 -0500, ellis_jay wrote:

>why? wrote:
>> On Sat, 15 Oct 2005 15:59:45 -0500, ellis_jay wrote:
>>
>>> Is the value 244 default in a winxp registry? I had this in my
>>> registry

>>
>> Funny question, I would worry less about the value and more about the
>> fact the key exists.

>
>To have a value or not to have a value that is the question. Shake-speer?
>Or Ying Yang Twins?


<smile>


> >If I had a loon on several PCs here I wouldn't


Ouch ... ^^^^ look

>> expect the key so can't tell about the value.

>
>The value is what makes the key operational or not, yes?


Yes, however I would hope not to have the key in the 1st place.


>> 'may create the key'

>
>Yes-"may" is the word.


That's what it said.

>
>
>>> http://www.headliner.org/headliner.p...65&abbr=mcafee

>>
>> Try AV vendor sites directly, without going through pass-through
>> links. If you look for strings to id trojans etc, some site have
>> descriptions that are lists of matching words. However when you click
>> on then you can get hit by all sorts of junk. All they do is generate
>> lots of words to match all sorts of searches.

>
>The only sites I have found about this downloader are from McAfee.
>Google-ing or otherwise.


Yep, so you have to find out what other AV vendors are calling it. I do
wish they had a common nameset some days.

<snip>
>>
>> Looks like you need to practice Google searches a bit.

>
>Googling is not my weakness here. It is understanding all that Programese.


<grin>

Sometimes using + and - as prefixes to words makes a big difference. I
have had to use

keyword1 +keyword2 keyword3 -keyword4 -keyword5 -keyword6 -keyword7

on several occasions.

>Thanx for letting me know that the 244 in the link is a line and not a
>value.


YW.

<snip>

Me

