| Home | Forums | Reviews | Guides | Newsgroups | Register | Search |
 |
| Thread Tools |
|
Guest
Posts: n/a
|
|
|
|
||
|
|
| |
|
Guest
Posts: n/a
|
On Sat, 15 Oct 2005 15:59:45 -0500, ellis_jay wrote: >Is the value 244 default in a winxp registry? I had this in my registry Funny question, I would worry less about the value and more about the fact the key exists. If I had a loon on several PCs here I wouldn't expect the key so can't tell about the value. >(HKCU) but not the other registry key (HKLM) that indicates a downloader >(according to a McAfee link). 'may create the key' >http://www.headliner.org/headliner.p...65&abbr=mcafee Try AV vendor sites directly, without going through pass-through links. If you look for strings to id trojans etc, some site have descriptions that are lists of matching words. However when you click on then you can get hit by all sorts of junk. All they do is generate lots of words to match all sorts of searches. Always look at more then 1 AV site, Symantex , Sophos, F-Prot etc and use a couple of different apps as vendors change the names about. > > I have yet to search the files/dll's. >Downloader-AFP The next bit is the paste from the article and not confirmation you have both registry entries or the other bits? Check first. As it mentions Browser Objects, have a look at HijackThis , search previous posts in 24HSHD. >HKEY_CURRENT_USER\Control Panel\International\Geo\Nation : Value="244" > >a.. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ >CurrentVersion\Run\down: "MSXMIDI.EXE" > <snip> Not what you want , knowing what might be but what you need to check. Another way to tell is run some sort of registry monitor, I have teaTimer and can monitor / allow / disallow registry changes. It does help. I snipped the IP address the trojan uses, but if you have the full trojan and not only some bits, your firewall should perhaps be stopping it or even logging the IP. You can check that as well. >-=-=- >The following is as far as I got at Google. Looks Greek to me!! Looks like you need to practice Google searches a bit. The URL below jumps to line 244 of the C source code of a VCS (version control system, called subversion) utility. Why? Because they have hyperlinks for each line and Google indexed those. So ignore it. > >http://www.endrun.org/xr/svn/source/....c?v=1.0.x#244 > >I will know more when I search my computer for the files and dll's. Am I >correct in asuming both registry keys must be present and the 244 is >default? Or may it (244) be a leftover from sometime in the past? What to >do? See the list of AV scanners, Anti-Spyware tools posted oftem by Mike and others. I reposeted it within the last 3 or 4 days as well. Search 24HSHD for - mike housecall Your better google search would be - Downloader-AFP , as you mentioned at the beginning  and the exe filename as well. Quite a few hits, try these few below. http://forums.spywareinfo.com/lofive...hp/t10735.html http://castlecops.com/s5777-MSXMIDI_EXE.html The exe file name at sophos http://www.sophos.com/search/index.c...&action=search Me |
|
|
|
|
|||
|
|
| |
|
Guest
Posts: n/a
|
why? wrote:
> On Sat, 15 Oct 2005 15:59:45 -0500, ellis_jay wrote: > >> Is the value 244 default in a winxp registry? I had this in my >> registry > > Funny question, I would worry less about the value and more about the > fact the key exists. To have a value or not to have a value that is the question. Shake-speer? Or Ying Yang Twins? >If I had a loon on several PCs here I wouldn't > expect the key so can't tell about the value. The value is what makes the key operational or not, yes? > 'may create the key' Yes-"may" is the word. >> http://www.headliner.org/headliner.p...65&abbr=mcafee > > Try AV vendor sites directly, without going through pass-through > links. If you look for strings to id trojans etc, some site have > descriptions that are lists of matching words. However when you click > on then you can get hit by all sorts of junk. All they do is generate > lots of words to match all sorts of searches. The only sites I have found about this downloader are from McAfee. Google-ing or otherwise. > Always look at more then 1 AV site, Symantex , Sophos, F-Prot etc and > use a couple of different apps as vendors change the names about. > >> >> I have yet to search the files/dll's. >> Downloader-AFP > > The next bit is the paste from the article and not confirmation you > have both registry entries or the other bits? > > Check first. Right. Gotta run search for those files and dll's. > As it mentions Browser Objects, have a look at HijackThis , search > previous posts in 24HSHD. I run BHO Demon and HiJackthis from Tom Coyote periodically. Time for a run ............ > Another way to tell is run some sort of registry monitor, I have > teaTimer and can monitor / allow / disallow registry changes. It does > help. I run TeaTimer in sessions, as well as Winpatrol in sessions. I won't "leave home without them", so to speak. Great utilities. > I snipped the IP address the trojan uses, but if you have the full > trojan and not only some bits, your firewall should perhaps be > stopping it or even logging the IP. You can check that as well. Right. I need to go over my alerts in ZA. Thanx for reminding me. >> -=-=- >> The following is as far as I got at Google. Looks Greek to me!! > > Looks like you need to practice Google searches a bit. Googling is not my weakness here. It is understanding all that Programese. Thanx for letting me know that the 244 in the link is a line and not a value. >The URL below > jumps to line 244 of the C source code of a VCS (version control > system, called subversion) utility. Why? Because they have hyperlinks > for each line and Google indexed those. > > So ignore it. > >> >> http://www.endrun.org/xr/svn/source/....c?v=1.0.x#244 >> >> I will know more when I search my computer for the files and dll's. >> Am I correct in asuming both registry keys must be present and the >> 244 is default? Or may it (244) be a leftover from sometime in the >> past? What to do? > > See the list of AV scanners, Anti-Spyware tools posted oftem by Mike > and others. I reposeted it within the last 3 or 4 days as well. Search > 24HSHD for - mike housecall I use: AVG (default) Stinger Spybot S&D AdAware from lavasoft BHO demon Winpatrol Housecall (free scanner) Panda (free scanner) Avast (scanner) Spywareinfo (freescanner) Spyaudit (Webroot freescanner) Kaspersky (free file upload) Bazooka Asquared Asquared hijack Ewido MRU blaster Sophos worm removl tools Rav online scanner and other things too numerous to list here. > Your better google search would be - > > Downloader-AFP , as you mentioned at the beginning and the exe> file name as well. > > Quite a few hits, try these few below. > > http://forums.spywareinfo.com/lofive...hp/t10735.html > http://castlecops.com/s5777-MSXMIDI_EXE.html > > > The exe file name at sophos > http://www.sophos.com/search/index.c...&action=search > > > Me Thanx. -- Their ethics are a short summary of police ordinances: for them the most important thing is to be a useful member of the state, and to air their opinions in the club of an evening; they have never felt the homesickness for something unknown and far away, nor the depths which consists in being nothing at all. ___________Soren Kierkegaard Ellis_jay |
|
|
|
|
|||
|
Guest
Posts: n/a
|
|
|
|
|
||
|
|
| |
|
| Thread Tools | |
|
|
