downloader-AFP

Discussion in 'Computer Support' started by ellis_jay, Oct 15, 2005.

  1. ellis_jay

    ellis_jay Guest

    Is the value 244 default in a winxp registry? I had this in my registry
    (HKCU) but not the other registry key (HKLM) that indicates a downloader
    (according to a McAfee link).

    http://www.headliner.org/headliner.php?c=us&id=5265&abbr=mcafee


    I have yet to search the files/dll's.
    Downloader-AFP


    HKEY_CURRENT_USER\Control Panel\International\Geo\Nation : Value="244"

    a.. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run\down: "MSXMIDI.EXE"

    Created:

    Copies itself as %sysdir%\msxmidi.exe. (8,704 bytes)
    If the download is prevented due to VSE's generic BO protection, another DLL
    file is dropped (in the same folder as the original file)

    winhlp32.dll (9,216 bytes)
    If IE is launched due to this trojan, it contacts the following IP in
    order to download various other trojans.

    69.50.161.11
    The downloaded files are

    netupd32.exe - Detected as downloader-AFP trojan
    nbtrstat.exe - Detected as Adclicker BM Trojan
    wowdbe.exe - Detected as StartPAge-DU trojan
    upncont.exe - Detected as Adware Clearsurfing
    tsmsetup.exe - Detected as Adware MsnList
    sethcd.exe - Detected as Adclicker-BW Trojan.
    smbdins.exe - Detected as Adware-MsnList
    ipvcx6.exe - Detected as Downloader-XD.dr Trojan

    -=-=-
    The following is as far as I got at Google. Looks Greek to me!!


    http://www.endrun.org/xr/svn/source/subversion/libsvn_subr/config_win.c?v=1.0.x#244

    I will know more when I search my computer for the files and dll's. Am I
    correct in assuming both registry keys must be present and the 244 is
    default? Or may it (244) be a leftover from sometime in the past? What to
    do?




    --

    Their ethics are a short summary of police ordinances: for them the most
    important thing is to be a useful member of the state, and to air their
    opinions in the club of an evening; they have never felt the homesickness
    for something unknown and far away, nor the depths which consists in being
    nothing at all.
    ___________Soren Kierkegaard

    Ellis_jay
     
    ellis_jay, Oct 15, 2005
    #1
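As an added example (not code from the thread or from McAfee), a Python check for the two indicators the pasted description names: the Run value `down` = MSXMIDI.EXE under HKLM and the dropped files by name and size in the system directory. The Geo\Nation key under HKCU is Windows' own location setting (GeoID 244 is United States), so it is not treated as an indicator here; the registry and directory readers are Windows-only, while the matching functions take plain dicts so they can be run against exported data anywhere.

```python
import os
import platform

# Indicators copied from the McAfee description quoted in the post.
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "down"                                   # Run\down = "MSXMIDI.EXE"
RUN_IMAGE = "msxmidi.exe"
DROPPED_FILES = {"msxmidi.exe": 8704, "winhlp32.dll": 9216}  # %sysdir% files, bytes


def image_name(command):
    """Lower-case file name a Run value launches: bare name or quoted full path."""
    cmd = command.strip()
    cmd = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split() or [""])[0]
    return os.path.basename(cmd.replace("\\", "/")).lower()


def check_run_entries(entries):
    """entries: {value name: data} read from the Run key. Flags the exact
    'down' = MSXMIDI.EXE pair and the same image registered under another name."""
    findings = []
    for name, data in entries.items():
        if image_name(data) == RUN_IMAGE:
            note = "" if name.lower() == RUN_VALUE_NAME else " (value name differs)"
            findings.append(f"Run\\{name} = {data!r}: Downloader-AFP autostart{note}")
    return findings


def check_dropped_files(listing):
    """listing: {lower-case file name: size in bytes} for %sysdir%."""
    return [f"{name}: {size} bytes, matches the dropped-file description"
            for name, size in DROPPED_FILES.items() if listing.get(name) == size]


def read_run_key():
    """Windows only: enumerate HKLM Run values with the standard winreg module."""
    import winreg
    entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:                      # no more values
                return entries
            entries[name] = str(data)
            i += 1


def list_system_dir(sysdir=None):
    """{file name: size} for %sysdir% (defaults to %SystemRoot%\\system32)."""
    sysdir = sysdir or os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
    return {e.name.lower(): e.stat().st_size for e in os.scandir(sysdir) if e.is_file()}
```

On the affected machine run `check_run_entries(read_run_key())` and `check_dropped_files(list_system_dir())`; an empty list means that indicator is absent.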

  2. ellis_jay

    why? Guest

    On Sat, 15 Oct 2005 15:59:45 -0500, ellis_jay wrote:

    >Is the value 244 default in a winxp registry? I had this in my registry


    Funny question, I would worry less about the value and more about the
    fact the key exists. If I had a loon on several PCs here I wouldn't
    expect the key so can't tell about the value.

    >(HKCU) but not the other registry key (HKLM) that indicates a downloader
    >(according to a McAfee link).


    'may create the key'

    >http://www.headliner.org/headliner.php?c=us&id=5265&abbr=mcafee


    Try AV vendor sites directly, without going through pass-through links.
    If you look for strings to id trojans etc, some sites have descriptions
    that are lists of matching words. However when you click on them you can
    get hit by all sorts of junk. All they do is generate lots of words to
    match all sorts of searches.

    Always look at more than 1 AV site, Symantec, Sophos, F-Prot etc and
    use a couple of different apps as vendors change the names about.

    >
    > I have yet to search the files/dll's.
    >Downloader-AFP


    The next bit is the paste from the article and not confirmation you have
    both registry entries or the other bits?

    Check first.

    As it mentions Browser Objects, have a look at HijackThis , search
    previous posts in 24HSHD.

    >HKEY_CURRENT_USER\Control Panel\International\Geo\Nation : Value="244"
    >
    >a.. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    >CurrentVersion\Run\down: "MSXMIDI.EXE"
    >

    <snip>


    Not what you want , knowing what might be but what you need to check.

    Another way to tell is run some sort of registry monitor, I have
    teaTimer and can monitor / allow / disallow registry changes. It does
    help.

    I snipped the IP address the trojan uses, but if you have the full
    trojan and not only some bits, your firewall should perhaps be stopping
    it or even logging the IP. You can check that as well.

    >-=-=-
    >The following is as far as I got at Google. Looks Greek to me!!


    Looks like you need to practice Google searches a bit. The URL below
    jumps to line 244 of the C source code of a VCS (version control system,
    called subversion) utility. Why? Because they have hyperlinks for each
    line and Google indexed those.

    So ignore it.

    >
    >http://www.endrun.org/xr/svn/source/subversion/libsvn_subr/config_win.c?v=1.0.x#244
    >
    >I will know more when I search my computer for the files and dll's. Am I
    >correct in assuming both registry keys must be present and the 244 is
    >default? Or may it (244) be a leftover from sometime in the past? What to
    >do?


    See the list of AV scanners, Anti-Spyware tools posted often by Mike and
    others. I reposted it within the last 3 or 4 days as well. Search
    24HSHD for - mike housecall

    Your better google search would be -

    Downloader-AFP , as you mentioned at the beginning :) and the exe file
    name as well.

    Quite a few hits, try these few below.

    http://forums.spywareinfo.com/lofiversion/index.php/t10735.html
    http://castlecops.com/s5777-MSXMIDI_EXE.html


    The exe file name at sophos
    http://www.sophos.com/search/index.cgi?search=MSXMIDI&submit=Search&action=search


    Me
     
    why?, Oct 15, 2005
    #2

  3. ellis_jay

    ellis_jay Guest

    why? wrote:
    > On Sat, 15 Oct 2005 15:59:45 -0500, ellis_jay wrote:
    >
    >> Is the value 244 default in a winxp registry? I had this in my
    >> registry

    >
    > Funny question, I would worry less about the value and more about the
    > fact the key exists.


    To have a value or not to have a value that is the question. Shake-speer?
    Or Ying Yang Twins?






    >If I had a loon on several PCs here I wouldn't
    > expect the key so can't tell about the value.


    The value is what makes the key operational or not, yes?



    > 'may create the key'


    Yes-"may" is the word.



    >> http://www.headliner.org/headliner.php?c=us&id=5265&abbr=mcafee

    >
    > Try AV vendor sites directly, without going through pass-through
    > links. If you look for strings to id trojans etc, some sites have
    > descriptions that are lists of matching words. However when you click
    > on them you can get hit by all sorts of junk. All they do is generate
    > lots of words to match all sorts of searches.


    The only sites I have found about this downloader are from McAfee.
    Google-ing or otherwise.


    > Always look at more than 1 AV site, Symantec, Sophos, F-Prot etc and
    > use a couple of different apps as vendors change the names about.
    >
    >>
    >> I have yet to search the files/dll's.
    >> Downloader-AFP

    >
    > The next bit is the paste from the article and not confirmation you
    > have both registry entries or the other bits?
    >
    > Check first.


    Right. Gotta run search for those files and dll's.




    > As it mentions Browser Objects, have a look at HijackThis , search
    > previous posts in 24HSHD.


    I run BHO Demon and HiJackthis from Tom Coyote periodically. Time for a run
    ............




    > Another way to tell is run some sort of registry monitor, I have
    > teaTimer and can monitor / allow / disallow registry changes. It does
    > help.


    I run TeaTimer in sessions, as well as Winpatrol in sessions. I won't
    "leave home without them", so to speak. Great utilities.

    > I snipped the IP address the trojan uses, but if you have the full
    > trojan and not only some bits, your firewall should perhaps be
    > stopping it or even logging the IP. You can check that as well.


    Right. I need to go over my alerts in ZA. Thanx for reminding me.



    >> -=-=-
    >> The following is as far as I got at Google. Looks Greek to me!!

    >
    > Looks like you need to practice Google searches a bit.


    Googling is not my weakness here. It is understanding all that Programese.
    Thanx for letting me know that the 244 in the link is a line and not a
    value.


    >The URL below
    > jumps to line 244 of the C source code of a VCS (version control
    > system, called subversion) utility. Why? Because they have hyperlinks
    > for each line and Google indexed those.
    >
    > So ignore it.
    >
    >>
    >>

    >> http://www.endrun.org/xr/svn/source/subversion/libsvn_subr/config_win.c?v=1.0.x#244
    >>
    >> I will know more when I search my computer for the files and dll's.
    >> Am I correct in assuming both registry keys must be present and the
    >> 244 is default? Or may it (244) be a leftover from sometime in the
    >> past? What to do?

    >
    > See the list of AV scanners, Anti-Spyware tools posted often by Mike
    > and others. I reposted it within the last 3 or 4 days as well. Search
    > 24HSHD for - mike housecall


    I use:
    AVG (default)
    Stinger
    Spybot S&D
    AdAware from lavasoft
    BHO demon
    Winpatrol
    Housecall (free scanner)
    Panda (free scanner)
    Avast (scanner)
    Spywareinfo (freescanner)
    Spyaudit (Webroot freescanner)
    Kaspersky (free file upload)
    Bazooka
    Asquared
    Asquared hijack
    Ewido
    MRU blaster
    Sophos worm removal tools
    Rav online scanner
    and other things too numerous to list here.

    > Your better google search would be -
    >
    > Downloader-AFP , as you mentioned at the beginning :) and the exe
    > file name as well.
    >
    > Quite a few hits, try these few below.
    >
    > http://forums.spywareinfo.com/lofiversion/index.php/t10735.html
    > http://castlecops.com/s5777-MSXMIDI_EXE.html
    >
    >
    > The exe file name at sophos
    >

    > http://www.sophos.com/search/index.cgi?search=MSXMIDI&submit=Search&action=search
    >
    >
    > Me


    Thanx.

    --

    Their ethics are a short summary of police ordinances: for them the
    most important thing is to be a useful member of the state, and to air
    their opinions in the club of an evening; they have never felt the
    homesickness for something unknown and far away, nor the depths which
    consists in being nothing at all. ___________Soren Kierkegaard

    Ellis_jay
     
    ellis_jay, Oct 17, 2005
    #3
  4. ellis_jay

    why? Guest

    On Sun, 16 Oct 2005 23:01:17 -0500, ellis_jay wrote:

    >why? wrote:
    >> On Sat, 15 Oct 2005 15:59:45 -0500, ellis_jay wrote:
    >>
    >>> Is the value 244 default in a winxp registry? I had this in my
    >>> registry

    >>
    >> Funny question, I would worry less about the value and more about the
    >> fact the key exists.

    >
    >To have a value or not to have a value that is the question. Shake-speer?
    >Or Ying Yang Twins?


    <smile>


    > >If I had a loon on several PCs here I wouldn't


    Ouch ... ^^^^ look

    >> expect the key so can't tell about the value.

    >
    >The value is what makes the key operational or not, yes?


    Yes, however I would hope not to have the key in the 1st place.


    >> 'may create the key'

    >
    >Yes-"may" is the word.


    That's what it said.

    >
    >
    >>> http://www.headliner.org/headliner.php?c=us&id=5265&abbr=mcafee

    >>
    >> Try AV vendor sites directly, without going through pass-through
    >> links. If you look for strings to id trojans etc, some sites have
    >> descriptions that are lists of matching words. However when you click
    >> on them you can get hit by all sorts of junk. All they do is generate
    >> lots of words to match all sorts of searches.

    >
    >The only sites I have found about this downloader are from McAfee.
    >Google-ing or otherwise.


    Yep, so you have to find out what other AV vendors are calling it. I do
    wish they had a common nameset some days.

    <snip>
    >>
    >> Looks like you need to practice Google searches a bit.

    >
    >Googling is not my weakness here. It is understanding all that Programese.


    <grin>

    Sometimes using + and - as prefixes to words makes a big difference. I
    have had to use

    keyword1 +keyword2 keyword3 -keyword4 -keyword5 -keyword5 -keyword7

    on several occasions.

    >Thanx for letting me know that the 244 in the link is a line and not a
    >value.


    YW.

    <snip>

    Me
     
    why?, Oct 18, 2005
    #4