SpyWare BeWare! ASAP
Topic: Assistance Request
Bill H.
Guest
« on: June 23, 2005, 11:43:40 AM »

Hi Guys,

I have a problem on a Windows 2000 box that I'm hoping to get some guidance on.

This spyware/virus is called catanti.exe. I have searched for it on Google and have come up with nothing, so I expect that it has renamed itself to some random letters in order to hide its true name.

There are 4 parts to this program that I can find:

Catanti.exe in c:\winnt\
A reg entry in startup\runonce
A BHO in IE
A .DAT file in the user’s temp directory

Killing it in memory does not work and it reruns and starts again.
If I delete or rename the catanti.exe in c:\winnt\, it just makes a new copy of itself.
If I remove the startup entry, it just puts it back; the same with the BHO and the same with the .DAT file.

If I restart in safe mode, it is still there in memory when I run task manager.

I know if I could kill the memory process that would solve my problems and I could take care of the rest.

What program can I use to discover what is restarting it in memory every time I kill it, or if you have any other suggestions I would appreciate it.

Thank you!

Bill H.
GR@PH;<'S
Moderator
« Reply #1 on: June 23, 2005, 03:27:14 PM »

Bill H.,
Please can you make sure that you are using
Ad-aware SE Build 106 (Free/Personal)
[If not, uninstall your old Ad-aware first, then install SE]
Then use the WebUpDate
to get the latest Definition file
(SE1R51 21.06.2005)
To do this, open Ad-aware,
click the WebUpDate
button at the top right hand side of the Ad-aware screen (the world globe).
Click "Connect".
Ad-aware will then download the latest Definition file for you.
To make sure it is updated, look at the main
Ad-aware screen, and look under "Initialization Status".
It should say the latest Definition file.
Then scan, doing a "Full Scan", and then post your logfile here by using the Add-Reply feature.
Logs are stored in:
C:\Documents and Settings\USERNAME\Application Data\Lavasoft\Ad-aware\Logs\.
An easy way to get there is to
click Start,
click Run,
and type in and press ENTER: %appdata%
then click Lavasoft,
then Ad-Aware,
and then Logs.
Scroll down to find the latest one that you have
(by date & time)
and open it, right click, select all,
copy and then paste the contents of it here.
(Make sure that all of your logfile has been posted; sometimes it will require two posts to get it all.)
I recommend that you use the WebUpDate just before you scan; that way you will always be up to date.

(Note: Application Data is a hidden folder, so you will need to show hidden files and folders,
and for Windows 98/ME users your logs are stored in
C:\WINDOWS\All Users\Application Data\ by default.)
GR@PH;<'S

press Enter then have a Brandy then if the problem is still there have another Brandy
Q: does it work
A: It does seem to for a few hours at least
LandzDown
Billjh
« Reply #2 on: June 24, 2005, 03:54:26 PM »

Hi Guys,

I was able to fix my problems by doing the following.

I booted into safe mode and used procexp.exe to suspend the process in memory. I renamed the files that were causing me problems and deleted the start up reg entries. Because the process was suspended in memory, the files were not recreated when I renamed them. I restarted the computer and all was good except for some clean up.

Bill H.
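As an added example (not the poster's own procedure or any code from the thread), the PowerShell script below inventories the autostart locations the thread names, the Run/RunOnce keys and the IE Browser Helper Objects, and flags entries whose name or path matches the executable in question, so the persistence points can be removed once the process has been suspended as described above. It assumes a Windows version with PowerShell rather than the Windows 2000 box in the thread; the name 'catanti' is taken from the thread, and the registry paths are the standard ones.

```powershell
# Added example: list Run/RunOnce entries and IE BHOs, flagging matches.
# $Pattern defaults to the filename named in the thread; change as needed.
param([string]$Pattern = 'catanti')

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

# Run/RunOnce: every value under the key is a command line started at logon.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        $findings += [pscustomobject]@{
            Location = $key; Name = $p.Name; Value = [string]$p.Value
        }
    }
}

# Browser Helper Objects: each subkey is a CLSID; resolve it to the DLL IE loads.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($clsidKey in Get-ChildItem -Path $bhoKey) {
        $clsid  = $clsidKey.PSChildName
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { '<unresolved>' }
        $findings += [pscustomobject]@{ Location = $bhoKey; Name = $clsid; Value = [string]$dll }
    }
}

# Show the full inventory, then highlight anything matching the pattern.
$findings | Format-Table -AutoSize
$hits = $findings | Where-Object { $_.Value -match $Pattern -or $_.Name -match $Pattern }
if ($hits) {
    Write-Warning "Autostart entries matching '$Pattern':"
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No autostart entries matching '$Pattern'."
}
```

Run it before and after the cleanup: an entry that reappears after deletion points to a still-running process that re-creates it, which is why the fix above suspends the process first.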