What's DOSANTI and how can I stop it?

Guest

Windows XP has been running really slowly of late and I think it's caused by
a file called DOSANTI.exe running in the background which is taking up a lot
of memory. Every time I stop the process, Windows goes back to normal speed.
But when I reboot, it always reappears. I've tried changing the msconfig
settings and I've also tried deleting the file from its folder
(windows\prefetch), but it just keeps restoring itself.

It hasn't been picked up by Norton or AdAware, but can anyone tell me what
it is and how I can get rid of it?

Thanks!
 
kalexs said:
Windows XP has been running really slowly of late and I think it's
caused by a file called DOSANTI.exe running in the background which
is taking up a lot of memory. Every time I stop the process, Windows
goes back to normal speed. But when I reboot, it always reappears.
I've tried changing the msconfig settings and I've also tried
deleting the file from its folder (windows\prefetch), but it just
keeps restoring itself.

It hasn't been picked up by Norton or AdAware, but can anyone tell me
what it is and how I can get rid of it?

Thanks!

Google returns nothing, and since *you* don't know what it is, then it
is time to consider malware: virus, trojan, worm, whatever. Boot to
safe mode, run a complete virus scan. Check Symantec (Norton) support
center for the dosanti.exe and run their on-line scan for starts.

Q
 
Hi

Have you virus checked your system with the latest definitions for your Anti
Virus program?

Also please try these programs to check for any spyware that may be on your
system:

Ad-Aware - www.lavasoftusa.com
Spybot - http://www.safer-networking.org/
CWShredder - http://forum.aumha.org/downloads/cwshredder.zip
Spy Sweeper - www.webroot.com

Try SpyWareBlaster to stop intrusions:

http://www.javacoolsoftware.com/spywareblaster.html

Also see the following links:

http://aumha.org/a/parasite.htm
http://mvps.org/winhelp2002/unwanted.htm
http://www.microsoft.com/security/articles/spyware.asp
 
I'm not sure what the file is, but it may be starting up via the registry.
Start regedit and look in:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Just look for any references to DOSANTI.EXE and delete the keys.

Just an idea, and probably not the best fix, but it may help...

--LB
 
Linda B said:
I'm not sure what the file is, but it may be starting up via the
registry.
Start regedit and look in:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Just look for any references to DOSANTI.EXE and delete the keys.

Just an idea, and probably not the best fix, but it may help...

--LB


Besides looking at the Run keys in the registry (there are two of them,
one under HKCU and one under HKLM) and the Start group for the profile of
the account under which you log in, there are logon scripts that may be
loaded when logging in. Another way to infect the machine is adding an
entry under the Winlogon registry key. Below is what I reported back in
May and sent the author of HijackThis a memo on its omission. I don't
know if the malware scanners, like Ad-Aware and Spybot, have been
updated to recognize nasty entries under this registry key.

From
http://groups.google.com/[email protected]:

Some of the newer spyware/virus variants are adding themselves as an event
(logon, logoff, shutdown). Take a look at the following registry key:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

I think one crapware installs a key named "Guardian" but others may use
something different; see

http://www.computercops.us/modules.php?name=Forums&file=viewtopic&p=141496

for an example report of finding this crapware infecting by using logon
events. HijackThis does not list the contents of this registry key as a
potential for infection (I sent a suggestion to include it). Could be this
is something so new that none of the anti-spyware checkers will look there.
After all, the detection signatures for both Ad-Aware and Spybot are pretty
old being dated back over a month (a month is a long time). Ad-Aware just
got a new update dated 2004-05-08, but then I still don't know if it
inspects this registry key for event usurpers.
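
The autostart locations named in this thread (the HKLM and HKCU Run keys, the Startup group, and Winlogon\Notify) can be listed in one read-only pass. The PowerShell below is an added example, not part of any post above; `$needle` and the `Add-Entry` helper are illustrative names, and logon scripts are not covered.

```powershell
# Added example, read-only: lists autostart entries and changes nothing.
$needle = 'dosanti'   # file name from the thread; edit to search for another

$found = @()
function Add-Entry($location, $name, $command) {
    # Hypothetical helper: collects one autostart entry as an object.
    $script:found += New-Object PSObject -Property @{
        Location = $location; Name = $name; Command = "$command"
    }
}

# 1. Run keys: one per machine (HKLM) and one per user (HKCU).
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (Test-Path $key) {
        $k = Get-Item $key
        foreach ($v in $k.GetValueNames()) { Add-Entry $key $v ($k.GetValue($v)) }
    }
}

# 2. Startup group: the logged-on user's folder and the all-users folder.
$shellFolders = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 (Get-ItemProperty $shellFolders).'Common Startup')
foreach ($dir in $startupDirs) {
    if ($dir -and (Test-Path $dir)) {
        Get-ChildItem $dir | ForEach-Object { Add-Entry $dir $_.Name $_.FullName }
    }
}

# 3. Winlogon\Notify: each subkey names a DLL (DllName) tied to logon,
#    logoff and shutdown events. Skipped if the key is absent.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    Get-ChildItem $notify | ForEach-Object {
        Add-Entry $notify $_.PSChildName ($_.GetValue('DllName'))
    }
}

# Show everything, then repeat only the entries that mention the suspect name.
$found | Select-Object Location, Name, Command | Format-List
$hits = @($found | Where-Object {
    "$($_.Name) $($_.Command)" -match [regex]::Escape($needle) })
"{0} entries listed, {1} mention '{2}'" -f $found.Count, $hits.Count, $needle
$hits | Select-Object Location, Name, Command | Format-List
```

Review the full list as well as the matches: an entry under Winlogon\Notify appears by its DLL path and key name, which need not contain the executable's name.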
 