downloader.clispri.A, trojan.byteverify
subratam
November 14th, 2003, 06:26 AM
I have TDS 3 and all the great AVs like Norton and AVG, but... none seem to eradicate downloader.clispri.A or trojan.byteverify or even catch them... AVG catches them, though, but I have to clean them manually... come on TDS, you can do it
subratam
November 14th, 2003, 06:28 AM
Can anyone say what I can do with these trojans.... they are the new kids on the block and yes they are :'( unknown... can anyone tell me anything about these...
Pieter_Arntz
November 14th, 2003, 06:40 AM
Hi subratam,
ByteVerify is not that new: http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html
Also check this thread: http://www.wilderssecurity.com/showthread.php?t=13039
I can't find anything about downloader.clispri.A
Can you tell us which scanner identified what file as being clispri.A?
Regards,
Pieter
subratam
November 14th, 2003, 07:08 AM
Man... thanks, I went to the same thread you gave to know about ByteVerify.. I have all the latest updates for Win2k Pro.. don't know, though, why ByteVerify still attacked me.. I think I have cleaned it, as I have had CWShredder do that... I also delete the histories and caches with System Mechanic, and I just got my "cache JARs in memory" option in the Java plug-in unchecked so that it doesn't keep any cache... I read that an updated Java VM shouldn't cause problems.. actually I don't want to uninstall it.. hey, I have started downloading the latest Java plug-in from Sun.. should it be OK then??
About downloader.clispri.A: it's a new kid on the block. I have got some info that it generally has two exes, scbr.exe and ptpo.exe.. I don't know what it does, though, till now for sure.. my AVG caught that but nothing more it could do.. no heal, no delete... I am also not sure that it's not there anymore ... if you have the downloader... and you don't know, you can run the Trend Micro online scan and have AVG 7 installed before that... Trend opens each file and AVG catches the worm as the infected file is opened.. anyone got more info or how to tackle it.... please come on in...
Thanks in advance
Pieter_Arntz
November 14th, 2003, 07:17 AM
I was going to ask for your HijackThis log, but I think I found it:
http://forums.techguy.org/t179386/s.html
Is that correct?
Regards,
Pieter
Pieter_Arntz
November 14th, 2003, 07:35 AM
Hi subratam,
I looked up what zephyr at TSG mentioned and that is correct.
If you had Purityscan this line (or something similar) would have been in your log:
O4 - HKCU\..\Run: [Opad] C:\Documents and Settings\Administrator\Application Data\scbr.exe
Other names that are in use for this spyware are Clickspring and Mendware. Obviously AVG decided it needed yet another name. ::)
Regards,
Pieter
subratam
November 14th, 2003, 07:44 AM
Hey, that's my log, you got it right... and I checked it once for myself... and will you please go through it and tell me if anything wrong is still in my computer... I have been getting frustrated by these trojans and viruses on the web... they seem to increase every second, please... see through my HijackThis log... and see if you can find anything not needed...
Logfile of HijackThis v1.97.6
Scan saved at 6:16:42 PM, on 11/14/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\GFI\System Integrity Monitor 3\cfservice.exe
C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton CrashGuard\CGMenu.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Desktop Architect\datray.exe
C:\Program Files\FreeMem Professional\fmempro.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Tray Wizard\TWizard.exe
C:\Program Files\Winamp3\Studio.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\mdm.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Happy Surfing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINNT\Downloaded Program Files\ycomp5_2_3_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_2_3_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\Program Files\Norton CrashGuard\CGMenu.EXE"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [Tray Wizard] C:\Program Files\Tray Wizard\TWizard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Professional\fmempro.exe" autostart
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/125335c4d044a2873906/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37929.4057986111
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_2_3_0.cab
???... Thanks in advance again :)
Pieter_Arntz
November 14th, 2003, 07:56 AM
Hi subratam,
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file) <= belongs to DAP but the file is missing
O4 - HKLM\..\Run: C:\WINNT\System32\igfxtray.exe <= Quick access to the control panel via a System Tray icon for graphics based upon the Intel chipsets (i.e. i810). These chipsets are often included on motherboards. Available via Start -> Settings -> Control Panel
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime <= System Tray access to Apple's "Quick Time" viewer. Not needed
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <= Resource hog that launches common MS Office components to help speed up the launch of Office programs. Some users claim there's no difference with or without it but it isn't required anyway. Different filenames used for different variants
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/125335c4d044a2873906/netzip/RdxIE601.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
Then reboot.
Comments in italics came from: http://www.pacs-portal.co.uk/startup_pages/startup_full.php
I don't see any spyware or trojans that are active.
Regards,
Pieter
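A triage helper for the HijackThis log format used throughout this thread, covering both the Purityscan O4 line Pieter quoted earlier and the "(no file)" and O16 entries he told subratam to fix. This is an added example, not code from the thread or from HijackThis itself; the sample log is constructed from lines that appear in the thread, and the flag rules are assumptions a reviewer would start from, not verdicts.

```python
"""Triage helper for HijackThis v1.9x logs such as the ones posted in this thread.

Added example, not code from the thread or from HijackThis.  It parses the
'R0/O1/O2/...' entry lines and flags the kinds of entries the helpers above
singled out: a component whose file is missing, an O16 downloaded control
served from a bare IP address, an O1 hosts-file override, and an O4 autostart
launched from a user profile directory (the Purityscan scbr.exe pattern).
Flagged entries are candidates for review, not verdicts.
"""
import re
from dataclasses import dataclass

# Constructed sample assembled from lines that appear in the thread above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.6
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Opad] C:\Documents and Settings\Administrator\Application Data\scbr.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/125335c4d044a2873906/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Every HijackThis entry line starts with a section tag such as "O4 - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# http(s):// followed by a dotted-quad host instead of a hostname.
BARE_IP_URL_RE = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?:[/:]|$)", re.IGNORECASE)
# A path under a user's profile (long or 8.3 short names), where a normal
# program's autostart entry would not usually live.
USER_PROFILE_RE = re.compile(
    r"\\(?:Documents and Settings|DOCUME~1)\\[^\\]+\\"
    r"(?:Application Data|APPLIC~1|Local Settings|LOCALS~1)\\",
    re.IGNORECASE,
)


@dataclass
class Finding:
    section: str
    reason: str
    entry: str


def parse_entries(log_text):
    """Return (section, body, full line) for every HijackThis entry line."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group("section"), match.group("body"), line))
    return entries


def triage(log_text):
    """Flag entries that deserve a closer look, in log order."""
    findings = []
    for section, body, line in parse_entries(log_text):
        if body.endswith("(no file)"):
            findings.append(Finding(section, "registered component whose file is missing; "
                                             "check which product left it behind", line))
        if section == "O1":
            findings.append(Finding(section, "hosts-file override; confirm the mapping is intended", line))
        if section == "O16":
            # The download URL is the last " - " separated field of a DPF entry.
            url = body.rsplit(" - ", 1)[-1]
            if BARE_IP_URL_RE.match(url):
                findings.append(Finding(section, "downloaded control served from a bare IP address", line))
        if section == "O4" and USER_PROFILE_RE.search(body):
            findings.append(Finding(section, "autostart launched from a user profile directory", line))
    return findings


def report(log_text):
    """Human-readable summary of the flagged entries."""
    lines = [f"{f.section}: {f.reason}\n    {f.entry}" for f in triage(log_text)]
    return "\n".join(lines) if lines else "nothing flagged"


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```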
subratam
November 14th, 2003, 09:15 AM
The latest log file:
Logfile of HijackThis v1.97.6
Scan saved at 7:45:48 PM, on 11/14/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\GFI\System Integrity Monitor 3\cfservice.exe
C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton CrashGuard\CGMenu.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Tray Wizard\TWizard.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Desktop Architect\datray.exe
C:\Program Files\FreeMem Professional\fmempro.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Happy Surfing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINNT\Downloaded Program Files\ycomp5_2_3_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_2_3_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\Program Files\Norton CrashGuard\CGMenu.EXE"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [Tray Wizard] C:\Program Files\Tray Wizard\TWizard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Professional\fmempro.exe" autostart
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37929.4057986111
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_2_3_0.cab
The striking part in this is I can't eradicate the
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file) and I get the same from Spybot, it comes again and again.. maybe default.. anyway I have gone through security checks, SpywareBlaster download, browser checks, everything... as you said... how do I know which cookie is good for me and which one is going to cause havoc...
Thanks in advance :)
Pieter_Arntz
November 14th, 2003, 09:22 AM
Hi subratam,
Do you still use DAP?
Regards,
Pieter
subratam
November 14th, 2003, 09:32 AM
Yeah, I do use DAP... is there any problem with that??? ... it asks for browser integration at first... and when I try to do it, it says "int gailed". Anyway, should I uninstall DAP, or when it asks at first, shouldn't I integrate it with the browser?? :-[
Pieter_Arntz
November 14th, 2003, 09:50 AM
Hi subratam,
No, there isn't much wrong with DAP; I just figured that might be the reason you can't remove that entry.
So you can leave that one alone and if Spybot finds it again rightclick it in the main screen and choose "Exclude this product from further searches."
And your log looks fine now.
Regards,
Pieter
subratam
November 14th, 2003, 10:01 AM
:D :D ... You guys rock, man... this site really looks into each and every matter... I really appreciate your attention. 8) I am amazed at the reply rate that I have been getting from this site.. hats off to all you guys, and to you specially, from my heart, Pieter....
I hope both downloader.clispri.a and trojan.byteverify have taken a back seat now... if not, and if I do get anything unnecessary, I will report sooner rather than later..
Can you tell me one thing... can I continue to have TDS3 after the trial period.. at least for checking trojans..???
Pieter_Arntz
November 14th, 2003, 10:10 AM
Hi subratam,
I would advise you to buy TDS3 after the trial is over, or sooner if you decide that it suits your needs. They are working on TDS4 now and you will receive a free upgrade.
I know I never regretted buying it. :)
Regards,
Pieter
subratam
November 14th, 2003, 10:34 AM
Hi there.. yeah, I just saw what you wrote.. can you please tell me what the difference would be once I get it registered?? And by the way, will all the functions of TDS go away after the trial period?? ???.. Actually I can of course register in future, but till then can I continue to have the normal functions, those I have now??
Thanks in advance..
Oh, one more thing I was forgetting to find out from you.. last time I checked with a full scan through TDS it said autoexec.bat was missing... does that matter too much?? I checked just now also, before posting; it says file doesn't exist c:\autoexec.bat after verifying the files.. what is ntvdm.exe??
subratam
November 14th, 2003, 12:10 PM
Please, anyone... please give a little attention to this topic :-[ I recently posted one topic naming byteverify and downloader.clispri.a.... many things may have got well till then.. I got almost all the security that a person can get
NAV 2002 latest updates with latest liveupdate installed
AVG 7
SpywareBlaster
SpyBot SD
CWshredder
TDS
Trojan Remover
Tiny personal firewall
hijackthis
I have even gone through the security checks and have the latest security updates...
But this downloader.clispri.a, once it got in through Purityscan when I didn't have the software... now doesn't seem to go :-[
Whenever I scan with Trend Micro, which scans each file minutely and tries to open the infected file (c:\docum~1\admini~1\locals~1\temp\vsg3ea01060), AVG catches the trojan.. but nothing more it can do.. I heard from other sites the trojan mainly has two exes... scbr.exe and ptpo.exe
I welcome anyone, anybody, to help me out....
Thanks in advance
Primrose
November 14th, 2003, 01:53 PM
If you use any on-line scanner from HouseCall or any others... then during that time turn off the resident AV and AT programs that you installed on your PC and have running.
Uguel707
November 14th, 2003, 02:23 PM
Hi Subratam!
I'm sorry that you have to deal with one of those nasties. Although I have never caught a Trojan myself and can't personally coach you much on that matter, I found some info on Trojans that may be of help. There is advice on how to find a Trojan, how to repair damage (if you have already caught one of them) and how to avoid falling prey to Trojans. It is good also that you unhide all Windows filename extensions before starting to scan your computer. The link I give you here tells how to do it.
http://www.irchelp.org/irchelp/security/trojan.html
Additional info:
I am infected with a Trojan. How do I get rid of it?
http://www.broadbandreports.com/faq/4191
And I agree with Primrose's tip, turning off any resident AV and AT when scanning your computer with online tools.
Hope this helps,
Uguel
LowWaterMark
November 14th, 2003, 02:53 PM
Hi subratam,
Since there is related information in all of them, I've merged your various threads together into the first one you started earlier today.
Please keep all posts on this problem together as there is useful information in all of them and it helps to have it all in one place.
Thanks,
LowWaterMark
Pilli
November 14th, 2003, 03:06 PM
Hello subratam & welcome. If you are still having problems ref your shout for help:
Can you please go to this link http://www.diamondcs.com.au/index.php?page=asviewer & download AsViewer.
Run AsViewer.exe, then save the findings to asviewer.txt and paste a copy in your next reply to this thread. This may help us determine why you cannot stop or delete the troublesome files and/or what the Trojan is.
If you can copy any files that may belong to the Trojan, please send them to submit@diamondcs.com.au where they can be analysed.
To answer your last questions
You will:
Get the added feature of Executive Protection if you wish to install it; this basically will not allow a Trojan to run whilst TDS is running.
Be able to download the radius files from within TDS3.
Get a free upgrade to TDS4
Have access to the TDS private forums - A vast knowledge base for TDS Licensed operators. :)
TDS trial will stop working after the trial period :(
Cheers LWM.
subratam
November 15th, 2003, 04:03 AM
I have the temp folder which contains the trojan, as and when it's trying to be opened by HouseCall it shows... should I delete the tmp folder? How do I know what important things are there in my folder?? And I have HijackThis.. does it work the same as Autostart, or can I copy Autostart from TDS?? Actually I am not sure now how many more AVs, ATs and SpywareBlasters I need to be protected :'( I have more security software now in my comp than anything else.. and had my comp not been 2.4 GHz and 256 RAM I would have been struggling to manage my comp :-X
I have made all necessary arrangements, but I think only this downloader trojan... which once got in.. maybe doing nothing, but as it's also a new kid on the block, is not getting eradicated.. should I send the temp folder to you guys?? And if you want I can post my HijackThis log file next up... or Autostart Viewer, whatever you guys think is good
Thanks in advance and waiting eagerly
Pilli
November 15th, 2003, 04:32 AM
Subratam, zip a copy of the folder if you like and send it to submit@diamondcs.com.au
We would like to see a printout from your autostartviewer please. Ensure that both services & drivers are selected in "Main" before saving the text.
subratam
November 15th, 2003, 04:34 AM
??? Here lies the AsViewer report; if there's anything else y'all need, do tell me... I am waiting
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Subratam@CHWEETY, 11-15-2003
c:\winnt\system32\autoexec.nt
C:\WINNT\system32\mscdexnt.exe
C:\WINNT\system32\redir.exe
C:\WINNT\system32\dosx.exe
c:\winnt\system32\config.nt
C:\WINNT\system32\himem.sys
c:\winnt\system.ini [drivers]
timer=timer.drv
c:\winnt\system.ini [boot]\shell
C:\WINNT\Explorer.exe
c:\winnt\system.ini [boot]\scrnsave.exe
C:\WINNT\Webshots.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINNT\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINNT\Webshots.scr
HKCR\vbsfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
mobsync.exe /logon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_CC
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_EMC
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV Agent
C:\PROGRA~1\NORTON~1\navapw32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton CrashGuard Monitor
C:\Program Files\Norton CrashGuard\CGMenu.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadQM
C:\WINNT\loadqm.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DownloadAccelerator
C:\PROGRA~1\DAP\DAP.EXE /STARTUP
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
C:\WINNT\system32\\NeroCheck.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrojanScanner
C:\Program Files\Trojan Remover\Trjscan.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SpybotSnD
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tray Wizard
C:\Program Files\Tray Wizard\TWizard.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Mechanic Cache Cleanup
C:\Program Files\iolo\System Mechanic 4\SysMech4.exe /COMPLETECACHE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo! Pager
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Desktop Architect
C:\Program Files\Desktop Architect\datray.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FreeMem Pro
C:\Program Files\FreeMem Professional\fmempro.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\iolo Task Agent
C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_Run
C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINNT\system32\NETSHELL.dll
C:\WINNT\system32\webcheck.dll
C:\WINNT\system32\stobject.dll
C:\WINNT\Tasks\SIM3 Scan 1.job
C:\Program Files\GFI\System Integrity Monitor 3\cfstart.exe
C:\WINNT\Tasks\Symantec NetDetect.job
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Webshots.lnk
C:\Program Files\Webshots\WebshotsTray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\24Online Client.lnk
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk /r \??\C:
autocheck autochk *
smrgdf C:\Program Files\iolo\System Mechanic 4\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINNT\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINNT\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINNT\system32\msafd.dll
C:\WINNT\system32\rsvpsp.dll
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINNT\system32\JAVASUP.VXD
:-[ Thanks in advance
subratam
November 15th, 2003, 04:38 AM
Oops, I didn't see that you told me to check the services and drivers... sorry
The updated viewer log:
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Subratam@CHWEETY, 11-15-2003
c:\winnt\system32\autoexec.nt
C:\WINNT\system32\mscdexnt.exe
C:\WINNT\system32\redir.exe
C:\WINNT\system32\dosx.exe
c:\winnt\system32\config.nt
C:\WINNT\system32\himem.sys
c:\winnt\system.ini [drivers]
timer=timer.drv
c:\winnt\system.ini [boot]\shell
C:\WINNT\Explorer.exe
c:\winnt\system.ini [boot]\scrnsave.exe
C:\WINNT\Webshots.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINNT\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINNT\Webshots.scr
HKCR\vbsfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
mobsync.exe /logon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_CC
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_EMC
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV Agent
C:\PROGRA~1\NORTON~1\navapw32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton CrashGuard Monitor
C:\Program Files\Norton CrashGuard\CGMenu.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadQM
C:\WINNT\loadqm.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DownloadAccelerator
C:\PROGRA~1\DAP\DAP.EXE /STARTUP
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
C:\WINNT\system32\\NeroCheck.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrojanScanner
C:\Program Files\Trojan Remover\Trjscan.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SpybotSnD
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tray Wizard
C:\Program Files\Tray Wizard\TWizard.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Mechanic Cache Cleanup
C:\Program Files\iolo\System Mechanic 4\SysMech4.exe /COMPLETECACHE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo! Pager
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Desktop Architect
C:\Program Files\Desktop Architect\datray.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FreeMem Pro
C:\Program Files\FreeMem Professional\fmempro.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\iolo Task Agent
C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_Run
C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINNT\system32\NETSHELL.dll
C:\WINNT\system32\webcheck.dll
C:\WINNT\system32\stobject.dll
C:\WINNT\Tasks\SIM3 Scan 1.job
C:\Program Files\GFI\System Integrity Monitor 3\cfstart.exe
C:\WINNT\Tasks\Symantec NetDetect.job
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Webshots.lnk
C:\Program Files\Webshots\WebshotsTray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\24Online Client.lnk
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk /r \??\C:
autocheck autochk *
smrgdf C:\Program Files\iolo\System Mechanic 4\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINNT\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINNT\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINNT\system32\msafd.dll
C:\WINNT\system32\rsvpsp.dll
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINNT\system32\JAVASUP.VXD
HKLM\System\CurrentControlSet\Services\AFD\
C:\WINNT\System32\drivers\afd.sys
HKLM\System\CurrentControlSet\Services\Avg7Alrt\
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
HKLM\System\CurrentControlSet\Services\Avg7UpdSvc\
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
HKLM\System\CurrentControlSet\Services\Browser\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\Dhcp\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\dmserver\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\Dnscache\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\Eventlog\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\GFI LANguard System Integrity Monitor 3 agent service\
C:\Program Files\GFI\System Integrity Monitor 3\cfservice.exe
HKLM\System\CurrentControlSet\Services\lanmanserver\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\lanmanworkstation\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\LmHosts\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\lnss_sscans\
C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
HKLM\System\CurrentControlSet\Services\Messenger\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\navapsvc\
C:\Program Files\Norton AntiVirus\navapsvc.exe
HKLM\System\CurrentControlSet\Services\NtmsSvc\
C:\WINNT\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\PersFw\
C:\Program Files\Tiny Personal Firewall\persfw.exe
HKLM\System\CurrentControlSet\Services\PlugPlay\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\PolicyAgent\
C:\WINNT\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\ProtectedStorage\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\RemoteRegistry\
C:\WINNT\system32\regsvc.exe
HKLM\System\CurrentControlSet\Services\RpcSs\
C:\WINNT\system32\svchost -k rpcss
HKLM\System\CurrentControlSet\Services\SamSs\
C:\WINNT\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\SBService\
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
HKLM\System\CurrentControlSet\Services\Schedule\
C:\WINNT\system32\MSTask.exe
HKLM\System\CurrentControlSet\Services\SecDrv\
\??\C:\WINNT\system32\drivers\SECDRV.SYS
HKLM\System\CurrentControlSet\Services\seclogon\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\SENS\
C:\WINNT\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Spooler\
C:\WINNT\system32\spoolsv.exe
HKLM\System\CurrentControlSet\Services\SYMTDI\
\??\C:\WINNT\System32\Drivers\SYMTDI.SYS
HKLM\System\CurrentControlSet\Services\TrkWks\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\WinMgmt\
C:\WINNT\System32\WBEM\WinMgmt.exe
HKLM\System\CurrentControlSet\Services\wuauserv\
C:\WINNT\system32\svchost.exe -k wugroup
subratam
November 15th, 2003, 07:15 AM
Anybody out there???
And I've got one more question: this TDS scan says c:\autoexec.bat is missing after checking the files, and what is ntvdm.exe???
Primrose
November 15th, 2003, 08:09 AM
Hi sub,
I will talk to you again, but first we have to clear up a lot of confusion for you.
First of all, the complete path for the area on your PC that you think appears to be giving you a TROJAN is this:
C:\Documents and Settings\Administrator\Local Settings\Temp
That area, called TEMP, is used by all the programs you now have running to temporarily load so they can function. When you have many running at the same time and also watching that folder... and then run the on-line TREND HouseCall.. programs like AVG can give you a false positive if you have it running at the same time.
*****************************************
I have read all the rest of the posts made on this problem you seem to be having at all the other forums:
[SOT] Damn trojan
Newsgroup:
alt.hacker
1 Kevin Nov 10, 2003
|-2 root1657 Nov 10, 2003
\-3 subratam Nov 14, 2003
Must be new as AVG didnt pick it up & no one admits to opening an email
with it.
The trojan is named Clispri.A and consists of 2 .exe's named scbr.exe &
ptpo.exe. seems to install itself to c:\Documents and Settings\User_name
\Application Data.
From: subratam (subratambiswas@yahoo.com)
Subject: Re: [SOT] Damn trojan
Newsgroups: alt.hacker
Date: 2003-11-14 00:47:07 PST
Hey there... I was also attacked by this clispri.A trojan.... though I don't know if I still have it yet... I have deleted the scbr.exe and ptpo.exe and run all my AVs. The trojan seems to set itself in explorer bars. It normally resides in Local Settings. You can run the Trend Micro online scan and before that have AVG 7 installed.. the online scan will try to open every file and scan, and AVG will catch the trojan. No, it can't do anything now though, no heal or delete, but at least you know whether you still have it or not. I am regularly checking my post in the Tech Support Guy forum, security. Hope I also get attention. Ciao
******************************************
So I will tell you this: AVG does not have a trojan in their database called Clispri.A or downloader.clispri.A; another vendor might...
But at this time you are not infected with any trojan.
I suggest to you again to turn off your AVG so it does not load and scan while you are doing another on-line scan. If anything is causing your problems, it is the fact that the action of one AV/AT product is appearing, to another scanner, to be a trojan as it scans.
Jooske
November 15th, 2003, 08:54 AM
Hi there!
>and I got one more question: this TDS scan says c:\autoexec.bat is missing after checking the files,<
In TDS > Edit Config Text Files > crcfiles.txt
edit in the right location of the files on your system, although I've been told the autoexec.bat would not be there on an XP system (correct me if I'm wrong), so a file which is not supposed to be there and is not there, you should only be worried about if it would be located! Best remove it from that txt and add other files if you feel those are important to be checked for changes.
>and what is ntvdm.exe<
ntvdm - ntvdm.exe - Process Information
Process File: ntvdm or ntvdm.exe
Process Name: Windows 16-bit Virtual Machine
Description: The Windows Virtual Machine for 16-bit Windows and Dos programs is used to run dos programs and old Windows programs inside a virtual machine
Don't know where you found that on your system? I don't have it.
Primrose
November 15th, 2003, 09:31 AM
If it helps you, I have that NTVDM.EXE and it is a legitimate program and is used for Optimizing Applications
http://www.windowsitlibrary.com/Content/435/06/2.html
I think one of the problems you are having with all this is trying to understand your PC and its OS. I think that is great and you are learning.
But be careful with focusing your thoughts too much on unfamiliar-named .EXE type programs in your search within the files and folders of your PC.
Even in the TEMP folder, many AV/AT developers temporarily install an .exe with a funny name that is actually their program running disguised with a new name each time it loads, to fend off attacks by bad boys who would seek it out and stop it from running.
AV/AT programmers have also devised other methods besides this in self-defence, since many of the exploits you run into nowadays try first not only to infect your PC, but also to stop any firewall or security product that you have installed from doing its job.
subratam
November 15th, 2003, 12:44 PM
So you all are saying I am not infected with any trojan right now ::) In another forum, from http://forums.techguy.org/showthread.php?threadid=179386&goto=newpost
I reported the HijackThis log. I did find some regsvc.exe; I don't know what it is.. one dcsresearch string was there, as you can see from the string there and the HijackThis log.. I fixed it.. I also found regsvc.exe.. I do understand what you all are saying about AV/AT doing the disguise acts.. and I do really appreciate you all for the attention and help you have been giving me.. in one simple word it's awesome, but I just want to be totally sure with my computer... if you want I can put up both the HijackThis log and also the AS Viewer log from DiamondCS too
Thanks in advance
Primrose
November 15th, 2003, 01:05 PM
Nope, I do not want to see the HijackThis log again.. the one you posted at TechGuy shows you are now plagued with another exploit.. a new one you just picked up.. they will handle it over there for you.
The kind you are picking up come from various sites.. nasty things.. there are programs that will stop them.. but these hijack, search and porno hooks are all over the place, and your first goal to stop them is to tighten up the settings on your browsers and OS. Third-party software is good to clean your PC and help with some of it.. but it also has to do with the sites that are visited and what you allow them to download to you.
On that you do have control.. but I think you have never tried to block them with safer settings on your browser.
subratam
November 15th, 2003, 01:10 PM
Please.. I am now getting tense as to what new thing I have got now :( Please help me out from here also.. as you know, even a second late can do harm to a computer. And also, what security settings do I go for now??
Please, please help me out....
Primrose
November 15th, 2003, 01:20 PM
Since you are in the TDS forum and this is about their product, it is not really the place to do this.
But if you post again in one of the general sections of this Wilders board for help.. there are programs like XP-AntiSpy
http://www.xp-antispy.org/
that also work for Win2000 and can help secure your OS.. and then also someone can give you site links like this one...
http://www.markusjansson.net/
that you could follow to tighten up your settings... and also understand why you are doing it.
But I can not give you much more in this section of the Wilders forum.
Be well :)
subratam
November 15th, 2003, 01:48 PM
Hmmm... I did download XP-AntiSpy as you said... it did disable some of the readily accessible internet updates.... actually I have all these: SpywareBlaster, Spybot and CWShredder with me... I don't know if that's the reason... I think some of the sites are taking a little time to open... the rest are all fine...
I am still confused about regsvc.exe; if that's bad, how should I remove it?
I want my computer to be free from nasties now :'(
It's been frustrating all these days just going on downloading one piece of software after another for security, and my computer is full of security software instead of anything else :P
Logfile of HijackThis v1.97.6
Scan saved at 11:49:39 PM, on 11/15/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\GFI\System Integrity Monitor 3\cfservice.exe
C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton CrashGuard\CGMenu.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Tray Wizard\TWizard.exe
C:\Program Files\Desktop Architect\datray.exe
C:\Program Files\FreeMem Professional\fmempro.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\mdm.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Happy Surfing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINNT\Downloaded Program Files\ycomp5_2_3_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_2_3_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\Program Files\Norton CrashGuard\CGMenu.EXE"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Tray Wizard] C:\Program Files\Tray Wizard\TWizard.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Professional\fmempro.exe" autostart
O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37929.4057986111
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_2_3_0.cab
********************************
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Subratam@CHWEETY, 11-15-2003
c:\winnt\system32\autoexec.nt
C:\WINNT\system32\mscdexnt.exe
C:\WINNT\system32\redir.exe
C:\WINNT\system32\dosx.exe
c:\winnt\system32\config.nt
C:\WINNT\system32\himem.sys
c:\winnt\system.ini [drivers]
timer=timer.drv
c:\winnt\system.ini [boot]\shell
C:\WINNT\Explorer.exe
c:\winnt\system.ini [boot]\scrnsave.exe
C:\WINNT\Webshots.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINNT\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINNT\Webshots.scr
HKCR\vbsfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
mobsync.exe /logon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_CC
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_EMC
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV Agent
C:\PROGRA~1\NORTON~1\navapw32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton CrashGuard Monitor
C:\Program Files\Norton CrashGuard\CGMenu.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadQM
C:\WINNT\loadqm.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DownloadAccelerator
C:\PROGRA~1\DAP\DAP.EXE /STARTUP
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
C:\WINNT\system32\\NeroCheck.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrojanScanner
C:\Program Files\Trojan Remover\Trjscan.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SpybotSnD
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tray Wizard
C:\Program Files\Tray Wizard\TWizard.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo! Pager
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Desktop Architect
C:\Program Files\Desktop Architect\datray.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FreeMem Pro
C:\Program Files\FreeMem Professional\fmempro.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\iolo Task Agent
C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_Run
C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINNT\system32\NETSHELL.dll
C:\WINNT\system32\webcheck.dll
C:\WINNT\system32\stobject.dll
C:\WINNT\Tasks\SIM3 Scan 1.job
C:\Program Files\GFI\System Integrity Monitor 3\cfstart.exe
C:\WINNT\Tasks\Symantec NetDetect.job
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Webshots.lnk
C:\Program Files\Webshots\WebshotsTray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\24Online Client.lnk
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
smrgdf C:\Program Files\iolo\System Mechanic 4\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINNT\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINNT\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINNT\system32\msafd.dll
C:\WINNT\system32\rsvpsp.dll
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINNT\system32\JAVASUP.VXD
HKLM\System\CurrentControlSet\Services\AFD\
C:\WINNT\System32\drivers\afd.sys
HKLM\System\CurrentControlSet\Services\Avg7Alrt\
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
HKLM\System\CurrentControlSet\Services\Avg7UpdSvc\
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
HKLM\System\CurrentControlSet\Services\Browser\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\Dhcp\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\dmserver\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\Dnscache\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\Eventlog\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\GFI LANguard System Integrity Monitor 3 agent service\
C:\Program Files\GFI\System Integrity Monitor 3\cfservice.exe
HKLM\System\CurrentControlSet\Services\lanmanserver\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\lanmanworkstation\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\LmHosts\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\lnss_sscans\
C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
HKLM\System\CurrentControlSet\Services\Messenger\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\navapsvc\
C:\Program Files\Norton AntiVirus\navapsvc.exe
HKLM\System\CurrentControlSet\Services\NtmsSvc\
C:\WINNT\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\PersFw\
C:\Program Files\Tiny Personal Firewall\persfw.exe
HKLM\System\CurrentControlSet\Services\PlugPlay\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\PolicyAgent\
C:\WINNT\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\ProtectedStorage\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\RemoteRegistry\
C:\WINNT\system32\regsvc.exe
HKLM\System\CurrentControlSet\Services\RpcSs\
C:\WINNT\system32\svchost -k rpcss
HKLM\System\CurrentControlSet\Services\SamSs\
C:\WINNT\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\SBService\
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
HKLM\System\CurrentControlSet\Services\Schedule\
C:\WINNT\system32\MSTask.exe
HKLM\System\CurrentControlSet\Services\SecDrv\
\??\C:\WINNT\system32\drivers\SECDRV.SYS
HKLM\System\CurrentControlSet\Services\seclogon\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\SENS\
C:\WINNT\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Spooler\
C:\WINNT\system32\spoolsv.exe
HKLM\System\CurrentControlSet\Services\SYMTDI\
\??\C:\WINNT\System32\Drivers\SYMTDI.SYS
HKLM\System\CurrentControlSet\Services\TrkWks\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\WinMgmt\
C:\WINNT\System32\WBEM\WinMgmt.exe
HKLM\System\CurrentControlSet\Services\wuauserv\
C:\WINNT\system32\svchost.exe -k wugroup
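A way to work through a HijackThis log like the one above with a script rather than by eye, as an added example that is not code from HijackThis, DiamondCS or anyone in this thread: it parses the O2/O3/O4/O16 line shapes HijackThis 1.97 prints and flags the entries a reviewer checks first. The sample lines are copied from the log above; the flag rules (orphaned "(no file)" entries, Run-key commands that are a bare filename rather than a full path, the host a Downloaded Program File was fetched from) are this example's own choice, and a flag means "look at this", not "infected".

```python
"""Triage a HijackThis 1.97 log.

Added example, not code from HijackThis or from anyone in this thread.
It parses the O2/O3/O4/O16 line shapes seen in the log above and flags
the entries a reviewer would look at first.  The SAMPLE_LOG lines are
copied from the log above; the flag rules are this example's own."""
import re
from dataclasses import dataclass, field


@dataclass
class Entry:
    section: str                 # O2, O3, O4 or O16
    name: str                    # display name; "(no name)" when HJT has none
    target: str                  # file path, command line or download URL
    flags: list = field(default_factory=list)


# Line shapes exactly as HijackThis 1.97 prints them.
RE_BHO_TOOLBAR = re.compile(r'^(O[23]) - (?:BHO|Toolbar): (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$')
RE_RUNKEY = re.compile(r'^(O4) - HK\w+\\\.\.\\\w+: \[([^\]]*)\] (.*)$')
RE_STARTUP = re.compile(r'^(O4) - (?:Global )?Startup: (.*?) = (.*)$')
RE_DPF = re.compile(r'^(O16) - DPF: (?:\{[0-9A-Fa-f-]+\} \((.*?)\)|(.*?)) - (\S+)$')
ABS_PATH = re.compile(r'^[A-Za-z]:\\')


def parse_line(line):
    """Return an Entry for a recognised HJT line, None for anything else."""
    m = RE_BHO_TOOLBAR.match(line)
    if m:
        return Entry(m.group(1), m.group(2), m.group(3))
    m = RE_RUNKEY.match(line) or RE_STARTUP.match(line)
    if m:
        return Entry(m.group(1), m.group(2), m.group(3))
    m = RE_DPF.match(line)
    if m:
        return Entry(m.group(1), m.group(2) or m.group(3), m.group(4))
    return None


def command_exe(cmd):
    """The executable part of a Run-key command line, quotes removed.
    Only the start of the path matters for the absolute-path test, so an
    unquoted path with spaces is cut at the first space on purpose."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def triage(lines):
    """Parse every line and attach review flags to the entries."""
    entries = []
    for raw in lines:
        e = parse_line(raw.rstrip('\r\n'))
        if e is None:
            continue
        if e.target == '(no file)':
            # The registry still points at a file that no longer exists:
            # harmless leftover, but also where a removed hijacker used to live.
            e.flags.append('orphan: registry references a file that is gone')
        if e.section == 'O4' and not ABS_PATH.match(command_exe(e.target)):
            # A bare name such as "loadqm.exe" is located through the
            # process search path, so the file that actually runs should
            # be confirmed rather than assumed.
            e.flags.append('bare filename: confirm which file the search path resolves to')
        if e.section == 'O16' and e.target.lower().startswith('http://'):
            # Downloaded ActiveX controls: note the host they came from.
            e.flags.append('ActiveX control fetched from ' + e.target.split('/')[2])
        entries.append(e)
    return entries


# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\Program Files\Norton CrashGuard\CGMenu.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
""".strip().splitlines()

if __name__ == '__main__':
    for e in triage(SAMPLE_LOG):
        mark = '!!' if e.flags else '  '
        print(f'{mark} {e.section:<3} {e.name:<28} {e.target}')
        for f in e.flags:
            print(f'       -> {f}')
```

Run against the full log, the only orphan is the unnamed O3 toolbar with "(no file)", which is what HijackThis offers to fix; the two bare-filename Run entries (mobsync.exe and loadqm.exe) are the ones to confirm by locating the file that actually runs.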
Pieter_Arntz
November 15th, 2003, 02:24 PM
Hi subratam,
Looks clean to me. :D
Regards,
Pieter
subratam
November 15th, 2003, 02:33 PM
I checked the different security sites and did the latest checks with TDS.. all seems to be fine now.... one security site said that some ports are open, and some TCP ports too, but I got them checked by TDS.. nothing unnecessary popped out..
One question: do I need to keep the telnet port 23 open?? If not, how can I close it... and about regsvc.exe, TDS said it's from MS only... I am only thinking about c:\WINNT\SYSTEM32\regsvc.exe.. don't know whether it's malicious... anyway I checked with HijackThis.. and removed the said fixes...
Waiting for the next advice
Good to see you back Pieter :) Lots have been happening since I saw you last
Thanks in advance
DolfTraanberg
November 15th, 2003, 02:56 PM
Hi subratam
-{ Quote: "One question: do I need to keep the telnet port 23 open?? If not, how can I close it..." }-
Do you have the Telnet service running? (see image)
If not, you might want to close the port in your firewall.
Dolf
Primrose
November 15th, 2003, 03:32 PM
Hey sub,
Good going guy ;) Dollefie has you covered now.. and you are learning fast. Yup, too many security programs will drive you up the wall.. but stick with the good ones these people at Wilders tell you about and then study up on each of them as to what they can do for you.. and come back often to ask those questions. None are too small or incidental if you get stuck.
Allow me please to also put in this post the IM you sent me, so others can help you address it..
One question: do I need to keep the telnet port 23 open?? If not, how can I close it... and about regsvc.exe, TDS said it's from MS only... I am only thinking about c:\WINNT\SYSTEM32\regsvc.exe.. don't know whether it's malicious... anyway I checked with HijackThis.. and removed the said fixes...
Waiting for the next advice
Thanks in advance
subratam
November 15th, 2003, 04:06 PM
Please reply to this post a little quick :-\ I saw in Services that for Telnet it said "start", so I think it wasn't running... and I have disabled it, as I don't need telnet (or do I??? ). Anyway, another thing: I have got 2 firewalls, getting ZoneAlarm Pro with Tiny Personal Firewall... what do you comment on that??
Thanks in advance
LowWaterMark
November 15th, 2003, 04:12 PM
Disabling the telnet service is a good thing and no, you probably don't need it. (The telnet service provides a way to access your system from a remote location. I doubt you do that, because if you did, you'd know you do. You'd be on some other system somewhere, you'd "TELNET <ip-address of your PC>" and log in from there.) So, just disable it.
As to two firewalls, no, that is rarely a good idea. Pick the one you are most comfortable with and use that one. You shouldn't even install two firewalls at the same time on the same system.
subratam
November 15th, 2003, 04:33 PM
Actually I am having broadband network internet, and in my network there's a kernel driver ICMP packet circulating, so I had to configure my Tiny Personal Firewall, which has proved to be quite effective and handy to my system and has not allowed the evil to get into my computer.. till date. I have also been studying about ZoneAlarm being one of the best in the business, so I thought to try it out and configured it... that's it.. I am not going to uninstall Tiny firewall as it really is getting the kernel driver along with other applications at hand... ZA I went forward with for its great reputation... I have not installed them at the same time... Tiny I installed 3 weeks before; ZA I installed a little while ago... I have gone through the ZA configuration at www.markusjansson.net and now I think I am in a better position
About telnet, I have disabled it :) but TDS says I have an open port at 25, though I have checked 5+ times before posting this.. no alarm and no trojans, and for the other ports ZA showed me my NAV was guarding those, namely the email ports :)
I welcome more wise comments as I am always learning security... "the internet isn't a child's plaything after all"
Thanks in advance
LowWaterMark
November 15th, 2003, 05:00 PM
Okay, your remaining question is why TDS is showing TCP port 25 open on your system, is that correct?
You can confirm the open ports by using a DOS window via "Start" menu > "Run..." > type in "command" (without the quotes) > in the DOS box type "netstat -an" (again without the quotes). This will show you the open / listening ports on your system. It would appear something like this:
C:\>netstat -an
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
Let us know if port 25 is listed (like the sample above) under the "Local Address" column.
subratam
November 15th, 2003, 05:17 PM
I don't know, I am again getting a bit tense :-[
0.0.0.0:135, 445, 1025, 1031, 2469, 44334 are in the LISTENING state; no 0.0.0.0:25 is there ???
DolfTraanberg
November 15th, 2003, 05:21 PM
Please close port 135 UDP/TCP in your firewall.
Dolf
subratam
November 15th, 2003, 05:23 PM
One more question; never mind if I get this answer after my last post's question about port 25, which is more important, and I will go step by step.. I am just putting my next question to you all techies... I am on a network... and I ran an IP vulnerability test which says I am showing a certain IP, but I have a different IP altogether in my network, and I hope the IP I am showing is a stealth one and I am safe ???
Take your time guys, I am online late today; I want to get all the info up to date 8)
subratam
November 15th, 2003, 05:29 PM
I am sorry, but how can I block a certain port in my firewall? I am very much a novice in this and I don't want to take the risk of doing something I am not sure of.
Waiting eagerly for a reply
DolfTraanberg
November 15th, 2003, 05:33 PM
First you might want to run the ShieldsUp! tests from Steve Gibson's site here: http://grc.com/x/ne.dll?rh1dkyd2.
There you get answers to the various questions you have about your public IP address and open ports.
Dolf
LowWaterMark
November 15th, 2003, 05:35 PM
The netstat results you posted above do not mean that these ports are being allowed in through your firewall... It only means they are listening locally within the system.
Didn't you scan at online sites and come up with stealth results already? Did you post that somewhere before? If this is the case, then your firewall is blocking 135 already.
subratam
November 15th, 2003, 05:47 PM
Yes, I have been undergoing the stealth test for the last hour or more. Does it really help for the firewall I am having?? Will the open ports then automatically be guarded??
Thanks in advance
subratam
November 15th, 2003, 05:51 PM
This is what I got from the Shields UP! file sharing test:
Attempting connection to your computer. . .
Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!
Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.
LowWaterMark
November 15th, 2003, 05:54 PM
That's a great result. Your configuration appears to be a good one and you are currently protected from external access probes. Good job.
subratam
November 15th, 2003, 05:55 PM
What do you think of this??
----------------------------------------------------------------------
GRC Port Authority Report created on UTC: 2003-11-15 at 22:54:38
Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000
5 Ports Open
18 Ports Closed
3 Ports Stealth
---------------------
26 Ports Tested
Ports found to be OPEN were: 22, 23, 25, 80, 443
Ports found to be STEALTH were: 139, 389, 445
Other than what is listed above, all ports are CLOSED.
TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.
But my personal firewall isn't allowing any ICMP whatsoever to come in or go out ??? I checked again....
LowWaterMark
November 15th, 2003, 05:59 PM
Well, that's different than the summary you posted above. :-\ (Oh wait, the summary was just from the NetBIOS scan. Okay, that makes sense. That is blocked okay.)
What is your network setup exactly?
You said something about a broadband LAN? Do you have a router on your network?
subratam
November 15th, 2003, 06:08 PM
The server in the network runs a LINUX server and gets connected through a more secure ISP server.
I use cable internet.
I have been seeing the stealth test and they say port 135 is a cause for much havoc worldwide.... and it's still open on my computer.
I didn't know a computer with all the necessary security software could still be so vulnerable... anyway I have got you guys and I trust and believe you lot.
Waiting eagerly for you all to tell me my next step
Thanks in advance
LowWaterMark
November 15th, 2003, 06:17 PM
I'm sorry, I don't understand what you are saying here...
>> The server in the network runs a LINUX server and gets connected through a more secure ISP server.
>> I use cable internet.
The list of ports seen open by the above GRC scan is completely different from the ports your netstat results show open on your system, so it really looks like there is something "further out" on the network than your PC. The GRC scan is not going directly against your PC, it is going against some other system, router or firewall.
What exactly is the layout of your network? What does your PC plug into? And then what does that thing plug into?
>> I have been seeing the stealth test and they say port 135 is a cause for much havoc worldwide.... and it's still open on my computer.
It is open "locally" on your computer, as it is for almost all Win2000 and XP systems. But the GRC scan result shows 135 as closed (it is not in either the open or stealth port list, but it was scanned, so therefore it is closed). That is still good. You are protected for that by something - LAN router? Server? External firewall? ISP blocking?
>> I didn't know a computer with all the necessary security software could still be so vulnerable...
Well, such a computer (one with all patches and updates) can still technically be vulnerable. However, your network configuration seems to be protecting your PC. What we need to figure out is the entire network setup you have there, to work out why those ports "show" open to the Internet even though they aren't open on your PC.
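LowWaterMark's reasoning above (a port that shows open to the scanner but has no local listener must be answered by something between the PC and the Internet) can be written down as a check. The following is an added example, not code from the thread or from GRC: it parses the `netstat -an` output he asked for earlier and the GRC Port Authority summary subratam posted, both reconstructed here from the figures quoted in the posts, and labels each tested port. The function and sample names, and the private addresses in the netstat sample, are the example's own.

```python
"""Side-by-side view of what this PC is listening on (netstat -an) and what
an outside scanner reported (GRC Port Authority summary).

Added example, not code from the thread or from GRC. Both inputs are
constructed from the figures quoted in the posts: the listeners subratam
reported (135, 445, 1025, 1031, 2469, 44334) and the Port Authority
summary he pasted (open 22, 23, 25, 80, 443; stealth 139, 389, 445;
everything else closed)."""
import re

# Constructed sample of Windows 2000 "netstat -an" output.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1031           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2469           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:44334          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1040      192.0.2.10:80          ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

# Constructed sample of the GRC Port Authority summary from the thread.
GRC_SAMPLE = """\
Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
                            119, 135, 139, 143, 389, 443, 445,
                            1002, 1024-1030, 1720, 5000
Ports found to be OPEN were: 22, 23, 25, 80, 443
Ports found to be STEALTH were: 139, 389, 445
Other than what is listed above, all ports are CLOSED.
"""


def listening_tcp_ports(netstat_text):
    """Set of TCP ports in LISTENING state, whatever the local address."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports


def _expand(spec):
    """'0, 21-23, 25' -> {0, 21, 22, 23, 25}"""
    out = set()
    for tok in re.findall(r"\d+(?:-\d+)?", spec):
        lo, _, hi = tok.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_grc(report):
    """Tested / open / stealth / closed port sets from the GRC summary."""
    tested = re.search(r"scan of ports:(.*?)(?=\nPorts found)", report, re.S)
    opened = re.search(r"OPEN were:(.*)", report)
    stealth = re.search(r"STEALTH were:(.*)", report)
    t = _expand(tested.group(1)) if tested else set()
    o = _expand(opened.group(1)) if opened else set()
    s = _expand(stealth.group(1)) if stealth else set()
    return {"tested": t, "open": o, "stealth": s, "closed": t - o - s}


def compare_views(netstat_text, grc_report):
    """Label every scanned port by what the scanner saw and whether this PC
    actually listens on it. "refused" = RST came back (GRC 'closed'),
    "dropped" = no answer at all (GRC 'stealth')."""
    local = listening_tcp_ports(netstat_text)
    grc = parse_grc(grc_report)
    verdict = {}
    for port in sorted(grc["tested"]):
        here = "listening here" if port in local else "NOT listening here"
        if port in grc["open"]:
            seen = "open upstream"
        elif port in grc["stealth"]:
            seen = "dropped upstream"
        else:
            seen = "refused upstream"
        verdict[port] = "%s, %s" % (seen, here)
    return verdict


def another_host_is_answering(verdict):
    """True if any port is OPEN to the scanner although nothing on this PC
    listens on it: that reply came from a router, server or proxy further
    out, so the scan never reached this machine for that port."""
    return any(v == "open upstream, NOT listening here" for v in verdict.values())


if __name__ == "__main__":
    result = compare_views(NETSTAT_SAMPLE, GRC_SAMPLE)
    for port, label in result.items():
        print("%5d  %s" % (port, label))
    print("scan answered by another host:", another_host_is_answering(result))
```

On the thread's own numbers, ports 22, 23, 25, 80 and 443 come out as "open upstream, NOT listening here", which is exactly the mismatch LowWaterMark points at; 135 is "refused upstream, listening here" (something in between sends the RST) and 445 is "dropped upstream, listening here" (the firewall is eating the probe).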
subratam
November 15th, 2003, 06:37 PM
First of all I must say this site rocks and you guys are really awesome... I appreciate the way you answered my queries. Thanks a lot.
Now I am going step by step. I ran netstat again and checked these open ports:
135, 445, 1025, 1031, 2469, 44334 (though one thing I must say here: when I first ran netstat it also gave 4380-4406, and not again, though they are coming back...)
Next, about the network I am having: it has a LINUX-based server. Whenever I am going through the stealth test the IP trace doesn't come to the network I am having at all... but it stops at the ISP server from which my network server is getting the bandwidth... I hope I was able to make you understand at least something. I have firewalls and yes, the ISP server is the last stop to be scanned in the stealth test, as I said... even the IP the test shows isn't mine that I have on the network (which I think is my IP on the internet, is it??); even I am recognised by the trace as some other computer name, not by my real computer name.
I hope that my computer is.. I repeat I hope, as from what you said and the stealth reports.. that I have my computer well configured NOW, but there may be some in the network who are falling prey to the casualties.
And yes... it's never bad to learn MORE
subratam
November 15th, 2003, 06:39 PM
Oops, one thing I forgot to mention... my firewall passed the leaktest from grc.com (latest leaktest version) :D
LowWaterMark
November 15th, 2003, 06:49 PM
It does seem like you have a non-standard ISP connection of some sort... Not that that is a bad thing! In fact, in this case it appears to be protecting you external to your system, and that is a good thing. Since the ports open in the scan are completely different from your open ports in netstat, and because NetBIOS is stealthed and 135 is closed, I will state I think you are protected from some of the most common probes out there. That also is a good thing.
From all I've read so far in your posts, I don't think your PC is vulnerable from any specific "open port" issue, nor does it look like you have any virus or trojan problems now. I think your system is okay. Until we see some specific problem (some "virus found" or some other exploit alerted), I'd have to guess you are okay.
My recommendation... You are a new TDS user (at least you are evaluating it, right?), so continue using that for the rest of the period of the evaluation and see if it ever finds any actual trojan files. If you like TDS and want to buy after the eval period, then you ought to.
Also, keep reading the reference threads people have posted for you. Keep trying to tighten your security and that will prevent you from getting any malware in the future.
subratam
November 15th, 2003, 07:15 PM
Again, first of all I must thank you :D for all the support and attention I got.. from you and everyone else; it's the most remarkable feedback I ever got, I sincerely admire it...
:D I am feeling much better now that YOU have said I am safe... and more than that, I have also been checking all these all along; I also feel more or less satisfied...
It's better to be safe out there, you know ;)
I will give you the list of all the security software I have got:
NAV 2002, licensed, with the latest LiveUpdate installer and LiveUpdate installed to date
AVG Version 7 Licensed
Zone Alarm Pro Version 4 Licensed
Tiny Personal Firewall
SpyBot SD
SpywareBlaster
Cwshredder
TDS (you were right, I am having the trial version :( actually I have been buying all these security things all along and have really spent a lot now... and I have got this TDS new.. I will of course have a look at buying it, it's a great software. Any free good AT you know??)
TrojanRemover 6
What else.. lol...
Hey, do I still need Ad-aware???
Thanks again for all the support :) and I of course will always look at this forum again and again to learn more and more
I feel safe with you all guys out here... to me, I say it from the heart... you are the best firewall for lots of people who are slowly learning security... kudos
LowWaterMark
November 15th, 2003, 08:09 PM
>> again first of all i must thank u...
We're glad to help you learn and secure your system. 8)
>> Tiny Personal Firewall
What version of Tiny are you running? And, if you know, what modules are enabled? (I'm wondering if this is an old version of Tiny, before they added the sandbox to it, or if it is a recent or current version with the sandbox fully enabled. I run Tiny's sandbox only, alongside ZAP 4.0.)
>> any free good AT u kno??
No. There are no good and currently released free Anti-Trojans. It is one type of product where there aren't good free options available.
>> hey do i still need adaware?
Ad-aware and Spybot are mostly interchangeable; however, we generally recommend that people run both... The free product versions of Ad-aware and Spybot are both excellent anti-spyware tools. They can both be installed and used to run periodic scans, say weekly, at the least. (Run them one after the other, not literally at the same time.)
subratam
November 15th, 2003, 08:37 PM
I have a question again ??? I have an old version of Tiny firewall. I know it's already updated, but as I did say at the beginning, I had to configure with what I have, as if and when I release the gate for a second the TCP/IP Kernel Driver comes in... and that forces me to format my computer :-[ I would like to ask: if I download the updated version, what would happen when I go to install... then the old version will get merged ?? and then ?
Should I download the update, then unplug my LAN card and then configure as I did earlier??
Thanks in advance
LowWaterMark
November 15th, 2003, 08:48 PM
I still don't understand what this is exactly...
>> ...when i release the gate for a sec the TCP IP Kernel Driver comes in... and that forces me to format my comp...
How do you know about this? What product warns you of it and what exactly does it say?
>> i hav a old version tiny firewall i kno its already updated ... if i download the updated version wat wud happen if i go to install...
What version is it that you have? It makes a difference to the recommendation. However, if it is an old, non-sandbox version then I don't understand why you'd want to keep it installed if you recently bought ZAP 4? (Tiny's a great firewall, but as I said above, it's not a good idea to run two software firewalls on the same system at the same time.)
>> shud i download updated then unplug my LAN card and then configure as i did earlier??
If you are going to upgrade, update, deinstall or install a firewall, this is a very good and safe way to do it. Get the download. Unplug. Do what you gotta do, deinstall- or upgrade-wise. Start the firewall. Plug back in.
subratam
November 16th, 2003, 02:51 AM
About the TCP/IP kernel driver... it's an ICMP packet constantly circulating in our network. It causes real havoc once you let it enter the computer, changing a lot in your system. Tiny Personal warns about it and says that someone wants to send you a Kernel Driver, do you want it to enter or not... once it enters then you are gone, you become an affected part of the network also. Actually I was suffering this until I configured it before even allowing the LAN card to plug in. I had to format 4 times before for this matter.
The version is really old, I think 2.0.15A, but it's very effective in handling most of the evils and, most importantly, the kernel driver ICMP packet. I of course can download the latest Tiny 5 version and can update my firewall, unplugging the LAN again..
As you said, you also have 2 firewalls, same as mine, the TINY and ZA, and I did tell you the reasons why I am running the two... the two aren't clashing, what do you say??
LowWaterMark
November 16th, 2003, 11:50 AM
No, I don't have two firewalls. I have Tiny Trojan Trap and ZAP 4.0. Tiny Trojan Trap has no firewall components in it at all. It is a totally separate product from the Tiny Software people. (It is just a sandbox, and therefore does not conflict with the ZAP software firewall.)
All I can do is make a recommendation, whether you decide to listen to it or not is your choice. The majority of people will advise you to not run or even install two software firewalls on a single system because of the possibility of conflicts (either seen or unseen).
The old Tiny firewall is a fine packet filter, giving you good inbound protection and considering that you have some sort of network protection from your provider, you probably don't need any more firewall software anyway.
BlitzenZeus
November 16th, 2003, 12:54 PM
Subratam, TCP/IP Kernel Driver is part of your TCP/IP stack, and it belongs there. It handles the ICMP protocol, and ICMP is not anywhere near as dangerous as you think; you're just being over-paranoid, and it's a part of the normal internet protocols.
FYI, there were vulnerabilities discovered in the old Tiny that were fixed in Kerio 2x, and you can still download Kerio 2x from this link. I don't suggest you even touch Kerio 4x at this time, and the most recent 2x version was 2.15.
http://www.kerio.com/dwn/kpf/
Now your rules are the problem, and from your problems it would seem you need to fix more than ICMP. This is a power-user program, and does require the user to have knowledge of the TCP/IP protocols. You're just being an over-paranoid user that doesn't understand what is going on.
If you want help with your Tiny/Kerio 2x configuration that can be done, and you can post a screenshot of your rules for others to review. However, you are in quite over your head, and maybe an application-based firewall would be better for you?
As far as ICMP goes, just make sure you're not allowing ICMP 8 inbound, and I've even attached an example of basic ICMP rules.
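An added illustration of the inbound ICMP policy BlitzenZeus describes (his attached rule file is not reproduced in the thread, and this is not Tiny's or Kerio's code). The packet layout follows RFC 792: an ICMP message is a type, a code and a one's-complement checksum, with no connection state, so each message is judged on its own. The allow list (echo reply, destination unreachable, time exceeded) and the sample packets are the example's own assumptions; the one firm point it takes from the post is that type 8 (echo request) is dropped inbound.

```python
"""Inbound ICMP filter of the kind described in the post: drop echo
requests (type 8) so the host never answers a ping, let the error and
reply messages a client's TCP/IP stack relies on through, drop the rest.

Added example, not Tiny's or Kerio's rules. Types/checksum per RFC 792;
the allow list and the packets below are constructed for the example."""
import struct

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

# Assumed inbound policy. Anything not listed is dropped by default.
INBOUND_ALLOW = {ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED}


def icmp_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words (odd length zero-padded).
    Over a whole, intact packet the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code=0, payload=b""):
    """Type(1) Code(1) Checksum(2) followed by the type-specific body."""
    header = struct.pack("!BBH", icmp_type, code, 0)
    chk = icmp_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, chk) + payload


def parse_icmp(packet):
    """Return (type, code); raise ValueError on a short or corrupt packet."""
    if len(packet) < 4:
        raise ValueError("short ICMP packet")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _chk = struct.unpack("!BBH", packet[:4])
    return icmp_type, code


def inbound_verdict(packet):
    """'allow' or 'drop' for one packet arriving from the network.
    There is no session to track: the decision is made per message."""
    try:
        icmp_type, _code = parse_icmp(packet)
    except ValueError:
        return "drop"  # malformed: never hand it to the stack
    return "allow" if icmp_type in INBOUND_ALLOW else "drop"


def filter_inbound(packets):
    """Apply the policy to a batch; return only the packets passed up."""
    return [p for p in packets if inbound_verdict(p) == "allow"]


# Constructed inbound traffic for the demo.
SAMPLE_INBOUND = [
    build_icmp(ECHO_REQUEST, payload=b"ping from a scanner"),  # type 8: drop
    build_icmp(ECHO_REPLY, payload=b"reply to our own ping"),  # type 0: allow
    build_icmp(DEST_UNREACH, code=3),                          # port unreachable: allow
    build_icmp(TIME_EXCEEDED, code=0),                         # traceroute hop: allow
    build_icmp(13),                                            # timestamp request: drop
    b"\x08\x00\xff\xff",                                       # corrupt checksum: drop
]

if __name__ == "__main__":
    for pkt in SAMPLE_INBOUND:
        print(pkt[:4].hex(), inbound_verdict(pkt))
```

Because type 8 is dropped rather than refused, a scanner gets no reply at all, which is the "stealth" GRC reports; the report earlier in the thread said a ping reply WAS received, so whatever answered that probe was not a host running this policy. In a first-match rule list (Tiny/Kerio style) the allow rules for types 0, 3 and 11 must sit above the final deny.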
subratam
November 16th, 2003, 01:25 PM
The ICMP that is relayed in my network corrupts my TCP/IP kernel driver and in return it infects my PC.. I have been getting a lot of help from you guys... actually I am keeping TINY only for that; it really keeps you safe from harmful packets, as I am seeing it's doing effectively... as for ZA, I am keeping this because it keeps me in stealth form once I configure it, so that ICMP doesn't get to come in. I will keep one firewall at a time.
I really feel bad, Low, that you thought I am not taking your recommendation... but I have been listening to everything and I will always listen, as you all know much more and I am learning...
How can I post the firewall rules log??
subratam
November 16th, 2003, 01:35 PM
By the way, I have Tiny Personal version 2.0.15A (221001) :)
BlitzenZeus
November 16th, 2003, 01:43 PM
"ts nice to kno nothin than knoin somethin wrong" Well, besides your horrible spelling, you have fallen under "knowing something wrong" when it comes to ICMP.
ICMP cannot infect your PC; there are no ICMP connections like TCP, as it's a messaging protocol.
If you want people to review your rules you have to take a screenshot of your rules, and make a new post in the Other Firewalls forum. Use Alt+PrintScreen to capture the active window only, instead of just pressing the PrintScreen button, and be sure to save it in an internet-friendly format like .gif or .jpg for size. Crop the image where needed, and you might have to take multiple screenshots if you have a huge amount of rules.
Right now, by simply renaming one program on your system, I could gain access to the internet with Tiny 2x. Now do you want to upgrade to Kerio 2x???
subratam
November 16th, 2003, 02:15 PM
Hmmm.... is Kerio different from TFW, or does it update the already installed Tiny??
Does ZA support system access with renamed programs??
Blitz, I am learning, so I think it would be good on your part to help me informatively :-[
subratam
November 16th, 2003, 02:16 PM
Next
subratam
November 16th, 2003, 02:18 PM
Last, along with a rule for ZA that is allowed
BlitzenZeus
November 16th, 2003, 02:40 PM
I'm going to quote myself, highlighting a few words:
"If you want people to review your rules you have to take a screenshot of your rules, and make a new post in the Other Firewalls forum"
You can be helped better with your firewall configuration in the firewall forum than in this generic security forum.
The rename issue is a bug in Tiny 2x where it can bypass your firewall configuration completely; otherwise it wouldn't let it out normally, depending on your configuration.
Kerio 2x was built with Tiny 2x code. Kerio became their own company when they separated from Tiny Software. It's 99% the same, and will import Tiny 2x rules. The interface is the same, with many fixes and updates to the program itself.
Now you're starting to listen more. Others were being nice to you, but it wasn't getting through to you, so that was a problem. I realized you were still learning from what I read, but I also realized that you already had ideas you believed for some reason that you were not changing after you were told they were wrong.
BTW, stick to one firewall only. Running both will only cause problems.
I'll be back after a while to respond to your posted ruleset; I usually have to write many paragraphs when reviewing others' rules, so it takes a while.
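Why a rename defeats a per-program rule, as an added example (not Tiny's or Kerio's code; the thread does not say how those products identified programs, so the two policies below are assumed models). The name-based rule trusts the executable's file name, the hash-based one trusts its contents, so renaming an unknown program to a permitted name fools only the first. The file names and contents are constructed for the demo.

```python
"""Program identification by file name versus by content hash.

Added example illustrating the rename bypass mentioned in the thread. It
models two assumed policies, not any real product's rule engine. The
'browser.exe' / 'downloader.exe' files and their bytes are constructed."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class NameRule:
    """Allow outbound if the program's file name is on the list (weak)."""

    def __init__(self, allowed_names):
        self.allowed = {n.lower() for n in allowed_names}

    def allows(self, path):
        return os.path.basename(path).lower() in self.allowed


class HashRule:
    """Allow outbound only if the program's content hash is on the list."""

    def __init__(self, allowed_hashes):
        self.allowed = set(allowed_hashes)

    def allows(self, path):
        return sha256_of(path) in self.allowed


def rename_attack_demo():
    """Constructed scenario: a permitted 'browser.exe' and an unknown
    'downloader.exe'. The unknown program is renamed to the permitted
    name and both policies are asked again.
    Returns (name_rule_fooled, hash_rule_fooled)."""
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "browser.exe")
        staging = os.path.join(d, "staging")
        os.makedirs(staging)
        evil = os.path.join(staging, "downloader.exe")
        with open(browser, "wb") as f:
            f.write(b"MZ constructed trusted browser image")
        with open(evil, "wb") as f:
            f.write(b"MZ constructed unknown downloader image")

        by_name = NameRule(["browser.exe"])
        by_hash = HashRule([sha256_of(browser)])

        # Before the rename both policies agree.
        if not (by_name.allows(browser) and by_hash.allows(browser)):
            raise RuntimeError("trusted program should be allowed")
        if by_name.allows(evil) or by_hash.allows(evil):
            raise RuntimeError("unknown program should be denied")

        # The 'attack': give the unknown program the permitted name.
        disguised = os.path.join(staging, "browser.exe")
        os.replace(evil, disguised)
        return by_name.allows(disguised), by_hash.allows(disguised)


if __name__ == "__main__":
    fooled_name, fooled_hash = rename_attack_demo()
    print("name-based rule fooled by rename:", fooled_name)
    print("hash-based rule fooled by rename:", fooled_hash)
```

A rule keyed on the full path instead of the bare name helps only until the attacker overwrites the permitted file in place; binding the rule to the file's hash catches both the rename and the overwrite, at the price of re-prompting after every legitimate update of the program.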
subratam
November 16th, 2003, 02:55 PM
I just now uninstalled ZA and I am going to download the Kerio 2x version...
As you said.. I just want to be sure... Kerio will import the Tiny rules, right??
I do understand that it's better to use one firewall only... it's better for me to listen to you :) than to be with anything; I am a beginner...
About the Tiny PF I am having: after downloading Kerio 2x, what would be my next steps? Kerio is a .exe; should I unplug the LAN and then install? Or, I ask again, will Kerio install itself with the Tiny rules??
I appreciate your help
BlitzenZeus
November 16th, 2003, 04:19 PM
Re-read my last comment about Tiny 2x rules into Kerio 2x:
"Kerio 2x was built with Tiny 2x code. Kerio became their own company when they separated from Tiny Software. It's 99% the same, and will import Tiny 2x rules. The interface is the same, with many fixes and updates to the program itself."
Yes, you should make sure you won't connect to other machines, or auto-connect to the internet, when you don't have a firewall running.
I was going to do something, but since you say you're networked, that is another issue. That makes your configuration more complex, so how is your network set up, and what IP ranges do you use for your network?
Since you're not completely reading what others are saying, as I'm having to quote my last comments, I will ask that you read, and re-read, this thread. Instead of using your exported rules I want you to start out with the standard rule set, and read the instructions completely. It's a starting template with some rules loose so they work, and you will have to restrict them later.
http://www.broadbandreports.com/forum/remark,8023708~root=kerio~mode=flat#8023745
So download Kerio 2x, download that standard ruleset, use print preview to print out only the part of the page that contains the instructions, export your Tiny 2x rules, disconnect your machine from the internet/LAN, proceed to uninstall Tiny, replace it with Kerio, import the standard ruleset, start customizing the rules, and reconnect to the internet/LAN.
--We will discuss your configuration problems in the Other Firewalls forum, in the thread you have already started.--
subratam
November 16th, 2003, 04:27 PM
Thanks a lot Blitz.... I am getting it more straight now.. I won't say much more here now, but in the firewall post.
If I do have any security problems I would come back here.