downloader.clispri.A, trojan.byteverify

Discussion in 'other security issues & news' started by subratam, Nov 14, 2003.

  1. Primrose
    Hi sub,
    I will talk to you again..but first we have to clear up lots of confusion for you.

    First of all, the complete path for the area on your PC that you think appears to be giving you a TROJAN is this.

    C:\Documents and Settings\Administrator\Local Settings\Temp


    That area called TEMP is used by all the programs you now have running to temporarily load so they can function. When you have many running at the same time and also watching that folder...and then run the on-line TREND housecall..programs like AVG can give you a false positive if you have it running at the same time.


    *****************************************

    I have read all the rest of the posts made on this problem you seem to be having at all the other forums.



    Subject: [SOT] Damn trojan
    Newsgroup: alt.hacker

    1 Kevin Nov 10, 2003
    |-2 root1657 Nov 10, 2003
    \-3 subratam Nov 14, 2003

    Must be new as AVG didn't pick it up & no one admits to opening an email with it.


    The trojan is named Clispri.A and consists of 2 .exe's named scbr.exe & ptpo.exe. Seems to install itself to c:\Documents and Settings\User_name\Application Data.


    From: subratam (subratambiswas@yahoo.com)
    Subject: Re: [SOT] Damn trojan
    Newsgroups: alt.hacker
    Date: 2003-11-14 00:47:07 PST


    hey there... i was also attacked by this clispri.A trojan.... though i don't know if i still have it yet... i have deleted the scbr.exe and ptpo.exe and run all my AVs. the trojan seems to set itself in explorer bars. it normally resides in local settings. you can run the trendmicro online scan and before that have AVG 7 installed.. the online scan will try to open every file and scan and AVG will catch the trojan. no, it can't do anything now though, no heal or delete, but at least you know whether you have it or not still. i am regularly checking my post in the tech support guy forum, security. hope i also need attention. ciao


    ******************************************


    So i will tell you this...AVG does not have a trojan in their database called Clispri.A or downloader.clispri.A, another vendor might...


    But at this time you are not infected with any trojan.


    I suggest to you again to turn off your AVG so it does not load and scan while you are doing another on-line scan. If anything is causing your problems..it is the fact that the action of one AV/AT product appears, to another scanner, to be a trojan as it scans.
     
  2. Jooske
    Hi there!
    >and i got one more question: this TDS scan says c:\autoexec.bat is missing after checking the files<

    In TDS > Edit Config Text files > crcfiles.txt
    edit the right location of files on your system, although i've been told the autoexec.bat would not be there on an XP system (correct me if i'm wrong), so a file which is not supposed to be there and is not there, you should only be worried about if it were located! Best remove it from that txt and add other files if you feel those are important to be checked for changes.


    >and what is ntvdm.exe<
    ntvdm - ntvdm.exe - Process Information
    Process File: ntvdm or ntvdm.exe
    Process Name: Windows 16-bit Virtual Machine
    Description: The Windows Virtual Machine for 16-bit Windows and DOS programs is used to run DOS programs and old Windows programs inside a virtual machine.

    Don't know where you found that on your system? I don't have it.
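The crcfiles.txt discussion above is a file-integrity baseline: a list of files whose contents are checked for changes on each scan. The checker below is an added example (not TDS code, and the one-path-per-line list format is an assumption); it records a digest per listed file and, for the autoexec.bat case, distinguishes a file that was never present when the baseline was taken from one that has since disappeared.

```python
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks. (The TDS list is named
    crcfiles.txt, so it presumably used a CRC; a cryptographic hash is the
    better choice for spotting deliberate tampering, so it is used here.)"""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_watchlist(text):
    """Assumed list format: one absolute path per line, '#' starts a comment."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.strip().startswith("#")]


def build_baseline(paths):
    """Digest every listed file. A path that does not exist when the baseline
    is taken is recorded as None, so a later check can tell 'never there'
    (the autoexec.bat case on XP) from 'was there, now gone'."""
    return {p: (file_digest(p) if os.path.isfile(p) else None) for p in paths}


def check_baseline(baseline):
    """Compare the current state of each watched file with the baseline."""
    results = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            results[path] = "MISSING" if expected is not None else "ABSENT_AS_BASELINED"
        elif expected is None:
            results[path] = "NEW"
        elif file_digest(path) != expected:
            results[path] = "MODIFIED"
        else:
            results[path] = "OK"
    return results


def demo():
    """Run the checker on constructed files in a temporary directory and
    return {file name: status}; the names only echo the thread's examples."""
    with tempfile.TemporaryDirectory() as d:
        stable = os.path.join(d, "config.nt")
        changed = os.path.join(d, "system.ini")
        removed = os.path.join(d, "hosts")
        never = os.path.join(d, "autoexec.bat")  # listed but never present
        for path, data in ((stable, b"dos=high, umb\n"),
                           (changed, b"[boot]\nshell=explorer.exe\n"),
                           (removed, b"127.0.0.1 localhost\n")):
            with open(path, "wb") as f:
                f.write(data)
        watchlist = parse_watchlist(
            "# constructed watch list\n" + "\n".join([stable, changed, removed, never]))
        baseline = build_baseline(watchlist)
        # Simulate what happens between two scans.
        with open(changed, "ab") as f:
            f.write(b"scrnsave.exe=other.scr\n")
        os.remove(removed)
        return {os.path.basename(p): status
                for p, status in check_baseline(baseline).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:<20} {name}")
```

A watch-list entry that reports ABSENT_AS_BASELINED on every scan is noise rather than a finding, which is the point Jooske makes about removing it from the list.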
     
  3. Primrose
    If it helps you, I have that NTVDM.EXE and it is a legitimate program and is used for Optimizing Applications


    http://www.windowsitlibrary.com/Content/435/06/2.html

    I think one of the problems you are having with all this is trying to understand your PC and its OS. I think that is great and you are learning.

    But be careful with focusing your thoughts too much on unfamiliar named .EXE type programs in your search within the files and folders of your PC.


    Even in the TEMP folder many AV/AT developers temporarily install an .exe with a funny name that is actually their program running disguised with a new name each time it loads to fend off attacks by badboys who would seek it out and stop it from running.


    AV/AT programmers have also devised other methods besides this in self defence, since many of the exploits you run into nowadays..try first to not only infect your PC..but also to stop any firewall or Security Product that you have installed from doing its job.
     
  4. subratam
    so you all are saying i am not infected with any trojan right now :rolleyes: in another forum from http://forums.techguy.org/showthread.php?threadid=179386&goto=newpost
    i reported the hijackthis log. i did find some regsvc.exe, i don't know what it is.. one dcsresearch string was there as you can see from the string there and hijack log.. i fixed it.. i also found regsvc.exe.. i do understand what you all are saying about AV/AT doing the disguise acts.. and i do really appreciate you all for the attention and help you have been giving me.. in simple one word it's awesome but i just want to be totally sure with my computer... if you want i can put both the hijackthis log and also the AS viewer from Diamond too
    thanks in advance
     
  5. Primrose
    Nope..i do not want to see the hijack log again..the one you posted at techguy shows you are now plagued with another exploit..a new one you just picked up..they will handle it over there for you.


    The kind you are picking up come from various sites..nasty things..there are programs that will stop them..but these hijack search and porno hooks are all over the place and your first goal to stop them is to tighten up the settings on your Browsers and OS. Third party software is good to clean your PC and help with some of it..but it also has to do with sites that are visited and what you allow them to download to you.

    On that you do have control..but i think you have never tried to block them with safer settings on your browser.
     
  6. subratam
    please.. i am now getting tensed as to what new thing i have got now :( please help me out from here also.. as you know, a second late also can do harm to the computer, and also what security settings do i go for now??

    please please help me out....
     
  7. Primrose
    Since you are in the TDS forum and this is about their product it is not really the place to do this.

    But if you post again in one of the general sections of this Wilders Board for help..there are programs like XP-AntiSpy

    http://www.xp-antispy.org/

    that also works for Win2000 and can help secure your OS..and then also some one can give you site links like this one...
    http://www.markusjansson.net/

    That you could follow to tighten up your settings...and also understand why you are doing it.


    But i can not give you much more in this section of the Wilders Forum.

    Be Well :)
     
  8. subratam
    hmmm... i did download XP-AntiSpy as you said... it did disable some of the readily accessible internet updates.... actually i have all these: SpywareBlaster, Spybot and CWShredder with me... i don't know if that's the reason... i think some of the sites are taking a little time to open... rest all are fine...
    i am still confused about regsvc.exe; if that's bad, how should i remove that
    i want my comp to be free from nasties now :'(
    it's been frustrating all these days just going on downloading one software after another for security and my comp is full of security software instead of anything else :p

    Logfile of HijackThis v1.97.6
    Scan saved at 11:49:39 PM, on 11/15/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\GFI\System Integrity Monitor 3\cfservice.exe
    C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Tiny Personal Firewall\persfw.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton CrashGuard\CGMenu.EXE
    C:\PROGRA~1\DAP\DAP.EXE
    C:\WINNT\system32\ntvdm.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program Files\Tray Wizard\TWizard.exe
    C:\Program Files\Desktop Architect\datray.exe
    C:\Program Files\FreeMem Professional\fmempro.exe
    C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\mdm.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Happy Surfing
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINNT\Downloaded Program Files\ycomp5_2_3_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_2_3_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\Program Files\Norton CrashGuard\CGMenu.EXE"
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [Tray Wizard] C:\Program Files\Tray Wizard\TWizard.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
    O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Professional\fmempro.exe" autostart
    O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37929.4057986111
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_2_3_0.cab

    ********************************
    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Subratam@CHWEETY, 11-15-2003
    c:\winnt\system32\autoexec.nt
    C:\WINNT\system32\mscdexnt.exe
    C:\WINNT\system32\redir.exe
    C:\WINNT\system32\dosx.exe
    c:\winnt\system32\config.nt
    C:\WINNT\system32\himem.sys
    c:\winnt\system.ini [drivers]
    timer=timer.drv
    c:\winnt\system.ini [boot]\shell
    C:\WINNT\Explorer.exe
    c:\winnt\system.ini [boot]\scrnsave.exe
    C:\WINNT\Webshots.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINNT\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINNT\Webshots.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
    mobsync.exe /logon
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_CC
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_EMC
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV Agent
    C:\PROGRA~1\NORTON~1\navapw32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton CrashGuard Monitor
    C:\Program Files\Norton CrashGuard\CGMenu.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadQM
    C:\WINNT\loadqm.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DownloadAccelerator
    C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
    C:\WINNT\system32\\NeroCheck.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrojanScanner
    C:\Program Files\Trojan Remover\Trjscan.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SpybotSnD
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tray Wizard
    C:\Program Files\Tray Wizard\TWizard.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo! Pager
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Desktop Architect
    C:\Program Files\Desktop Architect\datray.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FreeMem Pro
    C:\Program Files\FreeMem Professional\fmempro.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\iolo Task Agent
    C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_Run
    C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
    C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINNT\system32\NETSHELL.dll
    C:\WINNT\system32\webcheck.dll
    C:\WINNT\system32\stobject.dll
    C:\WINNT\Tasks\SIM3 Scan 1.job
    C:\Program Files\GFI\System Integrity Monitor 3\cfstart.exe
    C:\WINNT\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Webshots.lnk
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\24Online Client.lnk
    C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    smrgdf C:\Program Files\iolo\System Mechanic 4\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINNT\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINNT\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINNT\system32\msafd.dll
    C:\WINNT\system32\rsvpsp.dll
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINNT\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINNT\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\Avg7Alrt\
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    HKLM\System\CurrentControlSet\Services\Avg7UpdSvc\
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\dmserver\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\GFI LANguard System Integrity Monitor 3 agent service\
    C:\Program Files\GFI\System Integrity Monitor 3\cfservice.exe
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\lnss_sscans\
    C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
    HKLM\System\CurrentControlSet\Services\Messenger\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\navapsvc\
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    HKLM\System\CurrentControlSet\Services\NtmsSvc\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\PersFw\
    C:\Program Files\Tiny Personal Firewall\persfw.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINNT\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\RemoteRegistry\
    C:\WINNT\system32\regsvc.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINNT\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINNT\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\SBService\
    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINNT\system32\MSTask.exe
    HKLM\System\CurrentControlSet\Services\SecDrv\
    \??\C:\WINNT\system32\drivers\SECDRV.SYS
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINNT\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINNT\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\SYMTDI\
    \??\C:\WINNT\System32\Drivers\SYMTDI.SYS
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\WinMgmt\
    C:\WINNT\System32\WBEM\WinMgmt.exe
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINNT\system32\svchost.exe -k wugroup
     
  9. Pieter_Arntz (Spyware Veteran)
    Hi subratam,

    Looks clean to me. :D

    Regards,

    Pieter
     
  10. subratam
    i checked the different security sites and did the latest checks with TDS.. all seems to be fine now.... one security site told that some ports are opened and some TCP ports too but i got them checked by TDS.. nothing unnecessary popped out..
    one question: do i need to keep open the telnet port 23?? if not, how can i close it... and about regsvc.exe, the TDS said it's from MS only... i am only thinking about c:\WINNT\SYSTEM32\regsvc.exe.. don't know whether it's malicious... anyway i checked with hijackthis.. and removed the said fixes...
    waiting for the advice next
    good to see you back pieter :) lots have been happening since i saw you last
    thanks in advance
     
  11. DolfTraanberg
    Hi subratam
    do you have Telnet service running (see image)
    If not, you might want to close the port in your firewall.
    Dolf
     


  12. Primrose
    Hey sub,

    good going guy ;) Dollefie has you covered now..and you are learning fast. Yup, too many security programs will drive you up the wall..but stick with the good ones these people at Wilders tell you about and then study up on each of them as to what they can do for you..and come back often to ask those questions. None are too small or incidental if you get stuck.

    Allow me please to also put in this post the IM you sent me, so others can help you address it..

    one question: do i need to keep open the telnet port 23?? if not, how can i close it... and about regsvc.exe, the TDS said it's from MS only... i am only thinking about c:\WINNT\SYSTEM32\regsvc.exe.. don't know whether it's malicious... anyway i checked with hijackthis.. and removed the said fixes...
    waiting for the advice next
    thanks in advance
     
  13. subratam
    please reply to this post a little quick :doubt: i saw in services and in the telnet it was said "start" so i think it wasn't running... and i have disabled it as i don't need telnet (or do i o_O ) anyway, and for another thing i have got 2 firewalls, getting zonealarm pro with tiny personal firewall... what do you comment on that??
    thanks in advance
     
  14. LowWaterMark (Administrator)
    Disabling the telnet service is a good thing and no, you probably don't need it. (The telnet service provides a way to access your system from a remote location. I doubt you do that because if you did, you'd know you do. You'd be on some other system somewhere, you'd "TELNET <ip-address of your PC>" and login from there.) So, just disable it.

    As to two firewalls, no that is rarely a good idea. Pick the one you are most comfortable with and use that one. You shouldn't even install two firewalls at the same time on the same system.
     
  15. subratam
    actually i am having broadband network internet and in my network there's a kernel driver ICMP packet circulating so i had to configure my tiny personal firewall, which has proved to be quite effective and handy to my system and not allowed the evil to get into my comp.. till date i have also been studying about zonealarm being one of the best in business so i thought to try it out and configured it... that's it.. i am not going to uninstall tiny firewall as it is really getting the kernel driver along with other applications at hand... ZA i went forward with for its great reputation... i have not installed them at the same time... tiny i had installed 3 weeks before, ZA i installed a little while ago... i have gone through the ZA configuration at www.markusjansson.net and now i think i am in a better position
    about telnet, i have disabled it :) but TDS says i have an open port at 25 though i have checked 5+ times before posting this.. no alarm and no trojans, and for other ports ZA showed me my NAV was guarding those, namely the email ports :)
    i welcome more wise comments as i am always learning security... "internet isn't a child's plaything after all"
    thanks in advance
     
  16. LowWaterMark (Administrator)
    Okay, your remaining question is why TDS is showing TCP Port 25 open on your system, is that correct?

    You can confirm the open ports by using a DOS window via "Start" menu > "Run..." > type in "command" (without the quotes) > in the DOS box type "netstat -an" (again without the quotes). This will show you the open / listening ports on your system. It would appear something like this:

    C:\>netstat -an

    Active Connections

    Proto Local Address Foreign Address State
    TCP 0.0.0.0:25 0.0.0.0:0 LISTENING

    Let us know if port 25 is listed (like the sample above) under the "local address" column.
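Reading `netstat -an` by eye works for one port, but the same check can be done over the whole listing. The script below is an added example, not part of the thread: it parses the cmd.exe-style output shown above (the sample lines are constructed), lists every TCP port with a local listener, and annotates the well-known ports this thread asks about. As LowWaterMark notes later in the thread, a local listener is not the same as a port reachable from the Internet; the firewall decides that, and netstat cannot show it.

```python
import re

# Constructed sample of `netstat -an` output in the cmd.exe layout shown above;
# the listening ports are the ones mentioned later in this thread, plus one
# established connection and one UDP socket to show how those are handled.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1234       203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

# What normally owns the well-known ports discussed in the thread.
PORT_NOTES = {
    23: "Telnet service (disable it if you do not log in remotely)",
    25: "SMTP: a mail server, or an AV product's e-mail scanning proxy",
    135: "Windows RPC endpoint mapper",
    139: "NetBIOS session service (file sharing)",
    445: "SMB over TCP (file sharing)",
}

# proto, local ip, local port, foreign address, optional state (UDP has none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, local_ip, local_port, state) for every socket line;
    the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, ip, port, _foreign, state = m.groups()
            rows.append((proto, ip, int(port), state or ""))
    return rows


def listening_tcp_ports(rows):
    """Distinct TCP ports with a local listener, in ascending order."""
    return sorted({port for proto, _ip, port, state in rows
                   if proto == "TCP" and state == "LISTENING"})


def is_listening(rows, port):
    """True if some program on this machine accepts TCP connections on `port`."""
    return port in listening_tcp_ports(rows)


def listener_report(rows):
    """One line per TCP listener: which interfaces it is bound to and what
    normally owns the port. A listener bound to 0.0.0.0 accepts connections
    on every interface; whether the outside world can actually reach it is
    decided by the firewall, which netstat does not show."""
    lines = []
    for proto, ip, port, state in rows:
        if proto != "TCP" or state != "LISTENING":
            continue
        if ip == "0.0.0.0":
            scope = "all interfaces"
        elif ip.startswith("127."):
            scope = "loopback only (not reachable from the network)"
        else:
            scope = ip
        note = PORT_NOTES.get(port, "no note; identify the owning program")
        lines.append(f"TCP {port:>5} listening on {scope}: {note}")
    return lines


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    print("port 25 listening:", is_listening(parsed, 25))
    for line in listener_report(parsed):
        print(line)
```

On a real machine, pipe the actual `netstat -an` output into `parse_netstat` instead of the constructed sample; an external check such as the ShieldsUp! test mentioned later in the thread is still needed to learn which of the listeners are exposed.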
     
  17. subratam
    i don't know, i am again getting a bit tensed :oops:
    0.0.0.0:135, 445, 1025, 1031, 2469, 44334 are in the state of listening; no 0.0.0.0:25 is there o_O
     
  18. DolfTraanberg
    please close the port 135 UDP/TCP in your firewall.
    Dolf
     
  19. subratam
    one more question, never mind if i get this answer after my last post's question about port 25, which is more important, and i will go step by step.. i am just putting my next question to you all techies... i am on a network... and i ran an IP vulnerability test which says i am showing a certain IP but i have a different IP altogether in my network and i hope the IP i am showing is a stealth one and i am safe o_O
    take your time guys, i am online late today, i want to get all infos up to date :cool:
     
  20. subratam
    i am sorry but how can i block a certain port in my firewall? i am very much a novice in this and i don't want to take the risk of doing something i am not sure of
    waiting eagerly for a reply
     
  21. DolfTraanberg
    First you might want to run the ShieldsUp! tests from the Steve Gibson site here: http://grc.com/x/ne.dll?rh1dkyd2.
    There you get answers to the various questions you have about public IP addresses and open ports.
    Dolf
     
  22. LowWaterMark (Administrator)
    The netstat results you posted above do not mean that these ports are being allowed in through your firewall... It only means they are listening locally within the system.

    Didn't you scan at online sites and come up with stealth results already? Did you post that somewhere before? If this is the case, then your firewall is blocking 135 already.
     
  23. subratam
    yes, i have been undergoing stealth tests for the last 1 hr or more. does it really help for the firewall i am having?? will the open ports then automatically be guarded??
    thanks in advance
     
  24. subratam
    this is what i got from the Shields UP! file sharing test

    Attempting connection to your computer. . .
    Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!
    Your Internet port 139 does not appear to exist!
    One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
    Unable to connect with NetBIOS to your computer.
    All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.
     
  25. LowWaterMark (Administrator)
    That's a great result. Your configuration appears to be a good one and you are currently protected from external access probes. Good job.
     