Port Explorer v1.200 and NOD32

Discussion in 'Port Explorer' started by Phil, Nov 16, 2002.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

    LOLOLOL Thumping Gizzard is good phil

    or AV with high blood pressure?
     
  2. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    *writes Phil's name on cookie* if i could give you one right now i would! LOL!

    yep! i had gone through the "Directory" and of course it didn't show me the file so i thought, alrighty, i'll just type the name of it in there-----but AMON didn't want it that way...so it hadn't worked.

    i followed your directions Phil and AMON no longer scanned vdmdbg.dll but then started scanning the psapi.dll instead, so i put that one in the exclude list too and now AMON is much quieter. :D

    i think you deserve another cookie for solving another problem i had seen with PortExplorer's menu bar going black on me when i ran the mouse over it.....right now that doesn't seem to be happening. i am thinking since i excluded those two files from being scanned by AMON that it's fixed that too!

    thank you Phil!

    snap

    oh....and it's a "beating web muscle"...:D....gizzard indeed! ROFL!
     
  3. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Hey! ... I'm hungry, too!

    That's GREAT! I'm glad it worked for you. You didn't know it but AMON was *always* scanning psapi.dll. It was just scanning the other one SO many times it was covering up the scan of vdmdbg. I guess it would be more correct to say vdmdbg is being called that much more by PE and AMON is properly scanning it for virus activity.

    You are very welcome. I'm glad the info helped. I guess AMON scanning those files could have caused the other problem. <shrug> It's Winders -- who can say!

    Humm -- let me think about that for a minute.
    <tapping fingers>
    <scratching head>
    Nah. I like the gizzard thing better. I do have *other* names for it like pulsing pimple and a few I better not mention. Once I had it on-screen and was asked what it was by a non-puter person. I told them it is a self-portrait of me as an embryo. :D

    Now, let's get back to those cookies....

    Phil
     
  4. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    It's actually the beating heart of Vlad Tepes. (I think he was one of Palo's ancestors, but don't quote me on that.) :eek:
     
  5. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Oh, no! Not the Impaler!! You hang around Palo much late at night? :D

    Phil
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    1) I would like to know if people without NOD32 have the same problem.
    Sorry for forgetting AMON is the heart of NOD32, haven't used it too long but it's on my wishlist. Many TDS users have it beside TDS, WG and PE.
    I would not like to be without such scans too long either, but WinTasks or the like might streamline the order of starting processes anyway.
    So this is why i urgently ask reactions of not NOD and other NOD users on various windows versions.

    2) Both files you mention do originally not belong to PE. If you use for instance the frequently mentioned (free) tool Fabertoys (www.faberbox.com) you'll see a very valuable tool showing you exactly by program and process which files are started with them and more. These dll's you mention are not among them on my system.
    So i don't know if those belong to XP, NOD32 or another program.
    And mind: Snap tells to use the PE 1.1 version, and NOD32 / AMON scanning like crazy those files, but not causing the freezing effect there is with Phil with PE 1.200.
    So Phil, are there any other files involved, can you please look with one of your tools or Fabertoys for what exactly is running with PE and NOD or AMON and if there might be other files involved in the scanning too?
    Snap, are those files scanned that frequently with PE 1.1 not activated?
    PE is always running in the background, the PE we start manually is only the GUI to look at what is happening inside the system: see when you start it, you'll see for IE or OE for instance already all the amount of packets sent and received since reboot, not start at 0 right after starting PE.
    So this is why it is very surprising if this scanning would start the moment you open the PE GUI, but for the DCS developers might ease the location of the matter.


    3) I don't see any reason for an unexpected problem a third party product causes suddenly because of the use of PE to name PE a beta product. It was beta tested thoroughly and no problems of this kind have showed up, or if there would have been it is ironed out. We all know NOD and PE 1.200 have been tested together thoroughly and will more to find the matter and both or at least one of them will have to look at their product. Be assured there are good contacts between those serious developers so they'll solve the problem asap as ever.
    These things happen all over and never ever any third party product was mentioned a beta product because of such things.
    The only constant beta we have to deal with is Windows, all operating systems and constantly under construction thanks to the millions of beta testers like all of us.
    Of course it is sad to run into this unexpected matter but for sure it does not degrade NOD nor PE to a beta product. It's the AMON going crazy, not PE, that one runs fine and stable as far as i understand the story.
     
  7. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    > Oh, no! Not the Impaler!!

    That's the dude!

    > You hang around Palo much late at night?

    Yeah ... we're old drinking buddies ... he still has the punctures on his neck from our last session.
     
  8. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Hi Jooske

    Here is a small capture of PE using those dlls just a few minutes ago on my system. No other app is using them. I can see literally thousands of these in a minute or so.

    2:29:22 AM   PortExplorer.ex:940   IRP_MJ_QUERY_INFORMATION   C:\WINDOWS\System32\PSAPI.DLL   SUCCESS   FileNameInformation
    2:29:22 AM   PortExplorer.ex:940   IRP_MJ_CLEANUP   C:\WINDOWS\System32\PSAPI.DLL   SUCCESS
    2:29:22 AM   PortExplorer.ex:940   IRP_MJ_CLOSE   C:\WINDOWS\System32\PSAPI.DLL   SUCCESS
    2:29:22 AM   PortExplorer.ex:940   IRP_MJ_CREATE   C:\WINDOWS\System32\VDMDBG.DLL   SUCCESS   Attributes: Any Options: Open
    2:29:22 AM   PortExplorer.ex:940   FASTIO_QUERY_STANDARD_INFO   C:\WINDOWS\System32\VDMDBG.DLL   SUCCESS   Size: 24064
    2:29:22 AM   PortExplorer.ex:940   IRP_MJ_CLEANUP   C:\WINDOWS\System32\VDMDBG.DLL   SUCCESS
    2:29:22 AM   PortExplorer.ex:940   IRP_MJ_CLOSE   C:\WINDOWS\System32\VDMDBG.DLL   SUCCESS

    Neither is going crazy. :D PE is calling the dlls and AMON is scanning them as it is designed to do. I have every confidence the DCS guys will get this sorted.

    Phil
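An added example, not part of Phil's post or of Port Explorer or NOD32: a small parser for Filemon-style rows like the capture above that counts how often one process re-opens the same file within a single second, since each IRP_MJ_CREATE is an open that an on-access scanner such as AMON will rescan. The log lines below are constructed in that column layout, not taken from the real capture.

```python
import re
from collections import Counter

# Constructed sample rows in Filemon's layout (time, process:pid, operation,
# path, result, extra), tab separated. Not Phil's actual capture.
SAMPLE_LOG = """\
2:29:22 AM\tPortExplorer.ex:940\tIRP_MJ_CREATE\tC:\\WINDOWS\\System32\\VDMDBG.DLL\tSUCCESS\tAttributes: Any Options: Open
2:29:22 AM\tPortExplorer.ex:940\tFASTIO_QUERY_STANDARD_INFO\tC:\\WINDOWS\\System32\\VDMDBG.DLL\tSUCCESS\tSize: 24064
2:29:22 AM\tPortExplorer.ex:940\tIRP_MJ_CLOSE\tC:\\WINDOWS\\System32\\VDMDBG.DLL\tSUCCESS
2:29:22 AM\tPortExplorer.ex:940\tIRP_MJ_CREATE\tC:\\WINDOWS\\System32\\PSAPI.DLL\tSUCCESS\tAttributes: Any Options: Open
2:29:22 AM\tPortExplorer.ex:940\tIRP_MJ_CLOSE\tC:\\WINDOWS\\System32\\PSAPI.DLL\tSUCCESS
2:29:23 AM\tPortExplorer.ex:940\tIRP_MJ_CREATE\tC:\\WINDOWS\\System32\\VDMDBG.DLL\tSUCCESS\tAttributes: Any Options: Open
2:29:23 AM\tPortExplorer.ex:940\tIRP_MJ_CLOSE\tC:\\WINDOWS\\System32\\VDMDBG.DLL\tSUCCESS
2:29:23 AM\tPortExplorer.ex:940\tIRP_MJ_CREATE\tC:\\WINDOWS\\System32\\VDMDBG.DLL\tSUCCESS\tAttributes: Any Options: Open
2:29:23 AM\tPortExplorer.ex:940\tIRP_MJ_CLOSE\tC:\\WINDOWS\\System32\\VDMDBG.DLL\tSUCCESS
2:29:23 AM\tsmc.exe:512\tIRP_MJ_CREATE\tC:\\Sygate\\smc.exe\tSUCCESS\tAttributes: Any Options: Open
"""

PROC_RE = re.compile(r"^(?P<name>.+):(?P<pid>\d+)$")


def parse_filemon_line(line):
    """Split one Filemon row (tabs or runs of 2+ spaces) into its fields.
    Returns None for rows lacking time, process, operation, path, result."""
    fields = [f for f in re.split(r"\t|\s{2,}", line.strip()) if f]
    if len(fields) < 5:
        return None
    m = PROC_RE.match(fields[1])
    if not m:
        return None
    return {
        "time": fields[0],
        "process": m.group("name"),
        "pid": int(m.group("pid")),
        "op": fields[2],
        "path": fields[3].upper(),  # NTFS paths are case-insensitive
        "result": fields[4],
        "detail": " ".join(fields[5:]),
    }


def hot_files(log_text, opens_per_second=2):
    """Return (process, path, peak opens in one second) for every file a
    process re-opens at least opens_per_second times within one second."""
    per_second = Counter()
    for line in log_text.splitlines():
        ev = parse_filemon_line(line)
        if ev and ev["op"] == "IRP_MJ_CREATE":
            per_second[(ev["process"], ev["path"], ev["time"])] += 1
    peak = {}
    for (proc, path, _t), n in per_second.items():
        peak[(proc, path)] = max(peak.get((proc, path), 0), n)
    return sorted((p, f, n) for (p, f), n in peak.items() if n >= opens_per_second)


if __name__ == "__main__":
    for proc, path, n in hot_files(SAMPLE_LOG):
        print(f"{proc} re-opens {path} up to {n}x per second")
```

On a real Filemon export the threshold would be raised well above 2; the point is that the file being hammered, not the scanner, is what to look for before adding anything to an exclude list.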
     
  9. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Sorry, Jooske -- I missed this part.

    No, there are no other files involved. As soon as I excluded the main PE executable file from AMON scanning, the system freezing stopped. I am still running ver1.2 now with NO problems after I did the exclusion. Remember, I did not have this problem with PE ver 1.101. It did not start until I installed ver1.2. AMON was scanning the dlls thousands of times with ver 1.101 but that was not causing any system slow down. That did not show up until ver 1.200.

    Phil
     
  10. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Jooske! - i also have both vdmdbg.dll and psapi.dll on my Win98se too. In fact, i have two instances of the psapi.dll on that system - one in the TrojanHunter folder (psapi.dll ver 4) and one in the WINDOWS\System folder (Psapi.dll ver 5).
    * adding - on the XP i have 4 instances of psapi.dll.
    1 in the Windows>ServicePackUninstall folder
    1 in the Windows>ServicePackFiles>i386 folder
    1 in the Windows>System32 folder and
    1 in the ProgramFiles>TrojanHunter folder

    only 1 instance of the vdmdbg.dll on each computer.

    on my Win98se, know they are not scanned hardly at all and i have the same applications running on that system as i do on the XP-Home system. On the Win98se system, i have not yet blocked the above mentioned files in AMON's exclude list, and AMON seems to mostly want to scan Sygate's (firewall) files on the Win98se system.

    i unblocked both files on the XP system and AMON didn't scan them until i opened PE's GUI...then it scans over and over again within seconds between Sygate's smc.exe and the vdmdbg.dll. If i block the vdmdbg.dll and open PE's GUI, then AMON starts scanning between smc.exe and psapi.dll. If i block the psapi.dll, then AMON settles on smc.exe (which is ok with me) and any other file that might be activated as i use the system.

    (sorry for posting so late...i was not at this computer for a bit)

    hope that helps Jooske....and you are right, they will figure it out. This could be more an XP thingie too. ;)

    snap

    - edited to add the above*
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    So the files from your snap must be XP related maybe; are there more people with different windows versions to see if those are there? Not on my win98se.

    Thought it was Snap's writing AMON scanning those files like crazy also in the PE 1.1 version, but not causing the problem (yet).
    That's why i wondered if there were more new things showing up in the PE 1.2, something extra or different which seems the possible culprit.
    Of course i'm really sorry you run into this problem, but as we expect also many NOD32 users interested in PE (nodding kindly to Rodzilla) --and even in the about impossible case they would not be-- both developers will look to make them running smoothly together again.
    So your determinations and observations are of great value with working to this solution.
    Thanks a lot for your patience!
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Jooske,

    This might be of help: Taskmgr.exe utilizes a mix of the Process Status API (PSAPI.DLL) and the Virtual DOS Machine Debug API (VDMDBG.DLL) to present a uniform list of 16-bit and Win32-based applications.

    regards.

    paul
     
  13. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    You are right Jooske - i am not having any system slow downs or freezes on either computer that i have noticed and i have everything open that i usually would on both of them (right now).

    i also have PE version 1.1 and as stated above, AMON is scanning like crazy those files on the XP-Home, but seems to be leaving them pretty much alone on the Win98se.....why? i have no idea. LOL....but i don't think i would want to risk updating right now to the PE version 1.2, especially on the Win98se since it doesn't have the ability to hold the resources like XP and it also only has 128MB memory. LOL!

    snap

    *adding: i just remembered something.....NOD32 is different for Win98se isn't it? Maybe there is something in that difference that might be the reason it isn't scanning those files like it is on the XP's...o_O just a thought and a guess. ;)
     
  14. bibbe

    bibbe Registered Member

    Joined:
    Oct 25, 2002
    Posts:
    86
    Location:
    Sweden
    I am running Windows Me with ZAP, NOD and regrun and I find the psapi.dll in C:\Program\Microsoft IntelliPoint 4.0\Mouse\SETU and in C:\Program\MicrosoftHardware\Keyboard; the vdmdbg.dll I find in C:\WINDOWS\SYSTEM
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Snap, thanks for your explanations. I should have looked deeper, as i do have those files and indeed of the psapi.dll various instances; did not see them called by PE in the Faber Toys, so forgot their existence.
    See now what it is good for, so can imagine it's called and thus scanned. (You'll love FT as much as i do for such analyses).

    So do you have the NOD32 on the win98Se system too, and PE 1.1 to try that out? and if so, is it scanning there those two dll's in the fast run too the moment PE is started? Would be interesting to see what happens there with PE 1.2 and NOD32.
    Not sure if the eval PE is version 1.2 too at the moment and would cause the same.

    Good that Rodzilla came into this thread as well, to ensure in NOD was not changed a thing in the recent meantime, so we can concentrate on PE.
     
  16. controler

    controler Guest

    Jooske

    Thanks for the tip on Faber Toys.. Looks like a pretty cool program.

    I am wondering if anybody still uses Dr. Watson?

    In Windows XP System32 folder

    or just do a search for it with a *watson.*

    Then you can right click on that and add a shortcut to your desktop.
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Even in the greatest trouble on my system long ago drwatson was always telling all was ok, so for me not really reliable.
    Maybe in combination with the fully functional PE / TDS / WG / FT and whatever more we like (wintasks is a nice tool too).
     
  18. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Jooske

    I took a look at the tool you mention above and it seems a nice little process viewer with some added goodies. I have a preference for the tools from Sysinternals. You might want to take a look at their free offerings. There is no "install", you just unzip them where you want and run. They are all very small, very useful, and very cool. :cool:

    http://www.sysinternals.com/win9x/98utilities.shtml

    The above link will take you to the 9x section. For the task at hand, I would recommend Process Explorer (similar to yours), Filemon (which shows all file access activity in real time), and Regmon. You may want to take a look at the others while there - a good description is provided for each. Enjoy!

    Phil
     
  19. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Problem should be fixed in the next version. Thanks Phil and the rest.
    -Jason-
     
  20. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    That's GREAT news, Jason! Thanks for the heads-up.

    I have noticed what appears to be a little more weirdness in ver 1.200. Post here or email?

    Phil
     
  21. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Thank you Jason and Jooske!

    looking forward to the next version - meanwhile, i am just gonna play with it! :D 'tis SO COOL!

    snap
     
  22. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Phil if you think people will benefit from hearing the weirdness then post it here, otherwise send me an email :) . Doesn't matter which way.
    -Jason-
     
  23. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    I had the same winter freeze with (Win98) PE and Nod. I can't use PE at all presently. No biggy I will wait for next build.
    zappa
     
  24. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    We've identified why Nod32's scanner is having problems with PE and we've made some changes that should work around it - tests here indicate that the problem is now fixed. We hope to release the next update within the next day or two, thanks for your patience!
     
  25. Pitbull

    Pitbull Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    9
    Location:
    England
    Wayne,

    Care to share some details ?

    I've had a long running problem with Amon on my Win2K system such that it appears to be constantly scanning smc.exe (Sygate Personal Firewall) and autoexec.bat.

    Just wondering if this is a related problem...
     