| Windows XP Discuss the Microsoft Windows XP Operating System |
| tftp trying to access internet. Should it? Hello, I have a friend who has Windows XP (updated) running on his PC and he asked me today if a message by zone alarm was anything to worry about. It reported that TFTP application was trying to access the internet. I suggested he deny it for now. Is there any reason the trivial FTP should be accessing a remote website from an XP machine? I did a search on google and discovered that it could be an indication of Nimda or Mblast virus. However, it looks as if these are not a problem for fully updated XP Pro. machines. Any other possibilities or explanations for this? Suggestions? Advice? thanks, ->HS -- Please remove the underscores ( the '_' symbols), if any, from my email address to obtain the correct one. Apologies, but the fudging is to reduce spam. |
| |||
| Re: tftp trying to access internet. Should it? From: "H. S." <greate_x_calibur******.com> | Hello, | I have a friend who has Windows XP (updated) running on his PC and he | asked me today if a message by zone alarm was anything to worry about. | It reported that TFTP application was trying to access the internet. I | suggested he deny it for now. Is there any reason the trivial FTP should | be accessing a remote website from an XP machine? | I did a search on google and discovered that it could be an indication | of Nimda or Mblast virus. However, it looks as if these are not a | problem for fully updated XP Pro. machines. Any other possibilities or | explanations for this? Suggestions? Advice? | thanks, ->>HS Download MULTI_AV.EXE from the URL -- http://www.ik-cs.com/programs/virtools/Multi_AV.exe To use this utility, perform the following... Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS } Choose; Unzip Choose; Close Execute; C:\AV-CLS\StartMenu.BAT { or Double-click on 'Start Menu' in C:\AV-CLS } NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files. C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS} This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site. The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC. You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode. 
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file. http://www.ik-cs.com/multi-av.htm Additional Instructions: http://pcdid.com/Multi_AV.htm * * * Please report back your results * * * -- Dave http://www.claymania.com/removal-trojan-adware.html http://www.ik-cs.com/got-a-virus.htm |
| |||
| Re: tftp trying to access internet. Should it? David H. Lipman wrote: <SNIP> > * * * Please report back your results * * * > > Thanks for the steps. But before I do this (the user is not comfortable with these steps, I have to walk him through this or do this remotely), I would still want to know if an updated XP Pro. is vulnerable to these viruses. ->HS -- Please remove the underscores ( the '_' symbols), if any, from my email address to obtain the correct one. Apologies, but the fudging is to reduce spam. |
| |||
| Re: tftp trying to access internet. Should it? From: "H. S." <greate_x_calibur******.com> | Thanks for the steps. But before I do this (the user is not comfortable | with these steps, I have to walk him through this or do this remotely), | I would still want to know if an updated XP Pro. is vulnerable to these | viruses. Since we don't know what exactly is on the PC, I can't specifically approach the Vulnerability issue. All I can say is that malware is most likely using the TFTP.EXE utility of Windows to send "stuff" home. It may be a Keylogging Trojan or it may be a worm. There is insufficient information to come to a conclusion. -- Dave http://www.claymania.com/removal-trojan-adware.html http://www.ik-cs.com/got-a-virus.htm |
| |||
| Re: tftp trying to access internet. Should it? David H. Lipman wrote: > From: "H. S." <greate_x_calibur******.com> > > > | Thanks for the steps. But before I do this (the user is not comfortable > | with these steps, I have to walk him through this or do this remotely), > | I would still want to know if an updated XP Pro. is vulnerable to these > | viruses. > > Since we don't know what exactly is on the PC, I can't specifically approach the > Vulnerability issue. > > All I can say is that malware is most likely using the TFTP.EXE utility of Windows to send > "stuff" home. It may be a Keylogging Trojan or it may be a worm. There is insufficient > information to come to a conclusion. > Fair enough. One last question before I go all out on the possible rogue program in the computer: is there any valid reason for the XP installation to use tftp? By the way, the XP installation has XP Pro on it, regularly updated, IE 7, Firefox 2.0. Outlook is never used and neither is IE 7. There is no MS office. There is yahoo messenger. MSN is never used. Skype is installed. A typing tutor and vncviewer applications are installed. For security, there is Zone Alarm and Norton antivirus Corp. Ed. 10.0 (also updated). That is about it. -- Please remove the underscores ( the '_' symbols), if any, from my email address to obtain the correct one. Apologies, but the fudging is to reduce spam. |
| |||
| Re: tftp trying to access internet. Should it? From: "H. S." <greate_x_calibur******.com> | Fair enough. | One last question before I go all out on the possible rogue program in | the computer: is there any valid reason for the XP installation to use tftp? | By the way, the XP installation has XP Pro on it, regularly updated, IE | 7, Firefox 2.0. Outlook is never used and neither is IE 7. There is no | MS office. There is yahoo messenger. MSN is never used. Skype is | installed. A typing tutor and vncviewer applications are installed. For | security, there is Zone Alarm and Norton antivirus Corp. Ed. 10.0 (also | updated). That is about it. Not the OS. Only a user. For example, you may use the TFTP client to load a BIOS image on a Router or managed Ethernet Switch. There is NO reason the OS would use TFTP.EXE or the TFTP protocol without a user requesting its use. Thus, if you aren't specifically using it and it is running, the likelihood of malicious activity is very high. -- Dave http://www.claymania.com/removal-trojan-adware.html http://www.ik-cs.com/got-a-virus.htm |
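A triage sketch for the point in the post above, added here as an example and not written by any poster in this thread: it lists every outbound TFTP request (UDP to port 69) a host made and counts attempts per remote address. It assumes the firewall can export a text log with a `#Fields:` header in the W3C style Windows Firewall uses (ZoneAlarm's own log layout differs); the log lines, the addresses and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample log; addresses are documentation/private ranges.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size
2007-01-02 09:14:07 ALLOW UDP 192.168.1.20 192.168.1.1 1041 53 0
2007-01-02 09:14:09 DROP UDP 192.168.1.20 203.0.113.45 1044 69 0
2007-01-02 21:40:51 DROP UDP 192.168.1.20 203.0.113.45 1102 69 0
2007-01-03 08:02:33 ALLOW TCP 192.168.1.20 198.51.100.7 1160 80 0
2007-01-04 10:11:12 DROP UDP 192.168.1.20 198.51.100.99 1207 69 0
2007-01-04 10:15:00 DROP UDP 203.0.113.45 192.168.1.20 69 1300 0
"""

TFTP_PORT = "69"  # TFTP requests are sent to UDP port 69 (RFC 1350)


def outbound_tftp(log_text, local_ip):
    """Return (date, time, action, dst-ip) for each TFTP request sent by local_ip."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log header
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if (row.get("protocol") == "UDP"
                and row.get("dst-port") == TFTP_PORT
                and row.get("src-ip") == local_ip):
            hits.append((row["date"], row["time"], row["action"], row["dst-ip"]))
    return hits


def attempts_by_destination(hits):
    """Count attempts per remote host so repeated contact with one address stands out."""
    return Counter(dst for _, _, _, dst in hits)


if __name__ == "__main__":
    hits = outbound_tftp(SAMPLE_LOG, "192.168.1.20")
    for date, time, action, dst in hits:
        print(date, time, action, "tftp ->", dst)
    for dst, count in attempts_by_destination(hits).most_common():
        print(f"{dst}: {count} attempt(s)")
```

The timestamps of the hits are what to line up against what the user was doing; a request nobody typed is the case the post describes.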
| |||
| Re: tftp trying to access internet. Should it? David H. Lipman wrote: > From: "H. S." <greate_x_calibur******.com> > > > > > | Fair enough. > > | One last question before I go all out on the possible rogue program in > | the computer: is there any valid reason for the XP installation to use tftp? > > | By the way, the XP installation has XP Pro on it, regularly updated, IE > | 7, Firefox 2.0. Outlook is never used and neither is IE 7. There is no > | MS office. There is yahoo messenger. MSN is never used. Skype is > | installed. A typing tutor and vncviewer applications are installed. For > | security, there is Zone Alarm and Norton antivirus Corp. Ed. 10.0 (also > | updated). That is about it. > > > Not the OS. Only a user. > > For example, you may use the TFTP client to load a BIOS image on a Router or managed > Ethernet Switch. > > There is NO reason the OS would use TFTP.EXE or the TFTP protocol without a user requesting > its use. Thus, if you aren't specifically using it and it is running, the likelihood of > malicious activity is very high. > > Here is what I found: 1. Spbot did not find anything. 2. Symantec AV Corp Ed. did not find anything. 3. There are some tftp*.* files in C: like this: C:\Program Files\Symantec AntiVirus\TFTP2920 C:\Program Files\Symantec AntiVirus\TFTP2928 C:\Program Files\Symantec AntiVirus\TFTP3524 C:\WINDOWS\system32\tftp.exe C:\WINDOWS\system32\dllcache\tftp.exe The files in Symantec folder are 0 bytes long. There were only 5 or so attempts by tftp to contact some machine in the last week or so. I checked for the welchia worm, but there is no tftp service running and there is no w32svc or something in the WINDOWS directory. Given the above, any chances of infection? -- Remove underscores, if any, from my email address to obtain the correct one. |
| |||
| Re: tftp trying to access internet. Should it? H. S. wrote in message: > I have a friend who has Windows XP (updated) running on his PC and he > asked me today if a message by zone alarm was anything to worry about. > It reported that TFTP application was trying to access the internet. I > suggested he deny it for now. Is there any reason the trivial FTP > should be accessing a remote website from an XP machine? > > I did a search on google and discovered that it could be an indication > of Nimda or Mblast virus. However, it looks as if these are not a > problem for fully updated XP Pro. machines. Any other possibilities or > explanations for this? Suggestions? Advice? Take a look at info on W32.Spybot.ACYR at http://www.symantec.com/security_res...302-99&tabid=2 -- Dave |
| |||
| Re: tftp trying to access internet. Should it? Daave wrote: > > Take a look at info on W32.Spybot.ACYR at > http://www.symantec.com/security_res...302-99&tabid=2 > > Yes, I did that last night but did not find the signatures of infection. e.g. there was no %Windir%\w32svc.exe file. -- Please remove the underscores ( the '_' symbols), if any, from my email address to obtain the correct one. Apologies, but the fudging is to reduce spam. |
| |||
| Re: tftp trying to access internet. Should it? From: "H.S." <great_excalibur******.com> | Here is what I found: | 1. Spbot did not find anything. | 2. Symantec AV Corp Ed. did not find anything. | 3. There are some tftp*.* files in C: like this: | C:\Program Files\Symantec AntiVirus\TFTP2920 | C:\Program Files\Symantec AntiVirus\TFTP2928 | C:\Program Files\Symantec AntiVirus\TFTP3524 | C:\WINDOWS\system32\tftp.exe | C:\WINDOWS\system32\dllcache\tftp.exe | The files in Symantec folder are 0 bytes long. There were only 5 or so | attempts by tftp to contact some machine in the last week or so. I | checked for the welchia worm, but there is no tftp service running and | there is no w32svc or something in the WINDOWS directory. | Given the above, any chances of infection? Still high. Albeit I'm miffed about the TFTP files in; C:\Program Files\Symantec AntiVirus The Welchia is just one of numerous from the Mocbot to the SDBot. http://www.sophos.com/support/knowle...&action=search Please run the Multi AV Scanning Tool. -- Dave http://www.claymania.com/removal-trojan-adware.html http://www.ik-cs.com/got-a-virus.htm |