TFTP is Trying to Access Internet

Guest
Archived from groups: microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.general (More info?)

Hi All,

I have Windows XP + SP1 with the latest ZoneAlarm installed.

Sometimes ZoneAlarm alerts me that TFTP is trying to access the Internet. When I
checked the properties of TFTP.exe I found that it belongs to Microsoft, and
found info on the internet that it is a limited version of the Microsoft FTP
client.

Why is that executable trying to access the internet? Does that indicate that
some spyware exists on my PC? I have scanned my PC using MS Antispyware BETA
but no spyware was found. (I have AVG Antivirus installed.)

Please suggest.

Thanks
Prabhat
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.general (More info?)

Hi

That file is related to TCP/IP. Have you had any problems with any web
sites if you deny Internet access?

--

Will Denny
MS-MVP Windows Shell/User
Please reply to the News Groups
 
Guest

From: "Prabhat" <not_a_mail@hotmail.com>

| Hi All,
|
| I have Windows XP + SP1 with the latest ZoneAlarm installed.
|
| Sometimes ZoneAlarm alerts me that TFTP is trying to access the Internet. When I
| checked the properties of TFTP.exe I found that it belongs to Microsoft, and
| found info on the internet that it is a limited version of the Microsoft FTP
| client.
|
| Why is that executable trying to access the internet? Does that indicate that
| some spyware exists on my PC? I have scanned my PC using MS Antispyware BETA
| but no spyware was found. (I have AVG Antivirus installed.)
|
| Please suggest.
|
| Thanks
| Prabhat
|

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 
Guest

Will wrote on Tue, 5 Jul 2005 13:34:38 +0100:

> Hi
>
> That file is related to TCP/IP. Have you had any problems with any web
> sites if you deny Internet access?
>
> --
>
> Will Denny
> MS-MVP Windows Shell/User
> Please reply to the News Groups


That file is the Trivial File Transfer Protocol program that comes with
Windows. Its only relation to TCP/IP is that it uses TCP/IP to connect to
TFTP servers.

Most likely there's malware on the machine trying to use it to download
files from a TFTP server. The only time I've ever seen it in use was on a
test web server I had running that suffered from a buffer overflow hack on
its web server software (which incidentally wasn't IIS) and the TFTP
program was launched by the attack to download an executable which would
have opened a "backdoor" into the server (which would have been prevented by
the hardware firewall in place anyway), and after sending to NAI and
Kaspersky it was determined that the TFTP connection had been interrupted so
the executable was incomplete, but enough of it was present for them to be
able to make an analysis and put out signatures. Never had this return
either as the web server software was fixed soon afterwards.

Dan

 
Guest

> That file is related to TCP/IP. Have you had any problems with any web
> sites if you deny Internet access?

Hi, every time it asks permission to connect to the internet I deny it. But I never
had any problem, and later I set the rule in ZoneAlarm to deny every time.
But I just wanted to know: if I have not requested it, then how will it connect
to any FTP server?
 
Guest

Hi David,

Thanks for the info. I will use the script and verify the system. But I have
scanned my system once using NAV 2005 with no result, while recently I used AVG
(which I am currently using) and was able to find one virus on my PC.

Thanks
Prabhat

 
Guest

From: "Prabhat" <not_a_mail@hotmail.com>

| Hi David,
|
| Thanks for the info. I will use the script and verify the system. But I have
| scanned my system once using NAV 2005 with no result, while recently I used AVG
| (which I am currently using) and was able to find one virus on my PC.
|
| Thanks
| Prabhat


There is no OS reason to use TFTP unless you are specifically doing it for a reason such as
using it in a BootP/TFTP process such as configuring network devices such as an Ethernet
switch, Router or print server. Therefore malware is presumed and is highly likely.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
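
The posts above describe two different uses of the Windows TFTP client: malware fetching an executable from an outside server, and ordinary transfers to local network devices. The following Python code is an added example, not code from any poster in this thread; it decodes TFTP packets as laid out in RFC 1350 and flags read requests for executables sent to non-local servers. The sample datagrams, addresses, file names, extension list and function names are all constructed for illustration.

```python
import ipaddress
import struct

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}  # RFC 1350
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".com")  # assumed watch list
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_tftp(payload: bytes) -> dict:
    """Decode one TFTP UDP payload; raise ValueError if it is malformed."""
    if len(payload) < 4:
        raise ValueError("too short for TFTP")
    opcode, second = struct.unpack("!HH", payload[:4])
    name = OPCODES.get(opcode)
    if name is None:
        raise ValueError(f"unknown opcode {opcode}")
    if name in ("RRQ", "WRQ"):
        # Layout: opcode | filename | 0x00 | mode | 0x00
        parts = payload[2:].split(b"\x00")
        if len(parts) < 3 or not parts[0] or not parts[1]:
            raise ValueError("request is missing filename or mode")
        return {"op": name,
                "filename": parts[0].decode("ascii", "replace"),
                "mode": parts[1].decode("ascii", "replace").lower()}
    if name == "DATA":
        return {"op": name, "block": second, "length": len(payload) - 4}
    if name == "ACK":
        return {"op": name, "block": second}
    # ERROR layout: opcode | error code | message | 0x00
    message = payload[4:].split(b"\x00")[0].decode("ascii", "replace")
    return {"op": name, "code": second, "message": message}

def is_local(addr: str) -> bool:
    """True for loopback and RFC 1918 addresses (the LAN side of a home router)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def suspicious_requests(datagrams):
    """Return (server, filename) for executable downloads from non-local servers."""
    hits = []
    for src, dst, dport, payload in datagrams:
        if dport != 69:  # only the initial request goes to UDP port 69
            continue
        try:
            pkt = parse_tftp(payload)
        except ValueError:
            continue  # not TFTP, or truncated capture
        if (pkt["op"] == "RRQ" and not is_local(dst)
                and pkt["filename"].lower().endswith(EXEC_EXT)):
            hits.append((dst, pkt["filename"]))
    return hits

# Constructed sample: (source, destination, destination port, UDP payload)
SAMPLE = [
    ("192.168.1.20", "203.0.113.10", 69, b"\x00\x01update.exe\x00octet\x00"),
    ("192.168.1.20", "192.168.1.1", 69, b"\x00\x01switch.cfg\x00netascii\x00"),
    ("192.168.1.20", "203.0.113.10", 53, b"\x00\x01not-tftp\x00octet\x00"),
    ("192.168.1.20", "203.0.113.10", 69, b"\x00\x09junk"),
]

if __name__ == "__main__":
    for server, filename in suspicious_requests(SAMPLE):
        print(f"outbound TFTP read of {filename} from {server}")
```
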
 
Guest

tftp can be a security risk. If it is attempting to access the Internet
then yes I'd say you have a problem. You cannot remove that file for if you
do you will have System File errors. The file is necessary. If you want to
stop it from accessing the Internet remove all NTFS permissions from it and
I mean all. When you apply updates to Windows XP you may have to reenable
those permissions first by checking Allow permissions to propagate to it.
Then remove them when you are done. Don't worry if you forget Windows will
give you the option to fix the problem and you know what the problem is.

--
George Hester
 

kelly

The Windows firmware update program "tftp.exe", supplied by Linksys and UMAX
as part of their firmware update .exe files. More info on Security listed
here:
http://www.practicallynetworked.com/support/tftp_problem.htm

--

All the Best,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com
 
Guest

From: "Kelly" <kelly@mvps.org>

| The Windows firmware update program "tftp.exe", supplied by Linksys and UMAX
| as part of their firmware update .exe files. More info on Security listed
| here:
| http://www.practicallynetworked.com/support/tftp_problem.htm
|
| --
|
| All the Best,
| Kelly (MS-MVP)
| | Troubleshooting Windows XP

In reference to that URL, storing the Router's password as ClearText in the TFTP client is
hardly a problem if the following are set...

"Block WAN request" -- Enabled
"Remote Management" -- Disabled
"Remote Upgrade" -- Disabled.

However I truly doubt that the OP's problem has anything to do with the TFTP client that
comes with a Router's FirmWare and it is the TFTP client that is used in the OS that is
being used as indicated in the OP's problem.

And I disagree with George's assessment - "You cannot remove that file for if you do you
will have System File errors. The file is necessary". I know of no known reason that
TFTP.EXE would be used in the Windows OS in a kernel functionality. It is a mere client
utility like FTP.EXE and is used by the Windows PC user as needed.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 
Guest

Dave, all I ask you to do is try it. Remove the file if you want. Install a
Service Pack. It will reappear. Better yet, leave it alone. Remove the
permissions from it; it's almost the same thing but isn't.

--
George Hester
 
Guest

From: "George Hester" <hesterloli@hotmail.com>

| Dave all I ask you to do is try it. Remove the file if you want. Install a
| Service Pack. It will reappear. Better yet leave it alone. Remove the
| permissions from it it's almost the same thing but isn't.
|
| --
| George Hester

Well if I delete or rename it, it gets restored. Even w/o installing a SP.
BTW: I am on Win2K and this happens.

I renamed the native TFTP.EXE and dropped a Linksys Read-Only TFTP.EXE file and it was still
auto-replaced.

So if you assert "it is necessary", then what is it used for?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 
Guest

Hi David, thanks for the suggestion and settings.
Prabhat


 
Guest

Where is it connecting to?
--
--------------------------------------------------------------------------------------------------
http://webdiary.smh.com.au/archives/_comment/001075.html
 
Guest

I don't know and I agree having it at all is a security risk. It is a
System Protected file. sfc will gripe if it is not there and if all
permissions are removed on it. But really just leave it where it is.
Remove the permissions and you almost have it "not there." It avoids sfc
issues. It's easy to put it back in by allowing permissions to propagate to
it. That's my suggestion.

--
George Hester