Rhiandra is in Desperate Need of PC Help!

Where any Tech issues can be taken up and planned by our highly trained and unbelievably skilled computer geeks.

Postby Rhiandra Rangnar » Mon Aug 11, 2003 7:31 pm

Ok, so I've been getting a system shutdown message after about 5 minutes online, every time. It gives 60 seconds then it reboots me.


Upon reboot I am getting a Windows cannot open this file message. The file not being found is read to be: File: TFTP3284

Well, I was able to find this at a site called FILExt.com



TFTPxxx File Info - PLEASE READ! New Info as of 8/7/2003


DaBoss
Posted: Tue Aug 05, 2003 9:29 am Post subject: TFTPxxx File Info - PLEASE READ! New Info as of 8/7/2003

--------------------------------------------------------------------------------

Many people are getting an error about a file of the format TFTPxxx (xxx being a number) showing up during their computer restart process.

These files appear to be either temporary or marker files left behind by a Trojan running the TFTPD.EXE Windows application (this is a valid Windows file being used by the Trojan; likely to attempt file sharing between systems). This is an exploit of a new Windows vulnerability. The following Windows vulnerability...

http://support.microsoft.com/?kbid=823980

...has been announced and various Anti-virus makers report an increasing amount of traffic attempting to probe that vulnerability in Windows.

These attacks will only increase over time unless people IMMEDIATELY download and install the Windows patch described above. You can further help yourself by installing a firewall of some sort between you and the Internet. There are a number of free software firewalls that work just fine. Two, in particular, are often mentioned...

Sygate Personal Firewall - http://www.sygate.com/
Zone Alarm by ZoneLabs - http://www.zonelabs.com/

FILExt takes no position on which one of these (or others) you should use. It's your choice but you should make the choice and use something. If you have a continuous connection to the Internet instead of dial-up you should strongly consider getting a hardware firewall.

The TFTPxxx files appear to be in the Startup Group in Windows. You should be able to see them in the directory...

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TFTPxxxx

...or by choosing Start | Program Files | Startup

Delete these files (they may be read only and, if so, you may have to right click the file, select Properties, and uncheck the ReadOnly attribute).

That should solve the immediate TFTPxxx file showing up at system start problem.

Now comes the worse part...getting rid of whatever caused the problem. For this you really should have updated anti-virus software. By scanning your system it should find and handle the appropriate files for you. Again, FILExt makes no specific recommendation if you don't have any. A list of the major anti-virus software vendors can be found here...

http://www.cknow.com/vtutor/vtavsoftware.htm

So far, two different things have been identified as coming through the RPC vulnerability: Trojan/Autoroot and W32.Spybot.Worm. (Note: It's possible these are the same thing as different companies call the same malware by different names at times. It takes a while for the various companies to update their listings with all the different names.)

In addition to the TFTPxxx files, the following file names have also been implicated in this incident and related to Spybot.Worm:

C:\WINDOWS\system32\ijexwcessr.exe
C:\WINDOWS\pss\webdav.exeCommon Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\webdav.exe
C:\WINDOWS\pss\TFTPxxxCommon Startup
C:\WINDOWS\pss\TFTPxxxCommon Startup
C:\WINDOWS\System32\MSCONFIG32.EXE

(In all cases the "xxx" is some number.)

In the Trojan/Autoroot case the following file names appear:

RPC.EXE, RPCTEST.EXE, TFTPD.EXE, WORM.EXE, LOLX.EXE and DCOMX.EXE (WORM.EXE is an SFXArchive that contains the three files RPC.EXE, RPCTEST.EXE and TFTPD.EXE.)

Finally, some folks have found a program named like TFTP.EXE-2FB50BCA.pf (the number may vary). This program also seems related to this incident and should probably be copied off to disk (so you can recover it if it turns out to be a red herring and not related to this incident).

So, in short, be certain to get that patch whatever you do. The more patched systems, the less the new exploits will spread to others. Then, be certain to scan your system with updated anti-virus software and keep it up to date on a daily basis as the AV companies are fighting this thing as I write this.

This will probably be the last update as performing the tasks highlighted above should stop the attacks and clean your system(s) regardless of any new details that might come out.

Good luck.
_________________
Tom
DaBoss @ FILExt.com

__________________________________________

My problem is do I trust this site or is this linked to the problem I have and thus creating a bigger problem for me?


All I know is atm I'm screwed and can do nothing until I figure out what's up.



Please help me.
Rhiandra Rangnar
EQ ----> DAoC ----> WoW ----> boredom
[fade]Over 1 million mezzed and counting .........[/fade]

My candle burns at both ends;
It will not last the night;
But ah, my foes, and oh, my friends -
It gives a lovely light!
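
As an added example (not part of the original thread or of FILExt's notice), the file names and folders listed in the quoted notice can be turned into a small triage pass over a directory listing. The sample listing, the labels and the two confidence levels are constructed for illustration; a name-only hit is a prompt for manual review, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Directories the notice names, lower-cased for comparison.
STARTUP = r"c:\documents and settings\all users\start menu\programs\startup"
PSS = r"c:\windows\pss"
SYS32 = r"c:\windows\system32"

# (label, file-name pattern, directories the notice gives; empty = none given)
INDICATORS = [
    ("TFTPxxx marker", r"tftp\d+(common startup)?", (STARTUP, PSS)),
    ("Spybot.Worm", r"webdav\.exe(common startup)?", (STARTUP, PSS)),
    ("Spybot.Worm", r"ijexwcessr\.exe|msconfig32\.exe", (SYS32,)),
    ("Trojan/Autoroot", r"(rpc|rpctest|tftpd|worm|lolx|dcomx)\.exe", ()),
    ("TFTP prefetch trace", r"tftp\.exe-[0-9a-f]+\.pf", ()),
]

def triage(path):
    """Return (label, confidence) for one path, or None if no name matches."""
    p = PureWindowsPath(path)
    name, folder = p.name.lower(), str(p.parent).lower()
    for label, pattern, dirs in INDICATORS:
        if re.fullmatch(pattern, name):
            # A bare name match can collide with a legitimate file, so rank it lower.
            return label, "name+location" if folder in dirs else "name-only"
    return None

def scan(listing):
    """Triage every non-empty line of a `dir /s /b` style listing."""
    hits = {}
    for line in filter(None, map(str.strip, listing.splitlines())):
        if (result := triage(line)) is not None:
            hits[line] = result
    return hits

# Constructed listing for illustration; not taken from a real system.
SAMPLE = r"""
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TFTP3284
C:\WINDOWS\pss\webdav.exeCommon Startup
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\Tools\rpc.exe
C:\WINDOWS\Prefetch\TFTP.EXE-2FB50BCA.pf
C:\WINDOWS\system32\tftp.exe
"""

if __name__ == "__main__":
    for path, (label, confidence) in scan(SAMPLE).items():
        print(f"{confidence:14} {label:20} {path}")
```

The last sample line, the stock `tftp.exe` client, is deliberately not flagged: only the numbered `TFTPxxx` markers and the `TFTPD.EXE` name from the notice match.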


Postby barbos » Mon Aug 11, 2003 7:54 pm

http://securityresponse.symantec.com/av ... .worm.html

From Symantec... I think that is related to what you have... When you remove it (or before) I would definitely do the windows update thing so it doesn't come back..

There are major exploits going left and right with Windows (and I think I've heard the Department of Home Defense has suggested that Microsoft needs to get to fixing these vulnerabilities)

Just don't install the three programs FILExt recommends =)


Postby Rhiandra Rangnar » Mon Aug 11, 2003 9:15 pm

......


Virus

Postby Winke » Mon Aug 11, 2003 10:14 pm

Rhi you have a worm in your system, the files you described belong to that worm. I had it and my Norton AV cleaned it.

Winke


Postby Bulor » Mon Aug 11, 2003 10:22 pm

REFORMAT it's the best option ever
DAOC-SOLD
Lieph (heal)/ Sapporo & Djur(Sham)/ Qute & Brail(SBs)/ Bulor (war)/ Blackroc (ska)/ Antigun & Antigunn (SMs)
WOW-SOLD
Lieph (Warlock) / Vexi (Hunter)
WAR- CLOSED BETA!


Postby Beratuul » Mon Aug 11, 2003 11:47 pm

Ok:

Then you need to be aware that at this point, you probably have a virus.

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

This virus is currently propagating *automatically* as a worm. This worm not only can give someone control over your computer (backdoor), but it will also cause your computer to launch a denial of service attack against Microsoft on the 16th of August.

Please be aware that if your computer rebooted due to the RPC vulnerability, you may have suffered more than just a bit of "lost work" due to the reboot -- you may also be infected with the Blaster.Worm.

------------------------------------------------------------------------------------

It looks like removal isn't very difficult, after you've installed the Microsoft Patch -- seems that pretty much all you need to do is go into the registry, navigate to HKEY_Local_Machine/Software/Microsoft/Windows/CurrentVersion/RUN and disable the "MBLAST.EXE" line..

McAfee has also updated their "Stinger" software to automatically(?) remove this trojan/worm/virus:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547




*Do not re-format...* it's fixed easy.
Casper, Svenegal, Tassadar, Maurs, Maurier, Perigrine, Du Maurier ( I go by these names).

My shit tastes like corn.


Postby Abysmal » Tue Aug 12, 2003 6:23 am

I had exactly the same thing happen yesterday, I would start up, and 5 min later get a message that I'm being shut down, with a 1 min timer.
I'm just finishing up reinstalling windows now :)

I couldn't stay on long enough to search for a cure, so I just got out my CDs and started from scratch. Guess it serves me right, I have never used any kind of anti-virus program before. 5 years and no problems, this is a first for me.


Postby barbos » Tue Aug 12, 2003 7:47 am

I have done some research.

Firstly this worm is spread through a vulnerability in windows, so you don't have to download it, or get it in an email, it is deposited on your computer.

I've read that it doesn't shutdown unless you are connected to the internet (so disconnecting can keep your system up and running), and should your computer start shutting down, you can go to your start menu, click run, and type

shutdown -a

and it should abort the shutdown.

Microsoft has patches that will fix the vulnerability:
Windows 2000
Windows XP

The Symantec FixBlast tool can be downloaded here.

It is important you disable System Restore before running the removal tool or your problem could return. [ Instructions for XP ]

*edit Symantec's site isn't working well for System Restore. I'll link Microsoft's overly worded confusing article here.

Click for more information about the removal tool

Another thing you can do is search for MSBLAST.EXE and remove it. I would do it after running the removal tool.

I hope this is helpful... (moving to general discussion since non BWC may encounter this problem)
Last edited by barbos on Sat Oct 04, 2003 8:24 pm, edited 1 time in total.


Postby Finch » Tue Aug 12, 2003 1:43 pm

http://windowsupdate.microsoft.com

Rhia go there hun and just download all the critical updates and service packs :)

Any problems PM me on vn or ingame after 6:30 PM Est after work :D


Postby barbos » Tue Aug 12, 2003 2:30 pm

lol, well the worm does try and prevent microsoft update from running, and then attempts to shut the computer down every couple of minutes after an internet connection is detected...


Postby Finch » Tue Aug 12, 2003 2:51 pm

I had this worm last week.. F8 run safe mode with Networking support. Download the updates.. I didn't even need to do this I just ran the update.


Postby barbos » Tue Aug 12, 2003 4:14 pm

running the updates will prevent it from coming back, but you still have to get it off...


Postby Rhiandra Rangnar » Tue Aug 12, 2003 4:48 pm

attempting to solve problems now, I pray I can stay connected long enough to do so.

Thank you all for your input and help.


wish me luck