Rhiandra is in Desperate Need of PC Help!
Posted: Mon Aug 11, 2003 7:31 pm
Ok, so I've been getting a system shutdown message after about 5 minutes online, every time. It gives 60 seconds then it reboots me.
Upon reboot I am getting a Windows cannot open this file message. The file not being found is read to be: File: TFTP3284
Well, I was able to find this at a site called FILExt.com
TFTPxxx File Info - PLEASE READ! New Info as of 8/7/2003
DaBoss
Site Admin
Joined: 11 Mar 2003
Posts: 478
Location: Santa Maria, CA
Posted: Tue Aug 05, 2003 9:29 am Post subject: TFTPxxx File Info - PLEASE READ! New Info as of 8/7/2003
--------------------------------------------------------------------------------
Many people are getting an error about a file of the format TFTPxxx (xxx being a number) showing up during their computer restart process.
These files appear to be either temporary or marker files left behind by a Trojan running the TFTPD.EXE Windows application (this is a valid Windows file being used by the Trojan; likely to attempt file sharing between systems). This is an exploit of a new Windows vulnerability. The following Windows vulnerability...
http://support.microsoft.com/?kbid=823980
...has been announced and various Anti-virus makers report an increasing amount of traffic attempting to probe that vulnerability in Windows.
These attacks will only increase over time unless people IMMEDIATELY download and install the Windows patch described above. You can further help yourself by installing a firewall of some sort between you and the Internet. There are a number of free software firewalls that work just fine. Two, in particular, are often mentioned...
Sygate Personal Firewall - http://www.sygate.com/
Zone Alarm by ZoneLabs - http://www.zonelabs.com/
FILExt takes no position on which one of these (or others) you should use. It's your choice but you should make the choice and use something. If you have a continuous connection to the Internet instead of dial-up you should strongly consider getting a hardware firewall.
The TFTPxxx files appear to be in the Startup Group in Windows. You should be able to see them in the directory...
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TFTPxxxx
...or by choosing Start | Program Files | Startup
Delete these files (they may be read only and, if so, you may have to right click the file, select Properties, and uncheck the ReadOnly attribute).
That should solve the immediate TFTPxxx file showing up at system start problem.
Now comes the worse part...getting rid of whatever caused the problem. For this you really should have updated anti-virus software. By scanning your system it should find and handle the appropriate files for you. Again, FILExt makes no specific recommendation if you don't have any. A list of the major anti-virus software vendors can be found here...
http://www.cknow.com/vtutor/vtavsoftware.htm
So far, two different things have been identified as coming through the RPC vulnerability: Trojan/Autoroot and W32.Spybot.Worm. (Note: It's possible these are the same thing as different companies call the same malware by different names at times. It takes awhile for the various companies to update their listings with all the different names.)
In addition to the TFTPxxx files, the following file names have also been implicated in this incident and related to Spybot.Worm:
C:\WINDOWS\system32\ijexwcessr.exe
C:\WINDOWS\pss\webdav.exeCommon Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\webdav.exe
C:\WINDOWS\pss\TFTPxxxCommon Startup
C:\WINDOWS\pss\TFTPxxxCommon Startup
C:\WINDOWS\System32\MSCONFIG32.EXE
(In all cases the "xxx" is some number.)
In the Trojan/Autoroot case the following file names appear:
RPC.EXE, RPCTEST.EXE, TFTPD.EXE, WORM.EXE, LOLX.EXE and DCOMX.EXE (WORM.EXE is an SFX archive that contains the three files RPC.EXE, RPCTEST.EXE and TFTPD.EXE.)
Finally, some folks have found a program named like TFTP.EXE-2FB50BCA.pf (the number may vary). This program also seems related to this incident and should probably be copied off to disk (so you can recover it if it turns out to be a red herring and not related to this incident).
So, in short, be certain to get that patch whatever you do. The more patched systems, the less the new exploits will spread to others. Then, be certain to scan your system with updated anti-virus software and keep it up to date on a daily basis as the AV companies are fighting this thing as I write this.
This will probably be the last update as performing the tasks highlighted above should stop the attacks and clean your system(s) regardless of any new details that might come out.
Good luck.
_________________
Tom
DaBoss @ FILExt.com
__________________________________________
My problem is, do I trust this site, or is this linked to the problem I have and thus creating a bigger problem for me?
All I know is atm I'm screwed and can do nothing until I figure out what's up.
Please help me.
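An added example, not part of the original post or of the quoted FILExt notice: a small Python triage that checks a saved file listing against the file names and locations the notice gives. The sample listing, the `C:\WINDOWS\Prefetch` location and the 8-hex-digit prefetch pattern are assumptions made for the illustration; a hit on a bare file name is only a lead for the anti-virus scan the notice recommends.

```python
import re
from pathlib import PureWindowsPath

# Paths and names are those listed in the quoted notice, lowercased for comparison.
STARTUP = r"c:\documents and settings\all users\start menu\programs\startup"
PSS = r"c:\windows\pss"
EXACT = {
    r"c:\windows\system32\ijexwcessr.exe": "Spybot.Worm file",
    r"c:\windows\system32\msconfig32.exe": "Spybot.Worm file",
    STARTUP + r"\webdav.exe": "Spybot.Worm startup entry",
    PSS + r"\webdav.execommon startup": "Spybot.Worm startup entry (pss copy)",
}
AUTOROOT_NAMES = {"rpc.exe", "rpctest.exe", "tftpd.exe", "worm.exe", "lolx.exe", "dcomx.exe"}
TFTP_MARKER = re.compile(r"tftp\d+")              # the "xxx" is some number
TFTP_PSS = re.compile(r"tftp\d+common startup")
# Assumption: the varying part of TFTP.EXE-2FB50BCA.pf is always 8 hex digits.
TFTP_PREFETCH = re.compile(r"tftp\.exe-[0-9a-f]{8}\.pf")

def classify(path):
    # Returns a label when the path matches an indicator from the notice, else None.
    p = PureWindowsPath(path.strip().lower())
    parent, name = str(p.parent), p.name
    if str(p) in EXACT:
        return EXACT[str(p)]
    if parent == STARTUP and TFTP_MARKER.fullmatch(name):
        return "TFTPxxx marker in Startup"
    if parent == PSS and TFTP_PSS.fullmatch(name):
        return "TFTPxxx marker (pss copy)"
    if TFTP_PREFETCH.fullmatch(name):
        return "TFTP.EXE prefetch entry"
    if name in AUTOROOT_NAMES:
        return "Autoroot file name (name match only, confirm with AV scan)"
    return None

def triage(listing):
    # One path per line; returns (path, label) for every line that matches.
    paths = [ln.strip() for ln in listing.splitlines() if ln.strip()]
    return [(p, classify(p)) for p in paths if classify(p)]

# Constructed sample listing (not taken from a real machine).
SAMPLE = r"""
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TFTP3284
C:\WINDOWS\pss\TFTP1572Common Startup
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\WINDOWS\Prefetch\TFTP.EXE-2FB50BCA.pf
C:\WINDOWS\system32\tftp.exe
"""

for path, label in triage(SAMPLE): print(label, "|", path)
```

The last sample line is not reported: only the numbered `TFTPxxx` markers and the names the notice lists are matched, and a `TFTPxxx` file outside the Startup or `pss` folders is ignored as well.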