Rhiandra is in Desperate Need of PC Help!
- Rhiandra Rangnar
- Donkey Fucker
- Posts: 841
- Joined: Fri Feb 28, 2003 7:51 am
- Location: Over here, silly!
- Contact:
Ok, so I've been getting a system shutdown message after about 5 minutes online, every time. It gives 60 seconds then it reboots me.
Upon reboot I am getting a Windows cannot open this file message. The file not being found is read to be: File: TFTP3284
Well, I was able to find this at a site called FILExt.com
TFTPxxx File Info - PLEASE READ! New Info as of 8/7/2003
DaBoss
Site Admin
Joined: 11 Mar 2003
Posts: 478
Location: Santa Maria, CA
Posted: Tue Aug 05, 2003 9:29 am Post subject: TFTPxxx File Info - PLEASE READ! New Info as of 8/7/2003
--------------------------------------------------------------------------------
Many people are getting an error about a file of the format TFTPxxx (xxx being a number) showing up during their computer restart process.
These files appear to be either temporary or marker files left behind by a Trojan running the TFTPD.EXE Windows application (this is a valid Windows file being used by the Trojan; likely to attempt file sharing between systems). This is an exploit of a new Windows vulnerability. The following Windows vulnerability...
http://support.microsoft.com/?kbid=823980
...has been announced and various Anti-virus makers report an increasing amount of traffic attempting to probe that vulnerability in Windows.
These attacks will only increase over time unless people IMMEDIATELY download and install the Windows patch described above. You can further help yourself by installing a firewall of some sort between you and the Internet. There are a number of free software firewalls that work just fine. Two, in particular, are often mentioned...
Sygate Personal Firewall - http://www.sygate.com/
Zone Alarm by ZoneLabs - http://www.zonelabs.com/
FILExt takes no position on which one of these (or others) you should use. It's your choice but you should make the choice and use something. If you have a continuous connection to the Internet instead of dial-up you should strongly consider getting a hardware firewall.
The TFTPxxx files appear to be in the Startup Group in Windows. You should be able to see them in the directory...
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TFTPxxxx
...or by choosing Start | Program Files | Startup
Delete these files (they may be read only and, if so, you may have to right click the file, select Properties, and uncheck the ReadOnly attribute).
That should solve the immediate TFTPxxx file showing up at system start problem.
Now comes the worse part...getting rid of whatever caused the problem. For this you really should have updated anti-virus software. By scanning your system it should find and handle the appropriate files for you. Again, FILExt makes no specific recommendation if you don't have any. A list of the major anti-virus software vendors can be found here...
http://www.cknow.com/vtutor/vtavsoftware.htm
So far, two different things have been identified as coming through the RPC vulnerability: Trojan/Autoroot and W32.Spybot.Worm. (Note: It's possible these are the same thing as different companies call the same malware by different names at times. It takes a while for the various companies to update their listings with all the different names.)
In addition to the TFTPxxx files, the following file names have also been implicated in this incident and related to Spybot.Worm:
C:\WINDOWS\system32\ijexwcessr.exe
C:\WINDOWS\pss\webdav.exeCommon Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\webdav.exe
C:\WINDOWS\pss\TFTPxxxCommon Startup
C:\WINDOWS\pss\TFTPxxxCommon Startup
C:\WINDOWS\System32\MSCONFIG32.EXE
(In all cases the "xxx" is some number.)
In the Trojan/Autoroot case the following file names appear:
RPC.EXE, RPCTEST.EXE, TFTPD.EXE, WORM.EXE, LOLX.EXE and DCOMX.EXE (WORM.EXE and is an SFXArchive that contains the three files RPC.EXE, RPCTEST.EXE and TFTPD.EXE.)
Finally, some folks have found a program named like TFTP.EXE-2FB50BCA.pf (the number may vary). This program also seems related to this incident and should probably be copied off to disk (so you can recover it if it turns out to be a red herring and not related to this incident).
So, in short, be certain to get that patch whatever you do. The more patched systems, the less the new exploits will spread to others. Then, be certain to scan your system with updated anti-virus software and keep it up to date on a daily basis as the AV companies are fighting this thing as I write this.
This will probably be the last update as performing the tasks highlighted above should stop the attacks and clean your system(s) regardless of any new details that might come out.
Good luck.
_________________
Tom
DaBoss @ FILExt.com
To get the most out of your computer and avoid common problems
FILExt recommends installing these great utilities:
SpeedUpMyPC - Increase System Speed and Performance Today
WinBackup - Secure Your Files Against Virus Attacks & Computer Crashes!
WinTasks 4 Pro - Make Windows run faster and more smoothly in minutes!
__________________________________________
My problem is do I trust this site or is this linked to the problem I have and thus creating a bigger problem for me.
All I know is atm I'm screwed and can do nothing until I figure out what's up.
Please help me.
Rhiandra Rangnar
EQ ----> DAoC ----> WoW ----> boredom
[fade]Over 1 million mezzed and counting .........[/fade]
My candle burns at both ends;
It will not last the night;
But ah, my foes, and oh, my friends -
It gives a lovely light!
http://securityresponse.symantec.com/av ... .worm.html
From Symantec... I think that is related to what you have... When you remove it (or before) I would definitely do the windows update thing so it doesn't come back..
There are major exploits going left and right with Windows (and I think I've heard the Department of Home Defense has suggested that Microsoft needs to get to fixing these vulnerabilities)
Just don't install the three programs FILExt recommends =)
Virus
Rhi, you have a worm in your system; the files you described belong to that worm. I had it and my Norton AV cleaned it.
Winke
Ok:
Then you need to be aware that at this point, you probably have a virus.
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
This virus is currently propagating *automatically* as a worm. This worm not only can give someone control over your computer (backdoor), but it will also cause your computer to launch a denial of service attack against Microsoft on the 16th of August.
Please be aware that if your computer rebooted due to the RPC vulnerability, you may have suffered more than just a bit of "lost work" due to the reboot -- you may also be infected with the Blaster.Worm.
------------------------------------------------------------------------------------
It looks like removal isn't very difficult, after you've installed the Microsoft Patch -- seems that pretty much all you need to do is go into the registry, navigate to HKEY_Local_Machine/Software/Microsoft/Windows/CurrentVersion/RUN and disable the "MBLAST.EXE" line..
McAfee has also updated their "Stinger" software to automatically(?) remove this trojan/worm/virus:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547
*Do not re-format...* it's fixed easy.
Casper, Svenegal, Tassadar, Maurs, Maurier, Perigrine, Du Maurier ( I go by these names).
My shit tastes like corn.
I had exactly the same thing happen yesterday, I would start up, and 5 min later get a message that I'm being shut down, with a 1 min timer.
I'm just finishing up reinstalling Windows now
I couldn't stay on long enough to search for a cure, so I just got out my CDs and started from scratch. Guess it serves me right, I have never used any kind of anti-virus program before. 5 years and no problems, this is a first for me.
http://vnboards.ign.com/message.asp?top ... &replies=9
http://vnboards.ign.com/message.asp?top ... &replies=7
http://vnboards.ign.com/message.asp?top ... &replies=0
This worm is spreading very fast it seems
I have done some research.
Firstly, this worm is spread through a vulnerability in Windows, so you don't have to download it, or get it in an email; it is deposited on your computer.
I've read that it doesn't shut down unless you are connected to the internet (so disconnecting can keep your system up and running), and should your computer start shutting down, you can go to your start menu, click run, and type
shutdown -a
and it should abort the shutdown.
Microsoft has patches that will fix the vulnerability:
Windows 2000
Windows XP
The Symantec FixBlast tool can be downloaded here.
It is important you disable System Restore before running the removal tool or your problem could return. [ Instructions for XP ]
*edit Symantec's site isn't working well for System Restore. I'll link Microsoft's overly worded confusing article here.
Click for more information about the removal tool
Another thing you can do is search for MSBLAST.EXE and remove it. I would do it after running the removal tool.
I hope this is helpful... (moving to general discussion since non BWC may encounter this problem)
Last edited by barbos on Sat Oct 04, 2003 8:24 pm, edited 1 time in total.
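The checks described in the posts above (TFTPxxx files in the Startup group, the listed file names, and the Run key entry) can be applied offline to a file listing and a Run-key export collected from a suspect machine. This is an added example, not code from any poster or vendor; the sample listing, the `SampleValue` entry and the function names are constructed, the `.pf` name is treated as a Windows Prefetch entry, and a name match is only a lead for an anti-virus scan.

```python
import re
from pathlib import PureWindowsPath

# File names as listed in the thread, compared case-insensitively.
NAMED = {
    "spybot": {"ijexwcessr.exe", "webdav.exe", "msconfig32.exe"},
    "autoroot": {"rpc.exe", "rpctest.exe", "tftpd.exe", "worm.exe",
                 "lolx.exe", "dcomx.exe"},
    "blaster": {"msblast.exe", "mblast.exe"},  # both spellings used in the thread
}
TFTP_MARKER = re.compile(r"tftp\d+$")                 # "TFTPxxx", xxx is a number
PREFETCH = re.compile(r"(.+\.exe)-[0-9a-f]{8}\.pf$")  # e.g. TFTP.EXE-2FB50BCA.pf
PSS_SUFFIX = "common startup"  # trailing text on the \pss names in the post


def classify_name(path):
    """Return a label for one Windows path, or None if nothing matches."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    folder = p.parent.name.lower()
    if folder == "pss" and name.endswith(PSS_SUFFIX):
        name = name[: -len(PSS_SUFFIX)]
    if TFTP_MARKER.fullmatch(name) and folder in ("startup", "pss"):
        return "tftp-marker"
    m = PREFETCH.fullmatch(name)
    if m and m.group(1) == "tftp.exe":
        return "tftp-prefetch"  # trace that tftp.exe ran, not a program itself
    for family, names in NAMED.items():
        if name in names:
            return family
    return None


def triage(files, run_values):
    """files: paths; run_values: {value name: command line} from the Run key."""
    findings = [(classify_name(f), f) for f in files]
    for value, command in run_values.items():
        # The first token of the command line is the program; quotes are optional.
        m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
        exe = m.group(1) or m.group(2) if m else ""
        findings.append((classify_name(exe), "Run\\" + value))
    return sorted(f for f in findings if f[0])


# Constructed sample listing, not data from any real machine.
SAMPLE_FILES = [
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TFTP3284",
    r"C:\WINDOWS\pss\TFTP512Common Startup",
    r"C:\WINDOWS\system32\tftp.exe",          # the stock client: not flagged
    r"C:\WINDOWS\Prefetch\TFTP.EXE-2FB50BCA.pf",
    r"C:\WINDOWS\System32\MSCONFIG32.EXE",
    r"C:\Program Files\Editor\notes.exe",
]
SAMPLE_RUN = {
    "SampleValue": "msblast.exe",
    "Editor": r'"C:\Program Files\Editor\notes.exe" /tray',
}

if __name__ == "__main__":
    for label, item in triage(SAMPLE_FILES, SAMPLE_RUN):
        print(f"{label:14} {item}")
```

Matching is on the file name only, so a hit in an unexpected folder still needs to be confirmed by a scan before anything is deleted.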
http://windowsupdate.microsoft.com
Rhia go there hun and just download all the critical updates and service packs
Any problems PM me on vn or ingame after 6:30 PM Est after work
- Rhiandra Rangnar
- Donkey Fucker
- Posts: 841
- Joined: Fri Feb 28, 2003 7:51 am
- Location: Over here, silly!
- Contact:
Attempting to solve problems now, I pray I can stay connected long enough to do so.
Thank you all for your input and help.
wish me luck
Rhiandra Rangnar
EQ ----> DAoC ----> WoW ----> boredom
[fade]Over 1 million mezzed and counting .........[/fade]
My candle burns at both ends;
It will not last the night;
But ah, my foes, and oh, my friends -
It gives a lovely light!