RPC termination, TFTP files added in startup, please help!

Lauren

Hello,

About 20 or 30 minutes into every time I log into the
Internet (through a 56k modem) I get a message box that
says RPC has unexpectedly terminated... computer will shut
down in one minute. Consequently, it shuts down... and
every time it restarts it adds one more error message. These
have thus far read TFTP2800 unknown file type, TFTP260
unknown file type can not open... and one more that occurred
on that last shutdown. These files were somehow placed in
the startup menu and appear to be 0 KB. Every time the
computer shuts down from this error, one more TFTP file
appears out of nowhere in the startup folder.
I thought this might have something to do with the new
Microsoft security patch for RPC termination so I
downloaded it and it hasn't helped... but I downloaded it
after this trouble began so I might have already been
messed up.
Any any anyyyy help at all would be marvelous. Thank
you!!

Lauren
 
jason

I also have the same problem... but the unknown file for
me was TFTP200... if u find anything out please let me
know thxs...
 
Rob

I've also had this problem, starting from earlier this
week. There must be a hole somewhere in the NT networking
software. My file was something like TFTP1992, which I
found in the Startup folder and deleted. Part of the file,
I found out, is in Japanese or Chinese, some sort of
Eastern characters. From what I've been reading, the RPC
call is being used in the same vein as Denial of
Service attacks. I'm not sure how this is related or how
this is happening though.

Any other ideas?

-Rob
 
Chris

Rob, did deleting it take care of the problem?

-----Original Message-----
I've also had this problem, starting from earlier this
week. There must be a hole somewhere in the NT networking
software. My file was something like TFTP1992, which I
found in the Startup folder and deleted. Part of the file,
I found out, is in Japanese or Chinese, some sort of
Eastern characters. From what I've been reading, the RPC
call is being used in the same vein as Denial of
Service attacks. I'm not sure how this is related or how
this is happening though.

Any other ideas?

-Rob
 
Rob

Nope, I've just had two tonight.

I'm reading and it seems to be linked to the IP messenger
service, that constantly sends you spam, if you've ever
had that problem. What's happening, from what I understand,
is that even with the messenger service off, that part of
your computer is still open. So anyone can try to poke
around or mess with you. I don't know the extent yet, but
I'm trying.

-Rob
 
Kent W. England [MVP]

If these are coming through the Messenger service, that would make this
one of the first attacks via the MS03-026 RPC vulnerability that
Microsoft announced when it issued the critical update for NT systems on
16 July.

You need to get this critical update and install a firewall to plug
ports 135, 139, and 445 which are all vulnerable to access via RPC and
are vulnerable to a buffer overflow attack.
 
Owen Nelson

A friend of mine just started to get a very similar problem. It seems
he has a virus (Norton called it w32.spybot.<something else I can't
remember>). Sounds like you have a variant of this. In his case, it
infected his IEXPLORE.EXE in the system32 dir. I'd be interested to
know what file yours is in, that is - if I'm right about all this.
 
Owen Nelson

To add another note, the above mentioned system has MSBLAST.EXE on it.
I don't know much about this, but someone told me that it's causing a
big stink right now. In any case, either of these could be the reason
he's suffering these symptoms (which stopped after I enabled his
msInternetConnectionFirewall). Enabling the firewall wizard bought me
some more time so I could take a good look at the system (seems the
RPC exploit can't be used when particular ports are blocked).
 
Jupiter Jones [MVP]

Owen;
You most likely have a worm W32.Blaster.Worm
DISCONNECT the subject computer from any network IMMEDIATELY.

Install or enable a firewall IMMEDIATELY:
http://support.microsoft.com/?kbid=283673

VERY IMPORTANT to follow ALL steps, closing ports or installing the
patch is NOT enough.
Download the patch and regedit referenced in the article below.
You may need to do this at an uninfected computer and burn to CD or
save on floppies.
Each file is small enough to fit on a floppy.

Follow this to clean and protect your computer:
http://www.kellys-korner-xp.com/xp_qr.htm#rpc

After this is resolved prevent similar occurrences by installing ALL
Critical Updates from Windows Update.
Keep antivirus up to date and run at least weekly.
Install or enable a firewall.
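
An added example, not part of any post in this thread: a short Python triage script for the symptoms and advice discussed above. It lists TFTP<digits> files in a Startup folder, looks for MSBLAST.EXE under a directory, and reports which of ports 135, 139 and 445 still accept connections. The function names and the directory arguments are assumptions chosen for illustration.

```python
import re
import socket
import sys
from pathlib import Path

# Ports the thread says to block for the MS03-026 RPC vulnerability.
RPC_PORTS = (135, 139, 445)
# Stray Startup entries reported in the thread: TFTP2800, TFTP260, TFTP1992 ...
TFTP_NAME = re.compile(r"^TFTP\d+$", re.IGNORECASE)


def find_tftp_artifacts(startup_dir):
    """Return (name, size) for every TFTP<digits> file in startup_dir."""
    return [(p.name, p.stat().st_size)
            for p in sorted(Path(startup_dir).iterdir())
            if p.is_file() and TFTP_NAME.match(p.name)]


def find_msblast(search_dir):
    """Return paths under search_dir named msblast.exe, ignoring case."""
    return sorted(str(p) for p in Path(search_dir).rglob("*")
                  if p.is_file() and p.name.lower() == "msblast.exe")


def reachable_ports(host, ports=RPC_PORTS, timeout=1.0):
    """Return the ports on host that still accept a TCP connection."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.append(port)
    return found


def triage(startup_dir, search_dir, host="127.0.0.1"):
    """Collect the three checks into one report dictionary."""
    return {
        "tftp_files": find_tftp_artifacts(startup_dir),
        "msblast": find_msblast(search_dir),
        "open_rpc_ports": reachable_ports(host),
    }


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: triage.py STARTUP_DIR SEARCH_DIR [HOST]")
    for check, result in triage(*sys.argv[1:4]).items():
        print(f"{check}: {result or 'nothing found'}")
```

To confirm that a firewall is actually blocking the ports, run the port check from a second machine with the affected computer's address as HOST; a check against 127.0.0.1 only shows whether the services are listening.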
 
