Trudy Sunday said:
While being on line for 15-20 min or so, i get a red and
grey box in the middle of my screen stating due to
windowxp error, comp will shut down and restart. I
believe the code it reads is psc or spc not quite sure
which one, but am tired of of it shutting down on me. Am
a student right now, and need the access to internet for
major midterm papers and essays. could someone please let
me know what i should do.
Try this, it might apply to you:
I've seen a number of people ask this question today, so I hope this is
helpful to someone:
FYI, the presence of the files Dcomx.exe or the other files mentioned below
along with a "Remote Procedure Call" or TFTP popup message on your system
and/or system lockups or reboots are signs you may have been hacked by a
tool such as Autorooter. [TFTP.EXE is a normal file that comes with many
versions of Windows, but it should usually not be running on most systems.]
To fix this, you need a firewall [even a free one such as
www.sygate.com or
www.kerio.com], to install all the latest Microsoft service packs and
patches from
www.windowsupdate.com, check your firewall logs to see who has
hacked you, and install and run an antivirus with the latest updates that
detects this thing [
www.grisoft.com is free antivirus], or submit sample
files to your antivirus vendor if it does not detect this thing. I do
believe there may be new variants of Autorooter that possibly have not yet
been fully discovered. Unlike an automated event like a worm, this event
may indicate that someone personally ran a tool against you and may have
done things to your computer.
There are a number of posts mentioning a quick "registry fix" to close "port
135." This does very little to secure your computer, as it only closes one
of the 130,000 ports on your computer. Get a firewall first, even a free
one.
Also, note that the presence of new files such as TFTPxxxx or DCOMX.EXE etc.
means that just installing the latest Microsoft patches, editing the
registry, etc. may no longer be sufficient. Installing the Microsoft patch,
editing the registry, closing ports, disabling services, etc. do absolutely
nothing to block the back door that has probably now been installed, so that
your computer can still be compromised using other ports.
You can find out if you are infected with Autorooter or something new that
hasn't been discovered by going to one of the scanner sites below. If
nothing is detected, that's pretty interesting, let us and your antivirus
company know:
http://housecall.antivirus.com [my preference] OR
http://security2.norton.com
Once your computer has been hacked, these are some things I might recommend
doing are here:
http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden
This Trojan has been given several different names by various anti-virus
companies:
RPC Worm (F-Secure)
Downloader-DM (McAfee)
Autorooter (Panda)
Worm.Win32.Autorooter (AVP)
Backdoor.IRC.Cirebot (Symantec)
References:
http://www.europe.f-secure.com/v-descs/rpc.shtml
http://vil.nai.com/vil/content/v_100524.htm
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cirebot
..html
http://news.com.com/2100-1009-5059263.html
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
http://www.microsoft.com/security/security_bulletins/MS03-026.asp
http://support.microsoft.com/?kbid=823980
Here are some signs of infection, though these do not necessarily match all
the variants that might be out there:
"Signs of infection:
- the existence of one or more of the following files:
rpc.exe
rpctest.exe
tftpd.exe
dcomx.exe
lolx.exe
worm.exe
Signs that a network is being attacked:
- traffic on port 445 to sequential IP addresses.
Signs that an attack has succeeded (allowing a remote shell and downloading
of the backdoor):
- port 57005 open;
- an ftp [tftp] connection on port 69."
I hope this helps. Let us know if you find anything interesting. Thanks to
Susan Bradley for pointing this information out.
