SoftwareTipsandTricks Forum

RPC problems and TFTPxxxx - only post solid info - no questions please.

  #1  
Old 08-06-2003, 11:43 AM
njovin Offline
Senior Member
 
Join Date: Feb 2003
Posts: 358
RPC problems and TFTPxxxx - only post solid info - no questions please.

I have noticed a surge in problems with people's RPC service crashing and this TFTPxxx file showing up in the start menu.

I am starting this thread to help determine the exact cause of the problem and how to fix it. Please do not post questions or ask for help. If you have good info on the cause of this problem or a fix, please DO post.

Since this behavior began on my machine I installed all security patches from MS, and have not had the problem since, but I will keep you all posted.

  #2  
Old 08-06-2003, 11:47 AM
njovin Offline
Senior Member
 
Join Date: Feb 2003
Posts: 358
UPDATE

Found some good info on Norton's website. Looks like this is going to be a big problem until everyone gets their systems patched. To go to the Norton page follow this link:

http://securityresponse.symantec.com...tent/8205.html

There is some good info on the exploit, and links to the patches for EVERY AFFECTED OS can be found at the very bottom of the page. Be sure you download the one that matches your OS.

  #3  
Old 08-06-2003, 12:16 PM
ESALADUANE Offline
Senior Member
 
Join Date: Nov 2002
Location: Minneapolis, Minnesota, USA
Posts: 2,003
I agree. A lot of people seem to be ignoring this patch and getting burned. Microsoft has had this patch at its Windows Update site since the middle of July and this forum has had it posted since August 1st (MS03-026 also called 823980).

http://www.windowsxpforums.com/

  #4  
Old 08-06-2003, 08:51 PM
Playboy™ Offline
Member
 
Join Date: Aug 2003
Posts: 32
Step # 1 TURN OFF YOUR RPC SHUTDOWN

In your Control Panel, go to Administrative Tools, then to Component Services. Then under the folder on the left you will see something that says Services (Local).

Then on the right-hand side scroll down to "Remote Procedure Call", highlight it, right-click and go to Properties; then you can choose what happens when your RPC has a problem. It is automatically set to reboot in 60 seconds, but you can set it to not restart or other options.


STEP # 2 PATCH THE RPC EXPLOIT

http://www.microsoft.com/technet/tre...n/MS03-026.asp

STEP # 3 SCAN AND CLEAN YOUR COMPUTER FOR VIRII/TROJANS

http://housecall.trendmicro.com/hous...start_corp.asp

Do this every day for the next week, even if you already have antivirus software installed.


As these trojans get more well known they will be caught by your regular virus software, but as of now all the big anti-virus software companies don't have the ability to detect/clean this problem.

BTW I had/have this virus and am very good at spotting these sorts of problems, so if there is any info you need to know.

I had all 4 problems to begin with, in order:

#1 I started getting the RPC error previously mentioned and the computer would restart by itself.

#2 After the 3rd restart I noticed I got an error trying to load a temp file for tftp as the computer booted up (on desktop).

#3 Then I noticed the WEBDAV.exe in my startup on programs.

#4 I pressed Ctrl-Alt-Delete to find out what was running and my Task Manager would pop up and disappear right away.


Solutions in order:

First I renamed the Task Manager to a different name and loaded it, but didn't notice any suspicious programs or processes.

Then I modified my RPC setting so I wouldn't get shut off when the RPC had the problem.

Then I removed webdav.exe.

Then I patched with the Microsoft patch.

Then I changed all my passwords / cancelled all my credit cards.

Last edited by Playboy™ : 08-06-2003 at 09:22 PM.

  #5  
Old 08-06-2003, 09:35 PM
scout177 Offline
Junior Member
 
Join Date: Aug 2003
Posts: 6
webdav

Hi;

I've had all these problems but I do not have webdav.exe anywhere. Also, my email connections are being rejected by way of Netscape and Outlook, but a web-based connection for the same account works fine. Norton's says there is an "error" with an email protective measure, but closes down before I can re-activate it. Meanwhile, I was having problems installing the MS patch. I finally disconnected from the web, renamed Task Manager, used that to shut down all background problems and was able to install the patch, but I am still having the tftp files pop up on reboot, and Norton's still closes after 5 seconds, and Task Manager still does not run on its own.

Fun stuff. Any ideas?

  #6  
Old 08-06-2003, 09:39 PM
scout177 Offline
Junior Member
 
Join Date: Aug 2003
Posts: 6
Update

Okay, found webdav, deleted it, but now the MS patch is still closing down before I can install it.

  #7  
Old 08-06-2003, 11:18 PM
ESALADUANE Offline
Senior Member
 
Join Date: Nov 2002
Location: Minneapolis, Minnesota, USA
Posts: 2,003
If your download was successful but it did not install, try this.

Go to C:\WINDOWS\SYSTEM32\Catroot2 and delete or move or rename the "Catroot2" folder (Windows will automatically recreate a new Catroot2 folder).

Once you've removed the corrupted Catroot2 folder, return to Windows Update and try the download again. This has worked successfully for many people (including me) and I'm unaware of any problems with deleting Catroot2 (as I said, you'll get a brand new one).

http://support.microsoft.com/default...b;en-us;822798

Last edited by ESALADUANE : 08-06-2003 at 11:22 PM.

  #8  
Old 08-06-2003, 11:38 PM
scout177 Offline
Junior Member
 
Join Date: Aug 2003
Posts: 6
Okay; Thanks for helping out.

Here's what happened: it installed, and the RPC issue is resolved. However, the shutting down of Task Manager, Norton's, and my inability to check email are persisting. All of this would be bearable except I'd like to check my email.

Also, sorry for taking this answer thread and asking a question; I had meant to put my original comments in the other thread.

Thanks again.

  #9  
Old 08-06-2003, 11:45 PM
Playboy™ Offline
Member
 
Join Date: Aug 2003
Posts: 32
Another few things you might want to check out.

Upon closer examination of my system I noticed a few other abnormalities in the same area where I previously documented how to turn off the automatic shutdown when your RPC has a problem.

In your Control Panel, go to Administrative Tools, then to Component Services. Then under the folder on the left you will see something that says Services (Local). Click that.

OK, now on the right there is a large list of services.
Previously I showed you how to change the settings regarding the automatic shutdown of the RPC (Remote Procedure Call). I'm not sure if you should fully disable this service, but it won't hurt to change it so it doesn't shut down your computer every time (by right-clicking on Remote Procedure Call on the list, not the Remote Procedure Call Locator!).

When you right-click on any of the items on the list you can go to Properties and check what the dependencies of each service are. I wouldn't go willy-nilly shutting down everything you're not familiar with, but there are a few things that I can't see any reason for having turned on, and I have disabled via the Properties.

REMOTE REGISTRY
ROUTING AND REMOTE ACCESS
UPLOAD MANAGER
WEBCLIENT

Also, I'm not sure if it's related, but under WEBCLIENT one of the dependencies listed was WEBDAV, so it may be another thing to check into.


From the looks of it this virus seems to have come from Kazaa and worked its way out, not the other way around like I had originally suspected. All people that have had this problem so far that I have seen have had Kazaa (Lite) or some other file sharing device.

I rarely use Kazaa and I don't ever download software, just occasional porn, and I'm always very careful, but as an avid computer user I'm smart enough to know better than to be surprised.

I'll keep everyone notified if I find any more evil files on the box related to this.

  #10  
Old 08-07-2003, 12:08 AM
scout177 Offline
Junior Member
 
Join Date: Aug 2003
Posts: 6
Hmmm, didn't seem to change anything for me. But thanks.

  #11  
Old 08-07-2003, 04:52 PM
crazy Offline
Junior Member
 
Join Date: Aug 2003
Posts: 18
same thing

I've been having the same troubles as you guys, but it has been TFTP3500 ... though I no longer get this... Please check out the W32.Spybot.Worm thread that I have posted in; I believe this is all related... I am following the patch instructions to see if it helps with this worm problem. Also, if anyone can explain: when I connect to AOL it says I have a problem with my connection but I stay on and I can go about everything normally... can anyone explain?
__________________
hack/spam the planet
http://www.powerelite.biz

There are 10 types of people in this world, those who understand binary, and those who don't.

  #12  
Old 08-07-2003, 10:00 PM
njovin Offline
Senior Member
 
Join Date: Feb 2003
Posts: 358
I have had all of these symptoms and resolved them all by following the process I outline in this thread.

  #13  
Old 08-07-2003, 10:32 PM
ESALADUANE Offline
Senior Member
 
Join Date: Nov 2002
Location: Minneapolis, Minnesota, USA
Posts: 2,003
Here are some other people following the same issue. They seem to believe that it's W32/Spybot.

http://www.broadbandreports.com/foru...ty,1~mode=flat

  #14  
Old 08-07-2003, 10:39 PM
ESALADUANE Offline
Senior Member
 
Join Date: Nov 2002
Location: Minneapolis, Minnesota, USA
Posts: 2,003
With different threads going, I'm not sure if someone posted this already or not.

http://www.lurhq.com/webdav.html

  #15  
Old 08-07-2003, 11:51 PM
Playboy™ Offline
Member
 
Join Date: Aug 2003
Posts: 32
Your solution only applies to a variant of the problem.

If you read my thread labeled solution, you will have half the battle beat.

The other symptoms are all variants. I didn't have tftpxxx in my startup, nor did I need to boot in safe mode, so my problem is slightly different than yours. I think I have seen at least 3 different scenarios here so far.

These variants will be quickly picked up by "MOST" virus scanners. Please do not count on Norton's to protect you (or any other software you already have). I highly urge you to do an online scan using the previously mentioned link, and do it for the next week, because most of these aren't being picked up by the scanners yet, and as much as we have explained what to delete, I'm sure there are many other things that are still hidden.

First and foremost, get the RPC fault patched.

Secondly, look for anything in your startup folder or in the Task Manager programs or processes that you're not familiar with, and copy down the name. Then go to Yahoo and type the name in and search. If it's something that should be there you will see info about it; if it's a shady file, you will also see that.

3rd, as I mentioned, do a frequent virus scan.

Things that may be on your system that you don't need or are virii:

webdav.exe
tftpxxxx.exe
msconfig45.exe
tftp.exe ( this comes with windows but is not needed )


P.S. Don't go ahead of yourself; please only remove or disable things you are positive are not needed or are virii.

If you're not sure, ask.
Reply With Quote
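The startup and process check described in the post above, sketched as an added example that is not part of any poster's message. The file names come from the thread; the sample paths, the function names and the reading of "xxxx" as digits (based on the TFTP3500 report) are assumptions.

```python
import ntpath
import re

# Names taken from the thread's posts; everything else here is constructed.
REPORTED = {"webdav.exe", "msconfig45.exe"}
# Assumption: the "xxxx" in TFTPxxxx is a run of digits, as in the TFTP3500 report.
TFTP_TEMP = re.compile(r"^tftp\d+(\.exe)?$")


def classify(path):
    """Return (label, reason) for one startup or process entry."""
    # ntpath parses Windows paths on any OS; names compare case-insensitively.
    name = ntpath.basename(path.strip().strip('"')).lower()
    if name in REPORTED:
        return "reported", "named in the thread as unwanted"
    if TFTP_TEMP.match(name):
        return "reported", "matches the TFTPxxxx pattern from the thread"
    if name == "tftp.exe":
        return "review", "ships with Windows; the thread calls it unneeded"
    return "unlisted", "not named in the thread; look it up before touching it"


def triage(entries):
    """entries: iterable of (source, path). Returns findings, reported first."""
    order = {"reported": 0, "review": 1, "unlisted": 2}
    findings = [(src, path) + classify(path) for src, path in entries]
    return sorted(findings, key=lambda f: order[f[2]])


# Constructed sample: what a Startup folder and process list might contain.
SAMPLE = [
    ("startup", r"C:\Documents and Settings\user\Start Menu\Programs\Startup\TFTP3500"),
    ("process", r"C:\WINDOWS\system32\svchost.exe"),
    ("startup", r'"C:\WINDOWS\system32\WEBDAV.exe"'),
    ("process", r"C:\WINDOWS\system32\tftp.exe"),
    ("process", r"C:\WINDOWS\msconfig45.exe"),
]

if __name__ == "__main__":
    for src, path, label, reason in triage(SAMPLE):
        print(f"{label:9} {src:8} {path}  ({reason})")
```

Entries labelled "unlisted" are not cleared by this check; they are simply outside the list of names the thread gives.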
All times are GMT -5.