Can't pull the plug


Colin M. McGroarty

Check to make sure that TFTP is not present in the System32 directory.

URLs may wrap

Easy, but annoying fix. When your computer starts go to the services applet
found in administrative tools. Select properties for the RPC or Remote
Procedure Call service. Change the Recovery from "Restart Computer" to
"Restart Service." Now your PC will stay up long enough to fix.

Next download the Microsoft Patch found at:

http://www.microsoft.com/downloads/search.aspx?displaylang=en

The patch is currently in the top download choices for both Win 2K and Win
XP. Choose accordingly and download.

Once the patch is installed make sure to do a full virus scan with current
virus definitions.
See Symantec's web page

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Once the worm has been eliminated I recommend running Windows Update to get
all the current critical updates.
Lastly, change the RPC service back to "Restart Computer" as the recovery
method.

Hope this helps,


--
Colin M. McGroarty
MCP+I, MCSE, NT-CIP

(e-mail address removed)
www.McGroarty.org
 
Trickster,

Go ahead and leave the RPC recovery at "Take no action"; that is the default
for Win 2K. The "Restart Computer" is the default for XP workstation. If
you've been hacked you may have another issue in addition to the blast worm.
Also, what AV software do you have?

Did you find any TFTP files in your System32 directory or did you find the
registry entry referred to on the Symantec site?

--
Colin M. McGroarty
MCP+I, MCSE, NT-CIP

(e-mail address removed)
www.McGroarty.org
 
Hello everyone. I got infected a few days ago with a trojan that used the RPC
vulnerability in Windows 2000. I did a full scan and apparently removed it,
but I have a serious problem: my RPC service still crashes, and (related?) I
can't disconnect from the Internet by clicking on the tray icon. I've tried
reinstalling the Windows service pack, but that didn't help. I'd like to
avoid a reinstall. Any remains from the virus that I don't know about?
 
I found the regblast.exe registry entry and deleted it along with the file
itself. The scan (Norton SV 2001 with the latest defs) came out empty handed
(no infected files), and according to Symantec everything should be fine but
it isn't. The RPC service still crashes and I found two files: one called
0018tftp which was 0 bytes and one called tftp.exe which is apparently a
Microsoft file. It says:

Trivial File Transfer Protocol App
Copyright (C) Microsoft Corp. 1981-1999
File version 5.0.2134.1
Product name Microsoft(R) Windows (R) 2000 Operating System.

I deleted them both but the tftp.exe came back. If it really is a MS file
then it's probably the Win2k file protection that brings it back.

I'll run the removal tool from Symantec and patch and hope for the best.
 