
XP problem WTF?

Posted: Thu Aug 07, 2003 8:57 pm
by Koo Koo Mouse
It all began when my old P3 450 box woke me up the other night.. It had rebooted itself. Hmm. Noticed a window with some sort of error.. I went back to sleep and so did it.

This machine is hardly used but does contain all digi photos, music, and things I'd care not to lose right now. (haven't backed up files recently either, nor a save point)

So I'm checking out the warning window today upon boot and see it says "Windows cannot open this file TFTP1984." The next is TFTP684. Strange.
So I run "msconfig". Nope.. The window appears and is gone! Not minimized but gone! Second try, just a flash. Weird.
Ad-Aware comes up with the normal stuff. Cleaned, rebooted, no change.. shoot

Virus?
Ran the free Trend Micro online scanner and it did find something called JAVA BYTVERIFY.A that it said was uncleanable.. Great. After reading up I found out I had to turn OFF XP restore points so it could clean it.. It worked, but now my restore points are gone..
That low-level virus might have been there for a long time for all I know. (And yes I am a fool for not protecting.. Yell at me later. :(

So turns out it's not the virus. And Ad-Aware has done its thing..

What I have done past THAT is:

"Run" msconfig and tried to get the mouse over to "startup" within 1 second and hit Print Screen so I can read it. Lo and behold I got it after a lot of tries.. Sure enough there they sit.. TFTP1984 and box 684 checked on in all their stinking glory and I can't uncheck them..

Just found out "run regedit" does the same.. Blip, gone.

Where did this beast come from?

How can I edit startup without getting deep? I'm thinking I'm hosed here

Posted: Thu Aug 07, 2003 9:39 pm
by dadx2mj
Just a guess or a shot in the dark if you will but maybe if you are lucky you can boot into safe mode and run msconfig without it disappearing on you like that.

Posted: Thu Aug 07, 2003 10:56 pm
by FlyingPenguin
Sure sign of a virus. That type of virus hijacks the EXE file association and prevents certain apps like REGEDIT and MSCONFIG from running.

Easiest way around that is to make a copy of MSCONFIG.EXE and name it MSCONFIG.COM, then run that.

HOWEVER, just deleting the registry startup entry alone won't solve your problem. There will be other registry issues like the EXE file association that need to be fixed.

WARNING: These kinds of viruses are VERY hard to eliminate unless you do it properly! The WORST thing you can do is delete the virus files, because the registry will still be corrupted and it'll probably restore the virus from a hidden location. Once this happens it's VERY hard to remove.

This smells like the Bugbear virus. Bugbear's almost impossible to remove without a removal tool and the removal tool WILL NOT WORK if you clean the viruses prior to running the tool (been there, done that).

There's a removal tool for Bugbear here: http://securityresponse.symantec.com/av ... .tool.html

I would try running that first (follow the instructions IMPLICITLY! - especially the directions on disabling system restore and disconnecting from the internet or LAN).

If that doesn't detect it then you should go here and run this online virus scanner: http://housecall.antivirus.com/

DO NOT CLEAN ANY OF THE VIRUS FILES YOU FIND!!!!! Just make a note of the names of all the viruses it finds then research them on Symantec's (or McAfee's) online virus database.

As I said before, just cleaning the virus files alone won't help, and may be catastrophic. You MUST research the viruses and use the specified removal procedure or tools or you could make things MUCH worse. Trust me, I've been there.

This is going to be so tricky that I would STRONGLY recommend you make a Ghost image of your boot partition first in case you goof the first time around.

Be aware that Bugbear and its ilk are network worms. You may have been infected by another computer on your network. Your computer should be disconnected from the network before working on this problem, and should not be reconnected until you have scanned ALL the other systems on the network to make sure they're clean.

Good luck!
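The post above describes the mechanism (the EXE file association is hijacked, so every .exe launch goes through the malware first, which is why renaming MSCONFIG.EXE to MSCONFIG.COM sidesteps it). Here is an added example, not from this thread or from any of the tools it links, that checks the two registry values involved against their stock Windows settings and reports any deviation. It assumes a standard, unmodified Windows install, where HKCR\.exe points at "exefile" and HKCR\exefile\shell\open\command is "%1" %*; run it from an elevated PowerShell prompt, ideally in Safe Mode as the post recommends.

```powershell
# Added example (not from the thread): inspect the EXE file-association chain.
# Assumption: these are the stock values on an unmodified Windows system.
#   HKCR\.exe                       (Default) = exefile
#   HKCR\exefile\shell\open\command (Default) = "%1" %*
# Anything else in the command value (another program wrapped around "%1") means
# every EXE launch is being routed through that program first.
$expected = @{
    'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
}

function Test-ExeAssociation {
    $problems = @()
    foreach ($key in $expected.Keys) {
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { $problems += "$key is missing"; continue }
        $actual = $item.GetValue('')   # '' selects the (Default) value
        if ($actual -ne $expected[$key]) {
            $problems += "$key (Default) = [$actual], expected [$($expected[$key])]"
        }
    }
    return $problems
}

$found = Test-ExeAssociation
if ($found.Count -eq 0) {
    Write-Host 'EXE file association matches the stock values.'
} else {
    $found | ForEach-Object { Write-Warning $_ }
    Write-Host 'Review the values above. To restore the stock settings (elevated,'
    Write-Host 'preferably from Safe Mode), uncomment the two lines below and re-run.'
    # Set-ItemProperty -LiteralPath 'Registry::HKEY_CLASSES_ROOT\.exe' -Name '(default)' -Value 'exefile'
    # Set-ItemProperty -LiteralPath 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -Name '(default)' -Value '"%1" %*'
}
```

HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes, so a per-user override of the association shows up here too. The restore lines are left commented out on purpose: read the reported value first, because a wrapper program named in that command string is also the file you will want your scanner to look at, and, as the post warns, deleting it without fixing the association is what leaves the machine unable to launch any .exe.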

Posted: Thu Aug 07, 2003 10:59 pm
by Koo Koo Mouse
Thanks DAD.. Got in safe and the window stayed :) Unchecked the crap and OKed out..

Same shit on a normal reboot.. Phooey!! That sucker is in deep..

More info tomorrow. ZZZZ

***EDIT***

Thanks FP!

Posted: Thu Aug 07, 2003 11:08 pm
by FlyingPenguin
Just re-read your message and I see you already did an online virus scan & clean. Not good because I think you've got a nasty worm in there.

You'll have to do this manually.

Boot into safe mode.

Go here http://www.dougknox.com/ click on "Win XP Fixes" then "File Association Fixes". Download the .EXE file association fix and run the reg file.

Now use the trick I mentioned above to make a copy of MSCONFIG named MSCONFIG.COM, then run it and disable ALL your startups.

Reboot back into normal mode, try running MSCONFIG.EXE and see if all your startups are still unchecked. If MSCONFIG runs AND the startups have stayed unchecked, you're probably okay.

Re-enable ONLY the startups you know are valid. Then do a full virus scan (check ALL files not just apps).

Good luck!

Posted: Thu Aug 07, 2003 11:33 pm
by Augix
the problem is in your memory for sure! :)

Posted: Fri Aug 08, 2003 12:49 am
by eGoCeNTRoNiX
Originally posted by Augix:
"the problem is in your memory for sure! :)"

Augix, are you smoking CRACK? Because you've really gone coo coo tonight....

Posted: Fri Aug 08, 2003 2:20 am
by DocSilly
When was the last time you ran Windows Update?
There was a recent security bug in Windows and there's an exploit via IRC out there > http://news.com.com/2100-1009-5059263.html
Just a thought from me since your TFTP*** stuff looks a lil like the "tftpd" used in that exploit.

Posted: Fri Aug 08, 2003 11:10 am
by FlyingPenguin
Me suspects that Augix has a little brother that's been at his computer, because this is like the 4th or 5th wacky post he's made in the space of 30 minutes.

Posted: Fri Aug 08, 2003 7:09 pm
by Koo Koo Mouse
Ok, here's what I've done today.

I did not run the removal tool as it's too late, as mentioned in FP's first post. Wish I would have waited.. :(
Burned off everything that's important to CDs.. No exes, just pic, mp3 and some txt files. Just in case.

Followed FP's advice on manual removal.

Before going into safe mode I downloaded and unzipped the reg fix (xp_regfile.reg). Correct one?

Then booted into safe and executed the reg file. Said successful. Then while still in safe mode I located msconfig.exe (in a strange place.. pchealth/binaries?). Anyway I executed it to be sure that was the one and it was. Maybe I shouldn't have? Then I made a copy of it in a different location (not in the Windows folder), renamed it msconfig.com and executed it. It popped up and I unchecked all boxes.
Now Windows wants a reboot. I OK it and darn, it still comes up with the "Windows cannot open this file TFTP1984" and bla... And nope, no getting into msconfig or regedit.

Did I miss something? Maybe I blew it in the renaming part. Does the new msconfig.com need to be in Windows maybe?? Guess I'll try it all over again without touching the original msconfig.

Thanks! Sure would like to beat this but if I can't, well.. Just might have to convince the wife it's the hard drive and I can give her the one out of my machine IF I can get a bigger one for mine.. Hehe.

Posted: Fri Aug 08, 2003 8:20 pm
by BillyGoat
Koo Koo, you have the latest IRC trojan that exploits a Windows security flaw
I just cleaned this off my server box yesterday, and it's to a tee what you are describing...

you need to have administrative rights to do this

first off download the security patch FP mentioned in this thread:
http://www.pcabusers.net/forums/showthread.php?threadid=28702

Now AVG didn't catch this one so I used PC-cillin to find the trojan and delete it - their free Housecall internet based program should do fine

next go into msconfig and delete those entries

next go into the All Users startup folder and remove the TFTP files from there

reboot - boom, trojan and messages gone, and your system is protected from future exploit, total time takes about 15 minutes

Bill
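Both FlyingPenguin's manual procedure and Bill's steps come down to the same review: look at what is set to start with Windows (the msconfig "Startup" tab plus the All Users startup folder) and decide, entry by entry, what is legitimate before removing anything. Here is an added example, not from this thread, that lists those autostart locations in one table and separately flags the entries most worth a second look. It assumes the standard Run/RunOnce keys and the Startup folders reported by .NET's special-folder lookup; it is read-only and changes nothing.

```powershell
# Added example (not from the thread): enumerate common autostart locations.
# Assumption: the standard Run/RunOnce keys and the user / All Users Startup
# folders are the places msconfig's "Startup" tab draws from. Read-only.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('CommonStartup'),   # the "All Users" Startup folder
    [Environment]::GetFolderPath('Startup')          # the current user's Startup folder
)
# Properties PowerShell attaches to every registry item; everything else is a real value.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-CommandPath([string]$cmd) {
    # A Run value is a command line: take the quoted path if present, else the first token.
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd)
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Get-AutostartEntries {
    $entries = @()
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $entries += [pscustomobject]@{
                Location = $key
                Name     = $p.Name
                Target   = [string]$p.Value
                Path     = Get-CommandPath ([string]$p.Value)
            }
        }
    }
    foreach ($dir in $startupFolders) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force includes hidden files, which is where droppers tend to hide.
        foreach ($f in Get-ChildItem -LiteralPath $dir -File -Force) {
            $entries += [pscustomobject]@{
                Location = $dir
                Name     = $f.Name
                Target   = $f.FullName
                Path     = $f.FullName
            }
        }
    }
    return $entries
}

function Get-SuspectEntries($entries) {
    # Flag for manual review: names like the TFTP* entries in this thread, targets whose
    # file is gone (a stale or hidden dropper), or targets under a user-writable temp dir.
    $entries | Where-Object {
        $_.Name -like 'TFTP*' -or
        -not (Test-Path -LiteralPath $_.Path) -or
        $_.Path -like "$env:TEMP*"
    }
}

$all = Get-AutostartEntries
Write-Host "All autostart entries:"
$all | Format-Table Location, Name, Target -AutoSize
Write-Host "Entries worth a closer look (review before deleting anything):"
Get-SuspectEntries $all | Format-Table Location, Name, Path -AutoSize
```

Note the entries' full target paths in the table before doing anything else: Bill's step of deleting the msconfig entries and then the files in the All Users folder only works if you know which files those entries point at, and FlyingPenguin's warning about the malware restoring itself from a second copy is exactly why a file that is referenced but "not found" deserves a scan rather than a shrug. On a 64-bit system the same keys under HKLM:\SOFTWARE\Wow6432Node are worth adding to the list.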

Posted: Fri Aug 08, 2003 8:55 pm
by FlyingPenguin
I also think you installed the wrong registry fix - you want the one called "EXE Fix" here: http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip

Since you didn't remove the EXE file association, when you rebooted and loaded your first EXE file, the virus restored itself from a backup copy.

You want to run that registry fix from within Safe mode.

Posted: Fri Aug 08, 2003 11:01 pm
by Koo Koo Mouse
Thank you Goat. I can't run msconfig, but I did manage to rid the pesky start warnings with your advice. Those are gone!! Did the MS patch too btw.
But the bastard is still there even after getting the correct file from FP and running it from safe and following procedure.
Also got a brand new box to check off in msconfig while in safe mode.. called TCHXXEIMNR.exe. HUH? Get rid of 2 and another takes over??

Too tired to research that one right now..
haven't played a game in two days and it's affecting my mental state. Heh

Any more info would be great.

Posted: Sat Aug 09, 2003 1:13 am
by FlyingPenguin
You may not be able to fix it. It's running another service or trapping some other association so every time you fix one thing it restores itself somewhere else.

I've been down that road before. Be prepared to do a clean install.

This is why it helps to do a Ghost image of your boot partition regularly.

Posted: Sun Aug 10, 2003 4:59 pm
by Koo Koo Mouse
This shouldn't have worked, but it seems to have fixed it? Almost too easy.
I rebooted and hit F8 for the startup choices. I went with "last known good configuration" or something like that.. Huh! :) I can now get into regedit, msconfig no problem.. ALL boxes were unchecked too.
I let it reboot normally and I'm in without problems. While at that point I grabbed a 30 day trial of a reg cleaner from Ace Labs and let it go.. Then let it remove everything that came up. (hey, nothing to lose here so why not)
It got rid of a lot of crap check boxes in startup. The TFTPs are gone but the TCHXXEIMNR.exe remains, but UNCHECKED! Good!
After a number of reboots to be sure, and rerunning Housecall, I can't find anything wrong. Comp is working fine and it doesn't appear I lost anything so far.. I'm leery but guess time will tell. It's due for a major upgrade soon anyway.
Pretty sure this was an attack that night. Like I said the comp just shut down and was rebooting on its own and it's never ever done that.
Got a firewall running now.. yea, the trusty rusty ZoneAlarm freebie. I have had it before but for some dumb reason uninstalled it on both comps. And look what happened. I've had 388 intrusions and 211 blocked access attempts since installing it on the AMD box just this morning. Also my cable modem activity light has been going nuts for the last week..

Get your guards up guys.. there's some shit happening out there.