RPC Error


Ron
December 12th 03, 07:28 PM
Just wanted to add my RPC error to the list. Running Win
XP Home and had the exact same problems. It somehow seems
to indicate something to do with NAV. NAV was updated and
run when problem first showed up a couple of days ago.
Other problems seem to be developing now. I guess I'll try
closing port 135 to see if that helps.

Karl Levinson [x y] mvp
December 12th 03, 07:29 PM
"Ron" > wrote in message
...
> Just wanted to add my RPC error to the list. Running Win
> XP Home and had the exact same problems. It somehow seems
> to indicate something to do with NAV. NAV was updated and
> run when problem first showed up a couple of days ago.
> Other problems seem to be developing now. I guess I'll try
> closing port 135 to see if that helps.

I really wouldn't. Closing port 135 [are you talking TCP 135? UDP 135?
Both?] does nothing to increase your security on the other 130,000 ports,
including the port that's open if you were already hacked with a backdoor.
See below instead:

I've seen a number of people ask this question today, so I hope this
information is helpful to someone. I've posted this a number of times to
the newsgroup, so a search of the newsgroup before posting might have given
you an answer quicker with no waiting.

FYI, the presence of the files Dcomx.exe or the other files mentioned below
along with a "Remote Procedure Call" or TFTP popup message on your system
and/or system lockups or reboots are signs you may have been hacked by a
tool such as Autorooter. [TFTP.EXE is a normal file that comes with many
versions of Windows, but it should usually not be running on most systems.]

To fix this:

1. Download and install a free firewall [www.sygate.com or www.kerio.com],
your choice.

2. Go to www.windowsupdate.com, both now and every month or two, to install
all the latest Microsoft service packs and patches. You should probably
reboot and go back to www.windowsupdate.com after the updates have
installed, to be sure you got them all [for example, you might have to
install the latest Windows Service Pack, then reboot and go back to install
patches that were released since the Service Pack].

3. Install and run an antivirus with the latest updates for this week
installed [ www.grisoft.com is free antivirus]. You might also want to scan
your computer using either of the following web sites for a second opinion,
just in case something was missed:

http://housecall.antivirus.com [my preference] OR
http://security2.norton.com

4. Click on "Start, Find/Search, Files or Folders" to search your hard drive
for any of the following file names. If any of the files below are found,
you may need additional help getting rid of them and determining what else
if anything was changed on your computer.

rpc.exe
rpctest.exe
tftpd.exe
dcomx.exe
lolx.exe
worm.exe

5. You may want to repeat the above search steps to search for files that
changed in the past day. Many of the files that appear will be normal system
files. You may just want to look through the files that appear to see if
anything appears suspicious. If you have a question about a particular file
name and whether it is normal or not, post that file name along with your
question to a support newsgroup like the one where you originally asked this
question.

I do believe there may be new variants of Autorooter that possibly have not
yet been fully discovered. Unlike an automated event like a worm, this
event may indicate that someone personally ran a tool against you and may
have done things to your computer.

There are a number of posts mentioning a quick "registry fix" to close "port
135." This does very little to secure your computer, as it only closes one
of the 130,000 ports on your computer. Get a firewall first, even a free
one.

Also, note that the presence of new files such as TFTPxxxx or DCOMX.EXE etc.
means that just installing the latest Microsoft patches, editing the
registry, etc. may no longer be sufficient. Installing the Microsoft patch,
editing the registry, closing ports, disabling services, etc. do absolutely
nothing to block the back door that has probably now been installed, so that
your computer can still be compromised using other ports.

Once your computer has been hacked, these are some things I might recommend
doing:

http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden

The Autorooter Trojan has been given several different names by various
anti-virus companies [although I believe some people are being attacked by
something that is similar but not exactly the same as Autorooter]:

RPC Worm (F-Secure)
Downloader-DM (McAfee)
Autorooter (Panda)
Worm.Win32.Autorooter (AVP)
Backdoor.IRC.Cirebot (Symantec)

References:

http://www.europe.f-secure.com/v-descs/rpc.shtml
http://vil.nai.com/vil/content/v_100524.htm
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cirebot.html
http://news.com.com/2100%2D1009%2D5059263.html
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
http://www.microsoft.com/security/security_bulletins/MS03-026.asp
http://support.microsoft.com/?kbid=823980


Here are some signs of infection, though these do not necessarily match all
the variants that might be out there:

"Signs of infection:
- the existence of one or more of the following files:
rpc.exe
rpctest.exe
tftpd.exe
dcomx.exe
lolx.exe
worm.exe

Signs that a network is being attacked:
- traffic on port 445 to sequential IP addresses.

Signs that an attack has succeeded (allowing a remote shell and downloading
of the backdoor):
- port 57005 open;
- an ftp [tftp] connection on port 69."

I hope this helps. Let us know if you find anything interesting. Thanks to
Susan Bradley for pointing this information out.
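As an added example (not from Karl's post or from any tool it names), the "signs that a network is being attacked" and "signs that an attack has succeeded" quoted above turned into detection logic over firewall log lines. The log format, addresses and sample lines are constructed for this demo; the ports 445, 57005 and 69 are the ones the post lists.

```python
import ipaddress
from collections import defaultdict
# Constructed firewall log lines for this demo (format is invented):
# "<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
TCP 10.0.0.7:3201 -> 192.168.1.10:445
TCP 10.0.0.7:3202 -> 192.168.1.11:445
TCP 10.0.0.7:3203 -> 192.168.1.12:445
TCP 10.0.0.7:3204 -> 192.168.1.13:445
TCP 10.0.0.9:1050 -> 192.168.1.20:80
TCP 10.0.0.7:3210 -> 192.168.1.13:57005
UDP 192.168.1.13:1042 -> 10.0.0.7:69
"""

def parse(line):
    proto, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return proto, ipaddress.ip_address(sip), int(sport), ipaddress.ip_address(dip), int(dport)

def sequential_445_sweeps(records, min_hosts=3):
    """Sources that hit TCP 445 on at least min_hosts consecutive destination IPs."""
    targets = defaultdict(set)
    for proto, sip, _, dip, dport in records:
        if proto == "TCP" and dport == 445:
            targets[sip].add(int(dip))  # integer form makes adjacency a +1 check
    sweeps = {}
    for sip, ips in targets.items():
        ordered = sorted(ips)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_hosts:
            sweeps[str(sip)] = best
    return sweeps

def backdoor_signs(records):
    """Connections to TCP 57005 (remote shell) or UDP 69 (tftp fetch of the backdoor)."""
    signs = []
    for proto, sip, _, dip, dport in records:
        if proto == "TCP" and dport == 57005:
            signs.append(("shell-57005", str(sip), str(dip)))
        elif proto == "UDP" and dport == 69:
            signs.append(("tftp-69", str(sip), str(dip)))
    return signs

def analyse(log_text=SAMPLE_LOG):
    records = [parse(l) for l in log_text.splitlines() if l.strip()]
    return {"sweeps": sequential_445_sweeps(records), "signs": backdoor_signs(records)}
```

Run `analyse()` on the sample to get the sweeping source with its run length and the two post-compromise signs; a single host reaching 445 on one or two machines is not reported, only a consecutive run.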
