BlasterWorm [Archive] - SpeedGuide.net Broadband Community



ARS
09-03-03, 05:46 PM
Yea yea.

Ok, I work for an Air Force base, civilian wise. Anyways, our network fellows didn't want to close the ports 135, 137, 445. Ok, they finally did. Big woop. Well, our parent server for Norton gets everything updated... scans and finds the worm. Supposedly it deletes the worm, but it leaves a TFTP435 in the Virus History (randomly generated numbers after the TFTP). Well, I try to clean, delete, AND quarantine it. When I try, it says one of the files may be in use, or the virus is in an e-mail message.


Ok, note: I know the RPC exploit allows you to FTP a file into the Windows Directory of your choice. TFTP is an FTP used by Windows.


I removed the Outlook (we have Exchange servers) portion on a computer with the TFTP456 in the virus history, tried removing it, no success. So I figured the file was running, but where? I looked in the Registry Key Run portions... nothing.

So whenever I remove Norton and reinstall it, the TFTP file is not there. Scan my system and it finds nothing. And all symptoms go away.

My question is, do I have to reinstall Norton every time I come across this? (at LEAST 10 a day) Is there a way to fix this easier? Quicker? More sufficient?

Anthony

blebs
09-03-03, 09:16 PM
This should save you a lot of future headaches.

http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

ARS
09-03-03, 10:18 PM
The removal tool does not find anything. Say blaster worm is off, but it has a sluggish effect on my machines. Also I cannot open some windows with the TFTP### in the Virus log saying it is there. When I right click and hit properties, it tells me it is the Blaster Worm. Ok, but it doesn't let me delete it or anything. (The parent server says it has cleaned the virus.)

But if I uninstall and reinstall Norton, the effects go away after a reboot. Weird, but true.

blebs
09-03-03, 10:56 PM
I assume you haven't tried Norton's Tech site for an answer?

If I get some time to search around, I'll try to find you a better answer, but at this point I'm stumped.

ARS
09-03-03, 11:25 PM
Yea, I haven't thought about Norton Tech site. Usually I can find the answer to the problem on the net by searching... or figuring it out; this one has stumped me also. I guess I can throw my problem up to the Norton Tech fellows, just figured I'd ask at the old speedguide to see if anyone else has had this issue.


Thanks Blebs ;)

blebs
09-04-03, 12:48 AM
YOSC might have run into this already but he won't be around till morning. I'm sure if he has, he'll speak up.

YeOldeStonecat
09-04-03, 07:02 AM
The last time I came across tftp in the root of a computer was someone's machine that Symantec popped up W32.spybot.worm warnings on. She was behind a totally closed NAT router, but probably came in via an e-mail attachment.

I'm having a tough time squashing this... as now and then Symantec will pop up saying it found the virus in explorer.exe, and it will quarantine it.

Anyways, one day went over and looked at her computer, she had tftp.exe and some other file in the root of her C drive. The only tftp she should have had was in her download directory, Linksys folder...for firmware updates, as that's the tool Linksys provides to update the firmware on their routers.

Her guest account was enabled for some reason. (disabled on XP by default), and in the Symantec logs, when it catches the virus, it's under the guest account.

So I disabled her guest account again, changed her admin password, deleted those files, disabled the ftp service, disabled remote registry services, hasn't seemed to come back.

w32.spybot.worm has nothing to do with Spybot Search and Destroy. It's a backdoor that lets someone send other backdoors to your system. I haven't seen tftp in a Blaster case. I'd look for other issues on your rig.

http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.dr.html

ARS
09-04-03, 09:38 PM
Whenever I look in the virus history saying the "TFTP###" file in there... and right click to clean, quarantine, or delete... and nothing happens, but when I click properties, it says it is the W32.BlasterWorm or whatever. However I cannot delete it, thus reinstalling NortonCorpEdition, it seems to solve it.