I have a problem... need help

ChaoStar

Contributor
Veteran XX
Ok, so I was lying on my bed when I noticed my comp restart itself. This was very odd. After I got back into Windows I tried checking what was in my startup. So I did Start > Run > msconfig, but as soon as it opened up it closed. So I tried to see what processes were running, so I did Ctrl+Alt+Del and as soon as that came up it closed. Every other program stays open except those two. I did manage to get screen caps before they closed.

Notice anything funny here?
prob2.jpg


I want to uncheck these two programs from my startup. So how can I do that without using msconfig, since it closes immediately?
prob1.jpg


Oh and I did a release/renew in a dos prompt and then did netstat to see if anyone is connecting and I get this.
prob3.jpg


I'm running Windows XP Pro.

Help Please.
 
I could be wrong, but it looks like you're one of the first to be hit by a worm targeting the Windows RPC hole. Congratulations :p. Might try rebooting to safe mode and remove the programs from startup from there. I'd try and leave it on and connected to the internet as little as possible; you've probably got some kind of backdoor on there. If/when you get it cleaned off, the first thing you need to do is go to Windows Update and get yourself patched up.
 
taken from: Microsoft Security Bulletin MS03-026

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC enabled ports. This interface handles DCOM object activation requests that are sent by client machines to the server. An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. The attacker would be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on specific RPC ports.

Mitigating factors:

To exploit this vulnerability, the attacker would require the ability to send a specially crafted request to port 135, 139, or 445 or any other specifically configured RPC port on the remote machine. For intranet environments, these ports would normally be accessible, but for Internet connected machines, these would normally be blocked by a firewall. In the case where these ports are not blocked, or in an intranet configuration, the attacker would not require any additional privileges.
Best practices recommend blocking all TCP/IP ports that are not actually being used, and most firewalls including the Windows Internet Connection Firewall (ICF) block those ports by default. For this reason, most machines attached to the Internet should have RPC over TCP or UDP blocked. RPC over UDP or TCP is not intended to be used in hostile environments such as the Internet. More robust protocols such as RPC over HTTP are provided for hostile environments.

I got this just prior to my OS shutting down
site1048.jpg
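The netstat check the original poster ran, and the "mitigating factors" paragraph above about ports 135, 139 and 445, both come down to one question: which RPC/SMB sockets are bound on the box, and is any remote host currently talking to them? The script below is an added example, not from the thread or the Microsoft bulletin: it parses text in the layout of `netstat -an` on Windows and reports listeners and inbound sessions on the MS03-026 ports. The sample output, the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses and the port 3057/1044 values are all constructed for the example.

```python
"""
Report RPC/SMB exposure from `netstat -an` output.

Added example for the thread above (not the poster's or Microsoft's code).
It only reads text: feed it the saved output of `netstat -an` and it lists
sockets on the ports named in MS03-026 (135, 139, 445).
"""
import re
from collections import namedtuple

# Ports named in the MS03-026 "mitigating factors" paragraph.
RPC_PORTS = {135, 139, 445}

Sock = namedtuple("Sock", "proto local_ip local_port remote_ip remote_port state")

# Constructed sample in the `netstat -an` layout (not the thread's real screenshot).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:135         198.51.100.7:3057      ESTABLISHED
  TCP    192.0.2.10:1044        203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    192.0.2.10:137         *:*
"""

# One socket line: proto, local addr:port, foreign addr:port, optional state.
# UDP lines carry "*:*" as the foreign address and have no state column.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+"
    r"([\d.]+|\*|\[[^\]]+\]):(\d+|\*)\s+"
    r"([\d.]+|\*|\[[^\]]+\]):(\d+|\*)"
    r"(?:\s+(\S+))?\s*$"
)


def _port(text):
    # "*" (unspecified port on UDP foreign addresses) becomes None.
    return int(text) if text.isdigit() else None


def parse_netstat(text):
    """Return a list of Sock records; header and blank lines are skipped."""
    socks = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        socks.append(Sock(proto, lip, _port(lport), rip, _port(rport), state or ""))
    return socks


def rpc_exposure(socks):
    """
    Split RPC-port sockets into two lists:
      listening: (proto, local_ip, local_port) for TCP LISTENING or any bound UDP socket,
      inbound:   (remote_ip, remote_port, local_port) for ESTABLISHED TCP sessions
                 whose *local* side is an RPC port, i.e. a remote host reached us there.
    """
    listening, inbound = [], []
    for s in socks:
        if s.local_port not in RPC_PORTS:
            continue
        if s.proto == "UDP" or s.state == "LISTENING":
            listening.append((s.proto, s.local_ip, s.local_port))
        elif s.proto == "TCP" and s.state == "ESTABLISHED":
            inbound.append((s.remote_ip, s.remote_port, s.local_port))
    return {"listening": listening, "inbound": inbound}


def render_report(report):
    """Human-readable summary; an empty 'inbound' list is the healthy case."""
    lines = ["RPC/SMB listeners (block these at the firewall if the host faces the Internet):"]
    for proto, ip, port in report["listening"]:
        scope = "all interfaces" if ip in ("0.0.0.0", "*", "[::]") else ip
        lines.append(f"  {proto} port {port} bound on {scope}")
    lines.append("Inbound sessions on RPC ports:")
    if not report["inbound"]:
        lines.append("  none")
    for rip, rport, lport in report["inbound"]:
        lines.append(f"  {rip}:{rport} -> local port {lport}  (investigate)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Replace SAMPLE_NETSTAT with the contents of a saved `netstat -an > netstat.txt`.
    print(render_report(rpc_exposure(parse_netstat(SAMPLE_NETSTAT))))
```

On the sample above it reports four RPC listeners (TCP 135 and 445 on all interfaces, TCP 139 on the LAN address, UDP 135) and one inbound session from 198.51.100.7 into port 135, which is exactly the pattern the bulletin says should be impossible on an Internet-facing machine with the ports firewalled. The HTTP session on port 1044 is ignored because its RPC-port side is remote, not local.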
 
Install all critical Windows XP updates, go into safe mode, delete the files msconfig32.exe (hidden in C:\windows\system32) and webdav.exe (in startup folder). Problem solved, and run a firewall from now on.
 