Thought I'd pass around some info that's going around at my job about this exploit - not sure if it'll help anyone though

****> It should be noted, however, that since the vulnerability
permitted an attacker to do almost anything with a victim machine, the
information below may represent only one of many possible attack
results. Therefore, the absence of the files described below should
*not* be considered to be a conclusive indication that a system was
not compromised due to this vulnerability.

The latest version of McAfee VirusScan Enterprise 7 (and I would guess
VS 4.5.1 also) does NOT recognize any files related to exploiting the
RPC DCOM vulnerability as being problematic. This may not be
surprising, since we're not dealing with a virus - yet. Please don't
rely on a virus scanner to find these, or similar files on a system at
this time.

Files that exploit RPC DCom will only show up on a machine as part of
kit that one might use to carry out attacks on remote hosts. However,
because such files can only be installed when an attacker has
substantial access to a victim machine, the most reliable method of
clean up is to rebuild the victim machine from known, good media,
while __NOT__ connected to the network (e.g., rebuild and _fully_
patch, and enable the XP built-in firewall, while behind a firewall
device (e.g. Linksys BEFSR41), or while disconnected from the network).

Hence, if a host is discovered to have been the victim of the RPC DCOM
exploit, and until organizations such as CERT, NAI, etc can issue more
definitive information on what the bounds of these exploits might be,
Information Security can only endorse the recommendation that the
machine be rebuilt. As soon as we become aware of a less-drastic yet
more certainly effective means of ensuring identification of whatever
the attackers may have done, we will pass that along.

Several of the victim workstations examined have had the following
characteristics in common (note: these characteristics represent only
one "footprint" - there are certainly other, different footprints
related to exploiting RPC DCOM - absence of these files does *NOT*
mean definitively that the system was not victimized in some other way):

* Three files located in a directory named "c:\temp"
+ directx.exe
+ cygwin1.dll
+ rpcroot.exe

* Some of the machines examined had a copy of directx.exe and
rpcroot.exe in c:\windows\system32.

* Directx.exe, while a file by that name may normally be present as
part of the Windows 'Direct-X' display facility, is in this case
actually an IRC server. When executed, directx.exe will create the
following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+ C:\test\directx.exe

HKLM\SOFTWARE\ColdVision
+ (Default)
+ update

* In addition to the registry entries, directx.exe will generate two
text files (in the same directory as directx.exe):
+ JoinMe.conf
+ operators.conf
The "operators.conf" file is empty, while "JoinMe.conf" contains 22
lines of IRC server configuration variables (with no interesting
values). It has been reported that directx.exe may contain a client
component which attempts to connect to an IRC server at 38.115.134.245.

* After a re-boot, the victim host will be running the IRC server on
port 6667

* Turns out that directx.exe and "ColdVision" have a bit of a history.
See http://vil.nai.com/vil/content/v_100024.htm

* The rpcroot.exe file is a script-kiddie utility that will allow one
to reboot vulnerable Windows machines remotely (via the RPC DCom issue).
Note that rpcroot.exe does not give one a shell on the victim machine
(other utilities floating around the Internet apparently will provide
shell access).

Cygwin1.dll is, of course, probably used in support of the IRC server
(directx.exe). It's possible for rpcroot.exe to be used for any
number of bad deeds: e.g., from general troubel making, to remotely
rebooting other victim Windows machines for the purpose of bringing up
newly installed IRC servers.

Wow 7 times, lol. Yeh at least you got it patched and hopefully things are in the clear now. :grinthumb

I'm glad we could help, and welcome aboard.

If you stay I hope you enjoy it

No problem Tob, glad we got ya straightened out

I hope you stick around and enjoy your time spent here.

That sounds like you need to boot into Safe Mode and run your antivirus, as well as adaware or spybot. That should get rid of your new problem with task manager being shut down as soon as you bring it up.

I'm very glad we could help all of you newcomers. It is nice to know we are getting out there and helping the computing community.

This post got googled or something, you might have noticed the 1000+ active users in vB at any time, 15333 reads so far.

Welcome everyone!