File of the Form TFTPxxx Tries to Run at Startup
A file of the form TFTPxxx (where xxx = numbers) attempts to run at system start and Windows does not know how to do that. What is it and what should you do?
The Windows Trivial File Transfer Program (TFTP.EXE) is a small file transfer client provided with Windows (TFTP differs from the FTP commonly talked about and is not a substitute for it -- see the references below). When run, that program sometimes leaves behind a file of the form TFTPxxx in whatever directory was the default when the program ran. The files are harmless; they are just left over from the TFTP program running. That explains where the file comes from. Now we need to backtrack a bit...
On 16 July 2003 Microsoft released a patch to correct a security vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. Without the patch, computers were vulnerable to crackers or programs which could enter a vulnerable computer and run arbitrary code on that vulnerable computer. Unfortunately, most people either did not know about or ignored the patch. A description of the vulnerability and links to the patch are on the Microsoft site...
About a month later, a modified form of the Blaster Worm was released which specifically targeted this vulnerability. While the worm did little damage to an infected computer, it did run the Windows TFTP client to send itself to other computers. Because it used the Startup directory as the default, the TFTP client dropped TFTPxxx files into the Startup directory in the process. The next time Windows started it encountered these files and did not know how to run them. Windows then asked users to specify a program or search the Internet. Many picked the second option and ended up at the FILExt site, leading eventually to this FAQ.
What should you do?
If you have not already, download and IMMEDIATELY install the Windows patch described above. This will stop further incoming attacks.
Once you have done that, you need to get rid of whatever caused the problem. For this you really should have updated anti-virus software. By scanning your system it should find and handle the appropriate files for you. FILExt makes no specific recommendation. A list of the major anti-virus software vendors can be found here...
You can further help yourself by installing a firewall of some sort between you and the Internet. There are a number of free software firewalls that work just fine. Two, in particular, are often mentioned...
- Sygate Personal Firewall - (Effective November 30th, 2005 all Sygate consumer firewall products were discontinued. This product is now part of the Symantec family and no longer free.)
- Zone Alarm by ZoneLabs - http://www.zonelabs.com/
FILExt takes no position on which of these (or others) you should use. It's your choice but you should make the choice and use something. If you have a continuous connection to the Internet instead of dial-up you should strongly consider getting a hardware firewall.
Finally, the TFTPxxx files appear in the Startup Group in Windows. You should be able to see them in the directory C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TFTPxxxx
...or by choosing Start | Program Files | Startup
Delete these files (they may be read only and, if so, you may have to right click the file, select Properties, and uncheck the ReadOnly attribute). As indicated above, these files are not dangerous. They just clutter up the Startup directory and cause Windows to pause to ask you about them during Startup.
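The cleanup step above can also be scripted. The following PowerShell sketch is an added example, not part of the original FAQ; it assumes the leftover files are named TFTP followed only by digits with no extension, and the `-Delete` switch is a name chosen for this example. Without the switch it only lists what it finds.

```powershell
# Added example: report (and optionally remove) leftover TFTPxxx files
# in the Startup folders. Run without arguments first to review the list.
param([switch]$Delete)   # hypothetical switch name: without it nothing is deleted

# Startup folder for all users and for the current user.
$startupDirs = @(
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Startup')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

foreach ($dir in $startupDirs) {
    # -Force includes hidden files. The name filter is an assumption:
    # "TFTP" followed only by digits, no extension, so shortcuts and
    # real programs in the folder are never matched.
    $leftovers = Get-ChildItem -LiteralPath $dir -Force |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match '^TFTP\d+$' }

    foreach ($file in $leftovers) {
        # Show enough detail to judge each file before removing it.
        '{0}  {1} bytes  modified {2}  read-only={3}' -f `
            $file.FullName, $file.Length, $file.LastWriteTime, $file.IsReadOnly

        if ($Delete) {
            # Same step as unchecking the read-only attribute in Properties.
            if ($file.IsReadOnly) { $file.IsReadOnly = $false }
            Remove-Item -LiteralPath $file.FullName -Force
        }
    }
}
```

Files that reappear after deletion indicate that whatever runs TFTP is still present, so the patch and anti-virus steps above come first.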
Then, keep your firewall and anti-virus software up to date at all times.
Install Windows security patches when released.
Added note: Other malware has started to appear and use the TFTP program and, therefore, leave TFTPxxxx files on systems. Some of these files can contain signatures of the malware and can be tagged by anti-virus software as being infected. The solution is the same as the above: make certain you have all the latest Microsoft Critical Updates and delete the leftover files. The anti-virus software should remove the malware itself, or the vendor's Website should have a program that will do the removal.