Dcom Exploit

L

LeeG

Guest
My Avast online scanner keeps flashing up with a Dcom Exploit

88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156, 115.154 being

two of the combinations.) Am I being targeted by someone.

 
L

LeeG

Guest
In addition could this be being caused due to upgrading to SP3? I know this

type of problem was addressed with sp2 but this seems to coincide with the

upgrade to sp3! I have tried a couple of ways to close down the DCOM port

135 but it is still showing as open. Anyone know any answers/solutions.

"LeeG" wrote:

<span style="color:blue">

> My Avast online scanner keeps flashing up with a Dcom Exploit

> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156, 115.154 being

> two of the combinations.) Am I being targeted by someone.</span>

 
P

PA Bear [MS MVP]

Guest
/Where/ is Avast find this?

Have you posted about this in Avast User Forums?

http://forum.avast.com/

--

~Robear Dyer (PA Bear)

MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

AumHa VSOP & Admin http://aumha.net

DTS-L http://dts-l.net/

LeeG wrote:<span style="color:blue">

> In addition could this be being caused due to upgrading to SP3? I know

> this

> type of problem was addressed with sp2 but this seems to coincide with the

> upgrade to sp3! I have tried a couple of ways to close down the DCOM port

> 135 but it is still showing as open. Anyone know any answers/solutions.

>

> "LeeG" wrote:

><span style="color:green">

>> My Avast online scanner keeps flashing up with a Dcom Exploit

>> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156, 115.154

>> being two of the combinations.) Am I being targeted by someone. </span></span>

 
L

LeeG

Guest
Not yet. This exploit seems to coincide with the installation of SP3. Up

until now I had never had this exploit happen. I have been running Avast for

quite a while now and this is the first time it has flagged this exploit.

"PA Bear [MS MVP]" wrote:

<span style="color:blue">

> /Where/ is Avast find this?

>

> Have you posted about this in Avast User Forums?

> http://forum.avast.com/

> --

> ~Robear Dyer (PA Bear)

> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

> AumHa VSOP & Admin http://aumha.net

> DTS-L http://dts-l.net/

>

>

> LeeG wrote:<span style="color:green">

> > In addition could this be being caused due to upgrading to SP3? I know

> > this

> > type of problem was addressed with sp2 but this seems to coincide with the

> > upgrade to sp3! I have tried a couple of ways to close down the DCOM port

> > 135 but it is still showing as open. Anyone know any answers/solutions.

> >

> > "LeeG" wrote:

> ><span style="color:darkred">

> >> My Avast online scanner keeps flashing up with a Dcom Exploit

> >> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156, 115.154

> >> being two of the combinations.) Am I being targeted by someone. </span></span>

>

> </span>

 
L

LeeG

Guest
Forgot to mention. I have already looked at the avast forum and i can only

find explanations and possible cures and have also tried one and currently

monitoring the solution. I am curious has to why the change?

"PA Bear [MS MVP]" wrote:

<span style="color:blue">

> /Where/ is Avast find this?

>

> Have you posted about this in Avast User Forums?

> http://forum.avast.com/

> --

> ~Robear Dyer (PA Bear)

> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

> AumHa VSOP & Admin http://aumha.net

> DTS-L http://dts-l.net/

>

>

> LeeG wrote:<span style="color:green">

> > In addition could this be being caused due to upgrading to SP3? I know

> > this

> > type of problem was addressed with sp2 but this seems to coincide with the

> > upgrade to sp3! I have tried a couple of ways to close down the DCOM port

> > 135 but it is still showing as open. Anyone know any answers/solutions.

> >

> > "LeeG" wrote:

> ><span style="color:darkred">

> >> My Avast online scanner keeps flashing up with a Dcom Exploit

> >> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156, 115.154

> >> being two of the combinations.) Am I being targeted by someone. </span></span>

>

> </span>

 
P

PA Bear [MS MVP]

Guest
[i meant to ask, "Where is Avast finding this?"]

If you can post a few links to pertinent threads in that forum, I'd

appreciate it.

Is the Windows Firewall or a third-party firewall enabled?

What anti-spyware applications might be installed (other than Defender)?

What third-party firewall (if any)? Was Avast and/or any of these other

applications running when you installed SP3?

How did you install SP3 (e.g., manually; via Windows Update)? Was the

machine running WinXP SP1 or WinXP SP2 before SP3 was installed? Was the

machine fully patched before you installed SP3? Had you just reinstalled

Windows prior to installing SP3?

Can you successfully reach and scan for updates at Windows Update website?

Are any updates offered? If so, can you install them successfully?

--

~PA Bear

LeeG wrote:

<paste><span style="color:blue">

> Not yet. This exploit seems to coincide with the installation of SP3. Up

> until now I had never had this exploit happen. I have been running Avast

> for quite a while now and this is the first time it has flagged this

> exploit.</span>

</paste><span style="color:blue">

> Forgot to mention. I have already looked at the avast forum and i can

> only

> find explanations and possible cures and have also tried one and currently

> monitoring the solution. I am curious has to why the change?

>

> "PA Bear [MS MVP]" wrote:<span style="color:green">

>> /Where/ is Avast find this?

>>

>> Have you posted about this in Avast User Forums?

>> http://forum.avast.com/

>> --

>> ~Robear Dyer (PA Bear)

>> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

>> AumHa VSOP & Admin http://aumha.net

>> DTS-L http://dts-l.net/

>>

>>

>> LeeG wrote:<span style="color:darkred">

>>> In addition could this be being caused due to upgrading to SP3? I know

>>> this

>>> type of problem was addressed with sp2 but this seems to coincide with

>>> the

>>> upgrade to sp3! I have tried a couple of ways to close down the DCOM

>>> port

>>> 135 but it is still showing as open. Anyone know any answers/solutions.

>>>

>>>> My Avast online scanner keeps flashing up with a Dcom Exploit

>>>> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156, 115.154

>>>> being two of the combinations.) Am I being targeted by someone. </span></span></span>

 
L

LeeG

Guest
Windows firewall is active and I am using the full home edition of Avast.

Also using Spybot S&D and regularily scan with Adaware. I do an AV and

spybot scans about twice a month.

The SP3 was a manual download direct from the Microsoft website and I still

had my resident scanners active when I installed it. I was fully up to date

with sp2 before I installed sp3

I have tried to reverse trace the different ip addresses that are flagged by

avast but no joy.

Here are some of the variations:

88.107.251.156

88.107.115.154

88.107.16.150

88.107.38.82

88.107.146.102

88.107.30.168

Avast flashes this message: dcom exploit 88.107.251.156:135 /tcp

One link I have tried but this solution did not work is

http://www.grc.com/freeware/dcom.htm

I can access and install updates from the windows update site. Just

installed a couple of office updates on thursday.

"PA Bear [MS MVP]" wrote:

<span style="color:blue">

> [i meant to ask, "Where is Avast finding this?"]

>

> If you can post a few links to pertinent threads in that forum, I'd

> appreciate it.

>

> Is the Windows Firewall or a third-party firewall enabled?

>

> What anti-spyware applications might be installed (other than Defender)?

> What third-party firewall (if any)? Was Avast and/or any of these other

> applications running when you installed SP3?

>

> How did you install SP3 (e.g., manually; via Windows Update)? Was the

> machine running WinXP SP1 or WinXP SP2 before SP3 was installed? Was the

> machine fully patched before you installed SP3? Had you just reinstalled

> Windows prior to installing SP3?

>

> Can you successfully reach and scan for updates at Windows Update website?

> Are any updates offered? If so, can you install them successfully?

> --

> ~PA Bear

>

>

> LeeG wrote:

> <paste><span style="color:green">

> > Not yet. This exploit seems to coincide with the installation of SP3. Up

> > until now I had never had this exploit happen. I have been running Avast

> > for quite a while now and this is the first time it has flagged this

> > exploit.</span>

> </paste><span style="color:green">

> > Forgot to mention. I have already looked at the avast forum and i can

> > only

> > find explanations and possible cures and have also tried one and currently

> > monitoring the solution. I am curious has to why the change?

> >

> > "PA Bear [MS MVP]" wrote:<span style="color:darkred">

> >> /Where/ is Avast find this?

> >>

> >> Have you posted about this in Avast User Forums?

> >> http://forum.avast.com/

> >> --

> >> ~Robear Dyer (PA Bear)

> >> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

> >> AumHa VSOP & Admin http://aumha.net

> >> DTS-L http://dts-l.net/

> >>

> >>

> >> LeeG wrote:

> >>> In addition could this be being caused due to upgrading to SP3? I know

> >>> this

> >>> type of problem was addressed with sp2 but this seems to coincide with

> >>> the

> >>> upgrade to sp3! I have tried a couple of ways to close down the DCOM

> >>> port

> >>> 135 but it is still showing as open. Anyone know any answers/solutions.

> >>>

> >>>> My Avast online scanner keeps flashing up with a Dcom Exploit

> >>>> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156, 115.154

> >>>> being two of the combinations.) Am I being targeted by someone. </span></span>

>

> </span>

 
R

Roger Abell [MVP]

Guest
You are running XP, and I will assume this is a home machine.

You have no need for DCOM.

Go to Administrative Tools and select Component Services.

When it opens, click into Component Services / Computers

and right click on My Computer and select Properties.

In the My Computer Properties window that opens select

the Default Properties tab and make sure that the checkbox

Enable Distributed COM on this computer is NOT checked.

Avast might detect something coming in from the network but

if DCOM is not enabled it will not get a response.

Make sure you have a firewall enabled and that the exceptions

are all ones that you know about and need.

Roger

"LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

news:8C507A76-56DC-4FDD-8152-3DDA68BBBFC4@microsoft.com...<span style="color:blue">

> Forgot to mention. I have already looked at the avast forum and i can

> only

> find explanations and possible cures and have also tried one and currently

> monitoring the solution. I am curious has to why the change?

>

> "PA Bear [MS MVP]" wrote:

><span style="color:green">

>> /Where/ is Avast find this?

>>

>> Have you posted about this in Avast User Forums?

>> http://forum.avast.com/

>> --

>> ~Robear Dyer (PA Bear)

>> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

>> AumHa VSOP & Admin http://aumha.net

>> DTS-L http://dts-l.net/

>>

>>

>> LeeG wrote:<span style="color:darkred">

>> > In addition could this be being caused due to upgrading to SP3? I know

>> > this

>> > type of problem was addressed with sp2 but this seems to coincide with

>> > the

>> > upgrade to sp3! I have tried a couple of ways to close down the DCOM

>> > port

>> > 135 but it is still showing as open. Anyone know any

>> > answers/solutions.

>> >

>> > "LeeG" wrote:

>> >

>> >> My Avast online scanner keeps flashing up with a Dcom Exploit

>> >> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156,

>> >> 115.154

>> >> being two of the combinations.) Am I being targeted by someone.</span>

>>

>> </span></span>

 
R

Roger Abell [MVP]

Guest
Check what exemptions are allowed in your firewall settings.

I am not aware of at what point in the network stack Avast might

be tying in, but the firewall should be disallowing tcp 135 traffic

from unknown machine addresses. If you use filesharing in your

home network you do need tcp 135 to be available to those boxes,

but it should not be open to the world.

"LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

news:47917144-F76F-4060-93AC-89A62FD8DB09@microsoft.com...<span style="color:blue">

> Windows firewall is active and I am using the full home edition of Avast.

> Also using Spybot S&D and regularily scan with Adaware. I do an AV and

> spybot scans about twice a month.

>

> The SP3 was a manual download direct from the Microsoft website and I

> still

> had my resident scanners active when I installed it. I was fully up to

> date

> with sp2 before I installed sp3

>

> I have tried to reverse trace the different ip addresses that are flagged

> by

> avast but no joy.

>

> Here are some of the variations:

>

> 88.107.251.156

> 88.107.115.154

> 88.107.16.150

> 88.107.38.82

> 88.107.146.102

> 88.107.30.168

>

> Avast flashes this message: dcom exploit 88.107.251.156:135 /tcp

>

> One link I have tried but this solution did not work is

>

> http://www.grc.com/freeware/dcom.htm

>

> I can access and install updates from the windows update site. Just

> installed a couple of office updates on thursday.

>

> "PA Bear [MS MVP]" wrote:

><span style="color:green">

>> [i meant to ask, "Where is Avast finding this?"]

>>

>> If you can post a few links to pertinent threads in that forum, I'd

>> appreciate it.

>>

>> Is the Windows Firewall or a third-party firewall enabled?

>>

>> What anti-spyware applications might be installed (other than Defender)?

>> What third-party firewall (if any)? Was Avast and/or any of these other

>> applications running when you installed SP3?

>>

>> How did you install SP3 (e.g., manually; via Windows Update)? Was the

>> machine running WinXP SP1 or WinXP SP2 before SP3 was installed? Was the

>> machine fully patched before you installed SP3? Had you just reinstalled

>> Windows prior to installing SP3?

>>

>> Can you successfully reach and scan for updates at Windows Update

>> website?

>> Are any updates offered? If so, can you install them successfully?

>> --

>> ~PA Bear

>>

>>

>> LeeG wrote:

>> <paste><span style="color:darkred">

>> > Not yet. This exploit seems to coincide with the installation of SP3.

>> > Up

>> > until now I had never had this exploit happen. I have been running

>> > Avast

>> > for quite a while now and this is the first time it has flagged this

>> > exploit.</span>

>> </paste><span style="color:darkred">

>> > Forgot to mention. I have already looked at the avast forum and i can

>> > only

>> > find explanations and possible cures and have also tried one and

>> > currently

>> > monitoring the solution. I am curious has to why the change?

>> >

>> > "PA Bear [MS MVP]" wrote:

>> >> /Where/ is Avast find this?

>> >>

>> >> Have you posted about this in Avast User Forums?

>> >> http://forum.avast.com/

>> >> --

>> >> ~Robear Dyer (PA Bear)

>> >> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

>> >> AumHa VSOP & Admin http://aumha.net

>> >> DTS-L http://dts-l.net/

>> >>

>> >>

>> >> LeeG wrote:

>> >>> In addition could this be being caused due to upgrading to SP3? I

>> >>> know

>> >>> this

>> >>> type of problem was addressed with sp2 but this seems to coincide

>> >>> with

>> >>> the

>> >>> upgrade to sp3! I have tried a couple of ways to close down the DCOM

>> >>> port

>> >>> 135 but it is still showing as open. Anyone know any

>> >>> answers/solutions.

>> >>>

>> >>>> My Avast online scanner keeps flashing up with a Dcom Exploit

>> >>>> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156,

>> >>>> 115.154

>> >>>> being two of the combinations.) Am I being targeted by someone.</span>

>>

>> </span></span>

 
L

LeeG

Guest
I checked the Dcom setting was unchecked in component services last night but

I am still getting the exploit warning. Could someone unscrupulous be trying

to access my machine and eventually give up? Could this attack be from

someone obtaining my ip address through other sites, for example, facebook.

I only ask because my partner signed up recently to it. I have run XP home

for quite a while now and this has never cropped up before.

"Roger Abell [MVP]" wrote:

<span style="color:blue">

> You are running XP, and I will assume this is a home machine.

> You have no need for DCOM.

> Go to Administrative Tools and select Component Services.

> When it opens, click into Component Services / Computers

> and right click on My Computer and select Properties.

> In the My Computer Properties window that opens select

> the Default Properties tab and make sure that the checkbox

> Enable Distributed COM on this computer is NOT checked.

> Avast might detect something coming in from the network but

> if DCOM is not enabled it will not get a response.

> Make sure you have a firewall enabled and that the exceptions

> are all ones that you know about and need.

>

> Roger

>

> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

> news:8C507A76-56DC-4FDD-8152-3DDA68BBBFC4@microsoft.com...<span style="color:green">

> > Forgot to mention. I have already looked at the avast forum and i can

> > only

> > find explanations and possible cures and have also tried one and currently

> > monitoring the solution. I am curious has to why the change?

> >

> > "PA Bear [MS MVP]" wrote:

> ><span style="color:darkred">

> >> /Where/ is Avast find this?

> >>

> >> Have you posted about this in Avast User Forums?

> >> http://forum.avast.com/

> >> --

> >> ~Robear Dyer (PA Bear)

> >> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

> >> AumHa VSOP & Admin http://aumha.net

> >> DTS-L http://dts-l.net/

> >>

> >>

> >> LeeG wrote:

> >> > In addition could this be being caused due to upgrading to SP3? I know

> >> > this

> >> > type of problem was addressed with sp2 but this seems to coincide with

> >> > the

> >> > upgrade to sp3! I have tried a couple of ways to close down the DCOM

> >> > port

> >> > 135 but it is still showing as open. Anyone know any

> >> > answers/solutions.

> >> >

> >> > "LeeG" wrote:

> >> >

> >> >> My Avast online scanner keeps flashing up with a Dcom Exploit

> >> >> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156,

> >> >> 115.154

> >> >> being two of the combinations.) Am I being targeted by someone.

> >>

> >> </span></span>

>

>

> </span>

 
M

MowGreen [MVP]

Guest
Info on the IP ranges you posted:

http://www.dnsstuff.com/tools/whois.ch?ip=88.107.38.82

<span style="color:blue">

> inetnum: 88.104.0.0 - 88.107.255.255

> netname: DSL-TISCALI-UK

> descr: Tiscali UK Ltd

> descr: Dynamic DSL</span>

Is Tiscali your ISP ?

MowGreen [MVP 2003-2008]

===============

-343- FDNY

Never Forgotten

===============

LeeG wrote:

<span style="color:blue">

> Windows firewall is active and I am using the full home edition of Avast.

> Also using Spybot S&D and regularily scan with Adaware. I do an AV and

> spybot scans about twice a month.

>

> The SP3 was a manual download direct from the Microsoft website and I still

> had my resident scanners active when I installed it. I was fully up to date

> with sp2 before I installed sp3

>

> I have tried to reverse trace the different ip addresses that are flagged by

> avast but no joy.

>

> Here are some of the variations:

>

> 88.107.251.156

> 88.107.115.154

> 88.107.16.150

> 88.107.38.82

> 88.107.146.102

> 88.107.30.168

>

> Avast flashes this message: dcom exploit 88.107.251.156:135 /tcp

>

> One link I have tried but this solution did not work is

>

> http://www.grc.com/freeware/dcom.htm

>

> I can access and install updates from the windows update site. Just

> installed a couple of office updates on thursday.

>

> "PA Bear [MS MVP]" wrote:

>

> <span style="color:green">

>>[i meant to ask, "Where is Avast finding this?"]

>>

>>If you can post a few links to pertinent threads in that forum, I'd

>>appreciate it.

>>

>>Is the Windows Firewall or a third-party firewall enabled?

>>

>>What anti-spyware applications might be installed (other than Defender)?

>>What third-party firewall (if any)? Was Avast and/or any of these other

>>applications running when you installed SP3?

>>

>>How did you install SP3 (e.g., manually; via Windows Update)? Was the

>>machine running WinXP SP1 or WinXP SP2 before SP3 was installed? Was the

>>machine fully patched before you installed SP3? Had you just reinstalled

>>Windows prior to installing SP3?

>>

>>Can you successfully reach and scan for updates at Windows Update website?

>>Are any updates offered? If so, can you install them successfully?

>>--

>>~PA Bear

>>

>>

>>LeeG wrote:

>><paste>

>><span style="color:darkred">

>>>Not yet. This exploit seems to coincide with the installation of SP3. Up

>>>until now I had never had this exploit happen. I have been running Avast

>>>for quite a while now and this is the first time it has flagged this

>>>exploit.</span>

>>

>></paste>

>><span style="color:darkred">

>>>Forgot to mention. I have already looked at the avast forum and i can

>>>only

>>>find explanations and possible cures and have also tried one and currently

>>>monitoring the solution. I am curious has to why the change?

>>>

>>>"PA Bear [MS MVP]" wrote:

>>>

>>>>/Where/ is Avast find this?

>>>>

>>>>Have you posted about this in Avast User Forums?

>>>>http://forum.avast.com/

>>>>--

>>>>~Robear Dyer (PA Bear)

>>>>MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

>>>>AumHa VSOP & Admin http://aumha.net

>>>>DTS-L http://dts-l.net/

>>>>

>>>>

>>>>LeeG wrote:

>>>>

>>>>>In addition could this be being caused due to upgrading to SP3? I know

>>>>>this

>>>>>type of problem was addressed with sp2 but this seems to coincide with

>>>>>the

>>>>>upgrade to sp3! I have tried a couple of ways to close down the DCOM

>>>>>port

>>>>>135 but it is still showing as open. Anyone know any answers/solutions.

>>>>>

>>>>>

>>>>>>My Avast online scanner keeps flashing up with a Dcom Exploit

>>>>>>88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156, 115.154

>>>>>>being two of the combinations.) Am I being targeted by someone. </span>

>>

>></span></span>

 
P

PA Bear [MS MVP]

Guest
> ...Could someone unscrupulous be<span style="color:blue">

> trying to access my machine and eventually give up?</span>

IMHO, no, it's just normal network pinging, judging from the information

you've posted in this thread.

LeeG wrote:<span style="color:blue">

> I checked the Dcom setting was unchecked in component services last night

> but I am still getting the exploit warning. Could someone unscrupulous be

> trying to access my machine and eventually give up? Could this attack be

> from someone obtaining my ip address through other sites, for example,

> facebook. I only ask because my partner signed up recently to it. I have

> run XP home for quite a while now and this has never cropped up before.

>

> "Roger Abell [MVP]" wrote:

><span style="color:green">

>> You are running XP, and I will assume this is a home machine.

>> You have no need for DCOM.

>> Go to Administrative Tools and select Component Services.

>> When it opens, click into Component Services / Computers

>> and right click on My Computer and select Properties.

>> In the My Computer Properties window that opens select

>> the Default Properties tab and make sure that the checkbox

>> Enable Distributed COM on this computer is NOT checked.

>> Avast might detect something coming in from the network but

>> if DCOM is not enabled it will not get a response.

>> Make sure you have a firewall enabled and that the exceptions

>> are all ones that you know about and need.

>>

>> Roger

>>

>> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

>> news:8C507A76-56DC-4FDD-8152-3DDA68BBBFC4@microsoft.com...<span style="color:darkred">

>>> Forgot to mention. I have already looked at the avast forum and i can

>>> only

>>> find explanations and possible cures and have also tried one and

>>> currently

>>> monitoring the solution. I am curious has to why the change?

>>>

>>> "PA Bear [MS MVP]" wrote:

>>>

>>>> /Where/ is Avast find this?

>>>>

>>>> Have you posted about this in Avast User Forums?

>>>> http://forum.avast.com/

>>>> --

>>>> ~Robear Dyer (PA Bear)

>>>> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

>>>> AumHa VSOP & Admin http://aumha.net

>>>> DTS-L http://dts-l.net/

>>>>

>>>>

>>>> LeeG wrote:

>>>>> In addition could this be being caused due to upgrading to SP3? I

>>>>> know

>>>>> this

>>>>> type of problem was addressed with sp2 but this seems to coincide with

>>>>> the

>>>>> upgrade to sp3! I have tried a couple of ways to close down the DCOM

>>>>> port

>>>>> 135 but it is still showing as open. Anyone know any

>>>>> answers/solutions.

>>>>>

>>>>> "LeeG" wrote:

>>>>>

>>>>>> My Avast online scanner keeps flashing up with a Dcom Exploit

>>>>>> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156,

>>>>>> 115.154

>>>>>> being two of the combinations.) Am I being targeted by someone. </span></span></span>

 
P

PA Bear [MS MVP]

Guest
Is Avast configured to automatically seek updates as least once a day?

Are you now running Avast v4.8.1201? There have been two (2) program

updates for Avast v4.8 since 12 May 2008:

http://www.avast.com/eng/avast-4-home_pro-...on-history.html

The above notwithstanding, the fact that you installed SP3 without having

first disabled all real-time protections may be related to the reports

you're seeing from Avast now. I'd recommend posting about this in a new

thread in the appropriate Avast Support Forum before doing anything else

about it: http://forum.avast.com/index.php?board=2.0

--

~Robear Dyer (PA Bear)

MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

AumHa VSOP & Admin http://aumha.net

DTS-L http://dts-l.net/

LeeG wrote:<span style="color:blue">

> Windows firewall is active and I am using the full home edition of Avast.

> Also using Spybot S&D and regularily scan with Adaware. I do an AV and

> spybot scans about twice a month.

>

> The SP3 was a manual download direct from the Microsoft website and I

> still

> had my resident scanners active when I installed it. I was fully up to

> date

> with sp2 before I installed sp3

>

> I have tried to reverse trace the different ip addresses that are flagged

> by

> avast but no joy.

>

> Here are some of the variations:

>

> 88.107.251.156

> 88.107.115.154

> 88.107.16.150

> 88.107.38.82

> 88.107.146.102

> 88.107.30.168

>

> Avast flashes this message: dcom exploit 88.107.251.156:135 /tcp

>

> One link I have tried but this solution did not work is

>

> http://www.grc.com/freeware/dcom.htm

>

> I can access and install updates from the windows update site. Just

> installed a couple of office updates on thursday.

>

> "PA Bear [MS MVP]" wrote:

><span style="color:green">

>> [i meant to ask, "Where is Avast finding this?"]

>>

>> If you can post a few links to pertinent threads in that forum, I'd

>> appreciate it.

>>

>> Is the Windows Firewall or a third-party firewall enabled?

>>

>> What anti-spyware applications might be installed (other than Defender)?

>> What third-party firewall (if any)? Was Avast and/or any of these other

>> applications running when you installed SP3?

>>

>> How did you install SP3 (e.g., manually; via Windows Update)? Was the

>> machine running WinXP SP1 or WinXP SP2 before SP3 was installed? Was the

>> machine fully patched before you installed SP3? Had you just reinstalled

>> Windows prior to installing SP3?

>>

>> Can you successfully reach and scan for updates at Windows Update

>> website?

>> Are any updates offered? If so, can you install them successfully?

>> --

>> ~PA Bear

>>

>>

>> LeeG wrote:

>> <paste><span style="color:darkred">

>>> Not yet. This exploit seems to coincide with the installation of SP3.

>>> Up

>>> until now I had never had this exploit happen. I have been running

>>> Avast

>>> for quite a while now and this is the first time it has flagged this

>>> exploit.</span>

>> </paste><span style="color:darkred">

>>> Forgot to mention. I have already looked at the avast forum and i can

>>> only

>>> find explanations and possible cures and have also tried one and

>>> currently

>>> monitoring the solution. I am curious has to why the change?

>>>

>>> "PA Bear [MS MVP]" wrote:

>>>> /Where/ is Avast find this?

>>>>

>>>> Have you posted about this in Avast User Forums?

>>>> http://forum.avast.com/

>>>> --

>>>> ~Robear Dyer (PA Bear)

>>>> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

>>>> AumHa VSOP & Admin http://aumha.net

>>>> DTS-L http://dts-l.net/

>>>>

>>>>

>>>> LeeG wrote:

>>>>> In addition could this be being caused due to upgrading to SP3? I

>>>>> know

>>>>> this

>>>>> type of problem was addressed with sp2 but this seems to coincide with

>>>>> the

>>>>> upgrade to sp3! I have tried a couple of ways to close down the DCOM

>>>>> port

>>>>> 135 but it is still showing as open. Anyone know any

>>>>> answers/solutions.

>>>>>

>>>>>> My Avast online scanner keeps flashing up with a Dcom Exploit

>>>>>> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156,

>>>>>> 115.154

>>>>>> being two of the combinations.) Am I being targeted by someone. </span></span></span>

 
R

Roger Abell [MVP]

Guest
Good, then what they are trying, IF Avast is accurately

reporting, will not work. There was a remote DCOM

exploit some years back that someone's infected machine

might be using, among other things, in attempt to spread

itself. If I were you I would not be thinking this is at all

related to XP SP3 but I would be looking at my firewall

to see why the packets got that far.

Roger

"LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

news:9977061E-DD51-41A1-94BF-A2067C4EEDDA@microsoft.com...<span style="color:blue">

>I checked the Dcom setting was unchecked in component services last night

>but

> I am still getting the exploit warning. Could someone unscrupulous be

> trying

> to access my machine and eventually give up? Could this attack be from

> someone obtaining my ip address through other sites, for example,

> facebook.

> I only ask because my partner signed up recently to it. I have run XP

> home

> for quite a while now and this has never cropped up before.

>

> "Roger Abell [MVP]" wrote:

><span style="color:green">

>> You are running XP, and I will assume this is a home machine.

>> You have no need for DCOM.

>> Go to Administrative Tools and select Component Services.

>> When it opens, click into Component Services / Computers

>> and right click on My Computer and select Properties.

>> In the My Computer Properties window that opens select

>> the Default Properties tab and make sure that the checkbox

>> Enable Distributed COM on this computer is NOT checked.

>> Avast might detect something coming in from the network but

>> if DCOM is not enabled it will not get a response.

>> Make sure you have a firewall enabled and that the exceptions

>> are all ones that you know about and need.

>>

>> Roger

>>

>> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

>> news:8C507A76-56DC-4FDD-8152-3DDA68BBBFC4@microsoft.com...<span style="color:darkred">

>> > Forgot to mention. I have already looked at the avast forum and i can

>> > only

>> > find explanations and possible cures and have also tried one and

>> > currently

>> > monitoring the solution. I am curious has to why the change?

>> >

>> > "PA Bear [MS MVP]" wrote:

>> >

>> >> /Where/ is Avast find this?

>> >>

>> >> Have you posted about this in Avast User Forums?

>> >> http://forum.avast.com/

>> >> --

>> >> ~Robear Dyer (PA Bear)

>> >> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

>> >> AumHa VSOP & Admin http://aumha.net

>> >> DTS-L http://dts-l.net/

>> >>

>> >>

>> >> LeeG wrote:

>> >> > In addition could this be being caused due to upgrading to SP3? I

>> >> > know

>> >> > this

>> >> > type of problem was addressed with sp2 but this seems to coincide

>> >> > with

>> >> > the

>> >> > upgrade to sp3! I have tried a couple of ways to close down the

>> >> > DCOM

>> >> > port

>> >> > 135 but it is still showing as open. Anyone know any

>> >> > answers/solutions.

>> >> >

>> >> > "LeeG" wrote:

>> >> >

>> >> >> My Avast online scanner keeps flashing up with a Dcom Exploit

>> >> >> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156,

>> >> >> 115.154

>> >> >> being two of the combinations.) Am I being targeted by someone.

>> >>

>> >></span>

>>

>>

>> </span></span>

 
L

LeeG

Guest
As far as I can tell Avast is stopping the attempts (therefore I am

protected). So far it has not happened today. What exactly do you mean by

"looking at my firewall to see why the packets got that far." Could someone

be deliberately trying to access my computer this way?

"Roger Abell [MVP]" wrote:

<span style="color:blue">

> Good, then what they are trying, IF Avast is accurately

> reporting, will not work. There was a remote DCOM

> exploit some years back that someone's infected machine

> might be using, among other things, in attempt to spread

> itself. If I were you I would not be thinking this is at all

> related to XP SP3 but I would be looking at my firewall

> to see why the packets got that far.

>

> Roger

>

> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

> news:9977061E-DD51-41A1-94BF-A2067C4EEDDA@microsoft.com...<span style="color:green">

> >I checked the Dcom setting was unchecked in component services last night

> >but

> > I am still getting the exploit warning. Could someone unscrupulous be

> > trying

> > to access my machine and eventually give up? Could this attack be from

> > someone obtaining my ip address through other sites, for example,

> > facebook.

> > I only ask because my partner signed up recently to it. I have run XP

> > home

> > for quite a while now and this has never cropped up before.

> >

> > "Roger Abell [MVP]" wrote:

> ><span style="color:darkred">

> >> You are running XP, and I will assume this is a home machine.

> >> You have no need for DCOM.

> >> Go to Administrative Tools and select Component Services.

> >> When it opens, click into Component Services / Computers

> >> and right click on My Computer and select Properties.

> >> In the My Computer Properties window that opens select

> >> the Default Properties tab and make sure that the checkbox

> >> Enable Distributed COM on this computer is NOT checked.

> >> Avast might detect something coming in from the network but

> >> if DCOM is not enabled it will not get a response.

> >> Make sure you have a firewall enabled and that the exceptions

> >> are all ones that you know about and need.

> >>

> >> Roger

> >>

> >> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

> >> news:8C507A76-56DC-4FDD-8152-3DDA68BBBFC4@microsoft.com...

> >> > Forgot to mention. I have already looked at the avast forum and i can

> >> > only

> >> > find explanations and possible cures and have also tried one and

> >> > currently

> >> > monitoring the solution. I am curious has to why the change?

> >> >

> >> > "PA Bear [MS MVP]" wrote:

> >> >

> >> >> /Where/ is Avast find this?

> >> >>

> >> >> Have you posted about this in Avast User Forums?

> >> >> http://forum.avast.com/

> >> >> --

> >> >> ~Robear Dyer (PA Bear)

> >> >> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

> >> >> AumHa VSOP & Admin http://aumha.net

> >> >> DTS-L http://dts-l.net/

> >> >>

> >> >>

> >> >> LeeG wrote:

> >> >> > In addition could this be being caused due to upgrading to SP3? I

> >> >> > know

> >> >> > this

> >> >> > type of problem was addressed with sp2 but this seems to coincide

> >> >> > with

> >> >> > the

> >> >> > upgrade to sp3! I have tried a couple of ways to close down the

> >> >> > DCOM

> >> >> > port

> >> >> > 135 but it is still showing as open. Anyone know any

> >> >> > answers/solutions.

> >> >> >

> >> >> > "LeeG" wrote:

> >> >> >

> >> >> >> My Avast online scanner keeps flashing up with a Dcom Exploit

> >> >> >> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156,

> >> >> >> 115.154

> >> >> >> being two of the combinations.) Am I being targeted by someone.

> >> >>

> >> >>

> >>

> >>

> >> </span></span>

>

>

> </span>

 
R

Roger Abell [MVP]

Guest
"LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

news:65E376BB-60A2-42DB-A486-3B1EF00B41A5@microsoft.com...<span style="color:blue">

> As far as I can tell Avast is stopping the attempts (therefore I am

> protected). So far it has not happened today. What exactly do you mean

> by

> "looking at my firewall to see why the packets got that far." Could

> someone

> be deliberately trying to access my computer this way?</span>

Someone could, but more likely someone's machine is via some

infection that the owning someone is not even aware is there

<span style="color:blue">

>

> "Roger Abell [MVP]" wrote:

><span style="color:green">

>> Good, then what they are trying, IF Avast is accurately

>> reporting, will not work. There was a remote DCOM

>> exploit some years back that someone's infected machine

>> might be using, among other things, in attempt to spread

>> itself. If I were you I would not be thinking this is at all

>> related to XP SP3 but I would be looking at my firewall

>> to see why the packets got that far.

>>

>> Roger

>>

>> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

>> news:9977061E-DD51-41A1-94BF-A2067C4EEDDA@microsoft.com...<span style="color:darkred">

>> >I checked the Dcom setting was unchecked in component services last

>> >night

>> >but

>> > I am still getting the exploit warning. Could someone unscrupulous be

>> > trying

>> > to access my machine and eventually give up? Could this attack be from

>> > someone obtaining my ip address through other sites, for example,

>> > facebook.

>> > I only ask because my partner signed up recently to it. I have run XP

>> > home

>> > for quite a while now and this has never cropped up before.

>> >

>> > "Roger Abell [MVP]" wrote:

>> >

>> >> You are running XP, and I will assume this is a home machine.

>> >> You have no need for DCOM.

>> >> Go to Administrative Tools and select Component Services.

>> >> When it opens, click into Component Services / Computers

>> >> and right click on My Computer and select Properties.

>> >> In the My Computer Properties window that opens select

>> >> the Default Properties tab and make sure that the checkbox

>> >> Enable Distributed COM on this computer is NOT checked.

>> >> Avast might detect something coming in from the network but

>> >> if DCOM is not enabled it will not get a response.

>> >> Make sure you have a firewall enabled and that the exceptions

>> >> are all ones that you know about and need.

>> >>

>> >> Roger

>> >>

>> >> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

>> >> news:8C507A76-56DC-4FDD-8152-3DDA68BBBFC4@microsoft.com...

>> >> > Forgot to mention. I have already looked at the avast forum and i

>> >> > can

>> >> > only

>> >> > find explanations and possible cures and have also tried one and

>> >> > currently

>> >> > monitoring the solution. I am curious has to why the change?

>> >> >

>> >> > "PA Bear [MS MVP]" wrote:

>> >> >

>> >> >> /Where/ is Avast find this?

>> >> >>

>> >> >> Have you posted about this in Avast User Forums?

>> >> >> http://forum.avast.com/

>> >> >> --

>> >> >> ~Robear Dyer (PA Bear)

>> >> >> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

>> >> >> AumHa VSOP & Admin http://aumha.net

>> >> >> DTS-L http://dts-l.net/

>> >> >>

>> >> >>

>> >> >> LeeG wrote:

>> >> >> > In addition could this be being caused due to upgrading to SP3?

>> >> >> > I

>> >> >> > know

>> >> >> > this

>> >> >> > type of problem was addressed with sp2 but this seems to coincide

>> >> >> > with

>> >> >> > the

>> >> >> > upgrade to sp3! I have tried a couple of ways to close down the

>> >> >> > DCOM

>> >> >> > port

>> >> >> > 135 but it is still showing as open. Anyone know any

>> >> >> > answers/solutions.

>> >> >> >

>> >> >> > "LeeG" wrote:

>> >> >> >

>> >> >> >> My Avast online scanner keeps flashing up with a Dcom Exploit

>> >> >> >> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156,

>> >> >> >> 115.154

>> >> >> >> being two of the combinations.) Am I being targeted by someone.

>> >> >>

>> >> >>

>> >>

>> >>

>> >></span>

>>

>>

>> </span></span>

 
L

LeeG

Guest
Thank you for your reply. You have given the most plausible explanation so

far. If I send a global message to the friends list on facebook, (someone on

the friends list seems like the most obvious source,) can you tell me the

most likely virus name to inform them to look for?

"Roger Abell [MVP]" wrote:

<span style="color:blue">

> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

> news:65E376BB-60A2-42DB-A486-3B1EF00B41A5@microsoft.com...<span style="color:green">

> > As far as I can tell Avast is stopping the attempts (therefore I am

> > protected). So far it has not happened today. What exactly do you mean

> > by

> > "looking at my firewall to see why the packets got that far." Could

> > someone

> > be deliberately trying to access my computer this way?</span>

>

> Someone could, but more likely someone's machine is via some

> infection that the owning someone is not even aware is there

> <span style="color:green">

> >

> > "Roger Abell [MVP]" wrote:

> ><span style="color:darkred">

> >> Good, then what they are trying, IF Avast is accurately

> >> reporting, will not work. There was a remote DCOM

> >> exploit some years back that someone's infected machine

> >> might be using, among other things, in attempt to spread

> >> itself. If I were you I would not be thinking this is at all

> >> related to XP SP3 but I would be looking at my firewall

> >> to see why the packets got that far.

> >>

> >> Roger

> >>

> >> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

> >> news:9977061E-DD51-41A1-94BF-A2067C4EEDDA@microsoft.com...

> >> >I checked the Dcom setting was unchecked in component services last

> >> >night

> >> >but

> >> > I am still getting the exploit warning. Could someone unscrupulous be

> >> > trying

> >> > to access my machine and eventually give up? Could this attack be from

> >> > someone obtaining my ip address through other sites, for example,

> >> > facebook.

> >> > I only ask because my partner signed up recently to it. I have run XP

> >> > home

> >> > for quite a while now and this has never cropped up before.

> >> >

> >> > "Roger Abell [MVP]" wrote:

> >> >

> >> >> You are running XP, and I will assume this is a home machine.

> >> >> You have no need for DCOM.

> >> >> Go to Administrative Tools and select Component Services.

> >> >> When it opens, click into Component Services / Computers

> >> >> and right click on My Computer and select Properties.

> >> >> In the My Computer Properties window that opens select

> >> >> the Default Properties tab and make sure that the checkbox

> >> >> Enable Distributed COM on this computer is NOT checked.

> >> >> Avast might detect something coming in from the network but

> >> >> if DCOM is not enabled it will not get a response.

> >> >> Make sure you have a firewall enabled and that the exceptions

> >> >> are all ones that you know about and need.

> >> >>

> >> >> Roger

> >> >>

> >> >> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

> >> >> news:8C507A76-56DC-4FDD-8152-3DDA68BBBFC4@microsoft.com...

> >> >> > Forgot to mention. I have already looked at the avast forum and i

> >> >> > can

> >> >> > only

> >> >> > find explanations and possible cures and have also tried one and

> >> >> > currently

> >> >> > monitoring the solution. I am curious has to why the change?

> >> >> >

> >> >> > "PA Bear [MS MVP]" wrote:

> >> >> >

> >> >> >> /Where/ is Avast find this?

> >> >> >>

> >> >> >> Have you posted about this in Avast User Forums?

> >> >> >> http://forum.avast.com/

> >> >> >> --

> >> >> >> ~Robear Dyer (PA Bear)

> >> >> >> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

> >> >> >> AumHa VSOP & Admin http://aumha.net

> >> >> >> DTS-L http://dts-l.net/

> >> >> >>

> >> >> >>

> >> >> >> LeeG wrote:

> >> >> >> > In addition could this be being caused due to upgrading to SP3?

> >> >> >> > I

> >> >> >> > know

> >> >> >> > this

> >> >> >> > type of problem was addressed with sp2 but this seems to coincide

> >> >> >> > with

> >> >> >> > the

> >> >> >> > upgrade to sp3! I have tried a couple of ways to close down the

> >> >> >> > DCOM

> >> >> >> > port

> >> >> >> > 135 but it is still showing as open. Anyone know any

> >> >> >> > answers/solutions.

> >> >> >> >

> >> >> >> > "LeeG" wrote:

> >> >> >> >

> >> >> >> >> My Avast online scanner keeps flashing up with a Dcom Exploit

> >> >> >> >> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156,

> >> >> >> >> 115.154

> >> >> >> >> being two of the combinations.) Am I being targeted by someone.

> >> >> >>

> >> >> >>

> >> >>

> >> >>

> >> >>

> >>

> >>

> >> </span></span>

>

>

> </span>

 
P

PA Bear [MS MVP]

Guest
No need to be such an alarmist, Lee.

LeeG wrote:<span style="color:blue">

> Thank you for your reply. You have given the most plausible explanation

> so

> far. If I send a global message to the friends list on facebook, (someone

> on the friends list seems like the most obvious source,) can you tell me

> the

> most likely virus name to inform them to look for?

>

> "Roger Abell [MVP]" wrote:

><span style="color:green">

>> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

>> news:65E376BB-60A2-42DB-A486-3B1EF00B41A5@microsoft.com...<span style="color:darkred">

>>> As far as I can tell Avast is stopping the attempts (therefore I am

>>> protected). So far it has not happened today. What exactly do you mean

>>> by

>>> "looking at my firewall to see why the packets got that far." Could

>>> someone

>>> be deliberately trying to access my computer this way?</span>

>>

>> Someone could, but more likely someone's machine is via some

>> infection that the owning someone is not even aware is there

>><span style="color:darkred">

>>>

>>> "Roger Abell [MVP]" wrote:

>>>

>>>> Good, then what they are trying, IF Avast is accurately

>>>> reporting, will not work. There was a remote DCOM

>>>> exploit some years back that someone's infected machine

>>>> might be using, among other things, in attempt to spread

>>>> itself. If I were you I would not be thinking this is at all

>>>> related to XP SP3 but I would be looking at my firewall

>>>> to see why the packets got that far.

>>>>

>>>> Roger

>>>>

>>>> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

>>>> news:9977061E-DD51-41A1-94BF-A2067C4EEDDA@microsoft.com...

>>>>> I checked the Dcom setting was unchecked in component services last

>>>>> night

>>>>> but

>>>>> I am still getting the exploit warning. Could someone unscrupulous be

>>>>> trying

>>>>> to access my machine and eventually give up? Could this attack be

>>>>> from

>>>>> someone obtaining my ip address through other sites, for example,

>>>>> facebook.

>>>>> I only ask because my partner signed up recently to it. I have run XP

>>>>> home

>>>>> for quite a while now and this has never cropped up before.

>>>>>

>>>>> "Roger Abell [MVP]" wrote:

>>>>>

>>>>>> You are running XP, and I will assume this is a home machine.

>>>>>> You have no need for DCOM.

>>>>>> Go to Administrative Tools and select Component Services.

>>>>>> When it opens, click into Component Services / Computers

>>>>>> and right click on My Computer and select Properties.

>>>>>> In the My Computer Properties window that opens select

>>>>>> the Default Properties tab and make sure that the checkbox

>>>>>> Enable Distributed COM on this computer is NOT checked.

>>>>>> Avast might detect something coming in from the network but

>>>>>> if DCOM is not enabled it will not get a response.

>>>>>> Make sure you have a firewall enabled and that the exceptions

>>>>>> are all ones that you know about and need.

>>>>>>

>>>>>> Roger

>>>>>>

>>>>>> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

>>>>>> news:8C507A76-56DC-4FDD-8152-3DDA68BBBFC4@microsoft.com...

>>>>>>> Forgot to mention. I have already looked at the avast forum and i

>>>>>>> can

>>>>>>> only

>>>>>>> find explanations and possible cures and have also tried one and

>>>>>>> currently

>>>>>>> monitoring the solution. I am curious has to why the change?

>>>>>>>

>>>>>>> "PA Bear [MS MVP]" wrote:

>>>>>>>

>>>>>>>> /Where/ is Avast find this?

>>>>>>>>

>>>>>>>> Have you posted about this in Avast User Forums?

>>>>>>>> http://forum.avast.com/

>>>>>>>> --

>>>>>>>> ~Robear Dyer (PA Bear)

>>>>>>>> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

>>>>>>>> AumHa VSOP & Admin http://aumha.net

>>>>>>>> DTS-L http://dts-l.net/

>>>>>>>>

>>>>>>>>

>>>>>>>> LeeG wrote:

>>>>>>>>> In addition could this be being caused due to upgrading to SP3?

>>>>>>>>> I

>>>>>>>>> know

>>>>>>>>> this

>>>>>>>>> type of problem was addressed with sp2 but this seems to coincide

>>>>>>>>> with

>>>>>>>>> the

>>>>>>>>> upgrade to sp3! I have tried a couple of ways to close down the

>>>>>>>>> DCOM

>>>>>>>>> port

>>>>>>>>> 135 but it is still showing as open. Anyone know any

>>>>>>>>> answers/solutions.

>>>>>>>>>

>>>>>>>>> "LeeG" wrote:

>>>>>>>>>

>>>>>>>>>> My Avast online scanner keeps flashing up with a Dcom Exploit

>>>>>>>>>> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156,

>>>>>>>>>> 115.154

>>>>>>>>>> being two of the combinations.) Am I being targeted by someone. </span></span></span>

 
R

Roger Abell [MVP]

Guest
"LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

news:A7A69DE8-4ACC-48D6-BC12-77E0E211FAB6@microsoft.com...<span style="color:blue">

> Thank you for your reply. You have given the most plausible explanation

> so

> far. If I send a global message to the friends list on facebook, (someone

> on

> the friends list seems like the most obvious source,) can you tell me the

> most likely virus name to inform them to look for?</span>

No, I cannot. This may have nothing whatsoever to do with

emails or websites you have visited. It can be some machine

on the network that "decided" to try at your current IP address,

with no prior awareness of who you are, that you or your comp

exist, etc..

Lee, this stuff happens all the time. It is the source of the personal

firewall, and of the anti-malware industries.

<span style="color:blue">

>

> "Roger Abell [MVP]" wrote:

><span style="color:green">

>> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

>> news:65E376BB-60A2-42DB-A486-3B1EF00B41A5@microsoft.com...<span style="color:darkred">

>> > As far as I can tell Avast is stopping the attempts (therefore I am

>> > protected). So far it has not happened today. What exactly do you

>> > mean

>> > by

>> > "looking at my firewall to see why the packets got that far." Could

>> > someone

>> > be deliberately trying to access my computer this way?</span>

>>

>> Someone could, but more likely someone's machine is via some

>> infection that the owning someone is not even aware is there

>><span style="color:darkred">

>> >

>> > "Roger Abell [MVP]" wrote:

>> >

>> >> Good, then what they are trying, IF Avast is accurately

>> >> reporting, will not work. There was a remote DCOM

>> >> exploit some years back that someone's infected machine

>> >> might be using, among other things, in attempt to spread

>> >> itself. If I were you I would not be thinking this is at all

>> >> related to XP SP3 but I would be looking at my firewall

>> >> to see why the packets got that far.

>> >>

>> >> Roger

>> >>

>> >> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

>> >> news:9977061E-DD51-41A1-94BF-A2067C4EEDDA@microsoft.com...

>> >> >I checked the Dcom setting was unchecked in component services last

>> >> >night

>> >> >but

>> >> > I am still getting the exploit warning. Could someone unscrupulous

>> >> > be

>> >> > trying

>> >> > to access my machine and eventually give up? Could this attack be

>> >> > from

>> >> > someone obtaining my ip address through other sites, for example,

>> >> > facebook.

>> >> > I only ask because my partner signed up recently to it. I have run

>> >> > XP

>> >> > home

>> >> > for quite a while now and this has never cropped up before.

>> >> >

>> >> > "Roger Abell [MVP]" wrote:

>> >> >

>> >> >> You are running XP, and I will assume this is a home machine.

>> >> >> You have no need for DCOM.

>> >> >> Go to Administrative Tools and select Component Services.

>> >> >> When it opens, click into Component Services / Computers

>> >> >> and right click on My Computer and select Properties.

>> >> >> In the My Computer Properties window that opens select

>> >> >> the Default Properties tab and make sure that the checkbox

>> >> >> Enable Distributed COM on this computer is NOT checked.

>> >> >> Avast might detect something coming in from the network but

>> >> >> if DCOM is not enabled it will not get a response.

>> >> >> Make sure you have a firewall enabled and that the exceptions

>> >> >> are all ones that you know about and need.

>> >> >>

>> >> >> Roger

>> >> >>

>> >> >> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

>> >> >> news:8C507A76-56DC-4FDD-8152-3DDA68BBBFC4@microsoft.com...

>> >> >> > Forgot to mention. I have already looked at the avast forum and

>> >> >> > i

>> >> >> > can

>> >> >> > only

>> >> >> > find explanations and possible cures and have also tried one and

>> >> >> > currently

>> >> >> > monitoring the solution. I am curious has to why the change?

>> >> >> >

>> >> >> > "PA Bear [MS MVP]" wrote:

>> >> >> >

>> >> >> >> /Where/ is Avast find this?

>> >> >> >>

>> >> >> >> Have you posted about this in Avast User Forums?

>> >> >> >> http://forum.avast.com/

>> >> >> >> --

>> >> >> >> ~Robear Dyer (PA Bear)

>> >> >> >> MS MVP-IE, Mail, Security, Windows Desktop Experience - since

>> >> >> >> 2002

>> >> >> >> AumHa VSOP & Admin http://aumha.net

>> >> >> >> DTS-L http://dts-l.net/

>> >> >> >>

>> >> >> >>

>> >> >> >> LeeG wrote:

>> >> >> >> > In addition could this be being caused due to upgrading to

>> >> >> >> > SP3?

>> >> >> >> > I

>> >> >> >> > know

>> >> >> >> > this

>> >> >> >> > type of problem was addressed with sp2 but this seems to

>> >> >> >> > coincide

>> >> >> >> > with

>> >> >> >> > the

>> >> >> >> > upgrade to sp3! I have tried a couple of ways to close down

>> >> >> >> > the

>> >> >> >> > DCOM

>> >> >> >> > port

>> >> >> >> > 135 but it is still showing as open. Anyone know any

>> >> >> >> > answers/solutions.

>> >> >> >> >

>> >> >> >> > "LeeG" wrote:

>> >> >> >> >

>> >> >> >> >> My Avast online scanner keeps flashing up with a Dcom Exploit

>> >> >> >> >> 88.107.???.???:135 /tcp (the ???.??? keeps changing.

>> >> >> >> >> 251.156,

>> >> >> >> >> 115.154

>> >> >> >> >> being two of the combinations.) Am I being targeted by

>> >> >> >> >> someone.

>> >> >> >>

>> >> >> >>

>> >> >>

>> >> >>

>> >> >>

>> >>

>> >>

>> >></span>

>>

>>

>> </span></span>

 
You must log in or register to reply here.
Top Bottom