
Guest LeeG
Posted

My Avast online scanner keeps flashing up with a Dcom Exploit 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156, 115.154 being two of the combinations.) Am I being targeted by someone?

Guest LeeG
Posted

In addition could this be being caused due to upgrading to SP3? I know this type of problem was addressed with SP2 but this seems to coincide with the upgrade to SP3! I have tried a couple of ways to close down the DCOM port 135 but it is still showing as open. Anyone know any answers/solutions?

Guest PA Bear [MS MVP]
Posted

/Where/ is Avast find this?

 

Have you posted about this in Avast User Forums?

http://forum.avast.com/

--

~Robear Dyer (PA Bear)

MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

AumHa VSOP & Admin http://aumha.net

DTS-L http://dts-l.net/

 

 


Guest LeeG
Posted

Not yet. This exploit seems to coincide with the installation of SP3. Up until now I had never had this exploit happen. I have been running Avast for quite a while now and this is the first time it has flagged this exploit.

Guest LeeG
Posted

Forgot to mention. I have already looked at the Avast forum and I can only find explanations and possible cures and have also tried one and am currently monitoring the solution. I am curious as to why the change?

Guest PA Bear [MS MVP]
Posted

[I meant to ask, "Where is Avast finding this?"]

If you can post a few links to pertinent threads in that forum, I'd appreciate it.

Is the Windows Firewall or a third-party firewall enabled?

What anti-spyware applications might be installed (other than Defender)? What third-party firewall (if any)? Was Avast and/or any of these other applications running when you installed SP3?

How did you install SP3 (e.g., manually; via Windows Update)? Was the machine running WinXP SP1 or WinXP SP2 before SP3 was installed? Was the machine fully patched before you installed SP3? Had you just reinstalled Windows prior to installing SP3?

Can you successfully reach and scan for updates at Windows Update website? Are any updates offered? If so, can you install them successfully?

--

~PA Bear

 

 


Guest LeeG
Posted

Windows firewall is active and I am using the full home edition of Avast. Also using Spybot S&D and regularly scan with Adaware. I do an AV and Spybot scans about twice a month.

The SP3 was a manual download direct from the Microsoft website and I still had my resident scanners active when I installed it. I was fully up to date with SP2 before I installed SP3.

I have tried to reverse trace the different IP addresses that are flagged by Avast but no joy.

Here are some of the variations:

88.107.251.156
88.107.115.154
88.107.16.150
88.107.38.82
88.107.146.102
88.107.30.168

Avast flashes this message: dcom exploit 88.107.251.156:135 /tcp

One link I have tried but this solution did not work is

http://www.grc.com/freeware/dcom.htm

I can access and install updates from the Windows Update site. Just installed a couple of Office updates on Thursday.

Guest Roger Abell [MVP]
Posted

You are running XP, and I will assume this is a home machine. You have no need for DCOM.

Go to Administrative Tools and select Component Services. When it opens, click into Component Services / Computers and right click on My Computer and select Properties. In the My Computer Properties window that opens select the Default Properties tab and make sure that the checkbox Enable Distributed COM on this computer is NOT checked.

Avast might detect something coming in from the network but if DCOM is not enabled it will not get a response. Make sure you have a firewall enabled and that the exceptions are all ones that you know about and need.

Roger

Guest Roger Abell [MVP]
Posted

Check what exemptions are allowed in your firewall settings. I am not aware of at what point in the network stack Avast might be tying in, but the firewall should be disallowing tcp 135 traffic from unknown machine addresses. If you use filesharing in your home network you do need tcp 135 to be available to those boxes, but it should not be open to the world.
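The two checks Roger describes in his posts above (DCOM switched off, TCP 135 not reachable from outside), as an added example that is not part of any post in this thread. Clearing the Enable Distributed COM checkbox is stored as EnableDCOM = N under HKLM\SOFTWARE\Microsoft\Ole, but the RPC endpoint mapper keeps listening on TCP 135, so the port still shows as open and a packet filter decides who can reach it. The script reads pasted output of reg query and netstat -an; both samples and the 192.168.1.10 address are constructed.

```python
import re

# Constructed sample: output of
#   reg query "HKLM\SOFTWARE\Microsoft\Ole" /v EnableDCOM
# after the checkbox described above has been cleared.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    EnableDCOM    REG_SZ    N
"""

# Constructed sample: output of `netstat -an` on a home XP machine.
# 192.168.1.10 is a made-up LAN address.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""


def dcom_enabled(reg_output):
    """Return True/False from the EnableDCOM value, None if it is absent."""
    m = re.search(r"^\s*EnableDCOM\s+REG_SZ\s+(\S+)\s*$", reg_output,
                  re.IGNORECASE | re.MULTILINE)
    if not m:
        return None
    return m.group(1).upper() == "Y"


def tcp_listeners(netstat_output, port):
    """Return local addresses holding a LISTENING TCP socket on `port`."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # TCP rows have four columns; UDP rows have no State column.
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue
        local, state = fields[1], fields[3]
        addr, _, local_port = local.rpartition(":")
        if state.upper() == "LISTENING" and local_port == str(port):
            found.append(addr)
    return found


def assess(reg_output, netstat_output):
    """Combine both checks into one summary for TCP 135."""
    enabled = dcom_enabled(reg_output)
    binds = tcp_listeners(netstat_output, 135)
    # A socket bound only to loopback cannot be reached from the network.
    reachable = [a for a in binds if not a.startswith("127.")]
    return {
        "dcom_enabled": enabled,
        "tcp135_binds": binds,
        "tcp135_network_reachable": bool(reachable),
        # DCOM is off, yet the endpoint mapper is still bound to a
        # non-loopback address: only a packet filter in front of it
        # (host firewall or router) stops outside hosts from connecting.
        "relies_on_firewall": enabled is False and bool(reachable),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_REG, SAMPLE_NETSTAT).items():
        print(f"{key}: {value}")
```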

Guest LeeG
Posted

I checked the Dcom setting was unchecked in component services last night but I am still getting the exploit warning. Could someone unscrupulous be trying to access my machine and eventually give up? Could this attack be from someone obtaining my IP address through other sites, for example, Facebook? I only ask because my partner signed up recently to it. I have run XP home for quite a while now and this has never cropped up before.

Guest MowGreen [MVP]
Posted

Info on the IP ranges you posted:

http://www.dnsstuff.com/tools/whois.ch?ip=88.107.38.82

> inetnum: 88.104.0.0 - 88.107.255.255
> netname: DSL-TISCALI-UK
> descr: Tiscali UK Ltd
> descr: Dynamic DSL

Is Tiscali your ISP?

 

MowGreen [MVP 2003-2008]

===============

-343- FDNY

Never Forgotten

===============
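A way to check every flagged source against the whois range above instead of looking addresses up one at a time, as an added example that is not part of the original posts. The alert lines are constructed from the addresses and the message format LeeG posted; 203.0.113.7 (a documentation address) and the own_ip value are made up for illustration.

```python
import ipaddress
import re
from collections import Counter

# WHOIS lines as quoted in the post above.
WHOIS_TEXT = """\
inetnum: 88.104.0.0 - 88.107.255.255
netname: DSL-TISCALI-UK
descr: Tiscali UK Ltd
descr: Dynamic DSL
"""

# Constructed alert lines in the format reported in the thread
# ("dcom exploit <ip>:<port> /tcp"), using the addresses listed there plus
# one documentation-range address (203.0.113.7) to exercise the other branch.
ALERT_LOG = """\
dcom exploit 88.107.251.156:135 /tcp
dcom exploit 88.107.115.154:135 /tcp
dcom exploit 88.107.16.150:135 /tcp
dcom exploit 88.107.38.82:135 /tcp
dcom exploit 88.107.146.102:135 /tcp
dcom exploit 88.107.30.168:135 /tcp
dcom exploit 88.107.251.156:135 /tcp
dcom exploit 203.0.113.7:135 /tcp
"""

ALERT_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"\s*/(?P<proto>\w+)\s*$"
)
INETNUM_RE = re.compile(r"^inetnum:\s*(\S+)\s*-\s*(\S+)\s*$", re.MULTILINE)


def whois_networks(whois_text):
    """Turn each 'inetnum: first - last' line into the CIDR blocks covering it."""
    nets = []
    for first, last in INETNUM_RE.findall(whois_text):
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


def parse_alerts(log_text):
    """Yield (signature, source address, port, protocol); skip malformed lines."""
    for line in log_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:  # e.g. an octet above 255
            continue
        yield m["name"], ip, int(m["port"]), m["proto"].lower()


def triage(log_text, whois_text, own_ip=None):
    """Summarise alert sources relative to the WHOIS allocation."""
    nets = whois_networks(whois_text)
    inside, outside, ports = Counter(), Counter(), Counter()
    for _sig, ip, port, proto in parse_alerts(log_text):
        ports[(port, proto)] += 1
        bucket = inside if any(ip in n for n in nets) else outside
        bucket[ip] += 1
    return {
        "networks": [str(n) for n in nets],
        "alerts": sum(inside.values()) + sum(outside.values()),
        "distinct_sources": len(inside) + len(outside),
        "inside_block": sum(inside.values()),
        "outside_block": sorted(str(ip) for ip in outside),
        "ports": dict(ports),
        # Answers "Is Tiscali your ISP?" when the host's public address is known.
        "host_in_block": (None if own_ip is None else
                          any(ipaddress.ip_address(own_ip) in n for n in nets)),
    }


if __name__ == "__main__":
    # own_ip is a made-up address inside the quoted range.
    for key, value in triage(ALERT_LOG, WHOIS_TEXT, own_ip="88.105.10.20").items():
        print(f"{key}: {value}")
```

Many distinct sources from one ISP's dynamic DSL pool, all aimed at the same port, is consistent with the explanation Roger Abell gives later in the thread (an infected machine trying to spread itself) rather than with one person singling out this host.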

 

 


Guest PA Bear [MS MVP]
Posted

> ...Could someone unscrupulous be
> trying to access my machine and eventually give up?

IMHO, no, it's just normal network pinging, judging from the information you've posted in this thread.

 

 


Guest PA Bear [MS MVP]
Posted

Is Avast configured to automatically seek updates at least once a day?

Are you now running Avast v4.8.1201? There have been two (2) program updates for Avast v4.8 since 12 May 2008:
http://www.avast.com/eng/avast-4-home_pro-...on-history.html

The above notwithstanding, the fact that you installed SP3 without having first disabled all real-time protections may be related to the reports you're seeing from Avast now. I'd recommend posting about this in a new thread in the appropriate Avast Support Forum before doing anything else about it: http://forum.avast.com/index.php?board=2.0

--

~Robear Dyer (PA Bear)

MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

AumHa VSOP & Admin http://aumha.net

DTS-L http://dts-l.net/

 

 


Guest Roger Abell [MVP]
Posted

Good, then what they are trying, IF Avast is accurately reporting, will not work. There was a remote DCOM exploit some years back that someone's infected machine might be using, among other things, in an attempt to spread itself. If I were you I would not be thinking this is at all related to XP SP3 but I would be looking at my firewall to see why the packets got that far.

Roger

Guest LeeG
Posted

As far as I can tell Avast is stopping the attempts (therefore I am protected). So far it has not happened today. What exactly do you mean by "looking at my firewall to see why the packets got that far." Could someone be deliberately trying to access my computer this way?

"Roger Abell [MVP]" wrote:

> Good, then what they are trying, IF Avast is accurately
> reporting, will not work. There was a remote DCOM
> exploit some years back that someone's infected machine
> might be using, among other things, in attempt to spread
> itself. If I were you I would not be thinking this is at all
> related to XP SP3 but I would be looking at my firewall
> to see why the packets got that far.
>
> Roger

Guest Roger Abell [MVP]
Posted

"LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

news:65E376BB-60A2-42DB-A486-3B1EF00B41A5@microsoft.com...

> As far as I can tell Avast is stopping the attempts (therefore I am
> protected). So far it has not happened today. What exactly do you mean by
> "looking at my firewall to see why the packets got that far." Could someone
> be deliberately trying to access my computer this way?

Someone could, but more likely someone's machine is via some infection that the owning someone is not even aware is there

Guest LeeG
Posted

Thank you for your reply. You have given the most plausible explanation so far. If I send a global message to the friends list on facebook, (someone on the friends list seems like the most obvious source,) can you tell me the most likely virus name to inform them to look for?

"Roger Abell [MVP]" wrote:

> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
> news:65E376BB-60A2-42DB-A486-3B1EF00B41A5@microsoft.com...
> > As far as I can tell Avast is stopping the attempts (therefore I am
> > protected). So far it has not happened today. What exactly do you mean by
> > "looking at my firewall to see why the packets got that far." Could someone
> > be deliberately trying to access my computer this way?
>
> Someone could, but more likely someone's machine is via some
> infection that the owning someone is not even aware is there

Guest PA Bear [MS MVP]
Posted

No need to be such an alarmist, Lee.

 

LeeG wrote:

> Thank you for your reply. You have given the most plausible explanation so
> far. If I send a global message to the friends list on facebook, (someone
> on the friends list seems like the most obvious source,) can you tell me
> the most likely virus name to inform them to look for?

Guest Roger Abell [MVP]
Posted

"LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message

news:A7A69DE8-4ACC-48D6-BC12-77E0E211FAB6@microsoft.com...

> Thank you for your reply. You have given the most plausible explanation so
> far. If I send a global message to the friends list on facebook, (someone
> on the friends list seems like the most obvious source,) can you tell me
> the most likely virus name to inform them to look for?

No, I cannot. This may have nothing whatsoever to do with emails or websites you have visited. It can be some machine on the network that "decided" to try at your current IP address, with no prior awareness of who you are, that you or your comp exist, etc.

Lee, this stuff happens all the time. It is the source of the personal firewall, and of the anti-malware industries.

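Roger's two points in the thread above, checking why the firewall let port 135 traffic reach the machine and that such probes come from arbitrary infected hosts, can both be checked against the firewall's own log. The following is an added example, not part of the original thread: it assumes the Windows Firewall text log (pfirewall.log) layout, runs on constructed log lines with documentation-range addresses, and its function names are hypothetical.

```python
"""Summarise inbound attempts on one TCP port from a Windows Firewall text log."""
from collections import Counter

# Constructed sample in the pfirewall.log layout (field order is assumed and
# read from the #Fields header). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2008-05-20 19:02:11 DROP TCP 198.51.100.23 192.0.2.10 3312 135 48 S 1234567 0 64240 - - -
2008-05-20 19:02:14 DROP TCP 198.51.100.23 192.0.2.10 3312 135 48 S 1234567 0 64240 - - -
2008-05-20 19:03:52 DROP TCP 198.51.100.77 192.0.2.10 4120 135 48 S 7654321 0 64240 - - -
2008-05-20 19:04:05 DROP TCP 203.0.113.5 192.0.2.10 2890 445 48 S 2222222 0 64240 - - -
2008-05-20 19:05:40 OPEN TCP 192.0.2.10 203.0.113.80 1045 80 - - - - - - - -
2008-05-20 19:06:31 OPEN TCP 198.51.100.140 192.0.2.10 3977 135 - - - - - - - -
2008-05-20 19:07:
"""


def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) >= len(fields):  # skip truncated records
                yield dict(zip(fields, parts))


def summarize_port(text, local_ip, port=135):
    """Count dropped vs. allowed inbound TCP attempts to local_ip:port."""
    dropped, allowed = Counter(), Counter()
    for rec in parse_firewall_log(text):
        inbound = rec["protocol"] == "TCP" and rec["dst-ip"] == local_ip
        if not inbound or rec["dst-port"] != str(port):
            continue
        if rec["action"] == "DROP":
            dropped[rec["src-ip"]] += 1
        elif rec["action"].startswith("OPEN"):
            # The firewall let this one through: an exception covers the port.
            allowed[rec["src-ip"]] += 1
    sources = set(dropped) | set(allowed)
    return {
        "dropped": dict(dropped),
        "allowed": dict(allowed),
        "distinct_sources": len(sources),
        # Several sources sharing a prefix fits automated scanning by
        # infected hosts rather than one person picking a victim.
        "source_prefixes": sorted({".".join(ip.split(".")[:2]) for ip in sources}),
        "firewall_passing_port": bool(allowed),
    }


if __name__ == "__main__":
    for key, value in summarize_port(SAMPLE_LOG, "192.0.2.10").items():
        print(f"{key}: {value}")
```

A non-empty `allowed` result is the case Roger's firewall advice is about: some exception is passing port 135, and the exceptions list is where to look.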