Dcom Exploit

[LeeG]

My Avast online scanner keeps flashing up with a Dcom Exploit
88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156, 115.154 being
two of the combinations.) Am I being targeted by someone.

 

[LeeG]

In addition could this be being caused due to upgrading to SP3? I know this
type of problem was addressed with sp2 but this seems to coincide with the
upgrade to sp3! I have tried a couple of ways to close down the DCOM port
135 but it is still showing as open. Anyone know any answers/solutions.

"LeeG" wrote:

> My Avast online scanner keeps flashing up with a Dcom Exploit
> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156, 115.154 being
> two of the combinations.) Am I being targeted by someone.

 

[PA Bear [MS MVP]]

/Where/ is Avast find this?

Have you posted about this in Avast User Forums?
http://forum.avast.com/
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/


LeeG wrote:
> In addition could this be being caused due to upgrading to SP3? I know
> this
> type of problem was addressed with sp2 but this seems to coincide with the
> upgrade to sp3! I have tried a couple of ways to close down the DCOM port
> 135 but it is still showing as open. Anyone know any answers/solutions.
>
> "LeeG" wrote:
>
>> My Avast online scanner keeps flashing up with a Dcom Exploit
>> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156, 115.154
>> being two of the combinations.) Am I being targeted by someone.

 

[LeeG]

Not yet. This exploit seems to coincide with the installation of SP3. Up
until now I had never had this exploit happen. I have been running Avast for
quite a while now and this is the first time it has flagged this exploit.


"PA Bear [MS MVP]" wrote:

> /Where/ is Avast find this?
>
> Have you posted about this in Avast User Forums?
> http://forum.avast.com/
> --
> ~Robear Dyer (PA Bear)
> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> AumHa VSOP & Admin http://aumha.net
> DTS-L http://dts-l.net/
>
>
> LeeG wrote:
> > In addition could this be being caused due to upgrading to SP3? I know
> > this
> > type of problem was addressed with sp2 but this seems to coincide with the
> > upgrade to sp3! I have tried a couple of ways to close down the DCOM port
> > 135 but it is still showing as open. Anyone know any answers/solutions.
> >
> > "LeeG" wrote:
> >
> >> My Avast online scanner keeps flashing up with a Dcom Exploit
> >> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156, 115.154
> >> being two of the combinations.) Am I being targeted by someone.
>
>

 

[LeeG]

Forgot to mention. I have already looked at the avast forum and i can only
find explanations and possible cures and have also tried one and currently
monitoring the solution. I am curious has to why the change?

"PA Bear [MS MVP]" wrote:

> /Where/ is Avast find this?
>
> Have you posted about this in Avast User Forums?
> http://forum.avast.com/
> --
> ~Robear Dyer (PA Bear)
> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> AumHa VSOP & Admin http://aumha.net
> DTS-L http://dts-l.net/
>
>
> LeeG wrote:
> > In addition could this be being caused due to upgrading to SP3? I know
> > this
> > type of problem was addressed with sp2 but this seems to coincide with the
> > upgrade to sp3! I have tried a couple of ways to close down the DCOM port
> > 135 but it is still showing as open. Anyone know any answers/solutions.
> >
> > "LeeG" wrote:
> >
> >> My Avast online scanner keeps flashing up with a Dcom Exploit
> >> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156, 115.154
> >> being two of the combinations.) Am I being targeted by someone.
>
>

 

[PA Bear [MS MVP]]

[I meant to ask, "Where is Avast finding this?"]

If you can post a few links to pertinent threads in that forum, I'd
appreciate it.

Is the Windows Firewall or a third-party firewall enabled?

What anti-spyware applications might be installed (other than Defender)?
What third-party firewall (if any)? Was Avast and/or any of these other
applications running when you installed SP3?

How did you install SP3 (e.g., manually via Windows Update)? Was the
machine running WinXP SP1 or WinXP SP2 before SP3 was installed? Was the
machine fully patched before you installed SP3? Had you just reinstalled
Windows prior to installing SP3?

Can you successfully reach and scan for updates at Windows Update website?
Are any updates offered? If so, can you install them successfully?
--
~PA Bear


LeeG wrote:
<paste>
> Not yet. This exploit seems to coincide with the installation of SP3. Up
> until now I had never had this exploit happen. I have been running Avast
> for quite a while now and this is the first time it has flagged this
> exploit.
</paste>
> Forgot to mention. I have already looked at the avast forum and i can
> only
> find explanations and possible cures and have also tried one and currently
> monitoring the solution. I am curious has to why the change?
>
> "PA Bear [MS MVP]" wrote:
>> /Where/ is Avast find this?
>>
>> Have you posted about this in Avast User Forums?
>> http://forum.avast.com/
>> --
>> ~Robear Dyer (PA Bear)
>> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
>> AumHa VSOP & Admin http://aumha.net
>> DTS-L http://dts-l.net/
>>
>>
>> LeeG wrote:
>>> In addition could this be being caused due to upgrading to SP3? I know
>>> this
>>> type of problem was addressed with sp2 but this seems to coincide with
>>> the
>>> upgrade to sp3! I have tried a couple of ways to close down the DCOM
>>> port
>>> 135 but it is still showing as open. Anyone know any answers/solutions.
>>>
>>>> My Avast online scanner keeps flashing up with a Dcom Exploit
>>>> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156, 115.154
>>>> being two of the combinations.) Am I being targeted by someone.

 

[LeeG]

Windows firewall is active and I am using the full home edition of Avast.
Also using Spybot S&D and regularily scan with Adaware. I do an AV and
spybot scans about twice a month.

The SP3 was a manual download direct from the Microsoft website and I still
had my resident scanners active when I installed it. I was fully up to date
with sp2 before I installed sp3

I have tried to reverse trace the different ip addresses that are flagged by
avast but no joy.

Here are some of the variations:

88.107.251.156
88.107.115.154
88.107.16.150
88.107.38.82
88.107.146.102
88.107.30.168

Avast flashes this message: dcom exploit 88.107.251.156:135 /tcp

One link I have tried but this solution did not work is

http://www.grc.com/freeware/dcom.htm

I can access and install updates from the windows update site. Just
installed a couple of office updates on thursday.

"PA Bear [MS MVP]" wrote:

> [I meant to ask, "Where is Avast finding this?"]
>
> If you can post a few links to pertinent threads in that forum, I'd
> appreciate it.
>
> Is the Windows Firewall or a third-party firewall enabled?
>
> What anti-spyware applications might be installed (other than Defender)?
> What third-party firewall (if any)? Was Avast and/or any of these other
> applications running when you installed SP3?
>
> How did you install SP3 (e.g., manually via Windows Update)? Was the
> machine running WinXP SP1 or WinXP SP2 before SP3 was installed? Was the
> machine fully patched before you installed SP3? Had you just reinstalled
> Windows prior to installing SP3?
>
> Can you successfully reach and scan for updates at Windows Update website?
> Are any updates offered? If so, can you install them successfully?
> --
> ~PA Bear
>
>
> LeeG wrote:
> <paste>
> > Not yet. This exploit seems to coincide with the installation of SP3. Up
> > until now I had never had this exploit happen. I have been running Avast
> > for quite a while now and this is the first time it has flagged this
> > exploit.
> </paste>
> > Forgot to mention. I have already looked at the avast forum and i can
> > only
> > find explanations and possible cures and have also tried one and currently
> > monitoring the solution. I am curious has to why the change?
> >
> > "PA Bear [MS MVP]" wrote:
> >> /Where/ is Avast find this?
> >>
> >> Have you posted about this in Avast User Forums?
> >> http://forum.avast.com/
> >> --
> >> ~Robear Dyer (PA Bear)
> >> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> >> AumHa VSOP & Admin http://aumha.net
> >> DTS-L http://dts-l.net/
> >>
> >>
> >> LeeG wrote:
> >>> In addition could this be being caused due to upgrading to SP3? I know
> >>> this
> >>> type of problem was addressed with sp2 but this seems to coincide with
> >>> the
> >>> upgrade to sp3! I have tried a couple of ways to close down the DCOM
> >>> port
> >>> 135 but it is still showing as open. Anyone know any answers/solutions.
> >>>
> >>>> My Avast online scanner keeps flashing up with a Dcom Exploit
> >>>> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156, 115.154
> >>>> being two of the combinations.) Am I being targeted by someone.
>
>

 

[Roger Abell [MVP]]

You are running XP, and I will assume this is a home machine.
You have no need for DCOM.
Go to Administrative Tools and select Component Services.
When it opens, click into Component Services / Computers
and right click on My Computer and select Properties.
In the My Computer Properties window that opens select
the Default Properties tab and make sure that the checkbox
Enable Distributed COM on this computer is NOT checked.
Avast might detect something coming in from the network but
if DCOM is not enabled it will not get a response.
Make sure you have a firewall enabled and that the exceptions
are all ones that you know about and need.

Roger

"LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
news:8C507A76-56DC-4FDD-8152-3DDA68BBBFC4@microsoft.com...
> Forgot to mention. I have already looked at the avast forum and i can
> only
> find explanations and possible cures and have also tried one and currently
> monitoring the solution. I am curious has to why the change?
>
> "PA Bear [MS MVP]" wrote:
>
>> /Where/ is Avast find this?
>>
>> Have you posted about this in Avast User Forums?
>> http://forum.avast.com/
>> --
>> ~Robear Dyer (PA Bear)
>> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
>> AumHa VSOP & Admin http://aumha.net
>> DTS-L http://dts-l.net/
>>
>>
>> LeeG wrote:
>> > In addition could this be being caused due to upgrading to SP3? I know
>> > this
>> > type of problem was addressed with sp2 but this seems to coincide with
>> > the
>> > upgrade to sp3! I have tried a couple of ways to close down the DCOM
>> > port
>> > 135 but it is still showing as open. Anyone know any
>> > answers/solutions.
>> >
>> > "LeeG" wrote:
>> >
>> >> My Avast online scanner keeps flashing up with a Dcom Exploit
>> >> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156,
>> >> 115.154
>> >> being two of the combinations.) Am I being targeted by someone.
>>
>>

 

[Roger Abell [MVP]]

Check what exemptions are allowed in your firewall settings.
I am not aware of at what point in the network stack Avast might
be tying in, but the firewall should be disallowing tcp 135 traffic
from unknown machine addresses. If you use filesharing in your
home network you do need tcp 135 to be available to those boxes,
but it should not be open to the world.


"LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
news:47917144-F76F-4060-93AC-89A62FD8DB09@microsoft.com...
> Windows firewall is active and I am using the full home edition of Avast.
> Also using Spybot S&D and regularily scan with Adaware. I do an AV and
> spybot scans about twice a month.
>
> The SP3 was a manual download direct from the Microsoft website and I
> still
> had my resident scanners active when I installed it. I was fully up to
> date
> with sp2 before I installed sp3
>
> I have tried to reverse trace the different ip addresses that are flagged
> by
> avast but no joy.
>
> Here are some of the variations:
>
> 88.107.251.156
> 88.107.115.154
> 88.107.16.150
> 88.107.38.82
> 88.107.146.102
> 88.107.30.168
>
> Avast flashes this message: dcom exploit 88.107.251.156:135 /tcp
>
> One link I have tried but this solution did not work is
>
> http://www.grc.com/freeware/dcom.htm
>
> I can access and install updates from the windows update site. Just
> installed a couple of office updates on thursday.
>
> "PA Bear [MS MVP]" wrote:
>
>> [I meant to ask, "Where is Avast finding this?"]
>>
>> If you can post a few links to pertinent threads in that forum, I'd
>> appreciate it.
>>
>> Is the Windows Firewall or a third-party firewall enabled?
>>
>> What anti-spyware applications might be installed (other than Defender)?
>> What third-party firewall (if any)? Was Avast and/or any of these other
>> applications running when you installed SP3?
>>
>> How did you install SP3 (e.g., manually via Windows Update)? Was the
>> machine running WinXP SP1 or WinXP SP2 before SP3 was installed? Was the
>> machine fully patched before you installed SP3? Had you just reinstalled
>> Windows prior to installing SP3?
>>
>> Can you successfully reach and scan for updates at Windows Update
>> website?
>> Are any updates offered? If so, can you install them successfully?
>> --
>> ~PA Bear
>>
>>
>> LeeG wrote:
>> <paste>
>> > Not yet. This exploit seems to coincide with the installation of SP3.
>> > Up
>> > until now I had never had this exploit happen. I have been running
>> > Avast
>> > for quite a while now and this is the first time it has flagged this
>> > exploit.
>> </paste>
>> > Forgot to mention. I have already looked at the avast forum and i can
>> > only
>> > find explanations and possible cures and have also tried one and
>> > currently
>> > monitoring the solution. I am curious has to why the change?
>> >
>> > "PA Bear [MS MVP]" wrote:
>> >> /Where/ is Avast find this?
>> >>
>> >> Have you posted about this in Avast User Forums?
>> >> http://forum.avast.com/
>> >> --
>> >> ~Robear Dyer (PA Bear)
>> >> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
>> >> AumHa VSOP & Admin http://aumha.net
>> >> DTS-L http://dts-l.net/
>> >>
>> >>
>> >> LeeG wrote:
>> >>> In addition could this be being caused due to upgrading to SP3? I
>> >>> know
>> >>> this
>> >>> type of problem was addressed with sp2 but this seems to coincide
>> >>> with
>> >>> the
>> >>> upgrade to sp3! I have tried a couple of ways to close down the DCOM
>> >>> port
>> >>> 135 but it is still showing as open. Anyone know any
>> >>> answers/solutions.
>> >>>
>> >>>> My Avast online scanner keeps flashing up with a Dcom Exploit
>> >>>> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156,
>> >>>> 115.154
>> >>>> being two of the combinations.) Am I being targeted by someone.
>>
>>

 

[LeeG]

I checked the Dcom setting was unchecked in component services last night but
I am still getting the exploit warning. Could someone unscrupulous be trying
to access my machine and eventually give up? Could this attack be from
someone obtaining my ip address through other sites, for example, facebook.
I only ask because my partner signed up recently to it. I have run XP home
for quite a while now and this has never cropped up before.

"Roger Abell [MVP]" wrote:

> You are running XP, and I will assume this is a home machine.
> You have no need for DCOM.
> Go to Administrative Tools and select Component Services.
> When it opens, click into Component Services / Computers
> and right click on My Computer and select Properties.
> In the My Computer Properties window that opens select
> the Default Properties tab and make sure that the checkbox
> Enable Distributed COM on this computer is NOT checked.
> Avast might detect something coming in from the network but
> if DCOM is not enabled it will not get a response.
> Make sure you have a firewall enabled and that the exceptions
> are all ones that you know about and need.
>
> Roger
>
> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
> news:8C507A76-56DC-4FDD-8152-3DDA68BBBFC4@microsoft.com...
> > Forgot to mention. I have already looked at the avast forum and i can
> > only
> > find explanations and possible cures and have also tried one and currently
> > monitoring the solution. I am curious has to why the change?
> >
> > "PA Bear [MS MVP]" wrote:
> >
> >> /Where/ is Avast find this?
> >>
> >> Have you posted about this in Avast User Forums?
> >> http://forum.avast.com/
> >> --
> >> ~Robear Dyer (PA Bear)
> >> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> >> AumHa VSOP & Admin http://aumha.net
> >> DTS-L http://dts-l.net/
> >>
> >>
> >> LeeG wrote:
> >> > In addition could this be being caused due to upgrading to SP3? I know
> >> > this
> >> > type of problem was addressed with sp2 but this seems to coincide with
> >> > the
> >> > upgrade to sp3! I have tried a couple of ways to close down the DCOM
> >> > port
> >> > 135 but it is still showing as open. Anyone know any
> >> > answers/solutions.
> >> >
> >> > "LeeG" wrote:
> >> >
> >> >> My Avast online scanner keeps flashing up with a Dcom Exploit
> >> >> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156,
> >> >> 115.154
> >> >> being two of the combinations.) Am I being targeted by someone.
> >>
> >>
>
>
>

 

[MowGreen [MVP]]

Info on the IP ranges you posted:
http://www.dnsstuff.com/tools/whois.ch?ip=88.107.38.82

> inetnum: 88.104.0.0 - 88.107.255.255
> netname: DSL-TISCALI-UK
> descr: Tiscali UK Ltd
> descr: Dynamic DSL

Is Tiscali your ISP ?

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============


LeeG wrote:

> Windows firewall is active and I am using the full home edition of Avast.
> Also using Spybot S&D and regularily scan with Adaware. I do an AV and
> spybot scans about twice a month.
>
> The SP3 was a manual download direct from the Microsoft website and I still
> had my resident scanners active when I installed it. I was fully up to date
> with sp2 before I installed sp3
>
> I have tried to reverse trace the different ip addresses that are flagged by
> avast but no joy.
>
> Here are some of the variations:
>
> 88.107.251.156
> 88.107.115.154
> 88.107.16.150
> 88.107.38.82
> 88.107.146.102
> 88.107.30.168
>
> Avast flashes this message: dcom exploit 88.107.251.156:135 /tcp
>
> One link I have tried but this solution did not work is
>
> http://www.grc.com/freeware/dcom.htm
>
> I can access and install updates from the windows update site. Just
> installed a couple of office updates on thursday.
>
> "PA Bear [MS MVP]" wrote:
>
>
>>[I meant to ask, "Where is Avast finding this?"]
>>
>>If you can post a few links to pertinent threads in that forum, I'd
>>appreciate it.
>>
>>Is the Windows Firewall or a third-party firewall enabled?
>>
>>What anti-spyware applications might be installed (other than Defender)?
>>What third-party firewall (if any)? Was Avast and/or any of these other
>>applications running when you installed SP3?
>>
>>How did you install SP3 (e.g., manually via Windows Update)? Was the
>>machine running WinXP SP1 or WinXP SP2 before SP3 was installed? Was the
>>machine fully patched before you installed SP3? Had you just reinstalled
>>Windows prior to installing SP3?
>>
>>Can you successfully reach and scan for updates at Windows Update website?
>>Are any updates offered? If so, can you install them successfully?
>>--
>>~PA Bear
>>
>>
>>LeeG wrote:
>><paste>
>>
>>>Not yet. This exploit seems to coincide with the installation of SP3. Up
>>>until now I had never had this exploit happen. I have been running Avast
>>>for quite a while now and this is the first time it has flagged this
>>>exploit.
>>
>></paste>
>>
>>>Forgot to mention. I have already looked at the avast forum and i can
>>>only
>>>find explanations and possible cures and have also tried one and currently
>>>monitoring the solution. I am curious has to why the change?
>>>
>>>"PA Bear [MS MVP]" wrote:
>>>
>>>>/Where/ is Avast find this?
>>>>
>>>>Have you posted about this in Avast User Forums?
>>>>http://forum.avast.com/
>>>>--
>>>>~Robear Dyer (PA Bear)
>>>>MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
>>>>AumHa VSOP & Admin http://aumha.net
>>>>DTS-L http://dts-l.net/
>>>>
>>>>
>>>>LeeG wrote:
>>>>
>>>>>In addition could this be being caused due to upgrading to SP3? I know
>>>>>this
>>>>>type of problem was addressed with sp2 but this seems to coincide with
>>>>>the
>>>>>upgrade to sp3! I have tried a couple of ways to close down the DCOM
>>>>>port
>>>>>135 but it is still showing as open. Anyone know any answers/solutions.
>>>>>
>>>>>
>>>>>>My Avast online scanner keeps flashing up with a Dcom Exploit
>>>>>>88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156, 115.154
>>>>>>being two of the combinations.) Am I being targeted by someone.
>>
>>

 

[PA Bear [MS MVP]]

> ...Could someone unscrupulous be
> trying to access my machine and eventually give up?

IMHO, no, it's just normal network pinging, judging from the information
you've posted in this thread.


LeeG wrote:
> I checked the Dcom setting was unchecked in component services last night
> but I am still getting the exploit warning. Could someone unscrupulous be
> trying to access my machine and eventually give up? Could this attack be
> from someone obtaining my ip address through other sites, for example,
> facebook. I only ask because my partner signed up recently to it. I have
> run XP home for quite a while now and this has never cropped up before.
>
> "Roger Abell [MVP]" wrote:
>
>> You are running XP, and I will assume this is a home machine.
>> You have no need for DCOM.
>> Go to Administrative Tools and select Component Services.
>> When it opens, click into Component Services / Computers
>> and right click on My Computer and select Properties.
>> In the My Computer Properties window that opens select
>> the Default Properties tab and make sure that the checkbox
>> Enable Distributed COM on this computer is NOT checked.
>> Avast might detect something coming in from the network but
>> if DCOM is not enabled it will not get a response.
>> Make sure you have a firewall enabled and that the exceptions
>> are all ones that you know about and need.
>>
>> Roger
>>
>> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
>> news:8C507A76-56DC-4FDD-8152-3DDA68BBBFC4@microsoft.com...
>>> Forgot to mention. I have already looked at the avast forum and i can
>>> only
>>> find explanations and possible cures and have also tried one and
>>> currently
>>> monitoring the solution. I am curious has to why the change?
>>>
>>> "PA Bear [MS MVP]" wrote:
>>>
>>>> /Where/ is Avast find this?
>>>>
>>>> Have you posted about this in Avast User Forums?
>>>> http://forum.avast.com/
>>>> --
>>>> ~Robear Dyer (PA Bear)
>>>> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
>>>> AumHa VSOP & Admin http://aumha.net
>>>> DTS-L http://dts-l.net/
>>>>
>>>>
>>>> LeeG wrote:
>>>>> In addition could this be being caused due to upgrading to SP3? I
>>>>> know
>>>>> this
>>>>> type of problem was addressed with sp2 but this seems to coincide with
>>>>> the
>>>>> upgrade to sp3! I have tried a couple of ways to close down the DCOM
>>>>> port
>>>>> 135 but it is still showing as open. Anyone know any
>>>>> answers/solutions.
>>>>>
>>>>> "LeeG" wrote:
>>>>>
>>>>>> My Avast online scanner keeps flashing up with a Dcom Exploit
>>>>>> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156,
>>>>>> 115.154
>>>>>> being two of the combinations.) Am I being targeted by someone.

 

[PA Bear [MS MVP]]

Is Avast configured to automatically seek updates as least once a day?

Are you now running Avast v4.8.1201? There have been two (2) program
updates for Avast v4.8 since 12 May 2008:
http://www.avast.com/eng/avast-4-home_pro-revision-history.html

The above notwithstanding, the fact that you installed SP3 without having
first disabled all real-time protections may be related to the reports
you're seeing from Avast now. I'd recommend posting about this in a new
thread in the appropriate Avast Support Forum before doing anything else
about it: http://forum.avast.com/index.php?board=2.0
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/


LeeG wrote:
> Windows firewall is active and I am using the full home edition of Avast.
> Also using Spybot S&D and regularily scan with Adaware. I do an AV and
> spybot scans about twice a month.
>
> The SP3 was a manual download direct from the Microsoft website and I
> still
> had my resident scanners active when I installed it. I was fully up to
> date
> with sp2 before I installed sp3
>
> I have tried to reverse trace the different ip addresses that are flagged
> by
> avast but no joy.
>
> Here are some of the variations:
>
> 88.107.251.156
> 88.107.115.154
> 88.107.16.150
> 88.107.38.82
> 88.107.146.102
> 88.107.30.168
>
> Avast flashes this message: dcom exploit 88.107.251.156:135 /tcp
>
> One link I have tried but this solution did not work is
>
> http://www.grc.com/freeware/dcom.htm
>
> I can access and install updates from the windows update site. Just
> installed a couple of office updates on thursday.
>
> "PA Bear [MS MVP]" wrote:
>
>> [I meant to ask, "Where is Avast finding this?"]
>>
>> If you can post a few links to pertinent threads in that forum, I'd
>> appreciate it.
>>
>> Is the Windows Firewall or a third-party firewall enabled?
>>
>> What anti-spyware applications might be installed (other than Defender)?
>> What third-party firewall (if any)? Was Avast and/or any of these other
>> applications running when you installed SP3?
>>
>> How did you install SP3 (e.g., manually via Windows Update)? Was the
>> machine running WinXP SP1 or WinXP SP2 before SP3 was installed? Was the
>> machine fully patched before you installed SP3? Had you just reinstalled
>> Windows prior to installing SP3?
>>
>> Can you successfully reach and scan for updates at Windows Update
>> website?
>> Are any updates offered? If so, can you install them successfully?
>> --
>> ~PA Bear
>>
>>
>> LeeG wrote:
>> <paste>
>>> Not yet. This exploit seems to coincide with the installation of SP3.
>>> Up
>>> until now I had never had this exploit happen. I have been running
>>> Avast
>>> for quite a while now and this is the first time it has flagged this
>>> exploit.
>> </paste>
>>> Forgot to mention. I have already looked at the avast forum and i can
>>> only
>>> find explanations and possible cures and have also tried one and
>>> currently
>>> monitoring the solution. I am curious has to why the change?
>>>
>>> "PA Bear [MS MVP]" wrote:
>>>> /Where/ is Avast find this?
>>>>
>>>> Have you posted about this in Avast User Forums?
>>>> http://forum.avast.com/
>>>> --
>>>> ~Robear Dyer (PA Bear)
>>>> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
>>>> AumHa VSOP & Admin http://aumha.net
>>>> DTS-L http://dts-l.net/
>>>>
>>>>
>>>> LeeG wrote:
>>>>> In addition could this be being caused due to upgrading to SP3? I
>>>>> know
>>>>> this
>>>>> type of problem was addressed with sp2 but this seems to coincide with
>>>>> the
>>>>> upgrade to sp3! I have tried a couple of ways to close down the DCOM
>>>>> port
>>>>> 135 but it is still showing as open. Anyone know any
>>>>> answers/solutions.
>>>>>
>>>>>> My Avast online scanner keeps flashing up with a Dcom Exploit
>>>>>> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156,
>>>>>> 115.154
>>>>>> being two of the combinations.) Am I being targeted by someone.

 

[Roger Abell [MVP]]

Good, then what they are trying, IF Avast is accurately
reporting, will not work. There was a remote DCOM
exploit some years back that someone's infected machine
might be using, among other things, in attempt to spread
itself. If I were you I would not be thinking this is at all
related to XP SP3 but I would be looking at my firewall
to see why the packets got that far.

Roger

"LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
news:9977061E-DD51-41A1-94BF-A2067C4EEDDA@microsoft.com...
>I checked the Dcom setting was unchecked in component services last night
>but
> I am still getting the exploit warning. Could someone unscrupulous be
> trying
> to access my machine and eventually give up? Could this attack be from
> someone obtaining my ip address through other sites, for example,
> facebook.
> I only ask because my partner signed up recently to it. I have run XP
> home
> for quite a while now and this has never cropped up before.
>
> "Roger Abell [MVP]" wrote:
>
>> You are running XP, and I will assume this is a home machine.
>> You have no need for DCOM.
>> Go to Administrative Tools and select Component Services.
>> When it opens, click into Component Services / Computers
>> and right click on My Computer and select Properties.
>> In the My Computer Properties window that opens select
>> the Default Properties tab and make sure that the checkbox
>> Enable Distributed COM on this computer is NOT checked.
>> Avast might detect something coming in from the network but
>> if DCOM is not enabled it will not get a response.
>> Make sure you have a firewall enabled and that the exceptions
>> are all ones that you know about and need.
>>
>> Roger
>>
>> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
>> news:8C507A76-56DC-4FDD-8152-3DDA68BBBFC4@microsoft.com...
>> > Forgot to mention. I have already looked at the avast forum and i can
>> > only
>> > find explanations and possible cures and have also tried one and
>> > currently
>> > monitoring the solution. I am curious has to why the change?
>> >
>> > "PA Bear [MS MVP]" wrote:
>> >
>> >> /Where/ is Avast find this?
>> >>
>> >> Have you posted about this in Avast User Forums?
>> >> http://forum.avast.com/
>> >> --
>> >> ~Robear Dyer (PA Bear)
>> >> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
>> >> AumHa VSOP & Admin http://aumha.net
>> >> DTS-L http://dts-l.net/
>> >>
>> >>
>> >> LeeG wrote:
>> >> > In addition could this be being caused due to upgrading to SP3? I
>> >> > know
>> >> > this
>> >> > type of problem was addressed with sp2 but this seems to coincide
>> >> > with
>> >> > the
>> >> > upgrade to sp3! I have tried a couple of ways to close down the
>> >> > DCOM
>> >> > port
>> >> > 135 but it is still showing as open. Anyone know any
>> >> > answers/solutions.
>> >> >
>> >> > "LeeG" wrote:
>> >> >
>> >> >> My Avast online scanner keeps flashing up with a Dcom Exploit
>> >> >> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156,
>> >> >> 115.154
>> >> >> being two of the combinations.) Am I being targeted by someone.
>> >>
>> >>
>>
>>
>>

 

[LeeG]

As far as I can tell Avast is stopping the attempts (therefore I am
protected). So far it has not happened today. What exactly do you mean by
"looking at my firewall to see why the packets got that far." Could someone
be deliberately trying to access my computer this way?

"Roger Abell [MVP]" wrote:

> Good, then what they are trying, IF Avast is accurately
> reporting, will not work. There was a remote DCOM
> exploit some years back that someone's infected machine
> might be using, among other things, in attempt to spread
> itself. If I were you I would not be thinking this is at all
> related to XP SP3 but I would be looking at my firewall
> to see why the packets got that far.
>
> Roger
>
> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
> news:9977061E-DD51-41A1-94BF-A2067C4EEDDA@microsoft.com...
> >I checked the Dcom setting was unchecked in component services last night
> >but
> > I am still getting the exploit warning. Could someone unscrupulous be
> > trying
> > to access my machine and eventually give up? Could this attack be from
> > someone obtaining my ip address through other sites, for example,
> > facebook.
> > I only ask because my partner signed up recently to it. I have run XP
> > home
> > for quite a while now and this has never cropped up before.
> >
> > "Roger Abell [MVP]" wrote:
> >
> >> You are running XP, and I will assume this is a home machine.
> >> You have no need for DCOM.
> >> Go to Administrative Tools and select Component Services.
> >> When it opens, click into Component Services / Computers
> >> and right click on My Computer and select Properties.
> >> In the My Computer Properties window that opens select
> >> the Default Properties tab and make sure that the checkbox
> >> Enable Distributed COM on this computer is NOT checked.
> >> Avast might detect something coming in from the network but
> >> if DCOM is not enabled it will not get a response.
> >> Make sure you have a firewall enabled and that the exceptions
> >> are all ones that you know about and need.
> >>
> >> Roger
> >>
> >> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
> >> news:8C507A76-56DC-4FDD-8152-3DDA68BBBFC4@microsoft.com...
> >> > Forgot to mention. I have already looked at the avast forum and i can
> >> > only
> >> > find explanations and possible cures and have also tried one and
> >> > currently
> >> > monitoring the solution. I am curious has to why the change?
> >> >
> >> > "PA Bear [MS MVP]" wrote:
> >> >
> >> >> /Where/ is Avast find this?
> >> >>
> >> >> Have you posted about this in Avast User Forums?
> >> >> http://forum.avast.com/
> >> >> --
> >> >> ~Robear Dyer (PA Bear)
> >> >> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> >> >> AumHa VSOP & Admin http://aumha.net
> >> >> DTS-L http://dts-l.net/
> >> >>
> >> >>
> >> >> LeeG wrote:
> >> >> > In addition could this be being caused due to upgrading to SP3? I
> >> >> > know
> >> >> > this
> >> >> > type of problem was addressed with sp2 but this seems to coincide
> >> >> > with
> >> >> > the
> >> >> > upgrade to sp3! I have tried a couple of ways to close down the
> >> >> > DCOM
> >> >> > port
> >> >> > 135 but it is still showing as open. Anyone know any
> >> >> > answers/solutions.
> >> >> >
> >> >> > "LeeG" wrote:
> >> >> >
> >> >> >> My Avast online scanner keeps flashing up with a Dcom Exploit
> >> >> >> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156,
> >> >> >> 115.154
> >> >> >> being two of the combinations.) Am I being targeted by someone.
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>

 

[Roger Abell [MVP]]

"LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
news:65E376BB-60A2-42DB-A486-3B1EF00B41A5@microsoft.com...
> As far as I can tell Avast is stopping the attempts (therefore I am
> protected). So far it has not happened today. What exactly do you mean
> by
> "looking at my firewall to see why the packets got that far." Could
> someone
> be deliberately trying to access my computer this way?

Someone could, but more likely someone's machine is via some
infection that the owning someone is not even aware is there

>
> "Roger Abell [MVP]" wrote:
>
>> Good, then what they are trying, IF Avast is accurately
>> reporting, will not work. There was a remote DCOM
>> exploit some years back that someone's infected machine
>> might be using, among other things, in attempt to spread
>> itself. If I were you I would not be thinking this is at all
>> related to XP SP3 but I would be looking at my firewall
>> to see why the packets got that far.
>>
>> Roger
>>
>> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
>> news:9977061E-DD51-41A1-94BF-A2067C4EEDDA@microsoft.com...
>> >I checked the Dcom setting was unchecked in component services last
>> >night
>> >but
>> > I am still getting the exploit warning. Could someone unscrupulous be
>> > trying
>> > to access my machine and eventually give up? Could this attack be from
>> > someone obtaining my ip address through other sites, for example,
>> > facebook.
>> > I only ask because my partner signed up recently to it. I have run XP
>> > home
>> > for quite a while now and this has never cropped up before.
>> >
>> > "Roger Abell [MVP]" wrote:
>> >
>> >> You are running XP, and I will assume this is a home machine.
>> >> You have no need for DCOM.
>> >> Go to Administrative Tools and select Component Services.
>> >> When it opens, click into Component Services / Computers
>> >> and right click on My Computer and select Properties.
>> >> In the My Computer Properties window that opens select
>> >> the Default Properties tab and make sure that the checkbox
>> >> Enable Distributed COM on this computer is NOT checked.
>> >> Avast might detect something coming in from the network but
>> >> if DCOM is not enabled it will not get a response.
>> >> Make sure you have a firewall enabled and that the exceptions
>> >> are all ones that you know about and need.
>> >>
>> >> Roger
>> >>
>> >> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
>> >> news:8C507A76-56DC-4FDD-8152-3DDA68BBBFC4@microsoft.com...
>> >> > Forgot to mention. I have already looked at the avast forum and i
>> >> > can
>> >> > only
>> >> > find explanations and possible cures and have also tried one and
>> >> > currently
>> >> > monitoring the solution. I am curious has to why the change?
>> >> >
>> >> > "PA Bear [MS MVP]" wrote:
>> >> >
>> >> >> /Where/ is Avast find this?
>> >> >>
>> >> >> Have you posted about this in Avast User Forums?
>> >> >> http://forum.avast.com/
>> >> >> --
>> >> >> ~Robear Dyer (PA Bear)
>> >> >> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
>> >> >> AumHa VSOP & Admin http://aumha.net
>> >> >> DTS-L http://dts-l.net/
>> >> >>
>> >> >>
>> >> >> LeeG wrote:
>> >> >> > In addition could this be being caused due to upgrading to SP3?
>> >> >> > I
>> >> >> > know
>> >> >> > this
>> >> >> > type of problem was addressed with sp2 but this seems to coincide
>> >> >> > with
>> >> >> > the
>> >> >> > upgrade to sp3! I have tried a couple of ways to close down the
>> >> >> > DCOM
>> >> >> > port
>> >> >> > 135 but it is still showing as open. Anyone know any
>> >> >> > answers/solutions.
>> >> >> >
>> >> >> > "LeeG" wrote:
>> >> >> >
>> >> >> >> My Avast online scanner keeps flashing up with a Dcom Exploit
>> >> >> >> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156,
>> >> >> >> 115.154
>> >> >> >> being two of the combinations.) Am I being targeted by someone.
>> >> >>
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>>

 

[LeeG]

Thank you for your reply. You have given the most plausible explanation so
far. If I send a global message to the friends list on facebook, (someone on
the friends list seems like the most obvious source,) can you tell me the
most likely virus name to inform them to look for?

"Roger Abell [MVP]" wrote:

> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
> news:65E376BB-60A2-42DB-A486-3B1EF00B41A5@microsoft.com...
> > As far as I can tell Avast is stopping the attempts (therefore I am
> > protected). So far it has not happened today. What exactly do you mean
> > by
> > "looking at my firewall to see why the packets got that far." Could
> > someone
> > be deliberately trying to access my computer this way?
>
> Someone could, but more likely someone's machine is via some
> infection that the owning someone is not even aware is there
>
> >
> > "Roger Abell [MVP]" wrote:
> >
> >> Good, then what they are trying, IF Avast is accurately
> >> reporting, will not work. There was a remote DCOM
> >> exploit some years back that someone's infected machine
> >> might be using, among other things, in attempt to spread
> >> itself. If I were you I would not be thinking this is at all
> >> related to XP SP3 but I would be looking at my firewall
> >> to see why the packets got that far.
> >>
> >> Roger
> >>
> >> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
> >> news:9977061E-DD51-41A1-94BF-A2067C4EEDDA@microsoft.com...
> >> >I checked the Dcom setting was unchecked in component services last
> >> >night
> >> >but
> >> > I am still getting the exploit warning. Could someone unscrupulous be
> >> > trying
> >> > to access my machine and eventually give up? Could this attack be from
> >> > someone obtaining my ip address through other sites, for example,
> >> > facebook.
> >> > I only ask because my partner signed up recently to it. I have run XP
> >> > home
> >> > for quite a while now and this has never cropped up before.
> >> >
> >> > "Roger Abell [MVP]" wrote:
> >> >
> >> >> You are running XP, and I will assume this is a home machine.
> >> >> You have no need for DCOM.
> >> >> Go to Administrative Tools and select Component Services.
> >> >> When it opens, click into Component Services / Computers
> >> >> and right click on My Computer and select Properties.
> >> >> In the My Computer Properties window that opens select
> >> >> the Default Properties tab and make sure that the checkbox
> >> >> Enable Distributed COM on this computer is NOT checked.
> >> >> Avast might detect something coming in from the network but
> >> >> if DCOM is not enabled it will not get a response.
> >> >> Make sure you have a firewall enabled and that the exceptions
> >> >> are all ones that you know about and need.
> >> >>
> >> >> Roger
> >> >>
> >> >> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
> >> >> news:8C507A76-56DC-4FDD-8152-3DDA68BBBFC4@microsoft.com...
> >> >> > Forgot to mention. I have already looked at the avast forum and i
> >> >> > can
> >> >> > only
> >> >> > find explanations and possible cures and have also tried one and
> >> >> > currently
> >> >> > monitoring the solution. I am curious has to why the change?
> >> >> >
> >> >> > "PA Bear [MS MVP]" wrote:
> >> >> >
> >> >> >> /Where/ is Avast find this?
> >> >> >>
> >> >> >> Have you posted about this in Avast User Forums?
> >> >> >> http://forum.avast.com/
> >> >> >> --
> >> >> >> ~Robear Dyer (PA Bear)
> >> >> >> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> >> >> >> AumHa VSOP & Admin http://aumha.net
> >> >> >> DTS-L http://dts-l.net/
> >> >> >>
> >> >> >>
> >> >> >> LeeG wrote:
> >> >> >> > In addition could this be being caused due to upgrading to SP3?
> >> >> >> > I
> >> >> >> > know
> >> >> >> > this
> >> >> >> > type of problem was addressed with sp2 but this seems to coincide
> >> >> >> > with
> >> >> >> > the
> >> >> >> > upgrade to sp3! I have tried a couple of ways to close down the
> >> >> >> > DCOM
> >> >> >> > port
> >> >> >> > 135 but it is still showing as open. Anyone know any
> >> >> >> > answers/solutions.
> >> >> >> >
> >> >> >> > "LeeG" wrote:
> >> >> >> >
> >> >> >> >> My Avast online scanner keeps flashing up with a Dcom Exploit
> >> >> >> >> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156,
> >> >> >> >> 115.154
> >> >> >> >> being two of the combinations.) Am I being targeted by someone.
> >> >> >>
> >> >> >>
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>

 

[PA Bear [MS MVP]]

No need to be such an alarmist, Lee.

LeeG wrote:
> Thank you for your reply. You have given the most plausible explanation
> so
> far. If I send a global message to the friends list on facebook, (someone
> on the friends list seems like the most obvious source,) can you tell me
> the
> most likely virus name to inform them to look for?
>
> "Roger Abell [MVP]" wrote:
>
>> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
>> news:65E376BB-60A2-42DB-A486-3B1EF00B41A5@microsoft.com...
>>> As far as I can tell Avast is stopping the attempts (therefore I am
>>> protected). So far it has not happened today. What exactly do you mean
>>> by
>>> "looking at my firewall to see why the packets got that far." Could
>>> someone
>>> be deliberately trying to access my computer this way?
>>
>> Someone could, but more likely someone's machine is via some
>> infection that the owning someone is not even aware is there
>>
>>>
>>> "Roger Abell [MVP]" wrote:
>>>
>>>> Good, then what they are trying, IF Avast is accurately
>>>> reporting, will not work. There was a remote DCOM
>>>> exploit some years back that someone's infected machine
>>>> might be using, among other things, in attempt to spread
>>>> itself. If I were you I would not be thinking this is at all
>>>> related to XP SP3 but I would be looking at my firewall
>>>> to see why the packets got that far.
>>>>
>>>> Roger
>>>>
>>>> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
>>>> news:9977061E-DD51-41A1-94BF-A2067C4EEDDA@microsoft.com...
>>>>> I checked the Dcom setting was unchecked in component services last
>>>>> night
>>>>> but
>>>>> I am still getting the exploit warning. Could someone unscrupulous be
>>>>> trying
>>>>> to access my machine and eventually give up? Could this attack be
>>>>> from
>>>>> someone obtaining my ip address through other sites, for example,
>>>>> facebook.
>>>>> I only ask because my partner signed up recently to it. I have run XP
>>>>> home
>>>>> for quite a while now and this has never cropped up before.
>>>>>
>>>>> "Roger Abell [MVP]" wrote:
>>>>>
>>>>>> You are running XP, and I will assume this is a home machine.
>>>>>> You have no need for DCOM.
>>>>>> Go to Administrative Tools and select Component Services.
>>>>>> When it opens, click into Component Services / Computers
>>>>>> and right click on My Computer and select Properties.
>>>>>> In the My Computer Properties window that opens select
>>>>>> the Default Properties tab and make sure that the checkbox
>>>>>> Enable Distributed COM on this computer is NOT checked.
>>>>>> Avast might detect something coming in from the network but
>>>>>> if DCOM is not enabled it will not get a response.
>>>>>> Make sure you have a firewall enabled and that the exceptions
>>>>>> are all ones that you know about and need.
>>>>>>
>>>>>> Roger
>>>>>>
>>>>>> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
>>>>>> news:8C507A76-56DC-4FDD-8152-3DDA68BBBFC4@microsoft.com...
>>>>>>> Forgot to mention. I have already looked at the avast forum and i
>>>>>>> can
>>>>>>> only
>>>>>>> find explanations and possible cures and have also tried one and
>>>>>>> currently
>>>>>>> monitoring the solution. I am curious has to why the change?
>>>>>>>
>>>>>>> "PA Bear [MS MVP]" wrote:
>>>>>>>
>>>>>>>> /Where/ is Avast find this?
>>>>>>>>
>>>>>>>> Have you posted about this in Avast User Forums?
>>>>>>>> http://forum.avast.com/
>>>>>>>> --
>>>>>>>> ~Robear Dyer (PA Bear)
>>>>>>>> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
>>>>>>>> AumHa VSOP & Admin http://aumha.net
>>>>>>>> DTS-L http://dts-l.net/
>>>>>>>>
>>>>>>>>
>>>>>>>> LeeG wrote:
>>>>>>>>> In addition could this be being caused due to upgrading to SP3?
>>>>>>>>> I
>>>>>>>>> know
>>>>>>>>> this
>>>>>>>>> type of problem was addressed with sp2 but this seems to coincide
>>>>>>>>> with
>>>>>>>>> the
>>>>>>>>> upgrade to sp3! I have tried a couple of ways to close down the
>>>>>>>>> DCOM
>>>>>>>>> port
>>>>>>>>> 135 but it is still showing as open. Anyone know any
>>>>>>>>> answers/solutions.
>>>>>>>>>
>>>>>>>>> "LeeG" wrote:
>>>>>>>>>
>>>>>>>>>> My Avast online scanner keeps flashing up with a Dcom Exploit
>>>>>>>>>> 88.107.???.???:135 /tcp (the ???.??? keeps changing. 251.156,
>>>>>>>>>> 115.154
>>>>>>>>>> being two of the combinations.) Am I being targeted by someone.

 

[Roger Abell [MVP]]

"LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
news:A7A69DE8-4ACC-48D6-BC12-77E0E211FAB6@microsoft.com...
> Thank you for your reply. You have given the most plausible explanation
> so
> far. If I send a global message to the friends list on facebook, (someone
> on
> the friends list seems like the most obvious source,) can you tell me the
> most likely virus name to inform them to look for?

No, I cannot. This may have nothing whatsoever to do with
emails or websites you have visited. It can be some machine
on the network that "decided" to try at your current IP address,
with no prior awareness of who you are, that you or your comp
exist, etc..
Lee, this stuff happens all the time. It is the source of the personal
firewall, and of the anti-malware industries.

>
> "Roger Abell [MVP]" wrote:
>
>> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
>> news:65E376BB-60A2-42DB-A486-3B1EF00B41A5@microsoft.com...
>> > As far as I can tell Avast is stopping the attempts (therefore I am
>> > protected). So far it has not happened today. What exactly do you
>> > mean
>> > by
>> > "looking at my firewall to see why the packets got that far." Could
>> > someone
>> > be deliberately trying to access my computer this way?
>>
>> Someone could, but more likely someone's machine is via some
>> infection that the owning someone is not even aware is there
>>
>> >
>> > "Roger Abell [MVP]" wrote:
>> >
>> >> Good, then what they are trying, IF Avast is accurately
>> >> reporting, will not work. There was a remote DCOM
>> >> exploit some years back that someone's infected machine
>> >> might be using, among other things, in attempt to spread
>> >> itself. If I were you I would not be thinking this is at all
>> >> related to XP SP3 but I would be looking at my firewall
>> >> to see why the packets got that far.
>> >>
>> >> Roger
>> >>
>> >> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
>> >> news:9977061E-DD51-41A1-94BF-A2067C4EEDDA@microsoft.com...
>> >> >I checked the Dcom setting was unchecked in component services last
>> >> >night
>> >> >but
>> >> > I am still getting the exploit warning. Could someone unscrupulous
>> >> > be
>> >> > trying
>> >> > to access my machine and eventually give up? Could this attack be
>> >> > from
>> >> > someone obtaining my ip address through other sites, for example,
>> >> > facebook.
>> >> > I only ask because my partner signed up recently to it. I have run
>> >> > XP
>> >> > home
>> >> > for quite a while now and this has never cropped up before.
>> >> >
>> >> > "Roger Abell [MVP]" wrote:
>> >> >
>> >> >> You are running XP, and I will assume this is a home machine.
>> >> >> You have no need for DCOM.
>> >> >> Go to Administrative Tools and select Component Services.
>> >> >> When it opens, click into Component Services / Computers
>> >> >> and right click on My Computer and select Properties.
>> >> >> In the My Computer Properties window that opens select
>> >> >> the Default Properties tab and make sure that the checkbox
>> >> >> Enable Distributed COM on this computer is NOT checked.
>> >> >> Avast might detect something coming in from the network but
>> >> >> if DCOM is not enabled it will not get a response.
>> >> >> Make sure you have a firewall enabled and that the exceptions
>> >> >> are all ones that you know about and need.
>> >> >>
>> >> >> Roger
>> >> >>
>> >> >> "LeeG" <lee.gorton(removethis)@hotmail.co.uk> wrote in message
>> >> >> news:8C507A76-56DC-4FDD-8152-3DDA68BBBFC4@microsoft.com...
>> >> >> > Forgot to mention. I have already looked at the avast forum and
>> >> >> > i
>> >> >> > can
>> >> >> > only
>> >> >> > find explanations and possible cures and have also tried one and
>> >> >> > currently
>> >> >> > monitoring the solution. I am curious has to why the change?
>> >> >> >
>> >> >> > "PA Bear [MS MVP]" wrote:
>> >> >> >
>> >> >> >> /Where/ is Avast find this?
>> >> >> >>
>> >> >> >> Have you posted about this in Avast User Forums?
>> >> >> >> http://forum.avast.com/
>> >> >> >> --
>> >> >> >> ~Robear Dyer (PA Bear)
>> >> >> >> MS MVP-IE, Mail, Security, Windows Desktop Experience - since
>> >> >> >> 2002
>> >> >> >> AumHa VSOP & Admin http://aumha.net
>> >> >> >> DTS-L http://dts-l.net/
>> >> >> >>
>> >> >> >>
>> >> >> >> LeeG wrote:
>> >> >> >> > In addition could this be being caused due to upgrading to
>> >> >> >> > SP3?
>> >> >> >> > I
>> >> >> >> > know
>> >> >> >> > this
>> >> >> >> > type of problem was addressed with sp2 but this seems to
>> >> >> >> > coincide
>> >> >> >> > with
>> >> >> >> > the
>> >> >> >> > upgrade to sp3! I have tried a couple of ways to close down
>> >> >> >> > the
>> >> >> >> > DCOM
>> >> >> >> > port
>> >> >> >> > 135 but it is still showing as open. Anyone know any
>> >> >> >> > answers/solutions.
>> >> >> >> >
>> >> >> >> > "LeeG" wrote:
>> >> >> >> >
>> >> >> >> >> My Avast online scanner keeps flashing up with a Dcom Exploit
>> >> >> >> >> 88.107.???.???:135 /tcp (the ???.??? keeps changing.
>> >> >> >> >> 251.156,
>> >> >> >> >> 115.154
>> >> >> >> >> being two of the combinations.) Am I being targeted by
>> >> >> >> >> someone.
>> >> >> >>
>> >> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>>