Author Topic: ZoneAlarm......final answer  (Read 12700 times)


cartel

  • Guest
Re: ZoneAlarm......final answer
« Reply #15 on: May 08, 2005, 04:47:49 PM »
Cool, thanks that did help but 1 more left......
Distributed COM Services ?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: ZoneAlarm......final answer
« Reply #16 on: May 08, 2005, 04:50:13 PM »
As far as I know there is no requirement for DCOM to access the net. You might want to go here to download the DCOMbobulator:
http://www.grc.com/dcom/intro.htm

It also has further data on DCOM

Quote
What does DCOM do for you?

Well let's see . . . it attracts Internet worms and permits your system to be remotely compromised by malicious hackers. Other than that, it's of absolutely no practical use other than to adorn Microsoft's "We Have That Too" chart. There may be some custom corporate application developers who have managed to make some use of it, but mostly no one ever has. Nonetheless, it's there in Windows so that the competitors' CORBA isn't.

The DCOMbobulator will help everyone test
their DCOM patches and finally turn DCOM off.

cartel

  • Guest
Re: ZoneAlarm......final answer
« Reply #17 on: May 08, 2005, 05:02:23 PM »
It is running with "ashserv.exe".
Is the DCOMbobulator for 98SE?
I thought it's for XP.

Process   PID   CPU   Description   Command Line   Version   Window Status
Idle   0x0   91.81   System Idle Process         
DDHELP.EXE   0xFFFCCB09      Microsoft DirectX Helper   ddhelp.exe   4.09.0000.0900   
RUNDLL32.EXE   0xFFFBAEB5      Run a DLL as an App   rundll32    4.10.0000.1998   
PSTORES.EXE   0xFFF8AF35      Protected storage server   C:\WINDOWS\SYSTEM\PSTORES.EXE   5.00.1877.0003   
KERNEL32.DLL   0xFFCF8691   0.57   Win32 Kernel core component      4.10.0000.2222   
 MSGSRV32.EXE   0xFFFFF22D      Windows 32-bit VxD Message Server      4.10.0000.2222   
  MPREXE.EXE   0xFFFFCFB9      WIN32 Network Interface Service Process   C:\WINDOWS\SYSTEM\MPREXE.EXE   4.10.0000.1998   
   VSMON.EXE   0xFFFE87E5   1.14   TrueVector Service   C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service   4.05.0594.0000   
   ASHSERV.EXE   0xFFFE200D   0.38   avast! antivirus service   "C:\Program Files\Alwil Software\Avast4\ashServ.exe"   4.06.0622.0000   
    RPCSS.EXE   0xFFFC44CD      Distributed COM Services   RPCSS   4.71.2900.0000   
  EXPLORER.EXE   0xFFFECC65   0.19   Windows Explorer   C:\WINDOWS\Explorer.exe   4.72.3612.1700   Running
   SYSTRAY.EXE   0xFFFDDF8D      System Tray Applet   "C:\WINDOWS\SYSTEM\SysTray.Exe"    4.10.0000.2224   
   TASKMON.EXE   0xFFFDC48D      Task Monitor   "C:\WINDOWS\taskmon.exe"    4.10.0000.1998   
   ZLCLIENT.EXE   0xFFFC911D   1.33   Zone Labs Client   "C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe"    4.05.0594.0000   
   ASHWEBSV.EXE   0xFFFC5419      avast! Web Scanner   "C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE"    4.06.0652.0000   
   PROCEXP.EXE   0xFFF88F81   4.57   Sysinternals Process Explorer   "C:\Utilities\Sysinternals\process\procexp.exe"    8.06.0001.0000   Running
   IEXPLORE.EXE   0xFFF84675      Internet Explorer   "C:\PROGRA~1\INTERN~1\iexplore.exe"   6.00.2800.1106   Running
  mmtask.tsk   0xFFFE2709      Multimedia background task support module      4.03.0000.1998   

Process: RPCSS.EXE Pid: FFFC44CD

Type   Name   Handle   Access
Device   WSOCK2    0x60   0x00000000
Event      0x10   0x001F0003
Event      0x18   0x001F0003
Event      0xA0   0x001F0003
Event      0xA8   0x001F0003
Event      0xB0   0x001F0003
Event      0xB8   0x001F0003
Event      0xC8   0x001F0003
Event   RPCSS_Initialized_Successfully   0xD0   0x001F0003
Event      0xD8   0x001F0003
Event      0xE4   0x001F0003
Event      0xEC   0x001F0003
File   C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT   0x7C   0x00000133
File   C:\WINDOWS\COOKIES\INDEX.DAT   0x88   0x00000133
File   C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT   0x94   0x00000133
MappedFile   rpcrt4sharedmem   0x14   0x00000000
MappedFile   fileAllocatorMutex   0x40   0x00000000
MappedFile   DCOMSharedGlobals12321   0x48   0x00000000
MappedFile   fileAllocatorMutex   0x50   0x00000000
MappedFile   C:_WINDOWS_Temporary Internet Files_Content.IE5_index.dat_65536   0x80   0x00000000
MappedFile   C:_WINDOWS_Cookies_index.dat_32768   0x8C   0x00000000
MappedFile   C:_WINDOWS_History_History.IE5_index.dat_32768   0x98   0x00000000
MappedFile   nView Shared Memory   0xF8   0x00000000
Mutex   nView Shared Desk Mutex   0x100   0x001F0001
Mutex   nView Shared Trans Mutex   0x104   0x001F0001
Mutex   MsnSspcPrivatePwdMutex   0x1C   0x001F0001
Mutex      0x20   0x001F0001
Mutex   OleCoSharedStateMtx   0x24   0x001F0001
Mutex   OLESCMSRVREGLISTMUTEX   0x28   0x001F0001
Mutex   OLESCMGETHANDLEMUTEX   0x2C   0x001F0001
Mutex   OLESCMROTMUTEX   0x30   0x001F0001
Mutex   OleDfSharedMemoryMutex   0x34   0x001F0001
Mutex   ScmWIPMutex   0x38   0x001F0001
Mutex   ObjectResolverGlobalMutex   0x44   0x001F0001
Mutex   Winsock2ProtocolCatalogMutex   0x54   0x001F0001
Mutex   Winsock2ProtocolCatalogMutex   0x58   0x001F0001
Mutex   WininetConnectionMutex   0x68   0x001F0001
Mutex      0x6C   0x001F0001
Mutex   WininetProxyRegistryMutex   0x70   0x001F0001
Mutex   _!MSFTHISTORY!_   0x74   0x001F0001
Mutex   c:!windows!temporary internet files!content.ie5!   0x78   0x001F0001
Mutex   RPCSS_RUNNING   0x8   0x001F0001
Mutex   c:!windows!cookies!   0x84   0x001F0001
Mutex   c:!windows!history!history.ie5!   0x90   0x001F0001
Mutex   WininetStartupMutex   0x9C   0x001F0001
Mutex   OLESCMLOCKMUTEX   0xC   0x001F0001
Mutex   MPRMutex   0xD4   0x001F0001
Mutex      0xDC   0x001F0001
Mutex      0xE8   0x001F0001
Mutex      0xF0   0x001F0001
Mutex   nView Shared Memory Mutex   0xFC   0x001F0001
Process   RPCSS.EXE(FFFC44CD)   0x4   0x001F0FFF
Semaphore   DocfileAllocatorMutex   0x3C   0x001F0003
Semaphore   DocfileAllocatorMutex   0x4C   0x001F0003
Semaphore      0xB4   0x001F0003
Semaphore   PowerProfileRegistrySemaphore   0xF4   0x001F0003
Socket      0x64   0x00001130
Socket      0xA4   0x00001130
Thread   RPCSS.EXE(FFFC44CD): FFFC4291   0x5C   0x001F03FF
Thread   RPCSS.EXE(FFFC44CD): FFFA26BD   0xAC   0x00000000
Thread   RPCSS.EXE(FFFC44CD): FFFA26BD   0xBC   0x001F03FF
Thread   RPCSS.EXE(FFFC44CD): FFFA2239   0xC0   0x00000000
Thread   RPCSS.EXE(FFFC44CD): FFFA3949   0xC4   0x00000000
Thread   RPCSS.EXE(FFFC44CD): FFFA2F5D   0xCC   0x00000000
« Last Edit: May 08, 2005, 05:08:47 PM by Cartel »

Offline essexboy

Re: ZoneAlarm......final answer
« Reply #18 on: May 08, 2005, 05:10:08 PM »
DCOM is disabled on my system with no adverse effects. DCOMbobulator is for all versions of Windows. Your DCOM appears to be running as a subprocess of rpcss.exe, which is not a file held on XP; however, I do have an rpcss.dll on my system.

Info about RPCSS.exe here  http://www.cexx.org/rpc.htm

cartel

  • Guest
Re: ZoneAlarm......final answer
« Reply #19 on: May 08, 2005, 05:15:03 PM »
I took ashserv.exe out of the startup and rebooted and rpcss is gone.........


Process   PID   CPU   Description   Command Line   Version   Window Status   Window Title   Company Name   Path
Idle   0x0   93.93   System Idle Process                  
RUNDLL32.EXE   0xFFFC860D      Run a DLL as an App   rundll32    4.10.0000.1998         Microsoft Corporation   C:\WINDOWS\RUNDLL32.EXE
DDHELP.EXE   0xFFFC7F21      Microsoft DirectX Helper   ddhelp.exe   4.09.0000.0900         Microsoft Corporation   C:\WINDOWS\SYSTEM\DDHELP.EXE
KERNEL32.DLL   0xFFCF867D   0.78   Win32 Kernel core component      4.10.0000.2222         Microsoft Corporation   C:\WINDOWS\SYSTEM\KERNEL32.DLL
 MSGSRV32.EXE   0xFFFFF2C1      Windows 32-bit VxD Message Server      4.10.0000.2222         Microsoft Corporation   C:\WINDOWS\SYSTEM\MSGSRV32.EXE
  MPREXE.EXE   0xFFFFCF55      WIN32 Network Interface Service Process   C:\WINDOWS\SYSTEM\MPREXE.EXE   4.10.0000.1998         Microsoft Corporation   C:\WINDOWS\SYSTEM\MPREXE.EXE
   VSMON.EXE   0xFFFE6BC9   0.39   TrueVector Service   C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service   4.05.0594.0000         Zone Labs Inc.   C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
  EXPLORER.EXE   0xFFFEA44D   0.39   Windows Explorer   C:\WINDOWS\Explorer.exe   4.72.3612.1700   Running   Program Manager   Microsoft Corporation   C:\WINDOWS\EXPLORER.EXE
   ASHWEBSV.EXE   0xFFFDED99   0.20   avast! Web Scanner   "C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE"    4.06.0652.0000         ALWIL Software   C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
   SYSTRAY.EXE   0xFFFD451D      System Tray Applet   "C:\WINDOWS\SYSTEM\SysTray.Exe"    4.10.0000.2224         Microsoft Corporation   C:\WINDOWS\SYSTEM\SYSTRAY.EXE
   TASKMON.EXE   0xFFFD44C1      Task Monitor   "C:\WINDOWS\taskmon.exe"    4.10.0000.1998         Microsoft Corporation   C:\WINDOWS\TASKMON.EXE
   ZLCLIENT.EXE   0xFFFC1285   0.59   Zone Labs Client   "C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe"    4.05.0594.0000         Zone Labs Inc.   C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
   PROCEXP.EXE   0xFFFBBCED   3.72   Sysinternals Process Explorer   "C:\Utilities\Sysinternals\process\procexp.exe"    8.06.0001.0000   Running   Process Explorer - Sysinternals: www.sysinternals.com   Sysinternals   C:\UTILITIES\SYSINTERNALS\PROCESS\PROCEXP.EXE
  mmtask.tsk   0xFFFE27E5      Multimedia background task support module      4.03.0000.1998         Microsoft Corporation   C:\WINDOWS\SYSTEM\mmtask.tsk
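The two Process Explorer listings posted in this thread can be compared mechanically to confirm which processes disappeared and what their parents were. This is an added example, not part of any post; the sample text is constructed from the first two columns of the listings above, and `parse_tree` / `diff_trees` are hypothetical helper names.

```python
# Constructed sample: name and PID columns from the two listings in the thread.
# Fields are tab-separated; leading spaces encode depth in the process tree.
BEFORE = (
    "Idle\t0x0\n"
    "KERNEL32.DLL\t0xFFCF8691\n"
    " MSGSRV32.EXE\t0xFFFFF22D\n"
    "  MPREXE.EXE\t0xFFFFCFB9\n"
    "   VSMON.EXE\t0xFFFE87E5\n"
    "   ASHSERV.EXE\t0xFFFE200D\n"
    "    RPCSS.EXE\t0xFFFC44CD\n"
    "  EXPLORER.EXE\t0xFFFECC65\n"
    "   ASHWEBSV.EXE\t0xFFFC5419\n"
)
AFTER = (
    "Idle\t0x0\n"
    "KERNEL32.DLL\t0xFFCF867D\n"
    " MSGSRV32.EXE\t0xFFFFF2C1\n"
    "  MPREXE.EXE\t0xFFFFCF55\n"
    "   VSMON.EXE\t0xFFFE6BC9\n"
    "  EXPLORER.EXE\t0xFFFEA44D\n"
    "   ASHWEBSV.EXE\t0xFFFDED99\n"
)

def parse_tree(text):
    """Map each process name to its ancestor chain (root first, parent last).

    Assumes process names are unique within one listing, as they are here.
    """
    chains, stack = {}, []  # stack[d] is the most recent process seen at depth d
    for line in text.splitlines():
        if not line.strip():
            continue
        depth = len(line) - len(line.lstrip(" "))
        name = line.strip().split("\t")[0]
        del stack[depth:]           # leave the previous sibling's subtree
        chains[name] = list(stack)  # whatever remains is this process's ancestry
        stack.append(name)
    return chains

def diff_trees(before, after):
    """Report processes that vanished, appeared, or changed parent."""
    b, a = parse_tree(before), parse_tree(after)
    return {
        "gone": {n: b[n] for n in b if n not in a},
        "new": {n: a[n] for n in a if n not in b},
        "moved": {n: (b[n], a[n]) for n in b if n in a and b[n] != a[n]},
    }

if __name__ == "__main__":
    for kind, items in diff_trees(BEFORE, AFTER).items():
        print(kind, items)
```
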

Offline essexboy

Re: ZoneAlarm......final answer
« Reply #20 on: May 08, 2005, 05:17:55 PM »
OK, must be a 98SE thing. Hopefully someone else who runs 98SE can provide you with an answer. Although I used to run 98 without DCOM and avast with no probs, but that was a few years back.

cartel

  • Guest
Re: ZoneAlarm......final answer
« Reply #21 on: May 08, 2005, 05:36:14 PM »
1 other thing........it says ashserv and web scanner aren't running ????????

cartel

  • Guest
Re: ZoneAlarm......final answer
« Reply #22 on: May 08, 2005, 05:47:49 PM »
Here's some open ports too ?
TCP   :135         :0   LISTENING      
TCP   :1025   :0   LISTENING      
TCP   :12080   :0   LISTENING   

Offline essexboy

Re: ZoneAlarm......final answer
« Reply #23 on: May 08, 2005, 05:53:47 PM »
Unfortunately now I am lost, because in XP they start as services. The open listening ports are part of DCOM/RPCSS. Can you start ASHSERV from the programme folder, and did you reset Avast at start up?