Author Topic: Problem with DCOM Exploit attack  (Read 11186 times)


malberto

  • Guest
Problem with DCOM Exploit attack
« on: February 20, 2009, 12:21:35 AM »
Hello. My problem is that since last Saturday avast has been showing me warning messages from the Network Shield telling me that I'm being attacked with an exploit. Some of the messages are as follows:
19.02.2009  10:57:39  DCOM Exploit attack, from 10.9.28.100:135
19.02.2009  12:36:26  DCOM Exploit attack, from 10.9.104.20:135
19.02.2009  12:46:48  DCOM Exploit attack, from 10.9.14.72:135
19.02.2009  13:38:14  DCOM Exploit attack, from 10.9.69.163:135
19.02.2009  14:02:40  DCOM Exploit attack, from 10.9.14.72:135
19.02.2009  14:03:41  DCOM Exploit attack, from 10.9.104.20:135
19.02.2009  16:07:12  DCOM Exploit attack, from 10.9.190.239:135
19.02.2009  16:11:55  DCOM Exploit attack, from 10.9.92.170:135
19.02.2009  16:32:47  DCOM Exploit attack, from 10.9.92.170:135
19.02.2009  16:32:52  DCOM Exploit attack, from 10.9.40.140:135
19.02.2009  16:42:09  DCOM Exploit attack, from 10.9.17.245:135
19.02.2009  16:49:27  DCOM Exploit attack, from 10.9.17.245:135

I downloaded Ad-Aware and it detected 13 tracking cookies. I deleted these, but the warnings are still appearing and I no longer know what to do.

I have installed Windows XP+SP3 and some updates, avast 4.8.1332, Ad-Aware 8.0.2 and PC Tools Firewall 5.0.

Help me please!!!
« Last Edit: February 20, 2009, 12:25:03 AM by malberto »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89178
  • No support PMs thanks
Re: Problem with DCOM Exploit attack
« Reply #1 on: February 20, 2009, 01:32:42 AM »
Your firewall in theory should intercept these first (why it isn't is strange); the network shield only monitors ports commonly used for exploits, e.g. DCOM on port 135 in this case.

These are speculative attacks from outside (see edit below) your system, so in theory you shouldn't find anything on your system as it has been blocked by avast. They are speculative in that if you have your OS fully up to date (and yours seems so) then it isn't vulnerable to this particular exploit.

EDIT: Having said this originates from outside your system, this range of IP addresses is special, assigned to "Address Allocation for Private Internets," see https://www.arin.net/documents/knowledge/rfc/rfc1918.txt So is your system on an intranet? If so, one of your systems might be infected.

Personally adaware is a waste of hard disk space and there are better options, see below. The tracking cookies are a very minor issue and one of privacy rather than security, it is just that adaware makes a big deal about them.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, for the first time and report the findings (it should produce a log file).

The latest version of avast is 4.8.1335; unless this is a typo, you should do a manual program update: right click the avast 'a' icon, select Updating, Program Update.
« Last Edit: February 20, 2009, 01:39:43 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
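
Added example, not part of the original thread and not avast code: one way to do the triage the reply above points to, grouping Network Shield alerts by source address and marking sources inside the RFC 1918 private ranges, since those are machines on the local network worth checking for infection. It assumes the alerts are available as text in the format quoted in the first post; the sample lines and addresses are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# The three private ranges defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Format quoted in the first post: "DD.MM.YYYY  HH:MM:SS  <name> attack, from <ip>:<port>"
LINE = re.compile(r"(\d{2}\.\d{2}\.\d{4})[ \t]+(\d{2}:\d{2}:\d{2})[ \t]+"
                  r"(.+?) attack, from (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
# Constructed sample input, not taken from a real log.
SAMPLE = """\
03.03.2009  09:00:01  DCOM Exploit attack, from 10.0.5.20:135
03.03.2009  09:04:17  DCOM Exploit attack, from 203.0.113.7:135
03.03.2009  09:10:44  DCOM Exploit attack, from 10.0.5.20:135
03.03.2009  09:12:30  DCOM Exploit attack, from 192.168.1.50:135
this line is not an alert and is skipped
03.03.2009  09:30:02  DCOM Exploit attack, from 10.0.5.20:135
"""

def is_rfc1918(addr):
    """True if addr lies in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def summarize(text):
    """Group alerts by source address, busiest source first."""
    seen = defaultdict(list)
    for date, time, _name, ip, _port in LINE.findall(text):
        try:
            internal = is_rfc1918(ip)  # raises on e.g. 999.1.1.1
            when = datetime.strptime(f"{date} {time}", "%d.%m.%Y %H:%M:%S")
        except ValueError:
            continue  # malformed address or timestamp
        seen[(ip, internal)].append(when)
    rows = [{"source": ip, "internal": internal, "count": len(ts),
             "first": min(ts), "last": max(ts)}
            for (ip, internal), ts in seen.items()]
    return sorted(rows, key=lambda r: (-r["count"], r["source"]))

def internal_suspects(text):
    """Sources in RFC 1918 space: machines on the local network to check."""
    return [r["source"] for r in summarize(text) if r["internal"]]

if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print(r["source"], r["count"], r["first"], r["last"], r["internal"])
```

A source that keeps reappearing from a private range is a host on the same network that is probing port 135, so it is the machine to scan and patch first.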

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Problem with DCOM Exploit attack
« Reply #2 on: February 20, 2009, 01:44:10 AM »
Messages like:
Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
are due to the RPC/DCOM exploit, which is a vulnerability that allows an attacker to gain access to the destination machine by sending a malformed packet to the DCOM service. It uses the RPC TCP port 135.

Which firewall do you use?
And, most important, is your operating system updated?

You could get this free program from Steve Gibson's site.  This small program will test your PC to see if it's vulnerable.  The link below also explains what DCOM is all about.

Microsoft's DCOM security patch leaves DCOM running...
http://www.grc.com/freeware/dcom.htm
The best things in life are free.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89178
  • No support PMs thanks
Re: Problem with DCOM Exploit attack
« Reply #3 on: February 20, 2009, 02:45:26 AM »
Your questions are answered in his post.
Quote from: malberto
I have installed Windows XP+SP3 and some updates, avast 4.8.1332, Ad-Aware 8.0.2 and PC Tools Firewall 5.0.

sparktronics

  • Guest
Re: Problem with DCOM Exploit attack
« Reply #4 on: February 03, 2010, 06:05:24 PM »
How can you get the log where network shield is reporting these DCOM errors?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89178
  • No support PMs thanks
Re: Problem with DCOM Exploit attack
« Reply #5 on: February 03, 2010, 06:20:17 PM »
Depends on which avast version you are using. What avast version are you using, 4.8 or 5.0?