Author Topic: I get Exploit Blocked message all the time  (Read 3324 times)

Offline Kekurikekaka

  • Newbie
  • *
  • Posts: 3
    • Personal Message (Offline)
I get Exploit Blocked message all the time
« on: March 12, 2010, 10:18:41 PM »
Hello!  :)

I get a exploit blocked message all the time. Maybe once every 5-20 minutes, and its very annoying. Never got this with the old avast. I now run version 100312.

The content of message:
Quote
EXPLOIT BLOCKED

avast! Network Shield has blocked a threat.
No further action is required.

Object: 88.111.44.247:135/tcp
Infection: DCOM Exploit
Action: Blocked

The threat was detected and blocked just before the attack.

This is almost a clean install of Windows 7, with all valid and bought software. All the installed software is the same i had installed before i reformatted the harddrive. The difference is avast.

I have also searched for viruses, with 0 infected files. I've run a open port scanner, and i get full scores with no open ports.

Please, help me stop this message! I like avast, but this popup is killing me..

Offline disPlay

  • Sr. Member
  • ****
  • Posts: 238
  • Gender: Male
  • DISPLAY!
    • Personal Message (Offline)
Re: I get Exploit Blocked message all the time
« Reply #1 on: March 12, 2010, 10:42:17 PM »
The IP Address 88.111.44.247 goes for United Kingdom with the ISP Tiscali UK Limited.And here is the desciption of the 135 port.
Microsoft's DCOM (Distributed, i.e. networked, COM) Service Control Manager (also known as the RPC Endpoint Mapper) uses this port in a manner similar to SUN's UNIX use of port 111. The SCM server running on the user's computer opens port 135 and listens for incoming requests from clients wishing to locate the ports where DCOM services can be found on that machine.
"The quieter you become, the more you are able to hear."

Offline Kekurikekaka

  • Newbie
  • *
  • Posts: 3
    • Personal Message (Offline)
Re: I get Exploit Blocked message all the time
« Reply #2 on: March 12, 2010, 10:45:22 PM »
So what you are saying is that my IP adress is listed som where and people try to attack me by it?

And will it stop if i get my ISP to change my IP?

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21727
  • Gender: Male
    • Personal Message (Offline)
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Online DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69217
  • Gender: Male
  • No support PMs thanks
    • Personal Message (Online)
Re: I get Exploit Blocked message all the time
« Reply #4 on: March 12, 2010, 11:25:49 PM »
It is a DCOM Exploit, which is both random and speculative:
Random in that it is not targeted to your but uses a randomly generated IP address (which has hit upon your IP), your IP address is generated dynamically by your ISP so it is changing so that is why it is random and not targeted.
Speculative in the fact that if your OS is up to date and everything after XP SP2 (and a bit) isn't vulnerable to the exploit, but the speculate that at some point they will hit an IP with an out of date OS.

So this is more of a pain in the rear and avast's network shield has stopped it getting on to your system, why you didn't find anything.

Under normal circumstances your firewall should intercept these exploit attempts and just block them, for whatever reason avast is either loading before the windows 7 firewall (or your firewall) or your firewall is letting it through (possibly file and printer sharing is enabled).

What is your firewall ?
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline Kekurikekaka

  • Newbie
  • *
  • Posts: 3
    • Personal Message (Offline)
Re: I get Exploit Blocked message all the time
« Reply #5 on: March 12, 2010, 11:29:44 PM »
Thanks.

I actually got the very same infected registry item.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.


After searching in Google, i have found out that this is a file in Windows 7, and is not a infected files. All x64 Windiws 7 have this "infection".
I dont want to remove it either, as the guy in the topic you gave me link to had to take a system restore.

Any more ideas? If i cant figure this out soon, i have to change AV  :(

EDIT
I use Windows 7 64 bit with default firewall.

Online DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69217
  • Gender: Male
  • No support PMs thanks
    • Personal Message (Online)
Re: I get Exploit Blocked message all the time
« Reply #6 on: March 12, 2010, 11:37:01 PM »
The registry hit in MBAM is I believe flawed as some people actually make this change not to allow changes to the active desktop if they use it.

I wouldn't remove it either - So I would either report it as a false positive or flag it as Ignore or just take no action on it.

What is a file, what you have posted is a registry entry not a file.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21727
  • Gender: Male
    • Personal Message (Offline)
Re: I get Exploit Blocked message all the time
« Reply #7 on: March 12, 2010, 11:38:14 PM »
quote: http://groups.google.com/group/alt.privacy.spyware/browse_thread/thread/009ef8cc0c7cf3ae

The HKLM\...\NoActiveDesktopChanges registry key above determines
whether or not the users of the machine have the ability to change
their active desktop configuration. There are a large number of
trojans and malware that change that registry entry to "1" in order to
prevent users from removing the displayed content within the active
desktop.  You can also set this to 1 to prevent users from changing
their wallpaper, for instance.  It is not necessarily an indication
that you are compromised, but by default users are allowed to change
their active desktop settings.  The Malwarebytes program flagged the
registry entry because it is more often than not an indication that
malware may be present.  If you are comfortable with the appearance
and functioning of your Windows desktop, and don't plan on allowing
other users to change the desktop settings, then leave the registry
entry set to 1, otherwise set it to zero or allow Malwarebytes to do
it for you.

and DavidR is spot on.....
« Last Edit: March 12, 2010, 11:39:59 PM by Pondus »
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


 

Google Chrome

AVAST recommends using the FREE Google Chrome™ browser.

Download Google Chrome Now