Topic: DCOM exploit


Offline Mark2234

Newbie, Posts: 4
DCOM exploit
« on: August 28, 2010, 08:04:55 PM »
Hi,

I have been using Avast for more than a year now and have never had this happen before. Every 30 minutes or so, regardless of what I am doing on my laptop, a message will come up saying that a DCOM exploit was stopped.

A bit of background info may be of use:
- The laptop was recently infected with Vundo
- With the help of a kind member at MBAM forums we think we managed to sort it out with Combofix
- Following the virus removal, AntiMalwareBytes deep scan comes back clean, and..
- Windows Defender scan comes back clean, and..
- Spybot Search and Destroy comes back clean (apart from a couple of relatively harmless cookies sometimes), and..
- Avast deep scan and boot scan come back clean (apart from what I have been told is a false positive in C:\hp\bin\endprocess.exe)
- Combofix scan comes back clean

I have since made the following alterations/additions:
- Installed Online Armor firewall (and disabled Windows firewall)
- Installed Spyware Guard
- Removed all old versions of Java and updated to latest
- Added MVPS hosts file list
- Updated all software mentioned above

Any ideas what may be causing it? What can I do to stop it from happening?

Thanks,

Mark

Offline spg SCOTT

Massive Poster, Posts: 4125, "There is no magic, only lost physics"
Re: DCOM exploit
« Reply #1 on: August 28, 2010, 08:17:00 PM »
Hi Mark, welcome to the forum :)

From what I have read here, avast! is doing its job, and preventing the attack from succeeding.

I will steal a more knowledgeable user's answer here:

You're welcome.

DCOM attacks are speculative, not targeted, and try to exploit a vulnerability in an out-of-date OS; if your OS is up to date then you aren't vulnerable to the exploit. That doesn't stop them (usually someone from the same ISP with an infected computer) trying to see if it can infect others.
 
Your firewall should be the first line of defence in this, but avast also monitors common attack ports using the Network Shield, ideally the firewall should block it and avast wouldn't know about it, but for whatever reason avast is first in line over your firewall.


-Scott-
“There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!”Richard Feynman

Offline Asyn

Avast Überevangelist, Certainly Bot, Posts: 69954
>>> Avast Forum - Deutschsprachiger Bereich <<<
Re: DCOM exploit
« Reply #2 on: August 28, 2010, 08:23:50 PM »
From what I have read here, avast! is doing its job, and preventing the attack from succeeding.

Still the firewall should have blocked it before avast...!!
asyn
Win 8.1 [x64] - Avast PremSec 21.3.2459.Beta4 [UI.610] - EEK - Firefox ESR 78.9 [NS/uBO/PB] - TB 78.9
Avast-Tools: Secure Browser 89.1 - Cleanup 21.1 - SecureLine 5.11 - Driver Updater 21.1 - CCleaner 5.78
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Pondus

Probably Bot, Posts: 36993
Re: DCOM exploit
« Reply #3 on: August 28, 2010, 08:30:03 PM »

Offline spg SCOTT

Massive Poster, Posts: 4125
Re: DCOM exploit
« Reply #4 on: August 28, 2010, 08:31:58 PM »
From what I have read here, avast! is doing its job, and preventing the attack from succeeding.

Still the firewall should have blocked it before avast...!!
asyn

Yes, but if you read the quote from DavidR, it appears that avast! beats the firewall to it...at least that is how I understand it.

Offline Pondus

Probably Bot, Posts: 36993
Re: DCOM exploit
« Reply #5 on: August 28, 2010, 08:36:23 PM »
Your firewall should be the first line of defence in this, but avast also monitors common attack ports using the Network Shield, ideally the firewall should block it and avast wouldn't know about it, but for whatever reason avast is first in line over your firewall.

Yes, but if you read the quote from DavidR, it appears that avast! beats the firewall to it...at least that is how I understand it.

So if you turn on your router firewall, you won't see this?
« Last Edit: August 28, 2010, 08:38:01 PM by Pondus »

Offline Asyn

Avast Überevangelist, Certainly Bot, Posts: 69954
Re: DCOM exploit
« Reply #6 on: August 28, 2010, 08:37:50 PM »
Yes, but if you read the quote from DavidR, it appears that avast! beats the firewall to it...at least that is how I understand it.

A good firewall shouldn't be 'beaten' by an AV (or its setup is faulty).
Or does the OP use AIS..? As he doesn't refer to which program pops up with this message...
Is it avast after all..??
asyn

Offline DavidR

Avast Überevangelist, Certainly Bot, Posts: 84764, No support PMs thanks
Re: DCOM exploit
« Reply #7 on: August 28, 2010, 08:48:41 PM »
DCOMbobulator
http://www.grc.com/freeware/dcom.htm

Won't make a blind bit of difference, as it doesn't stop the external attempt (which the Network Shield will detect, if not done by the firewall), as this is an internal tool.
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.2.2455 (build 21.2.6096.648) UI 1.0.608/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline spg SCOTT

Massive Poster, Posts: 4125
Re: DCOM exploit
« Reply #8 on: August 28, 2010, 08:53:26 PM »
Yes, but if you read the quote from DavidR, it appears that avast! beats the firewall to it...at least that is how I understand it.

A good firewall shouldn't be 'beaten' by an AV (or its setup is faulty).

Or maybe avast! is just that good ;)
I presume that in OA you could create a rule that blocks that port completely. That would do it, I suppose...or the router firewall might, as Pondus suggests?
Quote
Or does the OP use AIS..? As he doesn't refer to which program pops up with this message...
Is it avast after all..??
asyn
I'd guess either Free or Pro...since the OP says they have Online Armor installed.

-Scott-

Offline Asyn

Avast Überevangelist, Certainly Bot, Posts: 69954
Re: DCOM exploit
« Reply #9 on: August 28, 2010, 09:01:22 PM »
1. Or maybe avast! is just that good ;)
2. I presume that in OA you could create a rule that blocks that port completely. That would do it, I suppose...or the router firewall might, as Pondus suggests?
3. I'd guess either Free or Pro...since the OP says they have Online Armor installed.

1. It sure is very good, as it blocks DCOM, which should have been blocked by the firewall.
But as said, the FW should block it first...!!!
2. True and yes.
3. Let's wait for a reply, I saw some rather confused users here already... ;)
asyn

Offline DavidR

Avast Überevangelist, Certainly Bot, Posts: 84764, No support PMs thanks
Re: DCOM exploit
« Reply #10 on: August 28, 2010, 09:07:52 PM »
The order in which things run would, I guess, be down to Windows, and may or may not have to do with which was installed first, but it is a bit like black magic as there doesn't appear to be any reasoning in it.

Blocking the port in OA would be the same as using DCOMbobulator: since avast is getting in first, it would alert before the OA block (or DCOMbobulator) got a look in.

@ Mark2234
If you have avast 4.8 I would suggest now would be a good time to update to avast 5.0, if you already have avast 5.0 then, all I can suggest is that you leave OA installed and do a clean reinstall of avast:
This assumes you are using the free version of avast - Download the latest version of avast, 5.0.594 http://www.avast.com/free-antivirus-download and save it to your HDD, somewhere you can find it again (if you didn't save your last download). Use that when you reinstall.

- Download the avast! Uninstall Utility, aswClear5.exe find it here and save it to your HDD (it has uninstall tools for both 4.8 and 5.0).
  • 1. Now uninstall (using add remove programs, if you can't do that start from the next step), reboot.
  • 2. run the avast! Uninstall Utility from safe mode, first for 4.8 if previously installed and then for 5.0, once complete reboot into normal mode.
  • 3. install the latest version, reboot.
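A concrete way to check the exposure Scott and DavidR are discussing above (what is actually listening on the DCOM/RPC port, whether DCOM is enabled the way DCOMbobulator toggles it, and whether the host firewall has an explicit inbound block) is the following, added here as an example; it is not part of the thread and not Avast's, Online Armor's or GRC's own tooling. It assumes an elevated PowerShell prompt on Vista/7 or later (XP's `netsh firewall` syntax differs), and the firewall rule name is my own choice.

```powershell
# Added example: triage an "inbound DCOM exploit" alert on a Windows host.
# Assumptions: elevated PowerShell on Vista/7 or later; rule name is arbitrary.

# 1. What is bound to TCP 135 (the RPC endpoint mapper the probes target)?
#    On every Windows box this is svchost.exe hosting RpcSs; it cannot be stopped,
#    only shielded, so the answer is expected to be a LISTENING line with a PID.
netstat -ano -p TCP | Select-String ':135\s'

# 2. Is DCOM itself enabled? DCOMbobulator flips this value from "Y" to "N".
#    "N" refuses remote COM activation but does NOT close TCP 135, which is why
#    the Network Shield (or firewall) still sees the probe either way.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM |
    Select-Object -ExpandProperty EnableDCOM

# 3. Which firewall profile is active, and is it on? Unsolicited inbound 135 is
#    dropped by the default Windows Firewall policy, but OA replaced it here.
netsh advfirewall show currentprofile

# 4. Explicit inbound block for the RPC/SMB port set on the Public profile, so a
#    probe is answered by the firewall before the AV shield ever sees it.
$ruleName = 'Block inbound RPC/SMB (DCOM probes)'   # our own name
netsh advfirewall firewall add rule name="$ruleName" dir=in action=block `
    protocol=TCP localport=135,139,445 profile=public

# 5. Confirm the rule was created.
netsh advfirewall firewall show rule name="$ruleName"
```

Extending the rule to the Private profile also stops the probes while on a home network, at the cost of breaking Windows file and printer sharing with other machines on that LAN; on a home network the router is the better place to drop it, which is the point Pondus and Gargamel360 make. If Online Armor rather than Windows Firewall is the active host firewall, the equivalent block goes into OA's rule set, but steps 1 to 3 still tell you what the alert is actually about.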

Offline Mark2234

Newbie, Posts: 4
Re: DCOM exploit
« Reply #11 on: August 30, 2010, 05:26:58 AM »
Thanks for your input everyone, and sorry for the delayed reply! Unexpectedly busy the last couple of days.

Anyway, I had the latest Avast, the free version currently (as well as all windows updates which I think I forgot to mention). I have uninstalled via David's instructions and reinstalled. I will let you know if the DCOM exploit warnings continue!

Thanks,

Mark

Offline DavidR

Avast Überevangelist, Certainly Bot, Posts: 84764, No support PMs thanks
Re: DCOM exploit
« Reply #12 on: August 30, 2010, 04:17:18 PM »
You're welcome, good luck.

Offline Mark2234

Newbie, Posts: 4
Re: DCOM exploit
« Reply #13 on: August 31, 2010, 04:50:08 AM »
Unfortunately I'm still getting a few of the messages! Any ideas?

Offline Gargamel360

Avast Evangelist, Super Poster, Posts: 2346, "Memento Mori"
Re: DCOM exploit
« Reply #14 on: August 31, 2010, 05:05:58 AM »
Do you use a router with a firewall, or are you hooked directly to a cable modem?

An external firewall might help, provided you don't already have one.
Signature?  But I gots no pen....