On Windows XP I use Avast 4.7 HE and (usually) Windows firewall. Due to a mix-up with firewall settings I was connected to the internet temporarily without the firewall being on. I immediately was hit with this Avast message:-
DCOM exploit attack from XX.XXX.XX.XXX (IP address).
I immediately disconnected, set firewall on and ran Avast virus check…it came back with nothing malicious. I assumed (incorrectly I guess) that Avast had operated as an IDS and blocked anything dangerous coming in. However when I rebooted and then tried to connect to the internet I noticed that my firewall was set as default off. I ran Spybot search and destroy and it found that 3 or 4 registry changes had happened including setting on start up my firewall and virus check off. I removed these and reran Avast virus check and all looked OK. I have rebooted again and it looks like the issue is resolved, firewall is back on OK but I am not so sure everything is OK as I am puzzled as to why something got onto my machine (to change registry settings) when Avast is blocking (I thought).
I have run Hijackthis and it has created the attached which looks to me to be OK as I can’t see anything serious.
My question is do I have anything to be worried about still or am I clear?
This looks like the Network Shield at work and it has done what it was designed to do: block entry to known virus/worm exploit entry points. So there should be nothing on your system.
I doubt that these registry changes were made by this particular attempt as it was blocked but at some point this occurred.
What concerns me is why your firewall didn’t catch this.
Having had a quick look at your HJT log, you have two resident AV installed. Having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable. You should uninstall McAfee and reboot, you can then do a custom install and don’t include the AV component of the McAfee suite, this will ensure no conflict. Since the McAfee also failed to catch the DCOM exploit attempt I have my reservations as to if you might be better off completely removing McAfee and use another firewall.
You should post the contents rather than attach a file (it might need to be broken over two posts) so people can see it without having to download an unknown file.
There are those who consider MyWay search bar to be adware, other than that I don’t see anything obvious.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK
As I mentioned my firewall was off when I connected (was wavering between McAfee and Windows firewalls…I didn’t notice until too late) so that explains why it wasn’t working first time. I am going to uninstall McAfee to prevent any future confusions & stick with Windows firewall.
Will bear in mind the comment re posting the hijack file in future.
Well, the XP firewall has no outbound protection so you have other things to be concerned with.
Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.