I’m on Windows 7, 64-bit and for about the past week I’ve been receiving the following warning message every hour or two:
Network Shield: blocked “DCOM Exploit” - Attack from 74.214.11:135/tcp
The ip varies, but this was the latest message I received. I’ve read through all the other threads regarding this topic and have done the following:
Ensured Windows is up-to-date
Ensured Windows Firewall is enabled
Ran a thorough virus and Ad-Aware scan, with nothing malicious found
Ran DCOMbobulator
Disabled DCOM through Windows Component Services and verified it was disabled in Regedit
Even after disabling and rebooting, I’m still receiving the errors. I also ran the DCOMbobulator “Remote Port 135 Test” again after all of the steps above, and am still receiving a warning message that the port is open.
As far as security goes, I have the latest version and updates for Avast, Ad-Aware and just using the Microsoft Firewall included with Win 7.
You did not remove it, your log says “no action taken”; you have to click the button “remove selected” after the scan to quarantine the infection.
did it solve your problem?
DCOM exploits are external, random and speculative and may end as quickly as they started. Your firewall should really get in on the act first, but consider the avast Network Shield another line of defence, why it happens to get in before the Vista Firewall I don’t know.
Vista in itself isn’t vulnerable to the DCOM exploit, though that doesn’t stop the random, speculative attempts in the hope of hitting a system that is vulnerable.
The IP reported in the attack belongs to SOUTHEAST TELEPHONE INCORPORATED, I presume that is your ISP or they provide the connection for the ISP. They personally aren’t attacking you but most likely one of their customers system is infected and trying to infect others.
Thanks for the info and for identifying the IP. I find it strange that Windows 7 Firewall isn’t stopping it either.
As for removing the critical item above, that was a bad idea. I later rebooted my pc and ended up having to do a system restore because I couldn’t access any applications, including the command prompt, task manager, and control panel. I should have Googled it first because others are saying this is a false positive.
Now that I’ve restored to the previous state, I’m guessing the alert will come back but will let you know.
You can enter the MBAM Quarantine area and restore it.
For some that setting could be an indication of malicious intent, for others it is a setting that they want, unfortunately scanners can’t determine intent, that is down to a user to decide. If it does happen to come back, now you know you can add it to the Ignore list.
As I said it is external, random and speculative.
Disabling the service as far as I’m aware doesn’t close the port and in general you don’t want to physically close a port, just not respond to contact by external traffic that didn’t originate from your system as that just tells them that there is something there as the port is closed.
Do you have a router that also has a firewall (as that may have the port open)?
What is actually telling you that port 235 is open ?
Check out ShieldsUp at grc.com which checks if your system is stealthed.
Oh! I figured disabling the service would have stopped it.
I’m using a Linksys Wireless G router, but no ports have been manually opened. But if you say I don’t want to close it, then I won’t mess with it. The alerts are just more of an annoyance than anything else.
I used ‘Remote Port 135 Test’ in DCOMbobulator (http://www.grc.com/freeware/dcom.htm), which shows the port is open to the public internet. Oddly, I have another PC that I work on simultaneously throughout the day… same operating system, identical setup in terms of firewall and anti-virus. The other computer does not receive these warnings. I also tried the DCOMbobulator remote port test on that PC, and it indicates that port 135 is closed.
Thanks for pointing me to ShieldsUp. I’ll give that a shot and post back.
Edit: I should have mentioned earlier that on the PC experiencing this trouble, I use a private VPN service. I’ve used this service for about 5 months now with no problems though, but might have something to do with the issue here.
Well there we have it! Looks like it is the VPN service that is causing the problem. When I ran the ShieldsUp test, there were a few alerts about ports 135, 139 and 445 being open. When I disabled the VPN and ran the test again, everything looked good.
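The replies above distinguish three states for a port like 135: answering (open), refusing (closed, which still reveals a host is there) and not answering at all (what ShieldsUp calls stealth). The following is an added example, not code from the thread or from GRC, that reproduces that classification with a plain TCP connect so you can check your own machine; the localhost listener and the demo() helper are constructed here purely so it runs offline.

```python
"""Classify a TCP port the way ShieldsUp reports it: open / closed / stealth."""
import socket
import threading
from typing import Dict, Tuple

# Ports named in the thread: RPC endpoint mapper (135), NetBIOS session (139), SMB (445).
WINDOWS_RPC_SMB_PORTS = (135, 139, 445)


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' or 'stealth' for one TCP port on host.

    open    - the connect completed: something is listening and reachable.
    closed  - the host answered with a reset (connection refused): nothing is
              listening, but the reply itself confirms a machine is there.
    stealth - no answer before the timeout: a firewall dropped the packet,
              which is the state the earlier reply recommends.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError:
        # e.g. no route to host: nothing answered, treat like a dropped packet
        return "stealth"


def probe_ports(host: str, ports=WINDOWS_RPC_SMB_PORTS, timeout: float = 2.0) -> Dict[int, str]:
    """Probe several ports (by default the three from the thread) and map port -> state."""
    return {p: probe_port(host, p, timeout) for p in ports}


def _serve_once(port_holder: list, ready: threading.Event) -> None:
    """Constructed helper: a throwaway listener on 127.0.0.1 so the demo needs no network."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # port 0 = let the OS pick a free port
    srv.listen(1)
    port_holder.append(srv.getsockname()[1])
    ready.set()
    conn, _ = srv.accept()
    conn.close()
    srv.close()


def demo() -> Tuple[str, str]:
    """Show 'open' versus 'closed' on localhost; 'stealth' needs a real firewall in the path."""
    holder, ready = [], threading.Event()
    threading.Thread(target=_serve_once, args=(holder, ready), daemon=True).start()
    ready.wait()
    open_result = probe_port("127.0.0.1", holder[0])
    # Reserve and release an ephemeral port so we know nothing listens on it.
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    free_port = s.getsockname()[1]
    s.close()
    return open_result, probe_port("127.0.0.1", free_port)
```

Run probe_ports() from a second machine outside your LAN (or over the VPN exit) against your public address to see what the internet sees; from inside the LAN it only tells you about the host itself.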