Solved

dcom exploit rpc- winit.exe--- it keeps returning- how to stop it?

Posted on 2004-10-08
7
539 Views
Last Modified: 2013-12-04
recently i noticed the file 'winit.exe' asked Zone Alarm for permission to enter the internet. I gave it a -yes. but that file bothered me. a little while later, i decided to check for trojans and it discovered a trojan in memory- dcom exploit rpc. I deleted it. then i took my av and double checked everything. i looked at win updates and nothing was needed. so i was satisfied.

i also took the precaution of zone alarm- not allowing winit.exe to enter the internet. so i thought i covered everything.

wrong- a day later- i looked at my registry this morning and saw winit.exe was still in the registry, i deleted it. so i did a registry scan for the words - winit.exe and found 7 places it existed. it was located in 'RunServices' which i deleted yesterday. 4 places it was located in the spy programs (possibly as a cautionary description) and the other two places was located in MS\OLE directory.

i will now delete the 'Run Services' and reboot- but i am sure it will return.

what am i overlooking?
0
Comment
Question by:cityman12000
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 

Author Comment

by:cityman12000
ID: 12259390
i think it is gone. i rebooted 2 times and did a registry search and found - winit.exe- did not return to the registry.

i did find a - winitN.exe in the registry but i left it alone.

any other ideas?
0
 
LVL 2

Expert Comment

by:kitisak
ID: 12264884
If you don't need to use RPC DCOM, you should disble it.
Follow this Microsoft's artical : How to disable DCOM support in Windows (http://support.microsoft.com/default.aspx?kbid=825750)
0
 

Author Comment

by:cityman12000
ID: 12270801
Good idea. I will try it out for a few days... but i am not sure i really know what to do- the instructions are... daunting. also i used a wireless network.  i wonder if it will block the connection?
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 2

Expert Comment

by:kitisak
ID: 12273691
OK, you should try and let me know the result please.
0
 

Author Comment

by:cityman12000
ID: 12275048
i look over the instructions and i am relunctant to do it. because i am aftaid to do it so...right now i have scanned several times - virus and trojan and did registry scan and it is not there nor repeating itself.

i also went to grc.com and my ports were closed and in stealth mode. also activated a trojan program for continual surveillance.

this i think will be a good alternative.. i hope

cm
0
 
LVL 2

Accepted Solution

by:
kitisak earned 100 total points
ID: 12278936
Maybe I used to test infected by Blaster before. I use TCPView to check the connection from my PC. You can make sure that you don't have any Blaster in you PC. And use RPC Scanner to scan your PC for vulner.

TCPView : http://www.sysinternals.com/ntw2k/source/tcpview.shtml
Retina RPC Scanner : http://www.eeye.com/html/resources/downloads/download.asp?file=RetinaRPCDCOM

Try it !!!
0
 

Author Comment

by:cityman12000
ID: 12283675
i used retina and all is good. the pcpview is a little confusing but.. it is fine and i am willing to learn.

thanks kitisak
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Firewall -- detecting ex-owner activity ? 1 71
Can Viruses spread while transferring Binary data with Winsock 2 107
How to implement SSO? 22 89
is this a virus? 3 111
Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question