Solved

dcom exploit rpc- winit.exe--- it keeps returning- how to stop it?

Posted on 2004-10-08
7
536 Views
Last Modified: 2013-12-04
recently i noticed the file 'winit.exe' asked Zone Alarm for permission to enter the internet. I gave it a -yes. but that file bothered me. a little while later, i decided to check for trojans and it discovered a trojan in memory- dcom exploit rpc. I deleted it. then i took my av and double checked everything. i looked at win updates and nothing was needed. so i was satisfied.

i also took the precaution of zone alarm- not allowing winit.exe to enter the internet. so i thought i covered everything.

wrong- a day later- i looked at my registry this morning and saw winit.exe was still in the registry, i deleted it. so i did a registry scan for the words - winit.exe and found 7 places it existed. it was located in 'RunServices' which i deleted yesterday. 4 places it was located in the spy programs (possibly as a cautionary description) and the other two places was located in MS\OLE directory.

i will now delete the 'Run Services' and reboot- but i am sure it will return.

what am i overlooking?
0
Comment
Question by:cityman12000
  • 4
  • 3
7 Comments
 

Author Comment

by:cityman12000
ID: 12259390
i think it is gone. i rebooted 2 times and did a registry search and found - winit.exe- did not return to the registry.

i did find a - winitN.exe in the registry but i left it alone.

any other ideas?
0
 
LVL 2

Expert Comment

by:kitisak
ID: 12264884
If you don't need to use RPC DCOM, you should disble it.
Follow this Microsoft's artical : How to disable DCOM support in Windows (http://support.microsoft.com/default.aspx?kbid=825750)
0
 

Author Comment

by:cityman12000
ID: 12270801
Good idea. I will try it out for a few days... but i am not sure i really know what to do- the instructions are... daunting. also i used a wireless network.  i wonder if it will block the connection?
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 2

Expert Comment

by:kitisak
ID: 12273691
OK, you should try and let me know the result please.
0
 

Author Comment

by:cityman12000
ID: 12275048
i look over the instructions and i am relunctant to do it. because i am aftaid to do it so...right now i have scanned several times - virus and trojan and did registry scan and it is not there nor repeating itself.

i also went to grc.com and my ports were closed and in stealth mode. also activated a trojan program for continual surveillance.

this i think will be a good alternative.. i hope

cm
0
 
LVL 2

Accepted Solution

by:
kitisak earned 100 total points
ID: 12278936
Maybe I used to test infected by Blaster before. I use TCPView to check the connection from my PC. You can make sure that you don't have any Blaster in you PC. And use RPC Scanner to scan your PC for vulner.

TCPView : http://www.sysinternals.com/ntw2k/source/tcpview.shtml
Retina RPC Scanner : http://www.eeye.com/html/resources/downloads/download.asp?file=RetinaRPCDCOM

Try it !!!
0
 

Author Comment

by:cityman12000
ID: 12283675
i used retina and all is good. the pcpview is a little confusing but.. it is fine and i am willing to learn.

thanks kitisak
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
suspending the anti virus 6 140
Forensic audit of SBS 2008 3 91
Thin secure Windows 10 5 102
Security Permissions Issues 10 79
Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

827 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question