Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

dcom exploit rpc- winit.exe--- it keeps returning- how to stop it?

Posted on 2004-10-08
7
Medium Priority
?
553 Views
Last Modified: 2013-12-04
recently i noticed the file 'winit.exe' asked Zone Alarm for permission to enter the internet. I gave it a -yes. but that file bothered me. a little while later, i decided to check for trojans and it discovered a trojan in memory- dcom exploit rpc. I deleted it. then i took my av and double checked everything. i looked at win updates and nothing was needed. so i was satisfied.

i also took the precaution of zone alarm- not allowing winit.exe to enter the internet. so i thought i covered everything.

wrong- a day later- i looked at my registry this morning and saw winit.exe was still in the registry, i deleted it. so i did a registry scan for the words - winit.exe and found 7 places it existed. it was located in 'RunServices' which i deleted yesterday. 4 places it was located in the spy programs (possibly as a cautionary description) and the other two places was located in MS\OLE directory.

i will now delete the 'Run Services' and reboot- but i am sure it will return.

what am i overlooking?
0
Comment
Question by:cityman12000
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 

Author Comment

by:cityman12000
ID: 12259390
i think it is gone. i rebooted 2 times and did a registry search and found - winit.exe- did not return to the registry.

i did find a - winitN.exe in the registry but i left it alone.

any other ideas?
0
 
LVL 2

Expert Comment

by:kitisak
ID: 12264884
If you don't need to use RPC DCOM, you should disble it.
Follow this Microsoft's artical : How to disable DCOM support in Windows (http://support.microsoft.com/default.aspx?kbid=825750)
0
 

Author Comment

by:cityman12000
ID: 12270801
Good idea. I will try it out for a few days... but i am not sure i really know what to do- the instructions are... daunting. also i used a wireless network.  i wonder if it will block the connection?
0
Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

 
LVL 2

Expert Comment

by:kitisak
ID: 12273691
OK, you should try and let me know the result please.
0
 

Author Comment

by:cityman12000
ID: 12275048
i look over the instructions and i am relunctant to do it. because i am aftaid to do it so...right now i have scanned several times - virus and trojan and did registry scan and it is not there nor repeating itself.

i also went to grc.com and my ports were closed and in stealth mode. also activated a trojan program for continual surveillance.

this i think will be a good alternative.. i hope

cm
0
 
LVL 2

Accepted Solution

by:
kitisak earned 400 total points
ID: 12278936
Maybe I used to test infected by Blaster before. I use TCPView to check the connection from my PC. You can make sure that you don't have any Blaster in you PC. And use RPC Scanner to scan your PC for vulner.

TCPView : http://www.sysinternals.com/ntw2k/source/tcpview.shtml
Retina RPC Scanner : http://www.eeye.com/html/resources/downloads/download.asp?file=RetinaRPCDCOM

Try it !!!
0
 

Author Comment

by:cityman12000
ID: 12283675
i used retina and all is good. the pcpview is a little confusing but.. it is fine and i am willing to learn.

thanks kitisak
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question