I've seen a number of people ask this question today, so I hope this is
helpful to someone:

FYI, the presence of the files Dcomx.exe or the other files mentioned below
along with a "Remote Procedure Call" or TFTP popup message on your system
are signs you may have been hacked by a tool such as Autorooter. [TFTP.EXE
is a normal file that comes with many versions of Windows, but it should
usually not be running on most systems.]

To fix this, you need a firewall [even a free one such as www.sygate.com or
www.kerio.com], to install all the latest Microsoft service packs and
patches from www.windowsupdate.com, check your firewall logs to see who has
hacked you, and install and run an antivirus with the latest updates that
detects this thing [ www.grisoft.com is free antivirus], or submit sample
files to your antivirus vendor if it does not detect this thing. I do
believe there may be new variants of Autorooter that possibly have not yet
been fully discovered. Unlike an automated event like a worm, this event
may indicate that someone personally ran a tool against you and may have
done things to your computer.

You can find out if you are infected with Autorooter or something new that
hasn't been discovered by going to one of the scanner sites below. If
nothing is detected, that's pretty interesting, let us and your antivirus
company know:

http://housecall.antivirus.com [my preference] OR
http://security2.norton.com


Once your computer has been hacked, some things I might recommend
doing are here:

http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden

This Trojan has been given several different names by various anti-virus
companies:

RPC Worm (F-Secure)
Downloader-DM (McAfee)
Autorooter (Panda)
Worm.Win32.Autorooter (AVP)
Backdoor.IRC.Cirebot (Symantec)

References:

http://www.europe.f-secure.com/v-descs/rpc.shtml
http://vil.nai.com/vil/content/v_100524.htm
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cirebot.html
http://news.com.com/2100%2D1009%2D5059263.html
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
http://www.microsoft.com/security/security_bulletins/MS03-026.asp
http://support.microsoft.com/?kbid=823980


Here are some signs of infection, though these do not necessarily match all
the variants that might be out there:

"Signs of infection:
- the existence of one or more of the following files:
rpc.exe
rpctest.exe
tftpd.exe
dcomx.exe
lolx.exe
worm.exe

Signs that a network is being attacked:
- traffic on port 445 to sequential IP addresses.
Signs that an attack has succeeded (allowing a remote shell and downloading
of the backdoor):
- port 57005 open;
- an ftp [tftp] connection on port 69."

I hope this helps. Let us know if you find anything interesting. Thanks to
Susan Bradley for pointing this information out.
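
The file and network indicators quoted in the post above can be checked against a firewall log export and a file listing. The following is an added example, not part of the original thread; the four-column log format, the sample lines, the run threshold and all function names are assumptions made for illustration.

```python
import ipaddress
import ntpath
from collections import defaultdict

# Indicators quoted in the post above.
SUSPECT_FILES = {"rpc.exe", "rpctest.exe", "tftpd.exe",
                 "dcomx.exe", "lolx.exe", "worm.exe"}
SCAN_PORT, SHELL_PORT, TFTP_PORT = 445, 57005, 69
MIN_RUN = 4  # assumption: consecutive targets needed to call it a sweep

# Constructed sample log (documentation address ranges).
# Assumed format per line: PROTO SRC_IP DST_IP DST_PORT
SAMPLE_LOG = """\
TCP 203.0.113.7 192.0.2.10 445
TCP 203.0.113.7 192.0.2.11 445
TCP 203.0.113.7 192.0.2.12 445
TCP 203.0.113.7 192.0.2.13 445
TCP 203.0.113.7 192.0.2.14 445
TCP 198.51.100.20 192.0.2.12 445
TCP 203.0.113.7 not-an-ip 445
TCP 203.0.113.7 192.0.2.12 57005
UDP 192.0.2.12 203.0.113.7 69
TCP 192.0.2.30 192.0.2.40 80
"""

def parse(log):
    """Yield (proto, src, dst, dport) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        try:
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
        except ValueError:
            continue
        yield parts[0].upper(), src, dst, int(parts[3])

def longest_run(addrs):
    """Length of the longest run of numerically consecutive addresses."""
    best = run = 0
    prev = None
    for n in sorted({int(a) for a in addrs}):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best

def analyze(log, min_run=MIN_RUN):
    """Return findings for the three network signs listed in the post."""
    targets = defaultdict(set)  # source -> destinations contacted on 445
    findings = []
    for proto, src, dst, dport in parse(log):
        if proto == "TCP" and dport == SCAN_PORT:
            targets[src].add(dst)
        elif proto == "TCP" and dport == SHELL_PORT:
            findings.append(("shell-port", str(src), str(dst)))
        elif proto == "UDP" and dport == TFTP_PORT:
            findings.append(("tftp", str(src), str(dst)))
    for src, dsts in targets.items():
        run = longest_run(dsts)
        if run >= min_run:
            findings.append(("sequential-445", str(src), run))
    return findings

def suspect_files(paths):
    """Return the paths whose file name matches the list in the post.
    tftp.exe is left out on purpose: the post notes it ships with Windows."""
    return sorted(p for p in paths
                  if ntpath.basename(p).lower() in SUSPECT_FILES)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A single visit to port 445 is not flagged; only a source that walks consecutive addresses is, which matches the "sequential IP addresses" sign in the quoted list.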

Re: Remote Procedure Call error? DCOMX.EXE, RPC.EXE, RPCTEST.EXE by John

John
Tue Aug 05 15:39:01 CDT 2003

On 5/8/2003 14:11, Karl Levinson [x y] mvp wrote:

> I've seen a number of people ask this question today, so I hope this is
> helpful to someone:
>
> FYI, the presence of the files Dcomx.exe or the other files mentioned below
> along with a "Remote Procedure Call" or TFTP popup message on your system
> are signs you may have been hacked by a tool such as Autorooter. [TFTP.EXE
> is a normal file that comes with many versions of Windows, but it should
> usually not be running on most systems.]
>
> To fix this, you need a firewall [even a free one such as www.sygate.com or
> www.kerio.com], to install all the latest Microsoft service packs and
> patches from www.windowsupdate.com, check your firewall logs to see who has
> hacked you, and install and run an antivirus with the latest updates that
> detects this thing [ www.grisoft.com is free antivirus], or submit sample
> files to your antivirus vendor if it does not detect this thing. I do
> believe there may be new variants of Autorooter that possibly have not yet
> been fully discovered. Unlike an automated event like a worm, this event
> may indicate that someone personally ran a tool against you and may have
> done things to your computer.
>
> You can find out if you are infected with Autorooter or something new that
> hasn't been discovered by going to one of the scanner sites below. If
> nothing is detected, that's pretty interesting, let us and your antivirus
> company know:
>
> http://housecall.antivirus.com [my preference] OR
> http://security2.norton.com
>
>
> Once your computer has been hacked, some things I might recommend
> doing are here:
>
> http://securityadmin.info/faq.htm#hacked
> http://securityadmin.info/faq.htm#re-secure
> http://securityadmin.info/faq.htm#harden
>
> This Trojan has been given several different names by various anti-virus
> companies:
>
> RPC Worm (F-Secure)
> Downloader-DM (McAfee)
> Autorooter (Panda)
> Worm.Win32.Autorooter (AVP)
> Backdoor.IRC.Cirebot (Symantec)
>
> References:
>
> http://www.europe.f-secure.com/v-descs/rpc.shtml
> http://vil.nai.com/vil/content/v_100524.htm
> http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cirebot.html
> http://news.com.com/2100%2D1009%2D5059263.html
> http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
> http://www.microsoft.com/security/security_bulletins/MS03-026.asp
> http://support.microsoft.com/?kbid=823980
>
>
> Here are some signs of infection, though these do not necessarily match all
> the variants that might be out there:
>
> "Signs of infection:
> - the existence of one or more of the following files:
> rpc.exe
> rpctest.exe
> tftpd.exe
> dcomx.exe
> lolx.exe
> worm.exe
>
> Signs that a network is being attacked:
> - traffic on port 445 to sequential IP addresses.
> Signs that an attack has succeeded (allowing a remote shell and downloading
> of the backdoor):
> - port 57005 open;
> - an ftp [tftp] connection on port 69."
>
> I hope this helps. Let us know if you find anything interesting. Thanks to
> Susan Bradley for pointing this information out.
>
>
>
>
Good job, Susan and Karl!


Re: Remote Procedure Call error? DCOMX.EXE, RPC.EXE, RPCTEST.EXE on your computer? Possible hacking. by HarryJMK

HarryJMK
Wed Aug 06 04:10:07 CDT 2003

"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote
news:O8ZKw64WDHA.1368@TK2MSFTNGP11.phx.gbl...
[..]
If nothing is detected, that's pretty interesting, let us and your antivirus
company know:
[..]

Hi Karl, great info. As per yr request:

Done and I am completely clean and completely safe, see report below. How?
I've got the free ZoneAlarm v3.7.193 personal firewall installed.
Downloadable from www.download.com. At 1 August they've put the newer
v3.7.202 on the site, so it's still improving... It's the latest predecessor
from the current commercial v4 Pro, see www.powerquest.com for differences.
IMHO it's the best personal firewall available, it's the only FW stopping
Trojans from the inside, see http://grc.com . Next to that I'm running
Ad-aware v6.0, also very valuable.

The report below does not recognize McAfee Virusscan v4.5.1 SP1, scan engine
v4.2.60, which I have installed, because McAfee is now at a much later
version, and the one I've got is not commercial but from my company license.
So as to viruses I'm completely safe also.

Another tip: check MS Plug'nPlay vulnerability, see
http://grc.com/UnPnP/UnPnP.htm. It's just waiting to happen...

Kind regards, Harry


Security Status: At Risk!
You are vulnerable to at least one form of security threat.

Hacker Exposure Check

Description:
Tests your TCP ports for unauthorized Internet connections.

Analysis:
Your computer appears safe from most common intrusions. To learn more about
the threats you are protected against, view a detailed analysis of your test
results.

Windows Vulnerability Check

Description:
Tests whether basic information, including your PC's network identity, can
be seen by hackers.

Analysis:
Your computer's identity is secure. However, this does not mean you are
completely safe from all Internet security threats.

Trojan Horse Check

Description:
Attempts to test for access to your computer through methods commonly used
by Trojan horses.

Analysis:
Your computer and data are not vulnerable to Trojan horse attacks. However,
Trojan horse threats are constantly evolving, and unless you have a personal
firewall and current virus protection, you're not completely safe. To learn
more about threats you are protected against, view a detailed analysis of
your test results.

Antivirus Product Check

Description:
Checks for a current version of a commonly-used virus protection product.

Analysis:
WARNING! No known virus protection software found. This means your computer
and data are vulnerable to virus attacks. Virus attacks can have serious
consequences, including system damage and data loss.

Recommendation:
Install the latest version of a commonly-used virus protection product.






Re: Remote Procedure Call error? DCOMX.EXE, RPC.EXE, RPCTEST.EXE on your computer? Possible hacking. by Karl

Karl
Wed Aug 06 09:03:02 CDT 2003

Thanks for the helpful information.

One small thought... www.grc.com is a helpful site, but there is some
misinformation there, and their Shields Up scan is helpful but not very
thorough. I personally disagree with GRC that Zone Alarm is the best
firewall for everyone, since rating firewalls based solely on ONE feature of
them is not necessarily the best way to do it. I think Sygate and other
firewalls now do the same thing Zone Alarm does. Just my two cents.


"HarryJMK" <harryjmk@home.nl> wrote in message
news:bgqgqc$rjm$1@news4.tilbu1.nb.home.nl...
"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote
news:O8ZKw64WDHA.1368@TK2MSFTNGP11.phx.gbl...
[..]
If nothing is detected, that's pretty interesting, let us and your antivirus
company know:
[..]

Hi Karl, great info. As per yr request:

Done and I am completely clean and completely safe, see report below. How?
I've got the free ZoneAlarm v3.7.193 personal firewall installed.
Downloadable from www.download.com. At 1 August they've put the newer
v3.7.202 on the site, so it's still improving... It's the latest predecessor
from the current commercial v4 Pro, see www.powerquest.com for differences.
IMHO it's the best personal firewall available, it's the only FW stopping
Trojans from the inside, see http://grc.com . Next to that I'm running
Ad-aware v6.0, also very valuable.

The report below does not recognize McAfee Virusscan v4.5.1 SP1, scan engine
v4.2.60, which I have installed, because McAfee is now at a much later
version, and the one I've got is not commercial but from my company license.
So as to viruses I'm completely safe also.

Another tip: check MS Plug'nPlay vulnerability, see
http://grc.com/UnPnP/UnPnP.htm. It's just waiting to happen...

Kind regards, Harry


Security Status: At Risk!
You are vulnerable to at least one form of security threat.

Hacker Exposure Check

Description:
Tests your TCP ports for unauthorized Internet connections.

Analysis:
Your computer appears safe from most common intrusions. To learn more about
the threats you are protected against, view a detailed analysis of your test
results.

Windows Vulnerability Check

Description:
Tests whether basic information, including your PC's network identity, can
be seen by hackers.

Analysis:
Your computer's identity is secure. However, this does not mean you are
completely safe from all Internet security threats.

Trojan Horse Check

Description:
Attempts to test for access to your computer through methods commonly used
by Trojan horses.

Analysis:
Your computer and data are not vulnerable to Trojan horse attacks. However,
Trojan horse threats are constantly evolving, and unless you have a personal
firewall and current virus protection, you're not completely safe. To learn
more about threats you are protected against, view a detailed analysis of
your test results.

Antivirus Product Check

Description:
Checks for a current version of a commonly-used virus protection product.

Analysis:
WARNING! No known virus protection software found. This means your computer
and data are vulnerable to virus attacks. Virus attacks can have serious
consequences, including system damage and data loss.

Recommendation:
Install the latest version of a commonly-used virus protection product.