Jun 30th, 2004

Errors in My XP Error Log.

I was looking into my error log and noticed these various errors:

Access denied attempting to launch a DCOM Server using DefaultLaunchPermssion. The server is: {00020906-0000-0000-C000-000000000046} The user is Unavailable/Unavailable, SID=Unavailable.

I have a lot of these in my error logs.

I also noticed recently that I started to get these errors also:

The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Also I can't seem to update XP, also had problems trying to do a system restore. Are these errors serious? If so, is it possible to fix them?
JohnUK

Jun 30th, 2004

Re: Errors in My XP Error Log.

John, is this machine directly connected to the Internet or do you have a hardware firewall protecting it? My first thought is some sort of attack is causing this. You can probably turn off the DCOM service without any problem to stop the first error you posted; it is normally not used anyway. If you can't update and you can't restore, yes I would say it is serious. What error do you get when you try to update? When you try to restore?
bentkey

Jun 30th, 2004

Re: Errors in My XP Error Log.

I don't directly connect to the Internet on the machine, I connect using a wireless gateway. In terms of firewall I ain't currently been using one (stupid I know). Was going to install Zone Alarm, not a computer tech person myself.

I've been told by Windows Update there is 1 security update that I can download. I try and download it and all I get is an error on the page saying could not be installed.

I tried to do a system restore. It gets to the point where it reboots, gets me back into XP, and the window says restore unsuccessful and doesn't carry out the restore.
JohnUK

Jun 30th, 2004

Re: Errors in My XP Error Log.

Only things I have done recently have been following the various guides and help to try and remove the About:Blank IE Hijacker.

The DCOM has been there for a while, never caused me any problems, however over the last two days I can't install the updates I download nor can I carry out the system restore.

I dunno if this helps but I created a system restore point and then an hour later I tried to revert back to it and it worked. It just won't restore points prior to today.
JohnUK

Jun 30th, 2004

Re: Errors in My XP Error Log.

I looked at the folder where the updates download, which I believe is the wutemp folder on my c:\ drive. The update file was there, but when I tried to run it the error it came up with was:

c:\windows\system32\dlcache\nmcom.dll is open or in use by another application, close all applications then retry.
JohnUK

Jul 1st, 2004

Re: Errors in My XP Error Log.

John,

I still don't have any idea if you are really directly connected to the Internet or not. Who controls the wireless gateway? Is it yours, or is it part of a campus network that you get access to the Internet through or what? Having a firewall is not optional today, it is absolutely required. I have had customers have their computers completely destroyed by Internet hackers while they were trying to set up their DSL connection! No kidding. The time delay between the time you connect an unprotected machine to the Internet and the time it is first discovered by a hacker these days is probably best figured in minutes not days.

If you have to use a software firewall, ZoneAlarm is OK but they are not nearly as good as a hardware firewall. I have proven in my lab that attackers can still cause Windows machines to crash with softwalls running, even though they can't upload trojans. Still, way better than nothing.

I'm all but certain you are under attack.

You might try going to a command prompt and enter "netstat -n -a > c:\netstat.txt" without the quotes. Post the content of that file here and let me see it. It will show all network connections and ports listening on your pc.

nmcom.dll is part of NetMeeting. Are you running NetMeeting?

One of the most recent MS security updates addresses a security flaw in DCOM. I would disable it at least until you get this issue cleared up.

Try to run the online virus scan from TrendMicro and see if it finds anything.

DCOM is part of Windows, but it is only used for very specialized network applications which there is almost no chance that you would be using on a lone PC. Follow these instructions to disable it. Ignore the instructions for testing apps right now, you can enable it later if you want.
Click on Start | Run | and enter: C:\WinNT\System32\Dcomcnfg.exe

Then click on the Applications tab.

Many programs "support" Distributed Communication (DCOM) but rarely ever use it. This includes such programs as Windows Media and Wordpad. When examining this option, look for third-party applications that might actually REQUIRE network support, as opposed to those that simply support it. To find out if these programs really require DCOM, you must disable it, run the programs, and see what happens.

Note that it is probably only necessary to look at third-party programs here.

Microsoft programs designed to run on a non-networked, stand-alone computer are usually written to support but do not require DCOM. To disable DCOM, go to the Default Properties tab and uncheck the box labeled "Enable Distributed COM on this computer".

Reboot, and try running the third-party software noted as above. Odds are that everything will still run correctly. If not, go back and enable DCOM again. As you re-enable it, also go to the Default Protocols tab and remove all protocols except "Connection-oriented TCP/IP". This doesn’t create any additional security but does reduce the number of connection methods you have to keep an eye on.

If you do not have to re-enable DCOM again, then on the Default Protocols tab remove all protocols. You won't need them, and that should stop Windows from listening on Port 135.
bentkey

Jul 1st, 2004

Re: Errors in My XP Error Log.

Quote originally posted by bentkey ...
John,

I still don't have any idea if you are really directly connected to the Internet or not. Who controls the wireless gateway? Is it yours, or is it part of a campus network that you get access to the Internet through or what? Having a firewall is not optional today, it is absolutely required. I have had customers have their computers completely destroyed by Internet hackers while they were trying to set up their DSL connection! No kidding. The time delay between the time you connect an unprotected machine to the Internet and the time it is first discovered by a hacker these days is probably best figured in minutes not days.

Basically it's a wireless ADSL router in another room that I connect to via a wireless USB device. I can enable a firewall on the router I think. I have just enabled the firewall on my router I think.

Quote originally posted by bentkey ...
John,
You might try going to a command prompt and enter "netstat -n -a > c:\netstat.txt" without the quotes. Post the content of that file here and let me see it. It will show all network connections and ports listening on your pc.

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1050 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1163 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 10.0.0.1:139 0.0.0.0:0 LISTENING
TCP 10.0.0.1:139 213.137.229.120:2206 ESTABLISHED
TCP 10.0.0.1:445 80.46.175.71:4404 ESTABLISHED
TCP 10.0.0.1:445 80.46.175.134:1310 ESTABLISHED
TCP 10.0.0.1:1025 61.163.12.56:3784 ESTABLISHED
UDP 0.0.0.0:445 *
UDP 0.0.0.0:500 *
UDP 0.0.0.0:1049 *
UDP 0.0.0.0:1052 *
UDP 10.0.0.1:123 *
UDP 10.0.0.1:137 *
UDP 10.0.0.1:138 *
UDP 10.0.0.1:1900 *
UDP 127.0.0.1:123 *
UDP 127.0.0.1:1035 *
UDP 127.0.0.1:1051 *
UDP 127.0.0.1:1166 *
UDP 127.0.0.1:1900 *

And this is the one after I enabled the firewall on the router:

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1050 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1163 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 10.0.0.1:139 0.0.0.0:0 LISTENING
TCP 10.0.0.1:1025 61.163.12.56:3784 ESTABLISHED
TCP 10.0.0.1:1669 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1670 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1672 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1674 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1675 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1677 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1678 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1680 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1681 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1682 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1683 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1684 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1686 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1687 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1688 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1689 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1690 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1691 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1692 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1693 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1694 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1695 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1696 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1697 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1698 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1699 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1700 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1705 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1706 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1707 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1708 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1709 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1710 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1712 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1713 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1715 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1716 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1717 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1718 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1719 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1720 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1722 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1725 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1726 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1727 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1730 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1734 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1735 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1737 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1738 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1739 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1740 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1741 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1742 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1743 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1744 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1745 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1746 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1747 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1748 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1749 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1750 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1751 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1752 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1753 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1754 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1755 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1756 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1757 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1759 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1760 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1761 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1762 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1763 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1764 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1765 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1766 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1767 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1769 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1770 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1771 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1772 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1778 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1779 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1780 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1781 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1782 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1783 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1784 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1785 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1786 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1787 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1788 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1789 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1790 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1791 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1792 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1793 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1794 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1795 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1796 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1798 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1799 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1800 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1801 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1802 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1803 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1804 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1805 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1806 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1807 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1808 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1809 67.18.73.107:80 TIME_WAIT
UDP 0.0.0.0:445 *
UDP 0.0.0.0:500 *
UDP 0.0.0.0:1049 *
UDP 0.0.0.0:1052 *
UDP 10.0.0.1:123 *
UDP 10.0.0.1:137 *
UDP 10.0.0.1:138 *
UDP 10.0.0.1:1900 *
UDP 127.0.0.1:123 *
UDP 127.0.0.1:1035 *
UDP 127.0.0.1:1166 *
UDP 127.0.0.1:1665 *
UDP 127.0.0.1:1900 *

Quote originally posted by bentkey ...
John,
nmcom.dll is part of NetMeeting. Are you running NetMeeting?

I have it installed, I don't think it is running though. I bought my PC a couple months back, it was probably installed by them.

Quote originally posted by bentkey ...
John,
One of the most recent MS security updates addresses a security flaw in DCOM. I would disable it at least until you get this issue cleared up.

Try to run the online virus scan from TrendMicro and see if it finds anything.

DCOM is part of Windows, but it is only used for very specialized network applications which there is almost no chance that you would be using on a lone PC. Follow these instructions to disable it. Ignore the instructions for testing apps right now, you can enable it later if you want.
Click on Start | Run | and enter: C:\WinNT\System32\Dcomcnfg.exe

Then click on the Applications tab.

Many programs "support" Distributed Communication (DCOM) but rarely ever use it. This includes such programs as Windows Media and Wordpad. When examining this option, look for third-party applications that might actually REQUIRE network support, as opposed to those that simply support it. To find out if these programs really require DCOM, you must disable it, run the programs, and see what happens.

Note that it is probably only necessary to look at third-party programs here.

Microsoft programs designed to run on a non-networked, stand-alone computer are usually written to support but do not require DCOM. To disable DCOM, go to the Default Properties tab and uncheck the box labeled "Enable Distributed COM on this computer".

Reboot, and try running the third-party software noted as above. Odds are that everything will still run correctly. If not, go back and enable DCOM again. As you re-enable it, also go to the Default Protocols tab and remove all protocols except "Connection-oriented TCP/IP". This doesn’t create any additional security but does reduce the number of connection methods you have to keep an eye on.

If you do not have to re-enable DCOM again, then on the Default Protocols tab remove all protocols. You won't need them, and that should stop Windows from listening on Port 135.

I'm a bit lost on this, sorry. I don't see an Applications tab. When I run dcomcnfg.exe it opens the Component Services; if I click on Event Viewer I see application, security and system error records.
JohnUK

Jul 1st, 2004

Re: Errors in My XP Error Log.

Checked my error logs today and I don't have any DCOM ones so far.
JohnUK

Jul 1st, 2004

Re: Errors in My XP Error Log.

OK John,
Don't mean to scare you, but you are absolutely being hacked.

A little info if you look in your log at these

port 139
NetBIOS Session (TCP), Windows File and Printer Sharing
This is the single most dangerous port on the Internet. All "File and Printer Sharing" on a Windows machine runs over this port. About 10% of all users on the Internet leave their hard disks exposed on this port. This is the first port hackers want to connect to, and the port that firewalls block.
Port 445 is a secondary NetBIOS port.

Port 1025 is assigned to a port of the "Active Directory logon and directory replication interface".

You had active connections on port 139 to somewhere in Russia,

2 connections on port 445 to Amsterdam,

1 connection on port 1025 to China,

and a whole lotta dropped connections to Texas on random ports to web port 80 since you enabled the firewall.

All doing God knows what.

Your second log shows the one on port 1025 still connected so I would guess they have a trojan on your machine phoning home.

Did you run the virus scan from TrendMicro?
bentkey

Jul 1st, 2004

Re: Errors in My XP Error Log.

Oh heheh, the port 80 connection is to Daniweb, guess we don't need to worry about that one. Should have mentioned, before doing the scan, close all the stuff you have open to web. Makes it easier to read. But I think we got what we needed in this case anyway.
bentkey
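
A way to triage a saved `netstat -n -a` listing like the two posted above, as an added example that is not part of the original thread: it separates connections from public addresses whose local port also has a listener (a remote host talking to a service on the PC) from connections on local ports with no listener (the PC calling out, like the port 80 rows). The sample rows are copied from the thread's listings; the function names and the listener-based direction heuristic are assumptions of this example.

```python
import ipaddress

# Rows copied from the two netstat listings posted in this thread.
SAMPLE = """\
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 10.0.0.1:139 0.0.0.0:0 LISTENING
TCP 10.0.0.1:139 213.137.229.120:2206 ESTABLISHED
TCP 10.0.0.1:445 80.46.175.71:4404 ESTABLISHED
TCP 10.0.0.1:1025 61.163.12.56:3784 ESTABLISHED
TCP 10.0.0.1:1669 67.18.73.107:80 TIME_WAIT
UDP 10.0.0.1:137 *
"""

def split_endpoint(endpoint):
    """Split 'ip:port' (or '[v6]:port') into (ip_string, port_int)."""
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), int(port)

def parse_tcp_rows(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) per TCP row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Headers, blank lines and UDP rows (no state column) are skipped.
        if len(fields) != 4 or fields[0] != "TCP":
            continue
        rows.append(split_endpoint(fields[1]) + split_endpoint(fields[2]) + (fields[3],))
    return rows

def triage(text):
    """Group non-listening TCP rows by whether the local port has a listener."""
    rows = parse_tcp_rows(text)
    listening = {lport for _, lport, _, _, state in rows if state == "LISTENING"}
    to_listener, outbound = [], []
    for _, lport, rip, rport, state in rows:
        if state == "LISTENING":
            continue
        if not ipaddress.ip_address(rip).is_global:
            continue  # LAN and loopback peers are not the concern here
        if lport in listening:
            # Heuristic: the local port is a listening service port, so the
            # remote side most likely opened this connection.
            to_listener.append((lport, rip))
        else:
            # Local port has no listener: the PC opened this connection.
            outbound.append((rip, rport))
    return {"listening": sorted(listening),
            "to_listener": to_listener,
            "outbound": outbound}

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("Listening TCP ports:", report["listening"])
    for port, peer in report["to_listener"]:
        print(f"Public host {peer} connected on service port {port}")
    for peer, port in report["outbound"]:
        print(f"Outbound connection to {peer}:{port}")
```

Run it against the real file by passing the contents of `c:\netstat.txt` to `triage()`; any `to_listener` row on ports 135, 139 or 445 means the router is not filtering Windows file-sharing and RPC traffic from the Internet.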


© 2011 DaniWeb® LLC