• Status: Solved
  • Priority: Medium
  • Security: Public

winXP sp3 DCOM errors in event log, group policy

have spent probably two days googling around to find a remedy for this.

after recovering from a (virus-related?) crash where my start menu and minimized application tabs had disappeared, my system now has something askew - maybe has to do with group policy security settings.

most everything in the machine works at least in a single-user environment, but there are repeated and sometimes frequent DCOM errors in the log, and some .net apps don't run despite re-installation of the .net components.

Unable to start a DCOM Server: {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}. The error:
"Access is denied. "
Happened while starting this command:
C:\Windows\SYSTEM32\WBEM\wmiprvse.exe -Embedding

when i try to access Local Security Policy i get an error message:
"The Group Policy security settings that apply to this machine could not be determined.
The error returned when trying to retrieve these settings from the local security policy database (%windir%\security\database\secedit.sdb) was: The parameter is incorrect.

to my understanding the file permissions on the drive are all as they should be. the permissions on C:\Windows\SYSTEM32\WBEM\wmiprvse.exe are ticked for access but grayed out, and remain so even if i try to take ownership & manipulate them.

this problem started at sp2. i repair-installed once, and when that didn't fix the problem i decided to try whether sp3 would cure the problem. it didn't.

clean install is not an option - there are way too many applications / tweaks on the system.
2 Solutions
 
DMTechGrooup commented:
Try following this.. it will reset permissions back that malware can corrupt..

Method 1: Reset the registry and the file permissions
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows
To reset the registry and file permissions, follow these steps:
Download and then install the Subinacl.exe file. To do this, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en
Start Notepad.
Copy and then paste the following text into Notepad.
cd /d "%ProgramFiles%\Windows Resource Kits\Tools"
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

Save this Notepad file as Reset.cmd.
Double-click the Reset.cmd file to run the script.

Note This script file may take a long time to run. You must run this script as an administrator.

zdoe (Author) commented:
have now run the script. symptoms appear to be as before.

some of the script lines produce error messages, for example:
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
done ~200000 modified ~200000 failed 23 syntax errors 0

and there's no
%windir%\repair\secsetup.inf
-file in the system, so that line gives a "file not found" error. i looked for it also on an sp3 install disk and didn't find one. assuming that it would help, do you think you could attach it to this thread?

DMTechGrooup commented:
Need to make sure you are truly malware free.. also run the script in safe mode after running malwarebytes.

Download Hijackthis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.
Paste the log in the "Code Snippet" or "Attach File" window.

then download and install www.malwarebytes.org and for its logfile do the same as the Hijackthis.


Download Malwarebytes' Anti-Malware to your desktop, check for the tool's Updates before running a scan.
http://www.malwarebytes.org/mbam.php
If you can't access the above link then use this link:
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button

zdoe (Author) commented:
i'm 98% sure that the system is now clean. have run symantec antivirus, adaware & spybot search & destroy. but who knows?

attached please find the hijackthis log. (that i had without downloading)

btw - what i forgot to mention was that your script from earlier DID improve things - now the permissions for wmiprvse.exe are no longer grayed out.
zdoeXPsp3hijackthis.log

DMTechGrooup commented:
Def install and run the malwarebytes.. it picks up a lot more stuff than Adaware..

DMTechGrooup commented:
Yeah I would say it looks like you have some issues..

O20 - Winlogon Notify: iiffgge - C:\WINDOWS\SYSTEM32\iiffgge.dll
O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
O20 - Winlogon Notify: oleacc32 - C:\WINDOWS\SYSTEM32\oleacc32.dll


Please download ComboFix by sUBs:

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

zdoe (Author) commented:
the entries:

iiffgge.dll
mljgh.dll
oleacc32.dll

are hidden-read-only-system directories, NOT files. i've created those to keep files named as such out of the system after some long-ago problem. for some reason hijackthis picks those up.

DMTechGrooup commented:
I'll take your word for it.. but I still think you should run Combofix and MBAM.

zdoe (Author) commented:
i ran combofix somewhere along my travels with this problem. just downloaded MBAM, but have to run out for a meeting now. will post its log a bit later.

zdoe (Author) commented:
so have now run MBAM. it found a bunch of things, but most of them seem to be false positives - the files it claimed to have found at start menu were non-existent. maybe it's just humoring us.

it, and symantec corp av while MBAM was scanning, did find a few things that are dubious:
nvdia.exe
rpcnetp.exe
rpcnet.dll

but killing these did not remove the symptoms.
mbam-log-2009-02-16--01-25-54-.txt

zdoe (Author) commented:
the problem persists.

another pointer - before this problem appeared, erunt registry backups would copy four "other open user profiles" as a part of the backup. now, only two.

what does the WMI service actually DO?

btw - combofix gets flagged as a virus by one of the scanners i use. is there a rogue version out there?

DMTechGrooup commented:
No, combofix uses some processes like pskill from www.sysinternals.com and a lot of scanners tag that as bad because it can kill processes.

This from your MBAM log:
C:\Windows\SYSTEM32\a.exe (Trojan.Agent) -> Not selected for removal.
C:\Windows\SYSTEM32\sav.cpl (Rogue.SystemAntivirus2008) -> Not selected for removal.
C:\Windows\SYSTEM\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\services.exe (Trojan.Agent) -> Not selected for removal.

Those are not false positives, it looks like you have a rootkit installed.  Did you ever run combofix?  If not redownload it and run it.

zdoe (Author) commented:
a.exe
sav.cpl
services.exe

are all empty, hidden directories that i've created on some earlier rounds to avert troubles stemming from similarly named files. thus, yes, they are false positives - and not getting flagged by symantec corp antivirus that looks a bit deeper into matters.

msiexec.exe does exist in my system. i suppose it's the MSI installer program: manufacturer microsoft, file version 3.1.4001.5512 - seems very consistent /w the real winXP sp3 files.

DMTechGrooup commented:
Well.. it removed the msiexec.

At this point I have no further help to offer.  I would recommend deleting the question for a points refund as there is no useful information in here.  As long as you do strange things like the a, sav.cpl, etc. it is hard to figure out your problem.  Symantec can be set to ignore those files but you take the risk of rogue software just overwriting those.  Good luck.

zdoe (Author) commented:
probably the system file restorer has put msiexec back on.

i don't have ignore on those files - they don't get flagged i suspect because the av checks what's behind the name.

i've seen a few instances - not on this machine but elsewhere, where my "dummy directory" approach helped kill threats that no scanner could remove.

the answer is somewhere in group policy / security -related matters - if only i knew where!

would there be a way to remove / reinstall the WMI service?

zdoe (Author) commented:
how about - an instruction snippet from somewhere on the net:
1. Start / Run / dcomcnfg / OK.
2. Expand the Component Services tree.
3. Expand the Computers tree under Component Services.
4. Right-click on My Computer and choose Properties.
5. On the Default Properties tab, change the Default Authentication Level to Connect.
6. Select the Default COM Security tab.
7. Press Edit Default under Default Access Permissions.
8. Press Add.
9. Enter "Administrators" in the box and click OK.
10. Set the Access Permission to "Allow" for Administrators.
11. Press OK, OK, and OK.
12. Shut down and restart your computer.

BUT there is NO "Default COM Security" tab on my computer

playing around with this, the DCOM error message recurring on the event log has now changed:
The server {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} did not register with DCOM within the required timeout.

and there's a new one:
The Distributed Transaction Coordinator service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

zdoe (Author) commented:
DCOM errors are gone - though there's now a bunch of other errors on the event log.

i'm not completely positive that this is what did it, but suspect so:

30-08-2006, wavellan, Re: Windows Server 2003 Standard - DCOM Problems
For those of you who are interested, I finally resolved this issue. It appears as some MS patch changed the permissions on the following registry key:

HKEY_CLASSES_ROOT\CLSID

In order to resolve the problem, the following permissions were added

Registry Key: HKEY_CLASSES_ROOT\CLSID (and all child keys and values)

Permissions Added:

Authenticated users: Read access
Network Service: full control

from: http://forums.techarena.in/windows-server-help/571730.htm

now - i may soon start another thread to lose the current event log errors...

Question has a verified solution.
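Added example, not code from this thread or from the Experts Exchange page: a PowerShell audit that ties the three technical items in the thread together from a defender's side. It pulls the CLSID out of the quoted DCOM event, resolves it through HKEY_CLASSES_ROOT\CLSID and HKEY_CLASSES_ROOT\AppID to the registered server and its launch settings, checks HKEY_CLASSES_ROOT\CLSID for the two ACEs the accepted fix added (Authenticated Users: Read, NETWORK SERVICE: Full Control), and reads the machine-wide DCOM defaults under HKLM\SOFTWARE\Microsoft\Ole that the dcomcnfg steps in the earlier post edit. Assumptions: an elevated PowerShell 3.0 or later on the affected machine (PowerShell was not part of this XP-era thread); the event text is a constructed sample reproducing the poster's log entry; the function names and the expected identity strings are mine.

```powershell
# Added example (not from the thread). Run elevated; it only reads the registry.

# Constructed sample input: the DCOM event as the poster quoted it.
$EventText = @'
Unable to start a DCOM Server: {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}. The error:
"Access is denied. "
Happened while starting this command:
C:\Windows\SYSTEM32\WBEM\wmiprvse.exe -Embedding
'@

function Get-ClsidFromEventText {
    param([Parameter(Mandatory = $true)][string]$Text)
    # DCOM 10000/10005-style events carry the class id in braces; return the first one.
    $guid = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
    if ($Text -match $guid) { return $Matches[0] }
    return $null
}

function Get-DcomServerRegistration {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    # CLSID -> AppID -> launch settings, so the failing server can be identified
    # without guessing from the command line in the event.
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (-not (Test-Path -Path $clsidKey)) {
        return [pscustomobject]@{ Clsid = $Clsid; Registered = $false }
    }
    $clsidProps = Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue
    $server     = Get-ItemProperty -Path "$clsidKey\LocalServer32" -ErrorAction SilentlyContinue
    $appId      = $clsidProps.AppID
    $appProps   = $null
    if ($appId) {
        $appProps = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\AppID\$appId" -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Clsid                = $Clsid
        Registered           = $true
        Description          = $clsidProps.'(default)'
        LocalServer32        = $server.'(default)'
        AppID                = $appId
        LocalService         = $appProps.LocalService           # set when the server is a Windows service
        RunAs                = $appProps.RunAs                  # identity override, if any
        LaunchPermissionSet  = ($null -ne $appProps.LaunchPermission)  # per-AppID SD overrides the machine default
        AccessPermissionSet  = ($null -ne $appProps.AccessPermission)
    }
}

function Test-ClsidKeyAcl {
    # Checks for the two Allow ACEs the accepted fix adds to HKCR\CLSID.
    $acl = Get-Acl -Path 'Registry::HKEY_CLASSES_ROOT\CLSID'
    $expected = @(
        @{ Identity = 'NT AUTHORITY\Authenticated Users'; Rights = [System.Security.AccessControl.RegistryRights]::ReadKey }
        @{ Identity = 'NT AUTHORITY\NETWORK SERVICE';     Rights = [System.Security.AccessControl.RegistryRights]::FullControl }
    )
    foreach ($e in $expected) {
        $present = $false
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($rule.IdentityReference.Value -ne $e.Identity) { continue }
            # The ACE must carry at least the required rights (a superset is fine).
            if (($rule.RegistryRights -band $e.Rights) -eq $e.Rights) { $present = $true; break }
        }
        [pscustomobject]@{ Identity = $e.Identity; Required = $e.Rights; Present = $present }
    }
}

function Get-DcomMachineDefaults {
    # Machine-wide values that dcomcnfg's Default Properties / Default COM Security tabs write.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableDCOM                  = $ole.EnableDCOM
        LegacyAuthenticationLevel   = $ole.LegacyAuthenticationLevel   # 2 = Connect; absent means the default (Connect)
        DefaultAccessPermissionSet  = ($null -ne $ole.DefaultAccessPermission)  # only present once someone edited it
        DefaultLaunchPermissionSet  = ($null -ne $ole.DefaultLaunchPermission)
    }
}

$clsid = Get-ClsidFromEventText -Text $EventText
"CLSID from event: $clsid"
Get-DcomServerRegistration -Clsid $clsid | Format-List
Test-ClsidKeyAcl | Format-Table -AutoSize
Get-DcomMachineDefaults | Format-List
```

Run before and after applying the permission fix: a `Present = False` row from Test-ClsidKeyAcl on a machine showing the "Access is denied" DCOM event points at the same cause the thread ended on, while Get-DcomServerRegistration shows whether the failing class (here the WMI provider host, wmiprvse.exe) carries an AppID-level LaunchPermission that would override any machine-wide default the dcomcnfg steps change.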