zdoe asked:
WinXP SP3 DCOM errors in event log, group policy

I have spent probably two days googling around to find a remedy for this.

After recovering from a (virus-related?) crash where my start menu and minimized application tabs had disappeared, my system now has something askew; maybe it has to do with group policy security settings.

Most everything on the machine works, at least in a single-user environment, but there are repeated and sometimes frequent DCOM errors in the log, and some .NET apps don't run despite reinstallation of the .NET components.

Unable to start a DCOM Server: {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}. The error:
"Access is denied. "
Happened while starting this command:
C:\Windows\SYSTEM32\WBEM\wmiprvse.exe -Embedding

When I try to access Local Security Policy I get an error message:
"The Group Policy security settings that apply to this machine could not be determined.
The error returned when trying to retrieve these settings from the local security policy database (%windir%\security\database\secedit.sdb) was: The parameter is incorrect."

To my understanding the file permissions on the drive are all as they should be. The permissions on C:\Windows\SYSTEM32\WBEM\wmiprvse.exe are ticked for access but grayed out, and remain so even if I try to take ownership and manipulate them.

This problem started at SP2. I repair-installed once, and when that didn't fix the problem I decided to see if SP3 would cure it. It didn't.

A clean install is not an option: there are way too many applications/tweaks on the system.
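The event quoted above names the DCOM server by CLSID and says its launch was denied. Before clicking through dcomcnfg it is worth reading the values DCOM actually consults for that server: the CLSID's AppID, that AppID's own LaunchPermission and AccessPermission, and the machine-wide defaults and limits under HKLM\SOFTWARE\Microsoft\Ole. The PowerShell below is an added example, not code from the thread or from either participant; it decodes each REG_BINARY security descriptor to SDDL and changes nothing. It assumes PowerShell 2.0 (installable on XP SP3) in an administrative session; the function names are mine.

```powershell
# Added example (not from the thread): show the DCOM permissions that apply to
# the server the event names. Read-only; PowerShell 2.0+, run as an administrator.

function ConvertTo-Sddl {
    # DCOM stores its ACLs as self-relative security descriptors in REG_BINARY values.
    param([byte[]]$Bytes)
    if (-not $Bytes) { return $null }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Bytes, 0
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Get-DcomPermissions {
    param([string]$Clsid)

    # CLSID -> AppID; the AppID key carries the per-server DCOM settings.
    $clsid  = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$Clsid" -ErrorAction SilentlyContinue
    $result = New-Object PSObject -Property @{ Clsid = $Clsid; AppId = $clsid.AppID }

    if ($clsid.AppID) {
        $app = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\AppID\$($clsid.AppID)" -ErrorAction SilentlyContinue
        $result | Add-Member NoteProperty LocalService     $app.LocalService
        $result | Add-Member NoteProperty RunAs            $app.RunAs
        $result | Add-Member NoteProperty LaunchPermission (ConvertTo-Sddl $app.LaunchPermission)
        $result | Add-Member NoteProperty AccessPermission (ConvertTo-Sddl $app.AccessPermission)
    }

    # A server without its own ACL inherits the machine defaults; since XP SP2 the
    # Machine*Restriction limits are checked in addition to whichever ACL applies.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
    foreach ($name in 'DefaultLaunchPermission', 'DefaultAccessPermission',
                      'MachineLaunchRestriction', 'MachineAccessRestriction') {
        $result | Add-Member NoteProperty $name (ConvertTo-Sddl $ole.$name)
    }
    $result | Add-Member NoteProperty LegacyAuthenticationLevel $ole.LegacyAuthenticationLevel
    $result
}

# The CLSID from the "Unable to start a DCOM Server" event above.
Get-DcomPermissions -Clsid '{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}' | Format-List
```

Reading the output: SDDL prints COM rights with the generic letters, so in an ACE such as (A;;CCDCSW;;;BA) CC is COM_RIGHTS_EXECUTE (0x1), DC local (0x2), LC remote (0x4), SW local activation (0x8) and RP remote activation (0x10); BA is Administrators, SY is SYSTEM, IU is Interactive, AU is Authenticated Users. A `-Embedding` start like the one in the event is a local activation, so the launching account needs the CC and SW (or DC) bits in whichever of LaunchPermission or DefaultLaunchPermission applies, and must not be excluded by MachineLaunchRestriction.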
SOLUTION by DMTechGrooup (members-only; not shown on this page)
zdoe (ASKER):
I have now run the script. Symptoms appear to be as before.

Some of the script lines produce error messages, for example:
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
done ~200000 modified ~200000 failed 23 syntax errors 0

and there's no
%windir%\repair\secsetup.inf
file in the system, so that line gives a "file not found" error. I looked for it also on an SP3 install disk and didn't find one. Assuming that it would help, do you think you could attach it to this thread?
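The secedit line in the script failed only because the template it points at, %windir%\repair\secsetup.inf, is absent. The rebuild that line performs can be run on its own, with a backup first: secedit.sdb is an ESE (Jet) database, so a corrupt one is repaired offline with esentutl /p, and then a security template is re-applied to it with secedit /configure. The PowerShell below is an added example and is not the script from the thread. Its template paths are assumptions: secsetup.inf is what the thread's script referenced, and defltwk.inf is XP's default workstation template under %windir%\inf; confirm whichever one it picks is a file you trust before running it. Run it elevated, ideally in Safe Mode as the expert suggested for the script.

```powershell
# Added example (not from the thread): rebuild the local security policy database
# behind "The parameter is incorrect" from secedit.sdb. Elevated PowerShell 2.0+.
# Template paths below are assumptions; verify they exist and are the stock files.

$db      = Join-Path $env:SystemRoot 'security\database\secedit.sdb'
$backup  = $db + '.' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.bak'
$logFile = Join-Path $env:TEMP 'secedit-rebuild.log'

# Candidate templates, most specific first; the poster found secsetup.inf missing.
$templates = @(
    (Join-Path $env:SystemRoot 'repair\secsetup.inf'),   # referenced by the thread's script
    (Join-Path $env:SystemRoot 'inf\defltwk.inf')        # XP default workstation template (assumed)
)
$cfg = $templates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $cfg) { throw "No security template found; tried: $($templates -join ', ')" }

# 1. Keep a copy of the current database; nothing below is reversible without it.
Copy-Item -LiteralPath $db -Destination $backup -Force
Write-Host "Backed up $db to $backup"

# 2. Offline repair of the ESE database (esentutl asks for confirmation before repairing).
& "$env:SystemRoot\system32\esentutl.exe" /p $db
if ($LASTEXITCODE -ne 0) { Write-Warning "esentutl exited with $LASTEXITCODE; continuing" }

# 3. Empty the database and re-import the template, then apply it to the machine.
& "$env:SystemRoot\system32\secedit.exe" /configure /db $db /cfg $cfg /overwrite /log $logFile /quiet
Write-Host "secedit /configure exit code: $LASTEXITCODE (details in $logFile)"

# 4. Force the machine policy to be re-read (XP syntax; gpupdate /force is the newer equivalent).
& "$env:SystemRoot\system32\secedit.exe" /refreshpolicy machine_policy /enforce
```

After it runs, open Local Security Policy again: if secpol.msc now loads, the database was the problem; if the same "parameter is incorrect" error returns, the log named above and the Application event log (ESENT and SceCli sources) are where to look next.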
You need to make sure you are truly malware-free. Also run the script in Safe Mode after running Malwarebytes.

Download HijackThis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything yet.
Paste the log in the "Code Snippet" or "Attach File" window.

Then download and install Malwarebytes from www.malwarebytes.org and do the same with its logfile as with the HijackThis one.


Download Malwarebytes' Anti-Malware to your desktop and check for the tool's updates before running a scan.
http://www.malwarebytes.org/mbam.php 
If you can't access the above link then use this link:
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button 
zdoe (ASKER):
I'm 98% sure that the system is now clean. I have run Symantec AntiVirus, Ad-Aware and Spybot Search & Destroy. But who knows?

Attached please find the HijackThis log (which I already had without downloading).

BTW, what I forgot to mention was that your script from earlier DID improve things: now the permissions for wmiprvse.exe are no longer grayed out.
Attachment: zdoeXPsp3hijackthis.log
Definitely install and run Malwarebytes; it picks up a lot more stuff than Ad-Aware.
Yeah, I would say it looks like you have some issues:

O20 - Winlogon Notify: iiffgge - C:\WINDOWS\SYSTEM32\iiffgge.dll
O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
O20 - Winlogon Notify: oleacc32 - C:\WINDOWS\SYSTEM32\oleacc32.dll


Please download ComboFix by sUBs:

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


zdoe (ASKER):
The entries:

iiffgge.dll
mljgh.dll
oleacc32.dll

are hidden, read-only, system directories, NOT files. I've created those to keep files named as such out of the system after some long-ago problem. For some reason HijackThis picks those up.
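Whether an O20 entry points at a file or at a placeholder directory can be checked directly instead of taken on faith. The PowerShell below is an added example, not from the thread or its participants: it walks HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify (the key HijackThis reports as O20), reads each package's DLLName, resolves it the way Winlogon would (a bare name is loaded from System32), and reports whether the path is a signed file, an unsigned file, a directory, or missing. It reads only; PowerShell 2.0+ as an administrator. The function name and the column layout are mine.

```powershell
# Added example (not from the thread): classify each Winlogon Notify package
# (the O20 entries HijackThis lists) as a signed file, an unsigned file, a
# directory, or missing. Read-only; PowerShell 2.0+, run as an administrator.

function Get-WinlogonNotifyStatus {
    $notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    $system32  = Join-Path $env:SystemRoot 'System32'

    foreach ($sub in Get-ChildItem -Path $notifyKey -ErrorAction SilentlyContinue) {
        $dllName = (Get-ItemProperty -Path $sub.PSPath).DLLName
        if (-not $dllName) { continue }

        # Winlogon loads bare names from System32; honour rooted paths as written.
        $path = [Environment]::ExpandEnvironmentVariables($dllName)
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $system32 $path }

        $status  = 'missing'
        $company = $null
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            if ($item.PSIsContainer) {
                # A directory cannot be loaded as a DLL; this is the "dummy directory"
                # trick zdoe describes, which HijackThis reports like a file.
                $status = 'directory'
            } else {
                $company = $item.VersionInfo.CompanyName
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -eq 'Valid') {
                    $status = 'signed: ' + $sig.SignerCertificate.Subject
                } else {
                    $status = 'unsigned (' + $sig.Status + ')'
                }
            }
        }

        New-Object PSObject -Property @{
            Package = $sub.PSChildName
            DLLName = $dllName
            Path    = $path
            Company = $company
            Status  = $status
        }
    }
}

Get-WinlogonNotifyStatus | Sort-Object Status | Format-Table Package, Status, Company, Path -AutoSize
```

One caveat when reading the Status column: Windows' own Notify DLLs on XP (crypt32, cryptnet, sclgntfy, wlballoon and the like) are catalog-signed rather than Authenticode-signed, so Get-AuthenticodeSignature reports them as NotSigned. The rows that deserve attention are real files under names not shipped with Windows, or files whose Company value is not Microsoft; for those, comparing the hash against a known-good installation or running sfc /scannow is the next step.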
I'll take your word for it, but I still think you should run ComboFix and MBAM.
zdoe (ASKER):
I ran ComboFix somewhere along my travels with this problem. I just downloaded MBAM, but have to run out for a meeting now. I will post its log a bit later.
zdoe (ASKER):
So I have now run MBAM. It found a bunch of things, but most of them seem to be false positives; the files it claimed to have found in the start menu were non-existent. Maybe it's just humoring us.

It, and Symantec Corporate AV while MBAM was scanning, did find a few things that are dubious:
nvdia.exe
rpcnetp.exe
rpcnet.dll

but killing these did not remove the symptoms.
Attachment: mbam-log-2009-02-16--01-25-54-.txt
zdoe (ASKER):
The problem persists.

Another pointer: before this problem appeared, ERUNT registry backups would copy four "other open user profiles" as a part of the backup. Now, only two.

What does the WMI service actually DO?

BTW, ComboFix gets flagged as a virus by one of the scanners I use. Is there a rogue version out there?
No. ComboFix uses some tools like pskill from www.sysinternals.com, and a lot of scanners tag that as bad because it can kill processes.

This from your MBAM log:
C:\Windows\SYSTEM32\a.exe (Trojan.Agent) -> Not selected for removal.
C:\Windows\SYSTEM32\sav.cpl (Rogue.SystemAntivirus2008) -> Not selected for removal.
C:\Windows\SYSTEM\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\services.exe (Trojan.Agent) -> Not selected for removal.

Those are not false positives; it looks like you have a rootkit installed. Did you ever run ComboFix? If not, redownload it and run it.
zdoe (ASKER):
a.exe
sav.cpl
services.exe

are all empty, hidden directories that I've created on some earlier rounds to avert troubles stemming from similarly named files. Thus, yes, they are false positives, and they are not getting flagged by Symantec Corporate AntiVirus, which looks a bit deeper into matters.

msiexec.exe does exist on my system. I suppose it's the MSI installer program: manufacturer Microsoft, file version 3.1.4001.5512; seems very consistent with the real WinXP SP3 files.
Well, it removed the msiexec.

At this point I have no further help to offer. I would recommend deleting the question for a points refund, as there is no useful information in here. As long as you do strange things like the a, sav.cpl, etc. it is hard to figure out your problem. Symantec can be set to ignore those files, but you take the risk of rogue software just overwriting those. Good luck.
zdoe (ASKER):
Probably the system file restorer has put msiexec back on.

I don't have ignore on those files; they don't get flagged, I suspect, because the AV checks what's behind the name.

I've seen a few instances, not on this machine but elsewhere, where my "dummy directory" approach helped kill threats that no scanner could remove.

The answer is somewhere in group policy / security-related matters, if only I knew where!

Would there be a way to remove / reinstall the WMI service?
zdoe (ASKER):
How about this, an instruction snippet from somewhere on the net:
1. Start / Run / dcomcnfg / OK.
2. Expand the Component Services tree.
3. Expand the Computers tree under Component Services.
4. Right-click on My Computer and choose Properties.
5. On the Default Properties tab, change the Default Authentication Level to Connect.
6. Select the Default COM Security tab.
7. Press Edit Default under Default Access Permissions.
8. Press Add.
9. Enter "Administrators" in the box and click OK.
10. Set the Access Permission to "Allow" for Administrators.
11. Press OK, OK, and OK.
12. Shutdown and restart your computer.

BUT there is NO "Default COM Security" tab on my computer.

Playing around with this, the DCOM error message recurring in the event log has now changed:
The server {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} did not register with DCOM within the required timeout.

and there's a new one:
The Distributed Transaction Coordinator service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.
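The quoted procedure drives dcomcnfg, which writes to HKLM\SOFTWARE\Microsoft\Ole: the Default Authentication Level step sets the LegacyAuthenticationLevel DWORD (2 = Connect), and the Default Access Permissions steps edit the REG_BINARY security descriptor in DefaultAccessPermission. On XP SP2 and later the tab is named "COM Security" rather than "Default COM Security", and it also holds the machine-wide limits (MachineAccessRestriction and MachineLaunchRestriction), which are enforced in addition to the defaults; a grant in the defaults does nothing if the limits still exclude the account. The PowerShell below is an added example, not from the thread or its participants: it exports the key, then makes the same two edits from a script. The COM rights constants are the documented bit values; the function names are mine. Elevated PowerShell 2.0+, followed by a reboot as the procedure's last step requires.

```powershell
# Added example (not from the thread): the registry edits behind the quoted
# dcomcnfg steps. Elevated PowerShell 2.0+; reboot afterwards, since RPCSS reads
# these values at start. The key is exported to %TEMP% first so it can be re-imported.
$ole = 'HKLM:\SOFTWARE\Microsoft\Ole'

# COM access-right bits used in DCOM ACL masks. dcomcnfg's "Local Access" is
# EXECUTE|EXECUTE_LOCAL, "Remote Access" is EXECUTE|EXECUTE_REMOTE; launch ACLs
# additionally use the ACTIVATE bits.
$COM_RIGHTS_EXECUTE         = 0x01
$COM_RIGHTS_EXECUTE_LOCAL   = 0x02
$COM_RIGHTS_EXECUTE_REMOTE  = 0x04
$COM_RIGHTS_ACTIVATE_LOCAL  = 0x08
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10

function Backup-OleKey {
    $file = Join-Path $env:TEMP ('Ole-' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.reg')
    & "$env:SystemRoot\system32\reg.exe" export 'HKLM\SOFTWARE\Microsoft\Ole' $file | Out-Null
    "Ole key exported to $file (restore with: reg import $file)"
}

function Set-DefaultAuthenticationLevel {
    # Step 5. 1=None 2=Connect 3=Call 4=Packet 5=Packet Integrity 6=Packet Privacy
    param([int]$Level = 2)
    Set-ItemProperty -Path $ole -Name LegacyAuthenticationLevel -Value $Level -Type DWord
}

function Grant-OlePermission {
    # Steps 7-10: add an Allow ACE for $Sid to one of the REG_BINARY security
    # descriptors under the Ole key (DefaultAccessPermission, DefaultLaunchPermission,
    # MachineAccessRestriction or MachineLaunchRestriction).
    param([string]$ValueName,
          [System.Security.Principal.SecurityIdentifier]$Sid,
          [int]$Mask)

    $admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $bytes  = (Get-ItemProperty -Path $ole -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($bytes) {
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    } else {
        # Value absent means COM's built-in default applies; start a fresh descriptor.
        $flags = [System.Security.AccessControl.ControlFlags]::DiscretionaryAclPresent
        $dacl  = New-Object System.Security.AccessControl.RawAcl -ArgumentList 2, 1
        $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $flags, $admins, $admins, $null, $dacl
    }
    if ($sd.DiscretionaryAcl -eq $null) {
        $sd.DiscretionaryAcl = New-Object System.Security.AccessControl.RawAcl -ArgumentList 2, 1
        $sd.SetFlags($sd.ControlFlags -bor [System.Security.AccessControl.ControlFlags]::DiscretionaryAclPresent)
    }

    # Idempotent: leave the ACL alone if an Allow ACE for $Sid already covers $Mask.
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceQualifier -eq 'AccessAllowed' -and
            $ace.SecurityIdentifier -eq $Sid -and
            (($ace.AccessMask -band $Mask) -eq $Mask)) {
            return "$ValueName already grants $Sid 0x{0:X}" -f $Mask
        }
    }
    $allowed = [System.Security.AccessControl.AceQualifier]::AccessAllowed
    $noFlags = [System.Security.AccessControl.AceFlags]::None
    $newAce  = New-Object System.Security.AccessControl.CommonAce -ArgumentList $noFlags, $allowed, $Mask, $Sid, $false, $null
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $newAce)

    $out = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($out, 0)
    Set-ItemProperty -Path $ole -Name $ValueName -Value $out -Type Binary
    "$ValueName is now: " + $sd.GetSddlForm('All')
}

# The quoted procedure: Connect-level default authentication, and Administrators
# allowed local and remote access in Default Access Permissions.
Backup-OleKey
Set-DefaultAuthenticationLevel -Level 2
$administrators = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
Grant-OlePermission -ValueName DefaultAccessPermission -Sid $administrators `
    -Mask ($COM_RIGHTS_EXECUTE -bor $COM_RIGHTS_EXECUTE_LOCAL -bor $COM_RIGHTS_EXECUTE_REMOTE)
```

Because the original event was a denied launch of wmiprvse.exe rather than a denied call, the ACLs that matter for it are DefaultLaunchPermission (or the AppID's own LaunchPermission) and MachineLaunchRestriction, not the access permission the procedure edits; Grant-OlePermission takes those value names too, with the ACTIVATE bits added to the mask. Keep the exported .reg file until the machine has rebooted cleanly.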
ASKER CERTIFIED SOLUTION (members-only; not shown on this page)