Solved

winXP sp3 DCOM errors in event log, group policy

Posted on 2009-02-14
17
Medium Priority
1,356 Views
Last Modified: 2013-11-25
I have spent probably two days googling around to find a remedy for this.

After recovering from a (virus-related?) crash where my start menu and minimized application tabs had disappeared, my system now has something askew - maybe it has to do with group policy security settings.

Most everything in the machine works, at least in a single-user environment, but there are repeated and sometimes frequent DCOM errors in the log, and some .NET apps don't run despite re-installation of the .NET components.

Unable to start a DCOM Server: {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}. The error:
"Access is denied. "
Happened while starting this command:
C:\Windows\SYSTEM32\WBEM\wmiprvse.exe -Embedding

When I try to access Local Security Policy I get an error message:
"The Group Policy security settings that apply to this machine could not be determined.
The error returned when trying to retrieve these settings from the local security policy database (%windir%\security\database\secedit.sdb) was: The parameter is incorrect."

To my understanding the file permissions on the drive are all as they should be. The permissions on C:\Windows\SYSTEM32\WBEM\wmiprvse.exe are ticked for access but grayed out, and remain so even if I try to take ownership & manipulate them.

This problem started at SP2. I repair-installed once, and when that didn't fix the problem I decided to try whether SP3 would cure it. It didn't.

A clean install is not an option - there are way too many applications / tweaks on the system.
0
Question by:zdoe
17 Comments
 
LVL 24

Assisted Solution

by:DMTechGrooup
DMTechGrooup earned 400 total points
ID: 23641724
Try following this. It will reset permissions that malware can corrupt.

Method 1: Reset the registry and the file permissions
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows
To reset the registry and file permissions, follow these steps:
Download and then install the Subinacl.exe file. To do this, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en (http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en)
Start Notepad.
Copy and then paste the following text into Notepad.
cd /d "%ProgramFiles%\Windows Resource Kits\Tools"
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.
Save this Notepad file as Reset.cmd.
Double-click the Reset.cmd file to run the script.

Note This script file may take a long time to run. You must run this script as an administrator.
0
 
LVL 1

Author Comment

by:zdoe
ID: 23642782
I have now run the script. Symptoms appear to be as before.

Some of the script lines produce error messages, for example:
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
done ~200000 modified ~200000 failed 23 syntax errors 0

And there is no
%windir%\repair\secsetup.inf
file on the system, so that line gives a "file not found" error. I looked for it also on an SP3 install disk and didn't find one. Assuming that it would help, do you think you could attach it to this thread?
0
 
LVL 24

Expert Comment

by:DMTechGrooup
ID: 23643702
You need to make sure you are truly malware-free. Also run the script in Safe Mode after running Malwarebytes.

Download HijackThis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download 

Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything yet.
Paste the log in the "Code Snippet" or "Attach File" window.

Then download and install Malwarebytes from www.malwarebytes.org and do the same with its log file as with the HijackThis log.


Download Malwarebytes' Anti-Malware to your desktop, check for the tool's Updates before running a scan.
http://www.malwarebytes.org/mbam.php 
If you can't access the above link then use this link:
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button 
0
 
LVL 1

Author Comment

by:zdoe
ID: 23645907
I'm 98% sure that the system is now clean. I have run Symantec Antivirus, Ad-Aware & Spybot Search & Destroy. But who knows?

Attached please find the HijackThis log (which I had without downloading).

BTW - what I forgot to mention was that your script from earlier DID improve things - now the permissions for wmiprvse.exe are no longer grayed out.
zdoeXPsp3hijackthis.log
0
 
LVL 24

Expert Comment

by:DMTechGrooup
ID: 23645921
Definitely install and run Malwarebytes. It picks up a lot more stuff than Ad-Aware.
0
 
LVL 24

Expert Comment

by:DMTechGrooup
ID: 23645938
Yeah, I would say it looks like you have some issues.

O20 - Winlogon Notify: iiffgge - C:\WINDOWS\SYSTEM32\iiffgge.dll
O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
O20 - Winlogon Notify: oleacc32 - C:\WINDOWS\SYSTEM32\oleacc32.dll


Please download ComboFix by sUBs:

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


0
 
LVL 1

Author Comment

by:zdoe
ID: 23646022
The entries:

iiffgge.dll
mljgh.dll
oleacc32.dll

are hidden, read-only, system directories, NOT files. I've created those to keep files named as such out of the system after some long-ago problem. For some reason HijackThis picks those up.
0
 
LVL 24

Expert Comment

by:DMTechGrooup
ID: 23646024
I'll take your word for it, but I still think you should run ComboFix and MBAM.
0
 
LVL 1

Author Comment

by:zdoe
ID: 23646059
I ran ComboFix somewhere along my travels with this problem. Just downloaded MBAM, but I have to run out for a meeting now. Will post its log a bit later.
0
 
LVL 1

Author Comment

by:zdoe
ID: 23647498
So I have now run MBAM. It found a bunch of things, but most of them seem to be false positives - the files it claimed to have found at the start menu were non-existent. Maybe it's just humoring us.

It, and Symantec Corporate AV while MBAM was scanning, did find a few things that are dubious:
nvdia.exe
rpcnetp.exe
rpcnet.dll

But killing these did not remove the symptoms.
mbam-log-2009-02-16--01-25-54-.txt
0
 
LVL 1

Author Comment

by:zdoe
ID: 23898150
The problem persists.

Another pointer - before this problem appeared, ERUNT registry backups would copy four "other open user profiles" as a part of the backup. Now, only two.

What does the WMI service actually DO?

BTW - ComboFix gets flagged as a virus by one of the scanners I use. Is there a rogue version out there?
0
 
LVL 24

Expert Comment

by:DMTechGrooup
ID: 23899151
No. ComboFix uses some processes like pskill from www.sysinternals.com, and a lot of scanners tag that as bad because it can kill processes.

This from your MBAM log:
C:\Windows\SYSTEM32\a.exe (Trojan.Agent) -> Not selected for removal.
C:\Windows\SYSTEM32\sav.cpl (Rogue.SystemAntivirus2008) -> Not selected for removal.
C:\Windows\SYSTEM\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\services.exe (Trojan.Agent) -> Not selected for removal.

Those are not false positives; it looks like you have a rootkit installed. Did you ever run ComboFix? If not, redownload it and run it.
0
 
LVL 1

Author Comment

by:zdoe
ID: 23899460
a.exe
sav.cpl
services.exe

are all empty, hidden directories that I've created on some earlier rounds to avert troubles stemming from similarly named files. Thus, yes, they are false positives - and they are not getting flagged by Symantec Corporate Antivirus, which looks a bit deeper into matters.

msiexec.exe does exist in my system. I suppose it's the MSI installer program: manufacturer Microsoft, file version 3.1.4001.5512 - seems very consistent with the real WinXP SP3 files.
0
 
LVL 24

Expert Comment

by:DMTechGrooup
ID: 23899491
Well, it removed the msiexec.

At this point I have no further help to offer. I would recommend deleting the question for a points refund, as there is no useful information in here. As long as you do strange things like the a, sav.cpl, etc. it is hard to figure out your problem. Symantec can be set to ignore those files, but you take the risk of rogue software just overwriting those. Good luck.
0
 
LVL 1

Author Comment

by:zdoe
ID: 23899613
Probably the system file restorer has put msiexec back on.

I don't have "ignore" on those files - they don't get flagged, I suspect, because the AV checks what's behind the name.

I've seen a few instances - not on this machine but elsewhere - where my "dummy directory" approach helped kill threats that no scanner could remove.

The answer is somewhere in group policy / security-related matters - if only I knew where!

Would there be a way to remove / reinstall the WMI service?
0
 
LVL 1

Author Comment

by:zdoe
ID: 23935759
How about an instruction snippet from somewhere on the net:
1. Start / Run / dcomcnfg / OK.
2. Expand the Component Services tree.
3. Expand the Computers tree under Component Services.
4. Right-click on My Computer and choose Properties.
5. On the Default Properties tab, change the Default Authentication Level to Connect.
6. Select the Default COM Security tab.
7. Press Edit Default under Default Access Permissions.
8. Press Add.
9. Enter "Administrators" in the box and click OK.
10. Set the Access Permission to "Allow" for Administrators.
11. Press OK, OK, and OK.
12. Shutdown and restart your computer.

BUT there is NO "Default COM Security" tab on my computer.

Playing around with this, the DCOM error message recurring on the event log has now changed:
The server {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} did not register with DCOM within the required timeout.

And there's a new one:
The Distributed Transaction Coordinator service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.
0
 
LVL 1

Accepted Solution

by:
zdoe earned 0 total points
ID: 23942293
DCOM errors are gone - though there is now a bunch of other errors on the event log.

I'm not completely positive that this is what did it, but I suspect so:

30-08-2006, wavellan, Re: Windows Server 2003 Standard - DCOM Problems
For those of you who are interested, I finally resolved this issue. It appears as some MS patch changed the permissions on the following registry key:

HKEY_CLASSES_ROOT\CLSID

In order to resolve the problem, the following permissions were added

Registry Key: HKEY_CLASSES_ROOT\CLSID (and all child keys and values)

Permissions Added:

Authenticated users: Read access
Network Service: full control

from: http://forums.techarena.in/windows-server-help/571730.htm

Now - I may soon start another thread to lose the current event log errors...
0
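An added example, not from the thread or from either participant, that audits HKEY_CLASSES_ROOT\CLSID for the two permissions named in the accepted solution (Authenticated Users: Read, NETWORK SERVICE: Full Control, inherited by child keys) and adds whatever is missing only when run with the hypothetical -Apply switch. It assumes PowerShell 2.0 or later in an elevated session on the affected machine; the identity strings and the ContainerInherit choice are my assumptions about how the forum post's wording maps onto registry ACEs.

```powershell
# Added example: verify (and optionally restore) the CLSID key ACEs from the accepted solution.
# Run elevated. Without -Apply the script only reports; with -Apply it adds the missing ACEs.
param([switch]$Apply)

$KeyPath = 'Registry::HKEY_CLASSES_ROOT\CLSID'
$Inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit   # child keys inherit
$Prop    = [System.Security.AccessControl.PropagationFlags]::None

# The two permissions the forum post names, expressed as RegistryRights (assumed mapping).
$Wanted = @(
    @{ Identity = 'NT AUTHORITY\Authenticated Users'; Rights = [System.Security.AccessControl.RegistryRights]::ReadKey },
    @{ Identity = 'NT AUTHORITY\NETWORK SERVICE';     Rights = [System.Security.AccessControl.RegistryRights]::FullControl }
)

$acl     = Get-Acl -Path $KeyPath
$missing = @()
foreach ($w in $Wanted) {
    # Satisfied when an Allow ACE for this identity already covers every wanted right.
    $ok = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $w.Identity -and
        (($_.RegistryRights -band $w.Rights) -eq $w.Rights)
    }
    if ($ok) { Write-Host "OK      $($w.Identity): $($w.Rights)" }
    else     { Write-Host "MISSING $($w.Identity): $($w.Rights)"; $missing += $w }
}

if ($missing.Count -eq 0) { Write-Host 'CLSID permissions match the accepted solution.'; return }
if (-not $Apply)          { Write-Host 'Re-run with -Apply to add the missing entries.'; return }

foreach ($w in $missing) {
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $w.Identity, $w.Rights, $Inherit, $Prop, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $KeyPath -AclObject $acl
Write-Host 'Applied. Child keys inherit the new entries; reboot before re-checking the event log.'
```

Set-Acl rewrites the key's security descriptor, so if it fails with an access-denied error the current account probably lacks ownership of the key, which is the same symptom the original subinacl script was meant to clear.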