Errors in My XP Error Log.

Question

JohnUK 0 Newbie Poster

20 Years Ago

I was looking into my error log and noticed these various errors:

Access denied attempting to launch a DCOM Server using DefaultLaunchPermssion. The server is: {00020906-0000-0000-C000- 000000000046} The user is Unavailable/Unavailable, SID=Unavailable.

I have a lot of these in my error logs.

I also noticed recently that i started to get these errors also:

The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events \tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Also i cant seem to update XP, also had problems trying to do a system restore. Are these errors serious?, if so is it possible to fix them?

windows-nt-2000-xp

5 Contributors
24 Replies
304 Views
1 Day Discussion Span
Latest Post 20 Years Ago Latest Post by bentkey

bentkey 10 Posting Whiz

20 Years Ago

John, is this machine directly connected to the Internet or do you have a hardware firewall protecting it? My first thought is some sort of attack is causing this. You can probably turn off the DCOM service without any problem to stop the first error you posted it is normally not used anyway. If you can't update and you can't restore, yes I would say it is serious. What error do you get when you try to update? When you try to restore?

bentkey 10 Posting Whiz

20 Years Ago

John,

I still don't have any idea if you are really directly connected to the Internet or not. Who controls the wireless gateway? Is it yours, or is it part of a campus network that you get access to the Internet through or what? Having a firewall is not optional today, it is absolutely required. I have had customers have their computers completely destroyed by Internet hackers while they were trying to setup their dsl connection! No kidding. The time delay between the time you connect an unprotected machine to the Internet and the time it is first discovered by a hacker these days is probably best figured in minutes not days.

If you have to use a software firewall, Zonealarm is ok but they are not nearly as good as a hardware firewall. I have proven in my lab that attackers can still cause windows machines to crash with softwalls running, even though they can't upload trojans. Still..way better than nothing.

I'm all but certain you are under attack.

You might try going to a command prompt and enter "netstat -n -a > c:\netstat.txt" without the quotes. Post the content of that file here and let me see it. It will show all network connections and ports listening on your pc.

nmcom.dll is part of Netmeeting are you running netmeeting?

One of the most recent MS security updates addresses a security flaw in DCOM. I would disable it at least until you get this issue cleared up.

Try to run the online virus scan from TrendMicro and see if it finds anything.

Dcom is part of windows, but it is only used for very specialized network applications which there is almost no chance that you would be using on a lone PC. Follow these instructions to disable it. Ignore the instructions for testing apps right now, you can enable it later if you want.
Click on Start | Run | and enter: C:\WinNT\System32\Dcomcnfg.exe

Then click on the Applications tab.

Many programs "support" Distributed Communication (DCOM) but rarely ever use it. This includes such programs as Windows Media and Wordpad. When examining this option, look for third-party applications that might actually REQUIRE network support, as opposed to those that simply support it. To find out if these programs really require DCOM, you must disable it, run the programs, and see what happens.

Note that it is probably only necessary to look at third-party programs here.

Microsoft programs designed to run on a non-networked, stand-a-lone computer are usually written to support but do not require DCOM. To disable DCOM, go to the Default Properties tab and uncheck the box labeled "Enable Distributed COM on this computer".

Reboot, and try running the third-party software noted as above. Odds are that everything will still run correctly. If not, go back and enable DCOM again. As you re-enable it, also go to the Default Protocols tab and remove all protocols except "Connection-oriented TCP/IP". This doesn’t create any additional security but does reduce the number of connection methods you have to keep an eye on.

If you do not have to re-enable DCOM again, then on the Default Protocols tab remove all protocols. You won't need them, and that should stop Windows from listening on Port 135.

bentkey 10 Posting Whiz

20 Years Ago

OK John,
Don't mean to scare you, but you are absolutely being hacked.

A little info if you look in your log at these

port 139
NetBIOS Session (TCP), Windows File and Printer Sharing
This is the single most dangerous port on the Internet. All "File and Printer Sharing" on a Windows machine runs over this port. About 10% of all users on the Internet leave their hard disks exposed on this port. This is the first port hackers want to connect to, and the port that firewalls block.
port 445 is a secondary netbios port

port 1025 is assigned to a port of the "Active Directory logon and directory replication interface"

you had active connections on port 139 to somewhere in Russia

2 connections on port 445 to Amsterdam

1 Connection on port 1025 to China

and a whole lotta dropped connections to Texas on random ports to web port 80 since you enabled the firewall.

All doing God knows what.

Your second log shows the one on port 1025 still connected so I would guess they have a trojon on your machine phoning home.

Did you run the Virus Scan from TrendMicro ?

bentkey 10 Posting Whiz

20 Years Ago

Oh heheh the port 80 connection is to Daniweb guess we don't need to worry about that one. Should of mentioned, before doing the scan, close all the stuff you have open to web. Makes it easier to read. But I think we got what we needed in this case anyway.

kc0arf 68 Posting Virtuoso

20 Years Ago

Hello,

Seeing the damage that is done, I think it is best for you to re-format your drives and start over. You don't know what modifications were made to the system, and could spend the next few months of your life making things work again. Sometimes it is smart to just start over.

But when you do start over, plan how you are going to stop internet attacks from the start. I have seen machines get hacked into in as little as 10 minutes after being "completed" but before proper patches are installed. A firewall should be the FIRST thing installed after the OS boots up. Have the firewall ready on CD, so that you can boot and install it pronto.

Christian

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

JohnUK 0 Newbie Poster · Answer 1 · 2004-07-01T01:05:11+00:00

I dont directly connect to the Internet on the machine, i connect using a wireless gateway. In terms of firewall i aint currently been using one (stupid i know). Was going to install Zone alarm, not a computer tech person myself.

I've been told by windows update there is 1 security update that i can download, i try and download it and all i get is an error on the page saying could not be installed.

I tried to do a system restore, it gets to the point where it reboots gets me back into XP and the window says restore unsuccessful and doesnt carry out the restore.

JohnUK 0 Newbie Poster · Answer 2 · 2004-07-01T01:33:52+00:00

Only things i have done recently have been following the various guides and help to try and remove the About:Blank IE Hijacker.

The D-Com has been there for a while, never caused me any problems, however over the last two days i cant install the updates i download nor can i carry out the system restore.

I dunno if this helps but i created a system restore point and then an hour later i tried to revert back to it and it worked. It just wont restore points prior to today.

JohnUK 0 Newbie Poster · Answer 3 · 2004-07-01T02:24:37+00:00

I looked at the folder where the updates download, which i believe is the wutemp folder on my c:\ drive, the update file was there but when i tried to run it and the error it came up with was:

c:\windows\system32\dlcache\nmcom.dll is open or in use by another application, close all applications then retry.

JohnUK 0 Newbie Poster · Answer 4 · 2004-07-01T17:56:23+00:00

John,
I still don't have any idea if you are really directly connected to the Internet or not. Who controls the wireless gateway? Is it yours, or is it part of a campus network that you get access to the Internet through or what? Having a firewall is not optional today, it is absolutely required. I have had customers have their computers completely destroyed by Internet hackers while they were trying to setup their dsl connection! No kidding. The time delay between the time you connect an unprotected machine to the Internet and the time it is first discovered by a hacker these days is probably best figured in minutes not days.

Basically its a wireless adsl router in another room that i connect to via a wireless usb device. I can enable a firewall on the router i think. I have just enabled the firewall on my router i think.

John,
You might try going to a command prompt and enter "netstat -n -a > c:\netstat.txt" without the quotes. Post the content of that file here and let me see it. It will show all network connections and ports listening on your pc.

Active Connections

And this is the one after i enabled the firewall on the router:

Active Connections

John,
nmcom.dll is part of Netmeeting are you running netmeeting?

I have it installed, i dont think it is running though, i bought my pc a couple months back it was probably installed by them.

John,
One of the most recent MS security updates addresses a security flaw in DCOM. I would disable it at least until you get this issue cleared up.
Try to run the online virus scan from TrendMicro and see if it finds anything.
Dcom is part of windows, but it is only used for very specialized network applications which there is almost no chance that you would be using on a lone PC. Follow these instructions to disable it. Ignore the instructions for testing apps right now, you can enable it later if you want.
Click on Start | Run | and enter: C:\WinNT\System32\Dcomcnfg.exe
Then click on the Applications tab.
Many programs "support" Distributed Communication (DCOM) but rarely ever use it. This includes such programs as Windows Media and Wordpad. When examining this option, look for third-party applications that might actually REQUIRE network support, as opposed to those that simply support it. To find out if these programs really require DCOM, you must disable it, run the programs, and see what happens.
Note that it is probably only necessary to look at third-party programs here.
Microsoft programs designed to run on a non-networked, stand-a-lone computer are usually written to support but do not require DCOM. To disable DCOM, go to the Default Properties tab and uncheck the box labeled "Enable Distributed COM on this computer".
Reboot, and try running the third-party software noted as above. Odds are that everything will still run correctly. If not, go back and enable DCOM again. As you re-enable it, also go to the Default Protocols tab and remove all protocols except "Connection-oriented TCP/IP". This doesn’t create any additional security but does reduce the number of connection methods you have to keep an eye on.
If you do not have to re-enable DCOM again, then on the Default Protocols tab remove all protocols. You won't need them, and that should stop Windows from listening on Port 135.

I'm a bit lost on this sorry, i dont see an applications tab, when i run dcomcnfg.exe it opens the component services, if i click on event viewer i see an applications, security and systems error records.

JohnUK 0 Newbie Poster · Answer 5 · 2004-07-01T19:36:25+00:00

Checked my error logs today and i dont have any dcom ones so far.

JohnUK 0 Newbie Poster · Answer 6 · 2004-07-01T22:00:59+00:00

I cant get the scan to work on their site, my Internet Explorer crashes, should i install firefox for example and try and run it from that?

JohnUK 0 Newbie Poster · Answer 7 · 2004-07-01T23:07:57+00:00

Hello,
Seeing the damage that is done, I think it is best for you to re-format your drives and start over. You don't know what modifications were made to the system, and could spend the next few months of your life making things work again. Sometimes it is smart to just start over.
But when you do start over, plan how you are going to stop internet attacks from the start. I have seen machines get hacked into in as little as 10 minutes after being "completed" but before proper patches are installed. A firewall should be the FIRST thing installed after the OS boots up. Have the firewall ready on CD, so that you can boot and install it pronto.
Christian

I have been considering it, my pc is newish bought it from Mesh at the end of May, i dont want to reformat due to a possible breach in my warranty etc, i hope i can fix it somehow first, or maybe get them to look at it.

In terms of system stablity it runs fine, only probs i have are these suspected hacks and i cant install windows updates,i can download but not install due to a program using a .dll file. And i have the annoying about:blank hijacker which resets my homepage and gives me popups, shame cause a week ago my pc was working fine, though i've had the dcom error logs for ages.

JohnUK 0 Newbie Poster · Answer 8 · 2004-07-01T23:43:02+00:00

Mesh did give me a recovery disk, which lets me either:

1. roll back to last good boot.
2. roll back to the original installation- state when delivered.
3. reinstall clean windows.
4 reformat drive-and install windows.

bentkey 10 Posting Whiz · Answer 9 · 2004-07-02T00:14:26+00:00

I agree with Christian. But sometimes people have things that are just about irreplaceable installed. If you're not in that category, then by all means, reformat drive and reinstall windows. AND get that firewall ready.

JohnUK 0 Newbie Poster · Answer 10 · 2004-07-02T00:17:46+00:00

I agree with Christian. But sometimes people have things that are just about irreplaceable installed. If you're not in that category, then by all means, reformat drive and reinstall windows. AND get that firewall ready.

Concerning the firewall will the one i enabled on my router be suffcient? or should i install zone alarm for example?

JohnUK 0 Newbie Poster · Answer 11 · 2004-07-02T02:59:03+00:00

And should a format/reinstall wipe the stuff clean from my hardrive, the hijacker etc?

bentkey 10 Posting Whiz · Answer 12 · 2004-07-02T03:17:09+00:00

A format and reinstall when booted from a bootable CD will destroy everything. Most any type of DSL router these days, that is set up to do NAT is sufficient for what you need. Sometimes people still use zonealarm so they can see what is trying to get out. Remember, if you're browsing the Internet and you download something like Malware, normally your firewall won't protect you from that. It's main purpose is to prevent hackers from ever even seeing your machine from the outside. They won't be able to "touch" any of your ports. But if you download something, and it "phones home", then you still have a problem. In that case something like ZoneAlarm will at least alert you that somethings trying to get out and you know something is going on. So although I never do it myself because I don't like these applications running on my machine, you probably should until you really know what's what. Hope that makes sense.

JohnUK 0 Newbie Poster · Answer 13 · 2004-07-02T03:46:01+00:00

A format and reinstall when booted from a bootable CD will destroy everything. Most any type of DSL router these days, that is set up to do NAT is sufficient for what you need. Sometimes people still use zonealarm so they can see what is trying to get out. Remember, if you're browsing the Internet and you download something like Malware, normally your firewall won't protect you from that. It's main purpose is to prevent hackers from ever even seeing your machine from the outside. They won't be able to "touch" any of your ports. But if you download something, and it "phones home", then you still have a problem. In that case something like ZoneAlarm will at least alert you that somethings trying to get out and you know something is going on. So although I never do it myself because I don't like these applications running on my machine, you probably should until you really know what's what. Hope that makes sense.

Based on the two logs i posted earlier, when i turned the router firewall on did it restrict some of the activity and if so is it ok just to use that?

DMR 152 Wombat At Large Team Colleague · Answer 14 · 2004-07-02T04:16:01+00:00

As bentkey alluded to- if you still see some of the activity, you still have active nasties in your system that need to go. The router may be able to be configured to block outgoing attempts to "phone home", but the programs responsible for the activity are still alive and festering on you machine.

JohnUK 0 Newbie Poster · Answer 15 · 2004-07-02T04:44:57+00:00

Just posting to firstly say thankyou for the help that has been submitted in the thread.:)

In terms of my error report the dcom errors seem to have stopped a bit,
instead i get the ocasional

"The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events \tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error."

Secondly i am going to probably reformat and reinstall windows, first i am going to notify the company that i bought the pc from (mesh) and tell them i have probs, they will probably tell me to reformat, just doing this to make sure my ass is covered basically.

I'm hoping the reformat will fix the .dll errors i got and hopefully get rid of this browser hijacker, then making sure my router firewall is on and maybe put zonelarm on just to incrase the safety a bit more. Reason why i stupidly never used one before was i thought it would effect my gaming, in terms of ping etc, though now i see that it doesnt really. I might install a new browser instead of IE cause i read that its a security risk, firefox perhaps.

Once again thankyou for the information, i'll keep you informed or if i have any more queires after i reformat and reinstall.

caperjack 875 I hate 20 Questions Team Colleague · Answer 16 · 2004-07-02T04:47:00+00:00

So a move to the security section of this fourm and get some of the programs like ad-aware and spy-bot and hijackthis ,to help remove the Baddies from within is in order maybe!:)

JohnUK 0 Newbie Poster · Answer 17 · 2004-07-02T04:50:26+00:00

So a move to the security section of this fourm and get some of the programs like ad-aware and spy-bot and hijackthis ,to help remove the Baddies from within is in orde maybe!:)

Yeah i've been in there before posted aout the about:blank hijacker, you might of seen my post. Basically i've tried loads of things, however it seems to come back 2 days later, tried that fix solution by phage but it came back also. Real pain in the arse :evil:

caperjack 875 I hate 20 Questions Team Colleague · Answer 18 · 2004-07-02T04:54:01+00:00

Ah! so you have ,someone just recomended you use a updated cwshredder to fix it

bentkey 10 Posting Whiz · Answer 19 · 2004-07-02T05:30:13+00:00

His machine has been so ravaged now, it only makes sense to format and start over. Personally I would love to have my hands on that machine for a while just to find and kill the things. Guess that's why I'm in the business. Of course, I'd still format it after I had fixed it just to be sure. :D John, I think you should go ahead and put ZoneAlarm on it, AdAware, Spybot, SpywareBlaster, Spyware Guard and some kind of up-to-date antivirus too. Do as much of it as you can with net cable unplugged too. Good Luck.