DCOM event id 10016/10015 Virus?

Status
Not open for further replies.

atodorski

IS-IT--Management
Jun 14, 2005
8
US
I had been getting a DCOM 10015 error event every minute on my 2k3 Server box with the userid of a user whose computer was infested with viruses and junk. Unplugging the computer from the network made the errors go away. After reloading that desktop the errors ceased. Now when a certain user logs into another pre-tightened security desktop on the same network I get a bunch of 10015 events but they do not go on every minute as the first compromised system did. Also, sometimes in the middle of the night I will see a bunch of 10016 DCOM events associated with my user!

I suspect that my problem is virus related but the only viruses I know of that exploit DCOM are blaster and a few older trojans.

Any information would be appreciated.
 
Well for the 10016 I did the following

1. Open the registry and go to "HKEY_CLASSES_ROOT\CLSID\{<CLSID in the event message>}" to find out the friendly name of this component. In my case, this is "Machine Debug Manager" (CLSID: 0C0A3666-30C9-11D0-8F20-00805F2CD064).
2. Go to Component Services via Start -> Control Panel -> Administrative Tools -> Component Services. Expand the Component Services branch, then expand "Computers", "My Computer", and "DCOM Config". Right-click on "Machine Debug Manager" (or whatever your CLSID represents) and choose Properties. Click on the Security tab and under "Launch and Activation Permissions" select "Use Default". Click OK and close the Component Services window. The error should disappear now.

Hope this helps you.
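
A scripted version of step 1 from the reply above, added here as an example and not part of the original post: it groups the 10016 events in the System log by CLSID, resolves each CLSID to its friendly name and DCOM Config (AppID) name, and lists which user SIDs triggered it. It assumes PowerShell 3.0 or later with Get-WinEvent (not available on a stock Server 2003 install) and a message text containing "CLSID {GUID}"; the function and variable names are illustrative.

```powershell
# Added example, not from the original thread.
# Assumption: the 10016 message contains the text "CLSID {GUID}".
$pattern = 'CLSID\s+(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})'

# Look up the friendly name the way step 1 does by hand, plus the AppID
# name, which is the label shown under DCOM Config in Component Services.
function Resolve-Clsid {
    param([string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $p = Get-ItemProperty -LiteralPath $key
    $appName = $null
    if ($p.AppID) {
        $appKey = "Registry::HKEY_CLASSES_ROOT\AppID\$($p.AppID)"
        if (Test-Path -LiteralPath $appKey) {
            $appName = (Get-ItemProperty -LiteralPath $appKey).'(default)'
        }
    }
    [pscustomobject]@{ Name = $p.'(default)'; AppId = $p.AppID; AppName = $appName }
}

# Pull recent DCOM permission-denied events from the local System log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10016 } `
    -MaxEvents 1000 -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Skip events whose message does not carry a CLSID.
    if ($_.Message -match $pattern) {
        [pscustomobject]@{
            Clsid = $Matches[1]
            Sid   = "$($_.UserId)"      # SID of the account the event was logged for
            Time  = $_.TimeCreated
        }
    }
} | Group-Object Clsid | Sort-Object Count -Descending | ForEach-Object {
    $info = Resolve-Clsid $_.Name       # $null if the CLSID is not registered here
    [pscustomobject]@{
        Count    = $_.Count
        Clsid    = $_.Name
        Name     = $info.Name
        AppName  = $info.AppName
        Sids     = ($_.Group.Sid | Sort-Object -Unique) -join ', '
        LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
    }
} | Format-Table -AutoSize
```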
 
Wow, I was doubtful that there was a non-malicious cause for this sort of thing - shows what I know. Thanks for the information.

Is there any danger in doing nothing about the DCOM errors?
 
DCOM errors are generally created with applications that have not been configured correctly or are corrupt. So this user's PC/system is trying to access a resource and does not have the correct settings/code etc., if you know what I mean.

Best to wipe the PC from scratch and reinstall Windows, and re-add it to the domain. It is always good practice to clean the logs; as this error is adding an entry every minute, it would be easy to overlook other errors.

Run a virus checker on the server to make sure all is well and make sure that all patches are up to date. But I would say rebuild that PC.
 