Repeated DCOM errors in Event Viewer

Status
Not open for further replies.

Jasonchatham

IS-IT--Management
Sep 23, 2001
72
GB
I have a client whose fairly new PC has started to generate lots of the following errors in the event log:

Event : ID 10003
Source : DCOM

Description
Access denied attempting to launch a DCOM server using
DefaultLaunchPermission. The server is :
{00020906-0000-0000-c000-000000000046}
The user is Unavailable/Unavailable,SID=Unavailable.

When the PC is booted, generally 6/7 minutes after the "event log started" notification appears in the log, this error appears every 2 minutes.

Anyone got any ideas how to stop it?

Jason
 
The article advises shutting down the server in task manager

Where is Task Manager in WXP?
 
Ctrl+Alt+Delete and select Task Manager, or, if you can, run taskmgr from the Run line.
 
I really think there is a virus/trojan issue here. There is almost nothing on this DCOM event, and it worries me.

Does this user have a firewall in place?
 
If you could get the user to run two online antivirus scans I would appreciate it. Use Trend Micro and Panda:
This is exactly how Blaster, Sasser and SoBig started with reports such as something trying to create a DCOM server applet.

Run the AV. How well patched from Windows Update is this workstation?
 
The machine has always been downloading the updates for Windows, has Norton Antivirus installed and has the XP firewall in place.

It is running on ADSL and a noticeable event happened on 6/6/04 when the latest version of Messenger was installed.
The DCOM event seems to have started after this date.

CTRL+ALT+DEL brings up Task Manager, but what service needs to be restarted? DCOM is not listed.

In Services the nearest thing to this is COM+!

 
Access denied attempting to launch a DCOM Server using DefaultLaunchPermssion. The server is: {00020906-0000-0000-C000-000000000046} The user is <user name>/<computer name>

This comment from -

"This message appears in the logs since a few days (July 2004). It's pretty sure that a worm is causing these messages while trying to break into the system.
The affected system is windows server 2003 obviously the worm is only capable of infecting windows xp hosts."
 
Let's watch this one.

If anyone else has this error, please post.

I am getting worried.
 
I was called out to this user's PC because they were reporting abnormally slow operation.

One thing I did was to stop messenger appearing at start up.

Although as with all intermittent faults / events I could not replicate the slowing down fault.

I will revisit the user's site and follow some of the instructions given above.

Many thanks

Jason
 
Bcastner,

If you think this may be a worm, do the Panda and Trend Micro scanners look for these? Or is there a better scanner?

I am thinking of talking the user (over the phone) through using something to scan with.

Jason
 
I know you said you were watching this so I thought I would bring this to your attention. Another forum listed this problem, the cause, and a possible solution. Just thought I would mention it in case anyone was still wondering about it.

Here is the link:

Sunrunner
 
Zugriff verweigert beim Versuch, einen DCOM-Server zu starten. Server:
{00020906-0000-0000-C000-000000000046}
Benutzer: Unavailable/Unavailable, SID=Unavailable.


Same here, but in German.

Running HouseCall brought nothing.
 
Hi,

I'm getting something similar on my XP Pro system. Here's a copy of one of the many event log entries.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10002
Date: 28/10/2004
Time: 18:48:16
User: N/A
Computer: CARRERA
Description:
Access denied attempting to launch a DCOM Server. The server is:
{00020906-0000-0000-C000-000000000046}
The user is Unavailable/Unavailable, SID=Unavailable.

For more information, see Help and Support Center at

Additionally my system restarts itself too which is very annoying. It only restarts when there is an internet connection active. This has all of the characteristics of a virus but I cannot find one.

I have AVG Antivirus installed and it is kept up to date. I have Agnitum Outpost Firewall running, and I have PrevX Intrusion Prevention running. All of these are kept up to date. I also run Search and Destroy spyware killer and AdAware.

I will try the Panda virus checker as suggested and see what comes up.
If anybody has any other ideas then I'm open to suggestions.

What is DCOM anyway?

Cheers
Pete
 
If I tell you to just ignore the messages as harmless, will you believe me? That is the current advice from Microsoft.

The GUID is for Microsoft Word documents, formally (and mistakenly I believe) a DCOM Application object named "Microsoft Document."

You could remove the errors by following a similar path to this MS KB article, or more wisely, ignore this issue for the moment:
You would adjust the DCOM permissions for DCOM Application 'Microsoft Document'
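
An added example, not part of the original thread and not Microsoft's code: this PowerShell resolves the GUID in a DCOM 10002/10003 description to its registered COM class, server binary and AppID, and reports whether launch rights come from a per-application ACL or from the machine-wide DefaultLaunchPermission that event 10003 names. The function names are hypothetical; it assumes PowerShell 3.0 or later and only reads the registry.

```powershell
# Event description as quoted in this thread (used here as sample input).
$description = @'
Access denied attempting to launch a DCOM Server. The server is:
{00020906-0000-0000-C000-000000000046}
The user is Unavailable/Unavailable, SID=Unavailable.
'@

# Hypothetical helper: pull every distinct CLSID-shaped token out of event text.
function Get-ClsidFromText {
    param([string]$Text)
    $pattern = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
    [regex]::Matches($Text, $pattern) |
        ForEach-Object { $_.Value.ToUpper() } | Select-Object -Unique
}

# Hypothetical helper: look the CLSID up under HKCR\CLSID and follow its AppID.
function Resolve-ComClass {
    param([string]$Clsid)
    $result = [ordered]@{
        Clsid = $Clsid; ClassName = $null; Server = $null
        AppId = $null; AppName = $null; LaunchAcl = 'n/a (no AppID found)'
    }
    $key = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid" -ErrorAction SilentlyContinue
    if ($key) {
        $result.ClassName = $key.GetValue('')      # default value = class name
        $result.AppId     = $key.GetValue('AppID')
        foreach ($sub in 'LocalServer32', 'InprocServer32') {
            $srv = $key.OpenSubKey($sub)
            if ($srv) { $result.Server = $srv.GetValue(''); $srv.Close(); break }
        }
    }
    if ($result.AppId) {
        $app = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\AppID\$($result.AppId)" -ErrorAction SilentlyContinue
        if ($app) {
            $result.AppName = $app.GetValue('')
            # No LaunchPermission value means the machine-wide default ACL
            # (HKLM\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission) applies.
            $acl = 'machine DefaultLaunchPermission'
            if ($null -ne $app.GetValue('LaunchPermission')) { $acl = 'per-application LaunchPermission' }
            $result.LaunchAcl = $acl
        }
    }
    [pscustomobject]$result
}

Get-ClsidFromText $description | ForEach-Object { Resolve-ComClass $_ } | Format-List
```

A server path that points outside the expected application directory, or a CLSID with no registration at all, is the case worth investigating further. On 64-bit Windows, run it from both the 32-bit and 64-bit PowerShell hosts, since 32-bit COM classes are registered in a separate registry view.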
 
pormonde,


Take any event error I.D. number and search for it on these sites.




Also check any "Information" line that mentions "savedump" and you should find reference to "recovered from a bug check". This is the Stop Error that caused your problem.

You can also turn off "automatically restart after an error" so it will just halt at the fault and display the full Stop Error and blue screen.

Right-click My Computer, and then click Properties.
On the Advanced tab, click Settings under Startup and Recovery.
Click to clear the Automatically restart check box under System failure, and then click OK. The error message on a blue screen should remain on the screen so you can record the error information.
 