Disable DCOM

Discussion in 'other security issues & news' started by Rico, May 20, 2006.

Thread Status:
Not open for further replies.
  1. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,703
    Location:
    Texas
    Hi Guys,

    Sometimes upon boot all tray icons load, with the exception of ZoneAlarm. Taking a look at my "Event Viewer", the failure of ZA's icon is preceded by the following sequence of errors just before ZA:

    DCOM got error "This service cannot be started... the next error
    The DHCP client service depends on NetBT failed to start... next error
    Timeout waiting for Webroot Spy Sweeper engine... next error
    The Webroot Spy Sweeper engine failed... next error
    True Vector Internet Monitor depends on vsdatant service failed to start

    Okay! I (a long time ago) disabled "NetBIOS over TCP/IP"; I was told to do this to avoid malware. Not exactly sure why I'm mentioning it here. Could it be possible that the DCOM error sets up the failure of ZA, and ultimately the hang?

    Note this occurs only sometimes, requiring turning off the machine (no control to shut down), then rebooting, & all is well.

    This is a standalone desktop running XP SP2, with a DSL connection & NAT router. Has anyone tried or used the following:

    http://www.grc.com/freeware/dcom.htm

    GRC says DCOM is not needed, and can allow malware. I think I tried this a few years back & had no internet. Also, is the "DCOM Server Process Launcher" service the same DCOM that grc.com is talking about disabling? If so, why would TweakHound recommend leaving this service on Automatic?

    I guess I'm rambling, but if anyone has run the DCOM thing from GRC with DSL & no problems, I would try it, hoping to eliminate my occasional hangs & ZA failure.
     
  2. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    784
    Location:
    UK
    I have disabled DCOM using GRC's DCOMbobulator, also used their Unplug n' Pray [I don't game] and their Windows Messenger disabler, all without any problem. All 3 small progs [only 25KB each] firstly check your system for the vulnerability and allow you to reverse your actions if you need to. I run XP SP1.
    Gordon
     
  3. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Hi Rico,

    Go over service dependencies; deal with the NetBT driver here, which I'm confident should be running - http://windowsxp.mvps.org/dhcp.htm
    Check its current status by opening a prompt and typing - sc query netbt

    "Could it be possible that the DCOM error sets up the failure of ZA ...." Again, you need to check dependencies. Your setup includes a NAT router which I don't know enough to comment on, but could be involved somewhere, possibly a port issue.

    "Also is DCOM Server Process Launcher service, the same DCOM grc.com is talking about disabling?"
    No, different. Technicals as applied to SP2 - http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx
    TCP/IP Fundamentals - http://www.microsoft.com/technet/itsolutions/network/evaluate/technol/tcpipfund/tcpipfund.mspx

    ".... why would TweakHound recommend leaving this service in automatic?"
    Because it's used when accessing Windows' own defragmenter, the Windows firewall, and possibly other 3rd party components (I suspect ZA).

    You can see which DCOM protocols are active by running dcomcnfg > double-clicking Component Services > right-click My Computer > Properties > Default Protocols. Furthermore, DCOM may be disabled from inside the Default Properties tab. Alternately, double-check your registry ....
    hkey_local_machine\software\microsoft\ole for the string EnableDCOM; N is disabled.

    Sorry, I don't find myself at liberty to provide a direct answer concerning how all this, including your NAT, may be affecting ZA or vice versa; someone with a similar setup will have to come forward.

    EDIT: It's possible I'm barkin' up the wrong tree here Rico, but would you take a look in the same place as above, except this time expanding Component Services on your left side > Computers > My Computer > then looking under both COM+ Applications and/or DCOM Config (I'm not sure which, but most likely the latter) for a ZA listing. Then if there, right-click and open the Security tab inside Properties. Selecting "Customize" under any of the three headings will allow you to review individual account permissions.

    I'm still inconclusive due to time constraints, nonetheless an important area worthy of deeper investigation.
    PS - Windows Firewall is listed under DCOM Config, "SharedAccess."


    GF
     

    Last edited: May 21, 2006
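An added example, not code from the thread, from GRC or from ZoneAlarm: a PowerShell script (Windows PowerShell 2.0 or later on XP SP2) that collects in one pass the things GlobalForce's post asks Rico to check by hand. It reads the EnableDCOM value that the GRC tool and the dcomcnfg Default Properties tab toggle, shows the state and dependencies of the Win32 services in Rico's event-log chain, queries the two kernel drivers through WMI (Get-Service only lists Win32 services, which is why the post says to use sc query for NetBT), and pulls the latest DCOM and Service Control Manager errors from the System log so their order is visible. The service names Dhcp, DcomLaunch, RpcSs and vsmon, and the driver names NetBT and vsdatant, are assumptions; vsmon and vsdatant are ZoneAlarm's TrueVector names and should be checked in services.msc before trusting the output.

```powershell
# Added example, not code from the thread, from GRC or from ZoneAlarm.
# Windows XP SP2 with Windows PowerShell 2.0 or later.
# Assumed service names: Dhcp (DHCP Client), DcomLaunch (DCOM Server Process
# Launcher), RpcSs (Remote Procedure Call), vsmon (ZoneAlarm TrueVector service).
# Assumed driver names: NetBT, vsdatant (ZoneAlarm TrueVector driver).

# 1. The value the GRC tool and the dcomcnfg Default Properties tab change.
#    It is a REG_SZ under HKLM\SOFTWARE\Microsoft\Ole; absent means enabled.
#    It does not control the DcomLaunch service, which is queried in step 2.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
$enableDcom = if ($ole -and $ole.EnableDCOM) { $ole.EnableDCOM } else { 'Y (value absent)' }
"EnableDCOM = $enableDcom"

# 2. Win32 services in the event-log chain, with what each depends on.
foreach ($name in 'DcomLaunch', 'RpcSs', 'Dhcp', 'vsmon') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -eq $null) { "{0,-12} not installed" -f $name; continue }
    $deps = ($svc.ServicesDependedOn | ForEach-Object { $_.Name }) -join ', '
    "{0,-12} {1,-8} depends on: {2}" -f $name, $svc.Status, $deps
}

# 3. Kernel drivers. Get-Service lists only Win32 services, so use WMI here
#    (the same information as 'sc query netbt', plus the start mode).
foreach ($name in 'NetBT', 'vsdatant') {
    $drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$name'"
    if ($drv -eq $null) { "{0,-12} not installed" -f $name; continue }
    "{0,-12} {1,-8} start mode: {2}" -f $name, $drv.State, $drv.StartMode
}

# 4. The errors Rico quoted are System-log entries from the DCOM and Service
#    Control Manager sources; show the latest few in time order.
Get-EventLog -LogName System -EntryType Error -Newest 300 |
    Where-Object { $_.Source -eq 'DCOM' -or $_.Source -eq 'Service Control Manager' } |
    Select-Object TimeGenerated, Source, EventID, Message -First 10 |
    Sort-Object TimeGenerated |
    Format-Table -AutoSize -Wrap
```

Save it as dcom-check.ps1 and run it from a PowerShell prompt right after one of the bad boots. EnableDCOM = N means the GRC tool (or the Default Properties tab) has turned DCOM off; that is independent of whether DcomLaunch is running, which is the distinction the post draws between the two. A driver in step 3 that is not Running with start mode Boot or System, or a service in step 2 whose dependency list names something that step 3 shows stopped, is the dependency holdup GlobalForce is pointing at.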
  4. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Might add that Perfect Disk throws up an error with DCOM disabled.
     
  5. Rico

    Hi GlobalForce,

    I've looked & cannot find ZA at:
    I did find Zb at DCOM config.

    Thanks
    rico

    I've been where your pic shows; ZA is definitely not at DCOM Config. I'll look again at COM+ Applications.
     
  6. Rico

    Hi GlobalForce,

    Did not find ZA (see pic)
     

    Attached Files: com.jpg
  7. GlobalForce

    Rico,

    It may be listed as a numbered entry down the column under DCOM Config.
    You'll have to right-click each to determine its presence or not.

    Re-check my post above again; a few things were changed/added.

    PS - ZA's service .... what's it listed as (name)?


    GF
     
  8. Rico

    Hi GlobalForce,

    Please take a look at https://www.wilderssecurity.com/showthread.php?t=131647

    The first time I went to component area, windows said snagit, is at:

    Hkey_Classes_Root\AppID\Bho.dll is not recorded. Record it, yes/no? I chose no, thinking that if this is correct I could do it later. I'll bet this is why I got the FP. If I should have said yes, how do I get back to it so I can say yes?

    Thanks
    rico

    The only numbers are CLSID, I'll open each to see if ZA is hidden behind one. I'll be back
     
  9. Rico

    Hi GlobalForce,

    Disregard my last post about yes/no & SnagIt. I've now said yes to recording its location at hkeyroot/appid/bho.dll. Interesting though; I'll test that scanner again & I'll bet it won't get flagged.

    At DCOM Config the only numbered items are CLSIDs; right-click or Properties shows up like (see pic):
     

  10. GlobalForce

    Yeah Rico .... had me goin' there with "how do I ..." :D
    OK, barring no entry for ZA .... what's your NetBT driver doing right now (cmd in post three)?

    Is there any other security type pro that may be holding up ZA's follow-through?

    Question: What happens if you set ZA for a manual start and then fire it?
    ~ I know you'll need time offline to test ~

    PS - In that last screenshot it's important you go through them all, some will have an .exe associated with the local path.
    If a ZA .exe still isn't listed, then the issue is probably elsewhere.


    GF
     
    Last edited: May 21, 2006
  11. Rico

    Hi GlobalForce,

    see pic

    I went through the list twice & no ZA!

    I'll bet ZA is (see pic post nine) ZClientm or zb
     

  12. GlobalForce

    Rico,

    I don't think so .... "I'll bet ZA is (see pic post nine) ZClientm or zb" - at least not the first, which is listed on my system and I don't run ZA. Try re-focusing your efforts back towards other system defences that may be causing the failure; there must be some other dependency holdup or block. I'm thinking Sysinternals' LoadOrder would show what's being loaded before ZA initializes. So let me ask .... what other programs do you have onboard that are capable of running interference?


    GF
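An added example, not part of the thread and not Sysinternals' LoadOrder itself: a PowerShell script (XP SP2, PowerShell 2.0 or later) that reconstructs from the registry what LoadOrder displays, so the question "what loads before ZA" can be answered without the tool. Boot and System start drivers come first, then Automatic services ordered by ServiceGroupOrder and each service's Tag, and finally the Run-key programs that put the tray icons up, which start after the shell and therefore after everything in the first table. The within-group Tag order is an approximation (the kernel consults the GroupOrderList table rather than sorting tags numerically), and nothing in the script is specific to ZoneAlarm; the names vsdatant and vsmon to look for in the first table are assumptions about ZA's TrueVector driver and service.

```powershell
# Added example, not code from the thread. Reconstructs the boot load order
# from the registry (XP SP2, PowerShell 2.0 or later). The within-group Tag
# order is an approximation: the kernel uses GroupOrderList, not numeric order.
$ccs = 'HKLM:\SYSTEM\CurrentControlSet'

# Groups start in the order listed in ServiceGroupOrder\List (a REG_MULTI_SZ).
$groupList = @((Get-ItemProperty "$ccs\Control\ServiceGroupOrder").List)
$groupRank = @{}
for ($i = 0; $i -lt $groupList.Count; $i++) {
    $groupRank[$groupList[$i].ToLower()] = $i
}

$entries = foreach ($key in Get-ChildItem "$ccs\Services") {
    $p = Get-ItemProperty $key.PSPath
    # Start: 0 = Boot, 1 = System, 2 = Automatic, 3 = Manual, 4 = Disabled
    if ($p.Start -eq $null -or $p.Start -gt 2) { continue }
    $group = [string]$p.Group
    $rank  = $groupList.Count                 # ungrouped entries come last
    if ($groupRank.ContainsKey($group.ToLower())) { $rank = $groupRank[$group.ToLower()] }
    $tag = [int]::MaxValue                    # untagged entries follow tagged ones
    if ($p.Tag -ne $null) { $tag = [int]$p.Tag }
    New-Object PSObject -Property @{
        Name      = $key.PSChildName
        Start     = $p.Start
        Group     = $group
        GroupRank = $rank
        Tag       = $tag
        Image     = [string]$p.ImagePath
        DependOn  = (@($p.DependOnService) -join ',')
    }
}

# Boot and System drivers are loaded by the kernel before the service
# controller starts any Automatic service, so Start is the primary key.
$entries | Sort-Object Start, GroupRank, Tag, Name |
    Select-Object Name, Start, Group, Tag, DependOn, Image |
    Format-Table -AutoSize

# Tray programs come from the Run keys and start after the shell, i.e. after
# everything above has already been attempted.
"`nRun-key programs (start after the shell):"
foreach ($hive in 'HKLM', 'HKCU') {
    $runKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty $runKey -ErrorAction SilentlyContinue
    if ($run -eq $null) { continue }
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -notmatch '^PS') { "{0,-5} {1,-25} {2}" -f $hive, $prop.Name, $prop.Value }
    }
}
```

Read the first table top to bottom: anything that a later entry names in DependOn, and that carries a Start class or group rank placing it later than its dependant, is a candidate for the "depends on ... failed to start" messages in Rico's event log. The second table is the list of tray icons Rico typed out by hand, in registry order; it does not reflect actual start timing, only that all of them come after every entry in the first table.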
     
  13. Rico

    Hi GlobalForce,

    Here's the startup icons: Adobe Downloader, Process Guard, Regdefend, NOD32, SpySweeper, Roboform, Belkin Bulldog (UPS software), Guru Net, & ZA.

    The hang involving ZA is before or predates: Adobe, PG, RD, NOD, SpySweeper, Robo. The hang occurred prior to their install.

    So the old timers on this machine are Belkin & Guru. I believe it's Belkin; just as its icon is appearing (tray), two sounds or musical notes happen. Also, Belkin & Guru show up about the same time, & a 3/8" x 1/4" white rectangle (the white rectangle replaces a small area of the desktop) appears near where Guru puts its small icon; note clicking the icon (normal use) causes the GuruNet Toolbar to appear, and you can type something for it to look up. A little later in booting/loading the white rectangle goes away. The two musical notes & white rectangle always occur. Also, the Belkin UPS is attached via USB cable to the computer. Also note this hang can occur very randomly, maybe 1 out of 20-30 or more reboots.

    Something weird occurred recently with the UPS. While reading "TweakHound's" services, I found in Windows' list of services that the UPS service was not started. I tried to start the service & an error message occurred, saying the service can't start. When I tried to reboot, Windows wanted to use the last known good configuration. I used safe mode & found the (circle with exclamation point, in Device Manager) on battery. Next, the UPS service had changed from Manual to Auto. I think with the change to Auto, Windows, at the time it loaded Belkin, got the same error I got when I previously tried to start UPS, & this made Windows want to use the last known good config. I used a recent restore point from safe mode to correct it. This does not have anything to do with the ZA sometimes-does-not-load/hang issue, I think. I'll give that load order thing a look.

    Take Care
    rico
     
  14. GlobalForce

    Hi Rico,

    Ah .... you will allow me some time investigating, won't you? ~ Unless of course someone else sees some correlation I may be missing ~
    Fact is I'm not familiar with a few of those programs.

    A few items please .... "The hang involving ZA is before or predates: Adobe, PG, RD, NOD, SpySweeper, Robo. The hang occurred prior to the install."
    Are you saying prior to installing ZA? And ZA .... which version?

    PG .... paid or free?

    Also, if Belkin and Guru have versions, please include them.
    TIA Rico. I'll see what I can turn up.


    GF
     
  15. Rico

    Hi GlobalForce,

    ZA has always (from the get-go) been on this machine. So the "hang" was happening before the installation of: PG (paid), RD, Adobe, Robo, NOD, & Webroot.

    Belkin Bulldog ver. 3.2.19 build 1108
    Guru Net ver. 5.1.4.1468

    Many Thanks & Take Care
    rico
     