DCOM cannot start the service

learnlife 2006-03-20 12:26:33
The system log reads as follows: DCOM 遇到错误“无法启动服务,原因可能是它被禁用或与它相关联的设备没有启动。 ”,试图以参数“”启动服务 WinMgmt 以运行服务器:{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Which services are associated with DCOM?
『Note: today I disabled some services, and then this happened. The system is Windows 2000 Server』
『Also: what does this message mean: "Windows 无法卸载注册表文件。如果有一个移动配置文件,您的DETAIL - 拒绝访问。 ,内部版本号((2195))。"? It is in the application log』
learnlife 2006-04-01
I still have not solved the problem, but thanks anyway to the friends who replied.
learnlife 2006-03-29
How do I start this service?
net_sky 2006-03-28
My 2003 Server has also run into this situation, but it had little effect on the system; there was only a record in the log file.
learnlife 2006-03-27
Hello mudonfield (如影随行), I am not very familiar with 2000. Which other services is the DCOM service related to? Could shutting down other services cause DCOM to fail to start?
mudonfield 2006-03-20
Below is the information on this virus:
----------------------------------------------------------------------------
Details:

Installation and Autostart Technique

Upon execution, this memory-resident worm drops a copy of itself as in the Windows folder. It also drops into the Windows system folder the file REMON.SYS, which Trend Micro detects as TROJ_ROOTKIT.S.

To enable automatic execution at every system startup, it registers itself and its dropped malware as services by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvidGUIv2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\REMON

Other Registry Modifications

This worm disables Automatic Windows Update, Security Center functions, and firewall settings by modifying the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify = "dword:00000001"
AntiVirusDisableNotify = "dword:00000001"
FirewallDisableNotify = "dword:00000001"
AntiVirusOverride = "dword:00000001"
FirewallOverride = "dword:00000001"

(Note: The default value for the said registry entries is "dword:00000000". Deleting these entries has the same effect as restoring them.)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall = "dword:00000000"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall = "dword:00000000"

(Note: By default, the said entries do not exist on most systems.)

It also attempts to disable the Task Manager and Registry Tools by creating the following registry entries:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = "dword:00000001"

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = "dword:00000001"

It disables various system services by modifying the following registry entries:

Security Center service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
Start = "dword:00000004"

Remote Registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start = "dword:00000004"

Windows Update
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
AuOptions = "dword:00000000"

Messenger service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger
Start = "dword:00000004"

(Note: The default value for the said registry entries is "dword:00000002".)

TelNet Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
Start = "dword:00000004"

(Note: The default value for the said registry entries is "dword:00000003".)

To shorten the length of time the system waits for services to stop before shut down, it modifies the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
WaitToKillServiceTimeout = "7000"

(Note: The default value for the said registry entry is "20000".)

On Windows XP systems, it disables the automatic update for Service Pack 2 by modifying the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2 = "dword:00000001"

(Note: The default value for the said registry entry is "dword:00000000". Deleting this entry has the same effect as restoring it.)

It disables administrative shares by creating the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks = "dword:00000000"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer = "dword:00000000"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks = "dword:00000000"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer = "dword:00000000"

This worm also disables the DCOM protocol and restricts anonymous access to the affected system by modifying the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
EnableDCOM = "N"

(Note: The default entry is EnableDCOM = "Y".)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
RestrictAnonymous = "dword:00000001"

(Note: Though there is no default value for RestrictAnonymous, it may be modified from the one defined by the user.)

Network Propagation and Exploits

This worm spreads via network shares. It searches for the following default shared folders, where it drops a copy of itself:

ADMIN$
ADMIN$\system32
C$\Windows\system32
C$\WINNT\system32
D$\Windows\system32
D$\WINNT\system32
IPC$

In addition, it takes advantage of the following Windows vulnerabilities to propagate across networks:

ASN.1 Library Bitstring Heap Overflow vulnerability, which is due to an unchecked buffer in the Microsoft ASN.1 library. An attacker or a specially designed malware can cause this buffer to overflow and execute code with system privileges on affected systems. With the ability to execute code with system privileges, the attacker or the malware may install programs, view and modify data, and create new accounts with full privileges. This vulnerability is discussed in detail in Microsoft Security Bulletin MS04-007.

The Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables a malicious user to gain full control of the affected system. This vulnerability is discussed in detail in Microsoft Security Bulletin MS04-011.

Backdoor Routine

Using various ports, this worm acts as an Internet Relay Chat (IRC) bot that connects to a remote IRC server. It then joins a specific IRC channel, where it listens for commands from a remote malicious user. The following commands are executed locally on the affected machine, providing virtual control to the remote malicious user:

Create threads
Execute files
Flush DNS cache
List and terminate processes and services
List, open, read, and delete files or folders
Scan IP addresses, threads, and ports
Send system information
Shut down, log off, and restart a system
Sniff and send packets
Upload and download files

Denial of Service

This worm launches denial of service attacks against target addresses using any of the following flooding methods:

ACK
ICMP
SYN
UDP

Process Termination

This worm terminates processes, which are related to the following variants of WORM_BAGLE and WORM_MYDOOM malware programs.

Bagle.a
Bagle.j
Bagle.k
Bagle.v
Bagle.X
bbeagle.exe
d3dupdate.exe
i11r54n4.exe
irun4.exe
MSBLAST.exe
mscvb32.exe
Mydoom.h
Penis32.exe
rate.exe
ssate.exe
sysinfo.exe
System MScvb
TaskMon
taskmon.exe
teekids.exe
winsys.exe

It also terminates the following processes, which are related to other malware programs' variants, as well as processes and services related to the Windows system:

Microsoft Inet Xp..
Netsky.r
PandaAVEngine
PandaAVEngine.exe
Sobig.c
W32.Blaster
W32.Blaster.B
W32.Blaster.C
windows auto update

Other Details

This worm accesses the following File Transfer Protocol (FTP) addresses to download and upload files:

download.nvidia.{BLOCKED}NVIDIA_EuroNews_English.wmv
ftp.aol.com//aim{BLOCKED}exe
ftp.ea.com/pub/e{BLOCKED}nfs/nfs-cd.zip
ftp.ncsa.uiuc.ed{BLOCKED}kTime/RealTime1.sea.bin
ftp.osc.edu/pub/{BLOCKED}cttssh.exe
ftp.symantec.com{BLOCKED}ngarian/liveupdate/lusetup.exe

This worm runs on Windows 2000, XP, and Server 2003.
mudonfield 2006-03-20
This is a case of a DCOM service failing to start that I ran into myself, and how I handled it; I hope it helps.

Yesterday, while configuring backups for a server, I found it could not be accessed; on investigation, its administrative shares and IPC$ had been turned off. Later I also found that DCOM access had been disabled.

Today's inspection and handling:
Modified the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks = "dword:00000000" (changed to 1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer = "dword:00000000" (changed to 1)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
RestrictAnonymous = "dword:00000001" (changed to 0)
Restarted the Server service; the shares came back and access was normal, but after a few tens of seconds or a few minutes the shares disappeared again.
Enabled DCOM in Dcomcnfg; likewise, after a few tens of seconds it was automatically turned off again.
Checked Group Policy and found that the related options were not configured.

Checked the system processes and found nothing suspicious; checked the started services under system services and found the following suspicious service:
NVIDGUIV

Searched for information... On the Trend Micro website I found the following related information; this is a Trojan.

Yesterday, while staff were configuring server users, they added seven or eight users to the Administrators group. My judgement is that a client machine was infected with this Trojan and, because it had been granted administrator rights, the infection spread to the server and caused the server's abnormal behaviour.

Following the virus characteristics given in the information, I repaired step by step:

1. Removed the ordinary users from the Administrators group
2. Deleted the related service entries in the registry and restarted the computer
3. Repaired the modified registry entries, restoring their initial values
4. Ran a full-disk virus scan with McAfee, which detected and removed C:\Winnt\remon.sys and C:\Winnt\NVIDGUIV.EXE
5. Repaired the DCOM configuration
6. Reapplied Windows 2000 SP4 and all patches released after it
7. After restarting the computer, checked and everything was normal.
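As an added example, not part of this thread or of the Trend Micro description it quotes, the following PowerShell audit checks the registry values the description lists against the defaults it states, and looks for the two service names (nvidGUIv2, REMON) it mentions. It assumes a host running PowerShell with read access to HKLM; the thread itself concerns Windows 2000, which predates PowerShell, so on such a system the same checks would be done by hand in regedit.

```powershell
# Added example: audit the registry values and service names listed in the
# Trend Micro description above, comparing each with the default it states.
# Assumes PowerShell (5.1 or later) and read access to HKLM. Default = $null
# means "does not exist by default", so its mere presence is reported.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'UpdatesDisableNotify';   Default = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusDisableNotify'; Default = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify';  Default = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc';        Name = 'Start'; Default = 2 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry'; Name = 'Start'; Default = 2 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Messenger';      Name = 'Start'; Default = 2 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\TlntSvr';        Name = 'Start'; Default = 3 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control'; Name = 'WaitToKillServiceTimeout'; Default = '20000' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole';           Name = 'EnableDCOM';               Default = 'Y' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'; Name = 'AutoShareServer'; Default = $null },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'; Name = 'AutoShareWks';    Default = $null },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall'; Default = $null }
)

function Get-RegistryFinding {
    param([hashtable]$Check)
    $name = $Check.Name
    # Absent key or value yields $null instead of an error.
    $item = Get-ItemProperty -Path $Check.Path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        if ($null -eq $Check.Default) { return $null }      # absent, as expected
        return "MISSING  $($Check.Path)\$name (default $($Check.Default))"
    }
    $actual = $item.$name
    if ($null -eq $Check.Default) {
        return "PRESENT  $($Check.Path)\$name = $actual (not present by default)"
    }
    # Compare as strings so REG_DWORD and REG_SZ defaults are handled alike.
    if ("$actual" -ne "$($Check.Default)") {
        return "CHANGED  $($Check.Path)\$name = $actual (default $($Check.Default))"
    }
    return $null
}

function Get-SuspiciousServiceKey {
    # Service keys the description says the worm registers; REMON is a driver,
    # so the Services key is checked directly rather than via Get-Service.
    foreach ($svc in 'nvidGUIv2', 'REMON') {
        if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc") { "SERVICE  $svc key present" }
    }
}

$findings = @()
foreach ($c in $checks) { $f = Get-RegistryFinding -Check $c; if ($f) { $findings += $f } }
$findings += @(Get-SuspiciousServiceKey)
if ($findings.Count -eq 0) { 'No deviations from the documented defaults found.' } else { $findings }
```

A CHANGED or SERVICE line matches the tampering described in the thread and warrants a closer look; a MISSING line on a modern Windows version may simply reflect a key that no longer exists there.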