Home > MOM > MOM issues as a result of W32.Esbot.C

MOM issues as a result of W32.Esbot.C

Had an issue that started yesterday on my MOM 2000 SP1 server.  The MMC would not launch, it was getting Access Denied.  Here is a sample event that I was seeing in the System Log:
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10006
Date:  8/24/2005
Time:  4:56:16 PM
User:  Domain\MOMAccount
Computer: MYSERVER
DCOM got error "Class not registered " from the computer MYMOMSQLSERVER when attempting to activate the server:
This was happening every 30 seconds in the System Log.  This of course is because the DAS is trying to connect every 30 seconds (since losing connection to the SQL DB).  I was not aware that my servers were infected.  When I did notice the SAV alerts for my management server we patched and cleaned it.  The SQL server was infected but SAV was not detecting it.  So we cleaned that today.
When I tried to launch the MOM MMC I got these events in the Application Log:
Onepoint Operations: 25100 (DAS identity is one cause, the other is DCOM not enabled, please document that MSFT), 21126, 21155.
I checked COM + Components for MOM to make sure the DAS account/identity was correct.  I checked the client config to make sure named pipes and TCPIP was being used.  I checked the ODBC connection, SQL server remote access, etc.  I ran DCOMCNFG (on the Management server only).  DCOM was enabled.
Called PSS and opened a Crit Sit case.  After trying various things, I emailed our AD team who also uses MOM, and they replied with the fix.
W32.Esbot.C changes a reg key.  The reg key that enabled DCOM.  It changes it from Y to N.  Had I done the DCOMCNFG on my SQL server I would have realized DCOM was disabled. 
So what I learned was:
1) MSFT should document these events a little bit better (Access denied can also mean DCOM could be disabled – There are no KB’s on this).
2) I should not assume my machines have been cleaned, but should verify this on my own.
3) Improve communication between internal support teams using similar products and tools.
Categories: MOM
  1. marcus
    August 26, 2005 at 8:27 am

    thanks for the tip, blake. if i hadn\’t read this, i wouldn\’t have been able to help someone who had the same problem. 😀

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: