dcomx.exe error (XP)

Topic

New Reply

Hi,
For the past three days when I’ve gone to use my computer there has been a microsoft error that dcomx.exe has an error and has had to be shut down. I’m not sure what this pertains to. When I did a search in Google I can’t find any info related to it. I searched my computer and found the file in C:Windowssystem32. I do not shut my computer down at night so this has nothing to do with rebooting it. The error seems to be there first thing in the morning.

My antivirus program detected a worm virus two days ago and got rid of it without any issues. This seemed to start prior to that.

Any idea?

Thanks,
Leesha

Reply | Quote

Replies

Leesha–

Can you reproduce/paste the exact error verbatim with any numbers associated? Reason: I can find a lot of errors associated with dcom.exe and corrupt dcom.exe dll files on newsgroups–none in searching the MSKB hard, so I want all the help I can get. The many msdn white papers on this aren’t going to help. I can get it defined for you:

825750: How to Disable DCOM Support in Windows
DCOM: Distritubed Component Object Model

You could always back up; set a restore point; back up the registry key/export it; and disable it as the KB describes if you aren’t networked reasoning you might not need it for networks support, but I don’t know enough about that as a fix to endorse that it’s completely safe. Sure would like to see the entire error then we might nail it.

SMBP

Reply | Quote

Hi SMBP,

I’m not sure what is causing the error so I’m not sure how to reproduce it. It seems to be a daily occurance so I will get you the info you requested the next time it comes up and post it. In the meantime I’ll take a look at the document you linked for me.

Re restoring, that will be my last resort as when I did that about 6 months ago due to a run of issues going on, the problems only got worse. I ended up having the computer reformatted for me (it was due as it had been over 2 years since it was built) and have had no issues since till now. I hesitate to do that as the computer is running smoothly other than this issue. The only new software installed is software for Sonicwall’s VPN client which I’ve uninstalled to see if it was the cause and it wasn’t related.

The other issue is that this computer is in fact networked with 3 other computers and acts as the server.

Thanks for you help,
Leesha

Reply | Quote

Leesha–

I didn’t so much mean run system restore as to set a restore point if you followed the KB being quick to admit, I don’t know enough about the adverse implications if you did to be able to stand behind that. I don’t know how recently this started–that might be a factor. I don’t think you would hurt yourself trying it( running system restore) if you knew when this behavior started, I think the downside would be that you might not get the snapshot restored. Sorry about and am not sure what happened in the sitaution you related.

But if you can get the information on the error, and some of the information Jefferson is looking for on a rt. click property–there are a number of people in the lounge who are used to working with com–component object models–I’m not one–who might be able to pinpoint this.

SMBP

Reply | Quote

One more thing. I noticed your link is specific to DCOM. This error was for dcomx.exe. I wasn’t sure if they were in the same family or not and just wanted to be sure.

Thanks again,
Leesha

Reply | Quote

I do not have this file (Windows XP Pro laptop, TCP/IP networking). Please give us the following information, if you can:

1. Right-click the file, choose Properties, then Version. Anything there that would identify the author, purpose, etc. of the EXE file?
2. Start>Run>regedit, please search for dcomx in the Registry and see if you can find any references to it.
3. Also, can you think of any processes that run during the night that might use this EXE? Maybe backup??

We’ll figure it out eventually.

Reply | Quote

Hi,

I’ve posted a screenshot of the properties for the file. I’m not sure why it says it was created Aug.1 as this started a little over a week ago. I’m not sure what program it would be related to. I’m running XP Pro on both this computer and my laptop. Both computers are pretty identical in programs. The laptop does not have a dcomx.exe file but does have a dcomx.dll file. Both computers had Sonic Wall’s VPN Client installed about a week and a half ago. The laptop has never given me this error , whoever I had to uninstall the program on the laptop due to network conflicts at the office (grrrrrrrrrr). For the heck of it I unistalled the VPN client from the computer that is having the isse but that did not correct the issue. I’ve virus scanned twice and show nothing. That is the only thing that is different between the two computers. The one with the issue got hit with the worm virus on Thursday of last week but was caught and gotten rid of I presumed before any damage was done.

When I looked at the author etc. under the properties it was blank. Other than the antivirus, there is nothing that runs during the night.

I didn’t see anything in the registry that contains the name of this file.

Thanks for the help!! I like my computers to run squeeky clean and although this doesn’t appear to be affecting the performance it is driving me nuts. Also, I’m been working on this computer most of the day making a video and the error came up once, so it isn’t just during the night. Unfortunately is was before I was asked to get all the specifics so I will do that next time it comes up.

Thanks!
Leesha

Reply | Quote

Have you worked with/installed any financial programs, done day trading or similar?

Reply | Quote

Hi Bruce,

Nope to both of these questions. Just for my own constant “need to understand”, why do you ask?

Leesha

Reply | Quote

Hi, Leesh ~

I thought it may be associated with some pecuniary app. Have you run SpyBot and AdAware?

Reply | Quote

Hey Bruce,

Funny that you should mention Spybot. I just uninstalled it from the computer. Your mention of it made me recall that I had uninstalled it over early last week due to getting error messages re a virus being associated with it. I’d do a virus scan and nothing would be picked up. Yet each AM I’d get the same message. I figured my antivirus didn’t like Spybot. Of course I’ve had both on the computer for forever so I don’t know what the issue was. I honestly don’t recall if the dcomx.exe issue started after I removed spybot or not.

Thank God I love a good mystery! Although this one is driving me nuts. It does give me some comfort that if you guys don’t have an immediate fix, then at least I’m not an idiot!

Leesha

Reply | Quote

Hi, Leesh ~

First time I ever heard of anybody not liking SpyBot-S&D – it should be your one saving grace.

There are NO virii associated with SpyBot-S&D. Except the same name, this relatively new virus named ‘Spybot’ has absolutely nothing to do with Spybot-S&D. The virus ‘Spybot’ (see different names below) is basically a keylogger. Here is some information from AV companies:

• McAfee: W32/Spybot.worm.gen
• Symantec: W32.Spybot.Worm
• Panda Software: W32/Spybot
• Kaspersky: Worm.P2P.SpyBot.gen[/list] This virus is NOT part of Spybot-S&D, nor is the Spybot-S&D infected with it. I, as well as most other Loungers, highly recommend you download, install & update SpyBot-S&D 1.2, then run it.

  If SpyBot does not find and remove it as a result of being related to adware, spyware or some other nuisance or malware, however, my suspicion is that ‘dcomx.exe’ is a vestigial remnant component of something similar yet that isn’t defined and crashing as a result of its inability to locate other files such as DLLs on which it may depend or may just be corrupted. I would try the renaming and if all goes well, then obliterate it and any other references of same in system files/folders and registry.

  That file may be part of the ‘SpyBot’ worm with which you were indeed infected and you may need to run a good AV removal tool.

Reply | Quote

Hi Bruce,

First, I did like SpyBot and only removed it due to misreading the virus file which was in fact called “symantc:W32.spybot.worm. I’m pretty anal about my “boys” (all my computers are named as I spend so much time with them) and I can’t believe this got past me. I hope I’ve at least redeemed myself by admitting I use and like Sypbot. If it helps, the networking engineer for my job didn’t realize there was a worn virus with a similar name and he’s a rocket scientist!!!

Anyway, I will do another virus scan on “Jake”. If it comes up clean I wil reinstall spybot and run it. I will then go in and rename the dcomx.exe file and pray there are no network related issues. If in 2-3 weeks there are no functional issues I’ll get rid of it. For good measure I will run the tool you gave me in your post.

Thanks so much for all the info.

Leesha

Reply | Quote

I’d be inclined to rename the file dcomx_exe.old and see what happens.

Reply | Quote

I didn’t think of that. I will try this as soon as I get the error message again, and can make a copy of the info contained it so that I can post it here. It wasn’t there this morning and I haven’t had it since yesterday afternoon.

Leesha

Reply | Quote

I”ve got a user complaining about dcomx as well. She gets the following error message:
AppName: dcomx.exe AppVer: 0.0.0.0 ModName: msvcrt.dll
ModVer: 7.0.2600.1106 Offset: 0002f5ea
C:DOCUME~1DummyLOCALS~1TempWER40.tmp.dir00appcompat.txt

Reply | Quote

Hi,

That is exactly what I’m getting. With the exception of where its being saved on the C:drive. My folder was different and to top it off at quick glance I didn’t see the folder! I got tied up with other stuff and forgot to do a searvh again later. Every time I tried to get a screen shot of the more detailed info but the computer froze every time I tried to paste it into paint or Paint Shop Pro.

Any idea what it means?

Leesha

Reply | Quote

We’re finding out more – it looks as though she picked up a trojan last Friday or so, called KeySpy – it’s a remote keystroke logger/remote control thingy. KeySpy itself is easy enough to find and download on the web; instructions for removing it are harder to find. I don’t know if the two are connected, but they both appeared last Friday. She has also had problems using regedit – it flashes up, then goes away. She’s in the process of trying to download a third-party registry viewer, and a utility Spy Sweeper which promises to get rid of keystroke loggers.

Reply | Quote

I can’t help but think its related as the create date in the properties of the file are August 1 which is the same as your user.

Leesha

Reply | Quote

Spy Sweeper found nothing. My user is going to attemp to do a system restore to a point before last Friday (Aug 1, as you point out). If she has something with a payload triggered Aug 1, it may or may not come back. By the way, we are running Trend OfficeScan antivirus software, which does not seem to find anything.

Reply | Quote

Thanks for the info and I would be interested to know how it goes. I’m using Symantec Antivirus – home edition. My laptop which has not had issues, even with being on home network every day, uses the corporate edition.

I hesitate to restore back to Aug 1 or prior as the last time I did a system restore I had more issues and ended having to reformat the computer. Although I love a squeaky clean computer following a reformat, its not really an option at to do right now.

Good luck and let me know how it goes,
Leesha

Reply | Quote

Have either of you installed this patch?

Microsoft Security Bulletin MS03-026: Buffer Overrun In RPC Interface Could Allow Code Execution (823980)

I notice a lot of “DCOM Exploit” code was posted on the web last week, and dcomx sure sounds like an executable version of that exploit. But if you patched Windows, the exploit might fail, leading to the error message you got. Just a thought.

Reply | Quote

No, I haven’t used this patch. In addition, I haven’t had an error since I did all the suggestions from the lounge including renaming the file. However, this morning I was locked out of my AOL account due to 300+ emails being sent from my account at 8:05 AM. I was on the computer that is giving me the issues vs my work laptop. They are not sure whether it was virus related or not, but rather, felt it was due to someone getting my password. I double checked with our work network engineer who set up my home netword and he doesn’t see how this could’ve happened based on the firewall protection etc. The computer virus scans show no viruses. I’m stumped.

Leesha

Reply | Quote

[indent]

---

We’re finding out more – it looks as though she picked up a trojan last Friday or so, called KeySpy

---

[/indent]KeySpy is a keylogger as is Spybot (not SpyBot-S&D). ‘Dcom.exe’ and ‘Dcomx.exe’ are separate and confusingly similar names as is Spybot, some Microsoft apps/processes and other malware intended to hide out among your system files to avoid conspicuity.

KeySpy is specifically included in the definitions and SpyBot-S&D 1.2 WILL remove it.

Reply | Quote

Bruce,

I ran sypbot and haven’t had any further dcomx.exe errors, however now there ae other issues, as you will see in my above reply. .
Ugh. If I end up having to reformat this computer I will cry.

Leesha

Reply | Quote

Hi, Leesh ~

If isn’t one thing, it is another, huh? Glad to hear you rid yourself of the first issue. Now, the thing with AOL is surely a pain, but it shouldn’t require you to reformat. I have never used AOL (nor will I ever), so hopefully another AOLer might be able to help here.

Reply | Quote

>>I have never used AOL (nor will I ever)

Big sigh, now you sound like our network engineer. It’s been a bone of contention between us for the past 5 years that I use AOL. (I think its more just to get me going than anything else). Given the amount of travel I do, it is truly the easiest method and most cost effective method of accessing the internet. Even our engineer has conceeded that point.

Now on to see what I have to do next.

Thanks for the help,
Leesha

Reply | Quote

Hi, Leesh ~

If cost effectiveness and ease of accessibility is truly the issue, then it would be in your best interest to switch to Juno Platinum.

Juno costs less than half the cost of AOL, by far easier to use than AOL, accessible anywhere in the entire world, and unlike AOL, you may utilize your choice of their Juno client interface, your own client such as Outlook, Outlook Express, Eudora, etc., or via HTTP on the web. Also, unlike AOL, you may use the standard of POP/SMTP and will never be bothered with proprietary configuration of AOL that often conflicts with other systems.

I’d even be more than happy to buy your first month.

Reply | Quote

It’s gotta be a guy thing! What is it with you men and AOL?

I’m loyal to a fault and AOL has served me well so I think I’ll stick with it, although I’m confident that you will consider me a fool for doing so. Hopefully I will save face by the fact that I Re-installed Spybot as well as installed Ad-Aware.

Here’s a tidbit, after running the updates to both programs and then running Spybot first, Ad-Aware found 7 items Spybot didn’t find. I’m now off to bootup in safe mode to re-run my antivirus software to ensure nothing else gets picked up.

Leesha

Reply | Quote