Topic: Computer locking up in rotation... awkward!

 
Author Thread
InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 02-28-2006 04:46

For some reason, some strange unknown reason, my computer will lock up for 3 or 4 seconds at a time every 2-3 minutes. I don't understand what's causing it. Sygate firewall is blocking all possible spyware, and I've defragged my computer twice. Rebooting doesn't work. I really don't have any more information, but perhaps someone has suffered this problem once before and could give me some insight as to how to fix it? It's like clockwork!

JKMabry
Maniac (V) Inmate

From: raht cheah
Insane since: Aug 2000

posted 02-28-2006 05:17

If you bring up the task manager and go to the processes tab you can click on the column headers to sort by them, try sorting by Mem Usage descending and CPU descending and see what process it is that jumps in there at the time. 3 seconds oughta be enough to catch it.

_Mauro
Bipolar (III) Inmate

From:
Insane since: Jul 2005

posted 02-28-2006 13:40

It could be a non-software cause.
=> A possible hardware cause.

In any event...
Does it do the same if you create a new Windows user profile and use that to login?
* This one is important: often, applications degrade because some data in the Windows user profile has become corrupt.

Have you recently installed new device drivers?
* Revert to another version of the drivers, or remove (this or that new driver that could conflict with an old one) and check.

Does the comp overheat?

I strongly think about a hardware issue though. Without being able to see the problem, I assume "all Windows" is freezing every once in a while,
and this just doesn't make sense to me at a software level.
I mean, Windows has the exclusive control of the display, and delegates privileges to other applications when needed,
so basically, if there was one software acting up to the extent of freezing the complete activity of the pc, then the mentioned software would be Windows itself.

And it would act up for exactly 2-3 seconds every few minutes. It makes even less sense if we are still talking about a software issue.

So? Don't make assumptions anyway: consider some hardware component is likely to die soon, and back up your data first,
then investigate possible causes, one by one.

And between major software modifications, reboot, or better yet, shut down, to let Windows store the newly modified settings and
try to start in a stable state.

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 02-28-2006 18:57

Actually, I have brought up the task manager. explorer.exe (windows shell) seems to be taking up the most mem usage and probably 3 times more than its regular amount.

I've considered the possibility of a hardware issue. The only recent hardware change was like a month ago when I got a new video card... but like I said that was a month ago. I seriously doubt my computer is overheating, it's cooled very efficiently.

As far as other users? Yup, the other user on my computer has also experienced this awkward rotation.

Rinswind 2th
Maniac (V) Inmate

From: Den Haag: The Royal Residence
Insane since: Jul 2000

posted 02-28-2006 23:43

I had this once a long time ago, I was using win98 or win95 or so. It turned out to be a virus which was hiding itself in the win-explorer file.
It was a very long time ago so I don't remember its name but every half decent virus scanner should be helpful.
Get a live disc of some sort with a virus scanner aboard and boot from the disk, scan and remove.

.........................................................................
:: Develop yourself, develop your life, develop the world ::
.........................................................................

_Mauro
Bipolar (III) Inmate

From:
Insane since: Jul 2005

posted 03-01-2006 00:23

Yeah, if it obviously is a process (explorer.exe), investigate that.
With that info, it starts looking like a software issue to me.
(still, what we can say for sure is that it is machine dependent, so OS/application layer, or Hardware, the error is not located "above" those levels,
in application settings or such).

A virusscan is a good idea.
And, in order to repair Windows software components, you can use, for instance, start>run>sfc /scannow with your Windows XP CD (restores original windows files).
You can also use a reg cleaning utility, but the only one I would recommend is regclean from Microsoft, the only +/- reliable one.
And you should also uninstall the video card drivers, reboot, then reinstall them.

Once all these have been done, you'll have a virus free system with software components in their original state.
Reinstalling the driver on top of a regclean then means installing it on a stable system.

It should help already.
---------------------------------------------------------------------------------------------------------------------------
To better "target" the cause, you can also use the Windows event viewer, for application logs in this case.
If there is a warning or error every three minutes in the application logs, copy/paste the error description to google
and you'll get Microsoft's workaround/fix for the mentioned error.

Other than that, there are detailed diagnosis tools available from sysinternals, but you won't need them unless
all that I suggest above fails.

DL-44
Lunatic (VI) Inmate

From: under the bed
Insane since: Feb 2000

posted 03-01-2006 00:38

With all of the nice tips in here, it may not be needed, but I want to clarify the important part of JK's suggestion just in case it was missed - don't just look at what's using your memory/CPU, but watch to see what happens during the interval in which the problem occurs. There's a good chance whatever process is involved will show itself then and there.

FWIW

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted 03-01-2006 09:36

Yes... JK's suggestion's one of the best ways to see if it's possibly something else during those cycles. Bring up the task manager, go to processes and click on the CPU column header twice to sort descending by CPU usage. I once had a program that used to use up every bit of processor power it could grab. Turned out to be Windows Media Player's update service. Had this big memory leak in it. I only found out what it was because I sorted by processes like that.


Justice 4 Pat Richard

_Mauro
Bipolar (III) Inmate

From:
Insane since: Jul 2005

posted 03-01-2006 18:55

Yeah, agreed. Basically, the sysinternals things are "enhanced" monitoring tools for -anything- windows: regmon, filemon, procmon (process), tpcmon, yourmom. No, not that one.
Anyway, you get the idea.
A single click fires loads of actions inside the Windows mechanics, so DL and JK are right, and the sysinternals tools are just another way to get to know the details of what occurs, instead of the task manager.

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 03-03-2006 00:04

Ok so.... if it is a virus (which it sounds like) what would be the best way and what software should I use to remove it?

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted 03-03-2006 03:12

That depends upon the virus. Usually you hope a good, up-to-date antivirus could wipe it out... but that's not always the case. Sometimes it takes a little bit of research with the symptoms to find a way to get rid of the bastard yourself.


Justice 4 Pat Richard

_Mauro
Paranoid (IV) Inmate

From:
Insane since: Jul 2005

posted 03-03-2006 04:02

I'd recommend McAfee or Panda off the top of my head, they both are decent at finding virii, and they have trial or online versions, but I don't personally "think" it's a virus, my recommendation
was here for completion, and giving a full list of tips.

Frankly, my next tip will be: "get at least one hint about the root cause", eg. Control Panel->Administrative Tools->Event viewer->Applications or System

It should look like this, and as you scroll down, it's easy to spot the red crosses, if they occur regularly, you nailed the origin of your problem.



And I was wrong, you don't even have to copy/paste to google for known issues (the ones which have well known fixes), they are linked to the Microsoft Knowledge base directly from the event viewer.

Plus, if you spot something that looks like the issue, you can copy/paste it here for advice.

(Edited by _Mauro on 03-03-2006 04:03)

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 03-03-2006 04:57

Well, I brought that up and I think I've found the problem...

I have hundreds of crosses and i's (for information) labeled DCOM (crosses) and service control manager (i's) that occur within 1:30 to 3 minutes apart from each other, they're definitely the cause of the problem.

I'd post a screen shot but I no longer own any webspace. Now that I've identified the problem, where do I go from here?
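The "error every three minutes" test suggested earlier, turned into a check that can be run over an Event Viewer export. This is an added example, not code from the thread: it assumes a tab-separated export (Type, Date, Time, Source, Description), and the sample log below is constructed, with only the DCOM message text and CLSID taken from the thread.

```python
"""Find event-log sources that fail on a regular schedule.

Reads an Event Viewer style tab-separated export and, per source, counts
Error/Warning entries and measures how regular the gaps between them are.
A source whose gaps cluster tightly (e.g. one every ~150 s) matches the
"DCOM error every 1:30 to 3 minutes" pattern reported in the thread.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample, shaped like a tab-separated Event Viewer export
# (Type, Date, Time, Source, Description).  Not a log from the thread;
# only the DCOM message text and CLSID are the ones quoted there.
SAMPLE_LOG = """\
Error\t03/03/2006\t04:10:02\tDCOM\tThe server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.
Information\t03/03/2006\t04:10:03\tService Control Manager\tConstructed sample: a service entered the running state.
Warning\t03/03/2006\t04:11:40\tUserenv\tConstructed sample: a one-off warning.
Error\t03/03/2006\t04:12:32\tDCOM\tThe server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.
Information\t03/03/2006\t04:12:33\tService Control Manager\tConstructed sample: a service entered the running state.
Error\t03/03/2006\t04:15:04\tDCOM\tThe server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.
Information\t03/03/2006\t04:15:05\tService Control Manager\tConstructed sample: a service entered the running state.
Error\t03/03/2006\t04:17:31\tDCOM\tThe server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.
Information\t03/03/2006\t04:17:32\tService Control Manager\tConstructed sample: a service entered the running state.
"""


def parse_events(text):
    """Parse export lines into dicts; the 'when' field becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        etype, date, time, source, description = line.split("\t", 4)
        when = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
        events.append({"type": etype, "when": when, "source": source,
                       "description": description})
    return events


def periodic_sources(events, min_count=3, max_jitter=0.25):
    """Return {source: (count, mean_gap_seconds)} for Error/Warning sources
    whose gaps between consecutive entries are regular, i.e. the spread of
    the gaps (population stdev / mean) is at most max_jitter."""
    times_by_source = defaultdict(list)
    for ev in events:
        if ev["type"] in ("Error", "Warning"):
            times_by_source[ev["source"]].append(ev["when"])
    found = {}
    for source, times in times_by_source.items():
        if len(times) < min_count:
            continue  # too few entries to call it a schedule
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[source] = (len(times), round(avg, 1))
    return found


if __name__ == "__main__":
    for source, (count, gap) in periodic_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{source}: {count} errors/warnings, one every {gap:.0f} s on average")
```

Information entries are ignored on purpose, so the Service Control Manager "i" entries that accompany each DCOM error do not get reported as a second cause.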

_Mauro
Paranoid (IV) Inmate

From:
Insane since: Jul 2005

posted 03-03-2006 17:43

Hmmm... DCOM stands for Distributed Component Object Model and the scm thing is, as the name says, a generic host for services.

Looks like some service is trying to instantiate a component every three minutes and failing, and it is tightly intricated in your explorer.exe mechanics.

You can take three routes from here, you should take all three.

1) Find one of these error messages, when you double-click it, do you get a link to the MS knowledge base?

2) Copy/paste one of the error messages to google, with quotes, to find more info.

3) Intuition: is there something that occurs regularly, some service which fails at startup, something that should be "listening" (like an antivirus and other tray tools) during your Windows sessions (and something which is installed for all users)?

Could be a browser plugin, could be anything that acts as a "waiter" and runs along explorer.exe or iexplore.exe.

You can also safely apply the "sfc /scannow" trick I gave above, and the regclean thing (because a service and related component are the cause, and because the registry contains settings for such things - and the whole system).

We're limiting the possible causes now, and finding our way.

The best way for me to be able to search root causes is to copy/paste the exact error messages for each of the two errors in your application log here.
Just double-click an entry to get the error description.

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 03-04-2006 05:23

Here's the error message when I double click it:

The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

I don't mean to sound droll but, I typed it into google and found many responses and possible solutions, but I don't understand the lot of any of them. I'm not nearly that computer literate =\. Although I did read on one of the pages that google found that someone fixed it by changing a registry key...

Another one involved someone having DCOM blocked by their firewall, and once they enabled it, it did its thing and installed something then they uninstalled it and scanned for viruses and all was good. That seems like something I think I have the knowledge to attempt... So I'll try that and get back to you all.

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted 03-04-2006 07:05

I'd still get one of the suggested virus scanners (or NOD32 is also damn good) and scan your drive thoroughly before you do that.


Justice 4 Pat Richard

_Mauro
Paranoid (IV) Inmate

From:
Insane since: Jul 2005

posted 03-04-2006 17:35

Skaarjj, I am sorry, but I am categoric: this is not a virus. Insider may take your advice, of course, but imho, it's a waste of time. Virii hide better than this for one, and the more he gives details, the more I am fleshing out the real cause.

I've also copy pasted your error message into google.
The weird number between weird quotes is Iexplore, as it is registered in the.. registry. (regedit-> search it, and you'll see it corresponds to IE).

That guy here: http://www.tek-tips.com/viewthread.cfm?qid=1082303&page=1

Has apparently found a way. NOT disabling Dcom (although you can safely disable it), but the following solution he provides.

I understand you're just a user, but you're a few clicks away from fixing it methinks.
I can't provide Windows screencaps as I don't have a Windows machine handy, due to my laptop dying on me (I am on Mac OS. I HATE OS 9 btw).

But google "enabling Dcom", you'll find your way to the dialogs the guy in the link above describes, and then you can do exactly what he did, it's safe, and should solve it.

Also, try the same search (with the whole error message between quotes), and then append "msdn" or "microsoft knowledge base" to your search to have a very technical msdn description... assuming it is a known issue (it doesn't seem to be, otherwise google would have returned it as first result).

Apparently, a software component related to IE is causing DCOM registration issues. This component, for some reasons, tries to do something every three minutes.

It may be a normal Windows "job" though, and most probably is: such a timed action sounds like, for instance, the clock trying to upgrade, or if there is a fan control, maybe the fan control soft querying the cpu temp, etc.

But I can't see a virus doing this every three minutes, I can't think of a reason for it. Same for spywares.

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 03-05-2006 05:43

Well I typed "enabling DCOM" into google and followed the instructions given here: http://support.sas.com/rnd/itech/doc9/admin_oma/sasserver/comdcom/dcom_enable.html

They didn't seem to work at first so I rebooted, but still no luck =\. Though I keep feeling like we're nearing the solution.

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted 03-05-2006 06:03

Well, _Mauro... you can be as categoric as you want, but having been caught out by things like this before, I prefer to be thorough. Over-confidence on a given path when other possibilities still present themselves is one of the fastest ways to royally screw things up, in my experience. But, in the end, it's up to Insider what he wishes to do, not you or me.


Justice 4 Pat Richard

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 03-05-2006 07:16

I'll do everything that is suggested until all is fixed =\.

_Mauro
Paranoid (IV) Inmate

From:
Insane since: Jul 2005

posted 03-05-2006 17:19

Skaarjj, no offense meant, I do think completion is good for resolution of such issues and I do agree on that and said it before. I do not think randomness is good, it is not a so called best practice at least.

I do think you've experienced comp issues in the past.

I have too. For 9 months now, I've resolved 40 issues of this kind per week for a multinational company.

So yes, experience sounds good, I agree. Order in steps taken for the resolution, methodology and thinking sound even better.
Of course, an advice is an advice, an opinion is an opinion, and everything is good for Insider, but my opinion is that you are wrong on the virus issue, and the way to investigate this.
And I don't want to attack or insult you by saying this, I just happen to 150% disagree with you.

Here we have proven, and logged evidence, of Iexplore being the originator of the issues: Insider's Windows reports it, not me.

So this investigation should be "led to an end" prior to making stabs in the dark, me thinks, on this track we do already have some light.

----------------

Iexplore here is only acting as a "parent", cover to the real, software component which tries to register itself as Dcom and fails.
An application in general involves lots of processes. Iexplore software components are shared, in part, by explorer.exe, hence the fact your explorer.exe "magically locks" each and every time an error pertaining to Iexplore is logged in your applications log: something is saying to IE "hold on, have to try registering myself as DCOM" and never succeeds.

And it really is what happens: a sub process requires its top-level parent to wait for an action which can't be performed, and fails after a couple of seconds of lag.

Consider the reformatting vs tracking down issue balance, also: which one will resolve the problem faster and with the smallest impact on bus... your activities

The link you gave for DCOM is correct, try unchecking everything, restarting, checking everything again, restarting, etc. a couple of times.

To let the system apply this setting fully on startup: it's important.

Of course, a decent default state is important: is your system protected at all? Is it up-to-date? Issues like this can be bugfixed by Windows update.

All my assumptions above take for granted a Windows XP sp 2 with at least a firewall, and maybe a popup blocker and casual spyware check.

But the symptoms still don't look -at all- like a virus.

A Virus which is stupid enough to tell the applications log it has messed up every three minutes would be dead before long, it would basically write down "hello world, I am a nasty piece of software causing others to lock".

I just, in terms of logic and statistics, can't imagine such an obvious activity allow a virus to spread, as it would be identified so early.

Let alone the fact that DCOM is rarely used. Lmao... Think of a nasty virus maker saying to himself "to hide my virus, I'll use a feature which is never used by normal applications and that will lead any error to cause a log entry about the origin".

Way to go! The only possible worse way to write a virus would be writing one which auto-erases itself.

My 2 cents.
One more cent though: on the sysinternals site (www.sysinternals.com) there is a nice piece of software called "procmon": keep it running in the foreground, and when your comp hangs, procmon can tell you the exact sub-process which causes this.

If you get a procmon window to run in the foreground while the issue occurs...

And of course, all this is advice indeed, hence the 2 cents price.

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 03-05-2006 22:40

Couldn't find procmon on that website. I found a bunch of other utilities that ended with 'mon,' but not procmon =\.

_Mauro
Paranoid (IV) Inmate

From:
Insane since: Jul 2005

posted 03-06-2006 04:23

My bad, -memory glitch. It's pslist for you. pmon could help as well, but first, pslist. As I said, it monitors processes as they appear and disappear, act, etc. It could not be enough, I don't know all the sysinternals tools by heart, but it should display the guilty process when your computer freezes.

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 03-10-2006 05:57

After restarting my computer and trying to reconfigure the DCOM settings like I did before, I noticed that all the things I had checked were not checked. So I checked them again as stated in the procedure and restarted. Nope, went back to unchecked.

And as far as that pslist, I can't seem to get it to work. I double click it and command prompt comes up for a millisecond and disappears.

I'm considering just reformatting my whole hard drive =\.

NoJive
Maniac (V) Inmate

From: The Land of one Headlight on.
Insane since: May 2001

posted 03-10-2006 06:18

If you decide to format I suggest you consider killdisk.

http://www.download.com/3000-2092-10188745.html

I figure if you're going that far, might as well make sure there's nothing on that hard drive.

The other BIG thing to remember is disconnect from the internet while you're reinstalling the OS... set up your firewall etc 'before' going back on line.

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 03-10-2006 07:05

Well I'm going to xfer all my music, vids, photos, and various other paintings or artworks onto a second hard drive, then reformat the one with the OS on it.

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

posted 03-11-2006 10:13

I said it before, so for the sake of completion:

quote:

Consider the reformatting vs tracking down issue balance, also: which one will resolve the problem faster and with the smallest impact on bus... your activities



And this:

quote:

And as far as that pslist, I can't seem to get it to work. I double click it and command prompt comes up for a millisecond and disappears.



When such a thing happens, you are generally running a command-line prog.
There is a Windows version of pslist, but when in doubt about whether a soft is command-line or not,
just create a text file besides the prog, inside that text file, put:

code:
progname.exe
pause



And name that file "something.bat", then double-click it.

docilebob
Maniac (V) Mad Scientist

From: buttcrack of the midwest
Insane since: Oct 2000

posted 03-13-2006 13:44

Not to change the subject or anything, but I have the same problem with the sfc.exe. When you tell it to run, it flashes on the screen almost long enough to identify it, and it's gone. (Win 2K pro).
Why does it do that ?



<edit> it also happens on my machine at work that's running XP Pro</edit>

(Edited by docilebob on 03-13-2006 13:45)

hyperbole
Paranoid (IV) Inmate

From: Madison, Indiana, USA
Insane since: Aug 2000

posted 03-13-2006 19:31

bob: sfc.exe is a command line program. You need to run it from a command prompt to see any output from it. If you try to run any command line program from within windows, it will exhibit that behavior.

Start menu --> Run.
Type cmd.
In the command window type sfc




-- not necessarily stoned... just beautiful.


(Edited by hyperbole on 03-13-2006 20:03)

docilebob
Maniac (V) Mad Scientist

From: buttcrack of the midwest
Insane since: Oct 2000

posted 03-14-2006 07:02

Exibits the same behavior from the "run" command.
At least in XP. I'm at work now. But I have tried the run command on the 2K Pro box, and it does the same thing.

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted 03-14-2006 07:54

That's because you're missing out the step where you type 'cmd' and hit enter to bring up the windows command prompt. In that DOS window that then comes up you navigate to where sfc is and type 'sfc.exe' and let it run.


Justice 4 Pat Richard

Gilbert Nolander
Maniac (V) Inmate

From: Washington DC
Insane since: May 2002

posted 03-15-2006 05:55

as info:

Try this virus scan software out. It works really well, and it's free...

http://free.grisoft.com/doc/1

----| Asylum Quotes

docilebob
Maniac (V) Mad Scientist

From: buttcrack of the midwest
Insane since: Oct 2000

posted 03-15-2006 06:55

@ Skaarjj :

Ah-HA !

I'll try that when I get home. At work it says I need to be an admin running a console session.
Thanks.

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 03-17-2006 06:14

Ok I made the .bat file and put exactly what you told me to put in there, when I double click it a command prompt comes up and says press any key to continue, then it disappears =\.

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

posted 03-17-2006 19:58

...Consider seriously remastering that pc, eg. backup/format/reinstall.

If you want to keep your local settings, they are stored to {systemroot}:\Documents and Settings\{username}
So back that up among things.

Because, in the amount of time it'll take for me to guide you through a resolution, with all the misunderstandings due to various factors,
computers will have been replaced by genetically created pocket multipurpose bots, and we will be in some cryogenic sleep state waiting to be resurrected.
...

If you persist in tracking and removing the root cause, though, then I've just tested a bunch of sysinternals on my home pc,
and there's a better one for you, one with a cool gui on top.
A sort of super-task-manager, and by far one of the best.

http://www.sysinternals.com/Utilities/ProcessExplorer.html

When you use it, sort by cpu, and in the "view" menu, check all "show" options. The most important is the "show process tree".
And try to spot which one freezes, and post us with a screencap.

It's easy, the one which freezes will have something close to 100% cpu.
By monitoring the process tree, if it's a program that depends on another, we can track the exact originator.

Can't do that with the normal task manager.

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

posted 03-17-2006 20:01

Actually, Process Explorer is a hell of a monitoring tool.
I mean, it will replace 10 other system tools I used to use, from now on.

It just shows processes that are currently accessing the filesystem in green, or other colors,
it shows -exactly- what's going on, and allows you to lookup any process on google in a click.

Plus 10000 other amazing features. This thing rocks.

(Edited by _Mauro on 03-17-2006 20:01)

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 03-19-2006 07:13

Don't have webspace, but bottom line is I've found the program. When it's not locking up, 'System Idle Process' is taking up 80-90% of my CPU, but after a little research I've found that to be perfectly normal. However, when it IS locking up, I've located the program that's doing it. When it locks up, 'winlogon.exe' is now taking up 80-90% and SID is down to 10-20%. Once it's done locking up SID is back to where it was and winlogon.exe goes back to 10-20% CPU usage. I've typed winlogon.exe into google and found this useful definition. It's a backdoor trojan that hides itself in my comp to steal and send out personal information. I also found another discussion of this virus here.

After searching for winlogon.exe on my hard drive, I've found that I have:

WINLOGON.EXE in C:\i386
WINLOGON.EXE-0957F9B2.pf in C:\WINDOWS\Prefetch
winlogon.exe in C:\WINDOWS\SYSTEM32

So basically, I have to somehow determine which one is the real winlogon and which one is the virus. Then I have to disable/kill the program, and finally delete it from my hard drive. And probably run adaware afterwards...

So. My question is, how do I determine which one is the virus?

JKMabry
Maniac (V) Inmate

From: raht cheah
Insane since: Aug 2000

posted 03-19-2006 08:40

winlogon should live in system32

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 03-19-2006 08:51

The real one or the virus?

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted 03-19-2006 10:30

The real one. But here's the problem. the i386 folder looks like it's left over from the installation of windows, and the Prefetch folder is, I believe (and I could be wrong) something like a process cache. All three of those files may very well be legitimate, however it is displaying aberrant behaviour. You can try, of course, running Symantec's Netsky Removal Tool and see if it catches anything. Worth a shot if nothing else presents itself.


Justice 4 Pat Richard

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 03-19-2006 17:15

Actually, I did use that tool. Yesterday. It didn't find or fix anything.

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

posted 03-19-2006 17:34

Hold on a sec, winlogon.exe, the default one I mean, is the process on which all session specific processes depend, and my process explorer shows it.
If you have a virus which disguises as another winlogon, you should use removal tools, but if it turns out it is not a virus,
check it in process explorer, in a tree view, to see dependencies (and which sub-process may cause the lock)

(other than that, one of them may be a virus indeed. Process explorer also allows you, on a right click, to find the path to the executable, another way to find which one is doing what,
but the tips you just received from others sound right).

(Edited by _Mauro on 03-19-2006 17:37)

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted 03-20-2006 17:33

I wonder... this feels like a stab in the dark, but it sounds like something is making a login attempt every three minutes or so, so winlogon is being called again. If your prefetch is packed it can slow down program execution (rather than speeding it up, which is what it's meant to do. Go Microsoft!) so that could be why winlogon.exe is suddenly chewing up ~90% of your processor time.


Justice 4 Pat Richard

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

posted 03-20-2006 17:49

Processes don't need to login: winlogon.exe is for human users.
Processes are started by a given virtual user anyway, would it be System, etc. And this doesn't require a logon or password,
these users are provided by the system and cannot be accessed as user accounts from a Windows logon pad.

As far as I can tell, some winlogon subproc, or a virus disguised as winlogon, tries to register itself as a dcom component and fails.

Rinswind 2th
Maniac (V) Inmate

From: Den Haag: The Royal Residence
Insane since: Jul 2000

posted 03-20-2006 17:55

Maybe it is possible to remove all winlogon.exe variants on your system and reinstall them from the .cab files from your windows cd. However this will not help when something is calling winlogon. But it might if winlogon.exe is tainted.

.........................................................................
:: Develop yourself, develop your life, develop the world ::
.........................................................................

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

posted 03-20-2006 18:27

It might mess up more if it isn't done correctly: I've considered this option, Rnd2th, and if
the virus has added registry entries, for example, to register itself as a service, or application running from startup,
the casual lag will be removed, but sporadic errors will pop up instead, at startup for instance, or whenever the registry
tries to refer to something that was pointing to the now missing object.

...the best way to safely remove them is to either follow a step-by-step guide from an antivirus vendor,
or use an antivirus.

Btw, what's up on the antivirus front? You didn't mention such a software, or an av scan Insider?

Alevice
Paranoid (IV) Inmate

From: Mexico
Insane since: Dec 2002

posted 03-20-2006 18:59

Handy tip: In Process Explorer go to Add column and select Image Path. It shows up the directory where the process was called. Winlogon.exe should usually be located at system32. Ideally, you could replace it with another clean copy if you boot in "DOS mode" and change it from there. Make sure not to delete the old one in case something goes wrong.


You might want to consider Avast! as an antivirus.
http://www.avast.com/
__________________________________


Sexy Demoness cel

(Edited by Alevice on 03-20-2006 19:08)

Rinswind 2th
Maniac (V) Inmate

From: Den Haag: The Royal Residence
Insane since: Jul 2000

IP logged posted posted 03-21-2006 02:47 Edit Quote

_Mauro, you are right of course, but I still consider reinstalling winlogon a serious option. But only if it's infected in one way or another. If it is clean, reinstalling winlogon would be pretty useless.


InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

IP logged posted posted 03-22-2006 22:13 Edit Quote

Right clicked it in Process Explorer, says it's coming from system32 =\. I'm afraid to delete it now.

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

IP logged posted posted 03-22-2006 22:17 Edit Quote

Screencap the Process Explorer tree view, and post away. At least I will be able to tell you which subprocesses depend on this.
After that, I have ways to dig for more info (should be easy: one of the subprocesses of winlogon tries to register as DCOM... should be as easy as Googling "subproc names" + DCOM).

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

IP logged posted posted 03-23-2006 02:59 Edit Quote

No webspace =\.

Alevice
Paranoid (IV) Inmate

From: Mexico
Insane since: Dec 2002

IP logged posted posted 03-23-2006 05:11 Edit Quote

imageshack.us


InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

IP logged posted posted 03-26-2006 10:17 Edit Quote

http://img301.imageshack.us/my.php?image=proctree3cs.jpg

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

IP logged posted posted 03-26-2006 15:42 Edit Quote

Well..
A tree has branches in general.

What you gave me is the process list, the bare trunk.
It's what the Task manager shows normally.

You have to select "View -> Show Process Tree" for me to be able to use the new information.
Basically, a tree is... if you've used Windows Explorer before, a tree is just that: nodes with branches and leaves.

And pay attention to sorting your list prior to enabling "Show Process Tree", because a sort could alter the tree view and switch it back to a list (Process Explorer bug, apparently).

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

IP logged posted posted 03-27-2006 21:58 Edit Quote

http://img488.imageshack.us/my.php?image=proctree0ru.jpg

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

IP logged posted posted 03-29-2006 12:00 Edit Quote

Ok, much better. command.exe has no business being on that list.
On Win ME or 98, ok; on WinXP, it shouldn't exist, and you can safely assume it is a virus.

Could typically be this one (the SMTP "I try to send myself by email every 3 minutes" symptom tells a lot):
http://www.liutilities.com/products/wintaskspro/processlibrary/command/

For the rest, all the winlogon subprocesses look like valid entries.
Check the auto-updates though, try disabling that too, but I *strongly* think command.exe is the virus.

And to make it clear: on Win2k+, command.exe is known as cmd.exe and never appears as command.exe,
anywhere.

So if you're running a 2k+ version, that's the cause, and that's what you should remove:
either by using an Antivirus now, any antivirus, before this thing spams more people
with itself, or by googling "command.exe" or "virusname" and finding a step-by-step guide.

My 2 cents.
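The two checks the thread arrives at above (Alevice's tip to read the Image Path column, and the point that command.exe has no NT counterpart and should not hang off winlogon.exe) can be run mechanically over a process listing. The script below is an added example and is not code from the original thread or from Process Explorer; it works offline over a constructed process table modelled on what the tree view with the Image Path column shows on an XP box. The System32 location, the set of names treated as core system binaries, and the allowlist of children winlogon.exe is expected to spawn are assumptions for an XP-era install, not facts the thread states.

```python
"""Audit a process listing for binaries masquerading as Windows system processes.

Added example. The process records in SAMPLE_TREE are constructed to mimic what
Process Explorer's tree view with the "Image Path" column shows on Windows XP;
they are not a capture from the original poster's machine.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional

# Assumption: default XP install root. Pass another value to audit() if %SystemRoot% differs.
DEFAULT_SYSTEM32 = r"C:\WINDOWS\system32"

# Core NT processes that are only legitimate when their image lives in System32.
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "userinit.exe",
}

# Filenames with no NT counterpart. command.com does exist on XP (16-bit shell);
# command.exe does not: the NT shell is cmd.exe.
LEGACY_ONLY = {"command.exe": "cmd.exe"}

# Assumption: children winlogon.exe is expected to spawn on XP. Anything else
# parented by winlogon deserves a look.
EXPECTED_WINLOGON_CHILDREN = {"services.exe", "lsass.exe", "userinit.exe", "logonui.exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str        # image name as shown in the Process column
    image_path: str  # "Image Path" column; empty for kernel pseudo-processes
    ppid: int        # parent PID, i.e. the node this hangs under in the tree


@dataclass(frozen=True)
class Finding:
    pid: int
    name: str
    reason: str


def _same_dir(path: str, directory: str) -> bool:
    """Case-insensitive check that `path` sits directly inside `directory`."""
    if not path:
        return False
    parent = str(PureWindowsPath(path).parent).lower()
    return parent == str(PureWindowsPath(directory)).lower()


def audit(procs: Iterable[Proc], system32: str = DEFAULT_SYSTEM32) -> List[Finding]:
    """Return one Finding per suspicious property; an empty list means nothing flagged."""
    procs = list(procs)
    by_pid = {p.pid: p for p in procs}
    findings: List[Finding] = []

    for p in procs:
        name = p.name.lower()

        # 1. A system-binary name loaded from anywhere but System32.
        if name in SYSTEM_BINARIES and not _same_dir(p.image_path, system32):
            findings.append(Finding(
                p.pid, p.name,
                f"system binary name loaded from {p.image_path or '<no path>'}, not {system32}"))

        # 2. A filename that does not exist on NT-based Windows at all.
        if name in LEGACY_ONLY:
            findings.append(Finding(
                p.pid, p.name, f"no such NT binary (the NT equivalent is {LEGACY_ONLY[name]})"))

        # 3. An unexpected child hanging off winlogon.exe in the tree.
        parent: Optional[Proc] = by_pid.get(p.ppid)
        if (parent is not None and parent.name.lower() == "winlogon.exe"
                and name not in EXPECTED_WINLOGON_CHILDREN):
            findings.append(Finding(
                p.pid, p.name, f"unexpected child of winlogon.exe (pid {parent.pid})"))

    return findings


# Constructed sample: a clean XP skeleton plus two planted suspects.
SAMPLE_TREE = [
    Proc(4,    "System",       "",                                   0),
    Proc(548,  "smss.exe",     r"C:\WINDOWS\system32\smss.exe",      4),
    Proc(612,  "csrss.exe",    r"C:\WINDOWS\system32\csrss.exe",     548),
    Proc(636,  "winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe",  548),
    Proc(680,  "services.exe", r"C:\WINDOWS\system32\services.exe",  636),
    Proc(692,  "lsass.exe",    r"C:\WINDOWS\system32\lsass.exe",     636),
    Proc(1020, "svchost.exe",  r"C:\WINDOWS\system32\svchost.exe",   680),
    # Planted: a 9x-era filename parented by winlogon, and a svchost.exe in %TEMP%.
    Proc(1444, "command.exe",  r"C:\WINDOWS\command.exe",            636),
    Proc(1500, "svchost.exe",  r"C:\Documents and Settings\User\Local Settings\Temp\svchost.exe", 1444),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_TREE):
        print(f"pid {f.pid:<5} {f.name:<14} {f.reason}")
```

On the constructed sample the audit flags pid 1444 twice (unknown NT filename, unexpected winlogon child) and pid 1500 once (svchost.exe outside System32), and flags nothing in the clean skeleton. A real listing would be filled in from Process Explorer's tree view by hand; the point of the third check is that a clean name in the right directory can still be suspicious if it sits under the wrong parent.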

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

IP logged posted posted 03-29-2006 14:51 Edit Quote

Ah, it could also be this virus: check the symptoms (some specific files in your system folders).
http://www.sophos.fr/virusinfo/analyses/w32rontokbra.html
By all means, install an antivirus now and run a comprehensive check: I wasn't able to figure out whether one of these viruses
registers itself as DCOM, but the Rontokbro stuff does use Remote Procedure Calls (so it does use a distributed software
component architecture of some sort).

Please: Avast Antivirus is a pain in the rear to uninstall, but you'll be better off having Avast and a hard time uninstalling it
than nurturing this lil' worm.

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

IP logged posted posted 03-30-2006 05:16 Edit Quote

Well, I downloaded avast and scanned for about 80 minutes. It retrieved nothing =\.

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

IP logged posted posted 03-30-2006 15:05 Edit Quote

I am sort of giving up.

Sorry, but this relationship is not going anywhere
Nah, seriously, I have the expertise, you have the comp, and there are miles between us.

I am *certain* command.exe is a nasty thing, certain it is a subprocess of winlogon.exe, not certain you spotted it right
when you mentioned winlogon.exe (simply because I didn't see it freeze myself).

With the info provided and the adequate skills, you could look up the symptoms of a virus without the antivirus:
registry entries, files that shouldn't be where they are... all of these could be spotted manually, removed manually.

Avast could just not be aware of it, or the virus could be one which affects known antivirus products to limit their capabilities, etc.

It's sad though, I admire your perseverance and we are getting so close... But if you keep depending on my tips,
the physical distance per se will cause lots of stabs in the dark.

----

One thing though: to accelerate the resolution process, you should have mentioned you had no antivirus a while ago,
and filled that gap. There's no shame in going around without an antivirus.

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

IP logged posted posted 03-30-2006 22:10 Edit Quote

Well, I'm positive that it's command.exe. All I need to do is figure out how to disable the program (turn it off) and then I can go in and manually delete it, followed by a few virus scans... I just don't know how to turn it off. I try to kill the process in Process Explorer and it says it can't.

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

IP logged posted posted 03-30-2006 22:53 Edit Quote

Sysinternals has pskill, which can force a process to die. Doesn't work all the time,
but works well 9 times out of 10.

Rinswind 2th
Maniac (V) Inmate

From: Den Haag: The Royal Residence
Insane since: Jul 2000

IP logged posted posted 03-31-2006 00:18 Edit Quote

OR
boot from a Linux live disk or a BartPE CD, start a file manager, kill & delete command.exe


docilebob
Maniac (V) Mad Scientist

From: buttcrack of the midwest
Insane since: Oct 2000

IP logged posted posted 03-31-2006 06:56 Edit Quote

Skaarjj :

Entirely off-topic again... I tried running sfc.exe from the command prompt and it told me that they (scannow, scanonce, etc.) were invalid commands.
I don't get it.

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

IP logged posted posted 03-31-2006 07:49 Edit Quote
quote:
boot from a Linux live disk or a BartPE CD, start a file manager, kill & delete command.exe



I do have a copy of knoppix laying around here somewhere...

Oh well. I'm gonna try googling for some more answers. If I come up short I'll just have to reformat =\.

hyperbole
Paranoid (IV) Inmate

From: Madison, Indiana, USA
Insane since: Aug 2000

IP logged posted posted 03-31-2006 17:54 Edit Quote

docilebob:

Did you put a slash (/) in front of the commands?

At the command prompt you should type something like
> sfc /scannow

.



-- not necessarily stoned... just beautiful.

docilebob
Maniac (V) Mad Scientist

From: buttcrack of the midwest
Insane since: Oct 2000

IP logged posted posted 04-01-2006 19:39 Edit Quote

Yup.

hyperbole
Paranoid (IV) Inmate

From: Madison, Indiana, USA
Insane since: Aug 2000

IP logged posted posted 04-01-2006 20:48 Edit Quote

It works fine on my machine.

What is the exact error message you're getting?


docilebob
Maniac (V) Mad Scientist

From: buttcrack of the midwest
Insane since: Oct 2000

IP logged posted posted 04-11-2006 01:14 Edit Quote

Sorry it took so long to answer.

Now it tries to run (must have had a syntax error), but right after it starts, it asks for my Service Pack 2 CD. Never had one. And it won't continue without it.

hyperbole
Paranoid (IV) Inmate

From: Madison, Indiana, USA
Insane since: Aug 2000

IP logged posted posted 04-11-2006 17:07 Edit Quote

I think that means it wants to update some files. Try putting the Windows install CD in the drive and see if it will run with that. I'm just guessing here because I'm running tests on w2k and it asks for the install CD.

If you try it with the install CD and that doesn't work, try downloading the SP2 ISO file from Microsoft, burn it to a CD and run sfc again. When it asks for the SP2 CD, give it the one you downloaded.

Note: When you burn the ISO file to a CD, you need to make sure your burning software writes it as a disc image, not as a file.


docilebob
Maniac (V) Mad Scientist

From: buttcrack of the midwest
Insane since: Oct 2000

IP logged posted posted 04-12-2006 01:58 Edit Quote

I tried the install CD and all the recovery and factory software CDs just in case. I'll try the download-and-burn thing.

Thanks.

docilebob
Maniac (V) Mad Scientist

From: buttcrack of the midwest
Insane since: Oct 2000

IP logged posted posted 04-15-2006 21:26 Edit Quote

Ok, just for closure's sake: I was still having trouble with sfc running, so I ran the Repair program from the install CD. SFC now runs flawlessly, and when I tell it to.
All is well in Wonderland.




