Old 06-28-2006, 09:58 PM   #1
Member (6 bit)
 
Join Date: Aug 2005
Posts: 60
XP keeps randomly locking up completely

Just recently my computer has been completely locking up on me. I can't move the mouse, can't do ctrl+alt+del, can't do anything. I know it's not a heat-related issue because my temperatures are all cool. I did boot into safe mode and it didn't appear to lock up at all, so I'd assume it's a Windows-related issue. I'm using Windows XP Professional x64 Edition. I tried going into msconfig and disabling some startup programs, and I disabled jusched, a Java-related program. After I did this the computer didn't seem to lock up as often, so I'm not sure if it's related or not. Any help would be greatly appreciated. Thanks
A4875 is offline   Reply With Quote
Old 06-29-2006, 01:54 AM   #2
Member (12 bit)
 
Join Date: Nov 2001
Location: Woodland Hills, CA (suburb of Los Angeles)
Posts: 4,014
Hi A4875

"jusched" probably is the Java updater - you can safely disable that. But you might want to double-check the spelling & the executable to make sure it's not malware using that same filename. Here's sysorg's info on it: http://www.sysinfo.org/startuplist.php?filter=jusched

It sounds like you already know about identifying processes - the list at sysinfo.org is one of the most thorough I've seen.

Run full-system malware scans in both normal and Safe mode, since they can cause instability and lockups. Check in Event Viewer, too, for clues [in Administrative Tools in the Control Panel]. If you suspect a recent driver change - or have recently added a program - follow those clues as well [try a driver update/ or roll-back --- check on the program vendor's website for possible patches].

And of course, you can try a System Restore to before the misbehavior started.

Best of luck
. . . Gary
GaryRouth is offline   Reply With Quote
Old 06-29-2006, 10:02 AM   #3
Member (6 bit)
 
Join Date: Aug 2005
Posts: 60
Thank you for the reply. I'll go through what you said and see what I can do.
A4875 is offline   Reply With Quote
Old 06-29-2006, 10:24 AM   #4
Member (6 bit)
 
Join Date: Aug 2005
Posts: 60
I think I found the problem. While I was viewing the event viewer, my anti-virus reported that it found the virus which is called trojan.muldrop. I deleted this file and so far things appear to be working normally again. If something else goes wrong I'll be sure to post here again. Thanks again for the help.
A4875 is offline   Reply With Quote
Old 06-29-2006, 12:39 PM   #5
Member (6 bit)
 
Join Date: Aug 2005
Posts: 60
Well the virus I guess wasn't the problem because my computer locked up again a few hours later. I did a system restore to the day before the problem started and I'll try going from there.
A4875 is offline   Reply With Quote
Old 06-29-2006, 04:44 PM   #6
Member (6 bit)
 
Join Date: Aug 2005
Posts: 60
So I finally found the cause or error that keeps occurring when my system locks up. In the Event Viewer under the System category, the error occurs with the DCOM source. I tried following Microsoft's Help and Support Center to fix the problem, but the registry folder they direct me to doesn't exist. Here is the error message... "The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {555F3418-D99E-4E51-800A-6E89CFD8B1D7} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool."
A4875 is offline   Reply With Quote
Old 06-29-2006, 05:17 PM   #7
Member (12 bit)
 
Join Date: Nov 2001
Location: Woodland Hills, CA (suburb of Los Angeles)
Posts: 4,014
Hi again

The infection may have reappeared - and it's possible you have two separate problems. To try to make sure, why not --->
1) Download & install CCleaner ( it's free, and it's recommended by many -- http://www.download.com/CCleaner/300...ml?tag=lst-0-1 )
2) Disconnect from any networks (disable wireless if you connect wirelessly)
3) Uninstall Java installations that you find in "Add or Remove Programs" in Control Panel
4) Run CCleaner
5) Reboot - if system reboots OK, then:
4) Disable System Restore
5) Run full system malware scans (both antivirus & antispyware) from both Normal mode and Safe Mode.
6) Run CCleaner once more
7) Reboot - if system reboots OK, then:
8) Re-enable System Restore
9) Test your system and programs - if everything is running OK - you can then visit the Sun site and reinstall the latest version of Java (if you decide you need it).

I suspect the DCOM error is spyware related. Hope that once you've got it cleaned up - it stays away. Remember to keep your firewall, antivirus, and antispyware programs up-to-date and always-on.

Best of luck
. . . Gary
GaryRouth is offline   Reply With Quote
Old 06-29-2006, 07:34 PM   #8
Member (6 bit)
 
Join Date: Aug 2005
Posts: 60
Thanks for the help Gary. I will try what you said and hope it works.
A4875 is offline   Reply With Quote
Old 06-30-2006, 01:32 AM   #9
brewer, mostly...
 
 
Join Date: Jun 2004
Location: Laying on the floor, in the brewery
Posts: 1,315
#1 in all of that....

Disable system restore. Likely you solved the problem and re-installed with your system restore. Good to clear system restore after an infection, make sure you are clean and then re-enable system restore.

Good luck,

-Kev
__________________
Symantec-free zone.

To stay malware free: AVG antivirus/antispyware, Malwarebytes anti-malware, Comodo Pro free firewall, CCleaner, Windows updates. or....

just install Linux

Too many computers in this house to list. They are all my builds, some AMD some Intel...
kev7555 is offline   Reply With Quote
Old 06-30-2006, 09:10 AM   #10
Member (6 bit)
 
Join Date: Aug 2005
Posts: 60
I ran everything and did everything you told me to, and so far so good. I'm going to keep playing around with things to see if everything is running ok now. Thanks again for all the help.
A4875 is offline   Reply With Quote
Old 07-02-2006, 12:13 PM   #11
Member (6 bit)
 
Join Date: Aug 2005
Posts: 60
Well, just when I thought things were finally fixed...almost 2 days without locking up...it happened again. The same error as before with the DCOM source. Here is what Microsoft says to do...
1. Using Regedit, navigate to the following registry value
HKCR\Clsid\clsid value\localserver32
The clsid value is the information displayed in the message.
2. In the right pane, double-click Default. The Edit String dialog box is displayed. Leave this dialog box open.
3. Click Start, and then click Control Panel.
4. Double-click Administrative Tools, and then double-click Component Services.
5. In the Component Services snap-in, expand Computers, expand My Computer, and double-click DCOM Config.
6. In the right pane, locate the program by using its friendly name.
7. Right-click the program name, and then select Properties.
8. On the Security tab, in the Launch and Activation Permissions group box, select Customize, and then click Edit.
The only problem is I can't seem to find the part of the registry they are directing me to. I'm assuming HKCR is HKEY_CLASSES_ROOT...so I go there and I find a folder called CLSID...but then I can't find whatever clsid value is. Any ideas on this? Thanks.
A4875 is offline   Reply With Quote
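
The lookup described in post #11, as an added PowerShell example that is not part of the original thread: it pulls the CLSID, permission and account out of the event text quoted in post #6, then checks for the class registration under HKCR\CLSID and also under HKCR\Wow6432Node\CLSID, where 64-bit Windows keeps 32-bit COM class registrations. The function names are hypothetical, and the script assumes a 64-bit PowerShell session on the affected machine.

```powershell
# Added example, not from the thread. Event text as quoted in post #6.
$message = 'The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {555F3418-D99E-4E51-800A-6E89CFD8B1D7} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19).'

# Hypothetical helper: split the DCOM permission error into its fields.
function Get-DcomEventFields {
    param([string]$Text)
    $pattern = 'grant (?<perm>.+?) permission .*?CLSID\s+(?<clsid>\{[0-9A-Fa-f-]{36}\})' +
               '\s+to the user (?<user>.+?) SID \((?<sid>S-[0-9-]+)\)'
    if ($Text -notmatch $pattern) { return $null }
    [pscustomobject]@{
        Permission = $Matches['perm']
        Clsid      = $Matches['clsid']
        User       = $Matches['user']
        Sid        = $Matches['sid']
    }
}

# Hypothetical helper: look for the class in the native and the 32-bit view.
function Find-ClsidRegistration {
    param([string]$Clsid)
    $root = [Microsoft.Win32.Registry]::ClassesRoot
    foreach ($view in 'CLSID', 'Wow6432Node\CLSID') {
        $path = "HKCR\$view\$Clsid"
        $key  = $root.OpenSubKey("$view\$Clsid")
        if ($null -eq $key) {
            [pscustomobject]@{ Path = $path; Found = $false; Name = $null; AppId = $null; Server = $null }
            continue
        }
        # The server subkey's default value is the binary that gets launched or loaded.
        $server = foreach ($sub in 'LocalServer32', 'InprocServer32') {
            $k = $key.OpenSubKey($sub)
            if ($k) { "$sub = $($k.GetValue(''))"; $k.Close() }
        }
        [pscustomobject]@{
            Path   = $path
            Found  = $true
            Name   = $key.GetValue('')        # friendly name, if one is set
            AppId  = $key.GetValue('AppID')   # links to HKCR\AppID\{...} for DCOM Config
            Server = $server -join '; '
        }
        $key.Close()
    }
}

$fields = Get-DcomEventFields -Text $message
$fields | Format-List
Find-ClsidRegistration -Clsid $fields.Clsid | Format-List
```

When a registration is found, the Server path is the file to verify (location, signature, antivirus scan) before changing any Launch and Activation permissions for it.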
Old 07-03-2006, 01:57 AM   #12
Member (12 bit)
 
Join Date: Nov 2001
Location: Woodland Hills, CA (suburb of Los Angeles)
Posts: 4,014
Just to see, try booting into Safe Mode as Administrator, and look for the CLSID in that Registry hive.

I wonder if you are getting reinfected - sometimes removing remote attacks is difficult, especially if the attack is the type that you had = a trojan, where the attacker may have hidden different bits of code here and there in your system. Some trojans can let the attacker have full control over your computer and its files. ---And, of course, once removed, it is also important to elevate your levels of protection, since the attacker has proven able to break through your present defenses. It may take higher walls and more vigilance to keep things clean.

What about this - what if we disable DCOM on your system (unless you have a legitimate program that actually requires it [few legit ones do]), and then repeat the procedure we did last time (with the scans, & CCleaner, & disable/re-enable System Restore). And if your current antivirus/antispyware/firewall aren't performing well enough, a pretty good team for a Windows XP system with strong hardware might be avast! antivirus/AdAware antispyware/SpyBot antispyware/and ZoneAlarm personal firewall [these all have free-for-personal use versions].

To disable DCOM, you can try the "DCOMbobulator", the free tool from Gibson Research (the famous hosts of the Internet Vulnerability test suite "Shields UP!" --- which I highly recommend visiting, & see how vulnerable your system is) . . . here's the link for the DCOMbobulator http://www.grc.com/freeware/dcom.htm

You can also try the "Shoot the Messenger" and "UnPlug n' Pray" utilities to test for those vulnerabilities.

[The wild card in all this is that you are running the 64-bit version of XP Pro -- and I didn't see any mention on Gibson's site regarding version compatibility . . . so you might want to check that out]

Let's see how it goes this round.
. . . Gary
GaryRouth is offline   Reply With Quote
Old 07-03-2006, 04:06 PM   #13
Member (6 bit)
 
Join Date: Aug 2005
Posts: 60
Thanks again for all the help Gary. Actually, I got sick of the computer locking up so I just reinstalled Windows, and everything is working great right now. Hopefully everything will stay that way. I did go to the website of the DCOM program you recommended and disabled the DCOM port in hopes that it will prevent any problems like this from happening again. It says my DCOM is in stealth status, so I guess it's hidden from outside connections. As for firewall/anti-virus/anti-spyware programs, I found that avast! Anti-Virus is compatible with 64-bit Windows, which is also what I'm currently using. Right now I'm using the built-in Windows firewall, but I've heard that Zone Alarm has a 64-bit beta version of a firewall so I'll have to check that out. I'm also using Spybot Search and Destroy and Windows Defender, so hopefully no intruders, viruses or spyware can enter my system. If anything else happens I'll be sure to post here at PCMechanic again because it is a very helpful site. Thanks again.
A4875 is offline   Reply With Quote
All times are GMT -5.