XP Great Mystery Startup Hang

Discussion in 'Windows XP' started by besynes, Sep 26, 2008.

Thread Status:
Not open for further replies.
  1. besynes

    besynes Thread Starter

    Joined:
    Sep 13, 2008
    Messages:
    2
    Problem:

    My very stubborn problem: XP Media Edition (2005 update, and SP2) is hanging at startup. (As the little blue ‘pill’ moves along its track below the Windows XP logo, it only makes about two passes, then freezes.)

    The machine: HP Media Center m1050y Pentium 4 (3.4 GHz), 1GB DDR RAM, 250 HD, 1 TB external; Asus nVidia EN9600GT TOP/HTDI/512M RT graphics card; McAfee security suite

    Now, all is fine if I start in Safe Mode or Safe Mode with Networking. (Bootlogging as an F8 option hangs up. So does last known good config.)

    Attempted Fixes:

    I've unchecked everything through Autoruns that I researched as safe to disable (esp. startup stuff).

    I've run updated McAfee scans in safe mode -- nothing shows up.

    Tried the XP startup troubleshooting steps here: http://searchwinit.techtarget.com/news/article/0,289142,sid1_gci968108,00.html

    Unfortunately, these steps dead-ended me b/c at the end of Part 1 (last part of step 5), the problem reoccurs, but NOT "after" selecting the "Load System Services option." It reoccurs at the same original, pre-desktop place (as the XP logo displays, the blue segment moves a while left to right, then freezes).

    I removed two recent programs (an iTunes update and some CD burn software: EAC (that oddly requested a registry change that I <wish I hadn’t> allowed when it was searching for CD track info)). I also recently allowed an auto Java update.

    I've tried various system restore points – to no avail. (Or, rarely, it'll start up ONCE ok, then freeze up at the desktop after a minute or so.)

    One real oddity: Kernel Fault Check. This MS program (dumprep.exe) reports when things screw up or when the system hangs, I guess, and can itself cause screwups, I've heard. So I removed it through Autoruns. But it reappeared at the next safe mode startup. So I removed it by Control Panel/System/Advanced ... Error Reporting. And yet it reappeared, now with NO publisher listed in Autoruns (instead of MS as the publisher). So I go to its previous location (c:\windows\system32\dumprep.exe); it's not there. And yet it re-generates this entry in Autoruns each time I restart in Safe Mode. Maybe this is nothing and isn't the hangup problem, but what do you think? Update: this stopped happening once I ran a Trend Micro online scan that uncovered this stuff:

    1. TROJ_DLOAD.JS
    2. ADWARE_BHOT_IMYONBAR
    3. ADWARE_SIDESTEP
    4. some http cookies
    5. MS08-046
    6. MS08-049

    Trend Micro removed the first 3, said I could ignore 4, and had no cleaning option for 5 and 6. Research on 5 and 6 showed that they’re known vulnerabilities, so I downloaded 2 MS patches designed to fix these. Ran them.

    And yet … I have the exact same startup hang problem, in the same spot.

    Questions:

    How can I be sure that I’ve really rid the computer of the 6 things found, above?

    Or, could my McAfee suite be at fault for a startup hang? I've never had problems with it, and I disabled its auto update part, and it runs fine in Safe Mode, but should I try uninstalling it?

    Fairly new to the system is a video NVIDIA 9600GT card, but all is fine in safe mode, display-wise.

    I've now spent days and days on this and taken 17 pages of notes.

    So, yeah, I’m stymied!

    If we can’t solve this mystery, should my next step be an HP System Restore? This (supposedly ...) restores the machine to its arrival state, removing all added programs, but leaves data files as is. (I have all crucial data backed up on an external HD anyway.)

    Or would it be better to just wipe the machine by loading XP Pro fresh from a disk? (I no longer have this computer hooked to the tv/stereo, so I don’t need the XP Media Edition it’s running now anyway.)

    Below is the logfile.
    I could send you an Autoruns log, too, if that might help.

    If you can figure this out and help me, I’ll be impressed!

    And very appreciative.

    Thanks,
    N

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:22:11 PM, on 9/26/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.utexas.edu/depts/classics/links.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r4.attbi.com;localhost;*.local
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [CMSRegOW.exe] "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\CMSRegOW.exe" /r (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'Default user')
    O4 - Global Startup: AutorunsDisabled
    O4 - Global Startup: D-link AirPlus G DWL-G120 Wireless USB.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1203842962640
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

    --
    End of file - 6029 bytes
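
Added example, not part of the original thread: Python that parses HijackThis entry lines like those in the log above and lists the ones HijackThis itself marked `(no file)` or `(file missing)`, setting aside those tagged `AutorunsDisabled`. The sample lines are copied from the log; the function names are hypothetical, and reading `AutorunsDisabled` as "unchecked by the user in Autoruns" is an assumption.

```python
import re

# Entry lines copied from the HijackThis log in the post above (excerpt).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
"""

# HijackThis entry lines start with a section code (R0, O4, O23, ...) and " - ".
ENTRY = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")
# Markers HijackThis appends when the referenced file is not on disk.
ORPHAN = re.compile(r"\((?:no file|file missing)\)$", re.IGNORECASE)


def triage(log_text):
    """Parse entry lines; the header and running-process list do not match."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        entries.append({
            "section": section,
            "body": body,
            "orphaned": bool(ORPHAN.search(body)),
            # Assumption: this tag marks items the user unchecked in Autoruns.
            "autoruns_disabled": "AutorunsDisabled" in body,
        })
    return entries


def needs_review(log_text):
    """Orphaned entries not explained by the user's own Autoruns changes."""
    return [e for e in triage(log_text)
            if e["orphaned"] and not e["autoruns_disabled"]]


if __name__ == "__main__":
    for e in needs_review(SAMPLE_LOG):
        print(e["section"], "-", e["body"])
```

An orphaned entry only means the registry still references a file that is gone; it can be a leftover from an uninstall or a cleaned infection, so it is a prompt for a qualified helper to look, not a verdict.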
     
  2. speed_hog

    speed_hog

    Joined:
    Jul 28, 2008
    Messages:
    1,092
    Besynes, Welcome to TSG

    #1- It will take about 40 minutes to do a system restore and your system will be back to factory defaults and probably running pretty good.
    There is nothing like a fresh install.
    I would NOT wipe the drive until I created a ghost clone image of the restore partition first… and save it to DVD if it will fit or split it with a zip program if not.
    Make sure you have all your drivers first before you do a fresh new install from a disc.
    *Also I would make the recovery restore discs first if you can but most likely not with the system in its current state.

    #2- you may still be infected probably very likely that you are…
    Only trained Experts are allowed to help with malware removal as it is very complicated.
    It can take quite a bit of time to do, but it will be a good learning experience.
    So if you want to go that route go to the link below;
    http://forums.techguy.org/54-malware-removal-hijackthis-logs/
    Read all the sticky posts and don’t do anything until instructed to by an Expert.
    Please be patient, there are a lot of people waiting for help as this is a big problem, so spend your time researching, Security Help Tools and anything else that you can find to help you learn how to avoid this in the future.
    If you go this route you will need to contact an Admin or Moderator and have them help you.

    Rules:
    Log Analysis/Malware Removal - In order to ensure that advice given to users is consistent and of the highest quality, those who wish to assist with security related matters must first graduate from one of the malware boot camp training universities or be approved by the administration as already being qualified. Those authorized to help with malware issues have a gold shield next to their name and authorized malware removal trainees have a blue shield next to their names. Anyone wishing to participate in a training program should contact a Moderator for more information.
     
  3. besynes

    besynes Thread Starter

    Joined:
    Sep 13, 2008
    Messages:
    2
    Thanks Tony!

    I may go the malware removal route. As you say, it'd be a learning experience.

    Thanks again for your thoughts.
     