XP Great Mystery Startup Hang

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

besynes

Thread Starter
Joined
Sep 13, 2008
Messages
2
Problem:

My very stubborn problem: XP Media Edition (2005 update, and SP2) is hanging at startup. (As the little blue ‘pill’ moves along its track below the Windows XP logo, it only makes about two passes, then freezes.)

The machine: HP Media Center m1050y Pentium 4 (3.4 GHz), 1GB DDR RAM, 250 HD, 1 TB external; Asus nVidia EN9600GT TOP/HTDI/512M RT graphics card; McAfee security suite

Now, all is fine if I start in Safe Mode or Safe Mode with Networking. (Bootlogging as an F8 option hangs up. So does last known good config.)

Attempted Fixes:

I've unchecked everything through Autoruns that I researched as safe to disable (esp. startup stuff).

I've run updated McAfee scans in safe mode -- nothing shows up.

Tried the XP startup troubleshooting steps here: http://searchwinit.techtarget.com/news/article/0,289142,sid1_gci968108,00.html

Unfortunately, these steps dead-ended me b/c at the end of Part 1 (last part of step 5), the problem reoccurs, but NOT "after" selecting the "Load System Services option." It reoccurs at the same original, pre-desktop place (as the XP logo displays, the blue segment moves a while left to right, then freezes).

I removed two recent programs (an iTunes update and some CD burn software: EAC (that oddly requested a registry change that I <wish I hadn’t> allowed when it was searching for CD track info)). I also recently allowed an auto Java update.


I've tried various system restore points – to no avail. (Or, rarely, it'll start up ONCE ok, then freeze up at the desktop after a minute or so.)

One real oddity: Kernel Fault Check. This MS program (dumprep.exe) reports when things screw up or when the system hangs, I guess, and can itself cause screwups, I've heard. So I removed it through Autoruns. But it reappeared at the next safe mode startup. So I removed it by Control Panel/System/Advanced ... Error Reporting. And yet it reappeared, now with NO publisher listed in Autoruns (instead of MS as the publisher). So I go to its previous location (c:\windows\system32\dumprep.exe); it's not there. And yet it re-generates this entry in Autoruns each time I restart in Safe Mode. Maybe this is nothing and isn't the hangup problem, but what do you think? Update: this stopped happening once I ran a Trend Micro online scan that uncovered this stuff:

1. TROJ_DLOAD.JS
2. ADWARE_BHOT_IMYONBAR
3. ADWARE_SIDESTEP
4. some http cookies
5. MS08-046
6. MS08-049

Trend Micro removed the first 3, said I could ignore 4, and had no cleaning option for 5 and 6. Research on 5 and 6 showed that they’re known vulnerabilities, so I downloaded 2 MS patches designed to fix these. Ran them.

And yet … I have the exact same startup hang problem, in the same spot.

Questions:

How can I be sure that I’ve really rid the computer of the 6 things found, above?

Or, could my McAfee suite be at fault for a startup hang? I've never had problems with it, and I disabled its auto update part, and it runs fine in Safe Mode, but should I try uninstalling it?

Fairly new to the system is a video NVIDIA 9600GT card, but all is fine in safe mode, display-wise.

I've now spent days and days on this and taken 17 pages of notes.

So, yeah, I’m stymied!

If we can’t solve this mystery, should my next step be an HP System Restore? This (supposedly ...) restores the machine to its arrival state, removing all added programs, but leaves data files as is. (I have all crucial data backed up on an external HD anyway.)

Or would it be better to just wipe the machine by loading XP Pro fresh from a disk? (I no longer have this computer hooked to the tv/stereo, so I don’t need the XP Media Edition it’s running now anyway.)

Below is the logfile.
I could send you an Autoruns log, too, if that might help.

If you can figure this out and help me, I’ll be impressed!

And very appreciative.

Thanks,
N

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:11 PM, on 9/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.utexas.edu/depts/classics/links.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r4.attbi.com;localhost;*.local
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [CMSRegOW.exe] "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\CMSRegOW.exe" /r (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: D-link AirPlus G DWL-G120 Wireless USB.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1203842962640
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 6029 bytes
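
The log above marks several autostart entries whose target HijackThis could not resolve, the same symptom as the dumprep.exe entry described in the first post. As an added example (not part of the original thread, and not a HijackThis feature), this Python script pulls such entries out of a log for review; the sample lines are copied from the log above, the reason strings are this example's own wording, and a flagged entry is a lead to check, not a verdict.

```python
import re

# Lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - Global Startup: D-link AirPlus G DWL-G120 Wireless USB.lnk = ?
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
"""

# An entry line is "<section code> - <body>", e.g. "O23 - Service: ...".
ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Markers as they appear in the log above; the reasons are this example's wording.
MARKERS = [
    ("(no file)", "target file not resolved"),
    ("(file missing)", "target path not on disk"),
    ("Unknown owner", "no publisher resolved for the binary"),
    ("= ?", "shortcut target unresolved"),
    ("AutorunsDisabled", "entry disabled through Autoruns"),
]

def parse(log_text):
    """Yield (section, body) per entry line; header and process lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")

def triage(log_text):
    """Return [(section, body, [reasons])] for entries carrying any marker."""
    findings = []
    for section, body in parse(log_text):
        reasons = [why for marker, why in MARKERS if marker in body]
        if reasons:
            findings.append((section, body, reasons))
    return findings

if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section:>3}  {'; '.join(reasons)}\n     {body}")
```
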
 
Joined
Jul 28, 2008
Messages
1,092
Besynes, Welcome to TSG

#1- It will take about 40 minutes to do a system restore and your system will be back to factory defaults and probably running pretty good.
There is nothing like a fresh install.
I would NOT wipe the drive until I created a ghost clone image of the restore partition first… and save it to DVD if it will fit or split it with a zip program if not.
Make sure you have all your drivers first before you do a fresh new install from a disc.
*Also I would make the recovery restore discs first if you can but most likely not with the system in its current state.

#2- you may still be infected probably very likely that you are…
Only trained Experts are allowed to help with malware removal as it is very complicated.
It can take quite a bit of time to do, but it will be a good learning experience.
So if you want to go that route go to the link below;
http://forums.techguy.org/54-malware-removal-hijackthis-logs/
Read all the sticky posts and don’t do anything until instructed to by an Expert.
Please be patient, there are a lot of people waiting for help as this is a big problem, so spend your time researching Security Help Tools and anything else that you can find to help you learn how to avoid this in the future.
If you go this route you will need to contact an Admin or Moderator and have them help you.

Rules:
Log Analysis/Malware Removal - In order to ensure that advice given to users is consistent and of the highest quality, those who wish to assist with security related matters must first graduate from one of the malware boot camp training universities or be approved by the administration as already being qualified. Those authorized to help with malware issues have a gold shield next to their name and authorized malware removal trainees have a blue shield next to their names. Anyone wishing to participate in a training program should contact a Moderator for more information.
 

besynes

Thread Starter
Joined
Sep 13, 2008
Messages
2
Thanks Tony!

I may go the malware removal route. As you say, it'd be a learning experience.

Thanks again for your thoughts.
 