
Long pause at boot

Discussion in 'Windows XP' started by krypticChewie, 2007/12/14.

  1. 2007/12/21
    krypticChewie

    Ok. Well if I was looking for where the calls to the G: are coming from where would I look? For example all G: references in the registry are for CDs as the G: drive is a DVD-ROM.
     
  2. 2007/12/21
    electronerdz

    Found it!!!

    I finally found it!! Or at least for this computer...

    Go to Services (Start | Run | "services.msc")

    Disable Shell Hardware Detection. Restart the computer and try it out. I've been using Procmon, and kept noticing references to ShellHWDetection in the registry right before a period of time when nothing would happen. I also noticed in the Services list that it was stuck on "Starting..."

    Of course, I believe this apparently disables the ability for Windows to automatically run things when you plug in a drive, such as a thumb drive or insert a CD. I am going to test this, and now that I know what it is, find out why it's happening.

    Let me know if you are having the same problem.
     


  4. 2007/12/21
    electronerdz

    Roxio

    kryptic, if this turns out to be your problem, you wouldn't happen to have Roxio 5 installed, would you? I am noticing problems with the CD burner, and I am thinking outdated Roxio software (an install of AVG Antivirus just alerted me that it too has a problem with it).
     
  5. 2007/12/21
    krypticChewie

    Disabling that service did indeed fix the problem but I don't want to keep it off though.

    I don't have Roxio. I use Nero.

    I have re-enabled the service and the problem returns (Just checking, you never know) ;)
     
  6. 2007/12/21
    krypticChewie

  7. 2007/12/21
    noahdfear

    Does the COM+ Event System service hang at 'Starting...' as well?

    @ krypticChewie ....... your HijackThis log shows at the very least some remnants of a nasty infection. Recommend you read this post and start a new topic in the Removing Spyware & Viruses forum. Post a main.txt log from Deckard's System Scanner (links and instructions in that post ...... no need for a HijackThis log too as the main.txt log will have that info) and we'll see if you still have an active infection. It's quite possible that the infection(s) are behind your slow boot problem.

    I would also recommend that both you and electronerdz run the signature verification (sigverif) tool on the xpsp2res.dll file. There should be several other copies on the drive, at least one of which will match the current system32 copy in date and version, that could be used to replace the system32 file. xpsp2res.dll is hooked into many system processes, so replacing it may need done via the recovery console ..... not sure as I have not attempted it.

    @ electronerdz ...... are you quite sure that your machine is free of infections?

    @ BillyBob ...... please refer to this topic re: upper and lower case.
     
  8. 2007/12/21
    BillyBob Lifetime Subscription

    I may be learning something new. So I must ask.

    Would the possible infection explain this?

    Windows starting (apparently twice) from a CD (G) and then switching to the HD (C).

    Or at least from one place and then switching to another.

    About the Upper-Lower case. I forgot LOL. Thanks for the reminder.

    BillyBob
     
  9. 2007/12/22
    krypticChewie

    Whoops! Here is the VundoFix log


    VundoFix V6.7.7

    Checking Java version...

    Java version is 1.4.2.4
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.9
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Java version is 1.5.0.11

    Scan started at 07:21:13 AM 17/12/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\qomllig.dll
    C:\WINDOWS\system32\sttbnana.dll
    C:\WINDOWS\system32\ufkbbyln.dll
    C:\WINDOWS\system32\usvcdudp.dll
    C:\windows\system32\wybyttgq.dll
    C:\WINDOWS\system32\xcytwotg.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\sttbnana.dll
    C:\WINDOWS\system32\sttbnana.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ufkbbyln.dll
    C:\WINDOWS\system32\ufkbbyln.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\usvcdudp.dll
    C:\WINDOWS\system32\usvcdudp.dll Has been deleted!

    Attempting to delete C:\windows\system32\wybyttgq.dll
    C:\windows\system32\wybyttgq.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xcytwotg.dll
    C:\WINDOWS\system32\xcytwotg.dll Has been deleted!

    Performing Repairs to the registry.
    Done!
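
An added example, not part of the thread or of VundoFix: a Python script that reconciles the files the log above lists as found against the ones it confirms as deleted, using the log lines from this post as input. The function name `reconcile` is an assumption of the example.

```python
import re
from ntpath import normcase  # Windows path comparison rules, usable on any OS

# Scan and removal sections copied from the VundoFix log posted above.
SAMPLE_LOG = r"""
Listing files found while scanning....

C:\WINDOWS\system32\qomllig.dll
C:\WINDOWS\system32\sttbnana.dll
C:\WINDOWS\system32\ufkbbyln.dll
C:\WINDOWS\system32\usvcdudp.dll
C:\windows\system32\wybyttgq.dll
C:\WINDOWS\system32\xcytwotg.dll

Beginning removal...

C:\WINDOWS\system32\sttbnana.dll Has been deleted!
C:\WINDOWS\system32\ufkbbyln.dll Has been deleted!
C:\WINDOWS\system32\usvcdudp.dll Has been deleted!
C:\windows\system32\wybyttgq.dll Has been deleted!
C:\WINDOWS\system32\xcytwotg.dll Has been deleted!
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
DELETED_RE = re.compile(r"^([A-Za-z]:\\.+?) Has been deleted!$")


def reconcile(log_text):
    """Return (found, deleted, leftover) path lists from a VundoFix log."""
    found, deleted = {}, {}
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Listing files found"):
            section = "found"
        elif line.startswith("Beginning removal"):
            section = "removal"
        elif section == "found" and PATH_RE.match(line):
            # Key on the case-folded path: Windows paths are case-insensitive.
            found[normcase(line)] = line
        elif section == "removal":
            m = DELETED_RE.match(line)
            if m:
                deleted[normcase(m.group(1))] = m.group(1)
    # Files the scan listed that have no matching "Has been deleted!" line.
    leftover = [path for key, path in found.items() if key not in deleted]
    return list(found.values()), list(deleted.values()), leftover


if __name__ == "__main__":
    found, deleted, leftover = reconcile(SAMPLE_LOG)
    print(f"found={len(found)} deleted={len(deleted)} leftover={leftover}")
```

On the log in this post it reports one listed file, C:\WINDOWS\system32\qomllig.dll, with no matching deletion line.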
     
  10. 2007/12/22
    noahdfear

    We don't deal with malware in the XP forum, we do that in the forum I indicated. Please start a new topic as suggested and I will move your VundoFix log to the new topic.

    Thanks!
     
  11. 2007/12/22
    noahdfear

    Ermmm, just saw that you previously did start a new topic, and posted the VundoFix log there as well. Just ignore the above post :eek:
     
  12. 2007/12/22
    electronerdz

    I love how Microsoft only provides a "workaround" in that article. I am going back to my office today to get that computer to deliver to my customer, so I've only got a little more time with it, and am not sure if I will have time to figure out how to make it work with ShellHWDetection. I've already had the computer for a few weeks (granted, he was out of town, and told me to hold onto it). I'll be messing around on Google off and on to do some more research on what could be causing it. It's Shell Hardware Detection, so I am guessing it has something to do with either disk drives, and getting the wrong information, faulty drivers, or even a faulty device. I've got copies of my output from Procmon, so I'll play with that too.
     
  13. 2007/12/22
    noahdfear

    I do recommend running signature verification on the Windows directory to rule out a possible patched system file. Have you done a chkdsk /r ? Try booting with the cd drive disconnected too.
     
  14. 2007/12/22
    electronerdz

    noahdfear,

    I am not sure on the COM+, but I will check it. I do remember something about that in Procmon about the time it would hang.

    And I am pretty sure there is no spyware infection, I checked this computer months ago, and I quick checked it again recently, and there was nothing to suggest a spyware infection.

    BillyBob, take a look at this and go halfway down: http://phorums.com.au/archive/index.php/t-174986.html
    This guy also has G: drive in his logs. I believe it is just the way BootLogXP works by loading things virtually to be able to hook onto them and record their progress. I'd email the authors, but the only contact information they have on their page is a tech support page where you fill out a form.
     
  15. 2007/12/22
    electronerdz

    noahdfear, I actually ran the signature verification last night (the only bad files were some bios files from Dell), and have run the chkdsk several times. There actually was a bad block being reported in event viewer, but the problem persisted before and after the repair of the bad block (it's actually supposedly been happening for months).
     
  16. 2007/12/22
    BillyBob Lifetime Subscription

    I did look at the log as requested.

    And I see EXACTLY THE same things.

    Windows installed in and loading (or attempting to) from two Different locations.

    Again I ask.
    Where do any updates go? C: or G:?

    BillyBob
     
  17. 2007/12/22
    noahdfear

    @ electronerdz

    Thank you for confirming chkdsk and sigverif have been done.

    I questioned the Com+ Events service because of this MS Article, despite it relating to the 2003 OS. Possible that the procedures in step 3 may help.

    The bootlog, despite it appearing to be looking for two different operating systems, I suspect is looking for a cd and suggests some possible registry corruption. A registry search for G:\WINDOWS might provide some insight.

    @ krypticChewie

    Download "Registry Search Tool" (RegSrch.vbs) from here
    http://www.billsway.com/vbspage/
    start it and paste in G:\WINDOWS ....... wait for it to complete the search, click ok at the prompt. When wordpad opens, copy that back here please.
     
  18. 2007/12/22
    BillyBob Lifetime Subscription

    My suspicions also

    And one with Windows installed on it.

    BillyBob
     
    Last edited: 2007/12/22
  19. 2007/12/22
    krypticChewie

    I ran the script and it found 25 instances but when I click ok wordpad does not open.
     
  20. 2007/12/22
    krypticChewie

    Sorry. I read it wrong. It said that search completed in 25secs and 0 instances found.
     
  21. 2007/12/22
    noahdfear

    After you've completed my latest set of cleanup instructions in your other topic, please delete the current ntbtlog and shut down. Disconnect the cd-rom drive and start up again with the Enable bootlog option. Either post the log here, or if it's too large, email it to me so I can review it.
     
