
Long pause at boot

Discussion in 'Windows XP' started by krypticChewie, 2007/12/14.

  1. 2007/12/23
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Thank you for the info.

    Helps me to understand a little better

    Like I said before
    "I am learning too."

    Thanks again

    Being called to help Nancy make Cabbage Rolls for the family. Not an easy job for someone with a BAD shoulder and trying to handle HOT
    pots.

    Plus I have been asked to ( and did ) install two new games on Nancy's Computer. and WOW !! it still works. Will wonders never stop ?

    A misbehaving PC I can shutdown or ignore. But helping someone to keep them from getting hurt I can't

    Bob
     
    Last edited: 2007/12/23
  2. 2007/12/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You said above that you set the regional settings to Trinidad, but the export shows it as United States ("Nation"="244"). Let's see if fixing it in the registry will help.

    First go to the Regional and Language settings console and make sure Trinidad is selected, then proceed. Highlight and copy the contents of the quote box below to a blank notepad. Save it to the desktop as;

    Filename: fix.reg
    Save as type: All Files (*.*)

    Double click fix.reg and allow it to merge with the registry.

    Log off and then back on and see if the displays have corrected. Run that registry export command again as well, and see if the value for "Nation" now shows "225".
     

  4. 2007/12/23
    krypticChewie

    krypticChewie Inactive Thread Starter

    Joined:
    2007/04/15
    Messages:
    178
    Likes Received:
    0
    Well I had put it back to US to see if it helped the dialog boxes. Still do what you asked.
     
  5. 2007/12/23
    krypticChewie

    krypticChewie Inactive Thread Starter

    Joined:
    2007/04/15
    Messages:
    178
    Likes Received:
    0
    This does work! But what is causing this? Cause I need my network cards working.
     
  6. 2007/12/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    First, check for driver updates to the network card. Remove it and re-install it if none are available. We'll see what that results in and go from there.
     
  7. 2007/12/23
    krypticChewie

    krypticChewie Inactive Thread Starter

    Joined:
    2007/04/15
    Messages:
    178
    Likes Received:
    0
    Ok maybe I was wrong. I tried it again and there is no effect on the problem.
    I have two on board network cards and firewire. After I thought disabling the network stuff fixed the problem I tried doing different combinations to see which was causing the problem. No combination seemed to affect the problem. Then I disabled all and the problem was still there.
     
  8. 2007/12/23
    krypticChewie

    krypticChewie Inactive Thread Starter

    Joined:
    2007/04/15
    Messages:
    178
    Likes Received:
    0
  9. 2007/12/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Good find! I'm working on a batch to gather some registry exports and will post it in a bit.

    Check the C:\qoobox folder for a log named ComboFix-quarantined-files.txt and post it here please.

    Recommend you check for driver updates to the NIC card anyway, and remove and re-install (via device manager) as well if no updates are available. Generally you can uninstall it then reboot and it will re-install automatically. Grab the correct drivers for it, just in case they are needed (you may have the driver cd?).
     
  10. 2007/12/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Let's gather some registry information. Highlight and copy ALL of the bolded text below.

    md "%userprofile%\desktop\regs"
    reg export "HKCU\Keyboard Layout" "%userprofile%\desktop\regs\CUKL.reg"
    reg export "HKCU\Software\Microsoft\CTF" "%userprofile%\desktop\regs\CTF.reg"
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes" "%userprofile%\desktop\regs\FS.reg"
    reg export "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts" "%userprofile%\desktop\regs\LMKL.reg"
    reg export "HKLM\SYSTEM\CurrentControlSet\Control\Nls" "%userprofile%\desktop\regs\Nls.reg"
    exit
    cls


    Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on its own and a folder named regs will be created on your desktop. Please zip that folder and email it to me so I can examine it.

    After more examination of the BootlogXP log you sent, I fear I may have sent you on a goose chase with the NIC card drivers. I also think I may have identified the culprit.


    I previously stated that BootlogXP was buggy and unreliable. I would like to retract that statement, in part. Buggy? Yes ....... in the way that it reports, making it appear as though there are more than 1 windows installation directories. Unreliable? No. It is in fact a very useful utility. It wasn't until I started looking at the bootlog emailed to me that I realized BootlogXP does not log the bootup process, but rather logs the user logon process ..... the processes between initiating and completing logon, and the files loaded into those processes along with the time it takes for each file to load. Let's take a look at some relevant to this problem extracts of the BootlogXP log. Included are all of the processes that show the hang time.


    13.12.2007 9:53:2.674 << logging/logon completion
    _______________________

    ProcessId 880
    G:\WINDOWS\system32\smss.exe
    13.12.2007 09:48:56.788 << first log entry ...... session manager initiating the logon process
    ________________________

    ProcessId 936
    G:\WINDOWS\system32\csrss.exe
    13.12.2007 09:48:58.613 << first process in the log that shows hang time ...... others follow in order of occurrence, with separate processes starting and completing in between

    C:\WINDOWS\system32\rpcrt4.dll
    13.12.2007 09:49:00.322
    C:\WINDOWS\system32\apphelp.dll
    13.12.2007 09:52:26.469
    _______________________

    ProcessId 1008
    G:\WINDOWS\system32\services.exe
    13.12.2007 09:49:00.517

    C:\WINDOWS\system32\wtsapi32.dll
    13.12.2007 09:49:01.160
    C:\WINDOWS\system32\setupapi.dll
    13.12.2007 09:51:52.967
    ___________________________

    ProcessId 1020
    G:\WINDOWS\system32\lsass.exe
    13.12.2007 09:49:00.523

    C:\WINDOWS\system32\scecli.dll
    13.12.2007 09:49:00.704
    C:\WINDOWS\system32\ipsecsvc.dll
    13.12.2007 09:51:48.945
    ____________________________

    ProcessId 1176
    G:\WINDOWS\system32\svchost.exe
    13.12.2007 09:49:00.755

    C:\WINDOWS\system32\comres.dll
    13.12.2007 09:49:02.385
    C:\WINDOWS\system32\termsrv.dll
    13.12.2007 09:51:53.028
    _____________________________

    ProcessId 1236
    G:\WINDOWS\system32\svchost.exe
    13.12.2007 09:49:01.062

    C:\WINDOWS\system32\comres.dll
    13.12.2007 09:49:02.296
    C:\WINDOWS\system32\msi.dll
    13.12.2007 09:52:34.419
    _____________________________

    ProcessId 1380
    G:\WINDOWS\system32\svchost.exe
    13.12.2007 09:49:01.126

    C:\WINDOWS\system32\wkssvc.dll
    13.12.2007 09:49:06.974
    C:\WINDOWS\system32\cryptsvc.dll
    13.12.2007 09:51:39.297
    ____________________________

    ProcessId 1672
    G:\WINDOWS\system32\svchost.exe
    13.12.2007 09:49:01.277

    C:\WINDOWS\system32\ws2help.dll
    13.12.2007 09:49:01.312
    C:\WINDOWS\system32\webclnt.dll
    13.12.2007 09:51:39.005
    ________________________________

    ProcessId 1696
    G:\WINDOWS\system32\ZoneLabs\vsmon.exe
    13.12.2007 09:49:01.326

    C:\WINDOWS\system32\ZoneLabs\camupd.dll
    13.12.2007 09:49:06.782
    C:\WINDOWS\system32\msv1_0.dll
    13.12.2007 09:51:58.304
    _________________________________

    ProcessId 1900
    G:\WINDOWS\explorer.exe
    13.12.2007 09:49:02.157

    C:\WINDOWS\system32\xpsp2res.dll
    13.12.2007 09:49:02.293
    C:\WINDOWS\system32\actxprxy.dll
    13.12.2007 09:51:53.279
    ________________________________

    ProcessId 608
    G:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
    13.12.2007 09:49:06.640

    C:\WINDOWS\system32\ZoneLabs\avsys\DMAP.ppl
    13.12.2007 09:49:08.042
    C:\WINDOWS\system32\fltlib.dll
    13.12.2007 09:51:27.341
    _________________________________

    ProcessId 744
    G:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
    13.12.2007 09:49:08.063

    C:\WINDOWS\system32\secur32.dll
    13.12.2007 09:49:08.096
    C:\WINDOWS\system32\ntmarta.dll
    13.12.2007 09:51:26.317
    _________________________________

    ProcessId 4
    C:\WINDOWS\system32\DRIVERS\nic1394.sys
    13.12.2007 09:48:47.277 << this is the last process in the log

    C:\WINDOWS\system32\drivers\drmkaud.sys
    13.12.2007 09:49:08.105
    C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    13.12.2007 09:51:38.993
    ________________________________

    I first looked in on this topic shortly after electronerdz had indicated a problem with xpsp2res.dll, and without closely reviewing the whole topic I went off chasing that file. That was completely unnecessary (sorry kryptic). I later did some reviewing and saw that Zander had indicated a hang at drmkaud.sys, yet I still hadn't looked closely at the bootlog. After now having studied it, it's easy to see that the file hung differs in each process, which tells us that it's not the loading files that are hanging, but the process itself. But which one?

    I spent a good deal of time trying to find a link between the hung processes, the drivers that failed to load in the ntbtlog and the reported normal boot when disabling the Shell Hardware Detection service. Parts of it were easy to link together, others I had to stretch. Looking at the last log entry (the firewire network device), and that it was actually the first process to start (check the start time against the first process logged) in the hung processes, I leaned toward drivers for that device and ultimately recommended updating the drivers for all of the network devices.

    While studying the log some more, comparing this and that, it finally hit me .... which of the hung processes moved on to the next file first? And the answer is, ProcessId 744 - ScanningProcess.exe, and followed immediately by ProcessId 608 - ScanningProcess.exe. Two of the same executable in separate processes. Easy enough to see that file belongs to Zone Alarm, and a quick stroll through a few of the google search results of that file easily resulted in finding that there are many complaints about that process. High cpu usage and incredibly slow logons are what I found the most of. Without doing much research on it, it seems there doesn't seem to be any way to stop the processes from loading either, short of uninstalling Zone Alarm. I suggest another means, to see if it can be done, and if it corrects the logon issue.

    Boot into safe mode and check Task Manager for the ScanningProcess.exe process. If it's running, try to end process on it. If/when the process is effectively killed, navigate to C:\WINDOWS\system32\ZoneLabs\avsys and rename ScanningProcess.exe to ScanningProcess.exe.old then boot back to normal mode.

    Let me know what happens!

    BTW, yes, I still want you to post the ComboFix-quarantined-files.txt log as requested.
     
  11. 2007/12/24
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Good Morning noahdfear

    Before the house gets too noisy I will jump in here.

    Basically I believe you are seeing the same thing that I do.

    Duplications
    And both processes show switching from G: to C:

    The above does not make sense. At least to me.
    This makes even less sense
    Again time consuming.

    Every Process starts with G: then to C: Then back to G: for the Next Process. Not only time consuming but I personally feel creates a very unstable System.

    I repeat.
    DO Updates etc. get installed properly? Where do they go? My GUESS is actually C: because that seems to be where Windows is running from. But what happens on a re-start ?

    BillyBob
     
  12. 2007/12/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi BillyBob :) Again, the behavior you're seeing RE: G: and C: is just a bug in the way BootlogXP reports. Just disregard the drive letters ..... they are irrelevant.

    There is not a problem with duplications of anything either. You may be referring to the multiple processes of svchost.exe in the above log excerpts. Those are quite normal. svchost.exe is called in several different process events to load various services. Below is the complete log of one of the svchost.exe processes that shows the hang. You can see the many different files that load under that process. All very normal. The files being loaded into a process aren't what is important to us in this case though, only the times are.

    ProcessId 1672
    G:\WINDOWS\system32\svchost.exe
    13.12.2007 09:49:01.277
    184148 ms
    {
    G:\WINDOWS\system32\svchost.exe
    13.12.2007 09:49:01.277
    C:\WINDOWS\system32\ntdll.dll
    13.12.2007 09:49:01.277
    C:\WINDOWS\system32\kernel32.dll
    13.12.2007 09:49:01.277
    C:\WINDOWS\system32\advapi32.dll
    13.12.2007 09:49:01.278
    C:\WINDOWS\system32\rpcrt4.dll
    13.12.2007 09:49:01.278
    C:\WINDOWS\system32\shimeng.dll
    13.12.2007 09:49:01.278
    C:\WINDOWS\AppPatch\AcGenral.dll
    13.12.2007 09:49:01.280
    C:\WINDOWS\system32\user32.dll
    13.12.2007 09:49:01.280
    C:\WINDOWS\system32\gdi32.dll
    13.12.2007 09:49:01.281
    C:\WINDOWS\system32\winmm.dll
    13.12.2007 09:49:01.281
    C:\WINDOWS\system32\ole32.dll
    13.12.2007 09:49:01.281
    C:\WINDOWS\system32\msvcrt.dll
    13.12.2007 09:49:01.281
    C:\WINDOWS\system32\oleaut32.dll
    13.12.2007 09:49:01.281
    C:\WINDOWS\system32\msacm32.dll
    13.12.2007 09:49:01.282
    C:\WINDOWS\system32\version.dll
    13.12.2007 09:49:01.282
    C:\WINDOWS\system32\shell32.dll
    13.12.2007 09:49:01.282
    C:\WINDOWS\system32\shlwapi.dll
    13.12.2007 09:49:01.282
    C:\WINDOWS\system32\userenv.dll
    13.12.2007 09:49:01.282
    C:\WINDOWS\system32\uxtheme.dll
    13.12.2007 09:49:01.283
    C:\WINDOWS\system32\imm32.dll
    13.12.2007 09:49:01.285
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
    13.12.2007 09:49:01.295
    C:\WINDOWS\system32\comctl32.dll
    13.12.2007 09:49:01.302
    C:\WINDOWS\system32\ntmarta.dll
    13.12.2007 09:49:01.305
    C:\WINDOWS\system32\wldap32.dll
    13.12.2007 09:49:01.305
    C:\WINDOWS\system32\samlib.dll
    13.12.2007 09:49:01.305
    C:\WINDOWS\system32\xpsp2res.dll
    13.12.2007 09:49:01.307
    C:\WINDOWS\system32\lmhsvc.dll
    13.12.2007 09:49:01.311
    C:\WINDOWS\system32\iphlpapi.dll
    13.12.2007 09:49:01.312
    C:\WINDOWS\system32\ws2_32.dll
    13.12.2007 09:49:01.312
    C:\WINDOWS\system32\ws2help.dll
    13.12.2007 09:49:01.312
    C:\WINDOWS\system32\webclnt.dll
    13.12.2007 09:51:39.005
    C:\WINDOWS\system32\wininet.dll
    13.12.2007 09:51:39.005
    C:\WINDOWS\system32\normaliz.dll
    13.12.2007 09:51:39.005
    C:\WINDOWS\system32\iertutil.dll
    13.12.2007 09:51:39.005
    C:\WINDOWS\system32\secur32.dll
    13.12.2007 09:51:39.064
    C:\WINDOWS\system32\alrsvc.dll
    13.12.2007 09:51:39.307
    C:\WINDOWS\system32\netapi32.dll
    13.12.2007 09:51:39.319
    C:\WINDOWS\system32\regsvc.dll
    13.12.2007 09:51:50.181
    C:\WINDOWS\system32\ssdpsrv.dll
    13.12.2007 09:52:05.250
    C:\WINDOWS\system32\hnetcfg.dll
    13.12.2007 09:52:05.417
    C:\WINDOWS\system32\clbcatq.dll
    13.12.2007 09:52:05.420
    C:\WINDOWS\system32\comres.dll
    13.12.2007 09:52:05.420
    C:\WINDOWS\system32\mswsock.dll
    13.12.2007 09:52:05.424
    C:\WINDOWS\system32\wshtcpip.dll
    13.12.2007 09:52:05.425

    I highlighted in red above the time that the loading of that process hangs, and when it again continues to load. Those are the entries I posted for each process that shows the hang in my last post, the entries showing when the hang began and stopped. Compare the times that each process began loading again (when the hang stopped) and you will then see what I do .... the hung process that first began loading again (below).

    ProcessId 608
    G:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
    13.12.2007 09:49:06.640

    C:\WINDOWS\system32\ZoneLabs\avsys\DMAP.ppl
    13.12.2007 09:49:08.042
    C:\WINDOWS\system32\fltlib.dll
    13.12.2007 09:51:27.341 << this was the second of the hung processes to begin loading again

    _________________________________

    ProcessId 744
    G:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
    13.12.2007 09:49:08.063

    C:\WINDOWS\system32\secur32.dll
    13.12.2007 09:49:08.096
    C:\WINDOWS\system32\ntmarta.dll
    13.12.2007 09:51:26.317 << this was the first of the hung processes to begin loading again, suggesting this process being hung caused the others to hang as well
    _________________________________

    And no, there is not a problem with there being two separate instances of the above process. It is being called to load twice, and that is normal.

    Hope this helps ;)
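
The comparison noahdfear describes in the two posts above (find where each process's file loads stall, then see which stalled process resumed first), as an added example that is not part of the original thread and not BootlogXP's own code. It assumes the log layout seen in the excerpts, a `ProcessId` line followed by path and timestamp line pairs; the function names and the 60-second threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Entries copied from the BootlogXP excerpts posted in this thread (trimmed).
SAMPLE_LOG = r"""
ProcessId 880
G:\WINDOWS\system32\smss.exe
13.12.2007 09:48:56.788
ProcessId 1672
G:\WINDOWS\system32\svchost.exe
13.12.2007 09:49:01.277
C:\WINDOWS\system32\ws2help.dll
13.12.2007 09:49:01.312
C:\WINDOWS\system32\webclnt.dll
13.12.2007 09:51:39.005
ProcessId 608
G:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
13.12.2007 09:49:06.640
C:\WINDOWS\system32\ZoneLabs\avsys\DMAP.ppl
13.12.2007 09:49:08.042
C:\WINDOWS\system32\fltlib.dll
13.12.2007 09:51:27.341
ProcessId 744
G:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
13.12.2007 09:49:08.063
C:\WINDOWS\system32\secur32.dll
13.12.2007 09:49:08.096
C:\WINDOWS\system32\ntmarta.dll
13.12.2007 09:51:26.317 << first of the hung processes to begin loading again
"""

PID_RE = re.compile(r"^ProcessId (\d+)")
TS_RE = re.compile(r"^\d{2}\.\d{2}\.\d{4} \d{1,2}:\d{1,2}:\d{1,2}\.\d{3}")

def parse_bootlog(text):
    """Return {pid: [(path, datetime), ...]} in logged order."""
    procs, pid, path = {}, None, None
    for raw in text.splitlines():
        line = raw.split("<<")[0].strip()  # drop "<< ..." notes added by the poster
        if m := PID_RE.match(line):
            pid, path = int(m.group(1)), None
            procs[pid] = []
        elif (m := TS_RE.match(line)) and pid is not None and path:
            ts = datetime.strptime(m.group(0), "%d.%m.%Y %H:%M:%S.%f")
            procs[pid].append((path, ts))
            path = None
        elif "\\" in line:
            path = line  # a file path; its load timestamp is on the next line
    return procs

def find_stalls(procs, threshold=timedelta(seconds=60)):
    """Longest load gap per process (if >= threshold), earliest resume first."""
    stalls = []
    for pid, entries in procs.items():
        gaps = [(t1 - t0, t0, t1, p1)
                for (_, t0), (p1, t1) in zip(entries, entries[1:])]
        if gaps and max(gaps)[0] >= threshold:
            gap, t0, t1, p1 = max(gaps)
            stalls.append({"pid": pid, "image": entries[0][0], "gap": gap,
                           "stalled_at": t0, "resumed_at": t1, "resumed_with": p1})
    return sorted(stalls, key=lambda s: s["resumed_at"])

if __name__ == "__main__":
    for s in find_stalls(parse_bootlog(SAMPLE_LOG)):
        print(s["resumed_at"].time(), s["pid"], s["image"], s["gap"])
```

Sorting by resume time rather than by gap length is what puts ProcessId 744 first; the drive letter on each image path is left as logged, since the thread treats it as a reporting bug.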
     
  13. 2007/12/24
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    One more time.

    It is not the loading more than once that concerns me.

    It is the DISTINCTLY different locations of Windows32\system folder that does concern me.

    Grand kids (8 of them ) are calling AGAIN
    Gotta go

    BillyBob
     
  14. 2007/12/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    And I repeat one more time ......... ignore the drive letters in the report. It is a bug in the way BootlogXP reports. :)
     
  15. 2007/12/24
    krypticChewie

    krypticChewie Inactive Thread Starter

    Joined:
    2007/04/15
    Messages:
    178
    Likes Received:
    0
    I'm not seeing updates on the motherboard site, ASUS, but windows update has. I will try those even though I have had bad experiences with windows update drivers.

    2007-07-19 13:46 34494 --a------ C:\Qoobox\Quarantine\C\Program Files\Outerinfo\outerinfo.ico.vir
    2007-11-05 18:11 83008 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\qidsgemk.dll.vir
    2007-11-12 20:09 81472 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jgcdyuau.dll.vir
    2007-11-13 22:13 130333 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\bbeeg.bak2.vir
    2007-11-14 22:14 102978 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\bbeeg.bak1.vir
    2007-11-15 21:19 105434 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\bbeeg.ini.vir
    2007-12-22 10:48 352 --a------ C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.dat
    2007-12-22 10:50 2185 --a------ C:\Qoobox\Quarantine\C\ComboFix\errdbg.dat.vir
     
  16. 2007/12/24
    krypticChewie

    krypticChewie Inactive Thread Starter

    Joined:
    2007/04/15
    Messages:
    178
    Likes Received:
    0
    Ok. Well I'll hold off on the driver updates. At least until I can find them directly from the manufacturer.
     
  17. 2007/12/24
    krypticChewie

    krypticChewie Inactive Thread Starter

    Joined:
    2007/04/15
    Messages:
    178
    Likes Received:
    0
    Btw, sorry I took so long to post. Last night I was waiting around and just fell asleep till just now. *sigh*

    You'd swear I was hung over but on Nestle Quick!!???
     
  18. 2007/12/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Do NOT use the drivers from the Windows Update site!

    For the moment, skip the drivers part and proceed with the registry exports and renaming of ScanningProcess.exe in safe mode.

    Additionally, copy the bolded text below and paste it into a command window. Post the contents of the CFQ.txt file it creates on the desktop when the command window closes.

    dir %systemdrive%\ComboFix-quarantined-files.txt /a /s > "%userprofile%\desktop\CFQ.txt"
    exit
    cls


    Note: If the file is not found CFQ.txt will not be created.
     
  19. 2007/12/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please replace the Windows\system32 and windows\system32\dllcache copies of xpsp2res.dll with a copy from C:\WINDOWS\$NtUninstallKB894472$ and reboot.
    That may have something to do with the regional display problems.

    Note that the $NtUninstallKB894472$ folder is likely a hidden folder, so you will need to have Windows set to show hidden files and folders.
     
  20. 2007/12/24
    electronerdz

    electronerdz Inactive

    Joined:
    2007/12/19
    Messages:
    11
    Likes Received:
    0
    For those wondering about the G: drive, I emailed the author...

    > I tried out your BootLogXP software, and it worked great. However, I noticed that in the logs, it keeps referring to G:\Windows. Is this normal? I do not even have a G: drive.


    The problem is that often Bootlog XP receives the file without path, for example:
    \program files\test.exe
    In this case Bootlog XP tries to detect it but sometimes it's not correct.
    Can you send me xpbootlog.txt file for testing?

    Best regards,
    Dmitry Sokolov
    Greatis Software
     
  21. 2007/12/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Good to hear it from the author. Thanks electronerdz! :)

    Did you get any closer to a resolution on the machine you're working on?
     
