TechSpot

xp 5 minute boot problem (see this log!)

By theo.aku
Feb 12, 2007
  1. My XP SP2 is taking 275 seconds to boot. It gets through the BIOS checks OK and the Windows splash logo runs as normal, but straight after it all goes quiet - no disks moving, no image on the screen, nothing. Then after a few minutes (see log for precise timing) Windows boots and everything seems to run as normal.

    Running bootvis on the system to see where the pause is occurring shows that there are two pauses during boot (see log). Running the optimise option from bootvis doesn't help.

    If someone can offer some suggestions I'd be very grateful. If more logs would help then let me know.

    P4 2.6MHz
    1GB 2700 DDR
    Radeon 9600TX
    SIS 648 Chipset

     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system is infected with at least one worm/trojan. I have therefore moved your thread to our Security forum.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, Combofix and AVG Antispyware logs as attachments into this thread, only after doing the above.

    Regards Howard :)

    This thread is for the use of theo.aku only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. theo.aku

    theo.aku TS Rookie Topic Starter Posts: 25

    Thanks for pointing out the trojan. I take it you mean the DirectZizx reference. I am fairly sure this is under control and the ref is all that remains of it. Please advise if I am wrong. (Googling DirectZizx only brings up posts by myself, so I am very confused about this one.)

    AVG, ad-aware, spybot, prevx & housecall all list system as clean.

    I am pretty much certain that the system has (at some stage) been clean of malware/viruses/trojans etc since this boot problem appeared and so I thought that it was more likely not a security issue.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    This is the nasty entry in your HJT log.

    O23 - Service: DirectX Service (DirectZizx) - Unknown owner - c:\windows\system32\directx.exe (file missing)

    Don't be fooled by the file missing at the end, it's still running on your system.

    The chances are, your system will also be infected with other malware.

    I strongly urge you to follow the instructions I gave you. Once your system is clean, if your slow boot problems continue, then other possible causes will need to be looked at.

    Regards Howard :)

    This thread is for the use of theo.aku only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. theo.aku

    theo.aku TS Rookie Topic Starter Posts: 25

    OK, I did everything you suggested but still the nasty entry remains. Most of the checks were negative, although Spybot picked out a Smitfraud keylogger log with lots of juicy info on. b@$¦*rds! And I thought I was clean (lesson learned). Why is the nasty ref still there, though?

    Good cleanup advice Howard. What shall I do now? Doing a proper clean was a good idea; I never bother going into safe mode and enabling system files, but my suspicion is my boot delay problem is not malware related.

    Someone suggested I clean and defrag the registry. I use TuneUp Utilities. I cleaned all the ATI drivers out from the system in case something was corrupted and tried reinstalling, but it still doesn't work.

    I'm at a complete loose end. It's a really annoying problem to try and fix too, coz every time you want to test if a method has worked you have to wait 5 mins!

    I really can't be arsed with an xp reinstall. I've got so many nice little tweaks and progs running that it would take for ever to get back.

    There are a few things I've been considering... Could it be hardware on the way out? I don't like to think so and besides it works fine all the other time. Could it be something wrong in the BIOS? I know next to nothing about BIOS settings. Could it be to do with the chipset drivers not talking to the ATI ones... I don't think so, SIS-ATI incompatibility is unlikely. Could it be the fact that my PC is a Medion PC and there is a conflict somewhere coz I'm not using it like they intended (don't they sometimes customise drivers and chipsets?). I have added new sound cards and removed old TV cards. Or could it be from a past virus of some sort which created the problem and then deleted itself/got deleted? I don't understand antivirus software enough to know if that's possible.

    Sorry to keep going on here, but I'm sure that someone somewhere has the info.

    Will post up some more logs in a bit if helpful
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    There's no point in trying to fix your slow bootup problem while there is a worm/trojan on your system.

    Post the log files requested after following the instructions. Once your system is clean, if your slow bootup continues, then we can look at other possibilities.

    Regards Howard :)

    This thread is for the use of theo.aku only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. theo.aku

    theo.aku TS Rookie Topic Starter Posts: 25

    There is no point showing the AVG log as it is clean, nothing on it. The HJT log is below.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Log files need to be posted as attachments. You need to rename HijackThis.exe as per the instructions. Neither have you posted a Combofix log. The worm is still on your system.

    I'm sorry, but I can't help you if you don't follow the instructions.

    Regards Howard :)

    This thread is for the use of theo.aku only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. tomrca

    tomrca TS Rookie Posts: 1,000

    Description:
    directx.exe has been documented to be the BLAXE and LOGPOLE viruses. This file should be terminated and removed immediately.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You're quite right tomrca and as a result, other malware may well have been installed on theo.aku's system. Once I have the Combofix and renamed HJT logs, I'll be in a better position to try and clean the system.

    Regards Howard :)

    This thread is for the use of theo.aku only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. theo.aku

    theo.aku TS Rookie Topic Starter Posts: 25

    logs attached. have followed instructions to the letter
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    DirectX Service (DirectZizx) <-- Disable the service name and/or the name in brackets.

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for the following (if there).

    directx.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there).

    O23 - Service: DirectX Service (DirectZizx) - Unknown owner - c:\windows\system32\directx.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    c:\windows\system32\directx.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of theo.aku only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  13. theo.aku

    theo.aku TS Rookie Topic Starter Posts: 25

    Log Files Must Be Posted As Attachments And Not Copy And Pasted.
     
  14. theo.aku

    theo.aku TS Rookie Topic Starter Posts: 25

    I get you now! Thanks. Can we look at the boot issue please? It is still happening.

    My bios is also hanging for a minute or so, there is a splash screen and it hangs on that. Then Windows loads but as soon as the Windows splash disappears, there is still a pause.

    ps. why are there so many hjt entries that say (file missing)?
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    Next thing to do is to check your hard drive for faults.

    Download the hard drive utility from your hard drive manufacturer's website. If you have any difficulty in finding it, take a look at this thread HERE.

    The file missing entries in HJT are caused by a small bug in the programme.

    Regards Howard :)
     
  16. theo.aku

    theo.aku TS Rookie Topic Starter Posts: 25

    No hd problems, have done thorough checks using tune up utilities 2007, all comes up as clean
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Does the slow bootup happen in safe mode as well?

    Temporarily uninstall your graphics card drivers and see what difference that makes.

    Disconnect any peripheral devices, including any card readers you may have.

    Let me know the results.

    Regards Howard :)
     
  18. theo.aku

    theo.aku TS Rookie Topic Starter Posts: 25

    Thanks, call me a defeatist but I'm getting to the stage where I'm thinking a reinstall might just be the better option. Found a keylogger with all sorts of personal information stored and hopefully not sent somewhere. I really can't decide what to do. Will image the drive first in case I get cold feet half way in! Thanks for all your help, I will post back here with my final decision.
     
  19. tomrca

    tomrca TS Rookie Posts: 1,000

    When things just can't get put back to normal and you continue to find other problems, it is usually time for the big 'F'. You will feel much happier and have all the fun of a reinstall. Everyone has to do it sometime. Good luck!

    Should have asked which keylogger. Do you use P2P?
     
  20. theo.aku

    theo.aku TS Rookie Topic Starter Posts: 25

    Here is my latest hjt log
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    A reformat is probably the right thing to do given the circumstances. Whatever you decide to do, please delete Combofix from your system. This is due to a newly discovered rootkit's interaction with Combofix. See HERE for details.

    Regards Howard :)

    This thread is for the use of theo.aku only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  22. tomrca

    tomrca TS Rookie Posts: 1,000

    Although I found that the basic names of these entries were legit, some information describes it as bad. Quote: "if you did not install this yourself, you are in trouble". This refers to WinVNC4.exe.
    What is the path given for the logger?

    Looking through your log, these entries are what attracted me.
    Did you install this? d:\RealVNC\VNC4\WinVNC4.exe

    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - d:\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

    These are usually run from C.
    d:\RealVNC\VNC4\WinVNC4.exe
    d:\AVGFRE~1\avgamsvr.exe
    d:\AVGFRE~1\avgupsvc.exe
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    They are all perfectly legit applications.

    Obviously theo.aku has installed some stuff to his D: drive, so that's why the filepaths are not what's usually found. ;)

    You are of course right about the WinVNC4.exe being a possible baddie if it wasn't installed deliberately by theo.aku. However, none of that would account for the extremely slow bootup.

    Regards Howard :)

    This thread is for the use of theo.aku only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
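The thread turns twice on HJT's "(file missing)" flag: Howard warns that the directx.exe service is still live despite it, and later calls the remaining flags a bug in the programme, while tomrca's WinVNC4 entry shows a trailing `" -service` that looks like a quoted ImagePath with arguments. The following Python is an added example, not code from the thread or from HijackThis: it parses O23 lines modelled on the two quoted entries, strips quotes and arguments from the image path (my assumption about why a present file can be reported missing), and checks the binary against a constructed stand-in for the disk so it runs offline.

```python
import re
from typing import Optional

# Constructed sample O23 lines. The first two mirror the entries quoted in
# this thread; the third is a made-up benign entry for contrast.
SAMPLE_O23 = [
    "O23 - Service: DirectX Service (DirectZizx) - Unknown owner - "
    "c:\\windows\\system32\\directx.exe (file missing)",
    "O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - "
    "d:\\RealVNC\\VNC4\\WinVNC4.exe\" -service (file missing)",
    "O23 - Service: Example Service (ExampleSvc) - Example Owner - "
    "d:\\AVGFRE~1\\avgamsvr.exe",
]

# Constructed stand-in for the disk: lower-cased paths that "exist".
PRESENT_FILES = {
    r"d:\realvnc\vnc4\winvnc4.exe",
    r"d:\avgfre~1\avgamsvr.exe",
}

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - "
    r"(?P<image>.+?)(?P<flag> \(file missing\))?$"
)
# An ImagePath may be quoted and carry arguments; keep only the executable.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|sys|dll))"?(?:\s.*)?$', re.IGNORECASE)


def executable_path(image: str) -> Optional[str]:
    """Strip surrounding quotes and service arguments from an ImagePath string."""
    m = EXE_RE.match(image.strip())
    return m.group("path") if m else None


def check_entry(line: str, present_files=PRESENT_FILES) -> Optional[dict]:
    """Parse one O23 line and decide whether its binary is really missing."""
    m = O23_RE.match(line)
    if not m:
        return None  # not an O23 service entry
    path = executable_path(m.group("image"))
    really_missing = path is None or path.lower() not in present_files
    hjt_flagged = m.group("flag") is not None
    if really_missing:
        verdict = "binary absent: orphaned service entry, or the file is hidden"
    elif hjt_flagged:
        verdict = "false alarm: quoted path with arguments confused the parser"
    else:
        verdict = "ok"
    return {"name": m.group("name"), "path": path, "hjt_flagged": hjt_flagged,
            "really_missing": really_missing, "verdict": verdict}
```

On a live machine the PRESENT_FILES set would be replaced by an os.path.isfile check, and an "absent" verdict on a running service is the case Howard describes: the entry still deserves attention even though the path does not resolve.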
     
  24. tomrca

    tomrca TS Rookie Posts: 1,000

    The only other alternative is excessive running processes, maybe. After all that, I think I would flatten it.
     
  25. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I had a similar situation myself some months back and after trying everything I could think of, including a Windows repair, it was still slow as hell on bootup. In the end I got fed up and zero filled the hard drive, then reinstalled everything from scratch. I've had no further slow bootup problems since.

    Regards Howard :)
     