What's wrong with this system?

[The Computer Valet]

Hi folks,

I have here a Dell Dimension 8300 that is severely screwed ... but I've no idea why.

Here's the story.

Yesterday, I ran Spybot on this machine and removed a number of entries. I ran it from Safe Mode in the Administrator account. I've run Spybot on dozens of machines, no problem, although I have to say that I've not run it from Safe Mode before. It seemed an easier thing to do.

Anyway, after I removed the entries, TCP/IP was broken. It was unable to pull an address from DHCP. I figured this was the old NewDOTNet thing and checked out the LSP stack. No New.Net, but there was a number of entries in there regarding McAfee's Firewall.

I uninstalled McAfee's parts.

During the next boot, the system came up EXTREMELY slowly. I mean, we sat at that "Windows is Starting UP" screen for five minutes. Then, after login, we sat at the desktop while "Radio @ Netscape" tried to contact it's service. Most items were open, but the Start bar was not visible and, although explorer.exe was running, it's parts could only be accessed through keyboard shortcuts (like WINDOWS-E for Explorer).

I rebooted into Safe Mode and it took the same amount of time to boot and System Restore reported that it couldn't start and to reboot.

So, I did a repair install. This took overlong, but it finally did go through.

Unfortunately, it did not solve the problem.

I asked Dell what they would do since the system is in warranty. They told me to nuke it.

I don't want to nuke it.

How can I find out more about why the system is booting so slowly? I have found that disabling the Ethernet adapter will allow the system to boot into Windows fine, albeit very slowly. Event viewer shows no errors. I don't see any odd entries in Services.

I'm stumped.

What's wrong with this system?

Cheers,

Mike Whalen

[TripleRLtd]

More details on the original problem would help.
What was wrong when you ran SpyBot?
Was it real slow then as well?
Once it is in Windows, does it react at normal speed?
First thing I would do is run a disk drive diag for the hard drive.
Do the full scan and not the quick test.
Let us eliminate one thing at a time as the problem.
Hardware or software is the question.
Dell wants you to format and start fresh because it is the easy way out.

[The Computer Valet]

Hey,

First, a quick update: It's something in services. If I leave Services off via MSCONFIG, the system boots normally.

As to the original problem, all they complained about was pop-ups, which I saw. To be honest, I made a rookie mistake and did not look through the list. I do this every time ... except this time.

So, I can't answer your question re: Spybot's findings.

As to your next question re: hard drive diags, I did run all the extensive tests and they turn up nothing...

Thanks,

Mike...

[The Computer Valet]

More...

There are a number of services set for Automatic Startup that do NOT start up.

m

[TripleRLtd]

More...

There are a number of services set for Automatic Startup that do NOT start up.

m

Well this doen't make sense M.
Why would something in Services cause a REALLLLL slow Repair install????
Do you have the log of SpyBot?
Do you know about HijackThis?
http://mjc1.com/mirror/hjt/
Post the log of HJ here so we can all have a look see.

[The Computer Valet]

Well, to be sure, "slow" is my word. I should have said, "slow, relative to what I've seen before." The MSKB notes that at times XP setup may pause up to 15 minutes between sections.

I will post the log shortly. I do find it very curious that shutting off all services allows the system to boot at rate one would expect of a brand new, mid-level Dell system. I also find it curious that there are so many service entries that are "Automatic," but not "Started."

Thanks,

Mike...

[The Computer Valet]

Logfile of HijackThis v1.97.7
Scan saved at 11:00:09 PM, on 12/3/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\shared\mcinfo.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Jesse A\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = http://localhost;
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [msci] C:\PROGRA~1\mcafee.com\shared\mcinfo.exe /insfin
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOf...1/Ud3rT0n5.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) - http://download.mcafee.com/molbin/sh...2/mcinsctl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A3852FBD-AC5C-88C0-3AEC-B8B0AD7EE3A9} (DownloadUL Class) - http://public.searchbarcash.com/cab/348/rpuxgbdz.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

[confus-ed]

Hijack this seems to be revealing

This is gonna be a long post ... ok from the top - if I miss any please feel free to add

Running processes :

First 5 entries ought to be there & are ok to be there.
userinit.exe oughtn't to keep running & when it is, it may be a sign of viral/trojan/malware activity, which you'll se from later on, we sure do have!
mcinfo.exe - i thought we got rid of this ? if so - zap!
urlmap -

URLMAP is a program which gets installed with all versions of Microsoft Money 2002. URLMAP runs in the background and works with Internet Explorer and the MoneySide applet from Microsoft Money. URLMAP monitors the web pages you visit and if you come to a page with financial information which may be relevant to the sort of personal financial information you keep in Microsoft Money, URLMAP then brings up the MoneySide toolbar which enables you to access, from within Internet Explorer, data that you keep in Microsoft Money.

Recommendation :
This is a matter of personal preference. If you want to disable MoneySide, and URLMAP in the process, start MoneySide by clicking the MoneySide icon in Internet Explorer, then go to the "Help \ Settings" menu option, then choose Never under Open MoneySide (you can always start MoneySide manually).

& hijack this I suppose ought to be there

Keys etc
Crikey how longs this gonna take !? ... man I can't be bothered with all these - for now disable the lot, the only one I'd want there is the spybot helper

Sorry got tired !

The resaon why disabling services automatically starting so radically improves the boot time, is that all these 'nasties' above don't get fired up !

[The Computer Valet]

The resaon why disabling services automatically starting so radically improves the boot time, is that all these 'nasties' above don't get fired up !

Thanks. I feel a bit of a dolt.

Anyway, these items are starting at that point in the boot process? While the system is producing the "Windows is Starting Up..." message?

I also found another interesting item in the LOG: Note the LSP.DLL entry.

Thanks again. Lifesavers as always!

m

[confus-ed]

Thanks. I feel a bit of a dolt.

don't feel bad ! My 'significant other' says that every time she gives me a hug ! (& she don't mean 'her')

[TripleRLtd]

O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll


Unneeded!!
Kontiki:

Kontiki enhances content delivery network
System combines, file-sharing, peer-to-peer technology

Did you install this on purpose, or use any p2p software??

O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
New.net ever on this PC if you can remember?
Can it access the internet with no problem?


O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A3852FBD-AC5C-88C0-3AEC-B8B0AD7EE3A9} (DownloadUL Class) - http://public.searchbarcash.com/cab/348/rpuxgbdz.cab

Get rid of these as well.
After you do all of this, post a new log.

[TripleRLtd]

For the lsp.dll fix go here:
http://www.cexx.org/lspfix.htm

[The Computer Valet]

Wow.

I am amazed. I never, ever would have thought spyware was to blame for the problems.

HiJackThis cleared it all right up. The LSP fix is MUCH better than the SPORDER utility I had been using.

There are still a LOT of Spyware elements on the system. Lots. I am cleaning up now.

Wow. Thank you again. Now I know why I keep paying for my membership!!

m

[confus-ed]

Wow. Thank you again. Now I know why I keep paying for my membership!!

Would you like to send me or TripleR a cheque ?

I'd just like to clear you of a mis-understanding (& I think its so important I'll go 'crazy' with colours & big letters to make it clear) -

The activities of forum members is in NO WAY connected to Windrivers Subscriptions, Folk here provide help & advice
ABSOLUTELY FREE
& long may it stay that way !

[TripleRLtd]

Would you like to send me or TripleR a cheque ?

I'd just like to clear you of a mis-understanding (& I think its so important I'll go 'crazy' with colours & big letters to make it clear) -

The activities of forum members is in NO WAY connected to Windrivers Subscriptions, Folk here provide help & advice
ABSOLUTELY FREE
& long may it stay that way !

HEAR HEAR!!!!!
And please don't be giving those Corporate types any bright $ ideas, thank you.


PS
Post the fresh log if you still have problems.