Startup Delay

[Pete]

I'm trying to help someone track down the reason why her XP Pro system
takes about 7 minutes from the Welcome screen to a usable desktop.

McAfee (corporate) is installed and uptodate. Scans with MBAM and Spybot
S&D found a few things and were able to remove them. Although it is
certainly possible that there is still malware on the machine, the
following behavior seems a bit odd, even for malware.

The delay only happens the first time the user logs on after boot up.
That is, if you boot to the Welcome screen, log on to the user desktop
and wait the 7 minutes for things to settle down (lots of hard disk
activity) and then log off back to the Welcome screen, subsequent log
ons only take 30-45 seconds.

That is, whatever is causing all the disk activity and delay only
happens on the first log on after boot up and not on subsequent log ons.
Any suggestions on which tab in Autoruns I ought to focus on?

Disabling all entries in msconfig had little to no effect (McAfee
prevented itself from being disabled, and undoubtedly the startup scan
causes some delay, but not the entire 7 minutes worth).

Disk Indexing service was running and has been disabled.

Obviously, there is a lot more investigating to be done, but one thing
that probably causes a (small?) part of the delay is looking for a
network drive that isn't there. What is the default timeout for looking
for network resources, can it be configured, and if so, how?

 

[JoeSpareBedroom]

I'm trying to help someone track down the reason why her XP Pro system
takes about 7 minutes from the Welcome screen to a usable desktop.

McAfee (corporate) is installed and uptodate. Scans with MBAM and Spybot
S&D found a few things and were able to remove them. Although it is
certainly possible that there is still malware on the machine, the
following behavior seems a bit odd, even for malware.

The delay only happens the first time the user logs on after boot up. That
is, if you boot to the Welcome screen, log on to the user desktop and wait
the 7 minutes for things to settle down (lots of hard disk activity) and
then log off back to the Welcome screen, subsequent log ons only take
30-45 seconds.

That is, whatever is causing all the disk activity and delay only happens
on the first log on after boot up and not on subsequent log ons. Any
suggestions on which tab in Autoruns I ought to focus on?

Disabling all entries in msconfig had little to no effect (McAfee
prevented itself from being disabled, and undoubtedly the startup scan
causes some delay, but not the entire 7 minutes worth).

Disk Indexing service was running and has been disabled.

Obviously, there is a lot more investigating to be done, but one thing
that probably causes a (small?) part of the delay is looking for a network
drive that isn't there. What is the default timeout for looking for
network resources, can it be configured, and if so, how?

Did this problem develop suddenly, or gradually? How big's the hard disk and
how much room is left?

 

[1PW]

I'm trying to help someone track down the reason why her XP Pro system
takes about 7 minutes from the Welcome screen to a usable desktop.

McAfee (corporate) is installed and up to date. Scans with MBAM and Spybot
S&D found a few things and were able to remove them. Although it is
certainly possible that there is still malware on the machine, the
following behavior seems a bit odd, even for malware.

Exactly what "few things" were found?

Please be very precise. The logs will tell all.

The delay only happens the first time the user logs on after boot up.
That is, if you boot to the Welcome screen, log on to the user desktop
and wait the 7 minutes for things to settle down (lots of hard disk
activity) and then log off back to the Welcome screen, subsequent log
ons only take 30-45 seconds.

That is, whatever is causing all the disk activity and delay only
happens on the first log on after boot up and not on subsequent log ons.
Any suggestions on which tab in Autoruns I ought to focus on?

Boot Execute, Scheduled Tasks, Winlogon, Logon. The other tabs may
show interesting things later.

Disabling all entries in msconfig had little to no effect (McAfee
prevented itself from being disabled, and undoubtedly the startup scan
causes some delay, but not the entire 7 minutes worth).

Some applications avoid listing themselves in this manner, therefore
avoiding that action.

Disk Indexing service was running and has been disabled.
OK

Obviously, there is a lot more investigating to be done, but one thing
that probably causes a (small?) part of the delay is looking for a
network drive that isn't there. What is the default timeout for looking
for network resources, can it be configured, and if so, how?

Hello Pete:

The HDD activity you relate, is unconnected with any possible network
drive timeout.

At what service pack level is the XP Pro?

How much RAM is installed?

Again - please be very precise. The "winver" command is very helpful
with both of the above..

Are multiple 'visible' partitions installed on this system?

Are any USB connected HDDs present?

It is quite possible that multiple start-up antimalware scans are
running at the same time. Even innocent/good utilities like CCleaner
can be set to do a start-up scan too. Checking "Scheduled Tasks" will
verify this. Event logs could even be helpful.

Interspersing your answers above, is strongly encouraged.

 

[Jose]

I'm trying to help someone track down the reason why her XP Pro system
takes about 7 minutes from the Welcome screen to a usable desktop.

McAfee (corporate) is installed and uptodate. Scans with MBAM and Spybot
S&D found a few things and were able to remove them. Although it is
certainly possible that there is still malware on the machine, the
following behavior seems a bit odd, even for malware.

Answer many system environment questions easily in one fell swoop:

Click Start, Run and in the box enter:

msinfo32

Click OK, and when the System Summary info appears, click Edit, Select
All, Copy and then paste

There will be some personal information (like System Name and User
Name), and whatever appears to
be private information to you, just delete from the pasted
information.

Run these scans:

Download, install, update and do a full scan with these free malware
detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware: (SAS): http://www.superantispyware.com/

These can be uninstalled later if desired.

After we have info and reduced the possibility of common malware we
can easily see where the 7 minutes is going down to the tenths of a
second, and determine the best options (unless you like trial and
error).

Be prepared to be open minded and rethink (replace/ditch) the McAfee
strategy.

Try not to spend too much time trying things that might work maybe.
Do things that will work.

 

[Pete]

Exactly what "few things" were found?

Please be very precise. The logs will tell all.

I don't have access to the problem machine now, but as I recall, MBAM
didn't find anything but Spybot found one item it characterized as
malware (the Spybot name started with Fraud.xxx).

Boot Execute, Scheduled Tasks, Winlogon, Logon. The other tabs may
show interesting things later.

I expect Boot Execute and Winlogon will be the likeliest places. Logon
is essentially the same as what shows in msconfig.

Some applications avoid listing themselves in this manner, therefore
avoiding that action.

Hopefully, Autoruns will find them.

Hello Pete:

The HDD activity you relate, is unconnected with any possible network
drive timeout.

Now that you mention it, of course. Network timeout would cause some
delay (but not *that* long), but it wouldn't be thrashing the disk.

At what service pack level is the XP Pro?
sp3

How much RAM is installed?

512 MB

Again - please be very precise. The "winver" command is very helpful
with both of the above..

Are multiple 'visible' partitions installed on this system?
No

Are any USB connected HDDs present?
No

It is quite possible that multiple start-up antimalware scans are
running at the same time. Even innocent/good utilities like CCleaner
can be set to do a start-up scan too. Checking "Scheduled Tasks" will
verify this. Event logs could even be helpful.

I'll take a look.

Interspersing your answers above, is strongly encouraged.

Thanks for the suggestions. It make be a day or so before I get back to
look at it.

 

[Pete]

Did this problem develop suddenly, or gradually? How big's the hard disk and
how much room is left?

I'm not at the problem machine now, but from the answers I got, it
sounded as if the problem has been around for a while, but whether it
started abruptly or not I don't know.

The disk is about 40 GB with about 15-20% used (I don't remember
precisely, but I did look at the properties of the hard drive and the
pie chart indicated considerably less than 25% used).

 

[Pete]

Answer many system environment questions easily in one fell swoop:

Click Start, Run and in the box enter:

msinfo32

Next time I'm there. (XP Pro sp3; 512 MB RAM; disk space about 15-20% used.)

Click OK, and when the System Summary info appears, click Edit, Select
All, Copy and then paste

There will be some personal information (like System Name and User
Name), and whatever appears to
be private information to you, just delete from the pasted
information.

Run these scans:

Download, install, update and do a full scan with these free malware
detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware: (SAS): http://www.superantispyware.com/

MBAM showed no issues; Spybot S&D showed a few cookies and one "malware"
item which it removed; I can do SAS next time, but I don't expect it to
show anything.

These can be uninstalled later if desired.

After we have info and reduced the possibility of common malware we
can easily see where the 7 minutes is going down to the tenths of a
second, and determine the best options (unless you like trial and
error).

Be prepared to be open minded and rethink (replace/ditch) the McAfee
strategy.

I'd love to, but can't (see below).

Try not to spend too much time trying things that might work maybe.
Do things that will work.

I'm looking for something that runs on a first user log on only but
doesn't appear in msconfig. Or maybe after all it *is* the McAfee
startup scan. On the other hand, another laptop of similar vintage but
with a larger hard drive doesn't take nearly as long to complete its
McAfee startup scan.

The problem is that it is very difficult (but not impossible) to disable
McAfee. This is a personal laptop that is allowed to connect to a
corporate network (but not as a domain member). The "price" for being
allowed to connect to the network was that corporate IT installed McAfee
and locked it down. McAfee's anti-tamper "safeguards" are pretty good.
The last time I managed to disable McAfee, I had to start in Safe Mode
and rename several McAfee exe and/or dll files.

 

[sandy58]

I don't have access to the problem machine now, but as I recall, MBAM
didn't find anything but Spybot found one item it characterized as
malware (the Spybot name started with Fraud.xxx).





I expect Boot Execute and Winlogon will be the likeliest places. Logon
is essentially the same as what shows in msconfig.





Hopefully, Autoruns will find them.






Now that you mention it, of course.  Network timeout would cause some
delay (but not *that* long), but it wouldn't be thrashing the disk.




512 MB





I'll take a look.




Thanks for the suggestions. It make be a day or so before I get back to
look at it.

http://siri.geekstogo.com/SmitfraudFix.php

 

[Daave]

Next time I'm there. (XP Pro sp3; 512 MB RAM; disk space about 15-20%
used.)

MBAM showed no issues; Spybot S&D showed a few cookies and one
"malware" item which it removed; I can do SAS next time, but I don't
expect it to show anything.

I'd love to, but can't (see below).

I'm looking for something that runs on a first user log on only but
doesn't appear in msconfig. Or maybe after all it *is* the McAfee
startup scan. On the other hand, another laptop of similar vintage but
with a larger hard drive doesn't take nearly as long to complete its
McAfee startup scan.

The problem is that it is very difficult (but not impossible) to
disable McAfee. This is a personal laptop that is allowed to connect
to a corporate network (but not as a domain member). The "price" for
being
allowed to connect to the network was that corporate IT installed
McAfee and locked it down. McAfee's anti-tamper "safeguards" are
pretty good. The last time I managed to disable McAfee, I had to start
in Safe Mode
and rename several McAfee exe and/or dll files.

I would be tempted to uninstall McAfee altogether and use their removal
tool also if necessary (I've seen systems that exhibit the same behavior
and McAfee *was* the culprit). Before doing this, image the drive, of
course. This might be the only way to determine if McAfee is 100% of the
problem or not!

 

[Pete]

Jose, here is the info you requested:

MBAM - clean
SAS 1 "Adware.IEPlugin" (dsktb) -- removed by SAS
14 "Adware.Cookies" -- removed by SAS

msinfo32 (I was wrong - it's XP Home, not Pro):
OS Name Microsoft Windows XP Home Edition
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Name LAPTOP
System Manufacturer Dell Computer Corporation
System Model Inspiron 600m
System Type X86-based PC
Processor x86 Family 6 Model 9 Stepping 5 GenuineIntel ~1395 Mhz
BIOS Version/Date Dell Computer Corporation A08, 10/29/2003
SMBIOS Version 2.3
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume2
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
User Name LAPTOP\xxxxxxx
Time Zone Eastern Daylight Time
Total Physical Memory 512.00 MB
Available Physical Memory 198.72 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Page File Space 1.22 GB
Page File C:\pagefile.sys

Only scheduled task: Apple S/W Update every Mon @ 11:24 pm

It really seems that the bulk of the delay and disk activity is caused
by McAfee. I started in Safe Mode and renamed several McAfee-related
exe and dll files. When I restarted, things were faster, but Windows
Automatic Update was also doing its thing. So here are comparison times
between the system in its "normal" configuration and the system with
both McAfee and WU disabled.

Windows startup music plays: 42 sec 48 sec
Desktop and icons appear: 1:15 1:34
Task bar usable and notification
area icons populated 1:50 5:30
Disk activity stops 2:35 >8:00

I stopped waiting for the disk activity to end after I restored McAfee.
This was longer than it had been (around 7:00) because McAfee was
updating its virus signatures in addition to everything else it was doing.

Perhaps you can think of something else, but as far as I'm concerned, my
friend can either uninstall McAfee and not use her laptop on her
company's network, ask her company IT person to reconfigure McAfee to
not do such an extensive startup scan, or live with the startup delay.

Even 2:30 minutes is longer than it ought to be, but this is a 6-year
old laptop, so it probably can't do much better.