probs turning pc off

[enchanted willow]

Hi everyone...

 

Could really do with some help. my pc is set up so that i have my part then the kids have their part. im the only one with admin rights... now when the kids try to log of on turn pc off it just freezes!!! any idea why this is.. ive not downloaded anything new... or changed anything...

 

Help please

[Seth]

Hello again Enchanted.

 

That issue is normally caused by a program that is unable to shut down. That "program" may be legitimate or some form of infection.

 

We need to see a log from a program called HijackThis. It's installer can be downloaded from http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download.

 

You'll also need to temporarily change that particular account to an Admin account by going into your account then Start>Control Panel>User accounts.

 

Log back into the kids account and download HijackThis. Run the program and click Scan Only. Please copy and paste that log back here.

[enchanted willow]

ok will do... thankyou...

[AdvancedSetup]

I highly recommend taking a look at this article and then

downloading and installing the Microsoft User Profile Hive Cleanup Service (UPHClean)

 

Troubleshooting profile unload issues

Microsoft Technical Artical

 

To download and install UPHClean, visit the following Microsoft Web site:

UPHClean Download

[enchanted willow]

right i have done what u asked.... now are u sure u want me to copy the log to here...

[Guest Wolfeymole]

Yes please willow.

[enchanted willow]

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:04:02 PM, on 2/4/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

C:\Program Files\Instant Buzz\IBDaemon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\Grisoft\AVG7\avginet.exe

C:\WINDOWS\system32\WgaTray.exe

C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Documents and Settings\kids\Local Settings\Temporary Internet Files\Content.IE5\25RK1SQG\HiJackThis[1].exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O2 - BHO: XBTP09890 - {748941C4-5D50-4363-8E9F-25596FE129F1} - C:\PROGRA~1\LYCOSI~1\LYCOSI~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\System32\ojqwlasx.dll (file missing)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {9254a721-42bb-4a66-98b8-14f4208374f1} - C:\WINDOWS\system32\inetmon.dll (file missing)

O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\fmlzbcyz.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll

O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\IBBar.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\PROGRA~1\CONTRO~1\zeropop.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\fmlzbcyz.dll (file missing)

O3 - Toolbar: Lycos iQ Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\Program Files\Lycos iQ Toolbar\LycosIQToolBar.dll

O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll

O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray

O4 - HKLM\..\Run: [Control Kids] C:\Program Files\Control Kids\Control kids.exe

O4 - HKLM\..\Run: [instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [DDC] C:\Documents and Settings\kids\Application Data\tmp3.tmp.exe

O4 - HKCU\..\Run: [cmds] rundll32.exe C:\WINDOWS\System32\vtuts.dll,c

O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRxdm479YYGB

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\System32\GPhotos.scr/200

O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\PROGRA~1\INSTAN~1\IBBar.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\inetmon.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\inetmon.dll (file missing)

O9 - Extra button: Lycos iQ Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\WINDOWS\system32\inetmon.dll (file missing)

O9 - Extra 'Tools' menuitem: Lycos iQ Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\WINDOWS\system32\inetmon.dll (file missing)

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\inetmon.dll (file missing)

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\inetmon.dll (file missing)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\inetmon.dll (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\inetmon.dll (file missing)

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\inetmon.dll (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversFWBInitialSetup1.0.0.15-3.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193223426218

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx

O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/cinematycoon.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab

O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/default/Sweetopia.1.0.0.46.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0383D286-F122-4B5E-8247-4075AB8F1147}: NameServer = 192.168.2.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{0383D286-F122-4B5E-8247-4075AB8F1147}: NameServer = 192.168.2.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{0383D286-F122-4B5E-8247-4075AB8F1147}: NameServer = 192.168.2.1

O17 - HKLM\System\CS3\Services\Tcpip\..\{0383D286-F122-4B5E-8247-4075AB8F1147}: NameServer = 192.168.2.1

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Filter hijack: text/html - {C6F62B7A-5450-4A2F-8687-6CEEC3AEB055} - C:\WINDOWS\system32\controlkids2.dll

O20 - Winlogon Notify: fmlzbcyz - fmlzbcyz.dll (file missing)

O20 - Winlogon Notify: inetmon - inetmon.dll (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: lxda_device - - C:\WINDOWS\system32\lxdacoms.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

 

--

End of file - 11827 bytes

[enchanted willow]

its a big log...lol

[enchanted willow]

thx for this Wolfeymole

[enchanted willow]

Does it help any??? what should i do now?

[Guest Wolfeymole]

Please bear with us while Seth examines the log and gets back to you.

He is our resident HJT expert.

He will give you full instructions on what to do.

[enchanted willow]

ok thx.... will go work on my site while i wait.. cheers for all the help

[Seth]

Enchanted,

 

The log shows that your computer is infected. In addition, you have numerous programs that are automatically starting when your computer starts. Those programs are needless for startup and should be disabled.

 

Stay in the kids account and do the following:

 

Go to Start, Run, type in msconfig and press ok. Put a dot on Selective Startup, then click the "Startup" tab. Scroll through the list and uncheck everything but the following:

 

Systray.exe

Anything referring to AVG

jusched.exe

controlkids.exe

 

 

Click Apply then ok. Reboot when prompted. You'll know you did it right as a message will appear that "You've used the System Startup utility" (just put a check in "Don't show me this again"

 

In the kid's account, Install and run the free trial Professional version of SuperAntiSpyware from http://www.superantispyware.com. Accept any prompts to allow SUPERAntiSpyware to install the latest infection definition files. Do NOT allow SUPERAntiSpyware to Protect your Home Page settings.

 

Once installed, it will likely pop up with a message saying that "SuperAntiSpyware has blocked dangerous programs from running" Simply close that Window and double click the yellow "bug"icon near the time. Click on "Scan Your Computer". Make sure there is a dot on C:\Fixed Drive, and click Perform a Complete Scan. Click Next and reboot the computer. After the scan, make sure their is a check in all the infections it shows, then click next. Restart when you're prompted to do so.

 

The kid's account should shut down correctly now. If not, download and run the utility that Advanced Setup has posted, and post back with a new HijackThis log please.

[Seth]

I have to leave for a couple of hours Enchanted.

 

I'll check out your new HT log when I return.

[enchanted willow]

ok...

[enchanted willow]

its not letting me do it... ive changed account to admin rights and its still saying to change over to admin...???

[enchanted willow]

its saying access denied error was returned while attempting to change a service. u may need to log on using a account administrator account to make specified changes

[enchanted willow]

its driving me crazy... should i try it in my account instead??? or would that not work

[Guest Wolfeymole]

Are you sure your typing the correct password Willow?

Do exactly what you did the first time you got into the kids account as admin.

[enchanted willow]

yes... i wrote it down how u did... msconfig

[enchanted willow]

would it work if i did it in my account instead of kids?? ive got a nvq2 in IT.. all the good its done me..lol

[enchanted willow]

right ive typed it in on my account and the selective startup menu has popped up...

[enchanted willow]

???

[Guest Wolfeymole]

Willow

 

Please be patient while Seth returns.

I would not wish to offer incorrect advice to you regarding this issue.

 

Please try not to panic and he will help you as soon as he returns.

[enchanted willow]

ok.... no probs....