# Solved: Computer using Windows XP hangs during shut down process



## cangri76

My computer with *Windows XP* will not shut down; it hangs at "Windows is Shutting Down". The computer doesn't power down. I'm forced to manually press the power button to turn off the computer.

Any ideas?


----------



## Firah

Try this:

Control Panel> Sound and Audio Devices> Sound

Scroll down to 'Exit Windows'

Choose 'None'.

Also clear all unnecessary startup programs in msconfig.


----------



## RAM-PAGE

Take a look at Tuning Windows XP on the links below.


----------



## cangri76

I tried Firah's suggestion but I'm still having the same problem.

I looked at Tuning Windows XP on the links provided by RAM-PAGE, but it does not explain how to do those things to speed up my computer's performance and to make my computer shut down properly.


----------



## Dr Dave

Go to your error log and see what your problem is.
For those who don't know where the error log is located:
[1] Start Menu
[2] Help and Support
[3] Pick a Task
[4] Tools
[5] Advanced System Information
[6] View the Error Log


----------



## cangri76

Here is the output from my error log:

Wednesday, December 01, 2004	Application Hang	Hanging application IEXPLORE.EXE, version 6.0.2800.1106, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Wednesday, December 01, 2004	Application Hang	Hanging application IEXPLORE.EXE, version 6.0.2800.1106, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Wednesday, December 01, 2004	Application Hang	Hanging application IEXPLORE.EXE, version 6.0.2800.1106, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Wednesday, December 01, 2004	Application Hang	Hanging application IEXPLORE.EXE, version 6.0.2800.1106, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Wednesday, December 08, 2004	Perflib	The timeout waiting for the performance data collection function ".NET CLR Data" in the "C:\WINDOWS\System32\netfxperf.dll" Library to finish has expired. There may be a problem with this extensible counter or the service it is collecting data from or the system may have been very busy when this call was attempted.

Wednesday, December 08, 2004	Perflib	The timeout waiting for the performance data collection function "TapiSrv" in the "C:\WINDOWS\System32\tapiperf.dll" Library to finish has expired. There may be a problem with this extensible counter or the service it is collecting data from or the system may have been very busy when this call was attempted.

Friday, December 10, 2004	Application Hang	Hanging application YPager.exe, version 6.0.0.1750, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Monday, December 13, 2004	Application Hang	Hanging application narrator.exe, version 5.1.2600.1143, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Thursday, January 20, 2005	PerfNet	Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

Saturday, January 22, 2005	Ci	Content index on c:\system volume information\catalog.wci is corrupt. Please shutdown and restart the Indexing Service (cisvc).

Saturday, January 22, 2005	Ci	Cleaning up corrupt content index metadata on c:\system volume information\catalog.wci. Index will be automatically restored by refiltering all documents.

Thursday, February 03, 2005	PerfNet	Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

Sunday, February 06, 2005	PerfNet	Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

Friday, February 11, 2005	Perflib	The open procedure for service "PerfDisk" in DLL "C:\WINDOWS\System32\perfdisk.dll" has taken longer than the established wait time to complete. There may be a problem with this extensible counter or the service it is collecting data from or the system may have been very busy when this call was attempted.

Friday, February 11, 2005	PerfNet	Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

Saturday, February 12, 2005	PerfNet	Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

Monday, February 14, 2005	Application Error	Faulting application picture.exe, version 1.0.0.6253, faulting module pictrls.dll, version 1.0.0.6253, fault address 0x0002a470.

Monday, February 14, 2005	Application Error	Faulting application picture.exe, version 1.0.0.6253, faulting module unknown, version 0.0.0.0, fault address 0x65637845.

Thursday, February 17, 2005	PerfNet	Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

Thursday, February 17, 2005	Application Hang	Hanging application SpybotSD.exe, version 1.3.0.12, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Thursday, February 17, 2005	Application Hang	Hanging application SpybotSD.exe, version 1.3.0.12, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Thursday, February 17, 2005	Application Error	Faulting application cwshredder.exe, version 2.12.0.0, faulting module cwshredder.exe, version 2.12.0.0, fault address 0x00003373.

Thursday, February 17, 2005	Application Hang	Hanging application MCC Monitor.exe, version 1.0.0.25, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Thursday, February 17, 2005	Application Hang	Hanging application MCC Monitor.exe, version 1.0.0.25, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Thursday, February 17, 2005	Application Hang	Hanging application MCC Monitor.exe, version 1.0.0.25, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Thursday, February 17, 2005	PerfNet	Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

Sunday, February 20, 2005	PerfNet	Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

Monday, February 21, 2005	PerfNet	Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.


----------



## cangri76

Any Suggestions? Help Please


----------



## cangri76

Original problem:

My computer with Windows XP will not shut down; it hangs at "Windows is Shutting Down". The computer doesn't power down. I'm forced to manually press the power button to turn off the computer.

Can anybody tell me what to do to solve this? Help Please.

Thanks


----------



## RAM-PAGE

I see that SpyBot has hung a couple of times. Have you tried using AdAware SE?

Run AdAware first then download Hijack This, scan and save a log and post the log to the Security Forum.


----------



## bradly

1. Try Start - Run - type in "msconfig", and click the Startup Tab.
2. Bottom Right, click "disable all", then apply, then close and have it reboot (it will probably still hang on shutdown right now).
3. After you have it restarted, put a check in the checkbox of the system config utility window, and then hit OK. Now shutdown again.

Did it hang again? If not, then there's something in the startup menu that is causing your machine to hang when it shuts down. Now you can go back into msconfig, and start re-checking [one-by-one, and rebooting] the important ones (usually you will only need your antivirus, firewall, and sometimes ISP software running).

See if this helps - you really want to keep your startup items to a minimum anyways.


----------



## cangri76

Problem solved !!!

Thanks Bradly. :up:


----------



## WhitPhil

cangri76 said:


> Problem solved !!!
> 
> Thanks Bradly. :up:


Out of interest, which program was it that was causing the hangup?


----------



## bradly

cangri76 said:


> Problem solved !!!
> 
> Thanks Bradly. :up:


You're welcome


----------



## cangri76

Bradly,

I did what you suggested and it seems to work fine, but I found out something that I do not know how to explain. When I used my computer for a short period of time it shut down perfectly, but if I used it for a long period of time it still hangs at "Windows is Shutting Down". The computer doesn't power down. I'm forced to manually press the power button to turn off the computer. This is bizarre!!!!

Any ideas? Please help


----------



## WhitPhil

Download, install and run HiJackThis

Copy/paste the log that is created into a reply post.


----------



## cangri76

Logfile of HijackThis v1.99.0
Scan saved at 11:19:04 AM, on 3/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\umonit.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\America Online 9.0\waol.exe
C:\WINDOWS\System32\YzvM8.exe
C:\WINDOWS\System32\AdbQ0.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\825a443379eda05acc2690b8c47d5d95\update\update.exe
c:\windows\softwaredistribution\download\825a443379eda05acc2690b8c47d5d95\spuninst.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://mail.yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://mail.yahoo.com/?.intl=us"); (C:\Documents and Settings\Carlos Rivera\Application Data\Mozilla\Profiles\default\kq4y03gh.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Carlos Rivera\Application Data\Mozilla\Profiles\default\kq4y03gh.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: jimmyhelp.CBrowserHelper - {1DC82F19-D08C-43AC-89B6-25426FE7AC50} - C:\WINDOWS\vnocp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\KtsA.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {4BFB1D84-F695-489A-8765-06AA5D66C57C} (IObjSafety.DemoCtl) - http://mmm.roings.com/cabs/clickyes.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1706c410d06f16c78a14/netzip/RdxIE601.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetingcenter1.webex.com/client/v_mywebex/webex/ieatgpc.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8373226-2CDE-4830-B088-C0B4E194447F}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe


----------



## Flrman1

*Click here* to download the PeperFix.exe tool to get rid of the peper trojan:

Click on the PeperFix.exe to launch it.

Click the *Find and Fix* button.

It will scan the %systemroot% folder and locate all the peper files. You will be prompted to restart your computer. Restart and it will delete the peper files.

Go *here* and download Ad-Aware SE.

Install the program and launch it.

First in the main window look in the bottom right corner and click on *Check for updates now* then click *Connect* and download the latest reference files.

From the main window: click *Start*, then under *Select a scan Mode* tick *Perform full system scan*.

Next deselect *Search for negligible risk entries*.

Now to scan just click the *Next* button.

When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose *select all* from the drop-down menu and click *Next*.)

*Restart your computer*.

Go *here* and download Microsoft Antispyware Beta. First press file and check for updates and then run it.

Let it fix anything that it finds (have it quarantine them rather than delete just in case. It is a beta program and there may be false positives)

Come back here and post another Hijack This log and we'll get rid of what's left.


----------



## ~Candy~

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\KtsA.exe

I think that is an indication of the pepper trojan.

I'm going to move you to security.

Flrman1 beat me. Took too much time typing I guess


----------



## cangri76

Done,

Here is the new log file. I'm still having the same problem. 

Logfile of HijackThis v1.99.0
Scan saved at 6:25:42 PM, on 3/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\umonit.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://mail.yahoo.com/?.intl=us"); (C:\Documents and Settings\Carlos Rivera\Application Data\Mozilla\Profiles\default\kq4y03gh.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Carlos Rivera\Application Data\Mozilla\Profiles\default\kq4y03gh.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: jimmyhelp.CBrowserHelper - {1DC82F19-D08C-43AC-89B6-25426FE7AC50} - C:\WINDOWS\vnocp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\KtsA.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {4BFB1D84-F695-489A-8765-06AA5D66C57C} (IObjSafety.DemoCtl) - http://mmm.roings.com/cabs/clickyes.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1706c410d06f16c78a14/netzip/RdxIE601.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetingcenter1.webex.com/client/v_mywebex/webex/ieatgpc.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe


----------



## Flrman1

I see you are running Hijack This from a temp folder now. It will not function properly from there and it cannot create and restore backups from there. You need to create a new folder in My Documents and name it Hijack This. Now *Click here* to download Hijack This again. Download it and click "Save". Save it to the Hijack This folder you just created. That way it can create and restore backups if needed. HJT will store the backups in the same location that it is run from.

After doing that post a new log.
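
A small triage script for the two points raised above (the odd `Run` entry ~Candy~ quoted, and Flrman1's note about Hijack This being run from a temp folder), added here as an example; it is not part of any poster's reply or of HijackThis itself. The name heuristic and the function names are assumptions of this example; the sample lines are copied from the logs posted in this thread.

```python
import re

# Constructed samples: a few lines copied from the two HijackThis logs
# posted in this thread (11:19 AM before cleanup, 6:25 PM after cleanup).
SAMPLE_BEFORE = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\umonit.exe
C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\HijackThis.exe

O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\KtsA.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

SAMPLE_AFTER = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\KtsA.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
"""

# "O4 - <registry key>: [<value name>] <command>"; Startup-folder O4 lines
# ("Global Startup: x.lnk = ...") have no [name] and are skipped on purpose.
O4_RUN = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def looks_generated(name):
    """Heuristic (assumption of this example): a long value name made only of
    capitals and digits, with several of each, reads as machine-generated."""
    if len(name) < 8 or not re.fullmatch(r"[A-Z0-9]+", name):
        return False
    digits = sum(ch.isdigit() for ch in name)
    return digits >= 3 and len(name) - digits >= 3


def review(log_text):
    """Return (kind, name, path) findings for one HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = O4_RUN.match(line)
        if match:
            if looks_generated(match.group("name")):
                findings.append(("generated-run-name",
                                 match.group("name"),
                                 match.group("cmd").strip('"')))
            continue
        lowered = line.lower()
        # The scanner itself listed under a Temp directory: backups it
        # writes next to itself may not survive, as noted in the thread.
        if lowered.endswith("\\hijackthis.exe") and "\\temp\\" in lowered:
            findings.append(("tool-in-temp", "HijackThis.exe", line))
    return findings


def persisting(before_text, after_text):
    """Run entries flagged in both logs, i.e. still present after cleanup."""
    before = {f for f in review(before_text) if f[0] == "generated-run-name"}
    after = {f for f in review(after_text) if f[0] == "generated-run-name"}
    return sorted(before & after)


if __name__ == "__main__":
    for finding in review(SAMPLE_BEFORE):
        print(finding)
    print("still present after cleanup:", persisting(SAMPLE_BEFORE, SAMPLE_AFTER))
```

A flagged name is only a prompt to look at the entry by hand; legitimate software can register odd value names too.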


----------



## cangri76

Done, Here is the new log file:

Logfile of HijackThis v1.99.1
Scan saved at 7:20:32 PM, on 3/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\umonit.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Carlos Rivera\My Documents\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://mail.yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://mail.yahoo.com/?.intl=us"); (C:\Documents and Settings\Carlos Rivera\Application Data\Mozilla\Profiles\default\kq4y03gh.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Carlos Rivera\Application Data\Mozilla\Profiles\default\kq4y03gh.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: jimmyhelp.CBrowserHelper - {1DC82F19-D08C-43AC-89B6-25426FE7AC50} - C:\WINDOWS\vnocp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\KtsA.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {4BFB1D84-F695-489A-8765-06AA5D66C57C} (IObjSafety.DemoCtl) - http://mmm.roings.com/cabs/clickyes.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1706c410d06f16c78a14/netzip/RdxIE601.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetingcenter1.webex.com/client/v_mywebex/webex/ieatgpc.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8373226-2CDE-4830-B088-C0B4E194447F}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe


----------



## Flrman1

Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

O2 - BHO: jimmyhelp.CBrowserHelper - {1DC82F19-D08C-43AC-89B6-25426FE7AC50} - C:\WINDOWS\vnocp.dll

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\KtsA.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.5.cab

O16 - DPF: {4BFB1D84-F695-489A-8765-06AA5D66C57C} (IObjSafety.DemoCtl) - http://mmm.roings.com/cabs/clickyes.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1706c41...ip/RdxIE601.cab

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab

O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab

Restart to safe mode.

*How to start your computer in safe mode*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type *%temp%* in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin


----------



## cangri76

flrman1,

I did everything you suggested but the problem continues ...

What else can I try to resolve this?


----------



## ~Candy~

Can you post a new scanlog?


----------



## cangri76

AcaCandy,

Here is a new scanlog:

Logfile of HijackThis v1.99.1
Scan saved at 8:57:32 PM, on 3/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\umonit.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Carlos Rivera\My Documents\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://mail.yahoo.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://mail.yahoo.com/?.intl=us"); (C:\Documents and Settings\Carlos Rivera\Application Data\Mozilla\Profiles\default\kq4y03gh.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Carlos Rivera\Application Data\Mozilla\Profiles\default\kq4y03gh.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetingcenter1.webex.com/client/v_mywebex/webex/ieatgpc.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8373226-2CDE-4830-B088-C0B4E194447F}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe


----------
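The two scanlogs above can be compared mechanically instead of by eye. This is an added example, not part of any post in this thread and not HijackThis code: it parses HijackThis entry lines, reports what a fix removed, and checks whether any item from a fix list is still present. The function names and the trimmed sample logs are assumptions built from lines posted in the thread; entries are matched by CLSID where one exists, so URLs the forum shortened with "..." still match.

```python
import re

# A HijackThis entry line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [...]".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
GUID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")

def entry_key(line):
    """Return (section, identity) for an entry line, or None for headers and process paths."""
    # Tolerate emphasis asterisks and spaces picked up when a line is pasted from a forum post.
    m = ENTRY_RE.match(line.strip("* \t"))
    if not m:
        return None
    code, body = m.groups()
    guid = GUID_RE.search(body)
    # Prefer the CLSID: forum software shortens long URLs with "...", the CLSID survives.
    # Entries in one section that share a CLSID (O9 button and menu item) collapse to one key.
    return (code, guid.group(1).upper() if guid else body.strip())

def parse_scan(text):
    """Map each entry key to the first log line that produced it."""
    scan = {}
    for line in text.splitlines():
        key = entry_key(line)
        if key is not None:
            scan.setdefault(key, line.strip("* \t"))
    return scan

def diff_scans(before, after):
    """Return (removed, added) entry lines between two scans, in log order."""
    b, a = parse_scan(before), parse_scan(after)
    removed = [b[k] for k in b if k not in a]
    added = [a[k] for k in a if k not in b]
    return removed, added

def still_present(fix_list, scan_text):
    """Return the scan lines that match an item on the fix list."""
    scan = parse_scan(scan_text)
    return [scan[k] for k in parse_scan(fix_list) if k in scan]

# Constructed samples: lines trimmed from the two scanlogs and the fix list in this thread.
BEFORE = r"""
Running processes:
C:\WINDOWS\System32\umonit.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: jimmyhelp.CBrowserHelper - {1DC82F19-D08C-43AC-89B6-25426FE7AC50} - C:\WINDOWS\vnocp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\KtsA.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
"""
AFTER = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
"""
FIX_LIST = r"""
*R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: jimmyhelp.CBrowserHelper - {1DC82F19-D08C-43AC-89B6-25426FE7AC50} - C:\WINDOWS\vnocp.dll
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\KtsA.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.5.cab
"""

if __name__ == "__main__":
    removed, added = diff_scans(BEFORE, AFTER)
    print("Removed by the fix:", *removed, sep="\n  ")
    print("New since the first scan:", *(added or ["(none)"]), sep="\n  ")
    print("Fix-list items still present:", still_present(FIX_LIST, AFTER) or "(none)")
```
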



## ~Candy~

Can you shut down normally from safe mode?


----------



## cangri76

Yes, it worked the other day when I shut down from safe mode while I was implementing flrman1's suggestions listed in the March 05 message above.


----------



## ~Candy~

The list of programs that you have running, the (O4) items... when you try to shut down, take a look at those items and see if you have anything else running when you try to shut down normally.


----------



## cangri76

Nope!! Those are the only ones running. I disabled everything else.


----------



## ~Candy~

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe

Just for fun, turn those off via start, run, msconfig, startup tab and test shutdown again.


----------



## Java_Man

I was troubled by a similar situation; I hunted it for the past 8 months. I think I found my solution just tonight on a web page.

Here is the excerpt of the fix:

Correspondent Graeme J.W. Smith reported a more obscure cause of slow shutdown: In Win XP Professional, the Group Policy Editor has a security option to clear the pagefile at system shutdown. The same setting also forces the hibernation file to be wiped at shutdown. These processes take long enough that users may think that shutdown has hung. To change the setting, click Start | Run, type GPEDIT.MSC, click OK. Drill down to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options. In the right pane, find Shutdown: Clear virtual memory pagefile. NOTE: Since someone actually has to have set this policy, the problem will be pretty rare, but is worth mentioning. However, Forum participant roadrunner reported that the personal security app Privacy Eraser automatically enables Clear virtual memory pagefile, and, therefore, may be the cause of a slow shutdown.

I found this on a web page (http://aumha.org/win5/a/shtdwnxp.php)

I hope this will help you.

Cheers!


----------



## cangri76

AcaCandy,

I turned off the O4 messages listed below via start, run, msconfig, startup tab.

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe

I tested shutdown again, but the problem remains....


----------



## ~Candy~

Ok, I'm trying to rule out software, so uncheck these, test shutdown again, if the problem persists, put these back:

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"


----------



## cangri76

AcaCandy,

Problem solved. Thanks

It is working OK now. I only kept the following on my startup:

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

Thanks for all your help !!!


----------



## ~Candy~

So, the MS anti-spyware program is causing the hang?


----------

