MY pc wont shut down

[LeeroyJenkins]

i cant shut down my pc if i press alt+F4 it hands with a busy icon is i try shuttingdown with ctrl+alt+del it hangs. the only way i was able to shut down was to end 2 svchost.exe process PID 1056 and PID 1076 shown below one of them is roughly 2-3kb the other one goes up to 23kb i dont know why these 2 specific processes are hanging my pc i tried spyware scan virus scan neither solved the problem tried running the scans in safe mode didnt work. i only have this problem running windows in normal mode in safe mode i dont have this problem

Process PID

AHQTBU.EXE 1232
cmd.exe 1224
csrss.exe 644
Explorer.EXE 620
gcasDtServ.exe 1612
gcasServ.exe 1260
iexplore.exe 1180
iexplore.exe 1568
lsass.exe 724
NOTEPAD.EXE 1000
PrcView.exe 1756
services.exe 712
smss.exe 588
spoolsv.exe 1336
svchost.exe 904
svchost.exe 956
svchost.exe 1056
svchost.exe 1076
svchost.exe 1992
taskmgr.exe 1728
wbload.exe 1244
wdfmgr.exe 188
winlogon.exe 668

 

[garebo]

Im not the best at reading results of hijack this but here goes.

First off, the AHQ thing is obviously ok, its part of your creative sound card program.
And there are a number of them like acrobat,excel, java,aim, messenger that are obviously ok.
There is a way to check off the ones you know are ok, on the bottom right, called "add checked to ignore list".
You can check off all the ones you know for sure are ok and then you can run the scan again and only the ones you dont know about will come up.
Right off the top, though, i think there is some concern in the hosts area, cydoor is spyware.

http://www.spywareguide.com/product_show.php?id=7

Good advice + great people = tek-tips

 

[gpalmer711]

Something in your log that troubles me slightly is this entry

C:\WINDOWS\EXPLOREr.EXE

The spelling is correct but the capitalisation is not, if you have not manually changed the files name then an infection has. It might have changed the file completely in the style of a root kit.

The following entries also need to be removed.

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe

I'm guessing you have some kind of Ad blocking software installed. If this is the case that would explain all of the hosts entries, they all point to some foreign forums.

If you have no joy with any other scanners then personally I would create a Bart PE boot disk, my personal fave at the moment is

http://ubcd4win.com/,

make sure you update all the deffinitions before creating the disk. Then you can scan to your hearts content before any of your Windows XP files are loaded.

Greg Palmer
Freeware Utilities for Windows Administrators.

http://www.palmersoft.co.uk

 

[linney]

The Username "Isak Aronov", it is unusual to have a space in the name and in some situations may lead to errors and other odd behavior in Windows.

In normal circumstances do you have a firewall and virus scanner running as a starting service or application, I can see part of ActiveX for the virus scanners but no running programs from them?

 

[garebo]

There is also the double iexplorer listing in task mgr.


Good advice + great people = tek-tips

 

[LeeroyJenkins]

ok i deleted those 3 items im not sure about the EXPLOREr.exe i dont see 2 files with the same name like that i even showed hidden and system files still only 1

also i am still curious to why when ending the 2 specific svclocalhost.exe processes i can shut down normally

 

[gpalmer711]

Svchost.exe is the file that will run the various services that are installed, these can be part of Windows, Antivirus, firewall, etc.. Or Malware related.

First do a search of your PC for svchost.exe the only place it should find it is c:\windows\system32, if it is found anywhere else then it is likely that you are looking at a virus infection. See

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

as an example.

You can also find out what services are attached with each svchost file.

Click Start, Run and type cmd

Type tasklist /svc > c:\taskList.txt

Here is an example of mine

Image Name                   PID Services                                     
========================= ====== =============================================
System Idle Process            0 N/A                                          
System                         4 N/A                                          
smss.exe                     356 N/A                                          
csrss.exe                    464 N/A                                          
winlogon.exe                 488 N/A                                          
services.exe                 532 Eventlog, PlugPlay                           
lsass.exe                    544 PolicyAgent, ProtectedStorage, SamSs         
svchost.exe                  700 DcomLaunch, TermService                      
svchost.exe                  756 RpcSs                                        
svchost.exe                  844 AudioSrv, Browser, CryptSvc, Dhcp, dmserver, 
                                 ERSvc, EventSystem,                          
                                 FastUserSwitchingCompatibility, helpsvc,     
                                 HidServ, lanmanserver, lanmanworkstation,    
                                 Netman, Nla, RasAuto, RasMan, Schedule,      
                                 seclogon, SENS, SharedAccess,                
                                 ShellHWDetection, srservice, TapiSrv,        
                                 Themes, TrkWks, W32Time, winmgmt, wuauserv,  
                                 WZCSVC                                       
svchost.exe                  892 Dnscache                                     
svchost.exe                  988 Alerter, LmHosts, SSDPSRV, upnphost,         
                                 WebClient

Let us know the services that are attached to each of your problem svchost entries and then we should be able to take this further.

Greg Palmer
Freeware Utilities for Windows Administrators.

http://www.palmersoft.co.uk

 

[LeeroyJenkins]

here are teh results


Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 572 N/A
csrss.exe 628 N/A
winlogon.exe 652 N/A
services.exe 696 Eventlog, PlugPlay
lsass.exe 708 PolicyAgent, ProtectedStorage
svchost.exe 860 DcomLaunch, TermService
svchost.exe 916 RpcSs
svchost.exe 1004 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
ERSvc, EventSystem,
FastUserSwitchingCompatibility, helpsvc,
lanmanserver, lanmanworkstation, Netman,
Nla, RasMan, Schedule, seclogon, SENS,
SharedAccess, ShellHWDetection, srservice,
TapiSrv, Themes, TrkWks, W32Time, winmgmt,
wuauserv
svchost.exe 1044 Dnscache
svchost.exe 1164 LmHosts, RemoteRegistry, SSDPSRV, WebClient
wbload.exe 1324 N/A
spoolsv.exe 1344 Spooler
scardsvr.exe 1404 SCardSvr
nvsvc32.exe 1980 NVSvc
svchost.exe 2024 stisvc
explorer.exe 1468 N/A
AHQTbU.exe 1588 N/A
gcasServ.exe 1596 N/A
rundll32.exe 1628 N/A
ctfmon.exe 1648 N/A
alg.exe 432 ALG
gcasDtServ.exe 1252 N/A
svchost.exe 824 HTTPFilter
msimn.exe 2376 N/A
msmsgs.exe 2416 N/A
firefox.exe 2772 N/A
cmd.exe 2316 N/A
tasklist.exe 2548 N/A
wmiprvse.exe 2596 N/A


pid 1004 and 1044 are the ones i have to terminate before i can shutdown

 

[garebo]

gpalmer, i did the same, if you want my list for comparison i can add mine. Im not having any probs just wanna help out any way i can.


Good advice + great people = tek-tips

 

[gpalmer711]

garebo,

feel free, it certainly will not hurt


Leeroy,

Finding the services that are causing the problem will be the next task, I was hoping something obvious would be their but all of them appear to be legitimate services.

If you stop the two svchost processes that cause you problems and then repeat the steps above to create the log and post it here, we can then narrow the problem down some more.

Greg Palmer
Freeware Utilities for Windows Administrators.

http://www.palmersoft.co.uk

 

[garebo]

Ok, heres mine, hoping it might somehow help out.

Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 652 N/A
csrss.exe 716 N/A
winlogon.exe 748 N/A
services.exe 792 Eventlog, PlugPlay
lsass.exe 804 NtLmSsp, PolicyAgent, ProtectedStorage, SamSs
svchost.exe 968 RpcSs
svchost.exe 1068 AudioSrv, Browser, CryptSvc, Dhcp, dmserver EventSystem, FastUserSwitchingCompatibility,
helpsvc, lanmanserver, lanmanworkstation, Netman, Nla, RasMan, Schedule, seclogon, SENS, ShellHWDetection, srservice, TapiSrv,TermService, Themes, TrkWks, uploadmgr, W32Time, winmgmt, WZCSVC
svchost.exe 1264 Dnscache
svchost.exe1328 LmHosts,RemoteRegistry,SSDPSRV, WebClient
explorer.exe 1560 N/A
spoolsv.exe 1588 Spooler
avgcc.exe 1824 N/A
avgemc.exe 1832 N/A
zlclient.exe 1840 N/A
iTouch.exe 1848 N/A
gcasServ.exe 1888 N/A
PSFree.exe 1932 N/A
ctfmon.exe 1940 N/A
avgamsvr.exe 2000 Avg7Alrt
avgupsvc.exe 2012 Avg7UpdSvc
GBPoll.exe 180 GBPoll
TeaTimer.exe 224 N/A
gcasDtServ.exe 252 N/A
gearsec.exe 260 GEARSecurity
inetinfo.exe 284 IISADMIN, SMTPSVC, W3SVC
msdtc.exe 428 MSDTC
NSENGINE.exe 456 NsEngine
vsmon.exe 400 vsmon
mqsvc.exe 1276 MSMQ
GBTray.exe 1296 N/A
mqtgsvc.exe 2152 MSMQTriggers
msimn.exe 488 N/A
iexplore.exe 3156 N/A
explorer.exe 2372 N/A
cmd.exe 1716 N/A
tasklist.exe 1748 N/A
wmiprvse.exe 3624 N/A
xxxxxxxxxxxxxxxxxxxxxxxxx

the 4 av files are my antivirus
zl file is zone alarm
itouch = keyboard
GBpoll is goback
teatimer is part of spybot S&D
I believe all my files are accounted for and i run my a\virus \m\soft antispyware, spybot, adaware, etc, etc, and i run a trend micro online scan often, so i should be in good shape.


Good advice + great people = tek-tips

 

[LeeroyJenkins]

ok here is the log after i killed the 2 proccesses



Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 568 N/A
csrss.exe 624 N/A
winlogon.exe 648 N/A
services.exe 692 Eventlog, PlugPlay
lsass.exe 704 PolicyAgent, ProtectedStorage
svchost.exe 856 DcomLaunch, TermService
svchost.exe 912 RpcSs
svchost.exe 1160 LmHosts, RemoteRegistry, SSDPSRV, WebClient
wbload.exe 1280 N/A
spoolsv.exe 1352 Spooler
scardsvr.exe 1400 SCardSvr
nvsvc32.exe 1972 NVSvc
svchost.exe 2016 stisvc
explorer.exe 1456 N/A
AHQTbU.exe 1576 N/A
gcasServ.exe 1584 N/A
rundll32.exe 1616 N/A
ctfmon.exe 1652 N/A
alg.exe 1384 ALG
gcasDtServ.exe 1236 N/A
svchost.exe 596 HTTPFilter
iexplore.exe 2268 N/A
msimn.exe 3816 N/A
msmsgs.exe 2084 N/A
firefox.exe 560 N/A
svchost.exe 3496 EventSystem, helpsvc, Schedule, SENS, winmgmt
cmd.exe 2132 N/A
tasklist.exe 1276 N/A
wmiprvse.exe 4016 N/A

 

[gpalmer711]

Hi Leeroy,

Typically one of the processes was the one that holds the most services. Based on the 2 logs that you have posted one or more of the following services are causing the problem.

AudioSrv
Browser
CryptSvc
Dhcp
dmserver
ERSvc
FastUserSwitchingCompatibility
lanmanserver
lanmanworkstation
Netman
Nla
RasMan
seclogon
SharedAccess
ShellHWDetection
srservice
TapiSrv
Themes
TrkWks
W32Time
wuauserv
Dnscache

Download the User Profile Hive Cleanup Service from

http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en

- this will make sure that you do not have a problem with one of the services keeping the registry or your profile open.

If that does not solve the problem then I think we will have to tackle this by stopping the profiles one at a time and try shutting down. If it doesn't work then next time stop two services and try shutting down, repeating the process until the machine will shutdown.

To stop a service, Click on Start > Click on Run > Type services.msc > Click OK > Double click on the service you want to stop > Click on the Stop button > Click OK

Start from the top of the list and when you get to the point that you can shutdown let me know what service you got up to.

Greg Palmer
Freeware Utilities for Windows Administrators.

http://www.palmersoft.co.uk

 

[LeeroyJenkins]

ok that hive cleanup didnt work im going to try the other thing u suggested

 

[LeeroyJenkins]

ok i tried to end the services but once i hit shutdown it just stays in busy mode only thing i can do is ctrl+alt+del and end those 2 processes then after about 10 seconds i can shut down

 

[gpalmer711]

Hi Leeroy,

I can't think what it could be in that case, if after stopping all the services attached to those two processes you still can't shutdown it must be a much deeper problem.

As a temporary measure I can give you come code that will close all svchost.exe processes and then shutdown your PC.

Open Notepad > Copy the code from below into it > Save the document as shutdown.vbs on your desktop (Make sure you change the file type to all files in the save dialog) > Close Notepad

Now if you want to shutdown, double click on shutdown.vbs and your PC should shutdown correctly [fingerscrossed]

Dim objWMIService, objProcess, colProcess, OpSysSet
Dim strComputer, strProcessKill

strComputer = "."
strProcessKill = "'svchost.exe'"

Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" _ 
& strComputer & "\root\cimv2") 

Set colProcess = objWMIService.ExecQuery _
("Select * from Win32_Process Where Name = " & strProcessKill )
For Each objProcess in colProcess
  objProcess.Terminate()
Next

Set OpSysSet = GetObject("winmgmts:{(Shutdown)} _
& //" & strComputer & "/root/cimv2").ExecQuery _
& ("select * from Win32_OperatingSystem where _
& Primary=true")

for each OpSys in OpSysSet
	OpSys.Shutdown()
next

Greg Palmer
Freeware Utilities for Windows Administrators.

http://www.palmersoft.co.uk

 

[LeeroyJenkins]

ok i got an error on line 17 char 50 an unterminated string constant code 800a0409

 

[LeeroyJenkins]

also one of the svchost.exe files that is causing the problem is the one for dnscache is it possible there is something in my dns cache thats causing the problem and if so is there any way to completly clear it?

 

[gpalmer711]

To clear the DNS Cache you can do the following

Click Start > Click Run > type cmd > Click ok > type ipconfig /flushdns > Press return

As for the problem with the code you can download it from my site

http://www.palmersoft.co.uk/software/shutdown.zip

Greg Palmer
Freeware Utilities for Windows Administrators.

http://www.palmersoft.co.uk

 

[LeeroyJenkins]

ok i tried flushing my dns that didnt work i also tried using that vbs file that didnt work either i used it and it hung at "shutting down computer

 

[TDun]

Run teh vbs script, then start task manager and see what's left.