My major problem is that I have two user accounts and I can't get rid of one of them. On startup my screen shows the icon of the sunflower and underneath that the words :
toshiba
Locked
And then the option to 'Switch user'.
I have been unable to delete the extra user account : when I go to 'Add or remove user accounts' in the Control Panel and try to remove, I get a message saying :
Windows needs your permission to do this
If you started this action, continue
User accounts Control Panel
Microsoft Windows
When I click on the 'Details' option in this window I get the following :
{86D5EB8A-859F-4C7B-A76B-2BD819B7A850}
and then the options to 'Continue' or 'Cancel'
At the bottom of the window are the words : 'User account control helps stop unauthorized changes to your computer'
When I click on 'Continue' I get a screen indicating that I have two accounts : 'toshiba Administrator' and a 'Guest' with an option to turn it on. So far I have been unable to delete this 'Guest account'.
I have also been unable to delete a program : 'ARO 2012'. I get similar results to the above when I try to delete the unwanted program using the Uninstall procedure in the Control Panel, except the 'Details' option brings up :
{FCC74B77-EC3E-4DD8-A80B-008A702075A9}
I have performed the procedures recommended at the beginning of this forum and the requested logs/reports have been pasted below under my signoff.
If someone can help me with these problems I would appreciate it.
Thank you,
Robert
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:12:31 PM, on 8/27/2012
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exe
C:\Users\toshiba\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B24GAMOH\HijackThis[1].exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Users\toshiba\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: blekko search bar - {8769adce-dba5-48e9-afb5-67b12cdf2e61} - C:\Program Files\blekkotb_031\blekkotb_019X.dll (file missing)
O3 - Toolbar: blekko search bar - {8769adce-dba5-48e9-afb5-67b12cdf2e61} - C:\Program Files\blekkotb_031\blekkotb_019X.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\ARO 2012\ARO.exe -rem
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
--
End of file - 3392 bytes
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 8/9/2012 8:19:57 PM
System Uptime: 9/1/2012 11:27:04 AM (0 hours ago)
.
Motherboard: TOSHIBA | | Portable PC
Processor: Intel(R) Pentium(R) Dual CPU T3200 @ 2.00GHz | CPU | 2000/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 148 GiB total, 118.854 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description:
Device ID: ACPI\TOS1901\2&DABA3FF&2
Manufacturer:
Name:
PNP Device ID: ACPI\TOS1901\2&DABA3FF&2
Service:
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
ARO 2012
Avira Free Antivirus
Camera Assistant Software for Toshiba
Free Window Registry Repair
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Nero 8 Micro 8.3.2.1
.
==== Event Viewer Messages From Past Week ========
.
8/27/2012 4:04:58 AM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
8/27/2012 4:04:58 AM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
8/26/2012 5:00:03 PM, Error: Service Control Manager [7024] - The Avira Realtime Protection service terminated with service-specific error 306 (0x132).
.
==== End Of File ===========================
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 8/9/2012 8:19:57 PM
System Uptime: 9/1/2012 11:27:04 AM (0 hours ago)
.
Motherboard: TOSHIBA | | Portable PC
Processor: Intel(R) Pentium(R) Dual CPU T3200 @ 2.00GHz | CPU | 2000/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 148 GiB total, 118.854 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description:
Device ID: ACPI\TOS1901\2&DABA3FF&2
Manufacturer:
Name:
PNP Device ID: ACPI\TOS1901\2&DABA3FF&2
Service:
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
ARO 2012
Avira Free Antivirus
Camera Assistant Software for Toshiba
Free Window Registry Repair
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Nero 8 Micro 8.3.2.1
.
==== Event Viewer Messages From Past Week ========
.
8/27/2012 4:04:58 AM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
8/27/2012 4:04:58 AM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
8/26/2012 5:00:03 PM, Error: Service Control Manager [7024] - The Avira Realtime Protection service terminated with service-specific error 306 (0x132).
.
==== End Of File ===========================
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-01 12:29:10
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MHY2160BH rev.0040020B
Running: 93lyhbr3.exe; Driver: C:\Users\toshiba\AppData\Local\Temp\pwlirfow.sys
---- System - GMER 1.0.15 ----
SSDT 890A722E ZwCreateSection
SSDT 890A7238 ZwRequestWaitReplyPort
SSDT 890A7233 ZwSetContextThread
SSDT 890A723D ZwSetSecurityObject
SSDT 890A7242 ZwSystemDebugControl
SSDT 890A71CF ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetTimerEx + 448 81AD1A6C 4 Bytes [2E, 72, 0A, 89]
.text ntkrnlpa.exe!KeSetTimerEx + 76C 81AD1D90 4 Bytes [38, 72, 0A, 89]
.text ntkrnlpa.exe!KeSetTimerEx + 7A1 81AD1DC5 3 Bytes [72, 0A, 89]
.text ntkrnlpa.exe!KeSetTimerEx + 804 81AD1E28 4 Bytes [3D, 72, 0A, 89]
.text ntkrnlpa.exe!KeSetTimerEx + 84C 81AD1E70 4 Bytes [42, 72, 0A, 89]
.text ...
? C:\Users\toshiba\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
---- EOF - GMER 1.0.15 ----
If you can help me resolve thses problems, I would appreciate it.
Thank you,
Robert
toshiba
Locked
And then the option to 'Switch user'.
I have been unable to delete the extra user account : when I go to 'Add or remove user accounts' in the Control Panel and try to remove, I get a message saying :
Windows needs your permission to do this
If you started this action, continue
User accounts Control Panel
Microsoft Windows
When I click on the 'Details' option in this window I get the following :
{86D5EB8A-859F-4C7B-A76B-2BD819B7A850}
and then the options to 'Continue' or 'Cancel'
At the bottom of the window are the words : 'User account control helps stop unauthorized changes to your computer'
When I click on 'Continue' I get a screen indicating that I have two accounts : 'toshiba Administrator' and a 'Guest' with an option to turn it on. So far I have been unable to delete this 'Guest account'.
I have also been unable to delete a program : 'ARO 2012'. I get similar results to the above when I try to delete the unwanted program using the Uninstall procedure in the Control Panel, except the 'Details' option brings up :
{FCC74B77-EC3E-4DD8-A80B-008A702075A9}
I have performed the procedures recommended at the beginning of this forum and the requested logs/reports have been pasted below under my signoff.
If someone can help me with these problems I would appreciate it.
Thank you,
Robert
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:12:31 PM, on 8/27/2012
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exe
C:\Users\toshiba\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B24GAMOH\HijackThis[1].exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Users\toshiba\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: blekko search bar - {8769adce-dba5-48e9-afb5-67b12cdf2e61} - C:\Program Files\blekkotb_031\blekkotb_019X.dll (file missing)
O3 - Toolbar: blekko search bar - {8769adce-dba5-48e9-afb5-67b12cdf2e61} - C:\Program Files\blekkotb_031\blekkotb_019X.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\ARO 2012\ARO.exe -rem
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
--
End of file - 3392 bytes
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 8/9/2012 8:19:57 PM
System Uptime: 9/1/2012 11:27:04 AM (0 hours ago)
.
Motherboard: TOSHIBA | | Portable PC
Processor: Intel(R) Pentium(R) Dual CPU T3200 @ 2.00GHz | CPU | 2000/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 148 GiB total, 118.854 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description:
Device ID: ACPI\TOS1901\2&DABA3FF&2
Manufacturer:
Name:
PNP Device ID: ACPI\TOS1901\2&DABA3FF&2
Service:
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
ARO 2012
Avira Free Antivirus
Camera Assistant Software for Toshiba
Free Window Registry Repair
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Nero 8 Micro 8.3.2.1
.
==== Event Viewer Messages From Past Week ========
.
8/27/2012 4:04:58 AM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
8/27/2012 4:04:58 AM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
8/26/2012 5:00:03 PM, Error: Service Control Manager [7024] - The Avira Realtime Protection service terminated with service-specific error 306 (0x132).
.
==== End Of File ===========================
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 8/9/2012 8:19:57 PM
System Uptime: 9/1/2012 11:27:04 AM (0 hours ago)
.
Motherboard: TOSHIBA | | Portable PC
Processor: Intel(R) Pentium(R) Dual CPU T3200 @ 2.00GHz | CPU | 2000/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 148 GiB total, 118.854 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description:
Device ID: ACPI\TOS1901\2&DABA3FF&2
Manufacturer:
Name:
PNP Device ID: ACPI\TOS1901\2&DABA3FF&2
Service:
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
ARO 2012
Avira Free Antivirus
Camera Assistant Software for Toshiba
Free Window Registry Repair
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Nero 8 Micro 8.3.2.1
.
==== Event Viewer Messages From Past Week ========
.
8/27/2012 4:04:58 AM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
8/27/2012 4:04:58 AM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
8/26/2012 5:00:03 PM, Error: Service Control Manager [7024] - The Avira Realtime Protection service terminated with service-specific error 306 (0x132).
.
==== End Of File ===========================
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-01 12:29:10
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MHY2160BH rev.0040020B
Running: 93lyhbr3.exe; Driver: C:\Users\toshiba\AppData\Local\Temp\pwlirfow.sys
---- System - GMER 1.0.15 ----
SSDT 890A722E ZwCreateSection
SSDT 890A7238 ZwRequestWaitReplyPort
SSDT 890A7233 ZwSetContextThread
SSDT 890A723D ZwSetSecurityObject
SSDT 890A7242 ZwSystemDebugControl
SSDT 890A71CF ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetTimerEx + 448 81AD1A6C 4 Bytes [2E, 72, 0A, 89]
.text ntkrnlpa.exe!KeSetTimerEx + 76C 81AD1D90 4 Bytes [38, 72, 0A, 89]
.text ntkrnlpa.exe!KeSetTimerEx + 7A1 81AD1DC5 3 Bytes [72, 0A, 89]
.text ntkrnlpa.exe!KeSetTimerEx + 804 81AD1E28 4 Bytes [3D, 72, 0A, 89]
.text ntkrnlpa.exe!KeSetTimerEx + 84C 81AD1E70 4 Bytes [42, 72, 0A, 89]
.text ...
? C:\Users\toshiba\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
---- EOF - GMER 1.0.15 ----
If you can help me resolve thses problems, I would appreciate it.
Thank you,
Robert