System Errors

Posted on 2008-11-16
Last Modified: 2013-12-01
I am having the following system issues.  At first glance, it appears that my PC is infected with the msblast worm.  However, none of the standard remedies have removed the issues I am experiencing.  Any ideas?  I have noted errors and issues below.

Services error:  (discovered when I was trying to verify Windows Firewall was working)
Could not start Security Center Service on Local Computer
Error 1899:  The endpoint mapper Database entry could not be created

Windows Shut down: (right after a restart this appears)
Shutdown Initiated by NT Authority\System- RPC services terminated unexpectedly;
System will shutdown in XX seconds

1.) Have rolled back to prior system configuration: back to SP2 from SP3.
Seemed to work for a while, then uninstalled some IDE/SATA card drivers
and got shutdown message again
2.) Other problems include Windows Explorer freezing, MS services not loading,
copy/paste/move does not work, recycle bin un-responsive.

3.) Have tried several steps to remove the Blaster worm- Ran AVG in Safe mode,
Ran the Symantec tool on primary drive, tried another tool from safe mode.

4.) SYSTEM IS NOT currently connected to the net, however, I can download and transfer
any tools from another working PC with flash drive.

5.) This issue appears to be associated with a specific user profile.  The administrator
profile does not appear to have the problem.
Question by:OrvHaugen

    Expert Comment

    Scan with Malwarebytes' Anti-Malware and send us your HijackThis log.

    Author Comment

    No Malware found with Malware Bytes:  
    Hijack this log below.  Thank you

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:47:40 AM, on 11/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Documents and Settings\Orv\My Documents\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =*
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
    O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PxDotNetLoader] "D:\Fidelity ATP\Fidelity Active Trader\Fidelity Active Trader\System\ATPStartupAssistant.exe"
    O4 - HKUS\S-1-5-21-1123561945-602609370-1801674531-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-1123561945-602609370-1801674531-1003\..\Run: [PxDotNetLoader] "D:\Fidelity ATP\Fidelity Active Trader\Fidelity Active Trader\System\ATPStartupAssistant.exe" (User '?')
    O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -
    O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (file missing)
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
    O20 - AppInit_DLLs: nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,avgrsstx.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: QBCFMonitorService - Unknown owner - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (file missing)
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Unknown owner - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (file missing)
    O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

    End of file - 8789 bytes

    Accepted Solution

    Your log seems clean except this line seems suspicious:
    O20 - AppInit_DLLs: nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,avgrsstx.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll
    Why are there so many nvdesk32.dlls? Can you open regedit to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    and paste the AppInit_DLLs value here?

    Author Comment

    I noticed this but thought I should leave since it was not flagged in HJT.  The App_init follows:

    Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Class Name:        <NO CLASS>
    Last Write Time:   11/17/2008 - 11:03 AM
    Value 0
      Name:            AppInit_DLLs
      Type:            REG_SZ
      Data:            nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,avgrsstx.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll

    Value 1
      Name:            DeviceNotSelectedTimeout
      Type:            REG_SZ
      Data:            15

    Value 2
      Name:            GDIProcessHandleQuota
      Type:            REG_DWORD
      Data:            0x2710

    Value 3
      Name:            Spooler
      Type:            REG_SZ
      Data:            yes

    Value 4
      Name:            swapdisk
      Type:            REG_SZ

    Value 5
      Name:            TransmissionRetryTimeout
      Type:            REG_SZ
      Data:            90

    Value 6
      Name:            USERProcessHandleQuota
      Type:            REG_DWORD
      Data:            0x2710

    Value 7
      Name:            LoadAppInit_DLLs
      Type:            REG_DWORD
      Data:            0x1


    Author Comment

    nvdesk32.dll is from Nvidia, used for desktop screen management, I believe.  Using Autoruns, I disabled the reg key and restarted.  Did not get the RPC shutdown and Security Center is working again.  Have uninstalled the Nvidia twin view app that uses the nvdesk.dll and am using the generic card driver.  I suspect the Windows key became corrupt during install/removal operations.  I have exported the key and am going to fix it with HJT.

    Author Comment

    Key was corrupt.  Edited key, uninstalled and reinstalled software, all is well again. Thank You!  Good call

    Author Closing Comment

    Great call.  Thanks!

    Expert Comment

    Oh, sorry, I didn't get back to you soon enough. I was just going to say to change the value to:
    but I guess that works, too :)

    Expert Comment

    Oh, yeah, make sure to reinstall AVG too or add ",avgrsstx.dll" to that value because I think that's required.
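
Added example, not part of the original thread: a Python check that parses the regedit text export format quoted above and reports repeated `AppInit_DLLs` entries, the pattern the accepted answer spotted by eye. The function names are illustrative, and the embedded sample is three values taken from the author's export.

```python
import re
from collections import Counter

# Sample input: three values from the regedit text export quoted in the thread.
EXPORT = r"""Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value 0
  Name:            AppInit_DLLs
  Type:            REG_SZ
  Data:            nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,avgrsstx.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll

Value 4
  Name:            swapdisk
  Type:            REG_SZ

Value 7
  Name:            LoadAppInit_DLLs
  Type:            REG_DWORD
  Data:            0x1
"""

def parse_export(text):
    """Return {value name: [type, data]} from a regedit text export."""
    values, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(Name|Type|Data):\s*(.*)$", line)
        if not m:
            continue                      # "Key Name:", "Value N", blank lines
        field, content = m.group(1), m.group(2).strip()
        if field == "Name":
            current = values.setdefault(content, [None, ""])  # Data may be absent
        elif current is not None and field == "Type":
            current[0] = content
        elif current is not None and field == "Data":
            current[1] = content
    return values

def audit_appinit(values):
    """Split AppInit_DLLs on commas/spaces; report repeats and a de-duplicated list."""
    data = values.get("AppInit_DLLs", [None, ""])[1]
    entries = [e.lower() for e in re.split(r"[,\s]+", data) if e]
    counts = Counter(entries)
    flag = values.get("LoadAppInit_DLLs", [None, ""])[1]
    return {
        "entries": len(entries),
        "repeated": {name: n for name, n in counts.items() if n > 1},
        "deduplicated": ",".join(dict.fromkeys(entries)),  # keeps first-seen order
        "load_flag": int(flag, 16) if flag else None,
    }

if __name__ == "__main__":
    print(audit_appinit(parse_export(EXPORT)))
```

The de-duplicated list is a starting point for review, not a verified value; each DLL it names should still be matched to installed software before the registry value is edited.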
