Solved

System Errors

Posted on 2008-11-16
Last Modified: 2013-12-01
I am having the following system issues. At first glance, it appears that my PC is infected with the msblast worm. However, none of the standard remedies have removed the issues I am experiencing. Any ideas? I have noted errors and issues below.

Services error: (discovered when I was trying to verify Windows Firewall was working)
Could not start Security Center Service on Local Computer
Error 1899: The endpoint mapper database entry could not be created

Windows Shut down: (right after a restart this appears)
Shutdown Initiated by NT Authority\System- RPC services terminated unexpectedly;
System will shutdown in XX seconds

Notes:
1.) Have rolled back to prior system configuration: back to SP2 from SP3.
Seemed to work for a while, then uninstalled some IDE/SATA card drivers
and got the shutdown message again.

2.) Other problems include Windows Explorer freezing, MS services not loading,
copy/paste/move does not work, recycle bin un-responsive.

3.) Have tried several steps to remove the Blaster worm- Ran AVG in Safe mode,
Ran the Symantec tool on primary drive, tried another tool from safe mode.

4.) SYSTEM IS NOT currently connected to the net, however, I can download and transfer
any tools from another working PC with flash drive.

5.) This issue appears to be associated with a specific user profile.  The administrator
profile does not appear to have the problem.
Question by:OrvHaugen

Expert Comment

by:orangutang
ID: 22977514
Scan with Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php) and send us your HijackThis (http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php) log.

Author Comment

by:OrvHaugen
ID: 22978059
No malware found with Malwarebytes.
HijackThis log below. Thank you

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:40 AM, on 11/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\SK9910DM.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Documents and Settings\Orv\My Documents\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://b6.mail.yahoo.com/ym/epiphanyservices.com/Login?YY=95063&y5beta=yes
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PxDotNetLoader] "D:\Fidelity ATP\Fidelity Active Trader\Fidelity Active Trader\System\ATPStartupAssistant.exe"
O4 - HKUS\S-1-5-21-1123561945-602609370-1801674531-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1123561945-602609370-1801674531-1003\..\Run: [PxDotNetLoader] "D:\Fidelity ATP\Fidelity Active Trader\Fidelity Active Trader\System\ATPStartupAssistant.exe" (User '?')
O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182100833046
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,avgrsstx.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QBCFMonitorService - Unknown owner - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (file missing)
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Unknown owner - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (file missing)
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 8789 bytes

Accepted Solution

by:orangutang earned 1000 total points
ID: 22978143
Your log seems clean except this line seems suspicious:
O20 - AppInit_DLLs: nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,avgrsstx.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll
Why are there so many nvdesk32.dlls? Can you open regedit to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
and paste the AppInit_DLLs value here?

Author Comment

by:OrvHaugen
ID: 22978498
I noticed this but thought I should leave it since it was not flagged in HJT. The AppInit_DLLs key follows:

Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Class Name:        <NO CLASS>
Last Write Time:   11/17/2008 - 11:03 AM
Value 0
  Name:            AppInit_DLLs
  Type:            REG_SZ
  Data:            nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,avgrsstx.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll nvdesk32.dll

Value 1
  Name:            DeviceNotSelectedTimeout
  Type:            REG_SZ
  Data:            15

Value 2
  Name:            GDIProcessHandleQuota
  Type:            REG_DWORD
  Data:            0x2710

Value 3
  Name:            Spooler
  Type:            REG_SZ
  Data:            yes

Value 4
  Name:            swapdisk
  Type:            REG_SZ
  Data:            

Value 5
  Name:            TransmissionRetryTimeout
  Type:            REG_SZ
  Data:            90

Value 6
  Name:            USERProcessHandleQuota
  Type:            REG_DWORD
  Data:            0x2710

Value 7
  Name:            LoadAppInit_DLLs
  Type:            REG_DWORD
  Data:            0x1


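A defender-side check for the kind of AppInit_DLLs corruption the expert questioned and the dump above shows, as an added example that is not part of the original thread: it parses a regedit-style text export in the format the asker pasted, flags duplicated entries, mixed comma/space separators and DLLs outside an allowlist, reports the LoadAppInit_DLLs setting, and proposes a deduplicated value. The sample export is constructed from the thread's own values (shortened), and the allowlist (avgrsstx.dll from AVG, nvdesk32.dll from NVIDIA) is an assumption based only on what this thread established, not a general-purpose list.

```python
import re
from collections import Counter

# Constructed sample input: a regedit-style text export of the Windows key,
# modelled on the dump pasted in the thread (shortened; value names and
# DLL names are the ones from the thread).
SAMPLE_EXPORT = r"""
Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Class Name:        <NO CLASS>
Last Write Time:   11/17/2008 - 11:03 AM
Value 0
  Name:            AppInit_DLLs
  Type:            REG_SZ
  Data:            nvdesk32.dll,nvdesk32.dll,nvdesk32.dll,avgrsstx.dll nvdesk32.dll nvdesk32.dll

Value 1
  Name:            LoadAppInit_DLLs
  Type:            REG_DWORD
  Data:            0x1
"""

# Assumption: the DLLs this thread identified as legitimate on this machine
# (AVG's avgrsstx.dll, NVIDIA's nvdesk32.dll). Adjust per host; it is not a
# general allowlist.
KNOWN_GOOD = ("avgrsstx.dll", "nvdesk32.dll")

# Matches the "Name:", "Type:" and "Data:" fields of a "Value N" block.
# Anchored at line start so "Key Name:" and "Class Name:" are not picked up.
FIELD_RE = re.compile(r"^\s*(Name|Type|Data):\s*(.*?)\s*$")


def parse_values(export_text):
    """Parse the 'Value N' blocks of a regedit text export into {name: (type, data)}."""
    values = {}
    name = vtype = None
    for line in export_text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        field, content = m.groups()
        if field == "Name":
            name, vtype = content, None
        elif field == "Type":
            vtype = content
        elif field == "Data" and name is not None:
            values[name] = (vtype, content)
            name = vtype = None
    return values


def split_appinit(data):
    """AppInit_DLLs entries may be separated by commas or spaces; split on both."""
    return [e for e in re.split(r"[,\s]+", data) if e]


def audit_appinit(values, known_good=KNOWN_GOOD):
    """Return human-readable findings about AppInit_DLLs in a parsed Windows key."""
    findings = []
    _vtype, data = values.get("AppInit_DLLs", ("REG_SZ", ""))
    entries = split_appinit(data)
    if not entries:
        return findings  # nothing configured, nothing to report
    counts = Counter(e.lower() for e in entries)
    for dll, n in counts.items():
        if n > 1:
            findings.append(f"duplicate entry: {dll} listed {n} times")
    # A legitimate value uses one separator; a mix is typical of a damaged value.
    if "," in data and re.search(r"\S\s+\S", data):
        findings.append("mixed comma and space separators (typical of a corrupted value)")
    for dll in counts:
        if dll not in known_good:
            findings.append(f"unexpected DLL: {dll} (verify its vendor and signature)")
    _ltype, load_data = values.get("LoadAppInit_DLLs", (None, None))
    if load_data is not None:
        findings.append(f"LoadAppInit_DLLs = {load_data}")
    return findings


def clean_appinit(data):
    """Deduplicate entries (case-insensitive, order-preserving) and use comma separators."""
    seen = []
    for dll in split_appinit(data):
        if dll.lower() not in (s.lower() for s in seen):
            seen.append(dll)
    return ",".join(seen)


if __name__ == "__main__":
    parsed = parse_values(SAMPLE_EXPORT)
    for finding in audit_appinit(parsed):
        print("-", finding)
    print("suggested value:", clean_appinit(parsed["AppInit_DLLs"][1]))
```

Run against the constructed export it reports the five-fold nvdesk32.dll duplication, the mixed separators and the LoadAppInit_DLLs setting, and the suggested cleaned value comes out as nvdesk32.dll,avgrsstx.dll, the same value the expert proposed in the thread. Anything not on the allowlist is only flagged for verification; the script changes nothing on the machine.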

Author Comment

by:OrvHaugen
ID: 22979655
nvdesk32.dll is from Nvidia, used for desktop screen management, I believe. Using Autoruns, I disabled the reg key and restarted. Did not get the RPC shutdown and Security Center is working again. Have uninstalled the Nvidia TwinView app that uses the nvdesk.dll and am using the generic card driver. I suspect the Windows key became corrupt during install/removal operations. I have exported the key and am going to fix it with HJT.

Author Comment

by:OrvHaugen
ID: 22980702
Key was corrupt. Edited key, uninstalled and reinstalled software, all is well again. Thank you! Good call.

Author Closing Comment

by:OrvHaugen
ID: 31517308
Great call. Thanks!

Expert Comment

by:orangutang
ID: 22981485
Oh, sorry, I didn't get back to you soon enough. I was just going to say to change the value to:
nvdesk32.dll,avgrsstx.dll
but I guess that works, too :)

Expert Comment

by:orangutang
ID: 22981886
Oh, yeah, make sure to reinstall AVG too or add ",avgrsstx.dll" to that value because I think that's required.