  1. #1
    Member
    Join Date
    Jan 2006
    Posts
    5
    Points
    0

    Startup Error - NTVDM CPU

    Recently I began getting an error message on Startup: NTVDM CPU has encountered an illegal instruction. The error application is something called ADSHELL.lnk in a startup routine.

    I have run AdAware SE, Spybot and SpyWare Doctor with no resolution.
    Here is a HijackThis Log, just in case it's of use:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:25:02 PM, on 2/22/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\spyware\airdefense\airdefense.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ClipCache\clipc.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\Program Files\Spyware\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Spyware\Spyware Doctor\Spyware Doctor\sdhelp.exe
    C:\Program Files\Spyware\Spyware Guard\SpywareGuard\sgmain.exe
    C:\Program Files\Spyware\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Spyware\Spyware Guard\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Spyware\HijackThis\HijackThis.exe

    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Spyware\Spyware Guard\SpywareGuard\dlprotect.dll
    O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\Juno\qsacc\X1IEBHO.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spyware\Spybot\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\Spyware\SPYWAR~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\Spyware\SPYWAR~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\toolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [QCWLIcon] "C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE"
    O4 - HKLM\..\Run: [QCTray] "C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE"
    O4 - HKLM\..\Run: [ACU] "C:\Program Files\IBM\IBM-11abg-Wireless\ACU.exe"
    O4 - HKLM\..\Run: [avast!] "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"
    O4 - HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" /P30 EPSON Stylus Photo R300 Series /O16 IP_192.168.0.5P1 /M Stylus Photo R300
    O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
    O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
    O4 - HKLM\..\Run: [TP4EX] "tp4ex.exe"
    O4 - HKLM\..\Run: [TPHOTKEY] "C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe"
    O4 - HKLM\..\Run: [TPKMAPHELPER] "C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" -helper
    O4 - HKLM\..\Run: [TpShocks] "TpShocks.exe"
    O4 - HKLM\..\Run: [UC_Start] "C:\Program Files\IBM\Updater\\ucstartup.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [ClipCache] C:\Program Files\ClipCache\clipc.exe /wait 3
    O4 - Startup: ADShell.lnk = C:\Documents and Settings\Jerome Lane\Application Data\Microsoft\Installer\{D8F2A173-D6CC-4835-BA6A-FD8BB40A96E6}\_69525f90.exe
    O4 - Startup: SpySweeper.exe.lnk = C:\Program Files\Spyware\Webroot\Spy Sweeper\SpySweeper.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spyware\Spyware Guard\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/227
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\Spyware\SPYWAR~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1131320122406
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
    O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AirDefense Personal Service (ADFirewall) - AirDefense - c:\program files\spyware\airdefense\airdefense.exe
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware\Spyware Doctor\Spyware Doctor\sdhelp.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Spyware\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

    Thanks in advance,
    Jerry

  2. #2
    Member steamwiz
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Hi

    I've done a little research on this and there appear to be several possibilities... it can be caused if you are trying to run a 16-bit file on a 32-bit system, some say it's malware related and some put it down to corrupt files. Of course, the actual reason for the error could be different in all cases and they may all be right...

    These are the conclusions I have come to, but I stress I am only guessing...

    I believe these entries in your log are connected...

    O4 - Startup: ADShell.lnk = C:\Documents and Settings\Jerome Lane\Application Data\Microsoft\Installer\{D8F2A173-D6CC-4835-BA6A-FD8BB40A96E6}\_69525f90.exe

    c:\program files\spyware\airdefense\airdefense.exe

    O23 - Service: AirDefense Personal Service (ADFirewall) - AirDefense - c:\program files\spyware\airdefense\airdefense.exe


    Because the only other instance of O4 - Startup: ADShell.lnk that I could find was this :-

    O4 - Startup: ADShell.lnk = C:\Program Files\AirDefense\AirDefense Personal Enterprise Agent\ADShell.exe


    Regards this startup entry :-

    O4 - Startup: ADShell.lnk = C:\Documents and Settings\Jerome Lane\Application Data\Microsoft\Installer\{D8F2A173-D6CC-4835-BA6A-FD8BB40A96E6}\_69525f90.exe

    It is logical to me that you could be getting the error because this file _69525f90.exe is trying to run ... but is non-existent, and the error is telling you this...

    There are 2 things you could try...

    first...

    tick this entry in hijackthis and click "fix checked"

    O4 - Startup: ADShell.lnk = C:\Documents and Settings\Jerome Lane\Application Data\Microsoft\Installer\{D8F2A173-D6CC-4835-BA6A-FD8BB40A96E6}\_69525f90.exe


    Reboot and see if you still get the error...

    If you do, and you think removing it may have caused more problems (I doubt that it will), you can replace the entry from a backup in hijackthis...

    Run hijackthis

    click Open the Misc tools section

    click backups

    now highlight this line :-

    O4 - Startup: ADShell.lnk = C:\Documents and Settings\Jerome Lane\Application Data\Microsoft\Installer\{D8F2A173-D6CC-4835-BA6A-FD8BB40A96E6}\_69525f90.exe

    and click the restore button

    second....

    You need to reinstall "AirDefense" ... I know nothing about this program, so I can't help you on that.

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -
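
An added example, not part of steamwiz's post or of HijackThis itself: a small parser for the O4 and O23 line shapes that appear in the log above, which surfaces the same kind of entries the reply picks out by eye. The two triage rules (a "(file missing)" marker, and an autostart target under a user profile) are assumptions chosen for illustration, and the sample lines are copied from this thread's log.

```python
import re

# Constructed sample: five lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"
O4 - HKCU\..\Run: [ClipCache] C:\Program Files\ClipCache\clipc.exe /wait 3
O4 - Startup: ADShell.lnk = C:\Documents and Settings\Jerome Lane\Application Data\Microsoft\Installer\{D8F2A173-D6CC-4835-BA6A-FD8BB40A96E6}\_69525f90.exe
O4 - Startup: SpySweeper.exe.lnk = C:\Program Files\Spyware\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
"""

# One pattern per line shape seen in the log: registry Run keys,
# Startup-folder shortcuts, and services.
PATTERNS = [
    ("registry-run", re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>.+?)\] (?P<target>.+)$")),
    ("startup-folder", re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?\.lnk) = (?P<target>.+)$")),
    ("service", re.compile(r"^O23 - Service: (?P<name>.+?) - .+? - (?P<target>.+)$")),
]
MISSING = "(file missing)"
# Assumption for this example: a per-user path is worth a second look.
USER_PROFILE = re.compile(r"\\Documents and Settings\\", re.IGNORECASE)

def parse_entries(log):
    """Turn O4/O23 lines into dicts with kind, name, target and a missing flag."""
    entries = []
    for line in map(str.strip, log.splitlines()):
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if not m:
                continue
            target = m["target"]
            missing = target.endswith(MISSING)
            if missing:
                target = target[: -len(MISSING)].rstrip()
            entries.append({"kind": kind, "name": m["name"],
                            "target": target, "missing": missing})
            break
    return entries

def triage(entries):
    """Return (name, reasons) for entries that deserve manual review."""
    findings = []
    for e in entries:
        reasons = []
        if e["missing"]:
            reasons.append("file missing")
        if USER_PROFILE.search(e["target"]):
            reasons.append("autostart target in user profile")
        if reasons:
            findings.append((e["name"], reasons))
    return findings
```

A flagged entry is only a prompt to check whether the target exists and belongs to an installed program; it says nothing by itself about whether the file is malicious.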

  3. #3
    Member
    Join Date
    Jan 2006
    Posts
    5
    Points
    0

    Startup Error - NTVDM CPU

    That did the trick, THANKS.
    I HJT "fixed" the Startup ADSHELL entry, un-installed Air Defense and re-booted. No more error message.

    FYI, Air Defense was recommended on a New York City TV station a few months ago as a defense against hacking at wireless hotspots. Supposedly it can sense if someone is attempting to use your connection or even spoof you into using their connection allowing them to hack your keystrokes and/or monitor your internet activities. More info here: http://www.airdefense.net/products/adpersonal/index

    Again, thanks for the quick response and insightful recommendations. Much appreciated.
    Jerry

  4. #4
    Member steamwiz
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Hi

    You're very welcome

    Thanks for the information and link about that program ... sounds interesting as I run a wireless network myself ... I'll have to have a look at it :wink:


    I'll lock this thread now that it is resolved...

    Should the original poster require it re-opening, please PM a moderator ... thanks

    steam