Author Topic: 16 bit programs won't work after malware  (Read 11467 times)

threedoves

  • Guest
16 bit programs won't work after malware
« on: January 08, 2005, 11:53:14 PM »
Hi. While doing a search on something on the net I got hijacked to a site and a virus or malware slipped in. Avast caught it right away and it was moved into the chest.
I deleted the infection from the chest and rescanned. All came back clean and fine. But.......
now, my 16 bit games won't run on the computer.
This is a 2.2 gig computer running a very good graphics card and running XP home with SP1 but not SP2. The games worked as of this morning. There have been no other changes to the computer. When this happened once before, out of frustration I reformatted the computer. Can someone please tell me that there is a much easier fix than that for this problem?
I really like the Avast program and have already recommended it to others.
Is there a file or log that I could share with you to let you see what it found?
Thank you so much in advance,
Kathy
 ???

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: 16 bit programs won't work after malware
« Reply #1 on: January 08, 2005, 11:56:44 PM »
What exactly was detected as being infected?
What was its original location?
(see avast's log file)

What error do you get when trying to run a 16 bit application?

I very strongly recommend installing SP2 (as well as all other security updates/patches). If you don't, you will miss a lot of security, leaving your system vulnerable to infections and hacking. Security should be your main concern if you want to be on the net.

threedoves

  • Guest
Re: 16 bit programs won't work after malware
« Reply #2 on: January 09, 2005, 12:08:12 AM »
Thank you for the quick response and for your suggestion. I have heard horror stories about SP 2 but I believe this stuff is worse!  :-\
The log says exactly this: (I apologize if it's too much information, but I'm not sure what you can use :-[)

Time:1/8/2005 12:40  System
Application: 1276
Description: Sign of "Win32:Exdl [Adw]" has been found in "C:\Windows\exdl.exe" file.

That's the entire text. Does this help any? I will apply the service pack after I'm sure there is nothing seriously wrong with this computer.
Also, I have run an online virus scan and it comes up clean as well. That was done after Avast took care of it initially.
Seems to contain a problem and correct it well.
Thank you for helping me with the rest of it.
Kathy

Offline Eddy

Re: 16 bit programs won't work after malware
« Reply #3 on: January 09, 2005, 12:12:47 AM »
What happens if you try to run a 16bit application?
Getting an error?
If so, which one?

Also let us know if this is a preinstalled OS or not.

threedoves

  • Guest
Re: 16 bit programs won't work after malware
« Reply #4 on: January 09, 2005, 12:23:04 AM »
Not a pre-installed OS. I installed it using my own disk (legal, by the way). The error is:

C:\Windows\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'close' to terminate the application.

With so much gratitude....
Kathy

PS... I have NOT restarted computer since the discovery Avast made and haven't yet done a system restore as I thought I would try to understand what happened and ask someone much more knowledgeable than me!
Thank you!!!!
Kathy :)

Offline Eddy

Re: 16 bit programs won't work after malware
« Reply #5 on: January 09, 2005, 12:31:23 AM »
http://212.204.166.18/index1.htm > download section > get the HijackThis Log Analyzer.

It comes with a fix for this problem.
Read the readme.txt file to see how to apply it.

Let us know if it solved the problem.

threedoves

  • Guest
Re: 16 bit programs won't work after malware
« Reply #6 on: January 09, 2005, 01:01:17 AM »
 ??? :-\

Ok, I didn't think I was this stupid. And I do see the need for the SP2. That being said, I have the Hijack this program downloaded, I ran it and have the log it generated. I didn't see a text file, it just downloaded an .exe file.
I don't understand what to do with it and I see some things that are marked as unknown, some are nasty, and I see no way to correct this. Will I need another program to take care of this?
I'm so sorry if I sound stupid. I'm really not that bad with computers. This is just a new wrinkle and I have NO iron! lol
If you have a few minutes, could you continue to help me?
 :-\
Kathy

galooma

  • Guest
Re: 16 bit programs won't work after malware
« Reply #7 on: January 09, 2005, 01:05:50 AM »
Here's a tutorial on HJT: http://www.netstar.me.uk/hjt/hjt.html

Offline Eddy

Re: 16 bit programs won't work after malware
« Reply #8 on: January 09, 2005, 01:07:38 AM »
No, NOT HijackThis, I said HijackThis Log Analyzer ;)
(Click here to download)

And if you wish, you can post the HijackThis log here and I (or someone else) will have a look at it, of course.

threedoves

  • Guest
Re: 16 bit programs won't work after malware
« Reply #9 on: January 09, 2005, 01:25:38 AM »
Ah! I understand now. I apologize for the mistake. They looked very similar on the page. I did what you said, saving the log file to the same folder as the analyzer, but when I tried to run it as they said, I got the error message:
C:Windows\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose close to terminate the application.

I'm beginning to suspect my autoexec file is corrupted.
Any ideas?
Meanwhile I will paste the file the program generated.

Logfile of HijackThis v1.99.0
Scan saved at 7:16:22 PM, on 1/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DeskAd Service\DeskAdServ.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\DeskAd Service\DeskAdKeep.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJTanalyzer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.lycos.com/default.asp?donemaya=1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~2.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [wmiprv] wmiprv.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Jerry\LOCALS~1\Temp\bundle.exe
O4 - HKLM\..\RunServices: [wmiprv] wmiprv.exe
O4 - HKCU\..\Run: [wmiprv] wmiprv.exe
O4 - HKCU\..\Run: [start uploading] crsss.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\RunServices: [start uploading] crsss.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c14.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103233288584
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?325
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe


Offline Eddy

Re: 16 bit programs won't work after malware
« Reply #10 on: January 09, 2005, 01:29:24 AM »
You almost got it right this time. As stated in the readme.txt:
Quote
You could get the following message:
   "C:windows\system32\autoexec.nt  not able to run ms-dos or windows programs ...."
   In order to solve this, unpack the files in winrep.zip to the \windows\system32 folder
   on your system, overwriting existing ones. This will solve it.

And I will come back for the HJT log you posted a bit later on.
« Last Edit: January 09, 2005, 01:31:04 AM by Eddy »

threedoves

  • Guest
Re: 16 bit programs won't work after malware
« Reply #11 on: January 09, 2005, 01:40:49 AM »
My goodness!! It worked!!!!!!!!!!!!!!!!!!! Perfectly!
Much much much easier fix than I had done before. I was smart enough to set a restore point for this, but I'll make sure I keep this correction and the zip file containing them handy!
I don't know how to thank you enough!!!
But please, when you have time, I would appreciate your suggestion on that log.
Thank you from my heart!
Kathy  :D :D :D

Offline Eddy

Re: 16 bit programs won't work after malware
« Reply #12 on: January 09, 2005, 01:49:35 AM »
This is the result my HJT Log Analyzer is giving:

--------------------------------------------------------------------------------
CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:
--------------------------------------------------------------------------------
You are using the latest version of HijackThis.
Old version of Internet Explorer detected, please update.
Your Operating System is not up-to-date. (Latest service pack not installed)
Software firewall detected.

--------------------------------------------------------------------------------
THESE ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
--------------------------------------------------------------------------------
\program files\deskad service\deskadserv.exe
\program files\bullseye network\bin\bargains.exe
\program files\internet optimizer\optimize.exe
\program files\deskad service\deskadkeep.exe
r1 - hkcu\software\microsoft\windows\currentversion\internet settings,proxyoverride = 127.0.0.1
o2 - bho: search relevancy - {1d7e3b41-23ce-469b-be1b-a64b877923e1} - c:\progra~1\search~1\search~2.dll
o2 - bho: adp urlcatcher class - {f4e04583-354e-4076-be7d-ed6a80fd66da} - c:\windows\system32\msbe.dll
o4 - hklm\..\run: [wmiprv] wmiprv.exe
o4 - hklm\..\run: [deskad service] c:\program files\deskad service\deskadserv.exe
o4 - hklm\..\run: [bullseye network] c:\program files\bullseye network\bin\bargains.exe
o4 - hklm\..\run: [sahbundle] c:\docume~1\jerry\locals~1\temp\bundle.exe
o4 - hklm\..\runservices: [wmiprv] wmiprv.exe
o4 - hkcu\..\run: [wmiprv] wmiprv.exe
o4 - hkcu\..\run: [start uploading] crsss.exe
o4 - hkcu\..\run: [weather] c:\program files\aws\weatherbug\weather.exe 1
o4 - hkcu\..\runservices: [start uploading] crsss.exe
o4 - global startup: microsoft works calendar reminders.lnk = ?
o9 - extra button: related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o9 - extra 'tools' menuitem: show &related links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o9 - extra button: weatherbug - {af6cabab-61f9-4f12-a198-b7d41ef1cb52} - c:\progra~1\aws\weathe~1\weather.exe (hkcu)
o16 - dpf: {15ad4789-cdb4-47e1-a9da-992ee8e6bad6} - http://static.windupdates.com/cab/clickyestocontinue/ie/bridge-c14.cab
o16 - dpf: {1f2f4c9e-6f09-47bc-970d-3c54734667fe} (lssupctl class) - http://www.symantec.com/techsupp/asa/lssupctl.cab
o16 - dpf: {2bc66f54-93a8-11d3-beb6-00105aa9b6ae} (symantec antivirus scanner) - http://security.symantec.com/sscv6/sharedcontent/vc/bin/avsniff.cab
o16 - dpf: {6414512b-b978-451d-a0d8-fcfdf33e833c} (wuwebcontrol class) - http://v5.windowsupdate.microsoft.com/v5consumer/v5controls/en/x86/client/wuweb_site.cab?1103233288584
o16 - dpf: {644e432f-49d3-41a1-8dd5-e099162eeec5} (symantec rufsi utility class) - http://security.symantec.com/sscv6/sharedcontent/common/bin/cabsa.cab
o16 - dpf: {74d05d43-3236-11d4-bdcd-00c04f9a3b61} (housecall control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
o16 - dpf: {99b6e512-3893-4155-9964-8eb8e06099cb} (webspywarekiller class) - http://download.zonelabs.com/bin/promotions/spywaredetector/webswk.cab
o16 - dpf: {b38870e4-7ecb-40da-8c6a-595f0a5519ff} (msnmessengersetupdownloadcontrol class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
o16 - dpf: {ce28d5d2-60cf-4c7d-9fe8-0f47a3308078} (activedatainfo class) - https://www-secure.symantec.com/techsupp/asa/symadata.cab
o16 - dpf: {eb387d2f-e27b-4d36-979e-847d1036c65d} (qdiaghupdateobj class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?325
o23 - service: zesoft - unknown - c:\windows\zeta.exe

--------------------------------------------------------------------------------
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:
--------------------------------------------------------------------------------
o4 - hklm\..\run: [internet optimizer] "c:\program files\internet optimizer\optimize.exe"
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office10\osa.exe
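
Added example, not part of the thread and not the code of the HJT Log Analyzer used above: a small Python triage of the O4 (autorun) registry lines in a HijackThis log. It applies two assumed heuristics only, a command with no directory path and a command launched from a Temp folder, so adware installed under its own full path (as several entries in this log are) is not caught by it. The function names and the `BARE_OK` allowlist are hypothetical.

```python
import ntpath
import re

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [wmiprv] wmiprv.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Jerry\LOCALS~1\Temp\bundle.exe
O4 - HKCU\..\Run: [start uploading] crsss.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
"""

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
# Registry autorun body: hive, key (Run / RunServices), value name, command line
RUN_RE = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Program image: everything up to the first executable extension (paths may hold spaces)
IMAGE_RE = re.compile(
    r'^"?(?P<image>.+?\.(?:exe|com|bat|cmd|scr|pif))(?=["\s]|$)', re.I)

# Assumption: launchers that are normally registered without a path.
BARE_OK = {"rundll32", "rundll32.exe"}


def image_of(cmd):
    """Return the program part of an autorun command line."""
    m = IMAGE_RE.match(cmd)
    return m.group("image") if m else cmd.split()[0].strip('"')


def triage(log_text):
    """Return (hive, key, name, image, reasons) for O4 registry entries worth a look."""
    findings = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line or line["code"] != "O4":
            continue
        run = RUN_RE.match(line["body"])
        if not run:
            continue  # Startup-folder shortcuts use a different layout
        image = image_of(run["cmd"])
        folder = ntpath.dirname(image).lower()
        reasons = []
        if not folder and image.lower() not in BARE_OK:
            reasons.append("no-path")   # resolved via the search path at logon
        if "temp" in folder.split("\\"):
            reasons.append("temp-dir")  # autorun pointing into a Temp folder
        if reasons:
            findings.append((run["hive"], run["key"], run["name"], image, reasons))
    return findings


if __name__ == "__main__":
    for hive, key, name, image, reasons in triage(SAMPLE_LOG):
        print(f"{hive}\\{key} [{name}] {image}: {', '.join(reasons)}")
```

A flagged entry is a prompt to locate and inspect the file, not a verdict.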

threedoves

  • Guest
Re: 16 bit programs won't work after malware
« Reply #13 on: January 09, 2005, 04:57:22 PM »
Thank you most kindly for your help. Some of the corrections of the offending software I will have not much if any trouble removing. But some I'm unclear of. Would the best course of action be to use a program like Ad Aware or one of its kin to remove these? Or is it better to just get in there and dig this stuff out?
Thank you for the other recommendations. I intend to take your advice as soon as I get rid of the rest of this garbage.
In your opinion, is Zone Alarm a decent program and working to the best you can see? If not, I can always do something else. I put it on because I do NOT trust windows home grown version of a firewall. Though I may not have much choice when I upgrade to SP2....
Thank you again for all of your help! I would trust this program and your tech people completely.
Respectfully,
Kathy :D

Offline Eddy

Re: 16 bit programs won't work after malware
« Reply #14 on: January 09, 2005, 05:29:05 PM »
I recommend using at least the applications I mention in the first table on my malware removal page.

ZA is a decent application, but personally I prefer a router with a built-in hardware firewall.