Full Version: 16 bit MS-DOS subsystem
Suggest A Fix PC Support Forums > Security > Malicious Code: Viruses, Trojans, Spyware and Browser HiJacking
Nickshaw11
Messages keep popping up naming a certain file and then saying the system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'close' to terminate the application. The file is always c:/WINDOWS/system32/(different name every time).exe
C:/WINDOWS/SYSTEM32/AUTOEXEC.NT.

Not sure what all this means. It has only just started happening. It is just annoying because it interrupts stuff like games about every 4 or 5 minutes, so it makes it impossible to get on and do stuff. Please help.

Nick
HKEd
Welcome to SAF, Nick.

Do the files that produce that message look legitimate?

Does the AUTOEXEC.NT error message refer to '16-bit Subsystem'? If so, install XP Fix and let us know how it goes.
Nickshaw11
I have done that and I think it has stopped the autoexec.nt messages. However, now similar messages are saying: The NTVDM CPU has encountered an illegal instruction. CS:0f2f IP:0127 OP:c5 12 16 d2 Choose 'close' to terminate this application. The big long number changes. Above it says things such as
C:/WINDOWS/ipfs.exe
or
C:/WINDOWS/system32/mssi32.exe
or
C:/WINDOWS/netdt32.exe
or
C:/WINDOWS/iplz.exe
etc etc.

Those files don't sound very legit, do they?

Cheers

Nick
HKEd
You're right...those are malware.

Let's see what's running on that system. Download HijackThis and follow the instructions to post a log from it.
Nickshaw11
Ok here you go.

Logfile of HijackThis v1.99.1
Scan saved at 13:17:41, on 13/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\mfcbs32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sports Interactive\Football Manager 2005\fm2005.exe
C:\DOCUME~1\NICKS~1.NIC\LOCALS~1\Temp\~e5.0001
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\apiup32.exe
C:\Documents and Settings\Nicks.NICK\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&af...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zaptj.dll/sp.html#83556
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zaptj.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zaptj.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zaptj.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zaptj.dll/sp.html#83556
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zaptj.dll/sp.html#83556
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {61CD4FCC-2FDF-DD1C-7FC8-9C8750F1B5F9} - C:\WINDOWS\ipbt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [netfd.exe] C:\WINDOWS\system32\netfd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [mfcpl32.exe] C:\WINDOWS\system32\mfcpl32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [apiup32.exe] C:\WINDOWS\apiup32.exe
O4 - HKLM\..\RunOnce: [mfcbs32.exe] C:\WINDOWS\mfcbs32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clie...ts/y/pote_x.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/06dd2bd2c6df8b...ip/RdxIE601.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} (iiittt Class) - http://www.hotsearchbar.com/toolbar30/hsrb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{180258A4-E352-4C38-9782-092068DBCC54}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{180258A4-E352-4C38-9782-092068DBCC54}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\system32\sdkmx32.exe (file missing)

Hope it helps. I've realised that the long number stays the same; it's just the files that change.

Nick
HKEd
That's a nasty CoolWebSearch infection you have there, Nick. You'll need a few tools to deal with it.

You didn't follow the instructions for installing HijackThis (HJT). It's in a Temp folder, whereas it needs a dedicated folder. Make a new folder in C:, call it HJT and move the file from the temp folder to the HJT folder.

Save these instructions to a text file or print them out. You won't be able to access the internet while in safe mode.

Get the standalone version of CWShredder. Download it to the desktop.

Download About:Buster.

Download AdAware SE Personal. Update it after installation.

As you've noticed, the file name in the R0 and R1 fields changes each time you reboot, but the number stays the same. This is typical of CWS. In the HJT fix (below), don't worry if the file name is different. Just follow the instructions as if the file name were the same.

Now go to Start > Run > type services.msc and OK it. Scroll down to this:

Workstation NetLogon Service ( 6Q'8)

Double-click on it and stop it (if it's not already stopped) and set the 'Startup Type' to Disabled.

Run a HJT scan and put checks in the boxes next to each of these lines:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&af...ODQ6NTo5&Terms=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zaptj.dll/sp.html#83556

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zaptj.dll/sp.html#83556

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zaptj.dll/sp.html#83556

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zaptj.dll/sp.html#83556

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zaptj.dll/sp.html#83556

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zaptj.dll/sp.html#83556

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {61CD4FCC-2FDF-DD1C-7FC8-9C8750F1B5F9} - C:\WINDOWS\ipbt.dll

O4 - HKLM\..\Run: [netfd.exe] C:\WINDOWS\system32\netfd.exe

O4 - HKLM\..\Run: [mfcpl32.exe] C:\WINDOWS\system32\mfcpl32.exe

O4 - HKLM\..\Run: [apiup32.exe] C:\WINDOWS\apiup32.exe

O4 - HKLM\..\RunOnce: [mfcbs32.exe] C:\WINDOWS\mfcbs32.exe

O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/06dd2bd2c6df8b...ip/RdxIE601.cab

O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} (iiittt Class) - http://www.hotsearchbar.com/toolbar30/hsrb.cab

O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\system32\sdkmx32.exe (file missing)


Close all open windows except HJT and click on 'Fix checked'. Close HJT.

Boot to safe mode - go to Start > Run > type msconfig and OK it. Click on the Boot.ini tab, then check the /SAFEBOOT option. Click Apply and OK, then reboot. You will be in safe mode.

Run About:Buster. It will prompt for a second run after the first, so OK that. Save the log it generates after the scan.

Run CWShredder and click on 'Fix'.

Run a full system scan with AdAware and have it delete everything detected.

Undo the change in Msconfig so you reboot to normal mode.

Run another HJT scan and post a fresh log along with the log from About:Buster.

Please follow all instructions to the letter, otherwise we'll be back to square one.
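The triage HKEd did by eye above can be written down as rules. The following is an added example, not code from this thread and not part of HijackThis: a small Python script that parses HJT log lines and flags the patterns picked out in the fix list (an R0/R1 search or start page pointing at a res:// resource in a DLL under C:\WINDOWS, a missing URLSearchHook, a nameless BHO, a Run/RunOnce value named after its own .exe in the Windows directory, every Trusted Zone or Trusted IP entry, and a service with an unknown owner or a missing binary), plus running processes sitting in the Windows root or a Temp folder. The embedded sample is an excerpt of the log posted above; the rule set, the "explorer.exe" allowlist and the Finding layout are my assumptions, and the rules only catch the CWS signatures seen here (they do not flag the about:blank entry or the O16 items HKEd also listed, which need a human judgement).

```python
import re
from dataclasses import dataclass

# Excerpt of the HijackThis log posted earlier in this thread, trimmed to a
# few lines per entry type so the rules below can run offline.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mfcbs32.exe
C:\DOCUME~1\NICKS~1.NIC\LOCALS~1\Temp\~e5.0001
C:\Documents and Settings\Nicks.NICK\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zaptj.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {61CD4FCC-2FDF-DD1C-7FC8-9C8750F1B5F9} - C:\WINDOWS\ipbt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [netfd.exe] C:\WINDOWS\system32\netfd.exe
O4 - HKLM\..\RunOnce: [mfcbs32.exe] C:\WINDOWS\mfcbs32.exe
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted IP range: 206.161.125.149
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\system32\sdkmx32.exe (file missing)
"""

# Every HJT entry looks like "R1 - ..." or "O23 - ...".
ENTRY = re.compile(r"^(?P<sec>R[0-3]|O\d+) - (?P<body>.*)$")
WINDIR = "c:\\windows\\"
# Binaries that legitimately live in the Windows root (assumed allowlist).
WINDIR_ROOT_OK = {"explorer.exe"}


@dataclass
class Finding:
    section: str
    reason: str
    entry: str


def _o4_name_matches_file(body):
    """True when a Run value is literally named after its own .exe under C:\\WINDOWS.

    Vendor entries in this log use product names ([NeroCheck], [ccApp]); the
    CWS droppers all used [netfd.exe] -> C:\\WINDOWS\\system32\\netfd.exe.
    """
    m = re.search(r"\[(?P<name>[^\]]+)\]\s*(?P<rest>.*)", body)
    if not m or not m.group("rest"):
        return False
    name, rest = m.group("name"), m.group("rest")
    # Quoted paths may contain spaces; unquoted ones end at the first blank.
    path = rest[1:].split('"', 1)[0] if rest.startswith('"') else rest.split()[0]
    exe = path.rsplit("\\", 1)[-1].lower()
    return path.lower().startswith(WINDIR) and exe.endswith(".exe") and name.lower() == exe


# (sections the rule applies to, predicate on the entry body, reason reported)
RULES = [
    ({"R0", "R1"}, lambda b: re.search(r"=\s*res://c:\\windows\\", b, re.I) is not None,
     "IE start/search page points at a res:// resource inside a DLL under C:\\WINDOWS"),
    ({"R3"}, lambda b: "is missing" in b.lower(), "default URLSearchHook removed"),
    ({"O2"}, lambda b: "(no name)" in b, "browser helper object with no name"),
    ({"O4"}, _o4_name_matches_file, "Run/RunOnce value named after its own .exe in the Windows directory"),
    ({"O15"}, lambda b: True, "Trusted Zone / Trusted IP entry (relaxes IE security for that site)"),
    ({"O23"}, lambda b: "unknown owner" in b.lower() or "(file missing)" in b.lower(),
     "service with unknown owner or missing binary"),
]


def parse_hjt(text):
    """Return (section, body) pairs for every R/O entry in an HJT log."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append((m.group("sec"), m.group("body")))
    return out


def triage(text):
    """Apply RULES to each entry; the first matching rule wins."""
    findings = []
    for sec, body in parse_hjt(text):
        for sections, pred, reason in RULES:
            if sec in sections and pred(body):
                findings.append(Finding(sec, reason, f"{sec} - {body}"))
                break
    return findings


def suspicious_processes(text):
    """Running processes in the Windows root (bar the allowlist) or any Temp folder."""
    hits = []
    for line in text.splitlines():
        p = line.strip()
        if not re.match(r"^[A-Za-z]:\\", p):
            continue  # not a process path line
        low = p.lower()
        in_root = low.startswith(WINDIR) and "\\" not in low[len(WINDIR):]
        if (in_root and low.rsplit("\\", 1)[-1] not in WINDIR_ROOT_OK) or "\\temp\\" in low:
            hits.append(p)
    return hits


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.entry}")
    for p in suspicious_processes(SAMPLE_LOG):
        print("process:", p)
```

Run it over a full log pasted into SAMPLE_LOG (or read from a file) and compare its output with the fix list: it reproduces the R1, R3, O2, O4, O15 and O23 picks above and also surfaces the Temp-folder HijackThis.exe that HKEd asked to be moved.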
HKEd
I'll move this over to the Malicious Code forum.