Older windows package now won't open



petermac
26-10-2004, 12:05 PM
I have recently purchased a new computer running WinXP and transferred everything off my old ME system. To my surprise even my older cashbook worked fine on the new system until recently. I hadn't accessed the program for a couple of weeks and now when I try to load the program I get the following error message....

16 Bit sub System


C:\Windows\system32\autoexec.NT. The system file is not suitable for running MS-Dos and Microsoft windows applications. Choose close to terminate the application.

The program doesn't open at all. The only major change to the system over the last few weeks was having broadband wireless installed.

Any ideas or suggestions would be appreciated.

johnboy
26-10-2004, 12:19 PM
Have a look at this mskb and see if it applies to you.
Error message when you install or start an MS-DOS or 16-bit Windows-based program
here (http://support.microsoft.com/default.aspx?scid=kb;en-us;324767&Product=winxp)
hth

Pete O'Neil
26-10-2004, 12:19 PM
Did you do a proper install of cashbook or did you just copy over the previous installation?

petermac
26-10-2004, 12:35 PM
I did a proper install off 3 1/2 disks when I first reloaded on to the new machine and it worked fine. I find now that the same error message comes up when trying to reinstall off the disks. Will look at the options on the first thread.

Thanks Pete

petermac
26-10-2004, 12:40 PM
This looks promising. Will work my way through and see what happens.

Thanks

beama
26-10-2004, 01:00 PM
If none of the above works: 16 bit access in XP is controlled by c:\windows\system32\autoexec.nt. Replace this file with the backup found in c:\windows\repair; copy and paste will do it.

petermac
26-10-2004, 01:14 PM
Thanks beama,

Went looking in C:\Windows\repair for the missing file but the only file in there is system.bak. Is there anywhere else I could find it?

petermac
26-10-2004, 01:16 PM
I also used Windows search to try and track down the autoexec.nt file but it found nothing.

Mada
26-10-2004, 01:21 PM
You may need to buy a new cashbook program that is 32-bit compatible.

Try MYOB or Cashbook Complete, or if you're a home user, Microsoft Money.
You could also find something for sale at http://www.trademe.co.nz/

CYaBro
26-10-2004, 01:24 PM
Make sure when doing the search for the autoexec.nt file that you have set it to look in hidden and system folders as well.

I had this same error after the PC got a virus so make sure your AV software is up-to-date and run a scan.

Pete O'Neil
26-10-2004, 01:33 PM
> You could also find something for sale at
> http://www.trademe.co.nz/
I wouldn't buy software from tardme if I was you, the chances of getting something illegal or faulty are pretty high. Plus a lot of things sell for far more than they are worth, making it difficult to get a bargain.

beama
26-10-2004, 08:19 PM
Sorry, forgot to say that this is a hidden system file. If you follow CYaBro's advice you should find it. CYaBro is also correct about the cause of the corruption: virus or spyware.

petermac
26-10-2004, 11:41 PM
It seems I have got a problem with a worm or spyware. I have checked and virus definitions are up to date (norton anti-virus) and nothing was detected.... but there is something interfering with Explorer. My homepage has changed and every time I try to put it back it instantly returns to the bogus one http://easy-search.biz. I have run 'ad-aware' which removed some spyware but hasn't fixed explorer..

Help !!!

drcspy
26-10-2004, 11:45 PM
that one can be a *****.........try this, (it's not as bad as it looks lol):

Extract the "get active services.vbs" - file to a new folder in the desktop.
Doubleclick it to run it. This script will create and open a text file named
Active.txt in the same folder as the script itself. It will then open Active.txt for you.

It will list all active Services. Copy and paste the contents of Active.txt in your next
reply here


OK , the Plug and Play svc service: is your culprit (not to be confused with the
(legitimate) Plug and Play service...)

Please do the following:

Go to Start > Run > Regedit, and drill down to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pnpsvc\Parameters

Click the 'Parameters' subkey once in order to display its contents in the right pane.
You'll see a value there called ServiceDll.

Doubleclick that ServiceDll line in order to bring up the Edit box, copy its contents,
and paste them into your reply; we need the name and location of the
corresponding file...


The ServiceDll entry has the following value:

c:\windows\system32\rhlacbgf.dll


OK, in Hijackthis, click "Config", then click on "Misc Tools". Once at the new
screen click on the "Delete a file on reboot" button.
You will be presented with a dialog asking you to pick a file. Copy and paste
c:\windows\system32\rhlacbgf.dll into the file name field and press the open
button.

You'll be notified that the file in question will be deleted on reboot, when asked
whether you want to restart your computer, click Yes.
After a reboot the file should be gone


Next:

- Find and delete the file c:\windows\system32\pnpsvc.inf

- Subsequently, copy the text in the 'Quote' box below to Notepad, and save it
on your Desktop as fix.reg (Make sure to save as file type: 'All files (*.*)')

****************************************************************

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pnpsvc]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pnpsvc]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNPSVC]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PNPSVC]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PNPSVC]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\pnpsvc]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\pnpsvc]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\PNPSVC]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PNPSVC]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\pnpsvc]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\pnpsvc]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\EventLog\Application\PNPSVC]

****************************************************************


Now double-click on the fixme.reg file you just saved; say yes when asked to
add the contents of Fixme.reg to the Registry.

At this point I suggest you create a fresh System Restore Point.

Next, launch Regedit again and navigate to each of the following addresses:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PNPSVC

At each location delete the LEGACY_PNPSVC subkey (subfolder). If you have
trouble deleting one of these, right click on that particular LEGACY_PNPSVC
subkey, and choose 'Permissions'; make sure you have 'full control' set. Then
try to delete it again.


Reboot your computer, post a new hijackthis log and let us know how everything
is working.
_________________


Well, there's one more thing:

O4 - HKLM\..\Run: [nstat] C:\WINDOWS\netstat.exe

Your legitimate Netstat.exe file is located in System32, and this one is sure to be
viral in nature.

Have Hijack This fix that line, then restart your computer.

Now find that Netstat.exe file (the one in C:\Windows, not the one in
C:\Windows\System32), and upload it to these two excellent on line file
scanners in order to be tested :


Trojan.Win32.Dialer.cy

drcspy
26-10-2004, 11:47 PM
sorry copied and pasted that from somewhere just ignore the first couple of paras.........i have run thru this on a pc and it was the ONLY way to get rid of that nasty search page......it works on xp only tho.....

petermac
27-10-2004, 12:00 AM
Thanks heaps .... will give it a go , but it sounds like the problem alright ......

petermac
27-10-2004, 12:19 AM
Oops.

Didn't get far . Got stuck at the following line


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pnpsvc\Parameters

Went into regedit and drilled down until Services\ .... but there was no pnpsvc...


Will try again in am ..


cheers Pete

petermac
28-10-2004, 09:43 PM
Hi all,


I still haven't managed to remove the hijackers etc that it seems keep changing my homepage and redirecting the IE browser.

There are a few other strange things happening too. I am unable to open notepad ...

I have run ad-aware and spybot which seems to have improved things slightly and have decided to use Firefox in the meantime , IE is driving me mad .

I also run hijackthis , but haven't got a clue which lines to remove so have posted the report below.....

any help would be appreciated

Logfile of HijackThis v1.97.7
Scan saved at 8:43:35 p.m., on 27/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Borland\INTERB~1\Bin\IBGuard.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\mfccj.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\Fast.exe
C:\PROGRA~1\Borland\INTERB~1\Bin\ibserver.exe
C:\WINDOWS\syshl32.exe
C:\apps\ABoard\ABoard.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\fast.exe
C:\Program Files\Win Comm\WinComm.exe
C:\WINDOWS\System32\klswac.exe
C:\Program Files\Win Comm\WinLock.exe
C:\WINDOWS\stisvsq.exe
C:\WINDOWS\svshost.exe
C:\WINDOWS\msqdevl.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\mservice.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\PETER MACDONALD\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jsdiz.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jsdiz.dll/sp.html#29126
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jsdiz.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jsdiz.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jsdiz.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jsdiz.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jsdiz.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B1DE489E-B535-4538-EB55-9D77A96D029D} - C:\WINDOWS\system32\sysol.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [syshl32.exe] C:\WINDOWS\syshl32.exe
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [ifjlmhpo] C:\WINDOWS\System32\klswac.exe
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: SideFind (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\ugopznvv.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/420/online.chm::/on-line.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{523D5D3D-8838-48B3-9C16-81346EA94A29}: NameServer = 202.27.184.3 202.27.184.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{523D5D3D-8838-48B3-9C16-81346EA94A29}: NameServer = 202.27.184.3 202.27.184.5

Susan B
29-10-2004, 11:09 AM
I don't have time to go through all your list for you but you can get rid of these for a start:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jsdiz.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jsdiz.dll/sp.html#29126
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jsdiz.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jsdiz.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jsdiz.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jsdiz.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jsdiz.dll/sp.html#29126


Make sure all other windows are closed, especially IE and Explorer and have HijackThis fix them.

The following one could be a trojan but if not, it is not required anyway so could also be fixed.

O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe


There are others I am not sure about but go to the Spyware FAQ (link to FAQs top right of this page) and go to the HijackThis tutorial link. Basically you just need to look up all those entries to see what they are and if they are dodgy get HJT to fix them.

I would run a trojan removal program first, if you haven't already done so. There is a link in the Spyware FAQ to an online one if you want to try that.

Just be very careful with HJT because if you remove something critical then your computer will stop working.

You could also get rid of FindFast via Add/Remove Programs or remove it out of the Start Menu's Startup folder as it isn't necessary. There are other services that could possibly be removed - the FAQs have links to places to find out these things.

godfather
29-10-2004, 12:11 PM
Ouch.

That PC is full of nasties.

In addition to the above:

Have Hijack deal to these, then delete the actual exe files using Windows Explorer (in safe mode if needed).


O4 - HKLM\..\Run: [syshl32.exe] C:\WINDOWS\syshl32.exe
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [ifjlmhpo] C:\WINDOWS\System32\klswac.exe
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe

They are all very nasty as far as I can see.

If you are unsure of any of them, just try the file name into Google. No results means it's a "morphing" variant that creates a random file name usually.
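
Several replies single out Run entries whose file names mimic Windows system processes (svshost.exe, lssas.exe) or that use a system file name outside System32 (C:\WINDOWS\netstat.exe). As an added example, not written by anyone in this thread, the Python script below applies those two checks to HijackThis O4 lines; the list of system binaries and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any OS

# Assumption: a short illustrative list of binaries that belong in System32.
SYSTEM32 = r"c:\windows\system32"
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "netstat.exe")

# HijackThis autorun line: O4 - HKLM\..\Run: [value name] command
O4_RUN = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\Run: \[(.+?)\] (.+)$")

# Sample lines copied from the log and replies in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [nstat] C:\WINDOWS\netstat.exe
"""

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def executable(command):
    """Extract the program from a Run value (quoted path, or text up to .exe)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r".+?\.exe\b", command, re.I)
    return m.group(0) if m else command

def triage(log_text, max_distance=2):
    """Return (hive, value name, executable, reason) for each suspicious entry."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        hive, name, command = m.groups()
        path = executable(command)
        exe, folder = basename(path).lower(), dirname(path).lower()
        for real in SYSTEM_BINARIES:
            d = edit_distance(exe, real)
            if d == 0 and folder and folder != SYSTEM32:
                findings.append((hive, name, path, f"{real} outside System32"))
            elif 0 < d <= max_distance:
                findings.append((hive, name, path, f"name imitates {real}"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

A hit is a reason to look the file up before fixing the entry, not proof that it is malicious; randomly named files such as klswac.exe pass both checks and still need the manual lookup described above.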

godfather
29-10-2004, 12:14 PM
And:
fix these with Hijack This

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\ugopznvv.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!