Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

16bit ms-dos subsystem

#1 dgpro (New Member, 1 posts)
Hi

Wonder if anyone can help me here.

Keep getting this message every 3-5 mins while surfing the net.

16 bit ms dos subsystem
c:\window\system32\wxpsetup.exe
the ntvdm cpu has encountered an illegal instruction
cs:0523:e IP:fffe OP:ff ff ff 00 choose 'close' to terminate the application

Read previous threads which recommended ComboFix. ComboFix.txt is as follows:


ComboFix 08-08-24.03 - yiming 2008-08-30 22:14:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.622 [GMT 8:00]
Running from: C:\Documents and Settings\yiming\My Documents\downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\wxpSetup.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-24 09:36 . 2008-08-30 22:12 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-24 09:35 . 2008-08-30 21:40 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-24 09:35 . 2008-08-24 09:35 <DIR> d-------- C:\Documents and Settings\yiming\Application Data\PC Tools
2008-08-24 09:35 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-08-24 09:35 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-08-24 09:35 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-08-24 09:35 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-08-23 17:57 . 2001-08-17 13:32 50,620 --a------ C:\WINDOWS\system32\command.nt
2008-08-18 21:43 . 2008-08-18 21:43 <DIR> d-------- C:\!KillBox
2008-08-17 09:56 . 2008-08-17 09:56 <DIR> d-------- C:\NECSOFT
2008-08-14 15:59 . 2008-04-14 08:11 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-08-14 15:59 . 2008-04-14 08:11 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2008-08-13 22:28 . 2008-08-13 22:28 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-13 22:00 . 2008-05-01 22:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 21:45 . 2008-04-12 03:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-13 21:33 . 2008-08-30 21:40 25 --a------ C:\WINDOWS\system32\vwndvtb60.dat
2008-08-13 21:32 . 2008-08-13 21:32 589,312 --a------ C:\WINDOWS\system32\rtmbufdx.exe
2008-08-09 23:21 . 2008-08-09 23:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-06 19:24 . 2008-08-12 20:56 95 --a------ C:\WINDOWS\system32\tebiurecs.ve
2008-08-06 16:29 . 2008-08-27 21:07 366 --a------ C:\WINDOWS\PPSMediaList.ini
2008-08-06 14:22 . 2008-08-14 11:00 80 --a------ C:\WINDOWS\system32\cfl_Info.nt
2008-08-04 18:32 . 2008-08-06 11:59 <DIR> d-------- C:\Program Files\pipi
2008-08-04 18:31 . 2008-08-04 18:31 3,891,555 --a------ C:\WINDOWS\ppfilm.exe
2008-08-04 18:30 . 2008-08-04 19:17 <DIR> d-------- C:\Program Files\Funshion Online
2008-08-04 18:30 . 2008-08-04 18:45 <DIR> d-------- C:\Program Files\Coopen
2008-08-04 18:30 . 2008-08-04 19:17 <DIR> d-------- C:\Documents and Settings\yiming\funshion
2008-08-04 18:30 . 2008-08-04 18:45 <DIR> d-------- C:\Documents and Settings\yiming\Application Data\Coopen
2008-08-04 18:30 . 2008-08-04 18:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Coopen
2008-08-04 18:30 . 2008-08-04 18:30 418,304 --a------ C:\WINDOWS\system32\jspplay.exe
2008-08-04 18:30 . 2008-08-04 18:30 418,304 --a------ C:\WINDOWS\system32\drivers\jspplay.sys
2008-08-04 18:30 . 2008-08-04 18:30 375,808 --a------ C:\WINDOWS\system32\drivers\jsphelp.sys
2008-08-04 18:30 . 2008-08-10 11:19 371,200 --a------ C:\WINDOWS\system32\jsphelp.exe
2008-08-04 18:28 . 2008-05-16 10:10 4,020,368 --------- C:\WINDOWS\system32\FunshionInstall_C6529.exe
2008-08-04 18:28 . 2008-05-29 12:45 936,176 --a------ C:\WINDOWS\system32\coopen_setup_100068.exe
2008-08-04 18:28 . 2008-05-28 14:27 257,693 --------- C:\WINDOWS\system32\pp139.exe
2008-08-04 18:28 . 2008-05-29 17:13 256,267 --------- C:\WINDOWS\system32\coop.exe
2008-08-04 18:28 . 2008-06-03 16:23 173,946 --a------ C:\WINDOWS\system32\msn013.exe
2008-08-04 18:28 . 2005-04-13 06:10 19,518 --a------ C:\WINDOWS\system32\66.ICO
2008-08-04 18:28 . 2008-07-24 13:48 4,272 --a------ C:\WINDOWS\system32\66.reg
2008-08-04 18:28 . 2008-03-24 09:22 35 --a------ C:\WINDOWS\system32\66.bat
2008-08-04 18:20 . 2008-08-04 18:43 <DIR> d-------- C:\Zcom
2008-08-04 18:20 . 2008-08-04 18:22 <DIR> d-------- C:\Magazine
2008-08-02 22:31 . 2008-08-02 22:31 92,288 --a------ C:\Documents and Settings\yiming\Application Data\GDIPFONTCACHEV1.DAT
2008-07-15 21:17 . 2001-08-17 22:36 171,008 --a------ C:\WINDOWS\system32\LXAESUI.DLL
2008-07-08 04:26 . 2008-07-08 04:26 253,952 --------- C:\WINDOWS\system32\dllcache\es.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-30 14:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-28 12:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-28 12:20 --------- d-----w C:\Program Files\StormII
2008-08-27 12:32 --------- d-----w C:\Program Files\PPStream
2008-08-14 03:01 --------- d-----w C:\Documents and Settings\yiming\Application Data\AdobeUM
2008-08-09 15:27 --------- d-----w C:\Program Files\Lavasoft
2008-08-09 15:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-09 15:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-09 15:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-06 08:29 --------- d-----w C:\Documents and Settings\yiming\Application Data\ppstream
2008-08-04 10:46 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2008-07-30 09:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 09:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 09:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-18 14:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 14:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 14:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 14:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 14:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 14:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 14:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 14:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 14:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 14:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 14:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 14:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 14:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 14:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 14:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-18 14:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 14:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 02:57 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 06:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 06:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-06-08 03:07 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-16 03:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\system32\dllcache\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\system32\dllcache\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\system32\dllcache\scrrun.dll
2008-05-08 14:02 203,136 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\system32\dllcache\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\system32\dllcache\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-05-09 09:04 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050920080510\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 08:12 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:35 5724184]
"PPS Accelerator"="C:\Program Files\PPStream\ppsap.exe" [2008-08-04 16:37 165240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-26 09:47 51048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-02-25 21:17 180269]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-09-26 11:01 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-09-26 11:01 503808]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-25 21:17 98304]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 14:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 14:00 455168]
"PCMService"="c:\Apps\Powercinema\PCMService.exe" [2004-10-08 03:14 81920]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-07 14:49 718704]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 14:00 208952]
"Icon"="C:\WINDOWS\system32\drivers\Icon.exe" [2004-04-19 15:23 221184]
"BigDogPath"="C:\WINDOWS\VM_STI.EXE" [2004-06-09 15:37 40960]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 21:10 339968]
"SoundMan"="SOUNDMAN.EXE" [2004-04-28 17:19 66048 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 08:12 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Utility\\hall\\hall\\frame.exe"=
"C:\\Program Files\\PPStream\\PPStream.exe"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\PPStream\\PPSAP.exe"=
"C:\\Program Files\\StormII\\Storm.exe"=
"C:\\Program Files\\StormII\\stormliv.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=

R2 ccosm;Contrl Center of Storm Media;C:\Program Files\StormII\stormliv.exe [2008-05-28 16:40]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-26 09:47]
R2 MTC0005_MTCDIO;Wireless HotKey Driver;C:\WINDOWS\system32\drivers\MTCDIO.sys [2003-09-22 11:04]
R2 rtpPStream;SNS PSP Media Buffer for Windows;C:\WINDOWS\system32\rtmbufdx.exe [2008-08-13 21:32]
R2 Servicejsphelp;Servicejsphelp;C:\WINDOWS\system32\jspplay.exe [2008-08-04 18:30]
S2 MTCDIO;MTCDIO;C:\WINDOWS\system32\DRIVERS\MTCDIO.sys [2003-09-22 11:04]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 ZSMC302;VIMICRO USB PC Camera;C:\WINDOWS\system32\Drivers\usbVM31b.sys [2004-09-14 17:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1aa41f90-36c9-11da-9951-0040d074a81c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL delautorun.bat
\Shell\杀毒(&K)\command - D:\delautorun.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ccafcb0-c74f-11dc-9b01-0040d074a81c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL delautorun.bat
\Shell\杀毒(&K)\command - E:\delautorun.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91955ac0-7928-11dc-9aa1-0040d074a81c}]
\Shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3bd68a0-69d6-11dd-9bb5-0040d074a81c}]
\Shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca259ce0-1ea4-11dd-9b4f-0040d074a81c}]
\Shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca259ce1-1ea4-11dd-9b4f-0040d074a81c}]
\Shell\AutoRun\command - D:\AutoRun.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-08-11 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - yiming.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 22:05]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
R0 -: HKCU-Main,Start Page = hxxp://sg.yahoo.com/
O9 -: {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.vodcn.com
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-30 22:16:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-08-30 22:18:58
ComboFix-quarantined-files.txt 2008-08-30 14:18:10
ComboFix2.txt 2008-08-28 12:03:52
ComboFix3.txt 2008-08-26 09:20:35
ComboFix4.txt 2008-08-26 08:15:24

Pre-Run: 14,387,064,832 bytes free
Post-Run: 14,391,066,624 bytes free

241 --- E O F --- 2008-08-13 14:12:32