[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Windows Error - System32

Posted on 2004-11-17
19
Medium Priority
?
714 Views
Last Modified: 2008-02-01
Hello,

We have a software application that we use for accounting/manufacturing business operations.  It is loaded on the server.  One of the users can no longer access the application.  When she double clicks on the shortcut, the following message is displayed, "C:\windows\system32\autoexec.nt     The system file is not suitable for running MS-DOS and Microsoft Windows applications.  Choose 'Close' to terminate the application."

I have no clue what this means or how to resolve.  Any suggestions?

Thanks for your time!

-dweb937
0
Comment
Question by:dweb937
  • 8
  • 8
  • 2
  • +1
19 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 1000 total points
ID: 12606062
Hello dweb937 =)

Open your C:\Windows\Repair folder, and try to copy two files from there, Config.NT and Autoexec.NT
Then open C:\Windows\System32 folder, move the Config.NT and Autoexec.NT files from here to recycle Bin and paste the files you copied from the Repair folder !!
Restart and now check ??

You can also try to copy these files form another WinXP system which is working fine.... :)
Coz the error u are getting is caused by the corruption of either of these two files, and replacing them with good copies can solve the problem :)

Or u can also manually edit these files,,,, follow the instructions here :)
Error message when you install or start an MS-DOS or 16-bit Windows-based program
http://support.microsoft.com/default.aspx?scid=kb;en-us;324767
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 12606082
0
 

Author Comment

by:dweb937
ID: 12606460
SheharyaarSaahil -

Thanks for your response.  I tried your suggestion about deleting out the 2 files from the System32 folder and copying back in the same files from the Repair Folder.  Unfortunately it didn't work.  Every time after I copied the  Autoexec.NT file and restarted the PC, the Autoexec.NT file disappeared from the System32 folder.  I tried copying it back in several times.  Then I tried copying over the two files from my workstation via the network over to the users System32 folder.  Same thing happened again.  And, I still keep getting the same error.

Any more suggestions?

-dweb937
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12606470
means your system is infected with a worm, most likely the Worm Agobot one =\
plzz run stinger in safemode >> http://vil.nai.com/vil/stinger

If it comes as clean, then Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

HJT Log Tutoriol >> http://aumha.org/a/hjttutor.php

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
0
 

Author Comment

by:dweb937
ID: 12606572
SheharyaarSaahil -

I'll try this and let you know.  Thanks!

-dweb937
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12606831
sure.... :)
0
 

Author Comment

by:dweb937
ID: 12607690
SheharyaarSaahil -

Here's a copy of the log file from HijackThis.  I know I can delete the Web_Rebates folder but I'm unsure of the others.  Would you mind taking a look at it and letting me know what you think I can delete?  Also  Once I delete whichever files I need to, then what do I do - recopy the Autoexec.NT and Config.NT files back into System32, Restart and try to open the application again?

Thanks!

-dweb937



Entry
Logfile of HijackThis v1.98.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINDOWS\System32\hpnra.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Windows AdControl\WinAdCtl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Windows AdControl\WinAdAlt.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\PVSW\Bin\W3dbsmgr.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\Documents and Settings\ksherk.MIRACLE\Desktop\RepairWorm\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = SERVER-1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3dbsmgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=5ac0cf9540907f4021cb551458c4f f0e707f7104e1f5b20badc240ef32f8d5cba967ebda7eb52e8bf2798760543433259f12b0c6189cd e96e869b14b02:2cb11e4bee6030cd51943025b31084c7
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Admin.MiracleCorp.com
O17 - HKLM\Software\..\Telephony: DomainName = Admin.MiracleCorp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Admin.MiracleCorp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Admin.MiracleCorp.com
0
 

Author Comment

by:dweb937
ID: 12608052
Sorry - didn't copy the analysis part.

  Logfile of HijackThis v1.98.2  
Safe.   Shows the version of HijackThis an. The newest version is: v1.98.2!   This should be the newest version. (v1.98.2)
  Platform: Windows XP SP2 (WinNT 5.01.2600)          
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)  
Safe.   Shows the version of your Internet Explorer. Newest Version is: 6.00.2800.1106!   This should be the newest version. (6.00.2900.2180)
  C:\WINDOWS\System32\smss.exe  
Safe.   running process. (smss.exe)
Systemprozess - Anwendung, die benutzt wird um Sitzungen zu starten, verwalten und löschen.    
  C:\WINDOWS\system32\winlogon.exe  
Safe.   running process. (winlogon.exe)
Systemprozess - Windows Login Routine    
  C:\WINDOWS\system32\services.exe  
Safe.   running process. (services.exe)
Systemprozess - Verwaltet die Systemdienste.    
  C:\WINDOWS\system32\lsass.exe  
Safe.   running process. (lsass.exe)
Systemprozess    
  C:\WINDOWS\system32\svchost.exe  
Safe.   running process. (svchost.exe)
Systemprozess - Allgemeiner Hostprozessname für Dienste.    
  C:\WINDOWS\System32\svchost.exe  
Safe.   running process. (svchost.exe)
Systemprozess - Allgemeiner Hostprozessname für Dienste.    
  C:\WINDOWS\system32\spoolsv.exe  
Safe.   running process. (spoolsv.exe)
Systemprozess    
  C:\Program Files\Intel\ASF Agent\ASFAgent.exe  
Unknown   running process. (ASFAgent.exe)
   This is a unknown process.
  C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe  
Safe.   running process. (DefWatch.exe)
   
  C:\Program Files\Dell\OpenManage\Client\Iap.exe  
Unknown   running process. (Iap.exe)
   This is a unknown process.
  C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe  
Safe.   running process. (Rtvscan.exe)
Symantec Corporate Edition    
  C:\WINDOWS\System32\svchost.exe  
Safe.   running process. (svchost.exe)
Systemprozess - Allgemeiner Hostprozessname für Dienste.    
  C:\WINDOWS\System32\DSentry.exe  
Safe.   running process. (DSentry.exe)
Application provided by Dell that is anti-spyware. The application blocks other applications that send vital information to other computers.    
  C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe  
Safe.   running process. (DirectCD.exe)
   
  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe  
Safe.   running process. (atiptaxx.exe)
ATI Desktop Control Panel from ATI Technologies    
  C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe  
Safe.   running process. (vptray.exe)
   
  C:\WINDOWS\System32\hpnra.exe  
Safe.   running process. (hpnra.exe)
HP Network Registry Agent    
  C:\Program Files\QuickTime\qttask.exe  
Safe.   running process. (qttask.exe)
   
  C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe  
Safe.   running process. (hplamp.exe)
HP Scanner Utility that controls your scanner’s light bulb. Needed if its switched on. Also refer here for troubleshooting    
  C:\Program Files\Web_Rebates\WebRebates0.exe  
Nasty   running process. (WebRebates0.exe)
TrojanDownloader.Win32. Agent.y   This is a nasty process! You should fix it and try to delete it manually!
  C:\Program Files\Windows AdControl\WinAdCtl.exe  
Unknown   running process. (WinAdCtl.exe)
   This is a unknown process.
  C:\Program Files\Messenger\msmsgs.exe  
Safe.   running process. (msmsgs.exe)
MSN Messenger    
  C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe  
Safe.   running process. (AcroTray.exe)
   
  C:\Program Files\Windows AdControl\WinAdAlt.exe  
Unknown   running process. (WinAdAlt.exe)
   This is a unknown process.
  C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE  
Unknown   running process. (ISATRAY.EXE)
   This is a unknown process.
  C:\PVSW\Bin\W3dbsmgr.exe  
Safe.   running process. (W3dbsmgr.exe)
PracticeWorks (Kodak)    
  C:\Program Files\Web_Rebates\WebRebates1.exe  
Nasty   running process. (WebRebates1.exe)
TrojanDownloader.Win32. Agent.y   This is a nasty process! You should fix it and try to delete it manually!
  C:\Program Files\Windows Media Player\wmplayer.exe  
Safe.   running process. (wmplayer.exe)
   
  C:\WINDOWS\explorer.exe  
Safe.   running process. (explorer.exe)
Systemprozess für Desktop und Taskleiste.    
  C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE  
Safe.   running process. (OUTLOOK.EXE)
E-Mail Client für Windows.    
  C:\Program Files\Microsoft Office\Office10\WINWORD.EXE  
Safe.   running process. (WINWORD.EXE)
Microsoft Word    
  C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe  
Safe.   running process. (Photoshop.exe)
Adobe Photoshop    
  C:\Documents and Settings\ksherk.MIRACLE\Desktop\RepairWorm\HijackThis.exe  
Safe.   running process. (HijackThis.exe)
Tool, mit dem sie dieses Logfile erzeugt haben.   Remember that Hijackthis must be run in an own folder. Only if Hijackthis run in an own folder it will create backups!
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/   
Possibly nasty   This page could possibly be nasty.   If you do not know the entry 'http://smbusiness.dellnet.com/', delete it.
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/   
Safe.   This page has been identified as safe.    
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/   
Possibly nasty   This page could possibly be nasty.   If you do not know the entry 'http://smbusiness.dellnet.com/', delete it.
  R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/   
Possibly nasty   This page could possibly be nasty.   If you do not know the entry 'http://smbusiness.dellnet.com/', delete it.
  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = SERVER-1:8080  
Safe.   This entry has been identified as safe.    
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx  
Safe.   Entries found in this registry zone are potentially nasty. This application ([06849E9F-C8D7-4D59-B87D-784B7D6BE0B3] - Result: 06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) has been checked. Hit rate: 99 %    
  O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)  
Unnecessarily   Entries found in this registry zone are potentially nasty. This application ([83DE62E0-5805-11D8-9B25-00E04C60FAF2] - Result: 83DE62E0-5805-11D8-9B25-00E04C60FAF2) has been checked. Hit rate: 99 %   Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
  O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho.dll (file missing)  
Unnecessarily   Entries found in this registry zone are potentially nasty. This application ([96DA5BEE-4ACC-476C-B3EC-54C6730C4293] - Result: 96DA5BEE-4ACC-476C-B3EC-54C6730C4293) has been checked. Hit rate: 99 %   Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
  O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe  
Safe.   The entered application IgfxTray was identified: igfxtray. Hit rate: 82 % (result)   Not dangerous, but unnecessary.
  O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe  
Safe.   The entered application HotKeysCmds was identified: HotKeysCmds. Hit rate: 99 % (result)    
  O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe  
Safe.   The entered application DVDSentry was identified: DVDSentry. Hit rate: 99 % (result)    
  O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"  
Safe.   The entered application AdaptecDirectCD was identified: AdaptecDirectCD. Hit rate: 99 % (result)    
  O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe  
Safe.   The entered application ATIPTA was identified: AtiPTA or AtiPTAAA or atiptaxx. Hit rate: 39 % (result)    
  O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe  
Safe.   The entered application vptray was identified: vptray. Hit rate: 94 % (result)    
  O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe  
Safe.   The entered application HP Network Registry Agent was identified: HP Network Registry Agent. Hit rate: 99 % (result)    
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime  
Safe.   The entered application QuickTime Task was identified: QuickTime Task. Hit rate: 99 % (result)   Not dangerous, but unnecessary.
  O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"  
Safe.   The entered application HP Lamp was identified: HpLamp. Hit rate: 42 % (result)    
  O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"  
Nasty   The entered application WebRebates0 was identified: WebRebates0. Hit rate: 99 % (result)   Must be fixed!
  O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe  
Unknown   The entered application Windows AdControl was identified: Windows Load. Hit rate: 46 % (result)   Unknown application.
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background  
Safe.   The entered application MSMSGS was identified: MSMSGS. Hit rate: 94 % (result)    
  O4 - Startup: PowerReg SchedulerV2.exe  
Safe.   The entered application 'PowerReg SchedulerV2.exe ()' was identified: 'PowerReg SchedulerV2 (PowerReg SchedulerV2.exe )'. Hit rate: 44 % (result)   Not dangerous, but unnecessary.
  O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe  
Safe.   The entered application 'Acrobat Assistant.lnk (AcroTray.exe)' was identified: 'Acrobat Assistant (ACROTRAY.EXE )'. Hit rate: 55 % (result)    
  O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe  
Safe.   The entered application 'Adobe Gamma Loader.lnk (Adobe Gamma Loader.exe)' was identified: 'Adobe Gamma Loader (Adobe Gamma Loader.exe )'. Hit rate: 91 % (result)    
  O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE  
Safe.   The entered application 'Firewall Client Connectivity Monitor.LNK (ISATRAY.EXE)' was identified: 'MICROSOFT FIREWALL CLIENT (ISATRAY.EXE )'. Hit rate: 52 % (result)    
  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE  
Safe.   The entered application 'Microsoft Office.lnk (OSA.EXE)' was identified: 'Microsoft Office or Microsoft Office Startup (Osa.exe Osa9.exe)'. Hit rate: 32 % (result)   Not dangerous, but unnecessary.
  O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3dbsmgr.exe  
Safe.   The entered application 'Pervasive.SQL Workgroup Engine.lnk (W3dbsmgr.exe)' was identified: 'Pervasive.SQL Workgroup Engine (W3dbsmgr.exe)'. Hit rate: 95 % (result)    
  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000  
Safe.   The entry E&xport to Microsoft Excel has been identified as safe.   If the entry 'E&xport to Microsoft Excel ' is not needed anymore, it should be fixed.
  O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm  
Nasty   The entry Web Rebates has been identified as nasty.    
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe  
Safe.   The entry Messenger has been identified as safe.   If the entry 'Messenger ' is not needed anymore, it should be fixed.
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe  
Safe.   The entry Windows Messenger has been identified as safe.   If the entry 'Windows Messenger ' is not needed anymore, it should be fixed.
  O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll  
Safe.   Most of the entries present in this registry area are safe. Only OnFlow adds an unwanted plugins can be found here. OnFlow-Plugins have the following extension *.ofb.    
  O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=5ac0cf9540907f4021cb551458c4f f0e707f7104e1f5b20badc240ef32f8d5cba967ebda7eb52e8bf2798760543433259f12b0c6189cd e96e869b14b02:2cb11e4bee6030cd51943025b31084c7  
Nasty   This entry is possibly nasty.   Should be fixed.
  O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!   Check if you know this site and fix it if you do not.
  O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Admin.MiracleCorp.com  
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'Admin.MiracleCorp.com'? If not, fix this entry.
  O17 - HKLM\Software\..\Telephony: DomainName = Admin.MiracleCorp.com  
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'Admin.MiracleCorp.com'? If not, fix this entry.
  O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Admin.MiracleCorp.com  
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'Admin.MiracleCorp.com'? If not, fix this entry.
  O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Admin.MiracleCorp.com  
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'Admin.MiracleCorp.com'? If not, fix this entry.


This log has been checked automatically.
Check your log file automatically at www.hijackthis.de.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12608224
well the log doesn't show any sign of worm dweb, just two BHOs,

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho.dll (file missing)

So who is deleting the Autoexec.NT file from the Ssystem32 folder :-?
tell is the problem only with this particular user or system ??
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 12609557
how about enabling auditing, and audit the file?
0
 

Expert Comment

by:Affar
ID: 12689570
Hello,

I have a problem similar to yours. And I follow SheharyaarSaahil solution but WITHOUT RESTARTING THE PC, and it worked fine.

hope this will solve yours.
0
 

Author Comment

by:dweb937
ID: 12698478
Hello,

Sorry I haven't responded earlier but I have been out of the office.  That's good to hear that it's not a worm.  What is a BHO?

This is only happening to my knowledge with this particular workstation/user.  She's not able to get into one of our software applications because of this.

How do you enable auditing?  And what would I do?

So, are there any entries in the log file that need to be fixed?

Thanks,

-dweb
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12698570
>> What is a BHO?
BHO = Browser Helper Objects..... means those files which are attached to IE and helps if toperform a certain action.... like Acrobat BHOs help IE to open pdf documents and google BHOs support google toolbar and etc etc!!

>> This is only happening to my knowledge with this particular workstation/user
can you try this,,,,, create another local user account on the system with Administrative rights and check there if the same problem..... coz someitmes the problems are just profile related..... :-?
0
 

Author Comment

by:dweb937
ID: 12756050
I tried doing what Affar suggested - following the steps for deleting the Autoexec.NT and Confit.NT files out of the System32 folder and recopying in good ones.  However, this time I did not restart the computer before trying to open the application.  And it worked!  However, I'm wondering if the fix is just temporary until the computer is shut down or restarted?


-dweb937

0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12756115
try this, create a new user account from control panel>user accounts and restart to login with the new user
check there for the problem, if same error, then copy the two files and restart again to check if its disappearing here also?
0
 

Author Comment

by:dweb937
ID: 12877544
SheharyaarSaahil  -

I've tried creating a new user account on the PC - my own and I can get into the software application prior to Restarting and afterwards.  I don't get the System32 error.

Then when I logged back into the other user's account, I could still get into the software application.  I shutdown the PC and tried again with success.  I don't believe that I've done anything permanent to fix the problem.  

Thanks,

-dweb937
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12877935
great news dweb :)

and now as the problem has solved, you can close this question, as you can see the Accept button infront of each comment which you got, you have to hit the button for that comment which solved your problem, and then assign a grade according to the quality of help you got,,, that's all :)
for more info. on how to close a Question, plzz refer here >> http://www.experts-exchange.com/help.jsp#hs5
Thanx & Cheers ^_^
0
 

Author Comment

by:dweb937
ID: 12878074
SheharyaarSaahil -

I'm not so sure that it has been resolved or I would have immediately excepted your response.   I didn't do anything to have resolved it.   I think it's going to be a wait and see over the next few days.  If looking still good, I'll be sure to accept and grade.

Thanks for all your help and not sure if this applies but if it does, Happy Holidays!

-dweb937
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12878147
lol.... no problem at all.... that was just my general tip for closing the questions after a problem is solved.... hope you didn't mind :)

and yes the Happy Holidays is not applied for me as im in middle east.... but yes i do celebrate the New year and its holiday...... so Happy New Year in advance! ^_^
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

cPanel is a Unix based web hosting control panel that provides a graphical interface and automation tools designed to simplify the process of hosting a web site. cPanel utilizes a 3 tier structure that provides functionality for administrators, rese…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Suggested Courses

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question