16-BiT MS-DOS Subsystem Problem

September 8, 2012 at 21:16:21
Specs: Windows XP, 3072 mb
hello everyone..
i always get an messagebox while i am doing something like browsing and so on
the message entitled:

16-BiT MS-DOS Subsystem

there heres the message
The NTVDM CPU has encountered an illegal operation
CS:055f IP:02ef OP: 63 73 73 22 20 Choose close to terminate the application
the message box has 2 command button

im running windows xp pro sp3

i doubt this is not a virus because my pc is newly formatted.

See More: 16-BiT MS-DOS Subsystem Problem

Report •

September 8, 2012 at 22:03:55
Please double-click TFC.exe to run it. (Note: If you are running on Vista/Windows 7, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Report •

September 9, 2012 at 03:55:19
sir i have been using TFC but the problem still go back even if i delete the .exe file in the temp directory

Report •

September 9, 2012 at 04:13:57
Please copy & paste instructions into a text file, print steps & info. You will need them as they are hard to remember & for when you are offline.

The badies are always ahead of the goodies, be aware, this can be a very long process, involving many different tools to clean up an infected comp.
Some infections are unremoveable.
Very Important: Malware infections can possibly lead to identity theft, stolen bank funds, misuse of credit card information etc.
The use of the computer is the primary factor in the decision whether to re-format and re-install, or just disinfect.
How to report ID theft, fraud, drive-by installs, hijacking and malware?

If any program won't run, let me know. Post the log/logs after each run.

After each fix or change we make, let me know how the comp is running. Example: Still cannot boot into Normal mode.

1: Download & run Unhide
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run, it does take some time, be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

2: Reboot

3: Download Security Check by screen317 from one of the following links and save it to your desktop.

4: Run ESET & post the log please.
Why Would I Ever Need an Online Virus Scanner?
I already have an antivirus program installed, isn't that enough?
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
How can I view the log file from ESET Online Scanner?
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start ? Run dialog box from the Start Menu on the desktop.

Report •

Related Solutions

September 9, 2012 at 04:34:59
i am pretty sure that this is not a virus/spyware issue..
my computer is newly formatted i didnt connect any external devices
though i browse the web but just only in this trusted sites
i havent do download because my connection is to slow
1-5kbps using my Internet download manager.
the antivirus i am using is the Kaspersky
this is my log file using hijackthis because the online scanner wont work for me because of my slow connection

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:07 PM, on 9/9/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Common Files\ArcSoft\esinter\Bin\eservutil.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
C:\Program Files\SMART BRO\AssistantServices.exe
C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\SMART BRO\UIMain.exe
C:\Program Files\SMART BRO\CMUpdater.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TuneUp Utilities 2012\TUAutoReactivator32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\ievkbd.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MI1933~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O2 - BHO: Microsoft Web Test Recorder 10.0 Helper - {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - C:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [SpeedConnectStartUp] C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe -run
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office14\EXCEL.EXE/3000
O9 - Extra button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DC85CEA-1AE0-4FDB-B28B-90AD6F5168D7}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{20BC42FB-1E84-4E4F-B537-0888CD514F67}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{28BEFD15-A8D7-4FDE-A3F3-6EBE1EAD81BF}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CC6916F-D488-433E-9F04-AFA3F6819BC1}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{93EECFA2-2FB5-40FC-8347-14A8F4270193}: NameServer =
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BCA9CFD-B9D9-4532-B239-BF8CF635FA6D}: NameServer =,
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: ArcSoft Exchange Service (ADExchange) - ArcSoft, Inc. - C:\Program Files\Common Files\ArcSoft\esinter\Bin\eservutil.exe
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
O23 - Service: VIA Karaoke digital mixer Service (KaraokeService) - VIA Technologies, Inc. - C:\WINDOWS\system32\KaraokeSer.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
O23 - Service: UI Assistant Service - Unknown owner - C:\Program Files\SMART BRO\AssistantServices.exe

End of file - 6855 bytes

Report •

September 9, 2012 at 04:41:17
You are infected, maybe download the ESET program from a normal comp & put it on a thumb drive.



I shall go through the HJT log now.

Report •

September 9, 2012 at 04:57:36
HJT log is Ok, but modern infections can hide very efficiently.

Here are some basic methods to check for infections & slowness.
See if they fix your problem, if not, shall have to dig further.




Report •

September 9, 2012 at 15:31:26
is this realy an infection?


Report •

September 9, 2012 at 15:58:43
"is this realy an infection?"
That is what I have been trying to eliminate, everything now points to you being clean, an ESET scan would have confirmed.

I was going down the infection path in case there was a typo here > C:\Windows\Temp\2.exe

Shall now go down a different path, run SFC please.

Click Start and then click Run.
In the Open box, copy & paste > sfc /scannow, and then click OK. Note that you may be prompted to insert the Windows XP installation CD-ROM.

Report •

September 9, 2012 at 16:29:21
If SFC dos'nt fix the problem, more googling gets this as a possible, it is the only 2.exe in your HJT log.

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

How to Disable and Uninstall Protexis Licensing Service (PSIService.exe)

NTVDM is the NT virtual DOS machine
Troubleshooting MS-DOS-based programs in Windows XP

Revo in Advanced mode will uninstall everything, including registry entries.

Revo Uninstaller
Open Revo, double click on a program logo, click > Yes & then you get your options, with Advanced down the bottom.
If you have partially uninstalled your program, you get a message from Revo, that it can't find the uninstaller, hit Cancel & let Revo continue on, to search for the remnants.
If you get a reboot message, ignore it & do it after Revo has finished.
I use Advanced Mode. Screenshots of how to use.

Report •

September 9, 2012 at 18:51:41
when i run sfc
i says that i put the wrong cd even if it is the original

Report •

September 9, 2012 at 19:22:01
"when i run sfc"
Where did you run it from?

Report •

September 9, 2012 at 19:54:54
i put the cd and open command prompt
sfc=system file checker
sfc /scannow

Report •

September 9, 2012 at 19:59:49
Run SFC & if prompted, then put the CD in.

Report •

Ask Question