Series of 16 bit MS DOS Subsystem and Bad Image errors

One of my customers has an XP machine that has hosed up over the weekend. I’m hoping someone on here might at least help me to identify the problem.

Here’s the rundown:

On startup I get the following error:

SQL Server: Your SQL Server installation is either corrupt or has been tampered with (unable to load SQLBOOT.DLL). Please uninstall then re-run setup to correct this problem.

Also, several Command Prompt Windows open that appear to be running programs that are supposed to run on startup (i.e. hphupd05.exe, AOL.exe, Backup~1.exe)

I get errors similar to the following for each file it’s trying to run:

16 bit MS-DOS Subsystem: C:\Progra~1\HP\{45B61~1\hphupd05.exe The NTVDM CPU has encountered an illegal instruction. CS:0df9: IP:0212 OP:2e 63 61 74 2c Choose ‘Close’ to terminate the application.

Also get bad image errors for several programs that also look like startup programs (i.e. hpcmpmgr.exe; realplay.exe; AOLSoftware.exe). They read similar to the following:

Hpcmpmgr.exe – Bad Image: The application or DLL C:\Program Files\HP\hpcoretech\HPCmpMgr.dll is not a valid Windows image. Please check this against your installation disk.

Additionally, most of the start menu and desktop shortcuts are either completely broken (the ‘target’ has been completely removed from the properties of the icon) or point to another program (i.e. Internet Explorer and Outlook Express icons now point to the Real Player executable. Other icons point to Weatherbug or Ages of Empire 2)

If I try and navigate to the executable and run them directly, I get another ‘Bad Image’ error for the executable, similar to the one above. In a couple of cases, I don’t even get that much. The hourglass pops up for a second, and then absolutely nothing happens.

I ran a complete Disk Check to ensure there are no problems with the physical disk. It came back clean.

I’m not able to run any of the antivirus or antispyware software that was already on the computer. I tried installing the free version of AVG to see if it would work for me, but as soon as the installation was finished and I tried to run the program, I got the same ‘Bad Image’ error.

I tried System Restore and booting to Safe Mode, but System Restore fails and the problems still occur in Safe Mode.

The computer didn’t have HT on it, and I’m guessing installing it wouldn’t get me anywhere (because I wouldn’t be able to run the program).

I’m assuming, with such a bizarre set of problems, the damage is viral, although my client swears that he didn’t open any emails or run any unusual programs between Thursday, when I last stopped by his shop, and Saturday when he called. He’s in a time-crunch since this is his main POS system, so I think I’m just going to recover the machine so I can get him up and running, but I thought I’d post this just to see if anyone had any ideas or, at the very least, could identify if this is, in fact, a virus.

Thanks for your help.

Kyle

 

Yes, I read the Read and Run This First post. Unfortunately, I'm running into the same wall with SpyBot and CCleaner (which was already on the machine). They error out with "Bad Images" too. I tried uninstalling WeatherBug, but it seems the Uninstall programs don't want to run either. I've never seen a computer locked down this tightly. I'm reinstalling XP system files now. I'll update when it's finished.

Kyle

 

That's Vundo, isn't it Tim..........maybe?

Steve

 

Of course, that's kind of like a patient telling the doctor "Of course I work out and eat right. That can't possibly be why I'm sick." ;-)

In any case, I did an in-place reinstall of the system files. Things certainly work better now, but I'm a little suprised. I've run Ad-Aware, ClamWin, and AVG and so far none of them have come back with much of anything (a few tracking cookies in Ad-Aware, but that's it). What in the world could have caused those problems if not a virus or spyware? I certainly don't want this to happen to him again, but I'm a little stumped. Any ideas?

 

I would still continue the steps in the malware section, just to be sure.

Steve