NTVDM and 16 Bit apps not running after install of MWB

[radjr]

Hello, it seems that MWB has changed the settings for NTVDM on my windows 7 machine. Can someone confirm how to reset whatever MWB has done to this machine to harden it?  I uninstalled MWB in an attempt to hopefully reset the configuration but no luck.  Thanks.

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

• For use when you are on the forums and need to provide logs for assistance
• For use when you don't need or want to create a ticket with Malwarebytes
• For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

Spoiler

1. Download Malwarebytes Support Tool
2. Double-click mb-support-X.X.X.XXXX.exe to run the program
   • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
3. Place a checkmark next to Accept License Agreement and click Next
4. Navigate to the Advanced tab
5. The Advanced menu page contains four categories:
   • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
   • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
   •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
   • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
6. To provide logs for review click the Gather Logs button
7. Upon completion, click OK
8. A file named mbst-grab-results.zip will be saved to your Desktop
9. Please attach the file in your next reply.
10. To uninstall all Malwarebytes Products, click the Clean button.
11. Click the Yes button to proceed. 
12. Save all your work and click OK when you are ready to reboot.
13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
14. Select Yes to install Malwarebytes.
15. Malwarebytes for Windows will open once the installation completes successfully.

Screenshots:

Spoiler

 

 

 

 

Spoiler

 

 

 

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[David H. Lipman]

I am running Windows 7 Ultimate/32 and I have no problem running DOS programs like Quicken v8.0 under Windows NTVDM with MBAM v4.3 in full protection mode.

MBAM specifically targets Windows PE files and does not target legacy DOS and Windows applications.  I have no knowledge of MBAM modifying the NTVDM, the Win32 Virtual DOS emulator, in Win32 based OS' and which is not provided in any Windows Win64 based OS'.

[AdvancedSetup]

Hello @radjr

I've never seen or heard of anyone with this issue before and we a lot of users on Windows 7 still.

Let us get some logs please and we'll see if we can find any issues

Upload Malwarebytes Support Tool logs offline

Thanks

 

[radjr]

When I tried to reply to the email, I get an error message stating that the "Hop count" has been exceeded.

Attached is the report you requested. Thanks for looking into this.  Bottom line is that VBS files are crashing and it could be due to NTVDM being restricted or another reason..but it started after MWB was installed. Thanks!

mbst-grab-results.zip

[radjr]

FYI, the entire email error message below

The original message was received at Tue, 2 Mar 2021 12:53:52 -0800
from m0144480.ppops.net [127.0.0.1]

   ----- The following addresses had permanent fatal errors -----
<noreply@malwarebytes.com>
    (reason: 554 5.4.14 Hop count exceeded - possible mail loop ATTR34 [SN1NAM04FT005.eop-NAM04.prod.protection.outlook.com])

   ----- Transcript of session follows -----
... while talking to malwarebytes-com.mail.protection.outlook.com.:
>>> DATA
<<< 554 5.4.14 Hop count exceeded - possible mail loop ATTR34 [SN1NAM04FT005.eop-NAM04.prod.protection.outlook.com]
554 5.0.0 Service unavailable

[radjr]

Also, do you know that Microsoft Security Essentials blocks the download of your MWB diagnostic tool???

[AdvancedSetup]

Why do you have a FIXLOG.txt log file? Who wrote that? Did you seek malware removal assistance from someone recently?

 

[radjr]

I was on bleeping computer and ran the FRST tool per their request. That was the file fix file they came back with. It made no difference. I still cannot run VBS files. The MWB diagnostic run was run after the fix file was run and tested so your diag data is clean. Thanks.

[AdvancedSetup]

Your computer is experiencing many issues.  Please stay with your helper on Bleepingcomputer and they will try to get things cleaned up and working for you.

https://www.bleepingcomputer.com/forums/t/745230/tried-to-help-my-wife-and-got-a-virus/

 

 

Application errors:
==================
Error: (03/02/2021 02:31:17 PM) (Source: VSS) (EventID: 12292) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {e4eb5095-f587-4159-a1d8-2710692fd243} [0x80040154, Class not registered
].

Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Delete Shadow Copies

Context:
   Provider ID: {24602736-bed9-4619-91b0-243447c6409c}
   Class ID: {e4eb5095-f587-4159-a1d8-2710692fd243}
   Snapshot Context: -1
   Snapshot Context: -1
   Execution Context: Coordinator

Error: (03/02/2021 02:31:17 PM) (Source: VSS) (EventID: 22) (User: )
Description: Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered.
This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider.
The error returned from CoCreateInstance on class with CLSID {e4eb5095-f587-4159-a1d8-2710692fd243} and Name SW_PROV is [0x80040154, Class not registered
].

Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Delete Shadow Copies

Context:
   Provider ID: {24602736-bed9-4619-91b0-243447c6409c}
   Class ID: {e4eb5095-f587-4159-a1d8-2710692fd243}
   Snapshot Context: -1
   Snapshot Context: -1
   Execution Context: Coordinator

Error: (03/02/2021 02:31:17 PM) (Source: VSS) (EventID: 12292) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {e4eb5095-f587-4159-a1d8-2710692fd243} [0x80040154, Class not registered
].

Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Get Shadow Copy Properties
   Delete Shadow Copies

Context:
   Provider ID: {24602736-bed9-4619-91b0-243447c6409c}
   Class ID: {e4eb5095-f587-4159-a1d8-2710692fd243}
   Snapshot Context: -1
   Snapshot Context: -1
   Execution Context: Coordinator
   Execution Context: Coordinator

Error: (03/02/2021 02:31:17 PM) (Source: VSS) (EventID: 22) (User: )
Description: Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered.
This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider.
The error returned from CoCreateInstance on class with CLSID {e4eb5095-f587-4159-a1d8-2710692fd243} and Name SW_PROV is [0x80040154, Class not registered
].

Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Get Shadow Copy Properties
   Delete Shadow Copies

Context:
   Provider ID: {24602736-bed9-4619-91b0-243447c6409c}
   Class ID: {e4eb5095-f587-4159-a1d8-2710692fd243}
   Snapshot Context: -1
   Snapshot Context: -1
   Execution Context: Coordinator
   Execution Context: Coordinator

Error: (03/02/2021 02:31:17 PM) (Source: VSS) (EventID: 12292) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {e4eb5095-f587-4159-a1d8-2710692fd243} [0x80040154, Class not registered
].

Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Query Shadow Copies

Context:
   Provider ID: {24602736-bed9-4619-91b0-243447c6409c}
   Class ID: {e4eb5095-f587-4159-a1d8-2710692fd243}
   Snapshot Context: -1
   Snapshot Context: -1
   Execution Context: Coordinator

Error: (03/02/2021 02:31:17 PM) (Source: VSS) (EventID: 22) (User: )
Description: Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered.
This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider.
The error returned from CoCreateInstance on class with CLSID {e4eb5095-f587-4159-a1d8-2710692fd243} and Name SW_PROV is [0x80040154, Class not registered
].

Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Query Shadow Copies

Context:
   Provider ID: {24602736-bed9-4619-91b0-243447c6409c}
   Class ID: {e4eb5095-f587-4159-a1d8-2710692fd243}
   Snapshot Context: -1
   Snapshot Context: -1
   Execution Context: Coordinator

Error: (03/02/2021 02:31:15 PM) (Source: VSS) (EventID: 12292) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {e4eb5095-f587-4159-a1d8-2710692fd243} [0x80040154, Class not registered
].

Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Query Shadow Copies

Context:
   Provider ID: {24602736-bed9-4619-91b0-243447c6409c}
   Class ID: {e4eb5095-f587-4159-a1d8-2710692fd243}
   Snapshot Context: -1
   Snapshot Context: -1
   Execution Context: Coordinator

Error: (03/02/2021 02:31:15 PM) (Source: VSS) (EventID: 22) (User: )
Description: Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered.
This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider.
The error returned from CoCreateInstance on class with CLSID {e4eb5095-f587-4159-a1d8-2710692fd243} and Name SW_PROV is [0x80040154, Class not registered
].

Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Query Shadow Copies

Context:
   Provider ID: {24602736-bed9-4619-91b0-243447c6409c}
   Class ID: {e4eb5095-f587-4159-a1d8-2710692fd243}
   Snapshot Context: -1
   Snapshot Context: -1
   Execution Context: Coordinator

System errors:
=============
Error: (03/02/2021 09:45:03 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Cdr4_xp

Error: (03/02/2021 09:44:28 AM) (Source: APPHOSTSVC) (EventID: 9006) (User: )
Description: The Application Host Helper Service encountered an error trying to process the configuration data for config history.  The feature will be disabled.  To resolve this issue, please confirm that the configuration file is correct, has correct attribute values for config history and recommit the changes.  The feature will be enabled again if the configuration is correct.  The data field contains the error number.

Error: (03/02/2021 09:44:28 AM) (Source: APPHOSTSVC) (EventID: 9000) (User: )
Description: The Application Host Helper Service encountered an error while reading the data for SID mapping.  Please ensure that the application pool name data is correct in the configuration file.  To resolve this issue, please recommit the changes or restart this service.  The data field contains the error number.

Error: (03/02/2021 09:41:56 AM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:
An instance of the service is already running.

Error: (03/02/2021 09:41:26 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Realtek Audio Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (03/02/2021 09:41:26 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel(R) ME Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (03/02/2021 09:41:26 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The NVIDIA Display Container LS service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1000 milliseconds: Restart the service.

Error: (03/02/2021 09:41:26 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The AMD External Events Utility service terminated unexpectedly.  It has done this 1 time(s).

 

 

I'll review and send you a new script to run soon.

 

 

[AdvancedSetup]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks