1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: NTVDM CPU Error

Discussion in 'Windows XP' started by Weezie12, May 6, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. Weezie12

    Weezie12 Thread Starter

    Joined:
    Nov 4, 2003
    Messages:
    307
    Logfile of HijackThis v1.99.1
    Scan saved at 11:28:00 AM, on 5/6/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\Webshots\webshots.scr
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\DOCUME~1\Brian\LOCALS~1\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\CenturyTel FastLine Accelerator\prpl_IePopupBlocker.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVGFRE~1\avgregcl.exe /BOOT
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145396585531
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E84422B6-9FB5-4028-8691-4776C8E296FC}: NameServer = 209.142.182.250 209.142.136.85
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    What action precedes the error?

    When did it begin happening?

    There is nothing in the scanlog that should cause it. I believe it is typically associated with incompatibilities with 16 bit programs -- (NT - Virtual DOS - Machine) and I don't think there are any in that log.
     
  3. bearone2

    bearone2 Banned

    Joined:
    Jun 4, 2004
    Messages:
    5,809
    when i had it on xppro i lost fuctionality of defrag, a good part of control panel, showed nothing in network connections but internet/email worked.

    ended up reloading xp.
     
  4. Weezie12

    Weezie12 Thread Starter

    Joined:
    Nov 4, 2003
    Messages:
    307
    C:\Windows\system32\cmd.com
    The NTVDM CPU has encountered an illegal instruction C 5:054F IP:0102 OP:07 13.87 fa e8. Choose close to terminate the application.
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Cmd.com?

    There is no legitimate "cmd.com" in Windows XP.

    There is command.com and there is cmd.exe.

    Verify when you get this message -- and if you have a file called cmd.com -- delete it.
     
  6. Weezie12

    Weezie12 Thread Starter

    Joined:
    Nov 4, 2003
    Messages:
    307
    Am I supposed to have a command.com and a regedit.com in Windows sysytem 32 folder? Thanks.
     
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    No, both of these are malware intrusions.

    While you could rename cmd.exe and regedit.exe with .com extensions and they would run -- the ones you are seeing were created maliciously and are taking priority over the normal executables.

    You need regedit.exe and cmd.exe. Cmd.exe should be in the System32 folder, and regedit.exe in c:\Windows

    If you mouse over or select the properties > version tab on these, they should have Microsoft copyrights.
     
  8. Weezie12

    Weezie12 Thread Starter

    Joined:
    Nov 4, 2003
    Messages:
    307
    C:Windows\system32\regedit.com C S:054f IP:0102 OPc7 fa e8 The NTVDM CPU has encountered an illegal instruction . Choose close to terminate the application.
     
  9. Weezie12

    Weezie12 Thread Starter

    Joined:
    Nov 4, 2003
    Messages:
    307
    Thank you so much. I deleted these two and everything seems to be working again.
     
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    :) (y)

    Great, feel free to use the Thread Tools tab to mark the problem "Solved" if you like.

    You're most welcome for the help.
     
  11. bearone2

    bearone2 Banned

    Joined:
    Jun 4, 2004
    Messages:
    5,809
    Thank you so much. I deleted these two and everything seems to be working again.

    glad it worked out.

    as i recall i removed the same files but never recovered what was lost so i reloaded xppro.:cool:
     
  12. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Don't know what happened to you -- but neither of those two files belongs in Windows.

    It's possible you had other unresolved infection issues. It is possible to make Windows executables dependent on malicious files -- but this can be fixed with registry patches when it is known.
     
  13. bearone2

    bearone2 Banned

    Joined:
    Jun 4, 2004
    Messages:
    5,809
    it's magic.
     
  14. trebor46

    trebor46

    Joined:
    Mar 20, 2008
    Messages:
    1
    I was just cruising reading your answers. And bingo that one answer led me to where the problem was living. The evil one was: " backdoor.leg.bz"; Chinese origin I believe. Living with it for 2 weeks. A big thank you.
     
  15. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/465214

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice