Jump to content

The NTVDM CPU has encountered an illegal instruction CS:0fe1 IP:0613 OP:63 6b 61 72 64


Recommended Posts

;) I'm suddenly having the below message while I use my pc (XP PRO). It occurs very frequently.

C:\Windows\System32\svchost.exe

The NTVDM CPU has encountered an illegal instruction CS:0fe1 IP:0613 OP:63 6b 61 72 64 Choose 'Close' to terminate the application.

The error is not occurring based on usage or after running a spesific program. It can happen at anytime I use my pc.

I can not give the name of the programs that causes the error becuase it can occur while I use any ckind of program. Beside it says C:\windows\svchost.exe. Most probably , a service or some # of services running at the background , which are trying to use ntvdm somehow throwing that error.

I tried many suggestions on the google and posts but I could not fix it. I scanned with various ANTI malware/spyware tools. I found & fixed some small problems. I reinstalled SP3 as well. But it still comes to my screen suddenly. I'm attaching the screenshot of the window that pops up.

I'm seding HJT log below . I do not wanty to reinstall my pc , Please help.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:04:49, on 20.08.2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\ActivCard\acautoreg.exe

C:\Program Files\Common Files\ActivCard\accoca.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\PROGRA~1\Sygate\SSA\syg_hp.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Remote tools\msraLinkMonitor.exe

C:\oracle\ora92\bin\omtsreco.exe

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exe

C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radsched.exe

C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\Radstgms.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

C:\WINDOWS\Explorer.EXE

c:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe

C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\emMon.exe

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\X1\X1FileMonitor.exe

C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\MagicDisc\MagicDisc.exe

C:\Program Files\X1\X1Systray.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\ntvdm.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy.austin.hp.com:8088

O1 - Hosts: 208.117.236.70 youtube.com

O1 - Hosts: 208.117.236.70 www.youtube.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Oturum A

post-3366-1219181813_thumb.jpg

post-3366-1219181813_thumb.jpg

Link to post
Share on other sites

  • Root Admin

Hello Timur and Welcome to Malwarebytes.

It could very well have nothing to do with Malware, but we can proceed and work on it with the assumption that maybe it does have some type of Malware.

Please follow the instructions from the top of this forum called Pre- HJT Post Instructions and we can then assist you further.

We need the logs from the other requested tasks please.

.

Link to post
Share on other sites

Hi AdvancedSetup,

I did all pre-requisite steps to post HJT logs.

I scanned with Malwarebytes AntiMalware tool , it could not find anything. Please find the log attached.

Then I scanned with PANDA Online Security. It took very long and scanned my 70GB of data. It found very simple problems and files which I never use. Please find the log attached.

I also scanned with SpyBot which did not solve my problem. My system seems clean according many antispy or antivirus programs in the net.

As I stated before, the problem occurs at any time and any kind of program I use my windows. In my oppinion one of the services installed to my windows box is malware. Please analyze my HJT log and try to catch the problem related to svchost.exe

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:04:49, on 20.08.2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\ActivCard\acautoreg.exe

C:\Program Files\Common Files\ActivCard\accoca.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\PROGRA~1\Sygate\SSA\syg_hp.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Remote tools\msraLinkMonitor.exe

C:\oracle\ora92\bin\omtsreco.exe

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exe

C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radsched.exe

C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\Radstgms.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

C:\WINDOWS\Explorer.EXE

c:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe

C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\emMon.exe

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\X1\X1FileMonitor.exe

C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\MagicDisc\MagicDisc.exe

C:\Program Files\X1\X1Systray.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\ntvdm.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy.austin.hp.com:8088

O1 - Hosts: 208.117.236.70 youtube.com

O1 - Hosts: 208.117.236.70 www.youtube.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Oturum A

mbam_log_08_20_2008__17_03_41_.txt

activeScan.txt

uninstall_list.txt

post-3366-1219241467_thumb.jpg

mbam_log_08_20_2008__17_03_41_.txt

activeScan.txt

uninstall_list.txt

post-3366-1219241467_thumb.jpg

Link to post
Share on other sites

  • Root Admin

Hi Timur,

I've moved your post in to the PC Help forum as it appears to be a general PC issue and not Malware related.

Give me some time to review your information and I'll post back some ideas.

In the mean time please provide the following information about your PC

MAKE

MODEL

MFG

CPU

RAM

VIDEO

.

Link to post
Share on other sites

  • Root Admin

Well I was going to look up every single one of your RUN entries and provide feedback on each of them, but that is a LOT of work that might not prove to be that much value.

Let's try this. Click on START - RUN and type in MSCONFIG and then select Diagnostic Startup - load basic devices and services only

Then restart your computer and see how the system works now. If you need something else started then go to the appropriate start menu item and launch it instead of it auto launching.

Try that for a while and see if that gets rid of this error or not. If it does, then slowly start putting back ONLY the items that you need and test it for a while to ensure the item you just put back is not causing an issue.

Let us know how that works out and if you do find the conflict let us know which one it was.

.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.