Help With CMD Please!!!

royalk4

Member
Dec 2, 2005
184
0
0
When I try to get into CMD in Windows I get the message C:\WINDOWS\System32\cmd.com THE NTVDM CPU has encountered an illegal instruction.
CS:b701 IP:ecf7 OP:ff fe ff ff -- Choose 'Close' to terminate the application.

I have no idea what to do about this but any help would be great.
 

kylef

Golden Member
Jan 25, 2000
1,430
0
0
NTVDM is the 16-bit DOS virtual machine that allows you to run ancient 16-bit DOS applications in Windows NT, Windows 2000, or Windows XP. Normally NTVDM is not ever loaded unless you try to run a 16-bit DOS program. (Or some application tries to run one on your behalf.)

If you can't go to start->run and type "c:\windows\system32\cmd.exe" and have it start up without that error, then somehow your cmd.exe binary seems to have gotten corrupted. Can you post the size and version info of your cmd.exe file?

You can get this error message rarely if the system loader thinks the binary is in the old DOS executable format, possibly because the PE headers are corrupt or missing. (Every Windows PE executable contains a standard DOS executable at the beginning to print out a stub message on non-Windows systems that says "This program requires Microsoft Windows.") But then when the NTVDM tries to execute the binary as 16-bit instructions, it throws an error when it gets to the corrupt part of the file.

I would run chkdsk at your earliest convenience.

Incidentally, is this on Windows 2000? If you were on XP, System File Protection should have caught this problem already.
 

royalk4

Member
Dec 2, 2005
184
0
0
I was able to get into CMD with the method listed by Kylef but whenever I tried to do anything inside of CMD32 the same message comes up. This is on XP BTW, this is weird because I used to get into CMD and ping other sites or whatever I need to do.
 

kylef

Golden Member
Jan 25, 2000
1,430
0
0
Originally posted by: royalk4
I was able to get into CMD with the method listed by Kylef but whenever I tried to do anything inside of CMD32 the same message comes up.

What are you trying to do, specifically? Can you give me an example of a command you tried to run that caused the failure? Does *anything* work?

I'm starting to think that maybe your executable path is somehow pointing to an invalid set of binaries with 16-bit headers...

If you type "echo %path%", do you see any directories listed in your path which look suspicious?

Also, try the steps suggested by RBBRMADE, in case he/she turns up a different explanation.
 

royalk4

Member
Dec 2, 2005
184
0
0
I tried regedit and got the same message but regedit.exe brought me to the registry editor. What I was trying to do was ping google because our internet had become sh**** and my roommate said that packets would go missing. I wanted to check this myself. So I would go to cmd and C:\ ping google.com then the same message would come up.
 

RBBRMADE

Senior member
Oct 28, 2003
491
0
0
I am on the road right now... but if you'll Google these terms, you may find your answer:
killbox.exe cmd.com regedit.com
If you have a cmd.com then this should fix your PC.
I'll check back later...
Ron
 

Robor

Elite Member
Oct 9, 1999
16,979
0
76
In my previous job we had a user with a trojan/worm/virus that experienced this same issue. I don't remember the name of it but I think if you search on Google a bit as RBBRMADE suggested you'll find your answer.

Here's a free (albeit slow) online scanner: http://housecall.trendmicro.com
 

RBBRMADE

Senior member
Oct 28, 2003
491
0
0
No guarantees, but try this....

Download killbox.exe, install and run it.

killbox.exe


*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Program Files\MsConfigs\MsConfigs.exe
C:\WINDOWS\system32\p2pnetwork.exe
C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

You may not even have some of these files. No big deal...

I have had to deal with this a half a dozen times over the last few months. This has fixed it every time. It is malware related, but a couple of the machines I repaired with this had no other signs of an infection.

If this does not do the trick, I would suggest making necessary backups, and performing an XP repair install.

Hope this helps,
Ron
 

kylef

Golden Member
Jan 25, 2000
1,430
0
0
Trojan apps would certainly explain why NTVDM was being loaded.

Are you not using a virus scanner?

You can also try out Microsoft's anti-spyware called Windows Defender, which is free right now while it's in Beta.
 

RBBRMADE

Senior member
Oct 28, 2003
491
0
0
Originally posted by: kylef
Trojan apps would certainly explain why NTVDM was being loaded.



When he types CMD, it will check for cmd.com first. If there is one available, that is what tries to run. CMD.com is created when some malware installs itself. I want to say ALCAN was one of the worms that cause this. When he types cmd.exe it runs the correct executable, same as regedit. This may not be the problem, but it sure is similar to what I have seen!

Ron
 

kylef

Golden Member
Jan 25, 2000
1,430
0
0
Originally posted by: RBBRMADE
When he types CMD, it will check for cmd.com first. If there is one available, that is what tries to run. CMD.com is created when some malware installs itself.

I'm actually a bit amazed that malware still uses this technique, because it doesn't even do a very good job of hiding cmd.exe. The trick would only affect people who launch cmd consoles without specifying the file extension ".exe".

Smarter malware would install a kernel-mode service to do all kinds of nasty stuff, like preventing the malware from showing up at all in the filesystem or the system process list. You'd never even know it was there. :)

This one, on the other hand, makes it painfully obvious that something is wrong. Thank goodness for dumb malware, eh?
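
The name-resolution behaviour discussed in the posts above (a bare `cmd` resolving to `cmd.com` before `cmd.exe`, because `.COM` precedes `.EXE` in the default PATHEXT order) can be audited with a short script. This is an added example, not code from any poster in the thread; the function names and the sample files are constructed for illustration, and the PE check follows kylef's point that a file without valid PE headers is handed to NTVDM.

```python
import os
import struct
import tempfile

# Default Windows PATHEXT order begins with .COM ahead of .EXE.
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD"

def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"

def find_shadowed(directory, pathext=DEFAULT_PATHEXT):
    """Return (winner, shadowed, winner_is_pe) for each base name that exists
    with several executable extensions; winner is what a bare name would run."""
    order = [e.lower() for e in pathext.split(";") if e]
    by_base = {}
    for name in os.listdir(directory):
        base, ext = os.path.splitext(name)
        if ext.lower() in order:
            by_base.setdefault(base.lower(), []).append(name)
    findings = []
    for names in by_base.values():
        if len(names) < 2:
            continue  # only one candidate, nothing is shadowed
        names.sort(key=lambda n: order.index(os.path.splitext(n)[1].lower()))
        winner = names[0]
        findings.append((winner, names[1:], is_pe(os.path.join(directory, winner))))
    return sorted(findings)

def build_sample(directory):
    """Constructed sample data: a minimal PE-looking cmd.exe, a non-PE CMD.COM
    and an unshadowed ping.exe. No real binaries are involved."""
    pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    for name, data in (("cmd.exe", pe), ("ping.exe", pe), ("CMD.COM", b"\xff\xfe\xff\xff")):
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for winner, shadowed, pe in find_shadowed(d):
            print(f"{winner} shadows {shadowed} (valid PE: {pe})")
```

On a live system, pass the system directory and `os.environ["PATHEXT"]` instead of the sample directory; a `.com` that wins over a same-named system `.exe` is worth investigating whether or not it parses as PE.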
 

royalk4

Member
Dec 2, 2005
184
0
0
Thx for the help everyone. I installed Killbot and it deleted the said files, and command prompt works now.
 

gsellis

Diamond Member
Dec 4, 2003
6,061
0
0
Originally posted by: RBBRMADE
Originally posted by: kylef
Trojan apps would certainly explain why NTVDM was being loaded.



When he types CMD, it will check for cmd.com first. If there is one available, that is what tries to run. CMD.com is created when some malware installs itself. I want to say ALCAN was one of the worms that cause this. When he types cmd.exe it runs the correct executable, same as regedit. This may not be the problem, but it sure is similar to what I have seen!

Ron

Thanks Ron. I was looking at a CSA log yesterday and wondering why the heck I saw IE call NTVDM (it was stopped.) It seemed really suspicious, so now I will add it to our trouble report. :D

 
