The NTVDM CPU has encountered an illegal instruction
Customer PC suddenly shows a black screen (sounds like a power supply problem, or maybe a display/video card issue).
Anyway, I get there, and from what she describes, it sounds like the PSU.
After 45 minutes, I see no evidence of the screen blanking out.
We agree to replace the PSU anyway (just in case).
About 2 weeks later, I’m called back.
I’m told it all ran well for a week, then it started acting up again.
Of course, I get there, and I cannot replicate the problem after trying for 1 hour.
However, I do get 3 other problems:
- At one point, the screen half freezes (the display won’t update, but the mouse pointer can still move, and I can still hear/see disk activity).
- Starting a cmd prompt gives me the following error: “The NTVDM CPU has encountered an illegal instruction”. After that, it just vanishes.
- Regedit refuses to start.
I take the PC back to the office (and leave the customer with a replacement PC, a 600MHz HP e-PC).
I eventually find the cause of the NTVDM error: a prior infection has left some files that replace other common Windows files, e.g. cmd.com is placed into the Windows folder… typing cmd in the Run window means that cmd.com will run before cmd.exe.
It also looks like other files are “substituted”:
- regedit.com
- tracert.com
- tasklist.com
- taskkill.com
- ping.com
- netstat.com
But AntiVir and Defender don’t detect anything wrong with these files. I take a peek inside the files, and I see they only have 2 bytes: “MZ”.
It looks like the dangerous “payload” within these files never got there (or was removed), but the files remained (causing me some confusion).
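The shadowing described above can be checked for directly. The following is an added example, not code from the original post: it lists every `.com` file whose base name also exists as an `.exe` in the scanned folders and classifies it by size and first two bytes. The folder layout, the 64-byte header threshold and all function names are assumptions made for the illustration; `demo()` runs the scan against constructed sample files.

```python
from pathlib import Path
import tempfile

DOS_HEADER_SIZE = 64  # a full MZ header (through e_lfanew at 0x3C) needs 64 bytes


def classify_com(path):
    """Classify a .com file by its size and first two bytes."""
    size = path.stat().st_size
    with path.open("rb") as fh:
        magic = fh.read(2)
    if magic != b"MZ":
        return size, "raw .com image"
    if size < DOS_HEADER_SIZE:
        return size, "truncated MZ stub"
    return size, "EXE-format file named .com"


def find_shadowing_com(dirs):
    """Return a finding for every .com whose base name also exists as .exe."""
    exes, coms = {}, []
    for d in map(Path, dirs):
        for p in sorted(d.iterdir()):
            base, ext = p.stem.lower(), p.suffix.lower()
            if ext == ".exe" and p.is_file():
                exes.setdefault(base, p)
            elif ext == ".com" and p.is_file():
                coms.append((base, p))
    return [(base, p, exes[base]) + classify_com(p)
            for base, p in coms if base in exes]


def demo():
    """Scan a constructed WINDOWS/system32 layout (sample data, not real files)."""
    with tempfile.TemporaryDirectory() as root:
        windows = Path(root, "WINDOWS")
        (windows / "system32").mkdir(parents=True)
        samples = {
            "system32/cmd.exe": b"MZ" + bytes(126),
            "system32/ping.exe": b"MZ" + bytes(126),
            "system32/more.com": b"MZ" + bytes(126),  # no more.exe: not flagged
            "cmd.com": b"MZ",   # 2-byte leftover, as in the post
            "ping.com": b"MZ",  # 2-byte leftover, as in the post
        }
        for rel, data in samples.items():
            (windows / rel).write_bytes(data)
        hits = find_shadowing_com([windows, windows / "system32"])
        return [(name, size, verdict) for name, _, _, size, verdict in hits]
```

On a real machine, pass the actual Windows and system32 folders to `find_shadowing_com`; a `.com` file that has no `.exe` of the same name is not reported.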
I also decide to install Service Pack 3 (and hopefully any odd corrupted file gets fixed in the process).
After that, I do a virus scan, and also look closely at various startup programs, as well as running programs (within task manager).
I find and remove “mirar search” and “funweb products”.
A while later, I also notice a service called SecuROM.
Research shows that it’s an annoying copy-protection “enforcer” that stops you from making illegal copies of media… but also seems to cause lots of problems… OK, I disable it.
A while later, while trying to get the PC to “fail”, I notice IE7 stops responding whenever I look at a “news clip” (which turns out to use Flash).
So I install the latest Flash Player… and that minor problem goes away.
After running the system non-stop for about 5 days, I find no evidence of the original problem… but I fix up lots of smaller problems along the way.
Once I return the PC to the customer, I don’t hear back for over 2 weeks, so it looks like the problem is gone.