Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

NTVDM CPU has encountered an illegal instruction


  • This topic is locked This topic is locked
11 replies to this topic

#1 TCKW

TCKW

  • Members
  • 127 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:47 AM

Posted 27 November 2008 - 02:03 AM

Hi Folks,

Just today is the first time it happens - my laptop displayed this message :

16 bit MSDOS Subsystem
C:\WINDOWS\INSTAL - 1{747A6-1\SHORTC-3.EXE
The NTVDM CPU has encountered an illegal instruction.
CS:0dd0 IP:017b OP:ff ff 00 ff 00

Can anyone kindly advise me whats the problem with my computer ? Its a a Dell Inspiron running WIN XP SP3.

Thank you so much

Below is my HJK this Log:

Attached Files



BC AdBot (Login to Remove)

 


#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:03:47 PM

Posted 14 December 2008 - 12:58 PM

Hello and :thumbsup: to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#3 TCKW

TCKW
  • Topic Starter

  • Members
  • 127 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:47 AM

Posted 15 December 2008 - 01:09 AM

Dear Mr O Neal
Hi. Thank you very for your reply. Its really nice to hear from you. May I have a coupe of days to do as what you said as I am quite bz with work this 1-2 days.
In the mean time, since my last attached HJT post, there were some changes already in my using of the computer. Do u still need me to post a new HJT log?
Thank you.

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:03:47 PM

Posted 15 December 2008 - 07:36 PM

Hello, TCKW
Okie Dokie :thumbsup:

Good luck!

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#5 TCKW

TCKW
  • Topic Starter

  • Members
  • 127 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:47 AM

Posted 16 December 2008 - 02:32 AM

Hi Bill,
Here are the 2 files -
Thanks for your help.

Attached Files



#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:03:47 PM

Posted 16 December 2008 - 08:16 PM

Hello, TCKW
We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :services
    LKMSW
    MEMSWEEP2
    QLTYM
    Us2itt
    :commands
    [EmptyTemp]
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and chose "select all" (or use <Control>+A)
  • Right-click again and chose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

In your next reply, please include the following:
  • OTMoveIt3's Log
  • ESET OnlineScan's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#7 TCKW

TCKW
  • Topic Starter

  • Members
  • 127 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:47 AM

Posted 17 December 2008 - 11:27 AM

Hi Good morning to you.
Just before I begin to inform you the results of those things you asked me to do, I disabled the system restore when the Eset online scanner began to scan, and also disabled my up-to-date-paid Eset Nod 32 installed on my computer.

I hope here are all the info that u need of me, in case I left out any please re-assit me and I apologise as I think I'm not that efficient in 'obeying orders' to do this and do that per your assistance post.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3699 (20081217)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=97a16e63034a7a4db1570ecc106e687a
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-12-17 04:18:51
# local_time=2008-12-18 12:18:51 (+0800, Malay Peninsula Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=443953
# found=0
# scan_time=2861
# nod_component=V3 Build:0x30000000 ()

And below is the OTMoveIT3's log-
========== SERVICES/DRIVERS ==========
Service LKMSW stopped successfully.
Service LKMSW deleted successfully.
Service MEMSWEEP2 stopped successfully.
Service MEMSWEEP2 deleted successfully.
Service QLTYM stopped successfully.
Service QLTYM deleted successfully.
Service Us2itt stopped successfully.
Service Us2itt deleted successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_27c.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12172008_231200

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_27c.dat not found!

Take care. Good day to you.
Gonna sleep now, its 30 mins passed midnite.

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:03:47 PM

Posted 17 December 2008 - 08:35 PM

Hello, TCKW
That looks good. Are you still having problems?

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#9 TCKW

TCKW
  • Topic Starter

  • Members
  • 127 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:47 AM

Posted 18 December 2008 - 12:02 AM

Yea, Bill thanks.
It does working as usual. But I omitted to point out at the beginning, that this problem was intermittent.
So I really look forward that its really vanished for good.
To let you in, I was suspicious all along of this LKMS and QLTYM, not the others, since I looked at the HJT results.
Doing a google search turn up an entire blank, same as other tech forums. Cant find any clue what is this LKMS and QLTYM thing.
Anything you can educate me is highly appreciated.
Thanks again.

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:03:47 PM

Posted 18 December 2008 - 06:59 PM

Hello, TCKW

LKMS and QLTYM

I have no idea what these mean/are.

Congratulations! You now appear clean! :thumbsup:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware


We Need to Clean Up Our Mess
  • Please reopen Posted Image on your desktop.
  • Push the large "Cleanup" button
  • Allow your system to reboot
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automaticly if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#11 TCKW

TCKW
  • Topic Starter

  • Members
  • 127 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:47 AM

Posted 18 December 2008 - 11:39 PM

Thanks again for the comprehensive suggesstions/advice.

I have always been trying my best to practise good safe habits and I am still doing fully aware of all these nasty chaps lurking around to devour the unprotected.

If you ever have any updates of these LKMSW and QLTYM stuff which the OTMove removed, please do let me know.

May I wish you a very Merry Christmas and a great Happy New Year 2009.

#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:03:47 PM

Posted 20 December 2008 - 10:06 AM

Hello, TCKW
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users