
NTVDM hard error on Windows 2003 Server SP1


BitBucket

Feb 18, 2006, 2:21:59 AM

Hello:

PROBLEM

When executing various commands in a DOS window or via Start | Run on a
Windows 2003 Server SP1 platform, there is a pop-up box with the error
message:

Title bar: ntvdm.exe - System error
Message: NTVDM encountered a hard error.
Options: Close | Ignore


In the System error log, there is an application pop information
message, as follows:
..................................................
Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 2/17/2006
Time: 10:28:03 PM
User: N/A
Computer: MPX
Description:
Application popup: ntvdm.exe - System Error : NTVDM encountered a hard
error.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
..............................................

This problem was originally encountered yesterday trying to run
regedit.exe from the Start | Run box. It was also confirmed trying to
run regedit.exe from a DOS window command prompt. However, regedit.exe
executed as expected when double-clicked with Windows Explorer from
C:\WINDOWS\regedit.exe. In addition, regedt32.exe executed as expected
without error from all three launch situations (Start | Run, DOS
command line and Windows Explorer).

I tested this with some neutral external DOS programs, like ping. I've
found that 'ping' and 'ping /?' and "ping www.yahoo.com" all generate
this error as well, when executed from the DOS command line and from
Start | Run. The file "command" executes from the DOS command line,
but 'cmd' does not (it generates this error).

But it appears that when the offending command is enveloped in the
command environment, the program works. e.g., the command "command /c
ping www.yahoo.com" executes normally. So there appears to be
something wrong with the DOS environment, but I can't figure out what
it is.

I have run the Windows File Protection Scan sfc.exe /scannow on the
system and all the files conform to the required versions (either
regular 2003 or SP1 2005).

The server is not a domain controller, and is on a LAN with a Windows
2000 Server. No Windows Terminal Services are running (that I know of),
and all anti-virus programs have been removed. I suspect this problem
is connected to a recent trial version of Kaspersky Anti-Virus for
Windows Servers v5 (trial version), but I don't have any direct
evidence of this, and I have subsequently uninstalled this program.
Autoexec.nt was modified, but has been restored to its original
condition. Autoexec.bat is zero-bytes.

I've pretty much exhausted all web-based resources with this one, so
any help would be appreciated.

-- Roy Zider

Pegasus (MVP)

Feb 18, 2006, 6:15:02 AM

"BitBucket" <file...@cyberonic.com> wrote in message
news:1140247319.6...@g14g2000cwa.googlegroups.com...

You may have a corrupt command processor, cmd.exe.
I recommend you replace it with the one found on your
server installation CD.

BTW, there is no DOS under Windows server. DOS is
an operating system of its own. You probably meant the
"Command Prompt" when you said "DOS environment".

Windows server largely ignores c:\autoexec.bat. The file
Autoexec.nt is processed when you start a 16-bit
application such as debug.exe. However, regedit.exe and
ping.exe are 32-bit applications.


BitBucket

Feb 18, 2006, 2:58:48 PM

Pegasus:

Thanks for the suggestion, but cmd.exe does check against the SP1
source files. (This is part of the sfc /scannow validity check in any
case).

I realize DOS is a bit of an anachronism, even archaic in internet
time, but as you probably know most programs still refer to it, even
cmd.exe: "This program cannot be run in DOS mode." W2K3 refers to it
with the environment string "SESSIONNAME=Console". So there's some
leeway here, I guess.

Thanks again.

Pegasus (MVP)

Feb 18, 2006, 3:58:21 PM

"BitBucket" <file...@cyberonic.com> wrote in message
news:1140292728.7...@o13g2000cwo.googlegroups.com...

I recently dealt with a similar post that had a corrupted
command processor. The OP claimed that sfc.exe failed
to identify the corruption, and that he fixed the problem
by copying the file from his CD.


BitBucket

Feb 18, 2006, 9:38:45 PM

Additional troubleshooting information on this problem.

1. sysedit works.

Troubleshooting NTVDM and WOW Startup Errors
http://support.microsoft.com/?id=220155

Start | Run sysedit opens all files OK.

Also OK from the command prompt. This validates the ntvdm.exe
function.

2. Renaming file allows proper execution.

Renaming cmd.exe to xcmd.exe, or regedit to xregedit.exe, allows
proper execution.

This appears to indicate that these files are being monitored by
name, possibly by an installed daemon.

3. Reboot in safe mode fails to solve the error.

ping - NTVDM hard error
sfc - OK
regedit - NTVDM hard error
regedt32 - OK.
xregedit - OK (copy regedit.exe xregedit.exe)

So specific files are still being monitored, and drivers or programs
must still be running.

Looking for other programs that may be intercepted:

TASKLIST NTVDM hard error
TASKKILL NTVDM hard error
SYSTEMINFO OK
SC OK, SC QUERY OK
DRIVERQUERY OK
CACLS OK
IPCONFIG OK

Still get the same NTVDM hard errors when in Safe Mode. So if it's a
resident driver, the driver is part of the base installed system.

4. Check for rootkit

Installed and ran RootkitRevealer 1.60 -- nothing suspicious found.

5. Reboot in normal mode, Google the web for possible clues.

Google terms
"NTVDM hard error" regedit tasklist taskkill 0 hits
"NTVDM hard error" regedit.exe 0 hits
"NTVDM hard error" regedit 1 hit
http://ntvdm-hard-error.2fixerror.info/
ads for spyware removal kits

"NTVDM hard error" taskkill 0 hits
"NTVDM hard error" tasklist 0 hits
"NTVDM hard error" ping 2 hits

http://www.eggheadcafe.com/forumarchives/windowsservergeneral/sep2005/post24222614.asp
relevant (no ref to ping) but no answer to same problem

virus NTVDM hard error 100+/17,800
virus NTVDM hard error regedit 100+/635
virus NTVDM hard error tasklist 100+/150
virus NTVDM hard error tasklist regedit 100+/391
worm regedit ping taskkill tasklist tracert 100+/525


SOLUTION

The cause of the NTVDM error turned out to be due to a worm
infection. The infection included dropping seven files with
system/hidden attributes in the C:\WINDOWS\system32 folder with the
same names as regular Windows files, but with .com rather than .exe
filename extensions.

DISCUSSION

Due to the priority of .com over .exe in program execution, a .com
file (regedit.com) will get executed before a .exe file
(regedit.exe). In this case, the files in question were only
two-byte files containing "MZ", the length of which is displayed as
1K in Windows Explorer and is more or less easily overlooked in a
folder with hundreds of files, even if the folder is set to view
system and hidden files and folders (which many systems will not be
set up to do).

The behavior under Windows 2003 Server is apparently different than
under Windows 2000 Server. Executing a two-byte file (i.e., tt.com)
under Windows 2000 Server from Windows Explorer by double clicking on
it will bring up a screen full of garbage, apparently a display
overflow in the code. Execute the same tt.com from the console
(command window) and the error message comes back as "Wrong DOS
version". In Windows 2003 Server, by contrast, in both cases Windows
displays a popup window with the NTVDM Hard error error message.

This error has appeared in several posts on the www in the past nine
months, but without resolution as far as I can see. Using "NTVDM" as
a key term therefore was not as useful as it might have been
otherwise. In my diagnostic notes above, I also overlooked the
possibility that there was an execution-order preference at work
here that would have explained the successful execution of the
renamed files, rather than a resident daemon or some defect in
Windows File Protection.

Some links to this worm description and removal tools from several
anti-virus vendors are included below.

-- Roy Zider


http://www.clairelee.net/ (first hooked into possible solution here)
Google cache:
http://64.233.179.104/search?q=cache:Hv_TN9S-kCMJ:www.clairelee.net/+virus+NTVDM+hard+error+tasklist+regedit&hl=en&gl=us&ct=clnk&cd=63

Also:
TRACERT ERROR
NETSTAT ERROR
CMD.COM ERROR

Worm.Alcan.A
http://www.k7computing.com/virusinfo/WormAlcanA.htm
1. Creates the following files in the Windows System folder with

hidden and system attributes set:

cmd.com
ping.com
regedit.com
taskmgr.exe
tasklist.com
taskkill.com
netstat.com
tracert.com

Seven of the above eight are in C:\WINDOWS\system32, not ..\system,
and all have hidden and system attributes. Taskmgr.exe is there, but
as normal attributes. The seven have timestamps of 2/16/2006 4:29
PM, plus bszip.dll.

W32.Alcra.D
http://www.symantec.com/avcenter/venc/data/w32.alcra.d.html
Some minor variations on earlier details from k7.
Not a great set of recommendations, esp since regedit is preempted.

W32/Alcan.worm!p2p
http://vil.mcafeesecurity.com/vil/content/v_133690.htm

W32/Alcra-B
http://www.sophos.com/virusinfo/analyses/w32alcrab.html
aliases: Worm.Win32.VB.an W32/Alcan.worm!p2p

Run Sophos from web to do the scan -- after having removed the files
from C:\WINDOWS\system32. Found and deleted the 7 files I had left
in C:\WINDOWS\system32. Didn't detect the copies in H:. Report file
is at C:\reslove.log, moved to H:.

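An added check, not part of the original thread, that would have surfaced these droppers directly instead of through search-engine archaeology: the PowerShell below lists every .com file in System32 that has a same-named .exe beside it (the .com-before-.exe shadowing the post describes), with its size, Hidden/System attributes, timestamp and first bytes, so a two-byte "MZ" regedit.com stands out. It assumes Windows PowerShell 3.0 or later on a current host, run from an elevated prompt; the directory parameter and the 512-byte "stub" threshold are my choices, not anything from the thread.

```powershell
# Added example, not from the original thread: list .com files that shadow a
# same-named .exe in System32, which is what the dropped regedit.com, ping.com,
# cmd.com, tasklist.com etc. did. Assumes Windows PowerShell 3.0+, run elevated.
param(
    [string]$Dir = (Join-Path $env:SystemRoot 'System32'),
    [int]$StubLimit = 512   # assumed threshold: nothing this small is a real program
)

# cmd.exe tries the PATHEXT extensions in order for a bare command name; the
# default list starts ".COM;.EXE;...", so regedit.com wins over regedit.exe.
Write-Host ("PATHEXT order: " + $env:PATHEXT)

# -Force includes Hidden and System files, which Explorer hides by default.
$findings = Get-ChildItem -LiteralPath $Dir -Filter '*.com' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $com = $_
        if ($com.Extension -ine '.com') { return }            # 8.3 filter noise
        $exe = Join-Path $com.DirectoryName ($com.BaseName + '.exe')
        if (-not (Test-Path -LiteralPath $exe)) { return }   # no .exe to shadow: skip

        # Read at most 64 bytes without loading the whole file.
        $buf = New-Object byte[] 64
        $fs  = [IO.File]::OpenRead($com.FullName)
        try     { $n = $fs.Read($buf, 0, $buf.Length) }
        finally { $fs.Dispose() }
        $head = if ($n -gt 0) { ($buf[0..($n - 1)] | ForEach-Object { $_.ToString('X2') }) -join ' ' } else { '' }

        [pscustomobject]@{
            ComFile  = $com.Name
            Shadows  = Split-Path -Leaf $exe
            Bytes    = $com.Length
            Hidden   = $com.Attributes.HasFlag([IO.FileAttributes]::Hidden)
            System   = $com.Attributes.HasFlag([IO.FileAttributes]::System)
            Modified = $com.LastWriteTime
            Head     = $head
            # A two-byte "MZ" file (4D 5A) is a PE header start with nothing behind it.
            Stub     = ($com.Length -lt $StubLimit)
        }
    }

$findings | Sort-Object Stub -Descending | Format-Table -AutoSize
if (-not $findings) { Write-Host "No .com file in $Dir shadows a .exe." }
```

Legitimate .com files in System32 (more.com, tree.com, chcp.com and the like) have no .exe twin, so they are filtered out; anything that remains is worth a hash and a look at its timestamp cluster, as the seven files dated 2/16/2006 4:29 PM were here. From a plain command prompt, `where regedit` lists every matching file on the PATH, so a regedit.com sitting next to regedit.exe shows up even without this script.
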
Pegasus (MVP)

Feb 18, 2006, 10:06:32 PM

"BitBucket" <file...@cyberonic.com> wrote in message
news:1140316725....@g43g2000cwa.googlegroups.com...

Very nice job in tracking this one down - congratulations!
What worries me is how the virus could establish itself in
the server. Presumably you have a good virus scanner,
presumably you keep it up-to-date, and presumably the
server is not used as a workstation where all sorts of
rubbish could be downloaded from various Internet sites.
So how could it happen?


BitBucket

Feb 19, 2006, 4:53:49 PM

Pegasus:

How could this happen? Good question.

Yes, the server was protected, but not at the time I allowed the virus
in. I had been using Symantec, and have been very dissatisfied, first
with its false positives using its heuristics ("Bloodhound") detection.
And then with its failure to open or identify some poorly-formed zip
and rar files. So I went looking for a substitute.

And you know what the first recommendation is when installing another
AV product: remove or disable your existing AV product, if any. So I
uninstalled Symantec AV when I was wrestling with Kaspersky Anti-Virus
for Windows Servers 5. Not a pretty process, and I eventually
uninstalled it due to it not having a "scan for viruses" option
attached to the context menu of Windows Explorer (Servers version
doesn't have a GUI, as the tech support people characterize it) and too
many unanswered questions from tech support.

So as you might guess, somewhere during this messing around and testing
I stepped on this worm. It may actually have been caught by KAV, but
if it was its removal was incomplete and I never got a post about it
since the error and detection logs were either empty or non-functional
at the time. But I did trace it back, using various timelogs and such,
and did find the file -- something I had downloaded with eMule.

I'd like to fix this process once and for all, but as long as Symantec
gets beat in the ratings by KAV and others, and fails to update,
correct and enhance their products, I'll be switching until I get this
right.

BitBucket

Feb 19, 2006, 4:56:18 PM

... and presumably the server is not used as a workstation where all
sorts of rubbish could be downloaded from various Internet sites

Yes, have been known to do that -- am working my way off that practice
as I establish different roles for the various systems I've been using.
That was the main problem here.
