NTVDM and error C0H

[Mario - Roma]

Last week I had several Windows XP based PCs that stopped running 16 bit
aplications.
NTVDM reports and error "C0H", but I was unable to troubleshoot the meaning
of the error.
The problem occurred at some different sites, so I suspecred a virus or some
other kind of malware.
On the other hand, I looked at the main antivirus sites and none reported
the symptoms I found, so I can imagine a different cause as well.
I used Google to perform a search, and I found a post in a forum based in
the Czech Republic that looks to report a problem similar to mine, but I
can't understand the complete meaning of the message.
Can anybody please tell me if they ever faced a problem similar to mine and
how can I troubleshoot code C0H for NTVDM?
Regards
Mario
Roma - Italy

 

[Andrew McLaren]

Last week I had several Windows XP based PCs that stopped running 16 bit
aplications.
NTVDM reports and error "C0H", but I was unable to troubleshoot the meaning
of the error.

Bongiorno, Mario

This is just a guess - but C0H sounds like "C0" in hexadecimal format,
which is equal to 192 in decimal.

Windows error code 192 is defined in Winerror.h as
ERROR_EXE_MARKED_INVALID, "The operating system cannot run %1"

If so, then an EXE file image is damaged or invalid - maybe NTVDM
itself, or the 16-bit EXE you're trying to run within the NTVDM.

Do you have the exact text of the error message? What does the error
look like?

And, do *all" 16-bit apps refuse to run? Or only some of them? What
happens if you run, say "edit" (EDIT.COM) or "command" (COMMAND.COM)?

A piu tarde,
Andrew

 

[NikosKek]

Last week I had several Windows XP based PCs that stopped running 16 bit
aplications.
NTVDM reports and error "C0H", but I was unable to troubleshoot the meaning
of the error.
The problem occurred at some different sites, so I suspecred a virus or some
other kind of malware.
On the other hand, I looked at the main antivirus sites and none reported
the symptoms I found, so I can imagine a different cause as well.
I used Google to perform a search, and I found a post in a forum based in
the Czech Republic that looks to report a problem similar to mine, but I
can't understand the complete meaning of the message.
Can anybody please tell me if they ever faced a problem similar to mine and
how can I troubleshoot code C0H for NTVDM?
Regards
Mario
Roma - Italy

I have the same problem that started some days ago.

2 different Workastations .. running Windows XP Pro SP2
They run several windows 16bit apps from network drive.
1 PC is still running ok (so apps have no problem)
The other PC refuses to open them showing NTVDM error c0h
This PC also doesn't open Edit.com orCommand.com, showing the same error
message.

Haver tried system restore about 15days back, have tried sfc checking, disk
checking (even from recovery console) with no succesful results.

I even copied the ntvdm.exe, ntvdm.dll from the one PC that Windows 16bit
apps still worked ...no succes.

Any help would be greatly welcome.

 

[SC Tom]

Last week I had several Windows XP based PCs that stopped running 16 bit
aplications.
NTVDM reports and error "C0H", but I was unable to troubleshoot the
meaning of the error.
The problem occurred at some different sites, so I suspecred a virus or
some other kind of malware.
On the other hand, I looked at the main antivirus sites and none reported
the symptoms I found, so I can imagine a different cause as well.
I used Google to perform a search, and I found a post in a forum based in
the Czech Republic that looks to report a problem similar to mine, but I
can't understand the complete meaning of the message.
Can anybody please tell me if they ever faced a problem similar to mine
and how can I troubleshoot code C0H for NTVDM?
Regards
Mario
Roma - Italy

Start here http://support.microsoft.com/kb/220155 and see if it's any
solution.

SC Tom

 

[Astrohound]

Tried everything. Tried restoring autoexec.nt and config.net. Tried system
file checker (sfc.exe). Tried replacing all ntvdmfiles and all 16bit files
with the ones from the working Win XP installation. Tried messing with the
environment variables. But nothing...

 

[frantisek]

Start herehttp://support.microsoft.com/kb/220155and see if it's any
solution.

SC Tom- Skrýt citovaný text -

- Zobrazit citovaný text -

I had exactly the same issue on the WinXP SP3 box. I was successful to
clean it rewriting both MasterBoot and PartitionBoot programs with
their default instalation versions. I used Paragon Hard Disk Manager
2009 Linux boot CD Boot Repair option, but I beleive, that the same
should work with different tools too. I suppose, there is a chance to
be successful even with WinXP Recovery console fixboot and fixmbr.

Frank
Prague, CR

 

[mercurialuser]

I had this error on one networked pc in Italy (Rome). The pc started
to freeze randomly. A clone of the disk was done. Motherboard was
changed with an exact replacement and at first boot it gave a BSOD. At
the next boot it started ok, but showed this ntvdm/keyboard problem.

I coordinated all the changing remotely. I then went on site and I
discovered that the local firewall showed 2 connections from/to very
non-standard ports to two italian ip addresses. THESE CONNECTIONS WERE
NOT LISTED AT "netstat -na" !!!!

I tried several anti-rootkit scanner with no success.

Restoring the image did not solve the problem but a full install from
the original windows xp cd solved...

The problem started about at the time the original poster called. And
it's about the time my sister called saying her pc started to
freeze... today I checked her pc and it has the same keyboard lockup
problem !!!



If the problem disappears resetting the MBR, I strongly feel something
wrong is going on.... (probably installing xp from cd reset the mbr)

I'm now trying to create a VM with that drive image and scan it
"externally" with a linux boot disk.

I'm also going to alert my AV vendor.

Francesco

(e-mail address removed) ha scritto:

 

[mercurialuser]

I performed a scan with a linux boot disk (trk) and it found SINOWAL.S
virus

Sinowal is a virus that modifies the MBR !

Have a look here for cleaning (in italian):
http://www.hwupgrade.it/forum/showthread.php?t=1715546

The worst part is: if a 2008 virus can enter a fully protected, fully
patched windows xp... there should be some other 0-day exploit in the
wild.

 

[Bruce Chambers]

The worst part is: if a 2008 virus can enter a fully protected, fully
patched windows xp... there should be some other 0-day exploit in the
wild.

Actually, the real "worst" part is that you thought your system was
"fully protected" when it very clearly wasn't even marginally protected.


--

Bruce Chambers

Help us help you:


http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot

 

[mercurialuser]

Hi Bruce,
you are very nice

Actually, the real "worst" part is that you thought your system was
"fully protected" when it very clearly wasn't even marginally protected.

There have been several computers (mine 2 were fully patched and with
1 or 2 anti-malware) that were infected at about the same time in
Italy with the same malware (symptoms are the same).

Of course they were SUPPOSED to be protected... and infact I'm
cooperating with my av vendor to try to understand HOW they got
infected, if by a 0-day exploit or by a "hole" in my setup....

I believe it's a big difference....

 

[Andrew McLaren]

HI. I have the same virus. When I type in "mtest" (no quations) I get
the following.I am trying to follow the directions as outlined by pp64

Is not a reconized Internal ot external command, opperabe program or
batch File.

Did you rename the mbr.exe file to mtest.exe, as described in pp64's
instructions?

Or else, just use the steps from the GMER website:

http://www.gmer.net


Andrew