ntvdm, wowexec and command.com

Gerard Stutje

Dear All,

Running XP Home SP2, fully updated on a Mobile AMD Athlon 64 3000+ with 1
giga RAM.

Lately I'm having two problems which (I think) seem to be related.

The first is that for no apparent reason NTVDM.EXE starts up and uses just
about all of the cpu-time. Mind you, all by itself, no instance of WOWEXEC
related to it. If I start a 16 bit program there will be _another_ instance
of NTVDM, this time with WOWEXEC and the 16bit program listed in the process
list.

The other problem is that when I run COMMAND, no keystrokes are transferred
to the command prompt. I don't know if it is normal behaviour that the path
is shown in the 8.3 format. If I start CMD, the command prompt shows long
names and does accept commands (dir, exit, etc.) but if I run EDIT.COM it
starts the editor and then stalls and doesn't respond to the keyboard any
more.

No viruses found by Symantec nor AntiVir Guard.

I've been looking all over the internet but didn't find any solution.

I thought I'd ask again before doing a complete reinstall. ;-)

Thank you for your attention.
 
Wesley Vogel

Update your antivirus software and run a full system scan.

Update whatever anti-spyware applications that you have and run a full
system scan with each one.

System File Checker (sfc.exe) replaces screwed up system files.

Load your XP CD in your CD drive.

Start | Run | Type or paste: sfc /scannow | Click OK

If you have XP Home and it asks for your XP Pro CD, see this KB article...

You may be prompted to insert a Windows XP Professional CD when you run the
System File Checker tool in Windows XP Home Edition
http://support.microsoft.com/default.aspx?scid=kb;en-us;897128

If SFC.EXE did anything it will be in the Event Viewer.

Open the Event Viewer...
Start | Run | Type: eventvwr | Click OK |
Click System | Look at any Windows File Protection entries

Explains a whole bunch about sfc.exe.
scannow sfc (sfc.exe)
http://www.updatexp.com/scannow-sfc.html

Description of Windows XP and Windows Server 2003 System File Checker
(Sfc.exe)
http://support.microsoft.com/?kbid=310747

HOW TO Verify That Windows File Protection Is Running
http://support.microsoft.com/default.aspx?scid=kb;en-us;814597

Description of the Windows File Protection Feature
http://support.microsoft.com/default.aspx?scid=kb;en-us;222193

It sounds like command.com, which runs under ntvdm.exe, EDIT.COM, and
ntvdm.exe may be corrupted, *IF* there is no malware present on your
machine.

You will not see command.com listed in the Task Manager under the Processes
tab if it is running, ntvdm.exe is listed instead. You can see command.com
(MS-DOS Prompt) listed under Applications, but if you right click
command.com and select Go To Process, ntvdm.exe will appear highlighted
under the Processes tab.

Keystrokes should be seen in command.com, but the actual commands are
executed by cmd.exe.

If there is no malware present and if System File Checker does not fix
things, new copies of command.com, EDIT.COM and ntvdm.exe can be expanded
from your XP CD.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Gerard Stutje

Hello Wesley

> Update your antivirus software and run a full system scan.

Already done, no avail.

> Update whatever anti-spyware applications that you have and run a full
> system scan with each one.

Done with Spybot and PestPatrol, nothing found.

> System File Checker (sfc.exe) replaces screwed up system files.
> Load your XP CD in your CD drive.
> Start | Run | Type or paste: sfc /scannow | Click OK
> If you have XP Home and it asks for your XP Pro CD, see this KB article...
>
> You may be prompted to insert a Windows XP Professional CD when you run the
> System File Checker tool in Windows XP Home Edition
> http://support.microsoft.com/default.aspx?scid=kb;en-us;897128

The label on my XP-Home CD is VRMHOEM_ES. That didn't do the trick. I tried
with an XP-Pro CD (with a slipstreamed SP2), but as I expected XP Home was
smart enough to see that this wasn't the right CD.

> It sounds like command.com, which runs under ntvdm.exe, EDIT.COM, and
> ntvdm.exe may be corrupted, *IF* there is no malware present on your
> machine.

As I can't find any malware, I first added ".bak" to the three mentioned
files and manually expanded those files from the XP Home CD and ran "fc /b
command.com command.com.bak" (and EDIT and NTVDM), the files are identical.
:-(

> You will not see command.com listed in the Task Manager under the Processes
> tab if it is running, ntvdm.exe is listed instead. You can see command.com
> (MS-DOS Prompt) listed under Applications, but if you right click
> command.com and select Go To Process, ntvdm.exe will appear highlighted
> under the Processes tab.

OK.

> Keystrokes should be seen in command.com, but the actual commands are
> executed by cmd.exe.

No keystrokes are reflected at the command prompt.

> If there is no malware present and if System File Checker does not fix
> things, new copies of command.com, EDIT.COM and ntvdm.exe can be expanded
> from your XP CD.

As I mentioned before, no fix. :-(
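
The comparison described in the post above (expand each file from the CD, then `fc /b` against the installed copy), as an added batch example that is not part of the original thread. It assumes the CD is drive D:, that the compressed sources are named command.co_, edit.co_ and ntvdm.ex_ under D:\I386, and that the installed files are in %SystemRoot%\system32; it expands into a scratch folder and does not modify system32.

```bat
@echo off
rem Added example, not from the thread: compare the installed 16-bit
rem subsystem files with copies expanded from the installation CD.
rem Assumptions: CD in D:, compressed sources in D:\I386 (edit SRC if not).
setlocal
set SRC=D:\I386
set WORK=%TEMP%\ntvdm_check
if not exist "%WORK%" mkdir "%WORK%"

call :check command.com command.co_
call :check edit.com    edit.co_
call :check ntvdm.exe   ntvdm.ex_
endlocal
goto :eof

:check
rem %1 = installed file name, %2 = assumed compressed name on the CD
if not exist "%SRC%\%2" (
    echo %1: source %SRC%\%2 not found, skipped
    goto :eof
)
rem Expand into the scratch folder, never over the installed file
expand "%SRC%\%2" "%WORK%\%1" >nul
if errorlevel 1 (
    echo %1: expand failed, skipped
    goto :eof
)
rem fc /b sets errorlevel 0 when identical, 1 when different, 2 on error
fc /b "%SystemRoot%\system32\%1" "%WORK%\%1" >nul
if errorlevel 2 (
    echo %1: could not be compared
    goto :eof
)
if errorlevel 1 (
    echo %1: DIFFERS from the CD copy
) else (
    echo %1: identical to the CD copy
)
goto :eof
```

A file that a later update replaced will also report DIFFERS, so a mismatch needs a version check before it is treated as corruption.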
 
Wesley Vogel

Hi Gerard,
> The label on my XP-Home CD is VRMHOEM_ES

Windows XP Home (SP2) OEM Espanol.

Maybe the Spanish version of XP has something to do with it. <shrug>

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
