Solved

Virus-like activity - fake ntvdm.exe process - any handlings?

Posted on 2008-10-18
3,049 Views
Last Modified: 2013-11-22
I'm fixing a friend's computer.
Win XP Home

On boot up, the process ntvdm.exe runs, and uses 90-99% of CPU (mostly 99) and slows up system.

When I kill the process the system runs fine.

I renamed ntvdm.exe in WINDOWS/system32/ and rebooted and there is still a 'ntvdm.exe" process on start-up.

I tested system with AVG antivirus 8, Spybot, Ad-Aware and Spyware Doctor but nothing found. I also ran CleanUp.

I've been looking on Google for days now trying to figure this out but no solution yet.

I also ran regedit.exe and looked for instances of 'regedit.exe' and compared the results to my own computer's registry (that one is clean) and they were the same - i.e. there wasn't something planted in the registry in visible format that would give a clue.

As this is my friend's computer I don't have data on usage history but he seems to have downloaded/installed "shady" programs which I made him get rid of, but this could have introduced some cr*pware...

Anybody have an idea how to fix this/where to look - I am trying to do this without wiping the hard drive as then I have to re-install a bunch of other stuff...

Thanks in advance.

Z
Question by:coolcatcreative
13 Comments
 
LVL 2

Accepted Solution

by:
WebSvrPro earned 500 total points
ntvdm.exe tends to multiply files.

I believe my friend had this. The reason for it taking up so much CPU is that it is copying files over and over again; each file takes up under 1k, but because it does it so fast it just rapes your processor.
The only way around this would be a rebuild of your mate's PC.

Either that or you could call Microsoft up at 50p a minute to try and remove it, but the end solution will be the same with them: copy your files to an external hard drive or CD/DVD (depending on how much information you have got to back up) and then run a rebuild of the operating system.
 
LVL 2

Expert Comment

by:WebSvrPro
Good luck !
 
LVL 20

Expert Comment

by:IndiGenus
Hi,

ntvdm.exe is a valid process (though that doesn't mean that it still couldn't be malware). Is your friend running some older hardware on here that requires 16 bit dos drivers? Here is a description of this process...

Windows NT Virtual DOS Machine (NTVDM) for running 16-bit tasks on the 32-bit OS's (Windows NT, 2K and XP). Required if hardware on a machine with these OS's needs 16-bit DOS drivers.

Resource link: http://www.bleepingcomputer.com/startups/NTVDM.EXE-3796.html

Also post a HijackThis log.
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

 
LVL 2

Expert Comment

by:WebSvrPro
Well, the process is legit, but there is malware that attaches itself to the process. I don't know if that's any help for you!
 

Author Comment

by:coolcatcreative
As I have said, I did rename the file (added a '0' at the end) and then after restarting the computer, the process still was running and had 'ntvdm.exe' for its name.

That made me think some other process was pretending to be 'ntvdm.exe' (as the original one might not even have been able to start as it wouldn't have been found under the name 'ntvdm.exe'). Also, wouldn't it be listed as 'ntvdm0.exe' under processes, if that was THE one running, since I renamed it?

Is my logic off in any way?
 
LVL 20

Expert Comment

by:IndiGenus
Can you get a HijackThis log?
 
LVL 18

Expert Comment

by:sk_raja_raja
1.http://www.liutilities.com/products/wintaskspro/processlibrary/ntvdm/
-----------------------------------------------------------------------------
Process File: ntvdm or ntvdm.exe
Process Name: Windows 16-bit Virtual Machine
Description: The Windows Virtual Machine for 16-bit Windows and Dos programs is used to run dos programs and old Windows programs inside a virtual machine
Common Errors: N/A
System Process: No
-----------------------------------------------------------------------------

So if you don't run any 16-bit programs, you can safely disable it from the startuplist

2.16 bit programs are dos programs, old games (win95 and lower) so if you don't use any of them, just disable them.
Check this one
http://www.tamedos.com/
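One point worth making explicit about the "disable it from the startup list" advice: ntvdm.exe has no startup entry of its own. Windows starts it on demand whenever a DOS or 16-bit Windows program is launched, so the entry to find is the 16-bit program that is being auto-started. The script below is an added example, not code posted in the thread, that walks the XP autostart points which can launch such a program at logon: system32\config.nt and autoexec.nt (read by every ntvdm.exe instance), the load= and run= lines of win.ini, the Run/RunOnce registry keys, the Winlogon Shell and Userinit values, and the Startup folders. The flagging rules are an assumption for illustration: the stock config.nt/autoexec.nt only load drivers and TSRs from %SystemRoot%\system32, and a .com/.bat/.pif entry, or a launcher kept under a user-writable folder, is worth a closer look. It is written for Windows PowerShell and uses nothing newer than the 2.0 release that installs on XP.

```powershell
# Added example (not from the thread): list the XP autostart points that can
# launch a DOS or Win16 program at logon, which is what makes ntvdm.exe appear.
# Flagging rules are assumptions for illustration, not a malware signature.
$sys32   = Join-Path $env:SystemRoot 'system32'
$sys32Re = "(?i)(%SystemRoot%|$([regex]::Escape($env:SystemRoot)))\\system32\\"
$progRe  = '(?i)\S+\.(exe|com|bat|pif)\b'

function Report {
    param([string]$Source, [string]$Text, [string[]]$Flags)
    $mark = ''
    if ($Flags -and $Flags.Count -gt 0) { $mark = '  <-- ' + ($Flags -join '; ') }
    Write-Output ("[{0}] {1}{2}" -f $Source, $Text, $mark)
}

function Get-GeneralFlags {
    param([string]$Text)
    $f = @()
    # .com/.bat/.pif entries start a DOS session and therefore ntvdm.exe.
    if ($Text -match '(?i)\.(com|bat|pif)\b') { $f += 'DOS/16-bit launcher' }
    # Programs run from temp, profile or recycler folders are a classic hiding place.
    if ($Text -match '(?i)\\(temp|tmp|local settings|application data|appdata|recycler)\\') {
        $f += 'runs from a user-writable folder'
    }
    return ,$f
}

# 1. DOS environment files processed by every ntvdm.exe instance.
foreach ($name in 'config.nt', 'autoexec.nt') {
    $file = Join-Path $sys32 $name
    if (-not (Test-Path $file)) { Report $name '(missing)' @(); continue }
    foreach ($line in Get-Content $file) {
        $t = $line.Trim()
        if ($t -eq '' -or $t -match '^(?i)rem\b') { continue }     # skip blank and comment lines
        $flags = Get-GeneralFlags $t
        if ($t -match $progRe -and $t -notmatch $sys32Re) { $flags += 'loads a program from outside system32' }
        Report $name $t $flags
    }
}

# 2. win.ini load= / run=: Win16-era autostart still honoured on XP.
$winIni = Join-Path $env:SystemRoot 'win.ini'
if (Test-Path $winIni) {
    foreach ($line in Get-Content $winIni) {
        if ($line -match '^(?i)\s*(load|run)\s*=\s*(\S.*)$') {
            Report 'win.ini' ("{0}={1}" -f $matches[1], $matches[2]) (Get-GeneralFlags $matches[2])
        }
    }
}

# 3. Run/RunOnce keys for the machine and the current user.
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            Report "$hive\$sub" ("{0} = {1}" -f $p.Name, $p.Value) (Get-GeneralFlags ([string]$p.Value))
        }
    }
}

# 4. Winlogon Shell/Userinit: anything beyond the defaults runs at every logon.
$wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shellFlags = @()
if ($wl.Shell -and $wl.Shell -ine 'explorer.exe') { $shellFlags += 'Shell is not explorer.exe' }
Report 'Winlogon' ("Shell = {0}" -f $wl.Shell) $shellFlags
$uiFlags = @()
if ($wl.Userinit -notmatch '(?i)^[a-z]:\\[^,]*\\system32\\userinit\.exe,?$') { $uiFlags += 'Userinit has extra entries' }
Report 'Winlogon' ("Userinit = {0}" -f $wl.Userinit) $uiFlags

# 5. Startup folders (XP and later layouts; missing ones are skipped).
$startups = @([Environment]::GetFolderPath('Startup'),
              (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Startup'),
              (Join-Path $env:ALLUSERSPROFILE 'Microsoft\Windows\Start Menu\Programs\Startup'))
foreach ($dir in $startups) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($item in Get-ChildItem $dir -Force | Where-Object { -not $_.PSIsContainer }) {
        Report 'Startup' $item.FullName (Get-GeneralFlags $item.FullName)
    }
}
```

Run it from an administrator account so the HKLM keys and system32 files are readable, and compare the output line by line with the same script run on a known-clean XP machine, which is the comparison the author was attempting by hand in regedit. A .pif or .bat in a Startup folder, a non-empty load=/run= line, or a config.nt/autoexec.nt line that loads something from outside system32 is where a persistently respawning 16-bit program would be registered.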
 
LVL 22

Expert Comment

by:orangutang
Yeah, a HijackThis log would be good and Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) might help you to figure out more about the problem.
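IndiGenus's note that ntvdm.exe is a valid process and orangutang's pointer to Process Explorer come down to the same check: find out where the running ntvdm.exe image actually lives and whether it is the Windows binary. The script below is an added example, not code from the thread, that performs that check from Windows PowerShell (Get-WmiObject is used so it also runs on the 2.0 release that installs on XP); Process Explorer's Image Path and parent columns show the same information interactively. One caveat that bears on the author's rename test: on XP, ntvdm.exe is covered by Windows File Protection, and a renamed or deleted copy in system32 is silently restored from system32\dllcache, so a process still named ntvdm.exe after a rename does not by itself prove an impostor. The image path and a hash comparison against the dllcache copy do. The dllcache location is the XP default and is assumed here.

```powershell
# Added example (not from the thread): inspect every running ntvdm.exe and
# check whether its image is the Windows one. Assumption: the Windows File
# Protection cache copy is %SystemRoot%\system32\dllcache\ntvdm.exe (XP default).

function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

$system32 = Join-Path $env:SystemRoot 'system32'
$expected = Join-Path $system32 'ntvdm.exe'
$cached   = Join-Path $system32 'dllcache\ntvdm.exe'
$cachedHash = $null
if (Test-Path $cached) { $cachedHash = Get-FileSha256 $cached }

# Win32_Process gives the real image path, not just the name Task Manager shows.
$procs = @(Get-WmiObject Win32_Process -Filter "Name = 'ntvdm.exe'")
if ($procs.Count -eq 0) { Write-Output 'No process named ntvdm.exe is running.' }

foreach ($p in $procs) {
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = 'exited'
    if ($parent) { $parentName = $parent.Name }
    $path = $p.ExecutablePath
    $findings = @()

    # 1. The genuine image lives in System32; any other location is suspect.
    if (-not $path) {
        $findings += 'image path not readable (run from an administrator account)'
    } elseif ($path -ine $expected) {
        $findings += "image path is $path, expected $expected"
    }

    # 2. Compare the on-disk image with the copy WFP keeps in dllcache.
    if ($path -and $cachedHash -and (Test-Path $path)) {
        if ((Get-FileSha256 $path) -ne $cachedHash) {
            $findings += 'image hash differs from the dllcache copy'
        }
    }

    # 3. Size and timestamp, for comparison with the same file on a clean machine.
    $info = $null
    if ($path -and (Test-Path $path)) { $info = Get-Item $path }

    Write-Output ("PID {0}  parent PID {1} ({2})" -f $p.ProcessId, $p.ParentProcessId, $parentName)
    Write-Output ("  image:   {0}" -f $path)
    Write-Output ("  cmdline: {0}" -f $p.CommandLine)
    if ($info) { Write-Output ("  size:    {0} bytes, modified {1}" -f $info.Length, $info.LastWriteTime) }
    if ($findings.Count -eq 0) {
        Write-Output '  no mismatch: the host is genuine, so look at which 16-bit program it is running'
    } else {
        foreach ($f in $findings) { Write-Output "  FLAG: $f" }
    }
}
```

If the image path and hash check out, the CPU is being consumed by the DOS or Win16 program hosted inside ntvdm.exe rather than by the host itself; in Task Manager, enabling "Show 16-bit tasks" on the Processes tab lists those programs under the ntvdm.exe entry, and Process Explorer shows them in its process tree. If the path points anywhere other than System32, or the hash differs from the dllcache copy, the file at that path is the thing to submit to a scanner and remove.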
 

Author Comment

by:coolcatcreative
Thanks for everybody's help. As I was in a real time crunch to get this computer up and running, I just ended up running a system restore from the factory HP disk.
 
LVL 2

Expert Comment

by:WebSvrPro
Yeah, hope I helped. Restore normally fixes most things like this; it is just a case of whether you want to lose data or not...
 

Author Closing Comment

by:coolcatcreative
I believe the problem here was NOT the real ntvdm.exe but something PRETENDING to be ntvdm.exe (as even when I renamed ntvdm.exe to test this, it would show in the task list with the original name, plus how could it have started when it now had a different name?) Nevertheless the good old "reinstall windows" handling solved this one as well. I just wish there would have been something more to the point.
LVL 2

Expert Comment

by:WebSvrPro
Good to hear!