Solved

Virus-like activity - fake ntvdm.exe process - any handlings?

Posted on 2008-10-18
3,108 Views
Last Modified: 2013-11-22
I'm fixing a friend's computer.
Win XP Home

On boot up, the process ntvdm.exe runs, and uses 90-99% of CPU (mostly 99) and slows up system.

When I kill the process the system runs fine.

I renamed ntvdm.exe in WINDOWS/system32/ and rebooted and there is still an 'ntvdm.exe' process on start-up.

I tested system with AVG antivirus 8, Spybot, Ad-Aware and Spyware Doctor but nothing found. I also ran CleanUp.

I've been looking on Google for days now trying to figure this out but no solution yet.

I also ran regedit.exe and looked for instances of 'regedit.exe' and compared the results to my own computer's registry (that one is clean) and they were the same - i.e. there wasn't something planted in the registry in visible format that would give a clue.

As this is my friend's computer I don't have data on usage history but he seems to have downloaded/installed "shady" programs which I made him get rid of, but this could have introduced some cr*pware...

Anybody have an idea how to fix this/where to look - I am trying to do this without wiping the hard drive as then I have to re-install a bunch of other stuff...

Thanks in advance.

Z
0
13 Comments
 
LVL 2

Accepted Solution

by:
WebSvrPro earned 1500 total points
ID: 22748991
ntvdm.exe tends to multiply files.

I believe my friend had this. The reason for it taking up so much CPU is that it copies files over and over again; each file takes up under 1k, but because it does it so fast it just hammers your processor.
The only way around this would be a rebuild of your mate's PC.

Either that or you could call Microsoft up at 50p a minute to try and remove it, but the end solution will be with them: copy your files to an external hard drive or CD/DVD (depending on how much information you have got to back up) and then run a rebuild of the operating system.
0
 
LVL 2

Expert Comment

by:WebSvrPro
ID: 22748994
Good luck !
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22748996
Hi,

ntvdm.exe is a valid process (though that doesn't mean that it still couldn't be malware). Is your friend running some older hardware on here that requires 16 bit dos drivers? Here is a description of this process...

Windows NT Virtual DOS Machine (NTVDM) for running 16-bit tasks on the 32-bit OS's (Windows NT, 2K and XP). Required if hardware on a machine with these OS's needs 16-bit DOS drivers.

Resource link: http://www.bleepingcomputer.com/startups/NTVDM.EXE-3796.html

Also post a HijackThis log.
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

0
 
LVL 2

Expert Comment

by:WebSvrPro
ID: 22749009
Well, the process is legit, but there is malware that attaches itself to the process. I don't know if that's any help for you!
0
 

Author Comment

by:coolcatcreative
ID: 22749058
As I have said, I did rename the file (added a '0' at the end) and then after restarting the computer, the process still was running and had 'ntvdm.exe' for its name.

That made me think some other process was pretending to be 'ntvdm.exe' (as the original one might not even have been able to start as it wouldn't have been found under the name 'ntvdm.exe'). Also, wouldn't it be listed as 'ntvdm0.exe' under processes, if that was THE one running, since I renamed it?

Is my logic off in any way?
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22749316
Can you get a HijackThis log?
0
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22749826
1.http://www.liutilities.com/products/wintaskspro/processlibrary/ntvdm/
-----------------------------------------------------------------------------
Process File: ntvdm or ntvdm.exe
Process Name: Windows 16-bit Virtual Machine
Description: The Windows Virtual Machine for 16-bit Windows and Dos programs is used to run dos programs and old Windows programs inside a virtual machine
Common Errors: N/A
System Process: No
-----------------------------------------------------------------------------

So if you don't run any 16-bit programs, you can safely disable it from the startup list.

2. 16-bit programs are DOS programs and old games (Win95 and lower), so if you don't use any of them, just disable them.
Check this one
http://www.tamedos.com/
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22751093
Yeah, a HijackThis log would be good and Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) might help you to figure out more about the problem.
0
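The facts Process Explorer and a HijackThis log would surface for this thread (the image path a process named ntvdm.exe is really running from, its parent, whether its bytes match the System32 copy, and which autostart entries launch things) can be gathered from the command line. The script below is an added example; it is not code from the thread, from Process Explorer or from HijackThis. It assumes a Windows machine with PowerShell 2.0 or later and an administrative prompt, and deliberately uses WMI and .NET hashing rather than Get-Process and Get-FileHash so that it also runs on an XP-era system. The function names (Get-Sha256Hex, Test-NtvdmProcesses, Get-RunKeyEntries) and the flag wording are the example's own.

```powershell
# Added example, not code from the thread or from Process Explorer/HijackThis.
# Assumes Windows with PowerShell 2.0 or later, run from an administrative
# prompt. WMI (Win32_Process) and .NET hashing are used instead of Get-Process
# and Get-FileHash so that it also runs on an XP-era machine.

$ExpectedNtvdm = Join-Path $env:SystemRoot 'System32\ntvdm.exe'

function Get-Sha256Hex {
    param([string]$Path)
    # Get-FileHash needs PowerShell 4+, so hash with the .NET class directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

function Test-NtvdmProcesses {
    # One record per running process whose name is ntvdm.exe, with the facts
    # Process Explorer would show: image path, command line, parent, signature.
    $known = if (Test-Path $ExpectedNtvdm) { Get-Sha256Hex $ExpectedNtvdm } else { $null }

    foreach ($p in (Get-WmiObject Win32_Process -Filter "Name = 'ntvdm.exe'")) {
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $flags = @()
        $hash = $null
        $sig = $null

        if (-not $p.ExecutablePath) {
            $flags += 'image path not readable (access denied or process exited)'
        } else {
            if ($p.ExecutablePath -ine $ExpectedNtvdm) {
                $flags += "runs from $($p.ExecutablePath), not System32"
            }
            $hash = Get-Sha256Hex $p.ExecutablePath
            if ($known -and $hash -ne $known) { $flags += 'hash differs from System32\ntvdm.exe' }
            # On XP most system binaries are catalog-signed, so NotSigned alone is
            # not proof of tampering; the hash comparison above is the stronger check.
            $sig = (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
        }

        New-Object PSObject -Property @{
            PID         = $p.ProcessId
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
            Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "<exited> ($($p.ParentProcessId))" }
            Signature   = $sig
            Sha256      = $hash
            Flags       = ($flags -join '; ')
        }
    }
}

function Get-RunKeyEntries {
    # The autostart entries HijackThis lists as O4 (Run/RunOnce under HKLM and
    # HKCU) plus the Winlogon Shell and Userinit values that malware commonly rewrites.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($prop in (Get-ItemProperty $k).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath etc.
            New-Object PSObject -Property @{ Key = $k; Name = $prop.Name; Command = $prop.Value }
        }
    }
    $wl = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($n in 'Shell', 'Userinit') {
        $v = (Get-ItemProperty $wl -Name $n -ErrorAction SilentlyContinue).$n
        New-Object PSObject -Property @{ Key = $wl; Name = $n; Command = $v }
    }
}

Write-Host "== processes named ntvdm.exe =="
Test-NtvdmProcesses | Format-List PID, Path, CommandLine, Parent, Signature, Sha256, Flags

Write-Host "== autostart entries (compare against a clean machine) =="
Get-RunKeyEntries | Format-Table -AutoSize Key, Name, Command
```

The Path and Sha256 columns answer the question the thread circles around directly: a process can call itself ntvdm.exe while running from anywhere, and only the image path and a hash match against the System32 copy show whether it is the genuine NTVDM. Two caveats worth knowing before drawing conclusions from the renaming experiment described above. First, on Windows XP the System32 copy of ntvdm.exe is protected by Windows File Protection, which silently restores protected binaries from the dllcache folder after they are renamed or deleted, so a process reappearing under the original name after a reboot is consistent with either an impostor or a restored genuine file; the script settles that from the running image rather than from the name. Second, a genuine NTVDM instance pegging the CPU usually means some 16-bit program is being hosted inside it, and the Parent column plus the autostart entries (compared against the same keys on a known-clean machine, as the poster did by hand) point at what launched it.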
 

Author Comment

by:coolcatcreative
ID: 22753570
Thanks for everybody's help - as I was in a real time crunch to get this computer up and running, I just ended up running a system restore from the factory HP disk.

0
 
LVL 2

Expert Comment

by:WebSvrPro
ID: 22756328
Yeah, hope I helped. Restore normally fixes most things like this; it is just a case of whether you want to lose data or not...
0
 

Author Closing Comment

by:coolcatcreative
ID: 31507422
I believe the problem here was NOT the real ntvdm.exe but something PRETENDING to be ntvdm.exe (as even when I renamed ntvdm.exe to test this, it would show in the task list with the original name, plus how could it have started when it now had a different name?) Nevertheless the good old "reinstall windows" handling solved this one as well. I just wish there would have been something more to the point.
0
 

Author Comment

by:coolcatcreative
ID: 22766172
I believe the problem here was NOT the real ntvdm.exe but something PRETENDING to be ntvdm.exe (as even when I renamed ntvdm.exe to test this, it would show in the task list with the original name, plus how could it have started when it now had a different name?) Nevertheless the good old "reinstall windows" handling solved this one as well. I just wish there would have been something more to the point.
0
 
LVL 2

Expert Comment

by:WebSvrPro
ID: 22766473
Good to hear!
0

Question has a verified solution.