Solved

Virus-like activity - fake ntvdm.exe process - any handlings?

Posted on 2008-10-18
3,117 Views
Last Modified: 2013-11-22
I'm fixing a friend's computer.
Win XP Home

On boot up, the process ntvdm.exe runs, and uses 90-99% of CPU (mostly 99) and slows up system.

When I kill the process the system runs fine.

I renamed ntvdm.exe in WINDOWS/system32/ and rebooted and there is still an 'ntvdm.exe' process on start-up.

I tested system with AVG antivirus 8, Spybot, Ad-Aware and Spyware Doctor but nothing found. I also ran CleanUp.

I've been looking on Google for days now trying to figure this out but no solution yet.

I also ran regedit.exe and looked for instances of 'regedit.exe' and compared the results to my own computer's registry (that one is clean) and they were the same - i.e. there wasn't something planted in the registry in visible format that would give a clue.

As this is my friend's computer I don't have data on usage history but he seems to have downloaded/installed "shady" programs which I made him get rid of, but this could have introduced some cr*pware...

Anybody have an idea how to fix this/where to look - I am trying to do this without wiping the hard drive as then I have to re-install a bunch of other stuff...

Thanks in advance.

Z
Question by:coolcatcreative

13 Comments
 
LVL 2

Accepted Solution

by:
WebSvrPro earned 1500 total points
ID: 22748991
ntvdm.exe tends to multiply files.

I believe my friend had this. The reason for it taking up so much CPU is that it is copying files over and over again; each file takes up under 1k, but because it does it so fast it just rapes your processor.
The only way around this would be a rebuild of your mate's PC.

Either that or you could call Microsoft up at 50p a minute to try and remove it, but the end solution will be with them: copy your files to an external hard drive or CD/DVD (depending on how much information you have got to back up) and then run a rebuild of the operating system.
 
LVL 2

Expert Comment

by:WebSvrPro
ID: 22748994
Good luck !
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22748996
Hi,

ntvdm.exe is a valid process (though that doesn't mean that it still couldn't be malware). Is your friend running some older hardware on here that requires 16 bit dos drivers? Here is a description of this process...

Windows NT Virtual DOS Machine (NTVDM) for running 16-bit tasks on the 32-bit OS's (Windows NT, 2K and XP). Required if hardware on a machine with these OS's needs 16-bit DOS drivers.

Resource link: http://www.bleepingcomputer.com/startups/NTVDM.EXE-3796.html

Also post a HijackThis log.
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

 
LVL 2

Expert Comment

by:WebSvrPro
ID: 22749009
Well, the process is legit, but there is malware that attaches itself to the process. I don't know if that's any help for you!
 

Author Comment

by:coolcatcreative
ID: 22749058
As I have said, I did rename the file (added a '0' at the end) and then after restarting the computer, the process still was running and had 'ntvdm.exe' for its name.

That made me think some other process was pretending to be 'ntvdm.exe' (as the original one might not even have been able to start as it wouldn't have been found under the name 'ntvdm.exe'). Also, wouldn't it be listed as 'ntvdm0.exe' under processes, if that was THE one running, since I renamed it?

Is my logic off in any way?
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22749316
Can you get a HijackThis log?
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22749826
1. http://www.liutilities.com/products/wintaskspro/processlibrary/ntvdm/
-----------------------------------------------------------------------------
Process File: ntvdm or ntvdm.exe
Process Name: Windows 16-bit Virtual Machine
Description: The Windows Virtual Machine for 16-bit Windows and DOS programs is used to run DOS programs and old Windows programs inside a virtual machine
Common Errors: N/A
System Process: No
-----------------------------------------------------------------------------

So if you don't run any 16-bit programs, you can safely disable it from the startup list.

2. 16-bit programs are DOS programs, old games (Win95 and lower), so if you don't use any of them, just disable them.
Check this one:
http://www.tamedos.com/
 
LVL 22

Expert Comment

by:orangutang
ID: 22751093
Yeah, a HijackThis log would be good and Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) might help you to figure out more about the problem.
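The poster's reasoning above (a renamed file should not show up under its old name) and orangutang's Process Explorer suggestion both come down to one check: for every process that calls itself ntvdm.exe, look at where its image actually lives, who signed it, what started it, and what command line it was given. The script below is an added example written for this page, not code from the thread or from any tool it mentions; it relies only on the built-in Get-CimInstance and Get-AuthenticodeSignature cmdlets (PowerShell 3 or later; on the XP-era PowerShell 2 the Get-WmiObject equivalent would be needed) and assumes the genuine NTVDM is at %SystemRoot%\System32\ntvdm.exe.

```powershell
# Added example (not from the thread): list every running process named
# ntvdm.exe with the facts a defender needs to tell the real one apart from an
# impostor: full image path, signature, command line, parent, CPU time used.

$expected = Join-Path $env:SystemRoot 'System32\ntvdm.exe'   # where the genuine NTVDM lives

# 64-bit Windows ships no NTVDM at all (16-bit code is unsupported there),
# so any process by that name on a 64-bit box is out of place by definition.
if ([Environment]::Is64BitOperatingSystem) {
    Write-Warning 'This is 64-bit Windows: it has no ntvdm.exe, so any process using that name deserves a close look.'
}

$procs = Get-CimInstance Win32_Process -Filter "Name = 'ntvdm.exe'"
if (-not $procs) { 'No process named ntvdm.exe is running.'; return }

foreach ($p in $procs) {
    $path   = $p.ExecutablePath
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $sig    = if ($path -and (Test-Path $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    [pscustomobject]@{
        PID         = $p.ProcessId
        ImagePath   = $path
        InSystem32  = [bool]($path -and ($path -ieq $expected))   # false => loaded from somewhere else
        Signature   = if ($sig) { $sig.Status } else { 'n/a (path unknown)' }
        Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        CommandLine = $p.CommandLine        # the 16-bit program NTVDM was asked to host, if any
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "exited ($($p.ParentProcessId))" }
        CPUSeconds  = [math]::Round(($p.KernelModeTime + $p.UserModeTime) / 1e7, 1)   # WMI times are in 100 ns units
    }
}
```

Two caveats when reading the output. A Microsoft-signed image on the expected path means the binary itself is genuine, and the CPU burner is then whatever 16-bit program it is hosting, which is what the CommandLine and Parent columns expose; that hosted program never appears as a process of its own. And on Windows XP, Windows File Protection silently restores a renamed or deleted system32 file from dllcache, so ntvdm.exe reappearing under its original name after a rename does not by itself prove that something else is impersonating it. Older Windows versions also report catalog-signed system files as NotSigned, so treat that status as inconclusive there and weigh the path and parent instead.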
 

Author Comment

by:coolcatcreative
ID: 22753570
Thanks for everybody's help. As I was in a real time crunch to get this computer up and running, I just ended up running a system restore from the factory HP disk.
 
LVL 2

Expert Comment

by:WebSvrPro
ID: 22756328
Yeah, hope I helped. Restore normally fixes most things like this; it is just a case of whether you want to lose data or not...
 

Author Closing Comment

by:coolcatcreative
ID: 31507422
I believe the problem here was NOT the real ntvdm.exe but something PRETENDING to be ntvdm.exe (as even when I renamed ntvdm.exe to test this, it would show in the task list with the original name, plus how could it have started when it now had a different name?) Nevertheless the good old "reinstall windows" handling solved this one as well. I just wish there would have been something more to the point.
 
LVL 2

Expert Comment

by:WebSvrPro
ID: 22766473
Good to hear!