Solved

Virus-like activity - fake ntvdm.exe process - any handlings?

Posted on 2008-10-18
3,083 Views
Last Modified: 2013-11-22
I'm fixing a friend's computer.
Win XP Home

On boot up, the process ntvdm.exe runs, and uses 90-99% of CPU (mostly 99) and slows up system.

When I kill the process the system runs fine.

I renamed ntvdm.exe in WINDOWS/system32/ and rebooted, and there is still an 'ntvdm.exe' process on start-up.

I tested system with AVG antivirus 8, Spybot, Ad-Aware and Spyware Doctor but nothing found. I also ran CleanUp.

I've been looking on Google for days now trying to figure this out but no solution yet.

I also ran regedit.exe and looked for instances of 'regedit.exe' and compared the results to my own computer's registry (that one is clean) and they were the same - i.e. there wasn't something planted in the registry in visible format that would give a clue.

As this is my friend's computer I don't have data on usage history but he seems to have downloaded/installed "shady" programs which I made him get rid of, but this could have introduced some cr*pware...

Anybody have an idea how to fix this/where to look - I am trying to do this without wiping the hard drive as then I have to re-install a bunch of other stuff...

Thanks in advance.

Z
Question by:coolcatcreative

13 Comments
 
LVL 2

Accepted Solution

by:
WebSvrPro earned 500 total points
ID: 22748991
ntvdm.exe tends to multiply files.

I believe my friend had this. The reason for it taking up so much CPU is that it is copying files over and over again; each file takes up under 1k, but because it does it so fast it just rapes your processor.
The only way around this would be a rebuild of your mate's PC.

Either that or you could call Microsoft up at 50p a minute to try and remove it, but the end solution will be with them: copy your files to an external hard drive or CD/DVD (depending on how much information you have got to back up) and then run a rebuild of the operating system.
 
LVL 2

Expert Comment

by:WebSvrPro
ID: 22748994
Good luck !
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22748996
Hi,

ntvdm.exe is a valid process (though that doesn't mean that it still couldn't be malware). Is your friend running some older hardware on here that requires 16 bit dos drivers? Here is a description of this process...

Windows NT Virtual DOS Machine (NTVDM) for running 16-bit tasks on the 32-bit OS's (Windows NT, 2K and XP). Required if hardware on a machine with these OS's needs 16-bit DOS drivers.

Resource link: http://www.bleepingcomputer.com/startups/NTVDM.EXE-3796.html

Also post a HijackThis log.
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

 
LVL 2

Expert Comment

by:WebSvrPro
ID: 22749009
Well, the process is legit, but there is malware that attaches itself to the process. I don't know if that's any help for you!
 

Author Comment

by:coolcatcreative
ID: 22749058
As I have said, I did rename the file (added a '0' at the end), and then after restarting the computer the process was still running and had 'ntvdm.exe' for its name.

That made me think some other process was pretending to be 'ntvdm.exe' (as the original one might not even have been able to start as it wouldn't have been found under the name 'ntvdm.exe'). Also, wouldn't it be listed as 'ntvdm0.exe' under processes, if that was THE one running, since I renamed it?

Is my logic off in any way?
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22749316
Can you get a HijackThis log?
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22749826
1. http://www.liutilities.com/products/wintaskspro/processlibrary/ntvdm/
-----------------------------------------------------------------------------
Process File: ntvdm or ntvdm.exe
Process Name: Windows 16-bit Virtual Machine
Description: The Windows Virtual Machine for 16-bit Windows and DOS programs is used to run DOS programs and old Windows programs inside a virtual machine
Common Errors: N/A
System Process: No
-----------------------------------------------------------------------------

So if you don't run any 16-bit programs, you can safely disable it from the startup list.

2. 16-bit programs are DOS programs, old games (Win95 and lower), so if you don't use any of them, just disable them.
Check this one:
http://www.tamedos.com/
 
LVL 22

Expert Comment

by:orangutang
ID: 22751093
Yeah, a HijackThis log would be good and Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) might help you to figure out more about the problem.
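The test the author ran (rename the real binary, then see whether a process by the old name still appears) can be made systematic by comparing each running image against the directory it is expected to load from, which is the kind of check Process Explorer's Path column lets you do by eye. This is an added example, not code from the thread or from any tool mentioned in it; the process list, the baseline of expected directories and the paths are constructed for illustration and mimic the Name and ExecutablePath columns that `wmic process get name,executablepath` would print on XP.

```python
"""Flag processes that carry a Windows system image name but were not
started from the directory where that image is expected to live."""
import ntpath

# Constructed sample, modelled on the thread: the genuine ntvdm.exe, the
# renamed copy from the question (ntvdm0.exe), and an impostor that uses the
# system name but runs from a user-writable temp directory.
SAMPLE_PROCESSES = [
    ("ntvdm.exe", r"C:\WINDOWS\system32\ntvdm.exe"),
    ("ntvdm0.exe", r"C:\WINDOWS\system32\ntvdm0.exe"),
    ("ntvdm.exe", r"C:\Documents and Settings\Bob\Local Settings\Temp\ntvdm.exe"),
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
]

# Hypothetical baseline of where each image is expected on a default XP install.
EXPECTED_DIRS = {
    "ntvdm.exe": r"C:\WINDOWS\system32",
    "svchost.exe": r"C:\WINDOWS\system32",
    "explorer.exe": r"C:\WINDOWS",
}


def check_process(name, path):
    """Return None if the process looks legitimate, otherwise a reason string."""
    expected = EXPECTED_DIRS.get(name.lower())
    if expected is None:
        # Not a baselined name: ntvdm0.exe (the renamed original) lands here,
        # which matches the author's point that a renamed file would show
        # under its new name, not the old one.
        return None
    if not path:
        # tasklist/wmic leave the path blank when the image cannot be read.
        return "image path unavailable (access denied or hidden)"
    # Windows paths are case-insensitive; normcase lowercases and fixes slashes.
    if ntpath.normcase(ntpath.dirname(path)) != ntpath.normcase(expected):
        return f"expected in {expected}, running from {path}"
    return None


def find_masquerading(processes):
    """Return (name, path, reason) for every suspicious entry in the list."""
    hits = []
    for name, path in processes:
        reason = check_process(name, path)
        if reason is not None:
            hits.append((name, path, reason))
    return hits


if __name__ == "__main__":
    for name, path, reason in find_masquerading(SAMPLE_PROCESSES):
        print(f"{name}: {reason}")
```

On the sample list only the temp-directory ntvdm.exe is reported; the renamed ntvdm0.exe and the real system32 copy pass.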
 

Author Comment

by:coolcatcreative
ID: 22753570
Thanks for everybody's help. As I was in a real time crunch to get this computer up and running, I just ended up running a system restore from the factory HP disk.
 
LVL 2

Expert Comment

by:WebSvrPro
ID: 22756328
Yeah, hope I helped. Restore normally fixes most things like this; it is just a case of whether you want to lose data or not...
 

Author Closing Comment

by:coolcatcreative
ID: 31507422
I believe the problem here was NOT the real ntvdm.exe but something PRETENDING to be ntvdm.exe (as even when I renamed ntvdm.exe to test this, it would show in the task list with the original name, plus how could it have started when it now had a different name?). Nevertheless, the good old "reinstall Windows" handling solved this one as well. I just wish there would have been something more to the point.
 
LVL 2

Expert Comment

by:WebSvrPro
ID: 22766473
Good to hear!