Question

Locked

ntvdm.exe consumes 99% of CPU

By rob.w.westcott ·
Hi, I am running XP Home (actually re-installed a month ago from scratch) and find that if the PC is left unattended for about an hour the ntvdm.exe process starts up and slows everything down as it consumes 99% of CPU load. It never starts on initial boot, only after significant unattended time.

I have run Virus scanners and Spybot to see if it clears it, turned off screensavers, etc. but can't find out what is starting it.

Can anyone give me some tips on tracking what is setting ntvdm.exe running, ie. can I use Process Explorer or similar to trace it?

This conversation is currently closed to new comments.

14 total posts (Page 1 of 2)   01 | 02   Next
| Thread display: Collapse - | Expand +

All Answers

Collapse -

Delete it

by Bax2x In reply to ntvdm.exe consumes 99% of ...

I would just delete the file. I had this happen to a friend's machine. It was a quicktime file actually that ate up all the open CPU usage. I deleted it and the problem was solved.

Collapse -

desperate measures

by rob.w.westcott In reply to Delete it

Thanks for the suggestion. In desperation I did try this, however Windows managed to get another copy of the file from somewhere (I'm guessing in a CAB file or similar). I found one of these alternates and deleted it but it is still coming back!

Collapse -

See my post below...

by boxfiddler Moderator In reply to desperate measures
Collapse -

I can't help you re: what to do about it...

by boxfiddler Moderator In reply to ntvdm.exe consumes 99% of ...

but the link below will tell you what it is. It is likely not a good idea to delete it.

http://www.processlibrary.com/directory/files/ntvdm/24761


edit: add a line

Collapse -

resignation

by rob.w.westcott In reply to ntvdm.exe consumes 99% of ...

Thanks for all the suggestions.

I tried many other spy and virus removal techniques. None of them stopped the problem, and none of the tools ever detected anything malicious on my machine.

The only suspicious thing I found was a lot of extra entires in the hosts file, which is a symptom of some type of malware getting through.

Eventually I gave up and just re-installed XP, so far so good, will keep my fingers crossed.

Collapse -

Waste of time, not a virus

by ComputerCookie In reply to resignation

if you search your computer for ntvdm.exe it will show up in system32 files and it hasn't gone away as it's used to run 16bit apps in a 32bit environment.

The only way that I could see it running is if you run a 16bit app, so if you go to run same again you may see the problem recur. I would think the process would only display that type of behaviour if the application had an error or was incorrectly terminated.

You will need to check task manager and end the process if after running a 16bit app if it is still running.

Collapse -

yes but

by rob.w.westcott In reply to Waste of time, not a viru ...

Yes I know that it is meant to run when a 16-bit app runs, and yes I can kill it. But I am not running any 16-bit apps (that I know of), in fact it actually starts up after some idle time when I haven't been running anything. What no-one can tell me so far is how to find out what 16-bit app is being started (remembering it only starts after a period of idle time so isn't a boot process).

Reinstalling XP seems to have fixed whatever it was in any case.

Collapse -

You

by Jacky Howe In reply to yes but

probably wasn't getting an error message because it was probably running from startup.
I think that one of these were damaged.
? Config.nt
? Autoexec.nt
? Command.com

http://support.microsoft.com/kb/324767

Collapse -

An old screensaver?

by seanferd In reply to yes but

Like Pyro?

Anyway, you would use some type of system information tool to find out what 16-bit apps or modules are loaded. Norton's (old) Sysinfo did that, and I believe Sysinternals Process Monitor will display that info also.

Collapse -

Might

by Jacky Howe In reply to An old screensaver?

have been a nasty that had enough time to modify the file before it got zapped. One of those files could have set off the exe with no instructions.

Back to Malware Forum
14 total posts (Page 1 of 2)   01 | 02   Next

Security Forums