ntvdm.exe suspicious behaviour
When I run MS Excel 4.0 I get the red security alert about keylogging, however not always. Not when some other programs are open, like a web browser. I always click on "deny" and it is no problem to run Excel. This seems very suspicious to me. Why in one case and not in the other, and why is clicking on "deny" not a problem?
Re: ntvdm.exe suspicious behaviour
I guess you have Windows XP.
MS Excel 4.0 is a 16-bit application. Windows XP is a 32-bit/64-bit OS. Ntvdm.exe is from Microsoft and it creates an environment on your computer to execute 16-bit applications.
Now, about the keylogger alert. You should know that the OS Firewall Alert of ZoneAlarm regarding "Monitor user activities" has "unusual things". Well, I don't call it a bug. ZoneAlarm sometimes produces false alerts, giving the user the impression that the program is a keylogger. Even when you run Internet Explorer 7.0, ZoneAlarm warns about a keylogger. When a virus tries to take control of the keyboard, ZoneAlarm warns about a keylogger, instead of warning about losing control of the keyboard. The following are some links if you want to know more:
First make sure that Ntvdm.exe is the original executable file. (Surely it should be, otherwise you should not be able to run Excel.)
In the alert, click "view properties." In the window that appears, click the "version" tab, and confirm whether it's from Microsoft. Note that this won't always work, because virus developers can simply add copyright information as Microsoft ;)
So the recommended way is to click "More Info" in the alert to check the NTVDM.exe from the online SmartDefense Advisor.
Are you sure MS Excel works fine when you click Deny? Well, it must work fine. Even when you click "Deny" in Internet Explorer 7.0, it works fine. But if you have confirmed that it's from Microsoft, click "Allow". Because when you click "Deny", ZoneAlarm blocks something which NTVDM.EXE tries to perform. Only Microsoft Company would know that. Don't worry much about this. You can always click "Deny", if no program errors occur.
Message Edited by chamath on 03-07-2008 01:30 AM
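Added example, not part of the original posts: the reply notes that the version tab can be faked, so this PowerShell sketch checks the image path and the Authenticode signature of ntvdm.exe alongside the version resource. The function name Test-NtvdmImage and the "trusted" criteria are assumptions made for this illustration.

```powershell
# Expected location of the Windows-supplied NTVDM binary.
$expected = Join-Path $env:SystemRoot 'System32\ntvdm.exe'

function Test-NtvdmImage {
    param([Parameter(Mandatory)][string]$Path)

    $item   = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig    = Get-AuthenticodeSignature -LiteralPath $item.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $inPlace = $item.FullName -ieq $expected

    [pscustomobject]@{
        Path            = $item.FullName
        # Version resource is informational only: any file can claim "Microsoft".
        CompanyName     = $item.VersionInfo.CompanyName
        InExpectedPath  = $inPlace
        # Caveat: older PowerShell versions that do not consult Windows catalog
        # files can report NotSigned for catalog-signed system binaries, so a
        # NotSigned result there is inconclusive rather than proof of tampering.
        SignatureStatus = $sig.Status
        Signer          = $signer
        Trusted         = $inPlace -and
                          ($sig.Status -eq 'Valid') -and
                          ($signer -match 'O=Microsoft Corporation')
    }
}

# Check the image of every running ntvdm process; if none is running,
# fall back to the expected on-disk copy.
$targets = @(Get-Process -Name ntvdm -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    Select-Object -ExpandProperty Path -Unique)
if (-not $targets) { $targets = @($expected) }

$targets |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Test-NtvdmImage -Path $_ } |
    Format-List
```

A row where CompanyName says Microsoft but InExpectedPath or Trusted is False is the case the reply warns about: the version information alone proves nothing.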