
Thread: ntvdm.exe suspicious behaviour

  1. #1
    parmenides Guest

    ntvdm.exe suspicious behaviour

    When I run MS Excel 4.0 I get the red security alert about keylogging, however not always. Not when some other programs are open, like a web browser. I always click on "deny" and it is no problem to run Excel. This seems very suspicious to me. Why in one case and not in the other, and why is clicking on "deny" not a problem?

  2. #2
    chamath Guest

    Re: ntvdm.exe suspicious behaviour

    Hi Parmenides,

    I guess you have Windows XP.

    MS Excel 4.0 is a 16-bit application. Windows XP is a 32-bit/64-bit OS. Ntvdm.exe is from Microsoft and it creates an environment on your computer to execute 16-bit applications.

    Now, about the keylogger alert. You should know that the OS Firewall Alert of ZoneAlarm regarding "Monitor user activities" has "unusual things". Well, I don't call it a bug. ZoneAlarm sometimes produces false alerts, giving the user the impression that the program is a keylogger. Even when you run Internet Explorer 7.0, ZoneAlarm warns about a keylogger. When a virus tries to take control of the keyboard, ZoneAlarm warns about a keylogger, instead of warning about losing control of the keyboard. The following are some links if you want to know more:

    http://forum.zonelabs.org/zonelabs/b...ssage.id=14731
    http://forums.zonelabs.com/zonelabs/...ssage.id=14747

    First make sure that Ntvdm.exe is the original executable file. (Surely it should be, otherwise you should not be able to run Excel.)
    In the alert, click "view properties." In the window that appears, click the "version" tab, and confirm whether it's from Microsoft. Note that this won't always work, because virus developers can simply add copyright information as Microsoft.
    So the recommended way is to click "More Info" in the alert to check NTVDM.exe in the online SmartDefense Advisor.

    Are you sure MS Excel works fine when you click Deny? Well, it must work fine. Even when you click "Deny" in Internet Explorer 7.0, it works fine. But if you have confirmed that it's from Microsoft, click "Allow", because when you click "Deny", ZoneAlarm blocks something which NTVDM.EXE tries to perform. Only Microsoft would know that. Don't worry much about this. You can always click "Deny", if no program errors occur.

    Message Edited by chamath on 03-07-2008 01:30 AM
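
The reply above notes that the "version" tab can be faked because anyone can write "Microsoft" into a file's copyright fields. The following is an added example, not part of the original thread: a PowerShell check that reports the claimed company name only as information and bases its verdict on the file's location and its Authenticode signature. The function name `Test-SystemBinary` and the "verified/unverified" verdict are illustrative assumptions, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0 or later.
function Test-SystemBinary {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Where the genuine copy is expected to live.
    $expectedDir = Join-Path $env:SystemRoot 'System32'
    $inSystemDir = $file.DirectoryName -ieq $expectedDir

    # Version-tab text is an ordinary resource string that any author can set.
    $claimedCompany = $file.VersionInfo.CompanyName

    # Authenticode check: signature status plus the certificate that signed the file.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # Heuristic (assumption): valid chain and a Microsoft organisation field in the subject.
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                         ($signer -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        Path              = $file.FullName
        InSystem32        = $inSystemDir
        ClaimedCompany    = $claimedCompany   # informational only, never trusted
        SignatureStatus   = $sig.Status
        Signer            = $signer
        SignedByMicrosoft = $signedByMicrosoft
        Verdict           = if ($inSystemDir -and $signedByMicrosoft) { 'verified' } else { 'unverified' }
    }
}

# Check the copy in the Windows system directory.
Test-SystemBinary -Path (Join-Path $env:SystemRoot 'System32\ntvdm.exe')
```

Many Windows system files are signed through a catalog rather than an embedded signature, and older PowerShell versions may report those as `NotSigned`; read an "unverified" verdict there as "not confirmed", not as proof of tampering.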
