Re: ping to google



Sorry, I confused the name of the process: as you observed, the correct one
is ntvdm.exe (and not the other ntdvm.exe that is malware).
I know that ntvdm.exe should be related to 16-bit DOS applications (and I am
not running any of them), but I have seen that the file cmd.exe is probably
called. It is interesting to observe that, from Prefetch, the following
sequence is called:
WUAUCLT.EXE
PING.EXE
FIND.EXE
CMD.EXE
Do you have any suggestions? The files you mentioned are created/deleted each
time, and so it is not possible to remove the possible malware (if it is).
I should find where the ping command is assigned..
Thank you


I have seen

"Pegasus (MVP)" wrote:


"giordi" <giordi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:818C9022-3D36-4E91-B005-3B4833808543@xxxxxxxxxxxxxxxx
I have a strange problem on my notebook with XPsp2: when I work at home and I
connect to ADSL, the process NTDVM.exe starts and "inglobes" 100% of CPU.
By means of Norton GoBack, I have found that, after the connection, a ping
to google occurs (so involving cmd.exe). In particular, these are the related
commands:

/C ping -n 1 -w 1000 66.102.9.99 | find/C"(100%"
ping -n 1 -w 1000 66.102.9.99
find/C"(100%"
After these, the following occurs:
c:\windows\temp\QkstCBFsc.jpg (created/eliminated)
c:\windows\fdtnfnhrgit.exe
c:\windows\tasks\ipfqvkq|crfynpnoo.dat (substituted/modified)
c:\windows\system32\ntdvm.exe -f -i1
..and CPU goes to 100%!
I have run F-Secure and Panda anti-virus, as well as Spybot Search&Destroy,
but I have not found a virus. In addition, HijackThis does not highlight
any particular problem (at least, this is my impression..). Any suggestion to
solve the problem?
Where could the ping command be located? I have seen that some viruses
(W32.Mimail.p@mm) ping google to propagate themselves, but I have not found
the virus file on my computer.. Thank you for your help


Sounds like spyware or malware. The processes you list:

c:\windows\temp\QkstCBFsc.jpg (created/eliminated)
c:\windows\fdtnfnhrgit.exe
c:\windows\tasks\ipfqvkq|crfynpnoo.dat (substituted/modified)

are not native Windows processes. Furthermore, if ntvdm.exe
(not ntdvm.exe!) gets invoked then you're running some 16-bit
command. It's not ping.exe - ping is a 32-bit application.


