  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1364

iexplore.exe uses 90% of CPU resources and won't shut down

I have a Windows XP Pro machine, all updates current, with Internet Explorer 6.0, on a 1.7GHz Celeron Dell PC, 1 gig pc4200, plenty of HDD space. The PC works fine most of the time, but about once an hour, iexplore.exe starts to take up about 90% of the system's CPU resources and everything else slows to a crawl. It is not possible to end task the iexplore.exe application. The only way to correct it is to restart the PC, and then it works fine for another hour or so. I have run MS Windows Malicious Software Removal Tool and Windows Defender Beta. Both find no virus or spyware. McAfee virus scan also finds no problems.

I am attaching a log of HijackThis. I don't see anything that looks troubling, but am not really sure what I am looking for. Y, the NDAS entry listed is for a network storage device that has run trouble free for over a year. CTE.exe and norstart.exe are autodialer apps from Nortel that integrate the PC with my phone system. It has also been trouble free on other PCs. mouse32a.exe is a mouse driver that has been trouble free for years elsewhere. DPAgent is for a fingerprint scanner.

I have tried running the XP system scan to look for damaged files, and while I am not sure if it found any, it did not fix the problem. My IE temp file size is 75 megs. One user suggested that a really large amount of space allocated to this could cause problems.

I have disabled third party browser extensions.

I use an Acrobat Professional 7.0 plug-in frequently and there may be some correlation to loading this, but I can't say that I can predictably reproduce the problem by just opening the plug-in.

Any suggestions would be appreciated.

HIJACK THIS LOG:


Logfile of HijackThis v1.99.1
Scan saved at 2:57:54 PM, on 5/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\WINDOWS\system32\NorStart.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\System32\Cte.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\Program Files\Adobe\Acrobat\Acrobat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Network Associates\VirusScan\scan32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\downloads\hijack this\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [HPWUTOOLBOX] C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe "-i"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.ameriprise.com (HKLM)
O15 - Trusted Zone: *.ameriprisecentral.com (HKLM)
O15 - Trusted Zone: *.ampadvisor.com (HKLM)
O15 - Trusted Zone: *.documentsonthenet.com (HKLM)
O15 - Trusted Zone: *.ez-data.com (HKLM)
O15 - Trusted Zone: *.foremostadvice.com (HKLM)
O15 - Trusted Zone: *.FundPOINTDesktop.com (HKLM)
O15 - Trusted Zone: *.marketwatch.com (HKLM)
O15 - Trusted Zone: *.ogilvy.com (HKLM)
O15 - Trusted Zone: *.orders.com (HKLM)
O15 - Trusted Zone: *.pii121.com (HKLM)
O15 - Trusted Zone: *.riversource.com (HKLM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147634731953
O20 - Winlogon Notify: DPWLN   - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Norstar TSP Launcher (NorStart) - Nortel Networks Corp. - C:\WINDOWS\SYSTEM32\NorStart.exe
O23 - Service: OmniForm Printer - Unknown owner - C:\WINDOWS\system32\ofps.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe



zephyr_hex (Megan), Developer, commented:
here is a link to your analyzed log.  i will look at it more closely and post my opinions in a bit
http://www.hijackthis.de/logfiles/98a4678557fe7fb44f4d0f5bab4f0f7f.html

Jonvee commented:
Here's your analysed log, as you can see there are several items to fix.

http://www.hijackthis.de/logfiles/c3ff3bd70a881fa5f03a37f8bd622632.html

Jonvee commented:
Ideally you should create a folder where you would like the HijackThis file to reside, and run it from there, not from the Desktop or a temp folder. It is important that you download this file to its own folder as this folder will be used when HijackThis makes backups. Temp folders get deleted, taking with them HJT's 'backups' of items that were 'fixed'.

Recommend you fix all items marked as "nasty".   Details to follow.
Jonvee commented:
Confirming that as long as you did not add these "nasty" pages to your trusted pages, they should be fixed.

Jonvee commented:
By reading all the "tips" column of your HijackThis analysis against the "unknown" entries, you should be able to identify and probably 'Fix' most of them.   If in any doubt, please leave item alone.  Reboot and test.

zephyr_hex (Megan), Developer, commented:
i don't recognize norstart.exe, and google turns up nothing for it.  any idea what it is?
it is running out of system32, as is something called cte.exe. if you don't recognize them, it's strange that google shows nothing for them either.  they could be malware.

you also seem to have 2 antiviruses installed (network associates virusscan and mcafee).  you should uninstall one of them.  it's not good to run 2 antivirus programs.  i would start with this (uninstalling one of the two antivirus programs) and see if that resolves your problem.  another suggestion is to check IE in safe mode.  does the problem happen there, too?

HJT has marked several items as Trusted Zone.  look through them.  if you did not add those to your trusted pages, you should remove them.

other notes:  windows defender and MS malicious software remover are a far cry from adequate antispyware tools.  spybot (which you have installed) and ewido are better.

klichcfp (Author) commented:
Thanks. All the unknown items marked on the HJT log are known safe to me. cte and norstart are Nortel telephone/PC integration apps. They let me dial my digital phone from the PC.

I will remove one of the AV apps. Didn't realize I had two. One must have come with the PC. One is part of my company's SW suite.

Will also try safe mode to see if it happens there too.

Thanks

Jonvee commented:
Ok.  Well another idea is to download and run the small utility Process Explorer version 10.0 to show a list of your currently active processes, monitoring them throughout the whole period, and hopefully spotting the 'problem' as it begins.
It has been described as an advanced process management utility that picks up where Task Manager leaves off:

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Additionally, have you tried running this free version of Ewido anti-malware?  Update first, then scan in Safe mode:
http://www.ewido.net/en/download/

Jonvee commented:
Oops, sry .. just re-read the thread and see that zephyr_hex has already recommended ewido.

klichcfp (Author) commented:
I looked and I can only find one AV application which is the McAfee Enterprise edition. What did you see that makes you think I also have Norton AV installed?

The system scan by Ewido found no malware.

The PC's user was out today so I couldn't really tell whether the problem has been resolved or not.

Jonvee commented:
Ok klichcfp, thanks for the feedback.   Apart from the fact that a McAfee AV seems heavy on PC resources, can't add much at the moment .. unless you can talk your client into using one of these.  The free AVG(Grisoft) scanner is excellent:

http://www.grisoft.com/us/us_dwnl_free.php
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://housecall.trendmicro.com

[Have been off line for ~ 30 hours due to a phone company working party accidentally removing the wrong cable (ours!), but we're back in business now]
Will await your later report.

Jonvee commented:
Hope you resolved the issue satisfactorily.   Thank you.
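
A small triage script for the kind of HijackThis log posted in this thread, added here as an example and not part of any participant's post: it groups entries by section code and lists the Trusted Zone sites and "Unknown owner" or "(file missing)" services discussed in the replies, plus unnamed BHOs, for manual confirmation. The sample input is an excerpt of the log above; the function names and flagging rules are assumptions of this example, and a flagged entry is a prompt to verify, not a verdict.

```python
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted in this thread (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O15 - Trusted Zone: *.marketwatch.com (HKLM)
O15 - Trusted Zone: *.orders.com (HKLM)
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: OmniForm Printer - Unknown owner - C:\WINDOWS\system32\ofps.exe
"""

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY = re.compile(r"^(O\d{1,2}|R[0-3]|F[0-3]|N[1-4]) - (.*)$")

def parse(log_text):
    """Group HijackThis entries by section code (O2, O4, O15, O23, ...)."""
    sections = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections

def review_list(sections):
    """Return (code, reason, entry) tuples a person should confirm before fixing."""
    findings = []
    for entry in sections.get("O23", []):
        if "(file missing)" in entry:
            findings.append(("O23", "service binary not found at logged path", entry))
        elif "Unknown owner" in entry:
            findings.append(("O23", "service binary reports no company name", entry))
    for entry in sections.get("O15", []):
        findings.append(("O15", "confirm this Trusted Zone site was added on purpose", entry))
    for entry in sections.get("O2", []):
        if entry.startswith("BHO: (no name)"):
            findings.append(("O2", "unnamed browser helper object; identify by DLL path", entry))
    return findings

if __name__ == "__main__":
    for code, reason, entry in review_list(parse(SAMPLE_LOG)):
        print(f"[{code}] {reason}\n      {entry}")
```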