vj_mi
asked on
Explorer.exe takes 100%
When I use my Pc for around 20-25 mins, suddenly my PC becomes very slow. When I look the task manager, I find explorer.exe taking 97% of the CPU. I tried killing this process but I get error Access Denied. Is this any kind of virus or trojan? How to manually remove it?
Note: I am running QuickHeal antivirus though.
Regards,
MI
Note: I am running QuickHeal antivirus though.
Regards,
MI
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Will Szymkowski
Also update all of these programs in Windows 32-bit (Normal) mode and then reboot computer into safe mode and run the scans. When you have completed this turn system restore back on.
I've found that this also happens when you have a system that has ghosted/disconnected printers, and one of these is set to the "Default" printer. Check your printer settings, make sure the default printer is available. Also make sure you do not have any other network connections that are disconnected, if so delete them.
First, you want to download Process Explorer from sysinternals.com, install, and getting it running first.
Explorer.exe is a very large part of Windows, it is included as part of Internet Explorer and integrated with nearly everything. Often, it will have many subtasks, it is these processes and handles [subtasks] that can take up all the cputime when they hammer away at some driver. A typical example is that of trying to find a printer that no longer exists to print a document. Another example is a leftover acmsetup.exe that may reside in some temp file or on a pagefile partition, etc..
A known interfering acmsetup.exe is associated with gm.dls which is a General Midi file. This file can reside itself in
Windows\System32\Drivers\e
I have seen this thing spread from one Windows computer to another on our internal network. I don't know what it is, virus, adware, spyware, perhaps someone clicked on a link somewhere that somehow got around all the security, but it could just as well be something on some install disk, even a Windows on [they have had infections in the past, even the setup disks]. If it's a legitimate program, I have no idea why it is trying to worm its way around, but I have stopped it. AVG gave some indication, the latest release, but didn't really get rid of it; I had to do that by hand.
It was caught primarily with Process Explorer, but still seems to have some effect on the base machine where I found it, in that explorer.exe is taking far too long to display files and folders. But this too is a problem with explorer, and its super integration and all the dependencies, itself. I've gotten to a few handles that seem out of order, but nothing definitive yet and it's still bogging down times and constantly refreshing the folders display.
That's on a Windows XP Home machine, which seems more prone than XP Pro or our Windows Servers to such activity.
We're going to capture our data and install Windows XP Pro on that box.
As far as the ghosted printers, yes, we have found that to be true, but we've also now found it somehow associated with midi and acmsetup.exe
We killed of temp directory acmsetup.exe was accessing, but it only created another directory. When we killed off the partition, however, it seemed to have died; yet, we still have that 100% cputime every time we look at a directory using Windows Explorer.
Hijackthis will probably show the same thing, but Process Explorer is in real time and there is no need to build a massive text file. Hijackthis may or may not find the cause of the problem. Process Explorer will show you exactly which thread or handle is using the 100% cputime.
From there you have choices to make on what to do about it, suspend it usually, and note the effect. You can't just delete any process, as this may freeze your machine.
If you need more help on using Process Explorer, just ask, I'm sure everyone here knows how to use it.
Explorer.exe is a very large part of Windows, it is included as part of Internet Explorer and integrated with nearly everything. Often, it will have many subtasks, it is these processes and handles [subtasks] that can take up all the cputime when they hammer away at some driver. A typical example is that of trying to find a printer that no longer exists to print a document. Another example is a leftover acmsetup.exe that may reside in some temp file or on a pagefile partition, etc..
A known interfering acmsetup.exe is associated with gm.dls which is a General Midi file. This file can reside itself in
Windows\System32\Drivers\e
I have seen this thing spread from one Windows computer to another on our internal network. I don't know what it is, virus, adware, spyware, perhaps someone clicked on a link somewhere that somehow got around all the security, but it could just as well be something on some install disk, even a Windows on [they have had infections in the past, even the setup disks]. If it's a legitimate program, I have no idea why it is trying to worm its way around, but I have stopped it. AVG gave some indication, the latest release, but didn't really get rid of it; I had to do that by hand.
It was caught primarily with Process Explorer, but still seems to have some effect on the base machine where I found it, in that explorer.exe is taking far too long to display files and folders. But this too is a problem with explorer, and its super integration and all the dependencies, itself. I've gotten to a few handles that seem out of order, but nothing definitive yet and it's still bogging down times and constantly refreshing the folders display.
That's on a Windows XP Home machine, which seems more prone than XP Pro or our Windows Servers to such activity.
We're going to capture our data and install Windows XP Pro on that box.
As far as the ghosted printers, yes, we have found that to be true, but we've also now found it somehow associated with midi and acmsetup.exe
We killed of temp directory acmsetup.exe was accessing, but it only created another directory. When we killed off the partition, however, it seemed to have died; yet, we still have that 100% cputime every time we look at a directory using Windows Explorer.
Hijackthis will probably show the same thing, but Process Explorer is in real time and there is no need to build a massive text file. Hijackthis may or may not find the cause of the problem. Process Explorer will show you exactly which thread or handle is using the 100% cputime.
From there you have choices to make on what to do about it, suspend it usually, and note the effect. You can't just delete any process, as this may freeze your machine.
If you need more help on using Process Explorer, just ask, I'm sure everyone here knows how to use it.
check also the cpu temp when it is running slow - it can run too hot, stepping down the cpu speed
simple step run a disc cleanup at start all programs accessories system tools.
check in control panel administrative tools event viewer>applications db click an event paste back that event id numder.
check in control panel administrative tools event viewer>applications db click an event paste back that event id numder.
Overheating hardware wont cause explorer to hog 100%, it will cause failure or 0% on all processes.
If explorer is using up to 100%, it is either internet worm (or similar malware trying to flood net from your PC), or it is ofter corrupt registry. Even network access will not use explorer beyond typically 40%. SUggest you first look through installed programs to see any internet intensive task like AOL, instant messenger, chat, or file sharing utilities, and stop those processes or uninstall the apps. Also never heard of Quick Heal antivirus, might suspect / uninstall that app to test.
In the end, if not a malware / virus or an errant app, explorer usage to 100% usually means a corrupt windows install. Suggest you do a repair install by removing any unwanted apps first, then insert XP install CD, then go through as if you are installing XP again, but when it comes to find your existing installation, highlighted, then press R to repair. After this is done, reinstall SP2 -- that process just fixed a similar corrupt system tonight when not even registry repair would help.
If explorer is using up to 100%, it is either internet worm (or similar malware trying to flood net from your PC), or it is ofter corrupt registry. Even network access will not use explorer beyond typically 40%. SUggest you first look through installed programs to see any internet intensive task like AOL, instant messenger, chat, or file sharing utilities, and stop those processes or uninstall the apps. Also never heard of Quick Heal antivirus, might suspect / uninstall that app to test.
In the end, if not a malware / virus or an errant app, explorer usage to 100% usually means a corrupt windows install. Suggest you do a repair install by removing any unwanted apps first, then insert XP install CD, then go through as if you are installing XP again, but when it comes to find your existing installation, highlighted, then press R to repair. After this is done, reinstall SP2 -- that process just fixed a similar corrupt system tonight when not even registry repair would help.
@ scrathcyboy Hi
it was just an idea, have done this on my own computer/s when it was experiencing 100% cpu usage web browsing was so so slow, and discovered that this fixed it.
Cheers Merete
it was just an idea, have done this on my own computer/s when it was experiencing 100% cpu usage web browsing was so so slow, and discovered that this fixed it.
Cheers Merete
ASKER
Hi all,
Noticed one more thing:
In registry under RAS Autodial->Adresses, there are lot of junk IP adresses and web sites URLS. I am not sure of IP addresses so I did not touch that part but when I removed the junk URLs, they again get added. Also I found that when these junk URLS are not there, CPU usage is ok. The moment these entries again get added, CPU usage come down.
Also should I removed all IP addresses?
Regards,
MI
Noticed one more thing:
In registry under RAS Autodial->Adresses, there are lot of junk IP adresses and web sites URLS. I am not sure of IP addresses so I did not touch that part but when I removed the junk URLs, they again get added. Also I found that when these junk URLS are not there, CPU usage is ok. The moment these entries again get added, CPU usage come down.
Also should I removed all IP addresses?
Regards,
MI
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
"In registry under RAS Autodial->Adresses, there are lot of junk IP adresses and web sites URLS. I am not sure of IP addresses so I did not touch that part but when I removed the junk URLs, they again get added. Also I found that when these junk URLS are not there, CPU usage is ok. The moment these entries again get added, CPU usage come down."
helper objects and hijack sites phoning home. Type this in command prompt:
ipconfig /flushdns
Go to IE Tools | Internet Options | General Tab and clear the files and history.
Secondly, if you're not using dial in, consider disabling it [unless, of course, your connection is a dialup], definitely do no let it dial a connection for anyone, and no call back. Most here are using DSL, so there's not longer much need for dialup.
You should do the scans, hijack and whatever else you can, including a rootkit finder. Check also under your temp files to see if anything there is trying to execute; often some sites when you visit them will install something to the temp files and then execute them, depending on you Internet Explorer settings.
\Windows\Temp
<drive>:\Documents and Settings\<username>\Local Settings\Temp
<drive>:\Documents and Settings\<username>\Local Settings\Temporary Internet Files
and your history is under:
<drive>:\Documents and Settings\<username>\Local Settings\History
whether <username> is Administrator or some username you login with. This is what makes it dangerous to be running as Administrator, with full system privilieges; basically anything under this account can execute, while other accounts are more limited.
It's best to clone Administrator to a new username and use that new username to log in with. You can curtail what the username can do and exectute by settings user permissions.
Apache and IIS, if you're running either, can also execute things in the temp folders; you can restrict this with locking down the permissions on these temp folders; another subject for another time.
A virus is any program that executes on your computer without your express permission, thereafore, adware and spyware are viruses. Technically it's called "Electronic Breaking and Entering" and the law and penalties apply to malicious viruses, adware, and spyware; it is a Class A Felony to break into a computer surreptitiously regardless of intent or motive. Therefore, do not think that adware or spyware is somehow less of a crime than a virus written for the malicious intent.
helper objects and hijack sites phoning home. Type this in command prompt:
ipconfig /flushdns
Go to IE Tools | Internet Options | General Tab and clear the files and history.
Secondly, if you're not using dial in, consider disabling it [unless, of course, your connection is a dialup], definitely do no let it dial a connection for anyone, and no call back. Most here are using DSL, so there's not longer much need for dialup.
You should do the scans, hijack and whatever else you can, including a rootkit finder. Check also under your temp files to see if anything there is trying to execute; often some sites when you visit them will install something to the temp files and then execute them, depending on you Internet Explorer settings.
\Windows\Temp
<drive>:\Documents and Settings\<username>\Local Settings\Temp
<drive>:\Documents and Settings\<username>\Local Settings\Temporary Internet Files
and your history is under:
<drive>:\Documents and Settings\<username>\Local Settings\History
whether <username> is Administrator or some username you login with. This is what makes it dangerous to be running as Administrator, with full system privilieges; basically anything under this account can execute, while other accounts are more limited.
It's best to clone Administrator to a new username and use that new username to log in with. You can curtail what the username can do and exectute by settings user permissions.
Apache and IIS, if you're running either, can also execute things in the temp folders; you can restrict this with locking down the permissions on these temp folders; another subject for another time.
A virus is any program that executes on your computer without your express permission, thereafore, adware and spyware are viruses. Technically it's called "Electronic Breaking and Entering" and the law and penalties apply to malicious viruses, adware, and spyware; it is a Class A Felony to break into a computer surreptitiously regardless of intent or motive. Therefore, do not think that adware or spyware is somehow less of a crime than a virus written for the malicious intent.
Hijackthis is an excellent diagnostic tool(don't know why not many people think of it first)
The culprit will probably show up its entries in the hijackthis log, hopefully :)
Some malware/viruses can still hide from hijackthis scan but most show us there.
The culprit will probably show up its entries in the hijackthis log, hopefully :)
Some malware/viruses can still hide from hijackthis scan but most show us there.
Yes, but hijackthis prints out a long text of mostly bloat, while a few prior steps may more quickly get a handle on it and at a lot less reading.
What hijackthis won't do is tell you which process, handle, or thread is using all the cputime. Process Explorer will tell you first exactly which is using all the cputime. From there, you can use hijackthis, etc., to trace the callers that are causing the problem. If some other program is calling on the Registry where the IP's are for phoning home, deleting them will only result in their re-emergence at some point, so, you have to find the source.
"when I removed the junk URLs, they again get added" who is adding these? A search bar, a helper bar? Most likely. Most suggest going to Add/Remove Programs and uninstalling all such searchbars and helper objects, and then hijackthis experts will tell you to go through the Registry and find all BHO entries [Bar Helper Objects] and delete them. It's important to uninstall the searchbarsa and helper objects first from Add/Remove programs because if you don't you will leave a lot of their program garbage lying about on you computer.
Aside from that, why doesn't Windows monitor cputime and report anything using over 70% cputime as a possible problem? Priorities are wrong, cputime allocation is wrong, and the lack of checks for endless loops is wrong on the Windows Operating Systems.
I can think of two handles offhand that have these problems:
BROWSEUI.dll!Ordinal138+0x
SHLWAPI.dll!Ordinal505+0x3
running under the Explorer.exe process tree and using 100% cputime at various points, in fact a lot, under one of our Windows boxes.
http://www.auditmypc.com/process/browseui.asp
http://www.auditmypc.com/process/shlwapi.asp
In particular, the suspected cause is that a link was clicked on which led to a site that had an a.bat install script which immediately hijacked this computer, but because it is behind various firewalls, including a Linux Firestarter, the hijack can't phone home so it causes Explorer/Internet Explorer integrated component to "spin its wheels" trying.
The next step for us is to emply the Windows Debugger to see what is calling these solve the problem there.
your problem may be similar, but it could also be a bad version of any Windows component related to Explorer.exe and/or Internet Explorer.
Often, suggested reinstalls of things like Service Packs and other Windows components will solve such problems, but you will not know exactly what caused them and the possibility of recurrence of the problem is likely. Which is why it is best to take the time to identify the actual cause the first time, so you'll recognise it and know how to deal with it immediately if the problem is revisited.
What hijackthis won't do is tell you which process, handle, or thread is using all the cputime. Process Explorer will tell you first exactly which is using all the cputime. From there, you can use hijackthis, etc., to trace the callers that are causing the problem. If some other program is calling on the Registry where the IP's are for phoning home, deleting them will only result in their re-emergence at some point, so, you have to find the source.
"when I removed the junk URLs, they again get added" who is adding these? A search bar, a helper bar? Most likely. Most suggest going to Add/Remove Programs and uninstalling all such searchbars and helper objects, and then hijackthis experts will tell you to go through the Registry and find all BHO entries [Bar Helper Objects] and delete them. It's important to uninstall the searchbarsa and helper objects first from Add/Remove programs because if you don't you will leave a lot of their program garbage lying about on you computer.
Aside from that, why doesn't Windows monitor cputime and report anything using over 70% cputime as a possible problem? Priorities are wrong, cputime allocation is wrong, and the lack of checks for endless loops is wrong on the Windows Operating Systems.
I can think of two handles offhand that have these problems:
BROWSEUI.dll!Ordinal138+0x
SHLWAPI.dll!Ordinal505+0x3
running under the Explorer.exe process tree and using 100% cputime at various points, in fact a lot, under one of our Windows boxes.
http://www.auditmypc.com/process/browseui.asp
http://www.auditmypc.com/process/shlwapi.asp
In particular, the suspected cause is that a link was clicked on which led to a site that had an a.bat install script which immediately hijacked this computer, but because it is behind various firewalls, including a Linux Firestarter, the hijack can't phone home so it causes Explorer/Internet Explorer integrated component to "spin its wheels" trying.
The next step for us is to emply the Windows Debugger to see what is calling these solve the problem there.
your problem may be similar, but it could also be a bad version of any Windows component related to Explorer.exe and/or Internet Explorer.
Often, suggested reinstalls of things like Service Packs and other Windows components will solve such problems, but you will not know exactly what caused them and the possibility of recurrence of the problem is likely. Which is why it is best to take the time to identify the actual cause the first time, so you'll recognise it and know how to deal with it immediately if the problem is revisited.
>>Yes, but hijackthis prints out a long text of mostly bloat,<<
NO.
>>What hijackthis won't do is tell you which process, handle, or thread is using all the cputime<<
That is correct! BUT Hijackthis entries can also tell us if the culprit is malware or not, bad entries in HJT points to an infection that may be causing the high cpu.
Instead of downloading malware scanners, I would suggest to use hijackthis first to eliminate the possibility of the culprit being malware or trojans.
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.
Notepad will also open, copy its contents and paste it to either these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:
Or paste the log at --> http://www.hijackthis.de/
and click "Analyse", click "Save". Post the link to the saved list here.
NO.
>>What hijackthis won't do is tell you which process, handle, or thread is using all the cputime<<
That is correct! BUT Hijackthis entries can also tell us if the culprit is malware or not, bad entries in HJT points to an infection that may be causing the high cpu.
Instead of downloading malware scanners, I would suggest to use hijackthis first to eliminate the possibility of the culprit being malware or trojans.
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.
Notepad will also open, copy its contents and paste it to either these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:
Or paste the log at --> http://www.hijackthis.de/
and click "Analyse", click "Save". Post the link to the saved list here.
seems you got a spy or a trojan download or install any kind od protection agaist one or both
try the process explorer from sysinternals.com see the runnig directory of the explorer .exe there maybe 2 one real explorer and the other is fake if the running directory is not c:\windows\explorer.exe then it's fake check size too (mine is 1,032,192 bytes)
try the process explorer from sysinternals.com see the runnig directory of the explorer .exe there maybe 2 one real explorer and the other is fake if the running directory is not c:\windows\explorer.exe then it's fake check size too (mine is 1,032,192 bytes)
agree with rpggamergirl the added advantage of running hijackthis is the free analyse which is excellent, by all means please run it, for the sake of a 2 minute process it can eliminate so much possibilities and then take it from there.
The client can even look at their own results and decide which way to go.
The reason we suggest this as a precaution is the fact there is a lot of unused URL, so for the purposes of cleanup ensure everything is cleaned out.
The most popular site which is hijackthis site as we have both repeatedly suggested is>http://www.hijackthis.de/
otherwise run it and copy the log and paste here ;)
here an example of a analysed log.
http://www.hijackthis.de/logfiles/b68b94119e9fe63f18d7a404942df037.html
The client can even look at their own results and decide which way to go.
The reason we suggest this as a precaution is the fact there is a lot of unused URL, so for the purposes of cleanup ensure everything is cleaned out.
The most popular site which is hijackthis site as we have both repeatedly suggested is>http://www.hijackthis.de/
otherwise run it and copy the log and paste here ;)
here an example of a analysed log.
http://www.hijackthis.de/logfiles/b68b94119e9fe63f18d7a404942df037.html
Process Explorer is not a malware scanner. It is written by one of the top Microsoft MVP's http://www.sysinternals.com/AboutUs.html Mark Russinovich.
hijackthis does print out a very long report, and when posted to a site, it is very hard to wade through to find the numerous problems. It's just an easier first step to find out what is using all the cputime, suspend it so your computer can run fast enough to do an hijackthis log, and, you'll already have a handle on where the problem lies.
I've recently tracked down quite a few sites where merely clicking on the link gets you infected, with things like a.bat, among others. You may have seen information on this in the news, regarding Google, some unscrupulous people falsifying links to Google, and subsequent hijacks with tracks covered as to where they came from. The Department of Justice caught this international ring, but that doesn't mean they got all of them. In a related story, the banks have decided to no longer honor the business credentials and carry the credit cards of such sites and businesses. These people have known for some time how to hijack and infect just about any Windows computer and most of them are expert programmers. You may have read about the Deputy Director of Homeland Security having been arrested for his illegal activities through this group. They were all caught the old fashioned way, some real people tracked the hijack back by using their brains and not just some computer program.
Kind of sad that. I get a lot of skeptics about our participation with various authorities; I ignore them and the detractors. Hijacking is taken as very serious business because it's a first step in Identity Theft. And that is why we search out the offending process, it will, sooner or later, have to phone home to be effective, even if home involves numerous offshore accounts, the three country shell game, evading U.S. Law, and any and all other kinds of end around runs. It's also a matter of National Security, so we have a lot of people involved in catching these hijackers.
Once you've identified the cputime hog, copy its entire name and post it. Then run hijackthis and someone will help you clean up your computer. I'd just like to know the name of the process for Microsoft Development Team.
hijackthis does print out a very long report, and when posted to a site, it is very hard to wade through to find the numerous problems. It's just an easier first step to find out what is using all the cputime, suspend it so your computer can run fast enough to do an hijackthis log, and, you'll already have a handle on where the problem lies.
I've recently tracked down quite a few sites where merely clicking on the link gets you infected, with things like a.bat, among others. You may have seen information on this in the news, regarding Google, some unscrupulous people falsifying links to Google, and subsequent hijacks with tracks covered as to where they came from. The Department of Justice caught this international ring, but that doesn't mean they got all of them. In a related story, the banks have decided to no longer honor the business credentials and carry the credit cards of such sites and businesses. These people have known for some time how to hijack and infect just about any Windows computer and most of them are expert programmers. You may have read about the Deputy Director of Homeland Security having been arrested for his illegal activities through this group. They were all caught the old fashioned way, some real people tracked the hijack back by using their brains and not just some computer program.
Kind of sad that. I get a lot of skeptics about our participation with various authorities; I ignore them and the detractors. Hijacking is taken as very serious business because it's a first step in Identity Theft. And that is why we search out the offending process, it will, sooner or later, have to phone home to be effective, even if home involves numerous offshore accounts, the three country shell game, evading U.S. Law, and any and all other kinds of end around runs. It's also a matter of National Security, so we have a lot of people involved in catching these hijackers.
Once you've identified the cputime hog, copy its entire name and post it. Then run hijackthis and someone will help you clean up your computer. I'd just like to know the name of the process for Microsoft Development Team.
>>Process Explorer is not a malware scanner<<
Now who would even think of Process explorer as a malware scanner? I definitely was not talking about that, lol
I know that Process explorer is a very good tool in its own right. Hijackthis on the other hand is a completely different tool which is also a very good tool in its own right. And I prefer it because I use it all the time and its bad entries tells me if they are part of an infection or not.
Let's say a pc has a look2Me infection, there is only one process running and if you kill that it changes into another random named process, there is NO WAY that you can remove an infection by just merely using a process explorer, look2me infection creates numerous random named files.
Whereas using hijackthis, it can pinpoint the entry that relates to look2me and to the Hijackthis Expert's eye he/she already know what tools to use to fix the whole thing.
Let us not forget that our aim is to help resolve the Asker's problem instead of filling this thread with my own unnecessary comments, it's a period for me, lol.
Now who would even think of Process explorer as a malware scanner? I definitely was not talking about that, lol
I know that Process explorer is a very good tool in its own right. Hijackthis on the other hand is a completely different tool which is also a very good tool in its own right. And I prefer it because I use it all the time and its bad entries tells me if they are part of an infection or not.
Let's say a pc has a look2Me infection, there is only one process running and if you kill that it changes into another random named process, there is NO WAY that you can remove an infection by just merely using a process explorer, look2me infection creates numerous random named files.
Whereas using hijackthis, it can pinpoint the entry that relates to look2me and to the Hijackthis Expert's eye he/she already know what tools to use to fix the whole thing.
Let us not forget that our aim is to help resolve the Asker's problem instead of filling this thread with my own unnecessary comments, it's a period for me, lol.
This is a bit of a shot in the dark, but since it is easy to try:
Disable your anti-virus program as a test, and see if the problem goes away.
I recently had a similar case where this turned out to be the problem.
Disable your anti-virus program as a test, and see if the problem goes away.
I recently had a similar case where this turned out to be the problem.
I wouldn't disable the anti-virus while on line; it can lead to instant infection.
You can stop a virus from executing random names by suspending it with Process Explorer; that was my point.
There are lots of ways to manually stop a virus. Once stopped, it can be dealt with. hijackthis may or may not find its root cause, a human being should be able to, given enough time and the proper tools and knowhow.
You can stop a virus from executing random names by suspending it with Process Explorer; that was my point.
There are lots of ways to manually stop a virus. Once stopped, it can be dealt with. hijackthis may or may not find its root cause, a human being should be able to, given enough time and the proper tools and knowhow.
"I wouldn't disable the anti-virus while on line; it can lead to instant infection."
Perhaps you're thinking of a firewall. Disabling a firewall may lead to instant infection. Disabling an AV program is highly unlikely to lead to any infection unless you follow that up with other unsafe behavior (such as clicking of attachments or web links).
Perhaps you're thinking of a firewall. Disabling a firewall may lead to instant infection. Disabling an AV program is highly unlikely to lead to any infection unless you follow that up with other unsafe behavior (such as clicking of attachments or web links).
lets wait till vj_mi on gives us some feed back, there is plenty for him to test now.
vj_mi on how is going please let us know what suggestions you have tried?
Cheers Merete
vj_mi on how is going please let us know what suggestions you have tried?
Cheers Merete
r-k
No, I was speaking of antivirus protection because disabling it disables the protection against viruses, while firewalls serve another purpose.
No, I was speaking of antivirus protection because disabling it disables the protection against viruses, while firewalls serve another purpose.
ASKER
Hi,
Since my system has become very slow, I am unable to download the suggested tools. I also found that most of you recommend Hijackthis.
Today I downloaded HijackThis. At the end, it displayed long results and it was very confusion. I still tried to remove couple of registry entries as suggested by the tool. But it did not resolve my problem.
Let me know try other links as mentioned here. Will keep you friends updated .... but I am really frustated with this issue since all my deliverables to the client has stopped!
Regards,
MI
Since my system has become very slow, I am unable to download the suggested tools. I also found that most of you recommend Hijackthis.
Today I downloaded HijackThis. At the end, it displayed long results and it was very confusion. I still tried to remove couple of registry entries as suggested by the tool. But it did not resolve my problem.
Let me know try other links as mentioned here. Will keep you friends updated .... but I am really frustated with this issue since all my deliverables to the client has stopped!
Regards,
MI
Another reason for this might be that the user profile is corrupted. I've seen this happen with Win/2000 sometimes. You can create a new username, or log-in as Administrator, and see if the system works normally then.
Re. HijackThis, post the results (using copy-and-paste) to http://www.hijackthis.de/ then click on the "Analyze" button, and on the next page click on "Save Analysis" at the bottom, and finally post the link to the saved analyzed page here.
What Windows version are you running? If XP, is it Home or Pro?
Re. HijackThis, post the results (using copy-and-paste) to http://www.hijackthis.de/ then click on the "Analyze" button, and on the next page click on "Save Analysis" at the bottom, and finally post the link to the saved analyzed page here.
What Windows version are you running? If XP, is it Home or Pro?
ASKER
Hi r-k,
I am already logged in as adminsitrator.
"post the results (using copy-and-paste) to http://www.hijackthis.de/ ..."-> Yes I did this.
Windows version -> 2000
Regards,
MI
I am already logged in as adminsitrator.
"post the results (using copy-and-paste) to http://www.hijackthis.de/ ..."-> Yes I did this.
Windows version -> 2000
Regards,
MI
you should post the link where you saved the analysis . . . not the general link . . .
"I am already logged in as adminsitrator"
In that case, if you can, create a new user from the Control Panel, then log-in as that user and see if the system works normally then.
In that case, if you can, create a new user from the Control Panel, then log-in as that user and see if the system works normally then.
>>Today I downloaded HijackThis. At the end, it displayed long results and it was very confusion.<<
that's what we are here for, to look at the log, the analyzer itself wouldn't know the difference between a legit windows file and not. that analyzer is only as good as their database.
EE doesn't recommend posting hijackthis log on the topic that's why we always suggest to have the log uploaded somewhere.
You need to save the analysis of your logfile and then post the link of the saved analysis back here.
Or:
You can also paste your hijackthis log to this site below.
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url of the pasted log and post it here:
that's what we are here for, to look at the log, the analyzer itself wouldn't know the difference between a legit windows file and not. that analyzer is only as good as their database.
EE doesn't recommend posting hijackthis log on the topic that's why we always suggest to have the log uploaded somewhere.
You need to save the analysis of your logfile and then post the link of the saved analysis back here.
Or:
You can also paste your hijackthis log to this site below.
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url of the pasted log and post it here:
ASKER
Hi,
I tried using http://www.ewido.net/en/download/.
I executed in safe mode. I got number of messages warning of infected files. I used "Action = Remove". At the end, I rebooted the machine. I again executed this utility. It again started giving the same messages for infected files. Does this mean that the utility could not clean the PC correctly? Or is it due to trial version?
Regards,
MI
I tried using http://www.ewido.net/en/download/.
I executed in safe mode. I got number of messages warning of infected files. I used "Action = Remove". At the end, I rebooted the machine. I again executed this utility. It again started giving the same messages for infected files. Does this mean that the utility could not clean the PC correctly? Or is it due to trial version?
Regards,
MI
Ewido is good but it also has its limitations just like other antivirus\malware scanners.
Ewido can not remove look2Me, Vundo, new qoologic etc etc.
That's why we wanted to see your hijackthis log so we'll know what malware are present in your system, so we can then point you to a special tool specifically designed to remove particular malware infections.
Did you save the Ewido log?
Ewido can not remove look2Me, Vundo, new qoologic etc etc.
That's why we wanted to see your hijackthis log so we'll know what malware are present in your system, so we can then point you to a special tool specifically designed to remove particular malware infections.
Did you save the Ewido log?
vj_mi to assist you and help you understand, the reason you have viruses or spyware or trojans etc is because your accessing the internet Without proper protection,just as in life we have to practise safe sex lol it is now mandatory for us poor computer users to do the same when going out in the WWW
your anti virus program is not being updated enough, you may not have a firewall and the necessary spyware protecters in place, and they are free.
Your email client security is not good enough or your anti virus is not scanning the incoming emails, attachments from our friends and family is the most common way trojans enter your machine because the trojan writers know we trust our friends..
Everytime you clean your machine even in safemode, reboot to normal if you have not added extra protection they will re-infect.
the malware come back.
Please download these and install them and then run them now.. for a perminent protection and to assist in keeping your machine free.
s&d spybot malware scanner requires updating.
http://www.majorgeeks.com/download.php?det=2471
spyblaster is not a scanner it prevents spyware from accessing your computer and works with s&d spybot requires updating.
Free Download - SpywareBlaster 3.5.1
http://majorgeeks.com/download2859.html
update your anti virus definitions and run it.
Perform a windows update.
run this to help
Microsoft Malicious Software Removal Tool then download it for full protection it gets updated with windows updates.
http://www.microsoft.com/security/malwareremove/default.mspx
Then go to your start menue internet options and delete all the cookies internet tempoorary files and history.
You may have to dis-able your system restore to delete them then re-enable it to start a new one.
trojans can hide in them and while windows is using it anto virus programs cannot scan it, that is why safemode is the best place to run scans, it opens all files and folders, safemode is a diagnostic platform running with minimum drivers for this reason.
If you have a lot of files on your hdd it pays to back them up regulary, or better still get a slave hdd and permanently ave everything to the slave.
The high rate of computer crashes with non repairable options is growing.
I see your having problems understanding the hijackthis, did you run the hijackthis then simply save the log please dont fix it just yet, then open the log go to edit at the top copy it all and paste the whole thing here, we'll check it.
Please download HijackThis 1.99.1 and save it into its own folder make a new folder paste the .exe inside this folder, then run it save the program to this folder as well. Then simply run it, it takes about 10 secs to run.
Open Hijackthis, click scan and save a logfile
then navigate to the hijackthis folder and copy out the log file
contents and paste here
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
This what an analysed log looks like not yours though, after you paste yours here I'll show you the outcome asap.
http://www.hijackthis.de/logfiles/b68b94119e9fe63f18d7a404942df037.html
your anti virus program is not being updated enough, you may not have a firewall and the necessary spyware protecters in place, and they are free.
Your email client security is not good enough or your anti virus is not scanning the incoming emails, attachments from our friends and family is the most common way trojans enter your machine because the trojan writers know we trust our friends..
Everytime you clean your machine even in safemode, reboot to normal if you have not added extra protection they will re-infect.
the malware come back.
Please download these and install them and then run them now.. for a perminent protection and to assist in keeping your machine free.
s&d spybot malware scanner requires updating.
http://www.majorgeeks.com/download.php?det=2471
spyblaster is not a scanner it prevents spyware from accessing your computer and works with s&d spybot requires updating.
Free Download - SpywareBlaster 3.5.1
http://majorgeeks.com/download2859.html
update your anti virus definitions and run it.
Perform a windows update.
run this to help
Microsoft Malicious Software Removal Tool then download it for full protection it gets updated with windows updates.
http://www.microsoft.com/security/malwareremove/default.mspx
Then go to your start menue internet options and delete all the cookies internet tempoorary files and history.
You may have to dis-able your system restore to delete them then re-enable it to start a new one.
trojans can hide in them and while windows is using it anto virus programs cannot scan it, that is why safemode is the best place to run scans, it opens all files and folders, safemode is a diagnostic platform running with minimum drivers for this reason.
If you have a lot of files on your hdd it pays to back them up regulary, or better still get a slave hdd and permanently ave everything to the slave.
The high rate of computer crashes with non repairable options is growing.
I see your having problems understanding the hijackthis, did you run the hijackthis then simply save the log please dont fix it just yet, then open the log go to edit at the top copy it all and paste the whole thing here, we'll check it.
Please download HijackThis 1.99.1 and save it into its own folder make a new folder paste the .exe inside this folder, then run it save the program to this folder as well. Then simply run it, it takes about 10 secs to run.
Open Hijackthis, click scan and save a logfile
then navigate to the hijackthis folder and copy out the log file
contents and paste here
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
This what an analysed log looks like not yours though, after you paste yours here I'll show you the outcome asap.
http://www.hijackthis.de/logfiles/b68b94119e9fe63f18d7a404942df037.html
ASKER
I also tried http://www.microsoft.com/security/malwareremove/default.mspx but no sign of my PC getting free of the problem.
I have uploaded the image of the messages I get. Any idea what they are? URL for my image upload:
https://filedb.experts-exchange.com/incoming/ee-stuff/150-Message_Malware.zip
Regards,
MI
I have uploaded the image of the messages I get. Any idea what they are? URL for my image upload:
https://filedb.experts-exchange.com/incoming/ee-stuff/150-Message_Malware.zip
Regards,
MI
lol awsome I just saw that site recently and wondered what it was for so can we link snap shots there? cool. Thanks for showing the way. I shall use that.
Your snap>> windows cannot access skunkmasters.ipupdater.com
ooo I found it..
this is what it is, a dating service, not good maybe trying to get money out of you.
http://ipupdate.greatdate.com/greatdate/index.jsp?portal_id=143&domain=ipupdate.com&keyword=date&referrer=http://www.google.com/search?hl=en&lr=&rls=GGLG%2CGGLG%3A2006-17%2CGGLG%3Aen&q=+skunkmasters.ipupdate.com&btnG=Search
Quick fix create a new profile, in control panel USER accounts. Log off this and onto new.
Create a duplicate user profile with a different name
http://windowsxp.mvps.org/dupprofile.htm
How to copy data from a corrupted user profile to a new profile
http://support.microsoft.com/?kbid=811151
some kind of spyware has hijacked your browser installed a link some where associated to your isp.
do a search for this>>skunkmasters.ipupdat
check your modem setings and home page.
did you delete >all< your cookies delete all your temporary IE files history
http://www.masternewmedia.org/spyware_scan/spyware_tools/free_online_spyware_scanners_20050713.htm
Free Online Spyware and Virus Scanners: Is My PC Infected?
adaware
http://www.lavasoft.de/software/adaware/
s&d spybot malware scanner requires updating.
http://www.majorgeeks.com/download.php?det=2471
spyblaster is not a scanner it prevents spyware from accessing your computer and works with s&d spybot requires updating.
Free Download - SpywareBlaster 3.5.1
http://majorgeeks.com/download2859.html
Top 3 things you can do to prevent spyware
http://antivirus.about.com/gi/dynamic/offsite.htm?zi=1/XJ&sdn=antivirus&zu=http%3A%2F%2Fwww.microsoft.com%2Fspyware
Your snap>> windows cannot access skunkmasters.ipupdater.com
ooo I found it..
this is what it is, a dating service, not good maybe trying to get money out of you.
http://ipupdate.greatdate.com/greatdate/index.jsp?portal_id=143&domain=ipupdate.com&keyword=date&referrer=http://www.google.com/search?hl=en&lr=&rls=GGLG%2CGGLG%3A2006-17%2CGGLG%3Aen&q=+skunkmasters.ipupdate.com&btnG=Search
Quick fix create a new profile, in control panel USER accounts. Log off this and onto new.
Create a duplicate user profile with a different name
http://windowsxp.mvps.org/dupprofile.htm
How to copy data from a corrupted user profile to a new profile
http://support.microsoft.com/?kbid=811151
some kind of spyware has hijacked your browser installed a link some where associated to your isp.
do a search for this>>skunkmasters.ipupdat
check your modem setings and home page.
did you delete >all< your cookies delete all your temporary IE files history
http://www.masternewmedia.org/spyware_scan/spyware_tools/free_online_spyware_scanners_20050713.htm
Free Online Spyware and Virus Scanners: Is My PC Infected?
adaware
http://www.lavasoft.de/software/adaware/
s&d spybot malware scanner requires updating.
http://www.majorgeeks.com/download.php?det=2471
spyblaster is not a scanner it prevents spyware from accessing your computer and works with s&d spybot requires updating.
Free Download - SpywareBlaster 3.5.1
http://majorgeeks.com/download2859.html
Top 3 things you can do to prevent spyware
http://antivirus.about.com/gi/dynamic/offsite.htm?zi=1/XJ&sdn=antivirus&zu=http%3A%2F%2Fwww.microsoft.com%2Fspyware
Try creating a new User account, log-in as that new user and see if the problem goes away then.
another tip
at start run type in regedit press enter
minimise everything so only my computer is showing
go to edit find copy this skunkmasters.ipupdater.com
if it finds it delete it
at start run type in regedit press enter
minimise everything so only my computer is showing
go to edit find copy this skunkmasters.ipupdater.com
if it finds it delete it
lol sorry r-k
already posted before you create a new user account :)
already posted before you create a new user account :)
Merete, it is good advice, but I was just repeating what I posted earlier. See my post dated 5/30/2006 8:18 PDT also 9:46 AM :)
Is there any chance for us to peek at your hijackthis log, :)
You need not be confused with the log, you don't have to interpret it, we just want to have a look at it.
Normally malware entries would show up there.
You need not be confused with the log, you don't have to interpret it, we just want to have a look at it.
Normally malware entries would show up there.
ASKER
Hi,
As you all requested, I have uploaded the log file of HijackThis at:
https://filedb.experts-exchange.com/incoming/ee-stuff/151-hijackthis_01June2006.zip
Regards,
MI
As you all requested, I have uploaded the log file of HijackThis at:
https://filedb.experts-exchange.com/incoming/ee-stuff/151-hijackthis_01June2006.zip
Regards,
MI
ASKER
As suggested below:
another tip
at start run type in regedit press enter
minimise everything so only my computer is showing
go to edit find copy this skunkmasters.ipupdater.com
if it finds it delete it
==========================
I tried that and I do it almost everyday every 30 minutes ..... but it comes again! I am tired of removing them but these entries do not seem to be tired and they keep coming back slowing down my system..... :(
Regards,
MI
another tip
at start run type in regedit press enter
minimise everything so only my computer is showing
go to edit find copy this skunkmasters.ipupdater.com
if it finds it delete it
==========================
I tried that and I do it almost everyday every 30 minutes ..... but it comes again! I am tired of removing them but these entries do not seem to be tired and they keep coming back slowing down my system..... :(
Regards,
MI
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Then stop these services if they are still running:
Go to START > RUN > type in
services.msc
In the next window, look on the right hand side for these services:
Microsoft SSL
QoS Provider
Windows Product Activation
Double click on each and STOP the service if still running
In the drop down menu, change the startup type to "Disabled"
Open Hijackthis > Open Misc Tools Section > Open" Delete an NT Service"
In the new window, type each of the following into the Open field and hit OK
ssl
System Event
wpa
And make sure these files are really gone:
C:\WINNT\system32\ssl.exe
C:\WINNT\system32\explorer
C:\WINNT\system32\wpa.exe
Go to START > RUN > type in
services.msc
In the next window, look on the right hand side for these services:
Microsoft SSL
QoS Provider
Windows Product Activation
Double click on each and STOP the service if still running
In the drop down menu, change the startup type to "Disabled"
Open Hijackthis > Open Misc Tools Section > Open" Delete an NT Service"
In the new window, type each of the following into the Open field and hit OK
ssl
System Event
wpa
And make sure these files are really gone:
C:\WINNT\system32\ssl.exe
C:\WINNT\system32\explorer
C:\WINNT\system32\wpa.exe
Lol go get em rpggamergirl ..
@vj_mi
Here is your analysed log if you wish to look at it yourself.
http://www.hijackthis.de/logfiles/b68b94119e9fe63f18d7a404942df037.html
Also perform the disc cleanup as suggested above..
@vj_mi
Here is your analysed log if you wish to look at it yourself.
http://www.hijackthis.de/logfiles/b68b94119e9fe63f18d7a404942df037.html
Also perform the disc cleanup as suggested above..
Hi Merete! :)
vj_mi,
I just spotted my error there, I missed to put the backward slash "\" in one of the files I asked you to Killbox'd.
C:\WINNT\System32service.e
Killbox sometimes would not delete the rest of the files if it can't find the first file to delete. So please put the backward slash in.
This Hijackthis entry below is marked "Safe" by the analyzer(among others), but the analyzer is wrong. The analyzer is only as good as its database. So I would be very careful when following its analysis on what entries to fix, :)
O4 - HKLM\..\RunServices: [Microsoft Service Control] service.exe
vj_mi,
I just spotted my error there, I missed to put the backward slash "\" in one of the files I asked you to Killbox'd.
C:\WINNT\System32service.e
Killbox sometimes would not delete the rest of the files if it can't find the first file to delete. So please put the backward slash in.
This Hijackthis entry below is marked "Safe" by the analyzer(among others), but the analyzer is wrong. The analyzer is only as good as its database. So I would be very careful when following its analysis on what entries to fix, :)
O4 - HKLM\..\RunServices: [Microsoft Service Control] service.exe
ASKER
Hi rpggamergirl,
I did as you instructed. I deleted all entries and also service.exe! My anti-virus online protector did not allow me to download and run http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.removal.tool.html. So while download, I saved the file as .dat. Could not rename as .exe because the moment I do that, the file got deleted by my anti-vrius. I then ran the system in safe mode, renamed it and executed the file. No virus were found. I manually deleted:
C:\WINNT\System32service.e
C:\WINNT\system32\explorer
C:\WINNT\System32\wuamgrd3
C:\WINNT\System32\ms-dos.p
C:\WINNT\System32\winsass.
C:\WINNT\System32\google.e
C:\WINNT\System32\firefox.
Because Pocket Killbox could not be downloaded again as my anti-virus would treat these files as suspicious files :)
All these files were delete in safe mode.
At least for now I find my system stable! I thank all of you who gave your suggestions on various tools, techniques etc. Special thanks to rpggamergirl who in her suggestion mentioned files to delete. I am really relieved since past so many days I could not send any deliveries to my client.
Thanks all you!
Regards,
MI
I did as you instructed. I deleted all entries and also service.exe! My anti-virus online protector did not allow me to download and run http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.removal.tool.html. So while download, I saved the file as .dat. Could not rename as .exe because the moment I do that, the file got deleted by my anti-vrius. I then ran the system in safe mode, renamed it and executed the file. No virus were found. I manually deleted:
C:\WINNT\System32service.e
C:\WINNT\system32\explorer
C:\WINNT\System32\wuamgrd3
C:\WINNT\System32\ms-dos.p
C:\WINNT\System32\winsass.
C:\WINNT\System32\google.e
C:\WINNT\System32\firefox.
Because Pocket Killbox could not be downloaded again as my anti-virus would treat these files as suspicious files :)
All these files were delete in safe mode.
At least for now I find my system stable! I thank all of you who gave your suggestions on various tools, techniques etc. Special thanks to rpggamergirl who in her suggestion mentioned files to delete. I am really relieved since past so many days I could not send any deliveries to my client.
Thanks all you!
Regards,
MI
Hi vj_mi,
No problem, glad to hear you'd gotten rid of those bad files and you're able to use your pc again.
You might like to think of getting the patch to fix these vulnerabilities exploited by these worms if you haven't yet:
http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.c.html
http://www.sophos.com/virusinfo/analyses/w32rbotbau.html
Thanks and good luck!
No problem, glad to hear you'd gotten rid of those bad files and you're able to use your pc again.
You might like to think of getting the patch to fix these vulnerabilities exploited by these worms if you haven't yet:
http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.c.html
http://www.sophos.com/virusinfo/analyses/w32rbotbau.html
Thanks and good luck!
hi