IEXPLORE.EXE Processes Pegging CPU at 100% Utilization

I have a few systems that are at a constant 100% CPU usage. When I look at the processes I find that either one, two, or four IEXPLORE.EXE processes are causing it. If there is just one, then it is taking up 100%, if two then each is taking up 50%, if four then each is taking up 25%, etc. The IEXPLORE.EXE processes do not represent open browsers - there can be no Internet browsers open at all and I will still have the IEXPLORE.EXE processes running. I have tried scanning with Nod32 Antivirus and Spybot. Only a few systems are affected and several are running fine, and the few that are affected are in different locations and run differing types of software so there is no obvious common piece of 3rd party software causing it. I have searched other threads on Experts Exchange about this and tried their suggestions with no results as of yet.

On another thread, I saw a suggestion by one of your experts to post the contents of the IEXPLORE thread using Process Explorer. The contents of the thread are below if it will help:
ntoskrnl.exe+0x5909
!CoRegisterClassObject+0xad6
!CoWaitForMultipleHandles+0xdd37
!CoUninitialize+0x52
!RI_MakeRegKeyName+0xa5
!XmlTree::Get+0x3213
ntdll.dll!LdrShutdownProcess+0x142
!IsValidLocale+0x8eb
!ExitProcess+0x14
!Ordinal211+0xc140
!RegisterWaitForInputIdle+0x49

Any ideas would be appreciated.
james1-12Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

FOTCCommented:
I would almost bet they problem is related to spyware. I had a similar problem a few months back.

i'd recommend you download SuperAntiSpyware (free version) from www.superantispyware.com, update it and run a complete scan.

download Hijack This and post your scan  log of if you would
0
sentnerCommented:
Sounds like there may be a java or active-X plugin that is still running and not shutting down.  There is a java bug that can cause this symptom:
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6213554

I'd suggest looking for java processes, and check to see what other plugins are loaded in IE (Tools->Manage Add-ins).  You can disable the plugins that you don't need, and that may solve the problem.  You can also use procmon (part of Win2K resource kit) to see details about what is going on on the system:  http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx


0
JonveeCommented:
It does look like either Malware or virus(es), and running HijackThis as suggested by FOTC is a good idea.  
You could click the "Attach File" box and paste your HJT logfile in the dropdown page.

Information>
"What is iexplore.exe? Is iexplore.exe spyware or a virus? ":
http://www.neuber.com/taskmanager/process/iexplore.exe.html

There's an uncompleted thread with no solution as yet, but you may like to view it periodically>
"Outlook as parent process of Iexplore.exe":
  http://www.experts-exchange.com/Hardware/Components/CPU_Processors/Q_23098110.html
0
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

JonveeCommented:
Even though your HJT logfile *may* look clean, that's no guarantee that you haven't acquired an infection.  Even if we see nothing sinister it's becoming more common now to see the need for running Combofix.

If that be the case, download ComboFix and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log together with a HijackThis log, in a reply for us.
Please do not mouseclick Combofix's window while it is running, because it may stall.  It is absolutely normal for you to see just a blue screen with flashing cursor, and this can last for up to an hour.  Just let it run.

You may have to disable NAV if you have it installed, it's been reported that it can interfere with the cleanup.  Thanks.
0
james1-12Author Commented:
Thank you for all of your replies so far. I am going to try the spyware scan suggested and look for browser add-ins. I am reluctant to post a HijackThis log file for security reasons but I may if I can remove any sensitive information. I'll let you now how the scan goes and anything else I find.
0
FOTCCommented:
HIJACK THIS logs don't obtain any network vulnerable information.
it scans your pc and lists the registry and file settings which are commonly manipulated by malware & spyware...start up entries, running processes, web browser settings/ad ons etc.

no network info is shown, no passwords, serial keys, etc
0
james1-12Author Commented:
This HijackThis log should be fine.
hijackthis.log
0
JonveeCommented:
Your HijackThis logfile does look ok.  Two items though.  Do you recognise these two entries? >

HKCU\..\Policies\Explorer\Run: [1] C:\MAP\Powerset.exe

HKUS\S-1-5-21-136021565-1916339884-868815679-8591\..\Policies\Explorer\Run: [1] C:\MAP\Powerset.exe
0
FOTCCommented:
the log looks pretty good. i'm curious about these processes though...

C:\WINDOWS\system32\PMService.exe (could be part of your remotely anywhere software?)
----Description: PMService.exe is located in the folder C:\Windows\System32. The file size on Windows XP is 81920 bytes.
The program has no visible window. The process can be removed using the control panel Add\Remove programs applet. It is not a Windows core file. Therefore the technical security rating is 26% dangerous.

Important: Some malware camouflage themselves as PMService.exe, particularly if they are located in c:\windows or c:\windows\system32 folder. Thus check the PMService.exe process on your pc whether it is pest. We recommend Security Task Manager for verifying your computer's security. It is one of the Top Download Picks of 2005 of The Washington Post and PC World.

http://www.file.net/process/pmservice.exe.html

C:\PROGRA~1\ACTIVE~1\AEXIT.exe (i've never seen that as a running process on a machine unless you're installing ACTIVE-X.
have you tried downloading and installing the latest version of active x from M$?


Jonvee...Powerset.exe is a Power Management Wizard MFC Application. It's part of the quickset that dell commonly uses.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
FOTCCommented:
disregard that about the active x comment. I misread it. Active Exit is an automatic log off utility.

did you run the spyware scan yet?
0
james1-12Author Commented:
A scan from SuperAntiSpyware showed 0 threats.
0
james1-12Author Commented:
I am using the EZ GPO tool and I believe this is the PMService process that is showing up in HijackThis. It is on all of our computers.
0
james1-12Author Commented:
You can also rule out Java because one of the problem systems does not have Java installed on it at all.
0
FOTCCommented:
Try finding out what sub process is hogging the CPU.....

Process Explorer for Windows v10.21
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

Double click iexplore.exe. Then Select the Threads tab, and see what .exe or .dll is using the CPU, then select it by double clicking it....and copying/pasting the call stack here.....
0
FOTCCommented:
another thing you should try doing is disabling items one at a time such as:

- browser ad ons
- browser toolbars
- ad/pop up blockers
- anti-virus software
- anti-spyware
- etc

it could be that a sub process is actually the main culprit in this situation.
0
james1-12Author Commented:
As far as the Process Explorer issue goes, I already did it and pasted the call stack in the original question, but I didn't see anything obvious about what originally generated the process.
0
james1-12Author Commented:
I finally found a system that I can recreate the problem on. It happens when closing Internet Explorer, which makes the CPU utilization shoot up and puts an IEXPLORE.EXE process in task manager that takes up 50% of the CPU. Doing it twice creates two that each take up 50%. I disabled all browser add-ons that have ever been in Internet Explorer and it still happens, so browser add-ons can be ruled out. I also cleared all temporary internet files with offline content, removed all cookies including going into the cookies folder for his profile and manually deleting all of them, cleared browser history, and none of this helped. It does appear to be an issue with his user profile. I logged on as administrator and the problem did not happen. I then logged back on as him and it happened again the first time I closed a browser. Recreate his user profile would probably fix it but I would like to find a precise solution since it is spreading to other users.
0
james1-12Author Commented:
This question may be getting too old but I am still having the problem. I tried scanning with Kapersky, AVG, Bit Defender, Trend Micro, Eset Nod32 - time will tell if the problem returns on these systems. The best thing I have found is that on one system, going to www.msnbc.msn.com consistently causes the problem when IE 6.0 is closed while going to www.msn.com does not cause the problem. www.msnbc.msn.com must open something, save a cookie, or do something else that is causing the problem, even though I have disabled all browser add-ons and still had the problem happen. Just some more thoughts.
0
JonveeCommented:
Still here monitoring your situation & have been throughout, but just don't have anything really constructive to add at the moment.  
Don't worry about the question becoming too old, you can always post a 'Pointer question' (worth 20 points) which will get you back up to the front of the queue.
0
james1-12Author Commented:
It took a few days but I finally found a solution to this problem earlier today and I thought I would post it here so that it might be of help someone else. The problem came down to the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP.
If this key exists then the problem happens, even if I delete everything under the key. I then went into Windows Media Player, tools, options, network, and I configured the HTTP streaming proxy setting to "Do not use a Proxy server." This fixed the problem. It was difficult to find since we have roaming profiles and, of course, the NTUSER.DAT file roams with the profile and this was the problematic file. I ended up deleting the user's local profile on the workstation, then deleting the NTUSER.DAT file in the user's profile on our server, logging the user in again, making a copy of a good NTUSER.DAT file, making the problem happen (thus "corrupting" the NTUSER.DAT file) and then making a copy of the bad NTUSER.DAT file. I then used a registry file viewer utility to convert the NTUSER.DAT files to .REG files and used a file comparison utility to find the diferences. It came down to Media Player proxy settings.
0
JonveeCommented:
@  james1-12,
That's great!  Thanks for such a detailed feedback which will almost certainly help someone else.  
As you appear to have answered the question yourself however, you have the option of retrieving your points.
Take a look at this link under the heading "I answered my question myself. What do I do?":
http://www.experts-exchange.com/help.jsp#hi70 
Then refer to your thread http:Q_23156553.html  and ask for a refund, posting a 0 points question below:
http://www.experts-exchange.com/Community_Support/General/

@  FOTC,
Thanks for the earlier information on Powerset.exe.
0
james1-12Author Commented:
I also need to add that, although the Media Player seemed to fix the issue, the real problem was an Active Exit update that we put in place a while ago. We went from 3.1 to 3.2.1 and that was the source of multiple problems, including the IEXPLORE.EXe problem and MS ActiveSync not starting.
0
james1-12Author Commented:
Thank you to all of you for your help and suggestions. This is a vey good site.
0
james1-12Author Commented:
I am going to select the Expert Comment that asked about ActiveExit as the nearest solution since that was the problem.
0
james1-12Author Commented:
Selected this as the solution since it reflects the actual problem, which was ActiveExit.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Browsers

From novice to tech pro — start learning today.