
Solved Badly infected computer, reformat best option??

Discussion in 'Malware and Virus Removal Archive' started by Vicki, 2008/01/17.

  1. 2008/01/25
    Vicki

    Vicki Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    413
    Likes Received:
    8
    Won't close

    I waited for about 10 minutes to see if the hijack this program would respond, but it didn't. So I tried to close (via the x). Received the message "this program is not responding" and chose to end program. But it won't close! Tried several times and get the same response.

    Tried the C+A+D method, but that won't even come up!:eek:

    I figure the next option would be to try and restart the computer, but with that program "hanging" I don't know if it will?

    This just keeps getting better all the time doesn't it?:(
     
  2. 2008/01/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    If you can't get it to close in a reasonable amount of time, hold in on the power button until the computer shuts down, then restart and try again.
     


  4. 2008/01/25
    Vicki

    results of scan

    I did have to use the power button to shut down. But was able to do the scan upon restarting and here is the log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:31:02 PM, on 1/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\WINDOWS\system32\slmdmsr.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsbbs.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe "
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141944401843
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay103.hotmail.msn.com/activex/HMAtchmt.ocx
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

    --
    End of file - 6725 bytes
     
  5. 2008/01/25
    noahdfear

    OK, since you have run the HostsXpert and rebooted, how is IE acting? Still hang on a blank page if you type in the address bar? Does bringing up a new page using Ctrl+N result in a hung page?
     
  6. 2008/01/25
    Vicki

    No change

    Unfortunately, I notice no change in the way IE responds using either methods (typing in the address bar or ctrl+N). Both still open a blank window, cause the program (IE) to hang, having to "end task" to close.
     
  7. 2008/01/25
    noahdfear

    I'm going to have to do some more research on this .... it's a new one on me. How would you feel about upgrading to IE7?
     
  8. 2008/01/25
    Vicki

    Just a "note". I did try using the ctrl + N on my computer (to see how a 'normal' computer would operate.) While I notice on mine the new window that opens will have the same heading/title (not sure the correct term here) shown in the task bar area.

    However, on the infected computer, when using this method, I see "Microsoft Internet Explorer". Never really paid that much attention to this before, but I now notice that's the same results when typing in an address or right-clicking to open a new window. And that's when I have to use the "end task" to close.
     
  9. 2008/01/25
    noahdfear

    I'm guessing you are referring to the page Title, at the very top of the window. That is normal for a default browser. The current browser is probably titled
    Badly infected computer, reformat best option?? - Page 3 - Microsoft Internet Explorer
    If the new window were to load fully rather than hang, it would display the same.

    Let's try one more thing. Click Start>Run and type or paste the following command, then hit Enter.

    sfc /scannow

    If prompted for the XP cd, insert it to the cd-rom drive and cross your fingers. Reboot when complete and see if there's any change.
     
  10. 2008/01/25
    Vicki

    Ready to try the scan now, but before I do, another question....when I am to reboot, will I be asked to remove the disk or should that remain in until after the reboot?

    I'm guessing the "cross your fingers" part is due to the failure we had with the last attempt at using the XP disk?
     
  11. 2008/01/25
    noahdfear

    Yes ;)

    If any files are found corrupted it may ask for the cd, and will copy them at that time. Once done you can remove the cd, then reboot.
     
  12. 2008/01/25
    Vicki

    sfc completed

    Got through that. It did ask for the cd and seemed to work okay? (The windows protection file came up with the green progress bar showing). It did take quite some time to complete, but I never saw anything about it actually doing any "copying" of files?

    Removed the disk and rebooted. Tried connecting to the internet (windows bbs still set to the homepage) but now results in opening 2 windows after typing in an address! (However, neither of them will load). I did manage to get one of them closed (the one that just said "Microsoft Internet Explorer") and the other was still trying to load the address I had typed in (www.msn.com). It would then flicker back and forth from this window to that one (msn), but would not stay open so I closed that out as well.

    I know you mentioned possibly upgrading to IE7? If memory serves me correctly, I think that was on here once upon a time and my son didn't like it so reverted back to IE6?? But not sure when that took place or if he was having problems at that time too?

    What a mess huh? :eek:
     
  13. 2008/01/26
    noahdfear

    Have you conspired with my kids to speed up my hair loss? :p

    Since you were prompted for the cd, I'm bettin there was at least 1 file replaced by sfc. Please run the ie-rereg batch from this post again, reboot and let me know how IE behaves.
     
  14. 2008/01/26
    Vicki

    Still no luck

    Still receive the same results after running the ie-rereg batch. Doesn't matter if I try typing in an address, using the ctrl + n, or right clicking to open new window, when the new window opens it will be blank. Will have to "end task" to get it to close.

    I did notice on the task manager, the CPU usage is at 100%?--and this is AFTER I have closed out of everything? (I am writing this from my computer) Never paid any attention to this before and don't know if it has any bearing on what's going on?

    I also notice in the "processes" tab, there are 2 instances of IEXPLORER.EXE listed (is that normal?) There are a total of 35 processes listed there.

    You must be the type person who enjoys a challenge? As this certainly must be one of those!

    I truly admire your perseverance! I would have given up looong ago! But I am very thankful that you haven't! (at least not yet!):)
     
  15. 2008/01/26
    noahdfear

    I have in the past been referred to as the New Bremen Bulldog. Once I start chewin a bone, I don't give it up easily. :D

    Please download Process Explorer and extract it to its own folder.
    Open the folder and run the procexp.exe file.
    Once it loads, see if you can identify any processes consuming a lot of cpu cycles, System Idle Process excluded.
    When you find something, click on it to select it.
    Now on the Toolbar, click View and make sure Show Lower Pane is selected.
    Click View>Lower Pane View and select DLLs
    Once the lower window populates, click File>Save As. Make note of the logfile name it populates.
    Save the log to your desktop, then open it and post the contents here.

    Do you have iexplore.exe or iexplorer.exe processes? Are they present even with no browser windows open?
     
  16. 2008/01/26
    Vicki

    Sorry for the confusion. It is IEXPLORE.EXE that shows up twice (now with this window open actually 3 of them). And yes, they seem to be there even when there are no IE windows open.

    Here is the text file from that program you had me run:



    Process PID CPU Description Company Name
    System Idle Process 0
    Interrupts n/a Hardware Interrupts
    DPCs n/a Deferred Procedure Calls
    System 4
    smss.exe 560 Windows NT Session Manager Microsoft Corporation
    csrss.exe 632 1.52 Client Server Runtime Process Microsoft Corporation
    winlogon.exe 656 Windows NT Logon Application Microsoft Corporation
    services.exe 700 1.52 Services and Controller app Microsoft Corporation
    svchost.exe 856 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 936 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 976 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 1040 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 1156 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 1208 Generic Host Process for Win32 Services Microsoft Corporation
    aawservice.exe 1312 Ad-Aware 2007 Service Lavasoft
    spoolsv.exe 1588 Spooler SubSystem App Microsoft Corporation
    avgamsvr.exe 1792 AVG Alert Manager GRISOFT, s.r.o.
    avgupsvc.exe 1880 AVG Update Service GRISOFT, s.r.o.
    avgemc.exe 1912 AVG E-Mail Scanner GRISOFT, s.r.o.
    GoogleUpdaterService.exe 1956 gusvc Google
    svcntaux.exe 2020 PC Tools Auxiliary Service PC Tools
    swdsvc.exe 480 Spyware Doctor Service PC Tools
    slmdmsr.exe 316 User-Level Modem Service
    WRSSSDK.exe 284 Spy Sweeper SDK Webroot Software, Inc.
    alg.exe 2340 Application Layer Gateway Service Microsoft Corporation
    svchost.exe 3408 Generic Host Process for Win32 Services Microsoft Corporation
    lsass.exe 712 LSA Shell (Export Version) Microsoft Corporation
    explorer.exe 1376 Windows Explorer Microsoft Corporation
    jusched.exe 1528 Java(TM) Platform SE binary Sun Microsystems, Inc.
    avgcc.exe 1548 AVG Control Center GRISOFT, s.r.o.
    SDTrayApp.exe 1584 PC Tools Tray Application PC Tools
    SpySweeper.exe 1604 Spy Sweeper Retail Executable Webroot Software, Inc.
    ctfmon.exe 1616 CTF Loader Microsoft Corporation
    GoogleUpdater.exe 1700 Google Updater Google
    IEXPLORE.EXE 904 93.94 Internet Explorer Microsoft Corporation
    IEXPLORE.EXE 3616 Internet Explorer Microsoft Corporation
    procexp.exe 1664 3.03 Sysinternals Process Explorer Sysinternals

    Process: IEXPLORE.EXE Pid: 904

    Name Description Company Name Version
    ADVAPI32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.2180
    appHelp.dll Application Compatibility Client Library Microsoft Corporation 5.01.2600.2180
    browselc.dll Shell Browser UI Library Microsoft Corporation 6.00.2900.2180
    BROWSEUI.dll Shell Browser UI Library Microsoft Corporation 6.00.2900.3231
    c_28591.nls
    CFGMGR32.dll Configuration Manager Forwarder DLL Microsoft Corporation 5.01.2600.2180
    CLBCATQ.DLL Microsoft Corporation 2001.12.4414.0308
    comctl32.dll User Experience Controls Library Microsoft Corporation 6.00.2900.2982
    comctl32.dll Common Controls Library Microsoft Corporation 5.82.2900.2982
    comdlg32.dll Common Dialogs DLL Microsoft Corporation 6.00.2900.2180
    COMRes.dll Microsoft Corporation 2001.12.4414.0258
    CRYPT32.dll Crypto API32 Microsoft Corporation 5.131.2600.2180
    CRYPTUI.dll Microsoft Trust UI Provider Microsoft Corporation 5.131.2600.2180
    CSCDLL.dll Offline Network Agent Microsoft Corporation 5.01.2600.2180
    cscui.dll Client Side Caching UI Microsoft Corporation 5.01.2600.2180
    ctype.nls
    davclnt.dll Web DAV Client DLL Microsoft Corporation 5.01.2600.2180
    DNSAPI.dll DNS Client API DLL Microsoft Corporation 5.01.2600.2938
    drprov.dll Microsoft Terminal Server Network Provider Microsoft Corporation 5.01.2600.2180
    GDI32.dll GDI Client DLL Microsoft Corporation 5.01.2600.3159
    hnetcfg.dll Home Networking Configuration Manager Microsoft Corporation 5.01.2600.2180
    ieframe.dll Internet Explorer Microsoft Corporation 7.00.6000.16544
    iertutil.dll Run time utility for Internet Explorer Microsoft Corporation 7.00.6000.16544
    iexplore.exe Internet Explorer Microsoft Corporation 6.00.2900.2180
    IMAGEHLP.dll Windows NT Image Helper Microsoft Corporation 5.01.2600.2180
    ImgUtil.dll IE plugin image decoder support DLL Microsoft Corporation 6.00.2900.2180
    IMM32.DLL Windows XP IMM32 API Client DLL Microsoft Corporation 5.01.2600.2180
    index.dat
    index.dat
    index.dat
    index.dat
    iphlpapi.dll IP Helper API Microsoft Corporation 5.01.2600.2912
    jscript.dll Microsoft (r) JScript Microsoft Corporation 5.06.0000.8834
    kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.01.2600.3119
    locale.nls
    mlang.dll Multi Language Support DLL Microsoft Corporation 6.00.2900.2180
    mpr.dll Multiple Provider Router DLL Microsoft Corporation 5.01.2600.2180
    MSASN1.dll ASN.1 Runtime APIs Microsoft Corporation 5.01.2600.2180
    MSCTF.dll MSCTF Server DLL Microsoft Corporation 5.01.2600.2180
    msctfime.ime Microsoft Text Frame Work Service IME Microsoft Corporation 5.01.2600.2180
    MSGINA.dll Windows NT Logon GINA DLL Microsoft Corporation 5.01.2600.2180
    mshtml.dll Microsoft (R) HTML Viewer Microsoft Corporation 6.00.2900.3243
    mshtml.tlb Microsoft (R) MSHTML Typelib Microsoft Corporation 6.00.2900.2180
    msi.dll Windows Installer Microsoft Corporation 3.01.4000.4039
    MSIMGSIZ.DAT
    msimtf.dll Active IMM Server DLL Microsoft Corporation 5.01.2600.2180
    msls31.dll Microsoft Line Services library file Microsoft Corporation 3.10.0349.0000
    msv1_0.dll Microsoft Authentication Package v1.0 Microsoft Corporation 5.01.2600.2180
    msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.2180
    mswsock.dll Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation 5.01.2600.2180
    NETAPI32.dll Net Win32 API DLL Microsoft Corporation 5.01.2600.2976
    NETRAP.dll Net Remote Admin Protocol DLL Microsoft Corporation 5.01.2600.2180
    NETUI0.dll NT LM UI Common Code - GUI Classes Microsoft Corporation 5.01.2600.2180
    NETUI1.dll NT LM UI Common Code - Networking classes Microsoft Corporation 5.01.2600.2180
    ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.2180
    ntlanman.dll Microsoft® Lan Manager Microsoft Corporation 5.01.2600.2180
    ODBC32.dll Microsoft Data Access - ODBC Driver Manager Microsoft Corporation 3.525.1117.0000
    odbcint.dll Microsoft Data Access - ODBC Resources Microsoft Corporation 3.525.1117.0000
    ole32.dll Microsoft OLE for Windows Microsoft Corporation 5.01.2600.2726
    OLEAUT32.dll Microsoft Corporation 5.01.2600.3139
    pngfilt.dll IE PNG plugin image decoder Microsoft Corporation 6.00.2900.3231
    PortableDeviceApi.dll Windows Portable Device API Components Microsoft Corporation 5.02.5721.5145
    PSAPI.DLL Process Status Helper Microsoft Corporation 5.01.2600.2180
    rasadhlp.dll Remote Access AutoDial Helper Microsoft Corporation 5.01.2600.2938
    RASAPI32.DLL Remote Access API Microsoft Corporation 5.01.2600.2180
    rasman.dll Remote Access Connection Manager Microsoft Corporation 5.01.2600.2180
    RPCRT4.dll Remote Procedure Call Runtime Microsoft Corporation 5.01.2600.3173
    rtutils.dll Routing Utilities Microsoft Corporation 5.01.2600.2180
    SAMLIB.dll SAM Library DLL Microsoft Corporation 5.01.2600.2180
    Secur32.dll Security Support Provider Interface Microsoft Corporation 5.01.2600.2180
    sensapi.dll SENS Connectivity API DLL Microsoft Corporation 5.01.2600.2180
    serwvdrv.dll Unimodem Serial Wave driver Microsoft Corporation 5.01.2600.0000
    SETUPAPI.dll Windows Setup API Microsoft Corporation 5.01.2600.2180
    shdoclc.dll Shell Doc Object and Control Library Microsoft Corporation 6.00.2900.2180
    SHDOCVW.dll Shell Doc Object and Control Library Microsoft Corporation 6.00.2900.3231
    SHELL32.dll Windows Shell Common Dll Microsoft Corporation 6.00.2900.3241
    SHLWAPI.dll Shell Light-weight Utility Library Microsoft Corporation 6.00.2900.3231
    smumhook.dll PC Tools 5.00.0005.0024
    sortkey.nls
    sorttbls.nls
    ssi.dll Spy Sweeper SDK Webroot Software, Inc. 1.00.0003.0260
    sti.dll Still Image Devices client DLL Microsoft Corporation 5.01.2600.2180
    SXS.DLL Fusion 2.5 Microsoft Corporation 5.01.2600.3019
    TAPI32.dll Microsoft® Windows(TM) Telephony API Client DLL Microsoft Corporation 5.01.2600.2180
    umdmxfrm.dll Unimodem Tranform Module Microsoft Corporation 5.01.2600.0000
    unicode.nls
    urlmon.dll OLE32 Extensions for Win32 Microsoft Corporation 6.00.2900.3231
    USER32.dll Windows XP USER API Client DLL Microsoft Corporation 5.01.2600.3099
    USERENV.dll Userenv Microsoft Corporation 5.01.2600.2180
    UxTheme.dll Microsoft UxTheme Library Microsoft Corporation 6.00.2900.2180
    VERSION.dll Version Checking and File Installation Libraries Microsoft Corporation 5.01.2600.2180
    WININET.dll Internet Extensions for Win32 Microsoft Corporation 6.00.2900.3231
    WINMM.dll MCI API DLL Microsoft Corporation 5.01.2600.2180
    winrnr.dll LDAP RnR Provider DLL Microsoft Corporation 5.01.2600.2180
    WINSTA.dll Winstation Library Microsoft Corporation 5.01.2600.2180
    WINTRUST.dll Microsoft Trust Verification APIs Microsoft Corporation 5.131.2600.2180
    WLDAP32.dll Win32 LDAP API DLL Microsoft Corporation 5.01.2600.2180
    WS2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.01.2600.2180
    WS2HELP.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.01.2600.2180
    wshtcpip.dll Windows Sockets Helper DLL Microsoft Corporation 5.01.2600.2180
    wsock32.dll Windows Socket 32-Bit DLL Microsoft Corporation 5.01.2600.2180
    xpsp2res.dll Service Pack 2 Messages Microsoft Corporation 5.01.2600.2180


    I hope I did this correctly? I'm headed off to work shortly, so won't be able to follow up on this until morning. Hopefully you'll be getting some rest between now and then!:)
     
  17. 2008/01/26
    noahdfear

    I'm going to study this log a bit more, but I'd like to know, do you have the installation files for PC Tools Spyware Doctor, and Webroot's SpySweeper? If so, I'd like for you to uninstall them via Add/Remove programs and see if IE behaves without them.

    With Process Explorer open, select first the iexplore.exe process with high cpu usage, right click and select End Process, then do each of the others. Take note of whether or not the one consuming cpu closes the current open browser window and let me know please.
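
Added illustration, not part of either poster's message and not code from the thread: a small triage pass over a Process Explorer lower-pane DLL export like the one posted above. It lists modules from vendors other than the OS vendor (here the two security products that noahdfear asks to have uninstalled), modules that share the host image's description but carry a different major version, and mapped files with no version metadata. The tab-separated layout, the function names and the `trusted` default are assumptions; the sample rows are copied from the posted log.

```python
import re

# Constructed sample: rows copied from the log posted above, with the columns
# re-separated by tabs (assumed layout: Name, Description, Company Name, Version).
SAMPLE_EXPORT = "\n".join([
    "Process: IEXPLORE.EXE Pid: 904",
    "",
    "Name\tDescription\tCompany Name\tVersion",
    "ADVAPI32.dll\tAdvanced Windows 32 Base API\tMicrosoft Corporation\t5.01.2600.2180",
    "c_28591.nls",
    "CLBCATQ.DLL\t\tMicrosoft Corporation\t2001.12.4414.0308",
    "ieframe.dll\tInternet Explorer\tMicrosoft Corporation\t7.00.6000.16544",
    "iertutil.dll\tRun time utility for Internet Explorer\tMicrosoft Corporation\t7.00.6000.16544",
    "iexplore.exe\tInternet Explorer\tMicrosoft Corporation\t6.00.2900.2180",
    "index.dat",
    "mshtml.dll\tMicrosoft (R) HTML Viewer\tMicrosoft Corporation\t6.00.2900.3243",
    "smumhook.dll\t\tPC Tools\t5.00.0005.0024",
    "ssi.dll\tSpy Sweeper SDK\tWebroot Software, Inc.\t1.00.0003.0260",
    "WININET.dll\tInternet Extensions for Win32\tMicrosoft Corporation\t6.00.2900.3231",
])

HEADER_RE = re.compile(r"^Process:\s*(\S+)\s+Pid:\s*(\d+)", re.IGNORECASE)
COLUMNS = ("name", "description", "company", "version")


def parse_dll_pane(text):
    """Return (process_name, pid, modules) from a saved lower-pane listing."""
    process, pid, modules = None, None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        header = HEADER_RE.match(line.strip())
        if header:
            process, pid = header.group(1), int(header.group(2))
            continue
        fields = [f.strip() for f in line.split("\t")]
        if fields[0].lower() == "name":          # column header row
            continue
        # Data files (.nls, index.dat) have a name only: pad the missing columns.
        fields += [""] * (len(COLUMNS) - len(fields))
        modules.append(dict(zip(COLUMNS, fields)))
    return process, pid, modules


def major(version):
    """Leading numeric component of a dotted version string, or None."""
    head = version.split(".")[0]
    return int(head) if head.isdigit() else None


def triage(text, trusted=("Microsoft Corporation",)):
    """Group modules that deserve a closer look; nothing here proves malice."""
    process, pid, modules = parse_dll_pane(text)
    host = next((m for m in modules
                 if process and m["name"].lower() == process.lower()), None)

    # Vendor strings come from the file's version resource and are unauthenticated.
    third_party = [m for m in modules
                   if m["company"] and m["company"] not in trusted]
    no_metadata = [m for m in modules
                   if not m["company"] and not m["version"]]

    # Same product description as the host image, different major version.
    mismatch = []
    host_major = major(host["version"]) if host else None
    if host and host["description"] and host_major is not None:
        wanted = host["description"].lower()
        for m in modules:
            if m is host or wanted not in m["description"].lower():
                continue
            if major(m["version"]) not in (None, host_major):
                mismatch.append(m)

    return {"process": (process, pid), "third_party": third_party,
            "version_mismatch": mismatch, "no_metadata": no_metadata}


if __name__ == "__main__":
    report = triage(SAMPLE_EXPORT)
    print("process:", report["process"])
    for key in ("third_party", "version_mismatch", "no_metadata"):
        print(key + ":", [(m["name"], m["company"], m["version"])
                          for m in report[key]])
```

The Company Name column is read from each file's version resource, which any author can set, so the grouping is a sorting aid rather than proof of origin.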
     
  18. 2008/01/27
    Vicki

    Removed Spyware Doctor & Webroot Spysweeper (via add/remove programs as you suggested). No change in how IE reacts. :(

    Checking (& "killing") the IEXPLORE.EXE with the high cpu did not close current browser (but cpu dropped to 1.54%!)

    I was curious about this (from the Process Explorer log listing):


    Is that "normal" to have IEXPLORE.EXE listed like that?? Just curious because when I view what I have on mine (using the task manager) mine is listed in small letters (iexplore.exe). Does that make any difference??

    Won't be able to check back in until early evening. Hope you aren't spending all your free time trying to resolve this for me?!:eek: (And I know there are countless others you assist as well!!)
     
  19. 2008/01/27
    noahdfear

    After a restart, please check and let me know if iexplore.exe is shown in running processes, without ever opening IE.


    Download Dr.Web CureIt, saving the file to your desktop.
    • Double-click the drweb-cureit.exe file and Allow to run the express scan
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
     
  20. 2008/01/27
    Vicki

    A restart does not show IEXPLORE.EXE to be running.

    I can't seem to access the Dr. Web CureIt? I keep getting "the page cannot be displayed"?? (This was tried from my computer, not the infected one).

    Once I do get that downloaded, saved and ready to run on the infected computer, did you wish that I run that prior to trying to hook up to the internet? (I've been downloading to disks from my computer and saving/installing them on the infected one). Don't want to take a chance with the download not going properly on the offending computer!

    Am headed off to work shortly, so won't be able to continue with this any further this evening.
     
  21. 2008/01/27
    noahdfear

    Hmmm..... that's a direct download link for Dr. Web, and it's working for me. Allow the troubled PC to connect, then copy the following address and paste it in the Start>Run line.

    ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe

    It should initiate a download session. Disconnect when the download completes.
     
