Explorer.exe increases 12K per second and 2 unheard of files referenced.

Discussion in 'Malware and Virus Removal Archive' started by jfenwickar, 2006/03/01.

  1. 2006/03/01
    jfenwickar

    jfenwickar Inactive Thread Starter

    Joined:
    2006/03/01
    Messages:
    7
    Likes Received:
    0

    Also, on log out or reboot a window flashes for a fraction of a second that says MSRIPLUS.EXE - DLL initialization failed and the message is in the error log.

    Also, a message, "olespmsg.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log is being generated." in a popup window labeled "Program Error" with only an OK button appears shortly after load of explorer.exe on boot and on first load of explorer.exe to browse the drive. It also happens about once an hour randomly. No file created that I can find. Clicking "OK" closes the window with no other effect I can track. Leave the message there for about 5 minutes and it closes on its own. Process "MMC.EXE" hosts the error window. Explorer.exe is the correct one, I also replaced it just to be sure. Same for MMC.EXE.

    Starting Explorer.exe or MMC.exe causes the explorer process memory usage to drop back to a variable amount from 2.5M to 9M then jump back up a variable amount to around 10M and start creeping up at 12K per second again.

    I have tried everything I can think of to peg what is bumping explorer.exe's footprint 12K at a time.

    When you start another window of explorer.exe, the memory footprint reduces for a sec then jumps back to around 11M total and begins incrementing at 24K until you close the extra explorer window. Opening a copy of MMC.exe does not increase the memory step size.

    I am able to keep the system useable by loading explorer every hour or so to dump the memory back down to around 11M.

    HiJack has nothing, Spybot S&D has nothing, MS Defender has nothing.

    Norton 2003 has nothing.

    Norton Corp 9 has nothing.

    Office Source Engine service was disabled, I put it back to Manual so Outlook updates could be applied.

    Symantec Password Validation Service was disabled, I put it back to Manual also so Symantec A/V would quit complaining.

    No Viruses, Worms, Trojans, Spyware reported by anything running. Running memory resident TeaTimer.

    MSRIPLUS.EXE is a no hit in every engine I tried.
    olespmsg.exe is a no hit in every engine I tried.

    I started working on this system due to complaints of pop-ups. I removed some extraneous things from "Add and Remove". Of note is that "ContextPlus" was listed. Upon attempted removal, several (12 or so) pop-up messages regarding OLE failure occurred and no noticeable removal happened, but it is no longer in "Add Remove" and I completed removal of the remaining parts manually.

    Does anyone recognize this?

    Jesse Fenwick

    I have run all the tools in my standard collection.

    AdAware SE
    Spybot S&D
    EWIDO

    Norton 2003 boot
    Symantec Corp A/V 9
    Panda
    AVG

    Panda Active Scan

    HiJackThis

    But I haven't spotted anything.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:25:18 AM, on 3/1/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\hkcmd.exe
    C:\WINNT\system32\igfxpers.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Documents and Settings\Administrator\Desktop\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rushmore.dynip.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rushmore.dynip.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Logon.bat
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B490197B-C48E-4B9C-A3BD-6D93CD20E8BE}: NameServer = 166.102.165.13,166.102.165.11
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Wintab32 - Unknown owner - C:\WINNT\system32\Wintab32.exe

    End of HiJackThis log

    ... WinTab32.exe is for my signature pad ...
     
    Last edited: 2006/03/01
  2. 2006/03/01
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    So can you post what's in Logon.bat?

    Can you find MSRIPLUS.EXE and olespmsg.exe on your system? What's listed in the properties?
     
    Arie,
    #2

  4. 2006/03/01
    jfenwickar

    login.bat is a redirect for DOS printing in a Terminal Services session. It is run on all 500+ computers we maintain. net use lpt1: \\servername\printershare

    Neither file exists anywhere on the system, in any startup file or in the registry. (Of course this means there are no properties.)

    Also, once per second the mouse cursor is flashing the hourglass.
     
    Last edited: 2006/03/01
  5. 2006/03/01
    Arie

    Arie,
    #4
  6. 2006/03/01
    jfenwickar

    DrWatson shows process on log dump

    This is the DrWatson log addition when the olespmsg.exe error msg pops up.

    Application exception occurred:
    App: (pid=22004)
    When: 3/1/2006 @ 08:03:38.000
    Exception number: c0000005 (access violation)

    *----> System Information <----*
    Computer Name: PAULA
    User Name: foobar
    Number of Processors: 1
    Processor Type: x86 Family 15 Model 2 Stepping 9
    Windows 2000 Version: 5.0
    Current Build: 2195
    Service Pack: 4
    Current Type: Uniprocessor Free
    Registered Organization: Mount Rushmore Loan Company
    Registered Owner: Machine1

    *----> Task List <----*
    0 Idle.exe
    8 System.exe
    184 SMSS.exe
    208 CSRSS.exe
    228 WINLOGON.exe
    256 SERVICES.exe
    268 LSASS.exe
    444 SVCHOST.exe
    468 spoolsv.exe
    496 ccEvtMgr.exe
    516 SVCHOST.exe
    532 ewidoctrl.exe
    572 ewidoguard.exe
    652 Navapsvc.exe
    776 REGSVC.exe
    832 mstask.exe
    936 SVCHOST.exe
    1040 MsMpEng.exe
    844 EXPLORER.exe
    3496 ccApp.exe
    2192 hkcmd.exe
    3428 igfxpers.exe
    3408 MSASCui.exe
    3400 IEXPLORE.exe
    3316 TeaTimer.exe
    8076 TASKMGR.exe
    16196 IEXPLORE.exe
    22004 olespmsg.exe
    22020 DRWTSN32.exe
    0 _Total.exe

    State Dump for Thread Id 0x55f0

    eax=00401000 ebx=00000000 ecx=004d8798 edx=00000022 esi=004c4004 edi=00000000
    eip=00000000 esp=0012ff0c ebp=0012ffc0 iopl=0 nv up ei pl zr na po nc
    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246


    function: <nosymbols>
    FAULT ->00000000 ???
    00000001 ???
    00000002 ???
    00000003 ???

    *----> Stack Back Trace <----*

    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
    0012FF08 780011B3 00000000 0048340A 004C4000 004C4164 ntdll!<nosymbols>
    0012FFC0 7C598989 00000000 00000000 7FFDF000 C0000005 !initterm
    0012FFF0 00000000 00483340 00000000 000000C8 00000100 kernel32!ProcessIdToSessionId

    *----> Raw Stack Dump <----*
     
  7. 2006/03/01
    jfenwickar

    Theory I have been working with.

    Looks more to me like the olespmsg.exe is what was causing the pop-ups originally and that MSRIPLUS.EXE is the heartbeat timer for the next pop-up. Probably beat to some specified size, then dump out of memory in explorer.exe and olespmsg.exe pops up a message, then reload in explorer.exe (~1M increase) and start over.

    BUT, I can find no hard evidence anywhere that this exists....
     
  8. 2006/03/01
    jfenwickar

    Then again, anyone know "Musahoo!"?

    RootKit Revealer found 1789 lines about Musahoo!

    C:\Program Files\Musahoo! 2/28/2006 6:45 PM 0 bytes Hidden from Windows API.
    C:\Program Files\Musahoo!\Cache 2/20/2006 11:47 AM 0 bytes Hidden from Windows API.
    C:\Program Files\Musahoo!\Cache\00006486_439f32c5_000d59f8 12/13/2005 2:44 PM 3.16 KB Hidden from Windows API.
    C:\Program Files\Musahoo!\Cache\00006486_43e921e4_000487ab 2/7/2006 4:40 PM 1.01 KB Hidden from Windows API.
    C:\Program Files\Musahoo!\Cache\dns 2/28/2006 6:44 PM 163.00 KB Hidden from Windows API.
    C:\Program Files\Musahoo!\Cache\index 2/28/2006 6:44 PM 952.78 KB Hidden from Windows API.
    C:\Program Files\Musahoo!\data.bin 11/28/2005 9:21 AM 114.94 KB Hidden from Windows API.
    C:\Program Files\Musahoo!\nwstclog.exe 11/28/2005 9:21 AM 164.00 KB Hidden from Windows API.
    C:\Program Files\Musahoo!\olespmsg.exe 11/28/2005 9:21 AM 912.00 KB Hidden from Windows API.
    C:\Program Files\Musahoo!\WinGenerics.dll 11/28/2005 9:21 AM 576.00 KB Hidden from Windows API.
    C:\WINNT\SYSTEM32\DRIVERS\cdfproxy.sys 11/28/2005 9:21 AM 12.00 KB Hidden from Windows API.
    C:\WINNT\SYSTEM32\msriplus.exe 11/28/2005 9:21 AM 488.00 KB Hidden from Windows API.

    I clipped out the middle 1750 lines of repetitiveness.

    Jesse
     
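    The full RootKit Revealer output was 1789 lines, of which only a dozen are quoted above. As an added example (not from the thread, and not RootKit Revealer's own code), the script below condenses output in that line format: it parses each "path date time size discrepancy" line, groups every hidden entry under the outermost hidden directory containing it, and lists the executables and drivers that were hidden from the Windows API. The sample input is constructed from the entries quoted in the post; the line format is assumed to be exactly as shown there.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the RootKit Revealer line format quoted in the thread
# (path, date, time, size, discrepancy), not the real 1789-line output.
SAMPLE = """\
C:\\Program Files\\Musahoo! 2/28/2006 6:45 PM 0 bytes Hidden from Windows API.
C:\\Program Files\\Musahoo!\\Cache 2/20/2006 11:47 AM 0 bytes Hidden from Windows API.
C:\\Program Files\\Musahoo!\\Cache\\dns 2/28/2006 6:44 PM 163.00 KB Hidden from Windows API.
C:\\Program Files\\Musahoo!\\olespmsg.exe 11/28/2005 9:21 AM 912.00 KB Hidden from Windows API.
C:\\Program Files\\Musahoo!\\WinGenerics.dll 11/28/2005 9:21 AM 576.00 KB Hidden from Windows API.
C:\\WINNT\\SYSTEM32\\DRIVERS\\cdfproxy.sys 11/28/2005 9:21 AM 12.00 KB Hidden from Windows API.
C:\\WINNT\\SYSTEM32\\msriplus.exe 11/28/2005 9:21 AM 488.00 KB Hidden from Windows API.
"""

# Path may contain spaces, so match it non-greedily up to the date field.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB)) (?P<discrepancy>.+)$"
)
UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
EXEC_SUFFIXES = {".exe", ".dll", ".sys"}  # code that could be loaded or run


def size_bytes(size):
    """Convert a size field such as '912.00 KB' to an integer byte count."""
    num, unit = size.split()
    return int(round(float(num) * UNITS[unit]))


def parse_rkr(text):
    """Parse RootKit Revealer lines; header, footer or truncated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"path": PureWindowsPath(m["path"]), "date": m["date"],
                            "size": size_bytes(m["size"]),
                            "discrepancy": m["discrepancy"].rstrip(".")})
    return entries


def summarize(entries):
    """Count entries per outermost hidden directory and list hidden executables."""
    # A 0-byte entry without an extension is treated as a directory.
    hidden_dirs = [e["path"] for e in entries if e["size"] == 0 and not e["path"].suffix]
    roots, executables = Counter(), []
    for e in entries:
        p = e["path"]
        ancestors = [d for d in hidden_dirs if d in p.parents]
        if ancestors:                       # nested under a hidden directory
            root = min(ancestors, key=lambda d: len(d.parts))
        elif p in hidden_dirs:              # a top-level hidden directory itself
            root = p
        else:                               # a lone hidden file in a normal directory
            root = p.parent
        roots[str(root)] += 1
        if p.suffix.lower() in EXEC_SUFFIXES:
            executables.append(str(p))
    return {"hidden_roots": dict(roots), "executables": executables}
```

Running `summarize(parse_rkr(SAMPLE))` reduces the listing to three hidden roots (the Musahoo! directory, SYSTEM32 and SYSTEM32\DRIVERS) and four hidden executables, which is the shortlist worth checking against the HijackThis and DrWatson evidence earlier in the thread.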
  9. 2006/03/01
    Arie

    Arie,
    #8
  10. 2006/03/01
    jfenwickar

    Thanks.

    I agree. But, it would be nice to get to it to preserve it. Might make a good base for a snoop I have been planning for all the corporate computers, lol.

    Unless anyone has anything to add in the next day I will close this thread.

    Jesse
     
  11. 2006/03/02
    Arie

    Well, it would be interesting to know where it came from. Read this article by Mark Russinovich on how he tackled the Sony rootkit.
     