Iexplorer.exe using 180000+K Memory Help?

Status
Not open for further replies.

big_eric

I've noticed that my computer has been lagging lately, and I've gone into my task manager and noticed that the iexplorer.exe has been using 180000K+ of my memory, and I suspected a virus... I went to the online scanner HouseCall 6.6 and ran a complete scan of my computer. It found a Troj.Wimad.AT and I had it erased right away; this was yesterday... but today my computer still seems to be lagging... I'm attaching a HJT.log for further examination, but some help would be much appreciated...
 
Alright, I've followed all the directions and the scans have come up clean. I've attached all three files needed... my iexplorer.exe is still using up a lot of my memory, and when I try to click on icons etc. it doesn't click right away... it's like there's a mega lag in my system... further help would be appreciated.
 
I'll use this space to ramble.

ComboFix takes us deeper. The 30-day file list is included, as well as some malware removal.
Combofix instructions courtesy of Blind Dragon

(180,000K + of my memory ) --> 180MB
That’s one boat-load of web pages.

Possible sources of corruption:
Bad IE7 load --> Control panel > add/remove programs > uninstall
(Note: will not work if SP3 was installed after IE7)
Takes you back to IE6. Re-apply IE7 update.

Broken/corrupt YT add-on > uninstall or use HJT tick-fix (easy to undo; advance)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

RIES - reset IE setting. Not likely to fix this. Extra work to re-link add-ons/plugins
Link courtesy of kimsland

My 'express' notation may confuse. Post back for clarification.

I recommend posting the ComboFix log. You cite prior infection. You did not mention if MBAM or SAS detected infections prior to submitting clean logs.

The incremental approach to corrupted IE
Unlink plugins/toolbars --> RIES --> re-install ie7
Unlinking can be accomplished with HJT tick/fix and be brought back via advance menu to undo changes.
 
Okay, I've included a scan I did the day before yesterday using Malwarebytes, and it did find a registry key but deleted it successfully, and as I stated previously the online scan found a Trojan.Wimad.AT but it was also successfully deleted... The combo log requested is also attached, but about your rambling, I have no idea what you're talking about....
 
Thank you for the ComboFix log. I will seek the assistance of another specialist to confirm my views. The 1 file deleted does not appear to be significant. Suspects on the 30-day list fall outside the create-date criteria.

Conclusion (tentative): No malware involvement.

ComboFix does not fully report all of what it fixes.

Any changes to the symptoms? 180000K+ memory usage? Computer lagging? Click delay icon response?

Perhaps you realize that I am working in one dimension - malware removal. So it takes effort to consider the functioning of the browser. My express notation leaves crumbs for me to pick up where I left it.

These crumbs are pointers for the user to evaluate the apparent effort to follow my approach.

RIES - easy to execute; immediate results to evaluate; effort to re-link plugin & toolbars. Follow the link.

Re-installing software is another approach. Limitations are noted.

You have the option to submit new thread, with different title, to re-focus the description and reference this thread to acknowledge the malware component was considered.

Please remain subscribed to this thread should the ComboFix log suggest corrective action.

So let's focus on the application.
 
It seems that my computer is more responsive, which is good, and that it doesn't take a bunch of clicks to change windows and such. In my task manager I've noticed a spike of 120000 with the iexplorer.exe with only two windows open, so I'm still unsure about what's going on with that. Also, there have been a couple of spikes with my CPU usage staying in the 65%+ range for long periods of time... How does the HJT.log I attached look? Is it clean, or do I need to fix some of the found problems? I'll attach another... but I think if nothing is wrong with the ComboFix log and nothing was found in the scanners that it is fine, and if not I'll create a new forum...

Thanks for your help.
 
I believe that Spelling Counts. Differences in spelling between the log files caught my attention. This type of virus is so old that I question my sanity! Did these logs come from the same load of XP? This is the most logical explanation.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:36 PM, on 11/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

C:\WINDOWS\Explorer.EXE
C:\Program Files\internet explorer\iexplore.exe
End of file - 8317 bytes

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:04 AM, on 11/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
End of file - 9272 bytes
 
I'm not sure what you mean by same load of XP, but I gave you two scans of my HJT.log and I too noticed that both of these are spelt differently as far as uppercase and lowercase... I'm not exactly sure what to do though... can you give me some guidance?
 
Guidance - not really.

I've seen this problem before.

At that time I re-loaded XP to solve the concern over different spellings.

At another time on a different computer, a 'hung' window with IE was tied to a PID using a smaller amount of memory compared to working instances. Upgrade to IE7 solved that problem.

It appears the universal solution is to re-install something. That is a heck of an answer.

P.S. I held back the personal experience from the initial response to get your input first.
 
Well, thanks for the no help... maybe someone more fit for what I'm looking for can assist me...
 
hey eric,

welcome back.

Obviously we recommend against P2P file sharing as far as security is concerned.

**P2P programs = Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation. See http://spywarewarrior.com/viewtopic.php?t=26216

==================================================

Run CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE* Make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
c:\windows\system32\mlfcache.dat

Folder::
c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

==================================================

CCleaner
  • Download from HERE
  • Close all browsers.
  • Run the programme and make sure all the boxes are ticked under the Windows and Applications tabs. Also check all Advanced tabs (except for the Old prefetch Data option, this should be unticked).
  • Click the run cleaner button.

====================================================

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Attach the report into your next reply
 
Spelling does NOT count in windows

rf647 -

Actually, in Windows:

iexplore.exe
and
IEXPLORE.EXE

are exactly the same filename and are treated the same.

However, you are definitely showing two different versions of Internet Explorer in the two folders. Explore to each of them and right-click, choose properties and click on Version.
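
An added example, not part of any post in this thread: the process paths from the two HijackThis excerpts quoted earlier, compared with Windows path rules so that case-only spellings are separated from genuinely different paths. The parser handles only the line kinds seen in those excerpts, and the names `parse_hjt`, `compare_process_lists` and `HEADER_KEYS` are illustrative.

```python
import ntpath  # Windows path rules; importable on any OS

# Constructed sample input: the two excerpts quoted earlier in this thread.
LOG_A = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:36 PM, on 11/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

C:\WINDOWS\Explorer.EXE
C:\Program Files\internet explorer\iexplore.exe
End of file - 8317 bytes
"""
LOG_B = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:04 AM, on 11/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
End of file - 9272 bytes
"""
HEADER_KEYS = ("Platform", "MSIE", "Boot mode")


def parse_hjt(text):
    """Return (header dict, process paths) for the line kinds seen above."""
    header, procs = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        key, sep, value = line.partition(": ")
        if sep and key in HEADER_KEYS:
            header[key] = value
        elif line[:1].isalpha() and line[1:3] == ":\\":
            procs.append(line)  # drive-letter path, e.g. C:\...
    return header, procs


def compare_process_lists(procs_a, procs_b):
    """Split differences into case-only spellings and genuinely new paths."""
    a = {ntpath.normcase(p): p for p in procs_a}
    b = {ntpath.normcase(p): p for p in procs_b}
    case_only = sorted((a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k])
    only_a = sorted(a[k] for k in a.keys() - b.keys())
    only_b = sorted(b[k] for k in b.keys() - a.keys())
    return case_only, only_a, only_b


if __name__ == "__main__":
    (_, pa), (_, pb) = parse_hjt(LOG_A), parse_hjt(LOG_B)
    case_only, only_a, only_b = compare_process_lists(pa, pb)
    for left, right in case_only:
        print("same file, different case:", left, "|", right)
    print("only in first log:", only_a, "only in second log:", only_b)
```

A path that lands in `only_a` or `only_b`, such as a browser executable running from an unexpected directory, is the difference worth following up; entries in `case_only` name the same file.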
 
Memory usage by Internet Explorer

big_eric - I hate to tell you this but that is really not that unusual if you are really using a lot of the browser's functionality. Using 180MB with multiple tabs open is not necessarily an indication of a problem. I understand you found a trojan, but that may not be the cause of your issue.

I routinely push 200MB of RAM used by IE8. I used to use WAAAY more than that with IE7 and Firefox is the worst of the bunch (IMO) as it gets up in the 300MB range fairly often. Of course I usually have 8-10 tabs open in each browser too! You just need to have enough physical RAM and a large enough swapfile to handle it all. Flushing your temp internet files and cutting back on the Addons or BHOs will help some. I found a lot of lag and excess memory usage was from so-called helper objects that I rarely use.
 
Okay i've done as you asked and i've attached the three log files you've requested. I had to make my own .txt file for the online scanner since it wouldn't let me save it for some reason but all the information is there. Looking forward to your reply.
 
Looks good, all 3 things Kaspersky found were music downloads that must have been malicious.

Delete these 3 files then we can cleanup:

C:\Documents and Settings\Eric\.housecall6.6\Quarantine\3oh3 - still around.mp3.bac_a0164
C:\Documents and Settings\Eric\.housecall6.6\Quarantine\benny at dispatch.mp3.bac_a0164
C:\Kelsey's Folder\Incomplete\Preview-T-5745425-bounce with me kresah turner.mp3


Actually delete anything in the quarantine folder of housecall

====================================================

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------

OTCleanit! by Oldtimer
  • Download OTCleanIt
  • Click the CleanUp! button.
    • It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

---------------------------------------------------------------------------

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    clear system restore points

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.

  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.

  3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. This is done in Vista through control panel -> windows updates.

  7. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  8. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
 
Thank you for your help, my computer seems more responsive already =) That's why I come to this site, because you know what you're talking about.
 
For performance, when was the last time you defragmented your hard drive?

Check out this program. After you analyze, you can select files and only defrag the files that need it, which saves time over defragging a whole drive.

Defraggler
  • You can download defraggler from HERE
  • Select download latest version in the top right corner
  • Save the installer to your Desktop or someplace easy to find it.
  • Double click the installer and follow the prompts to install.
  • It's a good idea to run a temp file cleaner first to reduce scan times (CCleaner or ATF Cleaner)
  • Once you Launch the program you will see the following GUI
  • After you click analyze you can select file list to simply defrag just the files that need it.
 