2 iexplorer.exe in task manager. Please help

By cpunoob ยท 36 replies
Dec 6, 2009
  1. I noticed a few days ago that when I open IE theres two of them in my task manager but only one displays on the screen. I have tried to close one but it usually closes both or the tab recovers still leaving me with 2 iexlporer.exe. Im not sure if the two problems are related but when I ever I move the mouse inside any IE page my cpu usage spike to almost 100%. Mouse movement in an offline window such as task manager results in a cpu usage increase of about 15-20%. Whatever program im mousing around in is the program that will cause the cpu usage to rise. I have followed all the preliminary virus removal instuctions found on this forum and have attached the requested logs to this post. Any help would be greatly appreciated.
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    You have both McAfee and Avira Antivirus installed
    I'm unsure which one you acually want, but if its Avira (here's hoping)
    Then uninstall McAfee and then run the McAfee removal tool

    Run IE Reset Fixit Tool:
    Or manually from here https://www.techspot.com/vb/post682762-2.html
    Then restart Internet Explorer

    Then run a full updated scan with Avira
  3. cpunoob

    cpunoob TS Rookie Topic Starter Posts: 18

    I tried to uninstall mcafee from add/remove programs in the control panel and It worked on everything but the securtiy center itself. Just said there was an error trying to remove it. I made sure there was nothing with mcafee running and tried to uninstall again but got an error saying it could not run anything because some of the files are missing. So I then tried to run the mcafee removal tool and it stopped about 15% with an error about mskdetct.exe. So i tried to restart my pc and try again. On restart mcafee security center started up but with no virus scan or firewall, just the security center. Now when I try to run the mcafee removal tool again it says its already running but I can't find it in the taskmanager.
  4. cpunoob

    cpunoob TS Rookie Topic Starter Posts: 18

    I restarted the pc again and mcafee security center is no where to be found this time. The Mcafee removal tool still says its already running though. Still no mcafee products or removal tool running in task manager. Also ran the IE reset Fix It tool, still two instances of it in my task manager.
  5. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

  6. cpunoob

    cpunoob TS Rookie Topic Starter Posts: 18

    Appremover didnt find mcafee on my pc. Im pretty sure its gone but the two iexplorer.exe remain with the cpu usage spikes just by moving the mouse but that may be another issue all together, im not sure. I made a new hijackthis log if that helps.
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    On your first concern: 2 iexplorer.exe in Task Manager: Multiple iexplore.exe processes are normal with IE8, which you have.

    For remaining McAfee entries: Security programs usually won't allow removal when running, so>.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Reopen HijackThis to 'do system scan only'. Check the following, if present:

    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
    O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)

    Click on Start> Run> type in services.msc> find each of the following Services> double-click to open> Change Startup type to Disabled> Stop the Service:

    McDetect.exe ( McAfee WSC Integration)
    McTskshd.exe (McAfee Task Scheduler)
    mcupdmgr.exe (McAfee SecurityCenter Update Manager)

    Close the Services

    Open Internet Eplorer> Tools> Manage add-ons> look in both 'add-ons currently running' and 'add-ons previously running' for either of the 2 McAfee processes mcinsctl and mcgdmgr (these are the 2 Active X entries 016 above)> highlight> Disable each

    Use Windows Explorer: Right click on start> Explore> My Computer> Local Drive (C)> Programs> do a right click> Delete on any McAfee program folders.

    Check Add/Remove Programs to make sure there are no McAfee entries.

    Close all Windows except HijackThis. Click on "Fix Checked."

    Reboot into Normal Mode

    The HijackThis log is clean. But rescan once more to make sure all of the McAfee entries are gone.

    Are having any problem other than the CPU spike> If so, what? With just the browser open and no other 'active' Windows running in the background (like a game running, music or video running)>

    Open the Task Manager and click on the Processes tab. Double click on the frame over the CPU column to sort in descending mode. Note which process is spiking.

    You should see the highest amount for System Idle- around 97%+/ Next will be taskmgr.exe, about 2-3 %. What processes show over 2-3%? -Give me name of process and PID #.
  8. cpunoob

    cpunoob TS Rookie Topic Starter Posts: 18

    For example just moving the mouse around in this forum page the process iexplorer.exe PID#2580 spikes the cpu usage 40-60%. The process zlclient.exe PID#3264 spikes the cpu 10-20%. If i am watching a video on youtube for example and move the mouse around, the video will become choppy. As far as the Mcafee goes I did exactly what you said and the log is now clear of any mcafee entries, thank you so much. I went to run the mcafee removal tool once more and it still said it was already running. I dont know but I guess it doesnt matter since its not there. Also i probably should have mentioned this earlier but a few days ago my avira picked up this
    "The file 'C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1823\A0303976.exe'
    contained a virus or unwanted program 'DR/Dldr.Keenval.F' [dropper]
    Action(s) taken:
    The file was moved to '4b4cc8f9.qua'!"
    I deleted it from there and rescanned at it isnt finding it anymore so assumed it was gone.
    It never showed on any of the 8 virus removal steps either.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    FYI: zlclient.exe is a part of the ZoneLabs Internet Security range of products, which acts as a firewall for your computer. This blocks Internet-bound viruses from compromising weaknesses on your computer and should not be terminated.

    It is possible that you're having multiple scans from the internet and the firewall is just doing it's job!

    System Volume is where the system restore points are kept. When we are helping clean malware, we remove all the old restore points and set new clean one. These are protected files and cannot be deleted in the usual way.

    I'd like you to do an online AV scan. Save the log and include in next reply. It's it's clean and the problems have been resolved, I'll have you remove the cleaning tools and the old restore points-and create a new cleanrestore point.

    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
  10. cpunoob

    cpunoob TS Rookie Topic Starter Posts: 18

    heres the log
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    The log is clean. Are you still having any problems that you can't attribute to firewall activity?
  12. cpunoob

    cpunoob TS Rookie Topic Starter Posts: 18

    just the iexplorer.exe spiking to 70% cpu usage when i do as little as moving the mouse. If i hold the down arrow to scroll through this forum it spikes to 100%
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Do you have the free version or paid version of ZoneAlarm? If you can set it to log, you can check the time when it spikes and see if there is firewall activity at that time.

    Another thought- do you have IE set up with tabs?
  14. cpunoob

    cpunoob TS Rookie Topic Starter Posts: 18

    I have the free version. I just got it when today when i got rid of my old mcafee. It does have a traffic monitor on the toolbar and it shows when im first loading a web page but not while moving around in the web page. Yes i have ie setup with tabs. I did an Avira scan in safe mode and it came up with 13 warnings. I checked the log and they were all files that could not be scanned from system32/shockwave8. Not sure if that is relevant to the issue.
  15. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Download TFC http://oldtimer.geekstogo.com/TFC.exe
    And run it, then Restart your computer

    After Restart, please provide a fresh HJT Scan Only Log, as an Attachment, to a new reply

    You could also check Task Manager (Ctrl + Alt + Del) for any high memory resourced processes that you could mention in a new reply too
  16. cpunoob

    cpunoob TS Rookie Topic Starter Posts: 18

    Heres the new log. The highest memory usage is iexlporer.exe (54,272 K)
    svchost.exe (26,728 K) exlorer.exe (22,0076 K) vsmon.exe (19,952 K). Not sure if that is what you were needing,
  17. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    All of the following are non essential (They don't need to load with Windows)
    Startup HJT Scan Only and check (tick) all the following entry boxes
    Before selecting FIX, close all Internet Browsers
    Close HJT


    Actually, you could also uninstall SUPERAntispyware (since I just disabled it from starting with Windows :D)
    And do you really require ZoneAlarm? I know I don't, I use Windows Firewall (god forbid :D ) Oh and it works perfectly well ;)

    After Restart, provide a fresh HJT Scan log (again)
    Oh and let me know if its now better or not ;)
  18. cpunoob

    cpunoob TS Rookie Topic Starter Posts: 18

    New log attached. The cpu spiking remains. If windows firewall is enough than i wouldnt mind getting rid of Zone Alarm. I just got it because it was the one recommended in the 8 step section of the forums. How do i go about removing it?
  19. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Uninstall ZoneAlarm by going to Start > Control Panel > Add/Remove Programs > ZoneAlarm > Uninstall

    Also here's the ZoneAlarm Uninstall Tool, that can be run after doing the above: http://download.zonealarm.com/bin/free/support/cpes_clean.exe

    Log looks clean, but I'd like to hear after Restart how it is again :)
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Please attach the Avira log. I'll check out what you're seeing.

    As for the firewall: a firewall 'listens' at ports. Think about a house (computer system) with alarm systems at every door (port). but the alarms are set to let some people (IP) in to specific doors (Port number) if they act a certain way (protocol) at the door. The firewall, like the alarm system, is set for specific behavior and it either lets the person - their name (IP) in or it doesn't. (blocks)

    That is a very non technical comparison, but I hope it gives you an idea. When a firewall is set to log, it would be like every person (IP) who came to the house had to sign a paper- this would show everything about the person (IP, port number, type of protocol) ans whether the alarm let them in or not.

    So basically, if that person has been set to be allowed to come through the door- that it, they meet the specific criteria set into the alarm system, they will be admitted. But even if they are not, there will be a record of their attempt to enter (scan) .

    Once the alarm system (firewall) has accessed the person (IP) as to whether it meets the criteria to come in- or not-it (ports, protocol) is not going to keep checking that person (moving around on the webpage)

    A firewall log can show this:
    ZoneAlarm Logging Client v8.0.065.000
    Windows Vista-6.0.6001-Service Pack 1-SMP
    type,- incoming or outgoing
    source- this is the IP of either the incoming or out going IP
    destination- this is the IP if either the incoming or outgoing IP
    transport- this is the type of transaction
    (Security)- this happens to be the program involved in the attempt.

    the following flow the same way- just by different programs or apps.
    ype,date,time,virus name,file name,mode,e-mail id (Anti-Virus)
    type,date,time,source,destination,action,service (IM Security)
    type,date,time,source,destination,program,action (Malicious Code Protection)
    type,date,time,action,product,file,event,subevent, class,data,data,... (OSFirewall)
    type,date,time,name,type,mode (Anti-Spyware)

    The next time you notice the spike, do this:
    Open the c:\WINDOWS\Internet Logs\ZALog.txt folder - copy and paste in the next post.
    [Search for this: ZALog.txt

    something to consider: the more auto-updates you have set, the more internet activity you will have. Each program update will access the internet several times during each day to see if there is any update. Technically it could be doing this every day for months before there is an update. And each time a program or app IN you system attempts to access the internet, the firewall will determine whether to let it.

    If you have a tab set to receive RSS feeds, this may also happen numerous times of every day and each time there is an incoming attempt to access YOUR system FROM the internet, the firewall will decide whether to let it pass.

    Have a look here> this is the type of activity that you want to see:

    Here are their FAQs to give you a more detailed idea of what you can see:

    You can also try closing some of the tabs- the busiest on for instance. you may be able to pin down the source of the activity by doing this.
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    I eon't see any reason at this point to uninstall ZomAlarm. It IS one of the two firewalls we recommend, the other being Comodo.
  22. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    I don't see any reason why personal firewalls are in the Malware removal guide (especially at the beginning)

    I don't use a 3rd party firewall. Windows already comes with one ;)
  23. cpunoob

    cpunoob TS Rookie Topic Starter Posts: 18

    heres the za log, and i just want to go ahead and thank you for taking the time to explain all this.
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    kimsland, you are getting into the realm of optional removals which should be explain to the poster. The programs are legitimate but they do not need to be on startup. You should explain why you are recommended a removal or install. The entries are not malware or viruses. They just don't need to start on boot and can be started in Add Programs.

    Even though the programs and apps don't need to start on boot, it should still be left up tot then user whether to remove that, after giving them reference why you recommend removal. For instance, you are recommending the removal of WinCinemaMgr. The user needs to know what this does and why is isn't required on boot.

    We are usually so busy finding and removing the malware that we don't have time for listing and suggesting removal of performance issued.

    cpunoob: about this comment:
    No, the Windowd firewal is not enough- I don't even recommend it to anyone. It does NOT listen at both incoming AND outgoing ports. Frankly, that means it does ha half-add job.
  25. cpunoob

    cpunoob TS Rookie Topic Starter Posts: 18

    Is the free version of Zone Alarm enough for a fire wall? Also do you think the other recommened firewall (Comodo) might use less cpu? Is it safe for me to go about my normal business on the web (paying bills etc...) This is the only site i have been visiting since i have suspected a virus.
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...