2 iexplorer.exe in task manager. Please help

Status
Not open for further replies.

cpunoob

I noticed a few days ago that when I open IE there's two of them in my task manager but only one displays on the screen. I have tried to close one but it usually closes both or the tab recovers, still leaving me with 2 iexplorer.exe. I'm not sure if the two problems are related but whenever I move the mouse inside any IE page my CPU usage spikes to almost 100%. Mouse movement in an offline window such as task manager results in a CPU usage increase of about 15-20%. Whatever program I'm mousing around in is the program that will cause the CPU usage to rise. I have followed all the preliminary virus removal instructions found on this forum and have attached the requested logs to this post. Any help would be greatly appreciated.
 
I tried to uninstall McAfee from Add/Remove Programs in the Control Panel and it worked on everything but the Security Center itself. It just said there was an error trying to remove it. I made sure there was nothing with McAfee running and tried to uninstall again but got an error saying it could not run anything because some of the files are missing. So I then tried to run the McAfee removal tool and it stopped at about 15% with an error about mskdetct.exe. So I tried to restart my PC and try again. On restart McAfee Security Center started up but with no virus scan or firewall, just the Security Center. Now when I try to run the McAfee removal tool again it says it's already running but I can't find it in the Task Manager.
 
I restarted the PC again and McAfee Security Center is nowhere to be found this time. The McAfee removal tool still says it's already running though. Still no McAfee products or removal tool running in Task Manager. Also ran the IE reset Fix It tool, still two instances of it in my Task Manager.
 
AppRemover didn't find McAfee on my PC. I'm pretty sure it's gone but the two iexplorer.exe remain with the CPU usage spikes just by moving the mouse, but that may be another issue altogether, I'm not sure. I made a new HijackThis log if that helps.
 
On your first concern: 2 iexplorer.exe in Task Manager: Multiple iexplore.exe processes are normal with IE8, which you have.

For remaining McAfee entries: Security programs usually won't allow removal when running, so:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Reopen HijackThis to 'do system scan only'. Check the following, if present:

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)


Click on Start> Run> type in services.msc> find each of the following Services> double-click to open> Change Startup type to Disabled> Stop the Service:

McDetect.exe (McAfee WSC Integration)
McTskshd.exe (McAfee Task Scheduler)
mcupdmgr.exe (McAfee SecurityCenter Update Manager)


Close the Services

Open Internet Explorer> Tools> Manage add-ons> look in both 'add-ons currently running' and 'add-ons previously running' for either of the 2 McAfee processes mcinsctl and mcgdmgr (these are the 2 ActiveX entries O16 above)> highlight> Disable each

Use Windows Explorer: Right click on start> Explore> My Computer> Local Drive (C)> Programs> do a right click> Delete on any McAfee program folders.

Check Add/Remove Programs to make sure there are no McAfee entries.

Close all Windows except HijackThis. Click on "Fix Checked."

Reboot into Normal Mode

The HijackThis log is clean. But rescan once more to make sure all of the McAfee entries are gone.

Are you having any problem other than the CPU spike? If so, what? With just the browser open and no other 'active' windows running in the background (like a game running, music or video running):

Open the Task Manager and click on the Processes tab. Double click on the frame over the CPU column to sort in descending mode. Note which process is spiking.

You should see the highest amount for System Idle, around 97%+. Next will be taskmgr.exe, about 2-3%. What processes show over 2-3%? Give me the name of the process and PID #.
 
For example, just moving the mouse around in this forum page, the process iexplorer.exe PID#2580 spikes the CPU usage 40-60%. The process zlclient.exe PID#3264 spikes the CPU 10-20%. If I am watching a video on YouTube, for example, and move the mouse around, the video will become choppy. As far as the McAfee goes, I did exactly what you said and the log is now clear of any McAfee entries, thank you so much. I went to run the McAfee removal tool once more and it still said it was already running. I don't know but I guess it doesn't matter since it's not there. Also I probably should have mentioned this earlier but a few days ago my Avira picked up this:
"The file 'C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1823\A0303976.exe'
contained a virus or unwanted program 'DR/Dldr.Keenval.F' [dropper]
Action(s) taken:
The file was moved to '4b4cc8f9.qua'!"
I deleted it from there and rescanned and it isn't finding it anymore so I assumed it was gone.
It never showed on any of the 8 virus removal steps either.
 
FYI: zlclient.exe is a part of the ZoneLabs Internet Security range of products, which acts as a firewall for your computer. This blocks Internet-bound viruses from compromising weaknesses on your computer and should not be terminated.

It is possible that you're having multiple scans from the internet and the firewall is just doing its job!

System Volume is where the system restore points are kept. When we are helping clean malware, we remove all the old restore points and set a new clean one. These are protected files and cannot be deleted in the usual way.

I'd like you to do an online AV scan. Save the log and include it in your next reply. If it's clean and the problems have been resolved, I'll have you remove the cleaning tools and the old restore points and create a new clean restore point.

Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this in your post.
 
The log is clean. Are you still having any problems that you can't attribute to firewall activity?
 
Just the iexplorer.exe spiking to 70% CPU usage when I do as little as moving the mouse. If I hold the down arrow to scroll through this forum it spikes to 100%.
 
Do you have the free version or paid version of ZoneAlarm? If you can set it to log, you can check the time when it spikes and see if there is firewall activity at that time.

Another thought- do you have IE set up with tabs?
 
I have the free version. I just got it today when I got rid of my old McAfee. It does have a traffic monitor on the toolbar and it shows when I'm first loading a web page but not while moving around in the web page. Yes, I have IE set up with tabs. I did an Avira scan in safe mode and it came up with 13 warnings. I checked the log and they were all files that could not be scanned from system32/shockwave8. Not sure if that is relevant to the issue.
 
Download TFC http://oldtimer.geekstogo.com/TFC.exe
And run it, then Restart your computer

After Restart, please provide a fresh HJT Scan Only Log, as an Attachment, to a new reply

You could also check Task Manager (Ctrl + Alt + Del) for any high memory resourced processes that you could mention in a new reply too
 
Here's the new log. The highest memory usage is iexplorer.exe (54,272 K)
svchost.exe (26,728 K) explorer.exe (22,0076 K) vsmon.exe (19,952 K). Not sure if that is what you were needing.
 
All of the following are non essential (They don't need to load with Windows)
Startup HJT Scan Only and check (tick) all the following entry boxes
Before selecting FIX, close all Internet Browsers
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
Close HJT

Restart

Actually, you could also uninstall SUPERAntispyware (since I just disabled it from starting with Windows :D)
And do you really require ZoneAlarm? I know I don't, I use Windows Firewall (god forbid :D ) Oh and it works perfectly well ;)

After Restart, provide a fresh HJT Scan log (again)
Oh and let me know if it's now better or not ;)
 
New log attached. The CPU spiking remains. If Windows Firewall is enough then I wouldn't mind getting rid of ZoneAlarm. I just got it because it was the one recommended in the 8 step section of the forums. How do I go about removing it?
 
Please attach the Avira log. I'll check out what you're seeing.

As for the firewall: a firewall 'listens' at ports. Think about a house (computer system) with alarm systems at every door (port). But the alarms are set to let some people (IP) in to specific doors (port number) if they act a certain way (protocol) at the door. The firewall, like the alarm system, is set for specific behavior and it either lets the person - their name (IP) - in or it doesn't (blocks).

That is a very non-technical comparison, but I hope it gives you an idea. When a firewall is set to log, it would be like every person (IP) who came to the house had to sign a paper. This would show everything about the person (IP, port number, type of protocol) and whether the alarm let them in or not.

So basically, if that person has been set to be allowed to come through the door, that is, they meet the specific criteria set into the alarm system, they will be admitted. But even if they are not, there will be a record of their attempt to enter (scan).

Once the alarm system (firewall) has assessed the person (IP) as to whether it meets the criteria to come in or not, it (ports, protocol) is not going to keep checking that person (moving around on the webpage).

A firewall log can show this:
ZoneAlarm Logging Client v8.0.065.000
Windows Vista-6.0.6001-Service Pack 1-SMP
type- incoming or outgoing
date,time,
source- this is the IP of either the incoming or outgoing IP
destination- this is the IP of either the incoming or outgoing IP
transport- this is the type of transaction
(Security)- this happens to be the program involved in the attempt.

The following flow the same way, just by different programs or apps.
type,date,time,virus name,file name,mode,e-mail id (Anti-Virus)
type,date,time,source,destination,action,service (IM Security)
type,date,time,source,destination,program,action (Malicious Code Protection)
type,date,time,action,product,file,event,subevent, class,data,data,... (OSFirewall)
type,date,time,name,type,mode (Anti-Spyware)


The next time you notice the spike, do this:
Open the c:\WINDOWS\Internet Logs\ZALog.txt folder - copy and paste in the next post.
[Search for this: ZALog.txt]


Something to consider: the more auto-updates you have set, the more internet activity you will have. Each program update will access the internet several times during each day to see if there is any update. Technically it could be doing this every day for months before there is an update. And each time a program or app IN your system attempts to access the internet, the firewall will determine whether to let it.

If you have a tab set to receive RSS feeds, this may also happen numerous times of every day and each time there is an incoming attempt to access YOUR system FROM the internet, the firewall will decide whether to let it pass.

Have a look here: this is the type of activity that you want to see:
http://www.mynetwatchman.com/tpincr.asp

Here are their FAQs to give you a more detailed idea of what you can see:
http://www.mynetwatchman.com/faq.asp

You can also try closing some of the tabs, the busiest one for instance. You may be able to pin down the source of the activity by doing this.
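An added example (not part of the original posts, and not ZoneAlarm's own tooling): one way to do the check suggested above, matching the time of a CPU spike against firewall log entries. The sample lines are constructed; the field order follows the post, while the type values, timestamp layout and `ip:port` form are assumptions.

```python
import csv
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample, not the poster's log. Field order follows the post:
# type,date,time,source,destination,transport. The type values, the
# timestamp layout and the ip:port form are assumptions for illustration.
SAMPLE_LOG = """\
ZoneAlarm Logging Client v8.0.065.000
type,date,time,source,destination,transport
FWIN,2010/03/02,14:05:10,203.0.113.7:4431,192.168.1.20:445,TCP
FWIN,2010/03/02,14:05:12,203.0.113.7:4432,192.168.1.20:135,TCP
FWOUT,2010/03/02,14:05:40,192.168.1.20:1050,198.51.100.9:80,TCP
FWIN,2010/03/02,15:30:00,203.0.113.99:53,192.168.1.20:1051,UDP
"""

def parse_events(text):
    """Return dicts for well-formed rows; banner, header and garbled lines are skipped."""
    events = []
    for row in csv.reader(text.splitlines()):
        if len(row) < 6:
            continue
        try:
            when = datetime.strptime(f"{row[1]} {row[2]}", "%Y/%m/%d %H:%M:%S")
        except ValueError:
            continue  # header row or unparseable timestamp
        events.append({"type": row[0], "time": when, "source": row[3],
                       "destination": row[4], "transport": row[5]})
    return events

def events_near(events, spike, window_seconds=30):
    """Events logged within +/- window_seconds of the observed CPU spike."""
    delta = timedelta(seconds=window_seconds)
    return [e for e in events if abs(e["time"] - spike) <= delta]

def summarize(events):
    """Count events per (type, source IP) so one noisy peer stands out."""
    return Counter((e["type"], e["source"].rsplit(":", 1)[0]) for e in events)

if __name__ == "__main__":
    spike = datetime(2010, 3, 2, 14, 5, 15)  # time noted from Task Manager
    hits = events_near(parse_events(SAMPLE_LOG), spike)
    for (kind, ip), n in summarize(hits).items():
        print(f"{kind} from {ip}: {n} event(s)")
    if not hits:
        print("No firewall activity near the spike; look elsewhere.")
```

An empty result for the spike window points away from the firewall as the cause; a cluster of entries from one source in that window is what to report back.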
 
I don't see any reason at this point to uninstall ZoneAlarm. It IS one of the two firewalls we recommend, the other being Comodo.
 
I don't see any reason why personal firewalls are in the Malware removal guide (especially at the beginning)

I don't use a 3rd party firewall. Windows already comes with one ;)
 
Here's the ZA log, and I just want to go ahead and thank you for taking the time to explain all this.
 
kimsland, you are getting into the realm of optional removals which should be explained to the poster. The programs are legitimate but they do not need to be on startup. You should explain why you are recommending a removal or install. The entries are not malware or viruses. They just don't need to start on boot and can be started in Add Programs.

Even though the programs and apps don't need to start on boot, it should still be left up to the user whether to remove them, after giving them a reference for why you recommend removal. For instance, you are recommending the removal of WinCinemaMgr. The user needs to know what this does and why it isn't required on boot.

We are usually so busy finding and removing the malware that we don't have time for listing and suggesting removal of performance issues.

cpunoob: about this comment:
If windows firewall is enough than i wouldn't mind getting rid of Zone Alarm

No, the Windows firewall is not enough. I don't even recommend it to anyone. It does NOT listen at both incoming AND outgoing ports. Frankly, that means it does a half-add job.
 
Is the free version of ZoneAlarm enough for a firewall? Also do you think the other recommended firewall (Comodo) might use less CPU? Is it safe for me to go about my normal business on the web (paying bills etc...)? This is the only site I have been visiting since I have suspected a virus.
 