Multiple iexplore processes running

Status
Not open for further replies.

Marshall

Multiple iexplore processes running; finished 8 steps; logs attached

Like so many others, I have experienced multiple (usually 2) instances of internet explorer (iexplore.exe) running simultaneously. One will eat up 98% or so of my cpu capacity, making the computer non-responsive. I had a MAJOR virus infection a month or so ago, and paid our tech guys to remove it/restore system. Since then, I have had this problem. I have Panda L08, Malwarebytes, AdAware, and now Hijack This. I am attaching hjt log. I have found trojans using Malwarebytes and AdAware in the last couple of days, and have removed them. I have also run RegCure. Any help would be greatly appreciated. I am also attaching a Malwarebytes log. Couldn't figure out how to attach the AdAware log, but it shows a Win32 Trojan removed. The Panda log is too large to upload here, but shows mostly cookies, and no virus infections.

Wednesday 4-22
Ok, I'm a newbie. It took me awhile to figure out the 8 steps thing everyone referred to, but I finally found Julio's 8-step program in topic 58138. I have now completed all of the 8 steps and attach the requested logs. I ran a virus scan (Panda L08) and got a clean scan.

Also, Thanks to jobeard for his response. I will try that even though I have no idea what a dns is.

After reviewing the attached logs, is there anything else I need to do? Thanks for your assistance.
 
The Malwarebytes log found and cured one issue. You should have rebooted at least once after running it.

The other interesting issue is your DNS settings.
You might try forcing a manual DNS pair like
208.67.222.222
208.67.222.220
which point to the OpenDNS server.

If you do, then use this to avoid a reboot
Use an Admin Login to get a command prompt (run->cmd)
ipconfig /flushdns
net stop "DNS Client"
net start "DNS Client"
enter as written (ie copy/paste into a command prompt)
 
DNS settings

I looked at this and was completely confused. I am on a LAN, and the settings seem to be fixed by our tech consultant to let the settings be automatically determined. If I change it, after getting more detailed instructions how to do so, will it affect my use over the LAN?
 
Yes, it can affect access to your Domain Controller --

you should have been discussing ALL OF THIS with the help desk.
 
I appreciate your patience. As I said, I am new to this. Could you please look at the most recent logs I attached and advise if there is anything else I need to do based on the new hjt log? After performing the 8 steps, it appears that multiple iexplore processes run, but it does not appear that one of them is eating all the cpu capacity now. I still would like to solve the problem of multiple instances of iexplore running if possible.
I really appreciate your assistance. I don't even know which help desk I should have discussed the issue you identified with. Thanks again for your patience and your help.
 
Like so many others, I have experienced multiple (usually 2) instances of internet explorer (iexplore.exe) running simultaneously.

I suspect you are using IE8. Multiple iexplore.exe are normal in IE8- so is high memory and CPU usage. Consider going back to IE7 after reading this:

https://www.techspot.com/vb/all/windows/t-124001-IE8--What-Are-They-Thinking.html

Mbam is clean and SAS found 1 Tracking Cookie- you get the prize for the fewest Tracking Cookies! Congrats on that.

You show 4 connections to barneslabor.local. Is that your company?
The IP 192.168.2.5 IP 4.2.2.2 is for Level 3 Communications, Inc. in Colorado.
Is that the ISP?
This section might be what jobeard is referring to.

You can open HijackThis> Choose system Scan Only and check these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

Close all open windows and email except HijackThis and click on Fix Checked.

IF you are in a work environment, you will have an IT person in charge of the connections- that is who you should consult.
 
Bobbye, thanks for your reply. I run IE7. Barnes is my company. I don't know who our ISP is, but I can ask that question tomorrow. I'll apply the Hijackthis fix when I get to the office tomorrow.
Our IT guys are a private company that we use. Every time we ask a question, it costs a bundle of $$$$. They charged me 500 to remove the virus, and clearly didn't cure the whole problem. Charged me another 125 to fix something shortly after that I thought they should have fixed the first time. I sat and watched the techie use Google to find something on a problem, and I decided to use this approach to see if I could get it fixed. By googling the problem, I found lots of references to the issue, including one posted on techspot. Seemed to me you guys had a good handle on it, so I registered here to try to get back on track. Thanks for your response.
 
Marshall, I thought it might be IE8 because of this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:37 PM, on 4/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
We see that sometimes if IE8 Beta is installed. So there appears to be some problem with IE7

I see this running:
C:\WINDOWS\system32\msiexec.exe which is the Windows Installer Component. Normally it doesn't show up as a 'routine' entry, but rather is normally started when you install a new program.

I do NOT see any entry for iexplore.exe which is the executable file of Microsoft Internet Explorer although I do see the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

The closest there is to repair in IE7 is a reset (REIS):
If the problem is caused by damaged or incompatible Internet Explorer settings or add-ons, you can usually resolve the problem by resetting Internet Explorer settings:

To use the Reset Internet Explorer Settings feature from Control Panel, follow these steps:
1. Exit all programs, including Internet Explorer (if it is running).
2. Start> Run> Type the following command in the Open box, and then press ENTER:
inetcpl.cpl
The Internet Options dialog box appears.
3. Click the Advanced tab> Under Reset Internet Explorer settings,> click Reset> Then click Reset again.
4. When Internet Explorer finishes resetting the settings> click Close in the Reset Internet Explorer Settings dialog box.
5. Start Internet Explorer again.

FYI: The Reset Internet Explorer Settings feature restores the following items to their default settings:

* Home pages
* Search scopes
* Browsing history
* Form data
* Passwords
* Appearance settings
* Toolbars
* ActiveX controls
Additionally, the Reset Internet Explorer Settings feature disables add-ons but does not remove them.

You can do the REIS after running HijackThis.
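The entries discussed in this thread can be triaged mechanically. The following is an added example, not part of the original posts and not HijackThis's own code: it parses the R0/R1 and O23 lines quoted above and lists the two patterns the helpers singled out, blank registry values and services reported with "Unknown owner". The function names and regular expressions are assumptions made for this illustration.

```python
import re

# Entries copied from the HijackThis excerpts quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")            # "R0 - <body>"
REG_VALUE = re.compile(r"^(HK[A-Z]+)\\(.+),([^=]+?) =\s*(.*)$")
SERVICE = re.compile(r"^Service: (.+) \((.+)\) - (.+?) - (.+)$")


def parse_entry(line):
    """Split one log line into section code and fields; None if not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    entry = {"section": section, "raw": body}
    if section in ("R0", "R1"):
        r = REG_VALUE.match(body)
        if r:
            entry.update(hive=r.group(1), key=r.group(2),
                         name=r.group(3), value=r.group(4).strip())
    elif section == "O23":
        s = SERVICE.match(body)
        if s:
            entry.update(display=s.group(1), service=s.group(2),
                         owner=s.group(3), path=s.group(4))
    return entry


def review(log_text):
    """Return (section, reason, detail) tuples for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        if e["section"] in ("R0", "R1") and e.get("value") == "":
            detail = e["hive"] + "\\" + e["key"] + "," + e["name"]
            findings.append((e["section"], "empty value", detail))
        elif e["section"] == "O23" and e.get("owner") == "Unknown owner":
            findings.append(("O23", "unknown owner", e["path"]))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

A finding is a pointer for manual review, not a verdict: the Netropa service flagged here is described later in the thread as a vendor preload for keyboard hotkeys.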
 
I ran the Hijackthis and removed the three items. That seems to have cured the problem of one of the iexplore processes taking up all of the CPU capacity. I still have multiple instances of iexplore.exe running but so long as it doesn't jam up my processor, I suppose it's ok. If I have two tabs open, there are three processes running. If I have one tab open, there are two processes running.

I ran the RIES and got green checks by the first two items, and a red x by the "apply default settings" entry. I did as suggested in the help dialogue and shut down windows and tried again with the same result. Should I try removing IE7 through the control panel - add and remove programs and try to reinstall IE7?
 
If I have two tabs open, there are three processes running. If I have one tab open, there are two processes running.
I have Firefox and open my homepage with 7 tab set up. Only ONE 'Firefox' process shows in the Task Manager. IF I launched Firefox twice, I would show 2 Firefox entries. IF I launched it three times, I would have 3 entries.

Seems to me, the # of browser processes should coincide with how many actual launches were made with the browser, not how many tabs! But I am hearing about multiple iexplore.exe processes in IE8, which is normal for that version.

Malware can 'disguise' itself as virtually any process. But I would like for you to do two things:
1. Run the Windows Error Check:
My Computer> right click on Local Drive- usually C> Properties> Tools> Error Check> check both entries in the screen that comes up> OK> Close and reboot.

Let the check complete. System will reboot when through

Let me know how system is doing after that.
 
Hope springs eternal....and I responded too quickly about the system running better. After I posted that, one of the iexplore processes has hung up on three occasions. Once when I tried to log in to techspot, once when (just now) I tried to open this thread to reply, and once when I tried to log in to yahoo to check email. I had run taskmanager all morning after removing the three registry entries and had no problem until just before noon. If anything, the problem has expanded, because it also occurred while using firefox which had been impervious to the problem until today. It seems that others in the office are also having a similar problem with their browsers.
I did run the error check, and two instances reported above happened after I ran it.
 
Perhaps I am running IE8 after all. When I click help, about Internet Explorer, it says I'm running IE8. However, in control panel, add/remove programs, it shows IE7 but not IE8. If IE8 is on the computer, how can I remove it and go back to IE7? I never intentionally downloaded IE8, so don't know how it got there. When our tech guy was working to remove viruses, he was here about 8 or 9 hours. Have no idea what he may have done. It does seem he asked about IE8 and I told him I didn't want it.

As of now, no further hangups on the cpu after three more hours of running the browser.
 
he was here about 8 or 9 hours. Have no idea what he may have done. It does seem he asked about IE8 and I told him I didn't want it.

The tech people you pay usually ignore the wishes of the user- if they even ask!

To remove IE8
1. Let Microsoft do it here: http://support.microsoft.com/kb/957700
2. Check the 'known issue'
OR
3. Remove it manually>> instructions at bottom of same site.
 
It just gets more interesting. I tried the auto fix and it said it did not apply to my system. I tried the manual steps and got the message that it was not a valid path when I copied the command string into the dialogue box. What I am about to conclude is that the tech guy put IE8 on my machine and when I told him I didn't want it, did a half-assed job of removing it. I'm wondering if I could install IE8 again and then go to the MS site and use their removal tool. If that didn't work, I'm seriously considering reformatting and reloading, a process to which I do not look forward.
 
My apology Marshall- I'm 2-3 days behind in everything!

I hope you haven't reformatted/reinstalled yet. That is something best done when everything else fails. There are some who would rather do it than troubleshoot, but I am very conservative about its use.

Tell me what the system status is now:
1. Do you still have IE8, or are you unsure of the version?
2. Do you want IE8?
3. Are you willing to accept the multiple iexplore.exe processes and large resource use of IE8?
4. Would you prefer going back to IE7?

As for the Command prompt for Internet Options, if that is a problem, you can open Internet Options through the Control Panel.

The only program I see in the HJ log with excessive entries is Panda. It looks like a suite. Otherwise, just keep in mind that you have multiple connections through Barnes. Everything comes with a price!

Let me know and we'll finish up, including removing the cleaning tools.
 
Bobbye,
I'm running a bit behind also. I am running IE7. I believe this to be the case because I went to the MS download site and downloaded it again. Also, in the add/delete programs, IE7 is listed, but IE8 is not. The only place that IE 8 is indicated is in the Help, About Internet Explorer tab. Also, everytime I start IE, I get the dialogue box trying to get me to download IE8. Having said all that, I prefer to stick with IE7, although there are clearly some vestiges of IE8 on my system. After downloading a fresh IE7, the problem is less severe. I am still showing multiple processes running, but it's not hanging me up very often now.
As to the multiple Barnes connections, should we remove some of them? Panda is a suite, highly recommended by our tech type. I'm not so sure about it though. I run McAfee on all my other computers and like it.
Thanks for all your help.
 
You know that old saying "the hurrier I get the more I fall behind"? Didn't mean for this to go on so long!

HijackThis still can't ID the Internet Explorer version and shows 3 iexplore.exe entries. There are a few entries in HJ that can be removed, but first, I have a question:

You have this Active X control:
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://na.ntrsupport.com/nv/inquiero/mod/setup/ntractivex118_28.cab

The description is: NTRsupport delivers end-to-end support that's easy to access and highly secure.
It uses Squid software, which is a proxy server and web cache daemon. Squid is a very fast proxy-cache program. Squid acts as an agent, accepting requests from clients (such as browsers) and passing them to the appropriate Internet server. Squid acts only as an HTTP-type proxy - it will act as a proxy for browser-type applications. Generally speaking, though, it won't act as a proxy for applications other than browsers. Squid gives you the ability to share data between caches. Although Squid is primarily designed to run on Unix-like systems, it also runs on Windows-based systems.

Can you tell me how you are using this?

Open HijackThis> Do system Scan Only> check the following if present:

C:\WINDOWS\system32\devldr32.exe
(Another useless Dell pre-load, installed with Creative Labs audio hardware. There is a bug in them which prevents devldr32.exe from shutting down correctly during the shutdown procedure. This process is a frequent cause of problems. One user describes it as "evil part of Creative SB Live" and went on to remove it from the computer.)
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\devldr32.exe

Close all Windows except HijackThis> Click on Fix Checked.
Close when through.

Please also consider fixing these optional entries. I recommend fixing each of them and will explain why:
C:\WINDOWS\Nhksrv.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
(This program is installed by certain Dell and Compaq computers. It is used to disable any configured hotkeys while the screensaver is running.)
IF you use the multimedia features of the keyboard, leave these entries. If not, take off startup and Disable the Service.

Boot into Safe Mode:
Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK the following:
Any processes for Netropa if you don't use the MM keyboard
Any processes for 'Creative'
Debug or mdm.exe

When through> Apply> OK
Boot into Normal Mode. Ignore nag message and close after checking 'don't show message again.' Stay in Selective Startup.

Please let me know what problems you still have, if any. Make sure when you use IE that you set up tabs for additional sites. If you launch IE each time you want a site or new link, you will see an iexplore.exe process for each.

We will remove the cleaning tools if the problems have been resolved.
 
I have no idea how the NTR Active X control is used. I would guess that if it is not a part of the Windows update deal, I have no use for it.

I ran hijack and did not find devldr32.exe, debug\mdm.exe or nhksrv.exe. I did find and fix O23 - Service: Netropa NHK Server\\nhksrv.exe.

In msconfig, none of those processes were in the startup tab, but Machine Debug Manager and Netropa NHK Server were in the Services Tab. I unchecked those and rebooted.

As a test, I opened IE and have three tabs open. I have three iexplore processes showing in task manager. One of them bogged the processor down when I first started it and had to end the process. After the tab was "recovered" it seemed to run normally. It is interesting that I also show devldr32.exe in task manager, although it did now show up in the start tab in msconfig.
 
I ran hijack and did not find devldr32.exe, debug\mdm.exe or nhksrv.exe. I did find and fix O23 - Service: Netropa NHK Server\\nhksrv.exe.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:25 AM, on 5/6/2009
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\devldr32.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe


For devldr.exe:
Open Windows Explorer> navigate to Windows> system32> right click on devldr.exe> delete

If that doesn't stop it or causes an error message, instead of deleting it, rename the files to devldr32.old.
 
Bobbye,
Sorry for the long span before responding. Had a family wedding and a crisis at work. I have deleted devldr32.exe 5 or 6 times. It keeps re-appearing in task manager. Seems the little devil is hard to delete. I'm still having the problem with bogging down if multiple tabs are open in IE. Most of the time, I'm using Firefox although I don't like it as well. It doesn't bog me down, but it is slower than IE7 to respond.

See my prior post for the results of the other actions you recommended. Thanks again for your patience and advice.
 
Yes, I know- it doesn't go down without a fight! I was trying to remember how I finally got mine to stop a few years ago. I think I ended up using The Ultimate Troubleshooter from answersthatwork, a program with multiple utilities to access and control various system processes.

Check Devldr32.exe(Creative Labs) on this page:
http://www.answersthatwork.com/Tasklist_pages/tasklist_d.htm

What the process is from:
Company Creative Technology Ltd.
file version 1.0.0.17
product name Creative Ring3 NT Interface
Creative SB Live!
description DevLdr32
size 23.5 KB
copyright Copyright © Creative Technology Ltd. 1998-2001

I can't address this problem:
I'm still having the problem with bogging down if multiple tabs are open in IE. Most of the time, I'm using Firefox although I don't like it as well. It doesn't bog me down, but it is slower than IE7 to respond.
except to remind you that IE isn't being recognized correctly as previously mentioned. And IE8 IS boggy! I use Firefox and have a homepage with 7 tabs. I may end up with 10-12 over any period of time, but this doesn't slow Firefox down. I still have IE6, rarely use it, don't have any experience with v7 or v8.
 