Two versions of IExplore.exe running at the same time and pc crawling

Discussion in 'Software' started by Denise_M, Aug 9, 2006.

  1. Denise_M

    Denise_M MajorGeek

    Hi,

    My PC has slowed to a crawl again. I opened Task Manager and noticed that I have 2 versions of IExplore.exe running at the same time. One is for user named owner and is using 40,136k memory (constant) and 02 cpu (constant), and the second one is also for user named owner, the memory varies between 50k and 53k, and is using about 65 cpu.

    My System Idle Process fluctuates between 0 and 10 and the only processes running are Major Geeks Support Forum, and a Search (that's finished but still displaying the results).

    I've run several anti-virus/malware/adware/spyware/trojan programs again and I've cleaned up my pc and defragged. There were no results to any of the programs I ran except a couple of cookies. I used all the options available on Dial-a-Fix and some of the tools that are under tools, ie., flushed DNS, purged SFC, repaired permissions. When I Process Idle Tasks, the speed of my pc will pick up for a few hours but it slowly goes back down to a crawl.

    It's been less than a week since my pc was running quickly again. I haven't installed or uninstalled any programs and I haven't changed any settings.

    Anyone have any ideas as to why I have 2 versions of iexplore.exe running at the same time, and why my pc keeps slowing down to such an extreme low speed and what I can do to fix these?

    Denise
     
  2. theefool

    theefool Geekified

    Upon a reboot, do you still have two instances of IE running?

    Start IE, check task manager. What about now?

    Close IE, check task manager...
     
  3. Denise_M

    Denise_M MajorGeek

    Hi theefool,

    I rebooted and didn't have 2 instances of IE running. I opened IE, checked Task Manager, and had only 1 instance of IE running. I closed IE and had no instance of IE running.

    But I had a virus. Today I ran a number of programs to see if I'd picked up a virus, malware, etc, and none of them found anything. With nothing else to do, I decided to run BitDefender and it found a virus. I couldn't attach the report because it's in html so I copied and pasted it:

    BitDefender Online Scanner

    Scan report generated at: Wed, Aug 09, 2006 - 21:17:02

    Scan path: A:\;C:\;D:\;E:\;F:\;

    Statistics

    Time: 03:22:29
    Files: 451841
    Folders: 6419
    Boot Sectors: 4
    Archives: 11748
    Packed Files: 42004

    Results

    Identified Viruses: 1
    Infected Files: 1
    Suspect Files: 0
    Warnings: 0
    Disinfected: 0
    Deleted Files: 1

    Engines Info

    Virus Definitions: 443731
    Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
    Scan plugins: 13
    Archive plugins: 39
    Unpack plugins: 5
    E-mail plugins: 6
    System plugins: 1

    Scan Settings

    First Action: Disinfect
    Second Action: Delete
    Heuristics: Yes
    Enable Warnings: Yes
    Scanned Extensions: *;
    Exclude Extensions:
    Scan Emails: Yes
    Scan Archives: Yes
    Scan Packed: Yes
    Scan Files: Yes
    Scan Boot: Yes

    Scanned File
    Status

    C:\Program Files\Logitech\Resource Center\installers\wildtangent\blastrb2.exe=>(NSIS o)=>zlib_nsis0018
    Infected with: Trojan.Exploit.Html.Codebaseexec.CC

    C:\Program Files\Logitech\Resource Center\installers\wildtangent\blastrb2.exe=>(NSIS o)=>zlib_nsis0018
    Disinfection failed

    C:\Program Files\Logitech\Resource Center\installers\wildtangent\blastrb2.exe=>(NSIS o)=>zlib_nsis0018
    Deleted

    C:\Program Files\Logitech\Resource Center\installers\wildtangent\blastrb2.exe=>(NSIS o)
    Update failed


    I was browsing through Add/Remove Software and saw Logitech Desktop Messenger and Logitech Resource Center. I had no idea what they do so I Googled them and browsed a few pages, but still wasn't sure if I should uninstall them so I left them alone. It's the only way that my pc could've caught this virus. Can I delete those programs?

    It's pretty late where I live so tomorrow I'm going to do the processes at http://forums.majorgeeks.com/showthread.php?t=35407. Last time I did them, it took me over 8 hrs . . . groan . . .

    I did warn you guys that I'll practically be living here. I like meatballs, green peppers, mushrooms and fried onions on my pizzas . . . all Chinese food is good if you bring a Mai Tai.

    Denise
     
  4. theefool

    theefool Geekified

    Seems like I live here too, except on the weekends. Someone PM'd me that I should be making dinner right now, which I am.

    When do you EXACTLY notice two instances of iexplore.exe running?

    Can you give a step by step procedure to reproduce this issue?

    Btw, I prefer Japanese food.

    To the Logitech issue. Are ye running a multimedia keyboard or mouse based on the Logitech brand?
     
  5. Denise_M

    Denise_M MajorGeek

    Hi,

    Yes, I have a Logitech keyboard and a Logitech mouse but I didn't think these items would warrant Logitech Desktop Messenger and Logitech Resource Center. The mouse and keyboard were both plug and play. That was the reason why I was looking for the purpose of the 2 programs. Since I couldn't find any concrete information, I didn't uninstall the programs.

    The first and only time I noticed that I had 2 IEXPLORE.EXE files running was when I was here, beginning this post. I opened Task Manager so that I could give you some information. I didn't notice it prior to that, but I rarely check Task Manager . . . only if I'm having a problem.

    Denise
     
  6. Denise_M

    Denise_M MajorGeek

    Hi, (Post One)

    The last time I ran this procedure, there was a special forum for posting HiJackThis logs but I couldn't find it tonight so I'm posting the results of all the scans here. I can post them again in another forum if this one isn't good.

    When I renamed the HiJackThis exe file to analyse.exe, the program still ran under the name of HijackThis v 1.99.1 and that's the name of the log file also.

    I'm also attaching bdscan.log, runkeys.txt, and newfiles.txt

    While I was in Safe Mode with "show hidden files and folders," I also ran AVG. It found:

    C:\Windows\system32\drivers\etc\hosts file had a Reading Error.
    Manage Add Ons: Disabled - Active Data Info Class - Symantec Corp.
    Messenger Checker Class (not verified) TODO: <company name>

    Denise

    All of the other scans found nothing, not even negligible risks.

    Denise
     


  7. Denise_M

    Denise_M MajorGeek

    Hi, (POST TWO)

    Post for additional attachment. The extension of AVG is .csv, but I couldn't upload that extension. I changed it to .txt and I'm hoping you can change it to .csv and still be able to read it.

    Denise
     


  8. theefool

    theefool Geekified

  9. Denise_M

    Denise_M MajorGeek

    Thanks for the links. The tutorial for a HiJackThis log would take me into next year to figure it out. I'll post the HiJackThis log there. The one scan that I wanted you to see is the one that I couldn't upload, the bdscan. Wednesday, the scan found 4 issues. When I ran it last night, it found a lot more files. It was able to clean those additional files but it couldn't clean or delete the 4 original files. The log is attached here.

    I get about 10 requests a day requesting permission from Sygate to allow Logitech dll files.

    Denise
     


  10. Denise_M

    Denise_M MajorGeek

  11. Denise_M

    Denise_M MajorGeek

    Hi,

    Does anyone know how I can get rid of these items? Can I simply delete them myself? I looked through the links at http://forums.majorgeeks.com/showthread.php?t=38752 but none of these items were listed. I want to get rid of this trojan as soon as possible.

    C:\Program Files\Logitech\Resource Center\installers\wildtangent\blastrb2.exe=>(NSIS o)=>zlib_nsis0018
    Infected with: Trojan.Exploit.Html.Codebaseexec.CC

    C:\Program Files\Logitech\Resource Center\installers\wildtangent\blastrb2.exe=>(NSIS o)=>zlib_nsis0018
    Disinfection failed

    C:\Program Files\Logitech\Resource Center\installers\wildtangent\blastrb2.exe=>(NSIS o)=>zlib_nsis0018
    Deleted

    C:\Program Files\Logitech\Resource Center\installers\wildtangent\blastrb2.exe=>(NSIS o)
    Update failed

    Denise
     
  12. Denise_M

    Denise_M MajorGeek

    Hi,

    I was hoping someone could lead me in the right direction regarding this Trojan.

    Can you tell me if I can simply delete the file, or what the ramifications might be if I do so?

    I can't let a Trojan take residence in my pc forever. I have to get rid of it. Any ideas are better than no ideas.

    Denise
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  14. Denise_M

    Denise_M MajorGeek

    Hi Tim,

    I've already followed steps 1 thru 7 and ran all the scans and submitted all the logs, first in this thread because it was where I started, and then at http://forums.majorgeeks.com/forumdisplay.php?f=35, due to the advice given (above) by theefool.
    I haven't heard from anybody yet about the scan results. I also posted the results of the scans at Help2Go Detective but I haven't received a reply from that forum either. I'm getting nervous as this trojan has been in my pc for several days now and I don't know what damage it might be doing.

    Denise
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There are only a few people who do the malware section ...and they are very thorough with their work ...they do this in their "spare time" as a free service and believe me when I tell you they get swamped ....have patience with them ...they will get to your issues and help you stay malware free ....:) :)

    There are scan logs that you haven't yet posted that were requested.
     
  16. Denise_M

    Denise_M MajorGeek

    Hi Tim,

    Maybe you can help me out. I thought I posted all the scans that were requested. I put them all in one post. Maybe they were too long for one post? So if you can tell me what is missing, I'll attach it.

    Downloading, installing and running the programs, in Safe Mode, Safe Mode with Networking, and in regular mode took me almost 24 hours, and I'm not exaggerating. Maybe it has to do with the fact that I have a 946Hz processor. I also ran scans that weren't mentioned, such as AVG, CWShredder, and McAfee Stinger. So I ran the whole gamut and plus some. I want to eradicate this beast that dared to enter my private domain. :mad:

    I can't find the post to see what I attached and what I didn't attach. What happened to that great link "Post Your HiJackThis Logs Here?"

    I'd like to say, though, for future reference for people who will install and run Spy Sweeper, that it took about an hour to run and it found 4 cookies. It won't delete the cookies unless the program is purchased. These sites should state that up-front so people don't waste their time. I was a little annoyed about it.

    Denise
     
  17. theefool

    theefool Geekified

    You need to attach as in use the "manage attachments" button, not post the entire log file within the post.

    Similar to an attachment within an email. :)
     
  18. Denise_M

    Denise_M MajorGeek

    As I had written in a couple of posts, MG won't allow me to attach the file a second time. I had already attached it to the thread that I originally opened. You received the information that you requested in the only way that I could get it to you.

    I've been reading up on these files and it seems that only BitDefender has been finding them, so the consensus is that they might be false positives. But FP's or not, I'd like to get rid of them. WildTangent, I've found, is for gaming. I have no idea how these files found their way into my pc last week because I don't do gaming. The Trojan is a different matter but it installed itself in my pc at the same time as WildTangent. I Googled the Trojan and found only questions with procedures that haven't worked. I have no idea where I picked it up.

    Denise
     
  19. theefool

    theefool Geekified

    Shadow puter dude just replied to your post (within the malware forum). I'd check back to the malware forum, and re-type what you posted here, over there. :)
     
