explorer.exe running at 170,000 K + [F]

Status
Not open for further replies.

DMcLaughlin

When I check my processes, explorer is running at 170,000 K + most of the time. That is abnormally high. Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:55 AM, on 6/30/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3264)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Sizer\sizer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\twhirl\twhirl.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Sizer (2).lnk = C:\Program Files\Sizer\sizer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://origin.games.yahoo.net/games/clients/y/poti_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1196117104849
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 1: (no name) - Netvibes

--
End of file - 4401 bytes



 
Re: explorer.exe running at 170,000 K + [N]

Hello

Do you know what twhirl.exe is? From my research it shows that it can be a legit app but it also is shown as a virus. So did you install this yourself? If not then we have some work to do.

Cheers,
Mak
 

Yeah, I installed twhirl myself. It isn't a virus. It is an Adobe AIR application that acts as a desktop client for the web application Twitter: What are you doing?

295,000 K now!
 
Re: explorer.exe running at 170,000 K + [P]

Hello,

Okay do this then.

Download ComboFix from Here or Here to your Desktop.
Read first: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
  • Be sure to re-enable your anti-virus and other security programs after ComboFix has finished.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read Combofix's Disclaimer

Logs needed in next post:

ComboFix

Cheers,
Mak
 
Re: explorer.exe running at 170,000 K + [P]


It says that the version of ComboFix is not up to date so I can't use it. And are you sure that this is okay to use if someone "holds my hand" down this path? I'm trusting you guys.
 
Re: explorer.exe running at 170,000 K + [P]

Hello,

You can go to some experts over at GTG. They have a special training course and fully trained experts to work with you if you trust that more.

I suggest you take your log to the malware doctors found in this forum.
Please make sure that you read this before posting anything in the malware forum.

If you're still having problems after the malware doctors declare your log clean feel free to post back here and we'll help you to the best of our knowledge! :)

Cheers,
Mak
 
Re: explorer.exe running at 170,000 K + [P]


Thanks for the reference to Geekstogo.com, cool website.

I was wondering. Could it be Windows SP3 that is causing it? If so, how can I downgrade to SP1 or SP2?
 
Re: explorer.exe running at 170,000 K + [P]

Hello,

I have been using XP SP3 since it was Beta and I have never experienced anything like this. I have seen reports of it but I cannot say for sure if it is or isn't, as I could never reproduce the issues they were having.

You're welcome for the reference. If you are going to continue with them I will move this to the finished area. :)

Cheers,
Mak
 
Re: explorer.exe running at 170,000 K + [P]


Sure, you can go ahead and move it to the finished section. I'm gonna reformat and keep it at SP1, or do you think I should keep it at SP2? Also, I'm probably gonna go out and buy a MacBook, and if I ever get an IT job I can just use Virtual Machine to run Windows on my Mac. And I don't play PC games so I don't think I will be at a disadvantage.

What ya think?
 
Re: explorer.exe running at 170,000 K + [P]

Hello,

I would go with SP2. That makes Windows the 2nd most secure it can be.

MacBooks are good. I know a few people that do what you are talking about and I think it is a great idea.

Moved.

Cheers,
Mak
 