iexplore huge memory useage

tinner777

I have five seperate internet explorers running, is that right? have scanned and rescanned and found nothing is there anything dodgey in my hijack this log file?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:11:14, on 14/09/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\Taskmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Registry Defense\RegistryDefense.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Java\jre6\bin\ssvagent.exe
C:\PROGRA~1\Java\jre6\bin\ssvagent.exe
C:\PROGRA~1\Java\jre6\bin\ssvagent.exe
C:\PROGRA~1\Java\jre6\bin\ssvagent.exe
C:\PROGRA~1\Java\jre6\bin\ssvagent.exe
C:\PROGRA~1\Java\jre6\bin\ssvagent.exe
C:\PROGRA~1\Java\jre6\bin\ssvagent.exe
C:\PROGRA~1\Java\jre6\bin\ssvagent.exe
C:\PROGRA~1\Java\jre6\bin\ssvagent.exe
C:\PROGRA~1\Java\jre6\bin\ssvagent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F882228-94E1-4520-B38B-A62E0C686828}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{3F882228-94E1-4520-B38B-A62E0C686828}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DPWLN - C:\Windows\system32\DPWLEvHd.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxde_device - - C:\Windows\system32\lxdecoms.exe
O23 - Service: Nero BackItUp Scheduler 3 - Unknown owner - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 7673 bytes

thanks

RoadKillTs

Well the Registry Defense program that is running is dodgey so maybe a mod could move this to the Virus & Malware forum.

whizgremlin

it looks like you have alot of overlapping with your IE, I am always amazed at how many people still use IE as their default browser.

Why dont you try Firefox? its very light weight and you will instantly see an improvement with your overall system resources

Link: http://www.mozilla-europe.org/en/firefox/

on a side note: I wouldnt be posting your hijackthis log file - it seems somewhat intrusive and makes those unsavoury types aware of potential software vulnerbilities!!

Saruman

The question should be, is internet explorer even open or are these 5 instances of it running in the background but no window?

Have you tried running malwarebytes?

whizgremlin

Well usually when IE crashes it will still show in the Task Manager, a simple end task should do the trick, I dont think this has been attempted prior to the hijackthis scan and thats why its showing up perhaps.

If your IE had crashed a few times prior to your scan or became nonresponsive this might be the cause of your memory hog tinner777

RoadKillTs

I wouldnt be posting your hijackthis log file - it seems somewhat intrusive and makes those unsavoury types aware of potential software vulnerbilities!!

Thats nonsense.
It would be impossible to help someone with a malware infection without a hijack this log or equivalent.

OP - Your pc is infected with malware.
Run the tools in the sticky
And create a new thread in the Virus & Malware removal forum
Seeing as this one has not been moved yet.

whizgremlin

Whats nonsense is your fixation on this being a malware issue when its not!

From the point of view of a professional and qualified in the IT field individual, I do not see any reason to panic someone into thinking they have a virus or infection on their computer when its quite simply an IE/memory issue which is probably associated with overloading of toolbars if you were bothered to read through the log.

In addition, anywhere you see Norton there is bound to be a lot of memory hogging and system crashing especially if you have a low end spec computer.

As for the log being intrusive I still stand by this.

onemorechance

I think the new IE8 uses a new process for each tab or group of tabs. I think this is so that if one tab fails, that you do not need to shut down the program. It will cause excessive memory usage.

Saruman

onemorechance wrote: »

I think the new IE8 uses a new process for each tab or group of tabs. I think this is so that if one tab fails, that you do not need to shut down the program. It will cause excessive memory usage.

Very good point actually, IE8 does in fact do that. In fact if you have two tabs open, you will probably see 3 instances of iexplore running.

OP are there any actual signs of an infection? I can see nothing in the log to worry about, perhaps too many anti malware and anti virus programs running but that is only a system resources issue.

I am with whizgremlin, off hand it looks fine so unless you are actually getting symptoms like redirects, ads popping up on legit sites etc then I would not worry.
You can switch to firefox but instead of a number of iexplores you will have one massive firefox.exe running (with multiple tabs)

Just one thing worries me and that is RegistryDefense.exe, I do not know what it is so unless you installed some registry program and know what it is, get rid of it.

tinner777

hey thanks for replies, sorry i posted in wrong forum, got it sorted with a new instal of windows 7. mods please delete this

whizgremlin

tinner777 wrote: »

hey thanks for replies, sorry i posted in wrong forum, got it sorted with a new instal of windows 7. mods please delete this

that was a bit of a drastic solution - or maybe you mean ie7 ? the finalised version of win7 isnt released til the 22nd oct! :pac: