
Bo:heap And Explorer.exe At 50% Cpu Usage


  • This topic is locked
6 replies to this topic

#1 bdf

bdf

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:54 PM

Posted 25 August 2008 - 05:49 PM

Hi all,

Can't seem to get rid of this problem. It started a couple weeks ago with joke-bluescreen and 'xp antivirus 2008' viruses. For a while I could only boot into safe mode. Eventually, using malwarebytes antimalware program cleared up these viruses, but the system is still not 100%.

This computer is on a larger (university) network.

Current symptoms are that frequently, the McAfee onaccess scanner will pop up with the bo:heap virus detection. The message will either be something like
c:\program files\Internet Explorer\iexplore.exe::RegOpenKeyA, or c:\Windows\EXPLORER.EXE::InternetOpenA, or c:\Windows\EXPLORER.EXE::socket, or c:\Windows\EXPLORER.EXE::VirtualProtectEx.

Also, the system becomes very sluggish, again quite frequently. A check of cpu usage in task manager indicates that EXPLORER.EXE is either pegged to 50%, or oscillates to 50% and then back to 0%.

Malwarebytes Antimalware repeatedly finds a {backdoor.agent, registry value, trojan, xrt_options}, and {backdoor.agent, registry value, trojan, xrt_id}. The program says it successfully quarantines and deletes it, but they keep re-appearing.

Spybot S&D repeatedly finds Microsoft.WindowsSecurityCenter.FirewallBypass. It says it successfully fixes it, but it keeps coming back also.

Ad-Aware didn't find anything of note. Scans with McAfee Viruscan and Stinger didn't find anything. The online virus scanning websites didn't work for me. One halted with the bo:heap issue. Another wouldn't start at all. I didn't try the panda antivirus as I've been disappointed with its results for other computers.

And finally before the HJT log, once in a while, soon after rebooting, a pop-up window appears saying "Windows Security Alert - Windows firewall has blocked some features of this program. Name: Windows Explorer". Never sure what to click on this one. Keep blocking, Unblock, or Ask Again Later.


Here's HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:08 PM, on 8/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\SiteAdvisor\6170\SAService.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\HPCOMPAN\hpjbtrck.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\dpmw32.exe
C:\Program Files\SiteAdvisor\6170\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6170\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6170\SiteAdv.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [APC] C:\utils\Advanced Parental Control\BackProcessAPC.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6170\SiteAdv.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdmlp.exe] C:\WINDOWS\system32\kdmlp.exe
O4 - HKCU\..\Run: [APC] C:\utils\Advanced Parental Control\BackProcessAPC.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\bdf\xrt_mkbr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130524243421
O16 - DPF: {6F714D46-E4EF-11D4-93EF-00D0D7032099} (Active DJ Studio ActiveX Control) - http://www.christianrock2.net/amp3dj.cab
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://oas4.wright.edu:7778/forms90/jinitiator/jinit.exe
O20 - Winlogon Notify: !SASWinLogon - C:\utils\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\utils\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: HP LaserJet Companion Service (Hpjbtrck) - Unknown owner - C:\HPCOMPAN\hpjbtrck.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6170\SAService.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 9033 bytes


Thanks for any help or advice,

bdf
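An added example (not code from the original poster or from BleepingComputer) that triages the O4 autorun lines of a HijackThis log like the one above. It parses each O4 line into hive, value name and command, extracts the program being launched, and flags the persistence patterns visible in this thread: a value name that is itself a full path (the kdmlp.exe entry), a program launched from a user profile directory (xrt_mkbr.exe), and a name matching a watch token such as "xrt_", which Malwarebytes reported as backdoor.agent. The sample lines are copied from the posted log; the flag names and the default watch list are this example's own conventions.

```python
"""Triage HijackThis 'O4' autorun entries.

Added example, not code from the original post. Parses O4 lines into
(hive, value name, command), extracts the executable, and attaches flags
for the persistence patterns discussed in this thread. The sample log
lines are copied from the posted HJT log; the flag names and the default
watch list ('xrt_', the backdoor.agent token Malwarebytes kept finding)
are this example's own conventions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the O4 lines from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdmlp.exe] C:\WINDOWS\system32\kdmlp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\bdf\xrt_mkbr.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups (User 'SYSTEM')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

# Registry-backed entries: "O4 - HKLM\..\Run: [name] command"
O4_REG = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# Startup-folder entries: "O4 - Global Startup: name.lnk = target"
O4_DIR = re.compile(r"^O4 - (?P<hive>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")

USER_PROFILE_DIRS = ("\\documents and settings\\", "\\users\\")


@dataclass
class Entry:
    hive: str
    name: str
    cmd: str
    exe: str
    flags: list = field(default_factory=list)


def executable_of(cmd: str) -> str:
    """Return the program part of a Run command (quoted path, or text up to the first .exe)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def flags_for(name: str, exe: str, watch_tokens) -> list:
    flags = []
    # A value name that is itself a path is typical of dropper-written Run entries.
    if "\\" in name or ":" in name:
        flags.append("NAME_IS_PATH")
    low = exe.lower()
    # Programs launched from a user profile rather than Program Files or system32.
    if any(d in low for d in USER_PROFILE_DIRS):
        flags.append("USER_PROFILE_EXE")
    base = low.rsplit("\\", 1)[-1]
    # Watch tokens: names the thread already tied to the infection (constructed default).
    if any(t in name.lower() or t in base for t in watch_tokens):
        flags.append("WATCH_TOKEN")
    return flags


def parse_o4(line: str):
    """Parse one HJT line; returns an Entry for O4 lines and None for anything else."""
    m = O4_REG.match(line) or O4_DIR.match(line)
    if not m:
        return None
    return Entry(m.group("hive"), m.group("name"), m.group("cmd"), executable_of(m.group("cmd")))


def triage(log_text: str, watch_tokens=("xrt_",)) -> list:
    """Parse every O4 line and attach flags; unflagged entries are kept for context."""
    entries = []
    for line in log_text.splitlines():
        e = parse_o4(line.strip())
        if e:
            e.flags = flags_for(e.name, e.exe, watch_tokens)
            entries.append(e)
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.hive:<14} {e.name:<36} {e.exe}  {' '.join(e.flags)}")
```

Run against a full HJT log, the flagged rows are the ones to research first; unflagged rows from Program Files or system32 are not proof of a clean entry, only a lower priority.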


#2 bdf

bdf
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:54 PM

Posted 30 August 2008 - 09:26 AM

Hi all,

So I went ahead and tried to fix this and the problem seems to be gone. I tried quite a few things all at once (never a good idea when debugging something, but I was desperate), so I won't be able to provide the exact sequence or details, but here is the general outline.

I installed process explorer and process monitor, Microsoft tools, in order to see what program was calling explorer.exe so much. In process monitor I noticed that the registry key xrt_options was constantly being opened. In the process monitor log, just before the xrt_options key was accessed, McAfee was active. So I uninstalled McAfee Viruscan and that seemed to reduce the load by explorer.exe on the cpu (and of course no more bo:heap messages from McAfee). But process monitor still showed xrt_options being accessed. Reboots and cleans with Malwarebytes didn't fix this.

Somewhere around this time I also searched the registry for anything with xrt in the name and removed all these keys (there weren't many, 4 or so). I also deleted a registry key referring to kdid.exe (a file which didn't exist on the hard drive anyway as far as I could tell), which was located in the same registry places as the xrt entries. I don't think this was effective.

I also went and removed any resident programs that I didn't want, such as some microsoft search indexer. Some of these I could only stop from running by editing the registry where the last few branches of the tree were Windows/Current Version/Run. I don't think this necessarily fixed the problem either, but I've been wanting to stop some of these programs for a while anyways.

Finally, I tried Malwarebytes after booting in safe mode. I know I had done some scans in safe mode, but maybe not with Malwarebytes. Anyway, in safe mode Malwarebytes found 4 problems (in normal mode it always found just 2 problems). One of the 4 problems was a .exe file, not just a registry key, that never showed up either in the normal mode Malwarebytes scan, nor in straight search of the c: drive. After letting Malwarebytes fix these, the computer seemed to be ok.

Now the only problem is that I can't seem to reinstall McAfee, but that's not an uncommon problem in my experience with McAfee.

So thanks to this board in a general sense, since some of the above actions were taken as a result of suggestions made in other posts.
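The Process Monitor approach described in the post above, as an added example that is not part of the thread: Process Monitor (Sysinternals) can save its event list as a CSV file, and this code loads such an export, counts which process and operation touch a given registry path, and records which other process was active in the event immediately before each access, the same correlation bdf used to suspect McAfee. The CSV rows, PIDs and timestamps are constructed, and the EXAMPLE_VENDOR key path is a placeholder, since the thread never says where the xrt_options key lived.

```python
"""Summarise a Process Monitor CSV export around one registry path.

Added example, not code from the thread. The rows below are constructed,
with the default Process Monitor CSV column names; EXAMPLE_VENDOR is a
placeholder for a key path the thread does not give.
"""
import csv
import io
from collections import Counter

SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"5:13:01.0001 PM","Mcshield.exe","1234","ReadFile","C:\WINDOWS\Explorer.EXE","SUCCESS","Offset: 0, Length: 4,096"
"5:13:01.0020 PM","Explorer.EXE","1580","RegOpenKey","HKCU\Software\EXAMPLE_VENDOR\xrt_options","SUCCESS","Desired Access: Read"
"5:13:01.0031 PM","Explorer.EXE","1580","RegQueryValue","HKCU\Software\EXAMPLE_VENDOR\xrt_options\id","SUCCESS","Type: REG_SZ"
"5:13:01.0100 PM","svchost.exe","900","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: Read"
"5:13:01.0500 PM","Mcshield.exe","1234","ReadFile","C:\WINDOWS\Explorer.EXE","SUCCESS","Offset: 4,096, Length: 4,096"
"5:13:01.0520 PM","Explorer.EXE","1580","RegOpenKey","HKCU\Software\EXAMPLE_VENDOR\xrt_options","SUCCESS","Desired Access: Read"
'''


def load_events(csv_text: str) -> list:
    """Read a Process Monitor CSV export into a list of row dicts, in capture order."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def touching(events: list, needle: str) -> list:
    """(index, event) pairs whose Path contains the needle, case-insensitively."""
    n = needle.lower()
    return [(i, e) for i, e in enumerate(events) if n in e["Path"].lower()]


def ops_by_process(events: list, needle: str) -> Counter:
    """How often each (process, operation) pair touches the path."""
    return Counter((e["Process Name"], e["Operation"]) for _, e in touching(events, needle))


def preceding_processes(events: list, needle: str) -> Counter:
    """Which other process produced the event immediately before each access.

    This is the 'what was active just before the key was opened' question from
    the post; a consistent answer is a lead, not proof, since the preceding
    event may be a coincidence of timing rather than a cause.
    """
    c = Counter()
    for i, e in touching(events, needle):
        if i == 0:
            continue
        prev = events[i - 1]
        if prev["Process Name"] != e["Process Name"]:
            c[prev["Process Name"]] += 1
    return c


if __name__ == "__main__":
    evs = load_events(SAMPLE_CSV)
    for (proc, op), n in ops_by_process(evs, "xrt_options").most_common():
        print(f"{n:4d}  {proc:<14} {op}")
    print("preceded by:", dict(preceding_processes(evs, "xrt_options")))
```

To use it on a real capture, export from Process Monitor with File > Save as CSV and pass the file contents to load_events; filtering the capture to registry operations first keeps the file small.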

#3 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:54 AM

Posted 10 September 2008 - 08:41 AM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.

Please see here for instructions on how to install HijackThis and make a logfile. Save it in a convenient location and include it in your next reply, please.

Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back with HijackThis log and Kaspersky report.

Regards
Microsoft MVP Consumer Security

#4 bdf

bdf
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:54 PM

Posted 10 September 2008 - 09:59 AM

The original problem has been resolved. The issue with re-installing McAfee Viruscan was not malware related, but rather just a McAfee authentication problem.

Thanks again.

#5 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:54 AM

Posted 10 September 2008 - 10:02 AM

So you don't need help anymore?
Microsoft MVP Consumer Security

#6 bdf

bdf
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:54 PM

Posted 10 September 2008 - 07:11 PM

No, I don't think so. I was tempted to post a new hijack log so an expert could look it over to see if there are any other potential problems. But at the moment cpu usage is normal, virus scans are clean, and spyware/adware scans are finding the usual minor issues.

Thanks for volunteering!

#7 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:54 AM

Posted 11 September 2008 - 01:41 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security



