Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ieframe.dll keeps cycing and cycling


  • Please log in to reply
6 replies to this topic

#1 Jongira

Jongira

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:38 AM

Posted 22 June 2009 - 02:14 PM

Hi. Thanks in advance for any help or advice you can give on this one:

In task manager, I see that explorer keeps using 2% of resources all the time. So I open 'process monitor' and see that explorer keeps calling "ieframe.dll". A web search indicates that ieframe.dll is part of IE7. I do use IE7, and it seems to work properly. But after a reboot, without ever invoking IE7, windows explorer keeps running the "ieframe.dll".

There is a "buffer overflow" in the 'process monitor' listing (below). There are no errors in the system event viewer. Application programs seem to work correctly. This MIGHT have started just after Norton detected and quarantined a small swarm of threats, cleverly called "a.exe" "b.exe" "c.exe" etc. Norton says my system is clean.

Any thoughts on how to stop the continuous calling of ieframe.dll by explorer. [Yes, it's being called by explorer, not internet explorer].

Thanks, John

Process Monitor listing (just one chunk).
[codebox]2:40:24.2000674 PM Explorer.EXE 1516 CreateFile C:\WINDOWS\system32\ieframe.dll SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Random Access, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened
2:40:24.2003635 PM Explorer.EXE 1516 CreateFile C:\WINDOWS\system32\ieframe.dll SUCCESS Desired Access: Generic Read, Write Attributes, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Random Access, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:40:24.2005920 PM Explorer.EXE 1516 QueryBasicInformationFile C:\WINDOWS\system32\ieframe.dll SUCCESS CreationTime: 10/27/2006 4:09:58 PM, LastAccessTime: 6/22/2009 2:40:22 PM, LastWriteTime: 4/29/2009 12:55:57 AM, ChangeTime: 6/22/2009 1:53:34 PM, FileAttributes: A
2:40:24.2010328 PM Explorer.EXE 1516 SetBasicInformationFile C:\WINDOWS\system32\ieframe.dll SUCCESS CreationTime: -1, LastAccessTime: -1, LastWriteTime: -1, ChangeTime: -1, FileAttributes: n/a
2:40:24.2012535 PM Explorer.EXE 1516 QueryInformationVolume C:\WINDOWS\system32\ieframe.dll BUFFER OVERFLOW VolumeCreationTime: 8/12/2004 9:03:58 PM, VolumeSerialNumber: 706E-65A3, SupportsObjects: True, VolumeLabel: CanJ
2:40:24.2014583 PM Explorer.EXE 1516 QueryFileInternalInformationFile C:\WINDOWS\system32\ieframe.dll SUCCESS IndexNumber: 0x13000000037ac6
2:40:24.2032608 PM Explorer.EXE 1516 QueryStandardInformationFile C:\WINDOWS\system32\ieframe.dll SUCCESS AllocationSize: 6,066,176, EndOfFile: 6,066,176, NumberOfLinks: 1, DeletePending: False, Directory: False
2:40:24.2035242 PM Explorer.EXE 1516 CloseFile C:\WINDOWS\system32\ieframe.dll SUCCESS
2:40:24.2038324 PM Explorer.EXE 1516 CreateFile C:\WINDOWS\system32\ieframe.dll SUCCESS Desired Access: Read Attributes, Write Attributes, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
2:40:24.2041268 PM Explorer.EXE 1516 QueryBasicInformationFile C:\WINDOWS\system32\ieframe.dll SUCCESS CreationTime: 10/27/2006 4:09:58 PM, LastAccessTime: 6/22/2009 2:40:22 PM, LastWriteTime: 4/29/2009 12:55:57 AM, ChangeTime: 6/22/2009 1:53:34 PM, FileAttributes: A
2:40:24.2044065 PM Explorer.EXE 1516 CloseFile C:\WINDOWS\system32\ieframe.dll SUCCESS
2:40:24.2049079 PM Explorer.EXE 1516 ReadFile C:\WINDOWS\system32\ieframe.dll SUCCESS Offset: 0, Length: 64
2:40:24.2051292 PM Explorer.EXE 1516 ReadFile C:\WINDOWS\system32\ieframe.dll SUCCESS Offset: 240, Length: 4
2:40:24.2053412 PM Explorer.EXE 1516 ReadFile C:\WINDOWS\system32\ieframe.dll SUCCESS Offset: 244, Length: 20
2:40:24.2055488 PM Explorer.EXE 1516 ReadFile C:\WINDOWS\system32\ieframe.dll SUCCESS Offset: 488, Length: 40
2:40:24.2057633 PM Explorer.EXE 1516 ReadFile C:\WINDOWS\system32\ieframe.dll SUCCESS Offset: 528, Length: 40
2:40:24.2059692 PM Explorer.EXE 1516 ReadFile C:\WINDOWS\system32\ieframe.dll SUCCESS Offset: 568, Length: 40
2:40:24.2061782 PM Explorer.EXE 1516 ReadFile C:\WINDOWS\system32\ieframe.dll SUCCESS Offset: 2,513,920, Length: 16
2:40:24.2063855 PM Explorer.EXE 1516 ReadFile C:\WINDOWS\system32\ieframe.dll SUCCESS Offset: 2,513,936, Length: 8
2:40:24.2065942 PM Explorer.EXE 1516 ReadFile C:\WINDOWS\system32\ieframe.dll SUCCESS Offset: 2,548,444, Length: 2
2:40:24.2068051 PM Explorer.EXE 1516 ReadFile C:\WINDOWS\system32\ieframe.dll SUCCESS Offset: 2,513,944, Length: 8
2:40:24.2071361 PM Explorer.EXE 1516 ReadFile C:\WINDOWS\system32\ieframe.dll SUCCESS Offset: 2,550,010, Length: 2
2:40:24.2073476 PM Explorer.EXE 1516 ReadFile C:\WINDOWS\system32\ieframe.dll SUCCESS Offset: 2,513,952, Length: 8
2:40:24.2075560 PM Explorer.EXE 1516 ReadFile C:\WINDOWS\system32\ieframe.dll SUCCESS Offset: 2,548,016, Length: 2
2:40:24.2077608 PM Explorer.EXE 1516 ReadFile C:\WINDOWS\system32\ieframe.dll SUCCESS Offset: 2,548,018, Length: 14
2:40:24.2079759 PM Explorer.EXE 1516 ReadFile C:\WINDOWS\system32\ieframe.dll SUCCESS Offset: 2,514,104, Length: 16
2:40:24.2081818 PM Explorer.EXE 1516 ReadFile C:\WINDOWS\system32\ieframe.dll SUCCESS Offset: 2,514,120, Length: 8
2:40:24.2083944 PM Explorer.EXE 1516 ReadFile C:\WINDOWS\system32\ieframe.dll SUCCESS Offset: 2,519,976, Length: 16
2:40:24.2085989 PM Explorer.EXE 1516 ReadFile C:\WINDOWS\system32\ieframe.dll SUCCESS Offset: 2,519,992, Length: 8
2:40:24.2088056 PM Explorer.EXE 1516 ReadFile C:\WINDOWS\system32\ieframe.dll SUCCESS Offset: 2,536,832, Length: 16
2:40:24.2090137 PM Explorer.EXE 1516 QueryStandardInformationFile C:\WINDOWS\system32\ieframe.dll SUCCESS AllocationSize: 6,066,176, EndOfFile: 6,066,176, NumberOfLinks: 1, DeletePending: False, Directory: False
2:40:24.2092160 PM Explorer.EXE 1516 CreateFileMapping C:\WINDOWS\system32\ieframe.dll SUCCESS SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY
2:40:24.2092294 PM Explorer.EXE 1516 QueryStandardInformationFile C:\WINDOWS\system32\ieframe.dll SUCCESS AllocationSize: 6,066,176, EndOfFile: 6,066,176, NumberOfLinks: 1, DeletePending: False, Directory: False
2:40:24.2094375 PM Explorer.EXE 1516 CreateFileMapping C:\WINDOWS\system32\ieframe.dll SUCCESS SyncType: SyncTypeOther
[/codebox]

BC AdBot (Login to Remove)

 


#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:05:38 AM

Posted 22 June 2009 - 05:42 PM

You might try IEFix:
http://windowsxp.mvps.org/IEFIX.htm
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Jongira

Jongira
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:38 AM

Posted 22 June 2009 - 09:38 PM

Mark, thanks for the reply. I looked at the page you suggested, and it seems to be a fix for IE*. My IE7 currently works just fine. The problem is with 'windows explorer' repeatedly running this ieframe.dll. I didn't want to try the IEFix you suggested on an IE7 install which works well (let sleeping dogs lie).

Could you confirm that you think that running the IEfix would cure a problem windows explorer?

Thanks, John

#4 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:05:38 AM

Posted 23 June 2009 - 05:42 PM

ieframe.dll is for the Internet Explorer Browser UI Library

Could you confirm that you think that running the IEfix would cure a problem windows explorer?

That was my intent

Edited by garmanma, 23 June 2009 - 05:48 PM.

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#5 Jongira

Jongira
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:38 AM

Posted 24 June 2009 - 01:30 PM

Thanks, I'll give it a try when I get home tonight. Additional info. The other thing that keeps coming up in explorer (using process monitor) are continuous requests from lass.exe. It looks like lass.exe and ieframe.dll are playing ping-pong. I disabled all the 'automatic updaters' (including the almost impossible-to-get-rid-of google updater).

I'll see if the ieFIX addresses it tonight (looking at it, basically it reregisters all the IE .dll's).

Thanks for you help - J

#6 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:05:38 AM

Posted 24 June 2009 - 05:39 PM

please double check spelling
lsass.exe is legit

lass.exe is a trojan

Even if it's the first one there is still the possibility of an infection
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#7 Jongira

Jongira
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:38 AM

Posted 25 June 2009 - 03:19 PM

Hi Garmanma

The IEFix program doesn't support IE7 (I ran it, and got a box saying so, then it exited).

Yes it is lsass.exe. Here is a snippet of what ti's doing (continuously) as shown in Process Explorer.
[codebox]
01:43.0 lsass.exe 808 RegOpenKey HKLM\SECURITY\Policy SUCCESS
01:43.0 lsass.exe 808 RegOpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS
01:43.0 lsass.exe 808 RegQueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW
01:43.0 lsass.exe 808 RegCloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
01:43.0 lsass.exe 808 RegOpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS
01:43.0 lsass.exe 808 RegQueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS
Type: REG_NONE, Length: 180, Data: 01 00 04 80 98 00 00 00 A8 00 00 00 00 00 00 00

01:43.0 lsass.exe 808 RegCloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
01:43.0 lsass.exe 808 RegCloseKey HKLM\SECURITY\Policy SUCCESS
01:43.0 lsass.exe 808 RegOpenKey HKLM\SECURITY\Policy SUCCESS
01:43.0 lsass.exe 808 RegOpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS
01:43.0 lsass.exe 808 RegQueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW
01:43.0 lsass.exe 808 RegCloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
01:43.0 lsass.exe 808 RegOpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS
01:43.0 lsass.exe 808 RegQueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS
Type: REG_NONE, Length: 180, Data: 01 00 04 80 98 00 00 00 A8 00 00 00 00 00 00 00

01:43.0 lsass.exe 808 RegCloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
01:43.0 lsass.exe 808 RegCloseKey HKLM\SECURITY\Policy SUCCESS
01:43.0 lsass.exe 808 RegOpenKey HKLM\SECURITY\Policy SUCCESS
01:43.0 lsass.exe 808 RegOpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS
01:43.0 lsass.exe 808 RegQueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW
01:43.0 lsass.exe 808 RegCloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
01:43.0 lsass.exe 808 RegOpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS
01:43.0 lsass.exe 808 RegQueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS
01:43.0 lsass.exe 808 RegCloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
01:43.0 lsass.exe 808 RegCloseKey HKLM\SECURITY\Policy SUCCESS
01:43.0 lsass.exe 808 RegOpenKey HKLM\SECURITY\Policy SUCCESS
[/codebox]

There are also fairly continuous bursts from svchost...
[codebox]
4:01:43.4044224 PM svchost.exe 1060 RegCloseKey HKCR\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
SUCCESS
4:01:43.4044403 PM svchost.exe 1060 RegOpenKey HKCR\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
SUCCESS Desired Access: Read
4:01:43.4044649 PM svchost.exe 1060 RegOpenKey HKCR\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}\InprocServer32
SUCCESS Desired Access: Maximum Allowed
4:01:43.4044925 PM svchost.exe 1060 RegQueryValue HKCR\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}\InProcServer32\InprocServer32
NAME NOT FOUND Length: 144
[/codebox]

... always to that same key

And, of course calls to ieframe.

I don't know enough beyond process explorer to know what is TRIGGERING the events, only that they occur.

Any suggestions? Thanks, John




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users