Minimize or close (exit) window, window stays on screen

After about 10 minutes of being booted up, my computer acts very strange:

If I have a window open - any window (i.e., any application), and I click on the X (upper-right-hand corner) to exit the application, the application ends, but the display does not go away. In other words, the application has in fact ended, but the window stays on the screen.

Similarly, if I merely minimize the application, the display stays on the screen, even though in fact the application has been minimized.

I am running Windows XP Pro SP3

I've run everything, including combofix

Hello hepplewhite212,

Could you please give me just a tad more info please? When did this start? And, do you happen to use Firefox? I see you ran ComboFix, but it looks like this started before you did so I'd like to rule that out for sure as well.

Thanks,
tea

Thank you very much for answering! I was starting to fear no one would have a comment.
A "google-ing" of the problem reveals that a lot of people have this problem.

THE PROBLEM IS A LITTLE DIFFERENT NOW, in that I did a lot of work since I described the problem.

( I uninstalled IE 8, then I backed out of XP SP3, this then allowed me to uninstall IE7, and I ended up with IE6, running XP SP2
I then worked my way back forward:
I installed XP SP3
I then SKIPPED IE7,
and installed IE8 right away, on top of IE 6, bypassing ( skipping ) IE7

So , I am left with a system: running XP SP3, with IE 8.

AND,WHERE I AM AT IS, THE PROBLEM MANIFESTS AS FOLLOWS:
=========================================

I start an Internet Explorer v. 8, ... the browser window opens, and TWO iexplore.exe processes run in taskmgr
I then "x" out of the browser window ... one of the iexplore.exe processes go away, but ONE of them remains in taskmgr, as a "phantom" process.

OKAY, NOW THAT I'VE DESCRIBED THE CURRENT MANIFESTATION, LET ME GIVE YOU DETAILS:
===============================================================

I cannot tell you when it *started*. I *can* tell you that I noticed it about a week ago.

I am the IT tech support person for a team of 10 people or so. SO, this is not my computer. I was given this PC to work on, because it was "very slow" (which it was).

But as I tore away at it, I took care of most of the problems, with the one problem remaining being:


When I start Internet Explorer ( version 8 ), TWO iexplore.exe processes start running. I know that this is NORMAL.
But when I "x" out of the browser, ONE of the iexplore.exe processes keeps on running, does not go away.
So, you are in the situation where;
there is no browser window; but there is ONE iexplore.exe process running.

Then, I bring up Internet Explorer again, while it is running there are now THREE iexplore.exe processes running.
I "x" out of the browser, and one of the iexplore.exe processes go away, but now there are TWO iexplore.exe processes running, though no browser window.

Bring up Internet Explorer again, ... there will now be FOUR iexplore.exe processes running
( the TWO PHANTOM ones, and the TWO that are "NORMAL" for the browser window that is actually running.

But "x" out of that broser, and, again, I ended up with THREE phantom iexplore.exe processes running,

and so on, and so on.

In other words, every time I start an Internet Explore, and then "x" out of it, I end up with a phantom iexplore.exe process after I close the browser window.

ON THIS MACHINE, the fellow did not have Firefox, only Internet Explorer.

( I happen to prefer Firefox, and, as a WORK-AROUND, I installed Firefox on my colleague's PC, and told him to use Firefox, avoid Internet Explorer.

But that is no answer, really. I'd like to figure out why these phantom iexplore.ext processes hang around, because:

(a) he might prefer IE over Firefox
( he might accidentally start IE rather than Firefox
© as you know, some Microsoft sites, e.g., Windows Update, is not friendly to Firefox at all, wants IE
(d) IT IS POSSIBLE, is it not, that these "phantom" iexplore.exe processes are doing some malware / spyware / whatever work
(e) and even if it is perfectly innocent, not a malware situation,
each of these phantom iexplore.exe processes eat up memory, the more you create, the more memory they use,
SO , OF COURSE, I suspect that at least PART of the "very slow" performance problem had to do with these phantom iexplore.exe processes runnin gin the backgroun.

AGAIN, THANKS VERY MUCH FOR RESPONDING.

I DO HOPE YOU CAN HELP.

Hello,

Thank you very much for the info! Do you still have the ComboFix report? I would like to see it if it deleted anything, and have a look at a couple of the other sections it produces, please.

I am attaching a few combofix logs:
(1) log--2010-06-22-1123.txt
log of very first combofix
as you can see, it deleted a couple of files, and also reported userinit.exe as infected
(2) log--2010-06-22-1150.txt
log of a second combofix, just a half hour later
this one found that ntfs.sys was infected and pulled a reference one from an odd (to me) place
(3) log--2010-06-24-1957.txt
log of next-to-last combofix that I ran, after uninstalling and reinstalling XP SP3 and installing IE8 on top of XP SP3
it does not seem to have deleted any files, but it required a reboot, do not know why
(4) log--2010-06-24-2021.txt
log of very last combofix I ran, half an hour later, did not require reboot

And I am attaching two more files:
(5) ComboFix5.txt
I found this in the C:\Qoobox folder,
it looks like some amalgamation of multiple combofix run logs ,
I thought you might want to see it
It is 170 kb large.
(6) ComboFix-quarantined-files.txt
I found this in C:\Qooboox folder as well.
You will find there references to userinit.exe and ntfs.sys among others.

HHmmm....While there was the presence of malware, I don't think that is the issue now. I did see some references to Firefox. Please open the owner's task manager and see if there is a process running called plugin-container.exe

this one found that ntfs.sys was infected and pulled a reference one from an odd (to me) place

Perfectly fine.

I do understand that the IE processes are the problem now. I'm looking at the overall picture as well, so please don't think I'm ignoring the main problem as you've described it. I'm wondering if there is a program on board that is phoning home, or trying to?

(1) I am thinking the same thing about some processes trying to phone home.


This particular user had all kinds of programs that I ended up either removing ( e.g., AOL ) or not starting on StartUp ( Windows Live Messenger ).
He also has a Service called "Pal Talk" , which I did not remove ( because I don't see anywhere to remove it ), but I removed it from the set of Services that start up on start up.

So I do think it is very possible that some program or service in his machine is leveraging IE Explorer after it starts and taking over ( continuing to use ) iexplore.exe even after the browser window is closed.


(2) No, there is no process called plugin_container.exe, but there is one called Communications_Helper.exe running in the task manager -- but I think I looked into that and it is an okay process to be running.

(3) I understand your approach and why you are approaching it that way. But I am curious why you are interested in Firefox's behavior / presence when it is IE-8 that is acting weird.

Hehehe.....fair enough question. When I first was made aware of this thread your description reminded me of how my own system is behaving, minus the IE process problem. Firefox just did an update that is wreaking havoc everywhere. It's so bad that people are threatening to quit Firefox all together.

Yes, Communications_Helper.exe is Logitech.

Do a Windows search for PalTalk. If the owner isn't attached to it, it needs to go. It's junk. I also see Real Player recently installed? It does have an updater that can be annoying.

I see a very old version of Norton installed. It needs to go. The Norton uninstall tool uninstalls ALL Norton 2004-2010 products from your computer. It also uninstalls Norton Ghost 10.0/9.0/2003. http://service1.symantec.com/SUPPORT/tsgen...005033108162039

You say you've run everything....does that include Malwarebytes?

tea

Sorry to butt in here, but I did a google search on the following: a4d2dee2-098d-4aae-ad14-b189ab17fad3, and the below search results came back.

Search for a4d2dee2-098d-4aae-ad14-b189ab17fad3 results in Zamalek Toolbar

I dont know how relevant it is to the issue, but a tool bar can cause issues with IE and other browsers.

The following: a4d2dee2-098d-4aae-ad14-b189ab17fad3 was contained in the quarantined log file.

was contained in the quarantined log file.

Yes, which means it no longer has any bearing on any behavior issues at this point.

Hi, sorry for delay in responding.

Yes, I ran malwarebytes.

I think I already ran the norton removal tool ... I'll double-check.

I really did a pretty thorough cleansing.

I am left with the situation where, you bring up IE8, it brings up 2 iexplore.exe processes ; you exit IE8, it leaves one iexplore.exe process running. So now 1 mysterious iexplore.exe process is running
Next, you bring up IE8 again. That creates 2 iexplore.exe processes ( for a total of 3: the 2 new ones ; plus the 1 mysterious one ).
Then, you exit IE8 -- one of the 2 new exes exit, but the other one remains. So now there are 2 mysterious iexplore.exe processes running.
Do this again: Start, then stop, IE8 -- you end up with 3 mysterious iexplore.exe processes running.

My "money" is on there is some process or some service or something that is latching onto each of these "mysterious" iexplore.exe processes and therefore refusing to let them exit.

Are there tools / utilities that can help analyze what each of these phantom iexplore.exe processes are actually *doing* ? Maybe something in the Sysinternals toolkit that can help us figure out what is connected / connecting to them / what is keeping them from exiting.

Again, it is perfectly normal behavior, when you start IE8 , for 2 iexplore.exe processes to be running in the task manager. But when you close / exit IE8, BOTH of these 2 iexplore.exe processes are supposed to exit. That is the normal behavior.