Posted 16 August 2010 - 10:42 AM
First-time poster - can usually resolve my issues by using something cool like MBAM, Spybot, HJT, Process Explorer or CurrPorts - but have become stumped by my latest. Any advice and guidance would be really appreciated.
After reboot, the computer works as you'd expect for a while before you can no longer access the Internet. There is another program I use to tunnel into work and that gave me an inkling - it said something about the TCP/IP running out of memory so I started digging around.
Running Process Explorer, I noticed that c:\windows\explorer.exe was running at about 25% CPU every 3 seconds or so - then it would go quiet - before jumping back up to 25% for a moment. If I killed explorer.exe then I could use my browser to access the Internet again.
Right-clicking on explorer.exe in Process Explorer and looking at the performance graph showed me that the process was indeed regularly jumping up to 25% CPU (never any more) and then settling down again. I had a look at the TCP/IP page and I saw there were about 12 rows there - most were 217.205.97.[62 to 71]:microsoft-ds with SYN_SENT, but one kept reappearing, which was valueshells.inc.gs.
I saw other stuff as well, but this one kept appearing - the remote address is 18.104.22.168.
I had a look at the stack when the port was opened and saw the following (I don't know enough to decide if anything is suspicious here):
I used CurrPorts and, sure enough, explorer.exe was connecting here - but also to mail.sovereign-stainless.co.uk - which is starting to sound like advertising.
I tried to disable explorer.exe's access to the Internet in my firewall - but that seemed to have no effect.
I can kill explorer.exe and gain access to the Internet again... as soon as I start it back up, within moments, I get "the page could not be displayed" in the browser and my other program starts moaning about TCP/IP having used up all its memory - although there is plenty of memory free on the system itself.
Does anyone know how I might properly track back what is causing explorer.exe to want to continually hook up to these remote addresses?
P.S. - I did run an sfc /scannow and nothing was announced as being replaced... so I think the explorer.exe itself is fine.
Any advice gratefully received.
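One way to answer the "how do I track back what explorer.exe is connecting to" question with something repeatable, as an added example that is not part of the original post: capture `netstat -ano` (which lists the owning PID for every socket) and `tasklist /fo csv` on the affected machine, then look for a single PID holding many half-open (SYN_SENT) connections to TCP/445 across consecutive addresses, which is the pattern in the Process Explorer screenshot described above. The sample netstat text and PID-to-image map below are constructed for the example (PID 1532 stands in for explorer.exe; the local IP and the other PIDs are made up), and the thresholds are assumptions you would tune to your own machine.

```python
"""Find a process sweeping TCP/445 (microsoft-ds) from a `netstat -ano` capture.

Added example for the thread above, not the poster's own data or tooling.
Assumes IPv4 `netstat -ano` output (numeric addresses, PID in the last column).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# Constructed sample of `netstat -ano` output (NOT captured from the poster's
# machine). PID 1532 plays the role of explorer.exe, 2044 an ordinary browser.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49201     217.205.97.62:445      SYN_SENT        1532
  TCP    192.168.1.20:49202     217.205.97.63:445      SYN_SENT        1532
  TCP    192.168.1.20:49203     217.205.97.64:445      SYN_SENT        1532
  TCP    192.168.1.20:49204     217.205.97.65:445      SYN_SENT        1532
  TCP    192.168.1.20:49205     217.205.97.66:445      SYN_SENT        1532
  TCP    192.168.1.20:49206     217.205.97.67:445      SYN_SENT        1532
  TCP    192.168.1.20:49207     18.104.22.168:80       ESTABLISHED     1532
  TCP    192.168.1.20:49208     93.184.216.34:443      ESTABLISHED     2044
  TCP    192.168.1.20:49209     93.184.216.34:443      TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    1100
"""

# Constructed PID-to-image map, as you would build from `tasklist /fo csv`.
SAMPLE_PIDS = {1532: "explorer.exe", 2044: "firefox.exe", 1100: "svchost.exe"}


@dataclass(frozen=True)
class Conn:
    proto: str
    local: str
    remote_ip: str
    remote_port: Optional[int]   # None for the "*:*" UDP rows
    state: str                   # "" for UDP rows, which carry no state
    pid: int


# Proto, local, foreign, optional state, PID. Header/blank lines do not match.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def parse_netstat(text: str) -> List[Conn]:
    """Parse the TCP/UDP rows of `netstat -ano` into Conn records."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # rpartition keeps bracketed IPv6 literals intact if they appear.
        host, _, port = m.group("remote").rpartition(":")
        conns.append(Conn(
            proto=m.group("proto"),
            local=m.group("local"),
            remote_ip=host,
            remote_port=int(port) if port.isdigit() else None,
            state=m.group("state") or "",
            pid=int(m.group("pid")),
        ))
    return conns


def syn_fanout(conns: List[Conn], port: int = 445, state: str = "SYN_SENT") -> Dict[int, List[str]]:
    """Per PID, the distinct remote hosts it has half-open connections to on `port`."""
    by_pid = defaultdict(set)
    for c in conns:
        if c.proto == "TCP" and c.remote_port == port and c.state == state:
            by_pid[c.pid].add(c.remote_ip)
    return {pid: sorted(hosts, key=ip_address) for pid, hosts in by_pid.items()}


def is_sequential_sweep(hosts: List[str], min_hosts: int = 5) -> bool:
    """True when at least `min_hosts` targets sit in one /24 and are (nearly)
    consecutive: an address sweep, not a client talking to a few fixed
    file servers. The 2x slack and min_hosts are assumed thresholds."""
    if len(hosts) < min_hosts:
        return False
    addrs = sorted(ip_address(h) for h in hosts)
    same_24 = len({int(a) >> 8 for a in addrs}) == 1
    span = int(addrs[-1]) - int(addrs[0]) + 1
    return same_24 and span <= 2 * len(addrs)


def find_smb_sweepers(netstat_text: str, pid_names: Dict[int, str],
                      min_hosts: int = 5) -> Dict[int, Tuple[str, List[str]]]:
    """Return {pid: (image name, swept hosts)} for processes sweeping TCP/445."""
    out = {}
    for pid, hosts in syn_fanout(parse_netstat(netstat_text)).items():
        if is_sequential_sweep(hosts, min_hosts):
            out[pid] = (pid_names.get(pid, "<unknown>"), hosts)
    return out


def remote_endpoints(netstat_text: str, pid: int) -> List[Tuple[str, Optional[int], str]]:
    """Everything one PID is currently talking to, as (remote ip, port, state)."""
    return sorted({(c.remote_ip, c.remote_port, c.state)
                   for c in parse_netstat(netstat_text) if c.pid == pid})


if __name__ == "__main__":
    for pid, (name, hosts) in find_smb_sweepers(SAMPLE_NETSTAT, SAMPLE_PIDS).items():
        print(f"PID {pid} ({name}): half-open SMB connections to {len(hosts)} hosts, "
              f"{hosts[0]} .. {hosts[-1]}")
        for ep in remote_endpoints(SAMPLE_NETSTAT, pid):
            print("   ", ep)
```

On a real machine, dump `netstat -ano > netstat.txt` while the symptom is happening and feed that text in. Because the PID column ties each socket to the owning process, a sweep attributed to the explorer.exe PID means the code creating those sockets is running inside that process, whatever file sfc reports about explorer.exe itself; the DLL view in Process Explorer (Ctrl+D) for that PID is the natural next place to look.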