Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Task manager shows two explorer.exe processes


  • This topic is locked This topic is locked
5 replies to this topic

#1 JackOLantern

JackOLantern

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 15 January 2011 - 06:40 PM

I run XP SP3 32-bit version 2002

- My task manager shows two explorer.exe tasks;

- One shows a fairly-constant memory usage of 42,000 KB, using CPUs 01 and 02;

- The other one fluctuates up and down between 80,000 KB and 190,000 KB, using a multiplicity of CPUs from low (02) to mid (49, 52) double-digits;

- Is this normal? If not, what can be done to solve this?

- If it's of any help, I ran HijackThis scan and I have a .log file available with the results, which I I'll go ahead and copy & paste below. I don't dare erase anything without guidance.

Thank you!



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:40:42 pm, on 2011-Jan-15
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17093)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\BitDefender\BitDefender 2011\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Bonjour\mDNSResponder.exe
C:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
C:\Archivos de programa\Common Files\Motive\McciCMService.exe
C:\ARCHIV~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Archivos de programa\Windows Desktop Search\WindowsSearch.exe
C:\Archivos de programa\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\BitDefender\BitDefender 2011\updatesrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Documents and Settings\Juan M\Datos de programa\air\mute\1.0.0.0\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Juan M\Mis documentos\A.A - Juan's files & programs\Downloaded software\MailWasher Pro\MailWasher.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Archivos de programa\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Archivos de programa\Microsoft Office\Office12\GrooveShellExtensions.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4F90-B10D-FC6124A40F8C} - C:\Archivos de programa\BitDefender\BitDefender 2011\IEToolbar.dll
O4 - HKLM\..\Run: [mute] C:\Documents and Settings\Juan M\Datos de programa\air\mute\1.0.0.0\updater.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\ARCHIV~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [RegistryBooster] "C:\Archivos de programa\Uniblue\RegistryBooster\launcher.exe" -w
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Archivos de programa\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Archivos de programa\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O4 - Global Startup: Windows Search.lnk = C:\Archivos de programa\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm265YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A8E4827-8E1B-4A06-9397-BE4ECBBA8376}: NameServer = 85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{967C6E6E-F138-4009-98FD-B33935C29E39}: NameServer = 93.188.164.129,93.188.160.209
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.129,93.188.160.209
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.129,93.188.160.209
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Archivos de programa\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Archivos de programa\Bonjour\mDNSResponder.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Archivos de programa\Common Files\Motive\McciCMService.exe
O23 - Service: Escritorio remoto compartido de NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\ARCHIV~1\MYWEBS~1\bar\1.bin\mwssvc.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: BitDefender Update Server v2 (Update Server) - BitDefender - C:\Archivos de programa\Archivos comunes\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe
O23 - Service: BitDefender Desktop Update Service (Updatesrv) - BitDefender S.R.L. - C:\Archivos de programa\BitDefender\BitDefender 2011\updatesrv.exe
O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Archivos de programa\BitDefender\BitDefender 2011\vsserv.exe
O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 9301 bytes

BC AdBot (Login to Remove)

 


#2 Allan

Allan

  • BC Advisor
  • 8,552 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:07:18 PM

Posted 15 January 2011 - 06:46 PM

Are there always two instances of explorer.exe or only when you open a folder in Windows Explorer?

Edited by Allan, 15 January 2011 - 06:46 PM.


#3 JackOLantern

JackOLantern
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 15 January 2011 - 07:13 PM

Allan: There are always two explorer.exe processes running, even right after computer start up, while using Firefox, etc.

#4 skoop

skoop

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 15 January 2011 - 07:53 PM

I as well have two running. Well not really because one says iexplore.exe which is running when I'm conected to the internet. the other is explorer.exe which runs from c:\windows folder. This instance is in use to allow task manager desktop icons etc. to load. Shut down the internet and check in the task manager to see whats now running.

#5 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,250 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:04:18 PM

Posted 15 January 2011 - 08:17 PM

Explorer.exe provides many services and features to the user. It is explorer.exe, for example, that displays your desktop and Start button. It also is responsible for showing the contents of folders when you open "My Computer." As such, it is not at all uncommon to have more than one instance of explorer.exe running at any given time.

However, your log does indicate the presence of (at least) the MyWebSearch spyware. You should follow this guide to create DDS and GMER logs and post them in the Malware Logs forum.

To avoid confusion with your anticipated Malware Logs forum topic, I am locking this topic. Please PM me or another staff member if you need it reopened.

Edited by Andrew, 15 January 2011 - 08:18 PM.


#6 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,806 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:18 PM

Posted 15 January 2011 - 08:52 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic373624.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users