#1
When I first boot up and bring up IE6 it takes a long time, and uses 100% CPU for a minute or two. Also, it often appears in my task manager even after it is closed and seems to be a resource hog (other programs lock up as a result). Finally, every now and again my mouse seems to drag for a moment on its own. These seem to be telltale signs of spyware, backdoor etc. I have had problems before with this.
I have Norton Antivirus and Norton Internet Security both running. Also, I have Ad-Aware and Spybot both up to date and have scanned in the last 24 hours. I downloaded HijackThis and to my untrained eye nothing in the log file looks suspect. The five hosts in O1 (128.*.*.*) are all work related (I work remotely). Any ideas?

Logfile of HijackThis v1.96.4
Scan saved at 7:27:51 AM, on 9/5/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\srvany.exe
C:\winnt\system32\Shared\dllhost.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\srvany.exe
C:\WINNT\System32\wm.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\jerromy\Start Menu\Programs\Startup\vptray.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\totalcmd\TOTALCMD.EXE
C:\Documents and Settings\jerromy\My Documents\Programs\Virus-Spyware Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redi...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O1 - Hosts: 128.3.0.100 compsvr_tree
O1 - Hosts: 128.1.0.100 compsvr_s
O1 - Hosts: 128.3.0.100 compsvr_x
O1 - Hosts: 128.1.1.230 intrepid
O1 - Hosts: 128.1.1.200 hemi
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - Startup: vptray.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/active...media/Swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7832.5952199074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab

Any ideas?
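An added worked example, not part of the thread and not anything HijackThis computes itself: a small Python triage script for a log in the HijackThis 1.96 format posted above. The excerpt it parses is a constructed subset of the entries from this post. The checks are a reviewer's own starting points, not verdicts: hosts-file overrides (O1) are listed so they can be confirmed against what the poster expects, Run entries (O4) whose executable is given without a directory are flagged because Windows has to locate them through its search order rather than a fixed path, and downloaded ActiveX controls (O16) are flagged when they carry no friendly name or point at an .exe rather than a .cab. On this machine point32.exe and NWTRAY.EXE both resolve to files that appear in the running-process list, so a flag only means "resolve this to a file on disk and check it".

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed excerpt in HijackThis 1.96 log format. The section codes and
# entry layout follow the log posted above; the entries are a subset of it.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O1 - Hosts: 128.3.0.100 compsvr_tree
O1 - Hosts: 128.1.1.230 intrepid
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: vptray.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")            # "O4 - <body>"
O4_RE = re.compile(r"^(.+?): (?:\[(.*?)\] )?(.*)$")       # "<location>: [<name>] <command>"
O16_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)$")
O1_RE = re.compile(r"^Hosts: (\S+) (\S+)$")


def parse_hjt(text):
    """Return (section_code, body) pairs for every 'Xn - ...' entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def executable_of(command):
    """First token of a Run command: the quoted path if quoted, else the first word."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0] if command else ""


def is_unqualified(path):
    """True when the executable is named without any directory component."""
    return "\\" not in path and "/" not in path


def triage(text):
    """Group the entries a reviewer checks first (reviewer heuristics, not HJT's):
    O1 hosts overrides, O4 Run entries with unqualified executables, and O16
    DPF controls without a friendly name or pointing at an .exe."""
    findings = defaultdict(list)
    sections = Counter()
    for code, body in parse_hjt(text):
        sections[code] += 1
        if code == "O1":
            ip, name = O1_RE.match(body).groups()
            findings["hosts_overrides"].append((name, ip))
        elif code == "O4":
            _location, name, command = O4_RE.match(body).groups()
            exe = executable_of(command)
            if is_unqualified(exe):
                findings["o4_unqualified"].append((name or exe, exe))
        elif code == "O16":
            clsid, description, url = O16_RE.match(body).groups()
            host = urlparse(url).netloc
            if not description:
                findings["o16_unnamed"].append((clsid, host))
            if url.lower().endswith(".exe"):
                findings["o16_exe"].append((clsid, host))
    findings["sections"] = dict(sections)
    return dict(findings)


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run it on a saved log by reading the file into `triage()`; the `sections` count is a quick sanity check that every line the scanner wrote was recognised.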
#2
Uninstall both NAV and NIS. Then everything should be fine again...
hth, M.
__________________
-- Manuel Hirsch - Linux, FreeBSD, programming, administration articles, tutorials and more.
#3
Should I uninstall them permanently? I've been hit with security issues (viruses, worms, trojans) before they were running because of my DSL connection, which is on whenever my computer is on and needed while I'm working. I was new to being networked in remotely via the internet (VPN) and when I ran an initial virus scan months ago (before using the NIS firewall) the list was long and disturbing.
#4
Be careful with programs like NIS. The default installation usually shows 99% false alerts. I guess that's because they can only sell you their software if it also does "something". No one would want it if it was only sitting there quietly...
What you can safely ignore:
- portscans
- viruses in .html or .js files (or any file in your IE cache)
- attempts to connect to ports with no service running
- attacks from worms, trojans, ... from outside your machine
- "prevented hack attempts"
... and some others
What you should not ignore:
- viruses or trojans outside the cache folder
- suspicious services
- using outdated software
- attacks from worms, trojans, ... from inside your machine
...
But the problem with virus scanners and "internet security software" is that they change things deeply in the Windows system. And if they made a single little mistake, it can take down your whole machine. And they are not releasing updates / fixes for their "engines" every other day because of new features.... I am disabling all virus scanners unless I want to scan my PC for virii. And I have an external firewall. You should never connect a Windows box to the internet without any firewall though...
hth, M.
#5
I wouldn't leave NAV or a firewall off my full-time connected computer for any length of time.
You might try deleting your temporary internet files. Your problems are not the norm for IE6. Also make sure your Windows updates are up to date.
#6
Thanks for the input. I'm up to date on all Windows patches etc. I have NIS set so that it only alerts me when being "attacked", but even these generally seem harmless (though it's hard for me to tell). I'm starting to realize that I am going to need an external hardware firewall of some sort rather than just software. The NIS also seems to hurt the bandwidth of my DSL connection. Just to check that I'm getting this right... the problem isn't with IE6 but more a conflict with the Norton programs running at the same time?
#7
One thing to add... this is the logfile from using TCPView. Hard to tell if there is anything suspicious in there. Sorry if the tabs/spacing etc. look bad.

System:8 TCP JCARLSON:microsoft-ds JCARLSON:0 LISTENING
System:8 TCP JCARLSON:1029 JCARLSON:0 LISTENING
System:8 TCP wbar1.sjo1-4-4-023-137.sjo1.dsl-verizon.net:netbios-ssn JCARLSON:0 LISTENING
System:8 TCP wbar1.sjo1-4-4-023-137.sjo1.dsl-verizon.net:427 JCARLSON:0 LISTENING
System:8 TCP wbar1.sjo1-4-4-023-137.sjo1.dsl-verizon.net:3746 24.137.12.200:http TIME_WAIT
System:8 TCP wbar1.sjo1-4-4-023-137.sjo1.dsl-verizon.net:3767 24.137.12.200:http TIME_WAIT
System:8 TCP wbar1.sjo1-4-4-023-137.sjo1.dsl-verizon.net:3770 24.137.12.200:http TIME_WAIT
System:8 TCP wbar1.sjo1-4-4-023-137.sjo1.dsl-verizon.net:3786 24.137.12.200:http TIME_WAIT
System:8 TCP wbar1.sjo1-4-4-023-137.sjo1.dsl-verizon.net:3787 24.137.12.200:http TIME_WAIT
System:8 TCP wbar1.sjo1-4-4-023-137.sjo1.dsl-verizon.net:3794 24.137.12.200:http TIME_WAIT
System:8 TCP JCARLSON:3700 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3704 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3706 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3707 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3711 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3719 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3722 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3724 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3725 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3726 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3730 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3731 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3734 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3736 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3737 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3740 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3741 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3744 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3745 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3748 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3749 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3752 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3753 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3758 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3760 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3762 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3763 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3764 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3768 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3769 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3772 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3773 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3777 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3780 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3781 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3784 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3785 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3788 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3789 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3792 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3793 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3796 localhost:1025 TIME_WAIT
System:8 UDP JCARLSON:microsoft-ds *:*
System:8 UDP wbar1.sjo1-4-4-023-137.sjo1.dsl-verizon.net:netbios-ns *:*
System:8 UDP wbar1.sjo1-4-4-023-137.sjo1.dsl-verizon.net:netbios-dgm *:*
System:8 UDP wbar1.sjo1-4-4-023-137.sjo1.dsl-verizon.net:427 *:*
System:8 UDP wbar1.sjo1-4-4-023-137.sjo1.dsl-verizon.net:1027 *:*
System:8 TCP JCARLSON:3808 JCARLSON:0 LISTENING
System:8 TCP JCARLSON:3809 JCARLSON:0 LISTENING
System:8 TCP wbar1.sjo1-4-4-023-137.sjo1.dsl-verizon.net:3808 compsvr_s:524 SYN_SENT
System:8 TCP wbar1.sjo1-4-4-023-137.sjo1.dsl-verizon.net:3809 compsvr_s:524 SYN_SENT
System:8 TCP JCARLSON:3810 JCARLSON:0 LISTENING
System:8 TCP wbar1.sjo1-4-4-023-137.sjo1.dsl-verizon.net:3810 compsvr_s:524 SYN_SENT
SVCHOST.EXE:456 UDP JCARLSON:3001 *:*
SVCHOST.EXE:420 TCP JCARLSON:epmap JCARLSON:0 LISTENING
SVCHOST.EXE:1108 TCP JCARLSON:3068 JCARLSON:0 LISTENING
SVCHOST.EXE:1108 TCP JCARLSON:3072 JCARLSON:0 LISTENING
SVCHOST.EXE:1108 TCP JCARLSON:3091 JCARLSON:0 LISTENING
SVCHOST.EXE:1108 TCP wbar1.sjo1-4-4-023-137.sjo1.dsl-verizon.net:3091 80.15.249.177:https CLOSE_WAIT
SVCHOST.EXE:1108 TCP JCARLSON:3068 localhost:1025 CLOSE_WAIT
SVCHOST.EXE:1108 TCP JCARLSON:3072 localhost:1025 CLOSE_WAIT
rtvscan.exe:904 UDP JCARLSON:2967 *:*
rtvscan.exe:904 UDP JCARLSON:3002 *:*
mstask.exe:964 TCP JCARLSON:1026 JCARLSON:0 LISTENING
LSASS.EXE:260 UDP wbar1.sjo1-4-4-023-137.sjo1.dsl-verizon.net:isakmp *:*
LSASS.EXE:260 UDP wbar1.sjo1-4-4-023-137.sjo1.dsl-verizon.net:4500 *:*
dllhost.exe:748 TCP JCARLSON:4117 JCARLSON:0 LISTENING
dllhost.exe:748 TCP JCARLSON:43958 JCARLSON:0 LISTENING
CCPXYSVC.EXE:680 TCP JCARLSON:1025 JCARLSON:0 LISTENING
CCPXYSVC.EXE:680 TCP JCARLSON:1025 localhost:3698 TIME_WAIT
CCPXYSVC.EXE:680 TCP JCARLSON:1025 localhost:3701 TIME_WAIT
CCPXYSVC.EXE:680 TCP JCARLSON:1025 localhost:3718 TIME_WAIT
CCPXYSVC.EXE:680 TCP JCARLSON:1025 localhost:3756 TIME_WAIT
CCPXYSVC.EXE:680 TCP JCARLSON:1025 localhost:3776 TIME_WAIT
CCAPP.EXE:1448 TCP JCARLSON:3013 JCARLSON:0 LISTENING
CCAPP.EXE:1448 TCP JCARLSON:3014 JCARLSON:0 LISTENING
CCAPP.EXE:1448 TCP JCARLSON:3014 localhost:3693 TIME_WAIT
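An added worked example, not part of the thread: a Python triage of TCPView output in the column layout posted above (process:pid, protocol, local endpoint, remote endpoint, state; UDP rows carry no state). The rows it parses are a constructed subset of the post's output, using the DSL-side hostname exactly as it appears there; PID 8 is the System process on Windows 2000. The three questions it answers are the ones a defender asks of a listing like this: which sockets on the DSL-facing interface accept input from outside (here the NetBIOS and SLP ports under System, and IKE under LSASS), how much of the browser's traffic is being funnelled through a listener on localhost (port 1025 belongs to CCPXYSVC.EXE, which the HijackThis log above places in the Norton Internet Security directory, so the many TIME_WAIT sockets to localhost:1025 are the Norton proxy in the loop), and which processes are sitting on half-open or half-closed connections (SYN_SENT to compsvr_s:524, CLOSE_WAIT under svchost). The grouping functions are the reviewer's own; TCPView only lists sockets.

```python
import re
from collections import Counter
from typing import List, NamedTuple

# DSL-side interface name as shown in the post above.
EXTERNAL_IF = "wbar1.sjo1-4-4-023-137.sjo1.dsl-verizon.net"

# Constructed excerpt of the posted TCPView rows (a subset, same layout).
# In the post the rows ran together on one line, so the parser below splits
# on the process:pid token rather than relying on line breaks.
SAMPLE_TCPVIEW = f"""
System:8 TCP JCARLSON:microsoft-ds JCARLSON:0 LISTENING
System:8 TCP {EXTERNAL_IF}:netbios-ssn JCARLSON:0 LISTENING
System:8 TCP {EXTERNAL_IF}:427 JCARLSON:0 LISTENING
System:8 TCP {EXTERNAL_IF}:3746 24.137.12.200:http TIME_WAIT
System:8 TCP JCARLSON:3700 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3704 localhost:1025 TIME_WAIT
System:8 TCP JCARLSON:3706 localhost:1025 TIME_WAIT
System:8 UDP {EXTERNAL_IF}:netbios-ns *:*
System:8 TCP {EXTERNAL_IF}:3808 compsvr_s:524 SYN_SENT
SVCHOST.EXE:420 TCP JCARLSON:epmap JCARLSON:0 LISTENING
SVCHOST.EXE:1108 TCP {EXTERNAL_IF}:3091 80.15.249.177:https CLOSE_WAIT
SVCHOST.EXE:1108 TCP JCARLSON:3068 localhost:1025 CLOSE_WAIT
LSASS.EXE:260 UDP {EXTERNAL_IF}:isakmp *:*
CCPXYSVC.EXE:680 TCP JCARLSON:1025 JCARLSON:0 LISTENING
CCPXYSVC.EXE:680 TCP JCARLSON:1025 localhost:3698 TIME_WAIT
"""


class Socket(NamedTuple):
    proc: str
    pid: int
    proto: str
    lhost: str
    lport: str
    rhost: str
    rport: str
    state: str   # empty for UDP rows


# A record starts at "<process>:<pid> TCP|UDP"; split on the whitespace before it.
RECORD_START = re.compile(r"\s+(?=\S+:\d+\s+(?:TCP|UDP)\s)")


def parse_tcpview(text: str) -> List[Socket]:
    """Parse TCPView rows whether they are one per line or run together."""
    sockets = []
    for chunk in RECORD_START.split(text.strip()):
        tokens = chunk.split()
        if len(tokens) < 4:
            continue
        proc, pid = tokens[0].rsplit(":", 1)
        lhost, lport = tokens[2].rsplit(":", 1)
        rhost, rport = tokens[3].rsplit(":", 1)
        state = tokens[4] if len(tokens) > 4 else ""
        sockets.append(Socket(proc, int(pid), tokens[1], lhost, lport, rhost, rport, state))
    return sockets


def exposed_services(sockets, external_host):
    """Sockets bound to the externally reachable interface that accept input:
    TCP listeners and every UDP socket."""
    return [
        (s.proc, s.pid, s.proto, s.lport)
        for s in sockets
        if s.lhost == external_host
        and ((s.proto == "TCP" and s.state == "LISTENING") or s.proto == "UDP")
    ]


def loopback_clients(sockets):
    """For each localhost port that has a TCP listener, count the client sockets
    connected to it and name the listening process (a local proxy shows up here)."""
    listeners = {s.lport: (s.proc, s.pid) for s in sockets
                 if s.proto == "TCP" and s.state == "LISTENING"}
    counts = Counter(s.rport for s in sockets
                     if s.rhost == "localhost" and s.rport in listeners)
    return {port: (listeners[port], n) for port, n in counts.items()}


def stuck_connections(sockets):
    """Half-open (SYN_SENT) and half-closed (CLOSE_WAIT) sockets per process."""
    counts = Counter((s.proc, s.pid, s.state) for s in sockets
                     if s.state in ("SYN_SENT", "CLOSE_WAIT"))
    return dict(counts)


if __name__ == "__main__":
    socks = parse_tcpview(SAMPLE_TCPVIEW)
    print("exposed on DSL interface:", exposed_services(socks, EXTERNAL_IF))
    print("clients of localhost listeners:", loopback_clients(socks))
    print("stuck connections:", stuck_connections(socks))
```

To run it against a real capture, paste the TCPView text into `parse_tcpview()` and pass the name TCPView shows for your outside-facing interface to `exposed_services()`; anything listed there is reachable from the DSL side unless a firewall in front of the machine blocks it, which is the point the later replies in this thread make about a router.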
#8
I too am experiencing this problem; I believe it is most likely IE 6 related. My config is nearly identical to yours, I also work remotely via DSL and VPN.
OS: Windows 2000 SP4 (WinNT 5.00.2195)
IE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
The only difference is I can shut down IE; it doesn't quite cripple my system but comes close to it. I have a Dell Latitude Laptop PIII with 384MB RAM. I have noticed IExplore.exe constantly using 100% CPU over the last week, no new software has been installed in the last week. Today I installed and ran Ad-aware & SpyBot with latest updates which cleaned out a lot of scumware. But the IE problem still persists. I've cleared all temp files/folders, history, run Norton Corporate Edition v7.6 with latest updates and no luck. I am almost sure this is related to scumware or some sort of virus affecting IE 6. This seems to be a very common problem, check out the many posts on Microsoft's newsgroup, search for "iexplore.exe" - http://support.microsoft.com/newsgr...n-us;newsgroups (http://support.microsoft.com/newsgroups -> Internet Technologies -> Internet Explorer 6.0 -> Browser) H-E-L-P!
#9
Look into TC.exe here: http://www.ghisler.com/
and also srvany.exe. Seems to me like your system has been compromised. I would advise a router and forward the ports you need for work. If you are forwarding ports I would advise a good software firewall such as AVG. Cheers.
Viewing: Dev Shed Forums > Operating Systems > Windows Help > IEXPLORE.exe not closing