IE6 iexplore.exe process not closing


V

V Green

Recent development - last 3 -4 days.

iexplore.exe process does not close after closing
window - crashes witn "...must close..." dialog about
five minutes after closing window. 0xC00000005
access vioation. If you leave window open, no crash.

Can kill with Task Manager, it's not the "iexplore" virus.

CA / Malwarebytes / etc. find nothing.

Stopping all BHO's etc. doesn't help.

Can't think of anything I did to cause this...

XP SP3, fully patched.
 
Ad

Advertisements

V

V Green

OK, installed IE7 and patched to most recent.

Now, doesn't crash 5 min after exiting, but still
keeps iexplore.exe open.

Thoughts?
 
P

PA Bear [MS MVP]

Upgrading in hopes of fixing an existing problem is seldom a wise idea.

There is a very good chance that you are seeing the effects of a hijackware
infection!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection' scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums as well.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
 
V

V Green

PA - I got the SOB before reading your reply, but
at usual you were right.

It's a relatively new scumware based on XWREG32.DLL and
LIB.DLL. CA does NOT have it in their A/V database,
nor does Malwarebytes. I won't go into the specifics here,
you can get plenty info by googling those two .DLL's.

Hijack This saw it at a text/html filter hijack, but didn't
offer much info...

SuperAntiSpyware knows about it though, I hadn't updated
SAS for a while...shows how stupid I can be!


PA Bear said:
Upgrading in hopes of fixing an existing problem is seldom a wise idea.
I know, but the symptoms were such that they did not fit any
info I could find (was looking for the wrong thing then) and I know
I should have gone to IE7 several months ago...lazy. So, I get
a more secure browser as part of the bargain. Also, you guys here
tend to chastise people for using old browsers...

Couple weeks ago, I was having trouble with Cox email blacklisting
issues and I did a lot of searching for info. Probably got the
infection on one of the shady "answer" sites. Ugh.

There is a very good chance that you are seeing the effects of a hijackware
infection!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the MSRT
on a non-infected machine, then transfer MRT.EXE to the infected machine and
rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection' scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested logs
in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums as well.**

If these procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and independent
(i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002
www.banthecheck.com


V said:
OK, installed IE7 and patched to most recent.

Now, doesn't crash 5 min after exiting, but still
keeps iexplore.exe open.

Thoughts?
 
P

PA Bear [MS MVP]

All well & good but I would NOT rely solely on SAS at this point and assume
the machine's 100% clean! See Steps #1 through #3 in my previous reply.

V said:
PA - I got the SOB before reading your reply, but
at usual you were right.

It's a relatively new scumware based on XWREG32.DLL and
LIB.DLL. CA does NOT have it in their A/V database,
nor does Malwarebytes. I won't go into the specifics here,
you can get plenty info by googling those two .DLL's.

Hijack This saw it at a text/html filter hijack, but didn't
offer much info...

SuperAntiSpyware knows about it though, I hadn't updated
SAS for a while...shows how stupid I can be!


PA Bear said:
Upgrading in hopes of fixing an existing problem is seldom a wise idea.
I know, but the symptoms were such that they did not fit any
info I could find (was looking for the wrong thing then) and I know
I should have gone to IE7 several months ago...lazy. So, I get
a more secure browser as part of the bargain. Also, you guys here
tend to chastise people for using old browsers...

Couple weeks ago, I was having trouble with Cox email blacklisting
issues and I did a lot of searching for info. Probably got the
infection on one of the shady "answer" sites. Ugh.

There is a very good chance that you are seeing the effects of a
hijackware
infection!

NB: If you had no anti-virus application installed or the subscription
had
expired *when the machine first got infected* and/or your subscription
has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection'
scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums as
well.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002
www.banthecheck.com


V said:
OK, installed IE7 and patched to most recent.

Now, doesn't crash 5 min after exiting, but still
keeps iexplore.exe open.

Thoughts?


Recent development - last 3 -4 days.

iexplore.exe process does not close after closing
window - crashes witn "...must close..." dialog about
five minutes after closing window. 0xC00000005
access vioation. If you leave window open, no crash.

Can kill with Task Manager, it's not the "iexplore" virus.

CA / Malwarebytes / etc. find nothing.

Stopping all BHO's etc. doesn't help.

Can't think of anything I did to cause this...

XP SP3, fully patched.
 
V

V Green

Thanks for the concern. Using multiple tools, Process Explorer,
and manually removing some registry entries, I am pretty sure
I got it.

PA Bear said:
All well & good but I would NOT rely solely on SAS at this point and assume
the machine's 100% clean! See Steps #1 through #3 in my previous reply.

V said:
PA - I got the SOB before reading your reply, but
at usual you were right.

It's a relatively new scumware based on XWREG32.DLL and
LIB.DLL. CA does NOT have it in their A/V database,
nor does Malwarebytes. I won't go into the specifics here,
you can get plenty info by googling those two .DLL's.

Hijack This saw it at a text/html filter hijack, but didn't
offer much info...

SuperAntiSpyware knows about it though, I hadn't updated
SAS for a while...shows how stupid I can be!


PA Bear said:
Upgrading in hopes of fixing an existing problem is seldom a wise idea.
I know, but the symptoms were such that they did not fit any
info I could find (was looking for the wrong thing then) and I know
I should have gone to IE7 several months ago...lazy. So, I get
a more secure browser as part of the bargain. Also, you guys here
tend to chastise people for using old browsers...

Couple weeks ago, I was having trouble with Cox email blacklisting
issues and I did a lot of searching for info. Probably got the
infection on one of the shady "answer" sites. Ugh.

There is a very good chance that you are seeing the effects of a hijackware
infection!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection' scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums as well.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002
www.banthecheck.com


V Green wrote:
OK, installed IE7 and patched to most recent.

Now, doesn't crash 5 min after exiting, but still
keeps iexplore.exe open.

Thoughts?


Recent development - last 3 -4 days.

iexplore.exe process does not close after closing
window - crashes witn "...must close..." dialog about
five minutes after closing window. 0xC00000005
access vioation. If you leave window open, no crash.

Can kill with Task Manager, it's not the "iexplore" virus.

CA / Malwarebytes / etc. find nothing.

Stopping all BHO's etc. doesn't help.

Can't think of anything I did to cause this...

XP SP3, fully patched.
 
P

PA Bear [MS MVP]

Uh-huh...

V said:
Thanks for the concern. Using multiple tools, Process Explorer,
and manually removing some registry entries, I am pretty sure
I got it.

PA Bear said:
All well & good but I would NOT rely solely on SAS at this point and
assume
the machine's 100% clean! See Steps #1 through #3 in my previous reply.

V said:
PA - I got the SOB before reading your reply, but
at usual you were right.

It's a relatively new scumware based on XWREG32.DLL and
LIB.DLL. CA does NOT have it in their A/V database,
nor does Malwarebytes. I won't go into the specifics here,
you can get plenty info by googling those two .DLL's.

Hijack This saw it at a text/html filter hijack, but didn't
offer much info...

SuperAntiSpyware knows about it though, I hadn't updated
SAS for a while...shows how stupid I can be!


Upgrading in hopes of fixing an existing problem is seldom a wise idea.

I know, but the symptoms were such that they did not fit any
info I could find (was looking for the wrong thing then) and I know
I should have gone to IE7 several months ago...lazy. So, I get
a more secure browser as part of the bargain. Also, you guys here
tend to chastise people for using old browsers...

Couple weeks ago, I was having trouble with Cox email blacklisting
issues and I did a lot of searching for info. Probably got the
infection on one of the shady "answer" sites. Ugh.



There is a very good chance that you are seeing the effects of a
hijackware infection!

NB: If you had no anti-virus application installed or the subscription
had expired *when the machine first got infected* and/or your
subscription has since expired and/or the machine's not been kept
fully-patched at Windows Update, don't waste your time with any of the
below: Format & reinstall Windows. A Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download
the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection'
scan (only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the
requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums as
well.** If these procedures look too complex - and there is no shame in
admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002
www.banthecheck.com


V Green wrote:
OK, installed IE7 and patched to most recent.

Now, doesn't crash 5 min after exiting, but still
keeps iexplore.exe open.

Thoughts?


Recent development - last 3 -4 days.

iexplore.exe process does not close after closing
window - crashes witn "...must close..." dialog about
five minutes after closing window. 0xC00000005
access vioation. If you leave window open, no crash.

Can kill with Task Manager, it's not the "iexplore" virus.

CA / Malwarebytes / etc. find nothing.

Stopping all BHO's etc. doesn't help.

Can't think of anything I did to cause this...

XP SP3, fully patched.
 
Ad

Advertisements

R

robd

Having precisely the same issues on my 2ghz p4 w/1gb w/xp sp3 & ie6
spawning and not closeing multiple iexplorer.exe processes and also
pegging the cpu - malwarebytes and others declared workstation clean.
Having observed on multiple healthy xp w/ie6 that iexplore.exe process
typically drop from task manager immediately upon closing ie6 I knew
something was gravely wrong. The ultimate solution was so simply I had
to share this since non of the dozens of postings I read on this
offered a clue - the solution - create a fresh xp user-profile.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top