

Explorer.exe, possible memory leak?

3 replies to this topic

#1 Jonnyboy28




Posted 20 June 2004 - 11:02 AM

Hi Everyone,

I'm running Win XP Pro SP1.
My IE homepage was reset to about:blank yesterday. Additionally, Notepad and Windows Media Player 9 refused to open. I discovered this was possibly due to a CoolWebSearch trojan. I fixed the Notepad and Media Player problems and ran Adaware, Spybot S&D, NAV 2004 scan to remove infected files/registry entries. I think that all traces of malware have been removed, BUT I am experiencing a problem with the Explorer.exe process.

At this moment, the explorer.exe process is running at 117MB. It used to run at 20 - 30MB. Additionally, Page File memory after a restart of XP used to run at 160MB. It now runs at 280MB when the PC starts and currently it's 410MB with only 1 Window open!! I tried a system restore, but Windows reports it cannot use any of the restore points.

How can I prevent the explorer.exe hogging so much memory, or will I have to format my system to get it back to how it was?

Any suggestions/solutions would be much appreciated.

Here's my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 16:44:42, on 20/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jon\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O1 - Hosts: ram
O1 - Hosts: mailhost2
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client - http://chat-a1.frees...va/cfs31235.cab
O16 - DPF: ChatSpace Full Java Client - http://chat-a3.frees...va/cfs31245.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://download.yaho...l/bty/yinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7583.3610648148
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://download.yaho...alls/yab_af.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCE43C82-E32C-4EBB-AFB0-64AA5540CD21}: NameServer =

#2 Jonnyboy28




Posted 20 June 2004 - 04:58 PM

Hi All,

It looks like the memory leak prob has been solved.
I was looking for a solution to the problem this afternoon and thought I'd try installing Spywareblaster v3.1. I installed it, but whenever I tried to run the program, I received an error msg:

'This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it.'

I searched on the web for this and found that a number of peeps had the same problem and that it was caused by a CoolWebSearch hijacker. One guy had posted a link to a German website.

CWS Removal Site

On there you can download a program that supposedly removes the hijacker. Scroll to the bottom of the page and choose 'download'. I downloaded the prog (about 30kb), ran it, it then restarts the PC and now the PC works perfectly. No more about:blank IE home page, Spywareblaster runs correctly and my memory leak has gone.

I hope this helps anyone on here who has been tearing their hair out over this.


#3 temp




Posted 28 June 2004 - 07:48 AM

Thank you very much.

I've got 1 or 2 strands of hair left after searching the internet for hours.
As you said, had the SP spyware attack.
Removed it using Adaware, CWShredder, and then had problems with explorer.exe consuming over a gig of memory when performing a search for files.
Had thought it was a virus, but both a trojan scanner and Norton came up blank.
Downloaded and ran the program and it has worked a treat.

ta muchly.

#4 NeMeSiS




Posted 04 July 2004 - 09:25 AM

Hey, I had the same problem and I ran the CWShredder program and my explorer.exe is back to normal, it's at 20k. But my svchost is around 40k :thumbsdown: Did you have that problem too? Anybody have any idea how to fix it? :wtf:
