Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

explorer.exe is eating my ram!


  • Please log in to reply

#1
nerrad

nerrad

    Member

  • Member
  • PipPip
  • 12 posts
Hi,

Lately the amazing yellow balloon pops up and tells me that I am running low on virtual memory.

Now I have 768mb of RAM and at one time I was running nothing but a putty terminal and AV etc...

So I decided to investigate a little I ran hijack this (thinking maybe it was malware or a Trojan) and found nothing to out of the ordinary, puzzled I then turned to sysinternals Process Explorer.

After looking around a bit I noticed that explorer.exe was to blame for the vanishing memory in particular two dll files "stobject.dll" which shows as "stobject.dll!DllCanUnloadNow+0x1fa4" and "SHLWAPI.dll" which shows as "SHLWAPI.dll!Ordinal505+0x3e9". I looked on the net and discovered that stobject.dll is to do with the system tray and shlwapi.dll is also to do with windows but why the [bleep] are they doing eating all my ram!?

Oh I know that it is stobject.dll and shlwapi.dll are the culprits as every time I kill the threads the performance graph goes from a steady / to a nice flat ___ and after I kill explorer the colourful line plummets!

I hope you can be of some help


Darren
:tazz:
  • 0

Advertisements


#2
nerrad

nerrad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
LOL you actually "[bleep]"ed the word...... well where the devil lives begins with a H ends in an L and has E and L in between.

Hardly offensive language I have used?!?!?
  • 0

#3
computerwiz12890

computerwiz12890

    Fixer-upper guy

  • Retired Staff
  • 1,802 posts
Hello and welcome to Geeks to Go.

That's a very interesting problem. I've got several ideas:

1. Do a Windows update.
2. Do a Windows repair.
3. Use Filemon to figure out what the heck those 2 files are doing.
4. Scan for an infection with Kaspersky's online scanner

Try each one until the problem is resolved. If it is not resolved after going through each one, let me know. When using Filemon, disable unnecessary programs in order to narrow down the problematic files. You may have to play around with that program in order to learn what it does and how to use it. If you decide to use it (it may not even be helpful, but on the other hand it could be very valuable), save a report after letting it run for about 30 seconds.

Let me know how it goes.

Edited by computerwiz12890, 11 January 2006 - 08:02 PM.

  • 0

#4
nerrad

nerrad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi thank you for you reply,

I tried your steps and found nothing no viruses no extreme reading and writing to the file system etc so I decided to have a look at what is going on in the registry with REGMON and I found very interesting results the following is a very small cut out (2 seconds) of what is going on with explorer.


25770	10:29:07	explorer.exe:1208	OpenKey	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0B5A38F6-6228-4790-A150-57C93452D550}	SUCCESS	Access: 0x1 	
25771	10:29:07	explorer.exe:1208	QueryValue	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0B5A38F6-6228-4790-A150-57C93452D550}\AddressType	SUCCESS	0x0	
25772	10:29:07	explorer.exe:1208	CloseKey	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0B5A38F6-6228-4790-A150-57C93452D550}	SUCCESS		
25773	10:29:07	[b]explorer.exe:1208	QueryValue	HKLM\SYSTEM\ControlSet004\Services\Tcpip\Linkage\Bind	BUFFER OVERFLOW[/b]		
25774	10:29:07	[b]explorer.exe:1208	QueryValue	HKLM\SYSTEM\ControlSet004\Services\Tcpip\Linkage\Bind	BUFFER OVERFLOW[/b]		
25775	10:29:07	explorer.exe:1208	QueryValue	HKLM\SYSTEM\ControlSet004\Services\Tcpip\Linkage\Bind	SUCCESS	"\Device\{0B5A38F6-6228-4790-A150-57C93452D550}"	
25776	10:29:07	explorer.exe:1208	OpenKey	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0B5A38F6-6228-4790-A150-57C93452D550}	SUCCESS	Access: 0x20019 	
25777	10:29:07	explorer.exe:1208	QueryValue	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0B5A38F6-6228-4790-A150-57C93452D550}\EnableDHCP	SUCCESS	0x1	
25778	10:29:07	explorer.exe:1208	QueryValue	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0B5A38F6-6228-4790-A150-57C93452D550}\LeaseObtainedTime	SUCCESS	0x43C60979	
25779	10:29:07	explorer.exe:1208	QueryValue	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0B5A38F6-6228-4790-A150-57C93452D550}\LeaseTerminatesTime	SUCCESS	0x43C75AF9	
25780	10:29:07	explorer.exe:1208	QueryValue	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0B5A38F6-6228-4790-A150-57C93452D550}\DhcpServer	SUCCESS	"10.0.0.2"	
25781	10:29:07	explorer.exe:1208	QueryValue	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0B5A38F6-6228-4790-A150-57C93452D550}\DhcpServer	SUCCESS	"10.0.0.2"	
25782	10:29:07	explorer.exe:1208	CloseKey	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0B5A38F6-6228-4790-A150-57C93452D550}	SUCCESS		
25783	10:29:07	explorer.exe:1208	OpenKey	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7DBD38D5-C10F-40A3-88F4-369A990C218D}	SUCCESS	Access: 0x20019 	
25784	10:29:07	explorer.exe:1208	QueryValue	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7DBD38D5-C10F-40A3-88F4-369A990C218D}\EnableDHCP	SUCCESS	0x0	
25785	10:29:07	explorer.exe:1208	QueryValue	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7DBD38D5-C10F-40A3-88F4-369A990C218D}\DhcpServer	NOT FOUND		
25786	10:29:07	explorer.exe:1208	CloseKey	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7DBD38D5-C10F-40A3-88F4-369A990C218D}	SUCCESS		
25871	10:29:08	explorer.exe:1208	CloseKey	HKCR\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}	SUCCESS		
25872	10:29:08	explorer.exe:1208	EnumerateKey	HKCR\Drive\shellex\FolderExtensions	NO MORE ENTRIES		
25873	10:29:08	explorer.exe:1208	CloseKey	HKCR\Drive\shellex\FolderExtensions	SUCCESS		
25874	10:29:08	explorer.exe:1208	QueryValue	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7DBD38D5-C10F-40A3-88F4-369A990C218D}\DhcpServer	NOT FOUND		
25875	10:29:08	explorer.exe:1208	CloseKey	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7DBD38D5-C10F-40A3-88F4-369A990C218D}	SUCCESS		
25876	10:29:08	[b]explorer.exe:1208	QueryValue	HKLM\SYSTEM\ControlSet004\Services\Tcpip\Linkage\Bind	BUFFER OVERFLOW[/b]		
25877	10:29:08	[b]explorer.exe:1208	QueryValue	HKLM\SYSTEM\ControlSet004\Services\Tcpip\Linkage\Bind	BUFFER OVERFLOW[/b]		
25878	10:29:08	explorer.exe:1208	QueryValue

Now I noticed something that I am pretty sure shouldn’t be happening HKLM\SYSTEM\ControlSet004\Services\Tcpip\Linkage\Bind BUFFER OVERFLOW?? Buffer Overflow?

It’s obviously got something to do with the network and I am guessing the network status icon as it involves stobject.dll.

It may help you to know that my ADSL is currently down and I am on temporary dialup maybe this is the problem? And when I disconnect from dialup the memory consumption steadies

Any idea how I go about fixing this?

If this is what is the problem of course

Edited by nerrad, 12 January 2006 - 07:35 PM.

  • 0

#5
computerwiz12890

computerwiz12890

    Fixer-upper guy

  • Retired Staff
  • 1,802 posts
Yes, you are quite right. There is something wrong with that buffer overflow. The computer I am currently on accesses the same key, but it says "success", not "buffer overflow".

Let's try this to repair it:

Go to Start, Run, type sfc.exe /scannow You will need an XP CD for this. If you have any problems running this, check out the following link: http://www.updatexp....cannow-sfc.html

This should repair any corruption with windows files.
  • 0

#6
nerrad

nerrad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Already tried that one!

However I did get a file that did not match an originals signature the TCPIP.SYS file, the file was restored with an original the computer was rebooted the scan was rerun and it found no more bad files.

But the problem still existed.

[OFF TOPIC (a little)]
After a little thinking of why that file was found to be modified I remembered it was the file used to control how many concurrent connections are possible to your PC from the net (default 10) which I increased to 50 as I am a heavy p2p user. At least I know now it was not corrupt or hadn’t been infected!
//


Anyway I am still lost as to what on earth is going on!

Anymore ideas?

Your help is really appreciated
  • 0

#7
computerwiz12890

computerwiz12890

    Fixer-upper guy

  • Retired Staff
  • 1,802 posts
Download and install Tune Up 2006 Trial

Click on Clean up & Repair. Run TuneUp DiskCleaner. Delete all junk files.

Click on Clean up & Repair. Run TuneUp RegistryCleaner. Fix all errors.

Click on Optimize & Improve. Run TuneUp RegistryDefrag, which will take a few minutes and need a reboot.

After the reboot, click on Optimize & Improve then click on TuneUp System Optimizer. Now click on Accelerate downloads and Internet surfing to accelerate downloads, select the speed just above your actual connection speed, this requires a reboot.

After the reboot, click on Optimize & Improve then click on TuneUp System Optimizer. In the menu to the left called "Wizards", choose System Advisor. Note some of the advice it tells you.

Edited by computerwiz12890, 12 January 2006 - 01:24 PM.

  • 0

#8
nerrad

nerrad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Nope still no luck :)

I followed all you suggestions and the Buffer Overflow still exists and so does the disappearing RAM… Bummer

At least now my computer is running far nippier then usual.

I have noticed two things:
  • When I disable the network status icon appearing in the system tray all is fine no more buffer overflow issues or memory loss. :)
  • The connection is using Netmon Packet Capture driver and I can not disable or uninstall it as it simply freezes and hogs the CPU when I try. Maybe this has something to do with it?

Anyway at least I have found a work around to this very annoying issue! But if you have more ideas then please let me know! Because I hate leaving something unsolved!!

Meanwhile I will look around the net to see if I can find another way to remove the Packet Capture Driver and see if this is contributing to the problem.
:tazz:
  • 0

#9
computerwiz12890

computerwiz12890

    Fixer-upper guy

  • Retired Staff
  • 1,802 posts
Very interesting: http://nvd.nist.gov/...e=CVE-2005-2127

See #29, it's Stobject.dll, just like your problem. See that at the bottom?:

Vulnerability Type: Buffer Overflow


Also interesting: http://www.securitys...d.html?id=11583


Read the first link and see what it says. I would read it myself, but I don't have the time right now.


My recommendation:

1. Read this link and see if it helps
2. Update for Internet Explorer 6
3. Do a windows update
4. Do a windows repair


If the problem is not solved after thoroughly exploring the first link I gave you, or after trying the other 3 recommendations, we will delve deeper into the problem.

As for your question:

The connection is using Netmon Packet Capture driver and I can not disable or uninstall it as it simply freezes and hogs the CPU when I try. Maybe this has something to do with it?

I have no idea what Netmon Packet Capture is...

Edited by computerwiz12890, 12 January 2006 - 05:16 PM.

  • 0

#10
nerrad

nerrad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I have all the latest updates etc from Microsoft including internet explorer, therefore am hopefully patched from any vulnerabilities, Also I am behind 2 sets of firewalls one software and one hardware and always have an up to date AV that scans every night for spy ware and viruses etc. So i am hoping that the chances of me being infected my some type of malicious code are minimal.... Buts it’s a cruel world and I am not the luckiest person!

I read through a few of the posts and didn’t find anything really relevant to my situation that is not patched.

Well I can safely say I am at a loss!

I think we need to find somebody who is a real Guru on memory leaks and so forth.


And the Netmon Packet Capture I was referring was used for a program that I used to sniff / analyse network traffic. But it impossible to remove! So if anyone knows how let me know.

I am not quite yet prepared to reinstall windows (as you may have noted I have found a work around and it only happens when the Dial Up connection is active… That led me to think maybe dodgy drivers or hardware? So tried reinstalling but still same problem) + SOOD downloading Sp2 on dialup!!

Anyway it’s now more of an annoyance where I want and am interested to know what is causing it then need to know.
  • 0

Advertisements


#11
computerwiz12890

computerwiz12890

    Fixer-upper guy

  • Retired Staff
  • 1,802 posts
What firewalls are you using?

Also, download A Really Small App and install it. Run it while your "RAM eating" problem is occuring and click on Copy. You don't have to run it while the problem is occuring, but I might be able to figure out what is causing the problem if you do. Paste the copied info in your reply to me, but please remove your IP Address from the report that A Really Small App will generate.

Edited by computerwiz12890, 13 January 2006 - 09:01 AM.

  • 0

#12
nerrad

nerrad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I am running ZoneAlarm Security Suite on my PC and when i am not on dialup all my connections come though my router which has an SPI (Stateful Packet Inspection) firewall.

The following is what A Really Small App produced:

======================================================================
   A Really Small App v1.5  ---  From  www.AnswersThatWork.com
======================================================================

Operating System :  Windows XP Professional	Service Pack :  2.0	Build :  2600

Total RAM :  768 MB

Drives : 
C:\	Fixed drive	Capacity :  26.46 GB	Free :  10.61 GB
D:\	Fixed drive	Capacity :  9.87 GB	Free :  6.44 GB
E:\	Fixed drive	Capacity :  1.03 GB	Free :  435.13 MB
F:\	Fixed drive	Capacity :  142.79 GB	Free :  8.7 GB
H:\	CD-ROM/DVD-ROM
I:\	Removable drive
Z:\	CD-ROM/DVD-ROM

Computer Up time :  8 Hours, 44 Minutes, 55 Seconds.
Active connections to your PC from other computers : 0
Your TCP/IP Addresses :  10.0.0.10,  x.x.x.x

--------------------------------------------------

Twenty Four processes were running at 16:49 on Friday 13-Jan-2006

A_Really_Small_App.exe	C:\Program Files\AnswersThatWork\A Really Small App\A_Really_Small_App.exe
alg.exe	C:\WINDOWS\System32\alg.exe
Crypserv.exe	C:\WINDOWS\system32\crypserv.exe
csrss.exe	C:\WINDOWS\system32\csrss.exe
E_S4I0F2.EXE	C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
explorer.exe	C:\WINDOWS\Explorer.EXE
isafe.exe	C:\WINDOWS\system32\ZoneLabs\isafe.exe
lsass.exe	C:\WINDOWS\system32\lsass.exe
msnmsgr.exe	C:\Program Files\MSN Messenger\msnmsgr.exe
putty.exe	C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\putty.exe
services.exe	C:\WINDOWS\system32\services.exe
smss.exe	C:\WINDOWS\system32\smss.exe
SOUNDMAN.EXE	C:\WINDOWS\SOUNDMAN.EXE
spoolsv.exe	C:\WINDOWS\system32\spoolsv.exe
svchost.exe	C:\WINDOWS\system32\svchost.exe
svchost.exe	C:\WINDOWS\system32\svchost.exe
svchost.exe	C:\WINDOWS\System32\svchost.exe
svchost.exe	C:\WINDOWS\system32\svchost.exe
svchost.exe	C:\WINDOWS\system32\svchost.exe
svchost.exe	C:\WINDOWS\system32\svchost.exe
vsmon.exe	C:\WINDOWS\system32\ZoneLabs\vsmon.exe
wdfmgr.exe	C:\WINDOWS\system32\wdfmgr.exe
winlogon.exe	C:\WINDOWS\system32\winlogon.exe
zlclient.exe	C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

--------------------------------------------------

Your startups on the same day and time are listed below :

Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
======================================================================
STYLEXP	C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
µTorrent	"C:\Documents and Settings\Mel\Desktop\utorrent.exe"

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
======================================================================
EPSON Stylus Photo R300 Series	C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
Zone Labs Client	C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
Cmaudio	RunDll32 cmicnfg.cpl,CMICtrlWnd
SoundMan	SOUNDMAN.EXE

--------------------------------------------------

Your scheduled task is listed below :

Task Name :  1-Click Maintenance
Application :  C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
Comment :  Starts 1-Click Maintenance at scheduled times
Last Run :  30/11/1999
Next Run :  13/01/2006 17:15:00

======================================================================
   A Really Small App v1.5  ---  From  www.AnswersThatWork.com
======================================================================

Also below is an image of the memory increase whilst the network status icon is enabled and then when it is disabled showing how it steadys:

Posted Image

Sorry about the quality but dialup is slow and i dont want to wait for it to upload!
  • 0

#13
computerwiz12890

computerwiz12890

    Fixer-upper guy

  • Retired Staff
  • 1,802 posts
A Really Small App told me that you have a few infections. I believe that these infections are the root of your problem.

Please follow all the directions found here. After you get to step 5, if your problem is not resolved, post a HijackThis log in the Malware forum. If your problem persists after getting a clean bill of health from a malware expert, return here and we'll continue troubleshooting. If your problem is resolved simply by running the programs in the link, let me know. I always like to know the results :tazz: .

Edited by computerwiz12890, 13 January 2006 - 05:54 PM.

  • 0

#14
nerrad

nerrad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

A Really Small App told me that you have a few infections.


Wow?! Really? Which part of the log told you this?

After a quick analysis of that log and the hijack this log I was fairly certain that there was no infection.

Nevertheless based on your concerns I took the following actions:

Verified that each executable was original and legitimate process and had not been infected with malware using Kaspersky Online File Scanner, these are the results:
  • alg.exe - (Verified) Microsoft Windows Publisher 5.01.2600.2180- core process for Microsoft Windows Internet Connection sharing and Internet connection firewall. VIRUS FREE
  • crypserv.exe - (Unable to verify) - belongs to the CrypKey software (validates i have a valid license). VIRUS FREE
  • csrss.exe - (Verified) Microsoft Windows Publisher - process manages most graphical commands in Windows. VIRUS FREE
  • E_S4I0F2.EXE - (Unable to verify) - Epson Printer Manager / driver. VIRUS FREE
  • isafe.exe - (Unable to verify) - part of Computer Associates eTrust AntiVirus which keeps your Internet security product upto date. VIRUS FREE
  • lsass.exe - (Verified) Microsoft Windows Publisher 5.01.2600.2180 - specifically deals with local security and login policies. VIRUS FREE
  • msnmsgr.exe - (Verified) Microsoft Windows Publisher 7.05.0311.0000 - Instant Messenger application. VIRUS FREE
  • putty.exe -(Unable to verify) - Putty terminal for access using to another box. VIRUS FREE
  • services.exe- (Verified) Microsoft Windows Publisher 5.01.2600.2180 - manages the operation of starting and stopping services. VIRUS FREE
  • smss.exe - (Verified) Microsoft Windows Publisher 5.01.2600.2180 - responsible for handling sessions on your system. VIRUS FREE
  • SOUNDMAN.EXE -(Unable to verify) -For Realtek sounds cards and is used to display the system tray icon to access the diagnostic utilities. VIRUS FREE
  • spoolsv.exe -(Verified) Microsoft Windows XP Publisher 5.01.2600.2696 - handles the printing process to your local printers. VIRUS FREE
  • svchost.exe - (Verified) Microsoft Windows Publisher 5.01.2600.2180 - handles processes executed from DLLs. VIRUS FREE
  • vsmon.exe - (Verified) Check Point Software Technologies Inc. 6.01.0737.0000 - used to monitor Internet traffic and generate alerts depending on the security rules configured by the user.. VIRUS FREE
  • wdfmgr.exe - (Verified) Microsoft Windows Component Publisher 5.02.3790.1230 - part of Microsoft Windows media player 10 and above. This process decreases compatibility problems whilst the product is in use (I had closed WMP just before I run that app). VIRUS FREE
  • winlogon.exe - (Verified) Microsoft Windows Publisher 5.01.2600.2180 - handles the login and logout procedures on your system. VIRUS FREE
  • zlclient.exe - (Verified) Check Point Software Technologies Inc. 6.01.0737.0000 - part of the Zonelabs Internet Security range of products, which acts as a firewall for your computer. VIRUS FREE
Processes not active but still start up
  • StyleXP.exe - (Unable to verify) – Used to adjust the computer look and feel. VIRUS FREE
  • utorrent.exe - (Unable to verify) – Bit torrent Client. VIRUS FREE
  • Cmaudio RunDll32 cmicnfg.cpl,CMICtrlWnd – process belonging to C-Media based soundcards which is initiated upton startup to configure this audio hardware's control panel applet. VIRUS FREE
  • SystemOptimizer.exe - (Unable to verify) TuneUp Software GmbH – Part of tune up system optimizer. VIRUS FREE
For processes that couldn’t be verified I think is due to the lack of a digital signature/certificate

I think we can safely say that there is no infection here, however as A Small App doesn’t actually show every process that can be executed when you system running such as BHO’s I have installed 2 a different AV software, AVG and Norton Antivirus I did bit by bit scanning in the most sensitive modes just to be extra sure and not a single virus was found.

I also ran several spyware utilities such as Spycop, Adaware, spywaredetector and my always active Zonelabs one, Results; No major spyware infections (just a few tracking cookies)

I also did a boot scan (booted AV form a disc) to be completely sure using f-prot and Mcafee with the latest updates, and no infection was found.

So I think we can safely say there is no infection what so ever, and I have never had a single virus on my system.

I am not a computer novice and have 4 years of technical/server experience and know how to safely insure a computer stays free of viruses and remove an infestation if one is found.

I am pretty sure this problem is a little more complicated then a simple malware infection.

Do you have anymore ideas?
  • 0

#15
computerwiz12890

computerwiz12890

    Fixer-upper guy

  • Retired Staff
  • 1,802 posts

Verified that each executable was original and legitimate process and had not been infected with malware using Kaspersky Online File Scanner, these are the results:


I love Kaspersky, but it isn't perfect. Even Kaspersky can miss an infection, especially a new one. In addition, a virus is only one type of infection, there are many other types.

I have installed 2 a different AV software, AVG and Norton Antivirus


Having more than one AV installed on your computer can cause conflicts. I recommend removing AVG.

I also ran several spyware utilities such as Spycop, Adaware, spywaredetector and my always active Zonelabs one, Results


I can't find any info on Spycop, and I'm not familiar with it. Spywaredetector used to be rogue, it would find false positives. If this is a newer version, then it is okay. See Spyware warrior's rogue anti-spyware list for more info.

I am pretty sure this problem is a little more complicated then a simple malware infection.


You wanna tell that to the malware experts? I think they'd hardly call malware infections simple. There are some very nasty ones out there, and some very tricky ones too.

Wow?! Really? Which part of the log told you this?


Here is how I came to that determination

I am currently in training, and I was told one of the tricks of identifying a legitimate entry from an identically named infection was by looking at it's location. See where these two are located?:

isafe.exe C:\WINDOWS\system32\ZoneLabs\isafe.exe
vsmon.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Upon seeing these two entries, I immediately thought "infection". And through thorough searching, I found this. A worm which disguises itself as ZoneLabs's executable vsmon.exe. However, because of your last post, I decided to install ZoneAlarm on my own computer to see it's characteristics. Apparently vsmon.exe is one of those rare 3rd party programs that are suppose to be in the System32 folder.

But as for isafe.exe, it was NOT installed on my computer when I installed ZoneAlarm. In fact, you said that isafe.exe is part of eTrust Antivirus. And yet it is in a ZoneLabs folder in System32! You did not say that you had eTrust, so I remain suspicious about this file. In fact:

isafe.exe - (Unable to verify)
vsmon.exe - (Verified)
zlclient.exe - (Verified)


All three of those are in that ZoneLabs folder in System32. Why is isafe.exe unable to be verified, but the others are? If you don't have eTrust, where did isafe.exe come from? isafe.exe shoud be in the C:\Program Files\CA\eTrust Vet Antivirus\ folder, like in this person's HijackThis log. This could be a new infection, or maybe there's a bit of info that I'm missing. Like I said, I'm in only in training. But I remain suspicious, unless a malware expert says otherwise, or unless you can verify what isafe.exe really is.


If you are really convinced it is not an infection, I would recommend starting a topic in the Networking Forum and telling them what you told me earler:

When I disable the network status icon appearing in the system tray all is fine no more buffer overflow issues or memory loss.
The connection is using Netmon Packet Capture driver and I can not disable or uninstall it as it simply freezes and hogs the CPU when I try. Maybe this has something to do with it?


If it isn't an infection, I don't know what to suggest next, other than going to the Network Forum and telling them that.

Edited by computerwiz12890, 14 January 2006 - 03:16 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP