100% cpu usage by IE

Marin85
Senior ThinkPadder
Posts: 2975
Joined: Sat May 12, 2007 10:54 am
Location: Munich, Germany

#1 Post by Marin85 » Tue May 29, 2007 10:55 am

Hi,
I posted about this problem in the Z series section a day ago; now I think it's not a Z series specific problem. I have an issue with IE increasing cpu usage to 100 % which lasts until I kill iexplorer.exe. I scanned for viruses, malware, spyware, adaware, but nothing of these came out. I always use CCleaner and I have no HDD fragmentation problems since I use Perfect Disk. As I thought this could be due to some kind of software conflict or incomplete avi-files, I took all measures to ensure that there aren't any (removed all antivirus software for a while, removed all avi-files, removed quicktime and divx), but I still have this problem. Since I've been running Kaspersky and Ad-Aware for weeks (of course not at the same time) without having any problems, I think they don't have much to do with that issue. JDHurst replied that he doesn't run Kaspersky or DivX, he hasn't such problems at all.
Here is a log from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 17:26:40, on 29.05.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
c:\programme\lenovo\system update\suservice.exe
C:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Programme\Lenovo\Client Security Solution\tvttcsd.exe
C:\Programme\Lenovo\Rescue and Recovery\rrservice.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
C:\Programme\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Logger\logmon.exe
C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programme\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Programme\Lenovo\Client Security Solution\cssauth.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\Programme\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programme\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Programme\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Windows Media Player\WMPNetwk.exe
C:\Programme\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programme\ICQ6\ICQ.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Process Explorer\procexp.exe
C:\Programme\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programme\BitComet 0.88\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: HTML Quick Edit - {C420F40F-9AD0-4EC5-BF71-01B8384CD66C} - C:\Programme\HTML Quick Edit Bar\HTMLQuickEditBar.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programme\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [cssauth] "C:\Programme\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: Download all links using BitComet - res://C:\Programme\BitComet 0.88\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Programme\BitComet 0.88\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Programme\BitComet 0.88\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Programme\Lenovo\System Update\sulauncher.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/welcome/thinkpad
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/acce ... /AcpIR.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resou ... NPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7446873312
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/ ... 586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33A021DD-8E8B-4AF5-907D-7750460F0BDD}: NameServer = 192.168.1.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: AwayNotify - C:\Programme\Lenovo\AwayTask\AwayNotify.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: psfus - C:\WINDOWS\system32\psqlpwd.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Programme\LRZ VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Unknown owner - C:\Programme\iPod\bin\iPodService.exe (file missing)
O23 - Service: IPS-Basisservice (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Programme\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programme\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\programme\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Programme\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Programme\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Programme\Lenovo\Rescue and Recovery\ADM\IUService.exe

If someone has an idea how to fix this problem, I'll be very thankful if he posts it here. Believe me, those 100% of cpu usage are a real trouble :(

Marin

P.S. Don't be irritated by AVG and Kaspersky in the process list. I never run them at the same time. Why both? My experience has shown that there is badware out there detected by AVG but not by Kaspersky and the other way around!
IBM Lenovo Z61p | 15.4'' WUXGA | Intel Core 2 Duo T7400 2x 2.16GHz | 4 GB Kingston HyperX | Hitachi 7K500 500 GB + WD 1TB (USB) | ATI Mobility FireGL V5200 | ThinkPad Atheros a/b/g | Analog Devices AD1981HD | Win 7 x86 + ArchLinux 2009.08 x64 (number crunching)

tomh009
Moderator Emeritus
Posts: 3021
Joined: Wed Feb 23, 2005 3:30 pm
Location: Kitchener, ON

#2 Post by tomh009 » Tue May 29, 2007 1:36 pm

When do you get the 100% usage? Immediately when IE starts up? If so, have you tried setting your home page to a blank page?
X220 (4287-2W5, Windows 8 Pro) / X31 (2672-CXU, XP Pro) / X61s (7668-CTO, Windows 8 Pro)

#3 Post by Marin85 » Tue May 29, 2007 2:37 pm

Hi,
not only on startup. The problem is that I get 100 % cpu usage the whole time I run IE and it doesn't decrease afterwards. It just stays at a constant level of 99-100 % until I close IE and kill explorer.exe.

M.


EDIT: Sry, I actually meant iexplorer.exe above.

#4 Post by Marin85 » Tue May 29, 2007 6:08 pm

I tried uninstalling IE 7 and now I'm running IE 6. This partly improved the average cpu usage by IE but it's still too high. After rebooting I tried to install IE 7 again but it just hangs every time I try to do it. Microsoft update tells me that I have completely downloaded the IE update but when trying to install it, it lasts forever without any result and after a while taskmanager shows no response of microsoft update.
I hope I didn't screw up anything and I'll not have to reinstall the whole system. I'm slowly getting really sick of that whole Microsoft rubbish (sry, if I'm breaking the forum rules by this but Microsoft has politics to create user-friendly software, especially for average users like me, correct me if I'm wrong; instead of this I have been having only problems for the past 3 weeks, and surprisingly, only with Microsoft-ware).

M.

#5 Post by tomh009 » Tue May 29, 2007 7:25 pm

Hmmmm ... you may have ended up in the IE 6 1/2 never-never land. I had a non-functional IE for almost a year after a failed IE7 beta install that would neither complete nor uninstall.

So I used Firefox for that year, and I still use it as my primary browser. With the addition of the IETab plug-in (which lets me easily view IE-specific web sites), I'm very happy with Firefox.

#6 Post by Marin85 » Wed May 30, 2007 4:19 pm

Hi,
I had some luck and could escape the never-ever-land of IE 6 and 1/2 :D . I managed to update to IE 7 and this wasn't in vain. For I now have only (!) 49-50% cpu usage of iexplorer.exe. I tried out firefox and I still have it on my desktop if something should go wrong again next days. However, I wasn't very impressed by mozilla since it came into "no response" 3 times today. But that's not the problem here.
Now the real weird things. After having installed IE 7, it seemed to me to have fixed the problem. However, after detailed observation of IE behaviour, I saw that in fact I was wrong. After I closed IE window, iexplorer.exe kept on running and increased its cpu usage to 49-50 % and it stayed so until I killed iexplorer.exe. Right the same thing happened later with outlook. What is more, I waited a while to see if the cpu usage of iexplorer.exe/outlook.exe would decrease by itself and in fact, it didn't, so I had to kill it in order to get back the normal cpu performance. When I open two or more IE windows i.e. when I start two or more iexplorer.exes, they got together to 100 % cpu usage without any stop after I close all IE windows. If they are more than two, they have kinda competition (it's a good job that one can only have 100 % cpu usage :D ). And that's not all. iexplorer.exe appears either under explorer.exe-section of my processes list or under services.exe-section. I'm not very sure if this is a normal thing either (since I'm not sure in anything more after that...)
I hope this could give you some more information about the issue. For me it's still a mystery I can't solve and I'm really anxious about that because outlook also appears to be concerned by a similar problem. As a bonus, when I get 100% of cpu usage my notebook becomes really slow, which might otherwise sound really unbelievable.

Looking forward to any possible solutions for this hopeless issue

Marin

jdhurst
Admin
Posts: 5831
Joined: Thu Apr 29, 2004 6:49 am
Location: Toronto, Canada

#7 Post by jdhurst » Wed May 30, 2007 5:17 pm

Since you have the problem with either Outlook or with IE (or with both), I would say it is probably not Outlook even though Outlook can be a pig when first starting, when changing folders and in a couple of other circumstances, but it clears up (for me) in about a minute.

Other things start to come to mind (because I have IE7 and Outlook 2003) on my two production machines (NetVista and ThinkPad) with no problems and IE7 on an XP SP2 Virtual Machine with no problems.

1. Consider (again if you already did) spyware. Try Ad Aware and see if it can find anything.
2. Consider a Top Grade registry cleaner. I generally do NOT recommend these things, and I have had one or two break (in Virtual Machines), but I have been running Registry First Aid (NOT free) through versions 4, 5 and now 6 and consider it to be Top Grade, worthwhile, and valuable.

... JDH

#8 Post by tomh009 » Wed May 30, 2007 5:45 pm

I'll second JD's suggestion -- there is something funny going on. And 50% CPU usage on a dual-core CPU really means that it's maxing out one of your two CPU cores.

With IE running (and sucking up your CPU), can you open a command prompt and run

netstat -b -n

and post the results?

#9 Post by Marin85 » Wed May 30, 2007 6:58 pm

Here is the output of cmd -> netstat -b -n:

active connections
proto Local address Remote address Status PID
TCP (avp.exe) 192.168.1.34:4256 208.56.68.2:8000 SYN_SENT 8284
TCP (avp.exe) 127.0.0.1:1110 127.0.0.1:4255 HERGESTELLT* 8284
TCP (Explorer.exe) 127.0.0.1:4255 127.0.0.1:1110 HERGESTELLT* 2084


*HERGESTELLT (ger.) – means produced, done, created, established (e.g. connection)...as I'm not very sure what is exactly meant here.

I ran Ad-Aware and AVG today to make sure that there was no "badware" on my laptop causing those problems. No such things came out, my notebook is completely clean. However, I'll try again.

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

#10 Post by GomJabbar » Wed May 30, 2007 7:08 pm

I know that avp.exe is Kaspersky's antivirus engine, as I have it on my T42.

edited typo
Last edited by GomJabbar on Wed May 30, 2007 7:19 pm, edited 1 time in total.
DKB

#11 Post by Marin85 » Wed May 30, 2007 7:17 pm

Jup,
I activated Kaspersky for I was preparing to run a scan (maybe it's stupid to have two antivirus programs...at least I don't run them at the same time :) )

#12 Post by tomh009 » Wed May 30, 2007 7:52 pm

Marin85 wrote:
Here the output of cmd -> netstat -b -n:

active connections
proto Local address Remote address Status PID
TCP (avp.exe) 192.168.1.34:4256 208.56.68.2:8000 SYN_SENT 8284
TCP (avp.exe) 127.0.0.1:1110 127.0.0.1:4255 HERGESTELLT* 8284
TCP (Explorer.exe) 127.0.0.1:4255 127.0.0.1:1110 HERGESTELLT* 2084

So when you ran this, IE7 was running and taking up and using 100% (or 50%) of CPU, right?

P.S. HERGESTELLT is ESTABLISHED, that's fine.

#13 Post by Marin85 » Wed May 30, 2007 8:12 pm

Hi,
when I ran this, I had already closed IE window, but iexplorer.exe was still running, using about 50 % of my cpu non-stop.

M.

#14 Post by tomh009 » Wed May 30, 2007 8:23 pm

Can you do the netstat again right after you start IE7, and when it's using up all the CPU?

What site is your home page set to?

#15 Post by Marin85 » Wed May 30, 2007 8:51 pm

This is after starting IE:

active connections
proto Local address Remote address Status PID
TCP (avp.exe) 127.0.0.1:1110 127.0.0.1:4917 ESTABLISHED 8284
TCP (avp.exe) 127.0.0.1:1110 127.0.0.1:1371 ESTABLISHED 8284
TCP (iexplorer.exe) 127.0.0.1:1371 127.0.0.1:1110 ESTABLISHED 6532
TCP (explorer.exe) 127.0.0.1:4917 127.0.0.1:1110 ESTABLISHED 2084
TCP (avp.exe) 192.168.1.34: 1373 66.102.9.99:80 ESTABLISHED 8284
TCP (avp.exe) 192.168.1.34:4918 222.76.56.120:8000 ESTABLISHED* 8284

I'm not sure if I can still make IE reach 100 % cpu usage. At least I can give it a try :)
My homepage is set to google.com.

M.

P.S. *Thanks for the hint :) I have German Windows, which means everything is in German-English; this mixture is sometimes really confusing...

#16 Post by tomh009 » Wed May 30, 2007 9:02 pm

Hmmm. The only thing showing is the loopback connection between IE and Kaspersky AVP.

Can you easily disable Kaspersky to see if that makes any difference? I'm grasping at straws here ...

#17 Post by Marin85 » Wed May 30, 2007 9:20 pm

Here are my results from netstat with 100 % cpu usage of IE (in order to achieve that excellent performance :D I had to open 2 IE windows and then close them, so this is the output of two iexplore.exes):

Proto local address Remote address Status PID
TCP (avp.exe) 127.0.0.1: 1110 127.0.0.1:4917 ESTABLISHED 8284
TCP (Explorer.EXE) 127.0.0.1: 4917 127.0.0.1:1110 ESTABLISHED 2084
TCP (avp.exe) 192.168.1.34:4918 222.76.56.120:8000 ESTABLISHED 8284
TCP (avp.exe) 127.0.0.1: 1110 127.0.0.1 :1423 FIN_WAITING_2 8284
TCP (iexplore.exe) 127.0.0.1:1395 127.0.0.1: 1110 CLOSE_WAITING 6532
TCP (iexplore.exe) 127.0.0.1:1423 127.0.0.1:1110 CLOSE_WAITING 5908

As for Kaspersky, I'll disable it to see if that changes something. (When I posted about this problem, I had already disabled it for I was preparing to run AVG since Kaspersky hadn't discovered any threats and the problem was still there. Today I activated it for the first time since then.)

M.
IBM Lenovo Z61p | 15.4'' WUXGA | Intel Core 2 Duo T7400 2x 2.16GHz | 4 GB Kingston HyperX | Hitachi 7K500 500 GB + WD 1TB (USB) | ATI Mobility FireGL V5200 | ThinkPad Atheros a/b/g | Analog Devices AD1981HD | Win 7 x86 + ArchLinux 2009.08 x64 (number crunching)
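
The reading applied to the netstat rows in posts #15 to #17 (which process is connected to which, over loopback or to an outside host) can be done mechanically. The Python below is an added example, not code from anyone in this thread; it parses rows in the layout typed into the posts (not raw `netstat -b` output), and the state-name aliases are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from typing import NamedTuple

# Rows copied from post #17 of this thread (two lingering iexplore.exe processes).
SAMPLE = """\
TCP (avp.exe) 127.0.0.1: 1110 127.0.0.1:4917 ESTABLISHED 8284
TCP (Explorer.EXE) 127.0.0.1: 4917 127.0.0.1:1110 ESTABLISHED 2084
TCP (avp.exe) 192.168.1.34:4918 222.76.56.120:8000 ESTABLISHED 8284
TCP (avp.exe) 127.0.0.1: 1110 127.0.0.1 :1423 FIN_WAITING_2 8284
TCP (iexplore.exe) 127.0.0.1:1395 127.0.0.1: 1110 CLOSE_WAITING 6532
TCP (iexplore.exe) 127.0.0.1:1423 127.0.0.1:1110 CLOSE_WAITING 5908
"""

# State names as typed in the thread -> canonical TCP state names (assumed aliases).
STATE_ALIASES = {
    "HERGESTELLT": "ESTABLISHED",
    "CLOSE_WAITING": "CLOSE_WAIT",
    "FIN_WAITING_2": "FIN_WAIT_2",
}

class Conn(NamedTuple):
    proc: str
    pid: int
    lip: str
    lport: int
    rip: str
    rport: int
    state: str

# Tolerates the stray spaces around ':' and the trailing '*' seen in the posts.
ROW = re.compile(
    r"^(?:TCP|UDP)\s+\((?P<proc>[^)]+)\)\s+"
    r"(?P<lip>[\d.]+)\s*:\s*(?P<lport>\d+)\s+"
    r"(?P<rip>[\d.]+)\s*:\s*(?P<rport>\d+)\s+"
    r"(?P<state>[A-Z_0-9]+)\*?\s+(?P<pid>\d+)\s*$",
    re.IGNORECASE,
)

def parse_rows(text):
    """Return one Conn per connection row; headers and malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        try:
            ipaddress.ip_address(m["lip"])
            ipaddress.ip_address(m["rip"])
        except ValueError:
            continue  # not a valid IPv4 address, treat the row as garbage
        state = m["state"].upper()
        rows.append(Conn(m["proc"].lower(), int(m["pid"]), m["lip"], int(m["lport"]),
                         m["rip"], int(m["rport"]), STATE_ALIASES.get(state, state)))
    return rows

def summarize(text):
    """Per (process, pid): local peer processes, external endpoints, CLOSE_WAIT count."""
    rows = parse_rows(text)
    # Which process owns each local endpoint, used to name the loopback peer.
    owner = {(r.lip, r.lport): r.proc for r in rows}
    acc = defaultdict(lambda: {"loopback_peers": set(), "external": set(), "close_wait": 0})
    for r in rows:
        entry = acc[(r.proc, r.pid)]
        if ipaddress.ip_address(r.rip).is_loopback:
            entry["loopback_peers"].add(owner.get((r.rip, r.rport), "unknown"))
        else:
            entry["external"].add(f"{r.rip}:{r.rport}")
        # CLOSE_WAIT: the peer has closed, this process has not closed its socket yet.
        if r.state == "CLOSE_WAIT":
            entry["close_wait"] += 1
    return {key: {"loopback_peers": sorted(v["loopback_peers"]),
                  "external": sorted(v["external"]),
                  "close_wait": v["close_wait"]}
            for key, v in acc.items()}

if __name__ == "__main__":
    for (proc, pid), info in summarize(SAMPLE).items():
        print(f"{proc} (PID {pid}): {info}")
```

On the post #17 rows this attributes the only external socket to avp.exe and shows both iexplore.exe PIDs holding a CLOSE_WAIT socket to the local avp.exe port, so per-process attribution of outbound traffic stops at the antivirus proxy.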

ashleys
Junior Member
Posts: 311
Joined: Mon Oct 11, 2004 9:25 am
Location: England

#18 Post by ashleys » Thu May 31, 2007 8:54 am

Usual troubleshooting for loops (on other systems anyway) is to dump the address space and then look at the dump.

From what I can see, Windows now provides an on-the-fly dump routine, which can be found here,

http://www.microsoft.com/downloads/deta ... layLang=en

If you're up to it, get a dump out and then use a windows debugging tool to look at the trace table (I assume it has one of those !!!). This may give a clue.

#19 Post by Marin85 » Sat Jun 02, 2007 5:59 pm

Hi,
if someone is still interested in the issue, here is my "report" :)
In fact, there was a kind of virus, actually a rootkit. Kaspersky and Ad-Aware were simply bypassed by it. After removing it, cpu usage got back to the usual levels (both for outlook and IE). Usual spyware programs just can't deal with that sort of malware for it's specially made to bypass them. If someone needs more information about detecting and removing rootkits, just post here. Maybe it wouldn't be a bad idea to open a new thread on this topic (just a suggestion)...

M.

P.S. Microsoft dump routine didn't work on my laptop: for some reason I couldn't even start it.

Temetka
Senior ThinkPadder
Posts: 2790
Joined: Fri Sep 30, 2005 3:27 am
Location: Glendora, CA

#20 Post by Temetka » Sun Jun 03, 2007 3:38 pm

Did you find out which rootkit had infected your machine?
New:
Thinkpad T430s 8GB DDR3, 1600x900, 128GB + 250GB SSD's, etc.
Old:
E6520, Precision M4400, D630, Latitude E6520
ThinkPad Tablet 16GB 1838-22U
IBM Thinkpad X61T, T61, T43, X41T, T60, T41P, T42, T410, X301

#21 Post by tomh009 » Sun Jun 03, 2007 4:10 pm

Marin85 wrote:
P.S. Microsoft dump routine didn't work on my laptop: for some reason I couldn't even start it.

Is that the sysinternals RootkitRevealer? Which rootkit detection package did you use, in the end?

#22 Post by ashleys » Mon Jun 04, 2007 9:38 am

AVG have a free rootkit scanner.

http://free.grisoft.com/doc/39798/lng/us/tpl/v5

#23 Post by Marin85 » Mon Jun 04, 2007 4:45 pm

Hi,
unfortunately, I didn't find out which rootkit it was. I was happy to remove it though :D In fact, I first used Rootkit Revealer which reported 521 discrepancies (!) ... :D (and this is quite a lot). As I am not an expert and I wasn't able to check out all of them manually (I didn't even try to), it wasn't very suitable for my needs. Nevertheless, it's a very nice tool indicating any probable issues to be fixed (not necessarily rootkits). So I can only recommend it!
I was looking for more "precise" tools which could even remove rootkits for me (that's not always the easiest part :D ) and I found some. Here is a short overview listing those in three categories; I tried to comment on each one of them according to my own experience during the last days:

1. "expert" tools (here some very nice tools for detecting and removing rootkits; however, some expert knowledge is presumed as you really have to know what to do with them :D ):

RootkitRevealer
Seem (provides a wide range of information about one's system)
IceSword (same)
AVZ (provides very detailed scanning of one's system, is also able to remove rootkits if detected) (elaborated in KasperskyLab)
RkU Rootkit Unhooker (the very best rootkit detector and unhooker I know but you really have to know what you do :D, there are few rootkits able to bypass it if at all (!), incompatible with GMER (!) )

2. "common" tools detecting and removing rootkits:
UnHackMe (effective against most common types of trojans, incl. rootkit-based ones) (continuously updated, but went commercial last year, so you can get only a trial version for free, namely v4.0)
(I used this tool to remove my "trojan" in safe mode)
AVG Anti-Rootkit (being updated): didn't help in my case
Stinger McAfee anti-rootkit: scanning with it is really slow, has no updates and didn't help in my case
Super AntiSpyware Pro: nice tool, didn't help much in my case
Fsecure Blacklight: nice tool, didn't help me
Bitdefender: nice tool
RootkitBuster: nice tool, didn't help me
PAVARK (an anti-rootkit tool of Panda): quick scanning, regularly updated, but didn't help either
Sophos Anti-Rootkit tool: nice tool as well, quick scan, but didn't help either

3. Only rootkits detecting tools (scanning tools):
GMER (in my opinion the best scanning tool out there)
SysProt
Helios Lite (good tool)
DarkSpy (good as well) (has a super-mode I haven't tried out yet)
HiddenFinder

4. Others (oh, now they are four :D ):
InjectedDLL: could give some clues
RootKit Hook Analyzer (nice tool for experienced users :D )
BreakPE (be careful, it really breaks files (!) )
SafetyCheck (couldn't run on my system for I lost some file "on the way")

Now: what does all this "nice/good tool" mean? Well, it's my personal estimation of rootkits range covered, user-friendliness, required expert skills and scanning performance (time and cpu usage).
There are some principal things you have to know about anti-rootkit tools:
1. They are mostly beta-versions, so you use them at your own risk! Don't forget it! There might appear some bugs, software incompatibility etc. (However, I didn't have such problems).
2. When running anti-rootkit tools, one has to disable any connections, any antivirus and spyware programs and stop any user applications (e.g. IE, Word, Outlook etc.) to obtain a realistic scan output.
3. They are all good for different tools cover different ranges of rootkits! Don't forget that! If you have such problems, in most cases you won't come up with only one tool! They all have different features and different "strategies" to uncover such kind of malware (well, I'm not sure whether they all have different platforms, but I can tell you for sure that this is very likely among the tools listed above :D )

Pls, don't underestimate this kind of malware. It can run hidden processes, install hidden drivers, open hidden ports without your anti-virus and anti-spyware programs detecting these activities (and many many more)! :twisted: :wink:

M.
IBM Lenovo Z61p | 15.4'' WUXGA | Intel Core 2 Duo T7400 2x 2.16GHz | 4 GB Kingston HyperX | Hitachi 7K500 500 GB + WD 1TB (USB) | ATI Mobility FireGL V5200 | ThinkPad Atheros a/b/g | Analog Devices AD1981HD | Win 7 x86 + ArchLinux 2009.08 x64 (number crunching)

jdhurst
Admin
Posts: 5831
Joined: Thu Apr 29, 2004 6:49 am
Location: Toronto, Canada

#24 Post by jdhurst » Mon Jun 04, 2007 6:05 pm

Marin85 wrote:Hi,
unfortunately, I didn't find out which rootkit it was. I was happy to remove it though :D In fact, I first used Rootkit Revealer which reported 521 discrepancies (!) ... :D (and this is quite a lot).
<snip>
Good God!! 521?! After three years of the same machine on-line 24x7 (Windows XP Pro, properly secured and used), RootKit Revealer came up as Zero. No wonder your machine was hosed.
... JDH

kulivontot
Sophomore Member
Posts: 232
Joined: Thu Mar 30, 2006 9:01 pm

#25 Post by kulivontot » Tue Jun 05, 2007 3:08 am

I've seen the 100% CPU thing happen when using Webroot's spysweeper before. I dunno if that's your problem, but that's what happened in my case. You may also want to remove spurious addons by doing tools -> manage addons -> enable or disable addons.

Marin85
Senior ThinkPadder
Posts: 2975
Joined: Sat May 12, 2007 10:54 am
Location: Munich, Germany

#26 Post by Marin85 » Mon Jun 11, 2007 3:57 pm

I was lucky to remove the gd thing and now everything seems to work properly ;)

Apropos 521 discrepancies: when I received my machine, it had already had about 500 of them...(and it's not a second hand machine...)

M.
IBM Lenovo Z61p | 15.4'' WUXGA | Intel Core 2 Duo T7400 2x 2.16GHz | 4 GB Kingston HyperX | Hitachi 7K500 500 GB + WD 1TB (USB) | ATI Mobility FireGL V5200 | ThinkPad Atheros a/b/g | Analog Devices AD1981HD | Win 7 x86 + ArchLinux 2009.08 x64 (number crunching)
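Posts #23 to #26 describe a scan reporting 521 discrepancies on a machine that already showed about 500 when new, so the useful signal is what changed since a known-good scan. The following is an added example, not part of the thread or of any tool named in it: it diffs two saved discrepancy reports, assuming a tab-separated layout of path, timestamp, size and description; the sample lines and the `example_hidden` names are constructed.

```python
from collections import Counter

# Constructed sample reports (not from the thread). Assumed layout: one finding
# per line, tab-separated as path, timestamp, size, description.
BASELINE = (
    "HKLM\\SECURITY\\Policy\\Secrets\\SAC*\t12.05.2007 10:02\t0 bytes\t"
    "Key name contains embedded nulls (*)\n"
    "C:\\System Volume Information\\tracking.log\t12.05.2007 10:02\t20.00 KB\t"
    "Hidden from Windows API.\n"
)
LATEST = (
    "hklm\\security\\policy\\secrets\\SAC*\t29.05.2007 17:20\t0 bytes\t"
    "Key name contains embedded nulls (*)\n"
    "C:\\System Volume Information\\tracking.log\t29.05.2007 17:20\t24.00 KB\t"
    "Hidden from Windows API.\n"
    "HKLM\\SYSTEM\\ControlSet001\\Services\\example_hidden\t29.05.2007 17:20\t"
    "0 bytes\tHidden from Windows API.\n"
    "C:\\WINDOWS\\system32\\drivers\\example_hidden.sys\t29.05.2007 17:20\t"
    "41.50 KB\tHidden from Windows API.\n"
)


def parse_report(text):
    """Map (lower-cased path, description) -> path as written in the report.

    Timestamp and size are left out of the key because they change from one
    scan to the next; Windows paths are compared case-insensitively.
    """
    findings = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) != 4 or not fields[0]:
            continue  # blank or malformed line
        path, _timestamp, _size, description = fields
        findings[(path.lower(), description)] = path
    return findings


def new_findings(baseline_text, latest_text):
    """Findings present in the latest scan but absent from the baseline."""
    base, latest = parse_report(baseline_text), parse_report(latest_text)
    return sorted((latest[k], k[1]) for k in latest.keys() - base.keys())


def by_description(findings):
    """Count findings per discrepancy type, to see what kind of change occurred."""
    return Counter(description for _path, description in findings)


if __name__ == "__main__":
    for path, description in new_findings(BASELINE, LATEST):
        print(f"{description}\t{path}")
```
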
