explorer.exe uses full core permanently, ntdll.dll!RtlValidateHeap+0x17


  1. Posts : 24
    Windows 7 Pro 64 bit
       #1



    After having wasted several days with useless scanner software I've installed an SSD drive and installed Windows 7 on it, which works fine. The disk on which the infected Windows 7 is installed is now used purely for data storage, although I can still boot into the infected Windows if someone likes to explore the problem.
    -------------------------------------------------

    As soon as I open Windows Explorer, it uses a full core of my 4 core system. I'm running Windows 7 Pro 64 Bit. Process Hacker shows ntdll.dll!RtlValidateHeap+0x170 as start address for the thread that uses the processor resources. I've tried Process Monitor to find out what this thread is doing, but only the thread exit with success (after I've terminated it in Process Hacker) shows up in Process Monitor. A System Restore has brought no change. I can't find anything suspicious in Event Viewer. I've run full scans with Microsoft Security Essentials, Anti-Malware, Hitman Pro and most other programs listed at http://www.bleepingcomputer.com/download/windows/security, to no avail.

    The problem also occurs with other programs, e.g. Notepad, as soon as the Windows file dialog is opened, although in that case it is not always ntdll.dll that seems to use the processor resources.
    When I boot in safe mode with pretty much everything disabled, Windows Explorer works fine.

    DDS.txt and Attach.txt are attached (couldn't post DDS.txt as too long).


  2. Posts : 21,004
    Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
       #2

    Hello Geverl mate, I see you have been waiting for a while now for an answer and that you have tried a fair bit of stuff already, but just as a suggestion try this:
    Download Kaspersky Rescue Disk 10; it will, as you probably know, run from power up and scan without "involving" Windows.
    It is usually pretty good at digging out stuff that is missed on the other scanners. I see you know re bleepingcomputer site, I refer to it all the time, top site eh?

    By the by, have you run a rootkit scan, as I cannot see a mention of it there in your post? You will of course be aware that the TDSS Killer in this link is probably as good as any. But which one you use is up to you; I have used about three of those linked and find them all good, but the TDSS is my pick :)
    Best Free Rootkit Scanner and Remover


  3. Posts : 24
    Windows 7 Pro 64 bit
    Thread Starter
       #3

    Thanks for the suggestion. Kaspersky Rescue Disk 10 has taken some 9 hours to find nothing noteworthy.
    I had already run TDSS a few days ago, with the same result.


  4. Posts : 1,049
    Windows 7 Pro 32
       #4

    Have you tried Autoruns?

    Safe Mode doesn't process the Run and RunOnce registry keys. One additional startup method is the Winlogon Shell, but that is also skipped if you choose Safe Mode with Command Prompt.

    Also it's better to not immediately kill a malicious process. You should try to identify if there's more than one process and suspend them first. Or they can restart each other.

    Here's a great guide that uses Sysinternals tools: Microsoft SIR - Advanced Techniques - Malware Cleaning

    Here's basically the same thing but explained in a video: Malware Hunting with the Sysinternals Tools | TechEd North America 2012 | Channel 9
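The autostart locations named in the post above (the Run and RunOnce keys and the Winlogon Shell value), listed with PowerShell as an added example that is not part of the original thread. The function names are hypothetical, and the script avoids newer syntax so that it also runs on the PowerShell 2.0 shipped with Windows 7.

```powershell
# Added example, not from the thread. Read-only: it lists entries and changes nothing.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePath([string]$Command) {
    # Hypothetical helper: extract the executable from an autostart command line.
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { $image = $Matches[1] }
    elseif ($c -match '^(.+?\.(exe|dll|cmd|bat|vbs|js))(\s|,|$)') { $image = $Matches[1] }
    else { $image = ($c -split '\s+')[0] }
    if ($image -and -not (Test-Path -LiteralPath $image)) {   # bare name such as "explorer.exe"
        $cmd = Get-Command $image -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($cmd) { $image = $cmd.Path }                       # resolved through PATH
    }
    $image
}

function New-AutostartRecord([string]$Key, [string]$Name, [string]$Command) {
    $image = Get-ImagePath $Command
    $file = if ($image) { Get-Item -LiteralPath $image -Force -ErrorAction SilentlyContinue }
    # CompanyName is unverified file metadata: a hint for triage, not proof of origin.
    New-Object PSObject -Property @{
        Key = $Key; Name = $Name; Command = $Command; Image = $image
        Company  = $(if ($file) { $file.VersionInfo.CompanyName } else { '<file not found>' })
        Modified = $(if ($file) { $file.LastWriteTime })
    }
}

function Get-AutostartEntry {
    foreach ($p in $runKeys) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $key = Get-Item -LiteralPath $p
        foreach ($name in $key.GetValueNames()) {
            New-AutostartRecord $p $name ([string]$key.GetValue($name))
        }
    }
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $p = "$hive\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $shell = (Get-ItemProperty -LiteralPath $p -ErrorAction SilentlyContinue).Shell
        if ($shell) { New-AutostartRecord $p 'Shell' $shell }
    }
}
Get-AutostartEntry | Format-List Key, Name, Command, Image, Company, Modified
```

On a default installation the HKLM Winlogon Shell value is `explorer.exe`. Autoruns covers many more autostart locations than this listing.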


  5. Posts : 21,004
    Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
       #5

    geverl said:
    Thanks for the suggestion. Kaspersky Rescue Disk 10 has taken some 9 hours to find nothing noteworthy.
    I had already run TDSS a few days ago, with the same result.
    Ok Rev that is an inordinate amount of time for that to run but at least it rules anything "lurking" or anything like that just about.

    Now Tookeri has come up with some good suggestions follow T with those links:)


  6. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #6


  7. Posts : 24
    Windows 7 Pro 64 bit
    Thread Starter
       #7

    I did, I don't have an Igfxupdate.exe.


  8. Posts : 22
    Windows 7 Home Premium 64 Bit
       #8

    Could you back up the data from the infected drive, then do a factory reset of the drive?


  9. Posts : 21,004
    Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
       #9

    Shame Layback's suggestions could not be run, but if you want to back up data see this:

    BOOTABLE UBUNTU

    Make a bootable Ubuntu disk http://www.ubuntu.com/download

    Set the BIOS to boot from the optical; when the machine boots it will show you a screen with TRY or INSTALL > select TRY not INSTALL

    When it is finished - it takes very little time - you will get a screen like in the pic.

    Open the drive you want > User and dig down until you get to the data / settings; you may be able to copy / paste the material you want to an external source or other installed drive doing this.

    I am not sure if it will, but I have recovered tons of data etc. using this method, both on "dead" or just plain drives that you cannot get data from using Windows.


    PS you will need a DVD a cd is not big enough anymore
    Attached Thumbnails: ubuntu-screen-x2.png


  10. Posts : 24
    Windows 7 Pro 64 bit
    Thread Starter
       #10

    I could backup and format the infected disk and then just copy the data that I need back to it. In that case I'd also have a backup of the infected Windows partition files, but would not be able to boot into the infected partition anymore.


 