explorer.exe uses full core permanently, ntdll.dll!RtlValidateHeap+0x17

geverl

After having wasted several days with useless scanner software I've installed an SSD drive and installed Windows 7 on it, which works fine. The disk on which the infected Windows 7 is installed is now used purely for data storage, although I can still boot into the infected Windows if someone likes to explore the problem.
-------------------------------------------------

As soon as I open Windows Explorer, it uses a full core of my 4 core system. I'm running Windows 7 Pro 64 Bit. Process Hacker shows ntdll.dll!RtlValidateHeap+0x170 as start address for the thread that uses the processor resources. I've tried Process Monitor to find out what this thread is doing, but only the thread exit with success (after I've terminated it in Process Hacker) shows up in Process Monitor. A System Restore has brought no change. I can't find anything suspicious in Event Viewer. I've run full scans with Microsoft Security Essentials, Anti-Malware, Hitman Pro and most other programs listed at http://www.bleepingcomputer.com/download/windows/security, to no avail.

The problem also occurs with other programs, e.g. Notepad, as soon as the Windows file dialog is opened, although in that case it is not always ntdll.dll that seems to use the processor resources.
When I boot in safe mode with pretty much everything disabled, Windows Explorer works fine.

DDS.txt and Attach.txt are attached (couldn't post DDS.txt as too long).
 

At a glance
OS
Windows 7 Pro 64 bit
CPU
i2500K
Hello Geverl, mate, I see you have been waiting for a while now for an answer and that you have tried a fair bit of stuff already, but just as a suggestion try this:
Download Kaspersky Rescue Disk 10; it will, as you probably know, run from power up and scan without "involving" Windows.
It is usually pretty good at digging out stuff that is missed by the other scanners. I see you know the bleepingcomputer site; I refer to it all the time, top site eh?

By the by, have you run a rootkit scan? I cannot see a mention of it in your post. You will of course be aware that the TDSS Killer in this link is probably as good as any. But which one you use is up to you; I have used about three of those linked and find them all good, but the TDSS is my pick:)
Best Free Rootkit Scanner and Remover
 

At a glance
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Own build (new) Desk1 / Asus ROG Win 7 / Desk2 1st build
OS
Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
CPU
Desk1 i5 3750K / Laptop i7 GTX 860M / Desk2 i5 2500
Motherboard
Desk1 Asus P877-V / Desk2 Gigabyte H67 UD3H / Laptop ?
Memory
Desk1 8GB (1866) / Desk2 16GB (1333) / Laptop 8Gb DDR3
Graphics Card(s)
Desk 1& 2NVidia GTX 650 & Laptops on board Intel
Sound Card
Desk 1 & 2 -XONAR DG Realtek High Def audio Laptop
Monitor(s) Displays
Desk 1 Benq HD 2450 / Desk2 Philips 24" / Laptop 17.5"
Screen Resolution
1920x1080 D1 & D2 & Laptop 1
Hard Drives
Desk1 Samsung 120GB 830 SSD
Asus ROG 256GB 850 Pro SSD
Desk2 Samsung 840 256 SSD
Toshiba 120GB EVO
PSU
Desk 1 Corsair HX 1050/ Laptop ? / Desk 2 Corsair HX 650
Case
Desk 1 Cooler HAF XM ? Toshiba laptop / Desk2 Coolermaster
Cooling
Fans on all Desk1 -2 Desk2 - all Coolermasters 5 Laptop ?
Keyboard
Desk 1 MS Sidewinder X6 Desk 2 MS Sidewinder X 4
Mouse
Desk 1&2 - Gigabyte MS 900 gamer - laptop - Logitec wireless
Internet Speed
ADSL2+
Other Info
One other Desktop (tester) and spare Toshba laptop both with SSD's
Running Kaspersky 2016 ISS on all machines config'd identically
Logitec audio stereo systems on each machine (x3)
Canon MG5250MFC
Router/modem TP-Link running WPA2SK
Thanks for the suggestion. Kaspersky Rescue Disk 10 has taken some 9 hours to find nothing noteworthy.
I had already run TDSS a few days ago, with the same result.
 

Have you tried Autoruns?

Safe Mode doesn't process the Run and RunOnce registry keys. One additional startup method is the Winlogon Shell, but that is also skipped if you choose Safe Mode with Command Prompt.

Also it's better to not immediately kill a malicious process. You should try to identify if there's more than one process and suspend them first. Or they can restart each other.

Here's a great guide that uses Sysinternals tools: Microsoft SIR - Advanced Techniques - Malware Cleaning

Here's basically the same thing but explained in a video: Malware Hunting with the Sysinternals Tools | TechEd North America 2012 | Channel 9
 

At a glance
Computer type
Laptop
Computer Manufacturer/Model Number
HP Elitebook 8540p
OS
Windows 7 Pro 32
CPU
Intel(R) Core(TM) i5 CPU M 540 @ 2.53GHz
Motherboard
Hewlett-Packard 1521
Memory
4,00 GB (Usable 2,98)
Graphics Card(s)
NVIDIA NVS 5100M
Sound Card
NVIDIA High Definition Audio
Screen Resolution
1600x900
Hard Drives
INTEL SSDSA2CW120G3
Antivirus
F-Secure Internet Security
Browser
IE, Firefox, Opera
Other Info
Sandboxie,
SRP (Software Restriction Policy),
EMET (Enhanced Mitigation Experience Toolkit),
WFC (Windows Firewall Control by BiniSoft),
Malwarebytes Premium
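Two of the points raised above, worked into an added example that is not code from the thread: Tookeri's note that Safe Mode skips the Run/RunOnce keys and the Winlogon Shell, and the OP's observation of the hot thread's start address in Process Hacker. The PowerShell below (3.0 or later, run elevated from a 64-bit prompt) lists those startup locations and maps the busiest explorer.exe threads' start addresses to module+offset. It has no symbol resolution, so it shows ntdll.dll+offset rather than RtlValidateHeap+0x170. The registry paths and default Winlogon values are the documented Windows 7 ones and are assumptions of this example, not taken from the thread.

```powershell
# Added triage helper (not from the thread). Needs PowerShell 3.0+ and an elevated,
# 64-bit prompt. Registry paths are the documented Run/RunOnce and Winlogon locations;
# the "expected" Winlogon values are the Windows 7 defaults (assumption of this example).

function Get-StartupEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
            # a command living in a user-writable folder is a hint to look closer, not a verdict
            [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value; Suspicious = ($p.Value -match '\\(AppData|Temp|ProgramData)\\') }
        }
    }
    # Winlogon Shell/Userinit: any value other than the default deserves a look
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = @{ Shell = 'explorer.exe'; Userinit = "$env:windir\system32\userinit.exe," }
    foreach ($name in $expected.Keys) {
        $value = (Get-ItemProperty -Path $wl -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{ Key = $wl; Name = $name; Value = $value
                           Suspicious = ($value -ne $expected[$name]) }
    }
}

function Get-HotThreads {
    param([string]$ProcessName = 'explorer', [int]$Top = 3)
    foreach ($proc in Get-Process -Name $ProcessName) {
        $modules = @($proc.Modules)   # needs admin rights and a prompt of the same bitness as the target
        $hot = $proc.Threads | Sort-Object TotalProcessorTime -Descending | Select-Object -First $Top
        foreach ($t in $hot) {
            $start = $t.StartAddress.ToInt64()
            # map the Win32 start address to the loaded module whose image range contains it
            $mod = $modules | Where-Object {
                $base = $_.BaseAddress.ToInt64()
                ($start -ge $base) -and ($start -lt ($base + $_.ModuleMemorySize))
            } | Select-Object -First 1
            $where = 'unknown (not inside any loaded module)'
            if ($mod) { $where = '{0}+0x{1:X}' -f $mod.ModuleName, ($start - $mod.BaseAddress.ToInt64()) }
            [pscustomobject]@{ PID = $proc.Id; TID = $t.Id; CpuTime = $t.TotalProcessorTime
                               StartAddress = ('0x{0:X}' -f $start); Module = $where }
        }
    }
}

Get-StartupEntries | Format-Table -AutoSize
Get-HotThreads | Format-Table -AutoSize
```

A thread whose start address falls outside every loaded module, or a Winlogon value flagged Suspicious, is what you would chase next with Autoruns and the Sysinternals guide linked above.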
Thanks for the suggestion. Kaspersky Rescue Disk 10 has taken some 9 hours to find nothing noteworthy.
I had already run TDSS a few days ago, with the same result.
Ok Rev, that is an inordinate amount of time for that to run, but at least it just about rules out anything "lurking" or anything like that.

Now Tookeri has come up with some good suggestions; follow T with those links:)
 


At a glance
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home made Desktop
OS
Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
CPU
Intel i7-6800K @ 4.3
Motherboard
ASUS X-99 Deluxe II
Memory
Corsair Platinum 16 gig @2400
Graphics Card(s)
EVGA GTX 1070 OC
Monitor(s) Displays
Asus 27" LED LCD/VE278Q
Screen Resolution
1920-1080 or 1280-720 HDMI
Hard Drives
INTEL SSD 730-240 Gb Sata 3.0/
PSU
EVGA Platium 1200W
Case
Phanteks Luxe Tempered Glass 8 fans/ one radiator
Cooling
XSPC/ Water Cooled CPU
Keyboard
Das 4 Professional
Mouse
Logitech M705/MX Anywhere 2-S
Internet Speed
100 mbits
Antivirus
Microsoft Security Essentials/ Malwarebytes Premium 3.0/ SAS
Browser
I.E. 11 default/Firefox/ ISP Time Warner Cable/Spectrum
Other Info
LG BluRay Burner/
Sound system-KLipsch-THX/
Icy Dock ssd Hot Swap bays.
I did, I don't have an Igfxupdate.exe.
 

Could you back up the data from the infected drive, then do a factory reset of the drive?
 

At a glance
Computer type
Laptop
Computer Manufacturer/Model Number
Toshiba Satellite A665 Laptop / Home Built Gaming PC
OS
Windows 7 Home Premium 64 Bit
CPU
Intel Core i3 CPU 2.27 GHz / Intel Core i5 CPU ~3.8 GHz
Memory
500 GB HDD / 2TB HDD
Graphics Card(s)
Toshiba HD Graphics / GTX 750Ti
Monitor(s) Displays
Attached Screen / 2 ACER and 1 AOC
Screen Resolution
1366 x 768 / 1920 x 1080
Cooling
Laptop Fan(s) / 3 Stock Case Fans
Keyboard
Laptop Keyboard / Logitech G710+
Mouse
Mousepad / Logitech G500
Antivirus
Commodo / Avast
Browser
Chrome / Chrome
Shame Layback's suggestions could not be run, but if you want to back up data see this

BOOTABLE UBUNTU

Make a bootable Ubuntu disk http://www.ubuntu.com/download

Set the BIOS to boot from the optical drive. When the machine boots it will show you a screen with TRY or INSTALL > select TRY, not INSTALL.

When it is finished - it takes very little time - you will get a screen like in the pic.

Open the drive you want > User and dig down until you get to the data / settings; you may be able to copy / paste the material you want to an external source or other installed drive doing this.

I am not sure if it will, but I have recovered tons of data etc using this method both on "dead" or just plain drives that you cannot get data from using Windows.


PS you will need a DVD, a CD is not big enough anymore
 

Attachments: UBUNTU SCREEN X2.PNG

I could back up and format the infected disk and then just copy the data that I need back to it. In that case I'd also have a backup of the infected Windows partition files, but would not be able to boot into the infected partition anymore.
 

What I meant and was going to suggest is that to clean that drive properly you retrieve any data such as pics, docs and any programs you really need (say paid-for ones) and then do a complete reinstall.
This is a good tutorial to follow for the install as it has the latest ISO and will cut down on the updates: http://www.sevenforums.com/tutorials/219487-clean-reinstall-factory-oem-windows-7-a.html This means though you have to format and get that drive ready as new to do this.
Just make sure you pick only the version you have; others get greedy and it ends in grief - see pic
and this http://www.sevenforums.com/tutorials/113967-ssd-alignment.html

I think in the long run this may be your best option, and just in case you do do this then use this to make an image for future problems if they arise - so much easier than plodding through installing everything you like

http://www.sevenforums.com/tutorials/73828-imaging-free-macrium.html I set my machines to do this at weekly intervals - saves so much hassle
 

Attachments: ISO.PNG

I could back up and format the infected disk and then just copy the data that I need back to it. In that case I'd also have a backup of the infected Windows partition files, but would not be able to boot into the infected partition anymore.

Well, what I mean is that on a laptop, I know, at least, I can actually do a factory reset of the laptop. It reverts back to an out-of-the-box condition, formatting all files and keeping Windows. The infected files, I would assume, could be cleaned and put back on the reset computer.
 

Well you are right 2stone, but it does load all the crapware, and doing it the way I laid out there is none of that, and believe me it saves so much on boot time and loading the essential programs.

I have done this a few times and even used an OEM, and the effect on the machine's performance is just what you need.
 
