  #1  
Old 01-04-2006
Bronze Member
 
Join Date: Jan 2006
Posts: 23
reillytj
[Fixed] Is Spyware, etc. causing system degradation?

I have a Dell 8300 desktop with XP Professional SP2. The computer is always running in "overdrive" -- you can hear the CPU running high and when I check the CPU usage, Explorer.exe is grabbing 50%. The PC sounds like it would if a program was doing something intensive but I have no idea what is happening. Recently another related issue has arisen. If I try to boot into Safe Mode, the dialog box that asks if you are okay with running Safe mode comes up but before I can click OK/Yes, the dialog disappears, I get no desktop (explorer.exe is not an active process). Something is amiss and I need urgent help. Here is the Hijackthis log from today.
Please help and feel free to email me directly with any tips, etc.
Tim Reilly

email: Edit: Sorry Tim, not a good idea to post your email here, we answer all posts in the forum. LGW
Attached Files
File Type: txt HJT log.txt (13.2 KB, 1 views)



Last edited by ladygreenwitch; 01-04-2006 at 05:06 PM.
  #2  
Old 01-04-2006
ladygreenwitch's Avatar
Administrator
 
Join Date: Jul 2005
Location: Bay Area California
Posts: 4,690
ladygreenwitch

Hi Reilly,

Welcome to PCHF. We have a wonderful group of techs here, and I am sure that we will be able to help you determine what's causing your problems.

In the future, please only post logs as attachments. I will fix your post for you.

Please follow the instructions for PreWork in my signature, making SURE to unzip HijackThis into its own folder before running it.

Look forward to your reply,

TTFN

LGW


  #3  
Old 01-04-2006
joe5's Avatar
Elite Member
 
Join Date: Jun 2005
Location: Netherlands
Posts: 9,044
joe5

Hya Reillytj, welcome to PCHF.



When in safe mode, see if you can start explorer and apps like this:

task manager/file/new task (run)/explorer.exe
task manager/file/new task (run)/hijackthis.exe
task manager/file/new task (run)/etc.

If not, then do the fix in normal mode.

Please download Process Explorer by Sysinternals from HERE.

Also download KillBox by Option^Explicit from HERE.

And download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original Hosts file.

Then boot up in SAFE MODE and stay in safe mode (hit F8 when booting up) until the entire fix is done.

Unzip Process Explorer and double click on procexp.exe
In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.
Once you see this screen click on each instance of reg.dll once and then click the kill button.
After you have killed all of the reg.dll's under winlogon click OK.

Next, in the top section of the Process Explorer screen again, double click on explorer.exe and again click once on each instance of reg.dll, then click the kill button.
Once you have done that click OK again.

Next run HijackThis and place a check beside each of the following:

O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\reg.dll
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb02a.cab
O20 - Winlogon Notify: reg - C:\WINDOWS\reg.dll
Now click fix checked and close HijackThis.


Please copy the text in the quote below, and paste it into a blank notepad window.

Save it as vundo.reg and in the "save as" type box choose "all files".
Once you have saved it double click it and allow it to merge with the registry.

Code:
REGEDIT4 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}] 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}] 
[-HKEY_CLASSES_ROOT\CLSID\{581F22DA-7202-4F21-AEF3-114787156016}] 
[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}] 
[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}] 
[-HKEY_CLASSES_ROOT\MSEvents.MSEvents] 
[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1] 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents] 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]

Double click on Killbox.exe and then check the delete on reboot button.

Enter the following filepath and filename into the Full path of file to delete box:

C:\WINDOWS\reg.dll

Click the red circle with the white x and allow your computer to reboot.
(if killbox doesn't reboot on its own then please reboot manually)

After your computer has rebooted, run HijackThis again and attach the new HijackThis log to a post instead of copying it into a post, please.

Also, do you know that Cisco Systems VPN Client is running on your PC?


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
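As an added, defensive example that is not part of the thread or of any tool it mentions: a small Python parser for the O2/O16/O20 lines of a HijackThis log, fed the entries joe5 listed above and the CLSIDs from his vundo.reg. It flags the same two reg.dll entries he checked, for the reasons the thread gives (the CLSID is on the removal list, the DLL is registered as a Winlogon Notify handler, and it lives directly in C:\WINDOWS). The "Example Helper" line with its all-zero CLSID is a constructed benign control, not from the log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Log lines quoted in the thread plus one constructed, benign BHO entry (placeholder CLSID).
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\reg.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb02a.cab
O20 - Winlogon Notify: reg - C:\WINDOWS\reg.dll
"""

# CLSIDs deleted by the vundo.reg file posted in the thread.
VUNDO_CLSIDS = {"{B8B55274-0F9A-41E5-9067-A3539BD9E860}", "{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}",
                "{581F22DA-7202-4F21-AEF3-114787156016}"}

LINE_RE = re.compile(r"^(O\d+) - ([A-Za-z ]+): (.*)$")          # "O20 - Winlogon Notify: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
WINDIR_DLL_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)

@dataclass
class Entry:
    section: str           # "O2", "O16", "O20", ...
    kind: str              # "BHO", "DPF", "Winlogon Notify", ...
    name: str              # display name; empty when the line starts with a CLSID (O16)
    clsid: Optional[str]
    target: str            # DLL path or download URL
    reasons: List[str] = field(default_factory=list)

def parse_hjt(text: str) -> List[Entry]:
    # Each line is "Oxx - Kind: name - {CLSID} - target"; the target is always the last " - " part.
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, kind, rest = m.groups()
        parts = [p.strip() for p in rest.split(" - ")]
        clsid = CLSID_RE.search(rest)
        name = "" if CLSID_RE.fullmatch(parts[0]) else parts[0]
        entries.append(Entry(section, kind, name, clsid.group(0).upper() if clsid else None, parts[-1]))
    return entries

def assess(entry: Entry) -> Entry:
    # Attach the reasons an entry deserves a look; an empty list means nothing was flagged.
    if entry.clsid in VUNDO_CLSIDS:
        entry.reasons.append("CLSID is one of those removed by vundo.reg")
    if entry.section == "O20":
        entry.reasons.append("Winlogon Notify DLL: loaded by winlogon.exe at logon, which keeps the file in use")
    if WINDIR_DLL_RE.match(entry.target):
        entry.reasons.append("DLL dropped directly into the Windows directory")
    return entry

def suspicious_entries(text: str = SAMPLE_LOG) -> List[Entry]:
    return [e for e in map(assess, parse_hjt(text)) if e.reasons]
```

The O16 sidestep entry joe5 also fixes is parsed but not flagged, since none of the three checks above covers a DPF download URL.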

  #4  
Old 01-04-2006
Bronze Member
 
Join Date: Jan 2006
Posts: 23
reillytj

Joe,

Thanks for the instructions. I will try them ASAP. I have one question. You say to try executing the explorer.exe, Hijackthis, and ect in safe mode from the task manager. Then you say, "If not , then do the fix in normal mode.". Do you mean to apply all of the instructions following that in normal Windows mode instead of in safe mode? Or, keep trying to execute them in Safe Mode? Just want to be sure before I start. One aside. I booted up into a command prompt last week and tried to delete the C:\Windows\reg.dll file but the delete failed because the file was in use from other processes. I look forward to killing it from these processes and then deleting it. Let me know about my question above. Again, many thanks.

Tim


  #5  
Old 01-04-2006
joe5's Avatar
Elite Member
 
Join Date: Jun 2005
Location: Netherlands
Posts: 9,044
joe5

If you can follow the fix instructions in safe mode by starting explorer, or running the tools the way I mentioned, then please do so, but if you can't, then you can do it in normal Windows mode.


And after you have followed my instructions the reg.dll will be gone.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

  #6  
Old 01-11-2006
Bronze Member
 
Join Date: Jan 2006
Posts: 23
reillytj

Joe,

I have followed your instructions and explorer.exe is clean (no more reg.dll). Explorer.exe has not grabbed 50% of the CPU since last night so I thank you for your help. Where does reg.dll come from? Here is the attached Hijackthis log for your review.

Tim
Attached Files
File Type: txt hijackthis after reg.dll 1-10-2006.txt (12.3 KB, 1 views)


  #7  
Old 01-12-2006
joe5's Avatar
Elite Member
 
Join Date: Jun 2005
Location: Netherlands
Posts: 9,044
joe5

It's gone indeed. Your HJT log is clean.


Where it comes from, good question. You have an AV, anti-spyware, a firewall, and Windows is updated. So the most common ways are blocked on your PC.

But it is known to be installed by visiting a Web site link contained in a spammed email, although it could also be installed by another app, or you've clicked on the wrong popup, etc.


But you are rid of it. :cool:


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

