explorer.exe using over 5GB of memory and showing as virus.

banj0chicken

Honorable
Jun 20, 2013
2
0
10,510
0
I have attempted everything I can to fix this issue with no success so I really hope someone in the community could shed some light on the situation.

When my computer boots I have 1 explorer.exe running that would seem quite normal using a few megabytes of RAM but after a few minutes a second explorer.exe opens which quickly climbs to 1GB, 2GB in memory I have even seen it go up to 6.5GB at one point and it is also using up quite a high percentage of the CPU.
http://i.imgur.com/PMOaKpV.png

At first when the second explorer opens my Anti virus software would react to it saying that it protected the computer from a harmful software located at C:\Windows\explorer.exe
http://i.imgur.com/W2uHDsy.png
I also downloaded a better anti virus ESET Smart Security 8 and it also flags up every few seconds with this: http://i.imgur.com/cere97K.png

Due to explorer.exe being a vital system process the anti virus was unable to delete it so it kept flagging it up every few seconds.

I tried sfc /scannow in command prompt it said that it found no issues. I also scanned explorer.exe manually and I got no threat found on my anti virus software plus I did a full scan with my anti virus software and still got no infected files showing up.

So I booted up a linux OS from a USB and used that to manually delete explorer.exe off the Windows boot drive. When booting back into windows I used the command prompt to do another sfc /scannow which found that explorer.exe was missing so it repaired it by adding a clean explorer.exe.

But it did not fix the issue.

Any help with this issue would be greatly appreciated as I really don't want to have to re-install my OS.

Here are my specs:

OS: Windows 7 Ultimate 64bit
CPU: Intel I5 3570K
RAM: 16GB DDR3
GPU: AMD R9 290X
Boot Drive: 120GB SSD Kingston
Storage: 2X 1TB HDD

Thanks.


 

mdd1963

Distinguished
This one has stumped a lot of people, but, here's a procedure pulled from another forum that supposedly worked...

-------------
1. Disconnect the machine from the Internet so that you can start Process Explorer without waiting a while.
2. Start Process Explorer (elevated), View lower pane.
3. Connect to the Internet and wait.
4. When the system starts going crazy check for a second instance of explorer.exe (will probably be there even before connecting to the Internet, but won't be doing much), and view the lower pane to look for that hidden folder/file in C:\ProgramData named {9A88E103-A20A-4EA5-8636-C73B709A5BF8}.
5. You can now kill the process but it won't help much since it will regenerate. You can't rename/remove the hidden folder since it's in use.
6. Boot to Recovery Environment, command line, unhide the hidden folder and rename (I added "bad" to the name in case I have to revert the change).
7. Boot to normal mode, check Process Explorer to see if the rogue explorer.exe appears. Check the formerly hidden folder. Previously it had 3 files in there, but now there should be only two. Unclear why.
8. Run D7's cleanup routine to clear "everything" out. (I also manually stopped and started System Restore to delete all restore points.)
9. Reboot and check Process Explorer to see if the CPU, RAM "and" HDD activity is normal. Check IE history to see if it's still populated with all those ad sites etc. Let it wait for a while connected to the Internet to ensure nothing funny is happening. (At this point when I checked the hidden folder again, there was only one file (a .dll) in there. I now moved the folder to the Support subfolder on the C: drive. still unsure if to delete it since I couldn't find anything in regedit or on the internet regarding those file and folder names.)
10. Run your typical post-removal routine
 

f-14

Distinguished
Apr 2, 2010
774
0
18,940
4
you need to send in a suspicious file report to ESET. you also need to uninstall all flash products as this is directly tied into your flash program namely adobe flash, but the virus could be programmed to jump ship to any flash program in order to work it's ad click magic as this looks to be a paid per click generator bot for one/many software vendors at that free software site listed.

also you should do a windows roll back to a date in time when you KNEW you didn't have this problem and run ESET anti virus after it's been updated. if you remain symptom free for a week, then you should be okay to go to the adobe site and install the newest version of flash they have.

if the problem starts back up you need to email adobe with the stuff you reported here as they have a serious security flaw that is out in the wild world web as well as that free site's web master with the same info you have here so the web master can look into the server hosting and contact the vendor paying for the per click traffic to get those bot IP's shut down or the traffic wiped and monitored for false readings and the bot's should shut down as the software vendors get sent lawsuits for acts of felony fraud.
 

banj0chicken

Honorable
Jun 20, 2013
2
0
10,510
0
Hi Thanks for replying. I have now uninstalled Adobe Flash player and google chrome which are the only 2 things I can think of. Problem still persists and my Avast anti virus is still flagging up this bot. My System restore is not working so I am unable to revert back to before I was infected. However ESET Anti Virus has stopped flagging anything. I keep getting this second explorer.exe popping up in task manager and that's when Avast flags it.


 

mdd1963

Distinguished
This one has stumped a lot of people, but, here's a procedure pulled from another forum that supposedly worked...

-------------
1. Disconnect the machine from the Internet so that you can start Process Explorer without waiting a while.
2. Start Process Explorer (elevated), View lower pane.
3. Connect to the Internet and wait.
4. When the system starts going crazy check for a second instance of explorer.exe (will probably be there even before connecting to the Internet, but won't be doing much), and view the lower pane to look for that hidden folder/file in C:\ProgramData named {9A88E103-A20A-4EA5-8636-C73B709A5BF8}.
5. You can now kill the process but it won't help much since it will regenerate. You can't rename/remove the hidden folder since it's in use.
6. Boot to Recovery Environment, command line, unhide the hidden folder and rename (I added "bad" to the name in case I have to revert the change).
7. Boot to normal mode, check Process Explorer to see if the rogue explorer.exe appears. Check the formerly hidden folder. Previously it had 3 files in there, but now there should be only two. Unclear why.
8. Run D7's cleanup routine to clear "everything" out. (I also manually stopped and started System Restore to delete all restore points.)
9. Reboot and check Process Explorer to see if the CPU, RAM "and" HDD activity is normal. Check IE history to see if it's still populated with all those ad sites etc. Let it wait for a while connected to the Internet to ensure nothing funny is happening. (At this point when I checked the hidden folder again, there was only one file (a .dll) in there. I now moved the folder to the Support subfolder on the C: drive. still unsure if to delete it since I couldn't find anything in regedit or on the internet regarding those file and folder names.)
10. Run your typical post-removal routine
 
Thread starter Similar threads Forum Replies Date
T Antivirus / Security / Privacy 3
D Antivirus / Security / Privacy 2
J Antivirus / Security / Privacy 5
B Antivirus / Security / Privacy 4
K Antivirus / Security / Privacy 1
O Antivirus / Security / Privacy 1
L Antivirus / Security / Privacy 7
everway9 Antivirus / Security / Privacy 20
2 Antivirus / Security / Privacy 5
K Antivirus / Security / Privacy 1
G Antivirus / Security / Privacy 10
R Antivirus / Security / Privacy 1
M Antivirus / Security / Privacy 1
A Antivirus / Security / Privacy 1
F Antivirus / Security / Privacy 3
B Antivirus / Security / Privacy 1
E Antivirus / Security / Privacy 1
S Antivirus / Security / Privacy 2
A Antivirus / Security / Privacy 14
T Antivirus / Security / Privacy 3

ASK THE COMMUNITY