Matt Kendall (asker)

asked on
Second explorer.exe starts and uses all (high) memory

Hi,

I've never had such a tough time getting rid of a bug but I'm due for my dose of humility.  I've got a Windows 7 Pro 64 workstation that was infected with something.  Another tech spent several hours on it and cleaned it up.  A few weeks later, the user complained about everything running slow.  After looking at the TSKMGR I saw that explorer.exe starts a second one and increases memory use until there's only 3 or 4% available.  I can end task on it but it starts up again a few minutes later.  This happens in safe mode as well as normal mode.  I've run Malwarebytes.  It doesn't find anything.  I've run combofix, it deletes a few things.  I've run Superantispyware and it doesn't find anything.  I've run their AV, NOD32 and it doesn't find anything but explorer.exe just takes off.  I'm to the point of just reloading everything as that's what I've seen others having the same issue have ended up doing.  Has anyone had any success in solving this problem?  Thanks!
ASKER CERTIFIED SOLUTION
Alan Hardisty

From my experience, the 2nd explorer.exe is a genuine file and the file path points to the same (normal) windows location.

I also used Process Explorer and didn't see anything untoward running or causing the 2nd explorer.exe to run, but blocking explorer.exe from talking to the web (it wanted to talk to a BT IP address in Ealing, a Rogers IP address in Toronto and an OVH SAS IP address in Montreal) stopped the 2nd explorer.exe from being spawned. So it appears that if allowed to talk to the world, explorer.exe talks to a command and control centre, then a 2nd instance is spawned and then it starts to talk to Eastern European / Russian IPs, and who knows what it is doing at that point.

My guess is that explorer.exe is infected / has been replaced.

Alan
Alright, Alan. Then let's provide the SHA1 checksum of a patched explorer.exe of Win7 x64. Do you have it handy? I would need to patch my virtual machine first.
From a Windows 7 SP1 64-bit PC (clean as far as I know; on the same site as the infected computer, but nothing in the AV software is being blocked or reported to us):

//
// File Checksum Integrity Verifier version 2.05.
//
5a49d7390ee87519b9d69d3e4aa66ca066cc8255 c:\windows\explorer.exe
Who's talking about Iexplorer?
jcimarron did:

Multiple instances of IE running is not at all unusual, but they should not take up the amount of CPU usage you report.
Hahaha, missed that.
kendalltech --
Except for the last sentence in my post http:#a40476830 the rest of the advice is still valid.

Please ignore my comment "Multiple instances of IE running is not at all unusual, but they should not take up the amount of CPU usage you report. ".
Matt Kendall (ASKER)
Wow!  Thanks for all the posts guys!  I'm determined not to let this bug force me to wipe and reload.  I'd like to know how to fix it so if I run into it again, I'll say, "Oh yeah, this is how I fixed that problem!"  

Alan, I have about 4 hours into this now and I feel like I'm so deep into it, I don't want to spend 4-5 hours reloading all of their software (probably most of it they can't find).  

Jcimarron, good idea.  I ran Process Explorer and I didn't see anything out of the ordinary other than two c:\windows\explorer.exe (the second one was c:\windows\Explorer.exe).  But what was really strange was that after I restarted the computer, both instances were lower case (c:\windows\explorer.exe).  I would end task on both and of course the taskbar would disappear.  A few minutes later, explorer.exe started up (not the real one, as the taskbar didn't come back) and would start eating up memory again.  Nothing unusual in Programs and Features.  Thanks for the advice.

Rob G, I didn't see anything out of the ordinary in msconfig.  Also, in the reg in the winlogin, I only saw one explorer.exe.

David Johnson, thanks for the advice.  I agree that it would probably be a good use of my time to spend the 4-5 hours to reload/reconfigure all 30 applications the user has (unfortunately the user is having a hard time finding some of the software that they use daily and the software company is defunct...so they're pretty desperate to get this box running right).  I'd like to find out how to solve this problem and then hopefully know how to quickly fix it again if I run into it in the future.  

So, I think that I'm dealing with a boot sector virus.  I put in the Windows 7 Pro 32 bit disc (yes, unfortunately they're running 32 bit), started a repair and chose command prompt.  I got a message, "This version of System Recovery Options is not compatible with the version of Windows you are trying to repair.  Try using a recovery disc that is compatible with this version of Windows."  I tried a Windows 7 Pro 64 bit disc and got the same message.  I used Rufus to create a bootable USB drive and put bootsect.exe on it so I could run bootsect /fixmbr, but the computer just hung on boot.  

Any ideas on how I can reset the MBR?  Can I disconnect the hard drive from the computer and connect it to another desktop and clean the MBR?  Thanks for your help!
kendalltech, there has been no indication of a boot sector virus yet.
If the boot disk tells you it is not compatible, it's because you have SP1 installed and the DVD does not have SP1 integrated. Use one with SP1 integrated.

But before you do that please use a checksum tool on explorer.exe so that we can make sure it's not manipulated. Take this for example: www.microsoft.com/en-us/download/details.aspx?id=11533
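The triage that Alan's Process Explorer / firewall post, his FCIV output, Rob G's Winlogon check and McKnife's checksum request each describe by hand can be run as one script. The following is an added example written for this page, not code posted by any participant. It assumes PowerShell 4.0 or later (for Get-FileHash; Get-NetTCPConnection needs Windows 8 or later, so on Windows 7 the last step falls back to netstat), and it treats the SHA1 Alan posted as a reference value from one Win7 SP1 x64 machine only: explorer.exe differs between builds and patch levels, so the authoritative check is sfc /verifyfile, which compares the file against Windows' own signed catalog.

```powershell
# Added example (not from the thread): triage a suspect explorer.exe on Windows 7+.
# $ReferenceSha1 is the hash one poster in this thread reported for his own
# Win7 SP1 x64 machine; it is a comparison aid, not a universal known-good value.
$ReferenceSha1 = '5a49d7390ee87519b9d69d3e4aa66ca066cc8255'
$ExplorerPath  = Join-Path $env:windir 'explorer.exe'

# 1. Hash the on-disk binary (same thing FCIV did in the post above).
$sha1 = (Get-FileHash -Path $ExplorerPath -Algorithm SHA1).Hash.ToLower()
"On-disk SHA1      : $sha1"
"Matches reference : $($sha1 -eq $ReferenceSha1)  (a mismatch alone only means 'different build')"

# 2. Let Windows itself decide: sfc /verifyfile reports integrity violations
#    against the signed component catalog without repairing anything.
sfc /verifyfile=$ExplorerPath

# 3. Autostart check: the Shell value under Winlogon must be exactly "explorer.exe".
#    A per-user Shell value (HKCU) should normally not exist at all.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    "$hive Winlogon\Shell : $(if ($null -eq $shell) { '<not set>' } else { $shell })"
}

# 4. Every running explorer.exe with image path, parent and memory use.
#    The real shell is started by userinit.exe, which exits, so its parent usually
#    shows as <exited>; a second instance, a path outside %windir%, or a live parent
#    that is not winlogon/userinit deserves a closer look.
$explorers = Get-CimInstance Win32_Process -Filter "Name='explorer.exe'"
$explorers | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
    [pscustomobject]@{
        PID          = $_.ProcessId
        Path         = $_.ExecutablePath
        ParentPID    = $_.ParentProcessId
        ParentName   = if ($parent) { $parent.Name } else { '<exited>' }
        WorkingSetMB = [math]::Round($_.WorkingSetSize / 1MB)
    }
} | Format-Table -AutoSize

# 5. Established TCP connections owned by those PIDs (explorer.exe normally has none
#    beyond the occasional local or Microsoft endpoint).
$pids = @($explorers | ForEach-Object { $_.ProcessId })
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $pids -contains $_.OwningProcess } |
        Select-Object OwningProcess, LocalPort, RemoteAddress, RemotePort |
        Format-Table -AutoSize
} else {
    # Windows 7 fallback: netstat -ano prints the owning PID in the last column.
    netstat -ano | Select-String 'ESTABLISHED' |
        Where-Object { $pids -contains [int]($_ -split '\s+')[-1] }
}
```

Run it from an elevated prompt (sfc and the HKLM read need it). The useful outcome is not the hash line by itself but the combination: a file that passes sfc, a single instance started from %windir%, an untouched Shell value and no outbound connections points away from explorer.exe and towards whatever is injecting into or respawning it; any one of those failing is the lead to chase.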
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
kendalltech ----
Did you try a Repair Install as suggested earlier?  http:#a40476830
http://www.sevenforums.com/tutorials/3413-repair-install.html
It should not affect installed programs or personal data, but a backup first is always a good idea.
I tried everything.  I did a repair install with the Windows disc but it still didn't fix the problem.  Alan, I ended up doing the same thing you did.  I backed up their data, formatted and installed Windows.  I really wanted to make this work but I couldn't spend any more time on it.  If I run into this again, I'll just back up and reload.  Major bummer!
Sorry it came to that for you too.  I reached the same conclusion: time was ticking away and a rebuild would be guaranteed to work (and potentially quicker).

Alan