Second explorer.exe starts and uses all (high) memory


I've never had such a tough time getting rid of a bug but I'm due for my dose of humility.  I've got a Windows 7 Pro 64 workstation that was infected with something.  Another tech spent several hours on it and cleaned it up.  A few weeks later, the user complained about everything running slow.  After looking at the TSKMGR I saw that explorer.exe starts a second one and increases memory use until there's only 3 or 4% available.  I can end task on it but it starts up again a few minutes later.  This happens in safe mode as well as normal mode.  I've run Malwarebytes.  It doesn't find anything.  I've run combofix, it deletes a few things.  I've run Superantispyware and it doesn't find anything.  I've run their AV, NOD32 and it doesn't find anything but explorer.exe just takes off.  I'm to the point of just reloading everything as that's what I've seen others having the same issue have ended up doing.  Has anyone had any success in solving this problem?  Thanks!
Matt KendallTech / Business owner operatorAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Alan HardistyCo-OwnerCommented:
I ran the same tools on a machine that I found this on recently and after about 4 hours of not managing to find out what it was and blocking traffic out from explorer.exe using the AV software that was installed on it (it was talking to Ukraine / Russia / Spain / Canada) I flattened the computer and rebuilt it.

Not helpful I'm afraid, but seemed to be the best option (for me / my customer).


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
kendalltech --
Run Process Explorer and see if you find any unexpected programs running.

Also look in Control Panel|Programs and Features to see if anything unexpected is shown as installed.

Eventually you may want to try a Repair Install.
It should not affect installed programs or personal data,  but a backup first is always a good idea.

Of course a Clean Install might be more effective, but a Repair Install is easier to recover from .

Multiple instances of IE running is not at all unusual, but they should not take up the amount of CPU usage you report.
Normally, analysis would start with finding out if the "second" explorer.exe is the real windows file or not. task manager can tell you what path it lies in.
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

Alan HardistyCo-OwnerCommented:
From my experience, the 2nd explorer.exe is a genuine file and the file path points to the same (normal) windows location.

I also used process explorer and didn't see anything untoward running or causing the 2nd explorer.exe to run, but blocking explorer.exe from talking to the web (which wanted to talk to a BT IP Address in Ealing, a Rogers IP Address in Toronto and an OVH SAS IP Address in Montreal) stopped the 2nd explorer.exe from being spawned, so it appears that if allowed to talk to the world, explorer.exe talks to a command and control centre, then a 2nd instance is spawned and then it starts to talk to Eastern Europe / Russian IP's and who knows what it is doing at that point.

My guess is that explorer.exe is infected / has been replaced.

Altight, Alan. Then let's provide the sha1 checksum of a patched Explorer.exe of win7 x64. Do you have it Handy? I would need to patch my virtual machine, first.
Rob GMicrosoft Systems EngineerCommented:
Do you see it in MSconfig running under a different name?
Also you can check this:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows NT>CurrentVersion>Winlogon
Check to see what is listed in the shell version..
It should say Explorer.exe
Assuming it is only in there once, but if it is in there twice, you can have it launch a second time..
David Johnson, CD, MVPOwnerCommented:
there is a big difference between explorer.exe and iexplore.exe. and the asker is referring to the former. With that in mind I'd suggest sysinternal's Autoruns and see what your autostart settings are.  With it starting up after the system has loaded, I'd be looking at the task scheduler as well. Most of the problems come from users not paying attention when they download and install new software.. A lot of downloadable content has other 'goodies' packaged along with the item you want to install.. Each of these has a way of 'declining' the offer and unless you pay attention and don't just click next, next, next, ok then you get the 'goodies' These are not viruses or malware since you agreed to the terms and conditions and installed them as well as the item you wanted.  So check the add/remove programs in control panel for any 'goodies'

If you can't find the offenders within a short period of time it is time to consider how much time you've already spent on this task.. and can you truly trust this machine in the future.  Flattening the machine and starting from scratch is probably a more productive use of your time.
Alan HardistyCo-OwnerCommented:
From a Windows 7 SP1 64-Bit PC (Clean as far as I know - but on the same site as the infected computer but nothing in the AV software being blocked and reporting to us):

// File Checksum Integrity Verifier version 2.05.
5a49d7390ee87519b9d69d3e4aa66ca066cc8255 c:\windows\explorer.exe
Rob GMicrosoft Systems EngineerCommented:
Who's talking about Iexplorer?
Alan HardistyCo-OwnerCommented:
jcimarron did:

Multiple instances of IE running is not at all unusual, but they should not take up the amount of CPU usage you report.
Rob GMicrosoft Systems EngineerCommented:
hahaha,,, missed that..
kendalltech --
Except for the last sentence in my post http:#a40476830 the rest of the advice is still valid.

Please ignore my comment "Multiple instances of IE running is not at all unusual, but they should not take up the amount of CPU usage you report. ".
Matt KendallTech / Business owner operatorAuthor Commented:
Wow!  Thanks for all the posts guys!  I'm determined not to let this bug force me to wipe and reload.  I'd like to know how to fix it so if I run into it again, I'll say, "Oh yeah, this is how I fixed that problem!"  

Alan, I have about 4 hours into this now and I feel like I'm so deep into it, I don't want to spend 4-5 hours reloading all of their software (probably most of it they can't find).  

Jcimarron, good idea.  I ran process explorer and I didn't see anything out of the ordinary other then two c:\windows\explorer.exe (the second one was c:\windows\Explorer.exe)  But, what was really strange was after I restarted the computer, both instances were lower case (c:\windows\explorer.exe).  I would end task on both and of course the taskbar would disappear.  A few minutes later, explorer.exe started up (not the real one as the taskbar didn't come back) and would start eating up memory again.  Nothing unusual in Programs and Features.  Thanks for the advice.

Rob G, I didn't see anything out of the ordinary in msconfig.  Also, in the reg in the winlogin, I only saw one explorer.exe.

David Johnson, thanks for the advice.  I agree that it would probably a good use of my time to spend the 4-5 hours to reload/reconfigure all 30 applications the user has (unfortunately the user is having a hard time finding some of the software that they daily use and the software company is they're pretty desperate to get this box running right).  I'd like to find out how to solve this problem and then hopefully know how to quickly fix it again if I run into it in the future.  

So, I think that I'm dealing with a boot sector virus.  I put the Windows 7 Pro 32 bit (yes, unfortunately they're running 32 bit) and started a repair and choose command prompt.  I got a message, "This version of System Recovery Options is not compatible with the version of Windows you are trying to repair.  Try using a recovery disc that is compatible with this version of Windows."  I tried a Windows 7 Pro 64 bit disc and got the same message.  I used Rufus to create a bootable USB drive and put bootsect.exe on it so I could run bootsect /fixmbr but the computer just hung on boot.  

Any ideas on how I can reset the MBR?  Can I disconnect the hard drive from the computer and connect it to another desktop and clean the MBR?  Thanks for your help!
kendalltech, there has been no indication of a boot sector virus, yet.
If the bootdisk tells you it is not compatible, then it's because you have SP1 installed and the DVD is without SP1 integrated. Use one with SP1 integrated.

But before you do that please use a checksum tool on explorer.exe so that we can make sure it's not manipulated. Take this for example:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
kendalltech ----
Did you try a Repair Install as suggested earlier?  http:#a40476830
It should not affect installed programs or personal data,  but a backup first is always a good idea.
Matt KendallTech / Business owner operatorAuthor Commented:
I tried everything.  I did a repair install with the Windows disc but it still didn't fix the problem.  Alan, I ended up doing the same thing you did.  I backed up their data, formatted and installed Windows.  I really wanted to make this work but I couldn't spend anymore time on it.  If I run into this again,  I'll just backup and reload.  Major bummer!
Alan HardistyCo-OwnerCommented:
Sorry it came to that for you too.  I reached the same conclusion that time was ticking away and a rebuild would be guaranteed to work (and potentially quicker).

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 7

From novice to tech pro — start learning today.