[SOLVED] Malware - second Explorer.exe that eats CPU and RAM

shamrin

I'm at the end of the line with this virus. I've thrown all the tools at it and it simply persists. Whether in Normal or Safe Mode, the machine starts a second explorer.exe instance. It's definitely the legitimate version of Explorer running from its proper location, only the second instance opens thread after thread, consumes all the available RAM and all the available CPU.

It behaves a whole lot like the Poweliks virus, you can kill the extra explorer.exe process but it just regenerates a few seconds to a few minutes later, taking over the computer. Similarly, there is no virus file apparently, just some registry trick that is causing it. Unfortunately, the Poweliks fixes are aimed at runaway dllhost processes, not explorer.exe. I have not been able to find any generalized approach to killing this thing. If anyone has managed it, I would very much appreciate some guidance.

Here's what doesn't work: Norton, Hitman, Combofix, ESET, MWB, Rkill, ADW, TDSSKiller
 
Whether in Normal or Safe Mode

It's time to either use AV boot disks/sticks or take the drive out and slave it to another machine and hit it with some good AV tools that can specifically scan that as an external (non boot) drive.
 
It behaves a whole lot like the Poweliks virus, you can kill the extra explorer.exe process but it just regenerates a few seconds to a few minutes later, taking over the computer. Similarly, there is no virus file apparently, just some registry trick that is causing it.

check scheduled tasks for something that executes every few minutes then check autoruns. clearly something is monitoring that second explorer.exe and restarts it when it finds it not there.

does process explorer or somesuch give an indication of what process spawned another process? does this explorer.exe have a parent process?
 
Try using Process Explorer to suspend the rogue process as opposed to killing it so you can run your tools. See what RogueKiller and the MBAR/M twins find.

I've been running the offline versions of Bitdefender and/or Kaspersky as of late as the first step in malware cleaning.

Stick with it, you'll get it.
 
It would be interesting if someone could get a screenshot of Comodo's "autoruns" while this memory hog/extra explorer.exe is running, it would be educational to see where it leads....

Also interesting to see if we can surmise where these (quite a few 'high CPU/RAM usage, extra explorer.exe'-related posts out there these days!) infections are originating (drive-by downloads, users clicking on fake Adobe updates, etc.)...
 
check scheduled tasks for something that executes every few minutes then check autoruns. clearly something is monitoring that second explorer.exe and restarts it when it finds it not there.

does process explorer or somesuch give an indication of what process spawned another process? does this explorer.exe have a parent process?

Well, the only thing I can glean from Process Explorer is that this is a subprocess of Explorer. The only difference I can see from it is that the "legitimate" one shows an Explorer.exe capitalised on the command line and the illegitimate one shows it as explorer.exe in lower case.

I began to wonder last night whether this might actually be something other than viral but Norton keeps popping up claiming that it's blocked an intrusion of some sort so clearly something is still going on here.

I rewrote the boot record yesterday in case it was spawning from something there, but that was to no avail. I really hate to re-install Windows but I'm getting close to full-time with this one.
 
Try A New User Profile

Does it happen in Safe Mode? Also check your usual startup locations, especially scheduled tasks. Definitely sounds like it's infected with the two different spellings of Explorer.

I have run into some weird issues myself. If you're sure the computer is clean, then have you tried a new user profile? A corrupted profile can cause some unusual issues sometimes.
 
Well, the only thing I can glean from Process Explorer is that this is a subprocess of Explorer. The only difference I can see from it is that the "legitimate" one shows an Explorer.exe capitalised on the command line and the illegitimate one shows it as explorer.exe in lower case.

I began to wonder last night whether this might actually be something other than viral but Norton keeps popping up claiming that it's blocked an intrusion of some sort so clearly something is still going on here.

I rewrote the boot record yesterday in case it was spawning from something there, but that was to no avail. I really hate to re-install Windows but I'm getting close to full-time with this one.

Have you explored it more thoroughly with Process Explorer?

Right click and try some of those options to track it down.

Upload to virus total results from right click?

Properties from right click?

Lots more to check out with Process Explorer.

Just for *hits and giggles, I once had something similar, that turned out to be a "stuck in the loop" windows update. Doesn't sound like your problem, but it drove me crazy.

Also, offline scan is a must....try Kaspersky Rescue Disk, make sure to update definitions before scanning.

Harold
 
how about MS/Sysinternals 'autoruns'? (This will allow it to be deleted from startup, *assuming* it's not been granted 'higher than admin' authority, which, btw, is the status of nanosvc.exe, a part of Nano AV which can't be gotten rid of without a complete uninstall)
 
Well, the only thing I can glean from Process Explorer is that this is a subprocess of Explorer. The only difference I can see from it is that the "legitimate" one shows an Explorer.exe capitalised on the command line and the illegitimate one shows it as explorer.exe in lower case.

It's probably an injected module into explorer.exe causing the issue.

In Process Explorer (run it as administrator), click on View and select Show Lower Pane. Then select View -> Lower Pane View -> Handles.

The lower pane should fill up with all the objects that the process has a handle to. You should be able to see the file that's being injected.
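The same triage can be scripted. The following is an added example, not code posted in the thread: from an elevated PowerShell prompt it lists every explorer.exe instance with its parent process and exact command line (so the capitalisation difference noted above is visible), lists modules loaded from outside the Windows directory (the "injected module" the lower pane would show), looks for hidden GUID-named folders under ProgramData, and lists scheduled tasks with a repeating trigger, which is where a watchdog that respawns a killed process would sit. It is read-only and assumes Windows 8 or later for Get-ScheduledTask.

```powershell
# Added triage example (not from the thread). Run as administrator. Read-only: nothing is killed or deleted.
$windir = $env:windir

# One entry per explorer.exe: PID, parent, start time and the command line exactly as launched.
$explorers = Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'"
foreach ($p in $explorers) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    [pscustomobject]@{
        PID         = $p.ProcessId
        ParentPID   = $p.ParentProcessId
        ParentName  = if ($parent) { $parent.Name } else { '<parent already exited>' }
        Started     = $p.CreationDate
        CommandLine = $p.CommandLine   # "Explorer.exe" vs "explorer.exe" shows up here
    } | Format-List

    # Modules loaded from anywhere other than %windir% are the candidates for an injected DLL.
    try {
        Get-Process -Id $p.ProcessId -ErrorAction Stop |
            Select-Object -ExpandProperty Modules |
            Where-Object { $_.FileName -notlike "$windir\*" } |
            Select-Object ModuleName, FileName |
            Format-Table -AutoSize
    } catch {
        Write-Warning "Could not enumerate modules for PID $($p.ProcessId): $_"
    }
}

# Hidden folders directly under ProgramData whose name is a bare {GUID}; the thread found one such folder.
Get-ChildItem -Path $env:ProgramData -Directory -Force |
    Where-Object {
        $_.Name -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$' -and
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
    } |
    Select-Object FullName, CreationTime, LastWriteTime

# Scheduled tasks with a repetition interval (e.g. PT5M = every five minutes) and what they run.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($t in $task.Triggers) {
        if ($t.Repetition.Interval) {
            [pscustomobject]@{
                Task     = $task.TaskPath + $task.TaskName
                Interval = $t.Repetition.Interval
                Action   = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            }
        }
    }
} | Format-Table -AutoSize
```

Anything the second explorer.exe loads from ProgramData, AppData or a Temp folder, or a task that re-launches it on a short interval, is the lead to chase with Autoruns before deleting anything.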
 
Does it happen in Safemode?

Same behaviour in Safe Mode

how about MS/Sysinternals 'autoruns'?

I can't find anything out of the ordinary, maybe I'm just missing it but it all looks fine.

It's probably an injected module into explorer.exe causing the issue.

In Process Explorer (run it as administrator), click on View and select Show Lower Pane. Then select View -> Lower Pane View -> Handles.

The lower pane should fill up with all the objects that the process has a handle to. You should be able to see the file that's being injected.

Tried this, there's a lot of stuff in there and nothing really jumps out. There were a couple of things in Temporary Internet Files that looked a bit odd so I went in and deleted everything there but it didn't have any impact. I'm not sure what I'm looking for, something out of place I suppose, but there is nothing obvious enough to grab my attention.

Also, ran Kaspersky Rescue for 2 hours, no result.
 
I've seen about a dozen instances of these symptoms over the past week in other forums, and, unfortunately, this unnamed malware is still unidentified, and, to my knowledge, there is as of yet, no quick method of removal short of a wipe/reload. (If trying to clear this infection on someone else's comp, running 19 hours of assorted scanners that don't detect anything seems a waste of time; it might be best to admit that, until these symptoms are at least recognized and named by one of the major antimalware players, and a patch subsequently released, a wipe/reload might be the only solution)
 
Wish I knew how this infection was occurring, so I could intentionally get it on a Win7 VM just to tinker with it with 40+ assorted tools!
 
Well, alas, since we are a repair shop and not a research facility I had to wipe the drive and install Windows on this unit. In the end, I think this was either a Poweliks-like virus based in the registry only OR some kind of monkey business with the boot record or a hidden partition.

When I went to reinstall from the recovery partition, that failed and I couldn't even install Windows from a disc either; that failed just after clicking on "Custom" install. I had to go into the disk with diskpart and do a clean of all the partitions before I could initiate an install.
 
Ah I had dealt with this one a few weeks ago, trying to remember what I did. It wasn't Poweliks, that's for sure. I wish I could remember all the details but I had to use RogueKiller, delete a bunch of executables that kept regenerating in the AppData folder (or one of the subfolders, can't remember), reboot into recovery & fixmbr and then re-run RogueKiller to make sure. That was a PITA, lost money on that one considering the time I spent battling it. It looks like he got it from a fake Flash installer.
 
Ah I had dealt with this one a few weeks ago, trying to remember what I did. It wasn't Poweliks, that's for sure. I wish I could remember all the details but I had to use RogueKiller, delete a bunch of executables that kept regenerating in the AppData folder (or one of the subfolders, can't remember), reboot into recovery & fixmbr and then re-run RogueKiller to make sure. That was a PITA, lost money on that one considering the time I spent battling it. It looks like he got it from a fake Flash installer.

Well, it's encouraging that you found a solution even if it's a little fuzzy. I've got another machine here with the same issue. Will see if I can document a solution.
 
I've got a solution

Wouldn't you know it, as soon as I dispatched the machine with the explorer.exe problem (by re-installing Windows), I got another machine in with the same issue.

It looks like there is a relationship between a Microsoft Office program called CTFMON.EXE and the respawning, malicious instances of Explorer. I found that by renaming CTFMON (and not letting it start), I could keep the rogue Explorers from starting as well.

I noticed this relationship on both machines I worked on. The second machine had a hidden instance of the Deep Freeze service as well. I don't know if this was associated with the Explorer problem or one of the many other viruses on the second computer but Deep Freeze is a program that returns the computer to a previous state, quite helpful I suppose to a virus that doesn't want to be removed.

My detailed steps can be found here.
 
I have a computer in now with the same explorer.exe problem.
I checked Process Explorer's lower pane and it showed that the rogue explorer.exe was referencing a hidden folder in C:\ProgramData named {9A88E103-A20A-4EA5-8636-C73B709A5BF8}. I renamed the folder in Recovery Mode and rebooted and the second explorer does not show up and the HDD activity is normal... until I open up Internet Explorer. Then it starts going crazy and you can see in the history that it's accessing dozens of sites. The CPU and RAM usage is normal, just the HDD is through the roof and the computer is very slow as a result, naturally.
I didn't rename ctfmon.exe since I thought the problem was with the hidden folder, and indeed, the second explorer instance is gone. I already ran RogueKiller, ESET and Symantec Poweliks removers, D7 scan but nothing interesting came up.
I'm running D7's temp, history etc. cleanup tools, and it's taking a very long time to delete the IE history. I'll wait a bit more then hit it with ComboFix, MBAM and an offline Kaspersky scan. Hopefully it'll get resolved.
Anyone have any other ideas what I should try?
 
Looks like it's taken care of.
I just had to wait until D7 finished all the cleanup routines, deleted temps, temp internet files, history, restore points, etc. Took over an hour, but the computer is working fine now.
Scanned with offline Kaspersky, came up clean. MBAM was clean. Combofix didn't find anything.
It sure took a while, but at least we know where to look in the future. I just wish Kaspersky AntiVirus, which they have installed, would have caught this.
Still unsure where it originated. Might be a rogue flash installer.
Anyway, thanks shamrin for pointing me in the right direction.
 
Trying to gather the key to the sequence of defeating it....

You mentioned renaming the hidden folder, but, yet when you launch internet explorer, the infection again takes hold...?

At some point did you ever delete the hidden folder mentioned above? Or did process explorer allow you to kill the child process after renaming the folder?

(The combination of MBAM, Roguekiller, assorted offline scanners, etc., to date have not found anything, so just trying to gather the key facts to the sequence you mentioned)

If I am reading correctly, it appeared to be MS/SysInternal's process explorer (if viewing lower pane!) that at least allowed you to discover the hidden folder being referenced by the rogue explorer child process...

If you could perhaps summarize your successful routine into something similar to a checklist? (Think it's safe to leave out all the preliminary ComboFix/Kaspersky Rescue CD, MBAM, since they all found/removed nothing?):

1. Use Process Explorer to investigate the explorer child process, view lower pane to see location details
2. (can process be killed here?)
3. ??
4. Rename (and/or delete) hidden folder?
5. D7, delete all assorted restore points, history, temp files, etc. (perhaps Bleeping Computer's 'TFC' (TempFileCleaner) might delete the same basic things?)
6. ?


The quicker we can get a quasi-checklist in logical order encompassing the key points, the quicker we can give you credit for defeating the "Rogue Explorer Memory Hog"!
 