[SOLVED] Malware - second Explorer.exe that eats CPU and RAM

I have a computer in now with the same explorer.exe problem.
I checked Process Explorer's lower pane and it showed that the rogue explorer.exe was referencing a hidden folder in C:\ProgramData named {9A88E103-A20A-4EA5-8636-C73B709A5BF8}.

Both machines that I worked on had that same hidden folder.
 
1. Disconnect the machine from the Internet so that you can start Process Explorer without waiting a while.
2. Start Process Explorer (elevated), View lower pane.
3. Connect to the Internet and wait.
4. When the system starts going crazy check for a second instance of explorer.exe (will probably be there even before connecting to the Internet, but won't be doing much), and view the lower pane to look for that hidden folder/file in C:\ProgramData named {9A88E103-A20A-4EA5-8636-C73B709A5BF8}.
5. You can now kill the process but it won't help much since it will regenerate. You can't rename/remove the hidden folder since it's in use.
6. Boot to Recovery Environment, command line, unhide the hidden folder and rename it (I added "bad" to the name in case I have to revert the change).
7. Boot to normal mode, check Process Explorer to see if the rogue explorer.exe appears. Check the formerly hidden folder. Previously it had 3 files in there, but now there should be only two. Unclear why.
8. Run D7's cleanup routine to clear "everything" out. (I also manually stopped and started System Restore to delete all restore points.)
9. Reboot and check Process Explorer to see if the CPU, RAM "and" HDD activity is normal. Check IE history to see if it's still populated with all those ad sites etc. Let it sit for a while connected to the Internet to ensure nothing funny is happening. (At this point when I checked the hidden folder again, there was only one file (a .dll) in there. I now moved the folder to the Support subfolder on the C: drive. Still unsure whether to delete it since I couldn't find anything in regedit or on the Internet regarding those file and folder names.)
10. Run your typical post-removal routine, update everything, educate client, get paid.
The End
 
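The checklist above is done by hand in Process Explorer: find the extra explorer.exe, then read the lower pane for anything it has loaded from a GUID-named folder under C:\ProgramData. The script below is an added triage helper, not something posted in this thread or shipped with Process Explorer or D7; it automates the same two checks so the result can be pasted into a ticket. It assumes a 64-bit PowerShell session run elevated on 64-bit Windows (module lists of other processes are not readable otherwise), and it treats any GUID-named ProgramData folder as a lead, not only the one quoted in the post, since a later reply notes the string differs between machines.

```powershell
# Added example (not from the thread): automate the Process Explorer checks
# described in the post above.
#  1. Every explorer.exe should be %WINDIR%\explorer.exe; report any other image.
#  2. Report any DLL a shell process has loaded from C:\ProgramData\{GUID}\...
#  3. List GUID-named ProgramData folders, including hidden ones.
# Run elevated in 64-bit PowerShell so Get-Process can read module lists.

# Matches e.g. C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\something.dll
$guidDirPattern = '^[A-Za-z]:\\ProgramData\\\{[0-9A-Fa-f\-]{36}\}\\'

function Get-SuspiciousExplorer {
    [CmdletBinding()]
    param(
        # Where the real shell lives; anything else is flagged.
        [string]$ExpectedImage = (Join-Path $env:WINDIR 'explorer.exe')
    )

    $procs = Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'"
    foreach ($p in $procs) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)" -ErrorAction SilentlyContinue
        $flags  = New-Object System.Collections.Generic.List[string]

        # Check 1: image path outside the Windows directory.
        if ($p.ExecutablePath -and ($p.ExecutablePath -ne $ExpectedImage)) {
            $flags.Add("image outside Windows dir: $($p.ExecutablePath)")
        }

        # Check 2: loaded modules that live in a GUID-named ProgramData folder.
        $modules = @()
        try {
            $modules = (Get-Process -Id $p.ProcessId -ErrorAction Stop).Modules |
                       Select-Object -ExpandProperty FileName
        } catch {
            $flags.Add("module list unavailable: $($_.Exception.Message)")
        }
        foreach ($hit in ($modules | Where-Object { $_ -match $guidDirPattern })) {
            $flags.Add("module from GUID folder: $hit")
        }

        [pscustomobject]@{
            PID        = $p.ProcessId
            Path       = $p.ExecutablePath
            ParentPID  = $p.ParentProcessId
            Parent     = if ($parent) { $parent.Name } else { '<exited>' }
            Started    = $p.CreationDate
            Suspicious = ($flags.Count -gt 0)
            Flags      = ($flags -join '; ')
        }
    }
}

function Get-GuidProgramDataFolders {
    # -Force includes hidden folders, which is how the thread's folder was set.
    Get-ChildItem -Path (Join-Path $env:ProgramData '*') -Directory -Force |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f\-]{36}\}$' } |
        ForEach-Object {
            [pscustomobject]@{
                Folder    = $_.FullName
                Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                Files     = (Get-ChildItem $_.FullName -File -Force -ErrorAction SilentlyContinue).Count
                LastWrite = $_.LastWriteTime
            }
        }
}

Get-SuspiciousExplorer     | Format-Table -AutoSize
Get-GuidProgramDataFolders | Format-Table -AutoSize
```

Two caveats when reading the output: more than one explorer.exe is normal when several users are logged on or when "Launch folder windows in a separate process" is enabled, and some legitimate installers also create GUID-named folders under ProgramData, so a hit from the second function means "inspect this folder", not "delete it". A shell process that has actually loaded a DLL from such a folder, as the post's lower-pane check found, is the stronger signal; record the PID, path and folder before killing anything, since the post notes the process respawns.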
Good job! I expect this checklist might save others from hours of wasted troubleshooting, ...and then reformatting/reinstall.
 
Just got 1 of these machines in with same issue.

I will be using the method provided by tek9.

Thank you Shamrin for your info also.

Wish me luck!

Harold
 
Just saw this today as well.

Found that folder with a slightly different string in ProgramData, blew it away offline, problem gone. There were about 10-15 other files in there.

No AV currently detects it.

Wish I would have read this post before hunting it down myself. Would have saved me a few hours.
 
Ok, Here is where I'm at so far.

See the attached .zip file for progress so far. I can password protect the program data files if anyone would want them. (Or anything else, time permitting)

If anybody needs or cares to see anything about this machine, let me know now. It is now being imaged and cleaning will begin in the morning, approx. 12 hours from now.

Interesting piece of malware and interesting NOBODY seems to be catching it. This machine was a fully patched Win7 64 bit running Kaspersky. The only thing I can think of is someone "clicking" a fake something on October 25, 2014.

Harold
 

Any chance anyone saved the C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8} folder? Would love to look at the contents and see if we can come up with an easy solution.

If nothing else, I can try and get its detection and possible removal added to the tools at BC.

Thanks
 
Any chance anyone saved the C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8} folder? Would love to look at the contents and see if we can come up with an easy solution.

If nothing else, I can try and get its detection and possible removal added to the tools at BC.

Thanks

See my files attached in my next post.

Harold
 
Ok, here are my results. Much too long to type, so I've attached files, including the malicious one. Password is explorer for the .zip file.

Very long, but interesting read, with unbelievable ending result!

For your enjoyment.

Wish I knew more about Process Explorer!

Harold

P.S. for those who get a .php file when downloaded, just change the extension to .zip and it should be fine.
 

Don't know why but I went to download my files on another computer and they were .php.

For those who get a .php file when downloaded, just change the extension to .zip and it should be fine.

Harold
 
Ok, in looking at my Norton Power Eraser log.....way down near the bottom it references File ID 356 with path e:\ctfmon.exe. I don't think the computer had a drive e:. Could that have something to do with the disappearing 0 MB partition that is no longer there?

Way too much info in these logs for my little brain!!

Harold
 