Solved Two explorer.exe, One taking all of my RAM's Memory

same problem - thanks! - but also fyi and a ?

Ran into same issue - computer was crawling. Thanks so much for all your work and problem solving on this - I read through the 12 thread pages. The UVK script worked great as I noted the same hidden folder. My computer now screams along fine/as usual ... EXCEPT: I still see two Windows Explorer processes when I go online. The good news is that it is no longer a RAM hog (was using almost 4GB and now stays in the 30-40k range) but still there after reboot. Something to worry about? Leave it alone? Keep an eye on? The memory usage has stabilized (waited 24 hours to share this) - will let you know. Thanks for any thoughts.
 

Maybe that's there because you have the option for a new explorer.exe process to run when a new file is open?
 

Folder still present

Ran into same issue - computer was crawling. Thanks so much for all your work and problem solving on this - I read through the 12 thread pages. The UVK script worked great as I noted the same hidden folder. My computer now screams along fine/as usual ... EXCEPT: I still see two Windows Explorer processes when I go online. The good news is that it is no longer a RAM hog (was using almost 4GB and now stays in the 30-40k range) but still there after reboot. Something to worry about? Leave it alone? Keep an eye on? The memory usage has stabilized (waited 24 hours to share this) - will let you know. Thanks for any thoughts.


My thoughts: Try running UVK as administrator - right click and choose "run as administrator"

If that doesn't work try the "Force Delete" option. Check results after a reboot.

If that doesn't work [SHIFT+Right Click] the folder and choose "copy as path" and paste the result here just to check that it's identical.

Other than that try PC Hunter:

Download PC Hunter - MajorGeeks

Run the program - there's a 32bit executable for 32bit machines and a 64bit executable for 64bit machines. From the "File" tab navigate to the problem folder and right click then choose "Force Delete".
 
I'd like to thank you all, was having the same issue, found this thread, found the same folder and cleaned it up.

Saved me so much time after a few scans. Only thing I'd done lately was Windows updates and a Flash Player update, so no idea where it came from, but it was driving me nuts so thanks for the hard work.
 

I'm having exactly the same problem with my laptop! So glad I found this thread, I've been trying to find a solution since October. I also have the folder with the same name in \ProgramData and have 2 Explorers, one of which uses all my memory. Can you please post the fix, I didn't quite understand how to delete this folder and get rid of the virus. Both Norton and Kaspersky couldn't find it and I didn't quite get from this topic how to remove it. Thank you!
 

UPDATE: downloaded UVK and used it to delete the folder in \ProgramData. The problem appears to be solved. Anything else I need to do? Thanks!
 

Clean Up?

Have a clean up maybe. Run CCleaner or similar if you've got it installed. Delete all system restore points and create a new one. You could also check what's connecting using the method in Post #81 or use any similar utility that you've got installed.
 

Thank you! I used a Kaspersky tool, TDSSKiller, and Norton's clean up utilities to look for a virus in the last few days and both came back clean. The only thing that helped was the deletion of that folder in \ProgramData. I might get CCleaner and run it. The rest looks a bit too complicated for me :) Thank you so much for posting the solution, I've been googling the solution to this problem for 2 months and couldn't find it anywhere! Why doesn't Norton address it? I have it running all the time!
 

Why doesn't Norton detect it?

Well according to the VirusTotal report none of the big name AV's detect it. I honestly don't know too much about it but here's my thoughts:

It seems to use digitally signed files to evade detection. MBAM Pro alerts on suspicious connections but doesn't remove it. It may take time for the big name AV's to come up with a safe method that they can use for detection and removal. Possibly it's classed as Adware and not malicious or not stealing your personal data.

The best thing that you can do for now is ask yourself how it got on your system. My guess (it's just a guess) is that it's a Flash exploit that used a vulnerability in an old version of Flash Player to install itself. So just make sure that you check that all third party software (non-Microsoft) is patched and up to date and that the old versions have been fully removed. That's about all you can do without installing extra protection!
 

Thank you

A big thanks to all of you for doing the leg work.

I too had the same symptoms and GUID folder (Hidden under c:\ProgramData) with the recently modified login date.

For any others out there it seems to be getting in by old Java versions. AVG, MalwareBytes, and even ComboFix hadn't detected the issue.

I ended up using Unlocker (downloaded from CNET Unlocker - Free download and software reviews - CNET Download.com) to forcefully delete the folder.

So far no 2nd explorer has come back taking up all the ram. Agreed that it's using signed DLLs to avoid detection . . . though I think mine was a different DLL name.

Thanks again for the help.
 

I've been having the same problem; mine's slightly different though. I have the computer in sleep mode right now just so I could research what the problem is and how to fix it, and it led me here. From reading over the thread and other ones I can skip over how I think I came to get it in detail; put short, I was browsing websites and when I closed a popup ad my problems started. I've yet to act on any info in the thread because my problem, like I said, is slightly different.

I get the second explorer.exe popping up, constantly increasing the amount of RAM it's using until I kill it manually. It stays down for a few minutes, unless I have Internet Explorer open, in which case it automatically just comes back, and always loads ctfloader (ctfmon.exe) with it. If I kill the actual explorer.exe it goes with it, and I can operate the computer as normal as it won't restart until I run explorer.exe.

I tried doing Windows updates and updating other software before I put the computer into sleep mode, but here's the part where things get slightly different: my AV, Avast, constantly detects and stops connections to various URLs, categorizing them as malware (thankfully I always set antiviruses to max sensitivity and to scan stuff even if it causes slowdown). It stops them so that's great; the problem is there are probably 13-15 connections every minute it's stopping, so my desktop gets bombarded with notices whenever explorer.exe is running, and with Avast's audio cues, it causes the worrier in you just to kill explorer.exe to stop it.

So this is where I run into my problem: I don't want to run explorer.exe out of worries it might backdoor in something worse, since my situation is a little different from everybody else's it seems, but at the same time in order to try anything, I really need explorer.exe. I was thinking of doing a boot time scan, but there's that catch-22 of being worried something worse might happen if I give whatever this is a chance at my computer on shutdown/startup.
 

@JustPassing:

I would recommend you go into the C:\ProgramData and see if you see any GUID folders that were recently modified:

Just so people know, a GUID is a string which has the following HEX FORMAT:

3F2504E0-4F89-11D3-9A0C-0305E82C3301 (note your numbers may appear differently).

If you DO see a GUID folder, the 2nd explorer is most likely coming from this directory. I used the Unlocker program to delete the folder forcefully; others have used UVK.

It's also been noted that if you don't have an internet connection the 2nd explorer stays dormant. So my suggestion would be to download utilities from a clean machine, disconnect the computer from the network, run your explorer, and then attempt the clean off of the thumb drive.

After you reboot, the 2nd explorer shouldn't come back.
 

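The check described in the post above (GUID-named, recently modified, possibly hidden folders under C:\ProgramData, plus the extra explorer.exe) as a read-only PowerShell triage script. This is an added example, not part of the original thread; the GUID pattern with optional braces and the choice of file extensions are assumptions.

```powershell
# Added example: read-only triage, nothing is deleted or changed.
# Assumption: the folder name is a bare or brace-wrapped GUID, as shown in the thread.
$root = Join-Path $env:SystemDrive 'ProgramData'
$guid = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'

# -Force includes hidden and system items, which Explorer hides by default.
# PSIsContainer is used instead of -Directory so this also runs on PowerShell 2.0 (Windows 7).
$folders = Get-ChildItem -LiteralPath $root -Force |
    Where-Object { $_.PSIsContainer -and $_.Name -match $guid } |
    Sort-Object LastWriteTime -Descending

foreach ($f in $folders) {
    $hidden = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
    "{0}  modified={1:yyyy-MM-dd HH:mm}  hidden={2}" -f $f.FullName, $f.LastWriteTime, $hidden

    # List binaries with their Authenticode status and signer.
    # A 'Valid' signature only says who signed the file, not that it is benign.
    Get-ChildItem -LiteralPath $f.FullName -Force -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(dll|exe|sys)$' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            "    {0}  created={1:yyyy-MM-dd HH:mm}  sig={2}  signer={3}" -f `
                $_.Name, $_.CreationTime, $sig.Status, $signer
        }
}

# Show every explorer.exe instance with its memory use, to spot the extra one.
Get-Process -Name explorer -ErrorAction SilentlyContinue |
    Select-Object Id, StartTime, @{n='WorkingSetMB'; e={ [math]::Round($_.WorkingSet64 / 1MB) }}
```

Legitimate installers also create GUID-named folders under C:\ProgramData, so a match is a lead to compare against the symptom's start time, not proof of infection.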
Avoid Explorer?

I don't see why you won't allow explorer to run but in addition to the above post you can download this:

https://explorerplusplus.com/download

It's a portable alternative to Windows Explorer and if you're worried you can use it to check the suspect folder.
 

I guess I wasn't the most clear, the reason for "avoiding" explorer was listed at the bottom of the second paragraph. "if I kill the actual explorer.exe it goes with it, and I can operate the computer as normal as it won't restart until I run explorer.exe."

I realise that I should stop getting the constant alerts if I just pull the ethernet cable from the tower, making the "Oh my god it sounds like it's about to blow up" fear go away, and from there try the so far tested and trusted solutions. I'm just reading as much as I can on this "subject"; being explorer.exe related, that's a pretty crucial part of the OS and not just some program I can toss away willy nilly, so I'm just siding on the air of caution before I go off doing anything, better safe than sorry.

Oh and thanks for the explorerplusplus download, that should be really handy.
 

Thankyou thankyou thankyou!

I had a basically frozen laptop for the last 2 days. Found the explorer.exe duplicate in Task manager consuming 100% RAM. Commenced internet search which led me here.

Solution as per cpubus: Locate and delete GUID folder under C:\programdata (used UVK delete utility).

Laptop running normally.

Note the rogue explorer.exe was cycling up and down - so laptop was usable for brief spurts - enough to download and run the software tools (eg UVK)

Also, the laptop was just as poorly performing when disconnected from internet - unlike as reported by others in this thread that the problem only surfaced when connected.

I'm non-techie but I assume the file doing the damage on my machine was thawbrkr.dll (created 29/1/15 7.25am, which corresponds to the time the problem started). Can't think of anything out of the ordinary I did around that time or just before. It's a work machine running only basic apps.

Thanks for help everyone!
 
