Two explorer.exe, One taking all of my RAM's Memory

This GUID path under programdata is listed in that log report posted by callender...

[QUOTE=Thorbro;2963803]Today? Sorry cpubus but I'm not sure I have seen anyone resolve this issue at all - this thread has been going for weeks without a clue. But who knows, maybe someone will find something. It does appear to be something malicious that is accessing the computer from remote location.

I'd say if this thing is using the same GUID folder for every computer to store the files then this thing is solved. A Christmas miracle! The question is what is this thing? Norton was on this machine and it was no help at all. You'd think running a dll with the same name as a system32 file would be at least something to raise an alarm about...

Callender said:

If anyone else tracks it down request uploading to VirusTotal to get a report and post the link to the report before deleting the folder and files.

I will try this, it is still in the recycle bin at the moment I think. First I need to delete the registry entries that loaded it.

Brilliant Cpubus; as soon as I am logged into my other (infected) PC I will give it a try. You might have to walk me through the delete process as your description is beyond my computer competence.

I don't have the same DLL file in that location, but I do have the following under the same folder:
xrWCtmg2.dll (updated today)
Any reason I can't delete that? The original file name in Details is "XPSlayer"....

(Should the whole folder be deleted?)

Thorbro said:

I don't have the same DLL file in that location, but I do have the following under the same folder:
xrWCtmg2.dll (updated today)
Any reason I can't delete that? The original file name in Details is "XPSlayer"....

(Should the whole folder be deleted?)

Yes, that looks suspicious, they just chose a different name for the file. Mine also had "XPSlayer" listed in the details. That folder should be deleted. Could you first drag out a copy of the dll file to your desktop and upload it to virustotal? Mine got deleted for good.

In order to delete that you can't have any explorer processes open, but you need explorer open to use the normal file system tools. Use the script suggested above or run a command prompt which will stay open with explorer closed.

@cpubus I tried to find the thing you told me and its not within the folder, here is whats in the folder for me - Screenshot by Lightshot -. As for the uvk scan you want me to do callender im doing it right now

EDIT
Iv done the scan here is the LOG https://www.dropbox.com/s/z2iiwr8osl...%2014.log?dl=0