Solved Two explorer.exe, One taking all of my RAM's Memory

Look at network connections

As you are all reporting problems when the internet is connected, it might be worth running CrowdStrike. It's a portable tool that checks your network connections against WOT and VirusTotal and highlights anything suspicious or dangerous. If you want to run it you can get it here:

Community Tools | CrowdStrike - scroll down the page to CrowdInspect

If you choose "Run as Admin" when running the executable, then toggle "Show full path" and see if anything shows up for explorer. If it does, make a note of the IP address and DNS server.

Also toggle the Live/History button to see current and past connections during the CrowdInspect session.
 

My Computer (at a glance)
Computer type: Laptop
Computer Manufacturer/Model Number: ASUS
OS: Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
CPU: AMD C-60 APU with Radeon(tm) HD Graphics
Motherboard: ASUSTeK COMPUTER INC. X501U
Memory: 4.00 GB
Graphics Card(s): AMD Radeon HD 6290 Graphics
Sound Card: (1) AMD High Definition Audio Device (2) Realtek High Defi
Screen Resolution: 1366 x 768 x 32 bits (4294967296 colors) @ 60 Hz
Hard Drives: Hitachi HTS545050A7E380 SATA Disk Device
Antivirus: Comodo CIS & FW, SecureAplus App Whitelisting, Threatfire
Browser: Cyberfox 64bit, Opera 64bit, Airfox
Other Info: Spy-The-Spy, HitmanPro.Alert, Norton Connect Safe, MJRegWatcher, BitDefender TrafficLight, Voodoo Shield, Zemana AntiMalware

Correction

Correction to my reported observations in my first post: The second .exe is always there, internet connection or not. However, it doesn't grow until the internet connection is made, and starts to shrink when the connection is disabled.

Yes I have unchecked "launch folders window in a separate process".

Interesting note which may or may not be relevant. When I first bring up Task Manager the rogue explorer.exe shows no "user" and cannot be shut down, nor can I right click to find its location. However, when I check "show all users" then it shows me as user and I can disable it (it comes back in about 10 seconds).
 

My Computer (at a glance)
Computer type: PC/Desktop
Computer Manufacturer/Model Number: Gateway
OS: Win 7 64-bit Home
Memory: 4
Antivirus: Malwarebytes
Browser: MS

Callender: Not sure of your instructions regarding Load as Admin, etc., but I loaded CrowdInspect and it shows one explorer.exe UNTIL the second rogue explorer.exe shows on my Task Manager, then a ton of them show up. I have no idea what the data means. Here is the data, if it means anything to you.

Code:
explorer.exe|6384|0%|??|??|--|TCP|SYN_Sent|10.0.0.32|63104|96.17.8.160|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|SYN_Sent|10.0.0.32|63103|96.17.8.160|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|SYN_Sent|10.0.0.32|63102|31.13.76.102|443|?
explorer.exe|6384|0%|??|??|--|TCP|SYN_Sent|10.0.0.32|63101|74.121.136.139|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|SYN_Sent|10.0.0.32|63100|152.163.13.6|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63099|31.13.76.102|443|?
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63098|184.28.155.54|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63097|96.17.8.89|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63096|64.20.243.243|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63095|69.194.244.11|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63094|96.17.8.89|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63093|162.248.16.24|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63092|173.194.33.153|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63091|162.248.16.24|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63090|173.194.33.153|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|FIN_Wait1|10.0.0.32|63089|31.13.76.102|80|?
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63088|199.59.150.11|443|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63086|96.17.8.81|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63084|199.59.150.11|443|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63083|68.67.129.94|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Close_Wait|10.0.0.32|63023|108.161.189.35|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63081|69.192.195.209|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63079|69.192.192.156|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63077|64.74.101.52|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63076|66.150.102.78|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63070|96.17.15.18|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63069|54.225.202.82|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63068|184.72.248.32|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63066|96.17.15.18|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63065|96.17.8.81|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63064|96.17.8.81|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Close_Wait|10.0.0.32|63057|66.45.56.124|80|?
explorer.exe|6384|0%|??|??|--|TCP|Close_Wait|10.0.0.32|63010|46.165.220.115|80|hosted-by.leaseweb.com
explorer.exe|6384|0%|??|??|--|TCP|SYN_Sent|10.0.0.32|63062|69.172.216.161|80|?
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63061|108.162.207.94|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63059|174.129.26.212|443|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63058|74.119.117.75|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63055|198.232.124.192|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63054|74.119.117.72|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63053|108.161.189.34|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63052|108.161.189.34|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63051|69.192.192.156|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63050|108.162.207.94|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63049|199.96.57.6|80|?
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63048|64.12.245.3|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63047|64.12.245.3|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63046|96.17.8.91|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63045|96.17.8.91|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63044|204.137.31.109|80|pda.adkvx.com
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63043|68.67.128.131|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63041|64.12.245.3|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63040|64.12.245.3|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63039|149.174.67.70|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63038|96.17.8.82|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63037|184.28.155.54|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63036|173.194.33.159|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63035|173.194.33.159|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63034|205.185.216.42|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63033|74.125.25.95|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63031|204.154.111.224|80|?
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63029|173.194.33.132|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63028|31.13.76.100|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63027|23.41.188.168|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63026|68.67.128.131|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63025|96.17.8.48|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63024|96.17.8.48|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63021|204.137.28.75|80|static-204-137-28-75.adknowledge.com
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63018|192.237.193.127|80|?
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63016|69.172.216.161|80|?
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63013|69.172.216.58|80|?
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63012|204.137.31.103|80|static-204-137-31-103.adknowledge.com
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63011|69.172.216.56|80|?
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63007|204.137.28.75|80|static-204-137-28-75.adknowledge.com
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|62972|185.48.57.46|80|s13.sinarohost.com
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|62970|66.45.56.124|80|?
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|62965|5.149.250.194|80|?
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|62964|185.48.57.46|80|s13.sinarohost.com
iexplore.exe|2588|0%|OK|??|--|TCP|Established|10.0.0.32|58910|134.170.18.160|443|...resolving...
iexplore.exe|2588|0%|OK|??|--|TCP|Established|10.0.0.32|58902|193.149.72.18|443|...resolving...
 
I deleted much of the rest to fit. Thor
 
 
lsass.exe|616|0%|??|??|--|TCP|Listening|All IPv6|49156|---|---|
lsass.exe|616|0%|??|??|--|TCP|Listening|All IPv4|49156|---|---|
mbam.exe|2340|0%|OK|??|59%|TCP|Close_Wait|10.0.0.32|56329|23.23.181.24|443|ec2-23-23-181-24.compute-1.amazonaws.com
mbam.exe|2340|0%|OK|??|59%|TCP|Close_Wait|10.0.0.32|56328|54.225.203.94|443|ec2-54-225-203-94.compute-1.amazonaws.com
mbamservice.exe|2260|0%|??|??|--|TCP|Listening|127.0.0.1|43227|---|---|
MsMpEng.exe|864|0%|??|??|--|TCP|Established|10.0.0.32|62871|191.238.241.80|443|...resolving...
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62492|54.230.68.216|80|...resolving...
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62491|198.27.86.193|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62485|69.172.216.56|443|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62484|69.172.216.111|443|?
System Idle Process|0|??|--|??|83%|TCP|Time_Wait|10.0.0.32|62480|173.194.33.155|80|sea09s17-in-f27.1e100.net
System Idle Process|0|??|--|??|50%|TCP|Time_Wait|10.0.0.32|62457|96.17.8.96|80|a96-17-8-96.deploy.akamaitechnologies.com
System Idle Process|0|??|--|??|50%|TCP|Time_Wait|10.0.0.32|62431|23.3.105.51|80|a23-3-105-51.deploy.static.akamaitechnologies.com
System Idle Process|0|??|--|??|50%|TCP|Time_Wait|10.0.0.32|62430|23.3.105.51|80|a23-3-105-51.deploy.static.akamaitechnologies.com
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62377|54.230.68.204|80|server-54-230-68-204.sea50.r.cloudfront.net
System Idle Process|0|??|--|??|50%|TCP|Time_Wait|10.0.0.32|62321|96.17.8.96|80|a96-17-8-96.deploy.akamaitechnologies.com
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62496|54.230.68.204|80|server-54-230-68-204.sea50.r.cloudfront.net
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62490|69.172.216.111|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62468|38.71.5.33|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62466|69.172.216.111|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62459|69.172.216.56|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62452|46.229.172.232|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62442|96.17.8.73|80|...resolving...
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62433|31.13.76.102|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62429|31.13.76.102|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62428|69.172.216.56|443|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62425|192.96.201.36|80|...resolving...
System Idle Process|0|??|--|??|59%|TCP|Time_Wait|10.0.0.32|62418|192.96.201.35|80|us41.ua-hosting.com.ua
System Idle Process|0|??|--|??|59%|TCP|Time_Wait|10.0.0.32|62416|162.210.196.218|80|us53.ua-hosting.com.ua
System Idle Process|0|??|--|??|8%|TCP|Time_Wait|10.0.0.32|62414|46.165.229.125|80|hosted-by.leaseweb.com
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62405|207.198.109.208|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62404|207.198.109.209|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62392|31.13.76.102|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62387|31.13.76.102|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62386|54.230.68.204|80|server-54-230-68-204.sea50.r.cloudfront.net
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62385|31.13.76.102|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62379|54.230.68.204|80|server-54-230-68-204.sea50.r.cloudfront.net
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62376|8.39.37.21|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62375|8.39.37.21|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62371|198.54.233.83|443|?
System Idle Process|0|??|--|??|83%|TCP|Time_Wait|10.0.0.32|62364|173.194.33.139|443|sea09s17-in-f11.1e100.net
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62357|31.13.76.102|80|?
System Idle Process|0|??|--|??|50%|TCP|Time_Wait|10.0.0.32|62350|23.3.105.51|80|a23-3-105-51.deploy.static.akamaitechnologies.com
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62347|199.96.57.6|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62346|199.96.57.6|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62344|31.13.76.102|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62336|31.13.76.102|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62318|69.172.216.111|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62316|69.172.216.55|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62313|69.172.216.55|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62312|64.237.56.12|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62311|69.172.216.111|80|?
System Idle Process|0|??|--|??|--|TCP|Time_Wait|10.0.0.32|62305|69.172.216.55|80|?
System Idle Process|0|??|--|??|8%|TCP|Time_Wait|10.0.0.32|62296|46.165.220.113|80|hosted-by.leaseweb.com
System Idle Process|0|??|--|??|8%|TCP|Time_Wait|10.0.0.32|62295|46.165.220.115|80|hosted-by.leaseweb.com
System Idle Process|0|??|--|??|96%|TCP|Time_Wait|10.0.0.32|62290|83.145.197.2|80|api.mywot.com
System Idle Process|0|??|--|??|96%|TCP|Time_Wait|10.0.0.32|62289|83.145.197.2|80|api.mywot.com
System Idle Process|0|??|--|??|96%|TCP|Time_Wait|10.0.0.32|62288|83.145.197.2|80|api.mywot.com
wininit.exe|492|0%|??|??|--|TCP|Listening|All IPv6|49152|---|---|
wininit.exe|492|0%|??|??|--|TCP|Listening|All IPv4|49152|---|---|
wmpnetwk.exe|172|0%|??|??|--|UDP|Listening|All IPv6|5005|---|---|
wmpnetwk.exe|172|0%|??|??|--|UDP|Listening|All IPv6|5004|---|---|
wmpnetwk.exe|172|0%|??|??|--|UDP|Listening|All IPv4|5005|---|---|
wmpnetwk.exe|172|0%|??|??|--|UDP|Listening|All IPv4|5004|---|---|
wmpnetwk.exe|172|0%|??|??|--|TCP|Listening|All IPv6|554|---|---|
wmpnetwk.exe|172|0%|??|??|--|TCP|Listening|All IPv4|554|---|---|
 
My Computer: Gateway desktop, Win 7 64-bit Home

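The pipe-delimited export above is easy to triage programmatically. The following script is an added example, not code from the thread or from CrowdInspect: it parses rows like those above, groups connections per process and flags shell/system binaries that hold an unusual number of distinct remote peers. The column layout, the list of "quiet" binaries and the peer threshold are assumptions; the sample rows are copied from the export.

```python
"""Triage a CrowdInspect export like the one above: group rows per process,
count distinct remote peers and flag shell/system binaries that look chatty."""
from collections import defaultdict

# Column positions in the pipe-delimited export (assumed from the rows above;
# only the unambiguous columns are named, the reputation columns are ignored).
PROCESS, PID, PROTO, STATE, RADDR, RPORT, RHOST = 0, 1, 6, 7, 10, 11, 12

# Binaries that normally hold few or no outbound web connections. explorer.exe
# is the one under discussion; the rest are an assumption for this example.
QUIET_BINARIES = {"explorer.exe", "lsass.exe", "wininit.exe", "winlogon.exe"}

# Hostname placeholders the export shows when reverse DNS is missing.
UNRESOLVED = {"?", "...resolving...", ""}


def parse_line(line):
    """Split one export row into a dict, or None for malformed rows."""
    fields = line.rstrip("\r\n").split("|")
    if len(fields) < 13:
        return None
    return {"process": fields[PROCESS], "pid": fields[PID],
            "proto": fields[PROTO], "state": fields[STATE],
            "raddr": fields[RADDR], "rport": fields[RPORT],
            "rhost": fields[RHOST]}


def summarize(lines):
    """Aggregate rows by (process, pid); listening sockets have no peer and are skipped."""
    per_proc = defaultdict(lambda: {"rows": 0, "peers": set(),
                                    "hosts": set(), "states": defaultdict(int)})
    for line in lines:
        row = parse_line(line)
        if row is None or row["raddr"] == "---":
            continue
        stats = per_proc[(row["process"], row["pid"])]
        stats["rows"] += 1
        stats["peers"].add(row["raddr"])
        stats["states"][row["state"]] += 1
        if row["rhost"] not in UNRESOLVED:
            stats["hosts"].add(row["rhost"])
    return per_proc


def flag_chatty(per_proc, max_peers=5):
    """Return (process, pid, peer_count, resolved_hosts) for quiet binaries
    that talk to more distinct remote addresses than max_peers."""
    flagged = []
    for (proc, pid), stats in per_proc.items():
        if proc.lower() in QUIET_BINARIES and len(stats["peers"]) > max_peers:
            flagged.append((proc, pid, len(stats["peers"]), sorted(stats["hosts"])))
    return sorted(flagged, key=lambda f: -f[2])


# Constructed sample: a handful of rows copied from the export above.
SAMPLE = """\
explorer.exe|6384|0%|??|??|--|TCP|SYN_Sent|10.0.0.32|63104|96.17.8.160|80|...resolving...
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63099|31.13.76.102|443|?
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63044|204.137.31.109|80|pda.adkvx.com
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|63021|204.137.28.75|80|static-204-137-28-75.adknowledge.com
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|62972|185.48.57.46|80|s13.sinarohost.com
explorer.exe|6384|0%|??|??|--|TCP|Close_Wait|10.0.0.32|63010|46.165.220.115|80|hosted-by.leaseweb.com
explorer.exe|6384|0%|??|??|--|TCP|Established|10.0.0.32|62965|5.149.250.194|80|?
iexplore.exe|2588|0%|OK|??|--|TCP|Established|10.0.0.32|58910|134.170.18.160|443|...resolving...
lsass.exe|616|0%|??|??|--|TCP|Listening|All IPv6|49156|---|---|
"""

if __name__ == "__main__":
    for proc, pid, n, hosts in flag_chatty(summarize(SAMPLE.splitlines())):
        print(f"{proc} (PID {pid}): {n} distinct remote peers; resolved: {', '.join(hosts)}")
```

Run it against a full export saved from CrowdInspect (Copy All into a text file) by feeding the file's lines to summarize(); a normal explorer.exe should not show up in the flagged list at all.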
same here

I'm having the same exact issue as you this morning, an ever-expanding explorer.exe with the same quirk that the explorer process has no user listed and you can't end it until you elevate, then it shows the normal user name. I don't know what's causing it yet but hopefully one of us figures it out today. (I work on computers for a living.)
 

My Computer (at a glance)
Computer type: PC/Desktop
OS: Win 7 64 Home Prem

don't hold your breath

Today? Sorry cpubus, but I'm not sure I have seen anyone resolve this issue at all; this thread has been going for weeks without a clue. But who knows, maybe someone will find something. It does appear to be something malicious that is accessing the computer from a remote location.

Here is a thread from Bleeping Computer which may or may not be of interest to you or Callender. I have no idea how to check for the virus this guy found...
Extra copy of explorer.exe runs, contacts foreign website sinarohost.com - Virus, Trojan, Spyware, and Malware Removal Logs
 

My Computer: Gateway desktop, Win 7 64-bit Home

Well, unfortunately for me, if I don't get results soon I have to just format the thing. I would like to figure it out though, because these things seem to come to me in waves, so I'll probably have to see more of these soon. I just hate dealing with "all my settings are gone wtf" after a format lol. I'll help as much as I can.
 

My Computer: PC/Desktop, Win 7 64 Home Prem

Interesting

Today? Sorry cpubus, but I'm not sure I have seen anyone resolve this issue at all; this thread has been going for weeks without a clue. But who knows, maybe someone will find something. It does appear to be something malicious that is accessing the computer from a remote location.

Here is a thread from Bleeping Computer which may or may not be of interest to you or Callender. I have no idea how to check for the virus this guy found...
Extra copy of explorer.exe runs, contacts foreign website sinarohost.com - Virus, Trojan, Spyware, and Malware Removal Logs

That is interesting but the entry mentioned in the article doesn't show up in the logs. I've checked a few of the ip addresses you posted and they're shown as malicious on VirusTotal. I didn't check them all though.

It might be worth everybody checking their msconfig startup entries just to see if an explorer.exe entry exists. There should not be any such explorer.exe entry found, and if one exists it would point to a trojan.
 

My Computer: ASUS X501U laptop, Microsoft Windows 7 Home Premium 64-bit SP1

Ok, I want to try to confirm something with OP, I think I found the culprit although I don't know what exactly it's called.

I went looking for recently changed folders, and ended up in c:\programdata\ and noticed a hidden folder with a GUID name and a recent file date (it had the hidden attribute set).

Inside this folder were some files and a "ListSvc.dll", which is a legitimately named Windows system file (Windows HomeGroup Listener) but is supposed to be in system32, not here. Of course, inspecting the properties showed the wrong information, and that it was not the HomeGroup Listener DLL. I tried to delete it and was told the file was in use, of course. I opened a CMD prompt and killed all the explorer processes; then I was able to delete it from the command prompt, and restarted. So far, no more second explorer after 30 minutes. Here are some images of what I found. (The last image is the original ListSvc.dll from the system32 folder for comparison.)
 

Attachments: Capture2.JPG, Capture3.JPG, Capture4.JPG, Capture5.JPG

My Computer: PC/Desktop, Win 7 64 Home Prem
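A check that covers both the msconfig startup advice earlier in the thread and the hidden GUID folder under ProgramData described just above, as an added Python example (not code from the thread or from any tool named in it). The rules, the entry names and the first command line are assumptions; the GUID and the two DLL names are the ones posted in this thread.

```python
"""Triage startup entries for the two indicators this thread converged on:
an explorer.exe autorun entry (there should be none) and a DLL living in a
hidden GUID-named folder under ProgramData, possibly carrying the name of a
real system32 file (ListSvc.dll)."""
import re
from pathlib import PureWindowsPath

GUID_DIR = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# Drive-letter paths ending in .exe or .dll, quoted or not.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"|]+?\.(?:exe|dll))"?', re.I)
# Names that belong in system32; seeded with the one file the thread saw
# impersonated. A real baseline would be built from a clean machine.
SYSTEM32_NAMES = {"listsvc.dll"}
SYSTEM32_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


def extract_paths(command):
    """Return every .exe/.dll path referenced by a startup command line."""
    return PATH_RE.findall(command)


def classify(command):
    """Return the reasons an entry looks wrong; an empty list means no match."""
    reasons = []
    for raw in extract_paths(command):
        path = PureWindowsPath(raw)
        base = path.name.lower()
        parent = str(path.parent).lower()
        parts_lower = [p.lower() for p in path.parts]
        if base == "explorer.exe":
            reasons.append("explorer.exe is started as the shell at logon, "
                           "not from a startup entry")
        if (base.endswith(".dll") and "programdata" in parts_lower
                and any(GUID_DIR.match(p) for p in path.parts)):
            reasons.append(f"DLL loaded from a GUID-named ProgramData folder: {raw}")
        if base in SYSTEM32_NAMES and parent not in SYSTEM32_DIRS:
            reasons.append(f"{path.name} carries a system32 file name "
                           f"but lives in {path.parent}")
    return reasons


def triage(entries):
    """Map entry name -> reasons for every entry that matched at least one rule."""
    flagged = {}
    for name, command in entries:
        reasons = classify(command)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample of (value name, command) pairs as they would be read from
# the Run keys / msconfig Startup tab. The GUID and DLL names come from the
# thread; the value names and the first command are placeholders.
SAMPLE_ENTRIES = [
    ("ExampleAV Tray", r'"C:\Program Files\ExampleAV\tray.exe" /minimized'),
    ("HomeGroup Listener",
     r'C:\Windows\system32\rundll32.exe '
     r'C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\ListSvc.dll,Start'),
    ("explorer", r'C:\Windows\explorer.exe'),
    ("XPSlayer",
     r'rundll32.exe "C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\xrWCtmg2.dll",Run'),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES).items():
        print(f"[!] {name}")
        for reason in reasons:
            print(f"    - {reason}")
```

An entry is only a lead: copy the referenced file out first and get a VirusTotal report on it, as requested later in this thread, before deleting the folder.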
Sinarohost?

Check out my log and Sinarohost.com is a foreign hosting service?? Are we getting close here?
 

My Computer: Gateway desktop, Win 7 64-bit Home

And I gotta say, this computer runs so much better. It was like getting a piggyback ride from your grandpa who uses a walker.
 

My Computer: PC/Desktop, Win 7 64 Home Prem

This GUID path under programdata is listed in that log report posted by callender...
 

My Computer: PC/Desktop, Win 7 64 Home Prem

Process Explorer

Okay try this: Run Process Explorer and highlight the problem explorer.exe then right click and choose "Suspend"

Then double click the explorer.exe entry and look at the "Threads" tab then click "Stack"

Click "Copy All" and open your text editor. Paste the results. Post them here.
 

My Computer: ASUS X501U laptop, Microsoft Windows 7 Home Premium 64-bit SP1

Today? Sorry cpubus, but I'm not sure I have seen anyone resolve this issue at all; this thread has been going for weeks without a clue. But who knows, maybe someone will find something. It does appear to be something malicious that is accessing the computer from a remote location.

I'd say if this thing is using the same GUID folder for every computer to store the files then this thing is solved. A Christmas miracle! The question is what is this thing? Norton was on this machine and it was no help at all. You'd think running a dll with the same name as a system32 file would be at least something to raise an alarm about...
 

My Computer: PC/Desktop, Win 7 64 Home Prem

Afrims' log

This GUID path under programdata is listed in that log report posted by callender...

Indeed it does appear in Afrim's log:

{9A88E103-A20A-4EA5-8636-C73B709A5BF8}

So Afrim - you can try running the attached script in UVK (Rename with .uvk extension) and reboot if requested to do so by UVK.

View attachment UVK - FixList Afrim.txt
 
My Computer: ASUS X501U laptop, Microsoft Windows 7 Home Premium 64-bit SP1

Request

If anyone else tracks it down request uploading to VirusTotal to get a report and post the link to the report before deleting the folder and files.
 

My Computer: ASUS X501U laptop, Microsoft Windows 7 Home Premium 64-bit SP1

If anyone else tracks it down request uploading to VirusTotal to get a report and post the link to the report before deleting the folder and files.

I will try this, it is still in the recycle bin at the moment I think. First I need to delete the registry entries that loaded it.
 

My Computer: PC/Desktop, Win 7 64 Home Prem

Brilliant Cpubus; as soon as I am logged into my other (infected) PC I will give it a try. You might have to walk me through the delete process as your description is beyond my computer competence.
 

My Computer: Gateway desktop, Win 7 64-bit Home

I don't have the same DLL file in that location, but I do have the following under the same folder:
xrWCtmg2.dll (updated today)
Any reason I can't delete that? The original file name in Details is "XPSlayer"....

(Should the whole folder be deleted?)
 

My Computer: Gateway desktop, Win 7 64-bit Home

I don't have the same DLL file in that location, but I do have the following under the same folder:
xrWCtmg2.dll (updated today)
Any reason I can't delete that? The original file name in Details is "XPSlayer"....

(Should the whole folder be deleted?)

Yes, that looks suspicious; they just chose a different name for the file. Mine also had "XPSlayer" listed in the details. That folder should be deleted. Could you first drag out a copy of the DLL file to your desktop and upload it to VirusTotal? Mine got deleted for good.

In order to delete that you can't have any explorer processes open, but you need explorer open to use the normal file system tools. Use the script suggested above or run a command prompt which will stay open with explorer closed.
 

My Computer: PC/Desktop, Win 7 64 Home Prem
