Solved 2 explorer.exe

[RoWin7]

Win7 SP1 x64
....................................

Note: this is not Win. Explorer or IE Explorer.

I researched this online, and every site gives me a different answer.

Is it normal to have 2 explorer.exe in Task Manager? It's been there awhile, weeks or months, from the time I boot till I close down.
"http://postimg.cc/dZh5GG9V" (I don't know why Postimage called it "Walruses." It's my Task Mger)

 

[iko22]

In Task Manager, Right-mouse click on each occurrence of explorer.exe

select "open file location" from dropdown list.

Is the file in each file location the same item?

 

[RoWin7]

Yes, loc is Windows, same file.

 

[torchwood]

Hi Rowin7,

thats rather unusuall, can you run this tool

Download Farbar Recovery Scan Tool

note some AV's report this as malware its NOT##

please post both logs


Roy

 

[RoWin7]

Running scan now. Should I do the optional scan too?

 

[RoWin7]

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 08-03-2020 Ran b - Pastebin.com

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 08-03-2020 R - Pastebin.com

Glasswire is my firewall.

 

[torchwood]

Hi Rowin7

My AV, KIS, blocked both reports

can you copy/paste them both.


Roy

 

[RoWin7]

They're just text files, and too long to post, so Pastebin is a place to post them, like a photohosting site. Tell your AV it's OK.
.
The first file is 141,000 characters, and they want me to break it into files of 25,000, so 6 files. The 2nd file is a little shorter. I don't know where the 25,000 demarcations would be. Is there something I should look for in the logs?

 

[torchwood]

Hi Rowin7,

Anything with <<Attention
or No file


try zipping them


Roy

 

[torchwood]

Bree

im also getting insecure connection

you getting any probs


Roy

 

[RoWin7]

Using MSE A-V. No problems

ALL FROM first file:

GroupPolicy: Restriction - Chrome <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

Task: {3025A5C3-DD97-4F91-AC6C-67C460DB9239} - \Avira SystrayStartTrigger -> No File <==== ATTENTION
(I haven't used Avira in several years.)

Task: {D7B3B105-962F-40FD-9864-ED663D9077FC} - \AVAST Software\Avast settings backup -> No File <==== ATTENTION

FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\bd_js_config.js [2020-02-19] <==== ATTENTION (Points to *.cfg file)
FF ExtraCheck: C:\Program Files\mozilla firefox\bd_config.cfg [2020-02-19] <==== ATTENTION
Chucked AVAST a few months ago for BitDefender)



Task: {ED65A9AB-8F56-4D14-8EF9-115584A7E573} - \TechUtilities -> No File <==== ATTENTION


HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION

Task: {D7B3B105-962F-40FD-9864-ED663D9077FC} - \AVAST Software\Avast settings backup -> No File <==== ATTENTION
(I don't use IE, never have.)

=============================

 

[samuria]

The system is a mess you have lots of unsigned drivers temp folder is full firwall has 6000 entries



ootExecute: autocheck autochk /p \??\C:autocheck autochk * GroupPolicy: Restriction - Chrome <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION




Details:
The Temp folder is on a drive that is full or is inaccessible. Free up space on the drive or verify that you have write permission on the Temp folder. (HRESULT : 0x80070660) (0x80070660)


Date: 2020-03-14 21:00:09.210
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\igdkmd64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

 

[RoWin7]

from 2nd file
No "ATTENTION" but loads of errors:

Application errors:
==================
Error: (03/19/2020 05:11:29 PM) (Source: Windows Search Service) (EventID: 1006) (User: )
Description: The Windows Search Service has failed to create the new search index. Internal error <1, 0x80070005, Failed to add Gather Application: Windows>.

Error: (03/19/2020 05:11:29 PM) (Source: Windows Search Service) (EventID: 3030) (User: )
Description: The gatherer service cannot be initialized.

Details:
The Temp folder is on a drive that is full or is inaccessible. Free up space on the drive or verify that you have write permission on the Temp folder. (HRESULT : 0x80070660) (0x80070660)

Error: (03/19/2020 05:09:29 PM) (Source: Windows Search Service) (EventID: 1006) (User: )
Description: The Windows Search Service has failed to create the new search index. Internal error <1, 0x80070005, Failed to add Gather Application: Windows>.

Error: (03/19/2020 05:09:29 PM) (Source: Windows Search Service) (EventID: 3030) (User: )
Description: The gatherer service cannot be initialized.

Details:
The Temp folder is on a drive that is full or is inaccessible. Free up space on the drive or verify that you have write permission on the Temp folder. (HRESULT : 0x80070660) (0x80070660)

Error: (03/19/2020 05:09:03 PM) (Source: Windows Search Service) (EventID: 1006) (User: )
Description: The Windows Search Service has failed to create the new search index. Internal error <1, 0x80070005, Failed to add Gather Application: Windows>.

Error: (03/19/2020 05:09:03 PM) (Source: Windows Search Service) (EventID: 3030) (User: )
Description: The gatherer service cannot be initialized.

Details:
The Temp folder is on a drive that is full or is inaccessible. Free up space on the drive or verify that you have write permission on the Temp folder. (HRESULT : 0x80070660) (0x80070660)

Error: (03/19/2020 05:08:54 PM) (Source: Windows Search Service) (EventID: 1006) (User: )
Description: The Windows Search Service has failed to create the new search index. Internal error <1, 0x80070005, Failed to add Gather Application: Windows>.

Error: (03/19/2020 05:08:54 PM) (Source: Windows Search Service) (EventID: 3030) (User: )
Description: The gatherer service cannot be initialized.

Details:
The Temp folder is on a drive that is full or is inaccessible. Free up space on the drive or verify that you have write permission on the Temp folder. (HRESULT : 0x80070660) (0x80070660)


System errors:
=============
Error: (03/19/2020 05:11:30 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 164 time(s).

Error: (03/19/2020 05:11:30 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Search service terminated with the following error:
Access is denied.

Error: (03/19/2020 05:09:30 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 163 time(s).

Error: (03/19/2020 05:09:30 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Search service terminated with the following error:
Access is denied.

Error: (03/19/2020 05:09:03 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 162 time(s).

Error: (03/19/2020 05:09:03 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Search service terminated with the following error:
Access is denied.

Error: (03/19/2020 05:08:55 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 161 time(s).

Error: (03/19/2020 05:08:55 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Search service terminated with the following error:
Access is denied.

 

[RoWin7]

I had moved the TEMP folder to C:\ , don't remember why. I just emptied it again, and it's down to about 30 KB.

I don't know how to work all of Glasswire. But it hasn't blocked anything.

 

[Bree]

@Bree
im also getting insecure connection
you getting any probs

When connecting to the pastebin links in post #6? No, I'm not seeing an insecure connection. I can read the text OK. My Firefox does report that it blocked one tracking cookie and a fingerprinter though.



Nor do I see more than just the one explorer.exe in my W7's Task Manager. Maybe unconnected, but there's one oddity in RoWin7's screenshot of the processes, the csrss.exe process has no user name showing. Mine shows SYSTEM as the user name.

They're just text files, and too long to post...

Try putting them in a .zip file an attach them to a post.

 

[torchwood]

Hi

You should NEVER move the temp file away from C:

All programs/features and updates use it as a "holding" file and refer back to it to complete its operation.

As Samuria said your system is a mess.

Before we try and attempt 3rd party repairs, ie Me Bree Samaria
Please run these MS repair tools in this order
Chkdsk /r
sfc /scannow
Kb947821

REBOOT

Once completed rerun FRST
ZIP an post it please


Roy

 

[RoWin7]

I have 7Zip. I'm not sure how to zip a file, I've tried "Add" on the main UI, but it just shows me the file's contents.

 

[torchwood]

Hi Rowin7

just right click on the folder = select send to >>> compressed (zipped) folder and attach to your reply

note
might be usefull to Uninstall Glasswire for the time being MS built in is pretty good anyway



Roy

 

[RoWin7]

Temp folder IS in C.

2 zipped logs attached

 

[torchwood]

Hi Rowin7,

Once you have run the 3 system check tools, please open a thread at BleepingComputers - malware sub-forum.

There are a few items that i am suspicious off,


Roy