[Solved] Two explorer.exe, one taking up to 3 gigs of system memory

spork

So the other thread was no help, so I started this one. When I start up my computer and after it's loaded (in normal and clean boot) an explorer.exe shows up and starts rapidly ballooning up over the 2 million bits mark, making my computer really slow.

I've cleaned with Comodo, Malwarebytes Pro, and Kaspersky bootkit cleaner. This only happens when my computer is connected to the internet. The process has the path C:/Windows/explorer.exe but it shows up with no user in the task manager, and when I try to end the task it gives me a message saying "access is denied." However, when I end it through the performance monitor it will let me end it, but a new one always pops back up in its place.

I've been googling for weeks trying to fix this and still no luck. Please help.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom
OS
Windows 7 x64
Memory
8 gig
Graphics Card(s)
GeForce 260
Google "select which programs run at startup" for your OS. There should be a way to block any unwanted applications from starting up. You might want to try and see if this simple method would work.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
custom build
OS
Windows 7 Home Premium 64-bit SP1
CPU
6.00GB Dual-Channel DDR3 @ 666MHz (9-9-9-24)
Motherboard
Dell Inc. 0DPRF9 (CPU 1)
Memory
2 gig
Graphics Card(s)
NSPIRON ONE (1280x768@60Hz) ATI Mobility Radeon HD 4200 (Del
Hard Drives
System 500gb
Primary 500GB

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
SALEON Systems V3.1
OS
Windows 7 Ultimate 32bit
CPU
Intel Core 2 Extreme QX6850
Motherboard
ASUSTeK P5G41-M LE
Memory
4 gb
Graphics Card(s)
NVIDIA GeForce 8400GS
Hard Drives
Intel 120 GB SSD, Seagate 250GB, Seagate 2TB
Antivirus
Comodo
Browser
Chrome
Both of you read the OP before you reply.
 

The process has the path C:/Windows/explorer.exe but it shows up with no user in the task manager and when I try to end the task it gives me a message saying "access is denied."
You need to start Task Manager as administrator to see all processes and all details for all processes. When you start it normally (which means as a standard user even if you're an administrator) you can do this by clicking the button "Show processes from all users" in the bottom left corner.

When you start Performance Monitor it's started as administrator (UAC prompt). That's why you could kill it from there.
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
HP Elitebook 8540p
OS
Windows 7 Pro 32
CPU
Intel(R) Core(TM) i5 CPU M 540 @ 2.53GHz
Motherboard
Hewlett-Packard 1521
Memory
4,00 GB (Usable 2,98)
Graphics Card(s)
NVIDIA NVS 5100M
Sound Card
NVIDIA High Definition Audio
Screen Resolution
1600x900
Hard Drives
INTEL SSDSA2CW120G3
Antivirus
F-Secure Internet Security
Browser
IE, Firefox, Opera
Other Info
Sandboxie,
SRP (Software Restriction Policy),
EMET (Enhanced Mitigation Experience Toolkit),
WFC (Windows Firewall Control by BiniSoft),
Malwarebytes Premium
OK, when I did that it showed it was from owner, which is me. Odd that it would show that after I clicked display processes from all users when the other one showed it normally. And also now I can click on the display file location and it brings up my windows folder, when it wouldn't do that before.

I tried booting in safe mode with networking and still got the same issue. I think it's maybe a Microsoft problem? Like one of their updates caused a bug or something. I'm going to try the tool you posted in the other thread for the context menu thing then get back.


EDIT: I almost forgot, when this problem started happening, I now get a RunDLL error on startup saying C/users/owner/AppData/local/owengla.dll could not be found. I have no idea what that means.
 
It wasn't me who suggested that tool ;) I suggested Process Explorer instead of Task Manager because you get more info and can check the processes on VirusTotal.

This/your problem has been reported in several threads in the last few days, so a recent Windows Update might be the cause. I've tried searching a little but only found these possible explanations so far:
- High CPU usage in the Explorer.exe process when you open a folder that contains corrupted .wav files (Hotfix download)
- Modified folder options (tab: View) in Explorer to launch folder windows in a separate process. This would create additional explorer.exe processes (more info)

I can't find any useful info on owengla.dll other than in malware context. The path ...AppData/local/ is strange because normally files go in a sub-folder to that folder.
 

Yeah sorry I just realized that :o

I used Process Explorer though and followed your tutorial. It all comes up clean and verified signed by Microsoft, and there is a ctfmon attached to it *sometimes*, but not always. It's using over 5 gigs as I type this and nothing is attached to it.

I spent the last hour talking to a nice girl from Microsoft. She said it *had* to be a virus. So now I'm stumped.

Watching it just now it appears that around 5.2 gigs seems to be critical mass, it just restarted itself. :confused:
 

The tutorial also shows how to check DLL files that a process is using. And also wait for the ctfmon.exe to show up so you can check that too, including the DLLs.
Press Ctrl+L to toggle the lower pane after selecting a process. Then right-click a column header in the lower pane to get the option to add more columns.

FYI, ctfmon is a text service for alternative user input features used for support of speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.
 

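The checks the two posts above walk through in Process Explorer (image path, verified signer, lower-pane DLL list for each explorer.exe), scripted for an elevated PowerShell prompt. This is an added example, not anything posted in the thread; it assumes Windows 7 or later with PowerShell 2.0+, and treats only the Windows and Program Files trees as expected DLL locations, so a module loaded from somewhere like %LOCALAPPDATA% is reported.

```powershell
# Added example (not from the thread): triage every running explorer.exe.
# Run elevated, otherwise other users' processes show no owner and cannot be inspected.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
           Where-Object { $_ } | ForEach-Object { $_.ToLower() }

function Get-SignerStatus([string]$Path) {
    # Authenticode status of one file: Valid, NotSigned, HashMismatch, ...
    try   { (Get-AuthenticodeSignature -FilePath $Path).Status.ToString() }
    catch { "Unreadable" }
}

foreach ($p in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    $wmi   = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.Id)"
    $owner = $wmi.GetOwner()                 # same owner Task Manager shows once elevated
    $path  = $wmi.ExecutablePath             # what "Open File Location" points at
    $wsMB  = [math]::Round($p.WorkingSet64 / 1MB)

    "PID {0,-6} user {1}\{2}  working set {3} MB  image {4}  signer {5}" -f `
        $p.Id, $owner.Domain, $owner.User, $wsMB, $path, (Get-SignerStatus $path)

    # A genuine shell process runs from %SystemRoot%\explorer.exe.
    if ($path -and $path.ToLower() -ne "$env:SystemRoot\explorer.exe".ToLower()) {
        "  !! explorer.exe running from an unexpected location"
    }

    # Equivalent of the lower pane (Ctrl+L): loaded modules outside the trusted
    # trees. Files under %SystemRoot% are mostly catalog-signed, which older
    # Get-AuthenticodeSignature reports as NotSigned, so only out-of-tree DLLs
    # are listed here, together with their signature status.
    try   { $modules = @($p.Modules) }
    catch { "  (cannot enumerate modules: $($_.Exception.Message))"; continue }

    foreach ($m in $modules) {
        $file  = $m.FileName
        $lower = $file.ToLower()
        $inTree = $trusted | Where-Object { $lower.StartsWith($_) }
        if (-not $inTree) {
            "  module {0}  signer {1}" -f $file, (Get-SignerStatus $file)
        }
    }
}
```

Run it from a PowerShell whose bitness matches the process (64-bit PowerShell on Windows 7 x64), or module enumeration fails and the script says so for that process.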
On the first DLL it said in the verified signer column (the form specified for the subject is not one supported or known by the specified trust provider). No virus detected. The other unknowns are from nvidia, and none of their stuff is signed so I'm not too concerned about that.

It found a virus in one of the files, CMC says it's a backdoor DLL, but that was the only red flag.

ctfmon hasn't showed yet.
 

If only one AV detected anything it's likely a false positive. The other explanation is that this backdoor is only detected by CMC, and that no other AV can detect it (yet).

I know you already scanned with a couple of products but if it was my PC I'd scan with a few more, for example:
Free Virus Scan | Online Virus Scanner from ESET
HitmanPro 3 - SurfRight
 

It would be interesting for Comodo KillSwitch to note which IP connections were attempted during this steadily climbing mem usage scenario, just to identify where the miscreant IPs were...

(If this is a rapidly spreading issue, should not be too long before the 'big guns', i.e., MB, HitMan Pro, EMSISoft, ESET, etc., are on it)

For the poor souls afflicted with this, any idea whatsoever how it was obtained/injected into the system? (Porn sites, miracle free software offers, playing World of Warcraft allowing autodownloads, etc.)
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
HP
OS
Windows 7 Home Premium 64 bit
CPU
AMD A4
Memory
5 GB
Graphics Card(s)
Integrated Radeon
Hard Drives
500 gb WD
Antivirus
360 TS
Browser
IE
I ended up reformatting and reinstalling Windows. Problem solved. From now on I'm just going to use this computer for sims, so I think it would've been good to reformat anyway.

Hope the others get it solved.
 
