Suspicious explorer.exe network activity, no virus found

Discussion in 'Software' started by majassow, Sep 9, 2013.

  1. majassow

    majassow Private E-2

    Followed Malware scan procedures: nothing found.
    Thread is here: http://forums.majorgeeks.com/showthread.php?t=279827

    Malware forum recommended I re-post here.

    Original thread has screen shot showing high activity just after reboot. I can re-attach here if necessary.

    An additional (possibly related?) symptom: save dialogs from programs like Photoshop and Notebook show no existing files or folders.

    --Michael
     
  2. AtlBo

    AtlBo Major Geek Extraordinaire

    majassow...

    Just based on my experiences with this type of thing (limited), I have found usually the answer is in finding out what is using explorer.exe to create the network traffic. One program that can help with this is Process Explorer here:

    http://www.majorgeeks.com/files/details/microsoft_process_explorer.html

    Click on Explorer.exe in the processes list in PE and then select the "show process tree" button in the button bar. First see if there are two Explorer.exe processes running. If not, see if anything shows up under Explorer.exe. If so, that process may have hijacked your net connection. From there you can kill it in Process Explorer or TaskMgr if it's running and then go about determining how it got there and remove it...

    While you are working and not on the net, probably a good idea to disable your internet connection on the affected PC if you haven't already. This will save your bandwidth.

    Think I remember fixing a similar problem some time ago with a SuperAntiSpyware scan. Couldn't hurt to run SAS, especially since it's good with trackers...

    Oh yeah, CPorts is a good program for identifying the problem process. Look for established connections. CPorts will show you the PID which you can use in Task Mgr to see what the process is. To see PIDs in Task Mgr, select the View header, then "Select Columns...", and then place a check mark in the PID check box...
     
    Last edited: Sep 9, 2013
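The two checks AtlBo describes above (which process owns each established connection, and what is running under explorer.exe) can be scripted rather than read off Process Explorer and CPorts screenshots. This is an added example, not code from the thread or from any of the tools mentioned; it assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection (on Windows 7, `netstat -ano` gives the same PID column) and is best run from an elevated prompt so that the image paths of all processes are readable.

```powershell
# Added example (not from the thread): map established TCP connections to their
# owning process, and list the child processes of explorer.exe.
# Assumption: Windows 8+/PowerShell 3+ (Get-NetTCPConnection, Get-CimInstance).

function Get-EstablishedConnectionOwners {
    Get-NetTCPConnection -State Established |
        ForEach-Object {
            # PID 0 / 4 belong to Idle and System; Get-Process returns nothing useful for them
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                PID       = $_.OwningProcess
                Process   = if ($proc) { $proc.ProcessName } else { '<unknown/System>' }
                Path      = if ($proc) { $proc.Path } else { $null }
                LocalPort = $_.LocalPort
                Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        } | Sort-Object Process, Remote
}

function Get-ExplorerChildren {
    # A second explorer.exe, or an unexpected child under it, is what the thread is hunting for
    $explorers = @(Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'")
    if ($explorers.Count -gt 1) { Write-Warning "More than one explorer.exe is running" }
    foreach ($e in $explorers) {
        Get-CimInstance Win32_Process -Filter "ParentProcessId = $($e.ProcessId)" |
            Select-Object ProcessId, Name, ExecutablePath, CommandLine
    }
}

# Per-process byte counts are not available from these cmdlets; the number of
# established connections per process is a cheap proxy and is what made
# explorer.exe stand out in the thread.
Get-EstablishedConnectionOwners | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

Get-EstablishedConnectionOwners | Format-Table -AutoSize
Get-ExplorerChildren | Format-Table -AutoSize
```

Run it once with the network idle and once during the burst of traffic and diff the two outputs; a process that appears only in the second run, or a remote address reached by many connections from one PID, is the one to look up next.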
  3. majassow

    majassow Private E-2

    AtlBo,
    Thanks for the pointers. I am disabling network access by removing the wifi adapter except when testing.

    I ran SAS....nothing abnormal, except for a bunch of tracking cookies which I removed. No difference in the network activity.

    Process Explorer didn't allow me to click on the process tree - button is greyed out.
    I turned on the column for I/O activity to see if anything jumped out when I re-enabled network access -- nothing abnormal in PE (which seems in itself strange...unless the I/O in PE is disk only). I've attached screen shots before network access and during peak network activity. I also attached displays of TCP/IP activity from PE, showing quite a few ports established just after networking re-enabled, and again during high network activity.

    I also ran cports.exe: again lots of ports associated with the same explorer pid, as well as some strange unknown process names with PID 0 connecting to the same IPs.

    I have killed explorer.exe (and its process tree), restarted, etc.; within a minute or two of either, network activity starts right back up.
     

    Attached Files:

    Last edited: Sep 10, 2013
  4. majassow

    majassow Private E-2

    AtlBo,

    Thanks for the suggestions. I thought I posted last night, but something appears to have timed out - if this is a duplicate, I apologize.

    I do disable the network, except while testing.
    I tried SAS: it found tracking cookies which I removed with no difference in symptoms.

    I installed PE: was not able to click on process tree: the button is greyed out. I turned on the I/O delta columns to try to see which processes associated with explorer might be the issue: did not see any difference between idle and high activity states (which seems odd, unless I/O on this screen refers to disk activity only). I attached screen shots of both PE with network disabled, and PE under high activity.
    I also used the TCP/IP screen in PE to show the open ports. One screen shot was taken just after the network was enabled, the other when the activity was high.

    I ran cports.exe - again, many connections associated with the explorer PID, but also quite a few "unknown" process names with PID = 0 to the same IPs.

    I have tried killing the process tree for explorer, but a minute or two after I start a new explorer task, the network connections return. Rebooting also does not help.
    --Michael
     

    Attached Files:

  5. AtlBo

    AtlBo Major Geek Extraordinaire

    majassow...

    From what I see (screenshots are too low quality to see well here at MG :(), you appear to have one process in PE that is under Explorer.exe when the problem is occurring that wasn't there before. Can't read the process name, but in the middle column it is called "Client Manager V" I think. Might be a good idea to Google that one. I checked tvnserver.exe, and it is safe. usb3monitor.exe looks safe, too.

    This situation looks tricky. Have you installed anything on the affected PC lately? Honestly, any of the processes that show up anywhere in PE could be "ponying" onto the ones showing up under Explorer.exe and then causing the net traffic. Unless it's something like the Zune Launcher going berserk, I think you will need to do some Googling of the processes open when the problem is occurring.

    One thing you can do is try disabling processes one by one until you find the culprit. For this, you can use the services menu of Windows that lists all your services and gives you the ability to start and stop them. Task Mgr o/c gives you only the ability to stop them. Even then, closing non-essential ones one at a time wouldn't hurt anything. They will restart on reboot. At least it's a place to start. If you need help identifying necessary processes in Task Mgr, please let me know. I know in XP, the essential processes can't be shut down...
     
  6. satrow

    satrow Major Geek Extraordinaire

    Good spot - xxxMain.exe, Client manager V, Buffalo inc. Wireless client monitor - I'd remove it and allow the native Windows wireless manager.

    http://www.shouldiremoveit.com/BUFFALO-Client-Manager-25340-program.aspx

    Plenty of other things going on there that I'd deselect from auto-starting using Autoruns.
     
  7. AtlBo

    AtlBo Major Geek Extraordinaire

    majassow...

    This one looks like it might have something to do with the issue you are having:

    BCU.exe

    "Seems to be bundled with Asus Motherboards and possibly Gigabyte Mobos too. May be part of Asus Express Gate which allows instant connection to the internet on boot before entering windows. Called Splashtop by the maker"

    More info here:

    http://www.file.net/process/bcu.exe.html

    Comments at the bottom got my attention...

    Here is another one:

    http://www.file.net/process/osppsvc.exe.html

    One other to take a look at:

    http://www.file.net/process/vdeck.exe.html

    As satrow mentioned there are several there that can be looked at...
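Before trusting or removing any of the executables named in this thread (BCU.exe, xxxMain.exe, osppsvc.exe, vdeck.exe), it helps to see where each one actually runs from and who signed it; a lookup site only tells you what a file of that name usually is. The following is an added example, not code from the thread or from any vendor; the process names are the ones mentioned above, and it assumes PowerShell 4 or later (Get-FileHash) in an elevated prompt.

```powershell
# Added example (not from the thread): report image path, Authenticode signer
# and SHA-256 for the processes named in the discussion, so an unfamiliar name
# can be vetted against the vendor's site or a hash lookup.
# Assumption: PowerShell 4+ (Get-FileHash), run elevated.

function Get-ProcessProvenance {
    param(
        # Names from the thread; extend or replace as needed
        [string[]]$Name = @('explorer', 'BCU', 'xxxMain', 'osppsvc', 'vdeck')
    )
    Get-Process -Name $Name -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |               # system/protected processes expose no path
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.Path
            [pscustomobject]@{
                Name      = $_.ProcessName
                PID       = $_.Id
                Path      = $_.Path
                SigStatus = $sig.Status          # Valid / NotSigned / HashMismatch / ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256    = (Get-FileHash -Path $_.Path -Algorithm SHA256).Hash
            }
        }
}

# A status other than 'Valid', or a path outside %ProgramFiles% / %SystemRoot%,
# is a reason to look closer before the process is trusted.
Get-ProcessProvenance | Format-Table -AutoSize -Wrap
```

An explorer.exe whose path is not `%SystemRoot%\explorer.exe` or whose signature does not check out would support the "rogue version" idea raised later in the thread; a validly signed Buffalo or ASUS utility is more likely just noisy than malicious, and can be disabled from auto-start as satrow suggests.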
     
  8. majassow

    majassow Private E-2

    Thanks for the suggestions so far...
    I've killed all processes under explorer.exe (except for GoogleToolbarNotifier -- which could not be killed). Re-enabling the network causes explorer.exe I/O and excessive network bandwidth.
    I've re-booted into safe mode with networking enabled. Only 2 processes under explorer: ctfmon.exe and procexp.exe. When the network is enabled I get high activity even under safe mode.
    In safe mode, none of the suspicious executables suggested so far appear to be running. I've attached txt files of idle vs. high activity: there are no new processes when networking is enabled, and explorer appears to be the source of the high network bandwidth.

    --Michael
     
  9. satrow

    satrow Major Geek Extraordinaire

    You don't need Explorer running to continue troubleshooting: kill it and use TaskMan to kill the Google thing. If you need to run anything, use the Run menu in TaskMan; to call TaskMan from a blank screen, Ctrl+Alt+Esc.
     
  10. AtlBo

    AtlBo Major Geek Extraordinaire

    majassow...

    Funny thing. I had this exact same thing happen the other day, but it took over the processor, too. I have noticed some network activity when the browser is closed, albeit, but this was a lot, and the processor was at like 80%. Usually, it's avast doing its thing with its cloud connections. In this case, it turned out to be the GoogleUpdater. It was updating Google Chrome in the background.

    The problem went away in about 2 or 3 minutes, but it caught me off guard. Leaves me wondering if something is wrong with your GoogleUpdater...

    On Explorer.exe...there isn't anything wrong with it unless it's a rogue version that replaced your original. Don't know how a hacker would go about that. Anyway, I think network/processor usage problems when associated with explorer.exe are usually a process using it to gain access to the net...back door access sort of. Honestly, though, if it's not GoogleUpdater, I am stumped for the time being...

    Oh, one thing I just thought of. Do you have a torrent client on the affected PC? Maybe it's open?
     
