explorer.exe issue

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Runicmyst, Oct 28, 2014.

  1. Runicmyst

    Runicmyst Private E-2

    Explorer.exe (not iexplore) keeps opening a second instance of itself. I did what investigating I could on my own but am seemingly unable to stop it. It then randomly uses ALL available memory, seemingly stuck on something. I can close it via Task Manager but it opens again within 3 minutes. While investigating I discovered it was opening craptons of threads. Using a task monitor I found that it was getting stuck on
    "Flash64_13_0_0_214.ocx!DllUnregisterServer+0x6e2ac" .

    After this I updated Flash but it just kept getting stuck on the new version Flash64_XX_x_x_xxx.ocx, at which point I deleted Flash completely from my system, but the second explorer.exe process continues to start (whereas as of last week and the previous 5 years there has always only been 1 instance).

    AT THIS POINT I came on to the forums and then proceeded to follow the list of instructions. I understand that I am NOT supposed to modify anything without request on here until the thread is finished. I just wanted to point out I did this BEFOREhand.

    ALL logs were run AFTER flash was removed.

    Also, while the second explorer is still running, since I removed Flash it hasn't gone into all-memory-hog mode. However, opening "My Computer" and looking for files or searching directories seems to hang for 20 seconds or more at times; I suspect this is due to the explorer.exe issue?

    Any help would be appreciated, all logs should be below.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi and welcome. :)

    MGTools did not run to completion:

    Please click Start, Run, enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt, each followed by the Enter key. The part before the arrow is the command; the part after the arrow is merely informational.

    • cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    • nwktst <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    • GRK64 <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    • SN64 <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.

    Attach the new MGlogs.zip
     
  3. Runicmyst

    Runicmyst Private E-2

    This log is even smaller than the first. I've included the CMD log too so you can see everything there, unless that's in the zip file already, then I'll feel stupid lol.

    The only error I can see is at the very end where it says

    'find' is not recognized as an internal or external command,
    operable program or batch file.
     


  4. Runicmyst

    Runicmyst Private E-2

    Not sure if this is related or not, but my sound device (onboard) is completely missing. It's not under System Info or anything. It's just completely gone; even my USB headphones don't show up when I plug them in.
     
  5. Runicmyst

    Runicmyst Private E-2

    I rebooted and sound seems to be working again, however it only shows up as a "USB audio device" (the headphones, not the onboard sound card). It's supposed to be a C-Media CM6501 card. Perhaps my motherboard is failing, based on some of the other oddities I've been seeing over the last month or so. Anyway, I didn't mean to bump up this thread again (as I know it takes longer). I just wanted to update you since the reboot.
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now please download OTL by OldTimer.
    • Save it to your desktop.
    • Double-click on the OTL icon on your desktop to run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      drives
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  7. Runicmyst

    Runicmyst Private E-2

    This is a nice program; it's detailed. There was an extra "Extras.txt" file generated with the OTL.txt. I know you didn't ask for it, but just in case I've included it as well.
     


  8. Runicmyst

    Runicmyst Private E-2

    Random update. The second explorer.exe is randomly gone at the moment. The only thing I have done since opening this thread is restart the PC last night, because the sound drivers and any evidence of an onboard sound card, period, were completely missing. Nothing new was installed other than the instructed scanners. In fact I haven't even been using the PC; I've been doing other things and have just left it on all day. Also, looking in directories is no longer lagging like it was when the 2nd explorer.exe was in taskmgr. The PC was restarted several times during the pre-post scanner instructions listed on the forums, so a simple random 6th restart shouldn't have stopped whatever issue it was? I really hope something shows up in those logs to explain what's been happening. In the recent past, about a week prior to the original post here, I've run hardware tests, RAM tests, motherboard tests, hard drive tests, and everything comes up clean, despite the random odd behaviors. I've had no BSOD crashes, no random resets. Just posting this as an update to better help you and explain some of the symptoms.
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  10. Runicmyst

    Runicmyst Private E-2

    Computer has been fine so far today... should I reinstall Macromedia Flash and see if it returns?
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is why MGtools is not able to finish running. You are missing at least one Windows System file that should be on your PC.

    Click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.


    Be careful with plugins like FVDIEPlugin that you installed. They are known to install junkware/adware. And you do have some junkware to remove now.


    Uninstall the below programs. If you do not find them or they will not uninstall, just keep going.
    SpeeditupFree

    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.
    • Double-click OTL.exe to run. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :OTL
    ActiveX:64bit: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - 
    ActiveX:64bit: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - 
     
    :Files
    C:\Windows\Installer\{069B290F-5398-4629-A009-85B4BCB4B1B9}\Claro.ico
    C:\Windows\Installer\{069B290F-5398-4629-A009-85B4BCB4B1B9}
    c:\windows|find;true;true;true /FP
    
    :Reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{F8305D7D-CF79-465a-9003-813C6013A702}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\F092B960893592640A90584BCB4B1B9B]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\F092B960893592640A90584BCB4B1B9B]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2E4A8FA31C5CBF34AB8A9A1FEEC064D1\F092B960893592640A90584BCB4B1B9B]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\2E4A8FA31C5CBF34AB8A9A1FEEC064D1\F092B960893592640A90584BCB4B1B9B]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A9FAC99E2D8280F4482F22004D09FBA2]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AE26D37B0FFFAE4559860C5C4D938B71]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\2E4A8FA31C5CBF34AB8A9A1FEEC064D1\F092B960893592640A90584BCB4B1B9B]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A9FAC99E2D8280F4482F22004D09FBA2]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AE26D37B0FFFAE4559860C5C4D938B71]
    [-HKEY_USERS\S-1-5-21-1091476626-1820821327-2806576048-500\Software\Microsoft\Internet Explorer\Approved Extensions\{2EECD738-5844-4A99-B4B6-146BF802613B}]
    [-HKEY_USERS\S-1-5-21-1091476626-1820821327-2806576048-500\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}]
    [-HKEY_USERS\S-1-5-21-1091476626-1820821327-2806576048-500\Software\Microsoft\Internet Explorer\Approved Extensions\{98889811-442D-49DD-99D7-DC866BE87DBC}]
    [-HKEY_USERS\S-1-5-21-1091476626-1820821327-2806576048-500\Software\Microsoft\Internet Explorer\TabbedBrowsing\bProtectNewTabPageShow]
    [-HKEY_USERS\S-1-5-21-1091476626-1820821327-2806576048-500\Software\Microsoft\Internet Explorer\TabbedBrowsing\bProtectShowTabsWelcome]
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    [REBOOT]
    • Now click the Run Fix button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  12. Runicmyst

    Runicmyst Private E-2

    Sorry it took a little while, I was away for most of the weekend. There have been a few issues, nothing major, but I suspect my motherboard is starting to fail, rather than it being a virus or malware at this point in time. I haven't had any BSOD or random resets, but silly things, like sound drivers vanishing (as in, sound is working fine for 12 hours and then just stops. I look down and the speaker icon has an X over it, and it says no sound drivers installed. My sound is not a separate card, it's onboard. I also have a pair of USB headphones which won't work in this case either. Simply rebooting fixes it so far). Also Windows hangs on booting as well, but only sometimes. It will boot eventually, but it can literally take 20 mins sometimes. I previously did an sfc /scannow about 2 months ago when it first happened and it found a few orphaned files and took care of them. I ran memtest64? or whichever it was overnight and that found no issues with RAM; I've also run deep hard drive scans which have come up clean as well (this was all months ago when Windows started acting weird). My Windows restore disk for some reason does not have a repair option...? So my only choice was to format and clean install, which I wasn't quite ready to do yet.

    As for the issues here... I haven't had any more explorer.exe issues, although it is extremely odd that it vanished all on its own.
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, then perhaps you should pursue your possible hardware and/or software issues in the Software Forum. You are still missing the find.exe program for Windows, which therefore still stops MGtools from working properly.

    You can run the below to finish some junk cleaning.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Run Hitman Pro again and allow it to fix any of the Potentially Unwanted Programs it reports, assuming your trial period has not expired. Then reboot, run a new scan with Hitman Pro and attach this new log too.
     
  14. Runicmyst

    Runicmyst Private E-2

    My second explorer.exe process is randomly back out of nowhere again.
     
  15. Runicmyst

    Runicmyst Private E-2

    JRT.exe starts. Where it says push any button to start, I do. It starts a registry backup process; once that is finished it closes and nothing else happens. Entire process takes 15 seconds?
     
  16. Runicmyst

    Runicmyst Private E-2

    Another note: Norton hit me with a blocked attack attempt via the 2nd explorer.exe.

    It still isn't stopping it from using near 2 gigs of memory and locking the system up though.
    JRT.exe still won't run past the registry backup. Yes, I've right-clicked Run as admin and disabled Norton. I will try in safe mode shortly.


    Category: Intrusion Prevention
    Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
    11/5/2014 9:05:36 PM,High,An intrusion attempt by conta.uwebmasterplan.mragowo.pl was blocked.,Blocked,No Action Required,Web Attack: Exploit Toolkit Website 32,No Action Required,No Action Required,"conta.uwebmasterplan.mragowo.pl (217.23.12.174, 80)",conta.uwebmasterplan.mragowo.pl/creatives/300x250/1414700951_300x250-002.jpg,"HOME (192.168.1.5, 60842)",217.23.12.174 (217.23.12.174),"TCP, www-http"
    Network traffic from conta.uwebmasterplan.mragowo.pl/creatives/300x250/1414700951_300x250-002.jpg matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME1\WINDOWS\EXPLORER.EXE. To stop being notified for this type of traffic, in the Actions panel, click Stop Notifying Me.
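    As an added example (not from the thread, and not Norton's own tooling), here is a small Python triage script that parses the IPS export row quoted above and pulls out what a responder looks at first: the blocked host and port, the local endpoint, and the image that initiated the traffic, noting that it was explorer.exe rather than a browser. The WEB_CLIENTS set and the triage heuristics are my assumptions; the sample data is the row from the post.

```python
import csv
import io
import re
from collections import namedtuple

# Constructed sample: the category line, CSV header and the one alert row quoted in the post
# above (same values as on the page). Norton's export puts a "Category:" line before the CSV.
NORTON_IPS_EXPORT = (
    "Category: Intrusion Prevention\n"
    "Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,"
    "Action Taken,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description\n"
    "11/5/2014 9:05:36 PM,High,An intrusion attempt by conta.uwebmasterplan.mragowo.pl was blocked.,"
    "Blocked,No Action Required,Web Attack: Exploit Toolkit Website 32,No Action Required,No Action Required,"
    "\"conta.uwebmasterplan.mragowo.pl (217.23.12.174, 80)\","
    "conta.uwebmasterplan.mragowo.pl/creatives/300x250/1414700951_300x250-002.jpg,"
    "\"HOME (192.168.1.5, 60842)\",217.23.12.174 (217.23.12.174),\"TCP, www-http\"\n"
)
# The free-text detail shown under the row; the originating image path is the useful part.
NORTON_DETAIL = (
    "Network traffic from conta.uwebmasterplan.mragowo.pl/creatives/300x250/1414700951_300x250-002.jpg "
    "matches the signature of a known attack. The attack was resulted from "
    "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\EXPLORER.EXE. To stop being notified for this type of "
    "traffic, in the Actions panel, click Stop Notifying Me."
)

ENDPOINT_RE = re.compile(r"^(?P<name>\S+) \((?P<ip>[\d.]+)(?:, (?P<port>\d+))?\)$")
PROCESS_RE = re.compile(r"resulted from (?P<path>\\DEVICE\\\S+?)\.(?:\s|$)")
# Assumed list of images expected to fetch web content; explorer.exe is deliberately absent.
WEB_CLIENTS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe", "safari.exe"}

IpsAlert = namedtuple("IpsAlert", "timestamp status alert_name attacker_host attacker_ip "
                                  "attacker_port local_ip local_port")

def parse_endpoint(field):
    """Split Norton's 'host (ip, port)' or 'host (ip)' field; port is None when absent."""
    m = ENDPOINT_RE.match(field.strip())
    if not m:
        raise ValueError("unrecognised endpoint field: %r" % field)
    return m.group("name"), m.group("ip"), int(m.group("port")) if m.group("port") else None

def parse_ips_export(text):
    """Parse a Norton IPS history export into IpsAlert records."""
    body = "\n".join(ln for ln in text.splitlines() if ln and not ln.startswith("Category:"))
    alerts = []
    for row in csv.DictReader(io.StringIO(body)):
        a_host, a_ip, a_port = parse_endpoint(row["Attacking Computer"])
        _l_host, l_ip, l_port = parse_endpoint(row["Destination Address"])
        alerts.append(IpsAlert(row["Date & Time"], row["Status"], row["IPS Alert Name"],
                               a_host, a_ip, a_port, l_ip, l_port))
    return alerts

def process_from_detail(detail):
    """Pull the originating image path out of the detail text, or None if it is not there."""
    m = PROCESS_RE.search(detail)
    return m.group("path") if m else None

def triage(alert, process_path):
    """Points a responder would note about one alert (heuristics, not proof of infection)."""
    notes = []
    exe = process_path.rsplit("\\", 1)[-1].lower() if process_path else None
    if alert.alert_name.startswith("Web Attack: Exploit Toolkit"):
        notes.append("exploit-kit landing page: check browser and plugin patch levels")
    if exe and exe not in WEB_CLIENTS and alert.attacker_port in (80, 443):
        notes.append("web request originated by %s rather than a browser: inspect that process" % exe)
    if alert.status == "Blocked":
        notes.append("network-layer block only: whatever issued the request is still on the host")
    return notes

if __name__ == "__main__":
    for alert in parse_ips_export(NORTON_IPS_EXPORT):
        print(alert.timestamp, alert.attacker_host, alert.attacker_ip, alert.attacker_port)
        for note in triage(alert, process_from_detail(NORTON_DETAIL)):
            print("  -", note)
```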
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does conta.uwebmasterplan.mragowo.pl mean anything to you?

    Please download Farbar Recovery Scan Tool and save it to your Desktop.


    Note: Make sure you download the proper version (32 bit or 64 bit) for your PC. Only one will run, the correct one. So if you make a mistake and download the wrong one, go back and get the other.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
     
  18. Runicmyst

    Runicmyst Private E-2

    Specifically? No. All it tells me is some website/computer/person from Poland is the origin of whatever is going on, or part of the source. I know I have not gone to any .pl website on my own (ad redirects etc. obviously could have). The worst part of getting stuff like this is not knowing how you got it to begin with. I mean, I am not a complete noob when it comes to computers, but I am by no means advanced tier either. I'd rather know where it came from, and what I did wrong, and learn, than simply click a fix (in general I mean). Obviously this malware/virus is one of the nastiest things I've come across ever. First Poweliks, then this (I have a feeling both are connected somehow).

    I did run the sfc /scannow you mentioned earlier when you had told me to. I couldn't upload the file here though, too big?

    Here are the latest Farbar logs.
     
  19. Runicmyst

    Runicmyst Private E-2

    The attachments aren't showing up under the post, so I sent them again.
     


  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Compress it into a Zip file and attach that.

    Do you have another PC with the same version of Windows running that you can copy the missing find.exe file from?

    Please boot your PC in safe boot mode and see if you can get JRT to run.

    I see you ran FRST in safe boot mode! Why? Is it not possible to run this in normal boot mode?

    Also please uninstall the below. The first two leave you open to attacks.
    BitRaider
    BitTorrent
    FVDIEPlugin

    You can always reinstall them if really necessary after we have finished resolving your problems. But if we finish and everything is good until you reinstall these, then you know where the blame is.

    Also note that you have a crack being used in order to run MS Office. We normally remove cracks and hacks like this automatically and may even refuse to help when we see things like this.
    Task: {79FBDB34-ACF2-4826-8D92-40B8A5C2605F} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe
    Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS\AutoKMS.exe


    Download this >> View attachment fixlist.txt

    Save fixlist.txt on your Desktop. Make sure you save it as a txt file.
    • You should now have both fixlist.txt and FRST64.exe on your Desktop.
    • Now I want you to disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network ).
    • Run FRST64.exe by right clicking on it and selecting Run As Administrator
    • Click the Fix button just once and wait.
    • Your computer should reboot after the fix runs.
    • Reconnect your internet connection after reboot so you can come back here to continue.
    • The tool will make a log on the Desktop (Fixlog.txt) please attach this new log to your next reply (attach or paste)


    Now attach the below logs:
    • Fixlog.txt


    Also, please download SystemLook_x64 from one of the links below and save it to your Desktop.

    Download Mirror #1

    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      find.exe
      explorer.exe
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes awhile for this to scan thru your whole system look for matches.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.
     
    Last edited: Nov 6, 2014
  21. Runicmyst

    Runicmyst Private E-2

    I don't have another PC at home, no, just this one.

    The reason the previous logs were in safe mode is because I was attempting to run JRT in safe mode. It did the same thing as in normal mode: ran a registry backup and that was it. It auto-closed when it was done with that.

    BitRaider
    BitTorrent
    FVDIEPlugin

    These have all been uninstalled, although BitRaider is part of Star Wars / or Star Trek Online. I still removed it as requested.

    The Office crack I didn't know was even still on this PC. I only have OpenOffice at the moment, from Apache. All forms of Microsoft Office were uninstalled ages ago, unless there are remnants floating around. I do apologize about this and would have removed it prior had I known it was even still there. It's been at least a year since I've touched anything like that.

    If you wish them removed I will gladly delete them, although one looks like a registry key?

    find.exe is showing where it's supposed to? But those other entries look odd.

    As of now the second explorer.exe is launching, but something is immediately killing it on its own. I can see it pop up in taskmgr and then it vanishes immediately.
     


  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay now that I can see that your find.exe file is in place it would seem that there is an issue in your Windows PATH environment variable that prevents it from being found in batch file programs. I made a change to MGtools to try and allow for this. Let's see if it works.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista, Win7, or Win8, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below logs:

    • C:\MGlogs.zip

    Then it is probably normal. Explorer.exe is the windows shell and some processes that run can cause a temporary new explorer process to run.
     
  23. Runicmyst

    Runicmyst Private E-2

    Well, the tools ran much longer this time, although there still were a few errors...

    i.e. Path not found C:\Windows\System32\drivers\etc, which I navigated to and it is there.

    Later on it had issues with "cmd", which it was running from, so not sure on that one.
     


  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    MGtools ran properly. Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Press and hold the Windows key and then press the letter R on your keyboard. This opens the Run dialog box.
      • Copy and paste the below into the Run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    5. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    8. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  25. Runicmyst

    Runicmyst Private E-2

    The second explorer.exe is back again.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As stated earlier, it can be quite common that multiple explorer.exe processes are seen (I assume you do mean explorer.exe and not iexplore.exe??). Sometimes you may see a couple of them for a short time frame before Windows blends them together into one process.

    Also as stated this can be due to some software you are running.

    Are you actually having any real problems?
     
