C:\Windows\Explorer.exe is acting as a Virus, Windows 7

Malware I hate it with a passion! The new malware coming out these days is extremely smart. Recently, I had the opportunity or maybe misfortune of having to try to remove some malware.

The customer contacted us and said his laptop had been running very slowly the past week or two. He told us the process, explorer.exe was hogging a lot of memory, sometimes up to 4 gigabytes of it!Explorer.exe Hogging Memory I connected and began troubleshooting his problem and soon came to the conclusion that malware was definitely the culprit for making his laptop run slowly. I will list my steps and what I tried, bear with me if I’m kind of scattered. I went down a lot of dead-end streets before killing the malware.

Step One: Download Process Explorer and Process Monitor. These tools were immensely helpful in identifying what processes were using up memory and processor.

I ran Processor Explorer and soon saw the parent Explorer.exe process had a sub process hiding underneath it called Explorer.exe. Process Monitor Explorer.exeI became suspicious that the sub process explorer.exe was malicious. I right clicked on the suspicious process and selected Properties. Underneath properties I selected the TCP/IP tab, and soon noticed weird network activity. Malicious IP Addresses and WebsitesAll kinds of IP addresses and websites were being accessed underneath the process explorer.exe. Just to verify that I wasn’t going off the deep end, I went to the TCP/IP tab on the parent Explorer.exe process. There were no websites or weird IP addresses being accessed. Normal Explorer.exe ActivityI was positive I had the process the virus was using for a disguise. I watched the malicious explorer.exe process. It would randomly eat memory and processor. It would also go through the temporary internet files and try to upload them to some random server.Internet Traffic I also noticed underneath the malicious explorer.exe process there was another process called cfmon.exe .

I ran Malwarebytes and Sophos Internet Security. Malwarebytes detected a couple malicious items but nothing that was associated with the Explorer.exe virus.

I tried killing the process using Process Explorer. The process would end but would come return within 30 seconds.

Step Two: Download Autoruns. Disable anything unnecessary that is starting up.  I ran Autoruns and disabled everything that was unnecessary or that I thought may have been malicious. However, explorer.exe kept using my cpu and memory.

Microsoft Security Essentials was the antivirus software installed on the infected laptop. I opened it up and went into its history. I noticed in its history it had quarantined a couple trojans. I can’t remember what exactly they were but I remember the one had “Backdoor” in its name. I decided to do a full system scan with Microsoft Security Essentials, it didn’t pick up anything.

After studying the virus for a couple hours and trying to find the source of what was causing the infection, I was about at my wits end. I Googled the virus and tried to find some troubleshooting help but I was running dry. Then I decided to Google one of the sites that explorer.exe was uploading information to. I “Googled” s13.sinarohost.com:http. Boom! I was in luck. I found a Microsoft forum thread depicting the exact same virus. Many thanks to _Sam_  for his troubleshooting tips. From what I can tell this virus, is pretty new and most antivirus engines are not detecting this as a threat.

Since I couldn’t kill the process with Process Explorer and no antivirus engines could detect the virus I had to dig deeper. I went into C:\ProgramData and found a weird folder called {9A88E103-A20A-4EA5-8636-C73B709A5BF8} . However, there was only one file in the folder. I changed my view to show hidden files and folders.Folder & Search Options

 

Show Hidden Files

Once I enabled that view I saw a suspicious dll called rdpencom.dll. rdpencom.dllThe rdpencom.dll is actually a legit dll in Windows. However, you will find this dll underneath C:\Windows\System32 not under C:\ProgramData.  I right-clicked the rdpencom.dll and went to details. The file description said it was an Internet Connection Wizard. That was bogus, the rdpencom.dll  file description is RDPSRAPI COM Objects. The thing that really convinced me that it was a virus was the original file name. The original file name was ICWPHBK.DLL . If this was a legit dll it would have said rdpencom.dll .rdpencom.dll Details

 

When I right-clicked on the malicious explorer.exe and clicked on properties. Next I went to Threads and then Stack. Under Stack I saw the following.

ntoskrnl.exe!KeWaitForMultipleObjects+0xc0a
ntoskrnl.exe!KeAcquireSpinLockAtDpcLevel+0x732
ntoskrnl.exe!KeWaitForSingleObject+0x19f
ntoskrnl.exe!_misaligned_access+0xba4
ntoskrnl.exe!_misaligned_access+0x1821
ntoskrnl.exe!KeAcquireSpinLockAtDpcLevel+0x93d
ntoskrnl.exe!KeWaitForMultipleObjects+0x26a
ntoskrnl.exe!NtWaitForSingleObject+0x40f
ntoskrnl.exe!NtWaitForSingleObject+0x77e
ntoskrnl.exe!KeSynchronizeExecution+0x3a23
ntdll.dll!NtWaitForMultipleObjects+0xa

The two threads I highlighted in bold looked suspicious.

I needed to delete the registry keys from this virus. I went into Process Monitor and captured the computers processes and events for a couple seconds. I narrowed down the events until I found the explorer.exe process that was opening and closing the registry. I clicked jump to and it took me to the location in the registry. The location was HKEY_CURRENT_User\Software\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}. Underneath that folder I found another folder named InprocServer32. In that folder there was a registry key pointing to  C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\rdpencom.dll . I backed up the registry then deleted the whole {F6BF8414-962C-40FE-90F1-B80A7E72DB9A} registry folder.

Update 12/26/2014: Search your entire registry for references to this folder {F6BF8414-962C-40FE-90F1-B80A7E72DB9A} . Here are a couple more locations I found that had references to F6BF8414-962C-40FE-90F1-B80A7E72DB9A}. Do a backup of your registry then delete these files and folders.

HKLM\Software\Classes\Drive\shellex\FolderExtensions\ {F6BF8414-962C-40FE-90F1-B80A7E72DB9A}

HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached – Under Cached you will find a {F6BF8414-962C-40FE-90F1-B80A7E72DB9A} reference.

HKCR\Drive\ShellEx\FolderExtensions\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}

Registry Key

I then went back to the C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8} folder and tried renaming it. However, it said the action couldn’t be completed because the folder or a file was open in another program. I found this great program, called Unlocker. I browsed to the rdpencom.dll and clicked rename and then killed it. The program renamed the file and I was able to delete the folder. Once I deleted the folder I rebooted the computer.

I opened Process Explorer again and checked on the malicious explorer.exe process. The process was nowhere to be seen. I then ran ccleaner to clean the registry for any residual files. I ran Malwarebytes and Kaspersky. Malwarebytes found one object and Kaspersky came back clear. After monitoring the laptop for a little, I believe I got the whole virus removed.

I hope these tips point you in the right direction. Please let me know if you have any other tips on how to remove this malware. I will update this post if I find more troubleshooting tips. Best of luck!

Here is a site or two that may help you if my following tips didn’t remove the virus. Malwarebytes Forum ; Microsoft Thread

Update: 12/26/2014

According to Tigzy on Twitter on December 17, he said Rogue Killer will be able to remove this virus by December 25th. I haven’t tried it myself but it may be worth a try if you can’t manually remove the virus. Please be advised, do this at your own risk.

Also according to Tigzy, the malware we are trying to remove is Rozena (Trojan.Wind64.Rozena).

This was posted by techspeeder.

 

 

15 thoughts on “C:\Windows\Explorer.exe is acting as a Virus, Windows 7

  1. Kurt

    Hey, nice write up. I just went through the same thing. Norton Power Eraser was the only program that detected and removed the issue. It also removed some firewall rule entries that had apparently been added by the malicious code.

    Reply
  2. alex l

    THANK YOU THANK YOU THANK YOU!! I’ve spent HOURS trying to get rid if this thing, identified hidden folder and registry but wasn’t able to delete neither myself. Until you pointed to the unlocking app – amazing tool. thanks again for great post! -alex

    Reply
  3. Matthew

    I’m still having issues, seems to be the exact same thing. However, I have no rdpencom.dll. I did do the steps after and that’s all the same, just not rdpencom.dll. Any ideas?

    Reply
    1. Merlin Halteman Post author

      Hello Matthew, I just updated my article a little tonight. Please take a look at the additional troubleshooting tips I submitted. According to this forum post on Malwarebytes, you malicious dll could be named umpo.dll instead. I hope this helps.

      Reply
  4. Alex Romp

    We noticed a single user on a terminal server having this issue at one client site. I was to the point of manually combing through the registry when I stumbled upon your article. In our case it was on a Citrix XenApp server and the file was named shdocvw.dll.

    THANK YOU for this write-up.

    Reply
  5. Pingback: Tips to Identify and Remove Poweliks Virus | techspeeder

  6. Rob Shore

    Hey – I was having the exact same problem. My file was also not called rpdencom.dll – I forgot what it was, but it was also a valid windows file, but in the wrong location and had a different original file name. And the files were in the same hidden directory in programdata.

    Anyway, I followed your steps and it worked perfectly. I don’t even know how long I’ve had this problem, but I can’t remember when my computer worked as well as it does now.

    I can’t thank you enough. This article was brilliant.

    Reply
  7. Tyler

    Had a client that has DSL with a max 767kbps upload. Sporadically the internet would seem to halt. Traceroutes and ping test indicated that it was the DSL dropping. Att found no issues. Customer also stated that when this happened she was also having quickbook and data access issues to and from the server.

    Remoted into her pc and discovered MASSIVE incomming/outgoing tcp connections being initiated from explorer.exe. Found a few sights that pointed me towards c:/programdata. Looked in there and found a alphabetsoup file that had a d3d10.dll (assuming this is directx) that identified it self as part of Microsoft IIS. Looked in regedit for that alphabet soup name and found an entry where inprocserver32 was calling that file. Did some searching on google and found your post. Was able to run unlocker and rename the file then deleted it. Manually deleted the entries from regedit (after backup ofcourse) then rebooted. File was gone and system has thus been back to normal. Ran malwarebytes and found other unsignificant entries (over 2000).

    Probably never would have even known the issue was there had they not had really crappy DSL.

    Good show my man. A+

    Reply
  8. Peter

    Thank you so much, been reading up on this and have had nothing but suggestions that it was a completely normal process or that deleting your temp folder would work.

    After following your method malwarebytes found a fake trojan called FntCache.dll instead of your rdpencom.dll.

    I love it when people are able to get one up on malware. You are a life saver and a genious, thanks again.

    Reply
    1. Peter

      Just gonna add some more detail in case this helps future readers.

      I first noticed this through Comodo when I saw explorer.exe sending in/out small packages of data (66B and most of it out-going) that made me suspicious. Before reading this guide i was using Comodo Killswitch instead of Process Explorer/Monitor, which showed a child program of explorer.exe called explorer.exe. The child version was using up to 800MB of memory, whereas Task Manager showed it only using approx 200MB, and around 5-10% of my CPU.

      First response, Kill and Block process: Access Denied Seek Admin Assistance/Permission (I am the admin and only user).

      Tried other things, “Set priority”, “Properties”, “Delete” all came up with Access denied.

      Then tried “Terminate Tree and Reverse” Surprisingly this was allowed, it brought the explorer.exe down to 17MB mem usage (it then began climbing again) and it also revealed the child process cfmon.exe (Mentioned in your guide).

      Poked around with this new process, couldn’t figure out what to do next. Whacked it into google along with exploere.exe and high mem usage and found this page. Followed steps and both child programs are gone.

      Reply
      1. Merlin Halteman Post author

        Peter,

        Thanks for taking time to relate your story and troubleshooting tips. I’m sure someone will find this comment very useful! It is very encouraging to me, as the author when readers comment, thanks again!

        Reply
  9. taylor

    One of our explorer.exe is 1,153,172 K in memory. We do have a folder called C:\ProgramData\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A} but it has no hidden URL’s. We have tried MSSE and Avast already. We do not have any of the above registry entries in the solution posted above. We also don’t have any duplicate .dlls of the names listed above. Any suggestions?

    Reply
    1. Merlin Halteman Post author

      Hello Taylor, thanks for submitting a comment. I have had good success removing malware using RogueKiller. Try running that program and let me know your results.

      Reply
  10. noypi

    Thank you; the manual deletion of {F6BF8414-962C-40FE-90F1-B80A7E72DB9A} registry keys as well as of the folder worked for me.

    Reply

Leave a Reply