The customer contacted us and said his laptop had been running very slowly the past week or two. He told us the process, explorer.exe was hogging a lot of memory, sometimes up to 4 gigabytes of it! I connected and began troubleshooting his problem and soon came to the conclusion that malware was definitely the culprit for making his laptop run slowly. I will list my steps and what I tried, bear with me if I’m kind of scattered. I went down a lot of dead-end streets before killing the malware.

Step One: Download Process Explorer and Process Monitor. These tools were immensely helpful in identifying what processes were using up memory and processor.

I ran Processor Explorer and soon saw the parent Explorer.exe process had a sub process hiding underneath it called Explorer.exe. I became suspicious that the sub process explorer.exe was malicious. I right clicked on the suspicious process and selected Properties. Underneath properties I selected the TCP/IP tab, and soon noticed weird network activity. All kinds of IP addresses and websites were being accessed underneath the process explorer.exe. Just to verify that I wasn’t going off the deep end, I went to the TCP/IP tab on the parent Explorer.exe process. There were no websites or weird IP addresses being accessed. I was positive I had the process the virus was using for a disguise. I watched the malicious explorer.exe process. It would randomly eat memory and processor. It would also go through the temporary internet files and try to upload them to some random server. I also noticed underneath the malicious explorer.exe process there was another process called cfmon.exe .

I ran Malwarebytes and Sophos Internet Security. Malwarebytes detected a couple malicious items but nothing that was associated with the Explorer.exe virus.

I tried killing the process using Process Explorer. The process would end but would come return within 30 seconds.

Step Two: Download Autoruns. Disable anything unnecessary that is starting up.  I ran Autoruns and disabled everything that was unnecessary or that I thought may have been malicious. However, explorer.exe kept using my cpu and memory.

Microsoft Security Essentials was the antivirus software installed on the infected laptop. I opened it up and went into its history. I noticed in its history it had quarantined a couple trojans. I can’t remember what exactly they were but I remember the one had “Backdoor” in its name. I decided to do a full system scan with Microsoft Security Essentials, it didn’t pick up anything.

After studying the virus for a couple hours and trying to find the source of what was causing the infection, I was about at my wits end. I Googled the virus and tried to find some troubleshooting help but I was running dry. Then I decided to Google one of the sites that explorer.exe was uploading information to. I “Googled” s13.sinarohost.com:http. Boom! I was in luck. I found a Microsoft forum thread depicting the exact same virus. Many thanks to _Sam_  for his troubleshooting tips. From what I can tell this virus, is pretty new and most antivirus engines are not detecting this as a threat.

Since I couldn’t kill the process with Process Explorer and no antivirus engines could detect the virus I had to dig deeper. I went into C:\ProgramData and found a weird folder called {9A88E103-A20A-4EA5-8636-C73B709A5BF8} . However, there was only one file in the folder. I changed my view to show hidden files and folders.

Once I enabled that view I saw a suspicious dll called rdpencom.dll. The rdpencom.dll is actually a legit dll in Windows. However, you will find this dll underneath C:\Windows\System32 not under C:\ProgramData.  I right-clicked the rdpencom.dll and went to details. The file description said it was an Internet Connection Wizard. That was bogus, the rdpencom.dll  file description is RDPSRAPI COM Objects. The thing that really convinced me that it was a virus was the original file name. The original file name was ICWPHBK.DLL . If this was a legit dll it would have said rdpencom.dll .

When I right-clicked on the malicious explorer.exe and clicked on properties. Next I went to Threads and then Stack. Under Stack I saw the following.

ntoskrnl.exe!KeWaitForMultipleObjects+0xc0a
ntoskrnl.exe!KeAcquireSpinLockAtDpcLevel+0x732
ntoskrnl.exe!KeWaitForSingleObject+0x19f
ntoskrnl.exe!_misaligned_access+0xba4
ntoskrnl.exe!_misaligned_access+0x1821
ntoskrnl.exe!KeAcquireSpinLockAtDpcLevel+0x93d
ntoskrnl.exe!KeWaitForMultipleObjects+0x26a
ntoskrnl.exe!NtWaitForSingleObject+0x40f
ntoskrnl.exe!NtWaitForSingleObject+0x77e
ntoskrnl.exe!KeSynchronizeExecution+0x3a23
ntdll.dll!NtWaitForMultipleObjects+0xa

The two threads I highlighted in bold looked suspicious.

I needed to delete the registry keys from this virus. I went into Process Monitor and captured the computers processes and events for a couple seconds. I narrowed down the events until I found the explorer.exe process that was opening and closing the registry. I clicked jump to and it took me to the location in the registry. The location was HKEY_CURRENT_User\Software\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}. Underneath that folder I found another folder named InprocServer32. In that folder there was a registry key pointing to  C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\rdpencom.dll . I backed up the registry then deleted the whole {F6BF8414-962C-40FE-90F1-B80A7E72DB9A} registry folder.

Update 12/26/2014: Search your entire registry for references to this folder {F6BF8414-962C-40FE-90F1-B80A7E72DB9A} . Here are a couple more locations I found that had references to F6BF8414-962C-40FE-90F1-B80A7E72DB9A}. Do a backup of your registry then delete these files and folders.

HKLM\Software\Classes\Drive\shellex\FolderExtensions\ {F6BF8414-962C-40FE-90F1-B80A7E72DB9A}

HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached – Under Cached you will find a {F6BF8414-962C-40FE-90F1-B80A7E72DB9A} reference.

HKCR\Drive\ShellEx\FolderExtensions\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}

I then went back to the C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8} folder and tried renaming it. However, it said the action couldn’t be completed because the folder or a file was open in another program. I found this great program, called Unlocker. I browsed to the rdpencom.dll and clicked rename and then killed it. The program renamed the file and I was able to delete the folder. Once I deleted the folder I rebooted the computer.

I opened Process Explorer again and checked on the malicious explorer.exe process. The process was nowhere to be seen. I then ran ccleaner to clean the registry for any residual files. I ran Malwarebytes and Kaspersky. Malwarebytes found one object and Kaspersky came back clear. After monitoring the laptop for a little, I believe I got the whole virus removed.

I hope these tips point you in the right direction. Please let me know if you have any other tips on how to remove this malware. I will update this post if I find more troubleshooting tips. Best of luck!

Here is a site or two that may help you if my following tips didn’t remove the virus. Malwarebytes Forum ; Microsoft Thread

Update: 12/26/2014

According to Tigzy on Twitter on December 17, he said Rogue Killer will be able to remove this virus by December 25th. I haven’t tried it myself but it may be worth a try if you can’t manually remove the virus. Please be advised, do this at your own risk.

Also according to Tigzy, the malware we are trying to remove is Rozena (Trojan.Wind64.Rozena).

This was posted by techspeeder.