remove virus causing explorer.exe to use 100% CPU

jpattdc

Honorable
Jan 21, 2014
My explorer.exe keeps multiplying and using 100% of my CPU. I used Malwarebytes in safe mode and got rid of everything it found. I used HijackThis and removed the bad stuff. I used Kaspersky rescue10, booting up from my CD, and cleaned my hard drive from 1 virus. I used AVG antivirus which told me my drive was clean. Yet something is causing my explorer.exe file to go crazy. Help, anyone.....
 

Tradesman1

Legenda in Aeternum
In safe mode, try going to the Command Prompt as administrator and run system file check: at the command prompt type SFC /SCANNOW and hit Enter. It will check the Windows files and replace any that are corrupt or changed from what they should be.
 

Darkhorse0428

Honorable
Jan 24, 2014


I have now had 2 computers with the same issue at work. Actions taken were a virus scan in safe mode. The computers were in fact infected and then cleaned, as well as all temp files other than what Windows advises to skip. Upon reboot, the explorer.exe will have multiple instances running and eating up close to 100% of the CPU, and at times using more than 2 GB of RAM. If I took the computers off the network (aka no internet) and rebooted, the issue wouldn't happen. I might have 2 explorer.exe running with no more than 2 percent CPU usage. If I put it back on the network and internet and rebooted, boom, within minutes 4 or more explorer.exe would be running in the task manager, and CPU and memory usage was through the roof. I am still searching for a solution or fix.
 

Darkhorse0428

Honorable
Jan 24, 2014
Done, twice in fact. The first cleaned out infected files, and the second confirmed that it was now clean. I found this link helpful: http://netwanlan.com/2012/03/27/explorer-exe-corrupted-or-infected/ I actually found an iexplorer.exe registry key where it shouldn't have been, but this issue is still ongoing.
 

super7g

Reputable
Mar 16, 2014
Darkhorse, I had the same exact problem, which took me hours to finally find the solution. Try running Kaspersky Anti-Virus, even just the trial version. It should take care of the problem. I tried maybe 4-5 different anti-virus programs and none of them worked except Kaspersky.
 

supasieu

Reputable
Mar 10, 2014
Is your Windows up-to-date?
Check your Windows Startup in msconfig or use CCleaner.

Check your registry: Start > Run, type regedit, and navigate to the following hive:
HKEY_CLASSES_ROOT\SystemFileAssociations\.avi\shellex\PropertyHandler

Also, try other virus/adware removal tools:
Adware-Removal-Tool 3.8 http://www.techsupportall.com/tools/
AdwCleaner, Rkill, TDSSKiller
HitmanPro
spybot-2.2
AVAST
SUPERAntiSpyware


 

DANGERRUSS

Reputable
Apr 17, 2014


Here's how you fix it... I'd get over 50 explorer.exe's rear their ugly heads on occasion... and my c.p.u would be at 100%. It sounded like my computer was going to blow up!! Out of frustration I went to regedit and typed in the 'find' search box found in the 'edit' drop down menu, and started deleting whichever one popped up and BAM!! AFTER ABOUT THE 6TH SEARCH the c.p.u went to 99% to the good and my once slow computer (a Dell Inspiron 530 desktop) runs as efficient as can be. I know what someone is going to say.. "That I had a virus".. nope, I ran the bought and paid for version of Malwarebytes, then deleted it and ran Windows Defender and nothing came up on either. It did take a while to delete the explorers because I had to open each entry and change permissions for every sub-entry (and I went ahead even after things were better and deleted every instance of explorer.exe and iexplore.exe; I also typed both in the find search box without the ".exe" to make sure everything with the explorer name got deleted). Sure, they say it's risky messing with your regeditor but sometimes a little gamble has a big payoff!!!... DANGER-RUSS
 

gimr

Reputable
Apr 28, 2014
I have the same issue. I did the Malwarebytes fix in safe mode and it did not fix the problem. This is most definitely a virus. I know this because I moved two image files into Dropbox and within minutes my other laptop jumped to 100% memory use also.
 

joeldb

Reputable
Jun 8, 2014

This worked for me, thanks Samtt. TDSSkiller was a quick final solution. I had tried many other options, scans, virus detections including AVG and Malware Bytes. My wife's computer was running 5+ iexplorer.exe (then explorer.exe when I deleted all ie files/folders) tasks and using as much memory and cpu as available. But only when connected to the internet.

It seems like this may not be the one solution for everyone, as various forums and threads seemed to have similar symptoms with different solutions.
 

arlhts11

Reputable
Jul 22, 2014


Thank you. I had to try it 5 times, because it kept crashing, but eventually TDSSkiller found the virus.
 

PoonHound

Reputable
Aug 20, 2014
TDSS Killer worked for me as well. Tried many many different virus scanners offline and regular that did not find and kill it. The infection turned out to be Rootkit.Boot.Cidox.b
 

Darkhorse0428

Honorable
Jan 24, 2014


Sorry I haven't gotten back in a while, but this solution was spot on. It did find one more thing that the other scans missed or didn't get. TDSSKiller worked.
 

Old XPer

Reputable
Dec 6, 2014
Another solution:

The copy of explorer.exe in the Windows directory is corrupt. Get a good copy from a clean machine and put it on a floppy or CD. Go into the Windows repair console during bootup and delete the corrupt copy on the hard drive. Copy the clean file to the Windows directory and you should be good.
I had the same problem on this machine and finally fixed it today using the above solution.

Good luck
 

oddie121

Reputable
Dec 12, 2014
Norton Power Eraser is what helped solve my particular issue.

This article helped point me in the correct direction - http://www.solutionary.com/resource-center/blog/2012/12/hunting-malware-with-memory-analysis/

After searching on Shylock Trojan an article pointed me to Norton Power Eraser https://security.symantec.com/nbrt/npe.aspx?lcid=1033 or Microsoft Security Scanner http://www.microsoft.com/security/scanner/en-us/default.aspx

After running Norton Power Eraser it found p2pcollab.dll to be malware and not in the correct location. I found it to not be in the correct location upon doing searches for the file location on a known good machine and Google.

I did have to uncheck a bunch of the files above that were known "good" files. They were a part of a business program. I did this by clicking on each name under "risk" and reviewing the file location and what it thought the threat was. I left the AVG ones to remove as they were in the temp location and didn't seem to be doing any harm. Upon the removal it stated that it failed to remove the p2pcollab.dll, but upon inspecting further it simply failed to remove a couple of entries after the reboot.
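The location check described in the post above, as an added example that is not part of the thread: it takes a listing of full file paths and flags system-named files sitting outside their usual directory, plus near-miss names such as the `iexplorer.exe` mentioned earlier. The expected directories and the sample listing are assumptions constructed for illustration; confirm them against a known-good machine.

```python
import difflib
import ntpath

# Assumed expected directories (not from the thread); confirm on a known-good machine.
EXPECTED = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "iexplore.exe": {r"c:\program files\internet explorer",
                     r"c:\program files (x86)\internet explorer"},
    "p2pcollab.dll": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

def triage(paths):
    """Return (path, reason) for system-named files in odd places or with look-alike names."""
    findings = []
    for path in paths:
        folder, name = ntpath.split(path.strip().lower())
        if name in EXPECTED:
            if folder not in EXPECTED[name]:
                findings.append((path, f"{name} outside expected directory"))
            continue
        # A name that is almost, but not exactly, a known system file name.
        near = difflib.get_close_matches(name, list(EXPECTED), n=1, cutoff=0.9)
        if near:
            findings.append((path, f"look-alike of {near[0]}"))
    return findings

# Constructed sample listing (not taken from any poster's machine).
SAMPLE = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\p2pcollab.dll",
    r"C:\Users\Public\AppData\p2pcollab.dll",
    r"C:\Windows\System32\iexplorer.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE):
        print(f"{reason}: {path}")
```

A hit is a lead to review, not a verdict, in the same way the poster reviewed each flagged file's location before removing it.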
 

quicksilverz

Reputable
Dec 19, 2014
Just wanted to pass my experience along. I got hit with this same problem. A second copy of explorer.exe would start up soon after boot up. It would then multiply until it consumed all of my RAM. I tried my antivirus programs, AVG, and ran Malware with no luck. Downloaded Kaspersky TDSSKiller and it found nothing. However, Norton Power Eraser found the problem and fixed it on the first pass. Thanks to the guy who posted this above.
 

deafelvis

Reputable
Dec 24, 2014


As a last resort, I ran combofix, killed C:\programData\ntuser.pol, and that may have been the piece not detected by some of the other tools.
Good Luck
 

tekwiz

Distinguished
Nov 11, 2010
Combofix is excellent in removing rootkits. I used it a couple of times years ago and it worked like a charm! I guess there is more than one type of exploit that targets the explorer.exe process. I had this problem earlier this month. In my case the PC I was trying to fix was creating at least one more explorer.exe which ate up all available memory pretty quickly and started displaying large ads covering the desktop. (It would create even more explorer.exe sometimes.) It basically made the whole desktop background a giant ad display, like webpages with a bunch of "useful" links and banner ads changing every few seconds. Sometimes the background would turn just white for a while before the ads showed up. The computer became very slow and unusable. It was possible to close the explorer.exe with task manager but it kept returning within seconds if I didn't end the legitimate explorer.exe as well, which makes it hard to download software to fix the problem, but it's possible to restart "explorer.exe" from the task manager file, new task run menu. It was a pain though. I was fixing it remotely which made it more annoying too.

I was sure it must be a rootkit since system restore didn't solve the problem. Malwarebytes, the gold standard in malware removal, came up with nothing. I think this rootkit can hide for a while before it starts going crazy with the ad displays. The computer was infected a month earlier and I thought I had cleaned it using system restore and Malwarebytes.

So after reading the above posts I decided to try Kaspersky TDSSKiller.exe Rootkit remover. I managed to run it and was delighted when it found a BOOT SECTOR virus "Rootkit.Boot.Cidox.b"! It removed it with no problem, and the problem was solved. No wonder no standard tools find anything, since this type of exploit writes itself onto the HD's boot sector, and that's not a file that can be scanned. In fact, I think that even re-installing Windows without rewriting the boot sector would leave this exploit intact.
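The point in the post above, that boot-sector code lives outside the file system, as an added example that is not part of the thread: a check that reads a raw disk image, hashes the MBR boot code and the first sector of each partition, and reports which regions differ from a baseline taken when the disk was known to be clean. The image layout and byte values are constructed; only the first sector of each partition is covered.

```python
import hashlib
import struct

SECTOR = 512

def read_sector(image: bytes, lba: int) -> bytes:
    data = image[lba * SECTOR:(lba + 1) * SECTOR]
    if len(data) != SECTOR or data[510:512] != b"\x55\xaa":
        raise ValueError(f"sector {lba}: short read or missing 0x55AA signature")
    return data

def boot_hashes(image: bytes) -> dict:
    """SHA-256 of the MBR boot code and of each partition's first sector (VBR)."""
    mbr = read_sector(image, 0)
    hashes = {"mbr_code": hashlib.sha256(mbr[:440]).hexdigest()}
    for i in range(4):                      # four 16-byte partition entries at offset 446
        entry = mbr[446 + 16 * i:462 + 16 * i]
        ptype = entry[4]
        lba_start = struct.unpack_from("<I", entry, 8)[0]
        if ptype:                           # type 0 marks an unused slot
            vbr = read_sector(image, lba_start)
            hashes[f"vbr_p{i}"] = hashlib.sha256(vbr).hexdigest()
    return hashes

def changed_regions(image: bytes, baseline: dict) -> list:
    """Names of boot regions whose hash differs from, or is missing in, the baseline."""
    current = boot_hashes(image)
    keys = current.keys() | baseline.keys()
    return sorted(k for k in keys if current.get(k) != baseline.get(k))

def build_sample_image(vbr_code: bytes = b"\x90" * 64) -> bytes:
    """Constructed 4-sector image: MBR plus one NTFS-type partition at LBA 2."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2, 2)
    mbr = (b"\xfa" * 440).ljust(446, b"\0") + entry + b"\0" * 48 + b"\x55\xaa"
    vbr = (b"\xeb\x52\x90NTFS    " + vbr_code).ljust(510, b"\0") + b"\x55\xaa"
    return mbr + b"\0" * SECTOR + vbr + b"\0" * SECTOR

if __name__ == "__main__":
    baseline = boot_hashes(build_sample_image())
    altered = build_sample_image(vbr_code=b"\xcc" * 64)   # constructed change to VBR code
    print("changed:", changed_regions(altered, baseline))
```

Take the image from rescue media rather than the running system, since boot-sector malware that is already active can interfere with reads of the sectors it occupies.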