

Explorer.exe using 1.2gb of RAM when plugged into the network.



#1 hellbringer616

hellbringer616

  • Members
  • 48 posts

Posted 15 October 2013 - 10:46 AM

I am having a baffling issue that has to be virus related. However, MBAM, MBAR, SUPERAntiSpyware, and RogueKiller all come back clean; RKill doesn't detect the explorers as viruses to close them out either.

 

Basically, the issue is that when plugged into the network, only explorer.exe seems to load multiple instances of itself and begins to consume RAM and CPU cycles. Within 5 minutes I have 7 or 8 explorer.exes in Task Manager, ranging from 1.2 GB consumed down to as low as 22 MB (which I'm guessing is the real one).

 

Now I've scanned with the above software and found nothing. When digging through the %appdata%/local/temp folder I find a few files with random names, always beginning with ~ and ending in .dat, then two folders I cannot delete or open unless I take ownership of them, with random 5- or 6-letter names. Deleting them does nothing, as they just come back. So I am guessing it's a rootkit; however, it goes undetected by MBAR, MBAM, RogueKiller, and TDSSKiller. So, to be frank, I am stuck.

 

As per the normal regulations I've not run ComboFix yet. The logs have nothing useful in them (that I am aware of), so I've not attached them to this post; if needed, however, I will be more than happy to respond with them.
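The symptoms above (several explorer.exe processes with widely different working sets, plus ~*.dat files and short random-named folders in the per-user Temp directory that cannot be opened without taking ownership) can be triaged with the script below. It is an added example written for this thread, not something the poster ran, and it only collects evidence; it removes nothing. It assumes an elevated PowerShell session on the affected machine, that the legitimate shell lives at %WINDIR%\explorer.exe, and that the folder names the poster describes match five or six lowercase letters (a guess based on the post, adjust the regex to what you actually see).

```powershell
# Added triage script for the explorer.exe / Temp-folder symptoms in the post above.
# Not from the original thread. Run in an elevated PowerShell prompt on the affected PC.
# It reports; it does not delete or kill anything.

# --- 1. Every explorer.exe: path, signature, parent, working set ---------------------
$byPid = @{}
Get-CimInstance Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }

# Assumption: the real shell is %WINDIR%\explorer.exe (normally C:\Windows\explorer.exe).
$expectedPath = Join-Path $env:WINDIR 'explorer.exe'

$report = foreach ($p in (Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'")) {
    $parent = $byPid[[int]$p.ParentProcessId]
    $sig = 'n/a'
    if ($p.ExecutablePath) {
        # Authenticode status of the image on disk; a valid Microsoft signature does not
        # rule out code injected into the process, but an unsigned/odd path is a red flag.
        $sig = (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
    }
    [pscustomobject]@{
        PID          = $p.ProcessId
        Started      = $p.CreationDate
        WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
        Path         = $p.ExecutablePath
        PathOK       = ($p.ExecutablePath -ieq $expectedPath)
        Signature    = $sig
        ParentPID    = $p.ParentProcessId
        # The shell started at logon usually shows '<exited>' because userinit.exe is gone;
        # extra explorer.exe windows spawned by the shell itself show 'explorer.exe'.
        Parent       = if ($parent) { $parent.Name } else { '<exited>' }
        CommandLine  = $p.CommandLine
    }
}
"== explorer.exe instances (largest working set first) =="
$report | Sort-Object WorkingSetMB -Descending | Format-Table -AutoSize

# --- 2. Suspicious items in the per-user Temp directory ------------------------------
# $env:TEMP is normally %LOCALAPPDATA%\Temp, the folder the poster looked in.
$temp = $env:TEMP
$items = Get-ChildItem -LiteralPath $temp -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Name -like '~*.dat') -or
        # Assumption: the undeletable folders are 5-6 lowercase letters; tune to taste.
        ($_.PSIsContainer -and $_.Name -match '^[a-z]{5,6}$')
    } |
    ForEach-Object {
        # Owner is read from the DACL; if even that is denied, note it. The poster had to
        # take ownership before the folders could be opened, so '<access denied>' here
        # is itself a finding for a folder under your own profile.
        $owner = '<access denied>'
        try { $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner } catch { }
        [pscustomobject]@{
            Name     = $_.Name
            IsDir    = $_.PSIsContainer
            Modified = $_.LastWriteTime
            Owner    = $owner
            SizeKB   = if ($_.PSIsContainer) { $null } else { [math]::Round($_.Length / 1KB, 1) }
        }
    }
"== matching items in $temp =="
$items | Format-Table -AutoSize
```

Run it once on the wired network and once unplugged, and compare: the instance whose working set climbs, whose path or signature differs from the rest, or whose parent is something other than the shell or an exited userinit.exe is the one to capture (for example with a full process dump) before any cleanup tool is run, since that evidence disappears once the process is killed. Paste the two tables into a reply rather than the raw scanner logs; they answer the questions a helper would otherwise have to ask.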




#2 hellbringer616

hellbringer616
  • Topic Starter

  • Members
  • 48 posts

Posted 17 October 2013 - 09:05 AM

Well, good news and bad. I've done some research and it turns out this is Rovnix.L. I can find removal instructions for Rovnix.D, but those instructions don't have any effect...

 

Any ideas?





