Explorer.exe processes leak memory, handles, and CPU


16 replies to this topic

#1 captainsiberia

captainsiberia

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 01 March 2014 - 04:42 PM

Ever since yesterday, I get instances of Explorer.exe randomly generating and sucking up CPU cycles, memory, and handles. I don't know where it's coming from. But it seems that a couple instances of ctfmon.exe always appear before it happens. I've run AVG, Spybot, and MBAM to try to track this down. I've tried starting the system with only Microsoft services. I'm no closer to a solution.

I can't troubleshoot this one on my own. Help.

Windows 7 64 bit, Gigabyte motherboard.

HJT log included. Mod Edit:  Removed HJT log, not used in this forum, not allowed, not needed for system issues - Hamluis.


Edited by hamluis, 02 March 2014 - 09:51 AM.



#2 Alex&Vanko

Alex&Vanko

  • Banned
  • 1,394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:28 PM

Posted 01 March 2014 - 04:59 PM

Download Anvir Task Manager free portable if you don't want to install it - http://www.anvir.com/download.htm

Unzip it and double click on the Anvir icon. It will start the application. Click on the tab - Processes. Select one of these randomly generating instances and with right click choose the option check online. A webpage from VirusTotal will be opened. Post the link of this page.


Edited by Alex&Vanko, 01 March 2014 - 05:00 PM.


#3 captainsiberia


Posted 01 March 2014 - 05:16 PM

It's clean. https://www.virustotal.com/en/file/6bed1a3a956a859ef4420feb2466c040800eaf01ef53214ef9dab53aeff1cff0/analysis/



#4 Alex&Vanko


Posted 01 March 2014 - 05:20 PM

Download Minitoolbox - http://www.bleepingcomputer.com/download/minitoolbox/

Start the application, set ticks everywhere, and click the GO button. After scanning is over a log will appear. Save and attach it here.



#5 captainsiberia


Posted 01 March 2014 - 06:00 PM

Here.

Attached Files



#6 Alex&Vanko


Posted 01 March 2014 - 06:30 PM

C:\Windows\SysWOW64\mswsock.dll

Go here in drive C:, open the folder Windows, after that SysWOW64, and find this file mswsock.dll

You can manually upload it to VirusTotal.

https://www.virustotal.com/

You have too much software installed on your computer. Incompatible software also may reflect on your system stability, and explorer.exe is one of the indicators when a conflict is there.



#7 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,030 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:07:28 AM

Posted 01 March 2014 - 07:20 PM

Please download AdwCleaner and run it.
 
An image like the one below will open, click on Scan.
 
adwcleaner11_zps48314883.png
 
Once the search is complete a list of the pending items will be displayed.  If you see any which you do not want removed, remove the check mark next to it.  
 
Click on Clean to remove the selected items.  
 
You will receive a message telling you that all programs will be closed so that the infections can be removed.  Click on Ok.
 
When the cleaning process is complete a log of what was removed will be presented.  Please copy and then paste this log in your next post.
 
 

Please download Junkware Removal Tool.
 
Open your browser and go to Downloads, then click on the Junkware Removal Tool to install it.  
 
Click on Run to initiate the installation.
 
To avoid potential conflicts, temporarily disable your antivirus and firewall.  You will want to be offline when you do this.
 
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select Run as Administrator.
 
The tool will open and start scanning your system.
 
Please be patient as this can take a while to complete depending on your system's specifications.
 
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.  Copy this and then post it in your topic.
 
 
 
Double click on the download and choose to run the program.
 
A screen similar to the one below will open, click any key to run the program.
 
securitycheck_zpscfb86945.png
 
When the scan is finished there will be a log, copy and then paste your log in your next post.

Edited by dc3, 01 March 2014 - 07:21 PM.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#8 dc3


Posted 01 March 2014 - 07:23 PM

If you have a memory leak you should be able to find it using the Task Manager.  Look at processes and look specifically for a process or service continually growing its use of resources.


Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.
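
A scripted form of the Task Manager check suggested in the post above, as an added example that is not part of the original thread: it samples every running explorer.exe and reports which instances keep growing in handles or working set, and whether each runs from an expected Windows path. The function names, sample count and interval are assumptions; Get-WmiObject is used so the script runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the thread). Function names and defaults are assumptions.
function Test-Growing($values) {
    # True when the series never drops and ends higher than it started.
    for ($k = 1; $k -lt $values.Count; $k++) {
        if ($values[$k] -lt $values[$k - 1]) { return $false }
    }
    return (($values.Count -gt 1) -and ($values[-1] -gt $values[0]))
}

function Watch-ExplorerGrowth {
    param([int]$Samples = 6, [int]$IntervalSeconds = 10)

    $history = @{}   # process id -> array of Win32_Process snapshots
    for ($i = 0; $i -lt $Samples; $i++) {
        # @() keeps the loop safe when the query returns nothing
        foreach ($p in @(Get-WmiObject Win32_Process -Filter "Name='explorer.exe'")) {
            $id = [int]$p.ProcessId
            if (-not $history.ContainsKey($id)) { $history[$id] = @() }
            $history[$id] += $p
        }
        if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }

    # The shell runs from %windir%; on 64-bit Windows a 32-bit copy is in SysWOW64.
    $expected = @((Join-Path $env:windir 'explorer.exe'),
                  (Join-Path $env:windir 'SysWOW64\explorer.exe'))

    foreach ($id in $history.Keys) {
        $snaps   = $history[$id]
        $handles = @($snaps | ForEach-Object { $_.HandleCount })
        $memory  = @($snaps | ForEach-Object { $_.WorkingSetSize })
        $path    = $snaps[-1].ExecutablePath   # empty if the query lacks rights
        New-Object PSObject -Property @{
            PID            = $id
            ParentPID      = $snaps[-1].ParentProcessId
            Seen           = $snaps.Count   # below $Samples: started or exited mid-run
            Path           = $path
            ExpectedPath   = ($expected -contains $path)
            HandlesFirst   = $handles[0]
            HandlesLast    = $handles[-1]
            HandlesGrowing = (Test-Growing $handles)
            WorkingSetMB   = [math]::Round($memory[-1] / 1MB, 1)
            MemoryGrowing  = (Test-Growing $memory)
        } | Select-Object PID, ParentPID, Seen, Path, ExpectedPath, HandlesFirst,
                          HandlesLast, HandlesGrowing, WorkingSetMB, MemoryGrowing
    }
}

Watch-ExplorerGrowth | Format-Table -AutoSize
```

A clean VirusTotal result for the file on disk does not cover code injected into the running process, so an instance at the expected path that still grows steadily remains worth investigating.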

 

 

 

 


#9 captainsiberia


Posted 03 March 2014 - 01:44 AM

> C:\Windows\SysWOW64\mswsock.dll
>
> Go here in drive C:, open the folder Windows, after that SysWOW64, and find this file mswsock.dll
>
> You can manually upload it to VirusTotal.
>
> https://www.virustotal.com/
>
> You have too much software installed on your computer. Incompatible software also may reflect on your system stability, and explorer.exe is one of the indicators when a conflict is there.

 

Also clean.

 

https://www.virustotal.com/en/file/d00c7e0d665e467b712c68a446cc5be14fda743a2301878b3ceb72cdd0a8b8e7/analysis/


> If you have a memory leak you should be able to find it using the Task Manager.  Look at processes and look specifically for a process or service continually growing its use of resources.

 

No no, we're already there. It's explorer.exe. We've already established this.



#10 captainsiberia


Posted 03 March 2014 - 01:58 AM

 

> Please download AdwCleaner and run it.
>
> An image like the one below will open, click on Scan.
>
> adwcleaner11_zps48314883.png
>
> Once the search is complete a list of the pending items will be displayed.  If you see any which you do not want removed, remove the check mark next to it.
>
> Click on Clean to remove the selected items.
>
> You will receive a message telling you that all programs will be closed so that the infections can be removed.  Click on Ok.
>
> When the cleaning process is complete a log of what was removed will be presented.  Please copy and then paste this log in your next post.
>
> Please download Junkware Removal Tool.
>
> Open your browser and go to Downloads, then click on the Junkware Removal Tool to install it.
>
> Click on Run to initiate the installation.
>
> To avoid potential conflicts, temporarily disable your antivirus and firewall.  You will want to be offline when you do this.
>
> Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select Run as Administrator.
>
> The tool will open and start scanning your system.
>
> Please be patient as this can take a while to complete depending on your system's specifications.
>
> On completion, a log (JRT.txt) is saved to your desktop and will automatically open.  Copy this and then post it in your topic.
>
> Double click on the download and choose to run the program.
>
> A screen similar to the one below will open, click any key to run the program.
>
> securitycheck_zpscfb86945.png
>
> When the scan is finished there will be a log, copy and then paste your log in your next post.

 

Don't think it really helps. Adw seems to get a whole lot of false positives. JRT doesn't run: apparently can't find the "file specified." Security Check also "cannot find the file specified."



#11 captainsiberia


Posted 03 March 2014 - 03:25 AM

There is another piece of the puzzle. Apparently, Explorer wants to use bandwidth. Lots of bandwidth. Bandwidth to unknown places. And occasionally I have seen ads flash across the screen very quickly when shutting down, I think. I had some bitcoin-related viruses recently, and I wonder if something might be hiding from me.


Edited by captainsiberia, 03 March 2014 - 03:27 AM.


#12 captainsiberia


Posted 03 March 2014 - 04:06 AM

I may have gotten it. May have. (And I may be speaking too soon.) I researched the problem of Explorer taking up bandwidth, and a number of existing discussions recommended RogueKiller. So I got that and ran it. It advised me that it found ZeroAccess; it was very adamant. So I ran its cleaning routine. For now, I am symptom free.

 

AND NO SOONER DO I POST THIS THAN IT STARTS BACK UP AGAIN!!! HELP!!!


Edited by captainsiberia, 03 March 2014 - 04:08 AM.


#13 hamluis

hamluis

    Moderator


  • Moderator
  • 54,858 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:09:28 AM

Posted 03 March 2014 - 08:24 AM

> It advised me that it found ZeroAccess; it was very adamant. So I ran its cleaning routine. For now, I am symptom free.
>
> AND NO SOONER DO I POST THIS THAN IT STARTS BACK UP AGAIN!!! HELP!!!

 

Please...follow instructions 6-8 of Preparation Guide, Before Using Malware Removal Tools and Requesting Help - http://www.bleepingcomputer.com/forums/topic34773.html and initiate a new topic in the forum containing the Prep Guide. Submit the requested DDS log with a concise account of your last post here and the folks in that forum will attempt to assist you.

 

Once you have done that, this topic will be closed and you should not make any changes to your system...or other posts...except in response to your new topic in the proper forum.

 

Thanks :).

 

Louis



#14 captainsiberia


Posted 03 March 2014 - 01:28 PM

Update: TDSSKiller found a Cidox rootkit and removed it. Could this have been the source of my problems? I'll find out after I reboot.



#15 hamluis


Posted 03 March 2014 - 01:40 PM

Please...do as I previously suggested.  This forum does not attempt to deal with malware issues...in deference to those in the forum I directed you to...who are trained to assist in malware issues.

 

Louis





