I am helping my father with his ultra slow PC running Windows 7 Professional 32-bit. He complained of slow speeds and when I checked it out I found that there were anywhere from 7 to 12 instances of exlplorer.exe running at any given time. In looking through the file structure, I found a user account for someone named wangzhisong. I removed the account and scanned with MALWAREBYTES and it looked like I got it, but then I noticed during the free trial period for the real-time protection that there was almost non-stop activity, as indicated by the popups on the lower right of the screen with the software blocking access to various web sites from around the globe. After a couple of weeks, this activity stopped so we thought maybe we had gotten it.
The PC ran exceptionally well for a couple of weeks then slowed down again and the multiple instances of exlplorer.exe were running again, consuming nearly 100% of the RAM and CPU. With some web searching, I found this site and others with various approaches and followed the processes that seemed to have been working for others. Eventually, I ended up downloading Microsoft Security Essentials and Microsoft Safety Scan.
When running Microsoft Safety Scan’s quick scan option, it found and deleted 2 or 3 viruses/malware items including Rovnix.c and made mention of Rovnik.W which it said it had partially removed, recommending a full scan. I rebooted in safe mode and began the scan. This scan took 30 hours or so with 3.8 million files. I noticed that while it was scanning, it was scanning files I could not find on the hard drive. I thought I had unhidden these files but it was scanning temporary internet files in my dad’s user profile that did not appear to exist. I had cleaned them out.
Another symptom is that the system is nearly at the hard drive capacity of 80GB with about 1GB available. When I look to see what is taking all the space, I find that by looking at the user profile for my dad, the total is 47.5 GB. He has 5.5GB of documents etc. in his “my documents” files but there seems to be nothing else visible that could consume all that space. His Windows directory on the C: drive is 16GB too.
We did buy a new hard drive and cloned the disk when we thought everything was fine but now that I realize all is not well, I realize we most certainly duplicated our problem and have not used the new 500GB disc at all. The power and data cables remain unplugged until we solve this issue.
He bought the PC from a local PC recycler with a good reputation. He brought the virus in himself when he opened a cleverly titled email. He remembers doing it. The hard part is that the licensing for the Windows as well as the MS Office 2010 that is on the system does not permit fresh installs from media so I think we will have to work with the clone once we clean this up. He is on a fixed income so I am trying to learn all I can to eliminate this without any cost to him. He has even considered throwing in the towel and going after a new PC with Windows 7 since they can still be bought from Tiger Direct and he does not want to learn yet another version of Windows at 78 years old. He would still have to buy Office again since the licenses for the software are still tied to the infected PC.
Any suggestions or help would be appreciated.
Edited by hamluis, 29 August 2014 - 11:44 AM.
Moved from Win 7 to Am I Infected - Hamluis.