
Difficult Infection - Explorer.exe using a lot of RAM


  • This topic is locked
8 replies to this topic

#1 homepcsi


Posted 23 January 2015 - 12:05 PM

I have a computer that appeared to be showing signs of infection. I've run all of the usual programs that one would for a typical system clean. I found and removed several infections in the computer but there is one that is proving to be difficult.
 
Avast! Free Antivirus reports every so often that it blocks a malicious web address from executing and the process is from C:\Windows\System32\Explorer.exe
 
Upon checking the Task Manager to view Processes, I can see that there are two instances of explorer.exe and one of them steadily climbs in both Memory and CPU usage until the computer ultimately grinds to a halt. Upon killing the offending explorer.exe, I can continue scanning/using the computer, but within a few minutes, it comes right back. As of this writing, it hasn't happened in a long time now, so I may have fixed the issue already. I'd just feel more comfortable if someone more experienced than I looked at some of my logs.
 
Some background:
 
I have run and removed any infections found (if applicable) with the following programs:
  • CCleaner
  • MalwareBytes
  • HitmanPro
  • Junkware Removal Tool
  • AdwCleaner
  • FRST64
  • RogueKiller
  • ComboFix
  • GMER 
  • TDSSKiller
  • OTL
At this point, the programs I am running aren't finding any infections, but the issues still persist. I will attach a few logs. Hopefully someone can see something in these logs that I can't. Thanks
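
For the symptom described in the post above (two explorer.exe instances, one steadily growing in memory), the following read-only PowerShell script is an added example, not part of the original thread or of any tool named in it. It lists each instance's image path, command line, parent process and start time, and samples the working set twice to show which instance is growing; the 60-second interval is an assumption, and Get-CimInstance needs PowerShell 3.0 or later.

```powershell
# Added triage example (not from the thread). Read-only: it changes nothing on the system.
$IntervalSeconds = 60   # assumption: gap between the two memory samples

function Get-ExplorerInstance {
    # Every running process whose image name is explorer.exe
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'explorer.exe'"
}

# First sample, wait, then a second sample indexed by process ID
$first = @(Get-ExplorerInstance)
Start-Sleep -Seconds $IntervalSeconds
$second = @{}
Get-ExplorerInstance | ForEach-Object { $second[[int]$_.ProcessId] = $_ }

$first | ForEach-Object {
    $proc = $_

    # The parent may already have exited; the lookup then returns nothing.
    $parent = Get-CimInstance -ClassName Win32_Process `
        -Filter "ProcessId = $($proc.ParentProcessId)"
    $parentText = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" }
                  else { "exited ($($proc.ParentProcessId))" }

    # Growth is only known if the same process ID is still running in the second sample.
    $later = $second[[int]$proc.ProcessId]
    $growth = if ($later) {
        [math]::Round(([long]$later.WorkingSetSize - [long]$proc.WorkingSetSize) / 1MB, 1)
    } else { $null }

    [pscustomobject]@{
        ProcessId    = $proc.ProcessId
        Path         = $proc.ExecutablePath   # empty if access to the process is denied
        CommandLine  = $proc.CommandLine
        Parent       = $parentText
        Started      = $proc.CreationDate
        WorkingSetMB = [math]::Round([long]$proc.WorkingSetSize / 1MB, 1)
        GrowthMB     = $growth
    }
} | Format-List
```

Run it from an elevated prompt, otherwise Path and CommandLine can come back empty for processes owned by another account.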


#2 homepcsi


Posted 23 January 2015 - 12:15 PM

And here is a screenshot of what I am referring to. It only climbs higher and higher if I allow it to continue.

 

CrtPuxs.png



#3 iangcarroll


Posted 23 January 2015 - 12:52 PM

According to the rules of this section, we are not allowed to use OTL/DDS logs. I must also strongly urge you not to run any more tools; you are lucky ComboFix and the rest of the tools did not corrupt your system. Do not attempt to write a fix for OTL/DDS, FRST or ComboFix either.

 

From what you have provided it seems like it's a system issue and not malware.


Ian Carroll https://ian.sh • Certly Inc
 
Member of the Bleeping Computer A.I.I. early response team!


#4 homepcsi


Posted 23 January 2015 - 01:17 PM

So where should I go from here?



#5 iangcarroll


Posted 23 January 2015 - 01:26 PM

Did you install the "grep" and "zip" tools? As well as the MBR and PEV executables?




#6 homepcsi


Posted 23 January 2015 - 01:31 PM

I'm not sure I follow, but I don't believe so.



#7 quietman7


Posted 23 January 2015 - 01:57 PM

I edited your first post and removed the OTL log as they are not permitted in this forum.

Further...since you already ran Combofix due to possible malware infection, its log should be thoroughly reviewed by trained experts in order to ascertain what was detected/removed and what malware you're dealing with. A log should have been created and saved to the root directory, usually C:\ComboFix.txt.

Please follow the instructions in the Preparation Guide For Requesting Help starting at Step 6.
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.
When you have done that, post your logs to include your ComboFix log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts.
-- ComboFix logs are also not permitted in this forum. If no log was created by ComboFix or you cannot post its log, then ignore this part and just post the other requested log(s) as follows.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#8 homepcsi


Posted 23 January 2015 - 02:13 PM

Thank you for guiding me in the right direction. Here is the new topic in the proper location: http://www.bleepingcomputer.com/forums/t/564220/possible-malware-slowness-and-explorerexe-hogging-ramcpu/



#9 quietman7


Posted 23 January 2015 - 02:15 PM


Now that your new topic is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the information or any log(s) you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take several days to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers but your topic will be reviewed and answered as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another Malware Response Team member is already assisting you and not open the thread to respond.

I advise checking your new topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, please follow Step One and CLICK the link so it will report your topic to the team members.

To avoid confusion, I am closing this topic.

Good luck.