question

Mukesh_Kumar avatar image
Mukesh_Kumar asked

Performance Issue

Dear Sir, Recently I notice on my Database server which running on windows server 2008 Ent. 64bit. Mrolsmc.exe is running and it consume 95-99% CPU usage when i manually end this process then cpu usage reduce upto 14-20% but after few minuts it is again restarted. and cpu usage reached upto 99%. I can't recognize it what is this. and why its running on my system. I discuss about this Mroslmc.exe with Antivirus support team. they have not its idea. its location in system is C:\Windows\SysWOW64\coep\Mroslmc.exe Please guide me how to fix this issue. Warm Regards Mukesh Kumar
performancecpu
1 comment
10 |1200 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

This site works by you voting. Please indicate all helpful answers by clicking on the thumbs up next to those answers. If any one answer led to a solution, indicate this by clicking on the check mark next to that answer.
1 Like 1 ·
rubba.chikin avatar image
rubba.chikin answered
I've just discovered this at my site on some very unmaintained VMs running on our clusters. It's only recently been thrown at me to look after and some of these look like they haven't been updated since they were originally installed probably 1-2 years ago :/ Full of trojans and assorted other malware. I'm presuming this is how this application got there in the first place. Anyway onto the more interesting news, that application is mining bitcoins, or more precisely bitmonero using cyrptonote. If you look in the folder that the executable resides you'll see the log... here's a small excerpt: > 2014-May-28 17:18:17.063304 bitmonero v0.8.8.1.1(0.1-g3b887de) > 2014-May-28 17:18:17.063304 Module folder: c:\windows\SysWOW64\coep\Mrolsmc.exe > 2014-May-28 17:18:17.092307 Initializing p2p server... > 2014-May-28 17:18:17.119310 Binding on 0.0.0.0:18080 > 2014-May-28 17:18:17.122310 Net service binded on 0.0.0.0:18080 > 2014-May-28 17:18:17.122310 Attempting to add IGD port mapping. > 2014-May-28 17:18:21.131711 No IGD was found. > 2014-May-28 17:18:21.131711 P2p server initialized OK > 2014-May-28 17:18:21.131711 Initializing cryptonote protocol... > 2014-May-28 17:18:21.131711 Cryptonote protocol initialized OK > 2014-May-28 17:18:21.131711 Initializing core rpc server... > 2014-May-28 17:18:21.132711 Binding on 127.0.0.1:18081 > 2014-May-28 17:18:21.132711 Core rpc server initialized OK on port: 18081 > 2014-May-28 17:18:21.132711 Initializing core... > 2014-May-28 17:18:21.133711 Loading blockchain... > 2014-May-28 17:18:29.400538 Blockchain initialized. last block: 55002, > d4.h3.m26.s56 time ago, current difficulty: 150702439 > 2014-May-28 17:18:29.400538 Core initialized OK > 2014-May-28 17:18:29.401538 Starting core rpc server... > 2014-May-28 17:18:29.402538 Run net_service loop( 2 threads)... > 2014-May-28 17:18:29.413539 [SRV_MAIN]Core rpc server started ok > 2014-May-28 17:18:29.414539 [SRV_MAIN]Starting p2p net loop... > 2014-May-28 17:18:29.415539 [SRV_MAIN]Run net_service loop( 10 threads)... > 2014-May-28 17:18:30.415639 [P2P8] If you use a process explorer or similar you'll find that Mrolsmc.exe is spawned by RtChest.exe. Killing Mrolsmc.exe only causes it to respawn again a few seconds later. If you kill RtChest.exe it'll nuke it all and will stop it running. You should remove the entire folder /coep/. You'll also need to address the trojan or infection which the external party used to install the miner on your system, otherwise you'll find it just comes back again and again as your system is still open and vulnerable to the outside world or the original infection still exists somewhere on your system. This appears to be a new attack too as this post was the only thing I could find via Google. Seeing this was the only one I figured I may as well post up and help you out if you haven't figured out what's going on already.
10 |1200 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

DenisT avatar image
DenisT answered
Well, if you don't know what it is, Google doesn't show it as a legit Windows EXE file, and your antivirus people don't know what it is... Remove it from the startup and reboot the server! If you are familiar with Sysinternals tools -- [Process Explorer][1] and [Autoruns][2] will help you to get rid of this. I'd be very concerned if something was consuming almost all of my server's CPU. Plus the behavior is very specious! BTW, if you're not familiar with Sysinternals tools, highly recommend you to do so! Read a couple of Mark's blogs on how to use them -- [Mark's Blog Index][3] [1]: http://technet.microsoft.com/en-us/sysinternals/bb896653 [2]: http://technet.microsoft.com/en-us/sysinternals/bb963902 [3]: http://technet.microsoft.com/en-us/sysinternals/bb963890.aspx
1 comment
10 |1200 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

+1 I did a search on that executable and it didn't return anything at all. I'd be extremely concerned about that running on one of my servers.
1 Like 1 ·
Fatherjack avatar image
Fatherjack answered
totally support the answer and comment above. I would also add the following points: searching for just the directory UNC (C:\Windows\SysWOW64\coep\) bring up lots of results of people searching for help with virus issues. You need to do several things. Not necessarily in this order but all of them* and very soon - alert your network admin that you think there is a chance you have a virus on your server. they should have a process to follow to scan the network, review their logs etc - Locate all your existing backups and keep then safe, then backup all your databases - virus scan your server - remove the offending executable - either via your virus solution or via manual steps - run consistency checks on all the databases on that server - preserve all the existing system logfiles and search them for possible entries that suggest how this exe might have arrived on your server or what it might have been doing \* there are probably more things but I want to hit send on this so you can start
10 |1200 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

mksonline avatar image
mksonline answered
Hi , First of all you should check which process is consuming the Processor at top .Once you identify the process you can work on that . The Process could be some Service,antivirus,msexchange or SQL Server . Thanks Mahesh kumar
3 comments
10 |1200 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

excuse the question based on the assumption that your name is the same as the person that asked the question but why have you answered your own question from a different account? If you have lost your login details we can reset it so you can use the login again.
0 Likes 0 ·
@FatherJack. yes. it could be confounding. but, the names are of different persons :-) Mahesh Kumar and Mukesh Kumar. These are common Indian names :)
0 Likes 0 ·
Ah! Thank you for the clarification and thank you for joining our forum and contributing answers.
0 Likes 0 ·

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.