[SOLVED] Explorer.exe high idle CPU usage

Status
Not open for further replies.

slaphawk99

Reputable
May 26, 2018
13
0
4,520
Hello everyone, I have been dealing with this problem for months now, and I really hope you guys can help me out!

Problem
The process "explorer.exe" is using extremely high CPU resources on select threads continuously. Upon starting the computer, I have monitored abnormally high temperature readings from my CPU along with the aforementioned high (100%) usage of threads on the CPU during idle operation. However, very weirdly when task manager is opened CPU usage and temperatures go to normal and stay normal until task manager is closed again. As though the process were avoiding the task managers use. Upon further investigation, and the use of the program Process Lasso to monitor running processes to avoid the use of task manager, it can be seen that the sneaky process using CPU resources is "explorer.exe" ran by the SYSTEM. Using Process Lasso, I am able to navigate to the location of the program explorer.exe and it appears to be the same process located in the C:/Windows directory. However, after using Process Lasso to close the process the CPU usage returns to the normal idle operating load, and the problem does not reoccur until the PC is restarted.
This problem arose out of nowhere, no known software has been downloaded recently, I use this PC mostly for CAD work and Gaming, and do not visit any sketchy sites.

Solution Attempts
After discovering this problem I had immediately thought it was a virus or trojan using my systems resources, so I had performed multiple virus and malware scans:
-Bitdefender is my antivirus software of choice, I have performed 'Quick', 'System' and 'Vulnerability' scans of the entire C: drive, some taking overnight to complete. All of which came up clean
-Malwarebytes Premium was also used to perform Quick and Full scans of my C: drive, both coming up clean as well.
-Malwarebytes Rootkit scanner and remover of the C: drive, also coming up blank (thankfully).
-Malwarebytes Adware remover also showing no signs of viruses.

After these processes I had also assumed that perhaps Windows was corrupt so I ran the following Windows tests:
-DISM full system check/restore health processes.
-SFC system integrity check.
-Disk Cleanup and Disk Error checker.
-Windows Memory Diagnostics check.
All of these had found no problems, and after restarting in between tests, the problem had still preceded.

Disabling of overclocks and cleaning of the PC:
-XMP profiles were disabled.
-CPU overclocks were disabled.
-GPU overclocks with MSI afterburner were disabled.
-PC was fully cleaned and dusted to ensure it was working properly, thermal paste was reapplied and cooler was checked for working condition.

I was told that it could be a problem with windows indexing so I did the following as well:
-Rebuilt index cache multiple times.
-Completely disabled indexing, unchecking my hard drive and anything else under indexing.

Finally, explorer autoruns using the windows autoruns utility:
-Prevented all processes from using explorer.exe.

PC specifications and Windows information
-CPU: AMD Ryzen 2600
-GPU: PNY GTX 1080
-PSU: 500W EVGA silver
-RAM: 32Gb T-Force 3000mhz
-M.2 SSD: Intel 660P series M.2 2280 2TB

-Windows 11 Pro
-Version: 21H2
-OS build: 22000.739

Any and all help is appreciated thank you! :)
Attached are the readings from HWmonitor and Process Lasso
 

Feren142

Reputable
Jul 14, 2019
99
14
4,565
Does the problem persist even if booted in safe mode? Do you have the option of backing up an image then restoring to windows 10 or just a fresh install to rule out some weird w11 issue with your rig?
 

slaphawk99

Reputable
May 26, 2018
13
0
4,520
@Feren142 Just booted into safe mode and that does seem to fix the problem! Weird.. I would like to avoid doing a fresh install of Windows if possible, as I have a lot of files and it would take a long time to re-set everything up.
@Colif I will try doing a repair install of Windows 11 and keep you updated if it fixes my problem!

Thank you both for your help so far!
 

Colif

Win 11 Master
Moderator
The process "explorer.exe" is using extremely high CPU resources on select threads continuously. Upon starting the computer, I have monitored abnormally high temperature readings from my CPU along with the aforementioned high (100%) usage of threads on the CPU during idle operation. However, very weirdly when task manager is opened CPU usage and temperatures go to normal and stay normal until task manager is closed again. As though the process were avoiding the task managers use.
i have seen something like that a few times this year now, processes that vanish when you open file explorer.
Wonder if any unusual temp files showing up?

Most antivirus programs fail to see it running too.
could try this for a 3rd opinion - https://www.hitmanpro.com/en-us
 

slaphawk99

Reputable
May 26, 2018
13
0
4,520
i have seen something like that a few times this year now, processes that vanish when you open file explorer.
Wonder if any unusual temp files showing up?

Most antivirus programs fail to see it running too.
could try this for a 3rd opinion - https://www.hitmanpro.com/en-us
I had ran a hitmanpro scan and it was able to find one suspicious file, however deleting it did nothing, it always shows back up upon restart. Weirdly enough Bitdefender also classified this symptom as a Coin miner but cannot do anything to remedy it, any suggestions? Here are the scan results.
 

slaphawk99

Reputable
May 26, 2018
13
0
4,520
See if anything unusual shows using this, since that program appears again at startup
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
run as admin - it shows everything that loads with windows.
You can stop things running from here.
you can run virustotal from within it.

strange bitdefender identifies it but doesn't auto kill it.
Can't see anything out of the ordinary at all in autoruns, under logon, explorer or even everything. It all seems normal and nothing sticks out with the virus checker
 

Colif

Win 11 Master
Moderator
what options does bitdefender show in the drop down next to file?

if its found one part of a coinminer, the rest is likely there too.

VZQC4pB.png


This result is for Generic.Application.CoinMiner.1 but remainder of the code is different to yours
https://www.virustotal.com/gui/file...051fd68052c7343e6aab440ebab65fff614/detection

It seems WR64.sys is part of Spider miner - https://reasonlabs.com/research/dont-get-stuck
if you follow the link above, backup registry first - https://neosmart.net/wiki/backup-restore-registry/
 

slaphawk99

Reputable
May 26, 2018
13
0
4,520
what options does bitdefender show in the drop down next to file?

if its found one part of a coinminer, the rest is likely there too.

VZQC4pB.png


This result is for Generic.Application.CoinMiner.1 but remainder of the code is different to yours
https://www.virustotal.com/gui/file...051fd68052c7343e6aab440ebab65fff614/detection

It seems WR64.sys is part of Spider miner - https://reasonlabs.com/research/dont-get-stuck
if you follow the link above, backup registry first - https://neosmart.net/wiki/backup-restore-registry/
Bitdefender gives the options of deleting and quarantine for the file but neither of them work.. Bitdefender doesn't give any extra information on the process either unfortunately... Also, when I terminate the rogue 'explorer.exe' process in process lasso, Bitdefender no longer finds it as a threat.

Also, after following the steps for Spider miner, I find no other symptoms similar to spider miner. There is no trace of "Services" in my registry and no trace of services in task manager or task scheduler. Here is what I see in mine.
 

slaphawk99

Reputable
May 26, 2018
13
0
4,520
is it still happening?

might need to clean install windows 11 to be sure its gone.

always possible its a new variant that is hidden better.
It is still occurring, taking up 30% of my CPU power just after startup. Seems to only hit certain cores as well. But I suppose now my only option will be to do a clean install of Windows 11 now.. Thanks for all your help @Colif !
 

slaphawk99

Reputable
May 26, 2018
13
0
4,520
Just as I post this I was finally able to solve the problem... Ultimately it was a piece of adware that I reinstalled (stupidly, by backing up my appdata folder). It was solved using Malwarebytes adware removal tool. Here is the logfile that finally found the culprate reg keys:

Code:
# -------------------------------
# Malwarebytes AdwCleaner 8.3.2.0
# -------------------------------
# Build:    03-23-2022
# Database: 2022-06-24.1 (Cloud)
# Support:  [url=https://www.malwarebytes.com/support]https://www.malwarebytes.com/support[/url]
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    08-09-2022
# Duration: 00:00:07
# OS:       Windows 10 Pro
# Scanned:  32059
# Detected: 5


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

PUP.Adware.Heuristic            C:\Windows\System32\Tasks\systemreset

***** [ Registry ] *****

PUP.Adware.Heuristic            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{B365DD2E-90C0-4D1A-93C6-63A0D920D6E4}
PUP.Adware.Heuristic            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B365DD2E-90C0-4D1A-93C6-63A0D920D6E4}
PUP.Adware.Heuristic            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\systemreset

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

PUP.Optional.Legacy             AVG Secure Search

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

No Preinstalled Software found.



########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########
 
Status
Not open for further replies.