Explorer.exe High CPU Usage, probably not malware, can't find the problem

keneedy

Hi!

Recently I realized that explorer.exe was using too much CPU, floating between 30% and even 70% of the CPU's overall usage, even if nothing but Explorer is open. Even if I close the Explorer windows themselves, explorer.exe runs at high percentages in the background, even though I do absolutely nothing.

(Sorry, I'm Brazilian so my Windows is in Portuguese - also, sorry, English isn't my first language, feel free to correct me.)

So I scanned my PC with MalwareBytes, SuperAntiSpyware and even Avast Free. No malware was found.
Then I ran a system check inside SuperAntiSpyware and looked for potentially harmful programs, registry, rootkits, whatever. Also, I checked the system's integrity with sfc /scannow, all was right.
Finally, I thought that it may be due to junk files, temp and so on, so I cleaned up with CCleaner, and although it deleted like 8 GB, nothing changed in Explorer's performance. All was right, except Explorer's performance.

So I downloaded Microsoft's Process Explorer to explore what the heck was using it, and found that the highest CPU-consuming thread, like 99% of the high CPU usage we see in Explorer's CPU usage, is this Audioses.DLL+0x1141b0.


I scanned audioses.dll in VirusTotal, nothing was found. Also scanned my explorer.exe in VirusTotal and still nothing.

When I double-click audioses.dll, this list of threads appears:

AUDIOSES.DLL+0x2a0cd
AUDIOSES.DLL+0x2a507
AUDIOSES.DLL+0xad1b
AUDIOSES.DLL+0xa766b
AUDIOSES.DLL+0x114538
AUDIOSES.DLL+0x114241
KERNEL32.DLL!BaseThreadInitThunk+0x14
ntdll.dll!RtlUserThreadStart+0x21

Don't know when this started, but it's been a while already, like several months now.

I updated my sound driver, nothing changed.

I went to look at which program was using audioses.dll and found something rather odd. It was listed two times in Process Explorer...

In Resource Monitor I found this AudioSes.dll.mui associated with chrome.exe PID 8672.

So I went to look at what else was associated with this chrome.exe PID 8672, and about a hundred DLLs are associated with it. Is this normal?

So... can anyone please help?
I've already posted on two other forums, and they couldn't help me. One user referred me to this forum and said I should ask for help here.

Don't know if it is allowed here, but I can link the original thread here so you can get a better look.
 
Make sure you disable the setting for Chrome to run extensions/apps in the background when Chrome is closed. It's under the Advanced options in Chrome's settings.
 
Oh that makes sense.

How should I check for coin miners?
I already tried a full scan with MalwareBytes and SuperAntiSpyware... Well, I'll try both again in safe mode.

Do you think 'scan at reboot' from Avast would be helpful?
 
Might want to check for a coin miner in the Chrome browser. Use an ad blocker to prevent this in the future too.
https://researchcenter.paloaltonetworks.com/2017/10/unit42-unauthorized-coin-mining-browser/
A simple ad-blocker wouldn't work; it would have to block scripts as well.

Install one of the blocker extensions to Chrome. AntiMiner or MinerBlock.

That said, the mining that happens on websites should only happen when those specific websites are actually open and have the JavaScript loaded to do so.
 
I went to perform a clean boot, but noticed that this internet banking 'protection' service refused to stay disabled, so I decided to uninstall it. GBPlugin, a very annoying 'plugin' that looks more like a rootkit. Had to boot Ubuntu from CD and manually delete it, then clean up the registry...
Then I thought it would be interesting to run a scan from the Bitdefender boot CD, just in case.

Surprisingly, it turns out there were 5 pieces of malware going unnoticed by MalwareBytes and SuperAntiSpyware, and one of them was audioses.dll.

audioses.dll was infected with Gen:Application.Heur2.WdW@baaaaaaab
Then there were 4 others:
a couple of old emails with Gen:Trojan.Downloader.imGfaWU4Xef and Gen:Trojan.Heur.DP.bmGfaq!l@U (files: 'elvispresley0027674.avi outlook.zip' and 'dsc11072013.avi.zip')
Avast's 'gvma64.dat' with Gen:Trojan.Heur.Tp.bmW@bCZc7ih
qbittorrent.exe with Gen:Variant.Jaik.14304

So I deleted them, and the problem is gone. Explorer's CPU levels are just regular now.

In any case, I installed anti-mining and adblock extensions for Chrome, and I'll run the junkware removal and anti-rootkit tools from MalwareBytes just to make sure.

But I think that's it! System looks fine, initialization was a bit faster also.


Thank you all very much for helping me.
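
An added example, not written by anyone in this thread: a PowerShell check for the question raised earlier of which processes have audioses.dll loaded, which on-disk copy each one loaded, and whether that copy carries a valid signature. Treating System32 and SysWOW64 as the expected locations is an assumption about a standard Windows install.

```powershell
# Added example: where is each loaded copy of a DLL, and is it validly signed?
# Run from an elevated prompt; processes that cannot be inspected are skipped.
$moduleName  = 'audioses.dll'                         # DLL named in the thread
$expectedDirs = @(                                    # assumption: standard install
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

# Collect one record per (process, loaded copy of the module).
$hits = foreach ($proc in Get-Process) {
    try { $mods = $proc.Modules } catch { continue }  # access denied, exited, etc.
    foreach ($m in $mods) {
        if ($m.ModuleName -ieq $moduleName) {
            [pscustomobject]@{
                Process = $proc.ProcessName
                Id      = $proc.Id
                Path    = $m.FileName
            }
        }
    }
}

# Report once per distinct file on disk, with the processes that loaded it.
$hits | Group-Object Path | ForEach-Object {
    $path = $_.Name
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Path            = $path
        InExpectedDir   = (Split-Path $path -Parent) -in $expectedDirs
        SignatureStatus = $sig.Status                  # 'Valid' is the expected result
        Signer          = $sig.SignerCertificate.Subject
        SHA256          = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        LoadedBy        = ($_.Group | ForEach-Object { "$($_.Process)($($_.Id))" }) -join ', '
    }
} | Format-List
```

A copy outside the expected directories, or a status other than `Valid`, is the cue to scan that file from an offline boot disc as was done in the thread.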
 
I suggest uBlock Origin. Uses same list sets (and more) that Adblock Plus does, but also doesn't automatically white-list certain ads (like ABP does).
 