Solved Explorer.exe 20% cpu usage when idle

[Hollander25]

Hey guys,

My sister recently noticed a drop in performance from her laptop.
She asked me for help and I tried to fix it but it seems I lack knowledge about the problem.
So here I am asking for help from anyone who might know how to fix this.

When on her laptop I did the following things:
I closed all programs in the taskbar and went to the processes tab.
There I found out about explorer.exe using 20 percent of the cpu.
I searched the internet for a fix for the problem.
I have scanned her computer with Microsoft Security Essentials and also tried CMD sfc scannow.

I ended up using Process Explorer. With that program I managed to kill the explorer.exe thread that uses the 20 percent of the cpu. So while that fixed the problem, every time she restarts the laptop the problem comes back.

So I hope someone can tell me how to permanently fix this without completely reinstalling Windows.


Thanks.

 

[VistaKing]

Hollande25

Run DDS to see what you have running

Click here DDS

:ar: Click on Download Now button

:ar: When the download is complete . Drag the DDS program from the Downloads folder to your Desktop

:ar: Right-click the DDS icon on the Desktop choose Run as administrator to run the tool.

:ar: Place a check next to attact.txt and click Start . When done, DDS will open two logs
DDS.txt
Attach.txt

:ar: Save two logs onto your desktop and upload them with your reply

:note: Don't zip the Attach.txt file even though it says to :note:

 

[Hollander25]

Thank you for your quick reply,

I have used DDS and got the following 2 files attached with this message.
I'm not sure about the run as administrator part though. I could not find the option to do so.

I really hope you can help me out with this.

Thanks again

-Hollander25

 

[VistaKing]

Hollander25

Remove Ilivid from the browsers

:ar:

• In the url field type in “about:config” (without the quotes)
• Type “Keyword.url” in the search box.
• Right click it & reset it.
• Type in “browser.search.defaultengine” in the search box.
• Right click it & reset it.

:ar:

• Click wench icon on the browser toolbar
• Select 'Settings'
• Select 'Basics' -> 'Manage Search engines'
• Remove ILivid from list

:ar:

• Open Internet Explorer, click on the gear icon at the top (far right), then click again on Internet Options.
• In the Internet Options dialog box, click on the Advanced tab, then click on the Reset button.
• In the Reset Internet Explorer settings section, check the Delete personal settings box, then click on Reset

Then run AdwCleaner

Click here AdwCleaner

:ar: Click on Download Now button

:ar: Save to the Desktop

:ar: Right-click on AdwCleaner.exe and choose Run as administrator

:ar: Click the Search button

:ar: Upload the AdwCleaner[Sn].txt in your reply.

   Note

The log file is at C:\AdwCleaner[Sn].txt

 

[Hollander25]

I followed your steps and also removed Ilivid from the program list.
I've attached the adwcleaner file.

I really appreciate what you are doing for me.

I look forward to hearing from you.

 

[VistaKing]

Run the Delete

:ar: Close all open programs.

:ar: To run the program, right-click AdwCleaner.exe and select Run as administrator

:ar: Click on Delete and confirm the prompt.

:ar: After it finishes, the computer is restarted.

Upload the log saved at C:\AdwCleaner[S1].txt

 

[Hollander25]

I did as you told again. It seems to have removed some trash, so that's good. Attached the log again.
However the 20 percent are still there

I just noticed the logs are in Dutch so sorry for that I hope it doesn't bother you too much.

So what can I do next?

 

[VistaKing]

When you scanned the PC with MSE did it find anything ?

 

[Hollander25]

I remember finding something. I think it was a Java exploit. I did remove it.
I will scan again this night, just in case.

Thanks for helping me so far. My sister will leave tomorrow so I will not be able to look at the laptop with the problem till Friday/Saturday. So I can't really do much till than but I will definitely look again next weekend so any suggestions are welcome.

-Hollander25

 

[Hollander25]

Scan found nothing, still looking for a way to get rid of the 20% explorer.exe :huh:

 

[VistaKing]

Run these programs


Download

HitManPro on a clean PC

32-Bit Version OS :ar:
Download



64-Bit Version OS :ar:
Download



:ar: Save to a USB Flash Drive then plug the USB Flash Drive to the issue PC and drag the file from the USB Flash Drive to the Desktop

:ar: Right click on HitmanPro.exe and choose Run as administrator

:ar: When HitmanPro opens up click on the Next button

:ar: Click on No, I only want to perform a one-time scan to check this computer on the Setup page . Click Next once done .

:ar: Let it scan the PC once its done Click Next

:ar: Click Activate free license to start the free 30 days trial and remove all the malicious files from your computer then click Next

RogueKiller for 32bit or RogueKiller for 64bit

:ar: Click on one of the links above that goes with your Windows 7 bit versions

:ar: Save to the Desktop.

:ar: Close all windows and browsers

:ar: Right click on

and choose Run as Administrator

:ar: Press: SCAN

:ar: provide the RKreport.txt (Mode: Scan) in your reply.

 

[Hollander25]

So my sister and her laptop are back.

I downloaded the programs from the links you provided (btw it seems the HitmanPro links got mixed up)
and I did Run them as Administrator.

HitmanPro found a trojan: Sinowal.cp
I removed it.

RogueKiller found msseedir.dll which I found very interesting since it shows it has something to do with explorer.exe

Thanks again for helping me out, I attached the report.

 

[VistaKing]

Run RogueKiller again and press scan and then press Delete .

Once done . Grab FRST 64 below and follow the instructions

   Warning

You will need a USB FLASH DRIVE

   Tip

Download the Tool from a non infected PC

Download Farbar Recovery Scan Tool

Choose one that goes with your OS bit version . Save the file to a USB Flash drive

32-bit Version OS :ar: Farbar Recovery Scan Tool

64-Bit Version OS :ar: Farbar Recovery Scan Tool x64

   Note

Click the rb: button and right-click Computer .Select Properties . Look for System Type: which will say 32-bit Operating System or 64-bit Operating System

Plug the flash drive into the infected PC.

Enter System Recovery Options.

:ar: To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select Repair Your Computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.

:ar: To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

:ar: On the System Recovery Options menu you will get the following options:

• Startup Repair

• System Restore

• Windows Complete PC Restore

• Windows Memory Diagnostic Tool

• Command Prompt

Select Command Prompt

In the command window type X:\FRST.exe (for x64 bit version type X:\FRST64.exe) and press Enter

   Note

Replace letter X with the drive letter of your flash drive.

   Tip

Type the commands below to see what your letter is for the USB drive and press ENTER after each command

Diskpart
List volume

The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
FRST will let you know when the scan is complete and has written the FRST.txt to file
Please copy and paste both logs in your reply.(FRST.txt and Addition.txt)

 

[Hollander25]

I deleted with RogueKiller and used FRST64 from my USB.
Only got the FRST.txt from it though. So I tried with the optional scans, but still only got FRST.TXT not additional.txt

I attached the FRST.TXT

 

[VistaKing]

Copy the highlighted text below . Open notepad . Click on Edit and choose Paste . Save the file as Fixlist.txt and save it to your desktop .
start
C:\ProgramData\FullRemove.exe
C:\Windows\Tasks\SA.DAT
S3 tmlwf;
S3 tmwfp;
end
Download a new copy of Farbar Recovery Scan Tool x64
and save it to your desktop
Right-click on FRST64.exe choose

When the tool opens click Yes on disclaimer.
Press the FIX button .
Once done it will create a FIXLOG.txt file on your desktop . Upload the log with your reply .

Restart PC

When you get back into Windows . Run ESET Online Scanner

On

Hold down Control and click on ESET Online Scanner to open ESET OnlineScan in a new window
Click the

button
Check YES, I accept the Terms of Use.
Click the Start button.
Accept any security warnings from your browser.
Under scan settings, check "Scan Archives" and "Remove found threats"
Click Advanced settings and select the following:
° Scan potentially unwanted applications
° Scan for potentially unsafe applications
° Enable Anti-Stealth technology
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, click List Threats
Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Click the Back button.
Click the Finish button.
On

or

Click on http://download.eset.com/special/eos/esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
Right click on

choose

on your desktop
Check YES, I accept the Terms of Use.
Click the Start button.
Accept any security warnings from your browser.
Under scan settings, check "Scan Archives" and "Remove found threats"
Click Advanced settings and select the following:
° Scan potentially unwanted applications
° Scan for potentially unsafe applications
° Enable Anti-Stealth technology
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, click List Threats
Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Click the Back button.
Click the Finish button.

 

[Hollander25]

That took some time, but it did find some more it seems.
Attached the files again.

 

[VistaKing]

How's the PC running ?

 

[Hollander25]

Oh wow, after you asked that. I restarted the laptop and went to check the CPU usage.
It's now like 0% when idle!

Thanks so much for all your help.

If there's anything I can do to return the favor, please do tell.

 

[VistaKing]

No just a thank you would be great

 

[Hollander25]

Me and my sister thank you