-
September 22nd, 2004, 12:15 PM
#1
Explorer.exe 100% CPU usage
I have a Celeron 2.5Ghz 512mb RAM e-machine on my network.
It runs on Windows XP Professional and is part of the domain.
The system freezes up sporadically.
The CPU usage shoots up to 100% and the system hangs, with EXPLORER.EXE showing the highest mem usage.
If system is restarted, then everything is normal again for a while; but it occurs again.
I have done a Symantec virus check and a spyware check with nothing getting detected.
I browsed through some forums and found that some bad avi files could cause that problem. But the system does not have any avi files except the regular files inside the Microsoft Works folder.
Is there any other workaround/patch/solution available?
Thanks,
Saravan
-
September 22nd, 2004, 01:59 PM
#2
Hi Saravan and welcome to VirtualDr
Work your way through this list
Spybot Search and Destroy
http://www.safer-networking.org/inde...&page=download
Get it to remove all the RED entries
Ad-aware
http://www.lavasoft.de/support/download/
Update both of the above before running them
Hijack This
http://mjc1.com/mirror/hjt/
Make a special folder to download it to. Set it to "Scan" and then to create its "Log". This will be long, but copy all of it into Notepad and post it to be checked.
Elaine
-
September 22nd, 2004, 02:08 PM
#3
thanks...
Thanks Dunedin..
I will work on this and get back to you with the message.
Saravan
-
September 22nd, 2004, 06:01 PM
#4
hijackthis log file
Hi..
I have run spybot and lavasoft and removed all that were detected.
I am attaching the hijackthis log file.
Thanks,
Saravan
Logfile of HijackThis v1.98.2
Scan saved at 1:55:07 PM, on 9/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\System Diagnostics\HijackThis19802.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...83/mcinsctl
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = b-alert.net
O17 - HKLM\Software\..\Telephony: DomainName = b-alert.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = b-alert.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = b-alert.net
-
September 22nd, 2004, 07:16 PM
#5
Pretty clean as far as I can see
1. Run HijackThis again and get it to remove the following
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
2. There are a few things running at startup which don't need to.
Go here to check them out. It will tell you which entries in msconfig can be disabled.
Start/Run/ msconfig then go to link below.
http://www.sysinfo.org/startupinfo.html
Read the Key at foot of page, then click on “Here” at top. Use the Search box to check all your entries
3. There will also be unneeded Services running which you can turn off.
Scroll down to Windows Services on the left hand side and follow instructions carefully.
Black Viper
http://www.blackviper.com/index.html
Is it fixed yet?
Elaine
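
The two manual checks in the reply above (find the entry marked "(no file)", then list the startup items to look up), as an added Python example that is not part of the thread or of HijackThis. The function names are made up for illustration, and the sample log is a shortened copy of lines from the log posted in #4.

```python
import re
from ntpath import basename  # Windows path rules on any OS

# Constructed sample: a shortened copy of lines from the log posted in #4.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = b-alert.net
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")                        # "O3 - ..."
CLSID = re.compile(r"^[^:]+: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")  # name, CLSID, file
RUN = re.compile(r"^(\S+): \[([^\]]+)\] (.+)$")                        # key, value name, command

def parse(log):
    """Return (running process paths, [(code, body), ...]) from a HijackThis log."""
    lines = [l.strip() for l in log.splitlines()]
    entries = [m.groups() for m in map(ENTRY.match, lines) if m]
    # Assumption: only process lines start with a drive-letter path.
    processes = [l for l in lines if re.match(r"[A-Za-z]:\\", l)]
    return processes, entries

def orphaned_entries(log):
    """CLSID-registered items (BHO, toolbar, ...) whose file is reported as '(no file)'."""
    hits = ((code, CLSID.match(body)) for code, body in parse(log)[1])
    return [(code, m.group(2)) for code, m in hits if m and m.group(3) == "(no file)"]

def exe_name(cmd):
    """Lower-cased executable file name from a Run command line, quoted or not."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)\b', cmd, re.I)
    return basename((m.group(1) or m.group(2)) if m else cmd.split()[0]).lower()

def startup_items(log):
    """O4 Run values as (name, executable, running_now) for a manual lookup."""
    processes, entries = parse(log)
    running = {basename(p).lower() for p in processes}
    runs = (RUN.match(body) for code, body in entries if code == "O4")
    return [(m.group(2), exe_name(m.group(3)), exe_name(m.group(3)) in running)
            for m in runs if m]
```
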
-
September 23rd, 2004, 10:53 AM
#6
I have a similar problem here at work with Win2K workstations.
My symptoms:
1. Web response gets VERY sluggish.
2. IE uses 99% of CPU resources.
3. When I checked Tools-->Options-->Settings, the current location for temporary internet files was blank, and the amount of disk space to use for disk cache was zero.
4. Couldn't reset the amount of disk space without getting "Please select a value between 1 and 0 for how much disk space temporary internet files may use."
5. Couldn't change the location without getting, "There won't be enough space in the new location for the currently downloaded content. Please either delete these files first and try again, reduce the size of the folder, or pick another location." Plenty of space on the disk.
The only way I could rectify it was to delete the user's local profile and let it recreate itself the next time the user logged in.
No idea what could be causing it in XP, but figured I'd throw this out there.
Cj
-
September 23rd, 2004, 01:43 PM
#7
I think you should run all the spyware removal programs in the previous post.
Maybe your cache is overflowing.
This is the way to empty it in XP
1. Open an Explorer folder window (for example, double-click My Computer). From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
2. Start Internet Explorer and click Tools / Internet Options / General tab / Settings / View Files.
3. IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
4. You should see a series of four folders with random eight-character names like ADOZMZS1. Go into each folder and delete all the files they contain. Do not delete the folders.
Elaine