
Problem persists (Explorer.exe hogs CPU - HJT Log)

Discussion in 'Malware and Virus Removal Archive' started by richy_kiss_kiss, 2005/02/22.

Thread Status:
Not open for further replies.
  1. 2005/02/22
    richy_kiss_kiss

    richy_kiss_kiss Inactive Thread Starter

    Joined:
    2003/03/02
    Messages:
    37
    Likes Received:
    0
    Problem persists (Explorer.exe hogs CPU)

    Hi

    I've got a problem that nobody can solve it seems. It's been posted on this forum and others but without success.

    My explorer.exe program hogs the CPU at 99% and slows my machine down so that all I can do is manually delete the program from the task manager and then re-run it again. Explorer starts hogging the CPU after a windows explorer screen is displayed.

    These are the things I've tried:

    norton antivirus (up-to-date)
    norton firewall (up-to-date)
    windows xp pro sp1 (up-to-date)!!
    online virus scan
    mcafee stinger
    sasser removal tools etc...
    ie fix and sfc

    it can't be a worm, trojan or virus after the above found nothing, can it?

    any ideas?

    my last resort is a re-install, but I like my weekends.
     
  2. 2005/02/22
    surferdude2

    surferdude2 Inactive

    Joined:
    2004/07/04
    Messages:
    4,009
    Likes Received:
    23
    Are you certain that you are running the genuine explorer.exe file?

    Consider this or some variation of this:

    Post back what you find based on that. Also search for explorer.exe and see how many and what size versions show up. It might yield a clue.
     

  4. 2005/02/22
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Please observe Posting Rules #3 - Meaningful Subject - otherwise your problem is likely to persist even longer :)

    I have edited your thread title.

    Reading your post again, it seems you have not run HijackThis - I suggest you do so, from a folder on your hard drive, not the Desktop, and post the log here. If you have already been down this road feel free to ignore this suggestion :)
     
  5. 2005/02/26
    richy_kiss_kiss

    richy_kiss_kiss Inactive Thread Starter

    Joined:
    2003/03/02
    Messages:
    37
    Likes Received:
    0
    search results for explorer.exe are as follows:

    explorer.exe - c:\windows
    explorer.exe - c:\windows\$NtUninstallKB820291$
    explorer.exe - c:\windows\Driver Cache\i386
    explorer.exe - c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989


    result of HijackThis:

    Logfile of HijackThis v1.99.0
    Scan saved at 10:11:06, on 26/02/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\iRiver\iHP100\iHPDetect.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\iHP100\iHPDetect.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093551226671
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0E6DDE4D-61F4-4C6C-9155-F06705F66C51}: NameServer = 195.92.195.95 195.92.195.94
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0E6DDE4D-61F4-4C6C-9155-F06705F66C51}: NameServer = 195.92.195.95 195.92.195.94
    O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
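
The question raised earlier in the thread (is the running explorer.exe the genuine one?) can be checked directly against a HijackThis log like the one above. The following is an added example, not part of the original thread: it flags well-known system binary names running outside their expected folder and lists O4 autoruns given without a folder. It assumes Windows is installed in C:\WINDOWS; the function names are hypothetical, and the sample log is constructed from a few lines of the log above plus one constructed misplaced entry.

```python
import ntpath
import re

# Expected folders for system binary names that malware often imitates.
# Assumption: Windows is installed in C:\WINDOWS, as in the log above.
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIRS = {n: SYSTEM32 for n in ("smss.exe", "winlogon.exe", "services.exe",
                                        "lsass.exe", "svchost.exe", "spoolsv.exe")}
EXPECTED_DIRS["explorer.exe"] = r"c:\windows"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Constructed sample: lines taken from the log above, plus one constructed
# entry (System32\explorer.exe) to show what a misplaced copy looks like.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

def parse_hjt(text):
    """Return (running process paths, O4 registry autorun entries)."""
    processes, autoruns, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif in_procs:
            in_procs = not processes  # first blank line after the list ends it
        elif (m := O4_RE.match(line)):
            autoruns.append(m.groupdict())
    return processes, autoruns

def misplaced_system_binaries(processes):
    """Paths whose file name is a known system binary in the wrong folder."""
    hits = []
    for folder, name in map(ntpath.split, processes):
        expected = EXPECTED_DIRS.get(name.lower())
        if expected and folder.lower() != expected:
            hits.append(ntpath.join(folder, name))
    return hits

def bare_name_autoruns(autoruns):
    """Names of autoruns whose executable has no folder (found via search path)."""
    def exe(cmd):
        return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return [a["name"] for a in autoruns if "\\" not in exe(a["cmd"])]

if __name__ == "__main__":
    procs, runs = parse_hjt(SAMPLE_LOG)
    print(misplaced_system_binaries(procs), bare_name_autoruns(runs))
```

A bare-name autorun is not a finding by itself; it means the executable is located through the search path, so the file that actually resolves is worth confirming.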
     
  6. 2005/02/26
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    I have moved your thread to Removing Spyware and Viruses forum - std BBS practice when an HJT log is posted.
     
  7. 2005/02/26
    Not_a_quitter

    Not_a_quitter Inactive

    Joined:
    2005/02/07
    Messages:
    56
    Likes Received:
    0
    That log looks rather clean to me.
    What if u stop the CTHELPER.EXE process?
    Does this happen only when u open a directory containing avi files?
    If the window u open is a shortcut, check if the shortcut address is correct.

    What have other people already advised u?
    have u tried to reinstall explorer?
     
  8. 2005/02/26
    surferdude2

    surferdude2 Inactive

    Joined:
    2004/07/04
    Messages:
    4,009
    Likes Received:
    23
    Does this problem also occur in Safe Mode?

    If not, try disabling your startups one at a time to try and isolate the culprit.

    Also look at the processes running in Safe Mode versus those in standard mode and use Task Manager to disable them one at a time to attempt to isolate the culprit.

    You can test a different copy of explorer.exe by doing the "End Process" on the one running and then browsing to one of the other copies and running it, just for a test. Might yield a clue.

    Post back what you find.

    ps. I noticed Iexplorer.exe was running in your log. Can you justify that?
     
  9. 2005/02/26
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Possibility.

    There may be a connection between the above and below.

    I just looked through the files in the folder referred to and I see no sign of EXPLORER.EXE.

    I will check again as soon as I close out here and get offline.

    BillyBob
     
  10. 2005/02/26
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    I just checked a different way and Explorer.exe did show up in TWO files in the Soft Dist/Download files.

    But other than that it only showed as being in C:\Windows and the Service Pack files ( i386 folder )

    BB
     
  11. 2005/02/26
    Rockit

    Rockit Inactive

    Joined:
    2003/03/23
    Messages:
    464
    Likes Received:
    0
    :rolleyes:

    I had the same exact problem until I uninstalled all Norton (Symantec) software. My task manager also showed explorer.exe using all the resources when this would happen.

    And just like magic the problem went away and has not returned. :eek:

    And it's nice to not have to Kill explorer.exe every half hour cause the system's locked up.

    I now use and really like F-Prot Antivirus. It states right on their website that the software is configured to use as little resources as possible and can be run on all windows platforms. I've also run into 3 network managers who use F-Prot for the network they maintain.

    Good Luck
    Rockit
     
  12. 2005/02/26
    surferdude2

    surferdude2 Inactive

    Joined:
    2004/07/04
    Messages:
    4,009
    Likes Received:
    23
    Norton can be a bear at times. It's often just doing what is asked but some systems won't tolerate all that it can do and some users don't realize what they have asked. :D

    At any rate, killing it in Task Mgr. will determine that.
     
  13. 2005/02/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k


    Information below about this process, running on your machine, taken from answersthatwork.com. C:\WINDOWS\System32\nvsvc32.exe

    NVIDIA Driver Helper Service which gets installed under Windows NT4/2000/XP/2003 by the NVIDIA drivers for some of their graphics cards (or graphics cards based on an NVIDIA chipset). We do not at this stage know what this process does except consume memory ! And we also have no idea as to what a "Driver Helper Service" is supposed to do !!

    Recommendation :
    This service is often responsible for various glitches, from significant shutdown delays to excessive memory usage. Disabling it, however, does not result in our experience in any ill-effect in regards to the proper operation of your NVIDIA or NVIDIA chipset graphics card, so we recommend that you definitely set the Startup Mode of this service to Disabled. You can do this by going to start>run, type services.msc, hit enter. Locate the service in the list and right click>properties. Stop the service, then disable, apply and OK out.


    Reboot and see if the problem persists.


    From answersthatwork.com
    CTHELPER is a background task that is a plug-in manager for Creative drivers. It first appeared with Creative’s SoundBlaster Live and Audigy soundcards. The theory is that 3rd party manufacturers can use the CTHELPER plug-in interface to produce drivers, add-on features, and fixes that will integrate with a tighter fit with Creative’s sound drivers and utilities. One of the very first uses of this interface has been for InterVideo’s WinDVD in the shape of a fix called "WinDVDPatch" and, at the time of writing 12-Jan-2003, there have not been other uses for it yet.

    Recommendation :
    Given its purpose CTHELPER would normally be classified as a "leave alone" background task. Unfortunately, as with many other Creative background tasks in these pages, there are often problems with CTHELPER. The most common complaint is random excess CPU utilization, up to 100% ! We have also had complaints of PCs freezing when CTHELPER is around, although that is probably also 100% CPU utilization. Additionally, on PCs running Intel’s Pentium 4 Hyper-Threading CPUs, the sound stutters. In short : CTHELPER is far more trouble than it is a help.

    Added by soundcard software to remind you to update. Not needed at startup.
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE

    Splash screen with sound on every boot up. Installed with a Sound Blaster Audigy soundcard. Not needed at startup.
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run

    Added by sound card software for auto detection of headphones. Not needed at startup.
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
     
  14. 2005/02/28
    richy_kiss_kiss

    richy_kiss_kiss Inactive Thread Starter

    Joined:
    2003/03/02
    Messages:
    37
    Likes Received:
    0
    this problem does kick in when viewing avi files...yes!

    is there a file size limit for directories for winXP?...some of my directories are 7gb in size. have since created directories in these directories to spread out the file size(s). seemed to help a little.
     
  15. 2005/02/28
    richy_kiss_kiss

    richy_kiss_kiss Inactive Thread Starter

    Joined:
    2003/03/02
    Messages:
    37
    Likes Received:
    0
    the main problem lies in my shared folder directory which is 1.5gb in size. this directory has a file in it that won't delete. have posted a separate query regarding that in main windowsXP forum.

    i try to just look in that directory and the problem kicks in...
     
  16. 2005/02/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Try using Move-on-Boot to delete that file. Once installed, you will have a new option to Delete on the next boot when right clicking a file. Tag it for deletion and reboot.

    Folder size shouldn't present much of a problem; however, the number of files within a folder could have some bearing as to how quickly it loads. Another factor with large numbers of files would be the view setting, e.g. Thumbnail vs list.
     
  17. 2005/03/01
    Not_a_quitter

    Not_a_quitter Inactive

    Joined:
    2005/02/07
    Messages:
    56
    Likes Received:
    0
    AVI preview in explorer (left panel) is a known issue.

    click start > run
    and type
    regsvr32 /u shmedia.dll

    Tell us if ur pb is fixed with that.

    After u've deleted the corrupted file you mentioned, re-enable the preview:
    regsvr32 shmedia.dll
     
  18. 2005/03/01
    richy_kiss_kiss

    richy_kiss_kiss Inactive Thread Starter

    Joined:
    2003/03/02
    Messages:
    37
    Likes Received:
    0
    have deleted this avi file that was the main reason for this slow down and my computer is by and large slow down free via explorer.exe

    just one more question.

    i've got msmsgs.exe running in the background and i've disabled that in services. any ideas why it should be there?

    p.s

    i've got norton anti-virus up to date, so W32.Alcarys.B@mm worm shouldn't be the problem.
     
  19. 2005/03/01
    surferdude2

    surferdude2 Inactive

    Joined:
    2004/07/04
    Messages:
    4,009
    Likes Received:
    23
    That's Windows Messenger you have running in the background. It has no relationship to the Messenger Service that you disabled.

    If you don't use Windows Messenger, you can disable it as follows: Start -> Programs -> Windows Messenger -> Tools -> Options -> Preferences. Uncheck "Run this program when Windows Starts".
     
  20. 2005/03/01
    richy_kiss_kiss

    richy_kiss_kiss Inactive Thread Starter

    Joined:
    2003/03/02
    Messages:
    37
    Likes Received:
    0
    that's already unticked, so shouldn't be there.

    the program isn't in the task bar, but in the task manager!
     
  21. 2005/03/01
    surferdude2

    surferdude2 Inactive

    Joined:
    2004/07/04
    Messages:
    4,009
    Likes Received:
    23
    Check in OE also since it has an option related to Windows Messenger.

    If you'd like to completely dump it from your drive, Doug Knox has a tool for that.
     