Solved

High explorer.exe CPU usage

Posted on 2013-11-02
22
974 Views
Last Modified: 2013-11-07
HP Desktop with Windows 7 Home Edition SP1-64-bit  4G memory

Runs at 100% right after boot.
No malware, ran all cleaners, Malwarebytes, JFT, ADW, etc

It looks odd in that there are 3 to 4 instances of explorer.exe sharing to run 100%.
See att.

I was going to do an Inst/Repair but figured whatever this problem is might carry over.
I'm posting on the affected PC, real slowly.

Process Exp
0
Comment
Question by:cfourkays
  • 12
  • 7
  • 2
  • +1
22 Comments
 
LVL 20

Expert Comment

by:CompProbSolv
ID: 39618980
I don't have an obvious answer, but have you tried this in Safe Mode?  How about disabling everything through MSConfig?
0
 
LVL 2

Author Comment

by:cfourkays
ID: 39619036
Safe Mode's fine. Running now with everything disabled.

Process Exp shows 4 instances of explorer.exe cpu like 32, 30, 21, 14, almost adding up to 100%.
Right now it's bouncing around 50, 20, 15,15.

The Task Manager's showing the same basic thing. Before it was just showing a solid 100%
Looking at Strings in Properties in Pro/Exp has a gazillion entries.
I do a lot of malware removal on customers' PCs so that was the first thing I checked. Nada.
0
 
LVL 24

Expert Comment

by:aadih
ID: 39619055
Try (only):

Disable superfetch service (using services.msc) and see if the problem goes away.  Disable it, restart, and see what happens. If no improvement, make it automatic again.
0
 
LVL 2

Author Comment

by:cfourkays
ID: 39619191
Wasn't there a rock group "SuperFetch"?

Anyway, I thought we had it. I disabled it and after restarting, everything looked normal for about 3 minutes.
Then the explorer.exe functions started showing and it's now back again.
3 explorer.exe's at the top each pulling over 25%.
0
 
LVL 20

Expert Comment

by:CompProbSolv
ID: 39619196
Safe Mode doesn't show the symptom, but it does show up with everything (all startup and services, including Microsoft services) disabled?

If that is correct, then I would run sfc /scannow.  I'm suspicious of a bad OS file of some sort.  This may catch it.
0
 
LVL 2

Author Comment

by:cfourkays
ID: 39619324
I thought the same thing when I first looked at it.
I ran the sfc twice now and it shows no errors.
Chkdsk /r OK.
I'm going to do an Inst/Repair later and see what I get.
Unless you have some other thoughts.
0
 
LVL 2

Author Comment

by:cfourkays
ID: 39619341
Forgot to mention that the PC has that Hardware Diagnostic tool from PC-Doctor that runs a good hardware test, HDD, Memory, etc.
Ran that and came up clean.
0
 
LVL 91

Expert Comment

by:nobus
ID: 39619608
try a system restore to a date it was running fine
it can be caused by an update
0
 
LVL 2

Author Comment

by:cfourkays
ID: 39619993
I've done that.
Thanks for chipping away at this.
I did a lot of troubleshooting but there's probably a lot more I've missed.

I'm going to do the Inst/Repair and let you know what happens.

Pete
0
 
LVL 91

Expert Comment

by:nobus
ID: 39620058
run msconfig
in startup tab, click disable all
in services tab, click "hide MS services" then click disable all
reboot to test
0
 
LVL 2

Author Comment

by:cfourkays
ID: 39620138
Hi Nobus, welcome.

OK, I forgot that one.
However, here's the result:
Here's a snip:
What's interesting, to me, after a reboot, I'll start the Process Explorer and watch the first explorer.exe replace the System Idle Process, followed by 1, then 2 or 3 more explorer.exe's where they may total close up to 100%.

Process Exp
0

 
LVL 2

Author Comment

by:cfourkays
ID: 39620336
Isn't there a way to see what's driving those explorer.exe's?

Sorry for mis-info.

Does the same thing in Safe Mode.
0
 
LVL 91

Expert Comment

by:nobus
ID: 39620870
so you disabled all, and when starting 1 explorer - you got several? that starts looking like a severe OS corruption.
Do you know when or how this started? maybe a system restore helps then

To look for the cause, try running task management -  select performance tab
now click the Resource Monitor button, and select ram, cpu or disk, as you wish
0
 
LVL 2

Author Comment

by:cfourkays
ID: 39624856
Can I do anything with this?
When I have my internet connected, it seems to trigger the explorer.exe's.
Just looking at another PC, I don't see the "explorer.exe" while connected the same way.
Pete
Resource-Monitor-Internet-connec.JPG
Resource-Monitor-Network-disconn.JPG
0
 
LVL 91

Expert Comment

by:nobus
ID: 39624991
you said no malware; but that's just how it looks to me: hijacked
run Hijackthis and post the log file
http://sourceforge.net/projects/hjt/
0
 
LVL 2

Author Comment

by:cfourkays
ID: 39625039
Here you go.
hijackthis.log
0
 
LVL 91

Expert Comment

by:nobus
ID: 39626569
you can remove  or uninstall these to start with :
O2 - BHO: HelloWorldBHO - {ABD3B5E1-B268-407B-A150-2641DAB8D898} - C:\Program Files (x86)\Common Files\Homepage Protection\HomepageProtection.dll

O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0560.0\msneshellx.dll

O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0560.0\msneshellx.dll

here a bad one :  O20 - AppInit_DLLs: C:\PROGRA~2\Google\GOBCA7~1\GO36F4~1.DLL

i suppose you have a brother device  :  O23 - Service: BrYNSvc - Brother Industries, Ltd. - C:\Program Files (x86)\Browny02\BrYNSvc.exe

there are also a variety of "updater" services - you can uninstall them, or disable them at startup (with msconfig) if you are not sure how - tell me
0
 
LVL 2

Author Comment

by:cfourkays
ID: 39628863
I had to remove that "helloworldBHO" from the Registry.
The Live search Toolbars are just part of the MSN Explorer that HP with its Online Package puts on.
I uninstalled the program since the customer doesn't use any of it.

Here's a new HJ log.

Pete
hijackthis-1.txt
0
 
LVL 91

Accepted Solution

by:
nobus earned 500 total points
ID: 39629498
i always uninstall ALL toolbars and "updaters"
do you know how to use the hijackthis for removing these entries?
you can still remove these :  
O3 - Toolbar: (no name) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - (no file)

O20 - AppInit_DLLs: C:\PROGRA~2\Google\GOBCA7~1\GO36F4~1.DLL

then at least all unnecessary - and strange items are gone
0
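An added example, not part of any post in this thread: a small triage of the HijackThis lines quoted above, grouping them by section code (O2 browser helper objects, O3 toolbars, O20 AppInit_DLLs, O23 services) and flagging the properties the replies single out. The function name `triage` and the wording of the notes are illustrative assumptions; the sample lines are copied from the posts.

```python
import re

# Section codes seen in this thread's log excerpts and what each one lists.
SECTIONS = {
    "O2": "Browser Helper Object",
    "O3": "Internet Explorer toolbar",
    "O20": "AppInit_DLLs value",
    "O23": "Windows service",
}

ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
SHORT_NAME = re.compile(r"~\d")  # 8.3 short path component, e.g. PROGRA~2


def triage(log_text):
    """Return (code, kind, target, notes) for each recognised log line."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m or m.group(1) not in SECTIONS:
            continue
        code, _label, rest = m.groups()
        target = rest.rsplit(" - ", 1)[-1].strip()
        notes = []
        if target == "(no file)":
            notes.append("orphaned registration: file is missing")
        if "(no name)" in rest:
            notes.append("unnamed entry")
        if code == "O20":
            notes.append("loaded into every process that loads user32.dll")
        if SHORT_NAME.search(target):
            notes.append("8.3 short path: resolve to the long name before judging")
        findings.append((code, SECTIONS[code], target, notes))
    return findings


# Lines quoted in the thread above.
SAMPLE = r"""
O2 - BHO: HelloWorldBHO - {ABD3B5E1-B268-407B-A150-2641DAB8D898} - C:\Program Files (x86)\Common Files\Homepage Protection\HomepageProtection.dll
O3 - Toolbar: (no name) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~2\Google\GOBCA7~1\GO36F4~1.DLL
O23 - Service: BrYNSvc - Brother Industries, Ltd. - C:\Program Files (x86)\Browny02\BrYNSvc.exe
"""

if __name__ == "__main__":
    for code, kind, target, notes in triage(SAMPLE):
        print(f"{code:4} {kind:26} {target}")
        for n in notes:
            print(f"       ! {n}")
```

Entries that come back with notes are the ones to review first; an empty note list only means none of these checks fired, not that the file is trustworthy.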
 
LVL 2

Author Comment

by:cfourkays
ID: 39630496
Hi Nobus,
I don't know which deleted entry cleared the problem but one of them did.
Had to remove the no name toolbar in the Registry. HJ would not remove either.
The O20 entry is still there but appears to have no effect. Can't find it (yes, nothing hidden).
Here's the HJ log and a snip of the Resource Manager and Task Manager.


I'm a volunteer Malware removal guy on another Forum, (small one), and never once thought to go back to Hijackthis.
When stumped, this is where I go.

Many thanks.

Pete
0
 
LVL 2

Author Closing Comment

by:cfourkays
ID: 39630514
This one was not the normal removal for me since I went through all the latest, updated removal tools.
With nobus's help the problem was cleared by Hijack this removals.
0
 
LVL 91

Expert Comment

by:nobus
ID: 39630580
tx for feedback!
0
