Some files can harm your computer. SUSE AutoYaST setting X keyboard layout to German

Explorer.exe 100% CPU usage after login (webcpl.dll)

January 12th, 2006 at 04:32pm

Explorer.exe started using 100% CPU about 5 minutes after login. The user had run Spybot, Ad-Aware, and Trend Micro scans and nothing showed up. I took a look at the startup items with msconfig and couldn’t find anything myself. I first ran Process Explorer and couldn’t find anything obvious that was hooked into explorer.exe that would cause the problem (moral of the story: I didn’t know how to use Process Explorer). I ran TCPView and noticed that at login, explorer.exe was trying to connect to an intercage.com IP address (which didn’t respond to pings). As soon as the TCP connection died, explorer.exe CPU usage jumped to 100%. If I end-tasked explorer.exe and re-ran it, it wouldn’t try to make the connection again and it would never use 100% CPU again. If I booted up without a network connection, everything was okay. Once I connected though, explorer.exe would try to make the TCP connection with the mysterious IP again.

After tons and tons of troubleshooting (Filemon, Regmon, SFC, etc.) and searching for solutions (”explorer.exe 100% cpu”, “explorer.exe 99% cpu”, “explorer.exe 90% cpu”, “explorer.exe syn_start”, “explorer.exe close_wait”, “OMG!”), I took a deeper look at Process Explorer’s features. I thought all I could do with the program was look at (and close) the open handles of a process with the main window but if you right-click on a process and go to Process Properties, there’s also a useful Threads tab. In this tab, I was able to find a thread which was created by (right?) webcpl.dll and was using 100% CPU. I was able to kill the thread and voila! Explorer.exe was acting normal again. I found the culprit in %windir%\system32. I opened the file up in Notepad and I found a reference to the IP that TCPView showed. I deleted the file, found one reference in the registry to the DLL, and deleted that (probably should’ve unregistered it instead?).

Now everything is happy. Explorer.exe is no longer trying to connect to the IP and it doesn’t use up the CPU. I searched for more information about the DLL but all I could find was a forum thread about Panda Antivirus detecting it as the Downloader.GRG trojan and not being able to delete it. Panda’s site didn’t have much information about it though. Oh well.

Entry Filed under: computers

35 Comments Add your own

  • 1. tomas  |  February 15th, 2006 at 12:55 pm

    ewido anti-malware 3.5 detected and removed webcpl.dll

  • 2. muzzy100  |  March 8th, 2006 at 1:41 pm

    THANK YOU! YOU ARE A LIFESAVER.

  • 3. Pete  |  March 8th, 2006 at 2:21 pm

    Thank you for your help. Many an hour has been spent on this “sucker” and you were right on the money. Easy to fix too.

  • 4. Frank  |  March 17th, 2006 at 2:01 pm

    I found it using Process Explorer from System Internals but I was not sure if it was malicious… Thank you for posting your comment it was very usefull… I have Norton Antivirus and Microsoft Spyware and they didn’t work to detected.

  • 5. Richard Davis  |  March 25th, 2006 at 10:36 am

    I fought this problem for two days. I had located the fact that if I disabled the DHCP service, the problem went away, of course I had no network access. I also found if I pulled the CAT5 before boot up no problem, but as soon as I plugged it back in explorer would hit 99% CPU usage. The temporary fix of course was end task on Explorer.exe and re-start it, the system would run great till the next boot. I could not find the problem. On the 21st of March AVG sent an update file and the problem went away. I saw the file it found was WebCPL.dll, I searched the WEB and found your article. Just wanted to say thanks for the explanation of the problem. I wished I had found it sooner, sure would have saved many hour of frustrated troubleshooting.
    Thanks,
    Richard Davis

  • 6. Don  |  April 1st, 2006 at 6:29 pm

    You’re a genius. I’ve been chasing this around off and on for 2 weeks now. I was able to temporarily fix the problem by denying explorer.exe internet access through Zonealarm settings but I didn’t feel comfortable leaving the issue unresolved. Does anyone have any idea why explorer.exe was accessing the internet?

  • 7. Hoteldeals  |  August 24th, 2006 at 1:34 pm

    After struggling with this for a week came across your post. Downloaded both programs ran the updates, and bingo, things are bact to perfect (well at lest as perfect as things can be in an MS world) Thanks a million for your post.

  • 8. EMF  |  November 8th, 2006 at 11:51 am

    Thanks. I had this problem for several days and not only did I find webcpl but also ddaya.dll hogging all the CPU.

  • 9. x-clusive  |  November 16th, 2006 at 10:25 pm

    i soo owe you thank you soooooo f**ken much. Ive been having a similar problem i did most of what you said… but the thread that was causing me trouble was nnnkhhh.dll I dont know if that was important but i got rid of it and now my cpu usage is back to normal…. i almost came to tears seriously THANX SOOO MUCH… shot g

  • 10. Roy  |  December 10th, 2006 at 9:03 pm

    Please help.

    I also am having this probem and cant get rid of it. I have run Ewido smartswite and Antivirus, Dr Web Cure IT, Cleanup, Adaware, and nothing picks it up. Whenever I use explorer and browse through folders it uses up 99% CPU and stays there.

    I have also run Process Explorer but I dont really know what to do with it. I just finished setting up my laptop so i really dont want to rebuild it

  • 11. tom  |  January 9th, 2007 at 11:09 pm

    hi, I am having the same problem, My cpu usage for explorer.exe is going to 99% about 30 min to 1hour into using my computer. I solve this tempoarly by restrarting. I was reading what you were explaning and i got quite xonfised so if anyone can please help me on this id much appreciate it.

  • 12. chuonthis  |  January 10th, 2007 at 9:27 am

    It looks like Ewido’s anti-spyware can clean this spyware up now. I’m not 100% positive this will work but give their free online scan a try. Just go to http://www.ewido.net/en/onlinescan/ with Internet Explorer and you can scan for spyware for free. Hopefully that will detect and clean the problem.

  • 13. Andrew  |  January 28th, 2007 at 2:27 pm

    Thanks alot! I have had this problem for a long time! I have been doing as you said- cancelling the explorer process and restarting it after a few moments. I just never restart my computer! This is great. I found the file name in Norton Antivirus but it was unable to delete it. So I searched for it and found it in System 32 folder. I rebooted in safe mode w/ot networking, deleted the file and restarted. Now, everything is running great!

  • 14. Alan B  |  January 31st, 2007 at 1:05 pm

    Beautiful! My problem was a little different, but your solution led me to the thread in Explorer that was doing the damage. Client Side Cache was flogging the CPU!

  • 15. gamerwill253  |  February 10th, 2007 at 12:24 am

    OMG FREAKING THANKS OMG I WAS GOING INSANE CUZ OF THIS PROB AND U FIXED IT FOR ME :DDDDDDD

  • 16. Matt Staff  |  February 20th, 2007 at 10:13 pm

    Well, I must say, your recommendation for Process Explorer is by far the most powerful tool related to what shouldn’t be such a simple problem and now I’m afraid I’ll use it to break my windows in teh future!!!

    … Woot

  • 17. Greg  |  March 8th, 2007 at 2:33 pm

    I seem to be having the same problem but I can not locate the webcpl.dll I have downloaded both TCPView and Process Explorer. In order to get it working do I close out explorer and then restart the computer? Then it will work until I restart it again? I’m just a novice on computers, not real super smart like you guys seem to be. :) If you guys can help me out and maybe walk me through this a bit that would be awesome. Thanks.

  • 18. chuonthis  |  March 8th, 2007 at 2:50 pm

    @ Greg, have you tried right-clicking on explorer.exe and then selecting Properties? There is a Threads tab which will allow you to see any suspicious threads and the CPU usage of each thread. If you see one that is using 100% CPU, then that is the culprit (although it may not be webcpl.dll in your case). Email me and we can try to figure it out. chuonthis@hotmail.com :)

  • 19. davey jones  |  March 16th, 2007 at 2:05 pm

    Also worth mentioning is the program regcure.
    Use it to scan,reair & optimize your pc.
    I ran it yesterday and picked up over 800 errors 47 on dll files!
    repaired the files and now my pc is running sweet.
    i had the same issue with explorer.exe 100%cpu usage.
    It seems ok now, but i havent had long enough to confirm its definitely worked.
    worth a try before you go deleting dlls?

  • 20. Djhg  |  April 15th, 2007 at 4:23 pm

    In Task manager, if I select view>update speed>high (instead of normal) all displays correctly, and there’s no evidence of high mem usage at all. On my mahcine, that’s all it took. IN “normal ” the guage stays stuck at the highest levels on one of my computers (but not on the other.)

  • 21. Davide!  |  April 23rd, 2007 at 2:18 am

    Id just like to say thanks. I have been trying to fix this thing for DAYS!!

    There are many people with this problem Ive been searching for solutions on google for about 38 hours Now such a bastard thanks ever so much!:D:D

  • 22. Doug Johnson  |  April 28th, 2007 at 6:32 pm

    This problem manifested itself on my PC yesterday. I have tracked it down to gebyx.dll, a thread under Explorer.exe, however, it is also running as a thread under WINLOGON, thus won’t let me delete it, even in SAFE mode. I created a bootable CD and booted from it, but I get “Invalid Directory Specified”, even though I was in c:\windows\system32.

    If I go in with Process Explorer and kill the thread, Explorer then behaves itself.

    Any ideas most welcome…

    Regards,

    DougJ

  • 23. chuonthis  |  April 30th, 2007 at 2:07 pm

    Just in case anyone reads this, it looks like Doug’s DLL (gebyx.dll) is from the Virtumonde or Winfixer spyware. It looks like the popular tool for removing it is VundoFix available here: http://www.atribune.org/content/view/24/2/

    If you Google for Virtumonde or Winfixer, you’ll see many links from the reputable anti-virus/spyware companies with removal tools and instructions.

  • 24. amccarl  |  May 4th, 2007 at 8:01 am

    Vundofix seems to have fixed my problem.

  • 25. hello  |  May 21st, 2007 at 10:59 pm

    where is Process Properties?

  • 26. Scott  |  June 18th, 2007 at 10:34 pm

    Thanks for the great recommendation. Found this site after searching now that my explorer.exe is hanging out at 99% cpu usage.

    Ran the Process Explorer app. and when looking at properties, it ended up leading me to a file called checkweb.dll that is hidden deep within my c:\windows\system32\dllcache directory.

    Problem is I cant delete it!

    it keeps saying the file is in use or write protected. I killed it from Process Explorer and any little file assoc. with checkweb.dll (there were about 5 in the Properties tab of explorer.exe that had checkweb.dll as part of its name).

    Any suggestions of how to delete this from my comp so I dont have to kill it on every boot?

    Id love to just trash the damn thing.

    Thanks

  • 27. chuonthis  |  June 19th, 2007 at 10:06 pm

    Scott, if you can’t find the offending executable that’s holding onto the file, there are a couple of things you can try. The easiest way is probably just to boot up into safe mode and delete the file. In most cases, the file will not load in safe mode. The next easiest is to just try renaming the file. Oftentimes, you can rename an in-use file even though you can’t delete it. If the file isn’t recreated, then reboot and it will fail to load on the next startup since it is a different filename. Then you can delete it.

    Also, I found this semi-useful link on Google about the DLL: translated link

  • 28. bob  |  September 13th, 2007 at 1:20 pm

    I am having an identical problem as described at the top of this page. Problem exists on multiple laptops (but not desktops) at my company.

    Sometimes after restarting the problem will not come back. Every time a user shuts down and turns laptop back on the problem exists — explorer.exe is at 0-3% until you try to open my computer or windows explorer. then it just hangs at 99%

    I ran Process Explorer and found that BrowseUI.dll!ordinal138 is the culprit thread.

    Here is the stack for that thread:

    ntoskrnl.exe+0×48f3
    ntoskrnl.exe!ZwYieldExecution+0xb0f
    ntdll.dll!KiFastSystemCallRet
    WININET.dll!InternetTimeFromSystemTimeA+0×1bbc
    WININET.dll!InternetCanonicalizeUrlW+0×180
    SHDOCVW.dll!Ordinal174+0×2d
    BROWSEUI.dll!Ordinal136+0×26680
    BROWSEUI.dll!Ordinal136+0×126e2
    BROWSEUI.dll!Ordinal136+0×12cb0
    BROWSEUI.dll!Ordinal138+0×555e
    BROWSEUI.dll!Ordinal138+0×5a33
    BROWSEUI.dll!Ordinal136+0×1444e
    SHDOCVW.dll!Ordinal147+0×17ae
    BROWSEUI.dll!Ordinal113+0×28c9
    BROWSEUI.dll!Ordinal103+0×1672
    BROWSEUI.dll!Ordinal138+0×6e68
    USER32.dll!GetDC+0×6d
    USER32.dll!GetDC+0×14f
    USER32.dll!DefWindowProcW+0×184
    USER32.dll!CallNextHookEx+0×1a3
    ntdll.dll!KiUserCallbackDispatcher+0×13
    USER32.dll!CreateWindowExW+0×2a7
    USER32.dll!CreateWindowExW+0×33
    SHLWAPI.dll!Ordinal55+0×5f
    BROWSEUI.dll!Ordinal138+0×7833
    BROWSEUI.dll!Ordinal138+0×7b45
    kernel32.dll!GetModuleFileNameA+0×1b4

    Can anyone help?
    -Bob

  • 29. Zahed  |  November 19th, 2008 at 1:42 pm

    This will fix it:

    The obnoxious bug in XP that causes Explorer to read the entire contents of broken AVI files before allowing any access to them is caused by bad behavior of shmedia.dll.

    This problem manifests itself by causing Explorer to read the entire contents of an AVI file, regarless of its size or location any time the mouse pointer is hovered over it, or an attempt is made to access it in windows explorer. This causes ‘permission denied’ errors when trying to simply move, copy or delete these files as they cannot be changed while Explorer has an open handle on them.

    This also causes a DoS situation where large AVI’s are stored on remote shares and Explorer keeps reading the files from beginning to end each time they are accessed.

    To correct this misbehavior in Windows XP, remove the following registry key.

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87D62D94-71B3-4b9a-9489-5FE6850DC73E}\InProcServer32

    This will prevent Explorer from loading shmedia.dll in response to file property queries on these files. This will not effect your ability to play files, get file attributes, or even view thumbnails. Say goodbye to all explorer.exe 100% CPU issues.

    And Solution #2 (basically does the same thing, except you are inactivating the file attributes option)…But it WORKS–No more locked .avi files:

    Well windows seem to have a REALLY big problem when it comes to reading AVI files. It seems that when you click on an AVI file in explorer, it’ll try to read the entire AVI file to determine the width,height, etc. of the AVI file (this is displayed in the Properties window). Now the problem with Windows is that if you have a broken/not fully downloaded AVI file that doesnt contain this info, Windows will scan the entire AVI file trying to figure out all these properties which in the process will probably cause 100% CPU usage and heavy memory usage.

    To solve this problem all you have to do is the following:

    1. Open up regedit
    2. Goto HKEY_CLASSES_ROOT\SystemFileAs
    sociations\.avi\shellex\PropertyHandler
    3. Delete the “Default” value which should be “{87D62D94-71B3-4b9a-9489-5FE6850DC73E}”

    Please note that this will no longer provide you with the windows properties displaying the AVI file information such as width, height, bitrate etc. But its a small price to pay for saving you resources.

    Source: Spywareinfo.com

  • 30. Michael  |  January 9th, 2009 at 12:53 pm

    How do I fix this on Vista?? I can’t even open Process Explorer :(

  • 31. Michael  |  January 9th, 2009 at 2:12 pm

    Oops , I just downloaded Process Explorer , I suspended then MURDERED the thread , but how exactly do I find and delete it , it won’t show up on search.

  • 32. chuonthis  |  January 9th, 2009 at 2:53 pm

    Did you note the name of the culprit DLL file? If you did, it is usually at %windir%\system32 (which in most cases is C:\Windows\System32). You may have to turn on hidden files or system files to see it. (how to view hidden and system files and folders in vista)

  • 33. joe  |  February 3rd, 2009 at 1:24 am

    HI, I am fixing a computer for my girls boss. I thought I was done when all of a sudden, when I try to search via start menu or right click on start button, explorer.exe takes all cpu in taskmanager and I tracked a thread call shdocvw.dll+0xd4a29 with process explorer that is the culprit. I looked up this dll and it is a windows file? The computer is xp sp3 and this only happens when I search. Also, the taskbar is disabled and all buttons on it? If anyone has suggestions that would be great.

  • 34. Ryan  |  February 17th, 2009 at 7:38 am

    I took a screenshot of the virus.
    http://img19.imageshack.us/my.php?image=newxt8.jpg

    Whenever i try to go to system32 , explorer.exe stops responding and restarts :(

    What should I do?

  • 35. Billy Bob  |  June 1st, 2009 at 5:01 pm

    Thx Alot!!
    I HAVE BEEN LOOKING HOW TO DO THIS FOR SOOOO LONG.
    ^^ Big Help.

Leave a Comment

Required

Required, hidden

Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>

Trackback this post  |  Subscribe to the comments via RSS Feed


Calendar

January 2006
S M T W T F S
« Dec   Feb »
1234567
891011121314
15161718192021
22232425262728
293031  

Most Recent Posts