Explorer.exe 100% CPU usage after login (webcpl.dll)
January 12th, 2006 at 04:32pm
Explorer.exe started using 100% CPU about 5 minutes after login. The user had run Spybot, Ad-Aware, and Trend Micro scans and nothing showed up. I took a look at the startup items with msconfig and couldn’t find anything myself. I first ran Process Explorer and couldn’t find anything obvious that was hooked into explorer.exe that would cause the problem (moral of the story: I didn’t know how to use Process Explorer). I ran TCPView and noticed that at login, explorer.exe was trying to connect to an intercage.com IP address (which didn’t respond to pings). As soon as the TCP connection died, explorer.exe CPU usage jumped to 100%. If I end-tasked explorer.exe and re-ran it, it wouldn’t try to make the connection again and it would never use 100% CPU again. If I booted up without a network connection, everything was okay. Once I connected though, explorer.exe would try to make the TCP connection with the mysterious IP again.
After tons and tons of troubleshooting (Filemon, Regmon, SFC, etc.) and searching for solutions (“explorer.exe 100% cpu”, “explorer.exe 99% cpu”, “explorer.exe 90% cpu”, “explorer.exe syn_start”, “explorer.exe close_wait”, “OMG!”), I took a deeper look at Process Explorer’s features. I thought all I could do with the program was look at (and close) the open handles of a process with the main window but if you right-click on a process and go to Process Properties, there’s also a useful Threads tab. In this tab, I was able to find a thread which was created by (right?) webcpl.dll and was using 100% CPU. I was able to kill the thread and voila! Explorer.exe was acting normal again. I found the culprit in %windir%\system32. I opened the file up in Notepad and I found a reference to the IP that TCPView showed. I deleted the file, found one reference in the registry to the DLL, and deleted that (probably should’ve unregistered it instead?).
Now everything is happy. Explorer.exe is no longer trying to connect to the IP and it doesn’t use up the CPU. I searched for more information about the DLL but all I could find was a forum thread about Panda Antivirus detecting it as the Downloader.GRG trojan and not being able to delete it. Panda’s site didn’t have much information about it though. Oh well.
Entry Filed under: computers
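The same triage the post does by hand with TCPView and Process Explorer, as an added PowerShell example (not part of the original post): it lists explorer.exe's remote TCP connections, its busiest threads by CPU time, and any loaded DLL without a valid signature. It assumes an elevated session on Windows 10 or later, where Get-NetTCPConnection exists and Get-AuthenticodeSignature also checks catalog signatures; on older systems many legitimate system DLLs will show as NotSigned.

```powershell
# Added triage sketch, read-only: nothing here kills threads or deletes files.
foreach ($p in Get-Process -Name explorer -ErrorAction Stop) {

    # 1. Remote TCP connections owned by this explorer.exe (the TCPView step).
    #    A shell process holding outbound connections deserves a closer look.
    Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin '0.0.0.0', '::', '127.0.0.1', '::1' } |
        Select-Object @{n = 'PID'; e = { $p.Id } }, State, RemoteAddress, RemotePort |
        Format-Table -AutoSize

    # 2. Threads that have consumed the most CPU. The Id column is the TID
    #    shown on Process Explorer's Threads tab, where the start module
    #    (webcpl.dll in the post) can be read off.
    $p.Threads |
        Sort-Object TotalProcessorTime -Descending |
        Select-Object -First 5 Id, TotalProcessorTime, ThreadState, WaitReason |
        Format-Table -AutoSize

    # 3. DLLs loaded into explorer.exe whose Authenticode signature is
    #    missing or invalid, newest first. A recently created, unsigned DLL
    #    in system32 is the pattern described in the post.
    $p.Modules |
        Where-Object { $_.FileName } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FileName
            [pscustomobject]@{
                Module  = $_.ModuleName
                Status  = $sig.Status
                Created = (Get-Item -LiteralPath $_.FileName -Force).CreationTime
                Path    = $_.FileName
            }
        } |
        Where-Object { $_.Status -ne 'Valid' } |
        Sort-Object Created -Descending |
        Format-Table -AutoSize
}
```

An unsigned module is a lead, not a verdict: third-party shell extensions are often unsigned, so check the file's origin before removing it.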
31 Comments
1. tomas | February 15th, 2006 at 12:55 pm
ewido anti-malware 3.5 detected and removed webcpl.dll
2. muzzy100 | March 8th, 2006 at 1:41 pm
THANK YOU! YOU ARE A LIFESAVER.
3. Pete | March 8th, 2006 at 2:21 pm
Thank you for your help. Many an hour has been spent on this “sucker” and you were right on the money. Easy to fix too.
4. Frank | March 17th, 2006 at 2:01 pm
I found it using Process Explorer from System Internals but I was not sure if it was malicious… Thank you for posting your comment, it was very useful… I have Norton Antivirus and Microsoft Spyware and they didn’t work to detect it.
5. Richard Davis | March 25th, 2006 at 10:36 am
I fought this problem for two days. I had located the fact that if I disabled the DHCP service, the problem went away, of course I had no network access. I also found if I pulled the CAT5 before boot up no problem, but as soon as I plugged it back in explorer would hit 99% CPU usage. The temporary fix of course was end task on Explorer.exe and re-start it, the system would run great till the next boot. I could not find the problem. On the 21st of March AVG sent an update file and the problem went away. I saw the file it found was WebCPL.dll, I searched the WEB and found your article. Just wanted to say thanks for the explanation of the problem. I wished I had found it sooner, sure would have saved many hours of frustrated troubleshooting.
Thanks,
Richard Davis
6. Don | April 1st, 2006 at 6:29 pm
You’re a genius. I’ve been chasing this around off and on for 2 weeks now. I was able to temporarily fix the problem by denying explorer.exe internet access through Zonealarm settings but I didn’t feel comfortable leaving the issue unresolved. Does anyone have any idea why explorer.exe was accessing the internet?
7. Hoteldeals | August 24th, 2006 at 1:34 pm
After struggling with this for a week came across your post. Downloaded both programs, ran the updates, and bingo, things are back to perfect (well, at least as perfect as things can be in an MS world). Thanks a million for your post.
8. EMF | November 8th, 2006 at 11:51 am
Thanks. I had this problem for several days and not only did I find webcpl but also ddaya.dll hogging all the CPU.
9. x-clusive | November 16th, 2006 at 10:25 pm
i soo owe you thank you soooooo f**ken much. Ive been having a similar problem i did most of what you said… but the thread that was causing me trouble was nnnkhhh.dll I dont know if that was important but i got rid of it and now my cpu usage is back to normal…. i almost came to tears seriously THANX SOOO MUCH… shot g
10. Roy | December 10th, 2006 at 9:03 pm
Please help.
I also am having this problem and can’t get rid of it. I have run Ewido smartswite and Antivirus, Dr Web Cure IT, Cleanup, Adaware, and nothing picks it up. Whenever I use explorer and browse through folders it uses up 99% CPU and stays there.
I have also run Process Explorer but I dont really know what to do with it. I just finished setting up my laptop so i really dont want to rebuild it
11. tom | January 9th, 2007 at 11:09 pm
hi, I am having the same problem, My cpu usage for explorer.exe is going to 99% about 30 min to 1 hour into using my computer. I solve this temporarily by restarting. I was reading what you were explaining and i got quite confused so if anyone can please help me on this i’d much appreciate it.
12. chuonthis | January 10th, 2007 at 9:27 am
It looks like Ewido’s anti-spyware can clean this spyware up now. I’m not 100% positive this will work but give their free online scan a try. Just go to http://www.ewido.net/en/onlinescan/ with Internet Explorer and you can scan for spyware for free. Hopefully that will detect and clean the problem.
13. Andrew | January 28th, 2007 at 2:27 pm
Thanks a lot! I have had this problem for a long time! I have been doing as you said- cancelling the explorer process and restarting it after a few moments. I just never restart my computer! This is great. I found the file name in Norton Antivirus but it was unable to delete it. So I searched for it and found it in System 32 folder. I rebooted in safe mode w/o networking, deleted the file and restarted. Now, everything is running great!
14. Alan B | January 31st, 2007 at 1:05 pm
Beautiful! My problem was a little different, but your solution led me to the thread in Explorer that was doing the damage. Client Side Cache was flogging the CPU!
15. gamerwill253 | February 10th, 2007 at 12:24 am
OMG FREAKING THANKS OMG I WAS GOING INSANE CUZ OF THIS PROB AND U FIXED IT FOR ME :DDDDDDD
16. Matt Staff | February 20th, 2007 at 10:13 pm
Well, I must say, your recommendation for Process Explorer is by far the most powerful tool related to what shouldn’t be such a simple problem and now I’m afraid I’ll use it to break my windows in teh future!!!
… Woot
17. Greg | March 8th, 2007 at 2:33 pm
I seem to be having the same problem but I can not locate the webcpl.dll I have downloaded both TCPView and Process Explorer. In order to get it working do I close out explorer and then restart the computer? Then it will work until I restart it again? I’m just a novice on computers, not real super smart like you guys seem to be. :) If you guys can help me out and maybe walk me through this a bit that would be awesome. Thanks.
18. chuonthis | March 8th, 2007 at 2:50 pm
@ Greg, have you tried right-clicking on explorer.exe and then selecting Properties? There is a Threads tab which will allow you to see any suspicious threads and the CPU usage of each thread. If you see one that is using 100% CPU, then that is the culprit (although it may not be webcpl.dll in your case). Email me and we can try to figure it out. chuonthis@hotmail.com :)
19. davey jones | March 16th, 2007 at 2:05 pm
Also worth mentioning is the program regcure.
Use it to scan, repair & optimize your pc.
I ran it yesterday and picked up over 800 errors 47 on dll files!
repaired the files and now my pc is running sweet.
i had the same issue with explorer.exe 100%cpu usage.
It seems ok now, but i havent had long enough to confirm its definitely worked.
worth a try before you go deleting dlls?
20. Djhg | April 15th, 2007 at 4:23 pm
In Task manager, if I select view>update speed>high (instead of normal) all displays correctly, and there’s no evidence of high mem usage at all. On my machine, that’s all it took. In “normal” the gauge stays stuck at the highest levels on one of my computers (but not on the other.)
21. Davide! | April 23rd, 2007 at 2:18 am
Id just like to say thanks. I have been trying to fix this thing for DAYS!!
There are many people with this problem Ive been searching for solutions on google for about 38 hours Now such a bastard thanks ever so much!:D:D
22. Doug Johnson | April 28th, 2007 at 6:32 pm
This problem manifested itself on my PC yesterday. I have tracked it down to gebyx.dll, a thread under Explorer.exe, however, it is also running as a thread under WINLOGON, thus won’t let me delete it, even in SAFE mode. I created a bootable CD and booted from it, but I get “Invalid Directory Specified”, even though I was in c:\windows\system32.
If I go in with Process Explorer and kill the thread, Explorer then behaves itself.
Any ideas most welcome…
Regards,
DougJ
23. chuonthis | April 30th, 2007 at 2:07 pm
Just in case anyone reads this, it looks like Doug’s DLL (gebyx.dll) is from the Virtumonde or Winfixer spyware. It looks like the popular tool for removing it is VundoFix available here: http://www.atribune.org/content/view/24/2/
If you Google for Virtumonde or Winfixer, you’ll see many links from the reputable anti-virus/spyware companies with removal tools and instructions.
24. amccarl | May 4th, 2007 at 8:01 am
Vundofix seems to have fixed my problem.
25. hello | May 21st, 2007 at 10:59 pm
where is Process Properties?
26. Scott | June 18th, 2007 at 10:34 pm
Thanks for the great recommendation. Found this site after searching now that my explorer.exe is hanging out at 99% cpu usage.
Ran the Process Explorer app. and when looking at properties, it ended up leading me to a file called checkweb.dll that is hidden deep within my c:\windows\system32\dllcache directory.
Problem is I cant delete it!
it keeps saying the file is in use or write protected. I killed it from Process Explorer and any little file assoc. with checkweb.dll (there were about 5 in the Properties tab of explorer.exe that had checkweb.dll as part of its name).
Any suggestions of how to delete this from my comp so I dont have to kill it on every boot?
Id love to just trash the damn thing.
Thanks
27. chuonthis | June 19th, 2007 at 10:06 pm
Scott, if you can’t find the offending executable that’s holding onto the file, there are a couple of things you can try. The easiest way is probably just to boot up into safe mode and delete the file. In most cases, the file will not load in safe mode. The next easiest is to just try renaming the file. Oftentimes, you can rename an in-use file even though you can’t delete it. If the file isn’t recreated, then reboot and it will fail to load on the next startup since it is a different filename. Then you can delete it.
Also, I found this semi-useful link on Google about the DLL: translated link
28. bob | September 13th, 2007 at 1:20 pm
I am having an identical problem as described at the top of this page. Problem exists on multiple laptops (but not desktops) at my company.
Sometimes after restarting the problem will not come back. Every time a user shuts down and turns laptop back on the problem exists — explorer.exe is at 0-3% until you try to open my computer or windows explorer. then it just hangs at 99%
I ran Process Explorer and found that BrowseUI.dll!ordinal138 is the culprit thread.
Here is the stack for that thread:
ntoskrnl.exe+0x48f3
ntoskrnl.exe!ZwYieldExecution+0xb0f
ntdll.dll!KiFastSystemCallRet
WININET.dll!InternetTimeFromSystemTimeA+0x1bbc
WININET.dll!InternetCanonicalizeUrlW+0x180
SHDOCVW.dll!Ordinal174+0x2d
BROWSEUI.dll!Ordinal136+0x26680
BROWSEUI.dll!Ordinal136+0x126e2
BROWSEUI.dll!Ordinal136+0x12cb0
BROWSEUI.dll!Ordinal138+0x555e
BROWSEUI.dll!Ordinal138+0x5a33
BROWSEUI.dll!Ordinal136+0x1444e
SHDOCVW.dll!Ordinal147+0x17ae
BROWSEUI.dll!Ordinal113+0x28c9
BROWSEUI.dll!Ordinal103+0x1672
BROWSEUI.dll!Ordinal138+0x6e68
USER32.dll!GetDC+0x6d
USER32.dll!GetDC+0x14f
USER32.dll!DefWindowProcW+0x184
USER32.dll!CallNextHookEx+0x1a3
ntdll.dll!KiUserCallbackDispatcher+0x13
USER32.dll!CreateWindowExW+0x2a7
USER32.dll!CreateWindowExW+0x33
SHLWAPI.dll!Ordinal55+0x5f
BROWSEUI.dll!Ordinal138+0x7833
BROWSEUI.dll!Ordinal138+0x7b45
kernel32.dll!GetModuleFileNameA+0x1b4
Can anyone help?
-Bob
29. Christian | January 15th, 2008 at 2:12 pm
you guys kick *ss! my wife picked up this gebyx.dll and google led me here. i’da been clueless w/out you guys. thanks!!!
30. Robis | March 30th, 2008 at 5:08 pm
I first time noticed, the explorer.abuser was downloades some porno video file, every time i was trying delete explorer.exe pop up with 99% … but i cant delete in standard mode so i go in safe mode and same thing even cant rename if u make but im not new with that and always work for me reneme like .exe or .bat at the end and after that rename is succesful and can delete… ewido and antivirus progs dont find anything, dont waste time if u have something like i have.. wish u luck ;)
31. Harry | April 10th, 2008 at 6:55 pm
i had this problem when my wife tried to log on the internet. i think the solution was to reset her defaults. but it has been so long ago can anybody tell me if this was the fix? I only ask because i upgraded from NIS 2007 to 2008 (running XP) and now MY CPU usage runs at 100% and locks the computer. I am on her account right now. tried talking to Norton folks, but they said it was the computer’s fault - didn’t have any issues until i went to NIS 2008.
any thoughts???