Excessive CPU usage by explorer.exe

[anantchowdhary]

I am using a 2.8Ghz Intel Dual core CPU and I've got Windows Vista

Now...after a start my computer...a thread executes itself .The threads name is
nxaEA8A.tmp...

This uses upto 60% of the CPU acc to Process Explorer

When i kill the thread my CPU usage comes back to normal.

Any ideas on how to prevent the thread from running...or y the thread runs in the first place!

Thnx

 

[russ_watters]

Have you run a virus scan and an AdAware scan?

 

[austriolia]

:-) yes, you can get it with adaware, I used to run into the same problem but with different filename. :-)
You should also pay attention to what other files are running too when this tmp is on. I know this file rotation to consume tiny memories at leisure time...

 

[dimensionless]

I'm not sure that explorer.exe can be stopped. explorer.exe definitely should not be using 60% of your CPU time though. I would suggest verifying that your Windows installation has the most recent updates.

 

[anantchowdhary]

Ive just installed a fresh copy of Windows Vista...But still...i acnt get rid of the problem...and i don't think i hav a virus

 

[russ_watters]

If you don't think you have a virus, that means you probably have a virus (or adware/malware). It means you haven't checked and don't actually know. Run a virus scan and an adware scan.

 

[robphy]

Is your hard-drive light active at the same time as this high-cpu-usage thread?
Might it be indexing your files?

 

[anantchowdhary]

No...the hard drive light(red) duznt blink..Ive also tried a scan but its of no hlp:(

 

[BoredNL]

Did you do a fresh installation (formatting) or did you install without formatting?

Try to locate the file and scan it with an online anti-virus scanner before anything else. If it comes upnd clean, then that doesn't mean it isn't a virus or trojan, because it might be a brand new virus/trojan that isn't recognized yet. I don't know anything about windows Vista, so I don't know if the WinXP way of disabling a file from running is the same. The easiest, but unclean way to stop the file from running at boot up is to simply rename the file (after you've stopped it in Task Manager). I usually add ".disabled" to the end of the file and voila, it won't run anymore. If you forget where the file is, just run a search for "*.disabled" and it'll show up. I don't recommend deleting the file, it might be doing something real.

The following is not a complete way to analyze the problem, because I am short on time right now, but here's are a few things you can try:

I couldn't find any information on "nxaEA8A.tmp." I'm guessing that it is a randomly named file. TMP files can be all sorts of different types of files also, so figuring out what type of file it is could reveal some information about it. The next step would be to figure out what is starting the program and for what purpose. Use http://mark0.net/onlinetrid.aspx" to try and figure out what type of file it is (perhaps it's a .dll file, or an .exe, I don't know).

Next I would say to try to figure out how it is running and what it's behavior is. Window's XP's tools for this include regedit (to look at/modify the startup section of the registry that msconfig doesn't look at), msconfig, and CTRL + ALT, DEL. A previous thread in this forum had some excellent recommendations for much better alternatives which will yield a lot more useful information and I would tell you to use these to gather more information and to track down the source of this file.. But I can't remember what the programs are, what thread they're listed in, and I'm at my g/f's on her laptop so I can't just look at the programs. Hmm.. They might not even work on Windows Vista either.

You might just either have to hang tight, rename the file, or reinstall windows vista. (making sure to do a completely free install, to rule out a virus)

Have you tried just letting it run through to completion though? Perhaps it's a legitimate file.

 

[Manchot]

I think people are missing the obvious. Though I have no personal experience with it, from what I understand, Vista is SLOW (even on most new machines).

 

[ukmicky]

What happens if you rename nxaEA8A.tmp does the machine run ok if so try running it for a few days without it.

 

[Gib Z]

How much RAM do you have might be a reasonable question, 60% of 512 megs typical of a 3 year old 2.8 Ghz computer is more than expected running vista..

 

[anantchowdhary]

No...as soon as i kill the thread...my computer runs pretty well!so i guess there's no prob with my PC.and yea..i formatted my disk and hav installed vista!

 

[chaoseverlasting]

I don't know if this will work on vista, but on xp, if you want to configure the boot up process, you go to run and type in "msconfig". There, on the services/start up tabs, you can configure your system boot settings.

I used to have a virus on my comp that did something similar. Usually, its hackers who jack your comp and make it a part of a global network, I forget what this process is popularly called by.
Anyway, try shutting the internet down, maybe that makes the process inactive. In any case, if you can get msconfig to open up, you can directly force this process to not run.

 

[anantchowdhary]

Ive tried everything.I know abt msconfig and it works on vista.But still its of no help.Would you like a screenshot of the thread as seen on process explorer?

Thnx

 

[BoredNL]

In Windows XP there's three separate ways a file can be run. You will want to check all of these places to see where this file is running from to disable it cleanly. To simply find out where the file is so that you can rename it, use http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx"" or you can do it manually if AutoRuns doesn't work for you.

For manual removal of startup items in Windows XP a startup program/file can be located in:
1. The startup folder in the "Programs" or "All Programs" dropdown folder in the start bar. (You'd disable the file from running by deleting the shortcut or moving it elsewhere)
2. In the msconfig utility, there are the "services" and the "startup" tab (you uncheck the file from running).
3. From the registry (This for both local and all users - I'm not sure if this is the same in windows vista - You would disable the file by deleting the registry key). I'll list a full list below with descriptions for WinXP:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
– these programs automatically start when any user is logged in. It is used for all users on this computer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
– The programs here start only once when any user is logged in and will be removed after the Windows boot process would have finished.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
– The programs here start only once when any user is logged in and will be removed after the Windows boot process would have finished. Also the RunOnceEx registry key does not create a separate processes. The RunOnceEx registry key also support a dependency list of DLLs that remain loaded while either all the sections or some of the sections are being processed.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
– these programs automatically start when the system is loading before the user logs in. It is used for service applications - antivirus, drivers etc. In Windows NT/2000/XP it could be canceled by admin to use other service startup sections. Read more at services startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
– these programs automatically start only once when the system is loading as service application and items are deleted after the Windows boot process have finished.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
– The programs here automatically start when the current user logs in. It is used only for current logoned user.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
– The programs here automatically start only once when the current user logs in and it will be deleted after the Windows boot process would have finished.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
– The programs here automatically will be copied into HKEY_CURRENT_USER\...\Run for every new user account.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
– The programs here automatically will be copied into HKEY_CURRENT_USER\...\RunOnce for every new user account.Well, I hope this helps. :)

Edit: The forum added the spaces in "CurrentVersion" for some reason, they are not there in the registry or in the text I wrote here.

 

[anantchowdhary]

thanks for all the help.But i am referring to a thread run by explorer.exe!

Anyways Ill try out ur recommedations

 

[BoredNL]

It might not be window's explorer, it could be a virus or trojan pretending to be.

Don't rename "c:\windows\explorer.exe"

Explorer is used for a variety of things. You can open files with explorer.exe (such as text files. If I try to open an extremely large file with it, it might behave in the same manner that yours is). You can use the "bring to front" option in Process Explorer to see which window is giving the problem.

 

[BoredNL]

Oh, something else you might find useful:

When using "Process Explorer" locate the instance of explorer that is eating up all your resources, right click on hit, and hit "suspend." This will put the program on hold without closing it. You can resume at any time.

 

[anantchowdhary]

so how will suspend help me in removing that thread forever?

 

[robphy]

Ive tried everything.I know abt msconfig and it works on vista.But still its of no help.Would you like a screenshot of the thread as seen on process explorer?

Thnx

Yes, show a screenshot.

I'm not sure if this is helpful for stopping the process: pskill
http://www.microsoft.com/technet/sysinternals/utilities/pskill.mspx
You could write a small batch file that can be run from the "Start Up" folder.

 

[ukmicky]

when you rename nxaEA8A.tmp and restart your machine does explorer exe create a new file with the same name , if it dosent and your pc is running fast with it renamed then just leave it with its new name so it not accessed anymore and in few weeks or months delete it unless you experience problems..

 

[BoredNL]

You can find out more information about what explorer.exe is running while it is suspended without having to deal with it slowing the computer down at the same time.

It sounds like you might have a startup entry somewhere starting the .tmp file, which is why I said for you to disable that. To find out where the .tmp file is located, you might be able to use the programs I listed to find it easily, or you can just use your windows search to find it. Once you find it, kill the explorer.exe that is causing the problem and rename the .tmp file. Then report back here with the results of doing so. We need to know what happens when you do that to assist you further.

Process Explorer will tell you more information about the .tmp file than CTRL + ALT + Del (Windows Task Manager), such as giving a tree view of processes. You might see that another program is running alongside with the explorer.exe and .tmp file and so identify the program causing the problem.

 

[anantchowdhary]

thnx fr all the help...heres the link to the screenshot...and i can't find the tmp file http://img2.freeimagehosting.net/uploads/d11387a1ad.jpg

 

[robphy]

I think you get the path of the file if you click on "Module" or "Stack"... i forget which.

Googling Nmudp... yields some results that look associated with networking.. in delphi or pascal.
Run tcpview (or possibly study the "TCP/IP" tab) to see if it's connected to an external port.

 

[anantchowdhary]

Thnx a lot.I found the tmp file but i can't delete it even after i kill the thread!

 

[robphy]

What was the path of the .tmp file?

Did you see (using TCPView http://www.microsoft.com/technet/sysinternals/utilities/TcpView.mspx ) if it was connected to an outside network port?

Either http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Handle.mspx or http://ccollomb.free.fr/unlocker/ might help identify what is preventing the deletion and then help free the program and let you delete it. Otherwise, you might have to either reboot, boot to DOS, or boot to linux (via a Knoppix LiveCD) to delete it.

 

[anantchowdhary]

thnx a lot for ur help!

 

[BoredNL]

I have a very easy and simple solution to removing a file that won't go away.

First open notepad. Write the following into notepad (replacing "-directory-" with the actual directory that the .tmp file is in):

@cd -directory-&ren nxaEA8A.tmp nxaEA8A.tmp.disabled

(if the file is located in "c:\windows\system32", then the line should look like this:
@cd c:\windows\system32&ren nxaEA8A.tmp nxaEA8A.tmp.disabled

In notepad, save the file as "c:\rentmp.bat"

Then go to "start", "run" and type in "Regedit". Run the program. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce and right click on the right side of the window. This will open a dropdown menu, hit "new" and select "string value". It looks like you created a file and can change the name. Name it whatever you want then hit enter. Right click on it and hit "Modify." In "value data:" put "C:\rentmp.bat"

Close regedit and reboot your computer. After you've started again, browse to the directory. If the file is gone and you see "nxaEA8A.tmp.disabled" then just delete "C:\rentmp.bat". If it's still there, let us know.

 

[anantchowdhary]

I deleted the file using Safe Mode.Thnx a lot everyone fr ur help!