High CPU usage in explorer.exe / ntdll.dll

[Pathogenix]

Hi, I'm having persistent high-cpu usage problems with explorer.exe -
the process slowly creeps up until it eats all the available resources,
the problem is intermittent and I can't find any obvious causes.

Process Explorer shows that ntdll is the thread responsible; restarting
explorer.exe provides a temporary fix. Interestingly, when I tried to
view the stack for ntdll (out of idle curiosity), the machine hung
badly, and when I killed process explorer my CPU usage flatlined again.

Currently running Windows XP SP 2.0 with all patches applies, the
machine checks out clean for malware. Any suggestions?

 

[Gerry Cornell]

A thought. Are you sure it is ntdll.dll? Where is the ntdll.dll shown as
being
located when seen in Process Explorer?

Go to Start, Control Panel, Folder Options, View, Advanced Settings and
verify that the box before "Show hidden files and folders" is checked and
"Hide protected operating system files " is unchecked. You may need to
scroll down to see the second item. You should also make certain that the
box before "Hide extensions for known file types" is not checked. Next in
Windows Explorer make sure View, Details is selected and then select
View, Choose Details and check before Name, Type, Total Size, and
Free Space.

Now using Windows Explorer search for "ntdll.exe". If you get a result
you are most likely looking at a worm. The normal windows file is
ntdll.dll!

Otherwise are you getting any Warnings / Error Reports in Event Viewer

--

Hope this helps.

Gerry
~~~~
FCA
Stourport, England

Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~

 

[Pathogenix]

Just managed to catch the bug in the wild, and yes, it's ntdll.dll. As
I said, I'm 99.9% positive that my box is malware free.

Specifically, it's calling ntdll.dll!RtlAllocateHeap+0x18c

Nothing interesting in the event logs barring the usual ASP.Net
unhandled exceptions (must get round to building the exception handler)
and the application hang for procexp.

Cheers for your help,

-- Bob

 

[Gerry Cornell]

Could it be an element of customisation working against you?
This link made me wonder:
http://snipurl.com/nq97

and this:
http://snipurl.com/nq9f

Are you using Fastfind?

--

Hope this helps.

Gerry
~~~~
FCA
Stourport, England

Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~

 

[Pathogenix]

The only heavy shell extension I've got installed is for Tortoise's
Subversion client. I'll have a look at RegMon and see if it points out
any more useful information.

Most of the useless services that ship with Bloatware XP are disabled
on this machine, and I've been careful to keep installs to a minimum,
'cos I dual-boot in to Linux when I want to play and use XP for work
only.

Cheers for taking time to help

 

[Ron Martell]

Hi, I'm having persistent high-cpu usage problems with explorer.exe -
the process slowly creeps up until it eats all the available resources,
the problem is intermittent and I can't find any obvious causes.

Process Explorer shows that ntdll is the thread responsible; restarting
explorer.exe provides a temporary fix. Interestingly, when I tried to
view the stack for ntdll (out of idle curiosity), the machine hung
badly, and when I killed process explorer my CPU usage flatlined again.

Currently running Windows XP SP 2.0 with all patches applies, the
machine checks out clean for malware. Any suggestions?

High CPU usage by Explorer.exe is almost always associated with a
Sypyware/Trojan infestation.

What malware prevention and/or removal software are you using?

Try at least one of the following free online scanners to get a
"second opinion" regarding your system:
Trend Micro http://housecall.trendmicro.com
Kaspersky Online Scanner http://www.kaspersky.com/virusscanner
Panda ActiveScan http://www.pandasoftware.com/activescan
WindowSecurity.com TrojanScan http://windowssecurity.com/trojanscan
Webroot http://www.webroot.com/

Good luck

Ron Martell Duncan B.C. Canada
--
Microsoft MVP (1997 - 2006)
On-Line Help Computer Service
http://onlinehelp.bc.ca

"Anyone who thinks that they are too small to make a difference
has never been in bed with a mosquito."

 

[Pathogenix]

Sorry for the delay - I had used a free online scanner to back up my
scans with Ewido and Spyware S&D. There was no malware. The problem
stopped as suddenly as it had begun - no idea about the cause, no idea
what the fix was, but my CPU is behaving itself. Weird.

 

[herbzee]

Sorry for the delay - I had used a free online scanner to back up my
scans with Ewido and Spyware S&D. There was no malware. The problem
stopped as suddenly as it had begun - no idea about the cause, no idea
what the fix was, but my CPU is behaving itself. Weird.

Getting in on the thread; I suspect hi CPU usage in my machine, how does
one tell?

 

[Pathogenix]

ctrl-alt-del

Task manager will give you some basic info on CPU usage, memory usage
et al. For a much nicer experience all round, I recommend Process
Explorer available from www.sysinternals.com

Set it to replace Task Manager and it will sit in your system tray so
you can keep a real-time eye on CPU usage. It's nice because it makes
it much easier to narrow down the potential culprits for resource
gobbling, and lets you kill processes owned by other users (note to
girlfriend: please close apps when you log off, my compile times are
slow enough already)