Archive for January, 2006

Explorer.exe 100% CPU usage after login (webcpl.dll)

Explorer.exe started using 100% CPU about 5 minutes after login. The user had run Spybot, Ad-Aware, and Trend Micro scans and nothing showed up. I took a look at the startup items with msconfig and couldn’t find anything myself. I first ran Process Explorer and couldn’t find anything obvious that was hooked into explorer.exe that would cause the problem (moral of the story: I didn’t know how to use Process Explorer). I ran TCPView and noticed that at login, explorer.exe was trying to connect to an intercage.com IP address (which didn’t respond to pings). As soon as the TCP connection died, explorer.exe CPU usage jumped to 100%. If I end-tasked explorer.exe and re-ran it, it wouldn’t try to make the connection again and it would never use 100% CPU again. If I booted up without a network connection, everything was okay. Once I connected though, explorer.exe would try to make the TCP connection with the mysterious IP again.

After tons and tons of troubleshooting (Filemon, Regmon, SFC, etc.) and searching for solutions (”explorer.exe 100% cpu”, “explorer.exe 99% cpu”, “explorer.exe 90% cpu”, “explorer.exe syn_start”, “explorer.exe close_wait”, “OMG!”), I took a deeper look at Process Explorer’s features. I thought all I could do with the program was look at (and close) the open handles of a process with the main window but if you right-click on a process and go to Process Properties, there’s also a useful Threads tab. In this tab, I was able to find a thread which was created by (right?) webcpl.dll and was using 100% CPU. I was able to kill the thread and voila! Explorer.exe was acting normal again. I found the culprit in %windir%\system32. I opened the file up in Notepad and I found a reference to the IP that TCPView showed. I deleted the file, found one reference in the registry to the DLL, and deleted that (probably should’ve unregistered it instead?).

Now everything is happy. Explorer.exe is no longer trying to connect to the IP and it doesn’t use up the CPU. I searched for more information about the DLL but all I could find was a forum thread about Panda Antivirus detecting it as the Downloader.GRG trojan and not being able to delete it. Panda’s site didn’t have much information about it though. Oh well.

35 comments January 12th, 2006 at 04:32pm


Calendar

January 2006
S M T W T F S
« Dec   Feb »
1234567
891011121314
15161718192021
22232425262728
293031  

Posts by Month

Posts by Category