high CPU usage - not malware

Status
Not open for further replies.

2kg4u

Posts: 46   +0
My computer has slowed right down, and task manager shows abnormally high CPU usage. When the system is idle, with no applications other than Task Manager running, CPU usage is 15%, with explorer.exe at 11% and taskmgr.exe at 4%. I had a thread open in the Security and the Web forum for the past ten days, and with the help of the resident experts there we cleaned any and all nasties off my system. This did not resolve the high CPU usage problem, so it was suggested I start a new thread here.

Some symptoms:
- CPU usage in Safe Mode is normal, 1% for taskmgr.exe, 99% System Idle
- opening any application (in normal mode) immediately spikes CPU usage up to 100% for several minutes

When I use Sysinternal's Process Explorer to see what processes are running beneath explorer and taskmgr, I get the following:

- explorer.exe ........ 6% SHLWAPI.dll ....... 5% stobject.dll
- taskmgr.exe ........... 4% taskmgr.exe+0x5944

When I run Process Monitor, the following 9 lines keep repeating continuously:

7378 1:07:15.3898193 AM Explorer.EXE 1340 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Linkage\Bind SUCCESS Type: REG_MULTI_SZ, Length: 132, Data: \Device\{DE0FFF0F-625E-41E2-821C-885989DB4024}, \Device\NdisWanIp
7379 1:07:15.3938388 AM Explorer.EXE 1340 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Linkage\Bind SUCCESS Type: REG_MULTI_SZ, Length: 132, Data: \Device\{DE0FFF0F-625E-41E2-821C-885989DB4024}, \Device\NdisWanIp
7387 1:07:15.5072602 AM Explorer.EXE 1340 RegOpenKey HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DE 0FFF0F-625E-41E2-821C-885989DB4024} SUCCESS Desired Access: Read
7388 1:07:15.5096666 AM Explorer.EXE 1340 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DE 0FFF0F-625E-41E2-821C-885989DB4024}\EnableDHCP SUCCESS Type: REG_DWORD, Length: 4, Data: 1
7389 1:07:15.5136968 AM Explorer.EXE 1340 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DE 0FFF0F-625E-41E2-821C-885989DB4024}\LeaseObtainedTime SUCCESS Type: REG_DWORD, Length: 4, Data: 1184473772
7392 1:07:15.6255741 AM Explorer.EXE 1340 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DE 0FFF0F-625E-41E2-821C-885989DB4024}\LeaseTerminatesTime SUCCESS Type: REG_DWORD, Length: 4, Data: 1184525336
7393 1:07:15.6295721 AM Explorer.EXE 1340 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DE 0FFF0F-625E-41E2-821C-885989DB4024}\DhcpServer SUCCESS Type: REG_SZ, Length: 24, Data: 192.168.1.1
7394 1:07:15.6334997 AM Explorer.EXE 1340 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DE 0FFF0F-625E-41E2-821C-885989DB4024}\DhcpServer SUCCESS Type: REG_SZ, Length: 24, Data: 192.168.1.1
7395 1:07:15.7086749 AM Explorer.EXE 1340 RegCloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DE 0FFF0F-625E-41E2-821C-885989DB4024} SUCCESS

What is this process that explorer.exe keeps opening?

I have disabled most of the unnecessary services, uninstalled all applications I don't use, deleted all unnecessary files, reinstalled the latest SP2, and updated most of my drivers.

My system specs:
- Windows XP5.1 (build 2600) Service Pack 2
- IE 6.0.2900.2180
- 2048 Mb RAM ( 2 X 1024 Mb DDR-SDRAM 166.7 Mhz (PC2700))
- Intel Pentium 4 CPU 1.80 Ghz
- AiS 7012 Wave sound card
- NVIDIA GeForce3 Ti 200 display adapter
- SiS 900 PCI Fast Ethernet Adapter
- ECS M935LR Mobo with SiS 650 + 85C503/5513/961 chip set
- American Megatrends BIOS, version 07.00T, released 04/02/01

Any and all help / advice is appreciated.

Roy
 
It appears something is trying to work your TCP/IP connection - the usual suspects here are update programs run amuck.
 
how do I fix that?

How do I un-amuck them? Can I temporarily disable TCP/IP to test the theory?

Roy
 
The thing is, the TCP/IP isn't causing it - the updaters might be.

I don't run much of that kind of thing so someone else will have to guide you here.

Check msconfig and HijackThis for running updaters, etc .

gl

:)
 
updater?

CCT

If you mean automatic updates, I disabled all of them a while back .... windows, AVG, Java, etc.

Roy
 
Sorry - I have limited knowledge about this issue beyond update problems - jobeard is one of the network gurus's here - pm him.

Failing that, try a post at Windrivers - some great people there also.

:)
 
don't know what the problem is but can tell you

Out of curiousity i just ran Process Monitor on my system and set the filter to trap all entries with "tcpip" in the path (all ur msgs u show are set as such) and I am flooded with similar messages and while my computer is running as usual.. so the entries you're worried about may be a red herring and not the problem (they are occurring and certainly not a problem on my computer)
 
you bet... here's a couple other things u might do/look at (if u haven't already)

  1. Make sure your anti-virus and spyware definitions are up to date and run a full scan of your computer
  2. Look in the event logs and see if any interesting looking messages are in there. fyi.. freeware tool Event Log Explorer is a handy way to take a look and filter out all the INFORMATION type messages (use View/Filter)
  3. The Microsoft presentation you;ll find at this link is several years old but still a good checklist for things to look for. Certainly pay attention to possible disk errors or virtual memory issue as they're two areas which can cause problems as you describe (tho certainly not the only things that can cause it)
p.s. do look in event log but i've learned to take things in there with a "grain of salt". i've seen things happen that aren't logged and some things labeled WARNING or ERROR are not necessarily problems. But certainly take a look and see.
 
When you look at msconfig, under Services shut off the Windows view and look carefully at what is left - uncheck ALL the boxes as a temporary measure and reboot.

Any change? If so, re-enable a couple at a time until you find the culprit. If not, re-check the boxes and then look under Startup. Uncheck 4 at a time and reboot and see if the problem stopped. Alternate until you have gone through the whole lot.
 
thanks LookinAround and CCT

LookinAround,

In response to your suggestions:
1. I ran a thread in the malware forum for about 10 days before I started a thread here. After numerous scans of all types, and evaluation of my HJT logs, I was given a clean bill of health by the tech experts in that forum. I'm not saying it can't possibly be malware, but if it is, it is hidden too well.
2. I ran the program you gave me for looking a event logs. After filtering out information type messages, I have 212 system errors, and 42 application errors. Having this information is like having a date with a beautiful woman; you know its a good thing to have, but now that you have it you don't know what to do with it. What should I look for?
3. I pretty much have already covered all the points in that article you had me read.

CCT,
I already had tried shutting off all but Windows services, and it did not improve CPU usage. I tried it again tonight and the CPU usage with all non-Microsoft services turned off is the same as in full normal mode. However, armed with the knowledge that CPU usage is normal in safe mode, and the fact that non-MS services seem to not be the problem, I like your idea of alternating which MS services I shut down between reboots to see if I can find the culprit. That may take a couple of days, so I will get back to you on the results.

In the meantime, if you guys, or anyone else, have and other thoughts or ideas, fire them my way.

Thanks for taking the time to try to help.

Roy
 
did it already

I probably ran through Howard's full process at least 3 times if not more, in addition to running a host of other malware detectors.

Roy
 
shut down services

CCT,

I shut down services 6 at a time (except essential services) and the one that made the most difference (when shut down) was Network Connections.

Cpu usage before shutting down Network Connections:
Explorer 9%
Taskmgr 3%

CPU usage with Network Connections shut down:
Explorer 2%
Taskmgr 3%

Cpu usage in safe mode:
Explorer 0%
Taskmgr 1%

Therefore, there is still something using CPU.

Next I am going to try shutting down services 6 at a time again, but this time with Network Connections shut down all the time. I am looking to see if another service shut down at the same time as Network Connections gets me to lower CPU usage.

No more tonight though. Bed time.

Roy
 
if u're cpu is being used for the network which it is and more if u have an onboard network card it will be working any time there is anything on the network working
 
network usage

nickc,

I pretty much assume that just because Network Connections is the service that is using the CPU doesn't mean it is the problem. Now I have to find out what is accessing the network through Network Connections, when there shouldn't be anything.

Does anyone know of a way to find out which applications are accessing the network at any given time?

Roy
 
Here's some thoughts. You;d have to take a look and see how suitable they might be to helping in your situation.
  1. Keeping an eye on active ports check out freeware tools
    • Currports from nirsoft.net
    • TCPview from sysinternals.com (or whatever Microsoft is calling it after buying it, i forget the new name)
  2. Trying to determine service usage using process explorer again
    • Select the busy CPU process. Right click for Properties and click Thread tab
    • Order the threads by CPU usage
    • Look at the names on the stack of the busy threads. You can sometimes figure out the service name or what else it might be based on symbols in the stack
 
processes running under explorer.exe

I will try those tools for monitoring internet activity when i get home tonight.

Regarding your other suggestion I already used Sysinternal's Process Explorer to see what processes are running beneath explorer and taskmgr, and I got the following:

- explorer.exe ........ 6% SHLWAPI.dll ....... 5% stobject.dll
- taskmgr.exe ........... 4% taskmgr.exe+0x5944

As far as I can tell by googling, these are legitimate applications. Do you read anything into this?

Roy
 
Don't see anything jumping out as wrong but
  1. I did look quick online and see shlwapi.dll has been involved in a number of different Windows bugs/issues
    • Use Process Explorer to see what version of shlwapi.dll you have loading and being used by Explorer. I have v6.00.2900.2995 which i believe is correct version
    • Search the drive for shlwapi.dll. I'm assuming you know how to use Explorer to set file options such that you make sure all system and hidden files are displayed so the search looks at everything. should just find one in /windows/sys32 with the right version
    • Do same for stobject.dll too just for yucks. I have 5.01.2600.2180
  2. Try Event Explorer one more time. This time
    • Clear each of the logs out
    • Reboot your machine
    • Let machine come up, get stable and run its usual busy CPU. Now go look in the logs again filtering out INFORMATION. Still too much to look through or too much to post System and Applications post after u cleared them and reboot
 
btw... as i see u mentioned some change w/disabling the network connection service, have you tried leaving the network connections service running but Disable each network connection showing in the net connection applet?
 
network connections

LookinAround,

No, I haven't tried disabling the network connection, but I did disconnect the cable to the router. Didn't make a difference. I will try various things when I get home tonight.


Roy
 
TCPView

Lookinaround,

I attached a TCPView text file taken with the computer at idle and no IE windows open. I don't know what to look for. Do you see anything out of line?

Roy
 
Hey there.

This could be a long shot but it worked for me when I noticed my PC slowing dramatically and high CPU usage was the bane of my life:

https://www.techspot.com/vb/topic79860-2.html

It was nothing to do with malware, updates or any other such 'problem'. My PC had simply decided to change one of it's most important settings!

Got to be worth a try. If it's not your problem then good luck with finding out whatever is.

G
 
Nothing out of line, but

  1. When you said
    NO IE windows open
    I wanted to make sure we're in sync with some terms we're using As I recall, your previous data kept referencing explorer.exe (which is Windows Explorer) and not IE (Internet Explorer or iexplore.exe)
  2. Not stands out but.... but alg.xe is Application Layer Gateway. Would like to see you try running with ALG service disabled. What is it set at now? Do you use Windows Firewall or someother firewall? (better if not windows firewall).
    Do you have a simple computer-> router -> calbe to/from Internet? Or different arrangement?
 
Gazington, LookinAround, CCT

Gazington,

I hadn't read that article, but I had seen another that explained basically the same process. When I checked, I was already set to Ultra DMZ Mode 2. Thanks for the suggestion.

LookinAround,

You assumption is correction. I understand that explorer.exe (which is the process using high CPU) is windows explorer which manages desktop functions, as opposed to IE or Iexplorer.exe which is the internet browser. The only reason I mentioned IE in my post was because I provided a log from TCPView which would have shown an entry if IE was running, so I told you it was not.

I disabled the Applications Layer Gateway service, rebooted, and there is no noticable effect on CPU usage. It is still showing explorer.exe at 8% and taskmgr.exe at 3%. I will now re-enable ALG.

This computer is a desktop, and is set up right next to my wireless router. It is hard wired from a port on the wireless router to an ethernet port on the desktop. I am hard wired from the ISP modem to the wireless router to this computer. All the other other computers in the house are wireless, this one is not.

I am currently using the Windows firewall. I used Zone Alarm for a few weeks and found it intrusive. I can try switching back to Zone Alarm if you think that would help, but I don't think that decision is related to the CPU usage problem.

CCT,

Did you see my previous note where after selectively shutting down all services, the only one that made a significant difference was Network Connections. When I shut that down, explorer.exe CPU usage dropped from 9% to 2%.

Thanks everyone for all your suggestions. Even the ones that don't improve the CPU usage situation are teaching me a lot about my puter.

Roy
 
Status
Not open for further replies.
Back