high CPU usage - not malware

Status
Not open for further replies.
Am just running out so just a quick note...

1. Have you verified the versions you're running of the two dll's noted for explorer?... something like schwap.dll and stobject i mentioned in prior post

2. if u felt like doing the event log clear/reboot/etc., save and post the .evt files for Application and System (note this was edited to fix Security should say System) i'd take a look when back home later

3. the questions on firewall, router connection had to do w/whether you could just leave ALG disabled but not an issue now as you said you tried it when disabled and no diff.
 
LookinAround

SHLWAPI.dll is in the windows\system32 directory, is 463 kb, was created on August 4, 2004, and was modified on April 18, 2007. The file version is 6.0.2900.3121. Is it suspicious this file was modified in 2007?

stobject.dll is in the windows\system32 directory, is 119 kb, was created on August 4, 2004, and the modification date also shows August 4, 2004. The file version is 5.1.2600.21800.

I cleared the event logs, rebooted, played around with Process Explorer a little, then ran Event Log Explorer. There are no events under Application, Security or System other than information events.

I am really suspicious of that April 2007 modification of SHLWAPI.dll. I am going to look for a known legitimate version on the web and download it. I won't install it until I have your comments.

Roy
 
Interesting....

I am using SHLWAPI.DLL 6.0.2900.2995 last modified Sept, 2006

but don't try to change it yet until we figure out what's going on/why it is different (it may just be one file of a set of things that need to occur, for example)

fyi. i apply MS updates unless they sound useless for my configuration. so do want to see why you might be more recent than mine (or if it's bogus)
 
Are you using Internet Explorer 6???? At least i know where your dll came from then. Tho it's a good suspect to pursue still don't know if that's your issue yet or not. Does the KB below show up in add/remove (be sure to check Show Updates at the top)? If so try uninstalling it.

I may not be back at my computer for awhile... but will check back in when i can.

btw, you can't simply overwrite a .dll (if that's what you were thinking). Don't know if you're familiar with SFC? System File Checker? it will keep putting the system version back.

windowsxp-kb933566-x86-enu.exe
Affected products and service packs:

Internet Explorer 6
- Windows XP Service Pack 2
Download update >>>
4.4 MB

File Changes:

file new date new version
%winsys%\shlwapi.dll 2007-04-18 6.0.2900.3121
%winsys%\browseui.dll 2007-04-18 6.0.2900.3121
%winsys%\cdfview.dll 2007-04-18 6.0.2900.3121
%winsys%\dxtmsft.dll 2007-04-18 6.3.2900.3121
%winsys%\dxtrans.dll 2007-04-18 6.3.2900.3121
%winsys%\extmgr.dll 2007-04-18 6.0.2900.3121
%winsys%\iepeers.dll 2007-04-18 6.0.2900.3121
%winsys%\inseng.dll 2007-04-18 6.0.2900.3121
%winsys%\jsproxy.dll 2007-04-18 6.0.2900.3121
%winsys%\mshtml.dll 2007-05-04 6.0.2900.3132
%winsys%\mshtmled.dll 2007-04-18 6.0.2900.3121
%winsys%\msrating.dll 2007-04-18 6.0.2900.3121
%winsys%\mstime.dll 2007-04-18 6.0.2900.3121
%winsys%\pngfilt.dll 2007-04-18 6.0.2900.3121
%winsys%\shdocvw.dll 2007-04-18 6.0.2900.3121
%winsys%\urlmon.dll 2007-04-18 6.0.2900.3121
%winsys%\wininet.dll 2007-04-18 6.0.2900.3121
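
Added example (not part of the original thread, and not from either poster): a Python sketch of the check carried out by hand in the posts above, deciding whether an unexpected system DLL version is accounted for by a known update's file list. The manifest rows and observed versions are copied from the thread; the function names are illustrative.

```python
import re

# Rows copied from the KB933566 file list quoted in the thread (subset).
KB933566 = r"""
%winsys%\shlwapi.dll 2007-04-18 6.0.2900.3121
%winsys%\browseui.dll 2007-04-18 6.0.2900.3121
%winsys%\mshtml.dll 2007-05-04 6.0.2900.3132
%winsys%\wininet.dll 2007-04-18 6.0.2900.3121
"""

# File versions as reported by the two posters in the thread.
OBSERVED = [
    ("SHLWAPI.dll", "6.0.2900.3121"),
    ("SHLWAPI.DLL", "6.0.2900.2995"),
    ("stobject.dll", "5.1.2600.21800"),
]

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so versions compare numerically."""
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def parse_manifest(text):
    """Map lowercase file name -> (file date, version tuple) from 'path date version' rows."""
    manifest = {}
    for row in text.splitlines():
        fields = row.split()
        if len(fields) != 3:
            continue  # blank or malformed row
        path, date, version = fields
        manifest[path.rsplit("\\", 1)[-1].lower()] = (date, parse_version(version))
    return manifest

def classify(name, version, manifest):
    """Say whether an observed file version is accounted for by the update."""
    entry = manifest.get(name.lower())
    if entry is None:
        return "not-in-update"
    observed, shipped = parse_version(version), entry[1]
    if observed == shipped:
        return "matches-update"
    return "older-than-update" if observed < shipped else "newer-than-update"

def triage(observed, manifest):
    return [(name, version, classify(name, version, manifest)) for name, version in observed]

if __name__ == "__main__":
    for name, version, verdict in triage(OBSERVED, parse_manifest(KB933566)):
        print(f"{name:14} {version:16} {verdict}")
```

A version match explains the modification date; it does not by itself prove the file is genuine, which takes a signature or hash check against the vendor's package.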
 
Amazing what else one can find once knowing what to look for!

The file date you see on that shlwapi.dll version .3121 is April 18, 2007 but it was just released as part of a cumulative install June 12, 2007! So the problem would have just started about 4 weeks back.
MS07-033: Cumulative Security Update for Internet Explorer, KB933566

Seems some people have crashed clicking on folders, some found installations won't work and/or TCP/IP port creation fails (you sure no entries appeared in that event log?)

Maybe you had port creation problems as well. Like I had said other day, when i ran Process Monitor and looked for similar tcpip messages i was flooded with those messages tho still running normal. It sounds like maybe you had a tsunami and i couldn't tell from reading the post online!

Hope this works for you.
 
LookinAround

I'm sorry I don't understand, but what is it you hope works for me?
Are you telling me to load that security update?

Roy
 
No problem.

I found
  1. Shlwapi.dll version 6.0.2900.3121 was released as part of a MS security update kb933566
  2. That particular update was packaged along with several other updates and released by MS mid-June as Cumulative.... (see post i made couple posts back)
  3. I'm pretty certain based on version number you downloaded and installed that Cumulative package (which includes kb933566). When u installed the cumulative you got that one which put the new .dll on your computer
  4. Still don't know that that particular version is your problem but i have seen others reporting problems (tho not same as yours) when installing that particular Cumulative patch
  5. So i think it's worth the try to remove the kb933566 update (which should revert the dll's it gave you) using Add/remove programs per my earlier post. Later should u want the patch reapplied, i would think you should find it on MS website, download it and reapply.
In fact, would you say the problem might have first started mid-June?
 
LookinAround

Actually, I think I picked up that version when I recently ran the latest SP2 update for windows. I had read some threads that indicated SP2 fixed some issues related to high CPU usage, so I downloaded and installed the latest version. I already had SP2, but was unsure if there had been updates that would make it worthwhile to re-install it so I did. I had the high CPU usage problem prior to doing this.

Roy
 
First, so around when did your problem first start (as best you remember)?

Second, the system spec you listed way back when is XP SP2 v5.1 build 2600 (which is typical). It was released Aug, 2004.
  • When you said
    I already had SP2, but was unsure if there had been updates that would make it worthwhile to re-install it so I did
  • Are you saying you reinstalled SP2, the entire Operating System?? And the problem was there even before reinstalling the entire Operating System? Or you mean you reinstalled specific updates? you remember around when u did this by chance?
  • How do you typically look for SP2 updates? Do you use Windows Update (now Microsoft Update)? Do you do Express or do you do Custom Updates?
You can see the what/when for each install by going to the windows or microsoft update page as usual. then click review update history u'll see on the left of the window
 