Inactive Explorer.exe is hogging memory

Status
Not open for further replies.
Sorry about that- my bad!

Download SystemLook-x64.exe and save to desktop.
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    exlorer.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

I think the directions should be the same.
 
You missed the 'p' from explorer.exe, so I took the liberty of adding it. Here are the results:

SystemLook 30.07.11 by jpshortstuff
Log created at 15:55 on 27/08/2011 by Gareth
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"
C:\Restored\explorer.exe --a---- 2870272 bytes [22:10 09/08/2011] [06:23 26/02/2011] 0862495E0C825893DB75EF44FAEA8E93
C:\Windows\explorer.exe --a---- 2871808 bytes [13:47 28/04/2011] [06:19 25/02/2011] 332FEAB1435662FC6C672E25BEB37BE3
C:\Windows\ERDNT\cache86\explorer.exe --a---- 2871808 bytes [14:21 19/08/2011] [06:19 25/02/2011] 332FEAB1435662FC6C672E25BEB37BE3
C:\Windows\SysWOW64\explorer.exe --a---- 2616320 bytes [13:47 28/04/2011] [05:30 25/02/2011] 8B88EBBB05A0E56B7DCC708498C02B3E
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_ada998b9936d7566\explorer.exe --a---- 2868224 bytes [23:56 13/07/2009] [01:39 14/07/2009] C235A51CB740E45FFA0EBFB9BAFCDA64
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_adff19b5932d79ae\explorer.exe --a---- 2868224 bytes [05:09 16/07/2010] [05:09 16/07/2010] F170B4A061C9E026437B193B4D571799
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16434_none_addea9f19345cd81\explorer.exe --a---- 2868736 bytes [05:09 16/07/2010] [05:09 16/07/2010] 6D4F9E4B640B413C6F73414327484C80
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_adc508f19359a007\explorer.exe --a---- 2870272 bytes [05:09 16/07/2010] [05:09 16/07/2010] 9AAAEC8DAC27AA17B053E6352AD233AE
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_adc24107935a7e25\explorer.exe --a---- 2870272 bytes [13:47 28/04/2011] [06:23 26/02/2011] 0862495E0C825893DB75EF44FAEA8E93
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_ae84b558ac4eb41c\explorer.exe --a---- 2868224 bytes [05:09 16/07/2010] [05:09 16/07/2010] 700073016DAC1C3D2E7E2CE4223334B6
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20542_none_ae5b763cac6d568e\explorer.exe --a---- 2868736 bytes [05:09 16/07/2010] [05:09 16/07/2010] CA17F8620815267DC838E30B68CB5052
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_ae46d6aeac7ca7c7\explorer.exe --a---- 2870272 bytes [05:09 16/07/2010] [05:09 16/07/2010] B8EC4BD49CE8F6FC457721BFC210B67F
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_ae79ed04ac56c4a9\explorer.exe --a---- 2870784 bytes [13:47 28/04/2011] [06:26 26/02/2011] E38899074D4951D31B4040E994DD7C8D
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe --a---- 2872320 bytes [12:27 21/06/2011] [13:24 20/11/2010] AC4C51EB24AA95B77F705AB159189E24
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe --a---- 2871808 bytes [13:47 28/04/2011] [06:19 25/02/2011] 332FEAB1435662FC6C672E25BEB37BE3
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe --a---- 2871808 bytes [13:47 28/04/2011] [06:14 26/02/2011] 3B69712041F3D63605529BD66DC00C48
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_b7fe430bc7ce3761\explorer.exe --a---- 2613248 bytes [23:41 13/07/2009] [01:14 14/07/2009] 15BC38A7492BEFE831966ADB477CF76F
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_b853c407c78e3ba9\explorer.exe --a---- 2613248 bytes [05:09 16/07/2010] [05:09 16/07/2010] B95EEB0F4E5EFBF1038A35B3351CF047
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16434_none_b8335443c7a68f7c\explorer.exe --a---- 2613248 bytes [05:09 16/07/2010] [05:09 16/07/2010] FC89FACA0473641CB625EDA9277D0885
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_b819b343c7ba6202\explorer.exe --a---- 2614272 bytes [05:09 16/07/2010] [05:09 16/07/2010] 2626FC9755BE22F805D3CFA0CE3EE727
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_b816eb59c7bb4020\explorer.exe --a---- 2614784 bytes [13:47 28/04/2011] [05:33 26/02/2011] 2AF58D15EDC06EC6FDACCE1F19482BBF
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_b8d95faae0af7617\explorer.exe --a---- 2613248 bytes [05:09 16/07/2010] [05:09 16/07/2010] 9FF6C4C91A3711C0A3B18F87B08B518D
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20542_none_b8b0208ee0ce1889\explorer.exe --a---- 2613248 bytes [05:09 16/07/2010] [05:09 16/07/2010] 00B0358734CAA32C39D181FE6916B178
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_b89b8100e0dd69c2\explorer.exe --a---- 2614272 bytes [05:09 16/07/2010] [05:09 16/07/2010] C76153C7ECA00FA852BB0C193378F917
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_b8ce9756e0b786a4\explorer.exe --a---- 2614784 bytes [13:47 28/04/2011] [05:51 26/02/2011] 255CF508D7CFB10E0794D6AC93280BD8
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe --a---- 2616320 bytes [12:26 21/06/2011] [12:17 20/11/2010] 40D777B7A95E00593EB1568C68514493
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_b9fc4815c4e292b5\explorer.exe --a---- 2616320 bytes [13:47 28/04/2011] [05:30 25/02/2011] 8B88EBBB05A0E56B7DCC708498C02B3E
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_ba87e574ddfe652d\explorer.exe --a---- 2616320 bytes [13:47 28/04/2011] [05:19 26/02/2011] 0FB9C74046656D1579A64660AD67B746

-= EOF =-
 
You did good! Thank you for not raking me over the coals! I have been sitting in the corner>>:eek::eek:
That will teach me there are times it's okay to copy and paste- only if I know I spelled it right!

I've been trying to find the anomalies in the entries and there is one I'd like to ask you about:
There is a folder in your log with 2011-08-09 22:09:40 -------- d-----w- C:\Restored.

And it appears you did the following on that date:
C:\Restored\explorer.exe --a---- 2870272 bytes [22:10 09/08/2011] [06:23 26/02/2011] 0862495E0C825893DB75EF44FAEA8E93

Just what did you do- how did you 'restore'?

This is the result of the script I wrote to look into the c:\windows\Explorer.EXE file:
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
--- c:\windows\Explorer.EXE ---
Company: Microsoft Corporation
File Description: Windows Explorer
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: EXPLORER.EXE.MUI
File size: 2871808
Created time: 2011-04-28 13:47
Modified time: 2011-02-25 06:19
MD5: 332FEAB1435662FC6C672E25BEB37BE3
SHA1: 5A49D7390EE87519B9D69D3E4AA66CA066CC8255

And there is no sign of the file being infected. So we might be at the point of you sustaining the annoyance since it does not appear to be slowing the system and the system appears to be clean.

You can stop everything you don't need to start on boot and/or you can adjust the page file and see if either or both make any difference.
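The hash comparison discussed in the post above can be automated. The following is an added example, not part of the original thread or of SystemLook: it parses filefind lines copied from the log above and reports which winsxs component-store version, if any, shares an MD5 with each copy of explorer.exe outside the store. The function names and the regular expressions are assumptions based on the line layout visible in the log.

```python
import re
from collections import defaultdict

# Excerpt of the SystemLook filefind log posted above (lines copied from the thread).
LOG = r"""
C:\Restored\explorer.exe --a---- 2870272 bytes [22:10 09/08/2011] [06:23 26/02/2011] 0862495E0C825893DB75EF44FAEA8E93
C:\Windows\explorer.exe --a---- 2871808 bytes [13:47 28/04/2011] [06:19 25/02/2011] 332FEAB1435662FC6C672E25BEB37BE3
C:\Windows\SysWOW64\explorer.exe --a---- 2616320 bytes [13:47 28/04/2011] [05:30 25/02/2011] 8B88EBBB05A0E56B7DCC708498C02B3E
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_adc24107935a7e25\explorer.exe --a---- 2870272 bytes [13:47 28/04/2011] [06:23 26/02/2011] 0862495E0C825893DB75EF44FAEA8E93
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe --a---- 2871808 bytes [13:47 28/04/2011] [06:19 25/02/2011] 332FEAB1435662FC6C672E25BEB37BE3
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_b9fc4815c4e292b5\explorer.exe --a---- 2616320 bytes [13:47 28/04/2011] [05:30 25/02/2011] 8B88EBBB05A0E56B7DCC708498C02B3E
"""

# Assumed line layout: path, 7-char attribute field, size, two timestamps, MD5.
ENTRY = re.compile(r"^(?P<path>.+?) (?P<attr>[-\w]{7}) (?P<size>\d+) bytes "
                   r"\[[^\]]+\] \[[^\]]+\] (?P<md5>[0-9A-F]{32})$")
# Component-store directory name: <arch>_<component>_<token>_<version>_none_<hash>
WINSXS = re.compile(r"\\winsxs\\(?P<arch>[a-z0-9]+)_.+?_(?P<ver>\d+\.\d+\.\d+\.\d+)_", re.I)

def parse(log):
    """Return one dict per file line; headers and blank lines are skipped."""
    return [m.groupdict() for line in log.splitlines() if (m := ENTRY.match(line.strip()))]

def classify(entries):
    """Map each file outside winsxs to the store versions that share its MD5."""
    store = defaultdict(set)
    for e in entries:
        if (w := WINSXS.search(e["path"])):
            store[e["md5"]].add(f'{w["arch"]} {w["ver"]}')
    return {e["path"]: sorted(store.get(e["md5"], []))
            for e in entries if not WINSXS.search(e["path"])}

if __name__ == "__main__":
    for path, versions in classify(parse(LOG)).items():
        print(path, "->", ", ".join(versions) or "NO MATCH in component store (investigate)")
```

A match only shows that a file is byte-identical to a copy in the local component store; a copy with no match is the one to examine further, for example by checking its digital signature.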
 
Och, I can't believe that we are coming to the end of the things that we can do.

I booted up today and thought that the problem had miraculously sorted itself. explorer.exe was sat at 20 MB for about the first five minutes, but then it went up to 400MB as normal.

I can't be sure of exactly what it was that I did on that date you mention. I think that it was before I started talking to you. I think that I had located the explorer.exe file in c:\windows and then performed a right click -> Restore Previous Versions. The procedure did not work.

What about a fresh install of Windows 7? Is this an easy process, or should I just stick with the system that I have got, albeit running at sub-standard performance. Or what about approaching Microsoft officially?
 
Take all processes off of Startup except>> McAfee antivirus and firewall, touchpad for laptop and network process if on Cisco/Pure Magic. Use the information I gave you in my Reply #13.

Adjust the paging file if necessary: Please check HERE for suggestions and screen shots for paging file. There are some variables.

You have the system running many resource intensive processes, such as Veetle - Broadcast live streaming video in HD, update and accelerometer for the BlackBerry smartphone. The processes are all legitimate, but they use resources to run.

I don't recommend a reformat or reinstall for this problem. If there is a process that is causing this increase, you need to find it. A R/R is the very last thing a user should do and then only if it's a severe problem that cannot be handled any other way. Yours sounds more like an annoyance that you can't fix rather than a severe system problem.

Check the boot loading order. Using the Task Manager, see if any other process starts the same time as the delayed explorer.exe starts. I would also suggest you stop doing the 'adjustments' you are doing to the system in the attempt to fix this.

In reference to your subject: "Explorer.exe is hogging memory">> is it actually just running high, not hogging? Is there anything you can't do because too much RAM is being used?

We have handled minor malware- that was my job and it's been completed. The system is clean. I don't see any other way I can help with this specific matter.
 
I have disabled every single startup item except:
-IDT PC Audio
-Synaptics Pointing Device Driver
-DW WLAN Card Wireless Network Tray Applet (from Dell)
-Microsoft Windows Operating System
-McAfee Security Centre

I have read the TweakHound page on page file sizes; I'm not sure that I completely grasp it all, so I have left the page files as automatically managed.

Veetle was installed recently so that I could watch internet TV; I did not realise that this process was running 100% of the time. I have uninstalled Veetle to be on the safe side. What is the process that you mention relating to Blackberry phones? I don't own, and have never owned a Blackberry phone, so this process should not be on my system.

I am not sure how to check the boot loading order through the task manager; I have had a look and it isn't obvious to me. I always thought that the boot loading sequence was something done from the BIOS. But then again, I know very little.

Yet the problem persists. I have just checked a similar laptop to this one, and explorer.exe is running quite happily at 20 MB. The same process on this machine is currently running at 400MB or 1/5 of the entire RAM; this is what I mean when I say that it is hogging memory.

It seems to me that something is wrong with this machine. Maybe it's not malware, but something is definitely wrong.
 
I appreciate your frustration, but please don't take it out on me. There may very well be "something wrong" with the computer, but I don't know what it is. My job is to look for and hopefully remove malware and like many other helpers, offer tips and suggestions along the way.

I have done that. Please accept the fact that not all computer problems can be fixed online in a forum that isn't offering remote assistance. But you get our help free and the other can cost up to several hundred dollars.

I gave you suggestions in my previous post. I added information. And I'll do it once more:

Change order of startups

For services.
http://support.microsoft.com/default...b;en-us;193888
http://support.microsoft.com/default...b;en-us;115486

For applications.
To start applications sequentially create a shell script something like this
and place it in your \Startup directory.

-------------mystartup.cmd-------------
start "" "D:\Program Files\Microsoft Office\OFFICE11\outlook.exe"
start "" "D:\Program Files\Microsoft Office\OFFICE11\word.exe"
start "" "D:\Program Files\Microsoft Office\OFFICE11\excel.exe"
Courtesy of PCReview/UK

I suggested the above because you mentioned:
explorer.exe was sat at 20 MB for about the first five minutes, but then it went up to 400MB as normal.
Since it's not immediate, my thought was you might be able to associate the increase with which Service or app may be starting.

You might get some help with this by noticing how the icons load in the Notification Area.
=============================================
I'd like to bring your attention back to this as it's important:
I would like to point out that OTM did this: Total Files Cleaned = 926.00 mb That is a huge amount of files. And it indicates that you might not be performing adequate or frequent enough maintenance on the system.
Your system is clean. You can remove the cleaning tools:
Remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
    [o] Click START> then RUN
    [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
    [o] Double click OTCleanIt.exe.
    [o] Click the CleanUp! button.
    [o] If you are prompted to Reboot during the cleanup, select Yes.
    [o] The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
  • Set a new, clean Restore Point
    [o] Click on Start> right click on Computer> Properties
    [o] Select System Protection
    [o] Click on the Create button (near bottom)
    [o] Type a name for the Restore Point
    [o] Click on Create again to save the restore point.
  • Deleting all but the most recent System Protection point in Windows 7
    [o] Click Start> Computer> right click the C Drive and choose Properties> enter.
    [o] Click Disk Cleanup from there.
    [o] Click Clean up system files
    This restarts Disk Cleanup to run in elevated mode.
    [o] Click the More Options tab
    [o] Click the Clean up under System Restore and Shadow Copies.
    [o] Click OK.
    [o] You will get a confirmation screen> Just click Delete.
    [o] Click OK on the Disk Cleanup Screen.
    [o] Click Delete Files on the Confirmation screen.
This runs the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space in C drive.)
Images courtesy lytebyte.

Empty the Recycle Bin

I hope that you can find some reason for the high memory use of the process.
 