View full version : explorer.EXE intercept? I/O other always increasing



James007Long
04.04.2008, 02:35
Hi AVZ,

I have a problem with explorer.EXE.

In Task Manager, the "I/O Other bytes" always increases by 4k every time Task Manager refreshes, all the time.


If I disconnect from the internet, it stops. The I/O is not reported or visible as network, but I'm sure that is where it's going. I suspect a hidden device sends my computer information out to the internet. This looks like a hidden trojan, but I am not an expert, though I am technically advanced.

my system is pretty clean except for uphclean which is resident. I have unloaded that and the problem still exists.

as long as the machine is connected to the internet, or a switch, or a router, the i/o other keeps increasing.

I have run with no page file and no restore. same problem.

problem does not happen in safe mode.
problem does not happen in safe mode with networking.

I followed all your instructions.
also scanned with mcafee stinger.
scanned with spybot 1.5 and ad-aware 2007 free.
I can't find it.

please give me a hand, I'm out of ideas.
Thank you,
James

Rene-gad
04.04.2008, 09:58
Hello
Do you know this domain?

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jewelconsulting.org
O17 - HKLM\Software\..\Telephony: DomainName = jewelconsulting.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jewelconsulting.org
If not, fix these records with HijackThis.
I couldn't find any really bad thing in your logs.
Pls. run this script

begin
QuarantineFile('C:\WINDOWS\system32\Drivers\uphcleanhlp.sys','');
RebootWindows(true);
end.
After reboot, upload the quarantine here: http://virusinfo.info/upload_virus_eng.php

James007Long
04.04.2008, 13:36
Yes, that is my domain, jewelconsulting.org.
The win2k3 Domain Controller is in the next room.
This computer {polaris} is a domain member.

Many times I run with the DC off, so I set a different DNS IP on polaris,
and sometimes, even though I set DHCP leases to permanent, polaris does not keep the assigned IP, so I just set a manual static IP. That's how polaris operates without the domain, as a standalone computer.
{the dc runs dns}.

An interesting thing happened. I changed the shell to blackbox bblean and made it the default shell. It also shows "i/o other" increasing by just under 4k every refresh!! Odd, don't you think? I have a couple of jpg screenshots of just Task Manager showing the problem; would you like them?

Thanks,
James

Added 8 minutes later

Uphclean is from Microsoft. It allows registry keys in use to be remapped if they are being unloaded, as when the machine is shutting down. This is a very common problem with XP and is why settings aren't saved: the hive is busy when shutting down, so it goes back to the previous version.
Uphclean is a kernel mode util that intercepts unloadkey. Close enough.
I uninstalled it and the problem remains. I prefer to have my settings saved, so I reinstalled it.

Rene-gad
04.04.2008, 13:45
I have a couple of jpg screen shots of just task manager showing the problem, would you like them?
Yes, it would be interesting. You can upload the pictures to your webspace and link them here, can't you?

James007Long
04.04.2008, 14:01
I pasted that script to custom scripts and ran it.
The quarantine folder was created, but no file appeared there.

I must be Own3d. Here are the links.

http://i150.photobucket.com/albums/s89/computerpros/taskmgr1.jpg

http://i150.photobucket.com/albums/s89/computerpros/taskmgr2.jpg

Look at I/O other. These two screenshots are only a few seconds apart.
The machine was idle except to copy to clip, paste, and save the files.

Thanks,

James

Rene-gad
04.04.2008, 14:16
I cannot find any anomaly in these screenshots :)

James007Long
04.04.2008, 15:01
I uploaded "program files" contents for uphclean folder and the installer.


If you do the math, subtracting for system overhead,
you will see I/O other for explorer has increased much more than the system overhead required to generate and save the two screenshots.

If I shell a copy of explorer (as in unix) so it runs as a separate process,
the shelled copy generates i/o other count, and the first copy does not.

If I go to safe mode, I/O other is not generated by explorer at all, period.
I have been watching task manager all the way back to windows 95
and I am just letting you know there is an abnormal increase in the
number of i/o other bytes being generated,
AND it's taking 2 cpu now. It was ALWAYS at zero.

I wish you could sit here and watch this thing climb steadily. there is
no end to it. It will go into the terabyte range in a day.
this never used to happen.

I can think of one other instance where I saw this problem.
A long time ago I hacked a few XP installations to make a new
key, and if the key was not right, this would happen.
Maybe I'm insane, but I look for stuff like this. It lets me know
the system is not straight.:(


Thanks,
James

XP user
04.04.2008, 16:55
@ James:

Don't you think that could be related to your Graphics Editing Program (LViewPro)? In screenshot #2 I see it's using 90% of your system resources.

Paul

James007Long
05.04.2008, 02:10
No, it's not related to LView Pro. That was invoked to paste the clip into and then saved from. I've had LView Pro for years, and when it is not running there never was a problem before this new problem of I/O other started about 2 months ago.

The I/O other constantly increases when nothing is running. No LView, no Outlook. The drive is defragged to the max and even the pagefile is contiguous. This is an older Dell laptop with bigger pipes and is still very snappy under XP Pro. Like I said, in safe mode, I/O other is dead stopped
while running Task Manager unless you go for files or folders.

Been to MySpace a lot lately on this box. Yep, what have I been smokin'.
I'm sure that's part of the problem.

To clean up this box I do things most users don't have a clue about,
and I fix PCs for a living. But this little spy has me stumped.

Another problem: I can't run Sysinternals Regmon.
It reports it's already running.

I looked through the registry and found a legacy regmon701 and deleted it.
Also deleted all other references to regmon in the registry,
then deleted it from the drive and redownloaded it and ran it again, and it says the same thing. So that's probably related.

In procmon from Sysinternals, if I watch registry activity for Explorer.EXE
{IS THAT FILENAME CORRECT?? note the case} the registry is pretty much stuck on the DHCP and TCPIP parameters of my card all the time while idle. Doesn't make sense to me.


I made a manual full memory dump and I'll do a kernel dump.
But even though I know assembly language (I was a game programmer),
I don't know what I'm looking for and I don't know the Windows API.
All I know well was the BIOS, vectoring interrupts and ship like that.
It was before Windows. So even getting the symbols and stepping through all that is probably not going to enlighten me quickly.

But it's definitely here. I know these boxes by feel, and it's talkin' to the world. It just bypasses the normal route. I do in fact realize that all the protocols necessary to such a thing are in the box and that since the Patriot Act, and even before, information is the holy grail.

All I want is my box to act normal, rootkit or no. Maybe some lamer programmer should have done a better job. I can always reload and
hope I don't stumble into that one again.

Now this f**cker is on all my boxes and is on my win2k3 server, but not as bad, only 200 bytes at a time there.

I appreciate all the help so far and thank you all very much,
and am really open to more help and glad to answer every question.

James

Added 14 minutes later

No matter which utility I would use to get a screenshot and save it,
it would be additive to I/O other.

Just looking at another box I have, its explorer.exe I/O other count is up to 60 meg and it's been on for 2 hours.

XP user
05.04.2008, 09:47
@ James:

OK. A couple of ideas (actually I don't think you have malware):

* It seems to me that regmon's driver was not unloaded - it's still in your system and active in memory, although you may not see it in the Task Manager. AVZ didn't flag it because it's in the Trusted Database. I believe the driver is called REGSYS701.SYS. I suggest you do a search for that one in Safe Mode (probably system32 folder) and kill it. Only then should you delete any sysmon registry keys (they're probably still there).

* Did you try inserting your XP install disc and 'Start' - 'Run' - cmd - sfc /scannow?
Explorer might be corrupted, you know. Sometimes this happens after people install IE7.

* Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix), for example, might be able to fix this (link to instructions).

P.S.: UPHClean is certainly not to blame. I'd suggest putting that back. ;)

Paul

James007Long
06.04.2008, 07:15
No, it's definitely not malware. It's spyware/rootkit/idontknow.
It's hooked in good, but there it is in front of my face.

Thanks for the info on the regmon driver. I had to kill the file then rekill the legacy driver entry in the registry and make myself a debugger user and reboot before it would work. And now it does! Thank you for that. one less thing in the suspect list.


I considered {heavily} that explorer was damaged in some way. Through some research I was able to determine there are multiple versions of explorer. Mine is a version which was issued to solve some race condition with notification balloons. I am able to verify size, date, time, version... for my copy but can't verify its internal integrity... checksum or md5 or other means.

I ran that sfc /scannow and it does not have a clue where to get files from. My stuff is in servicepackfiles and there is no reason to go for the CD. My CD is original before SP1 and I'm not going that way ever again.

The closest I would come is to reinstall sp2.


I ran the ComboFix but never got a log in an applet as they indicate;
what I got looked like boot.ini in a text file named CF-RC.txt.
That was clean. ComboFix created some new folders with a bunch of
stuff in them, AND I now have a restore console from safe mode.
Nifty. Also inherited two side effects: the clock format changed,
and it disabled the NIC card. Those were easily fixed.
I didn't feel like joining another forum for that because
I've already described it all right here.

Thanks
James

XP user
06.04.2008, 07:51
@ James007Long

OK. I still have some ideas left, although I'm pretty sure AVZ would have spotted spyware/rootkits. It's my guess that it's some genuine program running in memory, and probably having some explorer-extension of some kind.

Could you please run Rootkit Revealer (http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx)? Download link down the page. Show the log, please.

I see you have the Ad-aware program in your system - I suggest you remove that one; don't want to offend anyone, but except for cookies it doesn't catch anything. Removing its service will do your system good. A more than worthy replacement would be SUPERAntiSpyware, which you can find here:
http://www.superantispyware.com/
Pick the free version on the left. Install, update and do a full scan. Show the log, please.

Generally, it's not a good idea to have anti-spyware programs in memory running all the time - manual scans are good enough. That's why I would like you to disable *ANY* real-time options in the program (same goes for Spybot Search & Destroy). Just update your database regularly and the same applies to scanning your system - manually and manually only. A solid cookies and scripts policy in your browser is much more effective than two, three, or more anti-spyware programs, believe me.

To check hashes you could use Hash by Robin Keir - no install needed. You can find it here:
http://keir.net/hash.html

And why don't you send explorer.exe or explorer.EXE, whatever to different anti-virus labs? Or check it on virustotal.com?

Did you try any general-purpose cleaning tools like CCleaner (http://www.ccleaner.com/download/builds/downloading-slim)? (direct download link to a version *without* the dreadful Yahoo Toolbar)

Paul

James007Long
06.04.2008, 11:42
Paul

HKLM\SECURITY\Policy\Secrets\SAC* 2/28/2006 9:21 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 2/28/2006 9:21 PM 0 bytes Key name contains embedded nulls (*)
C:\$AttrDef 2/28/2006 12:41 PM 2.50 KB Hidden from Windows API.
C:\$BadClus 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.
C:\$BadClus:$Bad 2/28/2006 12:41 PM 27.95 GB Hidden from Windows API.
C:\$Bitmap 2/28/2006 12:41 PM 894.24 KB Hidden from Windows API.
C:\$Boot 2/28/2006 12:41 PM 8.00 KB Hidden from Windows API.
C:\$Extend 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.
C:\$Extend\$ObjId 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.
C:\$Extend\$Quota 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.
C:\$Extend\$Reparse 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.
C:\$LogFile 2/28/2006 12:41 PM 64.00 MB Hidden from Windows API.
C:\$MFT 2/28/2006 12:41 PM 50.19 MB Hidden from Windows API.
C:\$MFTMirr 2/28/2006 12:41 PM 4.00 KB Hidden from Windows API.
C:\$Secure 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.
C:\$UpCase 2/28/2006 12:41 PM 128.00 KB Hidden from Windows API.
C:\$Volume 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.

------------------------

HKU\.DEFAULT\Control Panel\International 4/5/2008 11:25 PM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 4/5/2008 11:25 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 4/5/2008 11:25 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 4/5/2008 11:25 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 2/28/2006 9:21 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 2/28/2006 9:21 PM 0 bytes Key name contains embedded nulls (*)


First of all I should tell you I already did this. The first set does not have the metafiles hidden. According to popular opinion, SAC and SAI are supposed to show up. The International and Geo I'm going to guess are because the default clock format was changed, and now I have it some other way.


I agree that Ad-Aware (free 2008) has become lame and does nothing more than delete a few cookies. Hasta La Vista.

Working on the other log for you now {scanning} and I'm taking the rest of your advice. Oh yes; you could not pay me to take the Google toolbar,
or any other freekin bar. Computers don't drink, so no bars.

Thank you
James

XP user
06.04.2008, 12:28
Nothing out of the ordinary there. :)

Paul

James007Long
06.04.2008, 12:32
Paul

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 04/06/2008 at 05:16 AM
Application Version : 4.0.1154
Core Rules Database Version : 3432
Trace Rules Database Version: 1424
Scan type : Complete Scan
Total Scan Time : 00:44:12
Memory items scanned : 282
Memory threats detected : 0
Registry items scanned : 3838
Registry threats detected : 0
File items scanned : 14395
File threats detected : 2
Adware.Tracking Cookie
C:\Documents and Settings\JLong\Cookies\jlong@yadro[1].txt
Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\W01C4433.INI

These things always find some bs the first time just to impress us.

I like Spybot and the resident feature. Been using that for a long time.
One side effect: using the SD Helper bad download protector
makes your hosts file huge and does slow you down, even
getting folders on your own machine.

doing a ccleaner now.


Thanks
James

XP user
06.04.2008, 12:39
Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\W01C4433.INI
This may be a false positive. Could you check the contents of that .ini file? You can open it in Notepad. Might be a hidden file. If you deem it appropriate, you may copy and paste the contents here.
I also advise you to check your computer for any autorun.* files (ANY drives, especially of the removable type).

Paul

James007Long
06.04.2008, 14:36
Hey CCleaner is nice!

SUPERAntiSpyware toasted that file and rebooted me.

No autorun.ini is present on my thumb drive or hard drive.

autoruns.exe in my utilities folder
a hidden AutorunsDisabled in c:\documents and settings\all users\start menu\programs\startup
autoruns.exe in systinternals
autorunsc.exe in sysinternals
autoruns.chm in sysinternals
and they show up in the zip again.


Analyzing explorer.exe v 6.0.2900.3156 now.
OK, it's virus free.
I checked it against the one in dllcache using HASH. (NICE!) TY. Identical.

I have the 6.0.2900.3156 GDR version. Don't have an off-system one to check against here;
they all exhibit the same behavior.
Close enough for me.
Explorer does what it's supposed to; it's extensible.
My boxes all have the same hook.


Thanks Paul,
James

Added 1 hour 25 minutes later

OK, I use Task Manager on fast update. If I used "normal" or "slow",
the amount that is added to I/O other bytes for explorer.exe would be
even bigger.

I invite everyone to look at this and tell me it's normal.

http://i150.photobucket.com/albums/s89/computerpros/taskmgr3.jpg

look at i/o other bytes (column) for explorer.exe. The machine had been
up long enough to do the work in the preceding message above. I'd say about 2 hours.

Thanks,
James

XP user
06.04.2008, 15:10
I invite everyone to look at this and tell me it's normal.

http://i150.photobucket.com/albums/s89/computerpros/taskmgr3.jpg

look at i/o other bytes (column) for explorer.exe. The machine had been
up long enough to do the work in the preceding message above. I'd say about 2 hours.
It doesn't seem that high to me - actually my rate is a lot higher (my machine has been up for quite some time now - something like 8 hours). I suspect that's Norton GoBack, my recovery program... :)
So, it *must* be one of your legitimate drivers communicating intensively with its I/O Manager, otherwise AVZ would have spotted it.

Paul

James007Long
06.04.2008, 17:37
Well, it isn't any service; I can stop all those {sans rpc and a very few}
and the problem still persists.

Would you believe I've already been here too? Got a bootlog of everything loaded and startup state, but could use a tool that sees which drivers
are actually used, and then I can decide if I want to disable them... pretty dangerous, but hey, I now have a recovery console to re-enable any that were needed...

was all over msinfo32

and performance counters

Thought about autoruns, but it shows them all even if not used on this box.

The feeling I get is a driver slaps data outbound to the internet, because having disconnected the connection it stops dead right there, and the CPU usage of explorer.exe goes back to zero as well.

I agree that AVZ is a very well written tool. I've never seen _anything_ do what it does before.

Let me ask you something. You say your I/O other count is close, but is it dynamically updating while
you watch it, while the machine is idle, other than the Task Manager?
Mine did not used to. Only when I went for files/folders or invoked things did it change,
but never sitting there doing nothing.

my windows is a build 2600.xpsp_sp2_gdr.070227-2254.

Thanks
James

XP user
06.04.2008, 22:25
@ James007Long

Maybe it makes sense to have a look at your Windows services? For example, I see you have the Application Layer Gateway Service (alg.exe) running. On SP2 it is no longer needed, but it keeps at least one port open...
To answer your question about I/O - Yes, it's updating while I'm watching it in the task manager. Maybe you need a tool like Process Explorer (http://download.sysinternals.com/Files/ProcessExplorer.zip) (a more than nice replacement for the Windows Task Manager) to see what is linked to explorer.exe - at least there you can see all the threads and handles displayed in the process properties. It *must* be an application that has a driver + an extension in explorer.exe, I'm pretty sure about this...

Paul

James007Long
07.04.2008, 02:03
Yes, it's most likely a driver. I already tried disabling all the services.
I'm looking at the drivers.

James.

James007Long
08.04.2008, 08:01
These were disabled with no effect on I/O other increasing:

akbus,akpcsc,smusic,dmkaud,ipnat,kmixer,maestro,olcamudp,
parpart,pfc,redbook,serial,aec,audstub,cdrom,cmbatt,
fdc,flpydisk,irda,mskssrv,nwlnkflt,nwlnkfwd,ptilink,
mspclock,mspqm,rasirda,smcirda,splitter,swmidi,sysaudio.

Where it's not:
battery, dvd/cd, floppy, IR devices/port, parallel/direct parallel,
audio card and probably serial.

Narrowing down what's left, I'm looking at networking protocols.

Added 7 hours 47 minutes later

Hi,
Would like to try a rescan,
Where do I find the latest version AVZ english?

tkx
James

BTW, used msconfig to bring up Windows minimum with network,
and problem still there. As soon as networking is involved the problem
is apparent. Not surprising, as what makes I/O other stop increasing is to
disconnect the network connection.

Added 12 minutes later

I've prevented DHCP from loading in services. Assigned static IP and DNS.
Regmon shows this for explorer.exe:

the f242xxxx is my NIC.


78.83390808 explorer.exe:1652 QueryValue HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage\Bind SUCCESS "\Device\{F24256B3-E315-466B-AED3-3228EE8BA90F}"
78.83427429 explorer.exe:1652 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F24256B3-E315-466B-AED3-3228EE8BA90F} SUCCESS Access: 0x20019
78.83430481 explorer.exe:1652 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F24256B3-E315-466B-AED3-3228EE8BA90F}\EnableDHCP SUCCESS 0x0
78.83433533 explorer.exe:1652 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F24256B3-E315-466B-AED3-3228EE8BA90F}\DhcpServer SUCCESS "255.255.255.255"
78.83436584 explorer.exe:1652 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F24256B3-E315-466B-AED3-3228EE8BA90F}\DhcpServer SUCCESS "255.255.255.255"
78.83439636 explorer.exe:1652 CloseKey HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F24256B3-E315-466B-AED3-3228EE8BA90F} SUCCESS
79.83440399 explorer.exe:1652 QueryValue HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage\Bind BUFFER OVERFLOW
79.83443451 explorer.exe:1652 QueryValue HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage\Bind BUFFER OVERFLOW

It's ALWAYS here! Why? Is that normal?

1. why is it STILL looking for a DHCP server?
2. what are the OVERFLOW's about in Linkage?


tks
James

XP user
08.04.2008, 09:26
1. why is it STILL looking for a DHCP server?
I haven't got the faintest idea - I'm actually a bit crazy (:D), so in my system, (except for 45 other useless Windows services), I completely removed the DHCP Client service - still the OS is looking for something in that direction.

2. what are the OVERFLOW's about in Linkage?
The same answer, I'm sorry. I can't provide you with any sensible answer. This is only known to Microsoft...

Paul

James007Long
08.04.2008, 09:26
Using procexp.exe from Sysinternals, I got properties on the explorer.exe threads and was able to suspend/allow them.

when I suspend these, the problem goes away!


1. stobject.dll!DLLCANUNLOADNOW + 0x1f55

Presumably this had to do with TweakManager causing Windows
to unload unused DLLs.
I don't know, and could use help with it.

I had made that setting
in TweakManager, then later thought better of it. Problem was TM
left the key there and deleted the value. Sometimes Windows
proceeds on the presence of a key alone, so I deleted the key
as well.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Explorer\AlwaysUnloadDLL

OK, this thread has 3, sometimes 4 threads, but I pause the one with
the most context switches and my problem goes away.

2. SHLWAPI.DLL ordinal505+0x37a
Not sure what this is; could use some help, but guessing the LDAP
protocol implementation is hiding in here, which means LDAP
is snarfing my registry like crazy.

can anyone tell me what these are?
thanks
James

XP user
08.04.2008, 09:40
Hi, James!

The library file stobject.dll, is required by Windows and is used to provide functionality to the System Tray. Windows cannot operate without stobject.dll. I wouldn't touch it if I were you.

shlwapi.dll is a library which contains functions for UNC and URL paths, registry entries, and color settings. I would leave that alone as well. :)

The AlwaysUnloadDLL registry key: Windows Explorer caches DLLs (Dynamic-Link Libraries) in memory for a period of time after the application using them has been closed. This can be an inefficient use of memory on low memory systems, and may cause problems or delays for programmers developing with Windows DLL files. Set the default value to equal '1' to disable Windows caching the DLL in memory. Actually this is really only useful in older systems (Win98 for example).

Paul

James007Long
08.04.2008, 17:26
shlwapi.dll is a library which contains functions for UNC and URL paths, registry entries, and color settings. I would leave that alone as well. :)

No, I don't plan on deleting dll files, just finding a cause/fix.

casting aside stobject for the moment.....

"registry entries" in shlwapi.dll? you say? hmmmmmmmmmmmmmmm
Really weird... if I suspend that thread, the problem goes away.

I/O other ceases to increase while sitting idle.

I wonder if anyone knows what function/code is at the entry point
SHLWAPI.DLL ordinal505+0x37a ?

just an overview of that section would be great.

Is there a reason why
pausing this thread should stop I/O other from increasing?


thanks
James



XP user
08.04.2008, 22:09
I wonder if anyone knows what function/code is at the entry point
SHLWAPI.DLL ordinal505+0x37a ?
There is quite some info about this entry in Google. Most of the topics are about explorer crashing, and after that only the ordinal505+0x37a is left. Seems to have something to do with desktop and folder context menus.

Paul

James007Long
09.04.2008, 01:27
Thanks, Paul.

Working on Network Monitor under XP; I want to see what all the traffic is about.

And I disabled the following WAN miniports:
IP, L2TP, PPPoE, PPTP, and nothing changed, i.e. I/O other still increases.

These *may* have come from questionable sources via BitTorrent;
anyone ever had any problems with these?
winrar 3.51 corporate edition no key necessary registered to darketernal
isobuster 1.6.0.19
nero 7


OK, got netmon running under XP. I don't see I/O that would be
commensurate with I/O other bytes, and don't see anything else.

How strange is it that if I disconnect the connection it stops?

Even tried this on a hardwired client, with the cable connected to
a hub and with no connection to the internet; I/O other increases
at a constant rate while idle. Unplug the cable from the hub
and I/O other stops dead while idle.

What protocol does that? Not TCP/IP.

XP user
09.04.2008, 07:38
@ James007Long

I have no immediate answer to your questions. I must say I'm puzzled by the explorer DHCP queries all the time, especially since my machine doesn't need it and the service itself no longer exists. So I dug up an 'old' sysinternals tool for you that will show you that explorer.exe is doing something all the time - TDImon. Explorer.exe must be communicating with any of these:
* afd.sys
* tcpip.sys
* netbt.sys

It's probably worth checking the difference between Net 'On' and Net 'Off'. Unfortunately, since Microsoft's takeover of sysinternals, they don't release this wonderful tool anymore. I wouldn't be surprised if Microsoft had a compelling reason not to support its development any longer.
Here it is for you [see attachment].

So, what we have deduced so far:
* it must be something that communicates through or with a driver
* it must be something that has an explorer extension (most likely a context menu application handler)
* it must be something that uses your network somehow

Here's a tiny fragment from the TDIMon's log entries:

8:46:56 explorer.exe:106 829182C8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
8:46:56 explorer.exe:106 8293B900 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX

which led me to this:
http://www.osronline.com/ddkx/kmarch/k113_0hiq.htm
http://msdn2.microsoft.com/en-us/library/ms796116.aspx
This may very well contain the answer you're looking for...

Paul
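
As an added example (not code from the thread, AVZ or Sysinternals), the following Python parses the TDImon and Regmon line layouts quoted above and tallies device-control requests per process and repeatedly hit registry paths, which is the triage done by hand in this thread. Task Manager's "I/O Other bytes" counts bytes transferred by I/O requests other than reads and writes, DeviceIoControl included, so the IRP_MJ_DEVICE_CONTROL entries are the ones to correlate with that column; the sample lines, PIDs, IRP addresses and interface GUID are constructed placeholders.

```python
"""Tally TDImon and Regmon lines to see what keeps an idle process's I/O busy.

Added example, not code from the thread or from Sysinternals; the sample lines
are constructed in the two layouts quoted above (placeholder PIDs, IRP
addresses and interface GUID). Task Manager's "I/O Other bytes" counts bytes
moved by requests that are neither reads nor writes, DeviceIoControl included,
so a trickle of IRP_MJ_DEVICE_CONTROL requests from an idle process lands there.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple
# Result column: one or more uppercase words ("SUCCESS", "BUFFER OVERFLOW").
_RESULT = r"(?P<result>[A-Z]+(?: [A-Z]+)*)(?=\s|$)"
# TDImon: <h:mm:ss> <proc>:<pid> <irp> <IRP_MJ_*> <endpoint> <result> [<ioctl>]
TDIMON_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2})\s+(?P<proc>\S+?):(?P<pid>\d+)\s+"
    r"(?P<irp>[0-9A-Fa-f]{8})\s+(?P<major>IRP_MJ_[A-Z_]+)\s+(?P<endpoint>\S+)\s+"
    + _RESULT + r"(?:\s+(?P<detail>.*))?$"
)
# Regmon: <seconds> <proc>:<pid> <op> <registry path> <result> [<detail>]
REGMON_RE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<proc>\S+?):(?P<pid>\d+)\s+(?P<op>[A-Za-z]+)\s+"
    r"(?P<path>\S+)\s+" + _RESULT + r"(?:\s+(?P<detail>.*))?$"
)

def parse_tdimon(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Fields of one TDImon line, or None if the line is not one."""
    m = TDIMON_RE.match(line.strip())
    return m.groupdict() if m else None

def parse_regmon(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Fields of one Regmon line, or None if the line is not one."""
    m = REGMON_RE.match(line.strip())
    return m.groupdict() if m else None

def device_control_tally(lines: Iterable[str]) -> Dict[Tuple[str, str, str], int]:
    """Count IRP_MJ_DEVICE_CONTROL requests per (process, endpoint, IOCTL name).
    Reads, writes and creates are skipped: only device-control requests feed
    "I/O Other", so the busiest key here is the first thing to look at."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_tdimon(line)
        if rec and rec["major"] == "IRP_MJ_DEVICE_CONTROL":
            counts[(rec["proc"], rec["endpoint"], rec["detail"] or "")] += 1
    return dict(counts)

def registry_path_tally(lines: Iterable[str]) -> Dict[str, dict]:
    """Per registry path: hit count, result breakdown and time span covered.
    A key hit at a fixed cadence while the desktop is idle marks a polling
    loop. "BUFFER OVERFLOW" on QueryValue is the usual size probe made before
    reading a value with a large enough buffer, not an error by itself."""
    paths: Dict[str, dict] = {}
    for line in lines:
        rec = parse_regmon(line)
        if not rec:
            continue
        t = float(rec["time"])
        e = paths.setdefault(rec["path"], {"hits": 0, "results": Counter(), "first": t, "last": t})
        e["hits"] += 1
        e["results"][rec["result"]] += 1
        e["first"], e["last"] = min(e["first"], t), max(e["last"], t)
    return paths

def repeated_paths(lines: Iterable[str], min_hits: int = 2) -> List[Tuple[str, int]]:
    """Registry paths hit at least min_hits times, most frequent first."""
    hot = [(p, e["hits"]) for p, e in registry_path_tally(lines).items() if e["hits"] >= min_hits]
    return sorted(hot, key=lambda pe: (-pe[1], pe[0]))

# Constructed TDImon sample: the two explorer.exe lines quoted in the post, an
# unrelated svchost.exe create, and one more explorer.exe poll a second later.
SAMPLE_TDIMON = """\
8:46:56 explorer.exe:106 829182C8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
8:46:56 explorer.exe:106 8293B900 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
8:46:57 svchost.exe:1040 82A0F6E0 IRP_MJ_CREATE UDP:0.0.0.0:1025 SUCCESS
8:46:57 explorer.exe:106 829182C8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
""".splitlines()
# Constructed Regmon sample mirroring the sequence James posted (placeholder GUID).
IFACE_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}"
DEV_NAME = r"\Device\{11111111-2222-3333-4444-555555555555}"
BIND_KEY = r"HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage\Bind"
SAMPLE_REGMON = [
    f'78.83390808 explorer.exe:1652 QueryValue {BIND_KEY} SUCCESS "{DEV_NAME}"',
    f"78.83427429 explorer.exe:1652 OpenKey {IFACE_KEY} SUCCESS Access: 0x20019",
    f'78.83433533 explorer.exe:1652 QueryValue {IFACE_KEY}\\DhcpServer SUCCESS "255.255.255.255"',
    f'78.83436584 explorer.exe:1652 QueryValue {IFACE_KEY}\\DhcpServer SUCCESS "255.255.255.255"',
    f"78.83439636 explorer.exe:1652 CloseKey {IFACE_KEY} SUCCESS",
    f"79.83440399 explorer.exe:1652 QueryValue {BIND_KEY} BUFFER OVERFLOW",
    f"79.83443451 explorer.exe:1652 QueryValue {BIND_KEY} BUFFER OVERFLOW",
]
```

Feed it the full TDImon log captured with the network cable in and again with it out; the device-control tally that vanishes in the second capture is the one tied to the counter.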

James007Long
17.04.2008, 05:38
All my boxes do it now. It wasn't this way. Kinda like remembering when there wasn't a deposit on bottles. Anyway, I give up.

Thanks for all your help Paul, and everyone on the forum.

James