Internet access drops, d3d9caps.dat updating, ran R&RMF already

Discussion in 'Malware Help (A Specialist Will Reply)' started by Jman9, Oct 19, 2007.

  1. Jman9

    Jman9 Private E-2

    Hi, I have been having some strange problems with IE losing connection occasionally, as well as sluggishness. I was recently unable to connect to a remote computer with PCAnywhere (blocked by the firewall) which had not happened before either.
    I try to keep things pretty well locked down on 4 computers (geek alert), so this is a bit of a surprise. I tried the usual stuff and I feel that there's still something lurking in the background that is pretty well hidden.
    I noticed a file that was being updated when the system was not being used, C:\WINDOWS\system32\d3d9caps.dat - searching on this indicated it was bad, but there was no indication what program uses it. It's really hard to tell if the problem is gone since you have to try some things and then wait overnight. I did try deleting the file and it came back, so something is writing it. I also tried trapping access to the file name through filemon, but (of course) the file was not updated while I was watching.
    Anyway... I ran as many of the steps as possible. Description follows.
    0. Nothing in the add/remove looked suspicious or something I had not installed.
    1. I deleted all the Norton protected files and quarantine files.
    2. I did this (actually, I run this way most of the time).
    3. Not an issue. I am running Zone Labs Internet Security Suite, but have run different ones in the past (Norton, etc.) That is a subject for a different post ;-)
    4. Downloaded all of the programs and installed them where recommended.
    5. Restarted in safe mode, no networking, unplugged network cable. Ran Ccleaner. Ran Spybot per instructions. No problems found. Ran Counterspy in safe mode, so no view option, and no log was created that I could find. There was a later scan and the log is posted in the third post.
    6A. Restarted in safe mode with networking. Reconnected network cable. Ran bitdefender on the entire machine (6 hours!) and found some problems in Outlook messages. Manually deleted these and reran bitdefender only on Outlook folders; this scan was clean. Both logfiles are attached. Tried to run Panda but something hung during the running (it seemed to be connected to ZoneLabs automatic update failing to find a network connection) so had to restart several times to fix networking issues. In any case, I was not successful in running it.
    6B. Restarted in normal mode, ran getrunkey.bat and shownew.bat (logs attached to following messages).
    6C. Ran combofix.exe (logs attached), ran HJT per instructions (logs attached). Tried rerunning Panda but it still got stuck on network access.
    I hope I used the correct runmefirst (t=35407) - let me know if not and I will try rerunning things.
    I need to put in a new hard drive and would like to make sure the problem does not just migrate from the old installation to the new one. If necessary, I will just do a fresh install of WinXP and all the apps. The computer is about 3 years old and (so far) I have not had to do this. I guess it's about time.
    The system has been unusable for several days due to all the scanning etc. and I need to get it fixed soon.

    Jman9
     

    Attached Files:

    Last edited: Oct 19, 2007
  2. Jman9

    Jman9 Private E-2

    more attachments
     

    Attached Files:

  3. Jman9

    Jman9 Private E-2

    Found a CounterSpy scan from last night (was automatically scheduled)... log attached. Took 217 minutes... glad I was asleep ;-)
    Jman9
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi Jman9!
    Welcome to Major Geeks!
    Please go to add/remove programs and uninstall all your old javas.

    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03
    Java 2 Runtime Environment, SE v1.4.2_06
    Java(TM) 6 Update 2
    Java(TM) SE Runtime Environment 6 Update 1

    After you've uninstalled ALL of the above, please REBOOT your computer.

    After you've rebooted, please install Java Runtime Environment vs. 6.3

    There is no obvious evidence you are running ZoneAlarm's Security Suite, but your computer is full of Symantec. ??
    abri
     
  5. Jman9

    Jman9 Private E-2

    Hi abri, thanks for the almost instant response!
    I am now uninstalling the Java as you mentioned. It's nice to have a second computer available while you are working :) Will post results from that when it's done... so far, it's still running very slowly.
    The Symantec stuff is PCAnywhere, Norton GoBack, and Norton SystemWorks. I gave up on NIS a while ago when the subscription ran out, so tried some other programs to get real-world experience. There may still be some Norton trash left over in the registry though.
     
  6. Jman9

    Jman9 Private E-2

    OK, I finished the steps mentioned, and it seems to be running faster, but I had to do the uninstall from a second admin account I keep around just for cases like this. I had at least one restart during the uninstall that I did not request. That account seems to be faster than my main account. Also, I won't know for a while if the d3d9caps.dat file problem has been solved. Please let me know the next steps here. Also, should I uninstall CounterSpy, CCleaner, or any of the other tools I put on to help fix this problem? Thanks.
    Jman9
     
  7. abri

    abri MajorGeek

    Hi Jman!
    Please forgive the long wait. We are having a discussion about this. You are right that the d3d9caps.dat file is hard to get rid of. Whether it's related to the problems you're having or not isn't clear. In any case, your thread has not been abandoned.

    While you're waiting, please do the following:

    1) For further information, could you tell me if you installed TCP Spy and if it is something you want running on your computer?

    Secondly, WinPcap was damaged when you ran ComboFix. It can be restored by Combofix but it might be easier to simply reinstall it.

    And for my own information, how did you delete your infected Outlook files? Did you remove whole folders or do you know a way to delete them individually?

    2) Please look in Add/Remove Programs for the following and uninstall them if found..
    Then delete the below folders which may be left behind by the uninstall:

    C:\Documents and Settings\John Mahony\Application Data\Sunbelt Software
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software



    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    4) Do you know what this is? If not, please add it to the items to be fixed by HijackThis below.
    5) Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    6) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    7) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    8) After you have completed the above, please attach the following log.
    • HijackThis Log
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    abri
     
  8. abri

    abri MajorGeek

    Hi Jman!
    I would like to add to my previous post. Coming back to your question regarding the d3d9caps file, I have it on the highest authority that this file is hard to delete because it's part of a legitimate program called Direct3D. It appears to be showing up when installing Xfire. It's possible it's being used by some program other than this one, but in any case, it does not seem to be a bad file. You can find more information on it at the following McAfee website. It appears in the second scroll window towards the bottom.
    http://www.siteadvisor.pl/sites/xfire.com/downloads/5910856/

    The PC Anywhere being blocked could be the result of a program update. Whenever a program is updated, the firewall generally wants new permission for it to run. This happens sometimes and is nothing to worry about.

    Thanks to Chaslang for this information.
    abri
     
  9. Jman9

    Jman9 Private E-2

    Hi abri, sorry for the delay. I have two 160GB drives that are getting pretty full, so I wanted to put in a 500 GB drive, but Dell seems to have shipped a WinXP Home disk instead of a WinXP Pro disk :-( I have requested new disks, so maybe they will ship the right disks this time. I spent a bunch of time backing up data in preparation for this move. Note to self... buy a really big HD for my next computer ;-)
    Anyway... here are the answers for your recommendations.
    1. I ran tcpspy a few times to try to troubleshoot some problems with Outlook not connecting to the mail server when NIS was running. I will probably get rid of these items using one of the removal tools. Do you have a recommendation for this?
    I tried several TCP/IP capture programs while working on this problem. I can reinstall WinPCap if I need it.
    To get rid of the infected Outlook messages, I opened the .pst files, found the messages by name/sender, deleted them, and then compacted the .pst file (Properties > Advanced > Compact File). If you don't do that, they are not really gone, and the scans will still pick them up. You can just select the folders with the Outlook .pst files to make the scanning go faster.
    2. I already uninstalled CounterSpy and the computer seems to be running faster. I also deleted the files you mentioned. The only one that remained was in the Documents and Settings\JM\Application Data\Sunbelt Software, and there was only one file in there.
    3. I ran shootthemessenger already (does this work?), but I can stop WinMessenger again.
    4. I know this url. I put it in to download data from the USGS to make topographic maps. If it's not there, the download would not work.
    5. Done.
    6&7. These appear to be duplicates, so I only did it once ;-)
    8. Rescanned, log attached.
    Regarding d3d9caps.dat, I don't have this file on any of four other computers in the house (3 personal and one work machine) so I am suspicious. I also don't recall downloading Xfire. Does this get installed automatically when you visit some web sites? I was also suspicious since it seemed to be updated only when nothing else was running (computer in standby), and then it's updated very frequently.
    I am not sure the PCAnywhere problem was due to an update, unless Symantec updated something automatically. I have been running 11.0.1 for some time and nothing has changed for some time. I will have to look around for more ideas on this one.
    Thanks for all of the help on this!
    Jman9
     

    Attached Files:

    Last edited: Oct 21, 2007
  10. abri

    abri MajorGeek

    Hi Jman,

    Yes, sorry for the duplicate instructions!

    The d3d9caps.dat seems to be part of Direct3D which is part of DirectX which is a component used in many things that have to do with graphics. It can be part of a screensaver. You have a lot of photo-related software on this computer. I spent quite a bit of time looking for this and one of the places I always look first is at this website to see if it came up in an earlier post. I found it in this post: http://forums.majorgeeks.com/showthread.php?t=115208

    If you have the time to look at this thread in more detail, what you'll see is that it was removed very early on in Safe Mode. After that, it came back and was never dealt with again. However, somewhere between the second to the last newfiles.txt and the very last newfiles.txt it disappeared. That means something in the last posts was taken out of the computer which also took out that file. It appeared in the newfiles.txt log in post 49, but in post 64 it was gone from that log. Nothing was done in that time expressly to remove that particular file, so it had to have been removed with something else.

    The msmsgs removal tool should work. The Windows Messenger is still appearing in your hijackthis log.

    I would like to post our final cleaning instructions to remove the tools and logs we've been using, reset a clean restore point and give you information about how to protect yourself from malware. I know you're still concerned about this one file and I would ask you to please look at the thread I mentioned and see if it gives you a clue what program on your computer might be using it. Since it's not a known virus and since I've only found it removed as a suspicious-looking file but not pertaining to any malware, and since it does seem to be part of Direct3D which is a valid program, I can't justify spending more time on it even though I would like to. It's an old file. One reference I found to it at a malware site was from 2005. If it were a known malware issue, it would have come up as something more than being a suspicious-looking file since then. I would be grateful, if you happen to track down what it relates to in your computer, if you'd tell us. It could help us in future encounters with it.

    Here are the final instructions.
    abri
     
  11. Jman9

    Jman9 Private E-2

    Hi abri, thanks for the detailed reply.
    I checked out the other thread, and I think the reason d3d9caps.dat is not in the last newfiles.txt scan is that it became older than 90 days. It was created on Nov. 13 and the later scan was done on Feb. 12.
    I just looked at my Norton GoBack advanced restore log, and this file is still being updated (about once per second) if the computer is in standby for a while. I am still suspicious, but maybe I should not worry too much about it. I will see if I can find the program that makes this file update. I was going to try running ntfilemon and filtering on access to this file name. That would show me what process was accessing it, but it may be too stealthy and hide if it detects a file monitor running.
    I could not find a lot of references to the file either, but will let you know what I find out.
    Everything else seems to be running much better.
    For your cleanup steps:
    1-2. I didn't have to do these steps.
    3. I have deleted these.
    4. Will do next. I think I did this somewhere along the way.
    5. Will do next.

    I was not successful in creating a fresh 500GB system disk since I found that I did not have the right Windows disk. Dell shipped me a WinXPHome disk but marked it as WinXPPro !! I'm still running the old 2x160 GB disks temporarily until I get the replacement CDs.
    Thanks again for the advice!
    Jman9
     
  12. abri

    abri MajorGeek

    You're welcome.
    Look for d3d9caps in programs that have Direct X or Direct 3D. One place these are used is in gaming software. I'm expecting it to be in a program that uses 3D graphics.
    abri
     
  13. Jman9

    Jman9 Private E-2

    Hi abri,
    filemon found what was going on (finally!!) - it's not what you'd expect.
    There are several processes that are accessing this file, but only one or (maybe two) that are writing to it. They are:
    DFRGNTFS.EXE (the first process that I caught, but only open/query)
    monitor.exe
    svchost.exe (but I would have to dig a bit to find what was actually running inside this)
    ScanningProcess (no .exe listed in the process list)
    WMIPRVSE.EXE

    and now for the surprise one... iTunes.exe is creating d3d9caps.tmp and then renaming it to d3d9caps.dat... after that happens, the revised file apparently is saved by the Norton Protected Recycle Bin and also shows up in Norton GoBack.

    Unless you think any of these programs are a problem, I guess the mystery is more understood. I still don't know why some of my other machines don't have the d3d9caps.dat file on them, though. One of them is running iTunes and that one is also running GoBack and Norton SystemWorks. Go figure.
    Guess I'll try stopping iTunes to see if the problem stops, or check with Apple about it.
    I can post the log file if you want to have a look at it.
    Jman9
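A way to do the process attribution this post describes, as an added example that is not from the thread: it parses a Process Monitor-style CSV export (the column layout is an assumption; the rows are constructed, not Jman9's real log) and separates processes that only read d3d9caps.dat from those that modify it, including the create-.tmp-then-rename pattern found above.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the CSV layout Process Monitor exports
# (assumed layout; Filemon-era logs differ slightly). Backslashes are
# doubled only because this is a Python string literal.
SAMPLE_LOG = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:02:11.0011","DFRGNTFS.EXE","1520","QueryBasicInformationFile","C:\\WINDOWS\\system32\\d3d9caps.dat","SUCCESS",""
"3:02:11.0020","svchost.exe","904","CreateFile","C:\\WINDOWS\\system32\\d3d9caps.dat","SUCCESS","Desired Access: Generic Read"
"3:02:12.5000","iTunes.exe","2244","CreateFile","C:\\WINDOWS\\system32\\d3d9caps.tmp","SUCCESS","Desired Access: Generic Write"
"3:02:12.5100","iTunes.exe","2244","WriteFile","C:\\WINDOWS\\system32\\d3d9caps.tmp","SUCCESS","Offset: 0, Length: 4,096"
"3:02:12.5200","iTunes.exe","2244","SetRenameInformationFile","C:\\WINDOWS\\system32\\d3d9caps.tmp","SUCCESS","ReplaceIfExists: True, FileName: C:\\WINDOWS\\system32\\d3d9caps.dat"
"3:02:13.0000","WMIPRVSE.EXE","1788","QueryBasicInformationFile","C:\\WINDOWS\\system32\\d3d9caps.dat","SUCCESS",""
"""


def basename(path):
    """Last path component, lower-cased for case-insensitive NTFS matching."""
    return path.rsplit("\\", 1)[-1].lower()


def rename_target(detail):
    """Pull the destination path out of a rename row's Detail column."""
    marker = "FileName: "
    i = detail.find(marker)
    return detail[i + len(marker):].strip() if i >= 0 else None


def classify(row, target):
    """Return 'write', 'read' or None for one row relative to the target name.

    A rename counts as a write if the target name is either the source or the
    destination: that is how a file can keep 'reappearing' without any WriteFile
    ever being recorded against its final name.
    """
    op, path, detail = row["Operation"], row["Path"], row["Detail"]
    touches = basename(path) == target
    if op == "SetRenameInformationFile":
        new = rename_target(detail)
        if touches or (new and basename(new) == target):
            return "write"
        return None
    if not touches:
        return None
    if op == "WriteFile" or (op == "CreateFile" and "Generic Write" in detail):
        return "write"
    return "read"


def attribute_access(csv_text, target_name):
    """Map each process to the operations it performed on target_name,
    split into those that modify the file and those that only read it."""
    buckets = {"write": defaultdict(set), "read": defaultdict(set)}
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = classify(row, target_name.lower())
        if kind:
            buckets[kind][row["Process Name"]].add(row["Operation"])
    return {k: {p: sorted(ops) for p, ops in v.items()} for k, v in buckets.items()}


if __name__ == "__main__":
    for kind, procs in attribute_access(SAMPLE_LOG, "d3d9caps.dat").items():
        for proc, ops in procs.items():
            print(f"{kind:5} {proc:14} {', '.join(ops)}")
```

Filtering on the final file name alone would have missed the iTunes rows entirely, since every write lands on d3d9caps.tmp; checking the rename destination is what attributes the file to the right process.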
     
  14. abri

    abri MajorGeek

    Hi jman!
    Thanks for posting this information back to us. The processes you mention all seem like legitimate ones. The first one is part of the Windows defrag program. The second belongs to Windows Management Instrumentation (WMI) and the third is iTunes. The file name is unfortunate. I appreciate the effort that went into figuring this all out and want to thank you for letting us know what you found.
    abri
     
  15. Jman9

    Jman9 Private E-2

    Hi abri,
    I haven't totally given up, as sometimes the file seems to be updated when the screen saver starts running (sigh). I finally have a WinXPProSP2 disk and I'm going to put in a new hard drive and load a fresh version of Windows. If I find anything interesting I will post it here (maybe under a new thread).
    It's still remotely possible there is something (rootkit?) lurking that is hosing things up... but who knows? I thought the iTunes thing would fix it, but noooo.
    Jman9
     
  16. abri

    abri MajorGeek

    I didn't realize you were still hoping to delete it. It seems like Norton's is trying desperately to save it for you. I think it's a file which is regenerating itself, because it is needed for different programs, iTunes being one of them. It would be really nice if there were a Wikipedia of file names.
    :)
    abri
     
  17. Jman9

    Jman9 Private E-2

    Hello abri,
    I have not posted until now, since I have been installing a new 500GB hard drive and reinstalling everything from scratch. Plus, I wanted to take it a little bit at a time and see if the problem reappeared. So far, I have reinstalled iTunes but not Juice, and I have not seen the file reappear. I still suspect it (or some hidden process) was doing something, but I will be happy if it just stays away.
    I am also holding off on Norton GoBack. Even though I have had few problems, others don't like it, and it modifies the MBR and volume identifier so that you can't see the drive contents if you install another drive and then try to copy the files. I guess that's how they get the GoBack screen to pop up.
    To fix it, you have to turn off/uninstall GoBack plus maybe run a removal tool. Ah, Symantec... if you can't figure out how to fix a problem, just make people uninstall/reinstall your software.
    I think I'm OK at this point. I will post another topic if I still run into something strange. Thanks for the help!
    Jman9
     
  18. abri

    abri MajorGeek

    You're welcome, jman!
    Thanks and happy surfing!
    abri
     
