
D3d9caps.dat Being Updated In Standby


5 replies to this topic

#1 Jman9


Posted 24 October 2007 - 10:31 PM

Hi, I have been trying to fix some problems, and most of them seem to be gone, but I still have a nagging problem. There is a file, c:\windows\system32\d3d9caps.dat, that seems to be updated about once a second if the computer is in standby for a while with a user logged in. I have run a bunch of stuff (smitfraudfix, combofix, various online scans, etc.) and did not really have much infected, but this file still updates in the background. Online searches indicate others who are infected with something also have this file. I have some opinions that say it's part of Direct3D, but there is no 3D stuff running that I know of. I am not a big gamer either.
I am running WinXP Pro SP2, fully patched, 3GB RAM, etc. Zone Labs Internet Security Suite for AV/AS/FW/etc.
I have 4 other computers and none of them have this file, even a gaming machine.
Any ideas on what I should look for? Other scans to run?
Thanks for any advice you have to offer.
Jman9



#2 oldf@rt


Posted 24 October 2007 - 10:42 PM

See if you can upload the file to Jotti or Virus Total. The name implies that the file is part of DirectX; however, it could be a ZLOB Trojan variant. None of my XP, 2000, or NT machines have this file anywhere. They all have the latest version of DirectX. The only way I know to be sure about this file is to scan with several malware programs.
The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#3 quietman7


Posted 25 October 2007 - 08:19 AM

When doing a search on the net for d3d9caps.dat, you will find a lot of reports about it. The file shows up on numerous systems and is suspected to be part of DirectX Direct3D. I have not been able to confirm that but from what I'm finding, the file does not appear to be malware related either.

I will have to do some more investigating.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#4 Jman9


Posted 29 October 2007 - 11:43 PM

Thanks for the good ideas. Jotti and VirusTotal both found nothing in the file (it's only 5416 bytes long). I also found lots of references to the file name on the web, and I don't think it's part of Direct3D. It's only on this computer.
I did find some interesting things about it since I posted.
It seems that Juice 2.2 is downloading new podcasts on a certain schedule. When it does, and hands the file off to iTunes, and the computer is in standby, then this file is created and updated. It seems to be connected to iTunes trying to find cover artwork for the podcast. It's possible that the network communications are down during standby, so the update does not happen until the user logs back in and the connection is restored. I have moved all my podcast updates to iTunes directly and eliminated the automatic checking, which (so far) seems to have kept this file from updating.
However, a quick log check shows at least a few more cases of the file being updated, so I guess I will have to investigate further. It may just be tied to any time iTunes tries to update cover artwork.
Jman9

Edited by Jman9, 29 October 2007 - 11:52 PM.


#5 quietman7


Posted 30 October 2007 - 07:15 AM

Keep us updated as to anything else you find out.

#6 Jman9


Posted 30 October 2007 - 10:17 PM

Found some more interesting stuff. After eliminating Juice from the equation, now the file is also being updated when the screen saver starts to run (I'm just using a blank, nothing fancy). It doesn't happen every time. Also, sometimes the computer freezes up and I can't do anything. It appears to be happening at random times, according to the GoBack restore log. Still troubleshooting... will keep you all informed if something interesting comes up.
Jman9



