Bizarre behavior in PowerDVD and netflix/silverlight


This topic is locked
27 replies to this topic

#1 Phr3d

Posted 10 November 2009 - 03:25 PM

EDIT: after reading more of the repairs here, I saw that anti-malware was often used, and I had already run it. I included the report of what it removed. I then ran gmer in report mode in case it might speed the process; it found a "noname -- hidden" module, which doesn't sound very pleasant. I re-ran DDS and RootRepeal in case it would be different, and I will stop now.


I have a new-to-me, wiped corporate Dell Precision M65 laptop (2GHz Core Duo, 2GB, 100GB). I purchased this laptop primarily as a movie viewer, which is the one thing that it cannot do.
I have IE6 with Silverlight for my Netflix viewing, and PowerDVD v6.x (stolen from another older Precision) for DVDs, both disc and rip. I installed avast, VLC, MPClassic, enabled OE, Firefox, Photoshop, BestCrypt and DVD Shrink.

At some point that I cannot determine, and with no useful restore points available, I began having problems watching Netflix. Task Manager shows CPU usage all over the place, 50% kernel, and it is nearly impossible to use the computer for approx. 10 minutes, after which the CPU usage drops back to its normal 1% idle, and I can return to the Netflix window and continue watching for another ~15 min, when it starts again.
This also occurs when I watch something on PowerDVD, though it does not -seem- to occur if I do a clean boot of Windows with everything (namely wifi) turned off. And that is what led me to you folks; I have searched everywhere and other people are having these problems, but Firefox gets blamed, etc. - whichever program shows the highest CPU usage. After weeks of experimentation, I see spikes of 40% CPU from -Task Manager- when this occurs; there is no rhyme or reason to which application is the 'problem'. I have attached a CPU graph that illustrates the severity (I changed to single CPU for legibility). The 76% shown is not mirrored by the Processes tab; the numbers there cannot keep up with the jumping around.

If this is NOT malware, I am at the end of my rope. 90-day-old clean computer, clean Dell XP-SP3 install disk, few programs, little usage, only visit well-known forums. I boot-time scanned, and also removed the HD and scanned on another computer with avast, no infections.

logs follow:



DDS (Ver_09-10-26.01) - NTFSx86
Run by user at 20:37:10.71 on Tue 11/10/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1696 [GMT -6:00]

AV: avast! antivirus 4.8.1356 [VPS 091110-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\PROGRA~1\bc\BCResident.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\user\Desktop\1st_dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netflix.com/MemberHome
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] d:\program files\java\jre6\bin\jusched.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "d:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bestcr~1.lnk - d:\program files\bc\BestCrypt.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - d:\program files\java\jre6\bin\npjpi160_17.dll
Trusted Zone: microsoft.com\www.update
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
AppInit_DLLs: hplun.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\fzxcl5c6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com/
FF - prefs.js: keyword.enabled - false
FF - plugin: d:\program files\adobe\acrobat 7.0\reader\browser\nppdf32.dll
FF - plugin: d:\program files\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: d:\program files\real alternative\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\real alternative\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-8-20 114768]
R1 BC_3DES;BC_3DES;c:\windows\system32\drivers\bc_3des.sys [2007-1-25 26984]
R1 BC_BF128;BC_BF128;c:\windows\system32\drivers\bc_bf128.sys [2007-1-25 21224]
R1 BC_BF448;BC_BF448;c:\windows\system32\drivers\bc_bf448.sys [2007-1-25 21224]
R1 BC_BFish;BC_BFish;c:\windows\system32\drivers\bc_bfish.sys [2007-1-25 21224]
R1 BC_CAST;BC_CAST;c:\windows\system32\drivers\bc_cast.sys [2007-1-25 29800]
R1 BC_DES;BC_DES;c:\windows\system32\drivers\bc_des.sys [2007-1-25 26728]
R1 BC_Gost;BC_Gost;c:\windows\system32\drivers\bc_gost.sys [2007-1-25 16872]
R1 BC_RC6;BC_RC6;c:\windows\system32\drivers\bc_rc6.sys [2007-1-25 23272]
R1 BC_RIJN;BC_RIJN;c:\windows\system32\drivers\bc_rijn.sys [2007-1-25 42216]
R1 BC_SERP;BC_SERP;c:\windows\system32\drivers\bc_serp.sys [2007-1-25 29160]
R1 BC_TFISH;BC_TFISH;c:\windows\system32\drivers\bc_tfish.sys [2007-1-25 28264]
R1 bcbus;BestCrypt bus driver;c:\windows\system32\drivers\bcbus.sys [2007-1-25 46952]
R1 fsh;fsh;c:\windows\system32\drivers\fsh.sys [2007-1-25 18920]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};d:\program files\cyberlink\powerdvd\000.fcl [2009-8-20 6656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-8-20 20560]
R3 mhk;mhk;c:\windows\system32\drivers\mhk.sys [2007-1-25 14312]
R3 moh;moh;c:\windows\system32\drivers\moh.sys [2007-1-25 9704]
S0 cerc6;cerc6; [x]

=============== Created Last 30 ================

2009-11-11 00:48:22 0 d-----w- c:\program files\trend micro
2009-11-10 23:10:08 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2009-11-10 23:10:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 23:10:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 23:10:02 0 dc----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-10 22:42:51 0 dc----w- c:\docume~1\alluse~1\applic~1\abelhadigital.com
2009-11-10 22:42:51 0 d-----w- c:\docume~1\user\applic~1\abelhadigital.com
2009-11-07 03:05:36 0 d-----w- c:\windows\system32\wbem\Repository
2009-11-04 14:50:45 4045 ----a-w- c:\windows\system32\NvwsApps.xml
2009-10-31 02:50:49 0 d-----w- c:\windows\nview
2009-10-30 11:27:40 325822 ----a-w- C:\Loaded with programs_IE6-silverslight_CPU graph~1hour.jpg
2009-10-28 23:08:13 0 d-----w- C:\temp
2009-10-28 22:59:15 0 d-----w- c:\docume~1\user\applic~1\AVS4YOU
2009-10-19 20:18:29 344064 ----a-w- c:\windows\system32\mmmpcdmx.ax
2009-10-19 20:18:28 315392 ----a-w- c:\windows\system32\mmmpcdec.ax
2009-10-15 09:52:23 90264 ----a-w- C:\IE6-silverslight_CPU graph~15min.jpg
2009-10-15 06:35:05 0 d-----w- c:\windows\pss

==================== Find3M ====================

2009-11-10 02:26:32 96104 ----a-w- c:\windows\system32\nvModes.dat
2009-10-11 10:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-27 00:46:59 12499 ----a-w- c:\windows\system32\Seagate.bin
2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 21:38:43 3147 ----a-w- c:\windows\mozver.dat
2009-08-14 03:07:52 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 20:37:21.43 ===============


thank you for any insight.

Attached Files


Edited by Phr3d, 11 November 2009 - 03:11 PM.

carpe` cervesi
knf
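Editor's added example (not part of the original post, and not a DDS tool): the one persistence-style entry in the log above is `AppInit_DLLs: hplun.dll`, a registry value that causes Windows to load the named DLL into every process that links user32.dll, and the log also contains a GUID-named driver loaded from a program directory and a boot-start service (`S0 cerc6`) whose file DDS marked `[x]`, i.e. not found. None of that is proof of infection, but each is the kind of line a reviewer checks by hand. The Python below parses those two DDS sections into records and flags exactly those cases; the sample text is a handful of lines copied from the posted log, and the regular expressions are inferred from the log's layout rather than taken from any DDS documentation.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the DDS log in the post
# above (not a complete log). DDS prints "[x]" where it could not find the
# driver's file on disk.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netflix.com/MemberHome
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
AppInit_DLLs: hplun.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-8-20 114768]
R1 bcbus;BestCrypt bus driver;c:\windows\system32\drivers\bcbus.sys [2007-1-25 46952]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};d:\program files\cyberlink\powerdvd\000.fcl [2009-8-20 6656]
R3 mhk;mhk;c:\windows\system32\drivers\mhk.sys [2007-1-25 14312]
S0 cerc6;cerc6; [x]
"""

# Layout inferred from the log: "R1 name;description;path [date size]"
# or, when the file is missing, "S0 name;description; [x]".
DRIVER_RE = re.compile(r'^([RS]\d)\s+([^;]*);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$')
APPINIT_RE = re.compile(r'^AppInit_DLLs:\s*(.*?)\s*$')
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.I)
SYSTEM_DRIVER_DIR = '\\windows\\system32\\drivers\\'


@dataclass
class Driver:
    state: str        # R = running, S = stopped; digit = start type (0 boot ... 4 disabled)
    name: str
    description: str
    path: str         # '' when DDS printed "[x]"
    meta: str         # "YYYY-M-D size" or "x"


def parse_drivers(text):
    """Extract the SERVICES / DRIVERS records; lines from other sections don't match."""
    return [Driver(*m.groups()) for m in map(DRIVER_RE.match, text.splitlines()) if m]


def appinit_dlls(text):
    """Return the DLL names listed under AppInit_DLLs (empty list if the value is blank)."""
    for line in text.splitlines():
        m = APPINIT_RE.match(line)
        if m:
            return [d for d in re.split(r'[ ,;]+', m.group(1)) if d]
    return []


def triage(text):
    """Return (kind, name, detail) tuples a reviewer should verify by hand."""
    findings = []
    for dll in appinit_dlls(text):
        findings.append(('appinit', dll,
                         'injected into every process that loads user32.dll; check signer'))
    for d in parse_drivers(text):
        if d.meta.strip().lower() == 'x' or not d.path:
            findings.append(('missing_file', d.name, 'registered but file not found by DDS'))
            continue
        if GUID_RE.match(d.name):
            findings.append(('guid_name', d.name, 'GUID-named driver: ' + d.path))
        if SYSTEM_DRIVER_DIR not in d.path.lower():
            findings.append(('nonstandard_path', d.name, d.path))
    return findings


if __name__ == '__main__':
    for kind, name, detail in triage(SAMPLE_LOG):
        print(f'{kind:16} {name:45} {detail}')
```

Running it on the sample flags `hplun.dll` (AppInit_DLLs), the `{95808DC4-...}` PowerDVD driver (GUID name, non-standard path) and `cerc6` (file missing); the avast and BestCrypt drivers in `system32\drivers` pass. The findings are review prompts, not verdicts: the next step for each is checking the file's signer and vendor, which is what the helper in this thread goes on to do with other tools.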



#2 m0le (Malware Response Team)

Posted 16 November 2009 - 07:15 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic, and if you do not reply by the following day after that, then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 Phr3d (Topic Starter)

Posted 16 November 2009 - 08:40 PM

I'm here (might know I'd go for a sandwich a minute before you replied, lol)


#4 m0le (Malware Response Team)

Posted 16 November 2009 - 08:53 PM

Food breaks are allowed.

Nothing is coming up on any of the logs, which makes me think straight away that this is not a malware problem.

CPU issues are usually not malware at all but one of a number of other possibilities. Let's have a look at your processes; as with your own testing, please wait until the CPU is high.

Please download and run Process Explorer

If Process explorer won't execute rename it Iexplore.exe

Under File and Save As, create a log and post here

Copy and paste the log into your next reply


Can you also take a look at this link and try and eliminate these possible non-malware causes.

Thanks

#5 Phr3d (Topic Starter)

Posted 16 November 2009 - 09:02 PM

OK, Netflix is running; I'll post in a bit with a Process Explorer log (after the CPU goes nuts). The hidden module in gmer is not a concern?


#6 Phr3d (Topic Starter)

Posted 16 November 2009 - 09:32 PM

I've left the computer in its destroyed state in case there is anything else you want to look at -- it took five minutes for the reply window to complete so I could start typing. A reminder: Firefox -looks- like it is the problem, but it is the same without Firefox running, it just lands on different processes (lsass, csrss, explorer, etc.), so the snapshot shows whatever is topping out at that second.

the log is near impossible to read, good luck.

Attached Files


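Editor's added example, not part of the thread and not Process Explorer's own output: the poster's observation in #6 (and the reason m0le asks in #4 for a log taken while the CPU is high) is that a single Task Manager refresh names whichever process happened to hold the CPU at that instant, so the "culprit" flips between firefox, lsass and csrss from one refresh to the next. The stable way to attribute a spike is to difference cumulative per-process CPU time (Process Explorer's CPU Time column, or `psutil.Process.cpu_times()` on a live box) across the whole spike window. The snapshots below are constructed, not measured on the poster's laptop, and are shaped so that per-second tops disagree while the whole-window sum points somewhere none of them did; if that sum lands in `System`, Interrupts or DPCs rather than a user process, the suspect is a driver or device rather than user-mode malware, which is consistent with the ~50% kernel time and the wifi-toggle behaviour the poster reports.

```python
from collections import defaultdict

# Constructed snapshots (NOT measurements from the poster's laptop): cumulative
# CPU time in milliseconds per process, one snapshot per second, one logical CPU.
# Process Explorer's CPU Time column or psutil.Process.cpu_times() would be the
# real source; the values below are shaped to make the attribution point.
SAMPLES = [
    (0, {'firefox.exe': 0,   'lsass.exe': 0,   'csrss.exe': 0,   'System': 0}),
    (1, {'firefox.exe': 20,  'lsass.exe': 0,   'csrss.exe': 10,  'System': 10}),
    (2, {'firefox.exe': 470, 'lsass.exe': 50,  'csrss.exe': 60,  'System': 410}),
    (3, {'firefox.exe': 570, 'lsass.exe': 550, 'csrss.exe': 110, 'System': 710}),
    (4, {'firefox.exe': 620, 'lsass.exe': 600, 'csrss.exe': 610, 'System': 1060}),
    (5, {'firefox.exe': 640, 'lsass.exe': 600, 'csrss.exe': 620, 'System': 1070}),
]


def intervals(samples):
    """Difference consecutive snapshots: (t_start, t_end, {process: busy_ms})."""
    out = []
    for (t0, before), (t1, after) in zip(samples, samples[1:]):
        out.append((t0, t1, {p: after[p] - before.get(p, 0) for p in after}))
    return out


def busy_percent(delta, t0, t1, cpus=1):
    """Total CPU busy time in the interval as a percentage of available CPU time."""
    return 100.0 * sum(delta.values()) / ((t1 - t0) * 1000 * cpus)


def snapshot_tops(samples, threshold=50):
    """What a single Task Manager refresh reports: the top process at each high interval."""
    return [(t1, max(d, key=d.get))
            for t0, t1, d in intervals(samples) if busy_percent(d, t0, t1) >= threshold]


def spike_windows(samples, threshold=50):
    """Merge consecutive high intervals into (t_start, t_end) windows."""
    windows = []
    for t0, t1, d in intervals(samples):
        if busy_percent(d, t0, t1) < threshold:
            continue
        if windows and windows[-1][1] == t0:
            windows[-1][1] = t1          # extend the current window
        else:
            windows.append([t0, t1])
    return [tuple(w) for w in windows]


def attribute(samples, t_start, t_end):
    """Sum each process's busy ms over the whole window, busiest first."""
    total = defaultdict(int)
    for t0, t1, d in intervals(samples):
        if t_start <= t0 and t1 <= t_end:
            for p, ms in d.items():
                total[p] += ms
    return sorted(total.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == '__main__':
    for start, end in spike_windows(SAMPLES):
        print(f'spike {start}s-{end}s')
        print('  per-second tops:        ', [p for _, p in snapshot_tops(SAMPLES)])
        print('  whole-window attribution:', attribute(SAMPLES, start, end))
```

On the constructed data the per-second tops are firefox, then lsass, then csrss, while the three-second window attributes the most busy time to `System`, which never topped any single refresh. The same differencing works on two saved Process Explorer logs taken at the start and end of a spike: subtract CPU Time per process and sort.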


#7 m0le (Malware Response Team)

Posted 17 November 2009 - 08:09 AM

The hidden in gmer is not a concern?


We will take a look at the hidden module in a minute, just want to be sure that we're not missing something more obvious. I have read the log (eventually...) and it looks fine.


Let's see what the hidden module represents then.

Go here and download USEC.at's radix_installer_trial.zip. Then unzip that and click the radixgui.exe to open the scan display.

Then without making any changes click the Check button to start the scan. Once it has completed click the Save Log button and save that to a location you can return to. Then click the "X" to close the Radix scanner.

Attach that log back here for review please (it will be pretty large, so direct posting would be a bit tough).

Caution - the Radix scanner has many settings and options, including many that can cause quick and permanent corruption to your operating system. Avoid the temptation to try any other options, scans or settings when using it.

#8 Phr3d (Topic Starter)

Posted 17 November 2009 - 04:32 PM

Restart, avast active, wifi active, reports no hidden files.
Side note - watched Stargate on PowerDVD overnight and on a whim, manually (switch on the side) turned off wifi; PowerDVD played two full episodes without the CPU going crazy. The WMI job under svchost wasn't present - makes me go hm..
Kewl tewl (radix), first time I've seen it mentioned (I've read about 1k logs, I'm kinda' OCD).

Attached Files




#9 m0le (Malware Response Team)

Posted 17 November 2009 - 08:34 PM

Looks like this has gone. Just to check, let's run Avenger, which finds and disables rootkits:
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that both the box next to Scan for rootkits and the box next to Automatically disable any rootkits found both have ticks in them.
  • Click the Execute button.
  • You will be asked No script has been entered. Do you want to execute a rootkit scan only?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If The Avenger finds a hidden rootkit driver, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
Thanks

#10 Phr3d (Topic Starter)

Posted 17 November 2009 - 08:49 PM

DL successful, boxes ticked, reboot, no rootkit found

Attached Files




#11 m0le (Malware Response Team)

Posted 17 November 2009 - 08:57 PM

Hi Phr3d,

Only one other possibility for malware now. There is a chance that the rootkit has been removed but it has left behind some cloaked malware. In other words, an infected legitimate file.

We will run Combofix to clear that possibility. After that I have effectively ruled out malware as the problem.

Please download ComboFix from one of these locations:
IMPORTANT!!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks

#12 Phr3d (Topic Starter)

Posted 17 November 2009 - 09:19 PM

dl success,restart,disable wifi,disable avast
run CF
restore point created
(re-enable wifi for:)
recovery console install success
CF runs, 53 stages complete.
log pops up
re-enable avast

I have not restarted -
I have now restarted, I didn't see it was so close to 8pm CST (2am, your time?) when you posted

tried to enter following as spoiler, wouldn't work (black lines over text?)

(NOTE: Combofix, for reasons that escape me, replaces your browser preference as well as JPG, i.e., image-viewing and video-viewing preferences with M$ defaults - grrr.. please note and pass along for anyone that hates M$ media player's wide open doors, M$ viewer's inability to do anything with a picture file excepting its uncanny ability to save into the useless PNG format, and also people whose only use for IntSexplorer is due to Netflix's requirement that they do so, due to Hollywood's requirement of SilverSlight. Do I sound bitter? Could it be that this bizarre CPU usage coincides with my silverslut install, and it now appears that I am right back to talking to Microsoft? Perish the thought, I am not naive enough to believe that M$ would release a DRM-favoring-system-(*cough*bashing*cough*)modifying software product that was not-quite-ready-for-primetime -- hell, look what they did for HD-DVD).

Attached Files


Edited by Phr3d, 18 November 2009 - 04:29 AM.



#13 m0le (Malware Response Team)

Posted 18 November 2009 - 07:58 AM

Sorry Phr3d, but I don't think this is malware-related.

I would personally uninstall Silverlight and then reinstall it to see if the problem persists.

Feel free to post in Bleeping Computer's other forums for help. You can say that I have checked out the PC and you are clean.

I will leave the topic open for five days, after which you can PM me if you want to contact me about this.

Good luck with finding the problem.

m0le

#14 Phr3d (Topic Starter)

Posted 18 November 2009 - 02:52 PM

I'm wondering if the same results from my other two computers (both x64); ran the Sophos, it found spdt.sys, unknown.
guess I'll sell this thing.
I installed IE8 and silverlight on the previous laptop, it wouldn't work at all (netflix only played in Firefox). I thought it was a fluke.

much thanx for walking with me Mr. m0le.

Edited by Phr3d, 18 November 2009 - 02:57 PM.



#15 m0le (Malware Response Team)

Posted 18 November 2009 - 07:41 PM

One other idea...

spdt.sys is a legitimate driver from Daemon Tools but there are reports that this driver causes problems. It might be worth uninstalling the driver and see if that fixes the problem.

Good luck, and let me know what happens.

m0le