Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Telegram Desktop converts a paste into an attachment


  • Please log in to reply

#136
Basty

Basty

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 179 posts

I have moved the divx.dll into a folder on the desktop - if there are no untoward consequences for a week or so, I'll delete it. I'm intrigued by the double date you quote - I can see only the 2003.

 

Networx is only rarely of use. I'll consider re-installing when I feel the need.

 

'they appear to be normal sized now' - behaviour is almost 'perfect', which is much better than when I started this thread. How faults accumulate over time ! (like my body !)

 

Thank you for sharing your 'precious' time with me.


  • 0

Advertisements


#137
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,711 posts
  • MVP

Put divx.dll

in the Search box for FRST

and hit Search Registry.

 

You will get one file.  Please post.


  • 0

#138
Basty

Basty

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 179 posts

'ere it is

Attached Files


  • 0

#139
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,711 posts
  • MVP

The first date is the date the file was placed on the hard drive.  The second was the date the file was originally created.

 

I have found references to divd.dll in an old forum on divd 5 (2002).  Apparently it used to be part of the DIVD player at the time tho from installing the latest version that is no longer the case.

One of the registry entries FRST found is odd.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"divx.dll"="1"

Apparently means the divx.dll file wants to bypass DEP: Data Execution Prevention (DEP) is a system-level memory protection feature that is built into the operating system starting with Windows XP and Windows Server 2003. ... DEP prevents code from being run from data pages such as the default heap, stacks, and memory pools.

 

This is a rather suspicious thing to ask since you should not be bypassing DEP if you are a well behaved program.  Makes me wonder if we have some malware pretending to be a codec.  Can you submit the file divd.dll to virustotal.com?

 

Go to

https://www.virustotal.com/gui/

click on Choose file

point it at the file and hit Open.  It will think for a few seconds or even a minute and then come back with the results from submitting the file to a bunch of anti-virus companies.

 

Seems like the DIVD player used to come with adware.  Here they are removing a DIVD 2 installation manually from the registry:

 

https://www.trendmic...are/adw_gator.a

 

This line in the registry is what activates the dll file:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.DIVX"="DivX.dll"

 

This entry is not in my Win 10.  All I have is:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
"midi"="wdmaud.drv"
"midimapper"="midimap.dll"
"mixer"="wdmaud.drv"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"vidc.i420"="iyuv_32.dll"
"vidc.iyuv"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.uyvy"="msyuv.dll"
"vidc.yuy2"="msyuv.dll"
"vidc.yvu9"="tsbyuv.dll"
"vidc.yvyu"="msyuv.dll"
"wave"="wdmaud.drv"
"wavemapper"="msacm32.drv"
"msacm.l3acm"="C:\\Windows\\System32\\l3codeca.acm"
"aux1"="wdmaud.drv"
"midi1"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"wave1"="wdmaud.drv"
"aux2"="wdmaud.drv"
"midi2"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"wave2"="wdmaud.drv"
"MSVideo8"="VfWWDM32.dll"


  • 0

#140
Basty

Basty

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 179 posts

https://www.virustotal.com/gui/ gave the result in the attachment.

 

Your post beyond the above request went straight over my head.

Attached Thumbnails

  • security.JPG

  • 0

#141
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,711 posts
  • MVP

OK.  Good to know.  Let's look at the registry entry I cited earlier and see if there is anything funny there:

 

This is just going to look.  It won't require a reboot.

 

Download the attached fixlist.txt to the same location as FRST

Attached File  fixlist.txt   336bytes   4 downloads

Run FRST and press Fix
A fix log will be generated please post that


  • 0

#142
Basty

Basty

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 179 posts

'ere it is.

 

You astound me with your array of tools.

Attached Files


  • 0

#143
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,711 posts
  • MVP

Thanks.  I've been doing this for at least 25 years so I've picked up a few tricks.

 

The other entries in the registry are legit.

 

 

Attached is a divd.reg file. 

 

Attached File  divd.reg   266bytes   3 downloads

 

If you download and save it then right click and Merge, it will remove the entry in the registry that Windows uses to find the file.  If it breaks anything it will be easy to restore the entry with another .reg but I expect it won't.  I think your splitter program is lazy and just loads all of the codecs just in case it needs one.


  • 0

#144
Basty

Basty

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 179 posts

I did not get notification of your reply.

Sad to report that THIS PC is misbehaving again. It often does so in different ways. Today's tantrum was a fully populated left pane, and nothing in the right pane. 'Not responding' at top.

I've run the divd.reg .


Edited by Basty, 05 April 2021 - 11:54 PM.

  • 0

#145
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,711 posts
  • MVP

Run VEW and post the logs.  Perhaps something new will show up in the VEW logs.


  • 0

Advertisements


#146
Basty

Basty

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 179 posts

Done

 

I've deleted the 'quarantined' divx.dll

Attached Files

  • Attached File  VEW.txt   12.43KB   4 downloads

  • 0

#147
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,711 posts
  • MVP

Log: 'System' Date/Time: 06/04/2021 8:27:42 AM

Type: Warning Category: 0
Event: 157 Source: disk
Disk 4 has been surprise removed.
 
Log: 'System' Date/Time: 06/04/2021 7:56:07 AM
Type: Warning Category: 0
Event: 157 Source: disk
Disk 4 has been surprise removed.
 
Log: 'System' Date/Time: 06/04/2021 12:54:06 AM
Type: Warning Category: 0
Event: 50 Source: Ntfs
{Delayed Write Failed} Windows was unable to save all the data for the file \Device\HarddiskVolume1 .. dmother-scene-5.540p.mp4. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.
 
Log: 'System' Date/Time: 06/04/2021 12:54:06 AM
Type: Warning Category: 0
Event: 50 Source: Ntfs
{Delayed Write Failed} Windows was unable to save all the data for the file \Device\HarddiskVolume1 .. dmother-scene-5.540p.mp4. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.
 
Log: 'System' Date/Time: 06/04/2021 12:54:02 AM
Type: Warning Category: 0
Event: 153 Source: disk
The IO operation at logical block address 0x19d2f3e88 for Disk 5 (PDO name: \Device\0000008f) was retried.
 
Log: 'System' Date/Time: 06/04/2021 12:54:02 AM
Type: Warning Category: 0
Event: 153 Source: disk
The IO operation at logical block address 0x19d2f3d88 for Disk 5 (PDO name: \Device\0000008f) was retried.
 
Log: 'System' Date/Time: 06/04/2021 12:54:02 AM
Type: Warning Category: 0
Event: 153 Source: disk
The IO operation at logical block address 0x19d2f3c88 for Disk 5 (PDO name: \Device\0000008f) was retried.
 
Log: 'System' Date/Time: 06/04/2021 12:54:02 AM
Type: Warning Category: 0
Event: 153 Source: disk
The IO operation at logical block address 0x19d2f3b88 for Disk 5 (PDO name: \Device\0000008f) was retried.

 

 
 
 
What happened here?  Did you unplug a USB connected Drive or did the USB adapter fail?  The times are usually GMT rather than your local time.
 
If you unplugged or turned off a USB adapter you need to tell it ahead of time by clicking on the Safely Remove Hardware and Eject Media button.  This is an icon near the clock but usually hidden.  To unhide it, 
  1. Select the Start button, and then select Settings > Personalization > Themes.
  2. Under Themes > Related Settings, select Desktop icon settings.
  3. Choose the icons you would like to have on your desktop, then select Apply and OK.

 

You should also search for

device manager

hit Enter

click on the arrow in front of Disk Drives

Locate the drives that are USB connected (by the name and part number the order they are shown is deceptive) and right click and select Properties then the Policies tab.  You want it to look like this:

 

hdpolicy.jpg

 

 


  • 0

#148
Basty

Basty

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 179 posts

The first two 'surprise removals' would have been me shutting off power from two SATA connected SSDs I clone to on a weekly basis.

 

The second two around 1am refer to activity involving the editing of videos - about which I have NO concerns whatsoever.

 

The last four look identical to me but are a about a non-event as far as I am concerned.

 

"What happened here?" I am not sure what you mean by here, but suggest they do NOT touch on the occasional misbehaviour of THIS PC - that latter is the only thing I am still hoping can be corrected.

 

Is there some test I should run and show you, straight after THIS PC misbehaves again ?


Edited by Basty, 07 April 2021 - 08:28 AM.

  • 0

#149
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,711 posts
  • MVP

You are losing data.  The default mode for a connected drive is to write to memory first because it's faster then write to the drive as time permits.  The problem is that then if the drive disappears before the data in the memory gets written to the drive then the data gets lost.   This can corrupt the data on the drive.  That's why you need to make sure that any drive that may go away is set up the way I showed you in my last post.  That way the data is written directly to the drive. 

 

The last four errors indicate a problem with either the adapter or the drive.  The PC is trying to write some data but the drive is not reporting that the data was written.  This is a bit more than a non-event.


  • 0

#150
Basty

Basty

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 179 posts

The attachment shows the Disk entry of Device Manager, the fist three are SATA connected - NOT USB; and the USB stick is permanently connected. I forgot to do the attachment before posting, and when I tried to Edit I could find no 'attach' option.

 

The two SSD to which I clone are, SATA connected (not by USB) - are powered ON for cloning to, and OFF afterwards.

It seems to me none of those qualify for the treatment you suggest.

 

 

There are other drives and USB sticks that I connect to as required - I have checked in the Policies of their Properties - they ALL have 'quick removal' ticked.

 

I will post this and then post the attachment.


Edited by Basty, 07 April 2021 - 03:52 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP