Mystery hardware

Andy

On each bootup, Windows tells me that it found new hardware and wants to reboot.

I have a few disabled drivers.

How do I find out what Windows is "finding"?

Andy
 
Paul

Andy said:
On each bootup, Windows tells me that it found new hardware and wants to reboot.

I have a few disabled drivers.

How do I find out what Windows is "finding"?

Andy

Try looking at the end of "setupapi.log".

There will be several files with similar names. The
file rolls over when it gets to a certain size.

Each entry is date stamped. There might be 20 lines or so per section,
to give you some idea how long an entry might be. (That's an average
figure.)

This is the last entry in my file. This is probably a disk I plug in
occasionally.

[2013/06/28 07:15:39 1072.8 Driver Install]
#-019 Searching for hardware ID(s): storage\volume
#-198 Command line processed: C:\WINDOWS\system32\services.exe
#I022 Found "STORAGE\Volume" in C:\WINDOWS\inf\volume.inf;
Device: "Generic volume";
Driver: "Generic volume";
Provider: "Microsoft";
Mfg: "Microsoft";
Section name: "volume_install".
#I023 Actual install section: [volume_install]. Rank: 0x00000000. Effective driver date: 07/01/2001.
#-166 Device install function: DIF_SELECTBESTCOMPATDRV.
#I063 Selected driver installs from section [volume_install] in "c:\windows\inf\volume.inf".
#I320 Class GUID of device remains: {71A27CDD-812A-11D0-BEC7-08002BE2092F}.
#I060 Set selected driver.
#I058 Selected best compatible driver.
#-166 Device install function: DIF_INSTALLDEVICEFILES.
#I124 Doing copy-only install of "STORAGE\VOLUME\1&30A96598&0&SIGNATUREE09035E5OFFSET15F00000LENGTH745AC00000".
#-166 Device install function: DIF_REGISTER_COINSTALLERS.
#I056 Coinstallers registered.
#-166 Device install function: DIF_INSTALLINTERFACES.
#-011 Installing section [volume_install.Interfaces] from "c:\windows\inf\volume.inf".
#I054 Interfaces installed.
#-166 Device install function: DIF_INSTALLDEVICE.
#I123 Doing full install of "STORAGE\VOLUME\1&30A96598&0&SIGNATUREE09035E5OFFSET15F00000LENGTH745AC00000".
#I121 Device install of "STORAGE\VOLUME\1&30A96598&0&SIGNATUREE09035E5OFFSET15F00000LENGTH745AC00000" finished successfully.

Now, on Win2K at least, if it discovered a new volume, it would
tell you to reboot. (But I think if you didn't reboot,
everything was fine anyway.) I don't think WinXP is quite
as demanding. This entry in my file would not have been
accompanied by a suggestion to reboot. But there could always
be something where it insists.

For other kinds of device installations, there might have been
more useful info for figuring out what it is.

Paul
 
Andy

Andy said:
On each bootup, Windows tells me that it found new hardware and wants to reboot.

I have a few disabled drivers.

How do I find out what Windows is "finding"?

Andy

Try looking at the end of "setupapi.log".

There will be several files with similar names. The
file rolls over when it gets to a certain size.

Each entry is date stamped. There might be 20 lines or so per section,
to give you some idea how long an entry might be. (That's an average
figure.)

This is the last entry in my file. This is probably a disk I plug in
occasionally.

[2013/06/28 07:15:39 1072.8 Driver Install]
#-019 Searching for hardware ID(s): storage\volume
#-198 Command line processed: C:\WINDOWS\system32\services.exe
#I022 Found "STORAGE\Volume" in C:\WINDOWS\inf\volume.inf;
Device: "Generic volume";
Driver: "Generic volume";
Provider: "Microsoft";
Mfg: "Microsoft";
Section name: "volume_install".
#I023 Actual install section: [volume_install]. Rank: 0x00000000. Effective driver date: 07/01/2001.
#-166 Device install function: DIF_SELECTBESTCOMPATDRV.
#I063 Selected driver installs from section [volume_install] in "c:\windows\inf\volume.inf".
#I320 Class GUID of device remains: {71A27CDD-812A-11D0-BEC7-08002BE2092F}.
#I060 Set selected driver.
#I058 Selected best compatible driver.
#-166 Device install function: DIF_INSTALLDEVICEFILES.
#I124 Doing copy-only install of "STORAGE\VOLUME\1&30A96598&0&SIGNATUREE09035E5OFFSET15F00000LENGTH745AC00000".
#-166 Device install function: DIF_REGISTER_COINSTALLERS.
#I056 Coinstallers registered.
#-166 Device install function: DIF_INSTALLINTERFACES.
#-011 Installing section [volume_install.Interfaces] from "c:\windows\inf\volume.inf".
#I054 Interfaces installed.
#-166 Device install function: DIF_INSTALLDEVICE.
#I123 Doing full install of "STORAGE\VOLUME\1&30A96598&0&SIGNATUREE09035E5OFFSET15F00000LENGTH745AC00000".
#I121 Device install of "STORAGE\VOLUME\1&30A96598&0&SIGNATUREE09035E5OFFSET15F00000LENGTH745AC00000" finished successfully.

Now, on Win2K at least, if it discovered a new volume, it would
tell you to reboot. (But I think if you didn't reboot,
everything was fine anyway.) I don't think WinXP is quite
as demanding. This entry in my file would not have been
accompanied by a suggestion to reboot. But there could always
be something where it insists.

For other kinds of device installations, there might have been
more useful info for figuring out what it is.

Paul

Thanks Paul.

That file has a number of these in it.

I have been installing\experimenting with Linux and have been creating partitions.

Is that why Windows is installing drivers for the "new volume" that it finds?

Andy



#-198 Command line processed: C:\WINDOWS\system32\services.exe
#I022 Found "STORAGE\Volume" in C:\WINDOWS\inf\volume.inf; Device: "Generic volume"; Driver: "Generic volume"; Provider: "Microsoft"; Mfg: "Microsoft"; Section name: "volume_install".
#I023 Actual install section: [volume_install]. Rank: 0x00000000. Effective driver date: 07/01/2001.
#-166 Device install function: DIF_SELECTBESTCOMPATDRV.
#I063 Selected driver installs from section [volume_install] in "c:\windows\inf\volume.inf".
#I320 Class GUID of device remains: {71A27CDD-812A-11D0-BEC7-08002BE2092F}.
#I060 Set selected driver.
#I058 Selected best compatible driver.
#-166 Device install function: DIF_INSTALLDEVICEFILES.
#I124 Doing copy-only install of "STORAGE\VOLUME\1&30A96598&0&SIGNATURE49614960OFFSET397D400000LENGTHBB700000".
#-166 Device install function: DIF_REGISTER_COINSTALLERS.
#I056 Coinstallers registered.
#-166 Device install function: DIF_INSTALLINTERFACES.
#-011 Installing section [volume_install.Interfaces] from "c:\windows\inf\volume.inf".
#I054 Interfaces installed.
#-166 Device install function: DIF_INSTALLDEVICE.
 
Paul

Andy said:
Thanks Paul.

That file has a number of these in it.

I have been installing\experimenting with Linux and have been creating partitions.

Is that why Windows is installing drivers for the "new volume" that it finds?

Andy

#-198 Command line processed: C:\WINDOWS\system32\services.exe
#I022 Found "STORAGE\Volume" in C:\WINDOWS\inf\volume.inf; Device: "Generic volume"; Driver: "Generic volume"; Provider: "Microsoft"; Mfg: "Microsoft"; Section name: "volume_install".
#I023 Actual install section: [volume_install]. Rank: 0x00000000. Effective driver date: 07/01/2001.
#-166 Device install function: DIF_SELECTBESTCOMPATDRV.
#I063 Selected driver installs from section [volume_install] in "c:\windows\inf\volume.inf".
#I320 Class GUID of device remains: {71A27CDD-812A-11D0-BEC7-08002BE2092F}.
#I060 Set selected driver.
#I058 Selected best compatible driver.
#-166 Device install function: DIF_INSTALLDEVICEFILES.
#I124 Doing copy-only install of "STORAGE\VOLUME\1&30A96598&0&SIGNATURE49614960OFFSET397D400000LENGTHBB700000".
#-166 Device install function: DIF_REGISTER_COINSTALLERS.
#I056 Coinstallers registered.
#-166 Device install function: DIF_INSTALLINTERFACES.
#-011 Installing section [volume_install.Interfaces] from "c:\windows\inf\volume.inf".
#I054 Interfaces installed.
#-166 Device install function: DIF_INSTALLDEVICE.

Well, if that's the one, then that's a starting point for you.

You can find some of the numeric fields in the "STORAGE" line
in the Registry.

But I'm not good enough to use those numbers to identify
the actual disk.

Everest Free Edition can give you some disk signatures.
But again, you might not be able to line them up and
figure out which disk is doing it.

I think the data I snipped is for a drive not currently
connected. I have two permanent drives, and four external
drives, and only the permanent ones are connected at the moment.
So I can't see a device matching my entry, because I probably
unplugged it.

Paul
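Paul's two posts above show what a "Driver Install" section of setupapi.log looks like and note that the numeric fields in the STORAGE line are hard to tie back to a physical disk. As an added example, not code from Paul or anyone else in the thread, the Python script below splits a setupapi.log into sections, pulls the hardware ID, INF path and device instance ID out of each, and decodes the SIGNATURE/OFFSET/LENGTH suffix of a STORAGE\VOLUME instance ID into the MBR disk signature plus the partition's byte offset and size. The sample log is constructed from the two volume entries quoted in the thread; the second section's header line is invented so that Andy's headerless snippet parses as a complete section.

```python
"""Summarise the 'Driver Install' sections of a Windows XP setupapi.log.

Added example for this thread, not code from any poster. SAMPLE_LOG is
constructed from the two volume-install entries quoted in the thread; the
second section's header line (timestamp, pid.tid) is invented so that the
snippet parses as a complete section.
"""
import re
from dataclasses import dataclass

# Section header: [YYYY/MM/DD HH:MM:SS <pid>.<tid> <kind of operation>]
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.+)\]$")
HWID_RE = re.compile(r"^#-019 Searching for hardware ID\(s\): (.+)$")
FOUND_RE = re.compile(r'^#I022 Found "([^"]+)" in ([^;]+);')
FULL_INSTALL_RE = re.compile(r'^#I123 Doing full install of "([^"]+)"')
DONE_RE = re.compile(r'^#I121 Device install of "([^"]+)" finished successfully')
# A STORAGE\VOLUME instance ID ends with the MBR disk signature, the partition
# offset and the partition length, each as a run of hex digits.
VOLUME_RE = re.compile(r"SIGNATURE([0-9A-F]+)OFFSET([0-9A-F]+)LENGTH([0-9A-F]+)$", re.I)

SAMPLE_LOG = """\
[2013/06/28 07:15:39 1072.8 Driver Install]
#-019 Searching for hardware ID(s): storage\\volume
#-198 Command line processed: C:\\WINDOWS\\system32\\services.exe
#I022 Found "STORAGE\\Volume" in C:\\WINDOWS\\inf\\volume.inf; Device: "Generic volume"; Driver: "Generic volume"; Provider: "Microsoft"; Mfg: "Microsoft"; Section name: "volume_install".
#I023 Actual install section: [volume_install]. Rank: 0x00000000. Effective driver date: 07/01/2001.
#-166 Device install function: DIF_INSTALLDEVICE.
#I123 Doing full install of "STORAGE\\VOLUME\\1&30A96598&0&SIGNATUREE09035E5OFFSET15F00000LENGTH745AC00000".
#I121 Device install of "STORAGE\\VOLUME\\1&30A96598&0&SIGNATUREE09035E5OFFSET15F00000LENGTH745AC00000" finished successfully.
[2013/06/29 08:00:00 1072.8 Driver Install]
#-019 Searching for hardware ID(s): storage\\volume
#I022 Found "STORAGE\\Volume" in C:\\WINDOWS\\inf\\volume.inf; Device: "Generic volume"; Driver: "Generic volume"; Provider: "Microsoft"; Mfg: "Microsoft"; Section name: "volume_install".
#-166 Device install function: DIF_INSTALLDEVICE.
#I123 Doing full install of "STORAGE\\VOLUME\\1&30A96598&0&SIGNATURE49614960OFFSET397D400000LENGTHBB700000".
"""


@dataclass
class InstallEntry:
    timestamp: str
    kind: str
    hardware_ids: str = ""
    inf_path: str = ""
    instance_id: str = ""
    finished: bool = False
    line_count: int = 0


def parse_setupapi_log(text):
    """Split the log into sections and keep the fields that identify each device."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = InstallEntry(timestamp=header.group(1), kind=header.group(3))
            entries.append(current)
            continue
        if current is None or not line:
            continue  # blank line, or text before the first section header
        current.line_count += 1
        if m := HWID_RE.match(line):
            current.hardware_ids = m.group(1)
        elif m := FOUND_RE.match(line):
            current.inf_path = m.group(2).strip()
        elif m := FULL_INSTALL_RE.match(line):
            current.instance_id = m.group(1)
        elif m := DONE_RE.match(line):
            current.instance_id = m.group(1)
            current.finished = True
    return entries


def decode_volume_id(instance_id):
    """Return (disk_signature, offset_bytes, length_bytes) for a volume instance
    ID, or None when the ID does not carry that suffix (e.g. a USB device)."""
    m = VOLUME_RE.search(instance_id)
    if not m:
        return None
    signature, offset, length = m.groups()
    return signature.upper(), int(offset, 16), int(length, 16)


def describe(entry):
    """One line per install; a section with no #I121 line never completed."""
    status = "finished" if entry.finished else "INCOMPLETE"
    text = f"{entry.timestamp} {entry.kind}: {entry.hardware_ids} ({status})"
    geometry = decode_volume_id(entry.instance_id)
    if geometry:
        sig, off, length = geometry
        text += f"; disk signature {sig}, partition at {off / 2**30:.2f} GiB, size {length / 2**30:.2f} GiB"
    return text


if __name__ == "__main__":
    for entry in parse_setupapi_log(SAMPLE_LOG):
        print(describe(entry))
```

Run it against a real C:\WINDOWS\setupapi.log (and the rolled-over copies Paul mentions) to list every install in time order; the most recent sections are the ones that fired on the last boot. The decoded partition offset and size can be compared with each attached disk's partition table, and the disk signature is the value a disk-inventory tool such as Everest reports, which gives something concrete to line the log entry up against.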
 
Andy

On each bootup, Windows tells me that it found new hardware and wants to reboot.

I have a few disabled drivers.

How do I find out what Windows is "finding"?

Andy

I'm working on a new "challenge."

I found a trojan and cleaned it with MBAM, but Windows Firewall keeps getting turned off.

The key below is a new one to me for starting up programs.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Antivirus]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winav"
"hkey"="HKLM"
"command"="C:\\winav.exe" <---Trojan !!!!
"inimapping"="0"

Win Defender did not find anything.
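The key Andy posted is where MSConfig parks startup items it has disabled: each subkey under startupreg records the hive ("hkey"), the Run key ("key"), the value name ("item") and the command line ("command") the item originally had, so the entry survives in the registry even after it disappears from the Run key itself. As an added example, not code from anyone in the thread, the Python script below parses a .reg export of that key, reconstructs where each item used to run from, and applies two cheap triage checks to the command path. The sample export is constructed: the first entry is the one in Andy's post, the second (ExampleUpdater) is an invented benign item for comparison.

```python
"""Reconstruct disabled startup items from an export of MSConfig's startupreg key.

Added example for this thread, not code from any poster. MSConfig records each
startup entry it disables under
HKLM\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg\\<display name>,
keeping the hive ("hkey"), Run key ("key"), value name ("item") and command
line ("command") it was removed from. SAMPLE_REG is constructed: the first
entry is the one posted in the thread, the second is an invented benign item
(ExampleUpdater) for contrast.
"""
import re

STARTUPREG_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')
HIVE_NAMES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Antivirus]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winav"
"hkey"="HKLM"
"command"="C:\\winav.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ExampleUpdater]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ExampleUpdater"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Example\\updater.exe\" /background"
"inimapping"="0"
"""


def unescape_reg(value):
    # .reg files escape backslashes and double quotes with a backslash;
    # dropping the escaping backslash recovers the stored string.
    return re.sub(r"\\(.)", r"\1", value)


def parse_startupreg(text):
    """Return one dict per startupreg subkey with its lower-cased value names."""
    items = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            path = m.group(1)
            if path.lower().startswith(STARTUPREG_PREFIX.lower() + "\\"):
                current = {"name": path[len(STARTUPREG_PREFIX) + 1:]}
                items.append(current)
            else:
                current = None  # a key outside startupreg; ignore its values
            continue
        if current is None:
            continue
        if m := VALUE_RE.match(line):
            current[m.group(1).lower()] = unescape_reg(m.group(2))
    return items


def original_location(item):
    """Where the entry was launched from before MSConfig disabled it."""
    hive = HIVE_NAMES.get(item.get("hkey", ""), item.get("hkey", "?"))
    return f"{hive}\\{item.get('key', '?')} : {item.get('item', '?')}"


def executable_path(command):
    """Strip quoting and arguments from a Run command line, leaving the program path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage_flags(item):
    """Cheap hints that an entry deserves a closer look; none of them is proof."""
    flags = []
    exe = executable_path(item.get("command", ""))
    # Installers almost never drop a program's main binary directly in the drive root.
    if re.fullmatch(r"[A-Za-z]:\\[^\\]+", exe):
        flags.append("executable sits in the drive root")
    # Most legitimate startup items live under Program Files or the Windows directory.
    if not re.match(r"[a-z]:\\(program files( \(x86\))?|windows)\\", exe.lower()):
        flags.append("executable outside Program Files and the Windows directory")
    return flags


if __name__ == "__main__":
    for item in parse_startupreg(SAMPLE_REG):
        print(f"{item['name']!r} disabled from {original_location(item)}")
        print(f"    command: {item.get('command', '?')}")
        for flag in triage_flags(item):
            print(f"    FLAG: {flag}")
```

Export the key with regedit or `reg export` and feed the file in; the reconstructed location tells you which Run value to check has actually gone, and the flags point at entries worth submitting to a scanner first. The checks are deliberately simple heuristics for an analyst's shortlist, not a verdict.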
 
Buffalo

"Andy" wrote in message
On each bootup, Windows tells me that it found new hardware and wants to
reboot.

I have a few disabled drivers.

How do I find out what Windows is "finding"?

Andy

I'm working on a new "challenge."

I found a trojan and cleaned it with MBAM, but Windows Firewall keeps
getting turned off.

The key below is a new one to me for starting up programs.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Antivirus]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winav"
"hkey"="HKLM"
"command"="C:\\winav.exe" <---Trojan !!!!
"inimapping"="0"

Win Defender did not find anything.


Some info here.
http://www.file.net/process/winav.exe.html
 
Paul

Buffalo said:
"Andy" wrote in message
On each bootup, Windows tells me that it found new hardware and wants
to reboot.

I have a few disabled drivers.

How do I find out what Windows is "finding"?

Andy

I'm working on a new "challenge."

I found a trojan and cleaned it with MBAM, but Windows Firewall keeps
getting turned off.

The key below is a new one to me for starting up programs.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Antivirus]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winav"
"hkey"="HKLM"
"command"="C:\\winav.exe" <---Trojan !!!!
"inimapping"="0"

Win Defender did not find anything.


Some info here.
http://www.file.net/process/winav.exe.html

If you want real info, upload the winav.exe file
to virustotal.com. That way, you'll get a name for the
trojan, and that will make it easier to track down
a solution. The virustotal.com site has AV scanners,
which it runs against your file submission. There is
a relatively generous limit on upload file size (at least 64MB
as of today). (There were some people making malware
on purpose, a little larger than the upload size, so
people wouldn't be scanning them.)

If there is "good quality" malware on your machine, it
will block attempts to reach the well-known anti-malware
sites... In which case, you carry the "winav.exe" over
to your Linux machine, and upload to virustotal.com from there.
(Even your Macintosh would do... :) )

MBAM is good for some flavors of problems, while
AdwCleaner and HitmanPro exist for "potentially unwanted applications".

http://en.wikipedia.org/wiki/Malwarebytes (use the free one-time-scan version)
http://www.bleepingcomputer.com/download/adwcleaner/
http://en.wikipedia.org/wiki/HitmanPro

And if you have a name for the trojan, then Googling that,
and looking at efforts to remove it on Bleepingcomputer,
might give you some idea what to do. There are a number
of sites that offer advice on removal. Just don't trust
every site that shows up in a search, as they're not all
legit.

And for its comedy value, here is a rating for bleepingcomputer.
There are web sites that offer a review of a site. But they
don't always give good info. When they allow user reviews,
malicious individuals can post bad reviews (just for laughs).
A rating here consists of mechanical scanning, as well as a
chart for user reviews (at the bottom).

http://www.siteadvisor.com/sites/bleepingcomputer.com

The "comments" button at the bottom gives the text of the
reviews. And you can see not all the reviews are serious.
You should really read the review text, rather than trust
the summary graph.

http://www.siteadvisor.com/sites/msgpage/bleepingcomputer.com

Paul
 
Andy

On each bootup, Windows tells me that it found new hardware and wants to reboot.

I have a few disabled drivers.

How do I find out what Windows is "finding"?

Andy

I think I got the "mess" cleaned up.

I had winav.exe -> Trojan

and kernel.exe -> Virus or Malware

I will upload what I have so they can study it.

I may study it with a hex editor under Linux.

Andy
 
