
LARRYRB

Honorary Members
  • Posts

    70
Everything posted by LARRYRB

  1. Yup.. separate power source on the external drive so it's not dependent upon power from the USB connection. The fact that it happens with all 3 Win7 PC's that I've connected it to, along with 3 different cables, coupled with the 15-20 minute repeatability really convinces me that it's not a hardware/power issue. I've moved the Seagate drive to a Windows Home Server 2008 setup as a data storage drive... it seems to be working swimmingly in this capacity (I'm pretty sure WHS 2008 is based upon Win Server 2003 technology). In fact, it worked so well on the WHS that, along with my curiosity over the innards of the drive, I cracked the case open and found a 1.8 TB Seagate SATA drive inside. I threw the drive into a Rosewill USB SATA dock which effectively replaces its USB interface and plan to procure a PCI to SATA interface for it because my WHS PC doesn't support SATA (just IDE). As for progress on the original issue, I have another external USB hard drive that I'm about ready to connect to one of the Win7 PC's to see if it, too, does the disappearing act...
  2. 3rd cable in place, no change in symptoms. I even plugged the 3rd cable into a different USB port... the multimedia class scheduler service pops up in the system event log about 17 minutes after the drive was plugged in and the cycle repeats. I can't believe three different cables could be bad, right? I guess next move is to shift the drive to another PC and see if the symptom follows... ARRRRRGGGGHHHHHH!!!!!
  3. Well, I borrowed a cable from the neighbor and it behaves the same way... drive disappears, reappears just like the first cable. He gave me two, so on the weird chance that his first cable is bad as well, I'll try his second one now...
  4. I appreciate the reply, Firefox! I'm still running the original USB cable that came with the device.. a 5 or 6 foot USB A-male at the computer end with a micro (or mini ?) USB (sorta looks like a miniature version of the standard HDMI connector) at the drive end. I don't have another one of these cables to substitute, but may go out looking for one just to eliminate the possibility of a bad cable. But I've changed ports, reseated connectors, and moved the drive quite a few times and the errant behavior never seems to change-- even moving it to a 2nd computer. With the behavior being so "scheduled" looking, with it occurring every 10-15 minutes, isn't it hard to believe that a hardware problem or cable could be the cause? My experience with hardware failures is a much more "random" appearance of the issue. I do have a 3rd Win7 machine (not running any media center) as well as an XP Pro laptop... they are perhaps next in line to meet this disk just to see if the problem follows the disk drive... Very perplexing!!!! Please keep the thoughts coming... I'll try anything possible (erm... within reason, of course)!!!
  5. Thanks for the reply, rgabbard! Good thinking, but already covered... my bad on failing to mention this in my "what I've done already" section. I'm running the Maximum performance selection, with sleep disabled in all advanced options within that scheme. I also went into device manager, USB ports and unticked "allow this device to put the computer to sleep" under the power management tabs on the USB hubs (basically, anywhere where I saw power management options, I've turned 'em off-- 4 places on one machine's USB devices, 6 places on the first machine). I've done the above to both computers, and neither shows any sign of it making a difference in the odd behavior. What's your next thought?
  6. I've received some excellent virus/malware help from these forums, so I'm hoping some of you computer uber-gods can shed some light on an issue I'm having (non-virus related, I think). I'm having an annoying problem on my Win7 Pro 64 bit home theater PC (HTPC) that I use as my DVR to record TV running Windows Media Center (WMC). The WMC part works wonderfully-- check it out if you're unfamiliar with it.. it blows away the DVR offerings by both DirecTV and Comcast (I've had both). But I digress... I thought that since this computer is always on, why not attach my Seagate 2TB Expansion Drive to the PC's USB port, share the drive at the root as Z: and map network drives to it on my other household PC's to have them all run periodic backups during the wee hours of the night, saving the disk images to this Seagate hosted on the HTPC. The HTPC will "trumpet" every 10-15 minutes (making the sound that removing a device makes, followed in 10 seconds by the adding device sound). Upon watching this in detail, I've caught the Seagate light turning off when the first trumpet sounds, and the light coming back on at the second trumpet 10 seconds later. Further watching shows the drive Z disappear from the list of drives under Computer, then reappear 10 seconds later. So the HTPC is dropping the drive, then re-adding it 4-6 times per hour. Every once in a while the sharing on the drive is blown away too and I find I have to reassert the share. The goose chasing I've done so far: About the time I hear the trumpet the Event viewer, Windows Logs, System shows a series of Service Control Manager Event ID: 7036's The Multimedia Class Scheduler service entered the running state. and then 10-12 seconds later The Portable Device Enumerator Service service entered the running state. 120 seconds after the Enumerator starts, it enters a stopped state and then a couple minutes later the Class Scheduler stops as well.
All of this will repeat 15 to 20 minutes later, so you can imagine what my event logs look like. Does any of the above ring bells for anyone reading this? I've moved the Seagate drive to a 2nd Win7 Pro PC and it does the exact same thing, so I'm concluding that the USB port in the HTPC isn't bad, although I've plugged the drive into several of its USB ports and see no difference in behavior. I've checked with Cetoncorp.. the folks that make the InfiniTV 4 tuner card for the DVR function that Win Media Center uses and they advise the following: I've installed the Process Monitor tool from Microsoft sysinternals but I'm a bit blown away by all the info it displays. (i.e. a powerful table saw in the hands of an amateur makes more sawdust than fine cabinetry... ;-)). I'm under the impression that this tool can show me the calling process that gooses the Multimedia Class Scheduler to wake up, but I'm not sure how to do that, or if this is even an appropriate avenue to pursue... There is a small second partition on the Seagate (I'm not sure if it was there from the factory or not) that Bit Locker errors come up for after a reboot... Event ID: 24620 -- Encrypted volume check: Volume information on \\?\Volume{27395a8b-d4b8-11e0-95cb-806e6f6e6963} cannot be read. This isn't a boot drive, but perhaps the drive was attached at some point during a Win7 setup and it received one of those special boot partitions that Win7 throws down maybe? I didn't want to nuke the partition before investigating this further, but I certainly could if you folks think that this behavior is Win7 rechecking this drive all the time. But the Bit-Locker errors only occur right after boot... not continually like the 7036 events I'm seeing with the drive dropping out/reappearing. I'm not sure if Win7 comes back every 15 minutes to check a partition that it couldn't read? And if it did, wouldn't I be seeing continual Bit-Locker errors? Any ideas on how I should proceed to track this down? 
I'm close to destroying the case of the Seagate, yanking out what I expect to find being a 2 TB 3.5" SATA drive inside it (hopefully a Seagate or Maxtor.. LOL), and mounting the drive into the HTPC and directly attaching a SATA cable to it to eliminate the USB interface. Yeah.. I know... it will be faster too... but I do lose the portability of the drive doing this. Anybody wanna help me beat this one into submission?
  7. Ok, and just so I can learn something from all this... By this you mean that you are going to remove the detection signature from MBAM's database that detects the malware within guidetoolsetup because you feel it does no harm? I'm assuming that your systems detected it too, but upon inspection of it you're concluding that it's harmless? Or did your systems not throw up the same warning that my MBAM did?
  8. Great! Cool! I understand... and I just zipped em up, and started a topic in the forum Rich suggested (using the same topic name as this one) to which I posted them as attachments. Thanks again!
  9. Ron, is your advice of deleting the system restore points only to keep me from possibly recovering my system sometime in the future to an earlier time when this malware was still around? Or is there some other reason to clear them?
  10. Well, if I'm reading the results properly, 2 out of 43 anti-virus programs detect the ie7prosetup_2.5.1.exe file with the commentary equally split as to goodware/malware tags. However, the reputation tags win on the goodware side 15 to 2. Here's a link to the results: My link and the other file (guidetoolsetup.exe) is only detected by McAfee (1 out of 43) with no commentary from the community... It's result link: guidetoolsetup.exe results Ron, are you implying you want me to attach them here? If you don't want them attached, shall I let each program (MBAM and MSE) eradicate their respective finds?
  11. Oh, I understand the need for both an anti-virus and the anti-malware-- I'm not disputing that in the slightest. The curiosity for me is that the detected items both seem to be of a malware classification in my eyes, so I was really thinking that both MSE and MBAM would report both of them, rather than the mutual exclusivity I'm reporting. They both have an "Adware" designation, no? Just to clarify, isn't "Adware" considered to be "Malware"? If this is the case, I'm surprised MBAM didn't pick up both of them, hence why I'm bringing this up. I.E., do the folks in the malware signatures department (engineering?) have any interest in having these files before I nuke em?
  12. This morning my Win7 Pro 64bit machine pops up a Microsoft Security Essentials (MSE) alert detailing a potential threat found in a file I had downloaded from the internet a few weeks back. The threat is entitled Adware:Win32/OpenCandy and lists these details: containerfile:D:\Common\Downloads\IE Session Managers\IE7Pro\IE7ProSetup_2.5.1.exe file:D:\Common\Downloads\IE Session Managers\IE7Pro\IE7ProSetup_2.5.1.exe->(nsis-6-ProgSenseSetup.exe)->(inno#000043) So I thought, what the heck, before I take any removal action on the threat I'd run a MalwareBytes (MBAM) quick scan to see if it detected the same issue. Well, the MBAM quick scan found zero issues. So, I thought I'd run the MBAM full scan to see if the full scan would detect what was missed during the Quick scan. Surprisingly, the MBAM full scan also didn't see the malware threat in the above IE7ProSetup_2.5.1.exe file but oddly enough, it detected something that the full scan of MSE missed entirely: Files Infected: d:\Common\downloads\media center tools\guide tool\guidetoolsetup.exe (Adware.EzSearch.Gen) -> No action taken. I've not taken the MBAM "remove selected" action yet either, thinking that the MalwareByte's crew might be interested in at least the IE7ProSetup_2.5.1.exe file since it was missed in the MBAM full scan. I'd be happy to attach one or both of the infected files... Please advise and move this post to the proper forum if I'm not already there... Larry ps I downloaded the IE7ProSetup in a, as yet still unfruitful, search for a session manager product for IE7/8 that mimics the immensely capable session saving capabilities of the Tab Mix Plus addon for Firefox. While this is unrelated to the above Malware issues, I'm very open to suggestions of products to try for IE.
  13. OK... sounds good.. I'll give those training sites a look. I'm presuming that once you close it, I'll still see it under "My Content" and be able to reference it, correct? I suspect it's going to go into the "Resolved HiJackThis Logs"? Thanks again for all your help!!
  14. Woot!!! Woot!!! No more errors in the Eventvwr related to Java! That did the trick! A quick check back in regedit looking under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key I see no more folder for JavaQuickStarterService either. I'm curious.. was the SC command (I'm assuming this means Service Controller) just a more convenient (and safer) way to delete the service than nuking the JavaQuickStarterService folder via regedit? i.e.. does WinXP read that collection of folders at startup and develop a database that gets corrupted if you just delete a registry key that feeds it? Just trying to learn (as well as educate others that are reading this thread and may have the same questions) And, to continue.. here's a re-run of DDS logs... (which I did run with Msft's Security Essentials still active, hope that's not an issue or should I repeat them with MSE realtime scanning off?) I note within the DDS log I still show the two DPF references within the Pseudo HJT Report section. Any Java references in the Attach report are for a time period before this latest work. Other than the several questions above, is there anything else I should do now to prove I'm "Clean" ??? dds_final_3.txt attach_final_3.txt
  15. Awesome... I was hoping there was a better way!!! So, via Start, Run, Cmd: Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\Administrator>sc delete JavaQuickStarterService [SC] DeleteService SUCCESS C:\Documents and Settings\Administrator> Now on to a reboot and a recheck of those Event Logs...
  16. After rebooting I'm checking eventlogs via Start, Run, eventvwr: The application folder has no error references to Java both before I did this change, or after the change. However, in the system folder I'm still seeing a Red X 7000 event from the Service Control Manager with this description: The Java Quick Starter service failed to start due to the following error: The system cannot find the path specified. So now I'm gonna figure out which registry keys control what tries to autostart this java service... The ============== Pseudo HJT Report =============== section of yesterday's (before the prior regedit that removed the two java keys) shows: but I'm not sure what the "DPF:" prefix means, or if this should be pointing me somewhere, so that's no help... So.. a little bit more research leads me to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry entry. Within it I see a folder named: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JavaQuickStarterService Would it be appropriate to delete this registry key, reboot and confirm if there will be no more eventvwr errors relating to Java? (I'm always a little bit hesitant on registry changes but I'm thinking that since I'm supposed to have no Java installed on this machine, then there should be no references to Java, correct?)
  17. Via regedit, I'm deleting the following keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83216016FB} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83216017FB} and then I checked C:\Program Files\InstallShield Installation Information and I see no folders for either of the above keys. Am I to assume from the above that the registry keys were leftovers from botched uninstalls/updates? And since I'm not seeing any evidence of Java in my Add/Remove programs that's why I don't see any InstallShield Installation folders for those two keys? I'm going to reboot now because I'm assuming a registry key deleting won't be recognized until reboot, and then I'll rerun DDS to see if it now shows no references to java.
  18. Hehe... ok.. the pressure's on!!! Give me a bit of time and I'll see if I can do it on my own... let's see if I learned anything!!! I'll post back my successes or frustrations.
  19. A few unanswered questions from yesterday's post: I'll see if I can get the java entrails out first.. what tool is it you use to tell that some part of Java is still installed (so I'll know if I've achieved success with removal) Does this whole thread then move to a solved forum but remains available for me to reference at a later date? How long do you keep em around? Once I go Pro, do I still work with you guys here on support issues, or is it a whole separate group that takes care of the Pro users? Thanks!
  20. OK cool!!! Just a couple more questions for you if you'd be so kind... I'll see if I can get the java entrails out first.. what tool is it you use to tell that some part of Java is still installed? Does this whole thread then move to a solved forum but remains available for me to reference at a later date? How long do you keep em around? I'm gonna talk up Malwarebytes to my friends and associates and put together a bulk order for a bunch of licenses...I've got 4+ puters myself that should really be running the pro version. Once I go Pro, do I still work with you guys here on support issues, or is it a whole separate group that takes care of the Pro users? Thanks again for all your efforts... you guys are indeed super!
  21. Since rebooting, the only red and yellow errors in the two event viewer logs relate to not being able to find the domain and not being able to find a time server (which I think is normally the server in a domain environment). Except... there is one system event: The Java Quick Starter service failed to start due to the following error: The system cannot find the path specified. Should I get a java update? I believe I killed an old java version (17 maybe) but haven't gone after anything new for it... java.com right? And then you want me to reboot, recheck event logs to see if the Java quickstarter service stops erroring? And then, if it has stopped, I should reinstall MSE and reboot, recheck events once again?
  22. Answers to your questions before I do the DDS... Yes, I'm involved with this machine for a widowed friend of mine that's an accountant since she knows I'm a PC guy. When I get it going and give it back to her it does normally operate on a SBS2003 server based LAN. I know they use Creative Solutions, but I'm not fully familiar with it to know if the print service is still used.. I could certainly find out. I understand they used to have a Novell based network prior to SBS.. so maybe that RIP service is from that day and age? Currently uninstalling MSE... used the control panel add/remove and subsequently checked with Revo... Revo sees no evidence of it. Removed folder C:\TDSSKiller_Quarantine I'm sure I can bring in several new licenses (I'm guessing around 6 of them) for Malwarebytes Pro because they're going to get a strong recommendation from me that they need the pro version to keep themselves protected. and finally, here's the DDS logs (..final_2) ran with no virus protection installed (I did have IE v8 open while running it tho) dds_final_2.txt attach_final_2.txt
  23. The latest, and hopefully final <crosses fingers> combofix log... combofix_log_final.txt