Spyware, Viruses, & Security

General discussion

Unknown Device Installed

by danawenco / February 16, 2009 1:06 PM PST

Hi, I had an "Unknown Device Installed" window coming up at start up, and hope to get some advice here.

Here's what I did:

- I tried to remote log in to my other computer via logmein.com (I've been using it for a long time)
- I was prompted to grant user account control rights to install an active x control, so I did that
- Then another pop up came up saying that "A website wants to open web content using this program on your computer". The program is an AVG scanning module (avgcsrvx.exe) that belongs to my AVG, so I clicked allow.

After that, I rebooted my PC, and once it's been rebooted I see a window titled "Driver Software Installation", with the content:

Unknown Device installed
The software for this device has been successfully installed.
Unknown Device Ready to use

I haven't initiated any installation, and the only devices I have connected are my mouse and my scanner, both of which have been installed for a long time.

I restarted in Safemode to look at my system restore points, no installation/updates are reported for today.
I ran Spybot & Destroy, as well as Malware Bytes, and nothing came up.

Is there any way to find out what unknown device was installed on my machine?
And, does this look like a malware?

I have Windows Vista, using IE7.

Many thanks for your help! Really appreciate it.

How about your "Device Manager"
by Donna Buenaventura / February 16, 2009 1:47 PM PST

Hi,

1. Please check if there's unknown device status in Device Manager of Vista.

2. If nothing in the device manager, you can also look into the "Device Install Log" by opening setupapi.app.log file in C:\Windows\inf folder

Double-click the setupapi.app.log file. Notepad will open to display the content.

You should see something like this:

"[Device Install Log]
OS Version = 6.0.6001
Service Pack = 1.0
Suite = 0x0100
ProductType = 1
Architecture = x86

[BeginLog]

>>> [DIF_REMOVE - ROOT\LEGACY_MSDSM\0000]
>>> Section start 2009/01/08 17:52:57.052.."

3. If the date is not recent, please try to do this:

Scan using SUPERAntispyware

SUPERAntispyware (SAS) http://www.download.com/SUPERAntiSpyware-Free-Edition/3000-8022_4-10523889.html
You can also download it from http://superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

+++++ Installation & Configuration instructions: The installer will prompt you to choose your language and to update the detection definitions. Please choose your language and allow the update to be installed. The SAS icon in your notification area (aka System tray) will appear. There is NO need to double-click the icon of SAS in your desktop because SAS will open automatically.
The SAS setup wizard will run to offer you to protect the home page from being changed. Select Protect home page. SAS main window will open. Click the "Preferences" button then select "Scanning Control" tab and ensure the following is checked (leave others as unchecked):
-- Close browsers before scanning
-- Scan for tracking cookies
-- Terminate memory threats before quarantining
-- Scan Alternate Data Streams
-- Use Kernel Direct File Access
-- Use Kernel Direct Registry Access
-- Use Direct Disk Access
-- Display scan option in Explorer context (right-click) menu
Click Close button when done. Proceed in running a QUICK scan for Drive C (this is where your OS is installed).
Let SAS fix the detected items. (Note: SAS automatically quarantines detected items and you will be notified after the fix). Reboot when done and re-scan again.

NOTE: If scanning with SAS hangs uncheck these in Preferences>Scanning tab: (Please do not uncheck these items if you have no problem in scanning. The kernel technology of SAS will help find hidden files added by malware e.g. rootkit infection)
-- Use Kernel Direct File Access
-- Use Kernel Direct Registry Access
-- Use Direct Disk Access
Click Close button then re-scan the system again using SAS.

+++++ If SuperAntispyware will not install, please download and run the alternate version of the install package:
Get the alternate installer of SUPERAntiSpyware FREE Edition from http://downloads.superantispyware.com/downloads/SAS_FREE.EXE
Proceed by installing the alternate version of the installer.
See also: http://www.superantispyware.com/supportfaqdisplay.html?faq=71

+++++ If SuperAntispyware will not run, download RUNSAS.EXE to launch SUPERAntiSpyware:
RUNSAS.EXE - http://www.superantispyware.com/downloads/RUNSAS.EXE
See also: http://www.superantispyware.com/supportfaqdisplay.html?faq=71

+++++ If you will have problem updating SuperAntispyware, download the definitions installer from http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE
See also: http://www.superantispyware.com/definitions.html

+++++ If you want to re-install SAS but encounter issue with re-installation, use first the SuperAntispyware Uninstallation Assistant by downloading it from http://www.superantispyware.com/downloads/SASUNINST.EXE then proceed to re-install SAS Free.

Let us know how it goes.
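One way to answer "is anything in this log recent?" without reading it by eye, as an added example that is not part of the original post: a small parser for the `>>> [operation - device]` / `>>> Section start <timestamp>` layout quoted above. The sample log is constructed, the function names are hypothetical, and the `<<<` section-end and exit-status lines are assumed from how Vista writes these logs rather than taken from this page.

```python
import re
from datetime import date, datetime

# Constructed sample in the layout quoted in the post above; not a real log.
SAMPLE_LOG = r"""[Device Install Log]
     OS Version = 6.0.6001

[BeginLog]

>>>  [DIF_REMOVE - ROOT\LEGACY_MSDSM\0000]
>>>  Section start 2009/01/08 17:52:57.052
      cmd: "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
     dvi: Default installer: Enter 17:52:57.100
     dvi: Default installer: Exit
<<<  Section end 2009/01/08 17:52:57.300
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USB\VID_0000&PID_0000\EXAMPLE]
>>>  Section start 2009/02/16 13:10:05.250
     dvi: No class installer for 'USB Root Hub'
     dvi: No CoInstallers found
<<<  Section end 2009/02/16 13:10:06.000
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[(?P<title>.+)\]\s*$")
START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)")
EXIT = re.compile(r"^<<<\s+\[Exit status: (?P<status>[^\]]+)\]")
ENTRY = re.compile(r"^\s*(?:!+\s+)?(?P<tag>[a-z]{2,4}):\s+(?P<text>.*)$")


def parse_sections(text):
    """Split a setupapi-style log into one dict per '>>> [...]' section."""
    sections, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            # Title is "<operation> - <device instance id>"; the id may be absent.
            operation, _, device = m.group("title").partition(" - ")
            current = {"operation": operation, "device": device or None,
                       "start": None, "cmd": None, "exit_status": None,
                       "from_device_manager": False, "entries": []}
            sections.append(current)
            continue
        if current is None:
            continue  # file preamble or gap between sections
        m = START.match(line)
        if m:
            current["start"] = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            continue
        m = EXIT.match(line)
        if m:
            current["exit_status"] = m.group("status")
            current = None  # section closed
            continue
        m = ENTRY.match(line)
        if m:
            tag, body = m.group("tag"), m.group("text")
            if tag == "cmd":
                # The process that triggered the section; devmgmt.msc means the
                # user simply had Device Manager open.
                current["cmd"] = body
                current["from_device_manager"] = "devmgmt.msc" in body.lower()
            current["entries"].append((tag, body))
    return sections


def recent_sections(text, since):
    """Sections that started on or after `since` (a datetime.date), oldest first."""
    hits = [s for s in parse_sections(text) if s["start"] and s["start"].date() >= since]
    return sorted(hits, key=lambda s: s["start"])


if __name__ == "__main__":
    for s in recent_sections(SAMPLE_LOG, date(2009, 2, 16)):
        via = "Device Manager" if s["from_device_manager"] else "other"
        print(s["start"], s["operation"], s["device"], s["exit_status"], via)
```

Vista also keeps setupapi.dev.log in the same C:\Windows\inf folder with the same section layout, so the parser can be pointed at either file.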

I found an unknown device...
by danawenco / February 16, 2009 2:40 PM PST

Hi Donna. Thanks so much for your help!

I did find an "unknown" device under my Device Manager, not sure if it's the one that was installed today. It's under the "Universal Serial Bus Controllers" category, and has the following description.

-------------------------------------------------------
Unknown Device

Device type: Universal Serial Bus Controllers
Manufacturer: (Standard USB Host Controller)
Location: Port_#

Device Status

No drivers are installed for this device

Driver Provider: Microsoft
Digital Signer: microsoft windows
---------------------------------------------
plus some other information that I thought might be irrelevant. Should I uninstall it?


I also found quite a number of entries in my Device Install Log dated today. Frankly I am having a hard time understanding them. I compared some keywords with earlier entries, some are the same, some are not, and I am unable to come to any conclusion. Are there any tricks to look at the log?

My connection is very slow so I will have to wait till tomorrow before I can try the Superantivirus.

Thanks again Donna!

Try this
by Donna Buenaventura / February 16, 2009 3:45 PM PST

If it's a problem with the device because there's no driver or you allowed an unsigned driver (that is, when you allowed the "A website wants to open web content using this program on your computer")

I suggest doing any of these:

1. Start>Run then type sysdm.cpl
Hit OK. Select "Hardware" tab.
Click "Windows Update Driver Settings"
Select "Check for drivers...(recommended)"
Click OK. Click Apply

2. Open the Device Manager again. Try to install the driver by selecting "Update driver" for the "unknown device"
Select "automatically search for device" (this will try to connect to Windows Update)
See if Windows Update will be able to find a driver for that device.

3. If the above will not work... Use again the logmein to remotely access your computer. See if Vista will try to find anything to install after it identified the "network connection" component of your connection using logmein.

4. If no device to install or nothing is detected by Vista:

Open Device Manager then right-click the offending device. Open the properties. Under "General tab" look at "Device Status".
Look for error #: Do you see Error Code 1 or Error Code 10?

5. If no error code, just disable the device (do not uninstall until you're sure that you do not have device that is related to that entry)

Reboot.

Can you please check also your IE>Tools>Manage Add-ons
Please post here what add-ons is installed.

Unknown Device
by danawenco / February 17, 2009 12:40 AM PST
In reply to: Try this

Thanks Donna for the detailed instructions.

I will follow these steps when I get home tonight.

Actually I repeated step 3, and nothing was found to be installed. And for step 4, I don't think there's any error code on the Device Status tab.

I will post more information tonight. Thanks again!

BTW, does it sound like a malware to you?

I don't think it's malware related
by Donna Buenaventura / February 17, 2009 4:02 AM PST
In reply to: Unknown Device

but we can only determine that if you will try to scan with another tool. Try SUPERAntispyware (see my guide in earlier post in this thread).

Also, is there anything new in the IE's add-on manager? I asked because you wrote in your first post that you allowed a web content whether it's a plug-in or not, it might be there in your add-on.

You're welcome and yes, let us know how it goes.

Sorry this is long
by danawenco / February 17, 2009 11:46 AM PST

Hi Donna,

I restarted my PC today and don't see that "Unknown Device" on my Device Manager anymore! I didn't count the number of devices I had yesterday so I can't tell if the unknown has become known, or if it's gone.

I do see new entries on my setupapi.app log dated today. I've included some of them below (don't want to clutter up this post so I've excluded some of them that don't seem to be meaningful).

cmd: "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
dvi: No class installer for 'USB Root Hub'
dvi: No CoInstallers found
dvi: Default installer: Enter 18:17:19.997
dvi: Default installer: Exit

cmd: "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
dvi: Default installer: Enter 18:17:59.231
dvi: Default installer: Exit

dvi: Using exported function 'USBHubPropPageProvider' in module 'C:\Windows\system32\usbui.dll'.

cmd: "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
dvi: No class installer for 'USB Root Hub'
dvi: No CoInstallers found
dvi: Default installer: Enter 18:25:48.635
dvi: Default installer: Exit

cmd: "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
dvi: Default installer: Enter 18:25:54.204
dvi: Default installer: Exit


Below is the list of add-ons on my IE (Name and file). I have selected to show "Add-ons that have been used by Internet Explorer"

Name (publisher), file

Ask Toolbar(Ask.com), askBar.dll
AVG Security Toolbar(AVG Technologies), AVGTOO~1.DLL
AVG Security Toolbar(AVG Technologies), AVGTOO~1.DLL
McAfee SiteAdvisor BHO(McAfee), mcieplg.dll
McAfee SiteAdvisor Toolbar(McAfee), mcieplg.dll
Research, <File blank>
Send to OneNote , <File blank>
Spybot - Search & Destroy, <File blank>
SSVHelper Class (Sun Microsystems), ssv.dll
Sun Java Console, npjpi160.dll
Adobe PDF Link Helper, AcroIEHelperShim.dll
AskBar BHO(Ask.com), askBar.dll
AVG Safe Search(AVG), avgssie.dll
Spybot-SD IE Protection, SDHelper.dll
Shockwave Flash Object(Adobe System), Flash10a.ocx
Remote Access ActiveX Client(LogMeIn), RACtrl.dll
Performance ViewActivex Control (LogMeIn), RACtrl.dll
InformationCardSigninHelper Class, icardie.sll
Windows Media Player, wmp.dll
XML DOM Document 4.0, msxml4.dll
XML HTTP 4.0, msxml4.dll
XML DOM Document, msxml3.dll
Adobe PDF Reader, AcroPDF.dll
XML DOM Document 3.0, msxml3.dll
XSL Template 3.0, msxml3.dll
Free Threaded XML DOM Document 3.0, msxml3.dll
XML DOM Document 6.0, msxml6.dll
get_atlcom Class, gp.ocx
Java Plug-in 1.6.0, npjpi160.dll
Java Plug-in 1.6.0, npjpi160.dll

I scanned again according to your instructions, and nothing showed up.

Thanks again Donna.

The setupapi.app log
by Donna Buenaventura / February 17, 2009 12:43 PM PST
In reply to: Sorry this is long

contains log info only when you opened the Device Manager and that it can't find the installer for your device.

Glad to hear that there is no more "Unknown Device" each time you startup Windows. If ever it will appear again, you will need to hunt which of your devices do not have driver.

Thanks for posting your IE add-ons info. Nothing unusual but:
Ask Toolbar(Ask.com), askBar.dll
AskBar BHO(Ask.com), askBar.dll

Did you install this Ask Toolbar yourself or you allow its installation together with another software? Do you use this Ask Toolbar?
If not, you can remove it using Add/Remove Programs.

Also:
Research, <File blank>
Send to OneNote , <File blank>
Spybot - Search & Destroy, <File blank>

Are the above still installed in your computer?
Research is added by Microsoft Office products like OneNote, Outlook, Word etc.

Cheers
by danawenco / February 17, 2009 1:27 PM PST
In reply to: The setupapi.app log

Thanks Donna!

No I didn't install the Ask toolbar myself. I suspect that it came with my Toshiba. I only included the IE toolbar add-ons when I installed my AV programs, and don't think Ask.com was part of them.
I will remove that. Yes I believe the Research, Send to OneNote, and Spybot S&D still show up on my IE add on list, under "currently installed", although I don't find them on my Add/Remove window.

Is it likely that the unknown device is disguising itself as something else?

Thanks again for your helpful advice! Now I know what the setupapi.app is for :)

Can't tell unless
by Donna Buenaventura / February 17, 2009 1:46 PM PST
In reply to: Cheers

any scanner will find anything suspicious. I suggest that you run other scanners that you have not used.
Example: SUPERAntispyware, A2 Free, Stinger

You can also try standalone rootkit scanners (to see if any malware/rootkit is hiding)
1. Avira AntiRootkit - http://www.free-av.com/en/tools/4/avira_antirootkit_tool.html
2. GMER - http://www.gmer.net/files.php
3. F-Secure Blacklight - http://www.f-secure.com/security_center/
4. Panda Anti-rootkit - http://www.download.com/Panda-Anti-Rootkit/3000-8022_4-10717196.html

>>Now I know what the setupapi.app
You're welcome!
If only it logged more then it'll be a handy file ;)

Set Network Location window keeps coming up
by danawenco / February 19, 2009 12:57 AM PST
In reply to: Can't tell unless

Thanks Donna.

I scanned with SAS in Safemode and it reported the following:

Adware.MyWebSearch/FunWebProducts
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs

I googled it and read it somewhere that it has to do with Ask.com toolbar. I let SAS delete it and scanned again and it seems to be gone.

However, I've been seeing the Vista "Set Network Location" window popping up twice within 2 hours without me doing anything. Once for an existing location, once for a new one. It's the one that says "Select a location for the xxx network" (Home, Work, Public location). I cannot attach the screen shot of the "Set Network location" window to this post (in case you are not sure what I am referring to) but I found an image at the following link.

http://www.wi-fiplanet.com/img/2007/06/vista02.jpg

I am not able to run F-Secure for some reasons, but I will try the other anti rootkits tonight.

Thanks again for your help.

Please Help, blue screen crash from running gmer
by danawenco / February 19, 2009 10:44 AM PST

Sorry to keep coming back.

I downloaded gmer.zip, unzipped it to a temporary location, ran gmer.exe from the temp location, it started to run and was scanning. I came back 5 minutes or so and saw a window saying that gmer has been stopped do you want to check for online solution. I closed that window, copied gmer.exe from the temp location to my desktop, restarted it, and then saw a blue screen (please see below for details).

I restarted windows in safe mode and restored my PC, and it seems to be okay now. Is there anything I can do at this point? The blue screen was pretty frightening.

Many thanks.


Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 1000008e
BCP1: C0000005
BCP2: 993BEA48
BCP3: A68B4BF0
BCP4: 00000000
OS Version: 6_0_6001
Service Pack: 1_0
Product: 768_1

Files that help describe the problem:
-> These files are no longer present

Re: Please Help
by Carol~ Forum moderator / February 19, 2009 11:06 AM PST

Hi danawenco..

From what I read Donna isn't around today. Since Mark/"garmanma" is already helping you with the problem, maybe he can help, until Donna comes back. He seems to be giving you sound advice and is willing to help.

When you pointed out the "Set Network Location" prompts to Mark, he wanted you to let him know if they continue. Since they have, I would stress the point with him, and let him know how often you're getting the prompts. I found, "Choosing a Network Location", which should explain what they're about, but I really don't know much more about it. :(

Let us know how you make out..
Carol

Yes they are safe to use in Vista
by Donna Buenaventura / February 21, 2009 9:35 AM PST

>>>I've had problem in the past scanning with f-secure, and I haven't been able to find any system requirements info on f-secure nor Avira. Is there any way to find out if they are Vista Safe?

>>>The choose network connection window didn't come up yesterday, but I was mostly working in safe mode so I suppose they couldn't come up anyway. I am going to try again today.

>>>After my system restore I haven't been able to find the gmer files. I will need to dig further.

>>>Thanks again for your help.


I personally tried F-Secure Blacklight on my Vista but I have not tried Antivir Antirootkit in Vista. To check it out, I downloaded Antivir Antirootkit and ran it on my Vista....

So far so good. It ran without issue just like Blacklight.

Note: If UAC is enabled, you will need to right-click the program then choose "Run as administrator".

As to removing Gmer:
Start C:\WINDOWS\gmer_uninstall.cmd script and reboot.

Hope the network location prompt has stopped. If not, let us know again.

BTW, you can choose
by Donna Buenaventura / February 21, 2009 9:52 AM PST

"Fast Scan" in Avira Antivir Antirootkit before you hit "Start scan"

Again, if UAC is enabled in your Vista, please right-click the Avira AntiRootkit Tool then choose "Run as Administrator".

If Avira Antirootkit find anything, click "view report" and copy/paste here the result.

My result on Vista is:

Avira AntiRootkit Tool - Beta (1.0.1.17)

========================================================================================================
- Scan started Sunday, February 22, 2009 - 9:48:32 AM
========================================================================================================

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [X] Fast scan
- Working disk total size : 283.03 GB
- Working disk free size : 246.22 GB (86 %)
--------------------------------------------------------------------------------------------------------

Scan task finished. No hidden objects detected!

--------------------------------------------------------------------------------------------------------
Files: 0/0
Registry items: 0/0
Processes: 0/0
Scan time: 00:00:00
--------------------------------------------------------------------------------------------------------
Active processes:
========================================================================================================
- Scan finished Sunday, February 22, 2009 - 9:48:32 AM
========================================================================================================

FunWebProducts/Adware MyWebSearch
by Donna Buenaventura / February 19, 2009 2:04 PM PST

>>I googled it and read it somewhere that it has to do with Ask.com toolbar. I let SAS delete it and scanned again and it seems to be gone.

Sorry for the delay. Good you've cleaned it up with SAS.
Yes, it has to do with Ask Toolbar. It's known to be spyware by some malware scanners last time while others will detect it as Adware. Few malware scanners will detect it now or others will only detect it as PUPs (Potential Unwanted Programs).

>>However, I've been seeing the Vista "Set Network Location" window popping up twice within 2 hours without me doing anything. Once for an existing location, once for a new one. It's the one that says "Select a location for the xxx network" (Home, Work, Public location). I cannot attach the screen shot of the "Set Network location" window to this post (in case you are not sure what I am referring to) but I found an image at the following link.

Like Carol's advice, please choose your network connection. If after selecting, it prompts again, please let us know.

{{Thanks Carol!}}

>>I restarted windows in safe mode and restored my PC, and it seems to be okay now. Is there anything I can do at this point? The blue screen was pretty frightening.

As to GMER and bluescreen, it is probably the driver conflict in Vista and GMER's driver :(
Glad though that your Vista is unaffected after the restart. Please delete GMER and try to use another, anti-rootkit scanner:

F-Secure Blacklight: http://www.f-secure.com/security_center/ (scroll down the page to get the rootkit scanner)

Avira Anti-rootkit: http://www.free-av.com/en/tools/4/avira_antirootkit_tool.html

Let us know how it goes.

Thanks Donna.
by danawenco / February 20, 2009 6:48 AM PST

Thanks Donna :)

I've had problem in the past scanning with f-secure, and I haven't been able to find any system requirements info on f-secure nor Avira. Is there any way to find out if they are Vista Safe?

The choose network connection window didn't come up yesterday, but I was mostly working in safe mode so I suppose they couldn't come up anyway. I am going to try again today.

After my system restore I haven't been able to find the gmer files. I will need to dig further.

Thanks again for your help.

Cheers.
by danawenco / February 23, 2009 12:47 AM PST

Thanks so much for trying it out for me Donna! Really appreciate it.

F-Secure still wouldn't run for me, so I scanned with Avira. It did start, but for some reasons it started to hang after a while. Tried it again and got the same response.

I really didn't feel secure so I reformatted my PC. I should still scan with one of the anti-rootkits tools you had suggested, coz I remember reading somewhere that some rootkits can survive a system reformat.

As for the Network Connection window problem. I called my ISP and we did some testing. We didn't arrive at any conclusion but he suggested that it might be my network card, coz he did see some loggings on their side at the times when my problems occurred (he explained to me something that I didn't understand).

Thanks again for your help Donna!

You're welcome! We're happy to help :)
by Donna Buenaventura / February 23, 2009 1:14 AM PST
In reply to: Cheers.

Not sure why Avira rootkit scanner hung in your previous system (before you reformatted) but I thought I'll mention... that it did not hang here. I hope it won't hang when you try it again in the new system. Just don't forget to right-click it and choose "run as admin" :)

I tried F-Secure Blacklight here and it worked also in Vista.

Glad your ISP is working with you. Hope the system will not give you the same problem.
