
Really could use your opinion on this


3 replies to this topic

#1 smak451


  • Members
  • 59 posts

Posted 10 November 2010 - 01:53 PM

Hey guys -- I'm running Win 7 64x and did my 3rd clean install after having a lot of trouble before. I made the idiotic mistake of connecting to the internet to download updates in an Admin account, thinking that I was okay for those few minutes behind both NAT router firewall & software firewall. After that things got worse and worse -- Prevx stopped updating (logs say Prevx stopped unexpectedly -- "the pipe has ended"), Avira won't update, and after a while of looking at this site for help all of a sudden I could not reach Bleep's site. I'm using about every protection I've learned here -- update several times daily using Secunia, router is hard-wire config only, no remote access, printer/file sharing off, NetBIOS over TCP/IP disabled, using OpenDNS, long randomized passwords on everything, NoScript, Adblock, HOSTS, etc. I noticed as soon as I connected my Print Spooler started running and I logged a "router error" about 2 min after connecting -- I know there was a vulnerability there that was patched after this incident. More to the point, I have an unidentified device and have collected all the characteristics of it as follows in the hopes someone could help me with a professional opinion; the device hardware profile reads as follows:

Location: On intel ICH10R LPC Interface Controller - 3A16

No Drivers are required or have been installed

Hardware IDs: ACPI\ATK0110
*ATK0110
Config Flags:00000040
CONFIGFLAG_FAILEDINSTALL

Physical Device object name:
\Device\00000054

Capabilities:
00000030
CM_DEVCAP_UNIQUEID
CM_DEVCAP_SILENTINSTALL

Enumerator: ACPI

Power Data: Current Power State: D3

Power Capabilites: 00000009
PDCAP_D0_SUPPORTED
PDCAP_D3_SUPPORTED
Power state mappings:
S0->D0
S1->D3
S2->UNSPECIFIED
S3->D3
S4->D3
S5->D3

Removal Policy: 00000001

Removal Policy Default: 00000001

Install State: 00000002

Base Container ID: {00000000-0000-0000-ffff-ffffffffffff}

Device Instance Path: ACPI\ATK0110\1010110

DevNodeStatus:
01802400
DN_HAS_PROBLEM
DN_DISABLEABLE
DN_NT_ENUMERATOR
DN_NT_DRIVER

Problem Code: 0000001C

Parent: PCI\VEN_8086&DEV_3A16&SUBSYS_82D41043&REV_00\3&11583659&0&F8

siblings:
ACPI\PNP0000\4&844a824&0
ACPI\PNP0200\4&844a824&0
ACPI\PNP0100\4&844a824&0
ACPI\PNP0B00\4&844a824&0
ACPI\PNP0800\4&844a824&0
ACPI\PNP0c04\4&844a824&0
ACPI\PNP0700\4&844a824&0
ACPI\PNP0c02\2e
ACPI\PNP0c02\10
ACPI\PNP0103\4&844a824&0
ACPI\INT0800\4&844a824&0
ACPI\PNP0c02\3
ACPI\PNP0c02\0

Container ID:
{00000000-0000-0000-ffff-ffffffffffff}

Class Icon Path:
%systemRoot%\system32\setupapi.dll,-18

Lower Logo Version:
6.0

I almost feel foolish asking "is this something to worry about," but before making any hasty moves I'd really appreciate some expert opinions! This was all taken down after I had just done a wipe with DBAN on all drives and then the clean install. Thanks a lot, -- S

Edited by smak451, 10 November 2010 - 01:56 PM.




#2 smak451

  • Topic Starter

  • Members
  • 59 posts

Posted 11 November 2010 - 07:38 PM

Hey -- I posted this yesterday but haven't heard anything and am really sweating, so please help me with this. I just did a clean install (4th one in as many months) and have an "Unknown Device" that keeps reappearing after every re-boot when I uninstall it. The characteristics of this device I've copied below. It's attached to the Interface Controller (please see below). I've exported all my logs as no matter what precautions I take I am getting very weird events as follows (starting even after a clean install) -- "Windows cannot delete the profile directory C:\Users\Administrator. This error may be caused by files ...being used by another progra." "Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards -- DETAIL 1 user registry handle leaked from ....Process 580(\Device\HarddiskVolume1\Windows\System32\winlogon.exe has opened key \REGISTRY\USERS\...ETC." I got the last error all the time in my last install, with many reg handle leaks. Also this "winlogon notification subscriber <GPClient> was unable to handle a notification event." "DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server:{DD522ACC...etc.)." The properties of this Unknown Device I've re-listed below. Can someone please give me a learned opinion on this? This just doesn't seem normal, and after every clean install and re-format I was re-infected almost instantly. I don't go anywhere suspect, don't use P2P or do anything risky. Please give me some feedback on this; is this normal behavior? Is there anything else besides this unknown device that won't uninstall that could be causing this? Thanks.

Location: On intel ICH10R LPC Interface Controller - 3A16

No Drivers are required or have been installed

Hardware IDs: ACPI\ATK0110
*ATK0110
Config Flags:00000040
CONFIGFLAG_FAILEDINSTALL

Physical Device object name:
\Device\00000054

Capabilities:
00000030
CM_DEVCAP_UNIQUEID
CM_DEVCAP_SILENTINSTALL

Enumerator: ACPI

Power Data: Current Power State: D3

Power Capabilites: 00000009
PDCAP_D0_SUPPORTED
PDCAP_D3_SUPPORTED
Power state mappings:
S0->D0
S1->D3
S2->UNSPECIFIED
S3->D3
S4->D3
S5->D3

Removal Policy: 00000001

Removal Policy Default: 00000001

Install State: 00000002

Base Container ID: {00000000-0000-0000-ffff-ffffffffffff}

Device Instance Path: ACPI\ATK0110\1010110

DevNodeStatus:
01802400
DN_HAS_PROBLEM
DN_DISABLEABLE
DN_NT_ENUMERATOR
DN_NT_DRIVER

Problem Code: 0000001C

Parent: PCI\VEN_8086&DEV_3A16&SUBSYS_82D41043&REV_00\3&11583659&0&F8

siblings:
ACPI\PNP0000\4&844a824&0
ACPI\PNP0200\4&844a824&0
ACPI\PNP0100\4&844a824&0
ACPI\PNP0B00\4&844a824&0
ACPI\PNP0800\4&844a824&0
ACPI\PNP0c04\4&844a824&0
ACPI\PNP0700\4&844a824&0
ACPI\PNP0c02\2e
ACPI\PNP0c02\10
ACPI\PNP0103\4&844a824&0
ACPI\INT0800\4&844a824&0
ACPI\PNP0c02\3
ACPI\PNP0c02\0

Container ID:
{00000000-0000-0000-ffff-ffffffffffff}

Class Icon Path:
%systemRoot%\system32\setupapi.dll,-18

Lower Logo Version:
6.0

Edited by Orange Blossom, 13 November 2010 - 05:47 PM.
Merged topics. ~ OB


#3 cryptodan


    Bleepin Madman


  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 13 November 2010 - 05:59 PM

Try not using OpenDNS, and rely on your ISP's DNS and see if the issues go away.

What kind of installation media are you using, and where did you get it?

#4 1972vet


  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 13 November 2010 - 09:48 PM

The "unknown" device you refer to is the ATK0110, which references your motherboard. ATK stands for AsusTek. The ATK0100, which is a pseudo-interface for the AI Booster program, keeps looking for a driver and, evidently, you forgot to install this during your re-installation.

You should have a CD from ASUS with something called "AI Booster". Install it, update that driver and your pop-up should go away. If it continues to bother you, just disable it via Device Manager. You don't need to use it, everything will work just fine without it (AI Booster that is).

As security conscious as you obviously are, I have serious doubts that you've infected that machine. The 64 bit Windows, especially 7, is rather difficult to infect on accident...one almost needs to do this on purpose with that system. It's what I run and I tested it before it was released. Then, and now I can say, it is fairly bullet proof.

Your issue sounds to me all to be driver related. For example...when you re-install your operating system, have you made certain to disconnect all other peripheral devices? For a proper re-install, you need only to have the monitor, keyboard and mouse connected.

Let's say, to facilitate this example, that you forgot to remove the USB connections for your printer. On a freshly installed system with no software installed for the printer, your BIOS will substantially slow down boot time while it searches for instructions as to what it is supposed to do with the attached printer.

Disconnect the printer and boot time speeds back up to where it should be, or of course, just install the software for the printer and the BIOS then doesn't need to take all the time looking for instructions. You get the idea.

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
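Post #4 reads the pasted Device Manager properties as an ASUS board device (ATK0110) with a missing driver rather than an infection. As an added example, not code from this thread or from anyone in it, the Python below parses that property layout, decodes the hex Config Flags, Capabilities, Power Capabilities and DevNodeStatus fields against the bit values from the Windows cfgmgr32.h/regstr.h headers, checks that they agree with the flag names pasted under them, and classifies the device; the sample dump is constructed from the fields quoted in the posts above, and the KNOWN_IDS table holds only the identification the thread itself gives.

```python
import re
# Bit values from the cfgmgr32.h / regstr.h headers for the flags quoted in the dump.
BITS = {
    "Config Flags": {0x40: "CONFIGFLAG_FAILEDINSTALL"},
    "Capabilities": {0x10: "CM_DEVCAP_UNIQUEID", 0x20: "CM_DEVCAP_SILENTINSTALL"},
    "Power Capabilites": {0x1: "PDCAP_D0_SUPPORTED", 0x8: "PDCAP_D3_SUPPORTED"},  # label as typed
    "DevNodeStatus": {0x400: "DN_HAS_PROBLEM", 0x2000: "DN_DISABLEABLE",
                      0x800000: "DN_NT_ENUMERATOR", 0x1000000: "DN_NT_DRIVER"},
}
PROBLEM_CODES = {0x1C: "CM_PROB_FAILED_INSTALL (Device Manager Code 28: no driver installed)"}
KNOWN_IDS = {"ACPI\\ATK0110": "ASUS (AsusTek) ATK0110 ACPI utility device; wants the board's driver"}
SAMPLE = "\n".join([  # constructed sample: the fields quoted in the thread, same layout
    "Hardware IDs: ACPI\\ATK0110", "*ATK0110", "Config Flags:00000040", "CONFIGFLAG_FAILEDINSTALL",
    "Capabilities:", "00000030", "CM_DEVCAP_UNIQUEID", "CM_DEVCAP_SILENTINSTALL", "Enumerator: ACPI",
    "Power Capabilites: 00000009", "PDCAP_D0_SUPPORTED", "PDCAP_D3_SUPPORTED", "DevNodeStatus:", "01802400",
    "DN_HAS_PROBLEM", "DN_DISABLEABLE", "DN_NT_ENUMERATOR", "DN_NT_DRIVER", "Problem Code: 0000001C"])

def parse_dump(text):
    """Group each 'Label: rest' line with the bare lines under it -> {label: [values]}."""
    sections, current = {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line)
        if m:
            current = m.group(1)
            sections[current] = [m.group(2)] if m.group(2) else []
        elif current is not None:
            sections[current].append(line)
    return sections

def decode_bitmask(value, table):
    """Return the flag names set in value, plus any bits the table does not explain."""
    names = [name for bit, name in table.items() if value & bit]
    return names, value & ~sum(bit for bit in table if value & bit)

def triage(text):
    """Decode the hex fields, check them against the pasted names, and classify the device."""
    s = parse_dump(text)
    report = {"hardware_ids": s.get("Hardware IDs", []), "consistent": True, "flags": {}}
    for label in (k for k in BITS if k in s):
        names, leftover = decode_bitmask(int(s[label][0], 16), BITS[label])
        report["flags"][label] = names
        if leftover or sorted(names) != sorted(s[label][1:]):
            report["consistent"] = False  # hex value and the names pasted under it disagree
    code = int(s["Problem Code"][0], 16)
    report["problem"] = PROBLEM_CODES.get(code, f"unrecognised problem code 0x{code:X}")
    report["identity"] = next((v for k, v in KNOWN_IDS.items() if k in report["hardware_ids"]), None)
    # ACPI-enumerated (firmware-described) device plus Code 28: a missing vendor driver, not new hardware.
    report["likely_cause"] = ("missing vendor ACPI driver" if code == 0x1C
                              and s.get("Enumerator") == ["ACPI"] else "not matched by this rule")
    return report
```

Calling triage(SAMPLE) shows that 01802400 decodes exactly to the four DN_ flags listed and that 0000001C is the Code 28 "drivers not installed" state, which is what a vendor ACPI device without its driver looks like.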




