Trouble with DVD drive - done the 8 steps

Status
Not open for further replies.

narcodave

Originally posted under post "Matshita DVD-RAM UJ-850S ATA Device". Advised by Kimsland to move it to this thread.

I have an ACER 5100 with Vista Home Premium. I have recently had problems with the above CD/DVD device. One day it is working perfectly, another day it does not appear in MY COMPUTER at all. When not working the computer seems to try to read the drive on startup as normal but then nothing happens. I have read many posts detailing problems with this device and have followed the steps to remove the Upper and Lower filters mentioned in numerous posts. This has not solved the problem.

I have also followed the steps in the link : UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions and have included the logs as requested.

I have also followed the advice by Kimsland and removed bittorrent and AVG and installed Avira.

Any further advice would be greatly appreciated. I am living in Southern Thailand and can not just go to the local computer repair shop so am praying for a solution.

Thanks in advance.

P.S. today my drive has reappeared again after missing for 2 days.
 
Run HJT Scan only and select and Fix all lines listed below
Any line that has (file missing) and/or (no file) at the END of the line, ONLY at the end. And the following entry.
O4 - HKCU\..\Run: [?????????] ??????????????e

Another run indicated!

The last scan required a reboot so do that now if you have not already.

OK there were found/removed items in both MBAM and SAS so we need to run again as the first run likely exposed things that were not even seen the first time.

So another run Quick Scan with both will likely find more. So UPDATE MBAM and SAS and run again. We are after clean logs.

Only after the above and any required boot are done do the below.

Download ComboFix

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double-click combofix.exe and follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click combofix's window while it's running. That may cause it to stall.

Mike
 
Mflynn Thanks for the quick reply. After putting machine on standby and powering up again my DVD drive has disappeared again!

I followed your advice and reran Hijack and applied all the fixes. I restarted the machine and ran a quick scan for Malware. What I want to know is what should I do next as the same 5 trojans appeared again and are not removed after rebooting. I see you say I should aim for clean logs. I enclose the new log showing the stubborn trojans and await any advice you may have. Thanks again for the help
 
I have now run all the programs again, including installing and running the combofix. All logs are included. Super antispyware was clear but malware still unable to clean 5 trojans. Thanks once again for your time.
 

Attachments: ComboFix.txt (24.5 KB)

Did you do this?

Run HJT Scan only and select and Fix all lines listed below
Any line that has (file missing) and/or (no file) at the END of the line, ONLY at the end. And the following entry.
O4 - HKCU\..\Run: [?????????] ??????????????e

The below should finish us up.
Go here Download DrWeb https://www.techspot.com/vb/post724044-3.html

Then....

Boot to Safe Mode only! Not with Networking and run...

DrWeb will first do an Express Scan on its own; when it completes, you should do a full scan.

The first Virus it finds select Cure and it will use this as the default automatically for all the rest. What it can't fix will be Quarantined!

This will take a while based on CPU and HD speed and size, but is worth it!

As soon as DrWeb has finished, reboot and run another MBAM (update it) and last post a new HJT log.

Mike
 
Re:
Run HJT Scan only and select and Fix all lines listed below
Any line that has (file missing) and/or (no file) at the END of the line, ONLY at the end. And the following entry.
O4 - HKCU\..\Run: [?????????] ??????????????e

I did this, installed combofix and this found and deleted the following:

fwnet.dll;C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe;Trojan.Popuper.5509;Deleted.;
HoldemGenius.exe;D:\Program Files\Holdem Genius;Probably BACKDOOR.Trojan;Incurable.Deleted.;

Rebooted, updated and reran MBAM, all clear now, then reran Hijack this. The problem now is the line:
O4 - HKCU\..\Run: [?????????] ??????????????e
Keeps appearing. I highlight it, select fix this but when I run the program again it is still there.

My drive has returned again so that's a plus.

I have included the log as requested. Once again thanks for your time on this.

Sorry, meant to write Dr Web found and deleted the two items, not combofix. Hope this makes sense.
 
OK but I did not know this. Keep me informed and we will fix all.

So no mention of the DrWeb?????

I am not there remember!

Mike
 
Hi Mike

Sorry for any confusion, to clarify:

I installed DrWeb
Booted to Safe Mode only not with Networking and ran DrWeb..
DrWeb did an Express Scan then did a full scan.
DrWeb found the following

fwnet.dll;C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe;Trojan.Popuper.5509;Deleted.;
HoldemGenius.exe;D:\Program Files\Holdem Genius;Probably BACKDOOR.Trojan;Incurable.Deleted.;

Rebooted.

Ran MBAM, now clear, 5 trojans gone.
Ran HJT, the following line still appears:

O4 - HKCU\..\Run: [?????????] ??????????????e

Ticked it and select Fix and included log.
When rerunning HJT the line is still there.

Not sure if relevant but when I run CCleaner "registry" I get the following come up:

Unused File Extension {80b8c23c-16e0-4cd8-bbc3-cecec9a78b79} HKCR\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}

When I tick "fix selected issues" I get the message "issue fixed" yet running CCleaner again it is still there.

Annoyingly after powering down and rebooting my computer my DVD drive has disappeared once more.

Hope all is clear, thanks once more

Dave
 
Hi Dave

I feel we are Malware and virus free so am switching to get this last item and tackling the DVD issue.

Reboot to safe mode and try deleting if there.

Then watch this post as I am preparing something else to clear it and another few steps for the DVD.

Mike
 
Hi

Please continue to follow the excellent advice from mflynn but let me just throw in some info and let mflynn decide how / when / if to process it

If you continue to have problems with DVD, may be worthwhile to double check your filter drivers again (as bad / stale filter drivers can create quite the nuisance)
1. If you removed them before, have you re-installed any of your DVD related software yet (e.g. CD/DVD burning software?)
2. Here's a tool makes it easy to view / report your current filter drivers. Download Filter Driver Load Order. Simply select your DVD drive to see its current filter data. Click Clipboard to copy that data. You can paste into a post if mflynn would like me to take a quick look
 
Hi Dave

First forget the File Extension if Vista wants to keep it let it have it!

Download unzip and/or install all

http://www.mlin.net/files/StartupCPL.zip

http://www.hoverdesk.net/freeware.htm (RegSeeker)

http://www.uwe-sieber.de/files/drivecleanup.zip

If trying to clean the ?????? in Safe mode failed then Run Startup Ctl and if found there then Rt click delete, reboot to see if gone.

Run RegSeeker click Find in registry and paste
??????????????e
into the search block. It should find the entire [?????????] ??????????????e. If it does select it and delete.

For the DVD issue unplug all external USB devices including Flash drives and printers. Then Boot to Safe mode and run Drive cleaner.

Note if the drive is or is not present in Explorer/My Computer. And try to see any difference in Drivecleaner when the drive is present and when not present.

And LookinAround is right on so it would be a good idea to do the same with his post. Run it when drive is there and clean and also when missing to see the difference.

At this point we need to see these results to go farther. Hopefully between DriveCleanup and Devfilter we will not need to go farther.

Mike
 
A couple more comments I can throw in

1) Re: Unused File Extension {80b8c23c-16e0-4cd8-bbc3-cecec9a78b79} HKCR\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}
The GID appears to be associated with Avira so, in worst case, as mflynn indicates, it isn't terrible if it's not removed. But my guess is if you boot into safe mode and try CCleaner then, it can be removed.

2) As regards your pesky DVD player, in addition to all else.. i think there's a method to check if the fundamental issue is device/hardware related or is due to filters, malware or some other software bug.
Find your DVD player in Device Manager. (Look in its CDROM category). I believe it will appear there as long as the DVD hardware is physically present and detected. Other software issues can impact its appearing / disappearing at the higher levels of My Computer / Explorer but hardware detection and the driver is all that's needed to appear in Device Manager. Does it appear / disappear in Device Manager as well?
 
This is MS info on just removing the Upper and Lower filters in Vista (whatever they currently are)
http://support.microsoft.com/kb/929461/en-us

just a note: OP noted in post #1 they already tried removing the filters and their problem persists So thought is worth a quick and easy look to
1) See if any filters are still there (or maybe they're still gone)
2) If any are now there, take a quick look at what filters are there / have returned
 
Once again thank you for all the advice. Here is where I am at.

First in relation to the DVD drive. I have not installed any software relating to the DVD player. When the DVD is shown as present it also appears in My Devices. When it is not present in My Computer there is no CD/DVD rom tag at all in MY Devices.

On startup this morning the DVD drive was missing in both "My Computer" and no DVD/CD rom drive tag was shown in "Device Manager". I rebooted in safe mode and it was present under "My computer" and "Device Manager".

I ran CCleaner and as you thought the stubborn registry was able to be removed.

I rebooted and the DVD drive had returned in both My Computer and My Devices. I checked the REGEDIT upper/lower filters. The upper filter had reappeared. It had the value:
GEARAspiWDM. I deleted the upper filter.

I installed the 3 programs mentioned and ran StartupCPL.
It found the ??????????? under tab HKCU/RUN and right-clicked/deleted it. It is shown under the deleted tag. It still remains under the HKCU/RUN tag.

I ran Regseeker and on completion it shows:
HKEY_CURRENT_USER
Software\mlin\StartupCPL\Deleted
???????????? ???????????e.

If I double click the above, REGEDIT opens to the DVD/CDROM drive address.

The annoying thing is when I run HJT the entry remains and I still cannot remove it when I highlight it and click Fix.

I installed and ran filter driver, selected DVD drive. It states
No Upper Filter Drivers specified for this device.
No Lower Filter Drivers specified for this device.


I used to have an entry in Startup programs that contained Chinese characters. I notice this has now gone. Could this be related?

That is all the information I can give. Hope this helps.
Thanks Dave
 
OK!!!!!!!

Good job Dave!

So you are saying that when you click the ?????? e entry in regedit it opens to a CD/DVD registry entry. I just need to confirm that is what you are saying!

If that is true it may mean there really is a software or driver issue at work here and not hardware and it is likely this ?????? e that is causing the problem, and this should be fixable without a trip to a shop.

OK Dave here is what I want you to do.

1. Boot to Safe Mode.

2. In Device manager Rt click and uninstall/remove the DVD drive.

3. Shutdown

4. Remove case unplug the Ribbon or Sata cable from the DVD drive (actually unplug power also).

5. With drive completely disconnected boot up computer to normal mode and back to device mgr and rt click computername at very top of tree and click "Scan for hardware changes".

6. Now reboot to Safe mode

7. First delete the ??????? e entry from the deleted items in Startupctl.

8. Search and try to find the entry in RegSeeker and try to delete it. If found and you delete it rescan with RegSeeker again hopefully it will be gone.

9. Gone or not check with HJT and remove again if there. If there and you had to remove it then reboot to normal and recheck with HJT again.

If all gone shutdown and reattach cables to DVD unplug the controller end and replug to confirm a tight connection.

Good luck,
Mike
 
Hi all

If i could suggest/add some info

If need be, an alternate method to identify/remove the ????? thing
Install Autoruns. (It's pretty darn good at finding most everything that gets loaded and or started plus it can check digital signatures of stuff that it finds).

Double click the autoruns.exe file to start it. Notice its status in lower left corner of window
  • Hit ESC key (your upper left on keyboard) to stop scanning
  • Click Options Check Verify Code Signatures. Also check Hide Microsoft Entries. Other options should be unchecked
  • Click File->Refresh to start scanning
  • Wait for status in lower left says Done.
  • Once it's done, scroll though to see if you should see the ???? entry, uncheck the item and it will no longer load
  • You can also rt click the item to select to Delete the item. Or, if you want us to have a look at it first, click File->Save As, save to a text file and attach back here

Your DVD filters
GearAspiWDM is a standard CD/DVD filter. Probably gets re-installed normally when it's missing and you reboot.

Your quirky DVD
I'm inclined to think if your DVD appears/disappears in Device Manager, it's indicative there's a hardware issue. I'll explain
  • Windows doesn't use or need drivers to detect hardware. The detection process is fundamental to Windows and how plug-and-play works in the first place
  • So when the hardware is present and detected, SOMETHING shows up in Device Manager for the device
    • If windows finds a driver for the hardware and the driver installs/runs OK you see a human friendly device name in Device Manager with a device status=Working Properly
    • If windows finds a driver for the device but the driver doesn't fully install or run, you see the device name in Device Manager and a device error status (with one of those yellow icons)
    • If windows can't find any driver for the hardware detected, the device still appears in Device Manager but is listed with a device name of "Unknown" or "Other" device
  • So, bottom line if it's physically attached and powered, it is "present". And all "present" devices should appear in Device Manager (even if they appear as "Unknown" etc.)
So what happens if, for example, you have a bad cable making/breaking the connection? Your DVD appears when "present" and disappears when non-present (i.e. no longer hardware detected). To my knowledge, issues of bad filters, malware, etc. may affect applications and what you see in Explorer and My Computer but don't affect the fundamental hardware detection process (and once detected, your device appearing in device manager as something.. even if the wrong thing)

Now windows loves to hide things (unless you know the magic words! :D) And we can add the magic words such that Windows displays both present and nonpresent devices (see this MS KB. It's for XP but the same is true for Vista), setting it from either the command prompt each time or modifying your system environment variables so it applies every time you open Device Manager.

Once this is done, check View Hidden Devices in Device Manager and nonpresent devices will appear with a transparent icon. Now you should always see your DVD (with a solid or transparent icon). But you may need to refresh Device Manager to see the change. Click View->Scan for Hardware Changes to refresh the Device Manager display
 
Yes yes all good!

But Dave after what you have been through I would do this in Safe Mode after doing all my steps first. I use Autoruns myself and that's what I would do, just didn't think of it.

Thanks LookinAround, it's nice to have genuine meaningful help unlike others trying to show off and unsuccessfully trying to push my buttons. :D

Mike
 
mflynn

You're most welcome. and a thx as well! I've certainly appreciated your (helpful!) assistance as well in other threads. :)
 
Once again thanks for all the advice, I would be totally helpless without this.

OK, so here is where I am at.

I rebooted to safe mode and the DVD drive was present. I uninstalled it in Device manager, removed the drive.

I can run startupcpl program in safe mode but the startup link in control panel is not shown in safe mode, only on a normal boot.

I ran regseeker and the ???????? is not shown.

It is still present in HJT and still remains after highlighting it, selecting fix and rerunning the program.

I reconnected the drive and booted normally. The computer found the new hardware and reinstalled the correct driver. DVD drive shown in my computer and device manager.

Ran HJT again but the pesky ???????? e entry still remains.

Next time I rebooted the computer the DVD drive had disappeared again from my computer and device manager. All the time I am able to open the drive and it receives power, spins etc; i.e. it makes all the sounds as if it is working correctly but it is just not recognized by the computer.

After reading LookinAround's post 10.27 this morning I installed Autoruns and removed the ???????? entry from the scan.

Ran HJT but it still appears there and refuses to budge.

I followed the steps for showing present and nonpresent devices but no DVD devices shown. The command prompt brought up the Device manager window, I selected view hidden devices, no change. I scanned for hardware changes, no change.

That's all I can report back. Hope this helps.
Thanks again for all the help, very much appreciated.
 
Do a window search. For files and folders in Search Options activate Advanced Options and click system hidden and subfolders.

search for *e

This should find all files that end in e without an extension.

Delete only if you are positive it is our file!

Somehow I had a space after the last ? like ???????? e. If you searched for that in Regseeker, then search for ??????????????e

Some other things to do:

Clean and tweak services

In services stop and disable all of the below just to get them out of the way for now for trouble shooting purposes.

Nothing is un-installed or deleted only disabled from running!

They can be put back anytime later but I would not, as none of them are needed by most home users and very few business users. Basically stuff M$ thought you should have.

Disabled uses no memory (RAM) and no CPU cycles.
Manual uses the RAM but a small amount of CPU.
Auto and not started they use even more RAM and CPU.
Auto and started even more RAM and CPU ..

Now in this case we are disabling for troubleshooting purposes. But when we finish if you leave them all off until it is noticed that you need one (not likely for 99%) then it can be enabled.

Leaving these all off then becomes a performance tweak/boost as they free some RAM and CPU cycles! Special note. If you are going to pick and choose then be aware that the small amount of RAM and CPU cycles of each one individually is not significant but as a group it is! So if you need most of them (or just think you do because you don't) then just as well enable them all!

Distributed Link Tracking Client
Distributed Transaction Coordinator
DNS Client
Fast User switching
Health Key and Certificate Management Service
Indexing service
Messenger
Net logon
Net.TCP Port Sharing
NetMeeting Remote Desktop Sharing
IPsec services
QoS RSVP
Remote Registry
Uninterruptable power supply
Universal Plug and play
Web Client
Windows media player Network Sharing

IF you are using a wired network card and "NOT" using wireless on this computer then you can
also disable

Wireless Zero configuration

Wireless Zero configuration is only used on computers with a wireless NIC like a Laptop. Do not disable Wireless Zero configuration on a Laptop. Has nothing to do with other wireless hardware like wireless routers etc.

In short if this computer has a CAT 5 or 6 cable and no ability to connect wirelessly if that cable is unplugged, then you can disable Wireless Zero configuration.

This is not to be confused with Wired Auto Config do not disable that!
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
-------------------------------------------------------------------------------------
The issues can be, and likely are, found in System Restore so do the below

Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "Cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and then OK to Run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.

Mike
 
Next time I rebooted the computer the DVD drive had disappeared again from my computer and device manager.
Hmm.... To be sure I understand.. Does your DVD disappear / appear status remain the same over the life of a reboot OR does its appear / disappear status change after Windows has already restarted (i.e. it might appear / disappear while you are running and between reboots)?

Re: your ????? issue
I have a guess why it can hide and/or not get deleted. Two thoughts:
=> First, You should Run autoruns again. Is it still there? If yes, this time do the File->Save As (per my last post) so we can see what autoruns reports about it
=> Second, The ???? text we see might include embedded null characters which we don't see (it's a trick that makes most regedit tools fail as well).
Download RegDelNull. Install it in your C:\Windows\system32 directory. From an elevated command prompt window enter each of the following lines to see if it finds/prompts you to delete anything
Code:
regdelnull hklm -s
regdelnull hkcu -s
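
Added illustration, not part of the original post and not code from RegDelNull or HijackThis: registry names are stored as counted UTF-16 strings, so a tool that treats them as NUL-terminated or ANSI text shows, and passes back for deletion, a different name than the one stored. The sample names and the cp1252 code page below are constructed assumptions.

```python
# Constructed example: why a Run value can display as "????e" or survive "Fix".
# Registry names are counted UTF-16LE strings; the inputs here are raw name bytes.

def win32_view(raw: bytes) -> str:
    """Name as a NUL-terminated string API sees it: cut at the first U+0000."""
    return raw.decode("utf-16-le").split("\x00", 1)[0]

def ansi_view(raw: bytes, codepage: str = "cp1252") -> str:
    """Name as an ANSI-only tool prints it: unmappable characters become '?'."""
    text = raw.decode("utf-16-le")
    return text.encode(codepage, errors="replace").decode(codepage)

def inspect_name(raw: bytes) -> dict:
    """Compare the stored name with what the two lossy views hand back."""
    text = raw.decode("utf-16-le")
    shown_nul, shown_ansi = win32_view(raw), ansi_view(raw)
    return {
        "stored_length": len(text),
        "embedded_null": "\x00" in text,
        "non_ascii": any(ord(c) > 0x7F for c in text),
        "win32_view": shown_nul,
        "ansi_view": shown_ansi,
        # A delete-by-name call only hits the entry if the name the tool
        # passes back is identical to the stored one.
        "round_trips": shown_nul == text and shown_ansi == text,
    }

def findings(raw: bytes) -> list:
    """Human-readable reasons an entry may be undeletable by ordinary tools."""
    info, out = inspect_name(raw), []
    if info["embedded_null"]:
        out.append("embedded NUL: name is truncated to %r" % info["win32_view"])
    if info["non_ascii"] and info["ansi_view"] != raw.decode("utf-16-le"):
        out.append("non-ANSI characters: shown as %r" % info["ansi_view"])
    return out

# Constructed sample names (not taken from the thread's logs).
SAMPLES = {
    "plain": "ctfmon".encode("utf-16-le"),
    "cjk": "\u66f4\u65b0\u52a9\u624be".encode("utf-16-le"),
    "nul": "Updater\x00hidden".encode("utf-16-le"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, inspect_name(raw), findings(raw))
```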
 
If it helps any, I had none :)
Yes quite good option at deleting these null entries :grinthumb (very impressed :))
I've saved the info
 