It may have nothing to do with that fact, but twice a "new hardware
found" popup has appeared, and when I let it proceed to the point where
it tells me what the new hardware actually is, it has said "Generic
volume shadow copy". (I cancel it at that point.)
I haven't added any new hardware (it's a netbook, with nothing plugged
into it other than the power supply at the moment). I _have_ added a
"subst" into my startup sequence, but that was a few days ago, and the
popups have only appeared on this session.
Any idea what it is? It _sounds_ as if it just might be malware, but I'm
fairly careful, and have never had any in decades of computing. (Avira
says it's done 41.3% - scanned 47215 objects - so far, and not found
anything.)
I'll just go to Google it ...
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf
... back in the olden days ... Britain was entirely made of wood and lit by
one enormous candle, tended by the Queen
- Steven Moffat, Radio Times, 24-30 July 2010
Hmm. Done so; it seems to be something to do with System Restore, or
similar. And at least one other person encountered it while doing a
system scan - though no-one (that I've found so far) has explained
either (a) why it's popping up at random, or (b) why, if it's a
Microsoft thing anyway, it says it hasn't been checked.
(AVIRA finished a scan, and is now doing another one - or, is scanning a
different part of the system. It says it's found 2 "Detections", the
last being "HTML/Rce.Gen", which it says isn't very dangerous. I can't
ask it what the other one is - could be just the EICAR test virus which
I know I have on here somewhere and is by definition harmless. Avira
says 24.3% done on this pass.)
"J. P. Gilliver (John)" <G6...@soft255.demon.co.uk> wrote in message
news:HxYlvWDJ...@soft255.demon.co.uk...
As has been quite rightly mentioned - it is indeed used by "System
Restore", but is by no means limited to only this.
It is also used by "NT Backup" and any third-party programs that have been
written to utilize the Volume Shadow Copy service, such as ERUNT.exe (reg
backup for NT (google ERUNT for more on this)).
==
Cheers, Tim Meddick, Peckham, London. :-)
"J. P. Gilliver (John)" <G6...@soft255.demon.co.uk> wrote in message
news:UinRbZC0...@soft255.demon.co.uk...
What puzzles me are:
o Why did it (only) pop up when I was doing a scan? (I have - and use
occasionally - ERUNT, and it doesn't then.)
o Why does it see it as new hardware?
o I checked, and I already had restore points (going back to I think
November 7 - certainly from before I did the scan), so why hadn't it
popped up when it did those.
o I checked in Device Manager, and (once I'd turned on show hidden) I
already had the phantom drives (I forget the wording used) that are
involved.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf
<Squawk> Pieces of eight!
<Squawk> Pieces of eight!
<Squawk> Pieces of nine!
<SYSTEM HALTED: parroty error!>
1. I don't do "forums".
2. This isn't just Avira.
>
>"J. P. Gilliver (John)" <G6...@soft255.demon.co.uk> wrote in message
>news:HxYlvWDJ...@soft255.demon.co.uk...
>> In message <UinRbZC0...@soft255.demon.co.uk>, "J. P. Gilliver (John)"
>> <G6...@soft255.demon.co.uk> writes:
>>>I'm doing a complete system scan at the moment (AVIRA is my AV). I'm doing
>>>it after a restart, because my email-and-news software (Turnpike, quite
>>>old) behaved oddly once or twice.
>>>
>>>It may have nothing to do with that fact, but twice a "new hardware found"
>>>popup has appeared, and when I let it proceed to the point where it tells
>>>me what the new hardware actually is, it has said "Generic volume shadow
>>>copy". (I cancel it at that point.)
[]
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf
<Squawk> Pieces of eight!
But the fact is that the Volume Shadow Copy Service has always been a
feature of NT systems - set to automatic start by default.
I would question the effectiveness of my Anti-Virus / Anti-Malware software
if such a genuine element of the Windows OS is being returned as in any
way bogus by it!
Such behaviour of "spotting" viruses / malware where there isn't any is a
feature of Malware itself.....
(An example of this below...)
http://blogs.technet.com/b/mmpc/archive/2010/11/09/msrt-tackles-fake-microsoft-security-essentials.aspx
==
Cheers, Tim Meddick, Peckham, London. :-)
"J. P. Gilliver (John)" <G6...@soft255.demon.co.uk> wrote in message
news:0jrJbSeG...@soft255.demon.co.uk...
You're a lazy HoopleHead.
No, not at all: the AV didn't object to it at all. It's just that, while
running an AV scan, (a) the "new hardware found" thing popped up twice,
(b) when I told it (the new hardware thing) to proceed to the next
stage, it (again, the normal Windows self-protecting thing) said that
what I was about to allow - i. e. the driver it had found for this
phantom new hardware - wasn't Microsoft signed. That latter is
particularly puzzling, this Shadow Copy thing being as you have
explained part of the system. (From what I found on line, others get the
same thing, though.)
>
>Such behaviour of "spotting" viruses / malware where there isn't any is
>a feature of Malware itself.....
[]
(No, that wasn't what was happening.)
(FWIW all AV found were two instances of some HTML code that matched
some Trojan.)
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf
The fool doth think he is wise, but the wise man knows himself to be a fool.
This is because it hadn't happened to me recently, and I have to be able to
reproduce the sequence of events that lead to getting a particular
error message in order for me to investigate it.
This is so I can then query the system as to which processes are involved and
what software/hardware conflicts may be happening. I can only do such
things while the error is "in progress".
But I will certainly keep it in mind so that if it ever happens on my
system again, I will attempt to identify its cause for you.....
==
Cheers, Tim Meddick, Peckham, London. :-)
P.S. I must assure you, however, again, that the service "Volume Shadow
Copy" or VSS (Volume Snapshot Service) is definitely a normal part of every
version of Windows since WinXP Service Pack 2 and Server 2003.
"J. P. Gilliver (John)" <G6...@soft255.demon.co.uk> wrote in message
news:agIyruQN...@soft255.demon.co.uk...
In news:ichg6o$bhu$1...@news.eternal-september.org,
Harden Thicke <har...@hthicke.invalid> typed:
Have you tried any of the many spyware and malware programs around? Search
back on this group for recommendations or simply ask the question for which
ones people use.
Avira, IMO is only mediocre in its reliability and tends to false
positives IME, which are still repeatable in my last testing of it. It wants
to delete a legitimate setup.exe which lives in an unexpected folder and
that's the ONLY reason it wants to delete it. I notified them, they agreed
with me, promised to fix it, and never did.
AVG or AVAST are a couple decent freebies you can try out for AV work
that's better than Avira. There are other freebie AV programs too and a good
chance some will pipe in to offer their suggestions, same as with malware
detectors.
Having read all your responses to date here, it sounds very much like you
have malware aboard. Regardless of how "safe" you think you are with
surfing, there are just too many ways to become infected; safe hex alone
just won't do it. A good firewall (ZoneAlarm?), a good AV package (not
Avira) and good malware detectors are the "norm" for protection. Some will
claim that programs like Super AntiMalware & such are all that's needed;
don't believe them. Many programs may catch many of them, but no single
program yet will catch all of them; there are just too many of them and
increasing every day.
HTH,
Twayne`
Generic Volume Shadow Copy is a windows program that allows the backing
up/manipulation of files that are "in use" by taking a snapshot of them.
Most archiving, backup and imaging programs require it in order to work.
It is a service that should be started automatically every time you boot
up unless you are an expert at manipulating its use. Check to see if it's
set to "automatic" under Services.
Unless the file is a phony, no AV or malware program should find it. If
it's a phony, it was placed there by malware. Or the original file was
overwritten with the phony.
WinPatrol Says:
Manages and implements Volume Shadow Copies used for backup and other
purposes. If this service is stopped, shadow copies will be unavailable for
backup and the backup may fail. If this service is disabled, any services
that explicitly depend on it will fail to start.
and
the executable is at:
C:\WINDOWS\System32\vssvc.exe
... Administrative Tools; Services will open a window in XP where you
can start/stop the service, and set whether it starts "automatic", "Manual"
or Never.
I don't give a path for the admin tools because the user can change it
after it's installed. Search your boot drive for vssvc.exe if necessary.
Check to see that it's set to "automatic" and that the setting sticks
(stays after a Restart).
HTH,
Twayne`
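
The checks described in the post above (the start type shown under Services, and whether C:\WINDOWS\System32\vssvc.exe is the genuine file), as an added example that is not part of the original thread. It assumes Windows PowerShell with WMI available and uses the registered service name VSS; the function name is hypothetical and nothing here changes any setting.

```powershell
# Added example (not from the thread): read-only report on the Volume Shadow Copy service.
function Get-VssServiceReport {
    # Location quoted in the post, built from the actual Windows directory.
    $expected = Join-Path $env:SystemRoot 'System32\vssvc.exe'

    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='VSS'"
    if (-not $svc) {
        Write-Output 'No service named VSS is registered on this machine.'
        return
    }

    # PathName can be quoted and can carry arguments; keep only the executable.
    # Assumption: an unquoted path has no spaces, which holds for the expected location.
    if ($svc.PathName -match '^\s*"([^"]+)"') { $image = $Matches[1] }
    else { $image = ($svc.PathName.Trim() -split '\s+')[0] }
    $image = [Environment]::ExpandEnvironmentVariables($image)

    $company = $null; $sigStatus = 'FileMissing'; $signer = $null
    if (Test-Path -LiteralPath $image) {
        $company   = (Get-Item -LiteralPath $image).VersionInfo.CompanyName
        $sig       = Get-AuthenticodeSignature -FilePath $image
        $sigStatus = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    New-Object PSObject -Property @{
        StartMode       = $svc.StartMode              # Auto, Manual or Disabled
        State           = $svc.State                  # Running or Stopped
        ImagePath       = $image                      # what the service really launches
        PathAsExpected  = ($image -ieq $expected)     # False means the service points elsewhere
        CompanyName     = $company                    # version resource; easy to fake, a hint only
        SignatureStatus = $sigStatus
        Signer          = $signer
    }
}

Get-VssServiceReport | Format-List
```

A `SignatureStatus` of `NotSigned` is not conclusive on its own: many Windows system files are signed through a security catalog rather than an embedded signature, and older PowerShell versions may not consult catalogs. `PathAsExpected` being False is the result that deserves a closer look.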
If vegetarians eat vegetables,..beware of humanitarians!
Are you sure you have done so, because:
1. it is not my AV, but the OS's own trap, that is objecting. You know
how when you add new hardware, and the system asks for a driver, and you
load the driver that came with it, as often as not you get a popup
warning you that said driver is not "Microsoft signed" or something like
that. What was happening was that - despite not having added any new
hardware - the "new hardware found" thing was popping up (saying the new
hardware was this "... shadow copy"), and when I let it find drivers for
it, the "not signed" box popped up.
2. I already had several restore points present; presumably the shadow
copy thing must have already been there in order to make those. So why
is it popping up again?
[]
>just won't do it. A good firewall (ZoneAlarm?), a good AV package (not
I have a firewall (plus what's in the routers of course).
>Avira) and good malware detectors are the "norm" for protection. Some will
>claim that programs like Super AntiMalware & such are all that's needed;
>don't believe them. Many programs may catch many of them, but no single
>program yet will catch all of them; there are just too many of them and
>increasing every day.
Agreed. (How many of each [AV, firewall, detector] - and which ones - do
_you_ run?)
>
>HTH,
>
>Twayne`
>
>
>
>
>
(Why the lines at the end?)
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf
If vegetarians eat vegetables,..beware of humanitarians!
This would explain the behaviour.
What service pack are you running - if you have not already done so, would
you consider upgrading to service pack 3 ??......
Windows XP Service Pack 3 Network Installation Package for IT Professionals
and Developers (316.4MB)
http://www.microsoft.com/downloadS/details.aspx?familyid=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en
Windows XP Service Pack 3 - ISO-9660 CD Image File (544.9MB)
http://www.microsoft.com/downloads/details.aspx?FamilyID=2fcde6ce-b5fb-4488-8c50-fe22559d164e&displaylang=en
==
Cheers, Tim Meddick, Peckham, London. :-)
"J. P. Gilliver (John)" <G6...@soft255.demon.co.uk> wrote in message
news:sTjPXcF8wh8MFw$5...@soft255.demon.co.uk...
Router Gateway: Westell 327W & comes with NAT - almost as good as a firewall
Firewall: Norton 2010
AV: Norton's AV (real time monitoring) and AVG (used separately, is NOT set
to real time monitor).
Backup: Norton Ghost 14: Full once/month, incrementals nightly.
Spyware/Malware: *WinPatrol;
SuperAnti Spyware; Spybot Search & Destroy; Norton Internet Security;
Adaware; Malware Bytes. Probably a couple others I've missed.
*WinPatrol isn't per se a scanner, but it WILL stop ANY application it
hasn't seen before from running, so it needs a short training course as you
use your machine. It does so many other things too that I won't go into
them; see their web site if interested.
I run the malware detectors in the approximate sequence as listed, first
one first run. Unless I have a really nasty problem I stop after using
Norton Internet Security. I've had both Adaware and MalwareBytes catch
something all the others miss, but not very often. Thus, I keep them around.
I keep AVG around likewise; just a tool for comparisons sometimes but
Norton's AV always catches, historically, everything and more than AVAST and
AVG. Its heuristics are better than any other I've tried, and their new,
smaller memory footprint makes them faster and useful for the smaller
machines that always had speed complaints.
A note on AV programs: If they find something and fix it for you, run them
again. There is a possibility the removal may have exposed something else
that was previously hidden. Always run them until they find nothing.
My only claim to "success" with these applications are that I have not had a
viral infection in almost three years now so I'm doing something right. Ymmv
of course because different geographic areas get different kinds of viruses
quite often. The last problem I had was a GAIN infection that I stupidly
downloaded myself in another application. I now check reputations for any
sites I haven't visited before and I also use Google's attributes about
various web sites.
HTH,
Twayne`