A device was installed remotely? No CIS alert?

???

An icon popped up in the taskbar, like I had just inserted a USB stick... and said a new device had been installed!

I have tried various ways of attempting to find what was installed, and I can't see it.

netstat -n showed no connections at all multiple times, so I didn't even see what/who did this.

How do I find something that wasn't logged, and isn't listed, but claimed to be a device that was recently installed?

:-[

The new device seen by Windows is the USB stick you just inserted.

:frowning:

I was using that to describe what the icon looked like; no devices were installed by me. It was installed remotely. Smartcard exploits sometimes do this to gain access to people's PCs; these are apparently installed now as part of Windows Live. I'm attempting to remove it now but it won't let me. Usually it has no issues, but keeps re-installing itself.

If you inserted that type of USB drive for the first time in Windows, it will automatically install the matching drivers. That happens only once.

It is normal and expected behaviour; thank God for this automated action. The mere Windows message that a driver for the new USB stick has been installed is no proof of your system being compromised.

Smartcard exploits sometimes do this to gain access to people's PCs,
To prevent smart cards and other USB devices from installing autorun malware you need to set Windows to do nothing when an external device or CD/DVD gets plugged in. I am at least a bit surprised you have not already done so, as you seem very keen on security.

Having CIS installed will also help because it will sandbox everything that is being run from a USB drive.

these are apparently installed now as part of Windows Live.
How do you know?
I'm attempting to remove it now but it won't let me. Usually it has no issues, but keeps re-installing itself
Please be more specific here about how you are doing this and what keeps on returning.

I didn't disable the automatic installation of drivers because I expected Comodo to alert me of anything requesting internet access, or access to the hard drive, on top of UAC alerting me that something requests access to the hard drive. None of this happened.

Normally when I uninstall Windows Live and its utilities, including Silverlight, D+ doesn't alert me to such things as root and authroot certificate modifications, or smartcard modifications. This is particularly abnormal if no smartcard hardware or software was ever installed on the PC. Previous uninstalls never requested to change Silverlight either. Either D+ detected things it should have before, and now I'm seeing the alerts... or this is completely different, because something changed Windows Live and Silverlight, and the various certificates.

My goal in this post is to find the "device" and see what, if anything, about it is not needed or abnormal. And figure out why D+ did not alert me to system changes, or why the FW or D+ did not alert me and allowed the processes and connections to run.

[attachment deleted by admin]

Which proves to me that your assumption that your system is compromised is plain wrong.

The drivers for your USB drive are installed by Windows itself. Windows has sufficient rights with default settings not to ask the user for every small or big step it makes.

If CIS did not alert you when you inserted the USB stick, then assume nothing came in in the first place. When in doubt, run various malware scanners to see if you got infected.

Normally when I uninstall Windows Live and its utilities, including Silverlight, D+ doesn't alert me to such things as root and authroot certificate modifications, or smartcard modifications. This is particularly abnormal if no smartcard hardware or software was ever installed on the PC. Previous uninstalls never requested to change Silverlight either. Either D+ detected things it should have before, and now I'm seeing the alerts... or this is completely different, because something changed Windows Live and Silverlight, and the various certificates.
This could also show that you have not been paying attention or forgot details of when you installed WLM in the first place.

I cannot comment on what WLM installs and uninstalls, as I am not sufficiently familiar with the program. I checked the D+ log and each and every line states that a Safe application bla bla bla and "This usually happens when you try to install or update an application". In short, safe applications are doing things we would expect them to do; nothing is compromised.

My goal in this post is to find the "device" and see what, if anything, about it is not needed or abnormal. And figure out why D+ did not alert me to system changes, or why the FW or D+ did not alert me and allowed the processes and connections to run.
If you are looking for a device, look in Device Manager. If you want to see all devices, start Device Manager from the command prompt with the following two commands:

    set devmgr_show_nonpresent_devices=1
    start devmgmt.msc

Then in Device Manager select Show hidden devices under View.

Drawing the conclusion that your system is compromised without vigorously scanning for malware first, and judging that a regular program, which changes on a regular basis, shows unexpected results while uninstalling and therefore must be compromised, is making too big a leap.

I have shown more than enough reasonable doubt in the above. I hope you take it seriously and start questioning whether the conclusions you are drawing may not be sound.

Device Manager no longer loads properly. And I don't mean to be a bother, but Eric is wrong. The PC has been compromised numerous times. And I continue to try to figure out how. Eric and several others simply have not helped at all, and only seem to know what is wrong, and work to discredit what is provided. And then tell me, and others, that nothing is wrong. ???

If there is more info I can get, please let me know exactly what I can do to get it. I only wish to improve Comodo. Not ignore or refuse to find obvious problems.

Chances are it could also be a driver that was updated, and therefore reloaded/started. There is nothing you have shown to even remotely suggest you have been infected, nor that there is an actual problem, either with CIS or Windows itself.
If you are still unsure, run a different AV scan (BitDefender?), and in an elevated Command Prompt, run SFC /scannow.

I've looked through the logs you have provided and have noticed that you are concurrently running the following applications:

Comodo Internet Security
Norton Internet Security
McAfee

I would strongly recommend that you pick ONE (don’t care which) security application, remove the other two, reboot and see how you go.

Multiple security applications do not necessarily provide greater security. More often than not, they conflict or interfere with each other, because each of them will, rightly, assume that THEY are the only thing doing security.

I believe that having multiple security applications installed and running simultaneously is a major contributing factor to your problem.

Ewen :slight_smile:

After uninstalling, don't forget to run a clean-up tool for the security program concerned. You can find a list of them here: ESET Knowledgebase.

I would also like to add that if you decide to keep CIS as your sole security application, then I advise that you should also ensure that you choose the COMODO Internet Security configuration, and that if you had used this configuration previously, you should re-import the default configuration (COMODO - Internet Security.cfgx) from CIS' installation folder.

This advice is based on the examination of the CIS alert log that you provided. This indicates that multiple system components were blocked (remembered), which led to various failures and errors (including the failure of the MMC Device Manager snap-in to load).

PS The Windows Event logs should detail what was being installed or not (device wise).
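As an added example that is not part of the thread, the two lookups suggested above (the hidden/non-present devices the Device Manager tip reveals, and a record of what was installed and by which process) done from PowerShell instead of the GUI. It assumes Windows 8 or later for Get-PnpDevice and the default location of setupapi.dev.log, the log Windows itself writes for every device-install transaction.

```powershell
# Added example, not from the thread. Two defender-side lookups from PowerShell:
#  1. the devices Windows remembers but that are not currently present (what the
#     devmgr_show_nonpresent_devices / "Show hidden devices" tip reveals in the GUI);
#  2. recent device-install transactions from %SystemRoot%\INF\setupapi.dev.log,
#     including the process ("cmd:") that initiated each one.
# Assumes Windows 8+ / PowerShell 5 for Get-PnpDevice and the default log path.

function Get-NonPresentDevices {
    $presentIds = Get-PnpDevice -PresentOnly | ForEach-Object InstanceId
    Get-PnpDevice |
        Where-Object { $presentIds -notcontains $_.InstanceId } |
        Select-Object Class, FriendlyName, InstanceId, Status
}

function Get-RecentDeviceInstalls {
    param(
        [string]$LogPath = "$env:SystemRoot\INF\setupapi.dev.log",
        [int]$Hours = 24
    )
    # Each transaction in setupapi.dev.log looks like (values here are illustrative):
    #   >>>  [Device Install (Hardware initiated) - USB\VID_xxxx&PID_yyyy\serial]
    #   >>>  Section start 2024/01/15 10:22:31.123
    #        cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
    #        ...
    #   <<<  Section end 2024/01/15 10:22:33.456
    $since = (Get-Date).AddHours(-$Hours)
    $lines = Get-Content -LiteralPath $LogPath
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -notmatch '^>>>\s+\[(?<what>[^\]]+)\]') { continue }
        $what = $Matches.what
        if ($lines[$i + 1] -notmatch 'Section start (?<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})') { continue }
        $ts = [datetime]::ParseExact($Matches.ts, 'yyyy/MM/dd HH:mm:ss',
                                     [cultureinfo]::InvariantCulture)
        if ($ts -lt $since) { continue }
        # Walk the section body for the initiating process; stop at "Section end".
        $cmd = ''
        for ($j = $i + 2; $j -lt $lines.Count -and $lines[$j] -notmatch '^<<<'; $j++) {
            if ($lines[$j] -match '^\s+cmd:\s*(?<cmd>.+)$') { $cmd = $Matches.cmd; break }
        }
        [pscustomobject]@{ Time = $ts; Transaction = $what; InitiatedBy = $cmd }
    }
}

Get-NonPresentDevices | Format-Table -AutoSize
Get-RecentDeviceInstalls -Hours 72 | Sort-Object Time -Descending | Format-Table -AutoSize
```

The InitiatedBy column answers the "what/who did this" question directly: a Windows-initiated driver install shows a system process such as svchost.exe, which is the normal case the replies above describe.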

Yes, at the time of posting Norton and Comodo were the intended security programs; McAfee has been uninstalled, or should have been. I would like to continue using these team-ups... any software that attempts to dominate over others... is suspect. The main reason I originally stopped using McAfee.

I've found that McAfee has more hidden files loaded as devices. I've attempted to remove them, but a single file repeatedly finds itself back on the system. I've also terminated its process and blocked it using Comodo. Thank you Eric, I used the McAfee uninstaller from that link; much of it was removed but 5-8 files and registry keys still remained... the removal software provided got them.

So far Norton works well with Comodo. But that doesn't mean these people or software haven't found a way to work around both, or several other protections... Now I'm using only Norton, to see if it detects more by itself.
I suspect it will find much the same that Comodo did, but without alerts or a paranoid mode.
Comodo found ragepage.exe when Norton did not.
At the time Norton was not on the Windows drive. Comodo was still unable to completely remove this threat. And missed other unknown threats.
I suspect that Comodo is also being hijacked and used to implement some of these programs; clps and updates being initiated and using alternate shells (shell2?) or the cmd shell is what gives me this idea. Then Comodo telling me that parts of itself are unknown, and being isolated, when previously they were fine. So something changed. Comodo and Norton are also finding keyloggers in keyboard shortcut software, Samsung's EasySpeedUp, and Display Manager. Usually after these unauthorized updates, there is often an update to c:\windows\schema?? before Windows boots. When I attempted to submit the containing folder c:\windows\winsxs my PC crashed and Windows no longer booted. I'm not sure if anything made it to Comodo's submission servers.

What did I block that caused MMC to not load?? I believe what was blocked at that instance was "inet.cfg", which was trying to install/update an un-named, un-listed device via a process that was also unlisted. So I blocked everything I could, mostly via alerts. It was not something I asked for, or asked my PC to do. Nor was there any software told to auto-update.

While editing this, spoolersv tried to access the internet... I blocked it... it was attempting to install a device?

I go back to my previously stated advice - pick one security application - ONE - not two, not three - ONE!!!

Until you get to a moderately stable base, adding apps is adding confusion - nothing else. YOU are confusing the issue and making your own job (and ours) so much harder.

Pick one, I don’t give a rat’s which - just pick one. Ideally, go offline, uninstall all of them and reinstall the security application you’ve decided to use.

More than one security app at a time is like having two drivers in the one driving seat arguing over who's going to turn the wheel. You're not going to get anywhere until you do this.

What did I block that caused MMC to not load?? I believe what was blocked at that instance was "inet.cfg", which was trying to install/update an un-named, un-listed device via a process that was also unlisted. So I blocked everything I could, mostly via alerts. It was not something I asked for, or asked my PC to do. Nor was there any software told to auto-update.

A file named “.cfg” is not executable (this can be verified by copying notepad.exe to note.cfg and then trying to start note.cfg either by the command line or in the GUI) and therefore could not have been trying to install or update anything.

While editing this, spoolersv tried to access the internet... I blocked it... it was attempting to install a device?

Every attempt to access the internet is NOT an attempt to install a driver. If that were the case, my browser would be a very busy little rascal. :wink:

Ewen :slight_smile:

How many years have passed since you used your computer for what it was made for?
If the fault really were with Comodo and all your other security things, nearly everyone on the internet would have been hacked by now.
And if hackers were able to hack "everyone" as easily as you "seem (to yourself) to have been hacked", then they would not be so stupid as to let everyone know it. Would they? They don't earn money by making you angry or afraid. They would want to use your computer silently.

As you tell us, they give BIG HINTS EACH TIME. Why are you the chosen one to find all this? And no one else?
:slight_smile: