Registry changes and Re-appearing programs in system start up

Guest

I have a recurring entry in my system start up that won't go away even when I
delete it from MSConfig (and Ace Utilities, even CCleaner shows it, and it
keeps re-appearing when I delete it with these apps, too). At first it was just
an empty space in the startup list, with a reference to the following
Registry folder:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Then I checked the binary data of this re-appearing key -- the key that will
not die! -- and noticed it had a 0000 00 00 entry instead of the 0000 entry I
saw on most every other "Run (Default)" key, so I changed the 0000 00 00 to
just 0000 (like the others), and now the start up folder has a double entry
for one of the other applications that starts: first, it was the
Fingerprint software (this is on a laptop), then after I un-installed and
re-installed the fingerprint app, the startup duplicate went to my
mouse/touchpad start up; now it is off that and onto the firewall startup.

I'm no expert on modifying the Registry so I'm looking for some
knowledgeable insight.



Guest

Yes, I've already done that. I have always had a resident AV (Eset nod32)
and I run regular anti-spyware scans with Super-Antispyware, AVG
Anti-Spyware, A-Squared Anti-spy, and Spybot S&D. (I used to run Lavasoft's
Ad-Aware SE but it hasn't flagged anything in over a year, so I dropped it a
few weeks ago.) I run behind a hardware router, I use Firefox with
No-Script, and surf very conservatively.

I think the problem is with some tweaking I did about a month ago. I got
Uniblue's Registry Booster, a Registry Cleaner, to check it out. I think it
may have taken out some registry key(s) that had referenced my startup
folder. I also did some tweaking around that time on my startup programs
via Ace Utilities startup manager. I think I disabled something in my
startup folder and it got axed by the registry cleaner of the other program.

Can HijackThis help me???




Gary S. Terhune

I think you've identified the problem, and this is why we regulars tell
people, over and over, not to EVER use a Registry Cleaner/Optimizer, etc.
Sorry, I don't know the answer. I've never heard of this behavior. Yes, I've
seen empty Run items, but deleting them once is all that it takes.

You say you are now getting duplicates, not empty entries? Are both
duplicates enabled? You can't have exact duplicates in the Run key.
Something must be different about the entries.
 

Guest

Since I changed the binary data back to what it was when this issue first
came up about ten days ago, it's back to just an empty entry on the system
start up list. It is in MSConfig (as well as a couple of other utilities I
use). There is a complete blank but still a reserved entry spot in the
start up. There is no reference to any file or program/application that put
it there. If I delete the entry, it just re-appears when I do a refresh.

The registry entry looks totally innocuous, just like many of the other
first entries under (Default). There is no listing under the "edit string"
for the key, and the "binary data" entry is:

< 0000 00 00 .. >

which a lot of other first (Default) entries have in many other registry
folders.

Seems like some other program or application is setting up this entry into
the system start up, but I don't know which prog or app it is.

I do have one last resort: I have a backup of the registry from a month
ago, before all this happened. It is from the ERUNT registry backup I
sometimes use. Fortunately I made a backup about a month ago. I've
hesitated using it until now because it will set many registry items back to
what they were and that's going to take time to tidy up.
 

Gary S. Terhune

In the Registry Run key, there should be no binary data. They are String
data (REG_SZ). Name and command line, nothing more. Right there, you've lost
me.
 

Guest

OK, my terminology may be off -- sorry if it is. When using regedit I can
see the "Run" folder, then the contents of the folder, starting with the
first entry "(Default)".

That "(Default)" entry ("key"?) has nothing entered on the regedit browser;
the "REG_SZ" is blank, as I believe you are mentioning. It is only when I
right-click on the "Default" entry that I get a choice to modify the entry
contents, modify the binary data (which is as I last mentioned: 0000 00 00
.. ); a third option is to delete the key entirely.

I've tried changing the binary data from the above to simply " 0000 ", but
that just makes the entry re-appear, but with the same reference to another
"Run" program, chosen either at random or for some other reason. Instead of the
startup in MSConfig saying that the entry has no reference to any prog/app,
the entry will show a reference to one other startup app, but with nothing in
the "startup" or "command" columns, only a reference to the registry location
in the "Location" column.



Gary S. Terhune

You don't want to modify the binary data of a string value. Just modify the
string. The proper data for the (Default) entry is "value not set", binary
data 0000. Sorry I didn't catch that earlier. When I try to modify the
original (default) binary data, I can't. I also can't delete it entirely. I
can only modify the string. When I do that, the binary data is changed and I
can then delete it, but it is immediately replaced with a new (default)
(value not set).

But the Default value shouldn't show up in MSCONFIG. If I understand you
correctly, that isn't the problem, anyway. You have phantom/duplicate
entries in MSCONFIG, and yes, I wouldn't put it past some "registry
optimizer/booster/cleaner" to do something really strange like that.

Remember that the same entry can't appear in the same Key (Run key, in this
case). There can be no true duplicates, something must be different about
them, either in the name, the data or the location.

When you talk of the Startup folder, you don't mean the one in
Start>Programs, do you? You mean the Startup tab of MSCONFIG? Have you
uninstalled all that crap you say you used?

No, unless there's a nasty in your system, an analysis of your HJT logs
won't help. Then again, there might just be a nasty there, or whatever the
Registry cleaner crap you installed is doing might get spotted there. So go
ahead. NOTE!!! DO NOT try to analyze the HJT log yourself. Lots of what HJT
logs is SUPPOSED to be there. ONLY, ONLY post the log to an appropriate
forum (not here!) and let them tell you what to do. Otherwise, get ready for
reinstall.

Hope that helps you figure things out. If you want, go to System Information
(MSINFO32), Software Environment, Startup, press Ctrl-A to select all,
Ctrl-C to copy it, then paste it into a reply here (Ctrl-V). Then, Export
the Run key to a REG file, open that to Edit, and copy/paste that into the
message also. Maybe I can see what's going on, or at least be sure we're
talking about the same thing. Also, list the items in Start>Programs>Startup
folder.
 

Guest

Yes, let's make sure we're on the same page so we can get to the bottom of
this. I will paste the three items you requested:

1. from SysInfo I see the following. This is an exact copy and paste of
the information shown in the shell:


Program | Command | User Name | Location
(empty) | (empty) | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BLOG | rundll32 c:\progra~1\thinkpad\utilit~1\batlogex.dll,startbattlog | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DLA | c:\windows\system32\dla\dlactrlw.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DS Clock | "c:\program files\ds clock\dsclock.exe" | LENOVO-A3ECC532\GZard | HKU\S-1-5-21-3942663255-3160304959-3873833068-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Digital Line Detect | c:\progra~1\digita~1\dlg.exe | All Users | Common Startup
IBM Warranty Notification | "c:\program files\ibm\acp\erts0749\erts0749.exe /nointro" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
JeticoPFStartup | "c:\program files\jetico\jetico personal firewall\fwsrv.exe" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LPManager | c:\progra~1\thinkv~2\prdctr\lpmgr.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Logitech Utility | logi_mwx.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PSQLLauncher | "c:\program files\thinkvantage fingerprint software\launcher.exe" /startup | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PWRMGRTR | rundll32 c:\progra~1\thinkpad\utilit~1\pwrmgrtr.dll,pwrmgrbkgndmonitor | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Skype | "c:\program files\skype\phone\skype.exe" /nosplash /minimized | LENOVO-A3ECC532\Gunnard Johnston | HKU\S-1-5-21-3942663255-3160304959-3873833068-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SynTPEnh | c:\program files\synaptics\syntp\syntpenh.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SynTPLpr | c:\program files\synaptics\syntp\syntplpr.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TPHOTKEY | c:\progra~1\lenovo\pkgmgr\hotkey\tphkmgr.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TVT Scheduler Proxy | c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TpShocks | tpshocks.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe | c:\windows\system32\ctfmon.exe | NT AUTHORITY\SYSTEM | HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe | c:\windows\system32\ctfmon.exe | LENOVO-A3ECC532\Gunnard Johnston | HKU\S-1-5-21-3942663255-3160304959-3873833068-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe | c:\windows\system32\ctfmon.exe | .DEFAULT | HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
desktop | desktop.ini | All Users | Common Startup
nod32kui | "c:\program files\eset\nod32kui.exe" /waitservice | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


This is not very pretty -- it doesn't paste the way it looks in the MSInfo
shell -- but the one key point is that at the very beginning of my MSInfo
view you can see there are empty fields under the "Program" and "Command"
columns. All of my other entries in this Run Key have references to things
like "Skype", "desktop", and "BLOG" in those columns; only this first entry
in the key is totally empty in those two columns. In fact, after this first
entry (first line) of the key, everything else looks perfectly normal.

2. This is an exact copy/paste of the key, using Regedit:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"TpShocks"="TpShocks.exe"
"TPHOTKEY"="C:\\PROGRA~1\\Lenovo\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"BLOG"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatLogEx.DLL,StartBattLog"
"PWRMGRTR"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\PWRMGRTR.DLL,PwrMgrBkGndMonitor"
"JeticoPFStartup"="\"C:\\Program Files\\Jetico\\Jetico Personal Firewall\\fwsrv.exe\""
@=""
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"LPManager"="C:\\PROGRA~1\\THINKV~2\\PrdCtr\\LPMGR.exe"
"PSQLLauncher"="\"C:\\Program Files\\ThinkVantage Fingerprint Software\\launcher.exe\" /startup"
"Logitech Utility"="Logi_MwX.Exe"
"TVT Scheduler Proxy"="C:\\Program Files\\Common Files\\Lenovo\\Scheduler\\scheduler_proxy.exe"
"IBM Warranty Notification"="\"C:\\Program Files\\IBM\\acp\\ERTS0749\\ERTS0749.exe /nointro\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
@=""


3. Finally, the contents of my START->ALL PROGRAMS->STARTUP folder is only
one application: my Drive Letter Access (DLA) program. That's it. [It
may be of interest to know that this Startup folder was always completely
empty until recently. Not sure when this reference to DLA first appeared, or
why it suddenly appeared. I don't know why it now suddenly has appeared in
the Startup folder; nor do I know why it is the *only* item in my startup
folder. Could *this* be the culprit??? I mean the adding of this entry in
my startup folder? No, that doesn't sound right... ]

GZard

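Gary's point above is that a Run key holds nothing but REG_SZ values (name = command line) and that its (Default) value should read "value not set"; regedit's Export writes no "@=" line for such a key, so the "@=""" line in the export in item 2 is itself the tell-tale that something has written to that value. The following is an added example, not code from the thread or from any tool it mentions: a small Python 3 parser for the "Windows Registry Editor Version 5.00" text format that regedit exports, plus an audit that reports a (Default) value carrying data in a Run/RunOnce key and any entry whose executable is given without a full path (such an entry is resolved by search path, so the file that actually starts should be confirmed). The embedded sample is a constructed, trimmed copy modelled on the export posted above; every function name is the example's own.

```python
"""Audit a regedit export (.reg) of a Run key for the anomalies discussed above.

Hypothetical example code: it parses the "Windows Registry Editor Version 5.00"
text format; none of it comes from the thread or from a named tool.
"""
import re
from dataclasses import dataclass

# Constructed sample, trimmed and modelled on the export posted in the thread.
# A real export written by regedit is UTF-16 with a BOM; read it with
# open(path, encoding="utf-16").read() before handing it to parse_reg().
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"BLOG"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatLogEx.DLL,StartBattLog"
@=""
"Logitech Utility"="Logi_MwX.Exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
@=""
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=data  or  @=data   (@ stands for the key's (Default) value)
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


@dataclass
class RegValue:
    key: str    # full key path, e.g. HKEY_LOCAL_MACHINE\...\Run
    name: str   # value name; "" for the (Default) value
    kind: str   # REG_SZ, dword, hex, hex(N) or delete
    data: str   # unescaped string for REG_SZ, raw text otherwise


def _logical_lines(text):
    """Yield lines with .reg continuation lines (trailing backslash) joined."""
    buf = ""
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def _unescape(s):
    # .reg escapes backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into a list of RegValue in file order."""
    lines = _logical_lines(text)
    header = next((l for l in lines if l), "")
    if not (header.startswith("Windows Registry Editor") or header == "REGEDIT4"):
        raise ValueError("not a .reg export: %r" % header)
    values, key = [], None
    for line in lines:
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("unexpected line: %r" % line)
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        raw = m.group(3)
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            values.append(RegValue(key, name, "REG_SZ", _unescape(raw[1:-1])))
        elif raw == "-":
            values.append(RegValue(key, name, "delete", raw))
        else:
            values.append(RegValue(key, name, raw.split(":", 1)[0], raw))
    return values


def split_command(cmd):
    """Split a Run command line into (executable, arguments), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args.strip()


def _is_run_key(key):
    return key.rsplit("\\", 1)[-1].lower() in ("run", "runonce")


def audit(values):
    """Return (key, value name, finding) triples for Run/RunOnce entries only."""
    findings = []
    for v in values:
        if not _is_run_key(v.key):
            continue
        if v.name == "":
            # A healthy Run key exports no @= line: its (Default) is "value not
            # set". One that carries data (even "") has been written to.
            findings.append((v.key, "(Default)",
                             "default value carries data %r instead of 'value not set'" % v.data))
        elif v.kind != "REG_SZ":
            findings.append((v.key, v.name,
                             "data is %s, but Run entries are REG_SZ command lines" % v.kind))
        else:
            exe, _ = split_command(v.data)
            if not re.match(r"^([A-Za-z]:\\|\\\\)", exe):
                findings.append((v.key, v.name,
                                 "executable %r has no full path; confirm which file is started" % exe))
    return findings


if __name__ == "__main__":
    for key, name, finding in audit(parse_reg(SAMPLE_REG)):
        print("%s\n  %s: %s" % (key, name, finding))
```

Run against the sample it reports the "(Default)" value in the Run key and the two bare-filename commands (rundll32 and Logi_MwX.Exe); the OptionalComponents subkey is ignored because its leaf name is not Run or RunOnce. The same parse_reg output can be kept as a baseline and diffed after a reboot to see which entry keeps coming back.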

Gary S. Terhune

DLA is a Roxio packet writing application -- lets you treat CDs and DVDs as
normal drives (using rewritable disks). I strongly recommend against such
apps. I'd use the Roxio installer to uninstall that part of your Roxio
Suite. Don't just disable it, get rid of it altogether.

I will reassemble the rest of your post and see what I can see. Will take a
while, but I should get it done later today.

--
Gary S. Terhune
MS-MVP Shell/User
www.grystmill.com

 

Guest

DLA is now apparently owned by Sonic, who supplies to Lenovo/IBM. But,
anyway, I took your advice and removed this app from my system. Let's see
what happens.

And, yes, indeed I would like to see what you can make of the info I sent
you. I still want to know *what* is causing this entry in my RUN key to be
so odd.

GZard



Gary S. Terhune

Sorry, but it's not going to be today. Wife shanghaied me for another
project. Maybe tomorrow.
 

Guest

Sounds familiar :)

Anyway, I finally mashed my registry beyond repair, so I have to do a
re-install. I'm using the family computer now.

Just to let you know, I thought maybe the problem was an app named
NTWrapper, that allows my firewall (Jetico 1) to run as a service; I thought it
might have caused the "double entry" in startup. But it wasn't. I
uninstalled NTWrapper and the next time I booted I got double entries for
"BLOG" (a battery log app), another startup app. So, clearly there was an
anomaly in my registry. Whether by virus/trojan/malware or by my messing
up the registry by monkeying with it too cavalierly, it got trashed. I did
find a trojan downloader and a strange file <x.exe> with a log by the same
name, so I'm going for a full reload.

Thanks for your help!!


GZard