Registry Changes Don't Stay

Ed Katzman

Hi:

First what I've tried to resolve this:

I've run Ad-Aware and Norton AV, with updated definitions, in both
regular and safe mode and have found no problems. I've also run HiJack
This (log below) which looks OK to my untrained eye. And I've used both
regedit and regedt32. I am logged in as Administrator, the only user on
the machine.

I'm running Win XP SP-2 with all critical updates installed.

Here are the problem details:

Somehow, maybe after "Windows has just recovered from a serious error"
message showed up, within the registry key
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, an entry disappeared.
It had been
Name: Paperport PTD Type: REG_SZ Value: "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"

When I try to add the line back to the registry in regular mode, I can
add a new StringValue named "New Value #1", but when I try to rename it
or add value data I get messages like: "Cannot rename New Value #1.
Error while renaming value."

In safe mode, I can add the value and edit it to be correct, but then
this happens: After reboot, AdAware reports that the registry
modification that I made was detected, but if I then look at the
registry the entry is missing again. It seems to disappear somehow and
the pptd40nt.exe program is not started.

Here is the Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 5:21:53 PM, on 1/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Backup995\res\ntservice.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\E_SSRP05.EXE
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/
*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:
\Program Files\Copernic 2001 Basic\Search Bar.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride =

R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} -
C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:
\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} -
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Watson BHO - {B85B5D0E-E7C3-11D2-9ECF-00104BFF1A51} - C:
\Program Files\Intellext\Watson\BHOIEAdapter.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:
\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINNT
\Downloaded Program Files\SbCIe028.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:
\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} -
C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
- C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} -
C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared
\ccApp.exe"
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus
\Ad-Watch.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft
ActiveSync\WCESCOMM.EXE"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: DING!.lnk = C:\Program Files\Southwest Airlines
\Ding\Ding.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O8 - Extra context menu item: Customize Menu - file://C:\Program Files
\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:
\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:
\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:
\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program
Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program
Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RemindU - file://C:\Program Files
\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search Using Copernic Agent - res://C:
\Program Files\Copernic Agent
\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-
AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} -
C:\PROGRA~1\COPERN~2\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-
4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-
00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} -
C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-
11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync
\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} -
file://C:\Program Files\Siber Systems\AI RoboForm
\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-
C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm
\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} -
file://C:\Program Files\Siber Systems\AI RoboForm
\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-
C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm
\RoboFormComSavePass.html
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} -
C:\WINNT\Downloaded Program Files\SbCIe028.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-
445F4F58CE6E} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} -
file://C:\Program Files\Siber Systems\AI RoboForm
\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-
9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm
\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
(no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-
BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {0A827F60-64CA-4D3C-AD8E-AF42967B3F5E} -
http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} -
file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
(file missing) (HKCU)
O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} -
file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm
(file missing) (HKCU)
O9 - Extra button: ComcastHSI - {30A7DD59-C8CE-433E-9FD9-4E2156702BBB} -
http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {B1E4CDD0-69FB-4098-AF91-116FDD67F061} -
http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: (no name) - {B46F2A6A-3216-461c-BEEA-FBE442469812} -
(no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins
\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {05CE4481-8015-11D3-9811-C4DA9F000000} -
http://www.topmoxie.com/external/builds/upromise/upromise_moxie0.cab
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} -
http://download.sidestep.com/get/k00719/sb028.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -
http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=
39204
O16 - DPF: {50D05FAC-D462-4795-8818-738FCF776FBC} - https://myemail.t-
mobile.com/html/web/client_tools/TMobile-PwpClient.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/
muweb_site.cab?1127000734437
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe)
- hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1}
(StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} -
http://www.autodesk.com/global/expressviewer/installer/ExpressViewerSetu
p.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1}
(XPLControlProject.XPLControl) - hcp://system/XPLControl.CAB
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Backup995 Automatic Backup - Unknown owner - C:\Program
Files\Backup995\res\ntservice.exe
O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:
\Program Files\Canon\BJCard\Bjmcmng.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation
- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON STM Service05 (EPSON_PM_RPC_05) - SEIKO EPSON
CORPORATION - C:\WINNT\System32\E_SSRP05.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:
\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) -
Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS
(file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton
AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation
- C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:
\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT
\System32\Tablet.exe



Any ideas?

Thanks. Ed
 
Rock

Ed said:
Hi:

First what I've tried to resolve this:

I've run Ad-Aware and Norton AV, with updated definitions, in both
regular and safe mode and have found no problems. I've also run HiJack
This (log below) which looks OK to my untrained eye. And I've used both
regedit and regedt32. I am logged in as Administrator, the only user on
the machine.

<snip>

Ed, please don't post Hijackthis logs here. There are specialty forums
for that purpose.

Forums to Interpret HijackThis Logs:

http://www.spywareinfo.com/forums/
http://forum.aumha.org/viewforum.php?f=30
http://forums.tomcoyote.org/
http://www.wilderssecurity.com/
 
