
Windows restart seems to cause configuration reset [HJT log]

Discussion in 'Malware and Virus Removal Archive' started by Daanii, 2005/03/17.

Thread Status:
Not open for further replies.
  1. 2005/03/17
    Daanii

    Daanii Well-Known Member Thread Starter

    Joined:
    2002/04/04
    Messages:
    341
    Likes Received:
    2
    Windows restart seems to cause configuration reset

    I'm running Windows XP Home. Due to problems with my video card and sound card drivers (outlined elsewhere on this bulletin board), I've had to replace the drivers. Doing that has caused a strange problem.

    I can get everything squared away with the drivers. But when I log off, and then later restart, my configuration seems to have changed. For example, my audio driver is no longer there. Another program that launches on startup says it needs to be reinstalled.

    This reminds me of the movie Groundhog Day. Every time I start up my computer, it's back to this configuration from days ago. It's not a big problem, in that I can change everything back in five minutes. But it's annoying.

    Strange.
     
  2. 2005/03/17
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Try restarting Windows immediately after making changes.

    I do not think just logging off will do it properly.

    Just logging off may not allow the changes to get recorded in the Registry properly.

    BillyBob
     


  4. 2005/03/17
    Daanii

    Daanii Well-Known Member Thread Starter

    Joined:
    2002/04/04
    Messages:
    341
    Likes Received:
    2
    Thanks for the reply.

    I did restart immediately after making the changes. The problem is that after I do that restart, some of the changes have disappeared.

    And then again any time after that when I log off and then log on again, the changes are still not there. If I make the changes again (mainly installing again the audio driver), and then restart, the changes (mainly the audio driver) are gone again.

    Somehow any restart is resetting the configuration back to what it was before I made the changes. I can't figure out why that is happening, and how to stop it. So every time I log back on, I have to reinstall the audio driver.

    Any more ideas?
     
  5. 2005/03/18
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    HHMMMM !!

    I am lost for answers now. Apparently I have been fortunate enough to not have the problem.

    A THOUGHT. Could an Anti Virus or Spyware program running have any effect ?

    BillyBob
     
  6. 2005/03/18
    JoeHobart

    JoeHobart Inactive Alumni

    Joined:
    2004/05/19
    Messages:
    919
    Likes Received:
    1
    I am curious if you are running any goback, or system state protection software. If you don't know, grab a Hijackthis log and let's see what's running.
     
  7. 2005/03/19
    Daanii

    Daanii Well-Known Member Thread Starter

    Joined:
    2002/04/04
    Messages:
    341
    Likes Received:
    2
    I don't know of any goback or system state protection software. But I did run HijackThis and got the following log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:20:34 AM, on 3/19/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VNICMon.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\vsnpstd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.exe
    C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\WinPortrait\wpctrl.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
    C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\CTSVCCDA.EXE
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\WinPortrait\floater.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    N3 - Netscape 7: user_pref( "browser.startup.homepage ", "www.google.com "); (C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\8ee1zhoi.slt\prefs.js)
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\Ed\Application Data\Mozilla\Profiles\default\8ee1zhoi.slt\prefs.js)
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWay\SearchAt\1.bin\MWSSRCAS.DLL (file missing)
    O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
    O4 - HKLM\..\Run: [NIC Monitor] VNICMon.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
    O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
    O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
    O4 - HKCU\..\Run: [ATI Launchpad] C:\Program Files\ATI Multimedia\main\launchpd.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Personal Coach.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/058618a00d1461530622/netzip/RdxIE601.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/polarbowler/install.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSVCCDA.EXE
    O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
     
  8. 2005/03/19
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,889
    Likes Received:
    386
    HJT log posted - moved to Removing Spyware & Viruses forum
     
  9. 2005/03/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Don't see any software that might be causing the revert, but I do have a couple of recommendations of things to fix.

    Scan again with HijackThis, place a check next to the following entries, close all other windows and click fix.

    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWay\SearchAt\1.bin\MWSSRCAS.DLL (file missing)
    O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll (file missing)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.6.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/...ler/install.cab

    Delete the MyWay folder in C:\Program Files if present.
    End task on the realsched.exe process in task manager, then open C:\Program Files\Common Files\Real\Update_OB and rename realsched.exe to realsched.old

    Open a browser window and paste the following command into the address bar, then hit enter.

    javascript:navigator.userAgent

    Copy and paste the text of the resulting window into your next reply. It will be something similar to this: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)

    What startup program reports the drivers missing? Are they actually missing? Have you tried another program to test? Go directly into the control panel>sounds and audio devices>sounds tab, highlight a program event and click the play button to verify the card is working, right after reboot when the drivers are reported missing.
     
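As an added example (not part of the thread, and not HijackThis's own code), here is a small Python parser for the HJT log format posted above: it splits each entry into section, CLSID and path, and marks the kinds of entries a reviewer looks at first. The sample lines are copied from that log; the triage rules are my own hypothetical heuristics.

```python
"""Parse HijackThis (HJT) log lines and flag entries worth a second look.

Added example, not from the forum thread or from HijackThis. The triage
rules below are hypothetical review heuristics, not HijackThis's logic."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: six lines copied from the HJT log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWay\SearchAt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NIC Monitor] VNICMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")          # {8-4-4-4-12} GUID
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")  # R0..O23


@dataclass
class Entry:
    section: str                 # HJT section code, e.g. "O2", "O16"
    body: str                    # everything after "Oxx - "
    clsid: Optional[str]         # first GUID in the line, if any
    file_missing: bool           # HJT appends "(file missing)" to orphans
    flags: List[str] = field(default_factory=list)


def triage(e: Entry) -> List[str]:
    """Hypothetical review heuristics for one parsed entry."""
    flags = []
    if e.file_missing:
        # Registration points at a file that is no longer on disk.
        flags.append("orphaned-registration")
    if e.section == "O16" and "(" not in e.body.split(" - ")[0]:
        # Downloaded ActiveX (DPF) control with no friendly name recorded.
        flags.append("unnamed-activex")
    if e.section == "O4" and "Run: [" in e.body and "\\" not in e.body.split("] ", 1)[-1]:
        # Run entry gives a bare filename, so it relies on the search path.
        flags.append("bare-filename-run-entry")
    return flags


def parse_hjt(text: str) -> List[Entry]:
    """Return structured entries; header and 'Running processes' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        cl = CLSID_RE.search(body)
        e = Entry(m.group("section"), body, cl.group(0) if cl else None,
                  body.endswith("(file missing)"))
        e.flags = triage(e)
        entries.append(e)
    return entries
```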
  10. 2005/03/19
    Daanii

    Daanii Well-Known Member Thread Starter

    Joined:
    2002/04/04
    Messages:
    341
    Likes Received:
    2
    Thanks for taking a look at the HijackThis log. I did the steps you suggested. For the last step, the data I got was:

    Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)

    As to the driver reset, when I start up my computer, there is no sound. When I go to Control Panel and click on Sounds and Audio Devices, the "Volume" tab in Sounds and Audio Devices Properties says "No Audio Device ". If I install the audio drivers (my sound is on the motherboard instead of a separate sound card), everything works fine until I shut down the system and later start it up again.

    Now the only program that seems to get reset on startup is the audio driver. Another program, called PivotPro, also used to need to be re-installed on startup. It would say "Configuration changed, PivotPro needs to be reinstalled." But I deleted PivotPro and re-installed it, and it works fine now.

    The problem with the audio driver may be due to some sort of conflict with the ATI video card drivers that have been causing a separate issue. But I don't see how that could cause this particular problem of resetting the configuration on startup.

    So right now I'm stuck with re-installing the audio driver every time I start up the computer. Not the end of the world, but not ideal either. As I said, I feel like Bill Murray in "Groundhog Day," wondering how I ever got back here again.

    Thanks for the help.
     
  11. 2005/03/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I would try uninstalling the sound card from device manager and rebooting. If you have onboard video also, shut down and physically remove the ATI card, hookup to the onboard, startup and remove the sound, reboot. Shut down again and put the video card back in.
     
  12. 2005/04/22
    Daanii

    Daanii Well-Known Member Thread Starter

    Joined:
    2002/04/04
    Messages:
    341
    Likes Received:
    2
    Thanks for the advice, NoahDFear. I finally found the time to turn off the audio and video (using the Device Manager), remove the video card, and re-install all the drivers. That seems to have solved the problem.

    Still do not know what exactly was happening or why. But as long as it works now, I am not complaining.

    Thanks for your sound advice.
     
  13. 2005/04/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That's great! Thanks for posting back. :)
     