Heuristics Driver, bhdrvx86, sonar and tamper protection get disabled

I am an intermediate to advanced user. So I have looked at what could be the most obvious issues. What happens is that when my computer boots up, after a few minutes the Sonar Protection flips over to the red disabled on the main screen in NIS 2011. If you go into settings you will see that Product Tamper Protection is already in the red disabled mode. Trying to re-enable it fails once you hit apply. If you go into the device manager and look at the non plug and play drivers you will see a yellow ! point on Symantec Heuristics driver. If you go and try to start the driver up it says it has incorrect parameters.

 

Now I know the primary solution always provided is uninstall and reinstall to fix this.  However that is like throwing in the towel without trying to find out the issue.

 

I have let both Norton and Malware Bytes run full scans and nothing was found. I have run NPE and nothing was found. I have uninstalled Malware Bytes, done a restore to before the error message started showing up in the event viewer, and still nothing seems to solve it.

 

I ran HijackThis, nothing out of the ordinary that I don't recognize.

 

In the event viewer it says that the bhdrvx86.sys failed to load at boot. What is weird is the driver started showing first as an entry by itself in the non-plug and play section of device manager/hardware. It now is gone and is showing as the Symantec Heuristics Driver.

 

I would normally suspect that there is something wrong on this system (Win XP SP3 - 32bit). However the same problem appeared about a month ago on my laptop which is running Windows 7 SP 1 64 bit. Being that they both have different hardware/parts/drivers, it would seem to eliminate these as the issue (XP is a homebuilt system, laptop is Alienware). Have done a CCleaner of all temp files/etc. I have clicked on autoupdate until it will no longer show any updates. There are no other security programs on this system. Nothing is showing up in the history logs of Symantec to say anything is wrong either.

 

In comparing 2 other computers running XP SP3 32bit, I noticed there is a missing registry entry in the currentcontrolset, 001 and 002:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{67F2A318-C8F7-4087-9F88-C4B434D41719}]
"Class"="BHDrvx86"
"NoDisplayClass"="1"
"NoUseClass"="1"

 

When I try to insert these into the registry the currentcontrolset will not save it into the registry, while 001 and 002 of the currentcontrolset do.

 

Also the bhdrvx86 under HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\BHDRVX86 shows error data not present in the others:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BHDrvx86]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,6f,00,63,00,\
75,00,6d,00,65,00,6e,00,74,00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,\
00,74,00,74,00,69,00,6e,00,67,00,73,00,5c,00,41,00,6c,00,6c,00,20,00,55,00,\
73,00,65,00,72,00,73,00,5c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,\
00,69,00,6f,00,6e,00,20,00,44,00,61,00,74,00,61,00,5c,00,4e,00,6f,00,72,00,\
74,00,6f,00,6e,00,5c,00,7b,00,30,00,43,00,35,00,35,00,43,00,30,00,39,00,36,\
00,2d,00,30,00,46,00,31,00,44,00,2d,00,34,00,46,00,32,00,38,00,2d,00,41,00,\
41,00,41,00,32,00,2d,00,38,00,35,00,45,00,46,00,35,00,39,00,31,00,31,00,32,\
00,36,00,45,00,37,00,7d,00,5c,00,4e,00,49,00,53,00,5f,00,31,00,38,00,2e,00,\
31,00,2e,00,30,00,2e,00,33,00,37,00,5c,00,44,00,65,00,66,00,69,00,6e,00,69,\
00,74,00,69,00,6f,00,6e,00,73,00,5c,00,42,00,41,00,53,00,48,00,44,00,65,00,\
66,00,73,00,5c,00,32,00,30,00,31,00,32,00,31,00,30,00,33,00,30,00,2e,00,30,\
00,30,00,32,00,5c,00,42,00,48,00,44,00,72,00,76,00,78,00,38,00,36,00,2e,00,\
73,00,79,00,73,00,00,00
"DisplayName"="BHDrvx86"
"DependOnService"=hex(7):53,00,79,00,6d,00,45,00,46,00,41,00,00,00,46,00,6c,00,\
74,00,4d,00,67,00,72,00,00,00,53,00,79,00,6d,00,44,00,53,00,00,00,53,00,79,\
00,6d,00,49,00,52,00,4f,00,4e,00,00,00,53,00,52,00,54,00,53,00,50,00,58,00,\
00,00,00,00
"Description"="SONAR Engine Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BHDrvx86\Enum]
"0"="Root\\LEGACY_BHDRVX86\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
"INITSTARTFAILED"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BHDrvx86\Instances]
"DefaultInstance"="BHDrvx86"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BHDrvx86\Instances\BHDrvx86]
"Flags"=dword:00000000
"Altitude"="365100"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BHDrvx86\Parameters]
"SettingsPath"="C:\\Documents and Settings\\All Users\\Application Data\\Norton\\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\\NIS_18.1.0.37\\BASH"
"KCFile"="C:\\Documents and Settings\\All Users\\Application Data\\Norton\\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\\NIS_18.1.0.37\\BASH\\12111397.kc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BHDrvx86\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BHDrvx86\ErrorData]
"ErrorCode"=dword:80641006
"BinVersion"="7.1.2.6"
"FileNameIndex"=dword:00000006
"LineNumber"=dword:00000184

 

The Symantec Auto Fix fails to fix the Sonar issue and doesn't mention the Product Tampering issue at all.

 

I don't want to reinstall when I have over 1200 firewall rules (some custom, some generated by Symantec). I don't want to upgrade to 2013 (which is supposed to finally import your custom firewall rules) as the product has only been on the market for about 2 months and after the program control issue in 2012 that took more than 8 months to fix, I don't want to be an early adopter again.

 

So what am I perhaps not seeing that is causing the issue? As I said I restored back to a date where the error wasn't showing up in the event viewer log and the problem did not go away.

 

Any help will be greatly appreciated.
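
Added example (not part of the original post): a small Python parser that decodes the `hex(2)` and `hex(7)` values of a `.reg` export like the one above, so the driver file named by `ImagePath` and the services listed in `DependOnService` can be checked on the machine. The `DependOnService`, `Start` and `ErrorCode` values are copied from the post; the `ImagePath` in the sample is a short constructed value, and the function names are illustrative.

```python
import re
# Sample .reg fragment: DependOnService, Start and ErrorCode are copied from the
# post; the ImagePath is a short CONSTRUCTED value (\??\C:\d.sys), not the real one.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BHDrvx86]
"Start"=dword:00000002
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,64,00,2e,00,73,00,\
79,00,73,00,00,00
"DependOnService"=hex(7):53,00,79,00,6d,00,45,00,46,00,41,00,00,00,46,00,6c,00,\
74,00,4d,00,67,00,72,00,00,00,53,00,79,00,6d,00,44,00,53,00,00,00,53,00,79,\
00,6d,00,49,00,52,00,4f,00,4e,00,00,00,53,00,52,00,54,00,53,00,50,00,58,00,\
00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BHDrvx86\ErrorData]
"ErrorCode"=dword:80641006
'''
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

def decode_value(raw):
    """Decode dword, hex(2) (REG_EXPAND_SZ), hex(7) (REG_MULTI_SZ) or a quoted string."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex\((2|7)\):(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        text = data.decode("utf-16-le")  # .reg exports store strings as UTF-16LE
        return text.rstrip("\x00") if m.group(1) == "2" else [s for s in text.split("\x00") if s]
    # Quoted strings have backslashes doubled; other types (plain hex:) stay raw.
    return raw[1:-1].replace("\\\\", "\\") if raw.startswith('"') else raw

def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, raw = line[1:].split('"=', 1)
            current[name] = decode_value(raw)
    return keys

def driver_summary(keys, service):
    """Facts to verify by hand: start type, driver file on disk, required services."""
    svc = next(v for k, v in keys.items() if k.lower().endswith("\\services\\" + service.lower()))
    path = svc.get("ImagePath", "")
    return {"start": START_TYPES.get(svc.get("Start"), "unknown"),
            "file": path[4:] if path.startswith("\\??\\") else path,  # drop NT \??\ prefix
            "depends_on": svc.get("DependOnService", [])}
```

Running `driver_summary(parse_reg(open("export.reg", encoding="utf-16").read()), "BHDrvx86")` on a real regedit export gives the path to confirm exists on disk and the dependency services to confirm are installed and started.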
