[SATAN[sS]]

I checked Hijack This after I removed them in safe mode and they still didnt go away.

[Advertisements]

OK. So I am completely clear on this.

You rebooted into safe mode. Fixed the items I listed.

Then you shut down HijackThis and ran it again.
After the scan the kitems where still there?

If so, could you please post that log?

Regards,

[Metallica]

OK. So I am completely clear on this.

You rebooted into safe mode. Fixed the items I listed.

Then you shut down HijackThis and ran it again.
After the scan the kitems where still there?

If so, could you please post that log?

Regards,

[SATAN[sS]]

Thats correct. Here is the log again.

Logfile of HijackThis v1.99.1
Scan saved at 3:25:10 PM, on 10/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Microsoft\security\services.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Documents and Settings\walt and robin\My Documents\My Music\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\WALTAN~1\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe -startup -product IncrediMail
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\Microsoft\security\services.exe
O4 - HKLM\..\RunOnce: [explorer] C:\WINDOWS\system32\Microsoft\security\services.exe /RunOnce
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Musicmatch\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113234282218
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

[Metallica]

Can you do this please?

Click Start > Run > and copy this command:
regedit.exe /e C:\HKLMrun.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
then click OK

Doing this will create the file C:\HKLMrun.txt
Find that file and post its content.

Regards,

[SATAN[sS]]

I can't find that file anywhere. I tried Start -> Search and it found nothing. I even looked in the C:\ folder.

[Metallica]

You are doing something wrong I'm afraid.

Execute the command I posted and the file will be created.

Regards,

[SATAN[sS]]

I'm doing exactly as you say, I still can't find that file.

[SATAN[sS]]

I don't think I have much time before my computer breaks, its starting to "roar" more often when I start it up. So we have to fix it fast, I don't mean to pressure you though.

[Metallica]

Copy the code below into notepad and save it as lookup.bat
Set Filetype to "All files"

dir %Systemdrive%\regedit.* /a h /s > files.txt
start notepad files.txt

Start the file by doubleclicking lookup.bat
That will open a file called files.txt. Post the content of that file.

[SATAN[sS]]

It had this, I was looking at other posts on the site and found something called Dr. Watson Debugger and I remembered seeing a send error report message for this on my computer. Is this a bad file?

Volume in drive C has no label.
Volume Serial Number is 941E-41EE

Directory of C:\WINDOWS

08/04/2004 03:56 AM 146,432 REGEDIT.COM
08/04/2004 03:56 AM 146,432 regedit.exe
2 File(s) 292,864 bytes

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/29/2002 03:41 AM 134,144 regedit.exe
1 File(s) 134,144 bytes

Directory of C:\WINDOWS\Help

09/18/2001 04:22 PM 46,684 regedit.chm
09/18/2001 04:22 PM 12,886 regedit.hlp
2 File(s) 59,570 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

08/04/2004 03:56 AM 146,432 regedit.exe
1 File(s) 146,432 bytes

Directory of C:\WINDOWS\system32\dllcache

08/04/2004 03:56 AM 146,432 regedit.exe
1 File(s) 146,432 bytes

Total Files Listed:
7 File(s) 779,442 bytes
0 Dir(s) 26,440,970,240 bytes free

Edited by SATAN[sS], 23 October 2005 - 09:34 AM.

[Metallica]

Absolutely no reason why the command wouldn't work unless there is something actually blocking regedit.exe

Please try this

Start > Run > C:\WINDOWS\regedit.exe /e C:\HKLMrun.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" > OK

Then the same procedure for this command:
notepad C:\HKLMrun.txt

Let me know if the textfile opens on your screen and if so, copy the content into your next post.

Regards,

[SATAN[sS]]

I did what you said, and it brought up Notepad but it was blank.

[Metallica]

OK. I suspect that regedit.exe is indeed being blockewd by something.

Can you try this command instead?

regedt32.exe /e C:\HKLMrun.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

Let me know if C:\HKLMrun.txt gets created and if so, what's inside.

Regards,

[SATAN[sS]]

I tried that command and it still did not create that file.

[Metallica]

Hmm. let's see if we can circumvent this block:

Please donwload and install the free trial for Registrar Lite:
http://www.resplendence.com/reglite

Run the program and paste this path in the address bar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Then click "Go"

In the left pane you will see one "folder" shown in blue.
Select it and click File > Export
Save the file to a place where you can find it.

Then fiind it and rightclick the file. Then select Open with .... Notepad

Post the content of the file.

Regards,