[Heritage34]

Ok, I did the safe mode start up. I ran msconfig and took off everything in the services and start up tabs except the microsoft services. It didn't start up. I went back to safe mode and somehow a program named "PsExec" had rechecked itself. Once I took that off, the computer started back up normally. I have since deleted all AVG programs in order to able to download the McAfee Internet Suite I bought. It says my computer doesn't have enough memory to be able to download. However, I have deleted most of my programs and I do have the memory, it just won't download. I am also having a constant "work offline or try again" error come up. There is also a screen saver that is coming up that has bugs crawling on the screenand their path turns blue. Is there any way I can get my computer to download the McAfee so I can get it cleaned off?

[AcaCandy]

Not sure why you want McAfee

That program psexe seems to be linked to a keyboard program? Do you switch languages, or anything like that?

Also, it sounds like you still have a virus.

Can you put a check mark on everything via msconfig again, then post a hijack this log?

[Heritage34]

Yes, I will post the log. I can't get on the internet on that computer so I am having to get on the computer at work/other places, print out instructions, and go home and try. Thank you for your patience.

I bought McAfee for the work computer and it did well that's why I have it.

[Heritage34]

I cannot use the McAfee program because my computer only has 128 mb RAM. I did not switch languages unless a virus and/or other program did it. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 11:34, on 2008-05-11
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Documents and Settings\All Users\Application Data\pcjurkds\dcnazehy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Prestwood Family\Start Menu\Programs\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Prestwood Family\cftmon.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Prestwood Family\cftmon.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab32846.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by22fd.bay22.hotmail.msn.com/...x/HMAtchmt.ocx
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O21 - SSODL: RamAlrt - {acf55052-a469-4fe2-9a9c-b2a84a48dc02} - C:\WINDOWS\Installer\{acf55052-a469-4fe2-9a9c-b2a84a48dc02}\RamAlrt.dll
O21 - SSODL: tbZRZOthou - {C0858AAE-6A2F-2004-D895-1EBCA9D8C829} - C:\WINDOWS\system32\bn.dll

[Heritage34]

Something I don't understand is if I recheck everything on the msconfig then I will not be able to start up or get on the internet to post a log.

[AcaCandy]

Why do you not have SP2 (service pack 2) installed?

And I don't see AVG installed.

And I can't believe you are running XP with only 128 megs of ram

[Heritage34]

Well, my computer has what came on it.
I took off AVG to put McAfee on.
More RAM is what I'm looking into today.

[AcaCandy]

More ram is good, but, do you do Windows updates?

[Rollin' Rog]

These Hijackthis entries indicate the presence of malware; you may need further security help, but for now check and "fix" them in HijackThis, then reboot and post another scanlog:


F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O21 - SSODL: RamAlrt - {acf55052-a469-4fe2-9a9c-b2a84a48dc02} - C:\WINDOWS\Installer\{acf55052-a469-4fe2-9a9c-b2a84a48dc02}\RamAlrt.dll
O21 - SSODL: tbZRZOthou - {C0858AAE-6A2F-2004-D895-1EBCA9D8C829} - C:\WINDOWS\system32\bn.dll


http://www.what-is-exe.com/filenames/ntos-exe.html

After rebooting see if you can find and delete each of the above files manually.

If you still have problems we need to call in Cookiegal or one of the other Security moderators for specialized help.

[AcaCandy]

Thanks Rog, I was indeed looking for Cookiegal earlier.......

[Cookiegal]

Do you still need help with this?

[Heritage34]

Hi, I ordered more RAM (512 mb additional, now have 640 mb total) from dell and installed. I installed McAfee. I can now get on the internet but that is it. It appears I have the Swen virus. I cannot access any .exe programs. I can choose (by right click) to scan my drives but cannot bring McAfee up after the scan is complete. I cannot run Hijack This or any other program on my computer. My task manager is disabled, registry editing is disabled, and every time I try to open any programs, I receive this message:

"Windows cannot find 'program name' Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and the click search."

I have researched how to fix but cannot run any of the fixes/tools because of .exe being disabled.

[Heritage34]

I also downloaded all the Windows Updates available today. I know it has taken a while. Thank you all for your help thus far. : )

[Cookiegal]

Follow these steps:

Download the file UnHookExec.inf from the following link and save it to your desktop.

http://securityresponse.symantec.com...UnHookExec.inf

Note: The tool has an .inf file extension.

Locate the downloaded file on your desktop.

Right-click the UnHookExec.inf file and click install. (This is a small file. It does not display any notice or boxes when you run it.)


Reboot and you should be able to run exe files. Then post a new HijackThis log please.

[Heritage34]

Logfile of HijackThis v1.99.1
Scan saved at 02:28, on 2008-06-10
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Documents and Settings\All Users\Application Data\pcjurkds\dcnazehy.exe
C:\Program Files\SiteAdvisor\6145\SiteAdv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6145\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsmap.exe
C:\Documents and Settings\Prestwood Family\Start Menu\Programs\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: (no name) - {22342b44-5b98-4b30-9d53-c182ad8df217} - (no file)
O2 - BHO: McAntiPhishingBHO - {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: scriptproxy - {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6145\SiteAdv.dll
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6145\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [BMc3b6b99e] Rundll32.exe "C:\WINDOWS\System32\dxgdqqjp.dll",s
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Prestwood Family\cftmon.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab32846.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by22fd.bay22.hotmail.msn.com/...x/HMAtchmt.ocx
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6145\SiteAdv.dll
O20 - AppInit_DLLs: iSecurity.cpl
O20 - Winlogon Notify: nnnklml - nnnklml.dll (file missing)
O20 - Winlogon Notify: ybbdinng - ybbdinng.dll (file missing)
O21 - SSODL: RamAlrt - {acf55052-a469-4fe2-9a9c-b2a84a48dc02} - C:\WINDOWS\Installer\{acf55052-a469-4fe2-9a9c-b2a84a48dc02}\RamAlrt.dll (file missing)
O21 - SSODL: tbZRZOthou - {C0858AAE-6A2F-2004-D895-1EBCA9D8C829} - C:\WINDOWS\System32\bn.dll
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - iSecurity.cpl (file missing)
O21 - SSODL: PreBootCheck - {741a08bb-438c-44f1-9f97-8c7a0ea43f4b} - C:\WINDOWS\Resources\SysCheck.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (mcnasvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (mcods) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (mcproxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (mcshield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (mcsysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (mpfservice) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (msk80service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service (siteadvisor service) - Unknown owner - C:\Program Files\SiteAdvisor\6145\SAService.exe