If You Could See My StartUp list...You'd know why I'm here!

Discussion in 'Malware Help (A Specialist Will Reply)' started by bejay, Mar 25, 2008.

  1. bejay

    bejay Private E-2

    Per instructions here is a bit of what i'm up to! I didn't attach a HJT.log since this is my first post, although instructions for BFU say to post after running and attach one.

    Attempting to work through and have read your malware removal instructions...I had previously tried to get rid of some malware, but it still shows in StartUp and elsewhere so decided to try your suggestions.

    Began with the Special Removal Procedures and Brute Force Uninstaller to remove SurfSideKick. I ran BFU in Normal StartUp mode and Normal Boot w/internet connection enabled. Didn't see anywhere saying to run in Safe Mode, though end of instructions say to reboot to Normal Mode...
    Received these errors after computer restarted:
    mnyexpr.exe failed to start, msvcrtdm.dll not found
    error loading C:\Windows\System32\rwfrscmw.dll, module not found
    error loading C:\Windows\System32\ilvhpfbe.dll, module not found

    Also, a shortcut was created on my desktop for SmitfraudFix.exe. Not being sure i should use it and not being able to post to board [lost password], i deleted it. Will download same from your site, as i do believe i have SmitFraud, after a response to this post.

    I then ran HJT and created a log. Did not make any changes to the scan. Didn't run a HJT scan before running BFU. I do have one from the 22nd, but it was run with Selective StartUp and many changes have been made since then!

    Ran CCleaner and disk CleanUp.

    Will wait to hear from you, before continuing with SmitFraud removal instructions.

    Thanks for any help you can offer!
    BJ
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    I'm not sure why you are using BFU. Did you know for a fact that you had a SurfSideKick problem? The same goes for SmitFraud. You should not be running those procedures unless you know for sure that you have the related malware.

    Just run the steps in the READ ME and attach the requested logs. Ignore the Special Removal Procedures for now unless we ask you to run one.
     
  3. bejay

    bejay Private E-2

    Some of the spyware removal programs i had run previously [before posting here] showed smitfraud and surfsidekick, among numerous other infections [virtumondo, winantispyware...]. I thought i was following the Read and Run Me First procedures, by doing the things listed under Special Removal Procedures...Sorry for my misunderstanding.

    Should i delete the BFU and smitfraud removal programs and any files they might have saved? If so, anything special i need to know about doing so or since neither is listed in Add/Remove programs, do i simply try to locate the folders/files they created and delete them?

    Also, the BFU instructions say to run cleanmgr. I tried, but this program will no longer run...the window pops up, but nothing happens. It worked properly a few days prior to running BFU [not blaming BFU!].

    Will follow your advice and start with the XP removal procedures tomorrow.

    Thanks much for your time and consideration!

    BJ

    PS
    A bit of history...
    Much of the malware on this thing was spotted by various removal programs a couple of years ago and i attempted to remove it. Also used msconfig [i know now this is a no no!] to remove from the startup list. While following MGs' instructions to enable everything in startup, well of course some of them have reappeared. Tis mighty tempting to delete them through HJT or other means, but will patiently work through the steps and let one who is much more knowledgeable than myself guide me!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No you were following the READ ME as far as running the Special Removal Procedures. I just wanted to be sure that you had something telling you that you had those particular infections.

    You can leave them for now but we probably will not need them. If that becomes the case, you can just delete them later.

    Don't worry about Cleanmgr now. It is 100 times slower than CCleaner anyway. Just run Ccleaner as given in the main steps of the READ ME. After you finish the main steps of the READ ME (ignoring the Special Procedures for now), move onto the XP Cleaning Procedure.

    Just follow our instructions as written and we will get them all removed. You will not need to use MSconfig to control anything unless we ask you to and that would only be a temporary debugging measure.
     
  5. bejay

    bejay Private E-2

    Tried to work through the first part of R&RM. Didn't update Java...had a problem trying to update it a few days ago, so did a sys restore to date before then and now i've really got a mess as it kept the new files also! Looks like, from reading the java site, that tis quite an ordeal to undo all i've done, so hope it's OK to wait til i have time to mess with it.

    Ran CCleaner [already had]

    Downloaded:
    SAS [already had]
    SpybotSD [already had it, but it got messed up same time as java mess above, so deleted and re-downloaded]
    MBAM
    MGTools [already had]

    Upon trying to run SAS got error:
    SAS.exe unable to locate component, app failed to start msvcrtdm.dll not found. Clicked "X" 5-6 times to close window.

    SAS opened and i updated then ran it, hopefully following all instructions! QUESTION: under scan options should ignore system restore volume be left unchecked? I did not check it. When told to reboot, chose yes, but had to manually do it. After reboot got error message: msvcrtdm.dll failed to load and C:\Windows\system32\rwfrscma.dll and ilvhpfbe.dll modules not found.

    Reconnected to internet. Attached SAS log.

    Thanks again!

    BJ

    PS
    I get the msvcrtdm.dll, rwfrscmw.dll and ilvhpfbe.dll errors quite often when opening programs, but after clicking the message off 5-6 times the program usually opens.

    Can not open the "system" folder in control panel.

    Can not change time [get the msvcrtdm.dll error].
     

    Attached Files:

  6. bejay

    bejay Private E-2

    OK, guess i've read the instructions wrong...I'm tryin to get it right! But they are a bit confusing!

    At the end of the SAS instructions it says "Please attach the Scan Log results to your next reply. " Well...i took this to mean that i should post a reply and send that log after running just that scan. Sorry.

    Am i to run all of the scans, then if still infected, start a new post and ONLY THEN attach all of the logs [as stated in Step 3. Yes, I'm still having problems]?

    Geez...i'm bound to get it right sooner or later!

    Thanks

    BJ
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have to realize that the procedure describing how to run SUPERAntispyware is not just used while running the READ ME. It is also run independently. It does not hurt to attach the log at this point but you still needed to continue on with the cleaning instructions in the main part of the READ ME. It did not say stop after running any of those scans.

    Yes you need to complete all of the instructions in the READ ME for your Windows version and then attach all of the logs. Thus you need to finish with Malwarebytes Anti-Malware and MGtools and then attach those two logs.
     
  8. bejay

    bejay Private E-2

    I'm slowly catchin on! Again, sorry for the misunderstanding [at this point ya probably think i'm a real dummy!]. I was planning to continue with running the rest of the programs, just misunderstood about sending the SAS log. Anyway, on with the show!

    Still running slower than normal and receiving pop-ups without a blocker on. Still getting the msvcrtdm.dll, etc errors as mentioned earlier, can't change clock, can't access "system" file in control panel and in my scheduled tasks [have it disabled] are about 24 tasks that i didn't put in there [it says they have all failed to start]. Also lots of things in my startup/task manager that i know are no good.

    Anyway 2 logs are attached [attached SAS log to earlier post], correctly i hope! No SpyBot log needed, right?

    I do thank ya for your help!

    BJ
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must start by putting your system into Normal Startup mode with MSconfig as was requested in step 1 of the READ ME. You must remain in this mode.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2
    Java(TM) 6 Update 2

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\TISKY009.exe SKY009
    O4 - HKLM\..\Run: [YslMjjKW.exe] C:\documents and settings\hayley\local settings\temp\YslMjjKW.exe
    O4 - HKLM\..\Run: [xhMF.exe] C:\documents and settings\hayley\local settings\temp\xhMF.exe
    O4 - HKLM\..\Run: [WinAntiSpyware 2007 Free] "C:\Program Files\WinAntiSpyware 2007\was7.exe" /min
    O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
    O4 - HKLM\..\Run: [Vk.exe] C:\documents and settings\hayley\local settings\temp\Vk.exe
    O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [System service79] C:\WINDOWS\\\etb\\pokapoka79.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [rubquyiA] C:\WINDOWS\rubquyiA.exe
    O4 - HKLM\..\Run: [qQ.exe] C:\documents and settings\hayley\local settings\temp\qQ.exe
    O4 - HKLM\..\Run: [ptjazuuA] C:\WINDOWS\ptjazuuA.exe
    O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
    O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
    O4 - HKLM\..\Run: [jMG.exe] C:\documents and settings\hayley\local settings\temp\jMG.exe
    O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\rwfrscmw.dll",forkonce
    O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [2F9W3ni] imeauto.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000137.exe
    O4 - HKCU\..\Run: [HijackThisRemote] C:\Program Files\HijackRemote\HijackThisRemoteClient.exe
    O4 - HKCU\..\Run: [EQTraffic] "C:\Program Files\EQTraffic\EQTraffic.exe"
    O4 - HKCU\..\Run: [Cjwbynq] "C:\Program Files\Common Files\s?stem32\??plorer.exe"
    O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
    O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\YSTEM~1\attrib.exe" -vt yazb
    O4 - HKCU\..\Policies\Explorer\Run: [dhccho] C:\WINDOWS\system32\dhccho.exe
    O15 - Trusted Zone: *.ewido.com
    O15 - Trusted Zone: http://www.kaspersky.com

    After clicking Fix, exit HJT.

    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
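
As an added illustration (not part of the thread, and not how chaslang chose the entries): a small Python triage pass over HijackThis O4 autorun lines like those listed in the post above. The flag names and heuristics are assumptions made for this example, and an entry that raises no flag (dhccho.exe here) still needs a reputation check.

```python
import re
from typing import List, NamedTuple, Tuple

# O4/O15 lines copied from the HijackThis list in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [YslMjjKW.exe] C:\documents and settings\hayley\local settings\temp\YslMjjKW.exe
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\rwfrscmw.dll",forkonce
O4 - HKLM\..\Run: [rubquyiA] C:\WINDOWS\rubquyiA.exe
O4 - HKCU\..\Run: [Cjwbynq] "C:\Program Files\Common Files\s?stem32\??plorer.exe"
O4 - HKCU\..\Policies\Explorer\Run: [dhccho] C:\WINDOWS\system32\dhccho.exe
O15 - Trusted Zone: *.ewido.com
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# First token ending in an executable extension; Run values are often
# unquoted even when the path contains spaces.
IMAGE_RE = re.compile(r'^(.*?\.(?:exe|dll|com|bat|cmd|scr))(?=[\s",]|$)', re.I)
DLL_RE = re.compile(r'([^",]+\.dll)', re.I)


class Entry(NamedTuple):
    hive: str
    key: str
    name: str
    target: str
    flags: List[str]


def image_path(cmd: str) -> str:
    """Return the program a Run value starts."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = IMAGE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def classify(cmd: str) -> Tuple[str, List[str]]:
    """Apply the example heuristics (assumptions, not HijackThis rules)."""
    flags: List[str] = []
    target = image_path(cmd)
    if target.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        # The interesting file is the DLL handed to rundll32, not rundll32.
        flags.append("via-rundll32")
        rest = cmd[cmd.lower().find("rundll32.exe") + len("rundll32.exe"):]
        m = DLL_RE.search(rest)
        if m:
            target = m.group(1).strip()
    low = target.lower()
    if "\\" not in target:
        flags.append("no-path")           # bare name, resolved via search path
    if "\\temp\\" in low:
        flags.append("user-temp")         # autorun out of a Temp folder
    if "?" in target:
        # Assumption: '?' stands in for a character the log could not render.
        flags.append("unprintable-char")
    if re.fullmatch(r"[a-z]:\\windows\\[^\\]+\.exe", low):
        flags.append("windows-root-exe")  # dropped directly into C:\WINDOWS
    return target, flags


def triage(log: str) -> List[Entry]:
    """Parse every O4 line in a HijackThis log and attach heuristic flags."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # other sections (O15, O2, ...) are out of scope here
        target, flags = classify(m.group("cmd"))
        entries.append(Entry(m.group("hive"), m.group("key"),
                             m.group("name"), target, flags))
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.hive}\\{e.key:<22} {e.name:<14} {','.join(e.flags) or '-':<18} {e.target}")
```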
     
  10. bejay

    bejay Private E-2

    Thanks for assisting!

    Sorry for not in "Normal StartUp"...kids had changed it and i didn't think to check.

    Ran Disable/Remove Windows Messenger

    Attempted to remove all Java via Add/Remove. Not certain it is all gone.

    Ran C:\MGtools\analyse.exe, but [ya know i gotta mess up somewhere!] out of habit i chose do a scan and save a log. Didn't find:
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    or
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" in the analysis.

    fixME.reg, i copied and pasted into notepad, saved to desktop, type all files. Save window also asked what type of encoding. It is set on ANSI so i left it at that. When double clicking the file on desktop, window opens asking what program i want to open it with. Can you help me with that, because i don't have a clue! Not fond of messin with things i don't know i.e. registry!

    I'm going to stop at this point and wait for your reply in re the fixME.reg file.

    Thanks again

    BJ
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your PC lost the Windows File Association for .REG files. Let's fix it.

    Now Copy the bold text below to notepad. Save it as RegFix.reg to your desktop. Be sure the "Save as" type is set to "all files". Then Click Start, Run, and enter regedit and click OK. This will open the Registry Editor.

    In the Registry Editor click File and Import. Navigate to the RegFix.reg patch you saved on your Desktop and double click on it. Click OK at the prompt to add to the registry. Do you get a success message for this?
    Then retry the fixME.reg patch and continue on with the rest of the instructions.
     
  12. bejay

    bejay Private E-2

    Ran RegFix.reg and FixMe.reg with no problems. Thanks!

    Downloaded and ran avenger. After reboot got error message "mnyexpr.exe - Unable to locate component, application failed to start because msvcrtdm.dll not found", but avenger log did open.

    Downloaded and installed latest java version then rebooted. When i goto IE/tools/SunJava Console it places java icon in taskbar. If i double click taskbar icon or right click and choose "open console" nothing happens. If i choose "open control panel" i get error "java virtual machine launcher, could not find main class, program will exit". If i goto sun java or other java installation checking website and click verify installation, i get error: "microsoft visual c++ runtime library, runtime error, program C:\program files\internet explorer\ieexplore.exe, this application has requested the runtime to terminate in an unusual way, please contact...", i click "ok" and IE window closes. If you've suggestions, i'd be more than happy to hear them or perhaps this is more of a software issue and should be asked in that forum?

    Ran CCleaner.

    Ran C:\MGtools\GetLogs.bat.

    Took a deep breath!

    Attached requested files.

    Haven't done much surfing/computing since these fixes, but haven't noticed errors other than those mentioned above. There are a couple of strange[?] files in c:\documents and settings\[username]\, created same day and time: pww.txt and zzz.exe. zzz.exe is by company named XTC.
    The pww.txt shows:
    Resource Name : http://webmail.central.cox.net/
    Resource Type : AutoComplete Passwords
    User Name/Value : [my username/email address]
    Password :

    Also, as mentioned earlier, i have 24 tasks in task scheduler that we didn't set up. They are scheduled to run daily and it shows "created by: NetScheduleJobAdd" and "Run As: NT Authority\System". Possibly put there by malware? Is it safe to delete these?

    Tis nice to see a StartUp list without all that malware in it! Hope our problems are solved!

    Hopefully i've completed the required steps and i'll let you guide me the rest of the way!

    Many thanks

    BJ


    PS
    You've done such a good job, i think i'll be back and let you take a look at the mess on the other computer!
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This file is actually malware and it is associated with W32/Crimea.dr which you can read about here: http://vil.nai.com/vil/content/v_142626.htm

    It more than likely infected your System32\imm32.dll so we have to check this and also look for a replacement on your PC. I'll post something for you to do in my next message.

    Not sure what this is right now but let's wait until we are sure all malware issues have been removed.


    Is Cox your ISP?

    Just delete them.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the attached FindFile.zip file to your C:\MGtools folder. Then extract the FindFile.bat file from this ZIP into that same C:\MGtools folder. You must extract the file from the ZIP. DO NOT try to run the batch file from inside of the ZIP file. Now double click on the FindFile.bat file to run this batch file script. This will search your hard disk for copies of the imm32.dll file so we can check its infection status and also look for a backup copy to replace it with. It will create a report.txt log and automatically add it to the C:\MGlogs.zip file which I will ask you for a new copy of after we also do some other steps.


    Copy the bold text below to notepad. Save it as fixME.reg to your Desktop, thus overwriting the previous file of the same name. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.
     

    Attached Files:

  15. bejay

    bejay Private E-2

    Took 2 deep breaths...and attempted to correctly follow your instructions. Log attached.

    Yes, Cox is my ISP.

    Errors i am receiving or things not working correctly:

    Can't change clock settings from taskbar. No response.

    From Control Panel i can't access Date and Time, Java, Regional and Language Options or System. No response.

    Looks like you are working on correcting the msvcrtdm.dll error, but thought it might help to know when i receive it. When trying to access Help Center or any Help file get error "HelpCtr.exe-Unable to load component, msvcrtdm.dll etc." Help Center opens behind the message, but have to click it off 5-15 times before it goes away, then as soon as i click in the Help window the same error and again the clicking off routine 5 or 6 times then finally the message quits popping-up. I have received the msvcrtdm.dll error when opening other programs, but have not noted them...

    Tons of changes to Start Menu/.../System Information, all made at same time to Software Environment, changed from NT Authority to Default and a few added/removed changes that i recognized as ones we had done. This may be normal...

    When visiting random websites i get the error: "microsoft visual c++ runtime library, runtime error, program C:\program files\internet explorer\ieexplore.exe, this application has requested the runtime to terminate in an unusual way, please contact...". IE shuts down.

    Probably others that i'm not thinking of or have mentioned previously!

    Thanks again for your time. I know you folks are extremely busy, but i was beginning to wonder if i missed part of the R&RM so went back to see if i was doing things correctly and saw Step 3. says to start a new thread, which i didn't do, so was just about to do so when i saw you had responded to my last post! At this point should i simply continue in this post rather than start a new thread?

    Thanks again

    BJ
     

    Attached Files:

    Last edited: Apr 1, 2008
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the attached Fix-imm32.zip file into your C:\MGtools folder. And then extract the Fix-imm32.bat file from it into the same C:\MGtools folder. Now double click on the Fix-imm32.bat file.

    Then attach this file to your next message which should be created when the above is finished: C:\dirlog.txt

    After attaching this dirlog.txt file, reboot your PC and tell me if you notice any changes to your problems.
     

    Attached Files:

  17. bejay

    bejay Private E-2

    Piece of cake!

    Requested file is attached as asked. I shall reboot and let you know what happens!

    Thanks

    BJ
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, it looks like we successfully copied the correct file. So is there any change to any of your problems?
     
  19. bejay

    bejay Private E-2

    Yeah!!!

    So the Control Panel errors mentioned below were related to malware [W32/Crimea.dr]... I had thought perhaps it was caused by file corruption not related to such...Hadn't mentioned that Word Perfect and some other word processor programs weren't working..Now they are! Many thanks!

    All of the below are working properly! Even my Java installation!

    Haven't noticed this one appearing yet, but haven't had time to do a lot of surfing. My guess is that it is also fixed!

    The below may be normal?

    Cox is my ISP. These caught my eye because of the odd names [pww.txt and zzz.exe]. They are still there.

    Think i have covered all and most has been answered/repaired.

    Many thanks for your time! I've been pretty much ignoring the mess for a year or so, other than disabling in msconfig, which didn't do much!

    BJ
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just move these files into a temp folder (like C:\Temp ) and if everything runs okay without them for a couple days then just delete them. Are you having any remaining malware issues?


    Yes and this caused more harm than good. Do not use it like this any more.
     
  21. bejay

    bejay Private E-2

    Will do.

    None [!] noticed so far. Thanks!

    Yessir, Boss!!!

    I do appreciate you taking your time to clean up my system. Many thanks!

    BJ
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Since you are not having any other malware problems, it is time to do our final steps:
    1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    2. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run Avenger, you can delete all files related to Avenger now.
    5. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  23. bejay

    bejay Private E-2

    All seems to be in proper working order!

    I've attempted to follow the steps in your above post.

    Is it safe to remove all references i see to java versions prior to 6 update 5 and Norton? Even those found in the registry [i may be getting too brave here!]?

    Once again, i can't thank you enough for taking your time to help me repair this system!

    Hope it's not too much to ask for help in removing any found malware on another home desktop? Hate to wear out my welcome!

    BJ
     
  24. bejay

    bejay Private E-2

    Yikes...

    Hadn't tried Start/Run/type regedit/click OK until now and i get error message:

    Regedit.exe - Application Error, The application failed to initialize properly {0xc0000005}. Click OK to terminate the application.

    Have to click the message 3-4 times before it closes.

    Any ideas?

    Thanks

    BJ
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does not sound like malware. It could be related but right now I doubt it. Do you have a SoundBlaster type sound card? I'm not sure but it may be related to what Microsoft states in the below:

    http://support.microsoft.com/kb/217134



    Download Registry Search (see the link titled RegSearch Download Link)

    * Extract the files from Regsearch.zip into a folder.
    * Doubleclick regsearch.exe to start the program.
    * Enter RPCKDM in the top area of the form and then click "OK".
    * Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.


    [edit] Another idea just occurred to me! Click Start, Run and enter sfc /scannow into the run box and click OK. There is a space after the sfc. After this finishes running, reboot. Any change?
     
  26. bejay

    bejay Private E-2

    Aah...It worked, THANKS!!! My heart was pounding, thinking that after all you had done to fix things, i had messed it up by deleting something while in the process of cleaning up the programs/files created to remove the malware!

    Thanks again!
    BJ
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
