Possible rootkit or other registry damage

Hello, I've been referred here from the Malwarebytes Anti-Malware support forum.

I was unable to run Malwarebytes Anti-Malware due to a runtime error 339, saying ieframe.dll or one of its dependencies is missing.

I've run dds and mbam checker. Please see the attached log files.

Some other symptoms:

- When opening folders in Windows, always opens a new window despite having the option checked under folder options to not do so. (very annoying)

- Unable to run Battlefield 3 either from Battlelog or Origin. It says a file is missing or that Origin is not installed.

- Unable to install internet explorer, any version

I have read on some other support forums that people with similar issues had missing system files or registry keys.

I was on the verge of reinstalling windows out of frustration, but decided I would try to see if someone could help me. I'd prefer not to reinstall if I don't have to.

Thank you for any help.

CheckResults.txt

attach.txt

dds.txt


Hello Charles in Charge and welcome to Malwarebytes!

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.

----------Step 1----------------

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.

    Vista/Windows 7 users right-click and select Run As Administrator.

  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.

  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
----------Step 2----------------

Please download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt
----------Step 3----------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

----------Step 4----------------

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
----------Step 5----------------

In your next reply, please include the following:

  • TDSSKiller's logfile
  • MBAR mbar-log.txt and system-log.txt
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt
After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note:

Please make sure you are subscribed to this topic: Click on the "Follow This Topic" Button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly"

-------> Your topic will be closed if you haven't replied within 3 days! <--------

(If I don't respond within 24 hours, please send me a PM)

-DFB


Hello, DFB.

I downloaded and ran all the programs you listed.

Attached are the results files you asked for. It seems I need to defragment my hard drive, and mshtml.dll is missing. I don't know how to restore that.

Thank you for your help DFB!

TDSSKiller.2.8.18.0_18.06.2013_23.19.10_log.txt

system-log.txt

mbar-log-2013-06-18 (23-21-46).txt

CheckResults.txt

ComboFix.txt


Attached are the results files you asked for. It seems I need to defragment my hard drive, and mshtml.dll is missing. I don't know how to restore that.

I'll help you fix the mshtml.dll issue. As for defragmenting, it isn't really a huge deal, but let's leave that off for when we get rid of all the malware on your system.

Please do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::


Driver::

72990191

84832315

WinRing0_1_2_0

File::

C:\Windows\System32\Drivers\72990191.sys

C:\Windows\System32\Drivers\84832315.sys

c:\users\JT\AppData\Local\Temp\tmp194A.tmp

FCopy::

c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.7601.17824_none_8c189508afd31140\mshtml.dll | c:\windows\system32\mshtml.dll

c:\windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.7601.17824_none_8c189508afd31140\mshtml.dll | c:\windows\SysWow64\mshtml.dll


Reboot::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now.
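Added here as a defender's verification aid; it is not part of the thread or of ComboFix. This PowerShell snippet (PowerShell 4 or later and an elevated prompt assumed) reports whether the drivers and files the CFScript above targets are still present, and whether mshtml.dll has been restored and matches the winsxs copy the FCopy:: lines use as their source. Every path and name is taken from the script in the post; the user profile path assumes you are still logged in as JT.

```powershell
# Added example (not part of the thread): check the state the CFScript above
# targets, before and after running it. Names/paths are those in the script.
$SuspectDrivers = @('72990191', '84832315', 'WinRing0_1_2_0')
$SuspectFiles   = @(
    "$env:SystemRoot\System32\Drivers\72990191.sys",
    "$env:SystemRoot\System32\Drivers\84832315.sys",
    'C:\Users\JT\AppData\Local\Temp\tmp194A.tmp'   # profile path from the script
)
$WinSxsMshtml = "$env:SystemRoot\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.7601.17824_none_8c189508afd31140\mshtml.dll"
$TargetMshtml = @("$env:SystemRoot\System32\mshtml.dll", "$env:SystemRoot\SysWOW64\mshtml.dll")

# 1. Are the drivers named under Driver:: still registered with the system?
foreach ($name in $SuspectDrivers) {
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if ($drv) { "DRIVER PRESENT: $name  state=$($drv.State)  path=$($drv.PathName)" }
    else      { "driver absent:  $name" }
}

# 2. Do the files listed under File:: still exist? Record size and hash if so.
foreach ($f in $SuspectFiles) {
    if (Test-Path -LiteralPath $f) {
        $fi = Get-Item -LiteralPath $f
        $h  = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        "FILE PRESENT: $f  size=$($fi.Length)  sha256=$h"
    } else { "file absent:  $f" }
}

# 3. Is mshtml.dll back in System32/SysWOW64, and does it match the winsxs source?
if (-not (Test-Path -LiteralPath $WinSxsMshtml)) {
    "winsxs source missing: $WinSxsMshtml (FCopy:: would have nothing to copy)"
} else {
    $srcHash = (Get-FileHash -LiteralPath $WinSxsMshtml -Algorithm SHA256).Hash
    foreach ($t in $TargetMshtml) {
        if (-not (Test-Path -LiteralPath $t)) { "mshtml.dll MISSING: $t"; continue }
        $h = (Get-FileHash -LiteralPath $t -Algorithm SHA256).Hash
        if ($h -eq $srcHash) { "mshtml.dll ok (matches winsxs copy): $t" }
        else                 { "mshtml.dll differs from winsxs copy: $t" }
    }
}
```

Run it once before the script and once after the reboot; any line still reading PRESENT or MISSING afterwards is worth pasting alongside the ComboFix log.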


Hello DFB,

I ran the script and rebooted. However, upon reboot I received an error that iernonce.dll failed to run. Now for the past 20 minutes the combofix window is flashing and cascading up and down my screen. Several background programs have crashed also, including steelseries engine and displayfusion. It seems almost like someone is continuously alt-tabbing. I don't know what to do but I am afraid of interrupting anything Combofix is attempting to do. In task manager it keeps switching between CF13294.exe, pev.3XE *32, conhost.exe, and NirCmd.3XE *332. I cannot access the log file as I am on another device writing on this forum. What should I do?

Thank you.


No, stick with Normal Mode for now.

Try rebooting the computer.

If after rebooting the internet still doesn't work, run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Can you connect to the internet now?


We really need to run that script with ComboFix. Here's what we'll do.

1. Delete your existing copy of ComboFix.exe

2. Download a new one from here. Save it to your Desktop.

3. Save the new copy of ComboFix as cheese.exe

4. Boot to Safe Mode. Run the CFScript you created earlier (drag it onto cheese.exe) and allow it to run.

Make sure you don't click the ComboFix window as it's running, as that will cause it to stall.

Keep me posted as to how it goes.
