ieshims.dll false detection causing issues

[danodano]

Back in early january, Malwarebytes had a false positive on IEShims.dll ( see this topic https://forums.malwarebytes.com/topic/217659-genuine-ieshimsdll-detected-as-trojanfakems/ )

At the time, malwarebytes quarantined the file and I pretty much ignored it because I didnt use IE anyways but i restored the file a week or two later after reading the post.

Fast forward to today. I am unable to install the latest windows updates for some reason. After doing some diagnosis with sfc /scannow I get the following.

 

(p)	CSI Payload Corrupt			x86_microsoft-windows-ie-ieshims_31bf3856ad364e35_11.0.16299.192_none_3c7a5252764397e2\IEShims.dll
Repair failed: Missing replacement payload.

Summary:
Operation: Detect and Repair 
Operation result: 0x800f081f
Last Successful Step: Entire operation completes.
Total Detected Corruption:	1
	CBS Manifest Corruption:	0
	CBS Metadata Corruption:	0
	CSI Manifest Corruption:	0
	CSI Metadata Corruption:	0
	CSI Payload Corruption:	1
Total Repaired Corruption:	0
	CBS Manifest Repaired:	0
	CSI Manifest Repaired:	0
	CSI Payload Repaired:	0
	CSI Store Metadata refreshed:	True

 

2018-02-14 22:31:42, Info                  CSI    00004f17 Hashes for file member [l:11]'IEShims.dll' do not match.
 Expected: {l:32 b:11f5cfb1fed1f0c2be3a69c4aa38ff5bc14259d7510874df1406e071ff96236f}.
 Actual: {l:32 b:544635c18481c70c6355e45abc699df4ed16175cde90f7570ceb5018abf82650}.
2018-02-14 22:31:42, Info                  CSI    00004f18 [SR] Cannot repair member file [l:11]'IEShims.dll' of Microsoft-Windows-IE-IEShims, version 11.0.16299.192, arch x86, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, hash mismatch
2018-02-14 22:31:42, Info                  CSI    00004f19 [SR] This component was referenced by [l:80]'Package_1110_for_KB4056892~31bf3856ad364e35~amd64~~10.0.1.9.4056892-2879_neutral'
2018-02-14 22:31:42, Info                  CSI    00004f1a Hashes for file member [l:11]'IEShims.dll' do not match.
 Expected: {l:32 ml:4096 b:11f5cfb1fed1f0c2be3a69c4aa38ff5bc14259d7510874df1406e071ff96236f}.
 Actual: {l:32 b:544635c18481c70c6355e45abc699df4ed16175cde90f7570ceb5018abf82650}.
2018-02-14 22:31:42, Info                  CSI    00004f1b [SR] Could not reproject corrupted file \??\C:\Program Files (x86)\Internet Explorer\IEShims.dll; source file in store is also corrupted

 

It seems that now my ieshims is corrupt, both the file I restored and the 'backup' that windows keeps. I am unsure how to fix this- Some advice from the MWB team would be great as I am not in a position to do a full restore on my computer..

 

I have attempted to use DISM with both a ISO source as mentioned above and standalone, but I get error 0x800f081f  - Windows 10 version is 1709, 64 bit

Edited February 15, 2018 by danodano

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven't done so already, please run these two tools and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

• Farbar Recovery Scan Tool (FRST)
  1. Download FRST and save it to your desktop
     Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
  2. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
  3. Press the "Scan" button
  4. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
     • Leave the log files in the current location, they will be automatically collected by mb-check once you complete the next set of instructions
• MB-Check
  1. Download MB-Check and save to your desktop
  2. Double-click to run MB-Check and within a few second the command window will open, press "Enter" to accept the EULA then click "OK" 
  3. This will produce one log file on your desktop: mb-check-results.zip
     • This file will include the FRST logs generated from the previous set of instructions
     • Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[Porthos]

18 minutes ago, danodano said:

Some advice from the MWB team would be great as I am not in a position to do a full restore on my computer..

I would suggest a repair install using that ISO (with 1709 I hope). https://www.tenforums.com/tutorials/16397-repair-install-windows-10-place-upgrade.html

[danodano]

9 minutes ago, Porthos said:

I would suggest a repair install using that ISO (with 1709 I hope). https://www.tenforums.com/tutorials/16397-repair-install-windows-10-place-upgrade.html

I already attempted this. I downloaded the ISO from https://www.microsoft.com/en-us/software-download/windows10 , mounted it and ran DISM with it as a source. It failed saying "source not found" even though I correctly spelled it out. Attempted multiple variations as well.

[Porthos]

2 minutes ago, danodano said:

mounted it and ran DISM with it as a sourc

No, look at the link I gave. Mount and run setup and keep everything.  Dism is not needed.

Ps ...That downloaded ISO will not work for DISM, It is in the ESD format.  I am not allowed to link you to a ISO that is in the correct format.

Edited February 15, 2018 by Porthos

[danodano]

1 minute ago, Porthos said:

No, look at the link I gave. Mount and run setup and keep everything.  Dism is not needed.

Im not in a position to do that level of a reset. Im not willing to remove all my settings/customizations because of a corrupt IE file. There has to be another way, thats going nuclear.

[Porthos]

20 hours ago, danodano said:

m not willing to remove all my settings/customizations because of a corrupt IE file.

Takes about 10 minutes to change them back, At least you do not lose your programs and files doing a repair install.

Does about the same thing as the upgrade from 1703 to 1709 did.

Edited February 16, 2018 by Porthos

[exile360]

You should be able to uninstall/reinstall IE.  Open Programs and Features and select Turn Windows features on or off and then uncheck the box next to Internet Explorer, allow it to uninstall it and reboot when prompted.  Once complete, repeat the process but this time checking the box and allowing it to reinstall it, then reboot if prompted, check for Windows Updates and install them, reboot if necessary, repeat until no further updates are listed.

[danodano]

uninstalling IE did not remove the folder unfortunately, the corruption remains. I also do not have permission to delete the folder, even as a administrator

[KenW]

If you download the ISO and burn it to a dvd, from within Windows 10, go to setup.exe on the dvd and run it. This is a repair reinstall which keeps all your programs and settings. I have done it a few times.

DO NOT boot the dvd.

[danodano]

The issue is, there is no ISO out for my version of windows at the moment. The version you can download from microsofts media creation tool is 16299.15

My version is 16299.192 - Trying to use the ISO they provide wont work

[KenW]

OK, never ran into that stuff. Mine is 16299.248  I thought only the 16299 counted.

[Porthos]

1 hour ago, danodano said:

The version you can download from microsofts media creation tool is 16299.15

That is all you need or can get, The updates take care of the rest, Remember they are Cumulative.  Key is the creation tool is ESD based and the ISO needed is WIM based.

Might want to check your PM's

Edited February 16, 2018 by Porthos

[dcollins]

Most likely what happened here is that the file was in quarantine, then an update came through that updated the file, and then you restored from quarantine (as you said, ~2 weeks later). You should be able to download the mentioned KB from the Windows Update Catalog, and extract the contents of the file. Then copy IEShim.dll into C:\Program Files (x86)\Internet Explorer\

[debrasteed]

 

The ieshims.dll is an artefact of Vista/7 where a shim DLL is used to proxy certain calls (such as Create Process) to handle protected mode IE, which doesn't exist on XP, so it is unnecessary. IEShims.dll should be in your "Program Files\Internet Explorer" folder, it's part of the initial install. You need replace or install the file at specific location to get rid of ieshims.dll false detection causing issues. 

Edited September 17, 2021 by AdvancedSetup
corrected font issue

[Porthos]

@debrasteed

You posted in a 3yr old topic. Please create your own topic.