Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

RUNDLL, error loadin nfr.dll


  • Please log in to reply
21 replies to this topic

#1 soupcon

soupcon

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:06:12 PM

Posted 07 March 2009 - 05:30 PM

Hello,
Really hope someone can help. I have ran Malwarebytes' and Avast. Avast found a few things, Malwarebytes' didn't. the error box of (RUNDLL, error loading nfr.dll, the specified module could not be found) comes up and I can not get an IE page to fill in and I can not go into the Internet Options. Any help with this will be very appreciated.
Thank you,

Edited by The weatherman, 07 March 2009 - 05:36 PM.
Moved to a more appropriate forum~TW


BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:12 PM

Posted 07 March 2009 - 05:49 PM

Hello.

Create and Run batch script
  • Please create and execute the following batch script.
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    @Echo off
    
    Echo [color=orange]------------------------HKCU\RUN KEY ----------------------------[/color] > C:\looking.txt
    
    reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" >> C:\looking.txt
    
    Echo [color=orange]----------------------- HKLM\RUN KEY -----------------------------------[/color] >> C:\looking.txt
    
    reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" >> C:\looking.txt
    
    Notepad C:\looking.txt
    
    Exit
    
    Del %0
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input peek.bat.
  • Hit OK.
When done properly, the icon should look like Posted Image for the .bat file.

Double click on peek.bat, and Black DOS window shall appear and then notepad will soon open. This is normal please do not panic. Once it's complete copy and paste the contents of notepad in your next reply.

Note: If you closed notepad accidentally, it can also be found at C:\looking.txt

I can not get an IE page to fill in and I can not go into the Internet Options. Any help with this will be very appreciated.

What happens when you go to Internet Options? do you get any error messages etc... ?

With regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 soupcon

soupcon
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:06:12 PM

Posted 07 March 2009 - 06:03 PM

Thank you, I will work on that. I am on a different comuter now as I have no way for the other one to connect. When I click on Internet Options nothing happens, no errors or anything at all. It just stays there. I can click on Tools and then it brings up the choices, but won't go any further....? I read to look at the LAN Proxy setting, but can't get in there. I was also told, by a friend, that I may have an incomplete Malware removal...?

#4 soupcon

soupcon
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:06:12 PM

Posted 07 March 2009 - 06:05 PM

And actually, I can't really copy the notepad thing because I can't get my computer connected in the internet. Any suggestions on this part of it?

Appreciate your help!

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:12 PM

Posted 07 March 2009 - 06:48 PM

Hello.

Create that on your clean machine and transfer it to your infected machine using a CD perfered or a flash-drive. Run flash-drive disinfector on your clean machine if you are going to use it. Then run the batch file.

Also run MBAM again and post the results

Then run WinsockXPFix do the same by transfering the setup file.

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

We Need to Repair Your Internet Connection
  • Please download WinsockXPFix from a working machine and copy it to a CD or flash media.
  • Copy the file to the desktop on the non working machine.
  • Double Click on Posted Image on your desktop.
  • Push the Posted Image button.
  • Allow your system to reboot.
Please let me know if your connection is restored in your next reply

Post back with:
-Batch file log
-MBAM log
-Does your internet still not work?


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 soupcon

soupcon
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:06:12 PM

Posted 07 March 2009 - 07:31 PM

Here are the contents of the notepad thing you first asked me about:

------------------------HKCU\RUN KEY ----------------------------

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Skype REG_SZ "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
SetDefaultMIDI REG_SZ MIDIDef.exe
ctfmon.exe REG_SZ C:\WINDOWS\system32\ctfmon.exe
Yahoo! Pager REG_SZ "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
WMPNSCFG REG_SZ C:\Program Files\Windows Media Player\WMPNSCFG.exe
msnmsgr REG_SZ "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
nfr REG_SZ rundll32.exe nfr.dll,ServiceMain /pid=6004
----------------------- HKLM\RUN KEY -----------------------------------

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MBMon REG_SZ Rundll32 CTMBHA.DLL,MBMon
DLA REG_SZ C:\WINDOWS\System32\DLA\DLACTRLW.EXE
SigmatelSysTrayApp REG_SZ stsystra.exe
VoiceCenter REG_SZ "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
UpdReg REG_SZ C:\WINDOWS\UpdReg.EXE
mcagent_exe REG_SZ C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
Corel File Shell Monitor REG_SZ C:\Program Files\Corel\Corel Photo Album 7\CorelIOMonitor.exe
StxTrayMenu REG_SZ "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
<NO NAME> REG_SZ
AppleSyncNotifier REG_SZ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
BCROReminder REG_SZ C:\Program Files\ByteCrusher\RegistryOptimax\BCRO.exe -rem
avast! REG_SZ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
ZoneAlarm Client REG_SZ "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
BlackBerryAutoUpdate REG_SZ C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
RoxWatchTray REG_SZ "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
QuickTime Task REG_SZ "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper REG_SZ "C:\Program Files\iTunes\iTunesHelper.exe"
Corel Photo Downloader REG_SZ "C:\Program Files\Corel\Corel Photo Album 7\Corel Photo Downloader.exe" -startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

#7 soupcon

soupcon
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:06:12 PM

Posted 07 March 2009 - 07:32 PM

Here are the results of MBAM:

Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 5.1.2600 Service Pack 3

3/7/2009 5:18:21 PM
mbam-log-2009-03-07 (17-18-21).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 179984
Time elapsed: 1 hour(s), 36 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:12 PM

Posted 07 March 2009 - 07:38 PM

Hello.

Okay, let's remove that error you were talking about. Also, can you access the internet after WinsockXPFix?

Backup Registry with ERUNT

This tool will create a complete backup of your registry. A backup is created to ensure we have backup so encase anything goes wrong we can deal with it. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

How to Restore from the ERUNT Backup

Only restore from the backups if instructed to, or you need to do so. You need it if after doing something, your computer will only boot in Safe Mode and you are unable to contact us (or anyone else) for help by other means, or if your computer will not boot into Windows at all.

To restore if you can boot, navigate to C:\WINDOWS\erdnt, choose the folder with the most recent date, and double click ERDNT.EXE. Check all boxes in the restoration options.

To restore from the Recovery Console using the Windows CD:
  • Turn on your machine with the disk in the drive.
  • Type in the number of the Windows installation you want to repair (usually 1), then press Enter.
  • Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.
  • Type without quotes "cd erdnt" followed by Enter.
  • Type without quotes "dir" followed by Enter. This will list out the available folders, whose names are the date on which the backup was taken in (M)M-DD-YYYY format. Try the most recent dates first.
  • Type without quotes "cd **name of the folder**" followed by Enter.
  • Type without quotes "batch erdnt.con" followed by Enter.
  • Type without quotes "exit" followed by Enter.
  • Remove your CD from the drive and reboot your computer into the restored registry. If you still cannot boot, try again with an earlier restore date.


Create and Run Registry Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "nfr"=-

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input NAMENAME.
  • Hit OK.
When done properly, the icon should look like Posted Image for the .reg file.

Doube-click on namename.reg, you will get a warning saying something like: "do you wish to merge/add the following information to the registry?". Please say Yes. Next you will get a confirmation telling you if it was merged sucessfully.

Tell me in your next reply if the reg script got merged sucessfully

Reboot your Computer

Answer to my question and do you still get the RUNDLL error? It should be gone now. :thumbsup:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 soupcon

soupcon
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:06:12 PM

Posted 07 March 2009 - 07:51 PM

Internet connection is still not there, or is access to the Internet Options, after WinsockFix. Should I still do the last thing you suggested?

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:12 PM

Posted 07 March 2009 - 07:56 PM

Hello.

Well, you can answer both. Not sure why your internet is not working right now.

Should I still do the last thing you suggested?

Yes, that will remove that RUNDLL error you were talking about in the beginning of this topic..

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 soupcon

soupcon
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:06:12 PM

Posted 07 March 2009 - 08:05 PM

Nothing has changed. Most sad. I have to leave and will try you tomorrow if that works for you?

I really appreciate you help!

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:12 PM

Posted 07 March 2009 - 08:27 PM

Hello.

That's fine. However, I think we should move you to the HJT-Malware Removal forum now as there are no indications or logs to show what is causing this particular problem.

Preparation Guide: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
HJT-Malware Removal forum: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
What to do when you have no reply for 5 days: http://www.bleepingcomputer.com/forums/t/176012/post-in-this-thread-when-you-havent-received-an-answer-in-five-days/

Good Luck!

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 soupcon

soupcon
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:06:12 PM

Posted 07 March 2009 - 08:28 PM

And actually the RUNDLL error box is removed, but still no internet browser connection. My router tells me I have connection, but IE is blank and Skype does not connect either.

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:12 PM

Posted 07 March 2009 - 08:29 PM

Hello.

Okay, you might want to reset your routor and see if that works at all..

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#15 soupcon

soupcon
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:06:12 PM

Posted 07 March 2009 - 08:37 PM

Haha, I'm still here; sorry about that! Nope, reset router did not change anything. What is strange is that the browser page is just blank and still no options when I click on Internet Options.

What do you think?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users