DLL errors on startup after running mbam
#1 JennhatesPCs
Posted 07 March 2010 - 09:48 PM

One of the PCs on my business network seems to be forever coming down with trojan infections. I have cleaned it a number of times with mbam and S&D and I run current versions of McAfee and use scheduled updates with all AV programs, Windows Update, etc. From what I can tell, I'm doing everything right. I have had a rather pointed discussion with the employee and after some sleuthing, I am confident that she is not playing online poker, downloading P2P music files or viewing porn during the day.

Ongoing issue:

A few months ago, I ran Spybot and "fixed" a couple of nasties. Since then, on startup the computer gives 2 messages regarding missing DLLs: mielor.dll and adagubin.dll. I have searched the various dll libraries and forums and can't find any information on either. I scanned the registry with CCleaner and did a simple Find command in regedit but can't find any references to either of these. Everything seems to be working with the computer in terms of software and functionality so these are probably remnants of a previous problem or software. But they are annoying and worrisome and I'd like to get rid of them.

New:

After a scan today, mbam found: ntload, nsrbgxod.bak, oashdihasi.....dll, and the Generic. trojan dropper. I fixed them, re-ran mbam and Spybot. Both came up clean. NOW, on startup in addition to the 2 weird dll errors above, I get a missing ntload.dll error. Seems that mbam should have cleaned that up better.

What I'd like help with:

1. Getting rid of fragments and leftovers from cleanups so my user doesn't freak out every morning and so I can sleep better.
2. Have some sort of confidence that the system is CLEAN so I can set a new restore point. I do not trust a single restore point in the history of this machine except maybe the day I plugged it in.
3. Figure out WHY IN HECK this computer can regularly come down with trojan infections when all the software is up to date?? What are we not picking up with these scans/cleans? Is one of my 3rd party programs creating some vulnerability?

Thanks in advance,

Jenn, the accidental network admin


#2 quietman7

Posted 08 March 2010 - 08:49 AM

Since you say this is a work computer, you need to contact and advise your IT Department. In most work environments, the IT staff implement specific policies and procedures for the use of computer equipment and related resources. In fact, many companies will require you to read those policies and sign a statement of understanding. These official procedures are designed and implemented to provide security and certain restrictions to protect the network. This allows all users to safely use business resources with minimum risk of malware infection, illegal software, and exposure to inappropriate Internet sites or other prohibited activity. We will not assist with attempts to circumvent those policies or security measures.

Our forums are set up to help the home computer user deal with issues and questions relating to personal computers. We are not equipped to involve ourselves in any legal issues that may arise due to loss of business data and loss of revenue as a result of malware infection or the disinfection process which in some instances require reformatting and reinstallation of the operating system. Further, most helpers are not familiar with Servers and many of the tools we use are restricted to non-commercial use by their creators.

A business IT staff generally has established procedures in place to deal with issues and infections on client machines on the network. As such, they may not approve of employees seeking help at an online forum or outside the business office as doing so could interfere or cause problems with their removal methods. Further, the malware you are dealing with may have infected the network. If that's the case, the IT Department needs to be advised right away so they can take the appropriate measures.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 JennhatesPCs
Posted 08 March 2010 - 12:18 PM

Hi quietman7. A large part of the problem is that I AM the IT Department. We're a very small company.

If you're not able to help, I understand.

Best regards to all and thanks for providing a great service.

Jennifer

#4 quietman7
Posted 08 March 2010 - 12:31 PM

It's not unusual to receive .dll error(s) when "booting up" after using anti-virus and other security scanning tools to remove a malware infection.

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to a malware file that was set to run at startup in the registry but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry still remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for an entry related to the file(s) in the error message.
  • If found, right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.
If you're going to keep and use Autoruns, be sure to read:

Below I have provided some generic instructions for network cleaning.

If this is a client machine, to prevent the malware from spreading to other clients on the network keep this system separated (isolated) from all others and disable network file and printer sharing until fully cleaned. Vista users can refer to these instructions.

If you're not sure about the source of infection, start by disconnecting (isolating) all client machines from the network. Check and disinfect each client individually by performing a full system scan with your anti-virus in safe mode to ensure it is clean before reconnecting.

Start with the server, then one at a time, do the same for each client machine until you ensure it is clean and can be reconnected. That is a tedious task, but it ensures each machine gets individual attention and a full system scan of all files and folders. Trying to do things remotely can result in missed detections. If scanning a mapped drive only scans the mapped folders, it may not include all the folders on the remote computer. Further, if a malware file is detected on the mapped drive, the removal may fail if a program on the remote computer uses that file.

How to scan your network with Sophos Anti-Rootkit <- this link has instructions for use on large networks

On a network where the domain controller has been infected with a rootkit, you should clean the domain controller before cleaning the remaining computers on the network. See rootkit removal on a network with an infected domain controller.

If you were infected by malware that spreads to network shares or by a password stealing trojan, change the passwords for all important applications and set strong passwords for shared network resources.

#5 JennhatesPCs
Posted 08 March 2010 - 02:24 PM

Thanks for the tip. I used autoruns to ID and remove the entries. One thing I ran into when doing this process: When I ran autoruns as the administrator, it did not find them and I had to log in as the domain user. One would think that logging in with admin privileges would enable one to scan all users' registries. Was there a button that I missed to enable this in autoruns?

On network security: all security policies were set up by people who were (supposedly) in the know. I certainly paid them enough to have them do a decent job. Admittedly, I love to tinker but I'm smart enough to know that I'm not smart enough to mess with these settings.

Since we're a small network, my current procedure is to scan the clients (all 4 of them) individually. Every client on the network consistently comes up clean with mbam, S&D, and Sophos AR except for the one "problem child." I hadn't considered an infected domain controller because the problems appear to be isolated to this one machine.

Thanks again for the help. I understand your hesitancy to stick your neck out in this circumstance. (Though I can assure you that the principals of this company (me) are not litigious in nature. And we always make regular backups of our dbs.)

Cheers.
Jennifer
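The orphaned-entry explanation in post #4 and the hive question in post #5 (why Autoruns run as the administrator did not show the domain user's entries) can be demonstrated with a small read-only script. This is an added example, not code from the thread or from Autoruns: it walks the Run/RunOnce keys under HKLM and under every user hive loaded in HKEY_USERS, extracts the file each value points at, and reports the ones whose file is missing. It assumes PowerShell 5.1 or later running elevated; removal is still done by hand in Autoruns as described above.

```powershell
# Added example (not from the thread): report autostart registry entries whose
# target file no longer exists, i.e. the orphaned entries that produce the
# "missing DLL" messages at logon. Read-only: it only lists candidates.
# Assumes PowerShell 5.1+ run elevated so that every loaded user hive is readable.

# Run/RunOnce keys relative to a hive root. HKLM covers the machine; each
# HKEY_USERS\<SID> subtree covers one user profile, which is why a scan of the
# administrator's own HKCU does not show entries planted in another user's hive.
$runSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# HKU: is not mapped as a PowerShell drive by default; map it to see all user hives.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Hive roots to walk: the machine hive plus every real account SID under HKEY_USERS.
$hiveRoots = @('HKLM:') + (Get-ChildItem HKU: |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)" })

function Get-TargetPath([string]$commandLine) {
    # First token of the command line: a quoted path or the run up to the first space.
    $cmd = $commandLine.Trim()
    if ($cmd -match '^"([^"]+)"') { $first = $Matches[1] } else { $first = ($cmd -split '\s+')[0] }
    # rundll32 entries carry the real target (the DLL) as their first argument.
    if ($first -match '(?i)rundll32(\.exe)?$' -and $cmd -match '(?i)rundll32(?:\.exe)?\s+"?([^",]+)') {
        $first = $Matches[1]
    }
    return [Environment]::ExpandEnvironmentVariables($first)
}

foreach ($root in $hiveRoots) {
    foreach ($sub in $runSubKeys) {
        $key = Join-Path $root $sub
        if (-not (Test-Path $key)) { continue }   # e.g. no Wow6432Node on 32-bit Windows
        $props = Get-ItemProperty -Path $key
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notmatch '^PS' })) {
            $target = Get-TargetPath ([string]$props.$name)
            if (-not $target) { continue }
            # A bare name such as ntload.dll is resolved through PATH by Windows; check that too.
            $exists = (Test-Path -LiteralPath $target) -or
                      ((Split-Path $target -Parent) -eq '' -and (Get-Command $target -ErrorAction SilentlyContinue))
            if (-not $exists) {
                [PSCustomObject]@{ Hive = $root; Key = $sub; Value = $name; Target = $target; Status = 'ORPHAN' }
            }
        }
    }
}
```

Only hives of users who are logged on (or whose profile is otherwise loaded) appear under HKEY_USERS, so an entry in a logged-off user's profile still needs that user to log on, or their hive to be loaded, before any tool can see it.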