Is this a sign of malware? (I'm ready to do the ComboFix scan, please read)

I’ve been PMing essexboy about this issue, I will be posting my OTL file here.

Here is my problem:
[QUOTE=From Misuzu’s PM]
My family member has been worried about this “Error Message” that pops up every now and then after we turn on the computer and go to the desktop.

RunDLL

Error loading C:\Users\Myname\AppData\Roaming\netcorehck.dll

The specified module could not be found.

Is this a sign of malware?
Avast! hasn’t reported anything and MBAM scans aren’t finding anything…
[/quote]
essexboy said it was a registry key pointing to malware that no longer exists. I used OTL like he asked to scan.

My family members are a little worried about OTL, though I know it’s safe. My family members think people use OTL to actually USE or GET INTO your computer. OTL is just a scanner right? That’s what I told them it was…

If you’re not sure that the virus is completely gone, then upload it to Virus Total.

OTL text files.
I replaced my name with [my name] in the result files and my country with [my country], is that okay?

Dumb question: OTL is still on my PC, is it safe to scan with MBAM while OTL is on your computer?

Haven’t seen this one for a few months - OTL is an analysis programme so it interferes with nothing

Run OTL

[*]As this is a big fix it is too long to post so download the attached fix.txt to your desktop
[*]Then click the Run Fix button at the top
[*]OTL will ask for the location of the fix.txt browse to the file you downloaded and double click it
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

NEXT

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Hello.

Okay. I downloaded the fix file and I did a “Run Fix” with OTL. When the computer got done rebooting and I went to desktop, a notepad file appeared. Am I supposed to post that file? Or the “Quick Scan” file?
I also did the “Run Fix” set on “Minimal Output” and I didn’t have the “Scan all users” box check marked. Will this cause “problems”?

Should I check mark the “Scan all users” on my “Quick Scan”?
Thanks.

OTL Quick Scan result file.

I’ll do ComboFix next. Just a question: Will it “clash” with Avast! or MBAM? Or has it in the past?
I don’t think I can turn off MBAM, but MBAM is just a scanner, not an anti virus program so it should be safe to just leave it as it is?

Do/did I have malware? Or some other computer issue?

Sorry for all the questions. I really appreciate your help.

There should be no clash - just do not let avast quarantine anything

Okay got done scanning with ComboFix. However, because the interface for the ComboFix looked weird, I attached a picture of it.

However I did not see these pop ups:

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

http://img.photobucket.com/albums/v706/ried7/whatnext.png

I saw some sort of pop up about something called “EUR” though…

I forgot to save/move ComboFix.exe to the desktop however. What “damage” will that cause?

Well if I need to uninstall ComboFix and rescan it, I will. I attached the log from ComboFix anyway…

EDIT: The “RunDLL” pop up is no longer popping up, however, every time I start FireFox now, it asks me if I want to make it the default browser (Or something like that) because I believe IE is the default browser… But FireFox never did this before.

Combofix resets the default browser to IE - once we are done then just reset Firefox to default

  1. Please open Notepad
    [*]Click Start, then Run
    [*]Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\XDva219.sys
c:\windows\system32\XDva224.sys
c:\windows\system32\XDva238.sys
c:\windows\system32\XDva248.sys
c:\windows\system32\XDva273.sys
c:\windows\system32\XDva280.sys
c:\windows\system32\XDva281.sys
c:\windows\system32\XDva337.sys
c:\windows\system32\XDva344.sys

Driver::
XDva219
XDva224
XDva238
XDva248
XDva273
XDva280
XDva281
XDva337
XDva344

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*]Combofix.txt
    [*]A new OTListit log.

So after following these directions this will like “reinstall” ComboFix and THIS TIME if I install ComboFix from the desktop it will work right?

NEVER MIND IGNORE THIS POST
I’ve been busy and my family members need to use the computer for work etc… So I haven’t had the time to do the scan yet, but important question:

Apparently I have malware? Or some kind of issue? How severe is it? I don’t really know what kind of issue my family’s PC has (The family PC is the one that had the RunDLL pop up and is the one that I used OTL to scan on etc…) And if it’s malware, is it preventing MBAM or Avast! from detecting it or something? Because neither Avast or MBAM has found any issues.

Ok. I am ready to do the ComboFix scan.

IMPORTANT QUESTION: Sorry another question, but can I just drag the text file onto the shortcut (That is on the desktop) to ComboFix, or does it have to be the actual .exe file? I can’t seem to put ComboFix.exe onto the desktop without it becoming a shortcut…

Can I just delete ComboFix.exe and re-download it? And if I re-download it, will I still have to drag the text file onto ComboFix?

And you want me to do another “Quick Scan” with OTL?

Combofix needs to be on your desktop, so delete your current copy and download a fresh one to your desktop and then drag/drop the CFscript.txt onto Combofix

On completion run an OTL quickscan but select all users

Okay I did what you said in the above post, however it did the same thing it did before. (I also disabled Avast to scan)

First it popped up with a long window that said that “If you bought Combofix from any of these websites… etc etc…” and other “legal” issue stuff.

Several boxes showed up, one of them had 2 bars on it and it said something like HIV.

But the two boxes you posted did not show up once again and it did the “Completed Stage” thing in the Administrator box again…

However, I believe from what I remember, unlike the first time I used ComboFix, after it said “Completed Stage_50” it said it was deleting a file, at: C:[my name]\system.exe
That probably wasn’t the actual location of the file, but something like that.

After it got done scanning it rebooted my computer on its own.
When the computer started back up, Avast’s icon on the bar at the bottom of the screen (Forgot the name) disappeared… Is that … Normal?

Why is ComboFix “acting weird”?

Oh well. Here’s the ComboFix log from this scan anyway…
P.S. I could not find the actual log file that ComboFix made, however I just copied and pasted the results into another notepad file, is that ok?

Uh, I just checked Task Manager and almost all of the processes are gone. Is this normal? :-\

I attached pictures to show what it looked like before the scan (First picture) and what it looks like now, after the scan (second picture).

The first taskmanager is showing all users and the second just current user - so that is normal

As you have Vista, Combofix will not install the recovery console as it is already present

What problems do you have now ?

Ah okay that makes sense.

As for what problems I have now: Is ComboFix working correctly then? Is the log I posted “okay”? I assumed since those two windows/pop ups pictures that you posted didn’t show up, I was doing something wrong.

I can see no further problems but I need to know if you are happy

I think the computer is fine now. But I can still do an OTL quick scan if you think I should.

EDIT: Oh sorry. Quick question: Whenever I went to the Recycle Bin it would say “Windows Explorer Has Stopped Working” and it would close the Recycle Bin window right away and it continued to do that until I shut down the computer and turned it back on and now it hasn’t happened anymore… Is this a sign of malware or just DEP or something like that?

Other than that, thanks for the help! I appreciate it. :slight_smile:

Looking at that I am a happy bunny :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems.

Upgrading Java:

[*]Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 21.
[*]Click the “Download” button to the right.
[*]Select your Platform and check the box that says: “I agree to the Java SE Runtime Environment 6 License Agreement.”.
[*]Click on Continue.
[*]Click on the link to download Windows Offline Installation (jre-6u21-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager…
[*]Close any programs you may have running - especially your web browser.
[*]Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
[*]Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*]Click the Remove or Change/Remove button.
[*]Repeat as many times as necessary to remove each Java version.
[*]Reboot your computer once all Java components are removed.
[*]Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u21-windows-i586-p.exe and select “Run as an Administrator.”)

SPRING CLEAN

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.

Malwarebytes. Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave:
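
An added example, not part of the original thread and not the helper's fix script: a read-only PowerShell check for the condition described near the top of the thread, an autostart entry that runs rundll32 against a DLL that is no longer on disk. The thread does not say which registry key held the entry, so the Run/RunOnce key list and the function name `Get-RundllTarget` are assumptions.

```powershell
# Report (never delete) autostart values that call rundll32 on a missing DLL.
# Key list is an assumption; the thread does not name the key involved.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RundllTarget {
    param([string]$Command)
    # Handles: rundll32.exe "C:\dir\x.dll",Entry   and   rundll32 C:\dir\x.dll,Entry
    # The path ends at the first quote or comma (the comma precedes the entry point).
    if ($Command -match 'rundll32(?:\.exe)?"?\s+"?([^",]+)') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1].Trim())
    }
    return $null
}

$orphans = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        $dll = Get-RundllTarget $cmd
        # Bare names such as shell32.dll are resolved via the search path,
        # so only fully qualified paths are tested to avoid false positives.
        if ($dll -and [IO.Path]::IsPathRooted($dll) -and
            -not (Test-Path -LiteralPath $dll)) {
            [pscustomobject]@{
                Key        = $key
                Value      = $name
                MissingDll = $dll
                Command    = $cmd
            }
        }
    }
}

if ($orphans) { $orphans | Format-List } else { 'No orphaned rundll32 autostart entries found.' }
```

An entry listed here is a leftover pointer, not proof the system is clean; the DLL may have been removed by a scanner while other components remain, which is why the helper asked for full logs.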