A trojan that exists but does not? (gert0.dll)


  1. Posts : 65
    Windows 7 Home Premium 64-bit (6.1, Build 7601)
    Thread Starter
       #31

    Wow, this must be some serious piece of software!

    Anyway, here's the ComboFix log, and a new HJT one too:

    Btw, it must've taken nearly 40 minutes to do all the scanning!


  2. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #32

    Navigate to this file: C:\comment.htt. Make sure you have hidden files and folders set to show, so you can find it.

    Upload it to VirSCAN.org (Free Multi-Engine Online Virus Scanner v1.02, Supports 36 AntiVirus Engines!), have it scanned, and save the log to post back here.


  3. Posts : 65
    Windows 7 Home Premium 64-bit (6.1, Build 7601)
    Thread Starter
       #33

    Hmmm, it says the file is not found.

    Could this be because I've restarted my computer since then?



  4. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #34

    Please download OTMoveIt from here:
    http://oldtimer.geekstogo.com/OTM.exe
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      Code:
      :Processes
       
      :Services
       
      :Reg
       
      :Files
      C:\comment.htt
      c:\windows\winstart.bat
       
      :Commands
      [purity]
      [resethosts]
      [emptytemp]
      [Reboot]
    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • The list will be processed and the results for each line will be displayed in the right-hand pane.
    • Highlight everything in the Results window, press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
    • Close OTMoveIt

    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


  5. Posts : 65
    Windows 7 Home Premium 64-bit (6.1, Build 7601)
    Thread Starter
       #35

    Results window? I presume you mean everything in the OTM log file (I also assume it's the same info as what was in the right-hand column?)?

    (and btw, I thought I'd try and see if VirSCAN could detect the comment.htt file again after moving it, but to no avail)


  6. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #36

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\comment.htt folder moved successfully.
    c:\windows\winstart.bat moved successfully.
    ========== COMMANDS ==========
    C:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Gareth
    ->Temp folder emptied: 1678124 bytes
    ->Temporary Internet Files folder emptied: 15002883 bytes
    ->Java cache emptied: 20112950 bytes
    ->FireFox cache emptied: 160458057 bytes
    ->Google Chrome cache emptied: 92304208 bytes
    ->Opera cache emptied: 0 bytes
    ->Flash cache emptied: 10890 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Temporary
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 6761155 bytes
    ->FireFox cache emptied: 72318300 bytes
    ->Flash cache emptied: 1927 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 15978 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 3194296 bytes

    Total Files Cleaned = 355.00 mb


    OTM by OldTimer - Version 3.1.16.0 log created on 09122010_173523
    Files moved on Reboot...
    Registry entries deleted on Reboot...
    Looks like OTM found and deleted it :)

    Did you notice your computer not working right after opening an email?
    ThreatExpert Report: Email-Worm.Rays, W32.Wullik@mm, Email-Worm.Win32.Rays.c, W32/Wukill.worm.gen..
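
Added example, not part of the original thread and not code from OTM: a small Python parser for the OTM results log quoted in post #36, which separates the items the log reports as moved from the cache clean-up lines. The function names and the abridged sample log are assumptions made for illustration, and the patterns cover only the line shapes visible in this log.

```python
import re

# Abridged excerpt of the OTM results log posted in this thread.
SAMPLE_LOG = """\
All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\\comment.htt folder moved successfully.
c:\\windows\\winstart.bat moved successfully.
========== COMMANDS ==========
C:\\Windows\\System32\\drivers\\etc\\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Gareth
->Temp folder emptied: 1678124 bytes
->FireFox cache emptied: 160458057 bytes
"""

SECTION = re.compile(r"^=+ (?P<name>[A-Z/]+) =+$")
MOVED = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)(?P<kind> folder)? moved successfully\.$")
EMPTIED = re.compile(r"^->(?P<what>.+) emptied: (?P<bytes>\d+) bytes$")

def parse_otm_log(text):
    """Split an OTM log into moved items (per section) and cache clean-up totals."""
    report = {"moved": [], "other": [], "emptied_bytes": 0}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION.match(line):
            section = m["name"]
        elif m := MOVED.match(line):
            kind = "folder" if m["kind"] else "file"
            report["moved"].append((section, m["path"], kind))
        elif m := EMPTIED.match(line):
            report["emptied_bytes"] += int(m["bytes"])
        elif section is not None and not line.startswith(("[", "User:")):
            report["other"].append((section, line))
    return report

def targets_handled(report, requested):
    """Map each requested path (case-insensitive) to True if the log shows it moved."""
    moved = {path.lower() for _, path, _ in report["moved"]}
    return {p: p.lower() in moved for p in requested}
```

Comparing `targets_handled` against the `:Files` entries pasted into OTM shows whether every requested path has a matching "moved successfully" line, independent of the much longer cache clean-up output.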


  7. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #37

    I'd like you to scan your machine with ESET OnlineScan
    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Push the Start button.
    9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    10. When the scan completes, push
    11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    12. Push the button.
    13. Push


  8. Posts : 65
    Windows 7 Home Premium 64-bit (6.1, Build 7601)
    Thread Starter
       #38

    Jacee said:
    Looks like OTM found and deleted it :)

    Did you notice your computer not working right after opening an email?
    ThreatExpert Report: Email-Worm.Rays, W32.Wullik@mm, Email-Worm.Win32.Rays.c, W32/Wukill.worm.gen..
    btw, how could you tell that OTM found and deleted it based on that log file? To me it just looks like it's cleared the cache out, and moved comment.htt & winstart.bat to a different location (but not deleted it).

    I haven't really had any problems with my computer (as far as I know), and I don't remember opening any e-mails from someone who I don't know [also, 'as far as I remember'].

    Jacee said:
    I'd like you to scan your machine with ESET OnlineScan
    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.

    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Push the Start button.
    9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    10. When the scan completes, push
    11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    12. Push the button.
    13. Push
    I'm not sure if this was what I've been after for ages now, but ESET has found and deleted 4 threats on my computer.

    Here's the log file you requested


  9. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #39

    Use Shark007's codecs .. Shark007.net - Windows 7 Codecs - WMP12 Codecs (download from MajorGeeks)
    How is your computer running now?

    Trojan.Packed.Autoit.Gen can bring about:
    • Infamous Blue Screen of Death Errors brought by Trojan.Packed.Autoit.Gen
    • Constantly appeared system freezes
    • Network corruption Serious data loss caused by Trojan.Packed.Autoit.Gen
    • Drained system resources
    • Applications freezing
    • Computer reboot failure
    • Advertisements bombard by Trojan.Packed.Autoit.Gen
    • System setting and software setting have been rewritten by Trojan.Packed.Autoit.Gen
    • Browser with additional components come with Trojan.Packed.Autoit.Gen


  10. Posts : 65
    Windows 7 Home Premium 64-bit (6.1, Build 7601)
    Thread Starter
       #40

    It seems to be running fine, although TBH I can't really tell much difference in my computer's performance anyway (i.e. it didn't really show any of those signs beforehand anyway; although I did get a few BSODs a while back before I knew about this, so who knows?).

    Would explorer.exe not loading up after I log in (just today) be part of the list?


    I'd still like to know how you could tell that OTM found and deleted it based on that log file? To me it just looks like it's cleared the cache out, and moved comment.htt & winstart.bat to a different location (but not deleted it).