A trojan that exists but does not? (gert0.dll)

Yeah, nothing that sticks out. But HijackThis is basically a useless program, as far as I'm concerned, besides giving you a quick glance at browser helper objects and some other autorun entries. Process Explorer and Autoruns from Sysinternals offer a wealth of insight. But here are some tools that might be good at determining if you are still infected, too.

(Disclaimer: If you have not burned an Anti Virus Live Boot CD and scanned your system with it yet, what might you be waiting on? Have you installed Avast and then let it do a pre-boot scan?) I suspect you have a more academic interest in this virus, so you might enjoy these tools. And these great tools, too.

From Root Kit Analytics:

SpyDLLRemover v3: SpyDLLRemover is a standalone tool to effectively detect and delete spyware from the system. It comes with an advanced spyware scanner which quickly discovers hidden rootkit processes as well as suspicious/injected DLLs within all running processes. It not only performs sophisticated auto analysis on process DLLs but also displays them with various threat levels, which greatly helps in quick identification of malicious DLLs. The DLL search feature helps in finding a DLL within all running processes using just a partial or full name. Then the user can choose to remove the DLL from a single process or from all loaded processes with just one click.

One of the unique features of SpyDLLRemover is its capability to free the DLL from a remote process using an advanced DLL injection method which can defeat any existing rootkit tricks. It also uses sophisticated low-level anti-rootkit techniques to uncover hidden userland rootkit processes as well as to terminate them.

Stream Armor: StreamArmor is a sophisticated tool for discovering hidden alternate data streams (ADS) as well as cleaning them completely from the system. Its advanced auto analysis coupled with an online threat verification mechanism makes it the best tool available in the market for eradicating the evil streams. StreamArmor comes with a fast multi-threaded ADS scanner which can recursively scan the entire system and quickly uncover all hidden streams. All such discovered streams are represented using a specific colour pattern based on threat level, which makes it easy for the human eye to distinguish between suspicious and normal streams. (If you haven't heard of Alternate Data Streams in NTFS, read up about it. You'll love it.)

Actually, you should check out all the tools from: Spyware Analytics Forums - The Front Page. These guys are amazing at what they do, and they make modern tools that are relevant to today's threats.
 

My Computer (at a glance)
OS: Windows 7
CPU: Quad Core
Memory: 8GB
Hard Drives: 1TB
(Disclaimer: If you have not burned an Anti Virus Live Boot CD and scanned your system with it yet, what might you be waiting on? Have you installed Avast and then let it do a pre-boot scan?) I suspect you have a more academic interest in this virus, so you might enjoy these tools. And these great tools, too.
I don't think you actually read what I put above the HijackThis log.

I said:
Which Anti virus Live Boot CD would you say is the best one to use (most of them are Linux only on there, anyway)? [*edit* as long as it's free, that is */edit]

And speaking of which, do you need a blank CD to be able to use this? I've run out of them at the moment.
Hopefully I'll be getting some more blank CDs tonight, when my dad gets home (he works at Currys).

ps. I have MSE, so would that affect Avast if I had both on together?
 

My Computer (at a glance)
Computer type: PC/Desktop
Computer Manufacturer/Model Number: MSI MS-7325
OS: Windows 7 Home Premium 64-bit (6.1, Build 7601)
CPU: AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ (2 CPUs), ~2.
Motherboard: MSI K9N4 SLI-F nForce 500 SLI chipset
Memory: 2048MB RAM DDR2 (now installed a 2GB chip = 4GB altogether)
Graphics Card(s): ASUS EAH5770 CU core, 1GB GDDR5 video memory
Sound Card: Realtek AC'97 Audio
Monitor(s) Displays: AOC I2367Fh
Screen Resolution: 1920x1080
Hard Drives: SAMSUNG HD401LJ ATA Device
PSU: Tagan TG700-U25 - 700Watts
Case: NZXT Zero Aluminium Full Tower
Cooling: about 6 fans on case
Keyboard: Microsoft Natural MultiMedia Keyboard
Mouse: Trust GM-4200 Gamer Mouse Optical
Internet Speed: Not sure what speed, but it's broadband - ADSL (I think).
Antivirus: Avast! Free Antivirus
Browser: Mozilla Firefox
My mistake, I did miss that part.

"Which Anti virus Live Boot CD would you say is the best one to use (most of them are Linux only on there, anyway)? [*edit* as long as it's free, that is */edit]

And speaking of which, do you need a blank CD to be able to use this? I've run out of them at the moment."

My recommendation would be G-Data, Kaspersky, and Avast. Yes, you have to burn the ISO image to a CD in order to use it.

ps. I have MSE, so would that affect Avast if I had both on together?

Well, I'm not an MSE user, so I can't answer that with authority. However, it's generally not a good idea to install two AV programs at the same time. If you're happy with the one you have, kick the tires on it for a while. It's free, so you can always uninstall and reinstall as much as you like.
 

Your HJT log doesn't show the infection... as suspected, it's hidden.

Download DDS from one of these links:
Mirror 1 Mirror 2 Mirror 3
  • Disable any script blocking protection
  • Double click the dds icon to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt <-- will be minimised in the task bar
  • Save both reports to your desktop.
Include the contents of both logs in your new topic.

I'll take a look at both... and either help you here, or advise you to go to a 'certified' anti-malware forum to get the help you need. :)
 

My Computer (at a glance)
Computer type: PC/Desktop
Computer Manufacturer/Model Number: Bruce ... somewhere in his 40's
OS: Windows 7 Ultimate 32bit SP1
CPU: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard: INTEL/D975XBX2
Memory: 4 GB
Graphics Card(s): ATI Radeon HD 2600 Pro
Monitor(s) Displays: Samsung SyncMaster 914v
Screen Resolution: 1280 x 1024
Hard Drives: 2/500GB each ... ST3500630AS ATA Device. One is not connected
PSU: Rocketfish 700 W
Case: G.Skill Gigabyte Chassis
Keyboard: Standard PS/2 Keyboard
Mouse: Microsoft PS/2 Mouse
Internet Speed: DSL
Antivirus: Avira Internet Security
Browser: IE 11
Other Info: ATI HDMI Audio
I'll take a look at both... and either help you here, or advise you to go to a 'certified' anti-malware forum to get the help you need.

hmm...
 

Oh, nothin', I just don't have a lot of faith in "malware forums". I think he can get all the help he needs here. I mean, he has IT professionals, a Microsoft MVP in security, and an assembly programmer in this thread alone. Why send people to these HijackThis experts? Most of them have no clue what they are talking about.

I mean, yes, he may find people there who want to spend more time on his issue, but I think he would get a wealth of advice here that he wouldn't get at other forums. I mean, that is why I was drawn here :)

Update: This does not apply to every "malware help" forum user of course, just my general experience with the HijackThis lunatics, who never seem to find the problem, which could have been found with a debugger and Sysinternals tools in 10 minutes.
 

Well, virus and malware programs are constantly evolving, so there will always be new ways to circumvent or avoid detection by what most people use, which would also include things such as the programs we have listed.

The previous generation of malware and spyware was easy to find because they took advantage of BHOs, which HijackThis helped in identifying. This included some of the previous generation hijackware/False AV malware which didn't use rootkits.
 

My Computer (at a glance)
Computer Manufacturer/Model Number: Alienware Area 51 Desktop and Dell Inspiron 17R (N7010)
OS: Windows 7 Ultimate x64 and Home Premium x64
CPU: Intel i7 960 (3.2 GHz Quad Core)
Motherboard: Alienware Intel based X58
Memory: 12 Gigs (Triple Channel)
Graphics Card(s): Alienware OEM nVidia GTX 560 Ti (1.25 Gig)
Sound Card: Creative Labs X-Fi Titanium
Monitor(s) Displays: Samsung PX2370 LED 23" Monitor
Screen Resolution: 1920x1080
Hard Drives: 2 320 Gig SATA in Raid 1 Configuration (System/App); 1 1 Tera SATA (Games); 1 1 Tera SATA (Data/Music/Videos)
PSU: 750 Watt Power Supply
Case: Alienware Area 51 Desktop
Cooling: Liquid Cooled
Keyboard: Logitech G510
Mouse: Microsoft Trackball Explorer
Internet Speed: Cable
OK, I've downloaded the Kaspersky one (hopefully it's Windows 7 compatible) and burned the ISO to a disk.

When I restart my computer, do I go into BIOS and change the order of what runs first during bootup, or is there another way of doing it?

Here's the DDS logs btw.
 

Download ComboFix from any of the links below, and save it to your desktop. <-- Important
Link 1
Link 2
Link 3

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with background protection) as they may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Please be patient while the scan runs; at times it may appear to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
After rebooting ensure your Security applications have been re-enabled.

In your next reply post:
ComboFix.txt
New HJT log taken after the above scan has run

***A guide and tutorial on "How to use Combofix" can be found here:
A guide and tutorial on using ComboFix
 

Wow, this must be some serious piece of software!

Anyway, here's the ComboFix log, and a new HJT one too:

Btw, it must've taken nearly 40 minutes to do all the scanning!
 

Hmmm, it says the file is not found.

Could this be because I've restarted my computer since then?

notfound.jpg
 

Please download OTMoveIt from here:
http://oldtimer.geekstogo.com/OTM.exe
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    Code:
    :Processes
     
    :Services
     
    :Reg
     
    :Files
    C:\comment.htt
    c:\windows\winstart.bat
     
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • The list will be processed and the results for each line will be displayed in the right-hand pane.
  • Highlight everything in the Results window, press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
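The [resethosts] command in the script above replaces the HOSTS file outright. As an added example, not from the thread or from OTM, here is how a defender can read a HOSTS file before throwing it away: it separates entries that blackhole a name to loopback from entries that redirect a name to a real address, which is the pattern worth recording in an incident note. The sample file, its RFC 5737 addresses and its .test names are constructed for this example.

```python
import ipaddress

# Constructed sample HOSTS file (not from the thread). Documentation addresses
# and .test names stand in for what a tampered file might contain.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.test        # a self-added ad-blocking entry
203.0.113.7     update.example-av.test  # an update host sent to a foreign address
203.0.113.7     www.example-bank.test
"""

# Addresses that mean "answer nothing useful" rather than "go somewhere else".
LOCAL_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("0.0.0.0/32"),
]
# Names that legitimately live in every HOSTS file and carry no signal.
CANONICAL = {"localhost"}


def audit_hosts(text):
    """Classify every mapping in a HOSTS file before deciding to reset it."""
    findings = {"entries": 0, "redirects": [], "loopback_blocks": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace padding
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            findings["malformed"].append({"line": lineno, "text": raw})
            continue
        hosts = parts[1:]
        if not hosts:
            findings["malformed"].append({"line": lineno, "text": raw})
            continue
        findings["entries"] += len(hosts)
        # A version mismatch (IPv4 address vs IPv6 network) simply tests False.
        local = any(ip in net for net in LOCAL_NETS)
        for host in hosts:
            if host.lower() in CANONICAL:
                continue
            entry = {"line": lineno, "ip": str(ip), "host": host}
            if local:
                findings["loopback_blocks"].append(entry)  # name is blackholed
            else:
                findings["redirects"].append(entry)        # name goes to a real address


    return findings


def severity(findings):
    """Redirects are the serious case; loopback blocks need a human look; else clean."""
    if findings["redirects"]:
        return "high"
    if findings["loopback_blocks"] or findings["malformed"]:
        return "review"
    return "clean"


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"severity: {severity(report)}")
    for entry in report["redirects"]:
        print(f"line {entry['line']}: {entry['host']} -> {entry['ip']} (redirect)")
    for entry in report["loopback_blocks"]:
        print(f"line {entry['line']}: {entry['host']} -> {entry['ip']} (blackholed)")
```

The split on "#" before stripping matters: a long run of blank lines or trailing spaces cannot hide an entry from this reader the way it can from a casual look in Notepad, and an entry that redirects a name to a routable address is reported with its line number so it can be quoted in a reply before the file is reset.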
 

Results window? I presume you mean everything in the OTM log file (I also assume it's the same info as what was in the right-hand column?)?

(and btw, I thought I'd try and see if VirSCAN could detect the comment.htt file again after moving it, but to no avail)
 

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\comment.htt folder moved successfully.
c:\windows\winstart.bat moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Gareth
->Temp folder emptied: 1678124 bytes
->Temporary Internet Files folder emptied: 15002883 bytes
->Java cache emptied: 20112950 bytes
->FireFox cache emptied: 160458057 bytes
->Google Chrome cache emptied: 92304208 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 10890 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Temporary
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 6761155 bytes
->FireFox cache emptied: 72318300 bytes
->Flash cache emptied: 1927 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 15978 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 3194296 bytes

Total Files Cleaned = 355.00 mb


OTM by OldTimer - Version 3.1.16.0 log created on 09122010_173523
Files moved on Reboot...
Registry entries deleted on Reboot...
Looks like OTM found and deleted it :)

Did you notice your computer not working right after opening an email?
ThreatExpert Report: Email-Worm.Rays, W32.Wullik@mm, Email-Worm.Win32.Rays.c, W32/Wukill.worm.gen.
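Reading the OTM log posted above mechanically, as an added example that is not part of the thread and not OTM's own code: the parser below pulls out what the tool records, namely which paths were moved, whether the HOSTS file was reset, and how many bytes [emptytemp] removed per profile, and it adds the byte counts up so the figure can be compared with the log's own total. The log text embedded in the block is a shortened copy of the one posted above; every non-zero byte count from the original is kept.

```python
import re

# Shortened copy of the OTM log posted in the thread (result lines only).
OTM_LOG = r"""All processes killed
========== PROCESSES ==========
========== FILES ==========
C:\comment.htt folder moved successfully.
c:\windows\winstart.bat moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Gareth
->Temp folder emptied: 1678124 bytes
->Temporary Internet Files folder emptied: 15002883 bytes
->Java cache emptied: 20112950 bytes
->FireFox cache emptied: 160458057 bytes
->Google Chrome cache emptied: 92304208 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 10890 bytes

User: Temporary
->Temporary Internet Files folder emptied: 6761155 bytes
->FireFox cache emptied: 72318300 bytes
->Flash cache emptied: 1927 bytes

%systemdrive% .tmp files removed: 0 bytes
Windows Temp folder emptied: 15978 bytes
RecycleBin emptied: 3194296 bytes

Total Files Cleaned = 355.00 mb
Files moved on Reboot...
"""

SECTION_RE = re.compile(r"^=+ (?P<name>[A-Z/]+) =+$")
MOVED_RE = re.compile(r"^(?P<path>.+?)(?: folder)? moved successfully\.$")
BYTES_RE = re.compile(r"^(?P<what>.+?):\s*(?P<n>\d+) bytes$")
TOTAL_RE = re.compile(r"^Total Files Cleaned = (?P<mb>[\d.]+) mb$")


def parse_otm_log(text):
    """Turn an OTM log into a dict of what the tool actually did."""
    result = {
        "moved": [],             # paths OTM relocated; the log records a move, not a wipe
        "hosts_reset": False,    # [resethosts] replaced the HOSTS file
        "bytes_by_user": {},     # [emptytemp] byte counts per profile, plus "(system)"
        "total_bytes": 0,
        "reported_total_mb": None,
        "section_hits": {},      # how many lines each ===== section reported
    }
    section, user = None, "(system)"
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group("name")
            result["section_hits"][section] = 0
        elif line.startswith("User: "):
            user = line[len("User: "):]
        elif m := MOVED_RE.match(line):
            result["moved"].append(m.group("path"))
            if section:
                result["section_hits"][section] += 1
        elif line == "HOSTS file reset successfully":
            result["hosts_reset"] = True
        elif m := BYTES_RE.match(line):
            n = int(m.group("n"))
            owner = user if line.startswith("->") else "(system)"  # "->" lines belong to a profile
            result["bytes_by_user"][owner] = result["bytes_by_user"].get(owner, 0) + n
            result["total_bytes"] += n
        elif m := TOTAL_RE.match(line):
            result["reported_total_mb"] = float(m.group("mb"))
    return result


def summarize(result):
    """Plain-English reading of the log, in the order a reviewer checks it."""
    lines = [f"{len(result['moved'])} item(s) moved out of place (relocated, not wiped):"]
    lines += [f"  {p}" for p in result["moved"]]
    lines.append("HOSTS file reset: " + ("yes" if result["hosts_reset"] else "no"))
    mib = result["total_bytes"] / 2**20
    lines.append(f"[emptytemp] removed {result['total_bytes']} bytes (~{mib:.2f} MiB); "
                 f"log reports {result['reported_total_mb']} mb")
    return lines


RESULT = parse_otm_log(OTM_LOG)

if __name__ == "__main__":
    print("\n".join(summarize(RESULT)))
```

The summed byte counts come to about 354.6 MiB against the log's "355.00 mb", so the per-line figures and the total agree to rounding. The parser also answers the question of what "moved successfully" means: the FILES and COMMANDS sections record relocations of comment.htt, winstart.bat and the HOSTS file, and nothing in the log claims a deletion.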
 

I'd like you to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  2. Click the [esetOnline.png] button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    1. Click on [esetSmartInstall.png] to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the [esetSmartInstallDesktopIcon.png] icon on your desktop.
  4. Check [esetAcceptTerms.png].
  5. Click the [esetStart.png] button.
  6. Accept any security warnings from your browser.
  7. Check [esetScanArchives.png].
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push [esetListThreats.png].
  11. Push [esetExport.png], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the [esetBack.png] button.
  13. Push [esetFinish.png].
 

Looks like OTM found and deleted it :)

Did you notice your computer not working right after opening an email?
ThreatExpert Report: Email-Worm.Rays, W32.Wullik@mm, Email-Worm.Win32.Rays.c, W32/Wukill.worm.gen.

btw, how could you tell that OTM found and deleted it based on that log file? To me it just looks like it's cleared the cache out, and moved comment.htt & winstart.bat to a different location (but not deleted it).

I haven't really had any problems with my computer (as far as I know), and I don't remember opening any e-mails from someone who I don't know [also 'as far as I remember'].

I'd like you to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  2. Click the [esetOnline.png] button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    1. Click on [esetSmartInstall.png] to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the [esetSmartInstallDesktopIcon.png] icon on your desktop.
  4. Check [esetAcceptTerms.png].
  5. Click the [esetStart.png] button.
  6. Accept any security warnings from your browser.
  7. Check [esetScanArchives.png].
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push [esetListThreats.png].
  11. Push [esetExport.png], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the [esetBack.png] button.
  13. Push [esetFinish.png].

I'm not sure if this was what I've been after for ages now, but ESET has found and deleted 4 threats on my computer.

Here's the log file you requested
 

Use Shark007's codecs .. Shark007.net - Windows 7 Codecs - WMP12 Codecs (download from MajorGeeks)
How is your computer running now?

Trojan.Packed.Autoit.Gen can bring about:
  • Infamous Blue Screen of Death errors brought on by Trojan.Packed.Autoit.Gen
  • Constantly appearing system freezes
  • Network corruption and serious data loss caused by Trojan.Packed.Autoit.Gen
  • Drained system resources
  • Applications freezing
  • Computer reboot failure
  • Advertisement bombardment by Trojan.Packed.Autoit.Gen
  • System settings and software settings rewritten by Trojan.Packed.Autoit.Gen
  • Browser with additional components that come with Trojan.Packed.Autoit.Gen
 

It seems to be running fine, although TBH I can't really tell much difference in my computer's performance anyway (i.e. it didn't really show any of those signs beforehand anyway; although I did get a few BSODs a while back before I knew about this, so who knows?).

Would explorer.exe not loading up after I log in (just today) be part of the list?


I'd still like to know how you could tell that OTM found and deleted it based on that log file? To me it just looks like it's cleared the cache out, and moved comment.htt & winstart.bat to a different location (but not deleted it).
 
