Windows 7 Forums

Windows 7: A trojan that exists but does not? (gert0.dll)

05 Sep 2010   #11
dranfu

Hi Gaz1701,

I'm not sure why you removed the image of regedit, as that would have helped shed some more light on this, since the virus is still there. Also, just deleting entries in regedit does not delete a virus, or any file for that matter; the registry is "a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as the applications running on the platform" (see Windows Registry - Wikipedia, the free encyclopedia).

Anyhow, it appears that the file is either not in the folder, or perhaps has moved itself. It is also possible that Malwarebytes simply found some other settings in the registry, or some files left over by the virus, and so reported it. Did you let Malwarebytes do a full scan yet to see if it can successfully remove it? I would try that, and then afterwards I would scan again to make sure it is gone.

However, if you want to remove it once and be sure, then, again, the best thing to do is to use a live boot CD (see my earlier post in this discussion) and scan before Windows loads up (you'll need to burn the CD first).

If you want, I can try to identify the resources/tricks it is using to hide. If you want to go that route, download Process Explorer and take a screenshot of the entire screen. Next, download Autoruns and run this command in a command prompt: autorunsc -a -c > "AutoRUN Entries.CSV". Next, go to the registry again and search for gert0.dll, or whatever file name is showing up; hit the F3 key to find the next entry. For each entry you find in the registry, take a screenshot of it. Now post the Autoruns CSV entries (select all, copy, paste) inside Code tags in your reply, and paste the Process Explorer screenshot up there too. And finally post the screenshots from regedit.

Again, this is the long way; the easiest thing to do is scan with a boot CD.


05 Sep 2010   #12
dranfu

And also, what is malwarebytes showing? What file name, and what location, is it reporting? And like Jacee said, what Fake AV program is it associated with?
05 Sep 2010   #13
Keiichi25

Windows 7 Ultimate x64 and Home Premium x64

It is HIGHLY recommended to not only remove it from your registry, but also remove any files, as there is a chance you may run it by accident and get it running again.

Also, Malwarebytes will always find stuff you haven't touched, which would include questionable files. So it is important to scrub your system as best as you can using those techniques. If you only remove the file or registry part without scrubbing, you still run into little problems; for instance, one malware messes with the HKey Root part of the registry and remaps .exe to run a DLL or file, which makes running the system a pain in the butt.
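The .exe remapping Keiichi25 mentions lives in two registry values, and checking them is quick. This is an added example, not code from the thread or from any of the tools it names. It assumes the stock Windows 7 values (HKEY_CLASSES_ROOT\.exe default = exefile; HKEY_CLASSES_ROOT\exefile\shell\open\command default = "%1" %*); the sample values, the hijack.exe path and the function names are made up for illustration. The string checks run on any OS; the live read needs Windows.

```python
"""Check the .exe association chain for the kind of hijack described above.

Added example, not from the thread. On a clean Windows 7 install:
    HKEY_CLASSES_ROOT\\.exe                         (Default) = exefile
    HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command (Default) = "%1" %*
A hijacker rewrites the second value so that its own file is started first
and the real program is handed to it as "%1". The string checks run on any
OS; the live read needs Windows and its winreg module.
"""
import sys

EXPECTED_DOT_EXE = "exefile"
EXPECTED_COMMAND = '"%1" %*'

# Constructed samples, not values taken from the poster's machine.
CLEAN_SAMPLE = ("exefile", '"%1" %*')
HIJACKED_SAMPLE = ("exefile", r'"C:\Users\victim\AppData\Local\Temp\hijack.exe" "%1" %*')


def launched_program(command):
    """Return the program Windows will actually start for this command string.

    A quoted first token is taken whole (paths with spaces); otherwise the
    first whitespace-separated token is the program.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def check_exe_association(dot_exe_default, open_command):
    """Return a list of findings; an empty list means the chain looks stock."""
    findings = []
    if dot_exe_default.strip().lower() != EXPECTED_DOT_EXE:
        findings.append(
            f"HKCR\\.exe default is {dot_exe_default!r}, expected {EXPECTED_DOT_EXE!r}"
        )
    command = open_command.strip()
    if command != EXPECTED_COMMAND:
        findings.append(
            f"exefile open command is {command!r}: {launched_program(command)!r} "
            "runs before every .exe you double-click"
        )
    return findings


def read_live_values():
    """Windows only: read the two live default values from HKEY_CLASSES_ROOT."""
    import winreg  # standard library on Windows builds of Python
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, ".exe") as key:
        dot_exe, _ = winreg.QueryValueEx(key, "")
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        command, _ = winreg.QueryValueEx(key, "")
    return dot_exe, command


if __name__ == "__main__":
    if sys.platform == "win32":
        problems = check_exe_association(*read_live_values())
    else:
        problems = check_exe_association(*HIJACKED_SAMPLE)
    print("\n".join(problems) or "association chain looks stock")
```

If the chain is off, the usual repair from an elevated command prompt is `assoc .exe=exefile` followed by `ftype exefile="%1" %*`. The catch is that once .exe launches are intercepted, cmd.exe and regedit.exe are themselves .exe files, which is one more reason for the boot-CD route the thread keeps recommending.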

07 Sep 2010   #14
Gaz1701

Windows 7 Home Premium 64-bit (6.1, Build 7601)

Now that's odd...

I just did a quick scan with Malwarebytes, and it's told me that no malicious items were detected! I'm running a full scan with it right now.

Along with UnHackMe is a program I used called RegRun Reanimator which scans for/"protects from viruses or Trojans/Spyware/Adware parasites or Rootkits" when I login, but before explorer.exe etc. starts up.
It *did* find some suspicious .sys files, and after the program told me they were 'bad' (partly because they weren't part of the OS), I deleted them.

But out of all of it, gert0.dll never showed up.

(You're going to be a bit annoyed at me for this, but...) I kind of forgot what those files were, but I've still got them from my Google search history; I can't remember which ones were OK [I think] and which ones I deleted, so I'll just post the .dll and .sys names here:

wxvi.sys
UUS.DLL
WmiPrvSE.exe (might not have been from using this program. can't remember now)
HNQLQ.sys

I could still try all the things you suggested, in case it's somehow moved someplace else - should I?

Oh and while I'm at it, I might as well still show you the screenshot of regedit:
07 Sep 2010   #15
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1

Download the HostsXpert 4.3 - Hosts File Manager.
  • Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 4.3 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
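Before restoring the hosts file it is worth seeing what was put in it, because a banker trojan's hosts entries tell you which sites it was targeting. The script below is an added example, not part of Jacee's post and not HostsXpert code. It assumes the stock Windows 7 hosts file (%SystemRoot%\System32\drivers\etc\hosts) contains only comment lines, so every active mapping was added by a person or a program; the sample file, its .example hostnames and the function names are constructed for illustration.

```python
"""Audit a Windows hosts file for the tampering that "Restore Microsoft's
Hosts file" undoes.

Added example, not from the thread. A stock Windows 7 hosts file contains
only comment lines. Malware adds lines to send a bank or vendor hostname to
another address, or to pin update and AV hostnames to 127.0.0.1 so they can
never be reached.
"""
import ipaddress
import os

# Constructed sample of a tampered hosts file; hostnames use the reserved
# .example TLD and are not taken from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1       localhost
10.20.30.40     www.bank.example
127.0.0.1       update.antivirus.example   # added by something, not by the user
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every active (uncommented) mapping."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield line_no, ip, name.lower()


def audit_hosts(text):
    """Return review items as (line_no, hostname, ip, reason)."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "address does not parse"))
            continue
        if name == "localhost" and addr.is_loopback:
            continue  # harmless even when present
        if addr.is_loopback:
            findings.append((line_no, name, ip, "blackholed to loopback"))
        else:
            findings.append((line_no, name, ip, "redirected to another address"))
    return findings


def read_hosts(path=None):
    """Read the live hosts file; the default path is the Windows location."""
    if path is None:
        root = os.environ.get("SystemRoot", r"C:\Windows")
        path = os.path.join(root, "System32", "drivers", "etc", "hosts")
    with open(path, encoding="utf-8", errors="replace") as handle:
        return handle.read()


if __name__ == "__main__":
    for item in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % item)
```

Every item it returns is something to look at, not automatically malware: if you keep your own LAN names in the hosts file they will show up too, which is exactly the point of the last bullet in Jacee's list. Malware often also sets the file hidden or read-only, which is what the "Make Hosts Writable?" button is for.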
07 Sep 2010   #16
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1

More information on gert0.dll: Troj/Banker-HS Trojan (Trojan-Spy.Win32.Banker.ri, PWSteal.Bancos, W32/Bancos.AIQ, W32/Banker.CNE, PWS-Banker.gen.b) - Sophos security analysis

Change all your passwords using a known 'clean' machine. Do not change them using the infected machine.
07 Sep 2010   #17
dranfu

@Gaz1701,

Thank you for providing that screenshot. As I noted in the previous email, it is important to see which registry item is being accessed, and that is why it is important to see a screenshot of it. Please notice that the registry key your screenshot shows is the RunMRU, which stands for Most Recently Used, or most recently run item. Also note that "attrib -h gert0.dll" is the command that you ran against that file, so it is simply showing the command that you ran. The virus may or may not be gone, but that registry key is not proof that it is still there, nor is it proof that it is gone. Running an anti-virus live boot CD would be the best option (see my post earlier).

Jacee's advice is very solid and relevant to your case, so I would take the time to follow it, most especially the part about changing your passwords. However, please note that the registry entry you have posted is referring to a command you ran, and not to the virus itself.

Also, I would always run an anti-virus live boot CD whenever I was infected, if I chose not to re-image, or if I didn't have an image to reboot to. I'm at work at the moment, but if you want to run HijackThis (if it's easier than posting my suggestions from the earlier post) and copy and paste the log to this thread, I'll take a look at it.
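Reading RunMRU the way dranfu does above is a small forensic skill worth having, because the key records what was typed into Start > Run, in order. Here is an added example, not from the thread, that decodes it. It assumes the usual layout of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU: one string value per command named a, b, c and so on, each ending in the two characters "\1", plus an MRUList value holding those letters with the most recent first. The sample values are constructed (they reuse the commands mentioned in this thread) and the function names are made up.

```python
"""Decode a RunMRU key into the Run-dialog history, most recent first.

Added example, not from the thread. HKCU\\Software\\Microsoft\\Windows\\
CurrentVersion\\Explorer\\RunMRU holds one string value per command (named
a, b, c, ...), each ending in a literal backslash-1, plus MRUList, a string
of those letters ordered most recent first. The decoder works on a plain
dict so it runs anywhere; the live read needs Windows.
"""
import sys

# Constructed sample, modelled on what the key looks like after the commands
# discussed in this thread were typed; not the poster's actual key.
SAMPLE_RUNMRU = {
    "a": "regedit\\1",
    "b": "cmd\\1",
    "c": "attrib -h gert0.dll\\1",
    "MRUList": "cba",
}


def decode_runmru(values):
    """Return the Run-dialog history as a list of commands, most recent first."""
    history = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue  # MRUList can still name a value that was deleted
        history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history


def read_live_runmru():
    """Windows only: dump every value of the current user's RunMRU key."""
    import winreg  # standard library on Windows builds of Python
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            values[name] = data
            index += 1
    return values


if __name__ == "__main__":
    source = read_live_runmru() if sys.platform == "win32" else SAMPLE_RUNMRU
    for position, command in enumerate(decode_runmru(source), 1):
        print(f"{position}. {command}")
```

As dranfu says, this key is a record of what the user typed, not of what malware did; its value in an investigation is the timeline it gives you, not a detection.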
07 Sep 2010   #18
dranfu

Quote:
Along with UnHackMe is a program I used called RegRun Reanimator which scans for/"protects from viruses or Trojans/Spyware/Adware parasites or Rootkits" when I login, but before explorer.exe etc. starts up.
It *did* find some suspicious .sys files, and after the program told me they were 'bad' (as partly because they weren't part of the OS), I deleted them.
Sorry, I must have missed this part. Yes, keep in mind that a virus can easily rename itself and move itself; this is a trivial thing for a program that is well written. Again, it appears that Jacee has identified the virus, so I would follow that advice. Scanning with a good anti-virus live boot CD (see my earlier posts in this topic) is always a great idea. And when I say scan, I mean first scan it, let it find whatever it finds, then scan again to make sure it is gone.

Again, after work I'll do some more research on the files it found, but you definitely want to change your passwords (on a clean machine, btw)
08 Sep 2010   #19
Gaz1701

Windows 7 Home Premium 64-bit (6.1, Build 7601)

Man, I've got a LOT of passwords to change! Even if I change them on a clean computer, how would that help when I type in the new ones on this computer [afterwards]?

Which Anti virus Live Boot CD would you say is the best one to use (most of them are Linux only on there, anyway)?

And speaking of which, do you need a blank CD to be able to use this? I've run out of them at the moment.

Here's the HijackThis log you asked for:
Quote:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:10:19 PM, on 07/09/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Users\Gareth\My Programs\0-a safe, protected PC\Anti-virus\prevx.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe
C:\Program Files\0-a safe, protected computer\firewall-type progs\ThreatFire\TFService.exe
C:\Users\Gareth\My Programs\0-a safe, protected PC\anti-malware\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Users\Gareth\My Programs\0-a safe, protected PC\Anti-virus\prevx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\1-Hardware software\Trust\GM-4200 Gamer Mouse Optical\Panel.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\0-a safe, protected computer\firewall-type progs\ThreatFire\TFTray.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\z-Windows Addons\RocketDock\RocketDock.exe
C:\Program Files\z-Windows Addons\ClocX\ClocX.exe
C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
C:\Users\Gareth\My Programs\0-a safe, protected PC\anti-malware\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\z-Windows Addons\PowerMenu\PowerMenu.exe
C:\Program Files\z-Windows Addons\ObjectDock\ObjectDock.exe
C:\Windows\System32\svchost.exe
C:\Users\Gareth\My Programs\0-a safe, protected PC\SUPERAnti-spyware\SUPERAntiSpyware.exe
C:\Users\Gareth\My Programs\0-a safe, protected PC\Secunia\psi.exe
C:\Users\Gareth\My Programs\text programs\EditPad Lite\EditPadLite.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Gareth\My Programs\text programs\EditPad Lite\EditPadLite.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\0-a safe, protected computer\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Users\Gareth\MYPROG~1\0-ASAF~1\ANTI-M~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SafeOnline BHO - {69D72956-317C-44bd-B369-8E44D4EF9801} - C:\Windows\system32\PxSecure.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\Users\Gareth\MYPROG~1\1-OTHE~1\DAP\DAPIEL~1.DLL
O3 - Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Trust Gaming mouse] "C:\Program Files\1-Hardware software\Trust\GM-4200 Gamer Mouse Optical\Panel.exe"
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\0-a safe, protected computer\Anti-malware\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\0-a safe, protected computer\firewall-type progs\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [x3watch] "C:\Program Files\X3watch\x3watch.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\z-Windows Addons\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ClocX] C:\Program Files\z-Windows Addons\ClocX\ClocX.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Gareth\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [OpenDNS Updater] "C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe" /autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Users\Gareth\My Programs\0-a safe, protected PC\anti-malware\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: dwm.exe.lnk = C:\Windows\System32\dwm.exe
O4 - Startup: PowerMenu.lnk = C:\Program Files\z-Windows Addons\PowerMenu\PowerMenu.exe
O4 - Startup: RocketDock.exe - Shortcut.lnk = C:\Program Files\z-Windows Addons\RocketDock\RocketDock.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\z-Windows Addons\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: &Clean Traces - C:\Users\Gareth\My Programs\1-other programs\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Users\Gareth\My Programs\1-other programs\DAP\dapextie.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Download &all with DAP - C:\Users\Gareth\My Programs\1-other programs\DAP\dapextie2.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Users\Gareth\MYPROG~1\0-ASAF~1\ANTI-M~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Users\Gareth\MYPROG~1\0-ASAF~1\ANTI-M~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/Driver...reqlab_nvd.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C9E1459-4692-4106-BFD0-3E35E96078FB}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C9E1459-4692-4106-BFD0-3E35E96078FB}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{1C9E1459-4692-4106-BFD0-3E35E96078FB}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: !SASWinLogon - C:\Users\Gareth\My Programs\0-a safe, protected PC\SUPERAnti-spyware\SASWINLO.dll
O23 - Service: CSIScanner - Prevx - C:\Users\Gareth\My Programs\0-a safe, protected PC\Anti-virus\prevx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Users\Gareth\My Programs\0-a safe, protected PC\anti-malware\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\0-a safe, protected computer\firewall-type progs\ThreatFire\TFService.exe

--
End of file - 10130 bytes


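A log this long is easier to read with a first pass that pulls out the entries a reviewer would look at anyway. The script below is an added example, not from the thread and not part of HijackThis. Its sample lines are copied verbatim from the log above; everything else (the rules, the function names, and the allow list of DNS servers) is an assumption made for illustration. In particular it treats the two OpenDNS resolvers in the O17 lines as expected because the poster runs the OpenDNS Updater. The rules produce review items, not verdicts.

```python
"""First-pass triage of a HijackThis log.

Added example, not from the thread and not part of HijackThis. The sample
lines are copied from the log posted above; the rules are review heuristics
that surface entries worth a second look, not verdicts. ALLOWED_NAMESERVERS
is an assumption: the poster runs the OpenDNS Updater, so the two OpenDNS
resolvers in the O17 lines are treated as expected.
"""
import re

ALLOWED_NAMESERVERS = {"208.67.222.222", "208.67.220.220"}

# Autoruns under these path segments are worth checking by hand, because an
# ordinary user account can write there without elevation.
USER_WRITABLE = ("\\appdata\\", "\\temp\\")

SAMPLE_LINES = [
    r"O3 - Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)",
    r"O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{1C9E1459-4692-4106-BFD0-3E35E96078FB}: NameServer = 208.67.222.222,208.67.220.220",
    r'O4 - HKCU\..\Run: [Google Update] "C:\Users\Gareth\AppData\Local\Google\Update\GoogleUpdate.exe" /c',
    r'O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey',
    r"O2 - BHO: SafeOnline BHO - {69D72956-317C-44bd-B369-8E44D4EF9801} - C:\Windows\system32\PxSecure.dll",
]

_ENTRY = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
_O4_LAUNCH = re.compile(r"\[[^\]]*\]\s*(.*)$")
_O17_NS = re.compile(r"NameServer\s*=\s*(.*)$")


def first_path(launch_string):
    """Program started by a Run-key launch string (quoted or bare first token)."""
    launch_string = launch_string.strip()
    if launch_string.startswith('"'):
        end = launch_string.find('"', 1)
        return launch_string[1:end] if end > 0 else launch_string[1:]
    return launch_string.split()[0] if launch_string else ""


def triage(lines, allowed_ns=ALLOWED_NAMESERVERS):
    """Return (section, reason, line) for every entry that deserves a look."""
    findings = []
    for raw in lines:
        match = _ENTRY.match(raw.strip())
        if not match:
            continue  # process list, headers, blank lines
        section, body = match.groups()
        if "(no file)" in body:
            findings.append((section, "points at a file that no longer exists", raw))
        elif section == "O23" and " - Unknown owner - " in body:
            findings.append((section, "service with no vendor string", raw))
        elif section == "O17":
            ns = _O17_NS.search(body)
            for ip in (ns.group(1).split(",") if ns else []):
                if ip.strip() not in allowed_ns:
                    findings.append((section, f"DNS server {ip.strip()} not in allow list", raw))
        elif section == "O4":
            launch = _O4_LAUNCH.search(body)
            if launch and any(seg in first_path(launch.group(1)).lower() for seg in USER_WRITABLE):
                findings.append((section, "autorun from a user-writable path", raw))
    return findings


def load_log(path):
    """Read a saved hijackthis.log into a list of lines."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return handle.read().splitlines()


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LINES):
        print(f"[{section}] {reason}\n    {line}")
```

On the sample it flags the dead toolbar entry, the PnkBstrA service with no owner string, and Google Update running from AppData. None of those is a detection: Google's updater really does live under AppData\Local, and a "(no file)" toolbar is just a leftover. The point of the pass is to shrink a 130-line log to the handful of lines a human should read, which is consistent with Keiichi25's reading of it below.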
08 Sep 2010   #20
Keiichi25

Windows 7 Ultimate x64 and Home Premium x64

Well, from the looks of that HijackThis log, at least on a cursory scan, you don't seem to have anything out of the ordinary there. You have a lot of stuff running, and a lot of stuff getting loaded, but so far nothing that seems to stand out.

Unfortunately, some of the newer malware has also been hiding from HijackThis (as I found out to my dismay) in how it gets back via polymorphism. I don't believe it is a pure rootkit method, but they hide themselves partially, so even if you look for it via HijackThis, you wouldn't find the other part that re-embeds itself.