Windows 7: A trojan that exists but does not? (gert0.dll)

08 Sep 2010   #21
dranfu

 

Yeah, nothing that sticks out. But HijackThis is basically a useless program, as far as I'm concerned, besides giving you a quick glance at browser helper objects and some other autorun entries. Process Explorer and Autoruns from Sysinternals offer a wealth of insight. But here are some tools that might be good at determining if you are still infected, too.

(Disclaimer: If you have not burned an Anti Virus Live Boot CD and scanned your system with it yet, what might you be waiting on? Have you installed Avast and then let it do a pre-boot scan?) I suspect you have a more academic interest in this virus, so you might enjoy these tools. And these great tools, too.

From Root Kit Analytics:

SpyDLLRemover v3: SpyDLLRemover is a standalone tool to effectively detect and delete spyware from the system. It comes with an advanced spyware scanner which quickly discovers hidden rootkit processes as well as suspicious/injected DLLs within all running processes. It not only performs sophisticated auto analysis on process DLLs but also displays them with various threat levels, which greatly helps in quick identification of malicious DLLs. The DLL search feature helps in finding a DLL within all running processes using just a partial or full name. Then the user can choose to remove the DLL from a single process or from all loaded processes with just one click.

One of the unique features of SpyDLLRemover is its capability to free the DLL from a remote process using an advanced DLL injection method which can defeat any existing rootkit tricks. It also uses sophisticated low-level anti-rootkit techniques to uncover hidden userland rootkit processes as well as to terminate them.

StreamArmor: StreamArmor is a sophisticated tool for discovering hidden alternate data streams (ADS) as well as cleaning them completely from the system. Its advanced auto analysis coupled with an online threat verification mechanism makes it the best tool available in the market for eradicating the evil streams. StreamArmor comes with a fast multi-threaded ADS scanner which can recursively scan the entire system and quickly uncover all hidden streams. All such discovered streams are represented using a specific color pattern based on threat level, which makes it easy for the human eye to distinguish between suspicious and normal streams. (If you haven't heard of Alternate Data Streams in NTFS, read up about it. You'll love it.)

Actually, you should check out all the tools from: Spyware Analytics Forums - The Front Page. These guys are amazing at what they do, and they make modern tools that are relevant to today's threats.
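The two checks those tools automate (hidden NTFS alternate data streams, and DLLs loaded into processes that do not belong there) can be reproduced for triage with built-in PowerShell. This is an added example, not code from the thread or from either tool; it assumes PowerShell 3.0 or later on an NTFS volume, and the function names are the author's own.

```powershell
# Added example, not from the original thread or the tools it describes.
# Assumes PowerShell 3.0+ on NTFS; run elevated to see every process's modules.

# 1. Enumerate NTFS alternate data streams under a path, skipping the default
#    ::$DATA stream. Zone.Identifier is the usual benign one (mark of the web);
#    any other named stream on a file deserves a closer look.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Benign = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $level = if ($Benign -contains $_.Stream) { 'Low' } else { 'Review' }
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        Threat = $level
                    }
                }
        }
}

# 2. List DLLs loaded in running processes whose Authenticode signature is not
#    valid. Unsigned modules in user-writable paths are the usual footprint of an
#    injected DLL, but legitimate software ships unsigned modules too, so treat
#    the output as a triage list rather than a verdict.
function Find-UnsignedModule {
    param([string] $ProcessName = '*')
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try { $modules = $proc.Modules } catch { return }   # protected or other-bitness process
        foreach ($m in $modules) {
            $sig = Get-AuthenticodeSignature -LiteralPath $m.FileName -ErrorAction SilentlyContinue
            if ($null -eq $sig -or $sig.Status -ne 'Valid') {
                $status = if ($sig) { $sig.Status } else { 'Unknown' }
                [pscustomobject]@{
                    Process = $proc.ProcessName
                    PID     = $proc.Id
                    Module  = $m.FileName
                    Status  = $status
                }
            }
        }
    }
}
```

Typical use is `Find-AlternateDataStream -Path "$env:USERPROFILE\Downloads" | Format-Table` and `Find-UnsignedModule | Sort-Object Process | Format-Table`; anything flagged is a lead to investigate with Process Explorer, not proof of infection.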


09 Sep 2010   #22
Gaz1701

Windows 7 Home Premium 64-bit (6.1, Build 7601)
 
 

Quote: Originally Posted by dranfu
(Disclaimer: If you have not burned an Anti Virus Live Boot CD and scanned your system with it yet, what might you be waiting on? Have you installed Avast and then let it do a pre-boot scan?) I suspect you have a more academic interest in this virus, so you might enjoy these tools. And these great tools, too.
I don't think you actually read what I put above the HijackThis log.

I said:
Quote:
Which Anti virus Live Boot CD would you say is the best one to use (most of them are Linux only on there, anyway)? [*edit* as long as it's free, that is */edit]

And speaking of which, do you need a blank CD to be able to use this? I've run out of them at the moment.
Hopefully I'll be getting some more blank CDs tonight, when my dad gets home (he works at Currys).

PS. I have MSE, so would that affect Avast if I had both on together?
09 Sep 2010   #23
dranfu

 

My mistake, I did miss that part.

Quote:
"Which Anti virus Live Boot CD would you say is the best one to use (most of them are Linux only on there, anyway)? [*edit* as long as it's free, that is */edit]

And speaking of which, do you need a blank CD to be able to use this? I've run out of them at the moment."
My recommendation would be G-Data, Kaspersky, and Avast. Yes, you have to burn the ISO image to a CD in order to use it.

Quote:
PS. I have MSE, so would that affect Avast if I had both on together?
Well, I'm not an MSE user, so I can't answer that with authority. However, it's generally not a good idea to install two AV programs at the same time. If you're happy with the one you have, kick the tires on it for a while. It's free, so you can always uninstall and reinstall as much as you like.

09 Sep 2010   #24
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Your HJT log doesn't show the infection... as suspected .. it's hidden.

Download DDS from one of these links:
Mirror 1 Mirror 2 Mirror 3
  • Disable any script blocking protection
  • Double click the dds icon to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt <-- will be minimised in the task bar
  • Save both reports to your desktop.
Include the contents of both logs in your new topic.

I'll take a look at both... and either help you here, or advise you to visit a 'certified' anti-malware forum to get the help you need.
09 Sep 2010   #25
dranfu

 

Quote:
I'll take a look at both... and either help you here, or advise you to visit a 'certified' anti-malware forum to get the help you need.
hmm...
09 Sep 2010   #26
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Quote: Originally Posted by dranfu
Quote:
I'll take a look at both... and either help you here, or advise you to visit a 'certified' anti-malware forum to get the help you need.
hmm...
More of a comment, please dranfu
09 Sep 2010   #27
dranfu

 

Oh, nothing, I just don't have a lot of faith in "malware forums". I think he can get all the help he needs here. I mean, he has IT professionals, a Microsoft MVP in security, and an assembly programmer in this thread alone. Why send people to these HijackThis experts? Most of them have no clue what they are talking about.

I mean, yes, he may find people there who want to spend more time on his issue, but I think he would get a wealth of advice here that he wouldn't get at other forums. I mean, that is why I was drawn here.

Update: This does not apply to every "malware help" forum user of course, just my general experience with the HijackThis lunatics, who never seem to find the problem, which could have been found with a debugger and Sysinternals tools in 10 minutes.
10 Sep 2010   #28
Keiichi25

Windows 7 Ultimate x64 and Home Premium x64
 
 

Well, virus and malware programs are constantly evolving, so there will always be new ways to circumvent or try to avoid detection by what most people will use, which would also include things such as the programs we have listed.

The previous generation of malware and spyware was easy to find because they took advantage of BHOs, which HijackThis helped in determining. This included some of the previous-generation hijackware/fake AV malware which didn't use rootkits.
10 Sep 2010   #29
Gaz1701

Windows 7 Home Premium 64-bit (6.1, Build 7601)
 
 

OK, I've downloaded the Kaspersky one (hopefully it's Windows 7 compatible) and burned the ISO to a disc.

When I restart my computer, do I go into BIOS and change the order of what runs first during bootup, or is there another way of doing it?

Here's the DDS logs btw.


Attached Files
File Type: txt DDS.txt (17.3 KB, 9 views)
File Type: txt Attach.txt (13.0 KB, 8 views)
10 Sep 2010   #30
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Download ComboFix from any of the links below, and save it to your desktop. <-- Important
Link 1
Link 2
Link 3

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Please be patient while the scan runs; at times it may appear to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
After rebooting ensure your Security applications have been re-enabled.

In your next reply post:
ComboFix.txt
New HJT log taken after the above scan has run

***A guide and tutorial on "How to use Combofix" can be found here:
A guide and tutorial on using ComboFix