A trojan that exists but does not? (gert0.dll)

Page 2 of 4

  1. Posts : 121
    Windows 7
       #11

    Hi Gaz1701,

    I'm not sure why you removed the image of regedit, as that would have helped shed some more light on this, since the virus is still there. Also, just deleting entries in regedit does not delete a virus, or any file for that matter; the registry is "a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as the applications running on the platform" (see here: Windows Registry - Wikipedia, the free encyclopedia).

    Anyhow, it appears that the file is either not in the folder, or perhaps has moved itself. It is also possible that malwarebytes simply found some other settings in the registry, or some files left over by the virus, and so reported it. Did you let malwarebytes do a full scan yet to see if it can successfully remove it? I would try that, and then afterwards I would scan again to make sure it is gone.

    However, if you want to remove it once and be sure, then, again, the best thing to do is to use a live boot CD (see my earlier post in this discussion) and scan before Windows loads up (you'll need to burn the CD to disk first).

    If you want, I can try to identify the resources / tricks it is using to hide. If you want to go that route, download Process Explorer and take a screenshot of the entire screen. Next, download Autoruns and run this command in a command prompt: autorunsc -a -c > "AutoRUN Entries.CSV" (the quotes are needed because the file name contains a space). Next, go to the registry again and search for gert0.dll, or whatever file name is showing up. You hit the F3 key to find the next entry. For each entry you find in the registry, take a screenshot of it. Now, post the autorun CSV entries (select all, copy, paste) inside of Code tags in your reply, and paste the Process Explorer screenshot up there, too. And finally post the screenshots from regedit.

    Again, this is the long way, the easiest thing to do is scan with a boot cd.


  2. Posts : 121
    Windows 7
       #12

    And also, what is malwarebytes showing? What file name, and what location, is it reporting? And like Jacee said, what Fake AV program is it associated with?


  3. Posts : 465
    Windows 7 Ultimate x64 and Home Premium x64
       #13

    It is HIGHLY recommended to not only remove it from your registry, but also any files as there is a chance you may run it by accident and get it running again.

    Also, Malwarebytes will always find stuff you haven't touched, which would include questionable files. So it is important to scrub your system as best as you can using those techniques. If you remove the file or registry part without scrubbing, you still run into little problems like, for instance, one malware messes with the HKEY root registry part and remaps .exe to run via a dll or file, which makes running the system a pain in the butt.


  4. Posts : 65
    Windows 7 Home Premium 64-bit (6.1, Build 7601)
    Thread Starter
       #14

    Now that's odd...

    I just did a quick scan with Malwarebytes, and it's told me that no malicious items were detected! I'm running a full scan with it right now.

    Along with UnHackMe is a program I used called RegRun Reanimator which scans for/"protects from viruses or Trojans/Spyware/Adware parasites or Rootkits" when I login, but before explorer.exe etc. starts up.
    It *did* find some suspicious .sys files, and after the program told me they were 'bad' (partly because they weren't part of the OS), I deleted them.

    But out of all of it, gert0.dll never showed up.

    (you're going to be a bit annoyed at me for this, but..) I kinda forgot what those files were, but I've still got them from my Google search history; I can't remember which ones were OK [I think] and which ones I deleted, so I'll just post the .dll and .sys names here:

    wxvi.sys
    UUS.DLL
    WmiPrvSE.exe (might not have been from using this program. can't remember now)
    HNQLQ.sys

    I could still try all the things you suggested, in case it's somehow moved someplace else - should I?

    Oh and while I'm at it, I might as well still show you the screenshot of regedit:


  5. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #15

    Download the HostsXpert 4.3 - Hosts File Manager.
    • Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert
    • Click HostsXpert.exe to Run HostsXpert 4.3 - Hosts File Manager from its new home
    • Click "Make Hosts Writable?" in the upper right corner (If available).
    • Click Restore Microsoft's Hosts file and then click OK.
    • Click the X to exit the program.
    • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
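    Before restoring Microsoft's default hosts file as the steps above describe, it helps to see what the current one actually maps, so legitimate custom entries can be re-added afterwards and any redirection of a real site to a foreign address is visible. This is an added PowerShell example, not part of the thread or of HostsXpert; the sample lines and example.net / example.internal names are constructed, and the live path assumes the standard %SystemRoot% location.

```powershell
# Added example: list the active (non-comment) entries in a Windows hosts file.
# Windows 7's stock hosts file has no active entries: every line is a comment,
# including the two localhost lines, so anything reported here was added later.

function Get-ActiveHostsEntries {
    param(
        # Raw hosts file content, one string per line
        [Parameter(Mandatory)] [string[]] $Lines
    )
    foreach ($line in $Lines) {
        # Drop trailing comments and surrounding whitespace
        $text = ($line -replace '#.*$', '').Trim()
        if (-not $text) { continue }
        # Fields are whitespace separated: an address, then one or more names
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $addr = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{
                Address  = $addr
                Hostname = $name
                # Loopback or unspecified targets just block a name (ad-block style);
                # any other address sends the name to a real host and needs a look
                Redirect = ($addr -notin @('127.0.0.1', '0.0.0.0', '::1'))
            }
        }
    }
}

function Get-LiveHostsEntries {
    # Reads this machine's hosts file (standard Windows path, assumed)
    $path = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-ActiveHostsEntries -Lines (Get-Content -Path $path)
}

# Constructed sample: the stock Windows 7 comment lines plus three added entries
$sample = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '# 127.0.0.1       localhost',
    '# ::1             localhost',
    '127.0.0.1   ads.example.net          # ad-block style, harmless',
    '127.0.0.1   devbox.example.internal  # custom entry worth re-adding later',
    '198.51.100.7  www.examplebank.example  # redirect of a site name to another address'
)
Get-ActiveHostsEntries -Lines $sample | Format-Table -AutoSize
```

    Save the output before clicking "Restore Microsoft's Hosts file"; the rows with Redirect = True are the ones to question, the loopback rows are the custom entries the note at the end of the steps refers to.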


  6. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #16

    More information on gert0.dll Troj/Banker-HS Trojan (Trojan-Spy.Win32.Banker.ri, PWSteal.Bancos, W32/Bancos.AIQ, W32/Banker.CNE, PWS-Banker.gen.b) - Sophos security analysis

    Change all your passwords using a known 'clean' machine. Do not change them using the infected machine.


  7. Posts : 121
    Windows 7
       #17

    @Gaz1701,

    Thank you for providing that screenshot. As I noted in the previous post, it is important to see which registry item is being accessed, and that is why it is important to see a screenshot of it. Please notice that the registry key your screenshot shows is the RunMRU, which stands for Most Recently Used, or most recently run item. Also note that the attrib -h gert0.dll is the command that you ran against that file. So it is simply showing the command that you ran. The virus may or may not be gone, but that registry key is not proof that it is still there, nor is it proof that it is gone. Running an antivirus live boot CD would be the best option (see my post earlier).

    Jacee's advice is very solid, and relevant to your case, so I would take the time to follow it. Most especially the part about changing your passwords. However, please note that the registry entry you have posted is referring to a command you ran, and not to the virus itself.

    Also, I would always run an antivirus live boot CD whenever I was infected, if I chose not to re-image, or if I didn't have an image to reboot to. I'm at work at the moment, but if you want to run HijackThis (if it's easier than posting my suggestions from the earlier post) and copy and paste to this thread, I'll take a look at it.
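    The point made in this post, and the "search the registry for the file name" step suggested earlier in the thread, both turn on how the RunMRU key stores data: each value a, b, c holds one command the user typed into Start > Run, with a trailing "\1" marker, and MRUList gives the order, newest first. The following is an added PowerShell example, not code from any poster; the key path is the standard Explorer location, and the sample values are constructed to mirror what the screenshot described here would contain.

```powershell
# Added example: decode an Explorer RunMRU key. A file name appearing here
# means someone typed it into the Run dialog; it is not an autorun entry and
# says nothing about whether the file is still present.

function ConvertFrom-RunMru {
    param(
        # Hashtable of value name -> data, as read from the RunMRU key
        [Parameter(Mandatory)] [hashtable] $Values
    )
    $order = [string] $Values['MRUList']     # e.g. "bac": b is newest, then a, then c
    foreach ($slot in $order.ToCharArray()) {
        $raw = [string] $Values[[string] $slot]
        if (-not $raw) { continue }
        # Explorer appends "\1" to every stored command; strip it
        $cmd = $raw -replace '\\1$', ''
        [pscustomobject]@{
            Slot    = [string] $slot
            Command = $cmd
            Note    = 'typed into the Run dialog; not an autorun entry'
        }
    }
}

function Get-RunMruFromRegistry {
    # Reads the live key for the current user (Windows only; standard path)
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    $item = Get-ItemProperty -Path $key -ErrorAction Stop
    $values = @{}
    foreach ($p in $item.PSObject.Properties) {
        # Skip the PSPath/PSChildName/... properties the provider adds
        if ($p.Name -notmatch '^PS') { $values[$p.Name] = $p.Value }
    }
    ConvertFrom-RunMru -Values $values
}

# Constructed sample: the "attrib -h gert0.dll" the poster ran, newest first,
# plus two ordinary Run entries
$sample = @{
    'MRUList' = 'bac'
    'a'       = 'cmd\1'
    'b'       = 'attrib -h gert0.dll\1'
    'c'       = 'regedit\1'
}
ConvertFrom-RunMru -Values $sample | Format-Table -AutoSize
```

    Run Get-RunMruFromRegistry on the affected account to see the same listing for the real key; a hit for gert0.dll there is the poster's own command history, which is why the screenshot was not evidence either way.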


  8. Posts : 121
    Windows 7
       #18

    Along with UnHackMe is a program I used called RegRun Reanimator which scans for/"protects from viruses or Trojans/Spyware/Adware parasites or Rootkits" when I login, but before explorer.exe etc. starts up.
    It *did* find some suspicious .sys files, and after the program told me they were 'bad' (partly because they weren't part of the OS), I deleted them.
    Sorry, I must have missed this part. Yes, keep in mind that a virus can easily rename itself and move itself; this is a trivial thing for a program that is well written. Again, it appears that Jacee has identified the virus, so I would follow that advice. Scanning with a good antivirus live boot CD (see my earlier posts in this topic) is always a great idea. And when I say scan, I mean first scan it, let it find whatever it finds, then scan again to make sure it is gone.

    Again, after work I'll do some more research on the files it found, but you definitely want to change your passwords (on a clean machine, btw).


  9. Posts : 65
    Windows 7 Home Premium 64-bit (6.1, Build 7601)
    Thread Starter
       #19

    Man, I've got a LOT of passwords to change! Even if I change them on a clean computer, how would that help when I type in the new ones on this computer [afterwards]?

    Which antivirus live boot CD would you say is the best one to use (most of them are Linux only on there, anyway)?

    And speaking of which, do you need a blank CD to be able to use this? I've run out of them at the moment.

    Here's the HijackThis log you asked for:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:10:19 PM, on 07/09/2010
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe
    C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe
    C:\Users\Gareth\My Programs\0-a safe, protected PC\Anti-virus\prevx.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\PnkBstrA.exe
    C:\Windows\system32\svchost.exe
    C:\Program Files\0-a safe, protected computer\firewall-type progs\ThreatFire\TFService.exe
    C:\Users\Gareth\My Programs\0-a safe, protected PC\anti-malware\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskhost.exe
    C:\Users\Gareth\My Programs\0-a safe, protected PC\Anti-virus\prevx.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\UnHackMe\hackmon.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\SOUNDMAN.EXE
    C:\Program Files\1-Hardware software\Trust\GM-4200 Gamer Mouse Optical\Panel.exe
    C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\0-a safe, protected computer\firewall-type progs\ThreatFire\TFTray.exe
    C:\Program Files\X3watch\x3watch.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\z-Windows Addons\RocketDock\RocketDock.exe
    C:\Program Files\z-Windows Addons\ClocX\ClocX.exe
    C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
    C:\Users\Gareth\My Programs\0-a safe, protected PC\anti-malware\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\z-Windows Addons\PowerMenu\PowerMenu.exe
    C:\Program Files\z-Windows Addons\ObjectDock\ObjectDock.exe
    C:\Windows\System32\svchost.exe
    C:\Users\Gareth\My Programs\0-a safe, protected PC\SUPERAnti-spyware\SUPERAntiSpyware.exe
    C:\Users\Gareth\My Programs\0-a safe, protected PC\Secunia\psi.exe
    C:\Users\Gareth\My Programs\text programs\EditPad Lite\EditPadLite.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Users\Gareth\My Programs\text programs\EditPad Lite\EditPadLite.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\taskmgr.exe
    C:\Program Files\0-a safe, protected computer\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Users\Gareth\MYPROG~1\0-ASAF~1\ANTI-M~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SafeOnline BHO - {69D72956-317C-44bd-B369-8E44D4EF9801} - C:\Windows\system32\PxSecure.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\Users\Gareth\MYPROG~1\1-OTHE~1\DAP\DAPIEL~1.DLL
    O3 - Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Trust Gaming mouse] "C:\Program Files\1-Hardware software\Trust\GM-4200 Gamer Mouse Optical\Panel.exe"
    O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\0-a safe, protected computer\Anti-malware\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\0-a safe, protected computer\firewall-type progs\ThreatFire\TFTray.exe
    O4 - HKLM\..\Run: [x3watch] "C:\Program Files\X3watch\x3watch.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\z-Windows Addons\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [ClocX] C:\Program Files\z-Windows Addons\ClocX\ClocX.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Gareth\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [OpenDNS Updater] "C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe" /autostart
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Users\Gareth\My Programs\0-a safe, protected PC\anti-malware\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - Startup: dwm.exe.lnk = C:\Windows\System32\dwm.exe
    O4 - Startup: PowerMenu.lnk = C:\Program Files\z-Windows Addons\PowerMenu\PowerMenu.exe
    O4 - Startup: RocketDock.exe - Shortcut.lnk = C:\Program Files\z-Windows Addons\RocketDock\RocketDock.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\z-Windows Addons\ObjectDock\ObjectDock.exe
    O8 - Extra context menu item: &Clean Traces - C:\Users\Gareth\My Programs\1-other programs\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Users\Gareth\My Programs\1-other programs\DAP\dapextie.htm
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
    O8 - Extra context menu item: Download &all with DAP - C:\Users\Gareth\My Programs\1-other programs\DAP\dapextie2.htm
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Users\Gareth\MYPROG~1\0-ASAF~1\ANTI-M~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Users\Gareth\MYPROG~1\0-ASAF~1\ANTI-M~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/Driver...reqlab_nvd.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1C9E1459-4692-4106-BFD0-3E35E96078FB}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1C9E1459-4692-4106-BFD0-3E35E96078FB}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1C9E1459-4692-4106-BFD0-3E35E96078FB}: NameServer = 208.67.222.222,208.67.220.220
    O20 - Winlogon Notify: !SASWinLogon - C:\Users\Gareth\My Programs\0-a safe, protected PC\SUPERAnti-spyware\SASWINLO.dll
    O23 - Service: CSIScanner - Prevx - C:\Users\Gareth\My Programs\0-a safe, protected PC\Anti-virus\prevx.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Users\Gareth\My Programs\0-a safe, protected PC\anti-malware\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: ThreatFire - PC Tools - C:\Program Files\0-a safe, protected computer\firewall-type progs\ThreatFire\TFService.exe

    --
    End of file - 10130 bytes


  10. Posts : 465
    Windows 7 Ultimate x64 and Home Premium x64
       #20

    Well, from the looks of that HijackThis log, at least on a cursory scan, you don't seem to have anything out of the ordinary there. You have a lot of stuff running, and a lot of stuff getting loaded, but so far, nothing that seems to stand out.

    Unfortunately, some of the newer malware has also been hiding from HijackThis (as I found out to my dismay) in how it gets back via polymorphism. I don't believe it is a pure rootkit method, but they hide themselves partially, so even if you look for it via HijackThis, you wouldn't find the other part that re-embeds itself.


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.