Windows 7: A trojan that exists but does not? (gert0.dll)

04 Sep 2010   #1
Gaz1701

Windows 7 Home Premium 64-bit (6.1, Build 7601)
 
 
A trojan that exists but does not? (gert0.dll)

I'm sorry if this is in the wrong place, but I could use some advice about this.

I'm not sure whether this is another one of these scams to get you to buy the product, or whether it has genuinely found a trojan.

There's supposedly a gert0.dll file in the "C:\Users\[username]\AppData\Local\Temp" folder, but when I go in there, it's nowhere to be found - it's not a hidden file either.

"Clear out the temp files directory," I hear you say. But how do you delete something that only seems to be found using Malwarebytes Anti-Malware (which, btw, tells me it can't be removed without rebooting my PC; but when I do that - and even in Safe Mode - it still appears to be there)?

I've tried running UnHack Me, MSE, Spybot S&D, SUPERAntispyware, Prevx and ThreatFire (plus I've used HijackThis), but none of them show anything.

So do I need to clean the cache of Malwarebytes or something (already used CCleaner but made no difference; what else would I use?), or could it possibly be a genuine threat?

The trojan's name is Trojan.Qhosts btw. I've just finished running Symantec Trojan.Qhosts Fix tool, and that hasn't found anything either.


On another note, I've got something called HNQLQ.SYS in my system folder, but a Google search has found nothing on it at all.


04 Sep 2010   #2
Magnus Mischel

Windows 7 Ultimate x64
 
 

If you restart your computer in Safe Mode and open your Temp folder, do you see a file named gert0.dll? If so, it's malware, and you should delete it.
04 Sep 2010   #3
Gaz1701

Windows 7 Home Premium 64-bit (6.1, Build 7601)
 
 

Nope, the file isn't there in Safe Mode either.

04 Sep 2010   #4
dranfu

 

Have you tried going to Tools > Folder Options > View and then un-checking "Hide protected operating system files"? Then see if you can locate your file.

Also, try downloading Process Explorer from Sysinternals, then going to Find > Find Handle or DLL and searching for the name of your suspect file.

You could also try opening up the registry and searching for the name of your file.
04 Sep 2010   #5
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Quote:
I'm not sure whether this is another one of these scams to get you to buy the product, or whether it has genuinely found a trojan
What 'anti-virus' product was mentioned, and how did you get that message?
05 Sep 2010   #6
Keiichi25

Windows 7 Ultimate x64 and Home Premium x64
 
 

Actually, one of the variants of the fake anti-virus malware has used an interesting technique that makes the file difficult to see.

You will not be able to see it under Safe Mode either, because the hackers use the attrib command to hide it. Safe Mode doesn't show attrib-hidden files unless you attrib -h it.

Explorer will not show it even though you have hidden files showing; it might be tagged as a system file as well.

You should be able to change to that directory and go:

attrib

And it should show you the files in that location. Doing the following:

attrib -h <name of file>

Should remove the 'hidden' flag on it.

Be very careful what you do with this... Unhiding and removing files like this can be bad if you remove the wrong ones.
05 Sep 2010   #7
Gaz1701

Windows 7 Home Premium 64-bit (6.1, Build 7601)
 
 

*edit* I found it! It was what Keiichi25 said it was.

I did a search for it in regedit as dranfu suggested, and it really was there.

*edit 2*
After I deleted it, I did another quick scan with Malwarebytes, and it's still there (but it's not in regedit any more)!
05 Sep 2010   #8
dranfu

 

Update*: User already found solution.

What Keiichi25 is talking about is that you can set a file's attributes to hidden, which will override Windows' "Show hidden files" function. What you need to do is this:

Open a command prompt and type cd "C:\Users\[username]\AppData\Local\Temp"

Next, type dir /a:h. This will show you all of the files in that folder that have been attrib'd, i.e. have had a special attribute added to them, such as the H flag for hidden. You can also try using dir /a to show all files with special attributes.

If you find the file you're looking for, you will need to un-hide it, so that you can see it. Use the following command to do that: attrib -H gert0.dll, which will remove the hidden attribute from the gert0.dll file. Then close the folder and re-open it. You should now be able to see it.
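A scripted version of the dir /a:h and attrib -h procedure above (and of Keiichi25's attrib advice in post #6), added here as an example rather than anything posted in the thread. It lists every file in the Temp folder carrying the Hidden or System attribute, records size, timestamp and SHA-256 so a suspect file can be looked up before anything is deleted, and only strips the two attributes when run with -Unhide. The path and the PowerShell 4.0+ requirement (for Get-FileHash) are assumptions.

```powershell
# Added example, not from the thread. Enumerate hidden/system files in the
# user's Temp folder and optionally clear those flags so Explorer and
# on-demand scanners can see them. Requires PowerShell 4.0+ (Get-FileHash).
param(
    [string]$Path = $env:TEMP,   # assumed default; pass any folder
    [switch]$Unhide              # without this, the script only reports
)

# The two bits that keep a file out of a normal "dir" and Explorer listing.
$flags = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

# -Force returns hidden AND system files, which Explorer's "Show hidden files"
# setting alone does not; this is the PowerShell equivalent of "dir /a".
$suspects = Get-ChildItem -LiteralPath $Path -Force -File |
    Where-Object { ($_.Attributes -band $flags) -ne 0 }

if (-not $suspects) {
    Write-Host "No hidden or system files found under $Path"
    return
}

foreach ($f in $suspects) {
    # Hash first, before touching attributes, so the record matches what
    # the scanner flagged and can be checked against a reputation service.
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash

    [pscustomobject]@{
        Name       = $f.Name
        Attributes = $f.Attributes.ToString()   # e.g. "Hidden, System"
        Bytes      = $f.Length
        ModifiedUtc= $f.LastWriteTimeUtc
        SHA256     = $hash
    }

    if ($Unhide) {
        # Same effect as "attrib -h -s <file>": clear only Hidden and System,
        # leaving ReadOnly/Archive untouched. The file is not deleted here.
        $f.Attributes = [IO.FileAttributes]($f.Attributes -band (-bnot [int]$flags))
    }
}
```

A user-writable Temp folder normally contains nothing with the System attribute set, so any hit in that column deserves a look at the hash and timestamp before it is removed.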
05 Sep 2010   #9
dranfu

 

Right on. Now you should run Malwarebytes, or some other good scanner, and make sure you are totally clean. The best thing to do would be to run a scan with a live boot CD AV scanner; see here: 13 Antivirus Rescue CDs Software Compared in Search For the Best Rescue Disk | Raymond.CC Blog

The great thing about scanning with an anti-virus boot CD is that viruses/malware cannot use the operating system to hide. In your case, using attrib +h would not have any effect when running a live CD against it, because the operating system is not running. Therefore, the gert0.dll file would not be hidden.

Nice that you found it. That's always satisfying.
05 Sep 2010   #10
Gaz1701

Windows 7 Home Premium 64-bit (6.1, Build 7601)
 
 

If you didn't get my last edited message:
Quote:
I found it! It was what Keiichi25 said it was.

I did a search for it in regedit as dranfu suggested, and it really was there.

*edit 2*
After I deleted it, I did another quick scan with Malwarebytes, and it's still there (but it's not in regedit any more)!
Is this what you meant, dranfu?