A trojan that exists but does not? (gert0.dll)

Gaz1701

I'm sorry if this is in the wrong place, but I could use some advice about this.

I'm not sure whether this is another one of these scams to get you to buy the product, or whether it has genuinely found a trojan.

There's supposedly a gert0.dll file in the "C:\Users\[username]\AppData\Local\Temp" folder, but when I go in there, it's nowhere to be found - it's not a hidden file either.

"clear out the temp files directory" I hear you say. But how do you delete something that only seems to be found using Malwarebytes Anti-Malware (which btw, it tells me it can't be removed without rebooting my PC; but when I do that - and even in Safe Mode - it still appears to be there)

I've tried running UnHack Me, MSE, Spybot S&D, SUPERAntispyware, Prevx and ThreatFire (plus I've used HijackThis), but none of them show anything.

So do I need to clean the cache of Malwarebytes or something (already used CCleaner but made no difference; what else would I use?), or could it possibly be a genuine threat?

The trojan's name is Trojan.Qhosts btw. I've just finished running Symantec Trojan.Qhosts Fix tool, and that hasn't found anything either.


On another note, I've got something called HNQLQ.SYS in my system folder, but a Google search has found nothing on it at all.
 

My Computer My Computer

At a glance

Windows 7 Home Premium 64-bit (6.1, Build 7601)AMD Athlon(tm) 64 X2 Dual Core Processor 4400...2048MB RAM DDR2 (now installed a 2GB chip = 4...ASUS EAH5770 CU core, 1GB GDDR5 video memory
Computer type
PC/Desktop
Computer Manufacturer/Model Number
MSI MS-7325
OS
Windows 7 Home Premium 64-bit (6.1, Build 7601)
CPU
AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ (2 CPUs), ~2.
Motherboard
MSI K9N4 SLI-F nForce 500 SLI chipset
Memory
2048MB RAM DDR2 (now installed a 2GB chip = 4GB altogether)
Graphics Card(s)
ASUS EAH5770 CU core, 1GB GDDR5 video memory
Sound Card
Realtek AC'97 Audio
Monitor(s) Displays
AOC I2367Fh
Screen Resolution
1920x1080
Hard Drives
SAMSUNG HD401LJ ATA Device
PSU
Tagan TG700-U25 - 700Watts
Case
NZXT Zero Aluminium Full Tower
Cooling
about 6 fans on case
Keyboard
Microsoft Natural MultiMedia Keyboard
Mouse
Trust GM-4200 Gamer Mouse Optical
Internet Speed
Not sure what speed, but it's broadband - ADSL (I think).
Antivirus
Avast! Free Antivirus
Browser
Mozillla Firefox
If you restart your computer in Safe Mode and open your Temp folder, do you see a file named gert0.dll? If so, it's malware, and you should delete it.
 

My Computer My Computer

At a glance

Windows 7 Ultimate x64
OS
Windows 7 Ultimate x64
Nope, the file isn't there in Safe Mode either.
 

My Computer My Computer

At a glance

Windows 7 Home Premium 64-bit (6.1, Build 7601)AMD Athlon(tm) 64 X2 Dual Core Processor 4400...2048MB RAM DDR2 (now installed a 2GB chip = 4...ASUS EAH5770 CU core, 1GB GDDR5 video memory
Computer type
PC/Desktop
Computer Manufacturer/Model Number
MSI MS-7325
OS
Windows 7 Home Premium 64-bit (6.1, Build 7601)
CPU
AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ (2 CPUs), ~2.
Motherboard
MSI K9N4 SLI-F nForce 500 SLI chipset
Memory
2048MB RAM DDR2 (now installed a 2GB chip = 4GB altogether)
Graphics Card(s)
ASUS EAH5770 CU core, 1GB GDDR5 video memory
Sound Card
Realtek AC'97 Audio
Monitor(s) Displays
AOC I2367Fh
Screen Resolution
1920x1080
Hard Drives
SAMSUNG HD401LJ ATA Device
PSU
Tagan TG700-U25 - 700Watts
Case
NZXT Zero Aluminium Full Tower
Cooling
about 6 fans on case
Keyboard
Microsoft Natural MultiMedia Keyboard
Mouse
Trust GM-4200 Gamer Mouse Optical
Internet Speed
Not sure what speed, but it's broadband - ADSL (I think).
Antivirus
Avast! Free Antivirus
Browser
Mozillla Firefox
Have you tried going to Tools>Folder Options>View> and then un-check Hide Protected Operating System Files? And then see if you can locate your file?

Also, try downloading Process Explorer from Sysinternals, then go to Find > DLL or Handle and search for the name of your suspect file.

You could also try opening up the registry and searching for the name of your file.
 

My Computer My Computer

At a glance

Windows 7Quad Core8GB
OS
Windows 7
CPU
Quad Core
Memory
8GB
Hard Drives
1TB
I'm not sure whether this is another one of these scams to get you to buy the product, or whether it has genuinely found a trojan
What 'anti-virus' product was mentioned, and how did you get that message?
 

My Computer My Computer

At a glance

Windows 7 Ultimate 32bit SP1Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz4 GBATI Radeon HD 2600 Pro
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Actually, one of the variants of the fake-antivirus malware has used an interesting technique that makes the file difficult to see.

You will not be able to see it under safe mode either, because the hackers use the Attrib function to hide it. Safe mode doesn't show attribed hidden files unless you attrib -h it.

Explorer will not show it even if you have hidden files showing; it might be tagged as a system file as well.

You should be able to change to that directory and go:

attrib

And it should show you the files in that location. Doing the following:

attrib -h <name of file>

Should remove the 'hidden' flag on it.

Be very careful what you do with this, as unhiding and removing files like this can be bad if you remove the wrong ones.
 

My Computer My Computer

At a glance

Windows 7 Ultimate x64 and Home Premium x64Intel i7 960 (3.2 GHz Quad Core)12 Gigs (Triple Channel)Alienware OEM nVidia GTX 560 Ti (1.25 Gig)
Computer Manufacturer/Model Number
Alienware Area 51 Desktop and Dell Inspirion 17R (N7010)
OS
Windows 7 Ultimate x64 and Home Premium x64
CPU
Intel i7 960 (3.2 GHz Quad Core)
Motherboard
Alienware Intel based X58
Memory
12 Gigs (Triple Channel)
Graphics Card(s)
Alienware OEM nVidia GTX 560 Ti (1.25 Gig)
Sound Card
Creative Labs X-Fi Titanium
Monitor(s) Displays
Samsung PX2370 LED 23" Monitor
Screen Resolution
1920x1080
Hard Drives
2 320 Gig SATA in Raid 1 Configuration (System/App)
1 1 Tera SATA (Games)
1 1 Tera SATA (Data/Music/Videos)
PSU
750 Watt Power Supply
Case
Alienware Area 51 Desktop
Cooling
Liquid Cooled
Keyboard
Logitech G510
Mouse
Microsoft Trackball Explorer
Internet Speed
Cable
*edit* I found it! It was what Keiichi25 said it was.

I did a search for it in regedit as dranfu suggested, and it really was there.

*edit 2*
After I deleted it, I did another quick scan with Malwarebytes, and it's still there (but it's not in regedit any more)!
 

Update*: User already found solution.

What Keiichi25 is talking about is that you can set a file's attributes to hidden, which will override Windows' "Show Hidden Files" function. What you need to do is this:

Open a command prompt and type cd "C:\Users\[username]\AppData\Local\Temp"

Next, type dir /a:h; this will show you all of the files in that folder that have been attribed, or have had a special attribute added to them, such as the h flag for hidden. You can also try using dir /a to show all files with special attributes.

If you find the file you're looking for, you will need to un-hide it, so that you can see it. Use the following command to do that: attrib -H gert0.dll, which will remove the hidden attribute from the gert0.dll file. Then close the folder and re-open it. You should now be able to see it.
 

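The dir /a:h and attrib -H steps above can be made repeatable with a short script. What follows is an added example, not code from this thread or from attrib/Malwarebytes: it parses the text that attrib prints (the sample output embedded here is constructed, modelled on the column layout of the Windows 7 attrib tool, with made-up file names) and, on Windows, can read the same attribute bits straight from os.stat so nothing has to be un-hidden just to see it. list_with_attributes is Windows-only, because st_file_attributes is not populated on other platforms; the parser and decoder run anywhere.

```python
import os
import re
import stat

# Constructed sample of what `attrib` prints for a Temp folder (modelled on the
# Windows 7 column layout; file names are made up for this example).
SAMPLE_ATTRIB_OUTPUT = """\
A            C:\\Users\\gareth\\AppData\\Local\\Temp\\setup.log
A    H       C:\\Users\\gareth\\AppData\\Local\\Temp\\gert0.dll
A  SH        C:\\Users\\gareth\\AppData\\Local\\Temp\\~df1234.tmp
A  S         C:\\Users\\gareth\\AppData\\Local\\Temp\\desktop.ini
"""

# attrib prints the attribute letters first and the full path afterwards; the
# "X:\" token marks where the path starts, whatever the column widths are.
_PATH_START = re.compile(r"[A-Za-z]:\\")

# st_file_attributes bits -> the letters attrib uses for them.
_FLAG_BITS = {
    "R": stat.FILE_ATTRIBUTE_READONLY,
    "H": stat.FILE_ATTRIBUTE_HIDDEN,
    "S": stat.FILE_ATTRIBUTE_SYSTEM,
    "A": stat.FILE_ATTRIBUTE_ARCHIVE,
}


def parse_attrib_output(text):
    """Turn attrib's text output into a list of (flags, path) pairs."""
    entries = []
    for line in text.splitlines():
        m = _PATH_START.search(line)
        if not m:
            continue
        flags = frozenset(line[: m.start()].replace(" ", ""))
        entries.append((flags, line[m.start():].rstrip()))
    return entries


def decode_attributes(mask):
    """Map a raw st_file_attributes bitmask to attrib's letters."""
    return frozenset(letter for letter, bit in _FLAG_BITS.items() if mask & bit)


def list_with_attributes(directory):
    """Live equivalent of running attrib in a folder. Windows only: os.stat
    exposes the hidden/system bits there even for files Explorer hides."""
    entries = []
    for entry in os.scandir(directory):
        st = entry.stat(follow_symlinks=False)
        mask = getattr(st, "st_file_attributes", None)
        if mask is None:
            raise OSError("st_file_attributes is only populated on Windows")
        entries.append((decode_attributes(mask), entry.path))
    return entries


def concealed_files(entries, suffixes=(".dll", ".exe", ".sys")):
    """Files Explorer would not show (hidden and/or system) that carry an
    executable extension. Windows keeps its own hidden files such as
    desktop.ini, so the extension filter keeps those out of the report."""
    return [
        path
        for flags, path in entries
        if (flags & {"H", "S"}) and path.lower().endswith(suffixes)
    ]


if __name__ == "__main__":
    for path in concealed_files(parse_attrib_output(SAMPLE_ATTRIB_OUTPUT)):
        print("hidden executable:", path)
```

A hidden .dll in Temp is a signal rather than a verdict: it tells you what to hand to a scanner (or to a boot CD, as suggested below), not that the file is malicious. Pipe a real `attrib` listing into parse_attrib_output, or call list_with_attributes on the Temp folder from Windows, and the same concealed_files filter applies.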
Right on. Now you should run malwarebytes, or some other good scanner, and make sure you are totally clean. The best thing to do would be to run a scan with a Live Boot CD AV scanner, see here: 13 Antivirus Rescue CDs Software Compared in Search For the Best Rescue Disk | Raymond.CC Blog

Great thing about scanning with an Anti-Virus Boot CD is that viruses/malware cannot use the operating system to hide. In your case, using the attrib +h function would not have any effect when running a live CD against it, because the operating system is not running. Therefore, the gert0.dll file would not be hidden.

Nice that you found it. That's always satisfying :thumbsup:
 

If you didn't get my last edited message:
I found it! It was what Keiichi25 said it was.

I did a search for it in regedit as dranfu suggested, and it really was there.

*edit 2*
After I deleted it, I did another quick scan with Malwarebytes, and it's still there (but it's not in regedit any more)!

Is this what you meant dranfu?
isthisit.jpg
 

Hi Gaz1701,

I'm not sure why you removed the image of regedit, as that would have helped shed some more light on this, since the virus is still there. Also, just deleting entries in regedit does not delete a virus, or any file for that matter; the registry is "a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as the applications running on the platform" see here: Windows Registry - Wikipedia, the free encyclopedia

Anyhow, it appears that the file is either not in the folder, or perhaps has moved itself. It is also possible that malwarebytes simply found some other settings in the registry, or some files left over by the virus, and so reported it. Did you let malwarebytes do a full scan yet to see if it can successfully remove it? I would try that, and then afterwards I would scan again to make sure it is gone.

However, if you want to remove it once and be sure, then, again, the best thing to do is to use a live boot CD (see my earlier post in this discussion) and scan before Windows loads up (you'll need to burn the CD to disk first).

If you want, I can try to identify the resources / tricks it is using to hide. If you want to go that route, download Process Explorer and take a screenshot of the entire screen. Next, download Autoruns and run this command in a command prompt: autorunsc -a -c > "AutoRUN Entries.CSV". Next, go to the registry again and scan for gert0.dll, or whatever file name is showing up. You hit the F3 key to find the next entry. For each entry you find in the registry, take a screenshot of it. Now, post the autorun CSV entries (select all, copy, paste) inside of Code tags in your reply, and paste the Process Explorer screenshot up there, too. And finally post the screenshots from regedit.

Again, this is the long way, the easiest thing to do is scan with a boot cd.
 

And also, what is malwarebytes showing? What file name, and what location, is it reporting? And like Jacee said, what Fake AV program is it associated with?
 

It is HIGHLY recommended to not only remove it from your registry, but also any files as there is a chance you may run it by accident and get it running again.

Also, Malwarebytes will always find stuff you haven't touched, which would include questionable files. So it is important to scrub your system as best as you can using those techniques. If you remove the file or the registry part without scrubbing, you still run into little problems; for instance, one malware messes with the HKey Root registry part and remaps .exe to run through a dll or file, which makes running the system a pain in the butt.
 

Now that's odd...

I just did a quick scan with Malwarebytes, and it's told me that no malicious items were detected! I'm running a full scan with it right now.

Along with UnHackMe is a program I used called RegRun Reanimator which scans for/"protects from viruses or Trojans/Spyware/Adware parasites or Rootkits" when I login, but before explorer.exe etc. starts up.
It *did* find some suspicious .sys files, and after the program told me they were 'bad' (as partly because they weren't part of the OS), I deleted them.

But out of all of it, gert0.dll never showed up.

(you're going to be a bit annoyed at me for this, but..) I kinda forgot what those files were, but I've still got them from my Google search history; I can't remember which ones were OK [I think] and which ones I deleted, so I'll just post the .dll and .sys names here:

wxvi.sys
UUS.DLL
WmiPrvSE.exe (might not have been from using this program. can't remember now)
HNQLQ.sys

I could still try all the things you suggested, in case it's somehow moved someplace else - should I?

Oh and while I'm at it, I might as well still show you the screenshot of regedit:
gert0.jpg
 

Download the HostsXpert 4.3 - Hosts File Manager.
  • Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 4.3 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
 

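The HostsXpert steps above restore the hosts file, but it helps to see what a Qhosts-style hijack actually looks like in that file and to check it without a third-party tool. The script below is an added example, not code from this thread or from HostsXpert: the hosts content embedded in it is constructed (the 192.0.2.10 address is a documentation address, and the redirected names are simply illustrative), and clean_hosts keeps only comments and loopback/localhost lines, which is what "Restore Microsoft's Hosts file" amounts to for a machine with no custom entries.

```python
import ipaddress

# Constructed hosts file (not from the thread) showing the kind of redirection
# a hosts-file trojan adds: vendor and update sites are pointed at an address
# the attacker controls, so the machine cannot fetch signatures or help pages.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.microsoft.com
192.0.2.10      update.microsoft.com
192.0.2.10      www.malwarebytes.org
127.0.0.1       ads.example.net
"""

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping, skipping
    comments, blank lines and lines whose first field is not an IP address."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            yield str(ip), host.lower(), n


def audit_hosts(text):
    """Split the active entries into two groups. A name mapped to a real
    address is rerouted before DNS is ever consulted (the dangerous case); a
    name mapped to loopback is sinkholed, which ad-blockers do on purpose and
    malware does to keep security sites unreachable, so both are reported."""
    redirects, blocks = [], []
    for ip, host, n in parse_hosts(text):
        if host in LOCALHOST_NAMES and ip in LOOPBACK:
            continue  # the stock entries
        if ip in LOOPBACK:
            blocks.append((n, host))
        else:
            redirects.append((n, host, ip))
    return {"redirects": redirects, "blocks": blocks}


def clean_hosts(text):
    """Return the file with every mapping removed except loopback -> localhost;
    comments are preserved so the Microsoft header stays intact."""
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            kept.append(raw)
            continue
        parts = body.split()
        if parts[0] in LOOPBACK and all(h.lower() in LOCALHOST_NAMES for h in parts[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for n, host, ip in report["redirects"]:
        print(f"line {n}: {host} is redirected to {ip}")
    for n, host in report["blocks"]:
        print(f"line {n}: {host} is sinkholed to loopback")
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts and is usually read-only and owned by SYSTEM, which is why HostsXpert has a "Make Hosts Writable?" step; the same applies if you write clean_hosts' output back yourself. Anything in the "redirects" list for a vendor or update domain is the finding to act on, since no legitimate software needs the hosts file to send microsoft.com somewhere else.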
@Gaz1701,

Thank you for providing that screenshot. As I noted in the previous email, it is important to see which registry item is being accessed, and that is why it is important to see a screenshot of it. Please notice that the registry key your screenshot shows is the RunMRU, which stands for Most Recently Used, or most recently run item. Also note that attrib -h gert0.dll is the command that you ran against that file. So it is simply showing the command that you ran. The virus may or may not be gone, but that registry key is not proof that it is still there, nor is it proof that it is still gone. Running an anti-virus live boot CD would be the best option (see my post earlier).

Jacee's advice is very solid, and relevant to your case, so I would take the time to follow it. Most especially the part about changing your passwords. However, please note that the registry entry you have posted is referring to a command you ran, and not to the virus itself.

Also, I would always run an Anti Virus Live Boot CD whenever I was infected, if I chose not to re-image, or if I didn't have an image to reboot to. I'm at work at the moment, but if you want to run HijackThis (if it's easier than posting my suggestions from the earlier post) and copy and paste to this thread, I'll take a look at it.
 

Along with UnHackMe is a program I used called RegRun Reanimator which scans for/"protects from viruses or Trojans/Spyware/Adware parasites or Rootkits" when I login, but before explorer.exe etc. starts up.
It *did* find some suspicious .sys files, and after the program told me they were 'bad' (as partly because they weren't part of the OS), I deleted them.

Sorry, I must have missed this part. Yes, keep in mind that a virus can easily rename itself and move itself; this is a trivial thing for a program that is well written. Again, it appears that Jacee has identified the virus, so I would follow that advice. Scanning with a good Anti virus Live Boot CD (see my earlier posts in this topic) is always a great idea. And when I say scan, I mean first scan it, let it find whatever it finds, then scan again to make sure it is gone.

Again, after work I'll do some more research on the files it found, but you definitely want to change your passwords (on a clean machine, btw)
 

Man, I've got a LOT of passwords to change! Even if I change them on a clean computer, how would that help when I type in the new ones on this computer [afterwards]?

Which Anti virus Live Boot CD would you say is the best one to use (most of them are Linux only on there, anyway)?

And speaking of which, do you need a blank CD to be able to use this? I've run out of them at the moment.

Here's the HijackThis log you asked for:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:10:19 PM, on 07/09/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Users\Gareth\My Programs\0-a safe, protected PC\Anti-virus\prevx.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe
C:\Program Files\0-a safe, protected computer\firewall-type progs\ThreatFire\TFService.exe
C:\Users\Gareth\My Programs\0-a safe, protected PC\anti-malware\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Users\Gareth\My Programs\0-a safe, protected PC\Anti-virus\prevx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\1-Hardware software\Trust\GM-4200 Gamer Mouse Optical\Panel.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\0-a safe, protected computer\firewall-type progs\ThreatFire\TFTray.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\z-Windows Addons\RocketDock\RocketDock.exe
C:\Program Files\z-Windows Addons\ClocX\ClocX.exe
C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
C:\Users\Gareth\My Programs\0-a safe, protected PC\anti-malware\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\z-Windows Addons\PowerMenu\PowerMenu.exe
C:\Program Files\z-Windows Addons\ObjectDock\ObjectDock.exe
C:\Windows\System32\svchost.exe
C:\Users\Gareth\My Programs\0-a safe, protected PC\SUPERAnti-spyware\SUPERAntiSpyware.exe
C:\Users\Gareth\My Programs\0-a safe, protected PC\Secunia\psi.exe
C:\Users\Gareth\My Programs\text programs\EditPad Lite\EditPadLite.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Gareth\My Programs\text programs\EditPad Lite\EditPadLite.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\0-a safe, protected computer\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Users\Gareth\MYPROG~1\0-ASAF~1\ANTI-M~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SafeOnline BHO - {69D72956-317C-44bd-B369-8E44D4EF9801} - C:\Windows\system32\PxSecure.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\Users\Gareth\MYPROG~1\1-OTHE~1\DAP\DAPIEL~1.DLL
O3 - Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Trust Gaming mouse] "C:\Program Files\1-Hardware software\Trust\GM-4200 Gamer Mouse Optical\Panel.exe"
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\0-a safe, protected computer\Anti-malware\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\0-a safe, protected computer\firewall-type progs\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [x3watch] "C:\Program Files\X3watch\x3watch.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\z-Windows Addons\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ClocX] C:\Program Files\z-Windows Addons\ClocX\ClocX.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Gareth\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [OpenDNS Updater] "C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe" /autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Users\Gareth\My Programs\0-a safe, protected PC\anti-malware\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: dwm.exe.lnk = C:\Windows\System32\dwm.exe
O4 - Startup: PowerMenu.lnk = C:\Program Files\z-Windows Addons\PowerMenu\PowerMenu.exe
O4 - Startup: RocketDock.exe - Shortcut.lnk = C:\Program Files\z-Windows Addons\RocketDock\RocketDock.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\z-Windows Addons\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: &Clean Traces - C:\Users\Gareth\My Programs\1-other programs\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Users\Gareth\My Programs\1-other programs\DAP\dapextie.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Download &all with DAP - C:\Users\Gareth\My Programs\1-other programs\DAP\dapextie2.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Users\Gareth\MYPROG~1\0-ASAF~1\ANTI-M~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Users\Gareth\MYPROG~1\0-ASAF~1\ANTI-M~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C9E1459-4692-4106-BFD0-3E35E96078FB}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C9E1459-4692-4106-BFD0-3E35E96078FB}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{1C9E1459-4692-4106-BFD0-3E35E96078FB}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: !SASWinLogon - C:\Users\Gareth\My Programs\0-a safe, protected PC\SUPERAnti-spyware\SASWINLO.dll
O23 - Service: CSIScanner - Prevx - C:\Users\Gareth\My Programs\0-a safe, protected PC\Anti-virus\prevx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Users\Gareth\My Programs\0-a safe, protected PC\anti-malware\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\0-a safe, protected computer\firewall-type progs\ThreatFire\TFService.exe

--
End of file - 10130 bytes
 

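A HijackThis log like the one above is read by entry type: O2/O3 browser helpers and toolbars, O4 and O23 autostarts and services, O17 DNS servers, O1 hosts-file redirects. The script below is an added example, not code from this thread or from Trend Micro; it applies the checks a reviewer makes on a first pass to a constructed log embedded in the script (the entries are made up in the same format as the log posted above, with a few deliberately bad ones; 192.0.2.x addresses are documentation addresses). The allow-list of DNS servers holds the two OpenDNS resolvers that appear in the posted log and is an assumption you would adjust for your own network.

```python
import re

# Constructed log in HijackThis format (not the one posted in the thread).
# Lines 1-3 mimic the header and process list, which the triage ignores.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\\Windows\\System32\\smss.exe

O1 - Hosts: 192.0.2.10 www.microsoft.com
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\\Program Files\\Java\\jre6\\bin\\jp2ssv.dll
O4 - HKLM\\..\\Run: [MSSE] "C:\\Program Files\\Microsoft Security Essentials\\msseces.exe" -hide -runkey
O4 - HKCU\\..\\Run: [Updater] rundll32.exe "C:\\Users\\gareth\\AppData\\Local\\Temp\\gert0.dll",Start
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{1C9E1459-4692-4106-BFD0-3E35E96078FB}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{1C9E1459-4692-4106-BFD0-3E35E96078FB}: NameServer = 192.0.2.53
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\\Windows\\system32\\nvvsvc.exe
O23 - Service: Host Helper (hosthlp) - Unknown owner - C:\\Windows\\Temp\\hosthlp.exe
"""

# Every HijackThis entry is "<code> - <body>".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# A Windows path ending in an executable extension; non-greedy so an unquoted
# "C:\Program Files\...\x.exe" containing spaces is captured whole.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|scr|sys|com|bat|cmd|vbs)\b', re.IGNORECASE)

# Folders any user process can write to: an autostart pointing there deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\windows\\temp\\", "\\users\\public\\", "\\programdata\\")
# Resolvers expected on this machine (assumed allow-list: the OpenDNS pair from the posted log).
TRUSTED_NAMESERVERS = {"208.67.222.222", "208.67.220.220"}


def triage(log_text):
    """Return (severity, code, detail) findings for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        if "(no file)" in body:
            # Leftover registration whose file is gone: noise, but often a trace of a removal.
            findings.append(("low", code, "orphaned entry, file missing: " + body))
        if code == "O1":
            # hosts-file redirect, the mechanism Trojan.Qhosts uses.
            findings.append(("high", code, "hosts file redirect: " + body))
        if code in ("O4", "O20", "O23"):
            for path in PATH_RE.findall(body):
                if any(marker in path.lower() for marker in USER_WRITABLE):
                    findings.append(("high", code, "autostart from user-writable location: " + path))
            if code == "O23" and " - Unknown owner - " in body:
                findings.append(("medium", code, "service with no publisher: " + body))
        if code == "O17" and "NameServer =" in body:
            servers = [s.strip() for s in body.split("NameServer =", 1)[1].split(",") if s.strip()]
            rogue = [s for s in servers if s not in TRUSTED_NAMESERVERS]
            if rogue:
                findings.append(("high", code, "unexpected DNS server(s): " + ", ".join(rogue)))
    return findings


def summary(findings):
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    for sev, code, detail in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {code}: {detail}")
```

These are triage heuristics, not verdicts: run against the log posted above they would also flag Google Update, which legitimately starts from AppData\Local, and PnkBstrA, whose service shows "Unknown owner" but belongs to PunkBuster. The value is in narrowing a 100-line log to the handful of entries to verify by hand, which is the same cursory read Keiichi25 describes below.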
Well, from the looks of that HijackThis log, at least on a cursory scan, you don't seem to have anything out of the ordinary there. You have a lot of stuff running, and a lot of stuff getting loaded, but so far, nothing that seems to stand out.

Unfortunately, some of the newer malwares have also been hiding from HijackThis (as I found out to my dismay) in how they get back via polymorphisms. I don't believe it is a pure rootkit method, but they hide themselves partially, so even if you look for it via HijackThis, you wouldn't find the other part that re-embeds itself back in.
 
