rootkit-gen [RTK] with iehelper.dll

Hello - can you help me understand if I have a serious rootkit infection or something that’s been cleaned up?

I was simply reading a blog (Firefox 2 on Windows 2000) and got an avast warning that W32 Rootkit-gen was found in iehelper.dll.

At the same time, a new taskbar tray icon was “warning” me about all kinds of supposed viruses on my system and suggesting I buy Antispyware 2009 (which is, it seems, actually spyware or adware itself).

My Kerio firewall kept notifying me of outbound connection requests from an unknown program, which I refused to allow.

I was given many warnings by avast; I tried moving to vault, tried deleting. Avast claimed success, but never actually did anything. I was unable to manually delete iehelper.dll - the folder window froze.

I got a copy of Malwarebytes’ Anti-Malware and it was able to remove iehelper.dll, sysguard.exe, and some registry keys. However, I could not accomplish this until I was able to get the installation program onto my machine saved under a different name. The malware seemed to recognize the anti-malware and again froze the folder window, preventing me from installing the program until I managed to bypass its defense. Clearly this seemed to be monitoring file system activity and protecting itself.

Since that removal, my system seems to be working normally, and Avast is the only program that labeled this infection as a rootkit.

But since you’ve called it a rootkit, I wonder if I was able to remove all of it, or only some superficial pieces, and if under the covers it is still causing mischief like monitoring keystrokes, looking for passwords, etc.

Is it possible Avast is mistaken and this infection was not actually a rootkit?

If it was a rootkit, it doesn’t seem that removing 2 files would eliminate the problem.

So there are multiple questions:

What was this infection?
Why couldn’t Avast clean it up at all?
What is my likely present situation? Is there a way to tell whether my system has been compromised in a serious way, or if this was just a hard to delete file trying to trick me into buying some spyware?

I look forward to your advice. Let me know if you need any logs. Thank you very much.

iehelper.dll is a malicious browser helper object.
Your system is definitely not clean.
Click on the link in my signature and follow the instructions under the “malware removal” section.

Next time before asking, please use the search option on this webboard.
Things like this have been solved many times before.
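How a BHO such as the one named above gets loaded, and how to check the registrations from an exported .reg file without running anything on the suspect machine, as an added example that is not part of the original thread or of any vendor tool. The two registry paths it keys on (the Browser Helper Objects key under HKLM, and the CLSID's InProcServer32 default value) are the real Windows locations; the sample export, its CLSIDs, friendly names and file paths are constructed for illustration (the post does not say where the real iehelper.dll lived), and the profile/temp-directory heuristic is this example's own assumption.

```python
"""Audit Browser Helper Object registrations from a .reg export.  Added
example for this thread, not code from the post or from any vendor tool.
Internet Explorer loads a BHO because its CLSID is listed under the
"Browser Helper Objects" key and that CLSID's InProcServer32 value names
the DLL; those two key paths are the real Windows locations.  The export
below is constructed, and its CLSIDs, names and file paths are invented
for illustration (the location of the real iehelper.dll is not known)."""

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_ROOTS = (r"HKEY_CLASSES_ROOT\CLSID",
               r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID")
# Assumed heuristic: a browser add-on dropped into the user profile or a
# temp directory rather than Program Files is worth a second look.
PROFILE_DIRS = ("\\documents and settings\\", "\\temp\\", "\\application data\\")

def parse_reg(text):
    """Parse regedit export text into {lowercased key path: {'path', 'values'}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current.lower(), {"path": current, "values": {}})
        elif current and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"')      # '@' is the default value
            if data.startswith('"') and data.endswith('"'):     # REG_SZ: unescape \\ and \"
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current.lower()]["values"][name.lower()] = data
    return keys

def bho_clsids(keys):
    """CLSIDs registered as BHOs: the direct subkeys of BHO_KEY."""
    prefix = BHO_KEY.lower() + "\\"
    return [k["path"].rsplit("\\", 1)[1] for p, k in keys.items()
            if p.startswith(prefix) and "\\" not in p[len(prefix):]]

def resolve_dll(keys, clsid):
    """(dll path, friendly name) for a CLSID, or (None, '') if unregistered."""
    for root in CLSID_ROOTS:
        server = keys.get(f"{root}\\{clsid}\\InProcServer32".lower())
        if server and "" in server["values"]:
            owner = keys.get(f"{root}\\{clsid}".lower())
            return server["values"][""], (owner["values"].get("", "") if owner else "")
    return None, ""

def audit_bhos(reg_text):
    """One finding per registered BHO, with the reasons it looks off (if any)."""
    keys, findings = parse_reg(reg_text), []
    for clsid in bho_clsids(keys):
        dll, name = resolve_dll(keys, clsid)
        reasons = []
        if dll is None:
            reasons.append("BHO entry has no InProcServer32 (dangling or hidden)")
        else:
            if any(d in dll.lower() for d in PROFILE_DIRS):
                reasons.append("DLL lives in a profile/temp directory")
            if not name:
                reasons.append("CLSID has no friendly name")
        findings.append({"clsid": clsid, "name": name, "dll": dll, "reasons": reasons})
    return findings

def suspicious(reg_text):
    return [f for f in audit_bhos(reg_text) if f["reasons"]]

# Constructed export: one plausible add-on and one stand-in for iehelper.dll.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000AAAA-0000-0000-0000-000000000001}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000AAAA-0000-0000-0000-000000000002}]
"NoExplorer"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{0000AAAA-0000-0000-0000-000000000001}]
@="Example Toolbar Helper"

[HKEY_CLASSES_ROOT\CLSID\{0000AAAA-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\Program Files\\Example\\toolbar.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{0000AAAA-0000-0000-0000-000000000002}]

[HKEY_CLASSES_ROOT\CLSID\{0000AAAA-0000-0000-0000-000000000002}\InProcServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\iehelper.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for f in audit_bhos(SAMPLE_REG):
        print(f["clsid"], f["dll"], "; ".join(f["reasons"]) or "ok")
```

To use it against a real machine, export the Browser Helper Objects key and HKEY_CLASSES_ROOT\CLSID with regedit (File > Export) and feed the file in. A BHO whose InProcServer32 points at a DLL that is no longer on disk is a leftover registration and can be removed along with the file.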

Thanks - but actually everything I’ve seen so far about rootkits is that they basically can evade most detection and require reformat. So my only hope is that this isn’t actually a rootkit but was misidentified as being one. What would make iehelper.dll appear to be a rootkit and not just annoying adware?

I think even if I ran every tool your page suggests, and came up clean on every report, I still wouldn’t know if I was still infected by a stealthy rootkit. Am I being overly pessimistic? Most pages I’ve read about rootkits offer little hope and suggest the only safe thing is to reformat the drive, very carefully. (My computer is old enough that I would just buy a new one.) That the effort of eliminating a rootkit may be greater than the effort to start over, and leaves one feeling secure rather than never completely sure.

So I am really looking to Avast to understand better why they identify iehelper.dll as part of a rootkit, if it is perhaps a misidentification.

By the way SAS found nothing unusual - identified some innocuous false positives and a bunch of ad tracking cookies.

Hoping for a response from Avast at some point with some clarification.

I do see that iehelper.dll is BHO malware, and removed it with MBAM. What is disturbing is that Avast identifies it as having signs of a rootkit - and I saw another post where a file (n.com I think) was sent to Virus Total and was reported as a Game Trojan of various names by 50 av providers, but only avast reported it as a rootkit. The difference is big - rootkits are pretty hard, almost impossible, to remove.

All the rootkit tools I’ve downloaded have come up with NOTHING. The Microsoft Rootkit Revealer lists a few registry entries that don’t mean much to me.

So I don’t know where I stand - cleaned up system, or silent and undetectable rootkit stealing my keystrokes.

I do know there are subtle changes in system behavior. The main consistent change I’ve noticed is that I applied a bit of color correction in the video driver advanced settings, and it has always taken effect at some point during login. It no longer takes effect, though the checkbox to restore my setting at startup is still checked. Something subtle has been altered at logon that is preventing my customization from taking effect. Little things like this make me wonder what is going on.

The following tools are supposed to search for rootkits but only seem to search for hidden entries, and find none:

Trend Micro Rootkit Buster
f-Secure Blacklight Rootkit Eliminator
Sophos Anti-Rootkit

Other programs that report nothing:
SpyBot Search & Destroy
SUPERAntiSpywarePro

The only program with anything to report was Rootkit Revealer, with a few registry entries where the hive registry entry was a different length than the length reported by the Windows API, but in no case was I able to determine what, if anything, to do about it, since the program doesn’t really offer suggestions or cures, just observes anomalies.

Is Avast labelling too many things as rootkits? The labelling of n.com as a rootkit when every other package called it a game trojan of some kind makes me wonder if Avast is on the cutting edge; or is causing undue alarm.

Unfortunately, MBAM deleted iehelper.dll, so I can’t send it to Virus Total and see how it might be categorized by other AV programs.

It was also disappointing that Avast couldn’t actually quarantine iehelper.dll and didn’t find sysguard.exe, both rooted out by MBAM. The result so far is a major scare and no cure… And the result of that is going to be a week of work putting my system back together, because who knows what a real rootkit is capable of???

I assume if I have an undetectable rootkit, that I have to reformat and start over.

Any ideas how reliable any of the rootkit detectors are? Almost all of them seem to do is search for hidden files and registry entries.

I’m way out of my depth here… and appreciate any suggestions!

Aha - Avast kept removing the iehelper.dll, and it kept coming back until MBAM finally deleted it. Meanwhile there are several copies in Avast’s quarantine, and I sent one to Virus Total. The report shows that Avast thinks this is related to a rootkit; most think it’s a trojan, or miss it altogether. What is one to make of the designation “rootkit-gen”?

Engine | Version | Signatures dated | Result
a-squared 4.0.0.101 2009.04.21 Trojan.BHO!IK
AhnLab-V3 5.0.0.2 2009.04.20 -
AntiVir 7.9.0.148 2009.04.20 TR/BHO.9216
Antiy-AVL 2.0.3.1 2009.04.20 -
Authentium 5.1.2.4 2009.04.20 -
Avast 4.8.1335.0 2009.04.20 Win32:Rootkit-gen
AVG 8.5.0.287 2009.04.20 Downloader.Zlob_r.EX
BitDefender 7.2 2009.04.21 Trojan.FakeAlert.BBP
CAT-QuickHeal 10.00 2009.04.20 FraudTool.WinSpywareProtect.m (Not a Virus)
ClamAV 0.94.1 2009.04.20 Trojan.BHO-4480
Comodo 1123 2009.04.20 -
DrWeb 4.44.0.09170 2009.04.21 -
eSafe 7.0.17.0 2009.04.20 -
eTrust-Vet 31.6.6440 2009.04.20 -
F-Prot 4.4.4.56 2009.04.20 -
F-Secure 8.0.14470.0 2009.04.21 FraudTool.Win32.WinSpywareProtect.mm
Fortinet 3.117.0.0 2009.04.21 PossibleThreat
GData 19 2009.04.21 Trojan.FakeAlert.BBP
Ikarus T3.1.1.49.0 2009.04.21 Trojan.BHO
K7AntiVirus 7.10.709 2009.04.20 not-a-virus:FraudTool.Win32.WinSpywareProtect.mm
Kaspersky 7.0.0.125 2009.04.21 not-a-virus:FraudTool.Win32.WinSpywareProtect.mm
McAfee 5590 2009.04.20 FakeAlert-SpywareProtect
McAfee+Artemis 5590 2009.04.20 FakeAlert-SpywareProtect
McAfee-GW-Edition 6.7.6 2009.04.21 Trojan.BHO.9216
Microsoft 1.4602 2009.04.21 Trojan:Win32/FakeSpypro
NOD32 4023 2009.04.20 -
Norman 6.00.06 2009.04.20 FakeAV.HSV
nProtect 2009.1.8.0 2009.04.20 -
Panda 10.0.0.14 2009.04.20 -
PCTools 4.4.2.0 2009.04.21 -
Prevx1 V2 2009.04.21 Medium Risk Malware
Rising 21.26.10.00 2009.04.21 AdWare.Win32.BHO.eze
Sophos 4.40.0 2009.04.21 Troj/FakeVir-LW
Sunbelt 3.2.1858.2 2009.04.18 -
Symantec 1.4.4.12 2009.04.21 Downloader.MisleadApp
TheHacker 6.3.4.0.312 2009.04.21 -
TrendMicro 8.700.0.1004 2009.04.20 TROJ_BHO.OQ
VBA32 3.12.10.2 2009.04.21 -
ViRobot 2009.4.21.1701 2009.04.21 Adware.WinSpywareProtect.R.10752
VirusBuster 4.6.5.0 2009.04.20 Fraudtool.WinSpywareProtect.AB
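One way to read a report like the one above, as an added example (not code from the post, from VirusTotal or from Avast): group the vendor names by family rather than comparing them one by one, so that the single “Rootkit-gen” label can be weighed against the engines that call the file a rogue-antispyware installer. The keyword table that maps names onto families is this example's own assumption and covers only the names that appear in this report; the engine lines are embedded verbatim as constructed input so the script runs offline.

```python
"""Family-level triage of a multi-engine scan report.  Added example for this
thread, not code from the post, VirusTotal or Avast.  The engine lines quoted
above are embedded as a constructed string so it runs offline; the keyword
table that maps vendor names onto families is this example's own assumption
and only covers the names that appear in this report."""
import re
from collections import Counter, defaultdict

# Engine  Version  SignatureDate  Result  (result is '-' or may contain spaces)
LINE_RE = re.compile(r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+"
                     r"(?P<date>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$")

# Ordered, first match wins.  Class prefixes (Trojan., Adware., not-a-virus:)
# are ignored; only the part naming the family or behaviour is keyed on.
FAMILY_RULES = [
    ("rogue-antispyware", re.compile(
        r"fakealert|fraudtool|spywareprotect|fakeav|fakevir|fakespypro|misleadapp", re.I)),
    ("bho-trojan", re.compile(r"(?<![a-z0-9])bho(?![a-z0-9])", re.I)),
    ("downloader", re.compile(r"downloader|zlob", re.I)),
    ("rootkit", re.compile(r"rootkit", re.I)),
    ("generic", re.compile(r"possiblethreat|medium risk", re.I)),
]
NO_DETECTION, OTHER = "no detection", "other"

def parse_report(text):
    """One dict per well-formed engine line; anything else is skipped."""
    matches = (LINE_RE.match(ln.strip()) for ln in text.splitlines())
    return [m.groupdict() for m in matches if m]

def classify(result):
    """Map one vendor detection name onto a family label."""
    if result.strip() == "-":
        return NO_DETECTION
    return next((f for f, p in FAMILY_RULES if p.search(result)), OTHER)

def summarize(text):
    """Number of engines per family (including those that saw nothing)."""
    return Counter(classify(r["result"]) for r in parse_report(text))

def consensus(text):
    """Family named by the most engines, ignoring engines with no detection."""
    counts = summarize(text)
    counts.pop(NO_DETECTION, None)
    return counts.most_common(1)[0][0] if counts else NO_DETECTION

def outliers(text):
    """Families asserted by exactly one engine, and which engine that was."""
    engines = defaultdict(list)
    for r in parse_report(text):
        engines[classify(r["result"])].append(r["engine"])
    return {f: e for f, e in engines.items() if len(e) == 1 and f != NO_DETECTION}

# Constructed input: the 40 engine lines from the post above, verbatim.
REPORT = """\
a-squared 4.0.0.101 2009.04.21 Trojan.BHO!IK
AhnLab-V3 5.0.0.2 2009.04.20 -
AntiVir 7.9.0.148 2009.04.20 TR/BHO.9216
Antiy-AVL 2.0.3.1 2009.04.20 -
Authentium 5.1.2.4 2009.04.20 -
Avast 4.8.1335.0 2009.04.20 Win32:Rootkit-gen
AVG 8.5.0.287 2009.04.20 Downloader.Zlob_r.EX
BitDefender 7.2 2009.04.21 Trojan.FakeAlert.BBP
CAT-QuickHeal 10.00 2009.04.20 FraudTool.WinSpywareProtect.m (Not a Virus)
ClamAV 0.94.1 2009.04.20 Trojan.BHO-4480
Comodo 1123 2009.04.20 -
DrWeb 4.44.0.09170 2009.04.21 -
eSafe 7.0.17.0 2009.04.20 -
eTrust-Vet 31.6.6440 2009.04.20 -
F-Prot 4.4.4.56 2009.04.20 -
F-Secure 8.0.14470.0 2009.04.21 FraudTool.Win32.WinSpywareProtect.mm
Fortinet 3.117.0.0 2009.04.21 PossibleThreat
GData 19 2009.04.21 Trojan.FakeAlert.BBP
Ikarus T3.1.1.49.0 2009.04.21 Trojan.BHO
K7AntiVirus 7.10.709 2009.04.20 not-a-virus:FraudTool.Win32.WinSpywareProtect.mm
Kaspersky 7.0.0.125 2009.04.21 not-a-virus:FraudTool.Win32.WinSpywareProtect.mm
McAfee 5590 2009.04.20 FakeAlert-SpywareProtect
McAfee+Artemis 5590 2009.04.20 FakeAlert-SpywareProtect
McAfee-GW-Edition 6.7.6 2009.04.21 Trojan.BHO.9216
Microsoft 1.4602 2009.04.21 Trojan:Win32/FakeSpypro
NOD32 4023 2009.04.20 -
Norman 6.00.06 2009.04.20 FakeAV.HSV
nProtect 2009.1.8.0 2009.04.20 -
Panda 10.0.0.14 2009.04.20 -
PCTools 4.4.2.0 2009.04.21 -
Prevx1 V2 2009.04.21 Medium Risk Malware
Rising 21.26.10.00 2009.04.21 AdWare.Win32.BHO.eze
Sophos 4.40.0 2009.04.21 Troj/FakeVir-LW
Sunbelt 3.2.1858.2 2009.04.18 -
Symantec 1.4.4.12 2009.04.21 Downloader.MisleadApp
TheHacker 6.3.4.0.312 2009.04.21 -
TrendMicro 8.700.0.1004 2009.04.20 TROJ_BHO.OQ
VBA32 3.12.10.2 2009.04.21 -
ViRobot 2009.4.21.1701 2009.04.21 Adware.WinSpywareProtect.R.10752
VirusBuster 4.6.5.0 2009.04.20 Fraudtool.WinSpywareProtect.AB
"""

if __name__ == "__main__":
    print(summarize(REPORT).most_common())
    print("consensus:", consensus(REPORT), "outliers:", outliers(REPORT))
```

On this report the script gives 25 detections out of 40 engines, 14 of them in the rogue-antispyware family and 7 naming a BHO trojan, with “rootkit” and “downloader” each asserted by a single engine. A “-gen” suffix marks a generic signature, so the word in front of it reflects which generic rule fired rather than a hand-classified verdict; the consensus across many engines is the more useful guide to what the sample is.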

These are good questions. I’m somewhat out of my depth re: the rootkit question, too, so won’t attempt to offer any possibly false reassurance.
You use Windows 2000? Is your file system FAT32 or NTFS? If the former, as far as I know, rootkits can not install to it.
Maybe Avast reports this as “rootkit gen” (the “gen” is short for “generic”) because typically rootkit methods - attempting to hide in the alternate data stream - are often used by what has been detected as malware, to install themselves. It would seem by the scans you have done that you don’t actually have a rootkit. It would also be normal for such a trojan to not actually cloak itself, at least beyond the initial install, because its cargo was a rogue antispyware program. (A variant of SpywareProtect, AKA Antispy2009.) These programs make the authors money by revealing their presence in a way that fools the user into purchasing the product. Works, too, I’m afraid. $50 down the drain, for anyone gullible enough.
Some more reading, if you want, about these particular rogues.
http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453151948
http://www.spywaredetector.net/spyware_encyclopedia/Fake%20Anti%20Spyware.Win%20SpywareProtect.htm
http://www.bleepingcomputer.com/malware-removal/remove-xp-antispyware-2009
Any of that (especially the pictures) look familiar?

Rootkits certainly used to be treated as the devil incarnate, with a format and reinstall the only solution recommended, but I actually do not think that is always the case any more, as modern anti malware tools (such as MBAM and SAS) have become very much more accomplished at removing them. Not saying you have or had a rootkit, (or not), just saying that if it were me, I would not be defaulting to a format and reinstall.

Thanks for your ideas. I have NTFS with Windows 2000. Because of subtle changes in my system, I’m paranoid the complete infection hasn’t been wiped out. I do think Avast may be using the term “rootkit” overly casually since they may be labelling many infections that way that others call trojans. This may make Avast appear more powerful - and may mean it really is, or may be a marketing tool.

The original consensus on rootkits is that they were the nuclear option, essentially undetectable, and not worth the trouble of trying to fix, since they may not even be possible to detect and fix. The major AV vendors don’t appear to discuss them or make any promises about them.

It’s possible I picked up two things at the same time - a rootkit and a trojan advertising a phony anti-virus program. Or maybe the rootkit element Avast detected was primarily its ability to survive most standard removal attempts, including Avast’s own attempts. I don’t know. Avast tech support hasn’t offered any ideas of its own yet. I’m just about ready to save off my many gigs of personal data, reformat and install XP.

If this isn’t really a rootkit, telling us it is an alarming disservice. It implies keystroke monitors and password stealers - theft of all credit card numbers if the kit notices you have financial software installed, loss of social security number, and at least observation of whether you have enough money in some bank to make you an interesting ongoing target of observation. If you log in to any institution, then they’ve got the login as well. In other words, a real rootkit can lead to total identity theft. That may be true of many types of viruses - but most viruses can be eliminated or caught at point of entry. I’m suspicious of all the rootkit eliminators that simply look for hidden files, and very concerned that Avast called this a rootkit and then could not eliminate it, but it kept coming back (I think sysguard.exe kept replacing iehelper.dll as soon as Avast quarantined it).

It’s a fact that Avast could not defeat this infection without MBAM’s help; at the same time, it’s the only one that called it a rootkit. I can’t think of a worse combination than declaring “You have the worst infection you could possibly get and we cured it” but they just didn’t cure any part of it at all.

I’d feel more, not less, confident, possibly, from any AV vendor that labeled this a trojan and eliminated it at infection time. That, of course, could be a false confidence if they missed the depth of the infection.

Maybe you’re right, that rootkits aren’t as serious as originally thought. I don’t know. The major vendors don’t talk about them, and searching on papers about rootkits describe them as kind of the nuclear option nearly impossible to eradicate or even detect, because they can alter the inner kernel as well as Windows API so that any info they give out to the AV program is basically false, completely subverting AV program from even detecting the problem.

Still hoping Avast is able to chime in at some point. Thanks for your comments!

First of all, hello to everyone. I’m new here, and also a new member of the Avast Club.
Second, I’m from Croatia and my English is not so good.
However, I hope you’ll understand at least something…
Well, before Avast I used only AVG Free, and it was good until a few days ago, when some ugly things came to my PC - a trojan horse rootkit agent, something like that - and I didn’t know what to do. When I started looking for help it was too late and my system was corrupted; I couldn’t open Windows anymore. Then I called Microsoft support (here in Croatia) and they were very kind, but nothing helped. They said I should install Malwarebytes’ Anti-Malware, and I did. It found over 50 infections, but every new scan found more. It was: TROJAN AGENT and TROJAN ROOTKIT. In the end, I installed Windows again. Microsoft support said I should try installing Avast, and I did, and Spybot Search & Destroy as well, but my problems didn’t finish there, because it seems that Avast and SB don’t like each other, or maybe it’s my mistake because I didn’t know how to manage SB to work properly, and my system crashed again. I went to System Restore and installed some drivers again, and here I am at the beginning again. :-\ Very stupid girl. I’m just a user, but I don’t know how things work, and I’m afraid now to install anything more than Avast. I also have Malwarebytes, because I think it’s good and very simple for dummies like me. 8) Now, the question is: should I install something else, or can I live with only Avast, Malwarebytes (free, so it’s not active all the time) and the Windows XP Home Edition SP2 firewall?
If not, then what is simple to use and friendly with Avast Free Home Edition?
Thank you very much for your help. :)

Hi Gala, welcome to the forum.
Spybot and Avast normally get on OK. Sometimes the S&D TeaTimer can be a problem.
I think what is more likely is that AVG is interfering with Avast.
Did you uninstall AVG?
Try downloading and running the AVG removal tool http://www.avg.com/download-tools
Try a repair of Avast, from the control panel>add/remove programs.

Did you format and reinstall Windows, or carry out a repair install of Windows?
If you scan with MBAM again, does it still detect anything?

Hi Gala,

Welcome to these forums. Well, there are things you learn by coming here more often, and that is good, to make you a bit more confident with your computer and security-related issues. Rule one: never combine two resident AV solutions; two major AV solutions that scan all your files, running in the background, is a bad thing. They can be compared to two ferocious dogs that do not guard the house but start fighting among themselves over a bone (e.g. a virus signature). One resident AV can be combined with certain online scanners and other non-resident AV solutions like DrWebCureIt (regularly updated before scanning with it, preferably from a clean pendrive) or ClamWin; you can combine it with SUPERAntiSpyware and MBAM as anti-malware scanners, and you can use a browser with in-browser security like Firefox or Flock with the NoScript, RequestPolicy and Perspectives extensions installed to block malicious scripts from running or block requests to destinations that are insecure.
The same story goes for firewalls: just one software FW please; more is not better, it is worse.
What you should do under all circumstances is upload all Service Packs, updates and patches for your Windows OS, and check whether all your third-party software is updated using the free Secunia PSI, which you can download here: http://secunia.com/PSISetup.exe
Well, these are the first important steps. Also, minimizing your risk from malware means only using your admin rights for updating and downloading trusted software; for your normal online activities use normal user rights. That will minimize the results of malware by some 90%: what the system does not allow, the malware cannot do, simple as that. DropMyRights is a good program to do that “on the fly”: http://download.microsoft.com/download/f/2/e/f2e49491-efde-4bca-9057-adc89c476ed4/DropMyRights.msi

I hope this posting gave you some inspiration,

Regards,

polonus

Hi Gala, welcome to the forum.

Hi Tarq, ty. :)

Yes, I did format and reinstall Windows and then installed Avast & SB, but something was wrong. Then I uninstalled both of them (but not properly, as I see now, haha), and went to System Restore. After that I installed only Avast & Malwarebytes again, and now everything looks just fine. MBAM and Avast haven’t shown any bad things yet.

Try downloading and running the AVG removal tool http://www.avg.com/download-tools

Should I still do it?
And should I do something more to remove SB? - I just went to the Add/Remove option. I’m afraid to install SB again.

What you should do under all circumstances is upload all ServicePacks and updates and patches for your Windows OS

Hello Polonus. I can’t do it, because there is some error with the Windows XP SP2 upgrade to SP3. When I called Microsoft for help, their first question was whether I had installed SP3, because it looks like this upgrade can be the problem. I don’t know why, but they told me so. ?? But I did install all the other security updates, for IE7 as well.

Rule one: never combine two resident av solutions,

I didn’t. I had only AVG before formatting. After that I started to use Avast with SB, and currently only Avast and MBAM, which is not active.

No need to run the AVG removal, formatting Windows will have removed it. (And everything else, as I guess you know.)
Your choice as to whether you try Spybot again. If you do, I would suggest not running any of the resident protections.
MBAM and Avast should be adequate. Another excellent scanner - a bit like Spybot or MBAM in operation - is Superantispyware. http://www.superantispyware.com/download.html
There is no need to run an additional tool for S&D. (I don’t think there is one.)
The updates (not upgrades) are important. I’ll let Polonus advise you further there. There should be no reason you can’t update, if your copy of Windows is activated. You may need to get the MS WGA download first; the MS update site will probably prompt you for it.
I think a two-way firewall is important, for outbound control. The XP firewall is great at what it does, but offers little or no outbound protection.

The updates (not upgrades) are important.

Oops! Sorry :)

There should be no reason you can't update, if your copy of Windows is activated.

It is.

I think a two-way firewall is important, for outbound control.

OK. I see that you have many firewalls in your signature. Is the first one on that list simple enough for me?

P.S. Thank you and Polonus very much for helping me.

Oops! Sorry
That's OK. Just correcting the terminology. Try downloading the standalone installer for SP3, if you can. http://www.microsoft.com/downloads/details.aspx?FamilyId=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en I know it says it's for developers etc., but I had no problems downloading it. Save it. Maybe even to a CD. Might be useful in the future.
OK. I see that you have many firewalls in your signature. Is the first one on that list simple enough for me?
Yeah, PCTools is fairly easy to use, and offers good protection. Another popular and highly regarded one is Comodo. It's a bit of a hassle because you have to download the installer package for the suite, but then you just install what you want from that.

If you aren’t used to an outbound firewall, the prompts will be a bit of a pain for a time, until it is trained.
Basically, the point of it is that if you get malware on the system that your AV hasn’t detected, the firewall will prompt you when the malware tries to connect outbound. So there you have the chance to (a) stop the malware from doing further damage, and (b) to know something is wrong and use another scanner/examine the system further.

What I’d do after downloading SP3 is disconnect from the net, and exit all running programs (extra programs, Avast, Skype, Messenger etc) then double click the installer to run it. It takes a few minutes. I have sometimes found 2 restarts useful following this. Once it’s done (if it works), restart the AV, reconnect to the net. See how that works. If it works, go to Windows (or MS) update to check for further updates.

P.S. Thank you and Polonus very much for helping me.
You're welcome. I enjoy trying to help. It helps me learn. It's a hobby. And every computer that is secured from malware makes the net a safer place.

Good morning! :)

OK, I’ll try to install SP3 later today. I’ll follow the steps from http://support.microsoft.com/kb/950717, and I will also remove IE7 before I start, just in case. If everything goes well, I will install Comodo from your signature. Will you help me to manage Comodo to work properly?
If I don’t come back by evening, you will know that something is wrong.
Regards

Hi, I won’t be able to help much with Comodo installation or setup; I don’t use it. The one in my signature is a buffer overflow protector, quite different.
PCTools firewall is the one I use. http://www.pctools.com/firewall/
Might pay to read a few user reviews, and decide for yourself which one you’d like to try. There are plenty of firewalls around, I just mentioned two of the fairly popular ones.

OK, PCTools firewall looks good. :)
I will install it after I finish the SP3 update. But one more important question:
Should I uninstall Avast before installing SP3, and install it again after, or just disable it?

Well, I got away with just disabling it for the SP3 install. (“Stop on access protection”) But I don’t know what you should do. Something prevented you from updating to SP3 before. If it isn’t too much hassle, maybe it would be better to uninstall it for the update. Don’t forget to disconnect the cable!

PCTools Firewall is pretty good to go on the default settings. It is what is called an “application based firewall”. The other common type is a “rules based firewall”. The “rules” one gives more precise control, but needs knowledge and usually a bit of time to set up. And if you get this wrong, it can be a serious security hole. I wouldn’t try to set up a rules based firewall without a tutorial, and someone to walk me through it.

Some people have complained about slowdowns when a feature called “enhanced security verification” is active. If you choose to deselect this, select “settings”, and untick the box indicated. Leaving it ticked will cause it to guard against internal system changes, a sort of an “internal firewall”. I leave it on, but turn it off when installing or updating known and safe software. It doesn’t seem to slow down the computer at all.

After you install it, check via the control panel that the windows firewall has been turned off.

Every time an unknown program wants to connect to the net, the firewall will prompt you. If you know the process, click “allow”. It will remember this, unless you un-tick the box that says “remember this decision” (or similar.)
Just as you think the popups are driving you insane, they will start to decrease. The firewall has learned what has rights to connect to the net.
If it should prompt for an application you don’t recognize, or understand, try Googling it. If you are still no better off, ask someone. A lot of the advanced users here will have a good or excellent idea.

I installed SP3, and for now it looks good, but it was unplanned, because it came in Automatic Updates, and I just let it run, shut down everything else, and disabled Avast. Now I’m downloading device-drivers.com, and then I will go further, hoping that everything will be OK.
Regards :)

I have iehelper.dll, infected with Win32 Rootkit. Have it in the virus chest. What should I do; delete it or chest it? I’m afraid of causing more harm than good for my PC.