Windows 7 Forums


Windows 7: Virus or Missing System Files?


31 Aug 2011   #1

Windows 7 Ultimate x64 RTM
 
 
Virus or Missing System Files?

When Windows boots up I get an error about the gclgaf40.dll module not being found. I also cannot seem to open my context menu on my desktop without Windows complaining. For example, I tried to rename a folder. If I try to rename it, it says it does not exist. If I try to choose rename, but not actually change the folder name, then it says it already exists. A quick Google search about this error turned up lots of virus reports so I am a bit paranoid. I am baffled how anything would have managed to infect my computer. Nonetheless, here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:19:50 AM, on 8/31/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe
C:\Program Files (x86)\Vuze\Azureus.exe
C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe
C:\Users\Xplorer4x4\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Hard Disk Sentinel\HDSentinel.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Everything\Everything.exe
C:\Program Files (x86)\Razer\Copperhead\razerhid.exe
C:\Users\Xplorer4x4\AppData\Local\Microsoft\Windows Sidebar\Gadgets\GPUMonitor-1.gadget\GPUMonitor.exe
C:\Program Files (x86)\Razer\Copperhead\razertra.exe
C:\Program Files (x86)\Razer\Copperhead\razerofa.exe
C:\Program Files (x86)\mIRC\mirc.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Deluge\deluge-gtk.exe
C:\Program Files (x86)\AIMP3\AIMP3.exe
C:\Program Files (x86)\Bitvise Tunnelier\Tunnelier.exe
C:\Program Files (x86)\Bitvise Tunnelier\totermc.exe
C:\Users\Xplorer4x4\Desktop\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [Everything] "C:\Program Files (x86)\Everything\Everything.exe" -startup
O4 - HKLM\..\Run: [Copperhead] C:\Program Files (x86)\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\RunServices: [BulletProof FTP Server 2011 Startup] C:\Program Files (x86)\BulletProof FTP Server 2011\bpftpserver-2011.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [7 Taskbar Tweaker] "C:\Users\Xplorer4x4\AppData\Roaming\7 Taskbar Tweaker\7 Taskbar Tweaker.exe" -hidewnd
O4 - HKCU\..\Run: [Azureus] C:\Program Files (x86)\Vuze\Azureus.exe
O4 - HKCU\..\Run: [MysticThumbs] C:\Program Files\MysticCoder\MysticThumbs\MysticThumbsTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = C:\Users\Xplorer4x4\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Global Startup: Update ESET's license.lnk = C:\Program Files (x86)\ESET\MiNODLogin\MiNODLogin.exe
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C735C13-E7DB-436A-95EE-C3981B2B01D6}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2C735C13-E7DB-436A-95EE-C3981B2B01D6}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: MotoHelper Service (MotoHelper) - Unknown owner - C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files (x86)\OpenVPN\bin\openvpnserv.exe
O23 - Service: PhoneMyPC_Helper - SoftwareForMe Inc - C:\Program Files\SoftwareForMe Inc\PhoneMyPC\PhoneMyPC_Helper.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
 
--
End of file - 8562 bytes
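A log like the one above is usually triaged by eye, section by section. As an added example (not part of this thread and not a HijackThis component), here is a small Python parser that splits such a log into its lettered entries and flags the groups a reviewer looks at first: O4 autostarts that go through rundll32 or point into user-writable folders, O20 AppInit_DLLs entries, and O23 services reported as "(file missing)". The sample lines are constructed for the example: most are copied from the log above, the rundll32 entry is made up to show the "autostart points at a DLL under a user profile" pattern, and the file name in it is a placeholder.

```python
"""Triage helper for HijackThis-style log lines (added example, not a HijackThis tool)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input. The first two O4 lines, the O20 line and both O23
# lines are copied from the log above; the third O4 line is made up and its
# "example.dll" is a placeholder, used only to exercise the rundll32 rule.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Everything] "C:\Program Files (x86)\Everything\Everything.exe" -startup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [example] rundll32.exe "C:\Users\Xplorer4x4\AppData\Local\Temp\example.dll",Start
O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
"""

# Every HijackThis entry starts with a section code (R0, F2, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Directories a non-admin user can write to; autostarts living there deserve a look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.I)
SYSTEM32 = re.compile(r"\\Windows\\System32\\", re.I)


@dataclass
class Entry:
    code: str
    body: str
    flags: List[str] = field(default_factory=list)


def parse_entries(text: str) -> List[Entry]:
    """Split a log into entries; lines that are not HijackThis entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def triage(entry: Entry) -> List[str]:
    """Return review notes for one entry; an empty list means nothing stood out."""
    flags = []
    if entry.code == "O4":
        if re.search(r"rundll32(\.exe)?", entry.body, re.I):
            flags.append("autostart via rundll32: confirm the DLL exists and is signed")
        if USER_WRITABLE.search(entry.body):
            flags.append("autostart target lives in a user-writable directory")
    elif entry.code == "O20":
        # AppInit_DLLs are loaded into every process that loads user32.dll.
        flags.append("AppInit_DLLs entry: identify the vendor of the DLL")
    elif entry.code == "O23" and entry.body.endswith("(file missing)"):
        if SYSTEM32.search(entry.body):
            # A 32-bit scanner on x64 sees System32 redirected to SysWOW64,
            # so core services routinely show as missing without being tampered with.
            flags.append("core service reported missing: likely WOW64 redirection, "
                         "confirm from a 64-bit view before acting")
        else:
            flags.append("service binary missing: stale service entry or removed file")
    return flags


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged entry body to its review notes."""
    result: Dict[str, List[str]] = {}
    for e in parse_entries(text):
        e.flags = triage(e)
        if e.flags:
            result[e.body] = e.flags
    return result


if __name__ == "__main__":
    for body, notes in triage_log(SAMPLE_LOG).items():
        print(body)
        for note in notes:
            print("   ->", note)
```

The rules are a reading aid, not a verdict. In this log, for instance, the O20 entry points at guard32.dll, which is a COMODO Internet Security component (its cmdAgent service is listed under O23), and HijackThis 2.0.4 is a 32-bit program, so on x64 Windows the long run of System32 services marked "(file missing)" is the expected redirection effect rather than evidence of damage.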



31 Aug 2011   #2

Microsoft Community Contributor Award Recipient

Windows 7 Ult. x64 Windows 8.1 x64 Ubuntu 12.04 LTS Tri-Boot
 
 

Hi,

I see you are using ESET NOD32, but whilst we wait for someone to decode the HijackThis log, perhaps you might consider downloading, installing, updating and running a FULL scan with the FREE Malwarebytes.

If it doesn't turn up anything, are you able to Restore to a point before you noticed this problem?

Regards,
Golden
31 Aug 2011   #3

Windows 7 Ultimate x64 RTM
 
 

Hey Golden, just came to update my post but you beat me to it. I have scanned my PC with Malwarebytes and NOD32. NOD32 is my primary line of defense against viruses and such, running 24/7. With Malwarebytes I usually do a daily scan. Neither scanner has returned any threats. Ran sfc /scannow as admin in cmd and found no problems.


31 Aug 2011   #4

Microsoft Community Contributor Award Recipient

Win 7 Pro 64-bit
 
 

Sorry, I'm not a HijackThis expert. Actually, I'm not an expert at anything. But one more scan you can try is Microsoft's Standalone System Sweeper.

http://www.sevenforums.com/tutorials...m-sweeper.html

If you're still having problems you might try extracting the gclgaf40.dll file from your Windows 7 installation DVD (if you have one). If you actually have that file on the installation DVD you might be able to import a fresh copy. Why didn't sfc /scannow detect any problems? Like I said, I'm not an expert, but two possibilities come to mind: either it's not a system file on your machine, or the basic file was detected but not any malicious code that might have been added to it.

Extract Files from Windows 7 Installation DVD
31 Aug 2011   #5

Windows 7 home premium x64
 
 

Searching Google for this file to see what it's linked to, it appears to be an Ikarus trojan dropper. I found full details of the other files it creates and their locations on ThreatExpert. Have a look: www.threatexpert.com/report.aspx?md5=63bd2d8ddd650093865e44ed6e583a60
31 Aug 2011   #6

Windows 7 Ultimate x64 RTM
 
 

Quote: Originally Posted by cyclic
Searching Google for this file to see what it's linked to, it appears to be an Ikarus trojan dropper. I found full details of the other files it creates and their locations on ThreatExpert. Have a look: www.threatexpert.com/report.aspx?md5=63bd2d8ddd650093865e44ed6e583a60
I guess I should have read the first result in Google, lol. I skimmed through looking for sites I recognized. Anyways, I looked through my system for the files and registry entries listed. I managed to find 2 files and none of the reg keys. I am guessing NOD32 caught it before it could fully infiltrate the system. I am still baffled how it got in, but thank you for the information; I was able to remove the files with no problem. Going to go down for a reboot and make sure they do not come back.

@marsmimar, thank you for your response as well. I was not aware of this tool, but F-Secure Rescue CD has always served me well in the past for those nasty nasty infections. I will keep it in mind though!
31 Aug 2011   #7

Microsoft Community Contributor Award Recipient

Win 7 Pro 64-bit
 
 

Quote: Originally Posted by TechN9Ne1730
I guess I should have read the first result in Google, lol. I skimmed through looking for sites I recognized. Anyways, I looked through my system for the files and registry entries listed. I managed to find 2 files and none of the reg keys. I am guessing NOD32 caught it before it could fully infiltrate the system. I am still baffled how it got in, but thank you for the information; I was able to remove the files with no problem. Going to go down for a reboot and make sure they do not come back.

@marsmimar, thank you for your response as well. I was not aware of this tool, but F-Secure Rescue CD has always served me well in the past for those nasty nasty infections. I will keep it in mind though!
Hope the problem is solved and gone for good!
31 Aug 2011   #8

Microsoft Community Contributor Award Recipient

Windows 7 Ult. x64 Windows 8.1 x64 Ubuntu 12.04 LTS Tri-Boot
 
 

Quote: Originally Posted by TechN9Ne1730
F-Secure Rescue CD has always served me well in the past for those nasty nasty infections
F-Secure is a great tool to have in your arsenal.

Hope things are all cleared up now.
01 Sep 2011   #9

Windows 7 Ultimate x64 RTM
 
 

I tried the Microsoft tool. It found an infection in my InstallShield directory in my 32-bit Program Files. It doesn't seem to have cleaned it, IMO. My HijackThis log looks exactly the same. Sucks, I just did a clean install of Windows like last week. It would be easier to try to remove the virus, but in the end, it would probably end up wasting more time.

Thanks anyways guys, at least I got to the root of the problem. I am just too lazy to try to clean it out, plus this ensures I don't have any side effects from trying to remove the virus.