Windows 7: Virus or Missing System Files?
31 Aug 2011
#1 | Windows 7 Ultimate x64 RTM
When Windows boots up I get an error saying the gclgaf40.dll module was not found. I also cannot seem to open my context menu on my desktop without Windows complaining. For example, I tried to rename a folder. If I try to rename it, it says it does not exist. If I try to choose rename, but not actually change the folder name, then it says it already exists. A quick Google search about this error turned up lots of virus reports, so I am a bit paranoid. I am baffled how anything would have managed to infect my computer. Nonetheless, here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:19:50 AM, on 8/31/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe
C:\Program Files (x86)\Vuze\Azureus.exe
C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe
C:\Users\Xplorer4x4\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Hard Disk Sentinel\HDSentinel.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Everything\Everything.exe
C:\Program Files (x86)\Razer\Copperhead\razerhid.exe
C:\Users\Xplorer4x4\AppData\Local\Microsoft\Windows Sidebar\Gadgets\GPUMonitor-1.gadget\GPUMonitor.exe
C:\Program Files (x86)\Razer\Copperhead\razertra.exe
C:\Program Files (x86)\Razer\Copperhead\razerofa.exe
C:\Program Files (x86)\mIRC\mirc.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Deluge\deluge-gtk.exe
C:\Program Files (x86)\AIMP3\AIMP3.exe
C:\Program Files (x86)\Bitvise Tunnelier\Tunnelier.exe
C:\Program Files (x86)\Bitvise Tunnelier\totermc.exe
C:\Users\Xplorer4x4\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [Everything] "C:\Program Files (x86)\Everything\Everything.exe" -startup
O4 - HKLM\..\Run: [Copperhead] C:\Program Files (x86)\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\RunServices: [BulletProof FTP Server 2011 Startup] C:\Program Files (x86)\BulletProof FTP Server 2011\bpftpserver-2011.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [7 Taskbar Tweaker] "C:\Users\Xplorer4x4\AppData\Roaming\7 Taskbar Tweaker\7 Taskbar Tweaker.exe" -hidewnd
O4 - HKCU\..\Run: [Azureus] C:\Program Files (x86)\Vuze\Azureus.exe
O4 - HKCU\..\Run: [MysticThumbs] C:\Program Files\MysticCoder\MysticThumbs\MysticThumbsTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = C:\Users\Xplorer4x4\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Global Startup: Update ESET's license.lnk = C:\Program Files (x86)\ESET\MiNODLogin\MiNODLogin.exe
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C735C13-E7DB-436A-95EE-C3981B2B01D6}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2C735C13-E7DB-436A-95EE-C3981B2B01D6}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: MotoHelper Service (MotoHelper) - Unknown owner - C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files (x86)\OpenVPN\bin\openvpnserv.exe
O23 - Service: PhoneMyPC_Helper - SoftwareForMe Inc - C:\Program Files\SoftwareForMe Inc\PhoneMyPC\PhoneMyPC_Helper.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 8562 bytes

My System Specs | OS Windows 7 Ultimate x64 RTM CPU Intel Core i7 860 Motherboard MSI P55-GD64 Memory 2x2GB G.Skill Ripjaws Graphics Card Sapphire Raedon HD 4890 Monitor(s) Displays Dell 2208 WFP Screen Resolution 1680x1050 Keyboard Saitek Cyborg Mouse Razer Copperhead PSU Corsair HX520 Case Thermaltake Mozart TX Hard Drives 2x80 GB Intel X25M G2 SSDs RAID0
1x1 TB WD Caviar Black
1x1 TB WD Caviar Green
1x2 TB Caviar Black
1x2 TB Caviar Green Internet Speed 6 Mb/s |
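Reading a log like the one above by hand is slow, so here is an added example (editor's code, not from the thread and not HijackThis code) that parses O4/O20/O23 lines and flags what a first triage pass looks at: DLLs run at logon through rundll32, autostart targets that no longer exist on disk (a common cause of a "module not found" message at boot when a scanner has removed the DLL but left the Run entry), AppInit_DLLs entries, and services reported "(file missing)", with the System32 ones marked as a likely 32-bit-tool-on-64-bit view artefact. The sample lines and the "present on disk" set are constructed, and the rundll32 entry for gclgaf40.dll is an assumed shape, not something the posted log shows.

```python
import ntpath
import os
import re

# Constructed sample in HijackThis v2 format (not the thread's own log); the rundll32 line is an
# assumed shape for an autostart that yields "module not found", not something the log shows.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Everything] "C:\Program Files (x86)\Everything\Everything.exe" -startup
O4 - HKCU\..\Run: [Loader] rundll32.exe "C:\Users\demo\AppData\Local\gclgaf40.dll",Start
O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
O23 - Service: Spooler - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
"""
# Constructed set of files "present on disk" (lower-cased) so the check can run offline.
PRESENT = {
    r"c:\program files (x86)\everything\everything.exe",
    r"c:\windows\syswow64\guard32.dll",
    r"c:\program files (x86)\malwarebytes' anti-malware\mbamservice.exe",
}

O4_RE = re.compile(r"^O4 - .+?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - .+? - (?P<path>.+?)(?P<missing> \(file missing\))?$")


def image_and_module(cmd):
    """Split an O4 command into (image, module); module is the DLL a rundll32 entry loads."""
    parts = [q or u for q, u in re.findall(r'"([^"]+)"|(\S+)', cmd)]
    image = parts[0] if parts else ""
    module = None
    if ntpath.basename(image).lower() == "rundll32.exe" and len(parts) > 1:
        module = parts[1].split(",", 1)[0]  # rundll32 takes "dll,EntryPoint"
    return image, module


def triage(lines, exists=os.path.exists):
    """Return (category, name, path) findings for the log lines worth a second look."""
    findings = []
    for line in (l.strip() for l in lines):
        if m := O4_RE.match(line):
            image, module = image_and_module(m["cmd"])
            if module:  # a DLL loaded at logon by rundll32 is the usual source of "module not found"
                findings.append(("rundll32 autostart", m["name"], module))
            target = module or image
            if target and not exists(target):
                findings.append(("autostart target missing", m["name"], target))
        elif m := O20_RE.match(line):
            # AppInit_DLLs are loaded into every process that maps user32.dll; confirm the vendor.
            findings.append(("AppInit_DLLs", "AppInit_DLLs", m["path"]))
        elif (m := O23_RE.match(line)) and m["missing"]:
            # 32-bit HijackThis sees System32 through WOW64 redirection on x64, so 64-bit-only
            # Windows binaries show as "(file missing)": a view artefact, not evidence of infection.
            sys32 = m["path"].lower().startswith(r"c:\windows\system32")
            cat = "service file missing (likely WOW64 view)" if sys32 else "service file missing"
            findings.append((cat, m["name"], m["path"]))
    return findings


def demo():
    return triage(SAMPLE_LOG.splitlines(), exists=lambda p: p.lower() in PRESENT)
```

Call `triage(open("hijackthis.log"))` on a real log to use the live filesystem check; on a 64-bit box, run it from a 64-bit Python so System32 paths are not redirected.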
31 Aug 2011
#2 | Windows 7 Ultimate SP1 (x64) | South Australia
Hi,
I see you are using ESET NOD32, but whilst we wait for someone to decode the HijackThis log, perhaps you might consider downloading, installing, updating and running a FULL scan with the FREE Malwarebytes.
If it doesn't turn up anything, are you able to Restore to a point before you noticed this problem?
Regards,
Golden | My System Specs | | Computer type PC/Desktop System Manufacturer/Model Number Golden Mk. I.3 OS Windows 7 Ultimate SP1 (x64) CPU Intel i7 860 @ 2.80 GHz Motherboard Gigabyte P55A-UD3R Rev.1. Award BIOS F13 Memory 16GB Corsair Vengance DDR3 @ 661 MHz Dual Channel (9-9-9-24) Graphics Card EVGA NVidia GTX 560 1024MB Sound Card Realtek Integrated Monitor(s) Displays Dual Samsung SyncMaster 2494HS Screen Resolution 1920*1080 and 1920*1080 Keyboard Logitech G110 Mouse Logitech MX518 PSU Thermaltake ToughPower QFan 750W Case Thermaltake Element S VK60001W2Z Cooling Corsair H60 Water Cooling, 2*230mm and 2*80mm case fans Hard Drives 1*OCZ Vertex 2 60GB SSD;
2*Samsung F3 SpinPoint 1TB in RAID0;
3*Samsung F1 SpinPoint 1TB in RAID5;
1*Western Digital 500GB External USB 3.0
1*Seagate 500GB External USB 2.0 Internet Speed Not fast enough!!! Antivirus MSE and Malwarebytes Pro Browser Chrome Version 25 Other Info Laptop: ASUS X54C, Intel Core i3-2330M @ 2.0Ghz, 4GB RAM, Intel HD on-board graphics, Windows 7 Professional SP1 (x64), LinuxMint 14 (x64), PepperMint 3 (x86) |
31 Aug 2011
#3 | Windows 7 Ultimate x64 RTM
Hey Golden, just came to update my post but you beat me to it. I have scanned my PC with Malwarebytes and NOD32. NOD32 is my primary line of defense against viruses and such, running 24/7. With Malwarebytes I usually do a daily scan. Neither scanner has returned any threats. Ran sfc /scannow as admin in cmd and found no problems.
31 Aug 2011
#4 | Win 7 Pro 64-bit | South Central Texas
Sorry, I'm not a HijackThis expert. Actually, I'm not an expert at anything. But one more scan you can try is Microsoft's Standalone System Sweeper. http://www.sevenforums.com/tutorials...m-sweeper.html
If you're still having problems you might try extracting the gclgaf40.dll file from your Windows 7 installation DVD (if you have one). If you actually have that file on the installation DVD you might be able to import a fresh copy. Why didn't sfc /scannow detect any problems? Like I said, I'm not an expert, but two possibilities come to mind: it's not a system file on your machine, or the basic file was detected but not any malicious code that might have been added to it. Extract Files from Windows 7 Installation DVD | My System Specs | | Computer type Laptop System Manufacturer/Model Number Sony Vaio VPCEB47GM Laptop OS Win 7 Pro 64-bit CPU Intel i5 2.4 Ghz Memory 8GB DDR3 Graphics Card Intel HD 3000 Sound Card IDT High Definition Monitor(s) Displays 15.6 WGXA Anti-Glare LED Screen Resolution 1280x800 Hard Drives 640Gb 7200rpm Antivirus MSE Browser Opera (primary) with IE9 backup |
31 Aug 2011
#5 | Windows 7 home premium x64
Searching Google for this file to see what it's linked to, it appears to be an Ikarus trojan dropper. I found full details of the other files it creates and their location on ThreatExpert. Have a look: www.threatexpert.com/report.aspx?md5=63bd2d8ddd650093865e44ed6e583a60 | My System Specs | | System Manufacturer/Model Number DIY OS Windows 7 home premium x64 CPU AMD FX-4100 AM3+ 3.6GHz 12MB Black Edition Motherboard Asus M5A97 Pro Memory Crsair vengeance 12Gb DDR3 1600MHz CL9 Graphics Card Asus GTX 560 1GB Sound Card Realtek onboard Monitor(s) Displays Hanns G 1680x1050 native PSU OCZ StealthXstream II 500W Hard Drives OCZ 128Gb Petrol ssd
2x500 Gb Samsung Internet Speed 8Mb or better |
31 Aug 2011
#6 | Windows 7 Ultimate x64 RTM
I guess I should have read the first result in Google, lol. I skimmed through looking for sites I recognized. Anyway, I looked through my system for the files and registry entries listed. I managed to find 2 files and none of the reg keys. I am guessing NOD32 caught it before it could fully infiltrate the system. I am still baffled how it got in, but thank you for the information; I was able to remove the files with no problem. Going to go down for a reboot and make sure they do not come back.
@marsmimar, thank you for your response as well. I was not aware of this tool, but the F-Secure Rescue CD has always served me well in the past for those nasty, nasty infections. I will keep it in mind though!
31 Aug 2011
#7 | Win 7 Pro 64-bit | South Central Texas
Quote: Originally Posted by TechN9Ne1730: I guess I should have read the first result in Google, lol. I skimmed through looking for sites I recognized. Anyway, I looked through my system for the files and registry entries listed. I managed to find 2 files and none of the reg keys. I am guessing NOD32 caught it before it could fully infiltrate the system. I am still baffled how it got in, but thank you for the information; I was able to remove the files with no problem. Going to go down for a reboot and make sure they do not come back. @marsmimar, thank you for your response as well. I was not aware of this tool, but the F-Secure Rescue CD has always served me well in the past for those nasty, nasty infections. I will keep it in mind though!

Hope the problem is solved and gone for good!
31 Aug 2011
#8 | Windows 7 Ultimate SP1 (x64) | South Australia
Quote: Originally Posted by TechN9Ne1730: F-Secure Rescue CD has always served me well in the past for those nasty nasty infections

F-Secure is a great tool to have in your arsenal.
Hope things are all cleared up now.
01 Sep 2011
#9 | Windows 7 Ultimate x64 RTM
I tried the Microsoft tool. It found an infection in my InstallShield directory in my 32-bit Program Files. It doesn't seem to have cleaned it, imo. My HijackThis log looks exactly the same. Sucks, I just did a clean install of Windows like last week. It would be easier to try to remove the virus, but in the end, it would probably end up wasting more time.
Thanks anyway guys, at least I got to the root of the problem. I am just too lazy to try to clean it out, plus this ensures I don't have any side effects from trying to remove the virus.