Malware or not? .dll error

im4eversmart · 18 Jun 2013

So just a few days ago my ESET picked up a file in my appdata named gclgaf40.dll to be a trojan, it automatically deleted it

The thing is, every now and then an error saying "unable to start gclgaf40.dll because file is not found" appears, googling suggests that it might be registry error but I searched "gclgaf40.dll" in regedit and no result was found

Any suggestions on how I could remove this error?

ThrashZone · 18 Jun 2013

autoruns,
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Please review this carefully "What not to uncheck",
http://forum.sysinternals.com/faq-common-autoruns-issues_topic4719.html

im4eversmart · 18 Jun 2013

ThrashZone said:

autoruns,
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Please review this carefully "What not to uncheck",
http://forum.sysinternals.com/faq-common-autoruns-issues_topic4719.html

Thanks for your reply, autoruns is indeed a great tool, however I did not find anything anything related to gclgaf40.dll on the list, nor anything from its original directory

VistaKing · 18 Jun 2013

im4eversmart

Run Malwarebytes

Download Link

MalwareBytes

When the installation is done uncheck Enable free trial of Malwarebytes (see image below )

Update the definitions and do a full scan

On the Scanner tab:
Make sure the "Perform Full Scan" option is selected.
Then click on the Scan button.

If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.

The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.

When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".

Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.

Make sure that everything is checked, and click Remove Selected.

When removal is completed, a log report will open in Notepad.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

Copy and paste the contents of that report in your next reply and exit MBAM.

Jacee · 18 Jun 2013

GCLGAF40.DLL is a Trojan/Backdoor. Using a "clean" computer, not the infected on, change ALL your passwords!

It is located here in the registry:
HKLM\SOFTWARE\Classes\CLSID\{88C9E494-ECB8-4ABB-AFED-608DA3DBA78F}\InProcServer32\: “%AppData%\Microsoft\msxmin40.dll”

These are the files:
%AppData%\Microsoft\gclgaf40.dll
%AppData%\Microsoft\msxmin40.dll
%AppData%\Microsoft\wiches32.dll
%Temp%\omfc.dll
%Temp%\setup.exe
%Temp%\snapview.exe

im4eversmart · 19 Jun 2013

Jacee said:

GCLGAF40.DLL is a Trojan/Backdoor. Using a "clean" computer, not the infected on, change ALL your passwords!

It is located here in the registry:
HKLM\SOFTWARE\Classes\CLSID\{88C9E494-ECB8-4ABB-AFED-608DA3DBA78F}\InProcServer32\: “%AppData%\Microsoft\msxmin40.dll”

These are the files:
%AppData%\Microsoft\gclgaf40.dll
%AppData%\Microsoft\msxmin40.dll
%AppData%\Microsoft\wiches32.dll
%Temp%\omfc.dll
%Temp%\setup.exe
%Temp%\snapview.exe

It took me quite a while to locate the file in my registry, the numbers were not the same, it was {09293DF5-1614-485A-93F7-EC88B8AE96A1} for me, so far so good, i'll report back later if there is any problem

Jacee · 19 Jun 2013

Please download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.