Virus or Missing System Files?

TechN9Ne1730

When Windows boots up I get an error about the gclgaf40.dll module not being found. I also cannot seem to open my context menu on my desktop without Windows complaining. For example, I tried to rename a folder. If I try to rename it, it says it does not exist. If I choose rename but do not actually change the folder name, then it says it already exists. A quick Google search about this error turned up lots of virus reports, so I am a bit paranoid. I am baffled how anything would have managed to infect my computer. Nonetheless, here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:19:50 AM, on 8/31/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Code:
Running processes:
C:\Program Files (x86)\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe
C:\Program Files (x86)\Vuze\Azureus.exe
C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe
C:\Users\Xplorer4x4\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Hard Disk Sentinel\HDSentinel.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Everything\Everything.exe
C:\Program Files (x86)\Razer\Copperhead\razerhid.exe
C:\Users\Xplorer4x4\AppData\Local\Microsoft\Windows Sidebar\Gadgets\GPUMonitor-1.gadget\GPUMonitor.exe
C:\Program Files (x86)\Razer\Copperhead\razertra.exe
C:\Program Files (x86)\Razer\Copperhead\razerofa.exe
C:\Program Files (x86)\mIRC\mirc.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Deluge\deluge-gtk.exe
C:\Program Files (x86)\AIMP3\AIMP3.exe
C:\Program Files (x86)\Bitvise Tunnelier\Tunnelier.exe
C:\Program Files (x86)\Bitvise Tunnelier\totermc.exe
C:\Users\Xplorer4x4\Desktop\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [Everything] "C:\Program Files (x86)\Everything\Everything.exe" -startup
O4 - HKLM\..\Run: [Copperhead] C:\Program Files (x86)\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\RunServices: [BulletProof FTP Server 2011 Startup] C:\Program Files (x86)\BulletProof FTP Server 2011\bpftpserver-2011.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [7 Taskbar Tweaker] "C:\Users\Xplorer4x4\AppData\Roaming\7 Taskbar Tweaker\7 Taskbar Tweaker.exe" -hidewnd
O4 - HKCU\..\Run: [Azureus] C:\Program Files (x86)\Vuze\Azureus.exe
O4 - HKCU\..\Run: [MysticThumbs] C:\Program Files\MysticCoder\MysticThumbs\MysticThumbsTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = C:\Users\Xplorer4x4\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Global Startup: Update ESET's license.lnk = C:\Program Files (x86)\ESET\MiNODLogin\MiNODLogin.exe
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C735C13-E7DB-436A-95EE-C3981B2B01D6}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2C735C13-E7DB-436A-95EE-C3981B2B01D6}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: MotoHelper Service (MotoHelper) - Unknown owner - C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files (x86)\OpenVPN\bin\openvpnserv.exe
O23 - Service: PhoneMyPC_Helper - SoftwareForMe Inc - C:\Program Files\SoftwareForMe Inc\PhoneMyPC\PhoneMyPC_Helper.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
 
--
End of file - 8562 bytes
 

My Computer

OS
Windows 7 Ultimate x64 RTM
CPU
Intel Core i7 860
Motherboard
MSI P55-GD64
Memory
2x2GB G.Skill Ripjaws
Graphics Card(s)
Sapphire Raedon HD 4890
Monitor(s) Displays
Dell 2208 WFP
Screen Resolution
1680x1050
Hard Drives
2x80 GB Intel X25M G2 SSDs RAID0
1x1 TB WD Caviar Black
1x1 TB WD Caviar Green
1x2 TB Caviar Black
1x2 TB Caviar Green
PSU
Corsair HX520
Case
Thermaltake Mozart TX
Keyboard
Saitek Cyborg
Mouse
Razer Copperhead
Internet Speed
6 Mb/s
Hi,

I see you are using ESET NOD32, but whilst we wait for someone to decode the HijackThis log, perhaps you might consider downloading, installing, updating and running a FULL scan with FREE Malwarebytes.

If it doesn't turn up anything, are you able to Restore to a point before you noticed this problem?

Regards,
Golden
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Golden Mk. I.4
OS
Windows 10 Pro x64 ; Xubuntu x64
CPU
Intel i7 860 @ 2.80 GHz O/C'ed to 4.0GHz
Motherboard
Gigabyte P55A-UD3R Rev.1. Award BIOS F13
Memory
16GB Corsair Vengance DDR3 @ 661 MHz Dual Channel (9-9-9-24)
Graphics Card(s)
EVGA NVidia GTX 560 1024MB
Sound Card
Realtek Integrated
Monitor(s) Displays
Dual Samsung SyncMaster 2494HS
Screen Resolution
1920*1080 and 1920*1080
Hard Drives
1*Samsung 840 EVO 120GB SSD;
1*OCZ Vertex 2 60GB SSD;
2*Samsung F3 SpinPoint 1TB in RAID0;
1*Samsung F1 SpinPoint 1TB;
2*Western Digital 1TB External USB 3.0
1*Western Digital 500GB External USB 3.0
1*Seagate 500GB External USB 2.0
PSU
Thermaltake ToughPower QFan 750W
Case
Thermaltake Element S VK60001W2Z
Cooling
Corsair H60 Water Cooling, 2*230mm and 2*80mm case fans
Keyboard
Logitech G110
Mouse
Logitech MX518
Hey Golden, I just came to update my post but you beat me to it. I have scanned my PC with Malwarebytes and NOD32. NOD32 is my primary line of defense against viruses and such, running 24/7. With Malwarebytes I usually do a daily scan. Neither scanner has returned any threats. Ran sfc /scannow as admin in cmd and found no problems.
 

Sorry, I'm not a HijackThis expert. Actually, I'm not an expert at anything. But one more scan you can try is Microsoft's Standalone System Sweeper.

http://www.sevenforums.com/tutorials/166445-microsoft-standalone-system-sweeper.html

If you are still having problems you might try extracting the gclgaf40.dll file from your Windows 7 installation DVD (if you have one). If you actually have that file on the installation DVD you might be able to import a fresh copy. Why didn't sfc /scannow detect any problems? Like I said, I'm not an expert, but two possibilities come to mind: it's not a system file on your machine, or the basic file was detected but not any malicious code that might have been added to it.

http://www.sevenforums.com/tutorials/42776-extract-files-windows-7-installation-dvd.html
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Sony Vaio VPCEB47GM Laptop
OS
Win 7 Pro 64-bit
CPU
Intel i5 2.4 Ghz
Memory
8GB DDR3
Graphics Card(s)
Intel HD 3000
Sound Card
IDT High Definition
Monitor(s) Displays
15.6 WGXA Anti-Glare LED
Screen Resolution
1280x800
Hard Drives
640Gb 7200rpm
Antivirus
MSE
Browser
Opera (primary) with IE9 backup
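The log the OP posted and marsmimar's question of why sfc /scannow reported nothing can both be worked through offline. The Python script below is an added example, not code from this thread, from HijackThis or from any of the posters. It parses HijackThis-format lines, lists the entries a responder reads first (autostart and AppInit entries, services reported missing), checks whether each referenced file is on disk, and separates the 64-bit "(file missing)" artefact from a startup entry whose module is genuinely absent, which is what produces a "module not found" message at logon. The sample log is constructed from a few lines of the OP's log plus one constructed O4 line (showing how a Run entry pointing at the missing gclgaf40.dll would look; the real log contains no such line), and `sample_exists` with the `PRESENT` set stands in for `os.path.exists` so it runs without the host. `protected_by_sfc` is a labelled heuristic, not a lookup of the component-store catalogs.

```python
"""Offline triage of a HijackThis 2.0.4 log (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed sample: real lines from the thread's log plus one constructed O4 line
# (the gclgaf40 Run entry) that the OP's actual log does not contain.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.1/
F2 - REG:system.ini: UserInit=userinit.exe,
O4 - HKLM\..\Run: [Everything] "C:\Program Files (x86)\Everything\Everything.exe" -startup
O4 - HKCU\..\Run: [gclgaf40] rundll32.exe "C:\Users\Xplorer4x4\AppData\Local\gclgaf40.dll",Startup
O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
O23 - Service: @%SystemRoot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# Constructed stand-in for the file system: on a live host use os.path.exists.
PRESENT = {p.lower() for p in [
    r"C:\Program Files (x86)\Everything\Everything.exe",
    r"C:\Windows\SysWOW64\guard32.dll",
    r"C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe",
]}

def sample_exists(path):
    return path.lower() in PRESENT

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
QUOTED_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"')
# Unquoted paths may contain spaces, so stop at the first executable extension.
BARE_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cpl|sys)\b", re.IGNORECASE)

@dataclass
class Entry:
    section: str   # HJT section code, e.g. O4, O20, O23
    body: str
    paths: list    # Windows file paths referenced by the entry

def parse_log(text):
    """Keep only the 'Xn - ...' item lines; headers and process lists are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        paths = QUOTED_PATH.findall(body) or BARE_PATH.findall(body)
        entries.append(Entry(m.group("section"), body, paths))
    return entries

def under_windows_dir(path):
    return path.lower().startswith("c:\\windows\\")

def protected_by_sfc(path):
    """Heuristic: sfc /scannow verifies catalogued Windows files only, so a DLL
    outside %SystemRoot% (AppData, Program Files) is never in its scope. Inside
    %SystemRoot% only catalogued files are checked; this does not read the catalogs."""
    return under_windows_dir(path)

def triage(entries, exists):
    """Return (kind, entry, reason) findings. `exists` is a path -> bool callable."""
    findings = []
    for e in entries:
        if e.section == "O20":
            findings.append(("review", e,
                             "AppInit_DLLs loads into every process that links user32.dll; confirm the vendor"))
        for p in e.paths:
            if e.section in ("O4", "O20") and not exists(p):
                findings.append(("missing-autostart", e,
                                 f"{p} is referenced at startup but not on disk; this yields a "
                                 f"'module could not be found' message at logon (sfc scope: {protected_by_sfc(p)})"))
            if e.section == "O23" and "(file missing)" in e.body:
                if under_windows_dir(p) and "\\system32\\" in p.lower():
                    # 32-bit HijackThis on x64 is redirected to SysWOW64 by WOW64,
                    # so System32 service binaries are reported missing even when present.
                    findings.append(("likely-false-positive", e,
                                     "WOW64 redirection of System32 for a 32-bit scanner"))
                else:
                    findings.append(("review", e, f"service binary {p} reported missing"))
    return findings

def summarize(findings):
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts

if __name__ == "__main__":
    for kind, entry, why in triage(parse_log(SAMPLE_LOG), sample_exists):
        print(f"[{kind}] {entry.section}: {entry.body}\n    {why}")
```

On a real host, pass `os.path.exists` as `exists` and feed the saved hijackthis.log; an O4 or O20 entry that lands in `missing-autostart` is the usual source of a boot-time "module not found" after an antivirus has deleted the DLL but not the registry value that loads it, and the `likely-false-positive` bucket keeps the dozens of "(file missing)" System32 services on an x64 machine from drowning that out.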

My Computer

Computer Manufacturer/Model Number
DIY
OS
Windows 7 home premium x64
CPU
AMD FX-4100 AM3+ 3.6GHz 12MB Black Edition
Motherboard
Asus M5A97 Pro
Memory
Crsair vengeance 12Gb DDR3 1600MHz CL9
Graphics Card(s)
Asus GTX 560 1GB
Sound Card
Realtek onboard
Monitor(s) Displays
Hanns G 1680x1050 native
Hard Drives
OCZ 128Gb Petrol ssd
2x500 Gb Samsung
PSU
OCZ StealthXstream II 500W
Internet Speed
8Mb or better
Searching Google for this file to see what it's linked to, it appears to be an Ikarus trojan dropper. I found full details of the other files it creates and their locations on ThreatExpert. Have a look: www.threatexpert.com/report.aspx?md5=63bd2d8ddd650093865e44ed6e583a60
I guess I should have read the first result in Google, lol. I skimmed through looking for sites I recognized. Anyway, I looked through my system for the files and registry entries listed. I managed to find 2 files and none of the reg keys. I am guessing NOD32 caught it before it could fully infiltrate the system. I am still baffled how it got in, but thank you for the information; I was able to remove the files with no problem. Going to go down for a reboot and make sure they do not come back.

@marsmimar, thank you for your response as well. I was not aware of this tool, but F-Secure Rescue CD has always served me well in the past for those nasty nasty infections. I will keep it in mind though!
 

I guess I should have read the first result in Google, lol. I skimmed through looking for sites I recognized. Anyway, I looked through my system for the files and registry entries listed. I managed to find 2 files and none of the reg keys. I am guessing NOD32 caught it before it could fully infiltrate the system. I am still baffled how it got in, but thank you for the information; I was able to remove the files with no problem. Going to go down for a reboot and make sure they do not come back.

@marsmimar, thank you for your response as well. I was not aware of this tool, but F-Secure Rescue CD has always served me well in the past for those nasty nasty infections. I will keep it in mind though!

Hope the problem is solved and gone for good!
 

F-Secure Rescue CD has always served me well in the past for those nasty nasty infections

F-Secure is a great tool to have in your arsenal :cool:

Hope things are all cleared up now.
 

I tried the Microsoft tool. It found an infection in my InstallShield directory of my 32-bit Program Files. It doesn't seem to have cleaned it, imo. My HijackThis log looks exactly the same. Sucks, I just did a clean install of Windows like last week. It would be easier to try to remove the virus, but in the end, it would probably end up wasting more time.

Thanks anyway guys, at least I got to the root of the problem. I am just too lazy to try to clean it out, plus this ensures I don't have any side effects from trying to remove the virus.
 
