Possible Infection?

Discussion in 'Windows - Virus and spyware problems' started by Xplorer4, Aug 31, 2011.

  1. Xplorer4

    Xplorer4 Active member

    Joined:
    Apr 13, 2006
    Messages:
    1,080
    Likes Received:
    0
    Trophy Points:
    66
    When Windows boots up I get an error about the gclgaf40.dll module not being found. I also cannot seem to open the context menu on my desktop without Windows complaining. For example, I tried to rename a folder. If I try to rename it, it says it does not exist. If I try to choose rename, but not actually change the folder name, then it says it already exists. A quick Google search about this error turned up lots of virus reports, so I am a bit paranoid. I am baffled how anything would have managed to infect my computer. Nonetheless, here is the HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:19:50 AM, on 8/31/2011
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v9.00 (9.00.8112.16421)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\Windows Sidebar\sidebar.exe
    C:\Program Files (x86)\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe
    C:\Program Files (x86)\Vuze\Azureus.exe
    C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe
    C:\Users\Xplorer4x4\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Program Files (x86)\Hard Disk Sentinel\HDSentinel.exe
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    C:\Program Files (x86)\Everything\Everything.exe
    C:\Program Files (x86)\Razer\Copperhead\razerhid.exe
    C:\Users\Xplorer4x4\AppData\Local\Microsoft\Windows Sidebar\Gadgets\GPUMonitor-1.gadget\GPUMonitor.exe
    C:\Program Files (x86)\Razer\Copperhead\razertra.exe
    C:\Program Files (x86)\Razer\Copperhead\razerofa.exe
    C:\Program Files (x86)\mIRC\mirc.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Program Files (x86)\Deluge\deluge-gtk.exe
    C:\Program Files (x86)\AIMP3\AIMP3.exe
    C:\Program Files (x86)\Bitvise Tunnelier\Tunnelier.exe
    C:\Program Files (x86)\Bitvise Tunnelier\totermc.exe
    C:\Users\Xplorer4x4\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.1/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=userinit.exe,
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
    O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    O4 - HKLM\..\Run: [Everything] "C:\Program Files (x86)\Everything\Everything.exe" -startup
    O4 - HKLM\..\Run: [Copperhead] C:\Program Files (x86)\Razer\Copperhead\razerhid.exe
    O4 - HKLM\..\RunServices: [BulletProof FTP Server 2011 Startup] C:\Program Files (x86)\BulletProof FTP Server 2011\bpftpserver-2011.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [7 Taskbar Tweaker] "C:\Users\Xplorer4x4\AppData\Roaming\7 Taskbar Tweaker\7 Taskbar Tweaker.exe" -hidewnd
    O4 - HKCU\..\Run: [Azureus] C:\Program Files (x86)\Vuze\Azureus.exe
    O4 - HKCU\..\Run: [MysticThumbs] C:\Program Files\MysticCoder\MysticThumbs\MysticThumbsTray.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - Startup: Dropbox.lnk = C:\Users\Xplorer4x4\AppData\Roaming\Dropbox\bin\Dropbox.exe
    O4 - Global Startup: Update ESET's license.lnk = C:\Program Files (x86)\ESET\MiNODLogin\MiNODLogin.exe
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2C735C13-E7DB-436A-95EE-C3981B2B01D6}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2C735C13-E7DB-436A-95EE-C3981B2B01D6}: NameServer = 192.168.1.1
    O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: MotoHelper Service (MotoHelper) - Unknown owner - C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files (x86)\OpenVPN\bin\openvpnserv.exe
    O23 - Service: PhoneMyPC_Helper - SoftwareForMe Inc - C:\Program Files\SoftwareForMe Inc\PhoneMyPC\PhoneMyPC_Helper.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 8562 bytes
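    A triage pass over a HijackThis log of this kind, as an added example (it is not part of the original thread and not HijackThis's own code): it parses the O4, O20 and O23 entries and the running-process list, flags autostarts that live outside Program Files or Windows, any AppInit_DLLs entry, and services with no vendor information, and separates the "(file missing)" entries under System32, which a 32-bit HijackThis produces on 64-bit Windows because of WOW64 file-system redirection, from entries that actually need a look. The sample input is excerpted from the log above plus one constructed Run line (named "constructed-example") showing the usual shape of an autostart that produces a "module not found" error once the DLL it names has been removed; the gclgaf40.dll name is taken from the post, the path around it is made up.

```python
import re
from collections import Counter

# Constructed sample input: lines excerpted from the HijackThis log posted
# above, plus ONE constructed O4 line (named "constructed-example") showing
# the usual shape of an autostart that yields a "module not found" error
# after its DLL has been deleted. It illustrates how to read such a log; it
# is not a verdict on the poster's machine.
SAMPLE_LOG = r"""Running processes:
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [Everything] "C:\Program Files (x86)\Everything\Everything.exe" -startup
O4 - HKLM\..\RunServices: [BulletProof FTP Server 2011 Startup] C:\Program Files (x86)\BulletProof FTP Server 2011\bpftpserver-2011.exe
O4 - HKCU\..\Run: [7 Taskbar Tweaker] "C:\Users\Xplorer4x4\AppData\Roaming\7 Taskbar Tweaker\7 Taskbar Tweaker.exe" -hidewnd
O4 - HKCU\..\Run: [constructed-example] rundll32.exe C:\Users\example\AppData\Local\Temp\gclgaf40.dll,Startup
O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: MotoHelper Service (MotoHelper) - Unknown owner - C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe
"""

# The module named in the boot-time error the poster described.
REPORTED_MISSING_DLL = "gclgaf40.dll"

# Autostarts under these roots are not automatically fine, but ones elsewhere
# (AppData, Temp, the profile root) are where a reviewer looks first.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows", "%programfiles%", "%systemroot%")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")


def exe_path(cmd):
    """Return the executable portion of an autostart command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|cpl|scr))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def split_cmd(cmd):
    """Split an autostart command line into (executable, remaining arguments)."""
    exe = exe_path(cmd)
    rest = cmd.strip()
    rest = rest[len(exe) + 2:] if rest.startswith('"') else rest[len(exe):]
    return exe, rest.strip()


def triage(log_text, reported_missing_dll=None):
    """Return (severity, log_line, reason) tuples for lines worth a look.

    "high": directly explains the reported symptom; "review": a human must
    confirm the vendor or origin; "low": probable tool artefact; "info":
    context only.
    """
    findings = []
    wanted = (reported_missing_dll or "").lower()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"^[A-Za-z]:\\", line):  # entry in the "Running processes" list
            if line.lower().endswith(r"\rundll32.exe"):
                findings.append(("info", line, "rundll32.exe only hosts a DLL; find the autostart that names the DLL"))
            continue
        m = O4_RE.match(line)
        if m:
            exe, args = split_cmd(m.group("cmd"))
            if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
                dll = args.split(",", 1)[0].strip('"')  # rundll32 syntax: <dll>,<entrypoint>
                if wanted and dll.lower().endswith(wanted):
                    findings.append(("high", line, "autostart loads the DLL named in the boot error; the file is gone but the Run entry remains"))
                else:
                    findings.append(("review", line, "rundll32 autostart: confirm which product installed the DLL"))
            elif not exe.lower().startswith(TRUSTED_ROOTS):
                findings.append(("review", line, "autostart outside Program Files / Windows (user-writable location)"))
            if "RunServices" in m.group("hive"):
                findings.append(("info", line, "legacy RunServices key (Windows 9x era); confirm the product created it"))
            continue
        if O20_RE.match(line):
            findings.append(("review", line, "AppInit_DLLs loads into every process that links user32.dll; confirm the vendor"))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            in_system32 = "\\windows\\system32\\" in m.group("path").lower()
            if m.group("missing") and in_system32:
                findings.append(("low", line, "'file missing' under System32 is the usual WOW64 redirection artefact of a 32-bit HijackThis on 64-bit Windows"))
            elif not m.group("missing"):
                findings.append(("review", line, "service with no vendor information; check the binary's signature and install date"))
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {"high": 1, "review": 3, ...}."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, line, why in triage(SAMPLE_LOG, REPORTED_MISSING_DLL):
        print(f"[{sev:6}] {line}\n         {why}")
```

    The point of the severity split is to keep the dozens of "(file missing)" system-service lines from drowning out the handful of entries that explain a symptom; in a real case the "review" items are then checked against the binary's signature and install date rather than trusted or removed on the strength of the log alone.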
     
  2. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Hi Xplorer4,
    I see you are a Senior Member so I’ll try not to patronize you. Lol

    Move your HJT:
    C:\Users\Xplorer4x4\Desktop\HijackThis.exe HijackThis must be run in its own folder. Only if HijackThis is run in its own folder will it create backups! E.g. C:\Program Files\HijackThis\HijackThis.exe

    Deluge is a nasty...
    If you can find it in add/remove programs then un-install it. If not, use HJT to fix this line:
    C:\Program Files (x86)\Deluge\deluge-gtk.exe

    Download and run SuperAntiSpyware Free – That should take care of it. If not, give me a shout..

    You really need an Anti Virus. You have remnants of ESET NOD32 but it is not running.
    If it's out of date and you don't want to pay for it, just uninstall and install a free one that is better... MS Essentials AV or Avira AntiVir Free. Both are free and both work better than NOD32.


    2oG
     
  3. Xplorer4

    Xplorer4 Active member

    Joined:
    Apr 13, 2006
    Messages:
    1,080
    Likes Received:
    0
    Trophy Points:
    66
    Hey 2oG, thanks for the answer. I have already done a format and clean install to solve the problem, but I just did another HJT log and see similar results.
    http://pastebin.com/4UssykMD

    If memory serves me right I did try SuperAntiSpyware Free but it found no real infections. It found a false positive or two, maybe a tracking cookie or two, but nothing of any real significance. Will give it another try.

    As far as security goes, I had NOD32 installed and running. I assure you it was running. I had Malwarebytes installed, but I always have it set up for a daily scheduled scan rather than real-time protection. I tried Microsoft Standalone System Sweeper and that did find something if memory serves me right, but it was unable to clean it and I was too impatient to wait on a scan of the F-Secure Rescue CD to run and clean it out.

    If you have any more ideas let me know. In the meantime I will run a scan or two and get back with the results.

    Going to run another scan of Super. I assume the portable version will do the trick?

    Also, what are you talking about in regard to deluge? Since when did Deluge become a problem? :s
     
    Last edited: Sep 7, 2011