
Protect.dll Remnants

1K views 0 replies 1 participant last post by  mzpoizn 
We have a server that is used specifically for connecting remote offices to our main office through Terminal Server. Somehow, this server became infected with a virus. According to a McAfee virus scan, the virus was a Generic.dx!fhi and it was located in C:\Windows\System32\autochk.dll. I ran Malwarebytes Anti-Malware to remove the virus. It seems to have removed the virus, as the pop-ups have stopped. However, each user that logs in receives a rundll error message screen that says, "Error Loading C:\DOCUME~1\username\protect.dll. The specified module could not be found." They are able to cancel out of this error screen and work, but I know this is a remnant of the virus.

Could you please review my HijackThis log to let me know how to remove these files once and for all?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:16 PM, on 9/29/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Compaq\vcagent\vcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\ProPatches\Scheduler\stAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lserver.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\WINDOWS\system32\CpqRcmc.exe
C:\WINDOWS\system32\sysdown.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\RightFax\Client\faxctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\RightFax\Client\faxctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Wintrix\wx2.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\scrnsave.scr
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\faxctrl.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-1269\..\Run: [] (User 'Robert')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-1269\..\Run: [autochk] rundll32.exe C:\DOCUME~1\George\protect.dll,_IWMPEvents@16 (User 'Robert')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-1273\..\Run: [] (User 'joe')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-1284\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'barry')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-1382\..\Run: [] (User 'david')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-1393\..\Run: [] (User 'cindy')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-1505\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-1538\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-1599\..\Run: [ShoreTel Personal Call Manager] C:\Program Files\Shoreline Communications\ShoreWare Client\StartCli.exe (User 'mike')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-1644\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'marcus')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-1693\..\Run: [] (User 'darius')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-1721\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'ariel')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-1727\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-1819\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-1899\..\Run: [ShoreTel Personal Call Manager] C:\Program Files\Shoreline Communications\ShoreWare Client\StartCli.exe (User 'joseph')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-1902\..\Run: [ShoreTel Personal Call Manager] C:\Program Files\Shoreline Communications\ShoreWare Client\StartCli.exe (User 'sean')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-2759\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'rick')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-2962\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-2991\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'kedrick')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-3016\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'kirk')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-3084\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'andrew')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-3111\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'john')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-3134\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'jermaine')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-3157\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Dwight')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-3176\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'jim')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-3182\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'pauline')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-3183\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'lawrence')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-4229\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'carol')
O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-4284\..\Run: [ShoreTel Personal Call Manager] C:\Program Files\Shoreline Communications\ShoreWare Client\StartCli.exe (User 'charles')
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - Startup: Shortcut to Bginfo.lnk = C:\temp\Bginfo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\mswsock.dll' missing
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} - http://dm.cometsystems.com/dm/dm_286.cab
O16 - DPF: {3AC3D009-2E89-4F1E-9F51-04D4FBD50122} (Shoretel SClientInstall) - http://10.1.2.205/shorewaredirector/clientinstall/ShoretelClientInstall.ocx
O16 - DPF: {47489CC3-B1AB-4414-A7D9-4A6380D819D8} (ConfigManager Control) - file://C:\Program Files\Onssi\NetGuard Remote Client\ConfigManager.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/12856badf7372c18d514/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157070101076
O16 - DPF: {817444B5-4D12-4EEB-8E78-C547E84F80B6} (EngineManager Control) - file://C:\Program Files\Onssi\NetGuard Remote Client\EngineManager.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://10.1.2.227/activex/AMC.cab
O16 - DPF: {E7B12A6B-341F-4765-A9EA-29A745916878} (ImageViewer Control) - file://C:\Program Files\Onssi\NetGuard Remote Client\ImageViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xyzco.com
O17 - HKLM\Software\..\Telephony: DomainName = xyzco.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{BCE73ACC-1CA3-4230-AE5A-DF5A6839891F}: Domain = xyzco.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{BCE73ACC-1CA3-4230-AE5A-DF5A6839891F}: NameServer = 10.1.1.10,10.1.1.16
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xyzco.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xyzco.com
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\Compaq\vcagent\vcagent.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Shavlik Remote Agent Service (stAgent) - Unknown owner - C:\WINDOWS\ProPatches\Scheduler\stAgent.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe

--
End of file - 12537 bytes
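The remnant is visible in the log itself: the O4 line for user 'Robert' still carries a Run value named [autochk] that tells rundll32.exe to load C:\DOCUME~1\George\protect.dll, and once the scanner deleted the DLL that value produces exactly the "specified module could not be found" dialog at every logon. As an added example (not from the thread, the poster, or HijackThis), the Python below parses O4 lines and flags Run/RunOnce values whose target file no longer exists; the file-existence check is injected as a callable so the sample runs offline, and SAMPLE_O4_LINES and PRESENT_FILES are constructed from the log above.

```python
import re
from typing import Callable, Optional

# Constructed sample: O4 lines copied from the HijackThis log above.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE',
    r'O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\faxctrl.exe',
    r"O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-1269\..\Run: [] (User 'Robert')",
    r"O4 - HKUS\S-1-5-21-1621393026-1209536797-370870702-1269\..\Run: [autochk] rundll32.exe C:\DOCUME~1\George\protect.dll,_IWMPEvents@16 (User 'Robert')",
]
# Constructed stand-in for the disk (use os.path.exists on the real host):
# the McAfee and RightFax binaries are present, protect.dll has been removed.
PRESENT_FILES = {
    r"C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE".lower(),
    r"C:\Program Files\RightFax\Client\faxctrl.exe".lower(),
}
# O4 layout: "O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command> (User '<name>')"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\]"
                   r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")

def command_target(cmd: str) -> Optional[str]:
    """Return the file a Run value actually loads, or None for an empty value."""
    cmd = cmd.strip()
    if not cmd:
        return None
    if cmd.startswith('"'):                       # quoted path: up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    if tokens[0].lower().endswith("rundll32.exe") and len(tokens) > 1:
        # rundll32 form "<dll>,<entry point>": the DLL is what must exist, not rundll32
        return command_target(cmd[len(tokens[0]):].strip().split(",", 1)[0])
    for i in range(1, len(tokens) + 1):           # unquoted path that may contain spaces
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith((".exe", ".dll", ".scr", ".com", ".bat", ".cmd")):
            return candidate
    return tokens[0]

def find_orphaned_autoruns(lines, exists: Callable[[str], bool]):
    """Flag Run/RunOnce values whose target file is gone: the classic post-cleanup remnant."""
    orphans = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:                                 # skip non-registry O4 lines (O4 - Startup:)
            continue
        target = command_target(m.group("cmd"))
        if target is not None and not exists(target):
            orphans.append({"hive": m.group("hive"), "key": m.group("key"), "value": m.group("name"),
                            "user": m.group("user"), "target": target})
    return orphans
```

Call `find_orphaned_autoruns(lines, os.path.exists)` on the affected machine; the 8.3 path C:\DOCUME~1\... resolves natively on Windows, so a hit there confirms that the value (HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run, value name autochk) points at a file that is really gone.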
 