Need a little corporate help


3 replies to this topic

#1 IT-Jedi

IT-Jedi

    Member

  • New Member
  • 2 posts

Posted 01 July 2004 - 06:30 PM

After running McAfee Stinger for viruses and Spybot, Adaware and Spy Sweeper for the spyware I turn to all of you.

The symptom is that IE will stop during the page load just as it's about to finish and then sit there for 5 minutes or so before continuing. I have included the HJT log below.

Just need some guidance on which of these are safe to remove. Also we see something hitting the proxy for internet access at start up and randomly throughout the day. If I let it go out to the net it immediately installs Internet Keyword (inetmgr and inetsvc).

Thanks
Wes Anderson
Client Support Services

Logfile of HijackThis v1.97.7
Scan saved at 4:20:51 PM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\CCM\CcmExec.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.20.32.62:4480
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINNT\System32\icddefff.dll
O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINNT\System32\wmcbaaca.dll
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINNT\System32\ielcaabe.dll
O2 - BHO: (no name) - {00000000-10D6-4e5f-8F7F-29B32C1C0FC4} - C:\WINNT\System32\icddefff.dll
O2 - BHO: (no name) - {00000000-167B-41bc-95FF-86A07B14712C} - C:\WINNT\System32\he3bbcff.dll
O2 - BHO: (no name) - {00000000-2565-4c5b-A455-A74C8A2247AB} - C:\WINNT\System32\wmcbaaca.dll
O2 - BHO: (no name) - {00000000-64C4-4a64-9767-895AB4921E41} - C:\WINNT\System32\ielcaabe.dll
O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - C:\WINNT\System32\he3bbcff.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINNT\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wmcbaaca] rundll32.exe C:\WINNT\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINNT\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINNT\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINNT\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINNT\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINNT\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINNT\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O16 - DPF: {ed54a7b0-6c1c-11d5-b63d-00c04faedb18} -
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lucasfilm.alllucas.com
O17 - HKLM\Software\..\Telephony: DomainName = lucasfilm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{854ED9C9-23C0-464F-A062-61DE875207EF}: NameServer = 172.20.4.7,172.20.4.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lucasfilm.alllucas.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = lucasfilm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lucasfilm.alllucas.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = lucasfilm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = lucasfilm.com

Edited by IT-Jedi, 01 July 2004 - 06:55 PM.


#2 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • 8,508 posts

Posted 01 July 2004 - 07:07 PM

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.


O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINNT\System32\icddefff.dll
O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINNT\System32\wmcbaaca.dll
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINNT\System32\ielcaabe.dll
O2 - BHO: (no name) - {00000000-10D6-4e5f-8F7F-29B32C1C0FC4} - C:\WINNT\System32\icddefff.dll
O2 - BHO: (no name) - {00000000-167B-41bc-95FF-86A07B14712C} - C:\WINNT\System32\he3bbcff.dll
O2 - BHO: (no name) - {00000000-2565-4c5b-A455-A74C8A2247AB} - C:\WINNT\System32\wmcbaaca.dll
O2 - BHO: (no name) - {00000000-64C4-4a64-9767-895AB4921E41} - C:\WINNT\System32\ielcaabe.dll
O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - C:\WINNT\System32\he3bbcff.dll

O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINNT\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wmcbaaca] rundll32.exe C:\WINNT\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINNT\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINNT\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINNT\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINNT\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINNT\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINNT\System32\ielcaabe.dll,EnableRunDLL32

O16 - DPF: {ed54a7b0-6c1c-11d5-b63d-00c04faedb18} -
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -

Reboot and delete the following files:

C:\WINNT\System32\he3bbcff.dll
C:\WINNT\System32\wmcbaaca.dll
C:\WINNT\System32\icddefff.dll
C:\WINNT\System32\ielcaabe.dll

These may be hidden files. See HERE for how to show hidden files.

Please post a follow-up HijackThis log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum
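A small triage script, added here as an example (it is not from dave38 and not part of HijackThis), that parses O2 and O4 lines in the HijackThis log format shown above and flags the two patterns the fix list targets: one DLL registered as a BHO under several CLSIDs, and the same DLL re-launched by rundll32 from a Run key. The sample lines are a constructed subset of the log posted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis log format; paths and CLSIDs are copied from
# the log posted in this thread, the choice of lines is my own.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINNT\System32\icddefff.dll
O2 - BHO: (no name) - {00000000-10D6-4e5f-8F7F-29B32C1C0FC4} - C:\WINNT\System32\icddefff.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINNT\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINNT\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
"""

O2_RE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
O4_RE = re.compile(r"^O4 - HK[A-Z]+\\\.\.\\Run: \[([^\]]+)\] (.+)$")
DLL_RE = re.compile(r'([A-Za-z]:\\[^",]*?\.dll)', re.IGNORECASE)

def parse_hjt(log_text):
    """Map each BHO DLL (lowercased path) to the CLSIDs registering it, and each
    DLL that rundll32 loads from a Run key to the Run value names doing so."""
    bhos, runs = defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            bhos[m.group(2).strip().lower()].add(m.group(1).upper())
            continue
        m = O4_RE.match(line)
        if m and "rundll32" in m.group(2).lower():
            d = DLL_RE.search(m.group(2))
            if d:
                runs[d.group(1).lower()].append(m.group(1))
    return bhos, runs

def suspicious_dlls(log_text):
    """Flag a BHO DLL registered under several CLSIDs, or re-launched by
    rundll32 from a Run key; both patterns are what the fix list above removes."""
    bhos, runs = parse_hjt(log_text)
    findings = {}
    for dll, clsids in bhos.items():
        reasons = []
        if len(clsids) > 1:
            reasons.append(f"registered under {len(clsids)} BHO CLSIDs")
        if dll in runs:
            reasons.append("re-launched from Run values " + ", ".join(runs[dll]))
        if reasons:
            findings[dll] = reasons
    return findings
```

Run `suspicious_dlls(open("hijackthis.log").read())` on a real log to get a dict of flagged DLL paths with the reasons; legitimate BHOs such as SDHelper.dll are left alone because they match neither pattern.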

#3 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 01 July 2004 - 07:12 PM

:::Edit:::
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#4 IT-Jedi

IT-Jedi

    Member

  • New Member
  • 2 posts

Posted 01 July 2004 - 07:28 PM

Logfile of HijackThis v1.97.7
Scan saved at 5:22:50 PM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\System32\CCM\CcmExec.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\msiexec.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Palm\hotsync.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.lucasfilm.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O16 - DPF: {ed54a7b0-6c1c-11d5-b63d-00c04faedb18} -
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lucasfilm.alllucas.com
O17 - HKLM\Software\..\Telephony: DomainName = lucasfilm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{854ED9C9-23C0-464F-A062-61DE875207EF}: NameServer = 172.20.4.7,172.20.4.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lucasfilm.alllucas.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = lucasfilm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lucasfilm.alllucas.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = lucasfilm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = lucasfilm.com



Worked perfectly! Thank you very much for your help Dave. You may see some of the other members of the CSS team here post in the future as spyware is becoming a big issue due to its impact on productivity for certain users.

Wes



