• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
IT-Jedi

Need a litle corporate help

4 posts in this topic

After running McAfee Stinger for viruses and Spybot, Adaware and Spy Sweeper for the spyware I turn to all of you.

 

The symptom is that IE will stop during the page load just as its about to finish and then sit there for 5 minutes or so before continueing. I have included the HJT log below.

 

Just need some guidance on what of these are safe to remove. Also we see something hitting the proxy for internet access at start up and randomly throughout the day. If I let it go out to the net it immeadiately installs Internet Keyword (inetmgr and inetsvc).

 

Thanks

Wes Anderosn

Client Support Services

 

Logfile of HijackThis v1.97.7

Scan saved at 4:20:51 PM, on 7/1/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\System32\CCM\CcmExec.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINNT\System32\msiexec.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\hjt\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.20.32.62:4480

O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINNT\System32\icddefff.dll

O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINNT\System32\wmcbaaca.dll

O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINNT\System32\ielcaabe.dll

O2 - BHO: (no name) - {00000000-10D6-4e5f-8F7F-29B32C1C0FC4} - C:\WINNT\System32\icddefff.dll

O2 - BHO: (no name) - {00000000-167B-41bc-95FF-86A07B14712C} - C:\WINNT\System32\he3bbcff.dll

O2 - BHO: (no name) - {00000000-2565-4c5b-A455-A74C8A2247AB} - C:\WINNT\System32\wmcbaaca.dll

O2 - BHO: (no name) - {00000000-64C4-4a64-9767-895AB4921E41} - C:\WINNT\System32\ielcaabe.dll

O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - C:\WINNT\System32\he3bbcff.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINNT\System32\he3bbcff.dll,EnableRunDLL32

O4 - HKLM\..\Run: [wmcbaaca] rundll32.exe C:\WINNT\System32\wmcbaaca.dll,EnableRunDLL32

O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINNT\System32\icddefff.dll,EnableRunDLL32

O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINNT\System32\ielcaabe.dll,EnableRunDLL32

O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINNT\System32\he3bbcff.dll,EnableRunDLL32

O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINNT\System32\wmcbaaca.dll,EnableRunDLL32

O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINNT\System32\icddefff.dll,EnableRunDLL32

O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINNT\System32\ielcaabe.dll,EnableRunDLL32

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll

O16 - DPF: {ed54a7b0-6c1c-11d5-b63d-00c04faedb18} -

O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lucasfilm.alllucas.com

O17 - HKLM\Software\..\Telephony: DomainName = lucasfilm.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{854ED9C9-23C0-464F-A062-61DE875207EF}: NameServer = 172.20.4.7,172.20.4.8

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lucasfilm.alllucas.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = lucasfilm.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lucasfilm.alllucas.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = lucasfilm.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = lucasfilm.com

Edited by IT-Jedi

Share this post


Link to post
Share on other sites

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

 

O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINNT\System32\icddefff.dll

O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINNT\System32\wmcbaaca.dll

O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINNT\System32\ielcaabe.dll

O2 - BHO: (no name) - {00000000-10D6-4e5f-8F7F-29B32C1C0FC4} - C:\WINNT\System32\icddefff.dll

O2 - BHO: (no name) - {00000000-167B-41bc-95FF-86A07B14712C} - C:\WINNT\System32\he3bbcff.dll

O2 - BHO: (no name) - {00000000-2565-4c5b-A455-A74C8A2247AB} - C:\WINNT\System32\wmcbaaca.dll

O2 - BHO: (no name) - {00000000-64C4-4a64-9767-895AB4921E41} - C:\WINNT\System32\ielcaabe.dll

O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - C:\WINNT\System32\he3bbcff.dll

 

O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINNT\System32\he3bbcff.dll,EnableRunDLL32

O4 - HKLM\..\Run: [wmcbaaca] rundll32.exe C:\WINNT\System32\wmcbaaca.dll,EnableRunDLL32

O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINNT\System32\icddefff.dll,EnableRunDLL32

O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINNT\System32\ielcaabe.dll,EnableRunDLL32

O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINNT\System32\he3bbcff.dll,EnableRunDLL32

O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINNT\System32\wmcbaaca.dll,EnableRunDLL32

O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINNT\System32\icddefff.dll,EnableRunDLL32

O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINNT\System32\ielcaabe.dll,EnableRunDLL32

 

O16 - DPF: {ed54a7b0-6c1c-11d5-b63d-00c04faedb18} -

O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -

Reboot and delete

 

files

C:\WINNT\System32\he3bbcff.dll

C:\WINNT\System32\wmcbaaca.dll

C:\WINNT\System32\icddefff.dll

C:\WINNT\System32\ielcaabe.dll

 

These may be hidden files. See HERE for how to show hidden files.

 

Please post a followup Hijack this log, and say if your problems persist.

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.97.7

Scan saved at 5:22:50 PM, on 7/1/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\WINNT\System32\CCM\CcmExec.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\msiexec.exe

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Palm\hotsync.exe

C:\hjt\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.lucasfilm.com

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll

O16 - DPF: {ed54a7b0-6c1c-11d5-b63d-00c04faedb18} -

O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lucasfilm.alllucas.com

O17 - HKLM\Software\..\Telephony: DomainName = lucasfilm.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{854ED9C9-23C0-464F-A062-61DE875207EF}: NameServer = 172.20.4.7,172.20.4.8

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lucasfilm.alllucas.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = lucasfilm.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lucasfilm.alllucas.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = lucasfilm.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = lucasfilm.com

 

 

 

Worked perfectly! Thank you very much for your help Dave. You may see some of the other members of the CSS team here post in the future as spyware is becoming a big issue due to its impact on productivity for certain users.

 

Wes

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0