# HJT log for review

Tony D


There are 3 BHO (no name) items. I used HJT to remove the 2 that are not in the Symantec folder. When I restart the machine, they come back.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:29 PM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Verizon.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ho_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: (no name) - {1726607F-2762-42EA-A1A7-298B5AED5F6E} - c:\windows\system32\lpyednhx.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {4C65707E-7FED-4416-83DD-B476289C3705} - c:\windows\system32\gh***hb.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [TP CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCuw.exe" -G:{2D617065-1C52-4240-B5BC-C0AE12157777} -T:Config
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: anayriad - C:\WINDOWS\SYSTEM32\gh***hb.dll
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

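Added example, not code from this thread or from HijackThis: a small Python triage script that parses the O2/O20 sections quoted above and flags the pattern behind "they come back when I restart", namely the same DLL registered both as a BHO (O2) and as a Winlogon Notify package (O20). A Notify DLL is loaded by winlogon at every logon, so fixing only the O2 line leaves the loader in place, which matches the symptom. The sample lines are copied from the log with the forum's *** masking left as it appears; the three heuristics are my own.

```python
import re

# Constructed sample: lines copied from the HijackThis log above, with the
# forum's "***" masking of the file name left exactly as it appears there.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1726607F-2762-42EA-A1A7-298B5AED5F6E} - c:\windows\system32\lpyednhx.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {4C65707E-7FED-4416-83DD-B476289C3705} - c:\windows\system32\gh***hb.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: anayriad - C:\WINDOWS\SYSTEM32\gh***hb.dll
"""

SECTIONS = {"O2", "O3", "O20", "O23", "R3"}   # HJT sections whose last field is a file path
SYSTEM_DIR = "c:\\windows\\system32\\"

def parse_entries(log_text):
    """Split HJT lines of the form 'Oxx - Kind: name - ... - path' into dicts."""
    entries = []
    for line in log_text.splitlines():
        parts = line.strip().split(" - ")
        if len(parts) < 3 or parts[0] not in SECTIONS:
            continue
        kind, _, name = parts[1].partition(": ")
        path = parts[-1]
        missing = path.endswith("(file missing)")
        path = path.replace("(file missing)", "").strip()
        entries.append({"section": parts[0], "kind": kind, "name": name,
                        "path": path, "key": path.lower(), "missing": missing})
    return entries

def triage(entries):
    """Return (reason, detail, path) tuples for entries worth a closer look."""
    findings = []
    by_key = {}
    for e in entries:
        by_key.setdefault(e["key"], []).append(e)
        if e["section"] == "O2" and e["missing"]:
            findings.append(("orphaned_bho", e["name"], e["path"]))   # dead CLSID, safe to fix
        elif e["section"] == "O2" and e["name"] == "(no name)" and e["key"].startswith(SYSTEM_DIR):
            findings.append(("unnamed_bho_in_system32", e["name"], e["path"]))  # heuristic
    # Same DLL in O20 plus another section: winlogon loads it at every logon,
    # so fixing only the O2 line with HJT will not keep it gone.
    for key, group in by_key.items():
        sections = sorted({g["section"] for g in group})
        if "O20" in sections and len(sections) > 1:
            findings.append(("winlogon_reloads", "/".join(sections), group[0]["path"]))
    return findings

if __name__ == "__main__":
    for reason, detail, path in triage(parse_entries(SAMPLE_LOG)):
        print(f"{reason:24} {detail:10} {path}")
```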
FPCH Long Term Member
Hi Kelly

1. Did you run the ATF?
2. Did you successfully run SAS?
3. Did you successfully run MBAM?
4. Did you successfully run the ESET online scan?
5. Did you reboot the computer?
6. Remove ALL the toolbar applications on the box. You can reinstall them later if you want them.

Click on Start - Run - {type in CMD and hit the Enter key}
Then type the following followed by the ENTER KEY

CD\
CD WINDOWS
CD SYSTEM32
ATTRIB GH*.DLL

Then let us know what files it finds that start with GH*.DLL


Tony D


I have already run through steps 1 through 5. I haven't removed the toolbar apps. Do you think that's necessary? If I remove them, then I'll have to find them to reinstall them.

I can look in the System32 folder and see the file: gh***hb.dll. There is even a backup of it: gh***hb.dll.bak. I'm unable to delete either of them - Access is denied.

The DOS command returns only the gh***hb.dll file.

I've started in Diagnostic Startup. If I try Safe Mode it restarts itself. I can select Safe Mode and get to the user login screen. Shortly after clicking either the Admin or the user account, the machine restarts itself. I don't know that these are related issues.

Forgot to mention - XP Media Edition SP-2.

I can pull the drive and slave it to another machine to delete the files. Better yet, I can use Recovery Console to delete them. What do you think of those options?

FPCH Long Term Member
Kelly,

There is no way to create a file name with an * in it. That is WILD CARD for Windows.

If you are seeing that, then I would say that somehow it's being masked by some application. You may need to submit it to MBAM and SAS to have them analyze it.

But if you had all 3 scanners say the system is CLEAN, then seeing that is surely odd, in my opinion.

What is the file date on the file?

Tony D


Yes - I understand the * being a wildcard. Subsequent HJT scans show the file as gh***hb.dll. That's the same name I see in the System32 folder. Maybe HJT hiccupped when I posted the log.

The date on gh***hb.dll is 4/16/2008 - two days ago.
The date on gh***hb.dll.bak is 4/18/2008 - today.

A web search for the file name returns no hits.

FPCH Long Term Member
Do you see this exact same name in a DOS prompt, not in Explorer?

DOS for the most part ignores all the fancy registry and folder hacks that hide and manipulate things.

Tony D


Yup - the name is the same in both. Wait - what is going on here? I looked at my post and the name of the file has *'s. I didn't post that. The file name is gh***hb.dll. Where did those *** come from?

Tony D


Something is very strange here. I posted the file name without *** and it shows up in my posts with ***. I'm going to post the file name with spaces between the digits to see if that helps: g h a g h b . d l l

Tony D


OK - this time the file name is correct - with the exception of the space characters between the actual characters. Something is wrong here. If I post the name of the file, *** shows up in the forum post. That's not what I typed in.

btw: I'm not posting from the suspected infected machine. I'm posting from my Mac.

FPCH Long Term Member
Yes, actually that is a malware tactic. I forget the name of the one that is doing that but I'll check and get back with you on it.

Basically it comes along and actually renames valid files by just putting a space in the name.

Be back later

Tony D


Thanks - I thought I was losing it.

FPCH Long Term Member
Well, I can't seem to find it right now, but if you do a DIR in DOS of your Windows folder and SYSTEM32 folder for EXE and DLL files, see what you find.

C:\WINDOWS and C:\WINDOWS\SYSTEM32
DIR *.EXE (look for EXE with a space in the name)
DIR *.DLL (look for DLL with a space in the name)

You may have to use ATTRIB *.EXE and *.DLL to see if any are being hidden from you as they should not be.

Then post a list of these files here.

The system is probably clean as the scanners say, but the damage is because they are valid files - they've just been renamed.

Tony D


Sorry AS, but I don't understand what you want me to do. The file is in system32. There are no spaces in the file name. I only posted the file name with spaces between the characters because if I post the name as it really is, the forum takes out characters and replaces them with ***.

FPCH Long Term Member
If you put the name in [ code ] tags or put in your own spaces what does the board software do?

Example.
Code:
G  H  O  S  T  .  E  X  E

Seth


I doubt that BHO dll will have any effect.

I'd get rid of the Ask toolbar from add/remove, then blow out IE7 with the reset feature.

The RC or slave will be fine to delete that file if you want.

Tony D


Let's see - here is the name of the file and the same name with spaces between the digits

gh***hb.dll g h b a g h b . d l l

They should be the same, but they are not. The forum software inserted the ***.

Tony D


The system is pretty good. Customer had purchased Norton 360 and the install didn't go right. With the help of folks here, the bad boys were removed. I had to remove Norton 360 and then reinstall it to get it working.

Problem now is that 1 in 3 Shut Downs come with ccSvcHst.exe – Application error, which from what I've read is Norton related. What a pain!!! I really don't know what to do about it at this point. Seems a lot of people have this problem with Norton AV 2007, but I don't see anything addressing Norton 360 v2.

Tony D


Not finding a solution to the error message when shutting down, I contacted Symantec's tech support and established a chat session. It went pretty well. The solution was to configure the Norton firewall to ALLOW connection of programs that were listed in the Firewall Program Rules.

What bothers me is that they allowed lmi_rescue to access the Internet. This doesn't fit right with me and I will set it to BLOCK.