
HJT log for review

Tony D

Free PC Help Long Term Member
Joined
Dec 30, 2007
Messages
704
Location
Malvern, PA (USA)
PC Experience
Some Experience
Operating System
OSX
#1
There are 3 BHO (no name) items. I used HJT to remove the 2 that are not in the Symantec folder. When I restart the machine, they come back.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:29 PM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Verizon.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ho_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search ***istant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1726607F-2762-42EA-A1A7-298B5AED5F6E} - c:\windows\system32\lpyednhx.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {4C65707E-7FED-4416-83DD-B476289C3705} - c:\windows\system32\gh***hb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [TP CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCuw.exe" -G:{2D617065-1C52-4240-B5BC-C0AE12157777} -T:Config
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: anayriad - C:\WINDOWS\SYSTEM32\gh***hb.dll
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
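As an added example, not part of the original post and not code from HijackThis: a small Python parser for the O2 (BHO) and O20 (Winlogon Notify) lines in a log of the format above. It takes six entries copied from the log (keeping the file name exactly as the forum rendered it, asterisks included) and flags the three patterns a reviewer would pick out here: a BHO with no name loading from system32, a registered BHO whose DLL is not on disk, and a DLL that appears both as a BHO and as a Winlogon Notify handler. The flagging heuristics are my own, not HJT's.

```python
import re

# Entries copied from the HijackThis log above. Constructed sample input
# for this example; the *** file name is kept as the forum showed it.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1726607F-2762-42EA-A1A7-298B5AED5F6E} - c:\windows\system32\lpyednhx.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {4C65707E-7FED-4416-83DD-B476289C3705} - c:\windows\system32\gh***hb.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: anayriad - C:\WINDOWS\SYSTEM32\gh***hb.dll
"""

# Line shapes handled:
#   "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]"
#   "O20 - Winlogon Notify: <name> - <path>"
LINE_RE = re.compile(
    r"^(O\d+) - (BHO|Winlogon Notify): (.*?) - (?:\{([0-9A-Fa-f-]+)\} - )?(.+)$"
)
MISSING = "(file missing)"
SYSTEM32 = "c:\\windows\\system32\\"


def normalize(path):
    """Lower-case a Windows path so the same DLL compares equal across entries."""
    return path.strip().lower()


def parse_entries(text):
    """Parse O2/O20 lines into dicts; every other HJT section is ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, kind, name, clsid, target = m.groups()
        missing = target.endswith(MISSING)
        if missing:
            target = target[: -len(MISSING)].rstrip()
        entries.append({
            "section": section, "kind": kind, "name": name,
            "clsid": clsid, "path": target, "file_missing": missing,
        })
    return entries


def assess(entries):
    """Return (clsid, path, reasons) for each O2 entry that deserves a closer look."""
    winlogon_dlls = {normalize(e["path"]) for e in entries if e["section"] == "O20"}
    findings = []
    for e in entries:
        if e["section"] != "O2":
            continue
        path = normalize(e["path"])
        reasons = []
        if e["name"] == "(no name)" and path.startswith(SYSTEM32):
            reasons.append("unnamed BHO loading from system32")
        if e["file_missing"]:
            reasons.append("CLSID registered but DLL not on disk (orphan, or hidden from the scanner)")
        if path in winlogon_dlls:
            reasons.append("same DLL also registered as a Winlogon Notify handler")
        if reasons:
            findings.append((e["clsid"], e["path"], reasons))
    return findings


if __name__ == "__main__":
    for clsid, path, reasons in assess(parse_entries(SAMPLE_LOG)):
        print(f"{{{clsid}}} {path}")
        for r in reasons:
            print("   -", r)
```

Point it at a saved log with `assess(parse_entries(open("hijackthis.log").read()))`. The third flag is the one that matters for the symptoms described in the post: a DLL that winlogon.exe loads through a Notify entry stays in use for the whole session, which is consistent with the "Access is denied" on deletion, and code running there can put the BHO registration back after HJT removes it.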
 

AdvancedSetup

FPCH Long Term Member
Joined
Jan 9, 2008
Messages
819
Location
34° 12' 35" N, 118° 29' 21" W
#2
Hi Kelly

1. Did you run the ATF?
2. Did you successfully run SAS?
3. Did you successfully run MBAM?
4. Did you successfully run ESET online scan?
5. Did you reboot the computer?
6. Remove ALL the toolbar applications on the box. You can reinstall them later if you want them


Click on Start - Run - {type in CMD and hit the Enter key}
Then type the following followed by the ENTER KEY

CD\
CD WINDOWS
CD SYSTEM32
ATTRIB GH*.DLL


Then let us know what files it finds that start with GH*.DLL


 

Tony D
#3
I have already run through steps 1 through 5. I haven't removed the toolbar apps. Do you think that's necessary? If I remove them, then I'll have to find them to reinstall them.

I can look in the System32 folder and see the file: gh***hb.dll. There is even a backup of it: gh***hb.dll.bak. I'm unable to delete either of them - Access is denied.

The DOS command returns only the gh***hb.dll file.

I've started in Diagnostic Startup. If I try Safe Mode it restarts itself. I can select Safe Mode and get to the user login screen. Shortly after clicking either the Admin or the user account, the machine restarts itself. I don't know that these are related issues.

Forgot to mention - XP Media Edition SP-2.

I can pull the drive and slave it to another machine to delete the files. Better yet, I can use Recovery Console to delete them. What do you think of those options?
 

AdvancedSetup
#4
Kelly,

There is no way to create a file name with an * in it. That is a WILD CARD for Windows.

If you are seeing that then I would say that somehow it's being masked by some application. You may need to submit it to MBAM and SAS to have them analyze it.

But if you had all 3 scanners say the system is CLEAN that surely is odd in my opinion to see that.

What is the file date on the file?
 

Tony D
#5
Yes - I understand the * being a wildcard. Subsequent HJT scans show the file as gh***hb.dll. That's the same name I see in the System32 folder. Maybe HJT hiccuped when I posted the log.

The date on gh***hb.dll is 4/16/2008 - two days ago.
The date on gh***hb.dll.bak is 4/18/2008 - today

A web search for the file name returns no hits.
 

Tony D
#7
yup - the name is the same in both. Wait - what is going on here? I looked at my post and the name of the file has *'s. I didn't post that. The file name is gh***hb.dll. Where did those *** come from?
 

Tony D
#8
Something is very strange here. I posted the file name without *** and it shows up in my posts with ***. I'm going to post the file name with spaces between the digits to see if that helps: g h a g h b . d l l
 

Tony D
#9
OK - this time the file name is correct - with the exception of the space characters between the actual characters. Something is wrong here. If I post the name of the file, *** shows up in the forum post. That's not what I typed in.

btw: I'm not posting from the suspected infected machine. I'm posting from my Mac.
 

AdvancedSetup
#10
Yes, actually that is a malware tactic. I forget the name of the one that is doing that but I'll check and get back with you on it.

Basically it comes along and actually renames valid files by just putting a space in the name.

Be back later
 

AdvancedSetup
#12
Well, I can't seem to find it right now, but if you do a DIR in DOS in your Windows folder and SYSTEM32 folder for EXE and DLL files, see what you find.

C:\WINDOWS and C:\WINDOWS\SYSTEM32
DIR *.EXE (look for EXE with a space in the name)
DIR *.DLL (look for EXE with a space in the name)

You may have to use ATTRIB *.EXE and *.DLL to see if any are being hidden from you as they should not be.

Then post a list of these files here.

The system is probably clean as the scanners say, but the damage is because they are valid files - they've just been renamed.
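As an added example, not part of the thread: the following Python does in one pass what the DIR and ATTRIB steps in posts #2 and #12 do by hand. It lists the EXE and DLL files in a folder such as C:\WINDOWS\SYSTEM32 and reports names containing a space (the renamed-file trick described in post #10), files carrying the Hidden or System attribute (what ATTRIB would reveal and a plain DIR would not), and a .dll with a .dll.bak twin beside it (the situation described in post #3). The sample listing is constructed, not taken from the machine in the thread, and `winlogon .exe` is a hypothetical illustration of the space-in-name pattern.

```python
import os
import sys

# Windows file attribute bits (same values as stat.FILE_ATTRIBUTE_HIDDEN/SYSTEM).
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
EXECUTABLE_EXTS = (".exe", ".dll")


def classify(name, attrs, neighbours):
    """Reasons a single directory entry deserves a look.

    name       - file name as listed
    attrs      - Windows attribute bits (0 when not running on Windows)
    neighbours - lower-cased set of every name in the same folder
    """
    lower = name.lower()
    reasons = []
    if not lower.endswith(EXECUTABLE_EXTS):
        return reasons
    if " " in lower:
        reasons.append("space inside an executable name")
    if attrs & FILE_ATTRIBUTE_HIDDEN:
        reasons.append("Hidden attribute set (a plain DIR would not show it)")
    if attrs & FILE_ATTRIBUTE_SYSTEM:
        reasons.append("System attribute set")
    if lower.endswith(".dll") and lower + ".bak" in neighbours:
        reasons.append("a .bak twin sits next to it")
    return reasons


def scan_names(entries):
    """entries: iterable of (name, attrs) pairs. Returns {name: [reasons]}."""
    entries = list(entries)
    neighbours = {n.lower() for n, _ in entries}
    report = {}
    for name, attrs in entries:
        reasons = classify(name, attrs, neighbours)
        if reasons:
            report[name] = reasons
    return report


def scan_directory(path):
    """Read a real folder; attribute bits are only reported on Windows."""
    entries = []
    with os.scandir(path) as it:
        for d in it:
            if d.is_file(follow_symlinks=False):
                st = d.stat(follow_symlinks=False)
                entries.append((d.name, getattr(st, "st_file_attributes", 0)))
    return scan_names(entries)


# Constructed sample listing; attribute 0x20 is the ordinary Archive bit.
SAMPLE_LISTING = [
    ("kernel32.dll", 0x20),
    ("svchost.exe", 0x20),
    ("winlogon .exe", 0x20),     # hypothetical: space inserted before the extension
    ("example.dll", 0x20),       # hypothetical unnamed BHO DLL
    ("example.dll.bak", 0x20),   # its backup copy, as described in post #3
    ("quiet.dll", 0x22),         # hypothetical: Archive + Hidden
]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    report = scan_directory(target) if target else scan_names(SAMPLE_LISTING)
    for name, reasons in report.items():
        print(name)
        for r in reasons:
            print("   -", r)
```

On the XP machine in the thread this would be run as `python scan.py C:\WINDOWS\SYSTEM32` (the script name is assumed); on anything other than Windows the attribute bits read as 0 and only the name-based checks apply. Like DIR and ATTRIB, it can only report what the file system hands back, so a rootkit filtering directory listings would hide from it as well; that is what makes the thread's fallback of Recovery Console or slaving the drive to another machine the stronger check.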
 

Tony D
#13
Sorry AS, but I don't understand what you want me to do. The file is in system32. There are no spaces in the file name. I only posted the file name with spaces between the characters because if I post the name as it really is, the forum takes out characters and replaces them with ***.
 

Seth

FPCH Long Term Member
Joined
Dec 17, 2007
Messages
2,268
Location
Canada
Operating System
Windows Vista - Home Premium
#15
I doubt that BHO dll will have any effect.

I'd get rid of the Ask toolbar from add/remove, then blow out IE7 with the reset feature.

The RC or slave will be fine to delete that file if you want.
 

Tony D
#16
Let's see - here is the name of the file and the same name with spaces between the digits

gh***hb.dll g h b a g h b . d l l

They should be the same, but they are not. The forum software inserted the ***
 

Tony D
#19
The system is pretty good. Customer had purchased Norton 360 and the install didn't go right. With the help of folks here, the bad boys were removed. I had to remove Norton 360 and then reinstall it to get it working.

Problem now is that 1 in 3 Shut Downs come with ccSvcHst.exe – Application error, which from what I've read is Norton related. What a pain!!! I really don't know what to do about it at this point. Seems a lot of people have this problem with Norton AV 2007, but I don't see anything addressing Norton 360 v2.
 

Tony D
#20
Not finding a solution to the error message when shutting down, I contacted Symantec's tech support and established a chat session. It went pretty well. The solution was to configure the Norton firewall to ALLOW connection of programs that were listed in the Firewall Program Rules.

What bothers me is that they allowed lmi_rescue to access the Internet. This doesn't fit right with me and I will set it to BLOCK.