also @ TechSpot: Android 4.0: Tracking Ice Cream Sandwich's Availability on Smartphones

TechSpot
Register now for a live online demo to see how the Office 365 suite of tools
- professional email, calendars, video conferencing, and file sharing -

What are these on my HJT log?

Discussion in 'Virus and Malware Removal' started by Kazi, Aug 23, 2008.

Thread Status:
Not open for further replies.
Page 1 of 3

  1. Kazi Newcomer, in training

    O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
    O18 - Protocol hijack: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}
    O18 - Protocol hijack: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B}
    O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
    O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol hijack: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6}
    O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol hijack: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF}
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
    O18 - Protocol hijack: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
    O18 - Protocol: msdaipp - (no CLSID) - (no file)
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol hijack: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}
    O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol hijack: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
    O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol hijack: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}

    i got them from going on this site and was wondering what these were

    Thanks
    Kazi, Aug 23, 2008
    #1

  2. Bobbye Helper on the Fringe

    Please check them against the following quoted material. Note- I have left the original referenced sites in but I did not check them all so don't know if all are still available:
    Bobbye, Aug 26, 2008
    #2

  3. Kazi Newcomer, in training

    I'm sorry but after looking at all the links i still don't know what these are and whether i should remove them or not

    they disappear and reappear if i remove something off hjt and then dissappear again

    help me please
    Kazi, Sep 1, 2008
    #3

  4. Bobbye Helper on the Fringe

    I gave you enough information for you to make the determination. Match your entries to the malware entries I gave. If they match, remove them. If you want help with malware removal, you will need to do more than break out a few HijackThis log entries- you will need to attach the entire (new) HijackThis log here for evaluation.

    The 018 entries are for Extra protocols and protocol hijackers

    Rescan with HijackThis> out a check by each of the following:
    Check 'Fix' and reboot.

    The danger in doing just this is that you are not dealing in any other entries that are related to what you remove.

    "they disappear and reappear if i remove something off hjt and then dissappear again". If you would like to rerun and attach a new 'complete' HijackThis log, you will be assisted in finding all the entries and removing them. It would also be helpful to know what is happening with your system that you ran the HijackThis program.
    Bobbye, Sep 2, 2008
    #4

  5. Kazi Newcomer, in training

    The first is a complete fresh hijackthis log

    the second is if i remove something they will appear. And i already looked over the list and none of them match as i see.
    Kazi, Sep 2, 2008
    #5

  6. Bobbye Helper on the Fringe

    Please disable Tea Timer. The is Real Time protection and must be disabled for now:
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    IF you need help for that, see this:
    Temporarily Disable Real Time Monitoring Programs
    http://wiki.castlecops.com/Malware_Removal:_Temporarily_Disable_Real_Time_Monitoring_Programs

    Disable any of the other programs on that list.

    Disable Peer Guardian:
    D:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [PeerGuardian] D:\Program Files\PeerGuardian2\pg2.exe
    PeerGuardian 2 is an IP blocker for Windows. Used to protect privacy on P2P networks by blocking IP addresses specified in blocklists. Features support for multiple lists, a list editor, automatic blocklist updates, and blocking all of IPv4 (TCP, UDP, ICMP, etc)
    This will interfere with the scans.

    Once done, run HijackThis scan and post the new log. The maybe we'll find all the files. You do not show any IE Start & Search pages. Possibly these are being hidden by PeerGuardian but they can't be checked while it's running. Have you tried to set one up? What happens? These pages would be listed in the R1, R2 snd R3 section of HijackThis
    Bobbye, Sep 3, 2008
    #6

  7. Kazi Newcomer, in training

    Yes i have disables all guards now and posted fresh hijackthis log

    i already know pg2 for p2p

    thanks for the help

    no bad things are happening to my comp except start up is a bit slow
    Kazi, Sep 3, 2008
    #7

  8. Bobbye Helper on the Fringe

    The log looks good with the exception of one new process:

    This IS a legitimate Wiondows process- IF it is in the correct location. This process has to do with Asian language setups.

    conime.exe is located in the folder C:\Windows\System32.
    If conime.exe is located in the folder C:\Windows\System32\drivers then the security rating is 84% dangerous
    If conime.exe is located in a subfolder of C:\Windows then the security rating is 44% dangerous.
    If conime.exe is located in the folder C:\Windows then the security rating is 80% dangerous

    Important: Some malware camouflage themselves as conime.exe, particularly if they are located in c:\windows or c:\windows\system32 folder. Thus check the conime.exe process on your pc whether it is pest.

    Because this did not appear in any of the previous logs, I don't know if Tea Timer suppressed it. You must check the location:
    Right click on Start> Explore> Windows> using the information above, verify the location of this process, looking first in the general Windows folder, then in the System 32 folder. And verify if you have enabled this for the use indicated.
    Bobbye, Sep 4, 2008
    #8

  9. Kazi Newcomer, in training

    yes the conime is probably safe because i have installed east asian languages to play some games
    Kazi, Sep 4, 2008
    #9

  10. Bobbye Helper on the Fringe

    The thing is- if you're on the lookout for malware and trying to clean it, it shouldn't be installing anything new.
    Bobbye, Sep 5, 2008
    #10

  11. Kazi Newcomer, in training

    These items have finally started to do stuff to my computer.

    i have followed these procedures: http://www.spywareinfoforum.com/lofiversion/index.php/t78085.html

    But they will keep coming back no matter what i do

    If i post a Hijackthis log now you will probably not see the protocols because they hide themselves and only way to reveal them is removing something.
    I've read all the protocol Hijack: entries are bad and have followed link posted above but still cannot get these off. Only symtoms are cannot watch videos in ie but can done perfectly with firefox (firefox is my main browser) Thanks for the help.
    If you wanted to see my hijackthis log anyways here it is.

    the anti spyware, malware, ad-aware come up clean
    Kazi, Sep 16, 2008
    #11

  12. Bobbye Helper on the Fringe

    Post #6:
    You will have to go into the program to disable it or look in Control Panel> Administrative Toold> Services>> IF Peer Guardian runs a Service here, change Startup type to Disabled, reboot.

    Before you scan again with HijackThis, go to Folder Options in the Control Panel> View tab> CHECK 'show hidden files and folders'> Apply> OK.
    O4 - HKCU\..\Run: [PeerGuardian] D:\Program Files\PeerGuardian2\pg2.exe
    D:\Program Files\PeerGuardian2\pg2.exe

    How did you first see these in a HijackThis log?
    Bobbye, Sep 16, 2008
    #12

  13. Kazi Newcomer, in training

    All you said is done and even though peerguardian runs, i keep it disabled all the time unless i'm doing p2p. the first time i saw these was if i type in techspot.com in the html bar. I added it as a bookmark and that seems to work because i reimage with acronis and now i got them again for no reason
    Kazi, Sep 16, 2008
    #13

  14. Bobbye Helper on the Fringe

    You may think it's disabled, but the 04 entry means it's being loaded from the Registry or Startup group.
    Bobbye, Sep 17, 2008
    #14

  15. Kazi Newcomer, in training

    thats right it loads but there is an enable and disable button on it. and to tell when it is on or not is that when its on i can't connect to steam, when disabled i can. Also i finally really remember how i think i got it. I think i got it from the page called securitywiki or something like that. someoguy linked to it on the forum (old post) and i just clicked on it and read stuff on it
    i also just got this after doing stuff in autorun the program thingy

    O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
    Kazi, Sep 17, 2008
    #15

  16. Bobbye Helper on the Fringe

    You copied the list of 018 entries from somewhere, but I have yet to see it. Where did you get it?

    I can't find anything applicable to 'security wiki'. I don't know what the use of that is meant for. Actually only a few hijackers show up in the 018 entries. I gave you a list of them. Go through the list, compare the CLSID (that's the string of numbers in brackets) to the known hijackers.

    If you are still concerned, run the Malwarebytes program and post the log. We will 'see' what it picks up:
    Please download Malwarebytes' Anti-Malware from:
    http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

    Save to the desktop. Double Click mbam-setup.exe to install the application.
    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select "Perform Quick Scan", then click Scan.
    * The scan may take some time to finish,so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

    Run the scan with Malwarebytes again> When the scan is complete, click OK, then 'Show Results' to view the results. Be sure that everything is checked, and click 'Remove Selected'.
    When completed, a log will open in Notepad.
    Bobbye, Sep 18, 2008
    #16

  17. Kazi Newcomer, in training

    KKK i''l remove something and i'll show you the whole log.

    I can't get rid of the desktop thingy.
    Malwarebytes already on comp

    Found:
    but protocolhijack stuff ain't there

    Kazi, Sep 18, 2008
    #17

  18. rf6647 Newcomer, in training

    Note to Bobbye - spot check of o18 list (user's HJT log) appear on the whitelist.

    Search of o18.html works only for names or files. Search by clsid does not appear to work.

    Example - searched for 'wia'. The clsid matches the entry in the users HJT log.

    It appears that HJT complains 'hijack' if the path is not valid. Does this mean that HJT actions trigger an attack against protocols?
    rf6647, Sep 18, 2008
    #18

  19. Kazi Newcomer, in training

    your note is interesting

    after i installed ie7 i can now watch vids in it
    Kazi, Sep 18, 2008
    #19

  20. Bobbye Helper on the Fringe

    Thanks for the tip about the 018 not showing! I have just been trying to find out where the user is seeing these entries.

    WHAT are you removing? Why are you removing it? What purpose is it serving?
    When we trying to help clean out malware, using anything to hide some of the HijackThis entries accomplishes nothing! Especially when your question was specifically about those entries in the first place! How do we know you're not 'hiding' other entries?

    If you're back using IE6 without incident and you uninstalled IE7 which removed the video 'block', then it sound like the settings were wrong.
    Bobbye, Sep 19, 2008
    #20
Page 1 of 3
Thread Status:
Not open for further replies.