#1

What are these on my HJT log?
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol hijack: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol hijack: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6}
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF}
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol hijack: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol hijack: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}

I got them from going on this site and was wondering what these were. Thanks

#2

Please check them against the following quoted material. Note: I have left the original referenced sites in, but I did not check them all, so I don't know if all are still available:
Quote:

#3

I'm sorry, but after looking at all the links I still don't know what these are and whether I should remove them or not.
They disappear and reappear if I remove something off HJT and then disappear again. Help me please.

#4

I gave you enough information for you to make the determination. Match your entries to the malware entries I gave. If they match, remove them. If you want help with malware removal, you will need to do more than break out a few HijackThis log entries; you will need to attach the entire (new) HijackThis log here for evaluation.
The O18 entries are for extra protocols and protocol hijackers. Rescan with HijackThis > put a check by each of the following: Quote:
The danger in doing just this is that you are not dealing with any other entries that are related to what you remove. "they disappear and reappear if i remove something off hjt and then disappear again". If you would like to rerun and attach a new 'complete' HijackThis log, you will be assisted in finding all the entries and removing them. It would also be helpful to know what is happening with your system that made you run the HijackThis program.

#5

The first is a complete fresh HijackThis log.
The second is what appears if I remove something. And I already looked over the list and none of them match, as far as I can see.

#6

Please disable TeaTimer. This is real-time protection and must be disabled for now:
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
If you need help for that, see this: Temporarily Disable Real Time Monitoring Programs http://wiki.castlecops.com/Malware_R...oring_Programs
Disable any of the other programs on that list.
Disable PeerGuardian:
D:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [PeerGuardian] D:\Program Files\PeerGuardian2\pg2.exe
PeerGuardian 2 is an IP blocker for Windows, used to protect privacy on P2P networks by blocking IP addresses specified in blocklists. It features support for multiple lists, a list editor, automatic blocklist updates, and blocking all of IPv4 (TCP, UDP, ICMP, etc.). This will interfere with the scans.
Once done, run a HijackThis scan and post the new log. Then maybe we'll find all the files.
You do not show any IE Start & Search pages. Possibly these are being hidden by PeerGuardian, but they can't be checked while it's running. Have you tried to set one up? What happens? These pages would be listed in the R1, R2 and R3 sections of HijackThis.

#7

Yes, I have disabled all guards now and posted a fresh HijackThis log.
I already know PG2 is for P2P. Thanks for the help. No bad things are happening to my comp except start-up is a bit slow.

#8

The log looks good with the exception of one new process:
Quote:
conime.exe is located in the folder C:\Windows\System32. If conime.exe is located in the folder C:\Windows\System32\drivers then the security rating is 84% dangerous. If conime.exe is located in a subfolder of C:\Windows then the security rating is 44% dangerous. If conime.exe is located in the folder C:\Windows then the security rating is 80% dangerous. Important: Some malware camouflages itself as conime.exe, particularly if it is located in the c:\windows or c:\windows\system32 folder. Thus check whether the conime.exe process on your PC is a pest.

Because this did not appear in any of the previous logs, I don't know if TeaTimer suppressed it. You must check the location: Right click on Start > Explore > Windows > using the information above, verify the location of this process, looking first in the general Windows folder, then in the System32 folder. And verify that you have enabled this for the use indicated.

#9

Yes, the conime is probably safe because I have installed East Asian languages to play some games.

#10

The thing is: if you're on the lookout for malware and trying to clean it, it shouldn't be installing anything new.

#11

These items have finally started to do stuff to my computer.
I have followed these procedures: http://www.spywareinfoforum.com/lofi...hp/t78085.html But they will keep coming back no matter what I do. If I post a HijackThis log now you will probably not see the protocols, because they hide themselves and the only way to reveal them is removing something. I've read that all the "Protocol hijack:" entries are bad and have followed the link posted above, but still cannot get these off. The only symptoms are that I cannot watch videos in IE, but they play perfectly in Firefox (Firefox is my main browser). Thanks for the help. If you wanted to see my HijackThis log anyway, here it is. The anti-spyware, malware and Ad-Aware scans come up clean.

#12

Post #6:
Quote:
Before you scan again with HijackThis, go to Folder Options in the Control Panel > View tab > CHECK 'show hidden files and folders' > Apply > OK.
O4 - HKCU\..\Run: [PeerGuardian] D:\Program Files\PeerGuardian2\pg2.exe
D:\Program Files\PeerGuardian2\pg2.exe
How did you first see these in a HijackThis log?

#13

All you said is done, and even though PeerGuardian runs, I keep it disabled all the time unless I'm doing P2P. The first time I saw these was when I typed techspot.com in the HTML bar. I added it as a bookmark and that seems to work, because I reimaged with Acronis and now I got them again for no reason.

#14

Quote:

#15

That's right, it loads, but there is an enable and disable button on it. And the way to tell when it is on or not is that when it's on I can't connect to Steam; when disabled I can. Also, I finally really remember how I think I got it. I think I got it from the page called securitywiki or something like that. Some guy linked to it on the forum (old post) and I just clicked on it and read stuff on it.
I also just got this after doing stuff in Autoruns, the program thingy:
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
Last edited by Kazi; 09-18-2008 at 01:30 AM.

#16

Quote:
Quote:
I can't find anything applicable to 'security wiki'. I don't know what the use of that is meant for. Actually only a few hijackers show up in the O18 entries. I gave you a list of them. Go through the list, compare the CLSID (that's the string of numbers in brackets) to the known hijackers. If you are still concerned, run the Malwarebytes program and post the log. We will 'see' what it picks up:
Please download Malwarebytes' Anti-Malware from: http://www.majorgeeks.com/Malwarebyt...are_d5756.html
Save to the desktop. Double click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Run the scan with Malwarebytes again > When the scan is complete, click OK, then 'Show Results' to view the results. Be sure that everything is checked, and click 'Remove Selected'. When completed, a log will open in Notepad.

#17

OK, I'll remove something and I'll show you the whole log.
I can't get rid of the desktop thingy. Malwarebytes is already on the comp. Found: Quote:
Quote:
Last edited by Kazi; 09-18-2008 at 10:10 PM.

#18

Note to Bobbye: a spot check of the O18 list (user's HJT log) shows the entries appear on the whitelist.
Search of o18.html works only for names or files. Search by CLSID does not appear to work. Example: I searched for 'wia'. The CLSID matches the entry in the user's HJT log. It appears that HJT complains 'hijack' if the path is not valid. Does this mean that HJT actions trigger an attack against protocols?
Last edited by rf6647; 09-18-2008 at 11:43 PM. Reason: meaning of hijack
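The check Bobbye asks for in #4 (compare each O18 CLSID against a list of known hijackers) and rf6647's observation in #18 (HJT prints 'hijack' when it could not turn the CLSID into a file path, not when the CLSID is foreign) can both be tested offline against the log posted in #1. The following Python script is an added example, not code from this thread or from HijackThis: it parses the O18 lines from #1, cross-references every 'Protocol hijack' entry against the unflagged entries in the same log that carry the same CLSID, and compares the log against a caller-supplied {protocol: CLSID} map. The function names (parse_o18, cross_reference, match_reference) and the map argument are the example's own; the thread never reproduces the reference list, so none is shipped here. The log itself already shows what rf6647's reading predicts: 'file' (flagged) and 'local' (resolved to urlmon.dll) share one CLSID, and 'its' (flagged) and 'ms-its' (resolved to itss.dll) share another.

```python
import re
from collections import defaultdict

# The O18 lines exactly as posted in #1 of this thread (the user's own log, not constructed).
O18_LOG = r"""
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol hijack: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol hijack: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6}
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF}
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol hijack: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol hijack: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}
"""

# One O18 line: optional ' hijack' tag, protocol name, a {CLSID} or '(no CLSID)',
# and an optional ' - <file>' tail ('(no file)' is normalised to None below).
O18_RE = re.compile(
    r"^O18 - Protocol(?P<hijack> hijack)?: (?P<proto>[\w-]+) - "
    r"(?:\{(?P<clsid>[0-9A-Fa-f-]+)\}|\(no CLSID\))"
    r"(?: - (?P<file>.+))?$"
)


def parse_o18(text):
    """Parse O18 lines into dicts with keys proto, clsid, file, flagged."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O18_RE.match(line)
        if m is None:
            raise ValueError("not an O18 line: %r" % line)
        clsid = m.group("clsid")
        path = m.group("file")
        entries.append({
            "proto": m.group("proto"),
            "clsid": clsid.upper() if clsid else None,
            "file": None if path in (None, "(no file)") else path,
            "flagged": m.group("hijack") is not None,
        })
    return entries


def cross_reference(entries):
    """For every 'Protocol hijack' entry, list the other protocols in the same log
    that carry the same CLSID and that HJT did resolve to a file. A non-empty list
    means the flagged CLSID is the very one serving an unflagged protocol, so the
    flag cannot be telling you that the CLSID is foreign."""
    by_clsid = defaultdict(list)
    for e in entries:
        if e["clsid"]:
            by_clsid[e["clsid"]].append(e)
    return {
        e["proto"]: [(o["proto"], o["file"])
                     for o in by_clsid[e["clsid"]] if o is not e and o["file"]]
        for e in entries if e["flagged"]
    }


def match_reference(entries, reference):
    """The check suggested in #4: compare the log against a {protocol: CLSID} map of
    known hijackers. The map must come from a maintained list; this code has none."""
    ref = {p.lower(): c.strip("{}").upper() for p, c in reference.items()}
    return sorted(e["proto"] for e in entries
                  if e["clsid"] and ref.get(e["proto"].lower()) == e["clsid"])


if __name__ == "__main__":
    for proto, siblings in cross_reference(parse_o18(O18_LOG)).items():
        print("hijack-flagged %-4s -> same CLSID resolved for: %s"
              % (proto, siblings or "nothing"))
```

Run as a script it prints, for each flagged protocol, the sibling protocols that resolved; only 'file' and 'its' get a hit from this log, the other seven flagged CLSIDs occur once, so the log alone cannot say anything about them. The cross-reference only supports or weakens rf6647's hypothesis; it does not verify the handler on the machine. For that, read HKEY_CLASSES_ROOT\PROTOCOLS\Handler\<scheme> in the registry, take its CLSID value, and look at which DLL HKEY_CLASSES_ROOT\CLSID\{...}\InprocServer32 points to, then check that the file exists and is signed. A handler whose CLSID is the stock one but whose InprocServer32 has been repointed at another DLL is the case that neither a CLSID list nor this script would catch.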

#19

Your note is interesting.
After I installed IE7 I can now watch vids in it.

#20

Thanks for the tip about the O18 not showing! I have just been trying to find out where the user is seeing these entries.
Quote:
When we are trying to help clean out malware, using anything to hide some of the HijackThis entries accomplishes nothing! Especially when your question was specifically about those entries in the first place! How do we know you're not 'hiding' other entries? If you're back using IE6 without incident and you uninstalled IE7, which removed the video 'block', then it sounds like the settings were wrong.



