What are these on my HJT log?

By Kazi · 42 replies
Aug 23, 2008
  1. O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
    O18 - Protocol hijack: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}
    O18 - Protocol hijack: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B}
    O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
    O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol hijack: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6}
    O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol hijack: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF}
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
    O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
    O18 - Protocol hijack: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
    O18 - Protocol: msdaipp - (no CLSID) - (no file)
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol hijack: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}
    O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol hijack: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
    O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol hijack: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}

    i got them from going on this site and was wondering what these were

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Please check them against the following quoted material. Note- I have left the original referenced sites in but I did not check them all so don't know if all are still available:
  3. Kazi

    Kazi TS Enthusiast Topic Starter Posts: 121

    I'm sorry but after looking at all the links i still don't know what these are and whether i should remove them or not

    they disappear and reappear if i remove something off hjt and then dissappear again

    help me please
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    I gave you enough information for you to make the determination. Match your entries to the malware entries I gave. If they match, remove them. If you want help with malware removal, you will need to do more than break out a few HijackThis log entries- you will need to attach the entire (new) HijackThis log here for evaluation.

    The 018 entries are for Extra protocols and protocol hijackers

    Rescan with HijackThis> out a check by each of the following:
    Check 'Fix' and reboot.

    The danger in doing just this is that you are not dealing in any other entries that are related to what you remove.

    "they disappear and reappear if i remove something off hjt and then dissappear again". If you would like to rerun and attach a new 'complete' HijackThis log, you will be assisted in finding all the entries and removing them. It would also be helpful to know what is happening with your system that you ran the HijackThis program.
  5. Kazi

    Kazi TS Enthusiast Topic Starter Posts: 121

    The first is a complete fresh hijackthis log

    the second is if i remove something they will appear. And i already looked over the list and none of them match as i see.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Please disable Tea Timer. The is Real Time protection and must be disabled for now:
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    IF you need help for that, see this:
    Temporarily Disable Real Time Monitoring Programs

    Disable any of the other programs on that list.

    Disable Peer Guardian:
    D:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [PeerGuardian] D:\Program Files\PeerGuardian2\pg2.exe
    PeerGuardian 2 is an IP blocker for Windows. Used to protect privacy on P2P networks by blocking IP addresses specified in blocklists. Features support for multiple lists, a list editor, automatic blocklist updates, and blocking all of IPv4 (TCP, UDP, ICMP, etc)
    This will interfere with the scans.

    Once done, run HijackThis scan and post the new log. The maybe we'll find all the files. You do not show any IE Start & Search pages. Possibly these are being hidden by PeerGuardian but they can't be checked while it's running. Have you tried to set one up? What happens? These pages would be listed in the R1, R2 snd R3 section of HijackThis
  7. Kazi

    Kazi TS Enthusiast Topic Starter Posts: 121

    Yes i have disables all guards now and posted fresh hijackthis log

    i already know pg2 for p2p

    thanks for the help

    no bad things are happening to my comp except start up is a bit slow
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    The log looks good with the exception of one new process:

    This IS a legitimate Wiondows process- IF it is in the correct location. This process has to do with Asian language setups.

    conime.exe is located in the folder C:\Windows\System32.
    If conime.exe is located in the folder C:\Windows\System32\drivers then the security rating is 84% dangerous
    If conime.exe is located in a subfolder of C:\Windows then the security rating is 44% dangerous.
    If conime.exe is located in the folder C:\Windows then the security rating is 80% dangerous

    Important: Some malware camouflage themselves as conime.exe, particularly if they are located in c:\windows or c:\windows\system32 folder. Thus check the conime.exe process on your pc whether it is pest.

    Because this did not appear in any of the previous logs, I don't know if Tea Timer suppressed it. You must check the location:
    Right click on Start> Explore> Windows> using the information above, verify the location of this process, looking first in the general Windows folder, then in the System 32 folder. And verify if you have enabled this for the use indicated.
  9. Kazi

    Kazi TS Enthusiast Topic Starter Posts: 121

    yes the conime is probably safe because i have installed east asian languages to play some games
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    The thing is- if you're on the lookout for malware and trying to clean it, it shouldn't be installing anything new.
  11. Kazi

    Kazi TS Enthusiast Topic Starter Posts: 121

    These items have finally started to do stuff to my computer.

    i have followed these procedures: http://www.spywareinfoforum.com/lofiversion/index.php/t78085.html

    But they will keep coming back no matter what i do

    If i post a Hijackthis log now you will probably not see the protocols because they hide themselves and only way to reveal them is removing something.
    I've read all the protocol Hijack: entries are bad and have followed link posted above but still cannot get these off. Only symtoms are cannot watch videos in ie but can done perfectly with firefox (firefox is my main browser) Thanks for the help.
    If you wanted to see my hijackthis log anyways here it is.

    the anti spyware, malware, ad-aware come up clean
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Post #6:
    You will have to go into the program to disable it or look in Control Panel> Administrative Toold> Services>> IF Peer Guardian runs a Service here, change Startup type to Disabled, reboot.

    Before you scan again with HijackThis, go to Folder Options in the Control Panel> View tab> CHECK 'show hidden files and folders'> Apply> OK.
    O4 - HKCU\..\Run: [PeerGuardian] D:\Program Files\PeerGuardian2\pg2.exe
    D:\Program Files\PeerGuardian2\pg2.exe

    How did you first see these in a HijackThis log?
  13. Kazi

    Kazi TS Enthusiast Topic Starter Posts: 121

    All you said is done and even though peerguardian runs, i keep it disabled all the time unless i'm doing p2p. the first time i saw these was if i type in techspot.com in the html bar. I added it as a bookmark and that seems to work because i reimage with acronis and now i got them again for no reason
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    You may think it's disabled, but the 04 entry means it's being loaded from the Registry or Startup group.
  15. Kazi

    Kazi TS Enthusiast Topic Starter Posts: 121

    thats right it loads but there is an enable and disable button on it. and to tell when it is on or not is that when its on i can't connect to steam, when disabled i can. Also i finally really remember how i think i got it. I think i got it from the page called securitywiki or something like that. someoguy linked to it on the forum (old post) and i just clicked on it and read stuff on it
    i also just got this after doing stuff in autorun the program thingy

    O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    You copied the list of 018 entries from somewhere, but I have yet to see it. Where did you get it?

    I can't find anything applicable to 'security wiki'. I don't know what the use of that is meant for. Actually only a few hijackers show up in the 018 entries. I gave you a list of them. Go through the list, compare the CLSID (that's the string of numbers in brackets) to the known hijackers.

    If you are still concerned, run the Malwarebytes program and post the log. We will 'see' what it picks up:
    Please download Malwarebytes' Anti-Malware from:

    Save to the desktop. Double Click mbam-setup.exe to install the application.
    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select "Perform Quick Scan", then click Scan.
    * The scan may take some time to finish,so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

    Run the scan with Malwarebytes again> When the scan is complete, click OK, then 'Show Results' to view the results. Be sure that everything is checked, and click 'Remove Selected'.
    When completed, a log will open in Notepad.
  17. Kazi

    Kazi TS Enthusiast Topic Starter Posts: 121

    KKK i''l remove something and i'll show you the whole log.

    I can't get rid of the desktop thingy.
    Malwarebytes already on comp

    but protocolhijack stuff ain't there

  18. rf6647

    rf6647 TS Maniac Posts: 829

    Note to Bobbye - spot check of o18 list (user's HJT log) appear on the whitelist.

    Search of o18.html works only for names or files. Search by clsid does not appear to work.

    Example - searched for 'wia'. The clsid matches the entry in the users HJT log.

    It appears that HJT complains 'hijack' if the path is not valid. Does this mean that HJT actions trigger an attack against protocols?
  19. Kazi

    Kazi TS Enthusiast Topic Starter Posts: 121

    your note is interesting

    after i installed ie7 i can now watch vids in it
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Thanks for the tip about the 018 not showing! I have just been trying to find out where the user is seeing these entries.

    WHAT are you removing? Why are you removing it? What purpose is it serving?
    When we trying to help clean out malware, using anything to hide some of the HijackThis entries accomplishes nothing! Especially when your question was specifically about those entries in the first place! How do we know you're not 'hiding' other entries?

    If you're back using IE6 without incident and you uninstalled IE7 which removed the video 'block', then it sound like the settings were wrong.
  21. Kazi

    Kazi TS Enthusiast Topic Starter Posts: 121

    What i removed was the desktop compartment thing but it wouldn't acually remove so it stayed there but the 018s will appear if i click fix check on anything and immedietly saving a log. the purpose to remove something is that the 018s will appear if i click fix check on anything. The desktop component thingy has no name and no file. No i just recent;y installed IE7. I don't hide the hijackthislog entries at all. THEY WILL DISAPPEAR on it self and then if i click fix checked on anything whether it removed or not they will appear.
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    I may be showing my ignorance here, but I have no idea what this is!
  23. Kazi

    Kazi TS Enthusiast Topic Starter Posts: 121

    did you check the last item of the latest log?
    the 024
  24. rf6647

    rf6647 TS Maniac Posts: 829

    o24 thingy - very interesting. I've ignored it because I "a$s u me" it can' hurt unless touched by the user. After re-reading the tutorial, it is not clear how to delete the desktop item.

    On unused portion of desktop > right click > properties > desktop > customize desktop > web

    Please describe the contents of the box "web pages"

    Feel free to muckaround with properties for a better understanding
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    I am still uncertain as to just what this process is doing. All other logs I checked have all or most of the following processes in combination:
    You have only the 024 entry. And the only 018 entry of yours that is anything close to this is:
    SharePoint can refer to two products:
    WSS allows creation of Document libraries, which are collections of files that can be shared for collaborative editing. It also includes a collection of web parts, which are web widgets that can be embedded into web pages. A SharePoint page is built by combining the web parts into a web page, to be accessed using a browser..

    Microsoft Office SharePoint Server (MOSS), is part of Microsoft SharePoint, and runs on top of Windows SharePoint Services (WSS). enabling an organization’s information to be organized and aggregated in one central, web-based application and provide a taxonomy for corporate data.

    So back again to the beginning- what has Autorun disabled and why does it's running allow the 018 entries to show in the log- whereas disabling it hides them?

    Maybe someone has he answer for this. I do not. About Autorun:
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...