What are these on my HJT log?

Status
Not open for further replies.

Kazi

O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol hijack: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol hijack: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6}
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF}
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol hijack: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol hijack: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}

I got them from going on this site and was wondering what these were.

Thanks
 
Please check them against the following quoted material. Note- I have left the original referenced sites in but I did not check them all so don't know if all are still available:
Common 018 entries from http://www.greyknight17.com/spy/O18.php
CLIENTMAN
O18 - Filter: text/html - {2DE94081-9FE6-4227-BC59-B7A80CC8308C} - C:\Program Files\ClientMan\run\searchrep887fa403.dll
Read more: http://www.doxdesk.com/parasite/ClientMan.html
Could be these filenames as well: taggerbhoX.dll / trackurlX.dll / searchrepX.dll / urlcliX.dll / trackurlX.dll / searchrepX.dll / msvrfyX.dll / gstylebhoX.dll / dnsrepX.dll / 2in1X.dll
Seen here: http://forum.tweakxp.com/forum/forum_posts_view.asp?TID=19812&PN=1&get=last

Same CLSID - different filename:
O18 - Filter: text/html - {2DE94081-9FE6-4227-BC59-B7A80CC8308C} - C:\WINDOWS\System32\mshmpd.dll

TROJ_SCAGENT.B
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll
O18 - Filter: text/plain - {55A83695-84E2-49E2-AB1C-6E6733ECD8B4} - C:\WINDOWS\madopew.dll
Troj_Scagent.B: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SCAGENT.B&VSect=T
The log: http://forums.spywareinfo.com/index.php?showtopic=25834&hl=

CoolWebSearch
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINDOWS\chp.dll
Reported related to startpage hijacks (about blank) - see here:
http://www.searchengines.pl/phpbb203/index.php?showtopic=14185&st=0&#entry74404

CoolWebSearch
O18 - Filter: application/hta - {D962EF38-5FB0-4761-8638-C86F085E25E6} - C:\WINDOWS\chp.dll
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINDOWS\chp.dll
http://www.newbie.org/help/messages/31635.html
http://www.computercops.biz/print-1-56910.html

CoolWebSearch - same CLSIDs as above - different filenames.
O18 - Filter: application/hta - {D962EF38-5FB0-4761-8638-C86F085E25E6} - C:\WINDOWS\MWSHELP.DLL
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINDOWS\MWSHELP.DLL
http://www.computercops.us/postp242476.html
WARNING: Don't delete MWSHELP.DLL - see the link above.

TROJ_WINSHOW
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
http://de.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=TROJ_WINSHOW.AF
http://www.kephyr.com/spywarescanner/library/msopt/index.phtml?source=alerts

Adware.FindemNow
O18 - Protocol: about - {53B95211-7D77-11D2-9F80-00104B107C96} - C:\WINDOWS\System32\msxmlpp.dll
Symantec's description: http://sarc.com/avcenter/venc/data/pf/adware.findemnow.html
Log reference (ongoing): http://www.pcguide.com/vb/showthread.php?s=&threadid=31885

CoolWebSearch
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}
http://www.daniweb.com/techtalkforums/thread7074.html
http://www.searchengines.pl/phpbb203/index.php?showtopic=15823&st=0&#entry72823
http://www.cybertechhelp.com/forums/showthread.php?t=39136&page=2

CoolWebSearch
O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\System32\LORUX[^a.dll
O18 - Filter: text/html - {63B95211-7D77-11D2-9F80-00104B107C96} - C:\WINNT\System32\LORUX[^a.dll
O18 - Filter: text/plain - {63B95211-7D77-11D2-9F80-00104B107C96} - C:\WINNT\System32\LORUX[^a.dll

CoolWebSearch
O18 - filters in pairs - text/plain - text/html - random CLSID and random named .dll file.
Seen like this:
O18 - Filter: text/html - {7C01B72B-B6D9-437F-94B6-5B6E4A352E4F} - C:\WINDOWS\System32\gfjm.dll
O18 - Filter: text/plain - {7C01B72B-B6D9-437F-94B6-5B6E4A352E4F} - C:\WINDOWS\System32\gfjm.dll

CoolWebSearch
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\msdhmd.dll
as seen here: http://www.eksperten.dk/spm/518760

CoolWebSearch Object recognized!
Type : File
Data : msdhmd.dll
Category : Malware
same CLSID -
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\mshpeb.dll
http://forums.spywareinfo.com/index.php?showtopic=28467

CWS, SmartSearch
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - C:\WINDOWS\SYSTEM\MSXWORD.DLL
http://forums.spywareinfo.com/index.php?showtopic=10748
http://www.wilderssecurity.com/showthread.php?t=38918
(fix and delete msxword.dll)
and with a random named .dll file:

O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\System32\LORUX[^a.dll
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - C:\WINDOWS\SYSTEMNNNNNNNN.DLL
http://forums.spywareinfo.com/index.php?showtopic=12276

IBIS Toolbar
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
http://www.computercops.biz/postp231371.html

IBIS Toolbar Object recognized!
Type : RegKey
Category : Data Miner
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{FF76A5DA-6158-4439-99FF-EDC1B3FE100C}
http://www.lavasoftsupport.com/index.php?showtopic=3275

IBIS Toolbar, Huntbar
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
as seen here:
http://forums.thatcomputerguy.us/index.php?showtopic=3608
http://www.computercops.biz/posts56320-15.html

IBIS Toolbar, Huntbar,
http://www.kephyr.com/spywarescanner/library/huntbar/index.phtml
http://www.pestpatrol.com/PestInfo/i/ibis_toolbar.asp

lop.com
O18 - Protocol: ayb - {07C0D34D-11D7-43F7-832B-C6BB41726F5F}
http://www.wilderssecurity.com/archive/index.php/t-7487

Huntbar
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll
http://www.doxdesk.com/parasite/HuntBar.html
Huntbar
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)
http://forums.tomcoyote.org/index.php?act=ST&f=27&t=12731
O18 - Filter: text/html - {3846F57F-F837-47D0-A93B-C8FC85A70D70} - C:\Documents and Settings\Mae\Definições locais\Application Data\microsoft\internet explorer\V0.15.dat
 
I'm sorry, but after looking at all the links I still don't know what these are and whether I should remove them or not.

They disappear and reappear if I remove something off HJT and then disappear again.

Help me please.
 
I gave you enough information for you to make the determination. Match your entries to the malware entries I gave. If they match, remove them. If you want help with malware removal, you will need to do more than break out a few HijackThis log entries- you will need to attach the entire (new) HijackThis log here for evaluation.

The O18 entries are for extra protocols and protocol hijackers.

Rescan with HijackThis> put a check by each of the following:
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol hijack: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol hijack: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6}
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF}
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol hijack: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol hijack: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}
Check 'Fix' and reboot.

The danger in doing just this is that you are not dealing in any other entries that are related to what you remove.

"they disappear and reappear if i remove something off hjt and then dissappear again". If you would like to rerun and attach a new 'complete' HijackThis log, you will be assisted in finding all the entries and removing them. It would also be helpful to know what is happening with your system that you ran the HijackThis program.
 
The first is a complete fresh HijackThis log.

The second is if I remove something they will appear. And I already looked over the list and none of them match as I see.
 
Please disable Tea Timer. This is real-time protection and must be disabled for now:
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

IF you need help for that, see this:
Temporarily Disable Real Time Monitoring Programs
http://wiki.castlecops.com/Malware_Removal:_Temporarily_Disable_Real_Time_Monitoring_Programs

Disable any of the other programs on that list.

Disable Peer Guardian:
D:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [PeerGuardian] D:\Program Files\PeerGuardian2\pg2.exe
PeerGuardian 2 is an IP blocker for Windows. Used to protect privacy on P2P networks by blocking IP addresses specified in blocklists. Features support for multiple lists, a list editor, automatic blocklist updates, and blocking all of IPv4 (TCP, UDP, ICMP, etc)
This will interfere with the scans.

Once done, run a HijackThis scan and post the new log. Then maybe we'll find all the files. You do not show any IE Start & Search pages. Possibly these are being hidden by PeerGuardian, but they can't be checked while it's running. Have you tried to set one up? What happens? These pages would be listed in the R1, R2 and R3 sections of HijackThis.
 
Yes, I have disabled all guards now and posted a fresh HijackThis log.

I already know PG2 is for P2P.

Thanks for the help.

No bad things are happening to my comp except startup is a bit slow.
 
The log looks good with the exception of one new process:

C:\WINDOWS\system32\conime.exe

This IS a legitimate Windows process- IF it is in the correct location. This process has to do with Asian language setups.

conime.exe is located in the folder C:\Windows\System32.
If conime.exe is located in the folder C:\Windows\System32\drivers then the security rating is 84% dangerous
If conime.exe is located in a subfolder of C:\Windows then the security rating is 44% dangerous.
If conime.exe is located in the folder C:\Windows then the security rating is 80% dangerous

Important: Some malware camouflage themselves as conime.exe, particularly if they are located in the c:\windows or c:\windows\system32 folder. Thus check the conime.exe process on your PC to see whether it is a pest.

Because this did not appear in any of the previous logs, I don't know if Tea Timer suppressed it. You must check the location:
Right click on Start> Explore> Windows> using the information above, verify the location of this process, looking first in the general Windows folder, then in the System 32 folder. And verify if you have enabled this for the use indicated.
 
Yes, the conime is probably safe because I have installed East Asian languages to play some games.
 
The thing is- if you're on the lookout for malware and trying to clean it, it shouldn't be installing anything new.
 
These items have finally started to do stuff to my computer.

I have followed these procedures: http://www.spywareinfoforum.com/lofiversion/index.php/t78085.html

But they will keep coming back no matter what I do.

If I post a HijackThis log now you will probably not see the protocols because they hide themselves and the only way to reveal them is removing something.
I've read all the Protocol hijack: entries are bad and have followed the link posted above but still cannot get these off. Only symptoms are cannot watch videos in IE but can be done perfectly with Firefox (Firefox is my main browser). Thanks for the help.
If you wanted to see my HijackThis log anyway, here it is.

The anti-spyware, malware, and Ad-Aware come up clean.
 
Post #6:
Disable Peer Guardian:
D:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [PeerGuardian] D:\Program Files\PeerGuardian2\pg2.exe

You will have to go into the program to disable it or look in Control Panel> Administrative Tools> Services>> IF Peer Guardian runs a Service here, change Startup type to Disabled, reboot.

Before you scan again with HijackThis, go to Folder Options in the Control Panel> View tab> CHECK 'show hidden files and folders'> Apply> OK.
O4 - HKCU\..\Run: [PeerGuardian] D:\Program Files\PeerGuardian2\pg2.exe
D:\Program Files\PeerGuardian2\pg2.exe

How did you first see these in a HijackThis log?
 
All you said is done and even though PeerGuardian runs, I keep it disabled all the time unless I'm doing P2P. The first time I saw these was if I type in techspot.com in the HTML bar. I added it as a bookmark and that seems to work because I reimage with Acronis and now I got them again for no reason.
 
O4 - HKCU\..\Run: [PeerGuardian] D:\Program Files\PeerGuardian2\pg2.exe

You may think it's disabled, but the O4 entry means it's being loaded from the Registry or Startup group.
 
That's right, it loads but there is an enable and disable button on it. And to tell when it is on or not is that when it's on I can't connect to Steam, when disabled I can. Also I finally really remember how I think I got it. I think I got it from the page called securitywiki or something like that. Some guy linked to it on the forum (old post) and I just clicked on it and read stuff on it.
I also just got this after doing stuff in Autorun, the program thingy:

O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
 
How did you first see these in a HijackThis log?
If i post a Hijackthis log now you will probably not see the protocols because they hide themselves and only way to reveal them is removing something.

You copied the list of 018 entries from somewhere, but I have yet to see it. Where did you get it?

I can't find anything applicable to 'security wiki'. I don't know what the use of that is meant for. Actually only a few hijackers show up in the 018 entries. I gave you a list of them. Go through the list, compare the CLSID (that's the string of numbers in brackets) to the known hijackers.

If you are still concerned, run the Malwarebytes program and post the log. We will 'see' what it picks up:
Please download Malwarebytes' Anti-Malware from:
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

Save to the desktop. Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Run the scan with Malwarebytes again> When the scan is complete, click OK, then 'Show Results' to view the results. Be sure that everything is checked, and click 'Remove Selected'.
When completed, a log will open in Notepad.
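As an added example (my own script, not part of this thread and not HijackThis code), here is a small Python triage that does the comparison Bobbye describes: it parses O18 lines, pulls out the CLSID in brackets, matches it against the hijacker CLSIDs quoted from the greyknight17 list earlier in the thread, and separately lists the entries HJT tagged as 'hijack' for manual review. It also shows which handler names share one CLSID (the 'file' hijack line and the 'local' line both carry urlmon.dll's CLSID); the sample log lines are copied from this thread, and the verdict labels are my own wording.

```python
import re
from typing import Optional

# Hijacker CLSIDs transcribed from the greyknight17 O18 list quoted earlier in this thread.
KNOWN_BAD_CLSIDS = {
    "{2DE94081-9FE6-4227-BC59-B7A80CC8308C}": "ClientMan",
    "{EE7A946E-61FA-4979-87B8-A6C462E6FA62}": "TROJ_SCAGENT.B",
    "{55A83695-84E2-49E2-AB1C-6E6733ECD8B4}": "TROJ_SCAGENT.B",
    "{6585E5B4-4D2A-4A1D-A219-4102C64BA999}": "CoolWebSearch",
    "{D962EF38-5FB0-4761-8638-C86F085E25E6}": "CoolWebSearch",
    "{4A8DADD4-5A25-4D41-8599-CB7458766220}": "TROJ_WINSHOW",
    "{53B95211-7D77-11D2-9F80-00104B107C96}": "Adware.FindemNow",
    "{53B95211-7D77-11D2-9F81-00104B107C96}": "CoolWebSearch / SmartSearch",
    "{63B95211-7D77-11D2-9F80-00104B107C96}": "CoolWebSearch",
    "{CC905FF6-B553-496C-9DFA-CFF65ADCD0FC}": "CoolWebSearch",
    "{FF76A5DA-6158-4439-99FF-EDC1B3FE100C}": "IBIS Toolbar",
    "{CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE}": "IBIS Toolbar / Huntbar",
    "{5AB65DD4-01FB-44D5-9537-3767AB80F790}": "Huntbar",
    "{07C0D34D-11D7-43F7-832B-C6BB41726F5F}": "lop.com",
}

# O18 line shape: "O18 - Protocol[ hijack]: name - {CLSID} [- path]" (Filter lines look the same).
O18_RE = re.compile(
    r"^O18\s*-+\s*(?P<kind>Protocol|Filter)(?P<hijack>\s+hijack)?:\s*(?P<name>\S+)\s*-\s*"
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}|\(no CLSID\))"
    r"(?:\s*-\s*(?P<path>.+))?$"
)


def parse_o18(line: str) -> Optional[dict]:
    """Split one HijackThis O18 line into kind, hijack flag, name, CLSID and path; None if not O18."""
    m = O18_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "kind": d["kind"],
        "hijack": d["hijack"] is not None,
        "name": d["name"],
        "clsid": d["clsid"].upper() if d["clsid"].startswith("{") else None,
        "path": d["path"],
    }


def classify(entry: dict) -> str:
    """Verdict for one parsed entry, checked in the order a helper would: known CLSID first."""
    if entry["clsid"] in KNOWN_BAD_CLSIDS:
        return "KNOWN HIJACKER: " + KNOWN_BAD_CLSIDS[entry["clsid"]]
    if entry["hijack"]:
        return "FLAGGED 'hijack' by HJT: CLSID not in the known-bad list, needs manual review"
    if entry["clsid"] is None or entry["path"] in (None, "(no file)"):
        return "NO CLSID/FILE: orphaned handler, worth noting"
    return "not in known-bad list"


def triage(log_text: str) -> list:
    """Return (name, clsid, verdict) for every O18 line in a pasted HJT log."""
    results = []
    for line in log_text.splitlines():
        entry = parse_o18(line)
        if entry:
            results.append((entry["name"], entry["clsid"], classify(entry)))
    return results


def shared_clsids(log_text: str) -> dict:
    """Map each CLSID that several O18 names share to those names (e.g. file/local on urlmon.dll)."""
    by_clsid = {}
    for line in log_text.splitlines():
        e = parse_o18(line)
        if e and e["clsid"]:
            by_clsid.setdefault(e["clsid"], []).append(e["name"])
    return {c: n for c, n in by_clsid.items() if len(n) > 1}


# Constructed sample: four lines from the log posted above plus one ClientMan line from the list.
SAMPLE_LOG = r"""
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Filter: text/html - {2DE94081-9FE6-4227-BC59-B7A80CC8308C} - C:\Program Files\ClientMan\run\searchrep887fa403.dll
"""

if __name__ == "__main__":
    for name, clsid, verdict in triage(SAMPLE_LOG):
        print(f"{name:10} {clsid or '(no CLSID)':40} {verdict}")
    print("CLSIDs shared by several handlers:", shared_clsids(SAMPLE_LOG))
```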
 
KKK I'll remove something and I'll show you the whole log.

I can't get rid of the desktop thingy.
Malwarebytes already on comp

Found:
If you get something like this - a long list of legal files in O18 - it's probably because you are running HijackThis with the "ihatewhitelists" command line option - ihatewhitelists
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\POWERW~1\XDictExB.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - %SystemRoot%\System32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - %SystemRoot%\System32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\System32\msdxm.ocx
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll

But the protocol hijack stuff ain't there:

O18 - Protocol hijack: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol hijack: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol hijack: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6}
O18 - Protocol hijack: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF}
O18 - Protocol hijack: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}
O18 - Protocol hijack: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
O18 - Protocol hijack: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}
 
Note to Bobbye - spot check of the O18 list (user's HJT log): they appear on the whitelist.

Search of o18.html works only for names or files. Search by clsid does not appear to work.

Example - searched for 'wia'. The clsid matches the entry in the users HJT log.

It appears that HJT complains 'hijack' if the path is not valid. Does this mean that HJT actions trigger an attack against protocols?
 
Thanks for the tip about the 018 not showing! I have just been trying to find out where the user is seeing these entries.

KKK I'll remove something and I'll show you the whole log.
WHAT are you removing? Why are you removing it? What purpose is it serving?
When we're trying to help clean out malware, using anything to hide some of the HijackThis entries accomplishes nothing! Especially when your question was specifically about those entries in the first place! How do we know you're not 'hiding' other entries?

If you're back using IE6 without incident and you uninstalled IE7 which removed the video 'block', then it sounds like the settings were wrong.
 
What I removed was the desktop component thing, but it wouldn't actually remove so it stayed there, but the O18s will appear if I click Fix checked on anything and immediately save a log. The purpose to remove something is that the O18s will appear if I click Fix checked on anything. The desktop component thingy has no name and no file. No, I just recently installed IE7. I don't hide the HijackThis log entries at all. THEY WILL DISAPPEAR on their own and then if I click Fix checked on anything, whether it removed or not, they will appear.
 
O24 thingy - very interesting. I've ignored it because I "a$s u me" it can't hurt unless touched by the user. After re-reading the tutorial, it is not clear how to delete the desktop item.

On unused portion of desktop > right click > properties > desktop > customize desktop > web

Please describe the contents of the box "web pages"

Feel free to muck around with properties for a better understanding.
 
I am still uncertain as to just what this process is doing. All other logs I checked have all or most of the following processes in combination:
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
You have only the 024 entry. And the only 018 entry of yours that is anything close to this is:
O18 - Protocol: msdaipp - (no CLSID) - (no file)
msdaipp.dll is a module associated with SharePoint Portal Server from Microsoft Corporation.
SharePoint can refer to two products:
* Windows SharePoint Services (WSS)
* Microsoft Office SharePoint Server (MOSS)
WSS allows creation of Document libraries, which are collections of files that can be shared for collaborative editing. It also includes a collection of web parts, which are web widgets that can be embedded into web pages. A SharePoint page is built by combining the web parts into a web page, to be accessed using a browser.

Microsoft Office SharePoint Server (MOSS) is part of Microsoft SharePoint and runs on top of Windows SharePoint Services (WSS), enabling an organization's information to be organized and aggregated in one central, web-based application and providing a taxonomy for corporate data.

So back again to the beginning- what has Autorun disabled, and why does its running allow the O18 entries to show in the log, whereas disabling it hides them?

Maybe someone has the answer for this. I do not. About Autorun:
The term AutoRun is also used in reference to a feature that causes a certain file to open or a certain program to start automatically as soon as a computer with Windows is booted up. AutoRun is a feature of the Windows operating system that causes a certain file to open or a certain program to run automatically as soon as a compact disc (CD) is inserted into the CD drive.

Enabling and Disabling AutoRun:
http://msdn.microsoft.com/en-us/library/cc144204(VS.85).aspx

AutoRun also works with network drives that are mapped to a drive letter with Windows Explorer or mounted with the Microsoft Management Console (MMC).
 