MajorGeeks Support Forums

Go Back   MajorGeeks Support Forums > ----------= PC, Desktop and Laptop Support =---------- > Malware Removal
Register FAQ Members List Calendar Casino Mark Forums Read

Malware Removal Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.


Closed Thread
 
Thread Tools Display Modes
  #1  
Old 04-25-12, 09:04
taitoku taitoku is offline
Private E-2
 
Join Date: Apr 2012
Posts: 5
Thanks: 1
Thanked 0 Times in 0 Posts
Default Multiple O18 Protocol Hijacks reported in HijackThis

Hello everyone, this is my first post here. This is a problem which I've had for a while, and though there are no overt malevolent effects on my system, the very fact that these entries appear in HijackThis is enough to make me want to rid myself of them (I say no overt effects, but my computer is often very slow after it's been on for a short while and there's heavy hard disk activity with things like changing panes in Firefox or switching from Firefox to Thunderbird). I've searched many other forums and twice implemented the recommended registry fixes which seemed to fix the problem, but it obviously didn't fix it for long. If I select 'fix checked' in HijackThis and scan again, these O18s disappear, leaving a single O18 protocol hijack - something like 'msdaipp.dll (application missing)'. If I select 'fix checked' and scan again, this entry is still present. After rebooting, the original 9 O18s are again present and the msdaipp.dll one is not.

Attached are the log files from SuperAntiSpyware, Malwarebytes Anti-Malware, RootRepeal and MGtools (I tried using ComboFix, but it caused my system to hang and I ended up having to yank out the power cable). I found this website after Google turned up a post ('Protocal Hijack Entries still present after R&R') by someone on here with a similar problem. Theirs was one with 7 O18s:

O18 - Protocol hijack: file - FILE>{79PHCNMH-IHW9-H1MG-IT82H00MH0IHW{PHT}
O18 - Protocol hijack: ftp - >IT{PH9NMHBIH9-1HTMG8I82-H0NMH0IHW90H}
O18 - Protocol hijack: http - {7PHANMH5-HW{PH11GE-8{PH-00HAIH4{PH0M}
O18 - Protocol hijack: its - >IT14H2N1HBIH8-1HT0GAIT{-H000H8IH49PH}
O18 - Protocol hijack: res - >I050H3NMH9IH5-1HTMGBI82-H0NMH0IHW{0H}
O18 - Protocol hijack: tv - {HBIH08PH-MG4I-11H2-MHDIH00PH4MGBIT6P}
O18 - Protocol hijack: wia - >I3{3HANMH9IH7-4H0MGAI76-H2NMHAIHW{PH}

Though as these 7 are present in the 9 O18s that I have, I followed the steps to solve that problem, including closing all running programs before using HijackThis to remove these entries. Unfortunately, there was no C:\WINDOWS\SYSTEM32\cd.dat file on my system and after rebooting, those meddlesome hijacks were there once again.

I realise this is a lot of trouble, but any help you can provide will be much appreciated, thank you.
Sponsored links
  #2  
Old 04-25-12, 09:08
taitoku taitoku is offline
Private E-2
 
Join Date: Apr 2012
Posts: 5
Thanks: 1
Thanked 0 Times in 0 Posts
Default Re: Multiple O18 Protocol Hijacks reported in HijackThis

Oops, here are the attachments.
Attached Files
File Type: zip MGlogs.zip (127.2 KB, 2 views)
File Type: log SUPERAntiSpyware Scan Log - 04-25-2012 - 03-23-18.log (8.4 KB, 1 views)
File Type: txt mbam-log-2012-04-25 (03-39-44).txt (1.8 KB, 1 views)
File Type: txt RRlog.txt (690 Bytes, 1 views)
  #3  
Old 04-25-12, 09:41
Kestrel13!'s Avatar
Kestrel13! Kestrel13! is offline
Super Malware Fighter - Major Dilemma
 
Join Date: Apr 2007
Location: cloud cuckoo land
Posts: 29,311
Thanks: 1,044
Thanked 3,820 Times in 3,718 Posts
Default Re: Multiple O18 Protocol Hijacks reported in HijackThis

I want you to run TDSSKiller so refer to the below for how to do so.

TDSSkiller - How to run


Please also download MBRCheck to your desktop
  • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:
    • Done! Press ENTER to exit...
  • Or you will see more information like below if a problem is found:
    • Found non-standard or infected MBR.
    • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
__________________
Have we been helpful? Did our services here at MajorGeeks save you a whole lot of cash? If you would like to bequest a small amount as a token of your appreciation, please look out for the yellow 'Donate' button on the top right of any page. Thanks!
  #4  
Old 04-25-12, 10:53
taitoku taitoku is offline
Private E-2
 
Join Date: Apr 2012
Posts: 5
Thanks: 1
Thanked 0 Times in 0 Posts
Default Re: Multiple O18 Protocol Hijacks reported in HijackThis

Thanks for the reply, here are the log files from those two programs. I know that some of the processes that show up in the TDSSkiller one are part of the default setup on this IBM laptop I'm using. Some of them I'm not so sure about though, I'll have to look into them.
Attached Files
File Type: txt TDSSKiller.2.7.33.0_25.04.2012_15.23.46_log.txt (111.6 KB, 2 views)
File Type: txt MBRCheck_04.25.12_15.47.06.txt (10.1 KB, 1 views)
  #5  
Old 04-25-12, 19:15
Kestrel13!'s Avatar
Kestrel13! Kestrel13! is offline
Super Malware Fighter - Major Dilemma
 
Join Date: Apr 2007
Location: cloud cuckoo land
Posts: 29,311
Thanks: 1,044
Thanked 3,820 Times in 3,718 Posts
Default Re: Multiple O18 Protocol Hijacks reported in HijackThis

Quote:
Some of them I'm not so sure about though, I'll have to look into them.
They're just fine.


Why did you not run Combofix??



There should not be any issues with this but just in case please create a restore point. See the below for how to do this:

http://support.microsoft.com/kb/948247



Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.


Quote:
REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\file]
@="file:, local: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e7-baf9-11ce-8c82-00aa004ba90b}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\http]
@="http: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e2-baf9-11ce-8c82-00aa004ba90b}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ftp]
@="ftp: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e3-baf9-11ce-8c82-00aa004ba90b}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\its]
@="its: Asychronous Pluggable Protocol Handler"
"CLSID"="{9D148291-B9C8-11D0-A4CC-0000F80149F6}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\lid]
@="MS TV ATVEF compliant lid: Protocol Handler"
"CLSID"="{5C135180-9973-46D9-ABF4-148267CBB8BF}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mk]
@="mk: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e6-baf9-11ce-8c82-00aa004ba90b}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\wia]
@="wia: Asychronous Pluggable Protocol Handler for WIA devices"
"CLSID"="{13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}"
Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


Now re run Hijackthis, do a system scan only and attach the log file for me to see.
__________________
Have we been helpful? Did our services here at MajorGeeks save you a whole lot of cash? If you would like to bequest a small amount as a token of your appreciation, please look out for the yellow 'Donate' button on the top right of any page. Thanks!
Sponsored links
  #6  
Old 04-26-12, 11:28
taitoku taitoku is offline
Private E-2
 
Join Date: Apr 2012
Posts: 5
Thanks: 1
Thanked 0 Times in 0 Posts
Default Re: Multiple O18 Protocol Hijacks reported in HijackThis

Quote:
Originally Posted by Kestrel13! View Post
Why did you not run Combofix??
As stated in my first post, I couldn't get it to work. Despite following the directions laid out in this forum for using Combofix, it never started scanning, there was just a message about it starting the scan and a flashing carat. I left it for five minutes, but it still didn't progress past this point, and when I tried to right click it in the task bar to close it, my system locked up entirely. The power button wasn't responding, so I ended up having to cut the power by pulling the power cable out. I'm slightly apprehensive about trying to use it again.

Anyway, I followed your directions, and created and applied the registry fix with success message. After applying it, the HijackThis scan appeared as hijackthis.log - seemingly clear. However, just to make sure I wasn't in the same situation as before, I tried "fixing" one of the normal entries to see if the protocol hijacks would reappear and sure enough...(hijackthis2.log)

This must be why when I tried similar registry fixes in the past the damned things always came back. It's truly puzzling. Perhaps they're anchored to a hidden file somewhere?
Attached Files
File Type: log hijackthis.log (4.4 KB, 1 views)
File Type: log hijackthis2.log (5.1 KB, 1 views)
  #7  
Old 04-27-12, 07:50
Kestrel13!'s Avatar
Kestrel13! Kestrel13! is offline
Super Malware Fighter - Major Dilemma
 
Join Date: Apr 2007
Location: cloud cuckoo land
Posts: 29,311
Thanks: 1,044
Thanked 3,820 Times in 3,718 Posts
Default Re: Multiple O18 Protocol Hijacks reported in HijackThis

Hello there. I have had another look and they appear to be legit entries. Here is one example to show you http://www.systemlookup.com/O18/51-itss_dll.html You should stop fixing them now.
__________________
Have we been helpful? Did our services here at MajorGeeks save you a whole lot of cash? If you would like to bequest a small amount as a token of your appreciation, please look out for the yellow 'Donate' button on the top right of any page. Thanks!
  #8  
Old 04-27-12, 08:57
taitoku taitoku is offline
Private E-2
 
Join Date: Apr 2012
Posts: 5
Thanks: 1
Thanked 0 Times in 0 Posts
Default Re: Multiple O18 Protocol Hijacks reported in HijackThis

Well that's good to know. Thank you for all your help!
  #9  
Old 04-27-12, 19:02
Kestrel13!'s Avatar
Kestrel13! Kestrel13! is offline
Super Malware Fighter - Major Dilemma
 
Join Date: Apr 2007
Location: cloud cuckoo land
Posts: 29,311
Thanks: 1,044
Thanked 3,820 Times in 3,718 Posts
Default Re: Multiple O18 Protocol Hijacks reported in HijackThis

You're most welcome.

If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
  2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
    • "%userprofile%\Desktop\combofix" /uninstall
      • Notes: The space between the combofix" and the /uninstall, it must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
  4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
  6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  7. Go to add/remove programs and uninstall HijackThis.
  8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
    related to MGtools and some other items from our cleaning procedures.
  9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning procedures pointed to by step 7 of the READ ME
      for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  10. After doing the above, you should work thru the below link:
__________________
Have we been helpful? Did our services here at MajorGeeks save you a whole lot of cash? If you would like to bequest a small amount as a token of your appreciation, please look out for the yellow 'Donate' button on the top right of any page. Thanks!
The Following User Says Thank You to Kestrel13! For This Useful Post:
taitoku (04-27-12)
Closed Thread

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Hijacks doc Holliday Malware Removal 5 06-03-11 14:48
email hijacks chartist Malware Removal 1 03-01-07 01:33
possibly more hijacks... RayJay Malware Removal 10 07-18-06 01:12
Hijacks R us!!! Deb Malware Removal 1 04-15-05 00:06
Only the Best and other hijacks Scaryduke Malware Removal 13 07-24-04 05:14


All times are GMT -5. The time now is 00:49.

MajorGeeks.Com Menu

MajorGeeks.Com \ All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ NEW! PC Games \ System Tools \ Macintosh \ Demonews.Com \ Top Downloads

MajorGeeks.Com \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds


All content Copyright MajorGeeks.com source code Powered by vBulletin® Version 3.8.4
Copyright © 2009 vBulletin Solutions, Inc. All rights reserved.
Ad Management by RedTyger