Multiple O18 Protocol Hijacks reported in HijackThis

[taitoku]

Hello everyone, this is my first post here. This is a problem which I've had for a while, and though there are no overt malevolent effects on my system, the very fact that these entries appear in HijackThis is enough to make me want to rid myself of them (I say no overt effects, but my computer is often very slow after it's been on for a short while and there's heavy hard disk activity with things like changing panes in Firefox or switching from Firefox to Thunderbird). I've searched many other forums and twice implemented the recommended registry fixes which seemed to fix the problem, but it obviously didn't fix it for long. If I select 'fix checked' in HijackThis and scan again, these O18s disappear, leaving a single O18 protocol hijack - something like 'msdaipp.dll (application missing)'. If I select 'fix checked' and scan again, this entry is still present. After rebooting, the original 9 O18s are again present and the msdaipp.dll one is not.

Attached are the log files from SuperAntiSpyware, Malwarebytes Anti-Malware, RootRepeal and MGtools (I tried using ComboFix, but it caused my system to hang and I ended up having to yank out the power cable). I found this website after Google turned up a post ('Protocal Hijack Entries still present after R&R') by someone on here with a similar problem. Theirs was one with 7 O18s:

O18 - Protocol hijack: file - FILE>{79PHCNMH-IHW9-H1MG-IT82H00MH0IHW{PHT}
O18 - Protocol hijack: ftp - >IT{PH9NMHBIH9-1HTMG8I82-H0NMH0IHW90H}
O18 - Protocol hijack: http - {7PHANMH5-HW{PH11GE-8{PH-00HAIH4{PH0M}
O18 - Protocol hijack: its - >IT14H2N1HBIH8-1HT0GAIT{-H000H8IH49PH}
O18 - Protocol hijack: res - >I050H3NMH9IH5-1HTMGBI82-H0NMH0IHW{0H}
O18 - Protocol hijack: tv - {HBIH08PH-MG4I-11H2-MHDIH00PH4MGBIT6P}
O18 - Protocol hijack: wia - >I3{3HANMH9IH7-4H0MGAI76-H2NMHAIHW{PH}

Though as these 7 are present in the 9 O18s that I have, I followed the steps to solve that problem, including closing all running programs before using HijackThis to remove these entries. Unfortunately, there was no C:\WINDOWS\SYSTEM32\cd.dat file on my system and after rebooting, those meddlesome hijacks were there once again.

I realise this is a lot of trouble, but any help you can provide will be much appreciated, thank you.

[taitoku]

Oops, here are the attachments.

[Kestrel13!]

I want you to run TDSSKiller so refer to the below for how to do so.

TDSSkiller - How to run


Please also download MBRCheck to your desktop

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.

[taitoku]

Thanks for the reply, here are the log files from those two programs. I know that some of the processes that show up in the TDSSkiller one are part of the default setup on this IBM laptop I'm using. Some of them I'm not so sure about though, I'll have to look into them.

[Kestrel13!]

Quote:

Some of them I'm not so sure about though, I'll have to look into them.

They're just fine.


Why did you not run Combofix??



There should not be any issues with this but just in case please create a restore point. See the below for how to do this:

http://support.microsoft.com/kb/948247



Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Quote:

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\file]
@="file:, local: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e7-baf9-11ce-8c82-00aa004ba90b}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\http]
@="http: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e2-baf9-11ce-8c82-00aa004ba90b}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ftp]
@="ftp: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e3-baf9-11ce-8c82-00aa004ba90b}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\its]
@="its: Asychronous Pluggable Protocol Handler"
"CLSID"="{9D148291-B9C8-11D0-A4CC-0000F80149F6}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\lid]
@="MS TV ATVEF compliant lid: Protocol Handler"
"CLSID"="{5C135180-9973-46D9-ABF4-148267CBB8BF}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mk]
@="mk: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e6-baf9-11ce-8c82-00aa004ba90b}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\wia]
@="wia: Asychronous Pluggable Protocol Handler for WIA devices"
"CLSID"="{13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}"

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


Now re run Hijackthis, do a system scan only and attach the log file for me to see.

[taitoku]

Quote:

Originally Posted by Kestrel13!

Why did you not run Combofix??

As stated in my first post, I couldn't get it to work. Despite following the directions laid out in this forum for using Combofix, it never started scanning, there was just a message about it starting the scan and a flashing carat. I left it for five minutes, but it still didn't progress past this point, and when I tried to right click it in the task bar to close it, my system locked up entirely. The power button wasn't responding, so I ended up having to cut the power by pulling the power cable out. I'm slightly apprehensive about trying to use it again.

Anyway, I followed your directions, and created and applied the registry fix with success message. After applying it, the HijackThis scan appeared as hijackthis.log - seemingly clear. However, just to make sure I wasn't in the same situation as before, I tried "fixing" one of the normal entries to see if the protocol hijacks would reappear and sure enough...(hijackthis2.log)

This must be why when I tried similar registry fixes in the past the damned things always came back. It's truly puzzling. Perhaps they're anchored to a hidden file somewhere?

[Kestrel13!]

Hello there. I have had another look and they appear to be legit entries. Here is one example to show you http://www.systemlookup.com/O18/51-itss_dll.html You should stop fixing them now.

[taitoku]

Well that's good to know. Thank you for all your help!

[Kestrel13!]

You're most welcome.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!