Hi all.
I thank you in advance for any one who kindly help me to remove/disable all of hijackers and magicians from my PC.
They work like a kind of magic. First I know, they could close regedit and some other programs, also they have ability to prevent IE browsing to some anti spyware web-sites (that's why I use FireFox).
Then I realized that it also changed notepad.exe to notepad.com, and (may be) copy it self into fontview.exe so it can not work as it is.
Moreover it made all of HijackThis, HJT, CWShredde, etc (either in zip and exe files) always disappear when I download from various web and ftp sites even using FTP software. Then finally I can download HJT.zip by using Save As to non english words (i.e. HJT.zip to NorakAbis.zip which is contain HijackThis.exe).
But when I do unzip (thru DOS prompt) the result always lost or disappear. I have searched the computer but could not find. I can get the exe file after unzip to another name (i.e. HijackThis.exe to Nyebelin.exe) then run Nyebelin.exe to produce log file as below.
Again, I can not save the log file into HijackThis.log as default instead of another name - KiJakaTole.log.
Logfile of HijackThis v1.98.1
Scan saved at 0:47:02 AM, on 8/3/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\locator.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\WINNT\sm56hlpr.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINNT\system32\cmd.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\HJT\HijackTH.EXE
C:\Program Files\UltraEdit\uedit32.exe
C:\Program Files\UltraEdit\uedit32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3BF96158-B614-7496-8003-64550DA7294E} - C:\WINNT\System32\jqnu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar2.dll
O2 - BHO: (no name) - {DE614603-6320-4046-A7A7-6A69CEC26F14} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.vladzone.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v3/vet_install_popup.pl?0&4&unknown&unknown&unknown&unknown&unknown&unknown&unknown&unknown&unknown&unknown&unknown&unknown&unknown
O16 - DPF: {10B80396-96A7-11D3-B7A6-00A0C94C6AE0} (ParallelGraphics Cortona VRML 1.0 to VRML 2.0 convertor) - http://www.parallelgraphics.com/bin/cortvrml10.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{902F1274-FC81-43C3-BB2C-53D9F03CC3C8}: NameServer = 202.51.252.2,202.51.252.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{902F1274-FC81-43C3-BB2C-53D9F03CC3C8}: NameServer = 202.51.252.2,202.51.252.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{902F1274-FC81-43C3-BB2C-53D9F03CC3C8}: NameServer = 202.51.252.2,202.51.252.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O19 - User stylesheet: C:\WINNT\system32\ebftcm.555 (file missing)
Again, appreciate and thanks in advance for any help and idea how to remove them from my PC permanently.
--
Hastu Ws.//Jakarta
