HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.

Post #1, 10-01-2004, 07:18 AM
Registered User
 
Join Date: Oct 2004
Posts: 4
OS: XP


Serious problems with computer

Hello, I am having serious problems with my computer and wondered if you would perhaps be able to help. My main problem is that my start-up page for the internet has been changed to a pornographic site, and secondly the fact that every now and again I get strange pop-up warnings such as 'now running' or 'no modem found' and then out of nowhere I get connected to a pornographic site.
I ran a scan on RAV antivirus and the results are as below:

H:\web.exe - Trojan:Win32/Small.AI -> Infected
H:\Documents and Settings\Mark\herovdfan.exe - Tool:PornDialer.HQ -> Infected
H:\Documents and Settings\Mark\Local Settings\Temp\xwxload.exe - TrojanDownloader:Win32/Xoad -> Infected
H:\WINDOWS\system32\dktibs.exe - TrojanDownloader:Win32/Small.MY -> Infected
H:\WINDOWS\system32\sex.exe - Tool:PornDialer.HQ -> Infected
H:\WINDOWS\system32\xdldr24.exe - TrojanDownloader:Win32/Xoad -> Suspicious

Also, my HijackThis log is as follows:
Logfile of HijackThis v1.98.2
Scan saved at 22:07:35, on 2004/10/01
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Ahead\InCD\InCDsrv.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\ZoneLabs\vsmon.exe
H:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
H:\Program Files\Ahead\InCD\InCD.exe
H:\WINDOWS\shicoxp.exe
H:\WINDOWS\System32\windows\services.exe
H:\WINDOWS\System32\systime.exe
H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
H:\WINDOWS\System32\ctfmon.exe
H:\Program Files\Messenger\msmsgs.exe
H:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
H:\WINDOWS\System32\systime.exe
H:\WINDOWS\System32\ctfmon.exe
H:\WINDOWS\System32\wuauclt.exe
H:\WINDOWS\System32\wuauclt.exe
H:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: ラジオ(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "H:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] H:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] H:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "H:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] H:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [shicoxp] H:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [IMJPMIG9.0] H:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [Windows] H:\WINDOWS\System32\windows\services.exe
O4 - HKLM\..\Run: [SysTime] H:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [Zone Labs Client] "H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PowerBar] "H:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [SysTime] H:\WINDOWS\System32\systime.exe
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: リサーチ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: H:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (ウイルスバスター On-Line Scan) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - H:\WINDOWS\System32\Mhcjjcnk.dll

Thank you for your time, and any help you may be able to give will be much appreciated. Yours sincerely, Mark Schumann
markcars is offline  
Post #2, 10-01-2004, 12:55 PM
Analyst, Security Team
 
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


Welcome to TSF.

Are the viruses removed by RAV now?

Please print out or copy this page to Notepad. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Reboot into Safe Mode (hit F8 key until menu shows up).

Make sure to close any open browsers. Check and fix the following in HijackThis if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [Windows] H:\WINDOWS\System32\windows\services.exe
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (ウイルスバスター On-Line Scan) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - H:\WINDOWS\System32\Mhcjjcnk.dll

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

H:\WINDOWS\System32\windows\services.exe
H:\WINDOWS\System32\Mhcjjcnk.dll

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.

To help prevent future spyware installations/infections, please read my anti-spyware section and use the tools provided.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
Post #3, 10-02-2004, 02:37 AM
Registered User
 
Join Date: Oct 2004
Posts: 4
OS: XP


Thank you very much for taking the time to reply. Very much appreciated. I have taken the steps that you mentioned and have now posted a new HijackThis log. Also, the viruses that I mentioned in my first post have been removed using Spyware Doctor.

Logfile of HijackThis v1.98.2
Scan saved at 17:34:39, on 2004/10/02
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Ahead\InCD\InCDsrv.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\ZoneLabs\vsmon.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\inetdim\services.exe
H:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
H:\Program Files\Ahead\InCD\InCD.exe
H:\WINDOWS\shicoxp.exe
H:\WINDOWS\System32\systime.exe
H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
H:\WINDOWS\System32\ctfmon.exe
H:\Program Files\Messenger\msmsgs.exe
H:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
H:\WINDOWS\System32\systime.exe
H:\WINDOWS\System32\wuauclt.exe
H:\Program Files\Spyware Doctor\spydoctor.exe
H:\Program Files\Outlook Express\msimn.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\HJT\HijackThis.exe

F3 - REG:win.ini: run=H:\WINDOWS\inetdim\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: ラジオ(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "H:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] H:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] H:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "H:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] H:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [shicoxp] H:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [IMJPMIG9.0] H:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [Windows] H:\WINDOWS\System32\windows\services.exe
O4 - HKLM\..\Run: [SysTime] H:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [Zone Labs Client] "H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [xp_system] H:\WINDOWS\inetdim\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PowerBar] "H:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [SysTime] H:\WINDOWS\System32\systime.exe
O4 - HKCU\..\Run: [xp_system] H:\WINDOWS\inetdim\services.exe
O4 - HKCU\..\Run: [Spyware Doctor] "H:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: リサーチ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: H:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (ウイルスバスター On-Line Scan) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

Thanks for your help.
Regards
Mark Schumann
markcars is offline  
Post #4, 10-02-2004, 09:51 AM
Analyst, Security Team
 
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


Please print out or copy this page to Notepad. You should not have any open browsers when you are following the procedures below.

Reboot into Safe Mode (hit F8 key until menu shows up).

Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

H:\WINDOWS\inetdim\services.exe

Check and fix the following in HijackThis if they still exist (make sure not to miss any):

F3 - REG:win.ini: run=H:\WINDOWS\inetdim\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [Windows] H:\WINDOWS\System32\windows\services.exe
O4 - HKLM\..\Run: [xp_system] H:\WINDOWS\inetdim\services.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

H:\WINDOWS\inetdim\services.exe
H:\WINDOWS\System32\windows\services.exe - make sure to delete the services.exe in this folder ONLY

Open up this folder (H:\WINDOWS\System32\windows\) and see what other files are listed in there.

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.

To help prevent future spyware installations/infections, please read the anti-spyware section and use the tools provided.

greyknight17 is offline  
Post #5, 10-02-2004, 11:49 AM
Registered User
 
Join Date: Oct 2004
Posts: 4
OS: XP


Thank you very much for your continued support. Everything appears to be almost back to normal again; however, the web page start-up setting still changes to a pornographic website upon reboot. Here is my latest HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 2:45:57, on 2004/10/03
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Ahead\InCD\InCDsrv.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\ZoneLabs\vsmon.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
H:\Program Files\Ahead\InCD\InCD.exe
H:\WINDOWS\shicoxp.exe
H:\WINDOWS\System32\systime.exe
H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
H:\WINDOWS\System32\ctfmon.exe
H:\Program Files\Messenger\msmsgs.exe
H:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
H:\WINDOWS\System32\systime.exe
H:\Program Files\Spyware Doctor\spydoctor.exe
H:\WINDOWS\System32\wuauclt.exe
H:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: ラジオ(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "H:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] H:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] H:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "H:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] H:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [shicoxp] H:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [IMJPMIG9.0] H:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [SysTime] H:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [Zone Labs Client] "H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PowerBar] "H:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [SysTime] H:\WINDOWS\System32\systime.exe
O4 - HKCU\..\Run: [xp_system] H:\WINDOWS\inetdim\services.exe
O4 - HKCU\..\Run: [Spyware Doctor] "H:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: リサーチ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: H:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sha...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (ウイルスバスター On-Line Scan) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

Thank you for all your support.
Regards
Mark Schumann
markcars is offline  
Post #6, 10-05-2004, 07:07 AM
Analyst, Security Team
 
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


End the following process if it still exists:

H:\WINDOWS\shicoxp.exe


Check and fix:

O4 - HKLM\..\Run: [shicoxp] H:\WINDOWS\shicoxp.exe


Delete:

H:\WINDOWS\shicoxp.exe


Restart and post a new log.

greyknight17 is offline  
Post #7, 10-05-2004, 10:31 AM
Registered User
 
Join Date: Oct 2004
Posts: 4
OS: XP


Thank you very much for your reply. I have posted a new HijackThis log below. Please note that my home page start-up setting still reverts to a certain page even after I try to change it.

Logfile of HijackThis v1.98.2
Scan saved at 1:28:11, on 2004/10/06
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Ahead\InCD\InCDsrv.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\ZoneLabs\vsmon.exe
H:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
H:\Program Files\Ahead\InCD\InCD.exe
H:\WINDOWS\System32\systime.exe
H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
H:\WINDOWS\System32\ctfmon.exe
H:\Program Files\Messenger\msmsgs.exe
H:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
H:\WINDOWS\System32\systime.exe
H:\Program Files\Spyware Doctor\spydoctor.exe
H:\WINDOWS\System32\wuauclt.exe
H:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: ラジオ(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "H:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] H:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] H:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "H:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] H:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG9.0] H:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [SysTime] H:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [Zone Labs Client] "H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PowerBar] "H:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [SysTime] H:\WINDOWS\System32\systime.exe
O4 - HKCU\..\Run: [xp_system] H:\WINDOWS\inetdim\services.exe
O4 - HKCU\..\Run: [Spyware Doctor] "H:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: リサーチ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: H:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sha...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (ウイルスバスター On-Line Scan) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab


Thanks again and regards.
Mark Schumann
markcars is offline  
Post #8, 10-05-2004, 11:34 AM
Manager, The Relaxation Room/Analyst, Security Team
 
 
Join Date: Oct 2004
Posts: 11,069
OS: xp


You have a trojan downloader too.
Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.


Restart in Safe Mode (hit F5 or F8 when rebooting).


Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"



O4 - HKLM\..\Run: [SysTime] H:\WINDOWS\System32\systime.exe

O4 - HKCU\..\Run: [SysTime] H:\WINDOWS\System32\systime.exe
O4 - HKCU\..\Run: [xp_system] H:\WINDOWS\inetdim\services.exe

Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete:
H:\WINDOWS\System32\systime.exe
H:\WINDOWS\inetdim\services.exe

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty the Recycle Bin

Go http://housecall.trendmicro.com/ and do an online virus scan.

Be sure to put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean, have it delete it, or make a note of the exact file name and file location so you can delete it yourself.

When you are sure you are clean turn it back on and create a restore point.



One more thing about a program you have on your machine: a review from a user:
Diazruanova 17-Sep-2004 07:12:12 AM
"Odd behavior"
I downloaded SWD a couple of weeks ago, because of the good user's reviews, but I am really disappointed with the product:
1. It does NOT perform such a thorough scan like Ad-Aware (therefore its scanning speed). Its full scan covers only about 60000 items in my PC while Ad-Aware scans close to 140,000.
2. Its database is very small compared to that of other major competitors.
3. It detects frequently some "False Positives" like AdNet, that SpyBot, Ad-Aware, and Pest Patrol do not detect, simply because there are NONE.
4. The program itself is full of bugs:
a. It does not keep some of the settings after a reboot: If you decide that SWD starts with Windows, and performs a quick scan, it loses its On-Guard activation, having to re-activate it manually.
b. You can NOT change the option (on startup) to NOT start with Windows; it reverts on and on and always starts every time you re-boot. This is because it puts a small file on the registry named spydoctor.exe/Q, which despite UN-installing the program, it tries to start it over and over. Very difficult to get rid of it BTW.
c. Despite having paid for the full version (very expensive if you ask), I never detected the program to perform an automatic update of its database. I always had to do it manually. There was not a pop-up window saying so or something else.
c. I think its On-Guard function is very weak. It did not detect the attempt of installation of a BHO that BHO Demon did, and prevented to complete it.
d. While the customer service is polite, they are very slow in responding, and sometimes they did not respond at all when I questioned the ODD behavior of some of the program's settings not working properly.
I do NOT think, as many of the people here, that SWD is as good as they rated it. I think it is an incomplete, buggy, overrated and overpriced software that does NOT compete very well with other major vendors, SpyBot included.



My point of view: Ad-Aware SE and Spybot Search & Destroy are better than Spyware Doctor.
And if you have to spend 39 bucks, I would buy TDS3 with no hesitation.
And if you decide to remove it, then you have to fix this entry with HJT:
O4 - HKCU\..\Run: [Spyware Doctor] "H:\Program Files\Spyware Doctor\spydoctor.exe" /Q


good luck
mimo2005 is offline  
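The checks the analysts applied by eye in posts #4 and #8 above (a services.exe running outside System32, the O15 Trusted Zone additions, the O21 SSODL loader, the win.ini run= autostart, the orphaned BHO, and the same autostart planted under both HKLM and HKCU) can be written down as a small triage script. The Python below is an added illustration, not code from this thread or from HijackThis; the System32 location, the list of core system names and the denylist are assumptions for the poster's machine, and the sample log is built from lines posted in the thread.

```python
import ntpath
import re

# Assumption: on this thread's machine Windows is on H:, so the genuine core
# binaries live only in H:\WINDOWS\System32 (add C:\ variants for other hosts).
SYSTEM_DIRS = {r"h:\windows\system32"}
SYSTEM_NAMES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "spoolsv.exe"}
# Constructed denylist: file names the analysts in this thread had deleted.
KNOWN_BAD = {"systime.exe", "shicoxp.exe", "mhcjjcnk.dll"}

PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|ocx)\b", re.IGNORECASE)
ENTRY_RE = re.compile(r"^([FO]\d+) - (.*)$")

# Constructed sample: lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
H:\WINDOWS\system32\services.exe
H:\WINDOWS\System32\windows\services.exe
H:\WINDOWS\inetdim\services.exe
H:\WINDOWS\System32\systime.exe

F3 - REG:win.ini: run=H:\WINDOWS\inetdim\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [InCD] H:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Windows] H:\WINDOWS\System32\windows\services.exe
O4 - HKLM\..\Run: [SysTime] H:\WINDOWS\System32\systime.exe
O4 - HKCU\..\Run: [SysTime] H:\WINDOWS\System32\systime.exe
O4 - HKCU\..\Run: [xp_system] H:\WINDOWS\inetdim\services.exe
O15 - Trusted Zone: *.searchmiracle.com
O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - H:\WINDOWS\System32\Mhcjjcnk.dll
"""

def extract_path(text):
    """First drive-letter path to an exe/dll/ocx in a log line, or None."""
    m = PATH_RE.search(text)
    return m.group(0) if m else None

def masquerades_as_system(path):
    """A core system file name that sits outside the real System32."""
    name = ntpath.basename(path).lower()
    return name in SYSTEM_NAMES and ntpath.dirname(path).lower() not in SYSTEM_DIRS

def reasons_for_path(path):
    """Why a path is suspicious, as the analysts judged it; empty if it is not."""
    reasons = []
    if masquerades_as_system(path):
        reasons.append("system binary name outside System32")
    if ntpath.basename(path).lower() in KNOWN_BAD:
        reasons.append("file the analysts flagged for deletion")
    return reasons

def triage(log_text):
    """(line, reasons) per suspicious line, then one per autostart seen in both hives."""
    findings, run_hives = [], {}
    for line in (l.strip() for l in log_text.splitlines()):
        m = ENTRY_RE.match(line)
        kind, body = m.groups() if m else ("", line)   # "" = a running-process line
        reasons = []
        if kind == "O15":
            reasons.append("Trusted Zone addition lowers IE security for that domain")
        elif kind == "O21":
            reasons.append("SSODL shell-load entry, rarely legitimate")
        elif kind == "F3" and "run=" in body.lower():
            reasons.append("win.ini run= autostart")
        elif kind == "O2" and "(no file)" in body:
            reasons.append("orphaned BHO with a dangling CLSID")
        path = extract_path(body)
        if path:
            reasons += reasons_for_path(path)
            if kind == "O4":       # body starts with HKLM\ or HKCU\
                run_hives.setdefault(path.lower(), set()).add(body.split("\\", 1)[0])
        if reasons:
            findings.append((line, reasons))
    for path, hives in run_hives.items():
        if len(hives) > 1:
            findings.append((path, ["same autostart under " + " and ".join(sorted(hives))]))
    return findings

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(f"{line}\n    -> {'; '.join(reasons)}")
```

The genuine H:\WINDOWS\system32\services.exe and the InCD entry produce no finding, which is the point: the name alone is not the signal, the directory and the hive pattern are.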


Copyright 2001 - 2008, Tech Support Forum
