A homepage hijacker that redirects the victim's browser to an adult search page (http://213.159.117.134/). It resists all attempts by Ad-Aware and Spybot S&D to remove it. It is recognised by the following HijackThis (HJT) log entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php 

O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\system32\systime.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\system32\systime.exe

O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com 
O15 - Trusted Zone: *.clickspring.net 
O15 - Trusted Zone: *.mt-download.com 
O15 - Trusted Zone: *.my-internet.info 
O15 - Trusted Zone: *.searchmiracle.com 
O15 - Trusted Zone: *.skoobidoo.com 
O15 - Trusted Zone: *.windupdates.com 

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...3dfe2ba6d2474e0
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file....bcca450006 
O16 - DPF: {755E1C24-CEF1-6F41-063C-5B3A0A4DA1A7} - http://213.159.117.150/1/rdgCA10.exe

Removal Instructions:

Close all browser windows, run a HijackThis scan and, when it completes, remove the following entries by ticking the box to the left of each one and clicking 'Fix checked':

   All R0/R1 entries pointing to 213.159.117.134
   The O4 startup entries for systime.exe (both HKLM and HKCU)
   The O15 Trusted Zone entries listed above
   The O16 DPF entries listed above

Click Config, then Misc Tools, and on the new screen click the "Delete a file on reboot" button. In the file-picker dialog that appears, paste C:\WINDOWS\system32\systime.exe (the path shown in the O4 entries above) into the file name field and press Open. The file is in use while the O4 autostart is running, which is why it has to be scheduled for deletion at reboot rather than deleted directly.

HijackThis will then prompt you to reboot; after the reboot the hijacker is removed. Run another HijackThis scan afterwards and confirm that none of the entries listed above have come back.
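As an added example (not part of the original entry or of HijackThis itself), the following Python script turns the recognition and removal steps above into something repeatable: it parses HijackThis log lines, flags the ones matching the indicators on this page (the 213.159.117.134 and 213.159.117.150 hosts, systime.exe, the trusted-zone domains and the two DPF CLSIDs), and builds the 'Fix checked' list plus the delete-on-reboot path taken from the O4 entry. The sample log is constructed: it mixes the page's entries with benign lines (a google.com search page, ctfmon.exe, example.com, an all-zero CLSID) that must not be flagged. Function names are mine.

```python
"""Triage HijackThis (HJT) log lines against the indicators on this page and
turn the matches into the list a user would tick under 'Fix checked'."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Indicators taken from the log entries on this page.
HIJACK_HOSTS = {"213.159.117.134", "213.159.117.150"}
STARTUP_FILES = {"systime.exe"}
TRUSTED_ZONE_DOMAINS = {
    "blazefind.com", "flingstone.com", "searchbarcash.com", "slotch.com",
    "xxxtoolbar.com", "05p.com", "clickspring.net", "mt-download.com",
    "my-internet.info", "searchmiracle.com", "skoobidoo.com", "windupdates.com",
}
DPF_CLSIDS = {
    "{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}",
    "{755E1C24-CEF1-6F41-063C-5B3A0A4DA1A7}",
}

HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
DPF_BODY = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<url>\S+)")


@dataclass(frozen=True)
class Finding:
    code: str    # HJT section: R0, R1, O4, O15 or O16
    line: str    # the log line exactly as HJT printed it
    reason: str  # why it matched


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _domain_listed(host: str) -> bool:
    """True if host is a listed trusted-zone domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_ZONE_DOMAINS)


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the HJT line matches a known indicator, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1"):
        # R0/R1 body: "<registry key>,<value name> = <url>"
        _, _, url = body.partition(" = ")
        host = _host(url.strip())
        if host in HIJACK_HOSTS:
            return Finding(code, line, f"IE start/default page set to {host}")
    elif code == "O4":
        # O4 body: "<hive>\..\Run: [<name>] <path>"
        path = body.split("] ", 1)[-1].strip()
        if path.rsplit("\\", 1)[-1].lower() in STARTUP_FILES:
            return Finding(code, line, f"autostart of {path}")
    elif code == "O15":
        # O15 body: "Trusted Zone: *.<domain>"
        domain = body.partition(":")[2].strip().lstrip("*.")
        if _domain_listed(domain):
            return Finding(code, line, f"{domain} added to IE Trusted sites")
    elif code == "O16":
        # O16 body: "DPF: {CLSID} - <download url>"
        d = DPF_BODY.match(body)
        if d:
            clsid, host = d.group("clsid").upper(), _host(d.group("url"))
            if clsid in DPF_CLSIDS or host in HIJACK_HOSTS or _domain_listed(host):
                return Finding(code, line, f"ActiveX download {clsid} from {host}")
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def removal_plan(findings: List[Finding]) -> dict:
    """Lines to tick under 'Fix checked' and the file(s) to delete on reboot,
    the latter taken from the O4 autostart path rather than typed by hand."""
    plan = {"fix_checked": [f.line for f in findings], "delete_on_reboot": []}
    for f in findings:
        if f.code == "O4":
            path = f.line.split("] ", 1)[-1].strip()
            if path not in plan["delete_on_reboot"]:
                plan["delete_on_reboot"].append(path)
    return plan


# Constructed sample log: entries from this page interleaved with benign lines
# (google.com search page, ctfmon.exe, example.com, all-zero CLSID) that must
# NOT be flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\system32\systime.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.example.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...3dfe2ba6d2474e0
O16 - DPF: {755E1C24-CEF1-6F41-063C-5B3A0A4DA1A7} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} - http://example.com/benign.cab
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.code:<4} {f.reason}")
    print(removal_plan(found))
```

The O16 check matches on any of three things (known CLSID, hijack host, or a host under one of the trusted-zone domains) because the page's own DPF lines are caught by different ones: the rdgCA10.exe line by its host, the windupdates.com lines by both CLSID and domain.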