Remove Paytime.exe Or Http:://81.222.131.49/index.php

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > Spyware and Malware Removal Guides and Reading Room

How to use the self-help guides

This forum contains self-help guides on removing common malware and viruses. These guides can be advanced so please use them at your own risk.

If after following the self-help guide, or you can not find an appropriate guide, then you can receive step-by-step instructions directly from one of our experts by following the instructions in this topic: Preparation Guide For Use Before Posting A Hijackthis Log

Remove Paytime.exe Or Http:://81.222.131.49/index.php, Self-Help Guide

Options

Grinler View Member Profile	Apr 20 2005, 10:03 AM Post #1
Bleep Bleep! Group: Admin Posts: 31,601 Joined: 24-January 04 From: USA Member No.: 3	How to remove the CWS_Paytime or http:://81.222.131.49/index.php infection Warning: This log contains links that may infect you if you visit them.. DO NOT visit http:://81.222.131.49/index.php, just follow these instructions.. What this program does: The paytime.exe program is a new CoolWebSearch variant that hijacks your browser to be redirected to the http:://81.222.131.49/index.php web page. When you open your browser and connect to that page it will also attempt to auto install a dialer on your computer that could use your modem to dial long-distance. Tools Needed for this fix: HijackThis Related Tutorials: How to use HijackThis to remove Browser Hijackers & Spyware Symptoms in a HijackThis Log: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:://81.222.131.49/index.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:://81.222.131.49/index.php R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:://81.222.131.49/index.php R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:://81.222.131.49/index.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http:://81.222.131.49/index.php R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http:://81.222.131.49/index.php O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe Note: This infection at times may install a dialer on your machine as well. If this happens it will appear as a O16 entry with an entry similar to: O16 - DPF: {08F9B026-4ECE-0B2B-59ED-60DD2C2D155D} - http:://69.31.82.260/1/gdnUS10.exe This should be removed as well. If you see an entry like this, but are unsure, feel free to ask us about it in the forums. Removal Instructions: In order to remove this infection we will need to use HijackThis to manually remove the infection: Download HijackThis from the above link and extract it to c:\hijackthis. Reboot your computer into Safe Mode Delete the following file: c:\windows\system32\paytime.exe Navigate to the c:\hijackthis directory and double-click on HijackThis When the program starts, double-click on the HijackThis icon and then click on the Scan button. Put a checkmark next to the following entry (There may be more than one of each): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:://81.222.131.49/index.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:://81.222.131.49/index.php R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:://81.222.131.49/index.php R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:://81.222.131.49/index.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http:://81.222.131.49/index.php R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http:://81.222.131.49/index.php O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe O16 - DPF: {08F9B026-4ECE-0B2B-59ED-60DD2C2D155D} - http:://69.31.82.260/1/gdnUS10.exe Please note that the O16 entry may be a different name than rdgUS121.exe and a different CLSID. Then click the Fix button Exit HijackThis. Reboot your compute back to normal mode. Your computer should now be rid of the Paytime.exe / searchmeup.com / CWS_Paytime infection. This is a self-help guide. Use at your own risk. BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum. If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you. -------------------- Lawrence Become a BleepingComputer fan: Facebook Follow us on Twitter!

« Next Oldest · Spyware and Malware Removal Guides and Reading Room · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Switch to: Standard · Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 21st November 2009 - 08:58 PM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides