BleepingComputer.com: Remove Http://213.159.117.134/index.php Hijacker


Remove Http://213.159.117.134/index.php Hijacker How to remove Self-Help Guide

#1 Grinler


Posted 07 October 2004 - 02:18 PM

How to remove the Systime.exe, hxtp://213.159.117.134/index.php, searchmeup.com infection


What this program does:

The systime.exe program is a new CoolWebSearch variant that hijacks your browser so that it is redirected to the hxtp://213.159.117.134/index.php web page. When you open your browser and connect to that page, it will also attempt to automatically install a dialer on your computer that could use your modem to dial long-distance numbers.


Symptoms in a HijackThis Log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxtp://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxtp://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxtp://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =hxtp://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = hxtp://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =hxtp://213.159.117.134/index.php
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O16 - DPF: {08F9B026-4ECE-0B2B-59ED-60DD2C2D155D} - hxtp://213.159.117.150/1/rdgUS121.exe
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!hxtp://213.159.117.150:80/iex/ofile.exe?url=hxtp://213.159.117.150:80/dexAU10.exe


Note: The rdgUS121.exe in the above O16 example can have a different name. You can identify it because it will always be preceded by hxtp://213.159.117.150. The systime.exe executable can have other names as well. It has been seen in the past as c:\windows\system32\wintime.exe and c:\windows\system32\dktime.exe.




Removal Instructions:

To remove this infection, we will use HijackThis to fix the hijacked entries manually:
  1. Download HijackThis from the above link and extract it to c:\hijackthis.

  2. Navigate to the c:\hijackthis directory and double-click on HijackThis.

  3. When the program starts, double-click on the HijackThis icon and then click on the Scan button.

    1. Put a checkmark next to the following entries (there may be more than one of each):


      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxtp://213.159.117.134/index.php
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxtp://213.159.117.134/index.php
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxtp://213.159.117.134/index.php
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxtp://213.159.117.134/index.php
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = hxtp://213.159.117.134/index.php
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = hxtp://213.159.117.134/index.php
      O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
      O16 - DPF: {08F9B026-4ECE-0B2B-59ED-60DD2C2D155D} - hxtp://213.159.117.150/1/rdgUS121.exe
    2. Please note that the O16 entry may have a different name than rdgUS121.exe and a different CLSID (the numbers between the { and }). You can identify the correct O16 entry to remove because it always contains hxtp://213.159.117.150. If you see any entries with hxtp://213.159.117.150 in them, you want to fix them.

    3. Then click the Fix button.

  4. Exit HijackThis.

  5. Reboot your computer into Safe Mode.

  6. Delete the following file if it exists:

    c:\windows\system32\systime.exe

  7. Reboot your computer and let it boot normally.

Your computer should now be rid of the systime.exe searchmeup.com CWS infection.


This is a self-help guide. Use at your own risk.



BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.
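
The symptom list and the note in the guide above amount to a matching rule: the O16 file name and CLSID vary while the host stays constant, and the autorun executable has been seen under three names. The script below is an added example, not part of the original guide or of HijackThis; it applies that rule to a saved log. The function name, the sample log and its CLSIDs are constructed for illustration, and the O4 check assumes the entry ends with the file name.

```python
import re

# Indicators taken from the guide; "hxtp" is the guide's defanged spelling of "http".
HOSTS = ("213.159.117.134", "213.159.117.150")
EXE_NAMES = ("systime.exe", "wintime.exe", "dktime.exe")

# A HijackThis entry is "<section> - <detail>", e.g. "R0 - ..." or "O16 - ...".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*)$")
HOST_RE = re.compile(
    r"h[tx]tp://(" + "|".join(re.escape(h) for h in HOSTS) + r")(?![\d.])", re.I)
# Match the executable as a whole file name at the end of a path, not as a substring.
EXE_RE = re.compile(
    r"[\\/](" + "|".join(re.escape(n) for n in EXE_NAMES) + r")\s*$", re.I)


def flag_entries(log_text):
    """Return (section, reason, line) for each entry matching the guide's indicators."""
    hits = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw)
        if not m:
            continue  # header lines, process list, blank lines
        section, detail = m.group(1), m.group(2)
        host = HOST_RE.search(detail)
        if section in ("R0", "R1", "O16") and host:
            hits.append((section, "host " + host.group(1), raw.strip()))
        elif section == "O4" and EXE_RE.search(detail):
            hits.append((section, "autorun file name", raw.strip()))
    return hits


# Constructed sample log: entries in the guide's format plus benign look-alikes.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxtp://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.example.com/
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\dktime.exe
O4 - HKLM\..\Run: [Clock] C:\Program Files\Clock\mysystime.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} - hxtp://213.159.117.150/1/other.exe
O16 - DPF: {00000000-0000-0000-0000-000000000001} - hxtp://213.159.117.15/setup.exe
"""

if __name__ == "__main__":
    for section, reason, line in flag_entries(SAMPLE_LOG):
        print(f"{section:4} {reason:22} {line}")
```

The two look-alike lines (mysystime.exe and the 213.159.117.15 host) are not flagged, which is the reason for anchoring the file name to a path separator and the host to a non-digit boundary.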

