This forum contains self-help guides on removing common malware and viruses. These guides can be advanced so please use them at your own risk.
If the self-help guide does not resolve the problem, or you cannot find an appropriate guide, you can receive step-by-step instructions directly from one of our experts by following the instructions in this topic: Preparation Guide For Use Before Posting A Hijackthis Log
Oct 7 2004, 02:18 PM
What this program does:

The systime.exe program is a new CoolWebSearch variant that hijacks your browser so that it is redirected to the hxtp://213.159.117.134/index.php web page. When you open your browser and connect to that page it will also attempt to auto install a dialer on your computer that could use your modem to dial long-distance.

Tools Needed for this fix:

Related Tutorials:

Symptoms in a HijackThis Log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxtp://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxtp://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxtp://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =hxtp://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = hxtp://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =hxtp://213.159.117.134/index.php
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O16 - DPF: {08F9B026-4ECE-0B2B-59ED-60DD2C2D155D} - hxtp://213.159.117.150/1/rdgUS121.exe
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!hxtp://213.159.117.150:80/iex/ofile.exe?url=hxtp://213.159.117.150:80/dexAU10.exe

Note: The rdgUS121.exe in the above O16 example can have a different name. You can identify it because it will always have hxtp://213.159.117.150 preceding it.

The systime.exe executable can have other names as well. It has been seen in the past as c:\windows\system32\wintime.exe and c:\windows\system32\dktime.exe

Removal Instructions:

In order to remove this infection we will need to use HijackThis to manually remove the infection:
Your computer should now be rid of the systime.exe searchmeup.com CWS infection.

This is a self-help guide. Use at your own risk. BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.

--------------------
Lawrence
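The symptom list in the guide can be checked mechanically against a saved HijackThis log. The Python below is an added example, not part of the original post or of HijackThis; the function names and the sample log are constructed for illustration, and the indicators are the ones the guide lists.

```python
import re

# Indicators from the guide above. It writes URLs defanged ("hxtp"); a real
# HijackThis log shows "http", so both spellings are accepted.
HIJACK_HOST = "213.159.117.134"    # R0/R1 page values are set to this host
DOWNLOAD_HOST = "213.159.117.150"  # O16 downloads come from this host
RUN_NAMES = {"systime.exe", "wintime.exe", "dktime.exe"}  # names seen so far

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
URL_HOST = re.compile(r"h(?:tt|xt)p://([0-9a-z.\-]+)", re.I)
EXE_NAME = re.compile(r"([^\\/\s]+\.exe)\b", re.I)


def classify(line):
    """Return why a log line matches the guide's symptoms, or None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    hosts = {h.lower() for h in URL_HOST.findall(rest)}
    if section in ("R0", "R1") and HIJACK_HOST in hosts:
        return "IE page value set to hijack host"
    if section == "O4" and any(n.lower() in RUN_NAMES for n in EXE_NAME.findall(rest)):
        return "Run entry starts a known file name"
    # The downloaded file name varies, so O16 is matched on the host only.
    if section == "O16" and DOWNLOAD_HOST in hosts:
        return "DPF entry downloads from listed host"
    return None


def scan(log_text):
    """Return (line, reason) for every matching line in a HijackThis log."""
    pairs = ((l.strip(), classify(l)) for l in log_text.splitlines())
    return [(l, r) for l, r in pairs if r]


# Constructed sample log: the last two lines are benign and must not match.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\dktime.exe
O16 - DPF: {08F9B026-4ECE-0B2B-59ED-60DD2C2D155D} - http://213.159.117.150/1/constructed-name.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\example.exe
"""

if __name__ == "__main__":
    for line, reason in scan(SAMPLE):
        print(reason, "|", line)
```

A Run entry under a file name the guide has not listed will not be flagged, so an empty result does not rule out the infection.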