Remove Paytime.exe Or Http:://81.222.131.49/index.php


No replies to this topic

#1 Grinler
    Lawrence Abrams


  • Admin
Posted 20 April 2005 - 10:03 AM


How to remove the CWS_Paytime or http:://81.222.131.49/index.php infection


Warning: This log contains links that may infect you if you visit them. DO NOT visit http:://81.222.131.49/index.php; just follow these instructions.

What this program does: The paytime.exe program is a new CoolWebSearch variant that hijacks your browser so that it is redirected to the http:://81.222.131.49/index.php web page. When you open your browser and connect to that page, it will also attempt to auto-install a dialer on your computer that could use your modem to dial long-distance numbers.

Tools Needed for this fix: HijackThis

Symptoms in a HijackThis Log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http:://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http:://81.222.131.49/index.php
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
Note: This infection at times may install a dialer on your machine as well. If this happens, it will appear as an O16 entry similar to:

O16 - DPF: {08F9B026-4ECE-0B2B-59ED-60DD2C2D155D} - http:://69.31.82.260/1/gdnUS10.exe

This should be removed as well. If you see an entry like this, but are unsure, feel free to ask us about it in the forums.
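As an added example (not BleepingComputer's tool, HijackThis itself, or part of the original post), a small Python scan that flags the entries listed above in a saved HijackThis log; the sample log is made of this post's own entries plus two benign lines constructed for contrast, and the "bare IP address" rule for O16 entries is an assumption drawn from the note that the dialer's file name and CLSID vary.

```python
import re

# Indicators taken from the symptom list above. This scan is a constructed
# example, not BleepingComputer's tool or HijackThis itself.
HIJACK_HOST = "81.222.131.49"
DROPPER_NAME = "paytime.exe"

# Line shapes used on this page; the URL pattern also tolerates the page's doubled colon ("http:://").
R_LINE = re.compile(r"^(R[01]) - (HK\w+\\[^,]+),([^=]+?) = (.+)$")
O4_LINE = re.compile(r"^(O4) - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O16_LINE = re.compile(r"^(O16) - DPF: (\{[0-9A-Fa-f-]+\}) - (.+)$")
IP_HOST = re.compile(r"^https?::?//(\d{1,3}(?:\.\d{1,3}){3})(?:[/:]|$)")

# Sample log: the entries listed on this page plus two benign lines constructed
# for contrast (a default start page and an ordinary Run entry).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http:://81.222.131.49/index.php
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O16 - DPF: {08F9B026-4ECE-0B2B-59ED-60DD2C2D155D} - http:://69.31.82.260/1/gdnUS10.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe
"""

def scan_hijackthis(log_text):
    """Return (section, reason, line) for every entry matching the CWS_Paytime pattern."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if m := R_LINE.match(line):
            # R0/R1: IE start, default or local page redirected to the hijack host.
            if HIJACK_HOST in m.group(4):
                findings.append((m.group(1), f"IE {m.group(3)} set to {HIJACK_HOST}", line))
        elif m := O4_LINE.match(line):
            # O4: autostart entry launching the dropper, matched by file name.
            exe = m.group(4).rsplit("\\", 1)[-1].lower()
            if exe == DROPPER_NAME:
                findings.append(("O4", f"Run entry [{m.group(3)}] launches {DROPPER_NAME}", line))
        elif m := O16_LINE.match(line):
            # O16: Downloaded Program Files object fetched from a bare IP address;
            # the dialer's file name and CLSID vary, so the host is the indicator (assumption).
            if host := IP_HOST.match(m.group(3)):
                findings.append(("O16", f"DPF object fetched from bare IP {host.group(1)}", line))
    return findings

if __name__ == "__main__":
    for section, reason, line in scan_hijackthis(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```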

Removal Instructions: In order to remove this infection we will need to use HijackThis to manually remove the infection:
  1. Download HijackThis from the above link and extract it to c:\hijackthis.

  2. Reboot your computer into Safe Mode

  3. Delete the following file:

    c:\windows\system32\paytime.exe

  4. Navigate to the c:\hijackthis directory and double-click on HijackThis

  5. When the program starts, double-click on the HijackThis icon and then click on the Scan button.

    1. Put a checkmark next to the following entry (There may be more than one of each):

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:://81.222.131.49/index.php
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:://81.222.131.49/index.php
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:://81.222.131.49/index.php
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:://81.222.131.49/index.php
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http:://81.222.131.49/index.php
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http:://81.222.131.49/index.php
      O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
      O16 - DPF: {08F9B026-4ECE-0B2B-59ED-60DD2C2D155D} - http:://69.31.82.260/1/gdnUS10.exe
    2. Please note that the O16 entry may have a different file name than rdgUS121.exe and a different CLSID.

    3. Then click the Fix button.

  6. Exit HijackThis.

  7. Reboot your computer back to normal mode.
Your computer should now be rid of the Paytime.exe / searchmeup.com / CWS_Paytime infection.


This is a self-help guide. Use at your own risk.

BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.

