Remove Http://213.159.117.134/index.php Hijacker


#1 Grinler
    Lawrence Abrams
Posted 07 October 2004 - 02:18 PM

How to remove the Systime.exe, hxtp://213.159.117.134/index.php, searchmeup.com infection


What this program does:

The systime.exe program is a new CoolWebSearch variant that hijacks your browser so that it is redirected to the hxtp://213.159.117.134/index.php web page. When you open your browser and connect to that page, it will also attempt to auto-install a dialer on your computer that could use your modem to dial long-distance numbers.


Tools Needed for this fix:

Related Tutorials:

Symptoms in a HijackThis Log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxtp://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxtp://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxtp://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxtp://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = hxtp://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = hxtp://213.159.117.134/index.php
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O16 - DPF: {08F9B026-4ECE-0B2B-59ED-60DD2C2D155D} - hxtp://213.159.117.150/1/rdgUS121.exe
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!hxtp://213.159.117.150:80/iex/ofile.exe?url=hxtp://213.159.117.150:80/dexAU10.exe


Note: The rdgUS121.exe in the above O16 example can have a different name. You can identify it because it will always be preceded by hxtp://213.159.117.150. The systime.exe executable can have other names as well; it has been seen in the past as c:\windows\system32\wintime.exe and c:\windows\system32\dktime.exe.




Removal Instructions:

In order to remove this infection we will need to use HijackThis to manually remove the infection:
  1. Download HijackThis from the above link and extract it to c:\hijackthis.

  2. Navigate to the c:\hijackthis directory and double-click on HijackThis.

  3. When the program starts, double-click on the HijackThis icon and then click on the Scan button.

    1. Put a checkmark next to the following entries (there may be more than one of each):


      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxtp://213.159.117.134/index.php
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxtp://213.159.117.134/index.php
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxtp://213.159.117.134/index.php
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxtp://213.159.117.134/index.php
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = hxtp://213.159.117.134/index.php
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = hxtp://213.159.117.134/index.php
      O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
      O16 - DPF: {08F9B026-4ECE-0B2B-59ED-60DD2C2D155D} - hxtp://213.159.117.150/1/rdgUS121.exe
    2. Please note that the O16 entry may have a different name than rdgUS121.exe and a different CLSID (the numbers between the { and }). You can identify the correct O16 entry to remove because it always contains hxtp://213.159.117.150. Fix any entries that contain hxtp://213.159.117.150.

    3. Then click the Fix button

  4. Exit HijackThis.

  5. Reboot your computer into Safe Mode

  6. Delete the following file if it exists:

    c:\windows\system32\systime.exe

  7. Reboot your computer and let it boot normally.

Your computer should now be rid of the systime.exe searchmeup.com CWS infection.
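As an added defender-side example (not from this guide or from HijackThis itself), the following Python script applies the identification rules above to HijackThis log lines: it flags R0/R1 entries whose page setting points at 213.159.117.134, O4 autostart entries for the payload names named above, and any O16 entry referencing 213.159.117.150 regardless of its CLSID or filename. The log lines, the CLSID and the benign control entries in the sample are constructed.

```python
import re

# Hosts and payload filenames the guide names as markers of this CWS variant.
HIJACK_HOSTS = ("213.159.117.134", "213.159.117.150")
PAYLOAD_NAMES = ("systime.exe", "wintime.exe", "dktime.exe")

# HijackThis line types the guide lists: R0/R1 (IE start/default/local page),
# O4 (Run-key autostart) and O16 (Downloaded Program Files / ActiveX).
LINE_RE = re.compile(r"^(?P<kind>R0|R1|O4|O16)\s*-\s*(?P<body>.+)$")


def classify(line):
    """Return a reason string if the HijackThis line matches this infection, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    lowered = body.lower()
    if kind in ("R0", "R1") and any(h in body for h in HIJACK_HOSTS):
        return f"{kind}: IE page setting points at hijacker host"
    if kind == "O4" and any(n in lowered for n in PAYLOAD_NAMES):
        return "O4: autostart entry for CWS payload"
    if kind == "O16" and "213.159.117.150" in body:
        # CLSID and filename vary between samples; the host is the stable marker.
        return "O16: ActiveX download from hijacker host"
    return None


def triage(log_text):
    """Return (line, reason) pairs that should be fixed in HijackThis."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


# Constructed sample log: three infected entries mixed with three benign ones.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.example.com/
O4 - HKCU\\..\\Run: [SysTime] C:\\WINDOWS\\System32\\systime.exe
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O16 - DPF: {DEADBEEF-0000-0000-0000-000000000000} - http://213.159.117.150/1/otherName.exe
O16 - DPF: {11111111-2222-3333-4444-555555555555} - http://www.example.com/plugin.cab
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"FIX  {why}\n     {entry}")
```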


This is a self-help guide. Use at your own risk.



BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.

