How to remove the CWS_Paytime or http:://81.222.131.49/index.php infection
Tools Needed for this fix:
Related Tutorials:
Symptoms in a HijackThis Log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http:://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http:://81.222.131.49/index.php
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
Note: This infection may at times install a dialer on your machine as well. If this happens it will appear as an O16 entry similar to: O16 - DPF: {08F9B026-4ECE-0B2B-59ED-60DD2C2D155D} - http:://69.31.82.260/1/gdnUS10.exe
This should be removed as well. If you see an entry like this, but are unsure, feel free to ask us about it in the forums.
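The symptom lines above are fixed strings, so a HijackThis log can be checked for them automatically before anyone starts ticking boxes. The script below is an added example and not part of the BleepingComputer guide or of HijackThis itself: it parses the R0/R1, O4 and O16 line formats, flags the exact indicators listed above, and, because the guide says the dialer's file name and CLSID may differ, also flags any O16 entry whose download URL uses a raw IP address (that heuristic is my addition, so treat such hits as something to verify rather than as a confirmed match). The sample log, the clean entries in it and the second dialer CLSID are constructed for the example.

```python
import re

# Indicators taken from the guide's symptom list. The guide writes URLs as
# "http:://" (defanged); the regex below accepts both that and a normal URL.
HIJACKED_HOST = "81.222.131.49"
DIALER_CLSID = "{08F9B026-4ECE-0B2B-59ED-60DD2C2D155D}"
DIALER_HOST = "69.31.82.260"

# HijackThis lines look like "<section> - <details>", e.g. "O4 - HKLM\..\Run: ...".
LINE_RE = re.compile(r"^(R[0-3]|O\d+)\s+-\s+(.*)$")
# Matches a URL whose host is a raw dotted-quad, with "http://" or "http:://".
URL_IP_RE = re.compile(r"https?::?//(\d{1,3}(?:\.\d{1,3}){3})", re.IGNORECASE)

# Constructed sample log: three lines copied from the guide, two clean entries,
# and one extra dialer-style entry with a made-up CLSID and a raw-IP URL.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {08F9B026-4ECE-0B2B-59ED-60DD2C2D155D} - http:://69.31.82.260/1/gdnUS10.exe
O16 - DPF: {12345678-1234-1234-1234-123456789ABC} (Example Control) - http://controls.example.com/ctl.cab
O16 - DPF: {ABCDEF01-2345-6789-ABCD-EF0123456789} - http:://192.0.2.10/1/other.exe
""".strip()


def classify_line(line):
    """Return a short reason if the line matches a guide indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a HijackThis entry line (blank, header, etc.)
    section, rest = m.group(1), m.group(2)
    if section in ("R0", "R1") and HIJACKED_HOST in rest:
        return "IE start/default/local page hijacked to " + HIJACKED_HOST
    if section == "O4" and "paytime.exe" in rest.lower():
        return "PayTime autorun entry"
    if section == "O16":
        if DIALER_CLSID.lower() in rest.lower() or DIALER_HOST in rest:
            return "known dialer DPF entry"
        ip = URL_IP_RE.search(rest)
        if ip:
            # Heuristic only: legitimate DPF controls are normally served from a
            # hostname, so a raw IP download is worth a second look, not an auto-fix.
            return "DPF download from raw IP " + ip.group(1) + " (heuristic, verify first)"
    return None


def scan_log(text):
    """Return a list of (line, reason) pairs for every flagged line in a log."""
    hits = []
    for line in text.splitlines():
        reason = classify_line(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


if __name__ == "__main__":
    for flagged_line, why in scan_log(SAMPLE_LOG):
        print(f"{why}: {flagged_line}")
```

To check a real log, pass its contents to scan_log (for example `scan_log(open("hijackthis.log").read())`); every flagged line should still be compared by eye against the symptom list before it is fixed, especially the heuristic O16 hits.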
Removal Instructions:
In order to remove this infection we will need to use HijackThis to manually remove the infection:
- Download HijackThis from the above link and extract it to c:\hijackthis.
- Reboot your computer into Safe Mode
- Delete the following file:
c:\windows\system32\paytime.exe
- Navigate to the c:\hijackthis directory and double-click on HijackThis
- When the program starts, double-click on the HijackThis icon and then click on the Scan button.
- Put a checkmark next to the following entries (there may be more than one of each):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http:://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http:://81.222.131.49/index.php
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O16 - DPF: {08F9B026-4ECE-0B2B-59ED-60DD2C2D155D} - http:://69.31.82.260/1/gdnUS10.exe
- Please note that the O16 entry may have a different name than rdgUS121.exe and a different CLSID.
- Then click the Fix button
- Exit HijackThis.
- Reboot your computer back to normal mode.
This is a self-help guide. Use at your own risk.
BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.
If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.