Wilders Security Forums  

#1 Pieter_Arntz (Spyware Veteran), March 27th, 2004, 11:20 AM
Join Date: Apr 2002, Location: Netherlands, Posts: 12,716

Adtomi browserhelper hijack

Research and write-up by FreeAtLast:

--Right-click on the Yahoo stock task bar icon and choose remove while being online!
A web page from Adtomi would appear:
"-uninstall was succesful!"

--Restart computer in safe mode ONLY!

--Make a new text file, copy and paste this inside:
REGEDIT4

[-HKEY_CURRENT_USER\Software\adtomi]

[-HKEY_CLASSES_ROOT\CLSID\{B549456D-F5D0-4641-BCED-8648A0C13D83}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B549456D-F5D0-4641-BCED-8648A0C13D83}]


--Save it as remove.reg (change to "all files" in the drop box).
Double-click it and hit yes on the prompt!

--In HijackThis or a similar startup manager, delete any entries with the following pattern:
In: HKCU....\Software\Microsoft\Windows\CurrentVersion\Run
In: HKLM....\..run...... as well
With: <C:\WINDOWS.....8 characters> random, unknown exe files, ending with /dk
Example: C:\WINDOWS\IH5B0AKB.EXE /dk

--In HijackThis, fix the O2 line (BHO) if present:
C:\WINDOWS\BrowserHelper.dll

--Find and delete:
BrowserHelper.dll from any location(s)
There seem to be a few...

--Navigate to the Windows folder and arrange it by size from the menu (View - Details, then Size).
Inspect files in the 600kb group: files with a plain square icon, no info in properties, of type .exe, 600kb (614,912 bytes) in size and with 8 characters in the file name. DELETE!
(They may be listed as 601kb.)

--Another size group of files with same pattern:
681 kb (697,344 bytes ) -DELETE!

--Go to:
:\WINDOWS\All Users\Start Menu\Programs\StartUp
Find and delete any shortcuts with <8 chars.exe>

--Same for:
WINDOWS\Start Menu\Programs\StartUp folder.
__________________
Regards,

Pieter
It's nice to be important, but it's more important to be nice.

It's human to make mistakes. It's even more so to blame the computer for it.
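
Added example, not part of the original posts: a small triage script that applies the indicators from post #1 (the BHO CLSID, BrowserHelper.dll in any location, and Run entries of the form C:\WINDOWS\<8 characters>.EXE /dk) to the O2 and O4 lines of a HijackThis log. The function name and the sample log lines are constructed for illustration; it also shows that an 8-character name alone is not enough, since legitimate entries such as scanregw.exe match that part.

```python
import re

# Indicators taken from the first post in this thread.
ADTOMI_CLSID = "{B549456D-F5D0-4641-BCED-8648A0C13D83}"
BHO_DLL = "browserhelper.dll"

# O4 Run entry: C:\WINDOWS\<8 characters>.EXE followed by the /dk argument.
RUN_DK = re.compile(
    r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] "
    r"([A-Z]:\\WINDOWS\\[A-Z0-9]{8}\.EXE)\s+/dk\s*$",
    re.IGNORECASE,
)

def triage(log_text):
    """Return (line_number, reason, detail) for each line matching the post."""
    hits = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("O2 - BHO:"):
            low = line.lower()
            if ADTOMI_CLSID.lower() in low:
                hits.append((n, "bho-clsid", ADTOMI_CLSID))
            elif low.endswith("\\" + BHO_DLL):
                # The post says the DLL may sit in more than one location.
                hits.append((n, "bho-dll", line.rsplit(" - ", 1)[-1]))
            continue
        m = RUN_DK.match(line)
        if m:
            hits.append((n, "run-dk", m.group(2)))
    return hits

# Constructed sample log lines (not from a real machine).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\SYSTEM\BrowserHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [IH5B0AKB] C:\WINDOWS\IH5B0AKB.EXE /dk
O4 - HKCU\..\Run: [Q7X2M9PL] C:\WINDOWS\Q7X2M9PL.EXE /dk
""".strip()

if __name__ == "__main__":
    for n, reason, detail in triage(SAMPLE_LOG):
        print(n, reason, detail)
```
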
#2 dvk01 (Global Moderator), March 31st, 2004, 05:47 PM
Join Date: Oct 2003, Location: Loughton, Essex. UK, Posts: 3,129

Re:Adtomi browserhelper hijack

This is primarily for use in Windows 98 or ME, but there is an XP removal zip on the download site.

It is new and might not work in all cases; if unsuccessful, then follow the advice for manual cleaning in the first post.

download this file here (Adtomi Cleanup.zip).
http://www.wilderssecurity.com/attac...mi_Cleanup.zip for 98 or ME
http://www.wilderssecurity.com/attac...mi_Cleanup.zip for XP

or alternatively from
http://www.thespykiller.co.uk/downloads.htm


It was created by Mosaic1 and is available here with her kind permission
And follow the instructions.

First, if you have a script blocking program enabled, disable it first so the scripts may run.

Unzip it to C:\Windows

See if there is an Adtomi or Yahoo stocks icon in your system tray (it might be a red ??) and if so, right-click and select remove. You must be online for this part.

--A web page from Adtomi would appear "-uninstall was succesful!"
then go off line
(note not all infections have this icon, so if it isn't there then don't worry)

Next press Ctrl+Alt+Del once to bring up Task Manager and stop the running process on the funny named file with 8 assorted letters and numbers, which will be listed towards the bottom of the running process list in your HijackThis log.
There might also be morze1 running; if so, end that process as well.

If you don't have any strange named exe files running, or you can't stop it running, then DO NOT CONTINUE; please ask for more help first.

Now locate and Double Click Cleanup.bat that is in the folder you unzipped ( C:\Windows\Adtomi Cleanup )

***Do not Touch the VBS files. The bat file will run the scripts.

It will remove the Adtomi Spyware files from the Windows Folder
Clean the Startup Folders
Create Backups of the Adtomi exe files it deletes and save them in this folder
Create a list of all oddly named files deleted from the Windows Folder
Uninstall the BHO
Start HijackThis and give you directions on what to remove.

When you have finished please restart the computer.

Run HijackThis again and post the contents of your new log and the contents of Adtomi.txt in your next reply in your Forum Topic.

edited to include some new additional directions
#3 Pieter_Arntz (Spyware Veteran), April 7th, 2004, 11:19 AM
Join Date: Apr 2002, Location: Netherlands, Posts: 12,716

Re:Adtomi browserhelper hijack

zip files replaced by new version on 04-07

Pieter
__________________
Regards,

Pieter
It's nice to be important, but it's more important to be nice.

It's human to make mistakes. It's even more so to blame the computer for it.
 
