Adtomi browserhelper hijack

Discussion in 'spyware news and general information' started by Pieter_Arntz, Mar 27, 2004.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Research and write-up by FreeAtLast:

    --Right-click on the Yahoo stock taskbar icon,
    choose remove while being online!
    A web page from Adtomi would appear
    "-uninstall was succesful!"

    --Restart computer in safe mode ONLY!

    --Make a new text file, copy and paste this inside:
    REGEDIT4

    [-HKEY_CURRENT_USER\Software\adtomi]

    [-HKEY_CLASSES_ROOT\CLSID\{B549456D-F5D0-4641-BCED-8648A0C13D83}]

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B549456D-F5D0-4641-BCED-8648A0C13D83}]


    --Save it (change to "all files" in the drop box)
    as remove.reg
    Double-click and hit yes on the prompt!

    --In hijackthis or similar startup manager,
    delete any entries with the following pattern:
    In:--HKCU....\Software\Microsoft\Windows\CurrentVersion\Run
    In:--HKLM....\..run...... as well:
    With:....<C:\WINDOWS.....8 characters>
    random, unknown exe
    files, ending with..... /dk
    Example (C:\WINDOWS\IH5B0AKB.EXE /dk )

    --In hijackthis fix the 02 line BHO -if present:
    C:\WINDOWS\BrowserHelper.dll

    --Find and delete:
    BrowserHelper.dll from any location(s)
    There seem to be a few...

    --Navigate to Windows folder,
    rearrange it by size from menu:
    (view-Details, -Size)
    Inspect files in the 600kb group:
    Files with square plain icon, no info in
    properties and are-- .exe type And...
    600kb (614,912 bytes), 8 characters
    in file name-- DELETE!
    (they may be listed as 601kb)

    --Another size group of files with same pattern:
    681 kb (697,344 bytes ) -DELETE!

    --Go to:
    :\WINDOWS\All Users\Start Menu\Programs\StartUp
    Find and delete any shortcuts with <8 chars.exe>

    --Same for:
    WINDOWS\Start Menu\Programs\StartUp folder.
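
Added example, not part of the original post or of the Adtomi Cleanup scripts: a Python triage that applies the indicators from the write-up above (the BHO CLSID, BrowserHelper.dll, `C:\WINDOWS\<8 chars>.EXE /dk` autorun entries, and the two file sizes) to a HijackThis log and a Windows folder listing. The O2/O4 line layout, the function names and the sample data are assumptions constructed for illustration.

```python
import re

# Indicators taken from the write-up above.
ADTOMI_CLSID = "{B549456D-F5D0-4641-BCED-8648A0C13D83}"
ADTOMI_SIZES = {614912, 697344}  # byte sizes of the dropped executables
EIGHT_CHAR_EXE = re.compile(r"^[A-Z0-9]{8}\.EXE$", re.IGNORECASE)
# Autorun (O4) line pointing at C:\WINDOWS\<8 chars>.EXE with the /dk switch.
RUN_ENTRY = re.compile(
    r"^O4 - .*?C:\\WINDOWS\\([A-Z0-9]{8}\.EXE)\s+/dk\s*$", re.IGNORECASE)


def scan_hijackthis_log(text):
    """Return (line_number, reason, line) for each log line matching the write-up."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        low = line.lower()
        if line.startswith("O2 - BHO") and (
                ADTOMI_CLSID.lower() in low
                or low.endswith("\\browserhelper.dll")):
            hits.append((n, "bho", line))
        elif RUN_ENTRY.match(line):
            hits.append((n, "run-entry", line))
    return hits


def suspect_files(listing):
    """listing: iterable of (file_name, size_in_bytes) from the Windows folder."""
    return [name for name, size in listing
            if EIGHT_CHAR_EXE.match(name) and size in ADTOMI_SIZES]


# Constructed sample log: only lines 2 and 4 match the described pattern.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\EXAMPLE\Other.dll
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O4 - HKLM\..\Run: [LoadPowerProfile] C:\WINDOWS\RUNDLL32.EXE powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IH5B0AKB] C:\WINDOWS\IH5B0AKB.EXE /dk
O4 - HKCU\..\Run: [Notepad] C:\WINDOWS\NOTEPAD.EXE
""".strip()

# Constructed directory listing: (name, size in bytes).
SAMPLE_LISTING = [("IH5B0AKB.EXE", 614912), ("RUNDLL32.EXE", 24576),
                  ("Q7XK2M9A.EXE", 697344), ("NOTEPAD.EXE", 614912)]

if __name__ == "__main__":
    for n, reason, line in scan_hijackthis_log(SAMPLE_LOG):
        print(f"line {n} [{reason}]: {line}")
    print("suspect files:", suspect_files(SAMPLE_LISTING))
```

Name and size together are required before a file is flagged, so an 8-character system file such as RUNDLL32.EXE is not reported.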
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    This is primarily for use in Windows 98 or ME, but there is an XP removal zip on the download site.

    It is new and might not work in all cases; if unsuccessful, then follow the advice for manual cleaning in the first post.

    download this file here (Adtomi Cleanup.zip).
    https://www.wilderssecurity.com/attachments/9x_Adtomi_Cleanup.zip for 98 or ME
    https://www.wilderssecurity.com/attachments/XPAdtomi_Cleanup.zip for XP

    or alternatively from
    http://www.thespykiller.co.uk/downloads.htm


    It was created by Mosaic1 and is available here with her kind permission
    And follow the instructions.

    First, if you have a Script Blocking Program enabled, disable it first so the scripts may run.

    Unzip it to C:\Windows

    See if there is an Adtomi or Yahoo stocks icon in your system tray; it might be a red ??, and if so, right-click and select remove. You must be online for this part.

    --A web page from Adtomi would appear "-uninstall was succesful!"
    then go off line
    (note not all infections have this icon, so if it isn't there then don't worry)

    Next, press Ctrl+Alt+Del once to bring up Task Manager and stop the running process on the funny named file with 8 assorted letters & numbers, that will be listed towards the bottom of the running process list in your HijackThis log,
    and there might also be morze1 running; if so, end that process as well.

    If you don't have any strange named exe files running or you can't stop it running, then DO NOT CONTINUE; please ask for more help first.

    Now locate and Double Click Cleanup.bat that is in the folder you unzipped ( C:\Windows\Adtomi Cleanup )

    ***Do not Touch the VBS files. The bat file will run the scripts.

    It will remove the Adtomi Spyware files from the Windows Folder
    Clean the Startup Folders
    Create Backups of the Adtomi exe files it deletes and save them in this folder
    Create a list of all oddly named files deleted from the Windows Folder
    Uninstall the BHO
    Start HijackThis and give you directions on what to remove.

    When you have finished please restart the computer.

    Run HijackThis again and post the contents of your new log and the contents of Adtomi.txt in your next reply in your Forum Topic.

    edited to include some new additional directions
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    zip files replaced by new version on 04-07

    Pieter
     