Adtomi browserhelper hijack

Discussion in 'news, general information and FAQs' started by Pieter_Arntz, Mar 27, 2004.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Research and write-up by FreeAtLast:

    --RightClick on the yahoo stock task bar icon,
    choose remove-while being online!
    A web page from Adtomi would appear
    "-uninstall was succesful!"

    --Restart computer in safe mode ONLY!

    --Make a new text file, copy and paste this inside:
    REGEDIT4

    [-HKEY_CURRENT_USER\Software\adtomi]

    [-HKEY_CLASSES_ROOT\CLSID\{B549456D-F5D0-4641-BCED-8648A0C13D83}]

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B549456D-F5D0-4641-BCED-8648A0C13D83}]


    --Save it-(Change to "all files" in drop box-)
    As remove.reg
    DoubleClick and hit yes on the prompt!

    --In hijackthis or similar startup manager,
    delete any entries with the following pattern:
    In:--HKCU....\Software\Microsoft\Windows\CurrentVersion\Run
    In:--HKLM....\..run...... as well:
    With:....<C:\WINDOWS.....8 characters>
    random, unknown exe
    files, ending with..... /dk
    Example (C:\WINDOWS\IH5B0AKB.EXE /dk )

    --In hijackthis fix the O2 line BHO -if present:
    C:\WINDOWS\BrowserHelper.dll

    --Find and delete:
    BrowserHelper.dll from any location(s)
    There seem to be a few...

    --Navigate to Windows folder,
    rearrange it by size from menu:
    (view-Details, -Size)
    Inspect files in the 600kb group:
    Files with square plain icon, no info in
    properties and are-- .exe type And...
    600kb (614,912 bytes), 8 characters
    in file name-- DELETE!
    (they may be listed as 601kb)

    --Another size group of files with same pattern:
    681 kb (697,344 bytes ) -DELETE!

    --Go to:
    :\WINDOWS\All Users\Start Menu\Programs\StartUp
    Find and delete any shortcuts with <8 chars.exe>

    --Same for:
    WINDOWS\Start Menu\Programs\StartUp folder.
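
The indicators in the write-up above (8-character .exe names in the Windows folder, the two exact file sizes, Run entries ending in /dk) can be checked read-only before anything is deleted. The Python script below is an added example, not part of the original posts or of the cleanup zip; its function names and the sample Run values are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Indicators as given in the post: 8-character .exe names in the Windows
# folder, two exact file sizes, and Run commands ending in the /dk switch.
SUSPECT_SIZES = {614_912, 697_344}
NAME_RE = re.compile(r"[A-Z0-9]{8}\.EXE", re.IGNORECASE)
RUN_RE = re.compile(r'"?[A-Z]:\\WINDOWS\\[A-Z0-9]{8}\.EXE"?\s+/dk', re.IGNORECASE)

# Constructed sample of Run values (value name -> command line), not real data.
SAMPLE_RUN = {
    "IH5B0AKB": r"C:\WINDOWS\IH5B0AKB.EXE /dk",
    "SystemTray": "SysTray.Exe",
    "Shell": r"C:\WINDOWS\EXPLORER.EXE",
}


def suspect_files(windows_dir):
    """Names in windows_dir that match BOTH the name pattern and a listed size.

    The name test alone is not enough: EXPLORER.EXE is also 8 characters.
    """
    hits = []
    for entry in Path(windows_dir).iterdir():
        if not entry.is_file() or not NAME_RE.fullmatch(entry.name):
            continue
        if entry.stat().st_size in SUSPECT_SIZES:
            hits.append(entry.name)
    return sorted(hits)


def suspect_run_entries(run_values):
    """Value names whose command is an 8-character Windows-folder exe plus /dk."""
    return sorted(n for n, cmd in run_values.items() if RUN_RE.fullmatch(cmd.strip()))


if __name__ == "__main__":
    folder = Path(sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS")
    print("Run entries to review:", suspect_run_entries(SAMPLE_RUN))
    if folder.is_dir():
        print("Files to review:", suspect_files(folder))
    else:
        print("Folder not found:", folder)
```

The script only lists candidates; it deletes nothing, so each hit can still be compared against the HijackThis log before removal.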
  2. dvk01

    dvk01 Global Moderator

    This is primarily for use in Windows 98 or ME, but there is an XP removal zip on the download site.

    It is new and might not work in all cases; if unsuccessful, then follow the advice for manual cleaning in the first post.

    download this file here (Adtomi Cleanup.zip).
    http://www.wilderssecurity.com/attachments/9x_Adtomi_Cleanup.zip for 98 or ME
    http://www.wilderssecurity.com/attachments/XPAdtomi_Cleanup.zip for XP

    or alternatively from
    http://www.thespykiller.co.uk/downloads.htm


    It was created by Mosaic1 and is available here with her kind permission
    And follow the instructions.

    First, if you have a Script Blocking Program enabled, disable it so the scripts may run.

    Unzip it to C:\Windows

    See if there is an Adtomi or yahoo stocks icon in your system tray; it might be a red ??, and if so right click and select remove. You must be online for this part.

    --A web page from Adtomi would appear "-uninstall was succesful!"
    then go off line
    (note not all infections have this icon, so if it isn't there then don't worry)

    Next press CTRL+ALT+DEL once to bring up Task Manager & stop the running process on the funny named file with 8 assorted letters & numbers, that will be listed towards the bottom of the running process list in your hijackthis log,
    and there might also be morze1 running; if so, end that process as well.

    If you don't have any strange named exe files running or you can't stop it running, then DO NOT CONTINUE; please ask for more help first.

    Now locate and Double Click Cleanup.bat that is in the folder you unzipped ( C:\Windows\Adtomi Cleanup )

    ***Do not Touch the VBS files. The bat file will run the scripts.

    It will remove the Adtomi Spyware files from the Windows Folder
    Clean the Startup Folders
    Create Backups of the Adtomi exe files it deletes and save them in this folder
    Create a list of all oddly named files deleted from the Windows Folder
    Uninstall the BHO
    Start HijackThis and give you directions on what to remove.

    When you have finished please restart the computer.

    Run HijackThis again and post the contents of your new log and the contents of Adtomi.txt in your next reply in your Forum Topic.

    edited to include some new additional directions
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    zip files replaced by new version on 04-07

    Pieter