TechSpot

Google redirect problem

By riss1
Nov 6, 2007
  1. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Let's see if we can delete this bugger manually.

    Make sure all Antispyware programmes are disabled.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type regedit into the run box and hit the enter key.

    Navigate to the following regkey and delete the bold section.

    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36CE4CCD-0171-47CE-BE90-CC4CD5D6C2D8}

    Close regedit.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there).

    O2 - BHO: (no name) - {36CE4CCD-0171-47CE-BE90-CC4CD5D6C2D8} - C:\WINDOWS\system32\atmf.dll

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or folders (if there).

    C:\WINDOWS\system32\atmf.dll

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of riss1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
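
Added example, not part of the original thread: a small parser for the HijackThis `O2 - BHO` line format quoted in the post above, which flags entries for manual review. The two heuristics (no display name, DLL sitting directly in system32) are assumptions for triage, not verdicts, since legitimate DLLs also live in system32; the second O2 line and the O4 line in the sample are constructed.

```python
import re
from ntpath import dirname, normcase  # Windows path rules on any OS

# HijackThis section O2 lists Browser Helper Objects: name - {CLSID} - DLL path
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
SYSTEM32 = normcase(r"C:\WINDOWS\system32")

# Constructed sample log: the first O2 line is the one quoted in the thread,
# the second O2 line and the O4 line are made up for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {36CE4CCD-0171-47CE-BE90-CC4CD5D6C2D8} - C:\WINDOWS\system32\atmf.dll
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""


def parse_bhos(log_text):
    """Return one dict (name, clsid, path) per O2 line in the log."""
    entries = []
    for line in log_text.splitlines():
        match = O2_LINE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def triage(entry):
    """Return the review reasons that apply to one BHO entry (assumed heuristics)."""
    reasons = []
    if entry["name"] == "(no name)":
        reasons.append("no display name")
    if normcase(dirname(entry["path"])) == SYSTEM32:
        reasons.append("DLL directly in system32")
    return reasons


def review(log_text):
    """Return (clsid, path, reasons) for every BHO with at least one flag."""
    flagged = []
    for entry in parse_bhos(log_text):
        reasons = triage(entry)
        if reasons:
            flagged.append((entry["clsid"], entry["path"], reasons))
    return flagged


if __name__ == "__main__":
    for clsid, path, reasons in review(SAMPLE_LOG):
        print(clsid, path, "; ".join(reasons))
```
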
     
  2. riss1

    riss1 TS Rookie Topic Starter Posts: 24

    no luck

    well i thought it had been deleted but when i ran hijack this it STILL said it couldn't be deleted. when i went to windows\system32\ i found that there are also these files there: atmf.2, atmf.dll, atmfd.dll, atmlib.dll, atmpvcno.dd, atrace.dll.

    thanks for your persistence on this one.
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Those other files are safe as far as I'm aware.

    I'm running out of ideas here at a fast rate of knots.

    I think you should get ready for a possible format. I.E, make sure you have all your important data backed up, just in case.

    Make sure all antispyware programmes are disabled.

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:


    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [IMG]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    Regards Howard :)

     
  4. riss1

    riss1 TS Rookie Topic Starter Posts: 24

    backups

    Hi,
    when you said to backup all my important info do you mean all the info on my hard drive like files / documents etc?
    if so i will do it tomorrow as i think it will take awhile and let you know how i go tomorrow night as it is past midnight here.
    this stupid thing has kept me up for 4 nights!!!
    so much for norton hey!
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    No, I meant all your personal data such as music/photos/any important documents etc.

    This is just in case it becomes necessary to reformat.

    I still have an idea or two left, so hopefully, we can avoid a format.

    Regards Howard :)

     
  6. riss1

    riss1 TS Rookie Topic Starter Posts: 24

    will post tomorrow

    oh ok,
    i will post tomorrow as i need some sleep. i am relieved to hear u still have some ideas!
    Thanks again.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    No worries mate.

    I promise you, I'll try my very best to solve this, if I can.

    Regards Howard :)

     
  8. riss1

    riss1 TS Rookie Topic Starter Posts: 24

    they should make armour out of this thing

    no luck again I'm afraid. :(
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Damn, this is one hell of a resilient bugger.

    Download OTMoveIt.exe from here and place it on your desktop:
    http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

    Open OTMoveIt.exe.
    In the left pane where it says: "Paste List of Files/Folders to be Moved", copy and paste the contents of the quote box below.

    Then click the MoveIt button below.
    In case you get a "Bad Image" error, just click OK at the prompt. It will move the file anyway.
    When done, it will create a log (********_******.log -- * stands for date and time) in next folder: C:\_OTMoveIt\MovedFiles.
    Attach this log in your next reply with a new HJT log.

    Regards Howard :)

     
  10. riss1

    riss1 TS Rookie Topic Starter Posts: 24

    i cant believe this

    This thing is incredible!
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You forgot to post the fresh HJT log.

    Edit: Do you have your Windows cd?

    Regards Howard :)
     
     
  12. riss1

    riss1 TS Rookie Topic Starter Posts: 24

    hjt log

    hi,
    sorry bout the hjt log. i don't have my windows cd as it is a pc i got through work
    maybe i could just tell them to wipe it all and start again??
    thanks so much
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    That's a real shame you don't have your Windows cd. I wanted to try deleting the file via the recovery console.

    Ok, this really is my last idea.

    Download and install the Unlocker programme.

    http://ccollomb.free.fr/unlocker/unlocker1.8.5.exe

    Instructions for using the Unlocker programme can be found HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    These are the files you need to right click on and select Unlocker.

    C:\WINDOWS\system32\drivers\sdatjvii.dat
    C:\WINDOWS\system32\drivers\uzaudnku.dat
    C:\WINDOWS\system32\atmf.dll

    Once done, rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

     
  14. riss1

    riss1 TS Rookie Topic Starter Posts: 24

    no go

    Hi Howard,
    well i did the unlock thing but in the middle of it a window came up saying:
    "the instruction 0x027539a2 which referenced memory at 0x027b36c8 could not be "read" click ok to terminate or cancel to debug."
    so i chose debug which then took ages and eventually it said DrWatson has encountered a problem and needs to close.

    error messages like this have been coming up each time i close IE. with a runtime error 216.

    have attached new hjt log
    thanks!
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Damn, I'm really sorry, but I think we've reached the end of the road on this.

    As far as I can tell, your only choice is to reformat and reinstall. :(

    If you possessed a Windows CD, then we may possibly have been able to get rid of the infection through the recovery console.

    Regards Howard :)

     
  16. riss1

    riss1 TS Rookie Topic Starter Posts: 24

    cheers

    Thanks for your many hours help on this one!
    Reformat it is - I probably need it anyway cos my pc is soooo slow!
    Cheers
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    I'm just sorry I wasn't able to solve your problem.

    Regards Howard :(

     
  18. riss1

    riss1 TS Rookie Topic Starter Posts: 24

    Great News

    At my wits' end and just about to give up i scanned my pc with DrWeb and it was able to delete the file!
    YAY!
    Thank you for your help. Now i am going to delete useless norton and find something else. Thanks again!
     
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    That's fantastic news, I'm real pleased for you.

    Do you have a link to the programme you used?

    Regards Howard :)

     
  20. riss1

    riss1 TS Rookie Topic Starter Posts: 24

    reply

    Hi Howard, first I did a scan with this scanner to see what they thought the file was : http://virusscan.jotti.org/
    then i saw that drweb scanner thought it was trojan.sentinel so i typed www.drweb.com into the browser to see where it took me and i downloaded a free scanner from there so the actual address of the download was:
    http://freedrweb.com/

    since then i have followed your instructions and deleted norton and downloaded and installed zonealarm and avast.

    Thanks.
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Thanks for the info.

    I did actually know about the DRweb Cureit programme, but never thought it'd fix your problem after everything else we'd thrown at it.

    Strange how things work out sometimes.

    Regards Howard :)

     
Topic Status:
Not open for further replies.

