Google redirect problem

Status
Not open for further replies.
Let's see if we can delete this bugger manually.

Make sure all Antispyware programmes are disabled.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type regedit into the run box and hit the enter key.

Navigate to the following regkey and delete the bold section.

HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36CE4CCD-0171-47CE-BE90-CC4CD5D6C2D8}

Close regedit.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O2 - BHO: (no name) - {36CE4CCD-0171-47CE-BE90-CC4CD5D6C2D8} - C:\WINDOWS\system32\atmf.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders (if there).

C:\WINDOWS\system32\atmf.dll

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

This thread is for the use of riss1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
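Added example, not part of the original posts: a small Python check that compares the O2 (Browser Helper Object) lines of two HijackThis logs to tell whether a fixed entry really went away, which is what each "fresh HJT log" in this thread is for. The second BHO entry, the function names and the status labels are constructed for illustration; the "(file missing)" suffix is how HijackThis marks an entry whose DLL no longer exists.

```python
import re

# One HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <DLL path>"
O2_RE = re.compile(
    r"^O2 - BHO:\s*(?P<name>.*?)\s*-\s*"
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r"\s*-\s*(?P<path>.+?)\s*$"
)
MISSING = "(file missing)"  # suffix HijackThis appends when the DLL is gone


def parse_bhos(log_text):
    """Return {CLSID: {"name", "path", "file_missing"}} for every O2 line."""
    entries = {}
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        missing = path.endswith(MISSING)
        if missing:
            path = path[: -len(MISSING)].rstrip()
        entries[m.group("clsid").upper()] = {
            "name": m.group("name"), "path": path, "file_missing": missing,
        }
    return entries


def fix_status(before_log, after_log, target_clsid):
    """Classify what happened to one BHO between two logs (labels are hypothetical)."""
    target = target_clsid.upper()
    before, after = parse_bhos(before_log), parse_bhos(after_log)
    if target not in before:
        return "not-in-first-log"
    if target not in after:
        return "removed"
    if after[target]["file_missing"]:
        return "file-gone-registry-entry-remains"
    return "still-present"


TARGET = "{36CE4CCD-0171-47CE-BE90-CC4CD5D6C2D8}"  # CLSID quoted in the post above
# Constructed sample logs: first line is the entry from the thread, second is made up.
BEFORE = r"""
O2 - BHO: (no name) - {36CE4CCD-0171-47CE-BE90-CC4CD5D6C2D8} - C:\WINDOWS\system32\atmf.dll
O2 - BHO: Example Helper - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\helper.dll
"""
AFTER = r"O2 - BHO: (no name) - {36CE4CCD-0171-47CE-BE90-CC4CD5D6C2D8} - C:\WINDOWS\system32\atmf.dll"

if __name__ == "__main__":
    print(fix_status(BEFORE, AFTER, TARGET))
```

A "file-gone-registry-entry-remains" result means the DLL was deleted but the Browser Helper Objects key still needs removing; "still-present" means neither step took effect.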
 
no luck

well i thought it had been deleted but when i ran hijack this it STILL said it couldn't be deleted. when i went to windows\system32\ i found that there are also these files there: atmf.2, atmf.dll, atmfd.dll, atmlib.dll, atmpvcno.dd, atrace.dll.

thanks for your persistence on this one.
 
Those other files are safe as far as I'm aware.

I'm running out of ideas here at a fast rate of knots.

I think you should get ready for a possible format. I.E, make sure you have all your important data backed up, just in case.

Make sure all antispyware programmes are disabled.

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:


File::
C:\WINDOWS\system32\atmf.dll
C:\WINDOWS\system32\drivers\mojkweehrlrd.sys
C:\WINDOWS\system32\drivers\sdatjvii.dat
C:\WINDOWS\system32\drivers\uzaudnku.dat
Folder::
C:\bintheredunthat
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36CE4CCD-0171-47CE-BE90-CC4CD5D6C2D8}]

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :)

 
backups

Hi,
when you said to backup all my important info do you mean all the info on my hard drive like files / documents etc?
if so i will do it tomorrow as i think it will take a while and let you know how i go tomorrow night as it is past midnight here.
this stupid thing has kept me up for 4 nights!!!
so much for norton hey!
 
No, I meant all your personal data such as music/photos/any important documents etc.

This is just in case it becomes necessary to reformat.

I still have an idea or two left, so hopefully, we can avoid a format.

Regards Howard :)

 
will post tomorrow

oh ok,
i will post tomorrow as i need some sleep. i am relieved to hear u still have some ideas!
Thanks again.
 
No worries mate.

I promise you, I'll try my very best to solve this, if I can.

Regards Howard :)

 
Damn, this is one hell of a resilient bugger.

Download OTMoveIt.exe from here and place it on your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Open OTMoveIt.exe.
In the left pane where it says: "Paste List of Files/Folders to be Moved", copy and paste the contents of the quote box below.
C:\WINDOWS\system32\drivers\sdatjvii.dat
C:\WINDOWS\system32\drivers\uzaudnku.dat
C:\WINDOWS\system32\atmf.dll


Then click the MoveIt button below.
In case you get a "Bad Image" error, just click OK at the prompt. It will move the file anyway.
When done, it will create a log (********_******.log -- * stands for date and time) in next folder: C:\_OTMoveIt\MovedFiles.
Attach this log in your next reply with a new HJT log.

Regards Howard :)

 
hjt log

hi,
sorry bout the hjt log. i don't have my windows cd as it is a pc i got through work
maybe i could just tell them to wipe it all and start again??
thanks so much
 
That's a real shame you don't have your Windows cd. I wanted to try deleting the file via the recovery console.

Ok, this really is my last idea.

Download and install the Unlocker programme.

http://ccollomb.free.fr/unlocker/unlocker1.8.5.exe

Instructions for using the Unlocker programme can be found HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

These are the files you need to right click on and select Unlocker.

C:\WINDOWS\system32\drivers\sdatjvii.dat
C:\WINDOWS\system32\drivers\uzaudnku.dat
C:\WINDOWS\system32\atmf.dll

Once done, rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

 
no go

Hi Howard,
well i did the unlock thing but in the middle of it a window came up saying:
"the instruction 0x027539a2 which referenced memory at 0x027b36c8 could not be "read" click ok to terminate or cancel to debug."
so i chose debug which then took ages and eventually it said DrWatson has encountered a problem and needs to close.

error messages like this have been coming up each time i close IE. with a runtime error 216.

have attached new hjt log
thanks!
 
Damn, I'm really sorry, but I think we've reached the end of the road on this.

As far as I can tell, your only choice is to reformat and reinstall. :(

If you possessed a Windows CD, then we may possibly have been able to get rid of the infection through the recovery console.

Regards Howard :)

 
cheers

Thanks for your many hours help on this one!
Reformat it is - I probably need it anyway cos my pc is soooo slow!
Cheers
 
Great News

At my wits' end and just about to give up i scanned my pc with DrWeb and it was able to delete the file!
YAY!
Thank you for your help. Now i am going to delete useless norton and find something else. Thanks again!
 
That's fantastic news, I'm real pleased for you.

Do you have a link to the programme you used?

Regards Howard :)

 
reply

Hi Howard, first I did a scan with this scanner to see what they thought the file was : http://virusscan.jotti.org/
then i saw that drweb scanner thought it was trojan.sentinel so i typed www.drweb.com into the browser to see where it took me and i downloaded a free scanner from there so the actual address of the download was:
http://freedrweb.com/

since then i have followed your instructions and deleted norton and downloaded and installed zonealarm and avast.

Thanks.
 
Thanks for the info.

I did actually know about the DRweb Cureit programme, but never thought it'd fix your problem after everything else we'd thrown at it.

Strange how things work out sometimes.

Regards Howard :)

 