
Redirection to r9237242.cn


3 replies to this topic

#1 t.crimson

t.crimson


Posted 01 December 2009 - 09:59 AM

Hello all.

I have a computer that is infected with some crazy hijack that is really getting on my nerves.

Every now and again when I search something via Google and click a result, it will first take me to r9237242.cn and then throw me at another random search engine.

I have already run Malwarebytes and nothing has been found there, but there still seems to be something lurking around.

I have done a search and found many others with this issue but can't find how to remove it exactly! Could anyone give me some help on this one, as I have no clue!

Thank you for your time!


#2 johnnyzero

johnnyzero


Posted 01 December 2009 - 12:39 PM

crimson,

It sure sounds like the same malware I was dealing with (TDSS.y Rootkit). I was getting redirected via the same server you mentioned, r9237242.cn. In my case, it turned out to be a single infected driver file, ATAPI.SYS.

After trying at least 25 different malware solutions over several hellish days with no success, here's how I finally got rid of it:

* Download Esage Labs' Rootkit.Win32.TDSS remover from here and run it.

* The program should detect the infected ATAPI.SYS file, and will then offer to let you restore the file from the \i386 folder of your original Windows CD.

Unfortunately, when I tried to do this last step, I kept getting a "file version" error - probably because I'm running SP3 and my original CD is SP2. If you're running XP and you encounter the same problem (or you don't have access to your original CD), here's the workaround for that:

1) Your WINDOWS\ServicePackFiles\i386 folder should contain a clean (uninfected) copy of ATAPI.SYS. Copy this clean version of ATAPI.SYS to both \system32\drivers and \system32\dllcache (overwriting the infected ones).

2) Before rebooting, probably a good idea to check your Hosts file & clean it out if necessary. Also, probably a good idea to clear your DNS cache.

3) Reboot & you should be good to go: hopefully no more redirects! :thumbsup:

Let me know if this works for you.

JohnB
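As an added example (not code from this thread or from the TDSS remover), here is a PowerShell check that mirrors the steps in the post above: it hashes the three copies of ATAPI.SYS, flags any copy that differs from the ServicePackFiles reference, prints active hosts-file entries for review and flushes the DNS cache. It assumes the XP folder layout named in the post, an elevated PowerShell prompt, and that the ServicePackFiles\i386 copy is clean.

```powershell
# Added example, not code from the thread: verify the three copies of atapi.sys that
# johnnyzero's post mentions and review the hosts file before rebooting.
# Assumes the XP layout in the post (%SystemRoot%\system32\drivers, \system32\dllcache,
# \ServicePackFiles\i386) and an elevated PowerShell prompt; PowerShell 2.0 is enough.

$root   = $env:SystemRoot
$copies = @{
    'system32\drivers'      = Join-Path $root 'system32\drivers\atapi.sys'
    'system32\dllcache'     = Join-Path $root 'system32\dllcache\atapi.sys'
    'ServicePackFiles\i386' = Join-Path $root 'ServicePackFiles\i386\atapi.sys'
}

function Get-Sha256Hex ([string]$Path) {
    # Get-FileHash does not exist on old PowerShell, so hash through .NET directly.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }
}

$hashes = @{}
foreach ($name in $copies.Keys) {
    $path = $copies[$name]
    if (-not (Test-Path $path)) { Write-Warning "$name has no atapi.sys"; continue }
    $ver = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path).FileVersion
    $hashes[$name] = Get-Sha256Hex $path
    '{0,-22} {1,-18} {2}' -f $name, $ver, $hashes[$name]
}

# The service-pack copy is the reference. A copy whose hash differs from it is the one to
# inspect; the version column separates a genuine service-pack mismatch (the SP2/SP3
# problem the post hit with the install CD) from a same-version file that was modified.
$ref = $hashes['ServicePackFiles\i386']
foreach ($name in $hashes.Keys) {
    if ($ref -and $hashes[$name] -ne $ref) {
        Write-Warning "atapi.sys in $name does not match the ServicePackFiles copy"
    }
}

# Step 2 of the post: show every active hosts entry other than the loopback line so that
# anything a redirector added can be reviewed, then flush the resolver cache.
$hostsFile = Join-Path $root 'system32\drivers\etc\hosts'
Get-Content $hostsFile |
    Where-Object { $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' }
ipconfig /flushdns
```

A hash mismatch on its own only says the files differ; the version column and the remover's own verdict decide whether a copy is a legitimate service-pack revision or a tampered driver.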

#3 t.crimson

t.crimson
  • Topic Starter


Posted 02 December 2009 - 05:20 AM

That tool worked absolutely fine!

It found 3 things: two ?E files that it couldn't gain access to and the infected Nvata.sys.

However, getting rid of these wasn't so straightforward. I had to first download the mainboard drivers from Gigabyte and then boot into a BartPE disc to delete these files, finally pasting the fresh nvata.sys file back into system32\drivers.

Scanned again and it's showing no problems.

Thanks so much for this! You are a life saver and I would have never found that tool on my own.

Thank you!

#4 Martin Connolly

Martin Connolly


Posted 24 December 2009 - 04:34 AM

I found a variant of this that the aforementioned TDSS remover could not find. I beat the little devil by removing the hard drive, connecting it to another computer and scanning it with Microsoft Security Essentials.
