Malware Removal, I cannot remove Jimbutt |
Post #1 | Apr 26 2005, 01:54 AM | New Member | Posts: 1 | OS: XP
Hi everyone! I am trying to fix a friend's computer and have finally got Windows back up and running! However, after removing various spyware and the odd trojan I am left with Jimbutt, which sadly has me beaten! At present! I have run Ad-Aware, Microsoft's AntiSpyware and Spybot! They find it and say they have removed it, but it just comes back again and again etc! It is trying to connect to the Internet even though I have it completely offline, and I am receiving an error message, which I assume is disguising itself as a Windows security warning: Error #317, informing me that the computer is corrupted with a spyware virus and I can remove it by downloading a free spyware removal tool called AntiSPY. Never heard of it, I wonder why! So below is my friend's HijackThis log and I hope one of you can help before I take a gun to it!!!!!!!!!!!!! I kind of think she might be a little upset at me shooting her fairly new Tosh laptop though!

Logfile of HijackThis v1.99.1
Scan saved at 07:58:06, on 26/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jessamy Bull\Application Data\My-disgo\MyKey disgo.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\system32\wpabaln.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=2036 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=2036 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=2036 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O1 - Hosts: 60.50.170.0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

Thanks in advance for your help guys and girls!
Jamesy
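When a helper reads a log like the one above, the first pass is mechanical: pull out the R0/R1 browser settings, the O1 Hosts entries and the O2/O4 load points, and check where each one points. The Python below is an added example written for this thread, not part of HijackThis or of either post. The sample log is built from lines quoted in the post above, and the allowlist of known-good search hosts is a placeholder assumption that a real helper would maintain from known-clean builds.

```python
"""Triage helper for HijackThis-style logs (added example, not a HijackThis
feature).  It parses the R0/R1, O1, O2 and O4 line shapes seen in the log
above and flags what a helper looks at first: browser search/start-page
settings pointing at hosts outside an allowlist, a proxy setting to confirm
with the user, and Hosts-file entries whose target is not loopback."""
import ipaddress
import re
from urllib.parse import urlparse

# ASSUMPTION: placeholder allowlist of hosts the browser's default search and
# start-page settings are expected to use; maintain it from known-good builds.
KNOWN_GOOD_HOSTS = {"www.microsoft.com", "search.msn.com", "www.msn.com"}

# Constructed sample: a subset of the entries quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=2036 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=2036 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=2036 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O1 - Hosts: 60.50.170.0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")


def url_host(value):
    """Host part of a URL-ish value.  Proxy strings look like
    'http=host:port;ftp=host:port', so take the first entry and strip the
    'proto=' prefix when the value does not already start with a scheme."""
    first = value.split(";")[0].strip()
    if not re.match(r"^\w+://", first) and "=" in first:
        first = first.split("=", 1)[1]
    if "://" not in first:
        first = "http://" + first
    return (urlparse(first).hostname or "").lower()


def is_loopback(addr):
    """True only for a parseable loopback address (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def parse_line(line):
    """Return a dict describing one log entry, or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    rec = {"code": code, "raw": line.strip()}
    if code.startswith("R"):
        # "HKCU\...,Search = http://... (obfuscated)"
        key, _, value = body.partition(" = ")
        rec.update(key=key, value=re.sub(r"\s*\(obfuscated\)\s*$", "", value))
    elif code == "O1":
        # "Hosts: <target ip> <name ...>"
        parts = body.replace("Hosts:", "", 1).split()
        rec.update(target=parts[0] if parts else "", names=parts[1:])
    elif code == "O2":
        # "BHO: <name> - {CLSID} - <path>"; maxsplit keeps ' - ' inside paths intact
        parts = [p.strip() for p in body.replace("BHO:", "", 1).split(" - ", 2)]
        if len(parts) == 3:
            rec.update(name=parts[0], clsid=parts[1], path=parts[2])
    elif code == "O4":
        # "HKLM\..\Run: [ValueName] <command>"
        hive, _, rest = body.partition(": ")
        m4 = re.match(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", rest)
        if m4:
            rec.update(hive=hive, name=m4.group("name"), command=m4.group("cmd"))
    return rec


def triage(log_text):
    """Parse every entry and return (entries, findings); each finding is a
    (code, reason, raw_line) tuple in log order."""
    entries, findings = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entries.append(rec)
        if rec["code"] in ("R0", "R1"):
            host = url_host(rec["value"])
            if rec["key"].endswith("ProxyServer"):
                findings.append((rec["code"], f"proxy set to {host}; confirm it is the ISP's", rec["raw"]))
            elif host and host not in KNOWN_GOOD_HOSTS:
                findings.append((rec["code"], f"browser setting points at {host}", rec["raw"]))
        elif rec["code"] == "O1" and not is_loopback(rec["target"]):
            findings.append(("O1", f"Hosts entry targets non-loopback {rec['target']}", rec["raw"]))
    return entries, findings


if __name__ == "__main__":
    _, found = triage(SAMPLE_LOG)
    for code, reason, raw in found:
        print(f"{code}: {reason}\n    {raw}")
```

Run against the sample, the script reports the three search redirects to bigbr.cc, the start page on www.jimbutt.com, the ISP proxy as something to confirm, and the non-loopback Hosts entry, while the O2 and O4 lines are parsed into structured records for the helper to review rather than flagged automatically.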
Post #2 | Apr 26 2005, 12:01 PM | Malware Surgeon with a shaky scalpel | Posts: 15,101 | From: Worcestershire, England | OS: Win98, Windows XP Professional SP2, Vista
Hello Jamesy and welcome to Geeks to Go.
Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix will require you to be in Safe Mode, which may not allow you to access the Internet, or my instructions!

You do have an infection and also a re-direct pointing to Telekom Malaysia Berhad in Kuala Lumpur; is that legitimate?

Now, for the rest of it and if you are ready, let's get fixing!

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

CWShredder (the download icon is on the right-hand side of the page)
CCleaner

Now please install CWShredder, and run it. Click Check For Update, then Fix and then OK followed by Next, let it fix everything it asks about.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=2036 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=2036 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=2036 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/

Now close all windows other than HiJackThis, then click Fix Checked.

Please now reboot into safe mode. Here's how:

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds.

Post back a fresh HijackThis log and I will take another look.

Edit: As there has been no reply from the original poster this topic is now closed. Should you have any further problems please create a new Topic. Thanks.

This post has been edited by Crustyoldbloke: May 6 2005, 02:36 AM