Hi there,

I found this jimbutts spyware so damned annoying I have made an account just to tell ya how I fixed it. Have spent the last 4 hours using forums like this to finally clinch how it keeps replicating itself.

First off it goes without saying that you should have the following:

Spybot search and destroy
Ad-aware SE personal
Hijack this (latest version)
Firewall
Upto date decent virus checker and definitions.

Steps I used:

 Run a cycle of Spybot and then of Ad-aware SE

 First Uncover hidden files and folders in windows : click (Windowskey+E) and in the toolbar click "Tools>Folder options" and under tab "View" checkmark "Show hidden files and folders" and uncheck "Hide protected system files" and "Hide file extentions for known filetypes"

 Goto http://www.bitdefender.com/scan/licence.php - its a free virus checker which lists potential infected areas your usual checker might not pickup. Make a copy of the final result in a word.doc and save – we will need this later.

 Turn off inet and close all open programs and iexplorer

 Use spybot – clean as appropriate

 Use Ad-aware se – clean as appropriate (the 2 main infected files will keep replicating but its important u get rid of anything else)

 Use hijack this…. The following files are imo completely associated. I will place a list of urls to other jimbutts threads so you can have a read through and compare. The registry items that are directly applicable to jimbutts:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/

R3 - Default URLSearchHook is missing

O1 - Hosts: 60.50.170.0

Now back to that word.doc that we saved earlier. This is the real clincher as jimbutts continually replicates itself so you can get rid of everything except a window that pops up telling you that you are infected and need their spyware removal, and the R0 line in the registry for the main start page (which makes your start page continuously theirs whatever you do).

Through analysing the results from the bitdefender virus checker, I went through what it clarified as a threat (by this stage I only had 2 because I run all usual programs to keep a usually clean system. You will usually find these at the bottom of the log). As a result of me having a number of programs blocking spyware I knew quite accurately what time I was infected as numerous bells and whistles went off as it happened. Now one of the files bitdefender found was called systr.dll and is found in the following folder:

C:\WINDOWS\system32

The creation of this systr.dll was at the exact time of the infection. I therefore moved this file into a secure location (incase it caused a problem so I could just move it back in safemode later) and then rebooted the pc.


On rebooting you should run hijack this and you will find:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/

Is still there in the registry but NEVER FEAR…. mark it checked and delete and that’s the last time you will see it. On opening internet it will default and you can reset your homepage and jimbutts is gone forever !! Everything works fine and there seems to be no adverse affects to moving that .dll. The .dll is a protected file so once your sure everything is ok you will want to use: http://www.bleepingcomputer.com/files/spyware/KillBox.zip

To delete it from your system completely. (or alternatively just rename it)


I hope people find this a useful explanation of getting rid of this very annoying spyware. Bear in mind I am no hijackthis expert and deleting any files from windows system / registry etc has the potential of destabilising your system permanently if done incorrectly.

Good luck.

 

Welcome to TSF.

Please do not post your log in someone else's thread. I have created this new thread for your log.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Go to Start->Settings->Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check Disable System Restore. Click OK. Click Yes when you are prompted to restart Windows. When we have confirmed that your log file is clean, you may enable System Restore again by following the same steps as above except you should uncheck Disable System Restore.

Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. You may delete it afterwards.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.