Infected with Win32:Small-EPJ, Please help

By rlmurray
Dec 2, 2007
Topic Status:
Not open for further replies.
  1. Here is my HJT log. I can't seem to get rid of this!!
    Thanks in advance!!
  2. Jase123

    Jase123 Banned Posts: 1,122

    Before posting your HJT log - can you go through the instructions HERE.

    Remember to post a fresh HJT log.

    Regards Jason :)
  3. rlmurray

    rlmurray Newcomer, in training Topic Starter Posts: 35

    thanks Jason will do
  4. Jase123

    Jase123 Banned Posts: 1,122

    I'll keep my eye out for your attachments and fresh HJT log. ;)

    Regards Jason :)
  5. rlmurray

    rlmurray Newcomer, in training Topic Starter Posts: 35

    here it is I may have attached it twice
  6. evilfantasy

    evilfantasy Banned Posts: 428

    Download SmitfraudFix (by S!Ri) to your Desktop.

    PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

    You may want to print out these instructions, or copy and paste them into Notepad and save it to the desktop, as you will not be able to see this page in Safe Mode.

    Please reboot your computer in Safe Mode by tapping the F8 key just before Windows starts to load and selecting Safe Mode.

    Open the SmitfraudFix Folder on your Desktop, then double-click smitfraudfix.cmd file to start the tool.

    Select option #2 - Clean by typing 2 and press Enter.
    The program will start cleaning your computer and go through a series of cleanup processes. Wait for the tool to complete and for disk cleanup to finish. This process can take some time depending on your computer, so please be patient. When it is complete, it will close automatically and you should continue with the next step.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.

    The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

    A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Optional:
    To restore Trusted and Restricted site zone, select 3 and hit Enter.
    You will be prompted: Restore Trusted Zone? Answer Y (yes) and hit Enter to delete the trusted zone.

    Now reboot into normal mode and attach this new rapport.txt in the next post.

    WARNING: Running this option on a non-infected computer will remove the desktop background. So only run it once!

    Next post please attach:
    rapport.txt log
    NEW HijackThis log
  7. rlmurray

    rlmurray Newcomer, in training Topic Starter Posts: 35

    OK, here are the files you asked for. Thanks again. HJT and rapport files
  8. evilfantasy

    evilfantasy Banned Posts: 428

    Please download Combofix by sUBs from either here or here

    Save Combofix.exe to your Desktop.

    1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
    2. When finished, it will produce a log for you.
    3. Attach that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause your computer to stall.


    Please attach the combofix.txt log and a NEW HijackThis log in the next post.
  9. rlmurray

    rlmurray Newcomer, in training Topic Starter Posts: 35

    Attached are the ComboFix files.
    Thanks.
  10. rlmurray

    rlmurray Newcomer, in training Topic Starter Posts: 35

    here is a new HJT file as well
  11. Jase123

    Jase123 Banned Posts: 1,122

    I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.
    The infection is delivered by TROJAN.SPY
    It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
    IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

    We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

    The Decision Whether to ReFormat or Not should be based on:
    • The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
    • The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect.
    If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
    • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
    • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
    • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
      Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
    • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
    • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
    • Take any other steps you think appropriate for an attempted identity theft.
    While you are deciding whether to ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063
    Please let me know what you decide.

    Regards Jason :)
  12. evilfantasy

    evilfantasy Banned Posts: 428

    Please do these in the order they are posted in.

    Open HijackThis and select Do a system scan only and place a check mark next to:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {FED51DF2-9644-4C58-9104-90244EDD6EEC} - C:\WINDOWS\system32\hggdeby.dll
    O20 - Winlogon Notify: hggdeby - C:\WINDOWS\SYSTEM32\hggdeby.dll


    Close all windows and click Fix checked

    --------------------

    Delete these files/folders, as follows:

    * Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    * Save this as CFScript on the desktop.
    * Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    [screenshot: dragging CFScript onto ComboFix.exe]

    * ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

    --------------------

    Download SDFix.exe and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    * Restart your computer
    * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    * Instead of Windows loading as normal, the Advanced Options Menu should appear;
    * Select the first option, to run Windows in Safe Mode, then press Enter.
    * Choose your usual account.
    * Open the extracted SDFix folder and double click RunThis.bat to start the script.
    * Type Y to begin the cleanup process.
    * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    * Press any Key and it will restart the PC.
    * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard).
    * Finally add the contents of the Report.txt in your next post as an Attachment with a new HijackThis log

    --------------------

    Run a new HijackThis scan and save a log file.

    --------------------

    Next post please attach
    Combofix.txt log
    Report.txt log
    NEW HijackThis scan log
  13. rlmurray

    rlmurray Newcomer, in training Topic Starter Posts: 35

    all files attached. Again thanks

    (Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)
  14. evilfantasy

    evilfantasy Banned Posts: 428

    You somehow managed to attach only the combofix quarantined list. I need the new log it produced.

    Plus the report.txt and a new hijackThis log.
  15. rlmurray

    rlmurray Newcomer, in training Topic Starter Posts: 35

    here is the HijackThis log

    trying to attach files

    report files

    Let's reconvene tomorrow. Again thanks
    Also, I have ntos.exe; how could we get rid of that???

    (Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)
  16. evilfantasy

    evilfantasy Banned Posts: 428

    We are getting there.

    I should have another set of instructions waiting for you when you sign in tomorrow.

    Cheers.
  17. evilfantasy

    evilfantasy Banned Posts: 428

    Go to Start > My Computer
    Go to Tools > Folder Options
    Click on the View tab
    Untick the following:
    * Hide extensions for known file types
    * Hide protected operating system files (Recommended)
    You will get a message warning you about showing protected operating system files, click Yes
    Make sure this option is selected:
    * Show hidden files and folders
    Click Apply and then click OK

    --------------------

    You will not be able to see this page in safe mode.

    You should print these instructions before continuing or copy and paste them to notepad and save it to the desktop.
    (from here to where it says Restart the computer to Normal Boot Mode
    )

    --------------------

    1. Go to Start > Turn off computer > Restart.
    2. Lightly tap F8 until the menu screen appears.
    3. Using the arrow keys, highlight Safe Mode option, then press Enter.
    4. Log in with your usual account name.

    --------------------

    Open HijackThis and select Do a system scan only then place a check mark next to:

    O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
    O2 - BHO: (no name) - {245A6CD4-5EA9-B9EB-791A-06F67243094D} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
    O2 - BHO: (no name) - {FED51DF2-9644-4C58-9104-90244EDD6EEC} - (no file)
    O20 - Winlogon Notify: hggdeby - hggdeby.dll (file missing)


    Close all windows except HijackThis and click fix checked

    Close HijackThis and continue in Safe Mode.

    --------------------

    Double click the My Computer icon on your Desktop.

    Double click on Local Disk (C:)

    Double click on the Program Files folder.

    Right click on SecCenter and from the menu that appears, click on Delete

    Next, repeat the steps but go to C: > Windows > System32 > and delete bkhibkh.dll

    --------------------

    Restart the computer to Normal Boot Mode

    --------------------

    Go to Start > Run and type in Services.msc then click OK

    Click the Extended tab.

    Scroll down until you find FFI

    Right click on the service and choose Stop

    Right-Click on the service again.

    Click on 'Properties'

    Select the 'General' tab

    Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

    From the drop-down menu, click on 'Disabled'

    Click the 'Apply' tab, then click 'OK'

    --------------------

    Please open HijackThis and select Open the Misc Tools section

    Then choose Delete an NT service

    In the Delete window, type FFI and press OK

    OK any prompts, close HijackThis.

    Restart your computer.

    --------------------

    Delete these files/folders, as follows:

    * Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    * Save this as CFScript on the desktop.
    * Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    [screenshot: dragging CFScript onto ComboFix.exe]

    * ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

    --------------------

    Please download ATF Cleaner by Atribune: ATF Cleaner.exe. This program does not require an installation; the executable actually runs the program.

    NOTE: ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser
    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    --------------------

    Next post please attach
    Combofix.txt log
    NEW HijackThis log
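    The two fix lists in this thread (posts 12 and 17) are built by reading HijackThis O2, O4 and O20 lines and picking out the ones that are orphaned, unnamed, or point at an unfamiliar Winlogon Notify DLL. The script below is an added example of that triage, written for this page; it is not HijackThis, ComboFix or any other tool the helpers used, and nothing in it comes from rlmurray's actual logs. The regexes, the partial KNOWN_NOTIFY allowlist and the one clean-looking Adobe line in the sample are assumptions; the remaining sample lines are the entries quoted in the two fix lists above.

```python
"""Triage of HijackThis-style log lines (added example, not tool code).

Assumptions not taken from the thread: the three regexes, the partial
KNOWN_NOTIFY allowlist, and the clean-looking Adobe BHO line in SAMPLE_LOG.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: str        # the original log line, ready to paste into a fix list
    kind: str        # "O2" (BHO), "O4" (Run key) or "O20" (Winlogon Notify)
    reasons: list    # why the entry was flagged


# Constructed sample: the entries quoted in the two fix lists above, plus one
# clean-looking BHO line (assumed sample data) that the filter must NOT flag.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FED51DF2-9644-4C58-9104-90244EDD6EEC} - C:\WINDOWS\system32\hggdeby.dll
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O20 - Winlogon Notify: hggdeby - C:\WINDOWS\SYSTEM32\hggdeby.dll
O20 - Winlogon Notify: hggdeby - hggdeby.dll (file missing)
"""

# Partial allowlist of Winlogon Notify packages a stock Windows XP install
# registers (assumption: confirm against a known-clean machine before use).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


def _stem(path):
    """Lower-case file name without extension; '' for '(no file)' style markers."""
    base = path.split("\\")[-1].split(" ")[0].lower()   # drops "(file missing)"
    return base.rsplit(".", 1)[0] if "." in base else ""


def parse(log_text):
    """Yield (kind, line, groups) for every O2/O4/O20 line; other lines are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        for kind, rx in (("O2", O2_RE), ("O4", O4_RE), ("O20", O20_RE)):
            m = rx.match(line)
            if m:
                yield kind, line, m.groupdict()
                break


def triage(log_text, suspect=()):
    """Return the entries worth fixing, each with the reasons it was flagged.

    `suspect` holds executable stems the analyst has already judged malicious:
    an O4 Run entry carries no structural signal on its own, so it is only
    flagged when its name is in that set.
    """
    entries = list(parse(log_text))
    # DLLs registered as BHOs, for cross-referencing against Winlogon Notify.
    bho_stems = {_stem(g["path"]) for k, _, g in entries if k == "O2"}
    suspect = {s.lower() for s in suspect}
    findings = []
    for kind, line, g in entries:
        path, reasons = g["path"], []
        if "(no file)" in path or "(file missing)" in path:
            reasons.append("orphaned entry: the file it points to is gone")
        if kind == "O2" and g["name"] == "(no name)":
            reasons.append("BHO registered without a display name")
        if kind == "O20":
            stem = _stem(path)
            if stem and stem not in KNOWN_NOTIFY:
                reasons.append("Winlogon Notify package not in the known-Windows list")
            if stem and stem in bho_stems:
                reasons.append("same DLL is also loaded as a BHO")
        if _stem(path) in suspect:
            reasons.append("executable named by the analyst as suspect")
        if reasons:
            findings.append(Finding(line, kind, reasons))
    return findings


def fix_list(findings):
    """The lines to tick in HijackThis 'Do a system scan only', in log order."""
    return [f.line for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, suspect={"scprot4"}):
        print(f.kind, "|", f.line)
        for r in f.reasons:
            print("     -", r)
```

    Run against the sample it flags five of the six lines and leaves the Adobe BHO alone; the strongest signal it reports is the one the helper acted on in post 12, a DLL that is registered both as a BHO and as a Winlogon Notify package, which lets it load into every logon session as well as Internet Explorer. Orphaned "(no file)" and "(file missing)" entries are always safe to fix, which is why post 17 repeats them after the files themselves were deleted.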
  18. rlmurray

    rlmurray Newcomer, in training Topic Starter Posts: 35

    I get home from work around 6PM EST today

    I will work with you then.
    Thanks
  19. evilfantasy

    evilfantasy Banned Posts: 428

    OK, what does that mean?
  20. rlmurray

    rlmurray Newcomer, in training Topic Starter Posts: 35

    I am at work and won't be at my home computer to further troubleshoot and clean and get you your log files till I am at home. I will be there between 6 and 6:30 PM eastern standard time then we will pick it up from there.
    Please let me know if you have any additional questions.
    Thanks
  21. evilfantasy

    evilfantasy Banned Posts: 428

    OK, I see now. I didn't notice your header message about being at work. By just reading the message body it seemed as if you were speaking to nobody :)

    We will pick it up later then, have a good day at work......
  22. rlmurray

    rlmurray Newcomer, in training Topic Starter Posts: 35

    OK I'm done with your instructions

    Back from work
    Thank you for being so patient. Attached are the attachments you called for. We are seriously making headway :)
  23. rlmurray

    rlmurray Newcomer, in training Topic Starter Posts: 35

    FYI,
    I never did find bkhibkh.dll
  24. rlmurray

    rlmurray Newcomer, in training Topic Starter Posts: 35

    you there?
  25. evilfantasy

    evilfantasy Banned Posts: 428

    I'm here, looking at the logs now......