
Infected with Win32:Small-EPJ, Please help

Discussion in 'Virus and Malware Removal' started by rlmurray, Dec 2, 2007.

  1. evilfantasy Banned Posts: 428

    OK, I see now. I didn't notice your header message about being at work. By just reading the message body it seemed as if you were speaking to nobody :)

    We will pick it up later then, have a good day at work......
  2. rlmurray Newcomer, in training Posts: 35

    OK I'm done with your instructions

    Back from work
    Thank you for being so patient. Attached are the attachments you called for. We are seriously making headway :)
  3. rlmurray Newcomer, in training Posts: 35

    FYI,
    I never did find bkhibkh.dll
  4. rlmurray Newcomer, in training Posts: 35

    you there?
  5. evilfantasy Banned Posts: 428

    I'm here, looking at the logs now......
  6. evilfantasy Banned Posts: 428

    Disable Spybot's Tea Timer

    First:
    * Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    * Choose Exit Spybot S&D Resident
    Second:
    * Open Spybot S&D
    * Click Mode, check Advanced Mode
    * Go To Left Panel, Click Tools, then also in left panel, click Resident
    * If your firewall raises a question, say OK
    * Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    * Use File, Exit to terminate Spybot
    * Reboot your machine for the changes to take effect.

    -------------------

    Open HijackThis and select "Do a system scan only" and place a check mark next to:

    O2 - BHO: (no name) - {245A6CD4-5EA9-B9EB-791A-06F67243094D} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
    O2 - BHO: (no name) - {FED51DF2-9644-4C58-9104-90244EDD6EEC} - (no file)
    O20 - Winlogon Notify: hggdeby - C:\WINDOWS\

    Close all windows except HijackThis and click "Fix checked"

    ---------------------

    How are things now?
  7. rlmurray Newcomer, in training Posts: 35

    still have malware

    Here is my netstat. It looks like I'm connecting to a trojan backdoor

    TCP BobandTiffs:1089 f4.4.5546.static.theplanet.com:http TIME_WAIT
    --------------------------------------------------------------------------
    TCP BobandTiffs:12080 localhost:1117 TIME_WAIT
    TCP BobandTiffs:12080 localhost:1120 TIME_WAIT
    TCP BobandTiffs:12080 localhost:1122 ESTABLISHED
    TCP BobandTiffs:12110 BobandTiffs:0 LISTENING
    TCP BobandTiffs:12119 BobandTiffs:0 LISTENING
    TCP BobandTiffs:12143 BobandTiffs:0 LISTENING
    TCP BobandTiffs:netbios-ssn BobandTiffs:0 LISTENING
    TCP BobandTiffs:1039 c-71-235-137-105.hsd1.ct.comcast.net:46278 TIME_WAIT
    TCP BobandTiffs:1040 wapp.verizon.net:http ESTABLISHED
    TCP BobandTiffs:1079 phl-te.tacoda.net:http ESTABLISHED
    TCP BobandTiffs:1083 69.7.234.203:http ESTABLISHED
    TCP BobandTiffs:1089 f4.4.5546.static.theplanet.com:http TIME_WAIT
    TCP BobandTiffs:1097 jl-in-f104.google.com:http CLOSE_WAIT
    TCP BobandTiffs:1107 209.62.185.9:http ESTABLISHED
    TCP BobandTiffs:kpop 207.211.65.7:http CLOSE_WAIT
    TCP BobandTiffs:1111 mu-in-f91.google.com:http CLOSE_WAIT
    TCP BobandTiffs:1118 wwwtk2test1.microsoft.com:http ESTABLISHED
    TCP BobandTiffs:1123 65.54.152.126:http ESTABLISHED
    UDP BobandTiffs:microsoft-ds *:*
    UDP BobandTiffs:isakmp *:*
    UDP BobandTiffs:1025 *:*
    UDP BobandTiffs:1026 *:*
    UDP BobandTiffs:1045 *:*
    UDP BobandTiffs:3776 *:*
  8. rlmurray Newcomer, in training Posts: 35

    things are looking better after the reboot though.
  9. Jase123 Banned Posts: 1,126

    Could you post a fresh HJT log?

    Regards Jason :)
  10. evilfantasy Banned Posts: 428

    First let's get you onto a better firewall: Comodo Free Firewall

    Then run SuperAntiSpyware Free Edition. It has a huge trojan detection and removal database.

    See if the firewall helps. If anything suspicious is going out you can add it to the blocked list until we find out what it is. Windows Firewall does not block outbound traffic, so if anything does get in it is powerless to stop it.
  11. rlmurray Newcomer, in training Posts: 35

    Here is the latest HJT

    Thanks for the firewall and spyware removal. How do you think things are looking?
  12. evilfantasy Banned Posts: 428

    Yes something nasty got back in.

    Are you running the SuperAntiSpyware scan?
  13. rlmurray Newcomer, in training Posts: 35

    yes right now
  14. rlmurray Newcomer, in training Posts: 35

    I don't know who is connected but it might be somebody.
    This is a netstat entry.
    TCP BobandTiffs:1052 c-71-193-238-251.hsd1.or.comcast.net:3044 ESTABLISHED
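A small triage script for reading a Windows `netstat -a` dump the way the helper does above: it parses each line and surfaces outbound TCP sessions to peers on ports that normal browsing or mail would not use, such as the residential Comcast host on port 3044. This is an added example, not part of the thread; the sample input is constructed from entries quoted in the posts, and the hostname `BobandTiffs` is the one shown in those entries.

```python
from collections import namedtuple

# One parsed netstat row: protocol, local host/port, remote host/port, TCP state.
Conn = namedtuple("Conn", "proto local_host local_port remote_host remote_port state")

# Remote ports that ordinary web and mail traffic is expected to use (names as
# netstat prints them, plus numeric forms in case -n was used).
EXPECTED_REMOTE_PORTS = {"http", "https", "80", "443", "pop3", "imap", "smtp",
                         "110", "143", "25", "465", "587", "993", "995"}
LOOPBACK = {"localhost", "127.0.0.1", "0.0.0.0", "*"}

# Constructed sample built from lines quoted in the thread.
SAMPLE = """\
TCP BobandTiffs:12080 localhost:1122 ESTABLISHED
TCP BobandTiffs:12110 BobandTiffs:0 LISTENING
TCP BobandTiffs:1039 c-71-235-137-105.hsd1.ct.comcast.net:46278 TIME_WAIT
TCP BobandTiffs:1040 wapp.verizon.net:http ESTABLISHED
TCP BobandTiffs:1097 jl-in-f104.google.com:http CLOSE_WAIT
TCP BobandTiffs:1052 c-71-193-238-251.hsd1.or.comcast.net:3044 ESTABLISHED
UDP BobandTiffs:isakmp *:*
"""

def parse_netstat(text):
    """Parse 'PROTO local remote [state]' rows; skip headers and blank lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) > 3 else ""
        lh, lp = parts[1].rsplit(":", 1)   # rsplit: hostnames never contain ':'
        rh, rp = parts[2].rsplit(":", 1)
        conns.append(Conn(parts[0], lh, lp, rh, rp, state))
    return conns

def suspicious(conns, own_host):
    """Return (conn, reason) pairs: TCP sessions to an external peer on an
    unexpected port. TIME_WAIT/CLOSE_WAIT are included because they show a
    session that existed recently, even though it is no longer live."""
    findings = []
    for c in conns:
        if c.proto != "TCP" or c.state not in ("ESTABLISHED", "CLOSE_WAIT", "TIME_WAIT"):
            continue
        if c.remote_host in LOOPBACK or c.remote_host == own_host:
            continue  # loopback or self: not an external peer
        if c.remote_port not in EXPECTED_REMOTE_PORTS:
            findings.append((c, f"{c.state} to {c.remote_host} on unexpected port {c.remote_port}"))
    return findings

if __name__ == "__main__":
    for conn, reason in suspicious(parse_netstat(SAMPLE), "BobandTiffs"):
        print(reason)
```

A flagged peer is a lead, not proof: the next step is matching the local port to a process (for example `netstat -ano` plus Task Manager) before deciding whether the program behind it belongs on the machine.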
  15. evilfantasy Banned Posts: 428

    When the SUPERAntiSpyware (SAS) is done please attach the scan log along with a new HijackThis log.

    * To retrieve the removal information please do the following:
    + After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    + Click Preferences. Click the Statistics/Logs tab.
    + Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    + It will open in your default text editor (such as Notepad/Wordpad).
    + Save the notepad file to your desktop by clicking (in notepad) "File" "Save As"
    * Save the log somewhere you can easily find it. (normally the desktop)
    * Click close and close again to exit the program.
    * Please add the log as an attachment
  16. rlmurray Newcomer, in training Posts: 35

    damn thing is back
  17. rlmurray Newcomer, in training Posts: 35

    Here are the logs

    Here is the new HJT and spyware logs
  18. rlmurray Newcomer, in training Posts: 35

    you there?? I am going to start again tomorrow. Hopefully we could reconvene
  19. evilfantasy Banned Posts: 428

    OK, we are going to run these all back to back and try to kill this.

    Delete any existing copy of the following tools you may already have and download a fresh version

    --------------------

    Please download Vundofix.exe to your desktop.

    * Double-click VundoFix.exe to run it.
    * Put a check next to Run VundoFix as a task.
    * You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will shutdown your computer, click OK.
    * Turn your computer back on.
    * Please post the contents of C:\vundofix.txt

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

    Please let Vundo finish, sometimes it can take multiple passes


    ---------------------

    Download SDFix.exe and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    * Restart your computer
    * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    * Instead of Windows loading as normal, the Advanced Options Menu should appear;
    * Select the first option, to run Windows in Safe Mode, then press Enter.
    * Choose your usual account.
    * Open the extracted SDFix folder and double click RunThis.bat to start the script.
    * Type Y to begin the cleanup process.
    * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    * Press any Key and it will restart the PC.
    * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard).
    * Finally add the contents of the Report.txt in your next post as an Attachment

    --------------------

    Please download Combofix by sUBs from either here or here

    Save Combofix.exe to your Desktop.

    1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
    2. When finished, it will produce a log for you.
    3. Attach that log in your next reply.

    Note:
    Do not mouse-click Combofix's window while it's running. That may cause your computer to stall.


    --------------------

    Next post please attach
    Vundofix.txt log
    Report.txt
    Combofix.txt log
    New HijackThis log
  20. rlmurray Newcomer, in training Posts: 35

    OK I'm done with your instructions

    Here are the 4 logs

    Vundo was not detected and I ran it twice
    Thanks