TechSpot

Infected with Win32:Small-EPJ, Please help

By rlmurray
Dec 2, 2007
Topic Status:
Not open for further replies.
  1. evilfantasy

    evilfantasy Banned Posts: 428

    Disable Spybot's Tea Timer

    First:
    * Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    * Choose Exit Spybot S&D Resident
    Second:
    * Open Spybot S&D
    * Click Mode, check Advanced Mode
    * Go To Left Panel, Click Tools, then also in left panel, click Resident
    * If your firewall raises a question, say OK
    * Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    * Use File, Exit to terminate Spybot
    * Reboot your machine for the changes to take effect.

    -------------------

    Open HijackThis and select "Do a system scan only" and place a check mark next to:

    O2 - BHO: (no name) - {245A6CD4-5EA9-B9EB-791A-06F67243094D} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
    O2 - BHO: (no name) - {FED51DF2-9644-4C58-9104-90244EDD6EEC} - (no file)
    O20 - Winlogon Notify: hggdeby - C:\WINDOWS\

    Close all windows except HijackThis and click "Fix checked"

    ---------------------

    How are things now?
     
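The entries evilfantasy asks to fix above share two traits: four O2 BHO registrations that point at "(no file)" (an orphaned CLSID with nothing on disk behind it) and an O20 Winlogon Notify entry whose path is a bare directory rather than a DLL. As an added example that is not from the thread and not HijackThis's own code, here is a small Python triage pass over lines in HijackThis format that flags exactly those traits. The sample log is constructed: it reuses the five lines quoted in the post plus one ordinary O2 entry with a made-up CLSID and path for contrast.

```python
import re

# Constructed sample in HijackThis format: the four O2 and one O20 lines from the
# post above, plus one ordinary O2 entry (made-up CLSID and path) for contrast.
SAMPLE_LOG = """\
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O2 - BHO: (no name) - {245A6CD4-5EA9-B9EB-791A-06F67243094D} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O2 - BHO: (no name) - {FED51DF2-9644-4C58-9104-90244EDD6EEC} - (no file)
O20 - Winlogon Notify: hggdeby - C:\\WINDOWS\\
"""

# A CLSID is a GUID in braces: 8-4-4-4-12 hex digits.
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_hjt_line(line):
    """Split 'Oxx - label - field - field' into section, name and trailing fields."""
    parts = [p.strip() for p in line.split(" - ")]
    if len(parts) < 3 or not re.match(r"^O\d+$", parts[0]):
        return None  # not an HijackThis item line
    return {"section": parts[0], "name": parts[1], "fields": parts[2:]}


def review_entry(entry):
    """Return a short triage reason, or None if nothing stands out."""
    sec, fields = entry["section"], entry["fields"]
    if sec == "O2":
        clsid, path = fields[0], fields[-1]
        if not CLSID_RE.match(clsid):
            return "malformed CLSID"
        if path == "(no file)":
            return "orphaned BHO registration: CLSID points at no file"
    if sec == "O20" and fields[-1].endswith("\\"):
        return "Winlogon Notify entry names a directory but no DLL"
    return None


def triage_hjt(text):
    """Return (line, reason) pairs for every entry worth a second look."""
    findings = []
    for line in text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        reason = review_entry(entry)
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage_hjt(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run it on a saved HijackThis log (`python hjt_triage.py`, after pointing `SAMPLE_LOG` at the file contents) and it lists only the entries with those two traits; the clean O2 entry in the sample produces nothing. An orphaned BHO is harmless by itself but is the leftover of something that was installed, so it is worth noting when the same machine keeps getting reinfected.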
  2. rlmurray

    rlmurray TS Rookie Topic Starter Posts: 35

    Still have malware

    Here is my netstat. It looks like I'm connecting to a trojan backdoor.

    TCP BobandTiffs:1089 f4.4.5546.static.theplanet.com:http TIME_WAIT
    --------------------------------------------------------------------------
    TCP BobandTiffs:12080 localhost:1117 TIME_WAIT
    TCP BobandTiffs:12080 localhost:1120 TIME_WAIT
    TCP BobandTiffs:12080 localhost:1122 ESTABLISHED
    TCP BobandTiffs:12110 BobandTiffs:0 LISTENING
    TCP BobandTiffs:12119 BobandTiffs:0 LISTENING
    TCP BobandTiffs:12143 BobandTiffs:0 LISTENING
    TCP BobandTiffs:netbios-ssn BobandTiffs:0 LISTENING
    TCP BobandTiffs:1039 c-71-235-137-105.hsd1.ct.comcast.net:46278 TIME_WAIT
    TCP BobandTiffs:1040 wapp.verizon.net:http ESTABLISHED
    TCP BobandTiffs:1079 phl-te.tacoda.net:http ESTABLISHED
    TCP BobandTiffs:1083 69.7.234.203:http ESTABLISHED
    TCP BobandTiffs:1089 f4.4.5546.static.theplanet.com:http TIME_WAIT
    TCP BobandTiffs:1097 jl-in-f104.google.com:http CLOSE_WAIT
    TCP BobandTiffs:1107 209.62.185.9:http ESTABLISHED
    TCP BobandTiffs:kpop 207.211.65.7:http CLOSE_WAIT
    TCP BobandTiffs:1111 mu-in-f91.google.com:http CLOSE_WAIT
    TCP BobandTiffs:1118 wwwtk2test1.microsoft.com:http ESTABLISHED
    TCP BobandTiffs:1123 65.54.152.126:http ESTABLISHED
    UDP BobandTiffs:microsoft-ds *:*
    UDP BobandTiffs:isakmp *:*
    UDP BobandTiffs:1025 *:*
    UDP BobandTiffs:1026 *:*
    UDP BobandTiffs:1045 *:*
    UDP BobandTiffs:3776 *:*
     
  3. rlmurray

    rlmurray TS Rookie Topic Starter Posts: 35

    Things are looking better after the reboot though.
     
  4. Jase123

    Jase123 Banned Posts: 1,122

    Could you post a fresh HJT log?

    Regards Jason :)
     
  5. evilfantasy

    evilfantasy Banned Posts: 428

    First, let's get you onto a better firewall: Comodo Free Firewall.

    Then run SuperAntiSpyware Free Edition. It has a huge trojan detection and removal database.

    See if the firewall helps. If anything suspicious is going out, you can add it to the blocked list until we find out what it is. Windows Firewall does not block outbound traffic, so if anything does get in, it is powerless to stop it.
     
  6. rlmurray

    rlmurray TS Rookie Topic Starter Posts: 35

    Here is the latest HJT.

    Thanks for the firewall and spyware removal. How do you think things are looking?
     
  7. evilfantasy

    evilfantasy Banned Posts: 428

    Yes something nasty got back in.

    Are you running the SuperAntiSpyware scan?
     
  8. rlmurray

    rlmurray TS Rookie Topic Starter Posts: 35

    Yes, right now.
     
  9. rlmurray

    rlmurray TS Rookie Topic Starter Posts: 35

    I don't know who is connected, but it might be somebody.
    This is a netstat entry:
    TCP BobandTiffs:1052 c-71-193-238-251.hsd1.or.comcast.net:3044 ESTABLISHED
     
  10. evilfantasy

    evilfantasy Banned Posts: 428

    When the SUPERAntiSpyware (SAS) is done please attach the scan log along with a new HijackThis log.

    * To retrieve the removal information please do the following:
    + After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    + Click Preferences. Click the Statistics/Logs tab.
    + Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    + It will open in your default text editor (such as Notepad/Wordpad).
    + Save the notepad file to your desktop by clicking (in notepad) "File" "Save As"
    * Save the log somewhere you can easily find it. (normally the desktop)
    * Click close and close again to exit the program.
    * Please add the log as an attachment
     
  11. rlmurray

    rlmurray TS Rookie Topic Starter Posts: 35

    Damn thing is back.
     
     
  12. rlmurray

    rlmurray TS Rookie Topic Starter Posts: 35

    Here are the logs

    Here is the new HJT and spyware logs
     
  13. rlmurray

    rlmurray TS Rookie Topic Starter Posts: 35

    You there? I am going to start again tomorrow. Hopefully we could reconvene.
     
  14. evilfantasy

    evilfantasy Banned Posts: 428

    OK, we are going to run these all back to back and try to kill this.

    Delete any existing copy of the following tools you may already have and download a fresh version.

    --------------------

    Please download Vundofix.exe to your desktop.

    * Double-click VundoFix.exe to run it.
    * Put a check next to Run VundoFix as a task.
    * You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will shutdown your computer, click OK.
    * Turn your computer back on.
    * Please post the contents of C:\vundofix.txt

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

    Please let Vundo finish; sometimes it can take multiple passes.


    ---------------------

    Download SDFix.exe and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    * Restart your computer
    * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    * Instead of Windows loading as normal, the Advanced Options Menu should appear;
    * Select the first option, to run Windows in Safe Mode, then press Enter.
    * Choose your usual account.
    * Open the extracted SDFix folder and double click RunThis.bat to start the script.
    * Type Y to begin the cleanup process.
    * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    * Press any Key and it will restart the PC.
    * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard).
    * Finally add the contents of the Report.txt in your next post as an Attachment

    --------------------

    Please download Combofix by sUBs from either here or here

    Save Combofix.exe to your Desktop.

    1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
    2. When finished, it will produce a log for you.
    3. Attach that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause your computer to stall.


    --------------------

    Next post please attach
    Vundofix.txt log
    Report.txt
    Combofix.txt log
    New HijackThis log
     
  15. rlmurray

    rlmurray TS Rookie Topic Starter Posts: 35

    OK I'm done with your instructions

    Here are the 4 logs

    Vundo was not detected and I ran it twice
    Thanks
     
  16. rlmurray

    rlmurray TS Rookie Topic Starter Posts: 35

    Is this normal, or are all these people attached to my PC?

    Proto Local Address Foreign Address State
    TCP BobandTiffs:3433 localhost:12080 TIME_WAIT
    TCP BobandTiffs:3435 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3437 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3439 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3441 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3443 localhost:12080 TIME_WAIT
    TCP BobandTiffs:3447 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3451 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3453 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3455 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3456 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3463 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3467 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3469 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3471 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3473 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3475 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3477 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3479 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3481 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3483 localhost:12080 TIME_WAIT
    TCP BobandTiffs:3486 localhost:12080 TIME_WAIT
    TCP BobandTiffs:3490 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3492 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3494 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3496 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3498 localhost:12080 ESTABLISHED
    TCP BobandTiffs:3502 localhost:12080 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3435 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3437 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3439 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3441 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3445 TIME_WAIT
    TCP BobandTiffs:12080 localhost:3447 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3449 TIME_WAIT
    TCP BobandTiffs:12080 localhost:3451 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3453 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3455 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3456 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3457 TIME_WAIT
    TCP BobandTiffs:12080 localhost:3463 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3465 TIME_WAIT
    TCP BobandTiffs:12080 localhost:3467 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3469 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3471 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3473 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3475 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3477 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3479 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3481 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3488 TIME_WAIT
    TCP BobandTiffs:12080 localhost:3490 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3492 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3494 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3496 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3498 ESTABLISHED
    TCP BobandTiffs:12080 localhost:3502 ESTABLISHED
    TCP BobandTiffs:3243 elf161.cleannet.orie.cornell.edu:45564 ESTABLISHED
    TCP BobandTiffs:3422 ip-69-22-179-107.nlayer.net:http TIME_WAIT
    TCP BobandTiffs:3442 64.79.161.90:http ESTABLISHED
    TCP BobandTiffs:3448 ip-69-22-179-81.nlayer.net:http ESTABLISHED
    TCP BobandTiffs:3452 ip-69-22-179-81.nlayer.net:http ESTABLISHED
    TCP BobandTiffs:3454 ip-69-22-179-107.nlayer.net:http ESTABLISHED
    TCP BobandTiffs:3459 d1.ycs.vip.a2s.yahoo.com:http CLOSE_WAIT
    TCP BobandTiffs:3460 d1.ycs.vip.a2s.yahoo.com:http CLOSE_WAIT
    TCP BobandTiffs:3472 168.143.188.36:http CLOSE_WAIT
    TCP BobandTiffs:3474 ip-69-22-179-88.nlayer.net:http ESTABLISHED
    TCP BobandTiffs:3476 168.143.188.36:http CLOSE_WAIT
    TCP BobandTiffs:3478 ip-69-22-179-88.nlayer.net:http ESTABLISHED
    TCP BobandTiffs:3480 69.7.234.203:http ESTABLISHED
    TCP BobandTiffs:3482 69.7.234.203:http ESTABLISHED
    TCP BobandTiffs:3485 ev1s-209-85-66-221.ev1servers.net:http CLOSE_WAIT
    TCP BobandTiffs:3491 ip-69-22-179-65.nlayer.net:http ESTABLISHED
    TCP BobandTiffs:3493 12.130.81.249:http CLOSE_WAIT
    TCP BobandTiffs:3495 130.81.64.45:http CLOSE_WAIT
    TCP BobandTiffs:3497 ip-69-22-179-80.nlayer.net:http ESTABLISHED
    TCP BobandTiffs:3499 ip-69-22-179-82.nlayer.net:http ESTABLISHED

    :\Documents and Settings\Bob>
     
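The two netstat listings rlmurray posted (the first one earlier in the thread and the long one directly above) raise the same question: which of these lines actually involve another party? As an added example, not from the thread and not anyone's code here, this Python script sorts netstat lines into "nobody attached" buckets (loopback, LISTENING, bound UDP sockets), ordinary web traffic, and remote hosts on non-web ports, which are the only ones worth chasing down. The sample is constructed from a subset of the lines above with the two wrapped ones rejoined; the hostname BobandTiffs is the one shown in the thread, and the port list used to mean "web" is my own assumption.

```python
import re
from collections import Counter

# Constructed sample: a subset of the netstat lines posted in this thread,
# with the wrapped state names rejoined. Hostname BobandTiffs is from the thread.
SAMPLE_NETSTAT = """\
Proto Local Address Foreign Address State
TCP BobandTiffs:3435 localhost:12080 ESTABLISHED
TCP BobandTiffs:12080 localhost:3435 ESTABLISHED
TCP BobandTiffs:12110 BobandTiffs:0 LISTENING
TCP BobandTiffs:3243 elf161.cleannet.orie.cornell.edu:45564 ESTABLISHED
TCP BobandTiffs:3448 ip-69-22-179-81.nlayer.net:http ESTABLISHED
TCP BobandTiffs:3459 d1.ycs.vip.a2s.yahoo.com:http CLOSE_WAIT
TCP BobandTiffs:1052 c-71-193-238-251.hsd1.or.comcast.net:3044 ESTABLISHED
UDP BobandTiffs:isakmp *:*
"""

# netstat prints "PROTO local:port foreign:port [STATE]"; UDP rows have no state.
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?$")
WEB_PORTS = {"http", "https", "80", "443"}  # assumption: what counts as "web"


def parse_netstat(text):
    """Turn netstat text into a list of dicts; header and odd lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, lhost, lport, rhost, rport, state = m.groups()
        entries.append({"proto": proto, "lhost": lhost, "lport": lport,
                        "rhost": rhost, "rport": rport, "state": state or ""})
    return entries


def classify(entry, hostname):
    """Bucket one connection by whether a remote party is involved at all."""
    if entry["rhost"] == "*":
        return "udp-socket"    # bound UDP socket, no peer
    if entry["state"] == "LISTENING":
        return "listening"     # waiting for connections, nobody attached yet
    if entry["rhost"] in ("localhost", "127.0.0.1", hostname):
        return "loopback"      # the machine talking to itself (e.g. a local proxy)
    if entry["rport"] in WEB_PORTS:
        return "remote-web"    # ordinary browser or updater traffic
    return "remote-other"      # a remote host on a non-web port: look closer


def triage(text, hostname):
    """Return (bucket counts, entries in the remote-other bucket)."""
    entries = parse_netstat(text)
    counts = Counter(classify(e, hostname) for e in entries)
    look_closer = [e for e in entries if classify(e, hostname) == "remote-other"]
    return counts, look_closer


if __name__ == "__main__":
    counts, look_closer = triage(SAMPLE_NETSTAT, "BobandTiffs")
    print(dict(counts))
    for e in look_closer:
        print(e["proto"], f'{e["lhost"]}:{e["lport"]}',
              f'{e["rhost"]}:{e["rport"]}', e["state"])
```

On the sample this puts the dozens of `localhost:12080` pairs (and the LISTENING rows) in the "nobody attached" buckets and leaves two lines to look at: the cornell.edu host on port 45564 and the comcast.net host on port 3044. The next step for those is `netstat -ano`, which adds the owning process ID so the connection can be tied to a program rather than guessed at.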
  17. evilfantasy

    evilfantasy Banned Posts: 428

    The logs are clean.

    Run ATF Cleaner.

    Go to add/remove programs and look for old versions of Java and uninstall them.
    The only version that should be there is Java 6 Update 3.

    Find and delete these folders:
    C:\VundoFix Backups
    C:\WINDOWS\SDFIX


    You can also get rid of any logs.

    If you don't have CCleaner download it HERE
    When you open CCleaner look for the Registry tab to the top left. Use the Scan for Issues function. Run it multiple times until it shows no entries to be cleaned.

    Go to Start > Run and copy and paste next command in the field:

    ComboFix /u


    Make sure there's a space between Combofix and /
    Then hit Enter.

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


    Security tools I suggest, and use myself. (all free)

    They give active protection without slowing down your PC.

    COMODO BOClean Anti-Malware

    WinPatrol 2007

    I am honestly not sure. Try looking in the firewall settings and see if you can see if anything is being blocked or not. If it isn't being blocked then I would say it is normal.

    Let me know when you get all this done and how things are now.
     
  18. Jase123

    Jase123 Banned Posts: 1,122

    Just to add the CCleaner link, as you made a little error lol.

    Download it HERE.

    Regards Jason :)
     
  19. evilfantasy

    evilfantasy Banned Posts: 428

    Whoops!!

    Thanks Jase.
     
  20. rlmurray

    rlmurray TS Rookie Topic Starter Posts: 35

    One other thing. I noticed my hard drive light is continually on and processing. SVCHOST.exe is showing as the activity in my firewall. Hopefully all is well. Also, the PC is sluggish. I did install PC-cillin 14 but no scans are currently on.

    Thanks for your tenacity and skill. You have really been a life saver. Are we done? If so thanks again!!
     
  21. evilfantasy

    evilfantasy Banned Posts: 428

    All instances of svchost.exe are running in the correct location according to HijackThis, which is C:\WINDOWS\system32\svchost.exe.

    It is not uncommon to have multiple instances of svchost.exe running but it can also be an indication of a keylogger. But there is a scanner that is good at finding keyloggers.

    Download, update and run A-Squared Free

    At the main menu, click Scan Now, there will be 4 options, choose Deep Scan.

    If malware is found, click the button Remove Selected Malware.
    If malware is found, select all found and click Quarantine selected objects.
    Be sure to quarantine anything found before removing it completely until we can have a good look at the log. This is a powerful scanner and it cannot distinguish between "good" and "bad."
    Click Save Report. Save the report to somewhere convenient, such as your desktop
    Add the report as an attachment in your next post.
     
  22. rlmurray

    rlmurray TS Rookie Topic Starter Posts: 35

    Ok I will do that but in the meantime internet explorer can't get to a webpage. It simply does not work. I disabled the firewall temporarily. Firefox works perfectly.
     
  23. Jase123

    Jase123 Banned Posts: 1,122

    Please follow evilfantasy's instructions and then we will look into your problem with Internet Explorer.

    Regards Jason :)

    This thread is for the use of rlmurray ONLY. Please do NOT post your own virus/spyware problems into this thread. Instead, open a new thread in our security and the web forum.
     
  24. rlmurray

    rlmurray TS Rookie Topic Starter Posts: 35

    In the middle of the scan the PC blue-screened.

    You there? The PC is slow and sluggish, and I'm running a Pentium D 2.8 with 2 GB RAM.

    (Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)
     
  25. evilfantasy

    evilfantasy Banned Posts: 428

    I am puzzled on the blue screen.

    We can try to run LSP-Fix. This is used after malware removal in cases like this to basically reset the router.

    LSP-Fix

    Also look at IEFix
     