Infected with Win32:Small-EPJ, Please help

Status
Not open for further replies.
Disable Spybot's TeaTimer

First:
* Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
* Choose Exit Spybot S&D Resident
Second:
* Open Spybot S&D
* Click Mode, check Advanced Mode
* In the left panel, click Tools, then (also in the left panel) click Resident
* If your firewall raises a question, say OK
* Uncheck the box labeled Resident Tea-Timer and OK any prompts.
* Use File, Exit to terminate Spybot
* Reboot your machine for the changes to take effect.

-------------------

Open HijackThis and select "Do a system scan only" and place a check mark next to:

O2 - BHO: (no name) - {245A6CD4-5EA9-B9EB-791A-06F67243094D} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O2 - BHO: (no name) - {FED51DF2-9644-4C58-9104-90244EDD6EEC} - (no file)
O20 - Winlogon Notify: hggdeby - C:\WINDOWS\

Close all windows except HijackThis and click "Fix checked"

---------------------

How are things now?
 
still have malware

Here is my netstat. It looks like I'm connecting to a trojan backdoor.

TCP BobandTiffs:1089 f4.4.5546.static.theplanet.com:http TIME_WAIT
--------------------------------------------------------------------------
TCP BobandTiffs:12080 localhost:1117 TIME_WAIT
TCP BobandTiffs:12080 localhost:1120 TIME_WAIT
TCP BobandTiffs:12080 localhost:1122 ESTABLISHED
TCP BobandTiffs:12110 BobandTiffs:0 LISTENING
TCP BobandTiffs:12119 BobandTiffs:0 LISTENING
TCP BobandTiffs:12143 BobandTiffs:0 LISTENING
TCP BobandTiffs:netbios-ssn BobandTiffs:0 LISTENING
TCP BobandTiffs:1039 c-71-235-137-105.hsd1.ct.comcast.net:46278 TIME_WAIT
TCP BobandTiffs:1040 wapp.verizon.net:http ESTABLISHED
TCP BobandTiffs:1079 phl-te.tacoda.net:http ESTABLISHED
TCP BobandTiffs:1083 69.7.234.203:http ESTABLISHED
TCP BobandTiffs:1089 f4.4.5546.static.theplanet.com:http TIME_WAIT
TCP BobandTiffs:1097 jl-in-f104.google.com:http CLOSE_WAIT
TCP BobandTiffs:1107 209.62.185.9:http ESTABLISHED
TCP BobandTiffs:kpop 207.211.65.7:http CLOSE_WAIT
TCP BobandTiffs:1111 mu-in-f91.google.com:http CLOSE_WAIT
TCP BobandTiffs:1118 wwwtk2test1.microsoft.com:http ESTABLISHED
TCP BobandTiffs:1123 65.54.152.126:http ESTABLISHED
UDP BobandTiffs:microsoft-ds *:*
UDP BobandTiffs:isakmp *:*
UDP BobandTiffs:1025 *:*
UDP BobandTiffs:1026 *:*
UDP BobandTiffs:1045 *:*
UDP BobandTiffs:3776 *:*
 
First, let's get you onto a better firewall: Comodo Free Firewall.

Then run SuperAntiSpyware Free Edition. It has a huge trojan detection and removal database.

See if the firewall helps. If anything suspicious is going out, you can add it to the blocked list until we find out what it is. Windows Firewall does not block outbound traffic, so if anything does get in, it is powerless to stop it.
 
Here is the latest HJT.

Thanks for the firewall and spyware removal. How do you think things are looking?
 
I don't know who is connected, but it might be somebody.
This is a netstat entry.
TCP BobandTiffs:1052 c-71-193-238-251.hsd1.or.comcast.net:3044 ESTABLISHED
 
When the SUPERAntiSpyware (SAS) is done please attach the scan log along with a new HijackThis log.

* To retrieve the removal information please do the following:
+ After reboot, double-click the SUPERAntiSpyware icon on your desktop.
+ Click Preferences. Click the Statistics/Logs tab.
+ Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
+ It will open in your default text editor (such as Notepad/Wordpad).
+ Save the notepad file to your desktop by clicking (in notepad) "File" "Save As"
* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
* Please add the log as an attachment
 
-
OK, we are going to run these all back to back and try to kill this.

Delete any existing copy of the following tools you may already have and download a fresh version.

--------------------

Please download Vundofix.exe to your desktop.

* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Please let VundoFix finish; sometimes it takes multiple passes.


---------------------

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard).
* Finally add the contents of the Report.txt in your next post as an Attachment

--------------------

Please download Combofix by sUBs from either here or here

Save Combofix.exe to your your Desktop.

1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
2. When finished, it will produce a log for you.
3. Attach that log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause your computer to stall.


--------------------

Next post please attach
Vundofix.txt log
Report.txt
Combofix.txt log
New HijackThis log
 
OK I'm done with your instructions

Here are the 4 logs

Vundo was not detected and I ran it twice
Thanks
 
Is this normal, or are all these people attached to my PC?

Proto Local Address Foreign Address State
TCP BobandTiffs:3433 localhost:12080 TIME_WAIT
TCP BobandTiffs:3435 localhost:12080 ESTABLISHED
TCP BobandTiffs:3437 localhost:12080 ESTABLISHED
TCP BobandTiffs:3439 localhost:12080 ESTABLISHED
TCP BobandTiffs:3441 localhost:12080 ESTABLISHED
TCP BobandTiffs:3443 localhost:12080 TIME_WAIT
TCP BobandTiffs:3447 localhost:12080 ESTABLISHED
TCP BobandTiffs:3451 localhost:12080 ESTABLISHED
TCP BobandTiffs:3453 localhost:12080 ESTABLISHED
TCP BobandTiffs:3455 localhost:12080 ESTABLISHED
TCP BobandTiffs:3456 localhost:12080 ESTABLISHED
TCP BobandTiffs:3463 localhost:12080 ESTABLISHED
TCP BobandTiffs:3467 localhost:12080 ESTABLISHED
TCP BobandTiffs:3469 localhost:12080 ESTABLISHED
TCP BobandTiffs:3471 localhost:12080 ESTABLISHED
TCP BobandTiffs:3473 localhost:12080 ESTABLISHED
TCP BobandTiffs:3475 localhost:12080 ESTABLISHED
TCP BobandTiffs:3477 localhost:12080 ESTABLISHED
TCP BobandTiffs:3479 localhost:12080 ESTABLISHED
TCP BobandTiffs:3481 localhost:12080 ESTABLISHED
TCP BobandTiffs:3483 localhost:12080 TIME_WAIT
TCP BobandTiffs:3486 localhost:12080 TIME_WAIT
TCP BobandTiffs:3490 localhost:12080 ESTABLISHED
TCP BobandTiffs:3492 localhost:12080 ESTABLISHED
TCP BobandTiffs:3494 localhost:12080 ESTABLISHED
TCP BobandTiffs:3496 localhost:12080 ESTABLISHED
TCP BobandTiffs:3498 localhost:12080 ESTABLISHED
TCP BobandTiffs:3502 localhost:12080 ESTABLISHED
TCP BobandTiffs:12080 localhost:3435 ESTABLISHED
TCP BobandTiffs:12080 localhost:3437 ESTABLISHED
TCP BobandTiffs:12080 localhost:3439 ESTABLISHED
TCP BobandTiffs:12080 localhost:3441 ESTABLISHED
TCP BobandTiffs:12080 localhost:3445 TIME_WAIT
TCP BobandTiffs:12080 localhost:3447 ESTABLISHED
TCP BobandTiffs:12080 localhost:3449 TIME_WAIT
TCP BobandTiffs:12080 localhost:3451 ESTABLISHED
TCP BobandTiffs:12080 localhost:3453 ESTABLISHED
TCP BobandTiffs:12080 localhost:3455 ESTABLISHED
TCP BobandTiffs:12080 localhost:3456 ESTABLISHED
TCP BobandTiffs:12080 localhost:3457 TIME_WAIT
TCP BobandTiffs:12080 localhost:3463 ESTABLISHED
TCP BobandTiffs:12080 localhost:3465 TIME_WAIT
TCP BobandTiffs:12080 localhost:3467 ESTABLISHED
TCP BobandTiffs:12080 localhost:3469 ESTABLISHED
TCP BobandTiffs:12080 localhost:3471 ESTABLISHED
TCP BobandTiffs:12080 localhost:3473 ESTABLISHED
TCP BobandTiffs:12080 localhost:3475 ESTABLISHED
TCP BobandTiffs:12080 localhost:3477 ESTABLISHED
TCP BobandTiffs:12080 localhost:3479 ESTABLISHED
TCP BobandTiffs:12080 localhost:3481 ESTABLISHED
TCP BobandTiffs:12080 localhost:3488 TIME_WAIT
TCP BobandTiffs:12080 localhost:3490 ESTABLISHED
TCP BobandTiffs:12080 localhost:3492 ESTABLISHED
TCP BobandTiffs:12080 localhost:3494 ESTABLISHED
TCP BobandTiffs:12080 localhost:3496 ESTABLISHED
TCP BobandTiffs:12080 localhost:3498 ESTABLISHED
TCP BobandTiffs:12080 localhost:3502 ESTABLISHED
TCP BobandTiffs:3243 elf161.cleannet.orie.cornell.edu:45564 ESTABLISHED
TCP BobandTiffs:3422 ip-69-22-179-107.nlayer.net:http TIME_WAIT
TCP BobandTiffs:3442 64.79.161.90:http ESTABLISHED
TCP BobandTiffs:3448 ip-69-22-179-81.nlayer.net:http ESTABLISHED
TCP BobandTiffs:3452 ip-69-22-179-81.nlayer.net:http ESTABLISHED
TCP BobandTiffs:3454 ip-69-22-179-107.nlayer.net:http ESTABLISHED
TCP BobandTiffs:3459 d1.ycs.vip.a2s.yahoo.com:http CLOSE_WAIT
TCP BobandTiffs:3460 d1.ycs.vip.a2s.yahoo.com:http CLOSE_WAIT
TCP BobandTiffs:3472 168.143.188.36:http CLOSE_WAIT
TCP BobandTiffs:3474 ip-69-22-179-88.nlayer.net:http ESTABLISHED
TCP BobandTiffs:3476 168.143.188.36:http CLOSE_WAIT
TCP BobandTiffs:3478 ip-69-22-179-88.nlayer.net:http ESTABLISHED
TCP BobandTiffs:3480 69.7.234.203:http ESTABLISHED
TCP BobandTiffs:3482 69.7.234.203:http ESTABLISHED
TCP BobandTiffs:3485 ev1s-209-85-66-221.ev1servers.net:http CLOSE_WAIT
TCP BobandTiffs:3491 ip-69-22-179-65.nlayer.net:http ESTABLISHED
TCP BobandTiffs:3493 12.130.81.249:http CLOSE_WAIT
TCP BobandTiffs:3495 130.81.64.45:http CLOSE_WAIT
TCP BobandTiffs:3497 ip-69-22-179-80.nlayer.net:http ESTABLISHED
TCP BobandTiffs:3499 ip-69-22-179-82.nlayer.net:http ESTABLISHED

:\Documents and Settings\Bob>
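Both netstat listings in this thread raise the same question: which of these connections actually deserve attention? The script below is an added example (it is not from the thread, nor from any of the tools recommended in it) that parses Windows netstat output, with or without the PID column that `netstat -ano` adds, and sorts each line into a bucket: LISTENING sockets, loopback pairs where both ends are on this machine (every localhost:12080 line above has a matching BobandTiffs:12080 line, so that traffic never leaves the PC), ordinary web connections, and connections to a remote peer on a non-web port, which are the ones to map to a process. The sample input is constructed from lines that appear in the thread; the bucket names and the WEB_PORTS set are our own choices.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the plain `netstat` output posted in this
# thread (no PID column). The host names come from the thread; the selection
# of lines is ours.
SAMPLE = """\
Proto Local Address Foreign Address State
TCP    BobandTiffs:12080        localhost:1122                              ESTABLISHED
TCP    BobandTiffs:1122         localhost:12080                             ESTABLISHED
TCP    BobandTiffs:12110        BobandTiffs:0                               LISTENING
TCP    BobandTiffs:netbios-ssn  BobandTiffs:0                               LISTENING
TCP    BobandTiffs:1040         wapp.verizon.net:http                       ESTABLISHED
TCP    BobandTiffs:1052         c-71-193-238-251.hsd1.or.comcast.net:3044   ESTABLISHED
TCP    BobandTiffs:3243         elf161.cleannet.orie.cornell.edu:45564      ESTABLISHED
TCP    BobandTiffs:1039         c-71-235-137-105.hsd1.ct.comcast.net:46278  TIME_WAIT
UDP    BobandTiffs:isakmp       *:*
"""

# Remote ports a browser or updater is expected to use (assumption: this is a
# desktop, so anything else that is ESTABLISHED gets a closer look).
WEB_PORTS = {"http", "https", "80", "443"}
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}

# Matches both `netstat` and `netstat -ano` rows: proto, local host:port,
# remote host:port, optional state (UDP rows have none), optional PID.
LINE_RE = re.compile(
    r"^(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+([A-Z_]+))?(?:\s+(\d+))?$"
)


def parse_netstat(text):
    """Turn netstat output into a list of dicts; header and wrapped lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, lhost, lport, rhost, rport, state, pid = m.groups()
        rows.append({
            "proto": proto, "lhost": lhost, "lport": lport,
            "rhost": rhost, "rport": rport,
            "state": state or "", "pid": int(pid) if pid else None,
        })
    return rows


def classify(row):
    """Assign one parsed row to a triage bucket."""
    if row["state"] == "LISTENING" or (row["proto"] == "UDP" and row["rhost"] == "*"):
        return "listening"          # a socket waiting for connections
    if row["rhost"] in LOOPBACK or row["rhost"] == row["lhost"]:
        return "loopback"           # both ends on this machine: local proxy or IPC
    if row["rport"] in WEB_PORTS:
        return "web"                # ordinary browser / update traffic
    return "review"                 # remote peer on a non-web port: find the owning process


def triage(text):
    """Group parsed rows by bucket: {bucket: [row, ...]}."""
    buckets = defaultdict(list)
    for row in parse_netstat(text):
        buckets[classify(row)].append(row)
    return dict(buckets)


def peers_to_review(text):
    """(remote host, remote port, state, pid) for every row in the 'review' bucket."""
    return [(r["rhost"], r["rport"], r["state"], r["pid"])
            for r in triage(text).get("review", [])]


if __name__ == "__main__":
    result = triage(SAMPLE)
    for bucket in ("listening", "loopback", "web", "review"):
        print(f"{bucket:9s} {len(result.get(bucket, []))}")
    for host, port, state, pid in peers_to_review(SAMPLE):
        print(f"  review -> {host}:{port} {state} pid={pid}")
```

To find out which program owns a flagged connection, run `netstat -ano` instead of plain `netstat`, feed its output to `triage()`, and match the `pid` field against `tasklist /svc`. A line in TIME_WAIT (such as the comcast.net:46278 entry) is a connection that has already closed; the peer is still worth noting, but there is nothing left for a firewall to block.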
 
The logs are clean.

Run ATF Cleaner.

Go to add/remove programs and look for old versions of Java and uninstall them.
The only version that should be there is Java 6 Update 3.

Find and delete these folders:
C:\VundoFix Backups
C:\WINDOWS\SDFIX


You can also get rid of any logs.

If you don't have CCleaner download it HERE
When you open CCleaner look for the Registry tab to the top left. Use the Scan for Issues function. Run it multiple times until it shows no entries to be cleaned.

Go to Start > Run and copy and paste next command in the field:

ComboFix /u



Make sure there's a space between Combofix and /
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files, and reset System Restore again.


Security tools I suggest, and use myself. (all free)

They give active protection without slowing down your PC.

COMODO BOClean Anti-Malware

WinPatrol 2007

Is this normal, or are all these people attached to my PC?

I am honestly not sure. Try looking in the firewall settings and see if you can see if anything is being blocked or not. If it isn't being blocked then I would say it is normal.

Let me know when you get all this done and how things are now.
 
One other thing. I noticed my hard drive light is continually on and processing. SVCHOST.exe is showing as the activity in my firewall. Hopefully all is well. Also, the PC is sluggish. I did install PC-cillin 14, but no scans are currently on.

Thanks for your tenacity and skill. You have really been a life saver. Are we done? If so thanks again!!
 
All instances of svchost.exe are running from the correct location according to HijackThis, which is C:\WINDOWS\system32\svchost.exe.

It is not uncommon to have multiple instances of svchost.exe running, but it can also be an indication of a keylogger. There is a scanner that is good at finding keyloggers.

Download, update and run A-Squared Free

At the main menu, click Scan Now, there will be 4 options, choose Deep Scan.

If malware is found, click the button Remove Selected Malware
If malware is found, select all found and click Quarantine selected objects
Be sure to quarantine anything found before removing it completely, until we can have a good look at the log. This is a powerful scanner and it cannot distinguish between "good" and "bad."
Click Save Report. Save the report to somewhere convenient, such as your desktop
Add the report as an attachment in your next post.
 
Ok I will do that but in the meantime internet explorer can't get to a webpage. It simply does not work. I disabled the firewall temporarily. Firefox works perfectly.
 
Please follow evilfantasys instructions and then we will look into your problem with Internet Explorer.

Regards Jason :)

This thread is for the use of rlmurray ONLY. Please do NOT post your own virus/spyware problems into this thread. Instead, open a new thread in our security and the web forum.
 
In the middle of the scan the PC blue screened.

You there? The PC is slow and sluggish, and I'm running a Pentium D 2.8 with 2 GB RAM.

(Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)
 