Infected with Win32:Small-EPJ, Please help

Before posting your HJT log - can you go through the instructions HERE.

Remember to post a fresh HJT log.

Regards Jason :)
 
Download SmitfraudFix (by S!Ri) to your Desktop.

PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

You may want to print out these instructions, or copy and paste them to Notepad and save it to the desktop, as you will not be able to see this page in Safe Mode.

Please reboot your computer in Safe Mode by tapping the F8 key just before Windows starts to load and selecting Safe Mode.

Open the SmitfraudFix Folder on your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
The program will start cleaning your computer and go through a series of cleanup processes. Wait for the tool to complete and disk cleanup to finish. This process can take some time depending on your computer, so please be patient. When it is complete, it will close automatically and you should continue with the next step.

You will be prompted: "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone? answer Y (yes) and hit Enter to delete trusted zone.

Now reboot into normal mode and attach this new rapport.txt in the next post.

WARNING: Running this option on a non infected computer will remove the desktop background. So only run it once!

Next post please attach:
rapport.txt log
NEW HijackThis log
 
OK here are the files you asked for. thanks again

hyt and rapport files
 
Please download Combofix by sUBs from either here or here

Save Combofix.exe to your Desktop.

1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
2. When finished, it will produce a log for you.
3. Attach that log in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause your computer to stall.


Please attach the combofix.txt log and a NEW HijackThis log in the next post.
 
I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.
The infection is delivered by TROJAN.SPY
It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

The Decision Whether to ReFormat or Not should be based on:
  • The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
  • The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect.
If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
While you are deciding whether to ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063
Please let me know what you decide.

Regards Jason :)
 
Please do these in the order they are posted in.

Open HijackThis and select Do a system scan only and place a check mark next to:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FED51DF2-9644-4C58-9104-90244EDD6EEC} - C:\WINDOWS\system32\hggdeby.dll
O20 - Winlogon Notify: hggdeby - C:\WINDOWS\SYSTEM32\hggdeby.dll


Close all windows and click Fix checked

--------------------

Delete these files/folders, as follows:

* Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

File::
C:\WINDOWS\system32\wdqisuaf.tmp
C:\WINDOWS\system32\drvdop.dll
C:\WINDOWS\system32\yayxwvt.dll
C:\WINDOWS\system32\hggdeby.dll

Folder::
C:\Program Files\Fvuupaip
C:\Program Files\Oxqvfbkx
C:\Program Files\Wuwsahrs
C:\Program Files\Xxkoljya
C:\Program Files\Qjuambpg
C:\Program Files\ctebaxcp
C:\kcfcnacj.exe
C:\oaif.exe
C:\1B4.tmp
C:\rsdqve.exe
C:\1BC.tmp
C:\138579547
C:\Install
C:\Program Files\Fvuupaip\wviycnjb.dll

* Save this as CFScript on the desktop.
* Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

[Screenshot: CFScript.gif]


* ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang.

--------------------

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard).
* Finally add the contents of the Report.txt in your next post as an Attachment with a new HijackThis log

--------------------

Run a new HijackThis scan and save a log file.

--------------------

Next post please attach
Combofix.txt log
Report.txt log
NEW HijackThis scan log
 
all files attached. Again thanks

(Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)
 
You somehow managed to attach only the combofix quarantined list. I need the new log it produced.

Plus the report.txt and a new hijackThis log.
 
here is the HijackThis log

trying to attach files

report files

Let's reconvene tomorrow. Again thanks
Also I have ntos.exe how could we get rid of that???

(Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)
 
We are getting there.

I should have another set of instructions waiting for you when you sign in tomorrow.

Cheers.
 
Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
* Hide extensions for known file types
* Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
* Show hidden files and folders
Click Apply and then click OK

--------------------

You will not be able to see this page in safe mode.

You should print these instructions before continuing or copy and paste them to notepad and save it to the desktop.
(from here to where it says Restart the computer to Normal Boot Mode)

--------------------

1. Go to Start > Turn off computer > Restart.
2. Lightly tap F8 until the menu screen appears.
3. Using the arrow keys, highlight Safe Mode option, then press Enter.
4. Log in with your usual account name.

--------------------

Open HijackThis and select Do a system scan only then place a check mark next to:

O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O2 - BHO: (no name) - {245A6CD4-5EA9-B9EB-791A-06F67243094D} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O2 - BHO: (no name) - {FED51DF2-9644-4C58-9104-90244EDD6EEC} - (no file)
O20 - Winlogon Notify: hggdeby - hggdeby.dll (file missing)


Close all windows except HijackThis and click fix checked

Close HijackThis and continue in Safe Mode.

--------------------

Double click the My Computer icon on your Desktop.

Double click on Local Disk (C:\)

Double click on the Program Files folder.

Right click on SecCenter and from the menu that appears, click on Delete

Next, repeat the steps but go to C: > Windows > System32 > and delete bkhibkh.dll

--------------------

Restart the computer to Normal Boot Mode

--------------------

Go to Start > Run and type in Services.msc then click OK

Click the Extended tab.

Scroll down until you find FFI

Right click on the service and choose Stop

Right-Click on the service again.

Click on 'Properties'

Select the 'General' tab

Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

From the drop-down menu, click on 'Disabled'

Click the 'Apply' tab, then click 'OK'

--------------------

Please open HijackThis and select Open the Misc Tools section

Then choose Delete an NT service

In the Delete window, type FFI and press OK

OK any prompts, close HijackThis.

Restart your computer.

--------------------

Delete these files/folders, as follows:

* Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

File::
C:\WINDOWS\system32\tmp.reg
C:\oaif.exe
C:\Install
C:\kcfcnacj.exe
C:\1B4.tmp
C:\rsdqve.exe
C:\1BC.tmp
C:\138579547

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggdeby]
hggdeby.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

* Save this as CFScript on the desktop.
* Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

[Screenshot: CFScript.gif]


* ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang.

--------------------

Please download ATF Cleaner by Atribune (ATF Cleaner.exe). This program does not require an installation; the executable actually runs the program.

NOTE: ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.

If you use Firefox browser
* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

--------------------

Next post please attach
Combofix.txt log
NEW HijackThis log
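As an added example (not from this thread, nor code from HijackThis, ComboFix or any other tool named here), a small Python triage of HijackThis O2 (BHO) and O20 (Winlogon Notify) lines in the format quoted above: it flags orphaned entries, nameless BHOs, and the dual-persistence pattern the log shows, where one DLL is registered both as a BHO and as a Winlogon Notify package. The sample lines, the "Vendor Helper" CLSID and the system32 heuristic are constructed assumptions, not output from the poster's machine.

```python
import re

# Constructed sample in the HijackThis line format quoted in this thread (not the poster's full log).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FED51DF2-9644-4C58-9104-90244EDD6EEC} - C:\\WINDOWS\\system32\\hggdeby.dll
O2 - BHO: Vendor Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Vendor\\helper.dll
O20 - Winlogon Notify: hggdeby - C:\\WINDOWS\\SYSTEM32\\hggdeby.dll
O20 - Winlogon Notify: hggdeby - hggdeby.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


def dll_name(path):
    """Base file name of a HijackThis path field, ignoring a trailing '(file missing)' note."""
    return path.split(" (")[0].split("\\")[-1].lower()


def triage(log_text):
    """Return {log line: [reasons]} for O2 and O20 entries that deserve review."""
    bhos = [(l, m.groupdict()) for l in log_text.splitlines() if (m := BHO_RE.match(l))]
    notifies = [(l, m.groupdict()) for l in log_text.splitlines() if (m := NOTIFY_RE.match(l))]
    # DLL names seen at each persistence point, so the two lists can be cross-referenced.
    bho_dlls = {dll_name(b["path"]) for _, b in bhos if b["path"] != "(no file)"}
    notify_dlls = {dll_name(n["path"]) for _, n in notifies}
    findings = {}
    for line, b in bhos:
        reasons = []
        if b["path"] == "(no file)":
            reasons.append("orphaned BHO: CLSID still registered but the DLL is gone")
        else:
            if b["name"] == "(no name)":
                reasons.append("BHO registered without a name: legitimate add-ons normally have one")
            if "\\system32\\" in b["path"].lower():  # heuristic: BHOs usually live in a product folder
                reasons.append("BHO DLL dropped in system32 rather than a product folder")
            if dll_name(b["path"]) in notify_dlls:
                reasons.append("same DLL is also a Winlogon Notify package: dual persistence")
        if reasons:
            findings[line] = reasons
    for line, n in notifies:
        reasons = []
        if n["path"].endswith("(file missing)"):
            reasons.append("orphaned Winlogon Notify entry: DLL missing, key can be removed")
        elif dll_name(n["path"]) in bho_dlls:
            reasons.append("Winlogon Notify DLL that is also a BHO: dual persistence inside winlogon.exe")
        if reasons:
            findings[line] = reasons
    return findings
```

Lines without a finding (the named BHO under Program Files, the crypt32chain package) are left alone, so the output is only the entries a helper would ask to have fixed.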
 
I am at work and won't be at my home computer to further troubleshoot and clean and get you your log files till I am at home. I will be there between 6 and 6:30 PM eastern standard time then we will pick it up from there.
Please let me know if you have any additional questions.
Thanks
 
OK, I see now. I didn't notice your header message about being at work. By just reading the message body it seemed as if you were speaking to nobody :)

We will pick it up later then, have a good day at work......
 
OK I'm done with your instructions

Back from work
Thank you for being so patient. Attached are the attachments you called for. We are seriously making headway :)
 