Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win32:small-epj Trojan Is On My Computer


  • This topic is locked This topic is locked
3 replies to this topic

#1 sandorman

sandorman

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 07 October 2007 - 01:37 PM

I have this:

http://www.bleepingcomputer.com/startups/startdrv-18061.html

I have found many things that say they will remove it but they never do. They always just stupidly say that it can't be removed because it's active and it has to reboot the computer. The computer reboots. And they still don't do it.

On top of this, it has downloaded many other things, most of which I've removed. Here's the junk I want off my computer:

c:/windows/temp/startdrv.exe
c:/windows/system32/WSNPOEM/audio.dll and video.dll

I tried many things. I tried to modify the windows registry file for it either to delete it, or to change it to something that isn't a virus and is in the same directory and is also 8 characters.exe. I wanted to put my hard drive in another computer as a slave but my other computer is windows 98 and doesn't recognize the hard drive being there at all. It says 'scanning primary slave' in the bios and there it's stuck forever. I tried to run a MS dos boot disk and then the only drives there were the 3.5 inch floppy and the 2 dvd burners (drive c was a dvd burner!) but no hard drives. I tried running a linux program from a CD called "Insert" which essentially be an operating system working from the CD and with stuff downloaded into RAM only, and would then run "Clam Antivirus" but I couldn't figure out how to even access the hard drive - and I can't remove the thing if I can't even read the hard drive. I have run 5 or 6 antivirus and antiadware programs and they all either don't detect it at all or they don't do a thing about it (though they did ruin my pkzip program just because it had a dll that was called tsad.dll by coincidence which it thought was adware). I found a little bit about 2 programs that I THINK might be used to remove it, since I can't do it the slave hard drive way. One's called avenger and the other is hijack this. Well, you probably all know about hijack this since you have people posting their logs here - but could someone please tell me how I could use these programs, if at all, to remove these specific files? I think they form the foundation of the virus, and if I nail them, I can clean up any mess they leave behind, but they're continually making messes and I only can kind of clean up the messes as they make them, plus the audio and video dll thing supposedly steals bank information and the startdrv thing is a backdoor for some jerkwad to seize control of my computer.

By the way, no one go to isohunt.com. It's a bittorrent search engine. Just GOING to that website gave me this crap. Amazing, huh!

BC AdBot (Login to Remove)

 


#2 buddy215

buddy215

  • BC Advisor
  • 12,995 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:01:53 AM

Posted 07 October 2007 - 01:51 PM

http://www.pandasecurity.com/enterprise/se...;idvirus=159770
Brief Description


Wsnpoem.AW is a Trojan that monitors the web traffic and captures the information entered by the user in some websites.

Additionally, it deletes the cookies so that the user has to enter the access data required in certain websites.

Finally, it sends the gathered information and the name of the machine to its author.

Wsnpoem.AW does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

--------------------------------------------------------------------------------

Post a Hijack This Log in the Hijack This Forum by following the directions in the link below if the programs above have not removed ALL malware. DO NOT post a log in this forum. http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

How to Start Windows in Safe Mode:
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,139 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:53 AM

Posted 08 October 2007 - 09:30 AM

After doing the above scans, please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download Dr.Web CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with Dr.Web CureIt as follows:
  • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop. (You can use Notepad to open the DrWeb.cvs report)
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply.

Edited by quietman7, 08 October 2007 - 09:30 AM.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,139 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:53 AM

Posted 09 October 2007 - 09:22 PM

I have moved your Hijackthis log to the Misplaced HJT Logs forum. You posted your log in a forum not intended for these logs analysis. Your log can be found here.

Please follow all directions that I posted as a reply to your log. Following these instructions will ensure that your hijackthis log is properly posted so it can be reviewed in a timely manner.

If you have any questions please respond in that thread. To avoid confusing, I am closing this topic.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users