removal of Stration .A



ericbecky
2008-10-20, 18:04
Windows Live OneCare alerted me to this,
Trojan Downloader Win32 / Stration .A

After reading the message, OneCare doesn't seem to actually be able to remove it, so I periodically get the warning about Stration.A.

I have read this forum's "BEFORE you POST" thread.
I have installed and run Spybot S&D and read through its tutorial.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:12 AM, on 10/20/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Lenovo\Lenovo Standard Keyboard Driver\SkDaemond.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Eric\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\TVersity\Media Server\web\admin\TVersity.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SkDaemond] C:\Program Files\Lenovo\Lenovo Standard Keyboard Driver\SkDaemond.exe
O4 - HKLM\..\Run: [lenscrset] C:\Windows\system32\lenscrset.exe /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Eric\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: AutoMailer.lnk = C:\Troopmaster Software\AutoMailer\AutoMailer.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo5\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: OKAV Agent Service - Trend Micro Inc. - C:\Program Files\Trend Micro\OKAVAgent\OKAVAgent.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 5408 bytes

shelf life
2008-10-21, 04:13
hi ericbecky,

let's get an exe checked out.
see if you can locate this .exe in the C:\Windows\System32 dir.

lenscrset.exe

if so go to the website below, browse for the .exe again then upload it using the send button.
you can copy/paste the results from the website in your reply:

http://www.virustotal.com/

ericbecky
2008-10-21, 05:21
I found lenscrset.exe.
I uploaded it to virustotal.

Here are the results:

File lenscrset.exe received on 10.21.2008 04:18:48 (CET)
Current status: finished
Result: 0/36 (0%)


Antivirus Version Last Update Result
AhnLab-V3 2008.10.18.0 2008.10.20 -
AntiVir 7.9.0.5 2008.10.20 -
Authentium 5.1.0.4 2008.10.21 -
Avast 4.8.1248.0 2008.10.15 -
AVG 8.0.0.161 2008.10.20 -
BitDefender 7.2 2008.10.21 -
CAT-QuickHeal 9.50 2008.10.20 -
ClamAV 0.93.1 2008.10.21 -
DrWeb 4.44.0.09170 2008.10.21 -
eSafe 7.0.17.0 2008.10.19 -
eTrust-Vet 31.6.6160 2008.10.20 -
Ewido 4.0 2008.10.20 -
F-Prot 4.4.4.56 2008.10.20 -
F-Secure 8.0.14332.0 2008.10.21 -
Fortinet 3.113.0.0 2008.10.20 -
GData 19 2008.10.21 -
Ikarus T3.1.1.44.0 2008.10.20 -
K7AntiVirus 7.10.500 2008.10.20 -
Kaspersky 7.0.0.125 2008.10.21 -
McAfee 5409 2008.10.21 -
Microsoft 1.4005 2008.10.21 -
NOD32 3539 2008.10.21 -
Norman 5.80.02 2008.10.20 -
Panda 9.0.0.4 2008.10.20 -
PCTools 4.4.2.0 2008.10.20 -
Prevx1 V2 2008.10.21 -
Rising 20.67.02.00 2008.10.21 -
SecureWeb-Gateway 6.7.6 2008.10.21 -
Sophos 4.34.0 2008.10.21 -
Sunbelt 3.1.1741.1 2008.10.21 -
Symantec 10 2008.10.21 -
TheHacker 6.3.1.0.121 2008.10.21 -
TrendMicro 8.700.0.1004 2008.10.20 -
VBA32 3.12.8.8 2008.10.21 -
ViRobot 2008.10.20.1428 2008.10.20 -
VirusBuster 4.5.11.0 2008.10.20 -
Additional information
File size: 45056 bytes
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%)

shelf life
2008-10-22, 00:30
ok so far so good. we will get another download to check for any possible malware on your machine:

Please download Malwarebytes' Anti-Malware to your desktop:

http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

please post the log from the scan.

ericbecky
2008-10-22, 01:57
shelf life,
I downloaded the program, updated it, and ran a FULL scan.

In the end it said no malicious items were detected.



Here is the log from the scan.

Malwarebytes' Anti-Malware 1.29
Database version: 1304
Windows 6.0.6001 Service Pack 1

10/21/2008 5:53:12 PM
mbam-log-2008-10-21 (17-53-12).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 169252
Time elapsed: 1 hour(s), 0 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

shelf life
2008-10-22, 04:40
ok good. i suggest, as another opinion, doing an online scan and seeing if it can dig anything up.

ESET online scanner:

http://www.eset.com/onlinescan/

uses Internet Explorer only
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan unwanted applications"
click scan
when done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
please copy/paste that log in next reply.

ericbecky
2008-10-22, 05:46
Used ESET Online Scanner.
3 threats found.


Here are the results of the scan log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3544 (20081021)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=181577d486da0d41a924770b8323d09a
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-10-22 02:38:50
# local_time=2008-10-21 09:38:50 (-0600, Central Daylight Time)
# country="United States"
# osver=6.0.6001 NT Service Pack 1
# scanned=453647
# found=3
# scan_time=2852
C:\Users\Eric\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\29B54A52-00000029.eml Win32/Stration.LZ worm (contained infected files) 595B980682841C5D552EA7E6FA7C245C
C:\Users\Eric\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\29B54A52-00000029.eml »MIME »file.zip Win32/Stration.LZ worm (deleted) 00000000000000000000000000000000
C:\Users\Eric\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\29B54A52-00000029.eml »MIME »file.zip »ZIP »file.msg.scr Win32/Stration.LZ worm (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
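
A parser for the log layout above, as an added example that is not from this thread or from ESET: it recovers the nested object chain (.eml » MIME » zip » .scr) and decides which findings still need attention, treating the "error while cleaning" on the innermost member as moot because its parent was deleted. The sample log, path, user name and hashes are constructed, and the ESET action vocabulary it keys on is an assumption noted in the comments.

```python
import re

# Constructed sample in the layout of the ESET Online Scanner log.txt quoted in this thread:
# "# key=value" header lines, then findings as "<object> <threat> (<action>) <md5>".
# Path, user name and hashes are made up; threat name and action texts follow the thread.
SAMPLE_LOG = r"""# end=finished
# found=3
C:\Users\alice\Mail\Deleted Items\SAMPLE-00000001.eml Win32/Stration.LZ worm (contained infected files) 0123456789ABCDEF0123456789ABCDEF
C:\Users\alice\Mail\Deleted Items\SAMPLE-00000001.eml »MIME »file.zip Win32/Stration.LZ worm (deleted) 00000000000000000000000000000000
C:\Users\alice\Mail\Deleted Items\SAMPLE-00000001.eml »MIME »file.zip »ZIP »file.msg.scr Win32/Stration.LZ worm (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
"""

# The threat name is the first token with a platform prefix such as "Win32/" (assumption);
# that is what separates a path containing spaces from the rest of the line.
FINDING_RE = re.compile(
    r"^(?P<obj>.+?) (?P<threat>(?:probably a variant of |a variant of )?\S+/\S+(?: [a-z]+)*) "
    r"\((?P<action>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")

def effective_status(action: str) -> str:
    """Reduce ESET's action text (assumed vocabulary) to what still needs a human."""
    if action.startswith(("deleted", "cleaned")):
        return "removed"
    if action == "contained infected files":
        return "container"            # only its members carry the payload
    if "was a part of the deleted object" in action:
        return "removed_with_parent"  # the 'error while cleaning' is moot: the parent is gone
    return "needs_attention"

def parse_log(text: str) -> tuple[dict[str, str], list[dict]]:
    header, findings = {}, []
    for line in filter(str.strip, text.splitlines()):
        if line.startswith("# "):
            header.update([line[2:].split("=", 1)])  # "# key=value"
            continue
        m = FINDING_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised log line: {line!r}")
        f = m.groupdict()
        root, *chain = f.pop("obj").split(" »")  # root path, then (container type, member) pairs
        f.update(path=root, nested=list(zip(chain[::2], chain[1::2])),
                 status=effective_status(f["action"]))
        findings.append(f)
    return header, findings

def outstanding(text: str) -> list[dict]:
    """Findings the scanner could not neutralise; rejects logs that did not finish or lost lines."""
    header, findings = parse_log(text)
    if header.get("end") != "finished" or header.get("found") != str(len(findings)):
        raise ValueError("scan did not finish or the log is truncated")
    return [f for f in findings if f["status"] == "needs_attention"]
```

Run against the constructed sample, `outstanding()` returns an empty list: the worm's container was flagged, the zip was deleted, and the .scr's cleaning error is inherited from the deleted parent rather than a leftover infection.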

shelf life
2008-10-23, 00:21
hi,

ok good. looks like the culprit has been found and deleted. Antivirus apps are better suited to handle worms than anti-malware apps.

you can keep malwarebytes. don't forget to check for updates to it before scanning. it's a good idea to keep it updated anyway even if you rarely do a scan.

if all is good, some info for you:

My Top Ten

The Short Version:

1) Keep your OS (Windows), browser (IE, Firefox) and other software up to date.

2) Know what you are installing to your computer. A lot of software can come with unwanted add-ons.

3) Install, keep updated: antivirus and two or three anti-malware applications.

4) Don't click on links or install files you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.

5) Don't click on ads/pop-ups or offers from websites to install software.

6) Don't click on offers to "scan" your computer.

7) Set up and use limited accounts rather than administrator accounts.

8) Consider using an alternate browser and E-mail client.

9) Install and understand the limitations of a third party software firewall.

10) If your habits include visiting or installing files from warez, cracks, etc. or p2p networks, then you are much more likely to encounter malicious code. Do you trust the source?

ericbecky
2008-10-25, 05:06
Thanks for all your help and for the advice!

I know how the worm got on there and it was my own fault for being in a hurry.

Keep up the great service!