STEELWERX

STEELWERX

Post by silverdel » July 24th, 2008, 4:35 pm

Hi, my PC was infected with STEELWERX and the only program that has helped with the infection was COMBOFIX; however, I was not too happy about using the program, and wondered if the forum had any better and safer fixes that I could have used and that would have been better to use.
silverdel
Regular Member
 
Posts: 32
Joined: July 24th, 2008, 4:18 pm

Re: STEELWERX

Post by Elrond » July 25th, 2008, 6:56 am

I'm Elrond and I'll be glad to help you with your computer problems.

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please only use this topic for your replies on this problem. Do not start another thread.
Please note that the fixes we will use are specific to your problems on this computer and should only be used for this problem on this computer.
These things need to be properly researched and a complete fix for many malware problems can take some time and be spread over a number of posts, so please be patient and try to see it through to the end.

Before we start: Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note that you should have Administrator rights to perform the fixes. (XP accounts are Administrator by default.) Also note that multiple-identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual's settings, but continue with the fix. Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.
It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.



Please note that all instructions given are customized for this computer only, the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post a log in the HJT forum and wait for help.



Please note that I will be off line for about 26 hours (sundown Friday until nightfall Saturday my local time) every week.


End of preliminaries. What follows is related to analyzing what is on your computer and cleaning it up.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Please download HJTInstall.exe from here and save it to your desktop
  • Double click on the HJTInstall.exe icon on your desktop
  • Click I Accept
  • HijackThis will open
  • Click on the Do a system scan and save a log file button.
  • It will scan and then the log will open in notepad.
  • Paste the log as a reply to this thread.
  • Don't use the Analyse This button - its findings are dangerous if misinterpreted.
Do NOT have HijackThis fix anything yet.


Open "HijackThis". Click on "Open Misc.Tool Section".
Use the scroll bar on the right and scroll down to "Open Uninstall Manager". Click it.
On the right you will find "Save List". Click it.
The log that you just saved will appear.
Use "Copy" and "Paste" to add it to your next post.

What I want to see in the next post in this topic is a log from HijackThis and the log from Uninstall Manager.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Re: STEELWERX

Post by silverdel » July 25th, 2008, 4:41 pm

Here, as requested, is the HijackThis file, and thanks for your help.
silverdel
Regular Member
 
Posts: 32
Joined: July 24th, 2008, 4:18 pm

Re: STEELWERX

Post by silverdel » July 25th, 2008, 4:44 pm

Thanks Elrond, any help will be of great value to me.
silverdel
Regular Member
 
Posts: 32
Joined: July 24th, 2008, 4:18 pm

Re: STEELWERX

Post by silverdel » July 25th, 2008, 4:53 pm

Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Advanced WindowsCare 3 Beta
Apple Mobile Device Support
Apple Software Update
BBC iPlayer Download Manager
Bejeweled 2 Deluxe
Big Fish Games Client
BitDefender Internet Security 2008
Bonjour
BookWorm Deluxe 1.02
Bricks of Atlantis
Bricks of Camelot
Build in Time
Build in Time
Canon ScanGear Toolbox CS 2.2
ClearType Tuning Control Panel Applet
CueClub
DVDFab Platinum 2.70
EasyCleaner
Garmin WebUpdater
HijackThis 2.0.2
hp deskjet 845c series (Remove only)
Insaniquarium Deluxe 1.0
iTunes
J2SE Runtime Environment 5.0 Update 3
Java(TM) 6 Update 5
LimeWire PRO 4.12.3
Little Farm
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSN
MSXML 4.0 SP2 (KB936181)
Mummy Maze Deluxe 1.1
Nero 8
neroxml
NVIDIA Drivers
PowerDVD
PrintParade Studio
QuickTime
RealPlayer
Ricochet Xtreme
Rocket Mania 1.01
ScanSpyware v3.8.0.4
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Excel 2007 (KB946974)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Office 2007 (KB947801)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
SpeedTouch USB Software
Spell Checker For OE 2.1
Tradewinds Caravans
Tradewinds Full Game
TuneUp Utilities 2008
Uniblue Registry Booster
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB934391)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb953463)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951978)
Virtual Villagers: The Secret City
Webshots Desktop
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinRAR archiver
Your Uninstaller! 2008 Version 6.0
silverdel
Regular Member
 
Posts: 32
Joined: July 24th, 2008, 4:18 pm

Re: STEELWERX

Post by silverdel » July 25th, 2008, 4:54 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:55, on 2008-07-25
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\System32\TuneUpDefragService.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE8A24C4-ABAA-4C16-8F79-EFF6A64CC5BE}: NameServer = 212.139.132.38 212.139.132.39
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 7392 bytes
Hope this is the file you require!
silverdel
Regular Member
 
Posts: 32
Joined: July 24th, 2008, 4:18 pm
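A log like the one above is normally read by eye, entry by entry. As an added example, not code from this thread or from HijackThis itself, the following Python script parses lines in the format HijackThis prints (a section code such as R3, O4 or O23, a hyphen, then the detail) and flags the entries a helper usually checks first: references to files that no longer exist, services with no known publisher, entries that run at logon, and hand-set DNS servers. The sample lines are quoted from the log posted above; the function names (parse_hjt, by_section, triage, dns_servers) are this example's own, and flagging an entry means only that it deserves a look, not that it is malicious.

```python
"""Triage helper for HijackThis log lines (added example, not HJT's own code)."""
import re

# Lines quoted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE8A24C4-ABAA-4C16-8F79-EFF6A64CC5BE}: NameServer = 212.139.132.38 212.139.132.39
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HJT entry is: section code (letter + number), " - ", detail text.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<detail>.+)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_hjt(text):
    """Return a list of {'code', 'detail'} dicts, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"code": m.group("code"), "detail": m.group("detail")})
    return entries


def by_section(entries):
    """Count entries per section code (R0, O2, O4, ...)."""
    counts = {}
    for e in entries:
        counts[e["code"]] = counts.get(e["code"], 0) + 1
    return counts


def triage(entries):
    """Return (entry, reasons) pairs for entries worth a closer look.

    An object that points at a file which is gone is a leftover of a removed
    program or of a partial clean-up; a service without a publisher and
    anything that starts at logon are where persistence usually lives; O17
    name servers should match the ones the ISP hands out.
    """
    flagged = []
    for e in entries:
        reasons = []
        detail = e["detail"]
        if "(no file)" in detail or "(file missing)" in detail:
            reasons.append("orphaned reference")
        if e["code"] == "O23" and "Unknown owner" in detail:
            reasons.append("service with unknown owner")
        if e["code"] == "O4":
            reasons.append("autostart entry")
        if e["code"] == "O17":
            reasons.append("custom DNS server")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def dns_servers(entries):
    """Collect the name-server addresses listed in O17 entries."""
    servers = []
    for e in entries:
        if e["code"] == "O17":
            servers.extend(IPV4_RE.findall(e["detail"]))
    return servers


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("entries per section:", by_section(parsed))
    for entry, reasons in triage(parsed):
        print(entry["code"], "|", ", ".join(reasons), "|", entry["detail"][:70])
    print("DNS servers to verify against the ISP:", dns_servers(parsed))
```

Run against the full log, the script leaves the BHOs and named-publisher services alone and lists the two "(no file)" leftovers, the two missing iolo services, the two Run entries and the O17 name servers, which is the same set a helper would ask about.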

Re: STEELWERX

Post by Elrond » July 26th, 2008, 4:47 pm

I do not see anything that does not look OK. The SteelWerx that I know of is a legitimate program that is used by malware hunters.
Please tell me how you found SteelWerx on your computer and what problems you see.
========================================================================

Meanwhile we should take care of a few things:

P2P Warning!

LimeWire PRO 4.12.3

I understand that downloading music and other files may be important to you; however, the P2P programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection over the internet, so your computer becomes a part of the malware problem.

Remember that no matter how clean the program you're using for peer-to-peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via p2p filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., copyrighted material, pirated software, and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

An often unanticipated and unintended consequence of using p2p programs is that you may be leaving your computer open to access by others without either your knowledge or consent. I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them. This is how you can uninstall it/them:

  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):

    LimeWire PRO 4.12.3

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

If you wish to keep them, which I WOULD STRONGLY advise you not to do, you MUST NOT use them until your computer is clean.
==============================================================================

While you are at it you should use the same method to remove the following old Java versions as they pose a security risk.
J2SE Runtime Environment 5.0 Update 3
Java(TM) 6 Update 5


Close the Add/Remove and the Control Panel.

Update Java Runtime


Now
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 7 and click on Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u7-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer
============================================================================

Let us look a bit closer at your computer and see if there is anything that shows up as nasty:

Download Deckard's System Scanner (DSS)
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized
  • Make sure Format->Word Wrap is unchecked
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply

Once complete, please post both DSS logs, you won't need to produce a new HijackThis log as DSS produces one for you.
==============================================================================

What I need you to post in this topic are the following
  1. A description of how you found SteelWerx and what problems you have.
  2. The DSS log main.txt
  3. The DSS log extra.txt
  4. A new HijackThis log.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Re: STEELWERX

Post by silverdel » July 28th, 2008, 3:33 am

Hi, thanks for the information. I have completed the removal of Limewire, and the Java system has been updated. The Steelwerx virus or malware kept stopping the PC from running any desktop icons, freezing the PC, then restarting the initial page again.
Combofix removed this for me, but I was unsure about that program and its use. I have never had malware problems before, but since starting to use BITDEFENDER 2008 (this program tells you to disable all forms of anti-virus protection prior to installation) I assume this was when my PC was infected. By the way, BitDefender do appear to be having problems with the product; I have been in touch by phone and e-mail and have still not resolved the problem that program has in clashing with OE 6.
silverdel
Regular Member
 
Posts: 32
Joined: July 24th, 2008, 4:18 pm

Re: STEELWERX

Post by Elrond » July 28th, 2008, 6:57 am

I do need to see the Deckard's System Scanner (DSS) log.
If you still have the Combofix log I would like to see that as well.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Re: STEELWERX

Post by silverdel » July 28th, 2008, 10:43 am

Hi, as requested I've posted the required files. I am experiencing problems with Anti Virus 2008 malware getting past my BITDEFENDER.
silverdel
Regular Member
 
Posts: 32
Joined: July 24th, 2008, 4:18 pm

Re: STEELWERX

Post by Elrond » July 29th, 2008, 10:04 am

Hi again.
Sorry for the delay but I had a few real life problems that had to be taken care of.


Please do not attach the logs but post them in the topic, unless I specifically ask you to attach them. It makes my job much more difficult and also makes the information more difficult to access if somebody else wants to or needs to use it.


The SteelWerx that you see is not malware but a tool that is used by some of the tools that we use to clean up malware. It is a specialised registry tool that can do certain things that cannot be done by normal registry tools.


I see that you have XoftSpySE installed. It was once classified as a rogue application, but it was de-listed a few years ago. However, it is not a program that I would recommend, and it has been known to be prone to falsely identifying files as bad. If you have paid for it I would keep it for now, but I would not renew it. There are much better programs out there.

If you want to remove it then please
  1. Click Start>Run type in appwiz.cpl and hit Enter.
  2. Select XoftSpySE if you find it.
  3. Click on the "Add/Remove" button.
  4. If it asks if you really want to remove the program please click Yes
  5. If it gives you more than one option about what to do please choose Remove
  6. Once the program/s are uninstalled, click on the "OK" button.
  7. Reboot the computer.


I'd like you to check (a file/some files) for Viruses.
C:\WINDOWS\SysF7.exe
C:\WINDOWS\SysF6.exe
C:\WINDOWS\SysF5.exe
C:\WINDOWS\SysF4.exe
C:\WINDOWS\SysF3.exe
C:\WINDOWS\system32\bdod.bin
C:\WINDOWS\system32\mpt.exe

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Repeat for all files on the list, and post me the details please



Download and Run OTMoveIt2

Download OTMoveIt2 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines in the codebox below.
Code:
C:\WINDOWS\system32\mpxa.exe
C:\Program Files\uTorrent
C:\Documents and Settings\User\Application Data\uTorrent
C:\Program Files\LimeWire
C:\Documents and Settings\User\Application Data\LimeWire

  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2


What I need from you are the results of the scans of the files at Jotti or VirusTotal and the OTMoveIt2 log.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Re: STEELWERX

Post by silverdel » July 29th, 2008, 11:39 am

C:\WINDOWS\system32\mpxa.exe moved successfully.
C:\Program Files\uTorrent moved successfully.
C:\Documents and Settings\User\Application Data\uTorrent moved successfully.
C:\Program Files\LimeWire\root\magnet10 moved successfully.
C:\Program Files\LimeWire\root moved successfully.
C:\Program Files\LimeWire\.NetworkShare moved successfully.
C:\Program Files\LimeWire moved successfully.
C:\Documents and Settings\User\Application Data\LimeWire\xml\schemas moved successfully.
C:\Documents and Settings\User\Application Data\LimeWire\xml\misc moved successfully.
C:\Documents and Settings\User\Application Data\LimeWire\xml\data moved successfully.
C:\Documents and Settings\User\Application Data\LimeWire\xml moved successfully.
C:\Documents and Settings\User\Application Data\LimeWire\themes\windows_theme moved successfully.
C:\Documents and Settings\User\Application Data\LimeWire\themes\other_theme moved successfully.
C:\Documents and Settings\User\Application Data\LimeWire\themes\limewire_theme moved successfully.
C:\Documents and Settings\User\Application Data\LimeWire\themes\limewirePro_theme moved successfully.
C:\Documents and Settings\User\Application Data\LimeWire\themes\classic_theme moved successfully.
C:\Documents and Settings\User\Application Data\LimeWire\themes\black_theme moved successfully.
C:\Documents and Settings\User\Application Data\LimeWire\themes moved successfully.
C:\Documents and Settings\User\Application Data\LimeWire\.NetworkShare\Incomplete moved successfully.
C:\Documents and Settings\User\Application Data\LimeWire\.NetworkShare moved successfully.
C:\Documents and Settings\User\Application Data\LimeWire moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07292008_163927
silverdel
Regular Member
 
Posts: 32
Joined: July 24th, 2008, 4:18 pm

Re: STEELWERX

Post by silverdel » July 29th, 2008, 12:07 pm

Hi, uploaded one file as requested; now here is a list of the viruses detected by the selected program:
TR/Pc Health.1 ; WIN32;TROJAN-GEN ; GENERICO.BTM ; GENERICO.BHUC ; TROJAN FAKEALERT.1080
WIN32/TREPOLATS ; PHISH/FRAUDTOOL.AGENT.AG

I do hope that this is helpful and that you can offer me some light on how to get rid of them
Derek
silverdel
Regular Member
 
Posts: 32
Joined: July 24th, 2008, 4:18 pm

Re: STEELWERX

Post by Elrond » July 29th, 2008, 1:31 pm

Derek
Please do as follows with those files:
For each file please use the file name as a header and then copy and paste the report that you get with regards to that file. Repeat the same for each of the files that are shown in red in the quote box.
Once I know what the report for each file is we can then see if they should be removed and if so how to do it.

Getting rid of malware is a slow process because one has to be very careful not to do any unnecessary damage.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Re: STEELWERX

Post by silverdel » July 30th, 2008, 3:55 am

AhnLab-V3 2008.7.29.1 2008.07.30 Win-Trojan/Downloader.106496.T
AntiVir 7.8.1.12 2008.07.30 TR/Dldr.Agent.122
Authentium 5.1.0.4 2008.07.30 -
Avast 4.8.1195.0 2008.07.29 Win32:Trojan-gen {Other}
AVG 8.0.0.130 2008.07.29 Generic10.BHUD
BitDefender 7.2 2008.07.30 BehavesLike:Trojan.Downloader
CAT-QuickHeal 9.50 2008.07.29 TrojanDownloader.Agent.xkd
ClamAV 0.93.1 2008.07.30 -
DrWeb 4.44.0.09170 2008.07.30 Trojan.Fakealert.1080
eSafe 7.0.17.0 2008.07.29 -
eTrust-Vet 31.6.5994 2008.07.30 -
Ewido 4.0 2008.07.29 -
F-Prot 4.4.4.56 2008.07.30 -
F-Secure 7.60.13501.0 2008.07.30 Trojan-Downloader.Win32.Agent.xkd
Fortinet 3.14.0.0 2008.07.30 PossibleThreat
GData 2.0.7306.1023 2008.07.30 Trojan-Downloader.Win32.Agent.xkd
Ikarus T3.1.1.34.0 2008.07.30 BehavesLike.Trojan-Downloader
Kaspersky 7.0.0.125 2008.07.30 Trojan-Downloader.Win32.Agent.xkd
McAfee 5349 2008.07.29 Generic FakeAlert.a
Microsoft 1.3704 2008.07.28 -
NOD32v2 3308 2008.07.29 Win32/TrojanDownloader.Agent.OBE
Norman 5.80.02 2008.07.30 W32/DLoader.IPKX
Panda 9.0.0.4 2008.07.29 Trj/Downloader.MDW
PCTools 4.4.2.0 2008.07.30 Trojan-Downloader.Agent!sd6
Prevx1 V2 2008.07.30 Spyware
Rising 20.55.21.00 2008.07.30 -
Sophos 4.31.0 2008.07.30 Troj/Dloadr-BOV
Sunbelt 3.1.1537.1 2008.07.29 FakeAlert.PCHealthCenter
Symantec 10 2008.07.30 Downloader.MisleadApp
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.30 TROJ_AGENT.LDR
ViRobot 2008.7.29.1315 2008.07.29 -
VirusBuster 4.5.11.0 2008.07.29 -
Webwasher-Gateway 6.6.2 2008.07.30 Trojan.Dldr.Agent.122
Additional information
File size: 106496 bytes
MD5...: f10bc783207e5f193be1dcad62ed4d89
SHA1..: e6e02bf76fa2ae2788e62136357b175850ca4a66
SHA256: 1f83a175424b66a6f2b69b02eee503ed2b0e94ec37ae896679b69e189d64a8e9
SHA512: cee2787ffc4ccec476b09cdd2032a8fb5c4a37d1bf46c860c06445ba6a1bd98e
7b2c885425f331892db1999c08a6fe286af0aebd4dbda586beea82c8275844b8
PEiD..: Armadillo v1.71
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40237e
timedatestamp.....: 0x4886fc84 (Wed Jul 23 09:40:20 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xd9aa 0xe000 6.46 1dd38f087d0973d159c1ffb1244ab0f9
.rdata 0xf000 0x3ef0 0x4000 4.83 b201cf860a5804ac86f485d1a8475746
.data 0x13000 0x5a00 0x4000 1.21 f1b5ec8bc56659baddb0306656ca2bb0
.rsrc 0x19000 0x25e0 0x3000 3.33 dfeeecae71ff311cd5637bbdeb4d8d53

( 8 imports )
> KERNEL32.dll: RtlUnwind, GetStartupInfoA, GetCommandLineA, TerminateProcess, HeapFree, HeapAlloc, RaiseException, HeapReAlloc, HeapSize, GetACP, UnhandledExceptionFilter, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, LCMapStringA, LCMapStringW, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, IsBadReadPtr, IsBadCodePtr, WriteFile, GetCurrentProcess, SetErrorMode, GetOEMCP, GetCPInfo, GetProcessVersion, WritePrivateProfileStringA, GlobalFlags, lstrcpynA, TlsGetValue, LocalReAlloc, TlsSetValue, EnterCriticalSection, GlobalReAlloc, LeaveCriticalSection, TlsFree, GlobalHandle, DeleteCriticalSection, TlsAlloc, InitializeCriticalSection, LocalFree, LocalAlloc, SetLastError, LoadLibraryA, FreeLibrary, GetVersion, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GetProcAddress, GlobalUnlock, GlobalFree, MultiByteToWideChar, WideCharToMultiByte, lstrlenA, InterlockedDecrement, InterlockedIncrement, CloseHandle, GlobalLock, GlobalAlloc, GlobalDeleteAtom, lstrcmpA, lstrcmpiA, GetCurrentThread, GetCurrentThreadId, CreateThread, WinExec, Sleep, GetTempFileNameA, DeleteFileA, CopyFileA, OpenEventA, CreateEventA, GetLastError, ExitProcess, GetModuleHandleA, GetModuleFileNameA, MoveFileExA, lstrcpyA, lstrcatA, FindFirstFileA, FreeEnvironmentStringsA, FindClose
> USER32.dll: CopyRect, AdjustWindowRectEx, SetFocus, GetSysColor, MapWindowPoints, SetWindowTextA, ShowWindow, ClientToScreen, GetDC, ReleaseDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, LoadCursorA, GetClassNameA, PtInRect, GetSysColorBrush, LoadStringA, DestroyMenu, GetTopWindow, GetCapture, WinHelpA, GetClassInfoA, RegisterClassA, GetMenu, GetMenuItemCount, GetSubMenu, GetMenuItemID, GetWindowTextA, GetDlgCtrlID, DefWindowProcA, CreateWindowExA, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, CallWindowProcA, RemovePropA, GetMessageTime, GetMessagePos, GetForegroundWindow, SetForegroundWindow, GetWindow, SetWindowLongA, SetWindowPos, RegisterWindowMessageA, SystemParametersInfoA, GetWindowPlacement, EndDialog, DestroyWindow, GetDlgItem, GetMenuCheckMarkDimensions, LoadBitmapA, GetMenuState, ModifyMenuA, SetMenuItemBitmaps, CheckMenuItem, EnableMenuItem, GetFocus, GetNextDlgTabItem, GetMessageA, TranslateMessage, DispatchMessageA, GetActiveWindow, GetKeyState, CallNextHookEx, ValidateRect, IsWindowVisible, PeekMessageA, GetCursorPos, SetWindowsHookExA, GetParent, GetLastActivePopup, IsWindowEnabled, GetWindowLongA, MessageBoxA, SetCursor, PostQuitMessage, PostMessageA, EnableWindow, IsIconic, GetSystemMetrics, GetClientRect, DrawIcon, SendMessageA, LoadIconA, wsprintfA, GetWindowRect, UnregisterClassA
> GDI32.dll: OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, DeleteObject, SetViewportOrgEx, GetDeviceCaps, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, DeleteDC, GetObjectA, SetMapMode, SetBkColor, SetTextColor, GetStockObject, SelectObject, RestoreDC, CreateBitmap, GetClipBox, SaveDC
> WINSPOOL.DRV: OpenPrinterA, DocumentPropertiesA, ClosePrinter
> ADVAPI32.dll: RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, RegCreateKeyExA, RegDeleteValueA, RegCloseKey
> COMCTL32.dll: -
> OLEAUT32.dll: -
> urlmon.dll: URLDownloadToFileA

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext. ... 00A89D87D0
ThreatExpert info: http://www.threatexpert.com/report.aspx ... ad62ed4d89


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
silverdel
Regular Member
 
Posts: 32
Joined: July 24th, 2008, 4:18 pm
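A multi-engine report like the one above is easier to act on once it is reduced to a detection count, a consensus on the malware family, and a note on whether the file is packed. As an added example, not code from this thread, from VirusTotal or from any of the engines listed, the following Python script parses result lines of the shape "engine version date result" (where "-" means the engine found nothing), counts how many engines agree on the "downloader" and "fakealert" names, parses the section table, and applies the entropy heuristic that the report's "ntrpy" column represents. The sample lines are a subset quoted from the report above; the keyword table, the 6.0 bits/byte threshold and the function names are this example's own assumptions.

```python
"""Summarise a VirusTotal-style multi-engine listing (added example)."""
import math
from collections import Counter

# Result lines quoted from the report posted in this thread (a subset).
# Shape: <engine> <version> <signature date> <result>; "-" = nothing found.
SAMPLE_RESULTS = """
AhnLab-V3 2008.7.29.1 2008.07.30 Win-Trojan/Downloader.106496.T
AntiVir 7.8.1.12 2008.07.30 TR/Dldr.Agent.122
Authentium 5.1.0.4 2008.07.30 -
Avast 4.8.1195.0 2008.07.29 Win32:Trojan-gen {Other}
ClamAV 0.93.1 2008.07.30 -
DrWeb 4.44.0.09170 2008.07.30 Trojan.Fakealert.1080
Kaspersky 7.0.0.125 2008.07.30 Trojan-Downloader.Win32.Agent.xkd
McAfee 5349 2008.07.29 Generic FakeAlert.a
Microsoft 1.3704 2008.07.28 -
Sunbelt 3.1.1537.1 2008.07.29 FakeAlert.PCHealthCenter
"""

# PE section table quoted from the same report: name, virtual address,
# virtual size, raw size, entropy (bits per byte), MD5 of the section bytes.
SAMPLE_SECTIONS = """
.text 0x1000 0xd9aa 0xe000 6.46 1dd38f087d0973d159c1ffb1244ab0f9
.rdata 0xf000 0x3ef0 0x4000 4.83 b201cf860a5804ac86f485d1a8475746
.data 0x13000 0x5a00 0x4000 1.21 f1b5ec8bc56659baddb0306656ca2bb0
.rsrc 0x19000 0x25e0 0x3000 3.33 dfeeecae71ff311cd5637bbdeb4d8d53
"""

# Vendors name the same thing differently; these substrings (an assumption
# chosen for the names seen in this report) map them onto two families.
FAMILIES = {
    "downloader": ("downloader", "dldr", "dloadr", "dloader"),
    "fakealert": ("fakealert",),
}


def parse_results(text):
    """One dict per engine line; result is None when the engine found nothing."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split(None, 3)  # the result itself may contain spaces
        if len(parts) != 4:
            continue
        engine, version, date, result = parts
        rows.append({"engine": engine, "version": version, "date": date,
                     "result": None if result == "-" else result})
    return rows


def detection_ratio(rows):
    """(engines that flagged the file, engines that scanned it)."""
    return sum(1 for r in rows if r["result"]), len(rows)


def family_votes(rows):
    """How many engines put the file in each family of FAMILIES."""
    votes = Counter()
    for r in rows:
        if not r["result"]:
            continue
        label = r["result"].lower()
        for family, keys in FAMILIES.items():
            if any(k in label for k in keys):
                votes[family] += 1
    return dict(votes)


def parse_sections(text):
    """Parse the section table into dicts with integer sizes and float entropy."""
    sections = []
    for line in text.strip().splitlines():
        name, vaddr, vsize, rawsize, entropy, md5 = line.split()
        sections.append({"name": name, "vaddr": int(vaddr, 16),
                         "vsize": int(vsize, 16), "rawsize": int(rawsize, 16),
                         "entropy": float(entropy), "md5": md5})
    return sections


def shannon_entropy(data):
    """Bits per byte of `data`: 0.0 for a constant stream, 8.0 at most.

    This is the quantity the report's 'ntrpy' column gives per section.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packed_hints(sections, threshold=6.0):
    """Names of sections whose entropy is above the threshold.

    Compressed or encrypted bytes look nearly random, so a code section well
    above ~6 bits/byte is a common hint that the file is packed; here it
    agrees with the Armadillo packer that PEiD reported for this file.
    """
    return [s["name"] for s in sections if s["entropy"] > threshold]


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    hits, total = detection_ratio(rows)
    print(f"detections: {hits}/{total}, families: {family_votes(rows)}")
    print("high-entropy sections:", packed_hints(parse_sections(SAMPLE_SECTIONS)))
```

The family count is the useful part when vendors disagree on names: here three engines say "downloader" and three say "fakealert", which together describe a downloader that installs a fake security alert, consistent with the "Anti Virus 2008" symptoms reported earlier in the thread. The entropy threshold is a heuristic, not proof; some legitimate installers are packed too.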