
CPU usage jumps to 90-100% for no apparent reason [Solved]


  • This topic is locked

#1
highland403

  • Member
  • 228 posts
I have thought about wiping my system clean and reinstalling everything, but I have never done it before and that seems like such a daunting task. I am hoping it is something that can be fixed without starting over.

Edited by Extremeboy, 22 April 2009 - 04:04 PM.
Remove log file as per user's request.

  • 0



#2
Extremeboy

  • Malware Removal Staff
  • Retired Staff
  • 824 posts
Hello.

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.

Let's see if there is any malware left...

Update Java to Version 6 Update 12

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
*If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
** If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
*** The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with a new OTListIT2 log as well after Kaspersky is done.

With Regards,
Extremeboy
  • 0

#3
highland403

  • Topic Starter
  • Member
  • 228 posts
EB,
OTListIt2 did not generate an Extras.txt file this time.
Also, after deleting all of the Java updates, my computer made the MS Critical Stop sound near the end of the reboot (just before MS messenger came up).


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, April 21, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, April 21, 2009 00:25:57
Records in database: 2064463
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\

Scan statistics:
Files scanned: 115814
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 04:39:13


File name / Threat name / Threats count
E:\3-RELOCATION PROCEDURES\What's Missing Calculator.exe Infected: Backdoor.Win32.Stanex 1

Edited by Extremeboy, 22 April 2009 - 04:04 PM.
Remove log file as per user's request.

  • 0

#4
Extremeboy

  • Malware Removal Staff
  • Retired Staff
  • 824 posts
Hello.

The log looks okay. There are some things we can talk about.

Also, after deleting all of the Java updates, my computer made the MS Critical Stop sound near the end of the reboot (just before MS messenger came up).

Please elaborate on that. What exactly do you mean by the "MS Critical Stop"?

Also, how is your computer running and what symptoms do you still have?

With Regards,
Extremeboy
  • 0

#5
highland403

  • Topic Starter
  • Member
  • 228 posts
When I restart the computer, it makes one of Microsoft's sounds. If you go to Control Panel > Sounds and Audio Devices > Sounds, there is a window that says Program events. I went through the sounds until I came to what I thought I heard during the reboot. The sound is called Critical Stop. I have seen an error message come up at the same time and I think it said something about explorer. But the error message flashes so fast that if you aren't staring at the screen, you miss it. And if you do see it, it's hard to read.

My computer is still bogging down. Today, I was having trouble with a program called OfficeTime. By pure accident, I found out that this program has been creating a temp file that seems to duplicate the contents of another file in the same folder. When it reaches the same size as the file I presume it is copying, the temp file disappears. I started watching this folder and the temp file starts up about every 2 1/2 minutes. It then takes about 15 seconds to duplicate this other file and then it disappears. Then it happens all over again in another 2 1/2 minutes. This has been going on all day and it is what I have been experiencing and the reason I wrote to this forum.
  • 0

#6
Extremeboy

  • Malware Removal Staff
  • Retired Staff
  • 824 posts
Hello.

E:\3-RELOCATION PROCEDURES\What's Missing Calculator.exe

This file is dangerous according to Kaspersky.

By pure accident, I found out that this program has been creating a temp file that seems to duplicate the contents of another file in the same folder.

Hmm.. Interesting.. Can you tell me that temp file name it's creating? What's the other folder it creates after it creates the temp file?

Regarding backdoors, your computer may be compromised.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

With Regards,
Extremeboy
  • 0

#7
highland403

  • Topic Starter
  • Member
  • 228 posts
EB,

I'll let you be the judge, but I don't think E:\3-RELOCATION PROCEDURES\What's Missing Calculator.exe Infected: Backdoor.Win32.Stanex 1 is infected with a backdoor trojan.

I got this particular program, What's Missing Calculator, from http://www.hughchou.org/. Hugh Chou writes all sorts of calculator programs for amortization schedules, etc. It's a very interesting web site. If you go to his website and look for "Windows Version of What's Missing Calculator", he has a note at the end of the paragraph that says, "Note that if you are running AVG or Trojan Hunter, they may detect my program as a trojan, but it really is not one, it is just a Rapid-Q executable (which are sometimes detected as a trojan just because someone once wrote a trojan using Rapid-Q!" EB, what do you think?

The file that is being automatically created is called OfficeTime Temp File.otd. This file is being created within an existing folder that contains the main data file and an autobackup file. (A new folder is not being created.) The main data file contains info on time spent on projects throughout the day. The autobackup file is supposed to be backing up the main data file at intervals throughout the day. I'm starting to think that this temp file is part of the autobackup process, but I think it is supposed to be running in the background and not using enough resources to be noticeable.

Is it possible that my computer has too many processes running in the background?
  • 0

#8
Extremeboy

  • Malware Removal Staff
  • Retired Staff
  • 824 posts
Hello.

EB, what do you think?

Yes, it can be a FP.

Is it possible that my computer has too many processes running in the background?

I think it's okay. My computer has about 20 processes (understand that I don't have too much on this computer).

Your log looks fine, so regarding the other issues that don't appear to relate to malware, you might want to start another topic in a more appropriate forum since this topic is only for malware removal.

Thanks for understanding.

With Regards,
Extremeboy
  • 0

#9
highland403

  • Topic Starter
  • Member
  • 228 posts
It took a second, but I think FP means False Positive?

If it means something else, please let me know. Otherwise,

I really appreciate the assistance!

highland403
  • 0

#10
Extremeboy

  • Malware Removal Staff
  • Retired Staff
  • 824 posts
Hello.

It took a second, but I think FP means False Positive?

Yes. Sorry for the acronyms..

If it means something else, please let me know. Otherwise,

Please list for me any problems you still have right now and I'll see which place would be better suited.

Thanks.

With Regards,
Extremeboy
  • 0

#11
highland403

  • Topic Starter
  • Member
  • 228 posts
Now that I am reasonably sure that Officetime is the problem, I am going to contact them for a solution.


I would like to know where to post or go to find info on what can be deleted to make my computer run faster. Such as processes that aren't needed and remnants from old deleted programs that still have files on my computer that can be deleted.

Thanks
  • 0

#12
Extremeboy

  • Malware Removal Staff
  • Retired Staff
  • 824 posts
Hello.

Regarding slowness and how to make it a bit faster, I suggest posting in the Windows System forum.

Below are some prevention tips (even if you were not infected).

Create a New System Restore Point <- Very Important

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

System a Bit Slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:

  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, then here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.

Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy

  • 0
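
An added example, not part of the original thread or of any tool named in it: post #12 notes that USB worms rely on an AUTORUN.INF file in the drive root, so the Python below lists the entries of such a file that would start a program, letting a removable drive be inspected before it is opened. The keys checked (open, shellexecute, shell\<verb>\command) are standard autorun.inf keys; the function names and the sample file contents are constructed for illustration.

```python
import os
import re

# [autorun] keys whose value is a command Windows may execute.
EXEC_KEYS = ("open", "shellexecute")
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample contents (hypothetical file names, not from a real drive).
SAMPLE = """\
; constructed sample
[AutoRun]
icon=folder.ico
label=BACKUP
OPEN=tool.exe /s
shell\\open\\command=tool.exe
shell\\open=Open
[Content]
MusicFiles=false
"""


def parse_inf(text):
    """Parse INF-style text into {section: [(key, value), ...]}, lower-casing names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def launch_entries(text):
    """Return the (key, command) pairs in [autorun] that would start a program."""
    return [
        (key, value)
        for key, value in parse_inf(text).get("autorun", [])
        if key in EXEC_KEYS or SHELL_COMMAND.match(key)
    ]


def audit_root(root):
    """Inspect the autorun.inf (any letter case) in a drive root, if present."""
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            # latin-1 never fails to decode, so padded or odd files still parse
            with open(path, encoding="latin-1") as handle:
                return launch_entries(handle.read())
    return []


if __name__ == "__main__":
    for key, command in launch_entries(SAMPLE):
        print(f"{key} -> {command}")
```

On Windows, pass the root of the removable drive, for example `audit_root("E:\\")`; an empty list means the file is absent or names nothing to launch.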

#13
highland403

  • Topic Starter
  • Member
  • 228 posts
Thanks again EB for all your help. I do not have any more questions.

highland 403
  • 0

#14
Extremeboy

  • Malware Removal Staff
  • Retired Staff
  • 824 posts
You're welcome.

Happy surfing again and good luck!

With Regards,
Extremeboy
  • 0

#15
Extremeboy

  • Malware Removal Staff
  • Retired Staff
  • 824 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





