0

Hello folks,

I've acquired a virus or worse and I'm posting the required files for further scrutiny. Thanks.

malware log:

Malwarebytes' Anti-Malware 1.36
Database version: 2145
Windows 5.1.2600

5/17/2009 5:57:09 PM
mbam-log-2009-05-17 (17-57-09).txt

Scan type: Full Scan (C:\|E:\|F:\|G:\|)
Objects scanned: 272217
Time elapsed: 55 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\C.Cousin\Local Settings\vwqwfoe.alw (Trojan.Gumblar) -> Quarantined and deleted successfully.

Here's the Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:44 PM, on 5/17/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Promise\FastTrak\FtrakSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\Program Files\Promise\FastTrak\FtrakSvc.exe

--
Thanks for any help you can provide.

Keep Smiling

Attachments
Malwarebytes' Anti-Malware 1.36
Database version: 2145
Windows 5.1.2600 

5/17/2009 5:57:09 PM
mbam-log-2009-05-17 (17-57-09).txt

Scan type: Full Scan (C:\|E:\|F:\|G:\|)
Objects scanned: 272217
Time elapsed: 55 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\C.Cousin\Local Settings\vwqwfoe.alw (Trojan.Gumblar) -> Quarantined and deleted successfully.
3
Contributors
18
Replies
19
Views
8 Years
Discussion Span
Last Post by bryan custer
0

Hi and welcome to daniweb,
Where in the world did the title for your thread come from? I seen nothing like that in your logs.
Your computer is woefully out of date. You have NO Windows XP updates showing at all, your java is also way, way out of date and you are showing NO antivirus program at all, nor a firewall.
Have you EVER updated this computer? If not then there are FOUR good reasons for an infection:
No Windows Updates, No Java Updates, No Anti-virus program, No Firewall
In fact the only current programs I see are the HiJackThis program and the Malwarebytes' Anti-malware program.
Are you certain this scan was run in normal mode? I know it says it was but it is extremely small.
From what I can see in the log I don't see anything else and if that is the case I have to say you are lucky. You have every door open for infection there and extremely BAD infections.
You should run the ESET Online scanner also. Have it fix whatever it finds and post back with the log.

0

I will try the ESET Online Scanner tonight.

I've kept this particular system offline for years. It is my primary edit machine (for video/film) and as such, it hasn't needed to access the internet for anything.

I have a Netgear hardware firewall that has been keeping all of my online systems healthy, and the recommendation has been to not use a software firewall if you have a hardware one. Additionally, I'd placed my hardware router in stealth mode, set it to ignore pings, closed unused ports, etc.

This WJQS.exe (found in my prefetch folder) virus/malware managed to get in during the one time that I did use the Net, whilst viewing a .pdf file. It utilized the Acrobat .pdf exploit uncovered in February. I've since disabled the Acrobat's use of javascript.

I was aware of it (WQJS.exe) almost immediately, when my CMD.exe stopped performing properly, resetting my desktop icons, and similar behavior. (Command.com still worked). I deleted the WQJS.exe file from the Prefetch using ATI-Cleaner, followed that with the Malware (with which was unable to access the updates in the net, so I had to copy the latest definitions from another system--also isolated).

Malware located one threat: vwqwfoe.alw. It quarantined and erased that file.

I then ran HJThis in what I considered Normal mode, but was also surprised at the brevity of the report--nothing like what I've seen here.

Because I kept this system isolated, and it performed the delicate video editing that I required of it, I was apprehensive about adding anything that would upset the applecart. 5 years without a single problem, until now.

Could the brevity of the HJThis post indicate a bug still lurking, covering its tracks?

One last caveat: The editing software I use stops working properly when XP-SP1 is loaded. This is a 5 year old problem, and the very one that caused me to isolate this system in the first place. My thinking was "If it never sees the net, and I never load anything that could be infectious(my video files come straight from a direct camera capture), I should be able to edit forever."

Thanks, in advance, for your continued help and your valuable opinions.

Keep Smiling

0

Could the brevity of the HJThis post indicate a bug still lurking, covering its tracks?

Honestly, I don't know. I have never encountered a totally "non-updated" machine, don't know if that is even a word but you know what I mean. Could also be due to the fact this machine is essentially never online and what we normally see here are logs from machines that are online machines which do require more than one such as this one, I really cannot say. I am an amateur not a trained tech or anything like that, what little I know I learned from places like this forum and from the really knowledgeable techs from "way back" who were willing to sit on the phone with you for hours to help keep your computer running as it should...those days are gone now pretty much. I will ask Crunchie to take a look here and see what he thinks of all of this.
Do try the ESET scan and see if anything else shows and let us know.
Judy

0

Consulted with Crunchie, System Restore is an option to try. One thing he said and I absolutely agree that update to XP SP1 at least, along with all security updates is an absolute must.

0

jHolland:

The ESET Online Scanner requires Windows IE (which requires Active-X components). Is there a reputable online scanner that you would reccomend that can use Firefox instead? I've never trusted IE. Never will.

With regards to Crunchie's consensus for XP SP1, is this update an absolute must, even though the machine in question is almost never online, as I explained earlier? (An upgrade to SP1 would require assorted updates to the video-editing software that I use on this machine.) If the machine is free and clear (ATI-Cleaner, Malware-Bytes, HiKJackthis, SpyBot S&D, and you, all seem to indicate so), and I continue to keep it off-line, do I still need SP1?

FYI, I have at least a dozen other systems, all running with the required protections. This single machine was the isolate: Ironic that it would be the first one to have gotten a nasty.

Keep Smiling

0

Ironic that it would be the first one to have gotten a nasty.

No it is NOT ironic. Note what you say about all the other machines....

I have at least a dozen other systems, all running with the required protections.

That is why THIS one got the infection and not the others it is not updated and totally unprotected and because of this it SHOULD NEVER go online, EVER. If it is never ever going online then no I would say forget doing anything else BUT...don't be transferring files from this computer to others either because IF there is remaining infection there would be a chance it could transfer to another computer via flash drive, cd, dvd, or just computer to computer if they are connected.
If transfers are done, the receiving computer should first SCAN whatever media is used for the transfer...DVD, CD, Flash Drive, whatever to be certain any files coming from this computer are not also carrying an infection with them.

0

Thanks for the advice, and the help. I will continue to be vigilant.

"The ESET Online Scanner requires Windows IE (which requires Active-X components). Is there a reputable online scanner that you would recommend that can utilize Firefox instead?"

Keep Smiling

0

I would seriously advise NOT to try an online scan before installing security software!
I did it once after a reformat. All I did was dial up to download.com to get a file zipping program, five minutes later and I had a worm.
Reformatted again immediately and learned my lesson.

0

Thanks Crunchie and jholland:

OK, so the alternative is to do what I've already done, which is to depend on Malwarebytes and Spybot's off-line scanning programs. Is there a significant difference between these programs and on-line scans? I mean, if the virus/worm signature files that these programs use are up-to-date, then wouldn't they both find and eradicate the same bugs?

Thanks to you both.

Keep Smiling

0

My question in return is, what is the problem with installing an AV and a firewall?
Why not install all the latest patches to the OS etc.?
Little bit of work involved, but the benefits far outweigh the negatives.

0

jholland and Crunchie: Thanks for your patience with me.

To answer your questions in return:

The editing software I use stops working properly when XP-SP1 is loaded. An upgrade to SP1 would thus require additional assorted updates to the video-editing software that I use on this machine, just to make it (the video software) run again. Further, these video software updates then require further updates for associated programs (i.e. Quicktime), which require further updates (i.e. the Java Engine). This cascading update process is exactly what I'm trying to avoid, in the midst of a large project.

Additionally, the updated programs tend to slow down the video-edit software (I've experienced this on other systems), and the AV programs disk monitoring utilities interfere with the DVD authoring program that I use, due to their tendency of regular I/O scanning, which causes interruptions of the flow between (I believe) the atapi controller and the authoring program.

This system sat behind a Netgear hardware firewall for 5 years (with pinging to it disabled), with only limited access (when I physically plugged in the Cat-5 cable) to the internet. During these rare moments, I made sure all other connected systems were off-line (or just turned off).

From the logs you can see that this system displayed a maximum of 16 processes running, when idle. I've monitored this closely through the years; keeping this list trim helped keep the video-edit transcode time short (only a few other clock-ticks).

I do not intend on placing the system on-line again, if I can help it.

So, I hope that helps to answer your questions--describing it as "a little bit of work" is an understatement. I'm in mid-project with this system; I can never be sure that upgrades won't cause some program to act differently. (Example: Quicktime updates cause havoc with systems; Apple has a plethora of users complaining about system changes each time they issue an update: 6.0, 6.3, 6.4, 7.0, 7.45, 7.6. Just about all version upgrades caused users problems. Many users had further issues trying to rollback to a previous QT version. SP1 breaks the QT version that I have on this machine; this requires a later version of QT, which in turn cripples its relation/linkage to the video-edit software).

I have a second, newer machine with the same video-edit software. This machine has SP2 installed, later versions of QT and the patched video-edit software. It's contains a faster processor (Intel Quad) and faster drives, yet it runs (transcodes video) slower than the older system that we are dealing with here. Thus, the OS upgrades add additional overhead, much of it concerned with virus protection and security, none of which I need if I keep the system isolated.

If I can just use the various detection tools to assure that the older trooper is free of varmints, I can hopefully allow it to resume its work as a competent transcoding machine.

Is there a significant difference between these programs and on-line scans? I mean, if the virus/worm signature files that these programs use are up-to-date, then wouldn't they both find and eradicate the same bugs?

Keep Smiling

0

I'm in mid-project with this system;

Well obviously the final choice has to be yours...but WHY are you even going online with this system? You have not explained that AT ALL.

As I said, the choice is yours but you say above, you are in mid-project with this system, yet you went online with a totally uprotected system and were infected. Thankfully your project was not damaged or ruined, THIS TIME. But it very well could have been and very, very easily. The trojans, rootkits, worms, etc., out there today can be injected into a protected system with just the simple click of the mouse and with some of these things today cleaning can be a total nightmare. On an unprotected system, frankly it would quite possibly be impossible. You can be thankful that what you had on the system evidently was fairly benign, many of the infections today are not. They are like a cancer, and especially on an unprotected, non-updated system they can eat the key system files up and spit them out, rendering the computer 100% unusable, along with anything else that happens to be on it, like big, important, long standing projects.


Now I have been giving this a lot of thought and finally I have come to these conclusions...

You are running XP just as it was when it was released 9 years ago...period, no updates, NOTHING and supposedly you are, from reading your posts, a video editor of some kind. YET you don't want to update a computer running a 9 year old os because it would allegedly slow your other software and therefore require updates to all of the other software on the system, not to mention DRIVERS and all other things connected to the computer...WHY?

The ONLY logical conclusion is that this computer is loaded with ALL pirated software, including your copy of XP and all your video editing software. That is the only logical reason NOT to update, because you CAN'T.

Why would somebody doing video editing NOT want to update to the very latest capability instead of using programs that only work with a 9 year old non-updated operating system? Because it would slow everything down, requiring further updates to speed it back up? NO...Because they CAN'T.

Is there a significant difference between these programs and on-line scans? I mean, if the virus/worm signature files that these programs use are up-to-date, then wouldn't they both find and eradicate the same bugs?

YES, because you have to go online with an infected machine in order to get to these online scans and putting OTHERS at risk because of it. If you have an updated system, with valid, up to date programs and protection then you don't have to be concerned about going to the online scans to remove infections...9 out of 10 times they won't be ON the machine! Are the fool proof? No, but they sure up the odds for staying clean in the first place. As you have seen the chances of getting infections on an non-updated machine, with NO security protection is 100%

I'm out of here.

Just do us ALL a favor, STAY OFF THE INTERNET WITH THIS MACHINE so that the rest of us using legitimate, paid for operating systems and software don't run the risk of infection on our computers because you happened to surf by and drop infections on the pages we may want to visit.

0

Judy:

Despite your assessment, using the logic that Spock himself would use, I am not using any pirated software. Nor would I ever use any pirated software-it is not within my psyche to do so. Further, I detest all such users (thieves, scondrels and scalliwags, all of them). I don't condone crimes of any kind and I consider all criminals to be descendants of vandals, from schoolyard rock throwers, to computer hackers, to terrorists--they are all embarrassments to humanity.

My software is bought and paid for; my Windows version is valid and I hold the licensed disk. I could scan it and include that in a post if it will help to mitigate your guilty-until-proven-innocent thesis. I do accept your apologies, although I understand the logic you allude to.

I was on the internet because I needed to view a .pdf file, and I was too lazy, in that one moment, to go over to my internet machine, interrupt my wife and use it. I went only and straightly to a trusted Adobe site, but was caught by the Acrobat exploit.

The system was running fine before my mistake. It didn't need any updates and it trancoded video efficiently, thoroughly. This system was relagated to transcodes only when I received the new machine, which I actually use for editing. I know it is old, but it worked properly, and I would like to keep it that way.

I myself apologize for the depth of this post, but I dislike, with extreme intensity, being accused of piracy. (I also refuse to accept pirated movie DVDs and refuse to make copies of any in my collection, DVD or CD, for anyone. I pay for my premium cable channels and my gasoline.)

Is there a significant difference between these programs and on-line scans? I mean, if the virus/worm signature files that these programs use are up-to-date, then wouldn't they both find and eradicate the same bugs?

Keep Smiling

PS. Cheaters crush humanity, which includes themselves.

0

Why would somebody doing video editing NOT want to update to the very latest capability instead of using programs that only work with a 9 year old non-updated operating system?

Beacuse it is not cost effective, time-wise, when the system has been relegated to transcode-only. I have another system, as I said, that I use for fast, live editing. This system, as I've stated, is used for passive transcoding only.

Keep Smiling

0

So, Judy, do I at least merit an apology from you, for your jumping to the wrong conclusion?

It's important to me that you understand that assumptions, however derived, can be wrong. And as a volunteer assistant, such a quick-to-accuse attitude would only serve to distance said accuser from those who would be aided, as well as those fellow aides. Instead of a more diplomatic approach. Surely you have encountered others with eccentric ways, others that have demonstrated unusual yet benign habits, that could have a million different impetuses (or is it impetii?) to explain them? An aunt or uncle? A grandfather, maybe?

I'm almost 60, and began computer work (programming), well before IBM-PCs were developed. Cobol, Fortran, Assembler Language, data punch cards!, mainframes, IBM-360s. I've programmed flight simulators, restaurant POS /seating systems, statistical programs, medical databases, and some games. I've used Apples, Macs, PCs, Texas Instruments, Commodores, mainframes, and more...

A car rental company here STIILL! uses a terminal style (DOS-based) turnkey POS system---it requires both legacy architecture and software. They stick by it because it works.
I laughed at their green and amber monitors, but I rented the car.

Entire agencies are still using Windows 3.1/95/98/2000, because it works. They, too, avoid updates, because updates can break what works. The Hubble Telescope is using computer software that is at least 7 years old. The Space Shuttle itself is running DOS systems.

So please don't aim assumptions and accusations where they don't apply, merely because your logic isn't experienced enough to include a patient's prior history. The whole story is always required. It (your logic) needs to be fuzzier.

I came here with honesty in hand, humbled by an intrepid viral intruder's attack on my business. I did not expect to have my psyche further bruised.

If "I'm out of here" means you will not be responding further, at least understand that I understand it to mean:
"I'm out of hear."

Keep Smiling, and keep a more open mind, please.

0

Look, what other conclusion should people come to? The main reason this is SO maddening is that we deal with people daily who come in with poorly updated computers, badly infected computers, kids, older people who have no clue as to why their computers are infected, not working, working slowly, etc. and who are just plain amateurs, they maybe have an excuse. But for somebody who has the knowledge you have to go online with a non-updated, totally unprotected computer and then doubt or refuse any suggestion given here, there is just no excuse. I am sorry.

People come here quite often to learn, and they do learn, they have told us so. I hope and pray others HAVE learned from this action you have done and will learn they should NEVER, EVER go online without adequately protecting their computers and the valuable programs they may have on them.

It's important to me that you understand that assumptions, however derived, can be wrong.

They certainly can.

I'm almost 60, and began computer work (programming), well before IBM-PCs were developed. Cobol, Fortran, Assembler Language, data punch cards!, mainframes, IBM-360s.

By this, I MAY be wrong but I get the "feeling" that you think I am a "kid" or somebody who knows nothing of these old systems...I am 63 years old. And yes I do know of these systems, I have done some minimal work on a few of them also. No I am not a programmer, never claimed to be but I AM familiar with them. When I was in high school we received instruction at a local, privately owned data processing center, with yes data punch cards, mainframes and IBM-360s. Minimal instruction, yes, but we were at least informed of these, saw them in action and at least given some knowledge of what they did and how. We were told "way back then" that "sometime in the future" everybody would have a computer in their home! Of course at that time the only mental picture one could conjure up would be homes that would have to be 20, 30 times the size of homes we lived in at that time in order to accommodate something that large in our home!

I've used Apples, Macs, PCs, Texas Instruments, Commodores,

And so have I. My very first home computer was one of the original Texas Instruments home computers and a printer with perforated paper! The first computer we purchased for our daughter was a Mac. So yes, I am familiar with those and also used a terminal style (DOS-based) turnkey POS system at the small Catholic school where I worked years ago compiling alumni records and yes, they had those green screens you could barely read with the lights turned on in the room.

Surely you have encountered others with eccentric ways, others that have demonstrated unusual yet benign habits, that could have a million different impetuses (or is it impetii?) to explain them? An aunt or uncle? A grandfather, maybe?

My grandfathers both have been dead for over 60 years, I've had two 80+ year old Uncles I have helped with their computers...the one remaining who is now 86, and got his first computer 3 years ago, the other got his first computer 20 years ago, an old Radio Shack Tandy computer. He must have used it 10 years. Yes, I helped him with that when he had problems and I helped him set up his first PC with Windows on it and helped him secure it against the very few nasty items floating around back then.

So please don't aim assumptions and accusations where they don't apply, merely because your logic isn't experienced enough to include a patient's prior history. The whole story is always required. It (your logic) needs to be fuzzier.

Sorry you feel my logic is not experienced enough to include "the patients" prior history...I did include the prior history, at least as far as the computer you have posted about is concerned. I have to base my feelings, comments, suggestions and yes assumptions on what I HEAR from the poster and have also have experienced with others in the past, which is go online with an out of date, unprotected computer and EXPECT to become infected and then EXPECT to NOT be able to run various required programs without updating that computer.
We see this every week here, along with the very same excuses you gave, it will ruin other programs, they will all have to be updated, it will take a long time, I don't want to update what is working well, I hardly ever go online and finally the poster says, "I got this OS via P2P file sharing or from my friend and I can't update it because it isn't legal" so what are we to assume? We have heard ALL of these same excuses before. So yes I DO HEAR.
We are all volunteers here. We are here because we want to be.
One of the nightmares we all experience and I am sure will from this thread, is..."I saw on your website a post from a guy who ran his computer not updated because he said it made his computer slower and his programs not run right and it got infected and he got it cleaned ok. That is why I didn't update my computer or use an anti-virus program because it makes your computer slower." This is why we have this PC Protection - How To Avoid Infections as a "sticky" Read Me at the top of this section. It is something we all adhere to and state daily in our instructions.
As for keeping an open mind, I do have a very open mind, with the exception of what is needed to clean a computer and to keep it safe. I will continue to preach what is in that sticky.

0

That is not an apology. Your assumption was wrong. Period. The proper words to use are:

"I apologize for jumping to the wrong conclusion. I'm sorry." Not "What else was I to think?"

I apologize for assuming that you are [much] younger than you are. That assumption has as its basis the apparent lack of ability to admit when you are wrong, a trait that seems to be more and more prevalent these days, among the younger folks. I'm sorry.

Keep Smiling

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.