Status
This thread has been Locked and is not open to further replies. The original thread starter may use the Report button to request it be reopened but anyone else with a similar issue should start a New Thread. Watch our Welcome Guide to learn how to use this site.

DKTaber

My AV program is Avira Antivir. Scans by it find no malware. In an effort to make sure my computer is "clean", I recently ran online scans from Kaspersky, Panda, and Trend Micro. Only Kaspersky found anything -- Trojan.Downloader.JS.Gumblar.a. Is this a legit trojan, or a false positive? If not false, what does this trojan do?

FYI, I found the following on a Kaspersky forum: "FYI - this suspected trojan infection is directly related to Visual Ticket software......visualticket.com. I just spoke with Michael, the software developer on the telephone (425-822-4690) and he stated that the recent Kaspersky databases are causing the false detection of the Gumblar virus. He stated that he has contacted Kaspersky today and is working with them to fix this."

The above message was posted 5/27/09 -- 2 months ago -- so if this is indeed a false positive, why hasn't it been fixed in 2 months!?

Karen
Malware Specialist Coordinator
Where did Kaspersky find it? Please check your logs and report back.

DKTaber

Where did Kaspersky find it? Please check your logs and report back.
They're in e-mails in my In- and Sent boxes. Problem with Kaspersky's online scan is that, whereas Panda and Trend Micro REMOVE the offending malware, Kaspersky does not. They want you to buy their product to do that. . . which I'm not about to do.

My intuition is telling me to ignore Kaspersky's finding, for several reasons: (a) No other AV software, on my HD or online, says I have a malware infection. (b) Before doing a total computer scan with Kaspersky, I did a "Critical Areas" scan (essentially the system files). It found no infections there, so it appears that even if some e-mails (it says 3) are infected, the infection isn't spreading to other files. (c) I retain only the last 3 months of e-mails on my PC, deleting the oldest full month of them on the 1st of every month. So the infected files, if they are indeed infected, will sooner or later be deleted.

So in your opinion, what's the probability that (a) this is a real infection, not a false positive and (b) that it's doing or will do anything I need to be concerned about?

DKTaber

Hey, I just discovered something interesting. In the report, I right-clicked the name of the malware (Trojan-Downloader.JS.Gumblar.a), and it automatically enters the name in Kaspersky's online virus list search box and does a search. Guess what? NOT FOUND! I tried multiple searches after removing (sequentially) "Trojan", "Downloader", "JS" and ".a", ultimately searching only on the word "Gumblar". None of the searches found anything.

Me thinks the evidence that this is a false positive that Kaspersky has been unable to fix for at least 2 months is persuasive. Unless you think otherwise, I'm going to ignore it.

Karen
Malware Specialist Coordinator
JS.Gumblar.a is a javascript file that is normally picked up visiting a web site but I suppose it could be in an e-mail attachment as well. If you delete the suspicious e-mails and you're not experiencing other symptoms, such as redirects, you should be fine. But I would change all passwords as a precaution. It would be a good idea to post a HijackThis log so I can see if there's anything out of place.

• Save HJTsetup.exe to your desktop.
• Double click on the HJTsetup.exe icon on your desktop.
• By default it will install to C:\Program Files\Hijack This.
• Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
• Put a check by Create a desktop icon then click Next again.
• Continue to follow the rest of the prompts from there.
• At the final dialogue box click Finish and it will launch Hijack This.
• Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
• Click Save to save the log file and then the log will open in notepad.
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
• DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

DKTaber

Per your request, here's the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12pm, on 7/31/09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Emoticons Mail\emomail.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [ScanSoft OmniPage SE 4.0-reminder] "C:\Program Files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Emoticons Mail] C:\Program Files\Emoticons Mail\emomail.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246207098187
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246965741818
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 7372 bytes
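As an added example, not from this thread and not part of HijackThis itself, here is a small Python triage helper that parses the O2/O4/O23 lines of an HJT log like the one above and flags any BHO, autorun or service binary that loads from outside Windows/Program Files or from a temp/profile folder, which is the kind of "out of place" entry a helper looks for first. The sample log is constructed (the Temp-folder autorun in it is invented to exercise the check), and the trusted-root list is an assumption for an XP-era system.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v2 log format. The first, second, third and
# fifth lines mirror entries posted in the thread; the fourth (a Temp-folder
# autorun) is invented so the heuristic has something to flag.
SAMPLE_LOG = r"""
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# Assumed "normal" install roots on a Windows XP box; anything else is worth a look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
# Folders that legitimate autoruns/services almost never live in.
TEMP_MARKERS = ("\\temp\\", "\\local settings\\", "\\application data\\")

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")          # "O4 - <body>"
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\"\n]+\\)*[^\\"\n]+?\.(?:exe|dll)\b', re.IGNORECASE)

@dataclass
class Entry:
    kind: str              # HJT section, e.g. "O4"
    path: Optional[str]    # first .exe/.dll path found on the line, if any
    reason: Optional[str]  # why it was flagged; None when nothing stood out
    raw: str

def assess_path(path: str) -> Optional[str]:
    """Return a short reason if the binary location looks unusual."""
    p = path.lower()
    if any(m in p for m in TEMP_MARKERS):
        return "binary lives under a temp/profile data folder"
    if not p.startswith(TRUSTED_ROOTS):
        return "binary outside Windows and Program Files"
    return None

def parse_hjt(text: str) -> List[Entry]:
    """Turn the O-lines of an HJT log into Entry records; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.groups()
        pm = PATH_RE.search(body)
        path = pm.group(0) if pm else None
        entries.append(Entry(kind, path, assess_path(path) if path else None, line))
    return entries

def flagged(text: str) -> List[Entry]:
    """Only the entries whose binary location tripped a heuristic."""
    return [e for e in parse_hjt(text) if e.reason]

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.kind}: {e.path}  <-- {e.reason}")
```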

Karen
Malware Specialist Coordinator

• Double-click mbam-setup.exe to install the application.
• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

DKTaber

Cookie: I already have, and run full scans regularly (like every other day) with, SuperAntiSpyware and Ad-aware Anniversary Edition (the best of Lavasoft's editions). I used to also have Malwarebytes, but it never found anything, so I removed it about 3 months ago. Despite that experience, I did as you said -- downloaded, installed and updated Malwarebytes, then ran a quick scan.

My experience with it continues. . . as always, it found nothing. Nor did SuperAntiSpyware. The only one that occasionally finds 1 or 2 supposed spyware files is Ad-aware, and it did find the file it always finds, "live365", which is actually probably not spyware. . . at least not malicious spyware; it loads every time I go to Beethoven.com to listen to classical music.

Karen
Malware Specialist Coordinator
Download OTS.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTS on your desktop.
1. Close any open browsers.
2. If your real-time protection or antivirus interferes with OTS, allow it to run.
3. Open the OTS folder and double-click on OTS.exe to start the program.
4. In the Additional Scans section put a check in Disabled MS Config Items and EventViewer logs.
5. Now click the Run Scan button on the toolbar.
6. The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
7. When the scan is complete Notepad will open with the report file loaded in it.
Use the Reply button, scroll down to the attachments section and attach the notepad file here.

DKTaber

Cookie: What does OTS do? It didn't take a long time; only a little over a minute. The file it created was too big to attach directly -- 1.76MB -- so I zipped it.

Karen
Malware Specialist Coordinator
It scans various places in the registry and files created and modified on your computer. But you didn't select the correct setting so you are showing every file ever created and modified on your computer.

Start OTS. Copy/Paste the information in the code box below into the pane where it says "Paste fix here" and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.

Code:
[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\AV-CLS\WGET.EXE" -> C:\AV-CLS\WGET.EXE [C:\AV-CLS\WGET.EXE:*:Enabled:WGET.EXE]
[Files/Folders - Created Within All Days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within All Days]
NY -> 6 C:\Documents and Settings\Don Taber\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Don Taber\Local Settings\Temp\*.tmp
NY -> 1 C:\Documents and Settings\Don Taber\Local Settings\Temp\HCBackup\*.tmp files -> C:\Documents and Settings\Don Taber\Local Settings\Temp\HCBackup\*.tmp
NY -> 1 C:\Documents and Settings\Don Taber\Local Settings\Temp\HouseCall\*.tmp files -> C:\Documents and Settings\Don Taber\Local Settings\Temp\HouseCall\*.tmp
[Alternate Data Streams]
NY -> @Alternate Data Stream - 344 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
[Empty Temp Folders]
[Start Explorer]
[Reboot]

DKTaber

I did as you said. When OTS got to [Empty Temp Folders], it issued an error message about "Range error" and froze the system. My Desktop was left void of any shortcuts and I had no taskbar, so I had to reboot manually.

Karen
Malware Specialist Coordinator
• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.
• If you use Firefox:
• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.
• If you use Opera:
• Click Opera at the top and choose: Select All
• Click the Empty Selected button.

• Click Exit on the Main menu to close the program.

Then post a new HijackThis log please.

DKTaber

Cookie: I do not want to zap all of my cookies and Internet history, both of which would be wiped out if I 'select all' with ATF. As I said in a previous message, the evidence that the "Gumblar" thing is a false positive is pretty strong. So I think I'll leave things as they are.

Karen
Malware Specialist Coordinator
OK then. You're welcome.
