JIT Debugger - some kind of malware/virus?


  • This topic is locked
6 replies to this topic

#1 ferdw

ferdw

  • Members
  • 9 posts

Posted 26 April 2009 - 01:29 PM

I have repeatedly tried running SpyBot Search & Destroy, but it always seems to hang up before it's halfway through the scan. Aside from the computer being very slow, I keep getting these windows that pop up saying something about an error and do I want to debug using JIT Debugger. I wish I had done a screen capture, but then that might be more than anyone wants to see. I ran the DDS.scr script and include here the two files of information; per the instructions I zipped the Attach.txt file.

Oh yeah, another thing that happened this morning is that Internet Explorer (even though I normally use FireFox) starting popping up porn sites. Very disconcerting as my granddaughter was sitting behind me watching her programs. Luckily she was intent on her programs!

I apologize if my description is lacking, but I have spent some time trying to figure this out, including running SmitfraudFix this morning (based on a recommendation found at a forum), and am a little confused as to what symptoms I have experienced. The most prevalent are the debugging popups. I appreciate any suggestions you might have.

DDS.txt:


DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Owner at 11:14:27.81 on Sun 04/26/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.87 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\wdmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner\My Documents\Ferd\MP3s\from Blogs\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe,,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
uRun: [P2kAutostart]
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe"
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [VTTimer] VTTimer.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
mRun: [odby] c:\windows\odb.exe
mRun: [netc] c:\windows\svc.exe
mRun: [sms] c:\windows\sms.exe
mRun: [ctfmon] c:\windows\ctfmon.exe
mRun: [taskmg] c:\windows\taskmg.exe
mRun: [servicelayer] c:\windows\servicelayer.exe
mRun: [vlc] c:\windows\vlc.exe
mRun: [netx] c:\windows\svx.exe
mRun: [wdmon] c:\windows\wdmon.exe
mRun: [netw] c:\windows\svw.exe
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
StartupFolder: c:\documents and settings\hp_owner\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &Search - ?p=ZKfox000
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
Trusted Zone: neology-rfid.com\neo-ex1
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168654447187
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197747374468
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: awvtt - c:\windows\system32\awvtt.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awvtt.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\jxg5pf3y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\jxg5pf3y.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

============= SERVICES / DRIVERS ===============

S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys --> c:\windows\system32\drivers\ntcdrdrv.sys [?]
S2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2003-12-8 218736]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-6-8 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-6-8 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-6-8 42112]

=============== Created Last 30 ================

2009-04-26 09:30 3,298 a------- c:\windows\system32\tmp.reg
2009-04-25 19:41 <DIR> --d----- c:\program files\ToniArts
2009-04-11 00:15 261,632 a------- c:\windows\svw.exe
2009-04-11 00:15 261,632 a------- c:\windows\wdmon.exe
2009-04-11 00:15 261,632 a------- c:\windows\svx.exe
2009-04-11 00:15 262,144 a------- c:\windows\vlc.exe
2009-04-11 00:15 311,296 a------- c:\windows\servicelayer.exe
2009-04-11 00:15 308,224 a------- c:\windows\ctfmon.exe
2009-04-11 00:15 271,360 a------- c:\windows\taskmg.exe
2009-04-11 00:15 270,848 a------- c:\windows\sms.exe
2009-04-11 00:11 197 a--sh--- c:\windows\system32\1959992787.dat
2009-04-11 00:11 261,632 a------- c:\windows\svc.exe
2009-04-11 00:11 234,496 a------- c:\windows\odb.exe
2009-04-11 00:11 24,064 a--sh--- c:\documents and settings\hp_owner\protect.dll
2009-04-11 00:11 24,064 a--sh--- c:\windows\system32\autochk.dll

==================== Find3M ====================

2009-02-09 03:19 1,846,272 a------- c:\windows\system32\win32k.sys
2008-06-28 20:14 2,788,800 a------- c:\program files\FLV PlayerFCSetup.exe
2007-09-30 13:25 774,144 a------- c:\program files\RngInterstitial.dll
2007-04-20 20:26 24,192 a------- c:\documents and settings\hp_owner\usbsermptxp.sys
2007-04-20 20:26 22,768 a------- c:\documents and settings\hp_owner\usbsermpt.sys
2007-03-04 20:03 92,064 a------- c:\documents and settings\hp_owner\mqdmmdm.sys
2007-03-04 20:03 79,328 a------- c:\documents and settings\hp_owner\mqdmserd.sys
2007-03-04 20:03 66,656 a------- c:\documents and settings\hp_owner\mqdmbus.sys
2007-03-04 20:03 9,232 a------- c:\documents and settings\hp_owner\mqdmmdfl.sys
2007-03-04 20:03 6,208 a------- c:\documents and settings\hp_owner\mqdmcmnt.sys
2007-03-04 20:03 5,936 a------- c:\documents and settings\hp_owner\mqdmwhnt.sys
2007-03-04 20:03 4,048 a------- c:\documents and settings\hp_owner\mqdmcr.sys
2008-01-06 17:14 342,597 ---sh--- c:\windows\system32\ttvwa.bak1
2008-02-24 12:09 245,737 ---sh--- c:\windows\system32\ttvwa.bak2
2008-02-24 12:38 239,852 ---sh--- c:\windows\system32\ttvwa.ini2
2006-11-07 21:47 722,009 ---sh--- c:\windows\system32\tvvwa.bak1

============= FINISH: 11:15:06.78 ===============

Attached Files
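
Reading a DDS log like the one above comes down to deciding which persistence entries deserve a closer look. As an added example, not part of the original thread or of the DDS tool itself, the Python script below walks the autorun (uRun/mRun), Notify and LSA lines of the "Pseudo HJT Report" and applies a handful of defender-side triage heuristics: an autorun image sitting directly in the Windows directory rather than a program folder, a system binary name appearing outside system32, rundll32 loading a DLL from a user profile, an LSA authentication package other than msv1_0 (and whether that same DLL is also registered as a Winlogon Notify handler), and one DLL export being loaded from more than one file. The excerpt is copied from the log posted above; the list of system binary names, the path prefixes and the heuristics themselves are my own assumptions, and a hit is a lead for the analyst to check, not a verdict.

```python
import re
from collections import defaultdict

# Constructed excerpt: these lines are copied from the DDS "Pseudo HJT Report"
# posted above and trimmed to the autorun, Notify and LSA entries.
DDS_EXCERPT = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
mRun: [odby] c:\windows\odb.exe
mRun: [netc] c:\windows\svc.exe
mRun: [ctfmon] c:\windows\ctfmon.exe
mRun: [vlc] c:\windows\vlc.exe
Notify: awvtt - c:\windows\system32\awvtt.dll
Notify: igfxcui - igfxsrvc.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awvtt.dll
"""

RUN_RE = re.compile(r"^([um]Run(?:Once)?): \[([^\]]*)\] (.*)$")
NOTIFY_RE = re.compile(r"^Notify: (\S+) - (.*)$")
LSA_RE = re.compile(r"^LSA: Authentication Packages = (.*)$")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+([^,\s]+),(\S+)", re.IGNORECASE)

# Assumed list: Windows binaries that are only expected under system32.
SYSTEM_NAMES = {"ctfmon.exe", "svchost.exe", "explorer.exe", "autochk.exe"}
WINDIR = r"c:\windows"
SYSTEM32 = r"c:\windows\system32"
# Assumed prefixes for per-user profile directories (XP short and long forms, Vista+).
PROFILE_PREFIXES = (r"c:\docume~1", r"c:\documents and settings", r"c:\users")


def image_path(command):
    """Return the lower-cased executable path from an autorun command string."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].lower() if end > 0 else ""
    return command.split()[0].lower() if command else ""


def dirname(path):
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(text):
    """Return a list of (entry, reason, path) findings for suspicious persistence."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []
    # Pass 1: DLLs registered as Winlogon Notify handlers, keyed by file name.
    notify = {}
    for line in lines:
        m = NOTIFY_RE.match(line)
        if m:
            notify[basename(m.group(2).lower())] = m.group(1)
    # Pass 2: autorun and LSA entries.
    by_export = defaultdict(list)  # export name -> [(entry, dll)]
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            entry = f"{hive} [{name}]"
            rd = RUNDLL_RE.search(command)
            if rd:
                dll, export = rd.group(1).lower(), rd.group(2)
                by_export[export].append((entry, dll))
                if dll.startswith(PROFILE_PREFIXES):
                    findings.append((entry, "rundll32 loads a DLL from a user profile", dll))
                continue
            img = image_path(command)
            if not img:
                continue
            if dirname(img) == WINDIR:
                findings.append((entry, "autorun image sits directly in the Windows directory", img))
            if basename(img) in SYSTEM_NAMES and dirname(img) != SYSTEM32:
                findings.append((entry, "system binary name outside system32", img))
            continue
        m = LSA_RE.match(line)
        if m:
            for pkg in m.group(1).lower().split():
                if pkg == "msv1_0":
                    continue
                reason = "extra LSA authentication package"
                if basename(pkg) in notify:
                    reason += " (same DLL is also a Winlogon Notify handler)"
                findings.append(("LSA", reason, pkg))
    # Same export loaded from more than one DLL: paired copies of one component.
    for export, refs in by_export.items():
        if len({dll for _, dll in refs}) > 1:
            for entry, dll in refs:
                findings.append((entry, f"export {export} loaded from several DLLs", dll))
    return findings


if __name__ == "__main__":
    for entry, reason, path in triage(DDS_EXCERPT):
        print(f"{entry:28} {reason}: {path}")
```

Run it as a script to print the findings, or import `triage` and feed it the full text of a DDS log. The two-pass design lets the LSA check see Notify entries regardless of the order the lines appear in, and the export grouping is only evaluated once every rundll32 entry has been collected.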

#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 30 April 2009 - 09:45 AM

Hello ferdw,

Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double-click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply along with a fresh DDS log. Please do not zip any of the logs.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Edited by SifuMike, 30 April 2009 - 09:48 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 ferdw

ferdw
  • Topic Starter

  • Members
  • 9 posts

Posted 30 April 2009 - 10:15 AM

SifuMike, thanks for the response. The IT guy at work offered to take a look at the computer for me and ended up using the tool you specified plus a 30-day trial Trend Micro Internet Security installation. I just hooked the computer up last night and my son jumped on it and spent the next few hours on the web. I'll take another look at it this weekend and see if I need more help.

Thanks again.

Ferd

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 30 April 2009 - 11:21 AM

Ok. :thumbup2: If this is a business computer then you should let him fix it.

In most work environments, the IT staff implement specific policies and procedures for the use of computer equipment and related resources.
In fact, many companies will require you to read those policies and sign a statement of understanding.
Further, they usually have procedures in place to deal with infections on the network and may not approve of employees seeking help at an online forum or outside the business office.

Edited by SifuMike, 30 April 2009 - 09:25 PM.


#5 ferdw

ferdw
  • Topic Starter

  • Members
  • 9 posts

Posted 01 May 2009 - 10:08 AM

I didn't mean to confuse you, it's a personal computer but the IT guy at work offered to look at it for me. I took it to work and he worked on it in his spare time. He has some since we've had to downsize recently.

Thanks again for your time.

Ferd

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 01 May 2009 - 11:51 AM

You're very welcome. :thumbup2:

#7 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 May 2009 - 05:49 PM

Since your problem appears to be resolved, this thread will now be closed.