Just-In-Time debugger - Malware


3 replies to this topic

#1 qqa92
Members, 3 posts

Posted 24 September 2010 - 02:26 PM

Hello,

I am attempting to clean a computer that has been redirecting URLs to alternate sites and that is popping up a Just-In-Time Debugging window that says:

Please select a debugger:

Possible Debuggers:
New instance of Microsoft Script Editor

Then a checkbox that is ticked next to "Set the currently selected debugger as the default."

Then it asks "Do you want to debug using the selected debugger?"

Yes or No

If you click Yes it opens a small window that has the title "Microsoft Script Editor" and says Failed to load "atl70.dll".
If you try and close the main window it just pops up again.

I have run Malwarebytes full system scans twice with the latest definitions and am still seeing URL redirecting. Prevx free version is also installed and the System Status says Clean and that it has scanned 15 total times and has cleaned 5717 threats and active threats are 0.

The PC is running XP Pro SP2 and has 1 GB of RAM. Internet Explorer is version 7.
It also has Symantec Anti-virus installed and is running in client/server configuration and is version 10.1.5.5000. The last infection found by it was the 21st and it says it detected Trojan.FakeAV:

----------------------------

Risk: Trojan.FakeAV
Action: Partial
Count: 3
Filename: desktop security 2010.exe
Risk Type: File
Original Location: c:\documents and settings\tweaver\application data\desktop security\
Computer: xxxxxxx
User: xxxxxxx
Status: Infected
Current Location: c:\documents and settings\tweaver\application data\desktop security\
Primary Action: Clean security risk
Secondary Action: Quarantine
Logged By: Startup
Action Description: Risk was partially removed.
Date: 9/21/2010 10:55

---------------------------------
Malwarebytes Scan 1
---------------------------------
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4673

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

9/23/2010 1:05:08 PM
mbam-log-2010-09-23 (13-05-08).txt

Scan type: Full scan (C:\|)
Objects scanned: 325431
Time elapsed: 1 hour(s), 22 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Desktop Security (Rogue.DesktopSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c362hgurcebl (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfrgsnapnt.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{404604E6-8E29-45E5-8AE8-286873790CA9}\RP58\A0009720.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\tweaver.old\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\tweaver\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\tweaver\Local Settings\Temp\cosock.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\tweaver\Local Settings\Temp\hardwh.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\tweaver\Local Settings\Temp\hodeme.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\tweaver\Local Settings\Temp\jdhellwo3.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\tweaver\Local Settings\Temp\kilslmd.exex (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\tweaver\Local Settings\Temp\kjdh_gf_jjdhgd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\tweaver\Local Settings\Temp\lorsk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\tweaver\Local Settings\Temp\test.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\tweaver\Local Settings\Temp\dc_3.exe (Trojan.FakeSmoke) -> Quarantined and deleted successfully.
C:\Documents and Settings\tweaver\Local Settings\Temp\rator.exe (Trojan.FakeSmoke) -> Quarantined and deleted successfully.
C:\Documents and Settings\tweaver\Local Settings\Temp\fe.exe (Trojan.FakeSmoke) -> Quarantined and deleted successfully.
C:\Documents and Settings\tweaver\Local Settings\Temp\ddhelp.exe (Trojan.FakeSmoke) -> Quarantined and deleted successfully.
C:\Documents and Settings\tweaver\Start Menu\Programs\Desktop Security\Help Desktop Security.lnk (Rogue.DesktopSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\tweaver\Start Menu\Programs\Desktop Security\How to Activate Desktop Security.lnk (Rogue.DesktopSecurity) -> Quarantined and deleted successfully.

-------------------------
Malwarebytes scan 2
-------------------------

-----------------
Gooredfix Log
-----------------

GooredFix by jpshortstuff (03.07.10.1)
Log created at 15:03 on 23/09/2010 (tweaver)
Firefox version [Unable to determine]

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{CA6BD81F-CA72-422A-A6A7-E027BAB28E1C} -> Success!
Deleting C:\Documents and Settings\tweaver\Local Settings\Application Data\{CA6BD81F-CA72-422A-A6A7-E027BAB28E1C} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{2CCC117C-3514-4DA0-BFFD-F07EB5892650} -> Success!
Deleting C:\Documents and Settings\so_dheuseveldt\Local Settings\Application Data\{2CCC117C-3514-4DA0-BFFD-F07EB5892650} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [00:33 12/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [21:52 11/03/2010]

-=E.O.F=-
--------------------

Any help would be greatly appreciated.

Thank you.

qqa92
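The Malwarebytes log in the post above lists what was removed but not what each entry meant for the cleanup. As an added example (my own code, not from the post, from BleepingComputer or from Malwarebytes), the Python script below parses the log format exactly as it appears in the post, buckets each detection by where it lived (Run values and AppCertDlls are logon/process-load persistence, the Policies\Explorer and SHOWALL values are defence tampering, the Temp drops and the System Volume Information copy are payloads), flags any entry the scan did not report as cleaned, and cross-checks the header counts against the detail sections. The bucket names and the registry markers are my own assumptions, not Malwarebytes categories; the sample log is an abridged copy of the one in the post, with the file list cut to five entries and the "Files Infected" count adjusted to match.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the Malwarebytes log from the post above
# (file list trimmed to five representative entries, "Files Infected" count adjusted).
SAMPLE_LOG = r"""Memory Processes Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Desktop Security (Rogue.DesktopSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c362hgurcebl (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfrgsnapnt.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{404604E6-8E29-45E5-8AE8-286873790CA9}\RP58\A0009720.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\tweaver\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\tweaver\Local Settings\Temp\cosock.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\tweaver\Local Settings\Temp\test.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\tweaver\Start Menu\Programs\Desktop Security\Help Desktop Security.lnk (Rogue.DesktopSecurity) -> Quarantined and deleted successfully.
"""

# "X Infected: N" lines form the summary block; a bare "X Infected:" opens a detail section.
SECTION_RE = re.compile(r"^(?P<name>(?:Memory Processes|Memory Modules|Registry Keys|Registry Values"
                        r"|Registry Data Items|Folders|Files) Infected):(?:\s+(?P<count>\d+))?$")
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[A-Za-z]+(?:\.[A-Za-z0-9]+)+)\) -> (?P<rest>.+?)\.?$")
DATA_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")

# Assumed classification markers (mine, not Malwarebytes categories): registry paths that give
# code execution at logon or process start, and policy values that hide files or blunt the user.
PERSISTENCE = ("\\currentversion\\run\\", "\\session manager\\appcertdlls\\")
TAMPERING = ("\\policies\\explorer\\", "\\folder\\hidden\\showall\\")


def classify(section, path):
    """Bucket one detection by where it lives; an 'other' result still needs a manual look."""
    p = path.lower()
    if section.startswith("Registry") and any(m in p for m in PERSISTENCE):
        return "persistence"
    if any(m in p for m in TAMPERING):
        return "defense-tampering"
    if "\\system volume information\\" in p:
        return "restore-point-copy"   # inert until a System Restore brings it back
    if "\\local settings\\temp\\" in p:
        return "dropped-payload"
    return "other"


def parse_mbam_log(text):
    """Return (summary counts from the header block, list of detail entries as dicts)."""
    summary, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                summary[m.group("name")] = int(m.group("count"))
                section = None
            else:
                section = m.group("name")
            continue
        e = ENTRY_RE.match(line) if section else None
        if not e:
            continue                       # blanks, banner lines, "(No malicious items detected)"
        d = DATA_RE.match(e.group("rest"))  # registry data items carry Bad/Good values
        entries.append({
            "section": section, "path": e.group("path"), "family": e.group("family"),
            "bad": d.group("bad") if d else None, "good": d.group("good") if d else None,
            "action": d.group("action") if d else e.group("rest"),
            "tag": classify(section, e.group("path")),
        })
    return summary, entries


def triage(text):
    """Group detections by bucket, flag anything not cleaned, cross-check the header counts."""
    summary, entries = parse_mbam_log(text)
    by_tag, per_section = defaultdict(list), defaultdict(int)
    for e in entries:
        by_tag[e["tag"]].append(e["path"])
        per_section[e["section"]] += 1
    return {
        "by_tag": dict(by_tag),
        "not_cleaned": [e["path"] for e in entries if "successfully" not in e["action"]],
        "count_mismatches": {s: (n, per_section[s]) for s, n in summary.items() if n != per_section[s]},
    }


if __name__ == "__main__":
    for tag, paths in triage(SAMPLE_LOG)["by_tag"].items():
        print(tag, len(paths), *paths, sep="\n    ")
```

The persistence bucket is the one to re-check after a reboot: a Run value or an AppCertDlls entry that reappears means something the scan did not reach is re-creating it, and a count mismatch or a non-empty not_cleaned list means the log itself is reporting an incomplete removal rather than a clean result.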


#2 qqa92 (Topic Starter)

Posted 27 September 2010 - 05:55 PM

Hello,

I am sorry, have I made a mistake posting to the wrong forum? If so, can someone please let me know where to post my question to get some help on this.

Thank you,

qqa92

#3 Budapest (Bleepin' Cynic; Moderator, 23,579 posts)

Posted 27 September 2010 - 05:57 PM

Try this:

http://www.bleepingcomputer.com/virus-remo...sing-tdsskiller
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#4 qqa92 (Topic Starter)

Posted 27 September 2010 - 06:06 PM

Thank you Budapest! I will give that a try.

qqa92
