
backdoor virus?


  • This topic is locked
4 replies to this topic

#1 gregbxp

gregbxp

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:29 AM

Posted 03 October 2012 - 01:13 AM

I am infected with something. It looks like a Trojan backdoor is active. Ran Malwarebytes, found Hijack.StartMenu and BundleOffers.IIQ last week; it looked like multiple registry changes were made after MWB cleaned, did a restore. All AVs showed clean and MWB's scans were clean. Finally tried my VPN and it wouldn't work. Ran CurrPorts and can see open ports, one linked to jasras.dll in my System32 folder. I do not see the file there. Searched PC for the file and it's not found. Ran SUPERAntiSpyware in Safe Mode after rKill and found Trojan.Agent/Gen-Koobface[Bonkers] along with MyWebSearch/FunWebProducts, repaired. Booted to normal Windows XP and ran again. Found the same Trojan in a different location. Ran TDSSKiller, no threats detected, then ran ComboFix. I'm out of ideas and don't want to damage anything. Still see jasras.dll and open ports in CurrPorts. Please help.

Edited by Orange Blossom, 03 October 2012 - 05:04 AM.
Moved from XP to AII. ~ OB



#2 gregbxp

gregbxp
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:29 AM

Posted 03 October 2012 - 11:32 AM

Sorry about posting in the wrong spot. Update: I ran Spybot S&D and it found W3i.Iq5.fraud and removed it. Ran RogueKiller and deleted:
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Ran AdwCleaner

HijackThis log removed. ~ OB

Removed : R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

I'm still seeing jasras.dll active with UDP connections in CurrPorts.

Edited by Orange Blossom, 03 October 2012 - 12:41 PM.


#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,963 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:12:29 PM

Posted 03 October 2012 - 12:44 PM

Hello,

I really need to polish my glasses. I didn't see previously that you had run Combofix already. Given that and the rest of your narrative, please follow the instructions in ==>This Guide<== starting at step 6.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Since you have run ComboFix, please include the ComboFix log already generated in the new topic. Please be sure to include a description of your computer issues and what you have done to try to resolve them.

If you cannot produce any of the other logs, then please create the new topic anyway, include the information that you were unable to produce the other logs and why and include the ComboFix log along with a description of your computer issues.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 gregbxp

gregbxp
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:29 AM

Posted 03 October 2012 - 03:46 PM

Done and Posted.

Thank You!

#5 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,963 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:12:29 PM

Posted 05 October 2012 - 08:05 AM

You're welcome. Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic470670.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean. And I see that your new topic has been picked up this morning. You're in good hands. To avoid potential confusion, I'm going to go ahead and close this topic.

Orange Blossom :cherry:
