Trojan that poses as anti-virus software



martinl78
2010-02-15, 18:01
This was a really frustrating trojan that somehow got on my system and it blocks the ability to use Task Manager or CMD.exe or anything useful for that matter to try to find it or kill it. It terminates anti-virus software, firewall, and anti-malware tools. A scan with latest anti-virus updates and latest spybot updates did not catch or remove this thing.

To remove, I renamed the jxinsftav.exe that was in my user profile path and removed the two references in the registry. I saved a copy of the executable and have it in safe keeping. See below:

Jxinsftav.exe poses as an anti-virus package and prevents you from using TaskManager, disables anti-virus, Windows Defender, and even prevents Spybot or CMD.EXE usage. It sits in the systray and gives notifications that various files are corrupted and offers to let you activate the product. It even gives you systray popups to tell you it has found vulnerabilities and specific viruses or trojans your system is allegedly infected with. It also periodically starts the internet browser and brings up porno.com. Currently downloadable signatures for Windows Defender, Spybot, and other anti-virus packages or anti-malware tools don't recognize this trojan. It seems to really want you to go to a website and 'activate' it. Since it has disabled all sorts of protections on your system, this is likely a precursor of other nasty things to come. So far, deleting the executable and removing the registry entries seems to be a cure. The trick is that you have to launch Task Manager and registry editor quickly after login before the trojan starts up to be able to kill it and remove it. Once it starts, new instances of any valuable tool to help you can't run.

HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Value name: C:\Users\useraccount\AppData\Local\pwniqw\jxinsftav.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value name: uecipajg
Data: C:\Users\useraccount\AppData\Local\pwniqw\jxinsftav.exe
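A triage check for the persistence described above, added here as an example and not part of Martin's post: it parses a `.reg` export of the two keys he lists, flags any Run entry whose executable sits in a user-writable profile directory (AppData, Temp), and reports whether MuiCache records that the file has been launched. The export text is constructed to mirror the post's entries; `useraccount` and the OneDrive line are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export mirroring the two entries from the post above.
# "useraccount" is a placeholder; the OneDrive line is a benign control entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"uecipajg"="C:\\Users\\useraccount\\AppData\\Local\\pwniqw\\jxinsftav.exe"

[HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\\Users\\useraccount\\AppData\\Local\\pwniqw\\jxinsftav.exe"="jxinsftav"
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
MUICACHE_KEY = r"HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache"

# Directories a standard user can write to; legitimate autostarts rarely live here.
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming|LocalLow)\\|\\Temp\\", re.IGNORECASE)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a .reg export into {key: {value name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # undo .reg escaping of backslashes and quotes
                name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
                keys[current][name] = data
    return keys


def exe_path(data: str) -> str:
    """Pull the executable path out of a Run value (quoted, or up to '.exe')."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    idx = data.lower().find(".exe")
    return data[: idx + 4] if idx != -1 else data.split(" ")[0]


def suspicious_autostarts(text: str) -> List[Tuple[str, str, bool]]:
    """(value name, exe path, seen in MuiCache) for Run entries in user-writable dirs."""
    keys = parse_reg(text)
    executed = {p.lower() for p in keys.get(MUICACHE_KEY, {})}
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        path = exe_path(data)
        if USER_WRITABLE.search(path):
            hits.append((name, path, path.lower() in executed))
    return hits
```

Run it against a real export (regedit, File > Export, of the two keys) from the affected account; a hit with the MuiCache flag set is the same pattern Martin found.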

ken545
2010-02-19, 02:39
Hello Martin

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Please download DeFogger (http://www.jpshortstuff.247fixes.com/Defogger.exe) to your desktop.

Double click DeFogger to run the tool.

The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next:

Please download GMER from one of the following locations and save it to your desktop:
Main Mirror (http://gmer.net/download.php)
This version will download a randomly named file (Recommended)
Zipped Mirror (http://gmer.net/gmer.zip)
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html) so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif

GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Post the GMER log and the logs from RSIT please