martinl78
2010-02-15, 18:01
This was a really frustrating trojan that somehow got on my system and it blocks the ability to use Task Manager or CMD.exe or anything useful for that matter to try to find it or kill it. It terminates anti-virus software, firewall, and anti-malware tools. A scan with latest anti-virus updates and latest spybot updates did not catch or remove this thing.
To remove, I renamed the jxinsftav.exe that was in my user profile path and removed the two references in the registry. I saved a copy of the executable and have it in safe keeping. See below:
Jxinsftav.exe poses as an anti-virus package and prevents you from using TaskManager, disables anti-virus, Windows Defender, and even prevents Spybot or CMD.EXE usage. It sits in the systray and gives notifications that various files are corrupted and offers to let you activate the product. It even gives you systray popups to tell you it has found vulnerabilities and specific viruses or trojans your system is allegedly infected with. It also periodically starts the internet browser and brings up porno.com. Currently downloadable signatures for Windows Defender, Spybot, and other anti-virus packages or anti-malware tools don't recognize this trojan. It seems to really want you to go to a website and 'activate' it. Since it has disabled all sorts of protections on your system, this is likely a precursor of other nasty things to come. So far, deleting the executable and removing the registry entries seems to be a cure. The trick is that you have to launch Task Manager and registry editor quickly after login before the trojan starts up to be able to kill it and remove it. Once it starts, new instances of any valuable tool to help you can't run.
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Value name: C:\Users\useraccount\AppData\Local\pwniqw\jxinsftav.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value name: uecipajg
Data: C:\Users\useraccount\AppData\Local\pwniqw\jxinsftav.exe
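The two registry locations quoted above are the per-user Run key and the MuiCache key, both of which a rogue like this writes to under the user's own account. The PowerShell below is an added example (not martinl78's own steps, and not part of the original post) that audits those two keys for values pointing into %LOCALAPPDATA%, and hashes any executable it finds so the sample can be submitted to an AV vendor. The key paths are the ones quoted in the post (HKCR\Local Settings is the per-user HKCU\Software\Classes\Local Settings subtree); the "AppData\Local" heuristic, the function name and the output layout are assumptions of this example.

```powershell
# Added example: audit the two autorun locations named in the post for
# entries that point into the user's AppData\Local folder.
# Assumption: an executable launched from AppData\Local at logon is worth
# a look; legitimate software (e.g. some updaters) can live there too, so
# treat hits as leads, not verdicts.

function Get-SuspiciousAutoruns {
    param(
        # Regex applied to the value data / value name (assumed heuristic)
        [string]$SuspiciousPattern = '\\AppData\\Local\\'
    )

    $findings = @()

    # Location 2 from the post: per-user Run key. Value data is the command line.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
            if ("$($p.Value)" -match $SuspiciousPattern) {
                $findings += [pscustomobject]@{
                    Key  = $runKey
                    Name = $p.Name
                    Data = "$($p.Value)"
                }
            }
        }
    }

    # Location 1 from the post: MuiCache. Here the *value name* is the path
    # of a program the shell has launched, so we match on the name instead.
    $muiKey = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache'
    if (Test-Path $muiKey) {
        foreach ($p in (Get-ItemProperty -Path $muiKey).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            if ($p.Name -match $SuspiciousPattern) {
                $findings += [pscustomobject]@{
                    Key  = $muiKey
                    Name = $p.Name
                    Data = "$($p.Value)"
                }
            }
        }
    }

    # Hash the referenced file (if it still exists) so it can be reported to
    # the AV vendor; the post notes signatures did not yet cover this sample.
    foreach ($f in $findings) {
        $candidate = if ($f.Key -eq $muiKey) { $f.Name } else { $f.Data.Trim('"') }
        $sha256 = if (Test-Path -LiteralPath $candidate) {
            (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        } else { '<file not present>' }
        $f | Add-Member -NotePropertyName SHA256 -NotePropertyValue $sha256
    }

    return $findings
}

Get-SuspiciousAutoruns | Format-Table -AutoSize -Wrap
```

Run it from a fresh logon before the rogue starts (the same timing the post relies on), or from another account on the machine, since the post says new tool instances are blocked once it is running. Once a hit is confirmed, the Run value can be cleared with Remove-ItemProperty on the key and name shown; the MuiCache entry is only a record of what was launched and is harmless on its own, but is useful evidence of what ran.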