Ok, I've been having trouble getting rid of a trojan I have not seen any website talk about. It's called Win32:Jifas-DC(Trj). It seems impossible to get rid of. I've been having trouble with my comp for a while, so I tried many different things and nothing has worked. I started to think there was a virus when I noticed the resident protection isn't on and won't turn on (I have avast pro 4.8, full registered version). I enabled the user interface to see what was going on and then it said “rpc error”. So I began thinking I have no clue how long I've been without resident protection, but I know it couldn't have been too long, not more than 2 weeks as of now. So I tried to uninstall and reinstall and I still didn't have the icons on the bottom of the screen, so no resident protection. Then I tried to do multiple boot time scans and updates, that way maybe I could get rid of whatever it was stopping the resident protection. A few days ago I noticed my security center was disabled and it's still disabled. I went through the whole admin services and everything; I've gotten nowhere on that either. I figured, duh, a system restore should do it, then I tried it and nothing comes up. The process is running but it won't start; when I click it again I get a white window that says system restore and it will load forever, well, at least try to. I even tried to do safe mode and do it with run commands and nothing. Tried getting Malwarebytes or something in safe mode and running it and nothing comes up at all. The comp let me install it fine, then it won't run it no matter what I do, safe mode or regular. In the midst of this I've been trying to open avast; every time I do I get the memory is infected message, and I know already, but before I get it I get to this trojan Win32:Jifas-DC(Trj). Avast finds it, I tried to delete it, thought all was good, did the boot scan. Open avast again just in case and I see it again. I try to move it to the chest, nothing.
The only thing it lets me do is delete it, and when I boot scan it doesn't even do that. The strange thing about the virus is where it is stored. I have no clue how to get it. It's stored as \\?\globalroot\systemroot\system32\h8srtgsbmuxpdfx.dll. I figured, what will happen if I run that in the command prompt, and nothing happened, so I've probably boot scanned about 20 or more times in the past 3 days alone. Please someone help, I really don't want to have to restart that comp from the beginning, that would be hell. All my hard work to get it to where it is; any advice will help. What type of virus infects you but will let you do what you want, like go to YouTube, check an email? It's tormenting me. Oh, also, at random if I try to get rid of it, it will freeze my comp; it's frozen it after a boot time scan before too. Help. You can email me at sfwx2@yahoo.com or just reply on the forum, any secret techniques will help, thank you. ;D
Hi Sfwx,
You may follow the steps at: http://www.geekstogo.com/forum/Unable-to-do-much-anything-t241915.html
or use combofix, as essexboy always recommends.
Check your computer for malware with
MBAM http://filehippo.com/download_malwarebytes_anti_malware/
Update and run a quick scan, click the button “remove selected” to quarantine anything found and restart.
SAS http://filehippo.com/download_superantispyware/
Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26
Come back and tell us if it worked and post your scan logs here.
I already have Malwarebytes, it's just that it won't let it run. It shows that it's running in the background but nothing comes up. As for combofix, I have no clue what that is, you might have to enlighten me. Also thanks for helping me so far.
Here is a small program that can help you to get Malwarebytes up and running
How to use Rkill: Malware Process Terminator and Anti-Malware Assistant - Part 1
http://www.brighthub.com/computing/smb-security/articles/59807.aspx
Rkill: Malware Process Terminator and Anti-Malware Assistant - Part 2
http://www.brighthub.com/computing/smb-security/articles/59799.aspx
Here is a similar program
quote:
Try running rkill a few times if the first try does not work properly.
If the problem continues, please try to use exehelper. You can download it from
http://www.raktor.net/exeHelper/exeHelper.com
http://www.raktor.net/exeHelper/exeHelper.scr
It works like rkill.
If everything fails, follow this guide from essexboy, and post the logs
http://forum.avast.com/index.php?topic=53253.0
Hi, your problem sounds similar to mine. Hopefully we both can find a solution with the assistance of this very knowledgeable Avast team. I can install Malwarebytes, but it will not launch either. Scroll down, you will see my post. Good luck with your problem.
Ann
Ok, well, back again, and I have tried the things you guys have been telling me but without luck. I tried redownloading MBAM and it let me download it, but now I can't open it at all. SAS won't even execute; all that happens is that as soon as I double-click it, it says the program encountered an error and closes. I tried going to all the geekstogo links; it won't even let the page load, all that happens is that supposedly their server is down. That message only comes up when I have no internet, but I tried going to other websites and it works. So I can't even see the information at geekstogo. That pretty much eliminates all the things essexboy says to do since I can't go to the websites. I tried going to the RKILL websites, it worked, but then it links me to Bleeping Computer to download the file and I can't access any Bleeping Computer page or else the same server message pops up again. I've been doing all this in safe mode too. I did download the exehelper and it ran and did what it was supposed to do, I think. But yeah, that wasn't much help. Right now I'm at a loss, I have no clue what to do, and also I think I have a backdoor open. Because Internet Explorer constantly pops up; even if I close it and kill the process it still comes back, and when it comes up it doesn't have a window open; I know it pops up because I see it in Process Explorer and Task Manager. I don't know if that's part of the problem but it's rather annoying. Well, thanks for helping me everyone; if you have any more ideas I'd be glad to try.
1 Download OTL to your Desktop
2 Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
3 Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
c:\windows\system32\*.dll /lockedfiles
c:\windows\system32\drivers\*.sys /lockedfiles
%systemroot%\*. /mp /s
CREATERESTOREPOINT
4 Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into your reply as an attachment.
You can also try downloading MalwareBytes Anti-Malware on a clean PC, renaming it (just pick a random filename) and putting it on a read-only device (USB drive with a hardware read-only switch - don’t trust a software read-only switch! or a CD-R). Then, run it from the read-only device on the infected PC. That will hopefully let MBAM get around the virus.
I tried going to the RKILL websites, it worked, but then it links me to bleeping computer to download the file and I can't access any bleeping computer page or else the same server message pops up again.
Did you try the direct download links for Rkill?
•rkill.exe http://download.bleepingcomputer.com/grinler/rkill.exe
•rkill.com http://download.bleepingcomputer.com/grinler/rkill.com
•rkill.scr http://download.bleepingcomputer.com/grinler/rkill.scr
•rkill.pif http://download.bleepingcomputer.com/grinler/rkill.pif
Have you tried MBAM from safe mode ?
I tried MBAM in safe mode a long time ago and it hasn't worked. I tried going to the OTL and it keeps saying server not found. I think it knows what can stop it so it won't let me go to it. All the rkill links that I click on, a message pops up saying either server not found or some message talking about oops, this link appears to be broken.
I just looked around and I saw you helped ineedhelpbad. I noticed you told her to download the OTS and on her comp it didn't work either. Mine didn't either, but I noticed you reposted a different link and it allowed me to do it. So I'll just follow what computerfreak said to do and I guess we'll go from there.
Ok, well, OTS scanned and I followed the directions to a T. But only the OTS text popped up, so I didn't get the Extras text I was supposed to get; hopefully that's fine. Well, I tried to upload the file as an attachment and it's way too big, so instead I have a 4shared account that I can upload files to, so I uploaded the file there. Here is the link http://www.4shared.com/file/231970331/19a8d415/OTS.html
It should be there since I just did it; let me know what's up.
I am not familiar with this program but I do notice -
You do not have up to date version of Windows - you should really have SP3 on yr computer
You have Kaspersky program on yr computer and this may conflict with smooth run of avast - again not familiar with Kaspersky program
There was update by avast on 2.1.2010 to combat this malware (although def not precisely the same).
Can you update yr avast or can you download the latest version using another computer (you can use same registration key)?
Do yr re-install in Safe Mode. Don't forget to use the correct uninstall utility.
http://forum.avast.com/index.php?topic=55739.msg472725#msg472725
3.1.2010 - 100103-0
Win32:KillAV-NA [Trj], Win32:VB-OCW [Trj]
2.1.2010 - 100102-1
Win32:Jifas-CN [Trj]
2.1.2010 - 100102-0
Win32:FakeAlert-FV [Trj], Win32:FakeAlert-FW [Trj]
I’m in a bit of a rush, but someone should add more comment shortly.
Hi that link is down - could you attach it to your next post instead
Under additional options is an attach line - browse to OTS log and double click
Is this the file you mean? - from sfwx
oops its 919kb - the OTS file is in my downloads - if you dont have it yet I can send it to you in parts
I post the part I am talking about above
Hmm ta but alas it is corrupted and only 11.5 kb ???
I have problems connecting to that site I do not know why though
Oh I checked and see what you mean - but the part file (11.56) is still not corrupted on my computer.
I have also cut out two more parts which should just about cover the log for you.
Let's try this - I have tried a guesstimate of 200kb of it
The rest pretty much follows this pattern –
[Alternate Data Streams]
@Alternate Data Stream - 100 bytes → C:\camcaud.sys:KAVICHS
@Alternate Data Stream - 100 bytes → C:\camchal.sys:KAVICHS
@Alternate Data Stream - 100 bytes → C:\caudinst.dll:KAVICHS
And so on to the end of the report
No corrupted again - shall I try just post in the text editor?
okay here’s the first part (11.5kb) I was talking about above
http://forum.avast.com/index.php?topic=54442.msg475939#msg475939
OTS logfile created on: 3/1/2010 12:30:33 AM - Run 1
OTS by OldTimer - Version 3.1.20.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
510.00 Mb Total Physical Memory | 219.00 Mb Available Physical Memory | 43.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 9.10 Gb Free Space | 16.29% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: SFWX
Current User Name: Owner
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Quick Scan
[Processes - Safe List]
ots.exe → C:\Documents and Settings\Owner\Desktop\OTS.exe → [2010/03/01 00:23:45 | 000,632,320 | ---- | M] (OldTimer Tools)
qttask.exe → C:\Program Files\QuickTime\QTTask.exe → [2009/09/05 00:54:42 | 000,417,792 | ---- | M] (Apple Inc.)
applemobiledeviceservice.exe → C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe → [2009/08/28 18:42:54 | 000,144,672 | ---- | M] (Apple Inc.)
iexplore.exe → C:\Program Files\Internet Explorer\iexplore.exe → [2008/10/15 02:06:26 | 000,633,632 | ---- | M] (Microsoft Corporation)
lssrvc.exe → C:\Program Files\Common Files\LightScribe\LSSrvc.exe → [2007/10/18 14:32:42 | 000,079,136 | ---- | M] (Hewlett-Packard Company)
explorer.exe → C:\WINDOWS\explorer.exe → [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation)
syntpenh.exe → C:\Program Files\Synaptics\SynTP\SynTPEnh.exe → [2007/06/07 23:47:00 | 000,827,392 | ---- | M] (Synaptics, Inc.)
googletoolbarnotifier.exe → C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe → [2007/04/03 23:34:57 | 000,068,856 | ---- | M] (Google Inc.)
kavpf.exe → C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe → [2006/07/19 08:51:57 | 002,195,583 | ---- | M] (Kaspersky Lab)
ati2evxx.exe → C:\WINDOWS\system32\ati2evxx.exe → [2005/08/03 23:02:58 | 000,380,928 | ---- | M] (ATI Technologies Inc.)
[Modules - Safe List]
ots.exe → C:\Documents and Settings\Owner\Desktop\OTS.exe → [2010/03/01 00:23:45 | 000,632,320 | ---- | M] (OldTimer Tools)
comctl32.dll → C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll → [2006/08/25 10:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation)
[Win32 Services - Safe List]
(avast! Antivirus) avast! Antivirus [Auto | Stopped] → C:\Program Files\Alwil Software\Avast4\ashServ.exe → [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software)
(avast! Mail Scanner) avast! Mail Scanner [On_Demand | Stopped] → C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe → [2009/11/24 18:51:21 | 000,254,040 | ---- | M] (ALWIL Software)
(avast! Web Scanner) avast! Web Scanner [On_Demand | Stopped] → C:\Program Files\Alwil Software\Avast4\ashWebSv.exe → [2009/11/24 18:48:48 | 000,352,920 | ---- | M] (ALWIL Software)
(aswUpdSv) avast! iAVS4 Control Service [Auto | Stopped] → C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe → [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software)
(getPlusHelper) getPlus(R) Helper [On_Demand | Stopped] → C:\Program Files\NOS\bin\getPlus_Helper.dll → [2009/11/06 09:20:16 | 000,051,168 | ---- | M] (NOS Microsystems Ltd.)
(gusvc) Google Software Updater [Auto | Stopped] → C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe → [2009/10/01 20:32:04 | 000,182,768 | ---- | M] (Google)
(iPod Service) iPod Service [On_Demand | Stopped] → C:\Program Files\iPod\bin\iPodService.exe → [2009/09/21 15:36:02 | 000,545,568 | ---- | M] (Apple Inc.)
(Apple Mobile Device) Apple Mobile Device [Auto | Running] → C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe → [2009/08/28 18:42:54 | 000,144,672 | ---- | M] (Apple Inc.)
(Bonjour Service) Bonjour Service [Auto | Stopped] → C:\Program Files\Bonjour\mDNSResponder.exe → [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.)
(NMIndexingService) NMIndexingService [On_Demand | Stopped] → C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe → [2007/12/14 09:52:02 | 000,267,560 | ---- | M] (Nero AG)
(LightScribeService) LightScribeService Direct Disc Labeling Service [Auto | Running] → C:\Program Files\Common Files\LightScribe\LSSrvc.exe → [2007/10/18 14:32:42 | 000,079,136 | ---- | M] (Hewlett-Packard Company)
(Microsoft Office Groove Audit Service) Microsoft Office Groove Audit Service [On_Demand | Stopped] → C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe → [2007/08/24 05:59:20 | 000,068,464 | ---- | M] (Microsoft Corporation)
(odserv) Microsoft Office Diagnostics Service [On_Demand | Stopped] → C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE → [2007/08/24 02:19:12 | 000,443,776 | ---- | M] (Microsoft Corporation)
(ose) Office Source Engine [On_Demand | Stopped] → C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE → [2006/10/26 13:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation)
(Ati HotKey Poller) Ati HotKey Poller [Auto | Running] → C:\WINDOWS\system32\ati2evxx.exe → [2005/08/03 23:02:58 | 000,380,928 | ---- | M] (ATI Technologies Inc.)
If you need me to do anything for you like post the rest or parts of it - just let me know, but I’ll be going out in about 30 mins.
Tried post some more - 'fraid just too much there (919kb in total)
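The OTS log posted above is read by eye in the thread. As an added example (not part of the thread, and not OldTimer's tool), the Python script below parses the log's bracketed sections and pulls out the two things a helper scans for here: Auto-start services that are not running (the stopped avast! services are what the disabled resident protection looks like in the log) and the alternate data streams grouped by stream name, so that one can ask what writes that stream rather than inspecting each file. The sample log is constructed from entries quoted in this thread; the set of security-vendor company names is an assumption, and the parser accepts both the "->" OTS writes and the "→" glyph that forum copies show.

```python
"""Triage helper for OTS/OTL scan logs (added example, not OldTimer's code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed, illustrative set: the "company" field of security products seen in
# this thread. Extend it for the products installed on the machine examined.
SECURITY_COMPANIES = {"ALWIL Software", "Kaspersky Lab"}

ARROW = r"(?:->|→)"  # OTS writes "->"; forum copies often render it as "→"
SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
SERVICE_RE = re.compile(
    r"^\((?P<key>[^)]*)\) (?P<display>.*?) \[(?P<start>\w+) \| (?P<state>\w+)\] "
    + ARROW + r" (?P<path>.*?) " + ARROW + r" \[(?P<meta>[^\]]*)\] \((?P<company>[^)]*)\)$"
)
ADS_RE = re.compile(
    r"^@Alternate Data Stream - (?P<size>\d+) bytes " + ARROW + r" (?P<host>.*):(?P<stream>[^:]+)$"
)


@dataclass
class Service:
    key: str
    display: str
    start: str      # Auto, On_Demand, Disabled
    state: str      # Running, Stopped
    path: str
    company: str


def split_sections(text):
    """Map each '[Section Name]' header to the non-blank lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header["name"]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_services(lines):
    """Service records for each '[Win32 Services ...]' entry; unparseable lines are skipped."""
    return [Service(m["key"], m["display"], m["start"], m["state"], m["path"], m["company"])
            for m in map(SERVICE_RE.match, lines) if m]


def auto_but_stopped(services, security_only=False):
    """Display names of Auto-start services that are not Running.

    With security_only=True only entries from a known security vendor are kept:
    an Auto-start AV service sitting in Stopped is the log-side view of
    "resident protection won't turn on".
    """
    hits = [s for s in services if s.start == "Auto" and s.state != "Running"]
    if security_only:
        hits = [s for s in hits if s.company in SECURITY_COMPANIES]
    return [s.display for s in hits]


def parse_ads(lines):
    """(host file, stream name, size in bytes) for each '@Alternate Data Stream' entry."""
    return [(m["host"], m["stream"], int(m["size"])) for m in map(ADS_RE.match, lines) if m]


def ads_by_stream_name(streams):
    """Count streams per name; one name on many files points at one writer."""
    return Counter(name for _, name, _ in streams)


def triage(text):
    """Summarise one log: stopped Auto services (all, and security vendors only) and ADS counts."""
    sections = split_sections(text)
    services = parse_services(sections.get("Win32 Services - Safe List", []))
    streams = parse_ads(sections.get("Alternate Data Streams", []))
    return {
        "auto_stopped": auto_but_stopped(services),
        "security_stopped": auto_but_stopped(services, security_only=True),
        "ads_by_name": dict(ads_by_stream_name(streams)),
    }


# Sample log, constructed from entries quoted in this thread (service lines as
# OTS writes them, ADS lines as they were pasted into the forum).
SAMPLE_LOG = r"""
[Win32 Services - Safe List]
(avast! Antivirus) avast! Antivirus [Auto | Stopped] -> C:\Program Files\Alwil Software\Avast4\ashServ.exe -> [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software)
(avast! Mail Scanner) avast! Mail Scanner [On_Demand | Stopped] -> C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -> [2009/11/24 18:51:21 | 000,254,040 | ---- | M] (ALWIL Software)
(aswUpdSv) avast! iAVS4 Control Service [Auto | Stopped] -> C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -> [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software)
(gusvc) Google Software Updater [Auto | Stopped] -> C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -> [2009/10/01 20:32:04 | 000,182,768 | ---- | M] (Google)
(Apple Mobile Device) Apple Mobile Device [Auto | Running] -> C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> [2009/08/28 18:42:54 | 000,144,672 | ---- | M] (Apple Inc.)
(Ati HotKey Poller) Ati HotKey Poller [Auto | Running] -> C:\WINDOWS\system32\ati2evxx.exe -> [2005/08/03 23:02:58 | 000,380,928 | ---- | M] (ATI Technologies Inc.)
[Alternate Data Streams]
@Alternate Data Stream - 100 bytes → C:\camcaud.sys:KAVICHS
@Alternate Data Stream - 100 bytes → C:\camchal.sys:KAVICHS
@Alternate Data Stream - 100 bytes → C:\caudinst.dll:KAVICHS
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a full OTS.Txt by passing its contents to triage(); the script deliberately reports, rather than decides, so that a service stopped for a legitimate reason (an updater that has simply finished) is not mistaken for tampering, while an antivirus service that is Auto and Stopped is put at the top of the list.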