
win32:Jifas-cd [Trj]

8 replies to this topic

#1 erachinskas

Posted 28 January 2010 - 08:56 AM

I did a deep scan and found the below listed. I have read A LOT of posts about removing the restore points but I am unable to do it. Need some help.
Used Avast and found this. Have moved them to the Chest and, like some other things I have read, I can't move my slider in the System Restore down to 3%. It is locked out. Have used Spybot, Trojan Remover, Registry Patrol, Identity Patrol, and more. How can I delete these files?

All of these files are in:

C:\System Volume Information\_restore{72A0193C-60C3-4CD5-88F6C0E060A7B5EA}\RP47 win32:Trojan-gen
C:\System Volume Information\_restore{72A0193C-60C3-4CD5-88F6C0E060A7B5EA}\RP143 win32:Jifas-CD [Trj]
C:\System Volume Information\_restore{72A0193C-60C3-4CD5-88F6C0E060A7B5EA}\RP143 win32:Jifas-CO [Trj]
C:\System Volume Information\_restore{72A0193C-60C3-4CD5-88F6C0E060A7B5EA}\RP143 win32:Jifas-CO [Trj]
C:\System Volume Information\_restore{72A0193C-60C3-4CD5-88F6C0E060A7B5EA}\RP143 win32:Jifas-CO [Trj]
C:\System Volume Information\_restore{72A0193C-60C3-4CD5-88F6C0E060A7B5EA}\RP153 win32:malware.gen
C:\System Volume Information\_restore{72A0193C-60C3-4CD5-88F6C0E060A7B5EA}\RP153 win32:malware.gen


#2 venompc

Posted 31 January 2010 - 04:02 AM

c:\windows\system32\hememefo.dll is the source, but it makes its own drive by putting a "," in front of C or whatever drive. I am also having trouble removing this virus, and it constantly attacks Firefox and other internet-related software. It is also located in the registry.
Don't click on any of the blue links, as these are pics infected with the virus on the web, including AOL home pages or a fake version of it.

I hope someone helps us soon. I have just lost my job because of this problem; until it is fixed I cannot and will not do anything with my business or its customers.

Edited by quietman7, 01 February 2010 - 12:41 PM.


#3 quietman7

Posted 01 February 2010 - 12:47 PM

Hello venompc

If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Posting for assistance in someone else's topic is not considered proper forum etiquette.

Further, posting full or partial DDS/HijackThis logs is not permitted in this forum. If you need to post a log, then please follow the directions in the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own.

Thanks for your cooperation.
The BC Staff

---------------------------------------
erachinskas

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan are in the System Volume Information Folder (SVI), which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:

System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations and files before changes are made. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations, including registry modifications made by software or malware, by reverting the operating system's configuration to an earlier date. See What's Restored when using System Restore and What's Not.

System Restore is enabled by default and will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file. If you only get a detection on a file in the SVI folder, that means the original file was on your system in another location at some point and probably has been removed. However, when you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (in System Restore points) and moved into quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can delete it at any time.

If your anti-virus or anti-malware tool cannot move the files to quarantine, they sometimes can reinfect your system if you accidentally use an old restore point. In order to avoid reinfection and remove these file(s) if your security tools cannot remove them, the easiest thing to do after disinfection is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point. Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

If your anti-virus or anti-malware tool was able to move the file(s), I still recommend creating a new restore point and using disk cleanup as the last step after removing malware from an infected computer.

Note: Removing files individually (manually) from restore points can cause problems with System Restore. Restore points are chained (linked) together with previous restore points. When a restore point is chosen, all restore points created prior to that restore point are also required to complete the restoration. During the process, a log is created or updated that tracks the consistency between the files System Restore is monitoring, and the files that are actually backed up. If an inconsistency is found between the log file and the files located in the SVI folder, restore point corruption can occur. This causes a break in the chain and any prior restore points become useless resulting in System Restore failing to work properly.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
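As an added example (mine, not part of quietman7's post or any BleepingComputer tool), a small Python triage script that parses scanner output lines in the format quoted above, separates detections sitting inside System Restore points (the `_restore{GUID}\RPnnn\A00nnnnn.ext` form) from detections on the live file system, and groups the restore-point hits by RP number. The GUID, backup file names and the `sample.dll` path are constructed placeholders.

```python
import re
from collections import defaultdict

# A file inside a restore point lives under SVI as _restore{GUID}\RPnnn\A00nnnnn.ext;
# the A00 part is optional here because scanner output is sometimes cut at the RP folder.
SVI_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}"
    r"\\RP(?P<rp>\d+)(?:\\(?P<backup>A00\d+\.\w+))?$"
)
# One scanner line: "<path> <detection>", where the detection is the last
# "family:name" token with an optional bracketed suffix such as [Trj].
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<detection>\S+:\S+(?:\s+\[[^\]]*\])?)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, detection = m.group("path"), m.group("detection")
    svi = SVI_RE.match(path)
    return {
        "path": path,
        "detection": detection,
        "in_restore_point": svi is not None,
        "restore_point": int(svi.group("rp")) if svi else None,
        "backup_name": svi.group("backup") if svi else None,
    }

def triage(lines):
    # SVI hits only need quarantine plus a fresh restore point and Disk Cleanup;
    # anything outside SVI is a file still present on the live system.
    report = {"restore_points": defaultdict(list), "live": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["in_restore_point"]:
            report["restore_points"][rec["restore_point"]].append(rec["detection"])
        else:
            report["live"].append((rec["path"], rec["detection"]))
    return report

# Constructed sample output in the format quoted in the thread (placeholder GUID).
SAMPLE = r"""
C:\System Volume Information\_restore{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\RP47\A0012345.exe win32:Trojan-gen
C:\System Volume Information\_restore{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\RP143\A0012346.dll win32:Jifas-CD [Trj]
C:\System Volume Information\_restore{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\RP143 win32:Jifas-CO [Trj]
C:\WINDOWS\system32\sample.dll win32:Jifas-CD [Trj]
""".strip().splitlines()
```

Running `triage(SAMPLE)` groups the first three hits under RP47 and RP143 and leaves `sample.dll` in the `live` list, which is the one that still needs attention on the running system.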

#4 erachinskas

Posted 03 February 2010 - 10:36 AM

Ok, so I looked at everything and did a complete full scan with a malware program. It found 2 infections. One was an AD.WARE. ***** THE OTHER THOUGH:
Something in my Windows. I deleted the files, rebooted, and THIS IS NOW WHAT I GET:


Windows could not start because of a computer disk hardware configuration problem.
Could not read from the selected boot disk. Check boot path and disk hardware.
Please check windows documentation about hardware disk configuration and your hardware reference manuals for additional information.



I can't even safe boot. NOTHING. NEED SERIOUS HELP.

#5 quietman7

Posted 03 February 2010 - 10:59 AM

Error message: "Windows could not start because of a computer disk hardware configuration problem"

This behavior can occur if any or some of the following conditions are true:

* The Default value in the [Boot Loader] section of the Boot.ini file is missing or invalid.
* Windows XP is not installed in the location specified in the Boot.ini file.
* The Ntoskrnl.exe file is missing or damaged.
* The partition path in the Boot.ini file is not set correctly.
* General hardware failure.

* Edit the Boot.ini file to restore or correct the Default entry
* Use the Bootcfg utility in the Recovery Console to correct the Boot.ini file


How to edit the Boot.ini file in Windows XP
How to install and use the Windows XP Recovery Console

If you don't have your XP CD you can download an ISO of the Recovery Console files from one of these locations:

Burn it as an image to a disk with MagicISO or a similar program to get a bootable CD which will start up the Recovery Console for troubleshooting and repair. This is especially useful for those with OEM systems with factory restore partitions or disks but no original installation CD. If you are not sure how to burn an image, please refer to How to write a CD/DVD image or ISO and How can I burn ISO files to CD or DVD?.

Note: In order to use the disk, the boot order must be set to start from the CD-ROM drive. If the CD is not first in the boot order, the computer will attempt to start normally by booting from the hard drive. The boot order is a setting found in the computer's BIOS, which runs when it is first powered on. This setting controls the order that the BIOS uses to look for a boot device from which to load the operating system. The default will normally be A:, C:, CD-ROM. Different computers have different ways to enter the BIOS. If you're not sure how to do this, refer to:

Edited by quietman7, 03 February 2010 - 11:11 AM.

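As an added example (mine, not from the linked Microsoft articles), a Python checker for the Boot.ini conditions listed above: it parses the file, verifies that `[boot loader]` carries a `default=` entry, that the entry is a well-formed ARC partition path, and that it matches a line under `[operating systems]`. The sample files are constructed.

```python
import re

# ARC path as written in Boot.ini, e.g. multi(0)disk(0)rdisk(0)partition(1)\WINDOWS;
# scsi(n) appears on some controllers; partition numbers start at 1.
ARC_RE = re.compile(
    r"^(?:multi|scsi)\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\((?P<part>\d+)\)\\[^\s=]+$",
    re.IGNORECASE,
)

def parse_boot_ini(text):
    # Minimal INI reader: sections and keys are lowercased (Boot.ini is case-insensitive).
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def check_boot_ini(text):
    # Returns the problems found; an empty list means the default entry is consistent.
    problems, sections = [], parse_boot_ini(text)
    default = sections.get("boot loader", {}).get("default")
    systems = sections.get("operating systems", {})
    if not default:
        return ["[boot loader] has no default= entry"]
    m = ARC_RE.match(default)
    if not m:
        problems.append("default is not a valid ARC path: " + default)
    elif int(m.group("part")) < 1:
        problems.append("partition() numbers start at 1: " + default)
    if default.lower() not in systems:
        problems.append("default does not match any [operating systems] entry")
    return problems

# Constructed samples: a consistent file, and one whose default names an unlisted partition.
GOOD = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""
BAD = GOOD.replace("default=multi(0)disk(0)rdisk(0)partition(1)", "default=multi(0)disk(0)rdisk(0)partition(2)")
```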

#6 erachinskas

Posted 03 February 2010 - 11:32 AM

Ok, I downloaded and burned the ISO with PowerISO and checked it with my laptop, which I'm on now. Put it in the computer and booted from the CD drive. Now it starts and reads the image on the CD, a black screen comes up and across the top it says,

Setup is checking your configuration...

Then reboots and does the same thing over and over.

#7 erachinskas

Posted 03 February 2010 - 11:53 AM

Still working with it. Got it to start and then got this:

Blue screen


File \i386\ntkrnlmp.exe could not be loaded.
The error code is 7



Need more help....

#8 quietman7

Posted 03 February 2010 - 12:14 PM

This behavior can occur if either one of the following conditions is true:

* There are incorrect settings in the computer's basic input/output system (BIOS) configuration.

-or-
* One or more of the random access memory (RAM) modules that is installed on the computer is faulty.

The file I386\Ntkrnlmp.exe could not be loaded. The error code is 7.


This issue may occur if your computer's BIOS has issues when ACPI is enabled.

Ntkrnlmp.exe Could Not Be Loaded Error Code 7

#9 Robert385001

Posted 05 February 2010 - 10:30 AM

Greetings.
I'm new to the post but not to computers. The virus that took over your hard drive is one I have been battling with for a number of customers. It is not a typical malware or virus. This is what happened to your computer.

The virus propagates through USB-supported devices and seeds when you insert the device and Windows calls an .inf file that says "hey, you have a USB connected and you can use it now". You can see the infected seed file on the infected USB device by setting "show hidden files". To clean the USB, on a computer that works, boot in safe mode (the .inf file is not invoked), show hidden files and delete the hidden file (make sure you are using a real del application and not sending it to the recycle bin). If the USB has been plugged into a Mac it will have other hidden files that are ok to delete.

It also spreads through web sites via torrent downloads, links for websites, virus fix-it applications, etc.

The virus starts out infecting files on your system and generally behaves for a bit, but eventually it triggers a Windows operating system "updates installed, you need to reboot", then the virus goes to work on your hard drive during the update.

The virus creates two new hidden partitions on your drive. The first is a character "-,+,~" and not a letter like C, D, E, so that Windows can't show it. The last partition is open on the end of your drive. The virus then copies your master boot record from bit 00 to 62 out past the last partition. It then encodes your MBR with its own encrypted code to call the boot information out at the end of the drive. So, you end up with a computer that looks like it's your computer, but all the control is in the hands of the virus.

Attempts to clean it don't work because you are removing the virus from files on the C: drive and not knocking it out in the MBR. This reserved space is tricky, because if you did wipe it, your drive will not boot. Same with doing a Windows install and removing the additional partitions. When the outer partition is removed, since it has your boot info, the hard drive will not boot. If you wipe the whole drive and reinstall, you will have the virus again, because it is still in the reserve area, the MBR.

To fix one of these I would recommend having the drive zeroed out and the boot sector reinstalled. I do this by having a separate machine set up to access the drive remotely with a different operating system boot. If you are ambitious, check out the "Ultimate Boot CD". It has tools that can zero the drive and format the MBR and set new partitions. A word of caution, though. This is not point and click. If not your flair, then take the computer to a skilled tech shop and have them do the work.

Also, change all your login info on the websites that you visit. Symantec has posted information about a very, very similar virus (actions are identical, just names are different) where the decoded info from the virus shows references to tracking banking websites that you might visit. Not good. And remember to check ALL of the USB devices that could have been plugged in. Even cameras, etc.