W32.Jeefo Virus

edpaulw

Technical User
Sep 8, 2002
24
CA
Somehow I managed to get this virus on my PC.

SARC documentation tells me to edit the registry and to remove a value:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

in the right pane to delete the value:

"PowerManager"="%windir%\svchost.exe"

I don't have any such entry. I've scanned the entire registry and can't find a reference to svchost.exe.

Now I believe I have located the "rogue" svchost.exe in the root of WinNT. It's a 36K file (36,352 bytes). Could a Win2K user verify that they do NOT have such a file in the root of WinNT?

I have renamed it but I think there must be more "to do" in order to kill this virus.

Could somebody tell me the ONLY spots you should see svchost.exe in Windows. I believe it is an 8K file in the SYSTEM directory, but I'd like to know for sure.

This thing is malicious. It starts randomly modifying all your EXE files. Likely right now it's busy killing files on my PC, but I'll recover everything from a drive image.
 
Hi,

The SVCHOST.EXE file should not be in the WinNT (WinDIR) directory; there should be one in the SYSTEM directory, and it is 8Kb.

Need a good virus checker and keep it up to date.



Kind Regards, Paul Benn

**** Never Give up, keep trying, the answer is out there!!! ****
 
This JEEFO virus is quite peculiar.

I did not have any major problems with my system until I upgraded to the latest NAV definitions (which were up to date previously).

Nothing showed up UNTIL I installed the latest definitions. Supposedly this virus appeared on the first week of June.

Yet my image files, which were made in the middle of May, when restored, show over 500 EXE files clobbered by JEEFO. And some of these files, which were supposedly altered, I'd been using with no problems.

So far today, simply by removing svchost.exe (32K version) my NAV program hasn't popped up. But something must be around that loaded that "rogue" file as per the registry info given by SARC.

I want to be very sure some memory resident code isn't hanging around before I go and TRY to fix all the corrupted EXE files.
 
Hi,

If it helps, the NAI website says that the virus installs a Service that keeps it running, and it also recommends that you disable the Automatic restore for ME & XP.

Have a look and good luck. Damn viruses are a real pain, and what do they get from it? Hey, but that's for another forum...

Good luck.

Kind Regards, Paul Benn

**** Never Give up, keep trying, the answer is out there!!! ****
 
edpaulw,

For Win2K, here are two places to check:

CURRENT_USER\Software\Microsoft\Windows\Run
LOCAL_MACHINE\Software\Microsoft\Windows\Run

You may also want to look at these:

CURRENT_USER\Software\Microsoft\Windows\RunOnce
LOCAL_MACHINE\Software\Microsoft\Windows\RunOnce
LOCAL_MACHINE\Software\Microsoft\Windows\RunOnceEx
%WinDir%\Win.ini
%WinDir%\System.ini

Ian
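Ian's list of load points, together with the earlier question about where svchost.exe legitimately lives and the note that the virus installs a service, can be checked from one script. The block below is an added example written for this page, not code from the thread, from SARC or from NAI. It assumes the full CurrentVersion\Run* key paths (as in the SARC reference quoted in the first post) and a modern PowerShell host, which Windows 2000 did not ship; the "expected" locations for svchost.exe are taken from the thread's own statement that only the SYSTEM directory copy is legitimate.

```powershell
# Added example (not from the thread): triage script for the persistence
# points discussed above, written for a modern PowerShell host.
# Assumptions: full CurrentVersion\Run* key paths as in the SARC reference
# quoted in the first post; the only legitimate svchost.exe lives under
# %windir%\System32 (and SysWOW64 on 64-bit Windows).

function Get-AutorunEntries {
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }   # key absent on this machine
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            $cmd = [string]$p.Value
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                # The pattern from the SARC note: a value pointing at svchost.exe outside System32
                Suspect = ($cmd -match 'svchost\.exe') -and ($cmd -notmatch '\\System32\\')
            }
        }
    }
}

function Get-IniAutoruns {
    # Win.ini [windows] run=/load= and System.ini [boot] shell= are the legacy load points
    foreach ($ini in @("$env:windir\win.ini", "$env:windir\system.ini")) {
        if (-not (Test-Path $ini)) { continue }
        Select-String -Path $ini -Pattern '^\s*(run|load|shell)\s*=\s*\S' |
            ForEach-Object { [pscustomobject]@{ File = $ini; Line = $_.Line.Trim() } }
    }
}

function Find-SvchostCopies {
    # Every svchost.exe on the system drive with size and hash; a copy outside
    # System32/SysWOW64 (like the %windir%\svchost.exe in the thread) deserves a look
    $allowed = @("$env:windir\System32", "$env:windir\SysWOW64")
    Get-ChildItem -Path "$env:SystemDrive\" -Filter svchost.exe -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                Bytes    = $_.Length
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Expected = ($allowed -contains $_.DirectoryName)
            }
        }
}

function Get-SuspectServices {
    # The NAI note quoted in the thread says the virus installs a service: list services
    # whose binary path references svchost.exe somewhere other than System32
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'svchost\.exe' -and $_.PathName -notmatch '\\System32\\' } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

Write-Host '== Run / RunOnce / RunOnceEx values =='
Get-AutorunEntries | Format-Table -AutoSize
Write-Host '== win.ini / system.ini load points =='
Get-IniAutoruns | Format-Table -AutoSize
Write-Host '== svchost.exe copies on the system drive =='
Find-SvchostCopies | Format-Table -AutoSize
Write-Host '== services launching svchost.exe from outside System32 =='
Get-SuspectServices | Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM and all of the system drive are readable. The `Expected` column is calibrated to the thread's Win2K/XP baseline; on Windows Vista and later, component-store copies under `%windir%\WinSxS` are normal and will show as unexpected, so compare the hash of any flagged copy against the System32 one before treating it as rogue.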
 
I can't seem to get anything done following all those instructions to remove this W32_Jeefo virus. Will I be able to get rid of it by simply reinstalling my Windows XP? Is there any other solution out there?
 
96TMaMi,

Give us some examples of things you could do, but can't do now.

Ian

Everyday the Computer Gods pick one person to be "it". Maybe, today is your day !!
 