w32.jeefo!!!



Abhishek
07-09-2005, 10:50 PM
Hi all out there. My name is Abhishek. There is a virus in my system called
w32.jeefo, but my antivirus was not able to clean the file, though it has
been quarantined. I updated my antivirus too, but it also could not do it for
me.
I use NAV 2003. Please suggest what I should do. Thanks for your help in
advance.

What's in a Name?
07-09-2005, 10:50 PM
Abhishek wrote:
> Hi all out there. My name is Abhishek. There is a virus in my system called
> w32.jeefo, but my antivirus was not able to clean the file, though it has
> been quarantined. I updated my antivirus too, but it also could not do it for
> me.
> I use NAV 2003. Please suggest what I should do. Thanks for your help in
> advance.
>
>

It is safe in quarantine. Since it is not a system file, it can't be
cleaned. You can delete it.
-max
--
Virus Removal Instructions: http://home.neo.rr.com/manna4u/
You can find my e-mail address on my pages.

Galen
07-09-2005, 10:50 PM
In news:42be3664$0$62505$892e7fe2@authen.white.readfreenews.net,
What's in a Name? <spamthis@nomail.afraid.org> had this to say:

My reply is at the bottom of your sent message:

> Abhishek wrote:
>> Hi all out there. My name is Abhishek. There is a virus in my
>> system called w32.jeefo, but my antivirus was not able to clean
>> the file, though it has been quarantined. I updated my antivirus too,
>> but it also could not do it for me.
>> I use NAV 2003. Please suggest what I should do. Thanks for your help
>> in advance.
>>
>>
>
> It is safe in quarantine. Since it is not a system file,it can't be
> cleaned. You can delete it.
> -max

And when you're done cleaning, reboot, pound the snot out of the F8 key, and
scan again (full scan, yes it will take a while) in Safe Mode without
networking.

Galen
--

"And that recommendation, with the exaggerated estimate of my ability
with which he prefaced it, was, if you will believe me, Watson, the
very first thing which ever made me feel that a profession might be
made out of what had up to that time been the merest hobby."

Sherlock Holmes

David H. Lipman
07-09-2005, 10:50 PM
From: "Abhishek" <abhishek_442@hotmail.com>

| Hi all out there. My name is Abhishek. There is a virus in my system called
| w32.jeefo, but my antivirus was not able to clean the file, though it has
| been quarantined. I updated my antivirus too, but it also could not do it for
| me.
| I use NAV 2003. Please suggest what I should do. Thanks for your help in
| advance.
|

There is a variant of the Jeefo that is a dropper. Just to make sure, perform a scan with
another scanner...

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } two batch files, four Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
On Win9x/ME the choices are: Trend, McAfee, Exit the menu and Reboot the PC.
On NT4, Win2k, WinXP and Win2003 Server the choices are: Sophos, Trend, McAfee, Exit the
menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

cquirke (MVP Windows shell/user)
07-09-2005, 10:50 PM
On Sun, 26 Jun 2005 09:18:03 +0530, "Abhishek"
<abhishek_442@hotmail.com> wrote:

>Hi all out there. My name is Abhishek. There is a virus in my system called
>w32.jeefo, but my antivirus was not able to clean the file, though it has
>been quarantined. I updated my antivirus too, but it also could not do it for
>me.

Could not update? That suggests active malware has clobbered it.

Jeefo.A or Jeefo.B?

Jeefo.A I'm well familiar with - it's a toughie, because it has a
face-hugger effect making it difficult to clean from outside the OS.

http://www.sophos.com/virusinfo/analyses/w32jeefoa.html

http://securityresponse.symantec.com/avcenter/venc/data/w32.jeefo.html

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100277

My general approach is to first detect and rename-away from outside
the OS, then (having deactivated it, so that it is not running in
Windows) I F8 into Safe Mode (Cmd Only, if NT/2000/XP) and then from
there, I run the free Jeefo killer from www.sophos.com i.e...

http://www.sophos.com/support/disinfection/jeefoa.html

If NTFS, then I can't do the first step, and it can get hairy, even
when using the Jeefo killer from Bart's... from a log of such:

<paste>

Trend's PC-cillin missed this, and Trend SysClean detects but cannot
clean it (it's a face-hugger, i.e. creates dependencies)

Cleaned using Sophos JeefoGUI (run off CDR), finds active plus 128
infected or dropped files, incl. newly-added AdAware etc.

Repeat scan finds Creative's CTWAV32.EXE still infected, cannot clean
or delete as "in use"

Bart boot from CDRW drive, run JeefoGUI from other CD drive… finds 317
infected files (esp. in SR data), fixes 289

Bart JeefoGUI repeat scan…can't clean CTWAV32.EXE, scan gets very slow
thereafter

Bart Cmd can't delete CTWAV32.EXE either as it is "in use" -> button
reset to restart Bart

Bart Cmd Ren "C:\Program Files\Creative\CTSnd\Program\CTWav32.exe"
CTWAV32.VXE - OK

Bart Cmd Ren "C:\Program Files\Creative\CTSnd\Program\CTWav32.exe"
CTWAV32.VXE - not found (as expected)

Bart JeefoGUI repeat scan finds several Jeefo in SR data, cannot clean
all, runs briskly though; finds 32, fixes 27

Bart JeefoGUI repeat scan finds several Jeefo in SR data, cannot
clean, still running briskly, finds 5, fixes 0

Bart Cmd Rd "C:\System Volume Information" /S /Q fails to delete
exactly 5 files as "in use" -> button reset to restart Bart

Bart Cmd Rd "C:\System Volume Information" /S /Q - OK

Bart Cmd Rd "C:\System Volume Information" /S /Q - not found (as
expected)

Bart JeefoGUI repeat scan finds nil - OK


Bart-booted SysClean likely missed Jeefo due to inability to "see" HD
installation's registry

This is a good example of why we need a proper maintenance OS for
NTFS.

Check scan of USB stick contents is OK

Note: Jeefo.A spreads via email, or via infected code files (hence
avoid infectable code in data and backup sets)

</paste>

>i use nav 2003. plz suggest me what should i do. thanks for ur help in
>advance.

If it's active, then one might want to approach this formally. Many
malware kill resident av, and even if Jeefo doesn't (I haven't re-read
the descs to see), others may. Jeefo's not new, so if the av missed
it, it's not up to much... OTOH, maybe it didn't miss it, and caught
it at the primary entrance. The incoming Jeefo attackment will be
100% malware, so there's nothing to "clean" (stupid dated terminology)


>-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
>----------------------- ------ ---- --- -- - - - -
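The log above ends with the advice to keep infectable code out of data and backup sets, because a file infector like Jeefo spreads by modifying executables wherever it finds them. The script below is an added example (not from this thread or from any of the tools it names) of how a defender can check that advice: it inventories PE files in a folder tree by their header bytes rather than by extension, records a SHA-256 baseline, and reports executables that are new, changed or missing on a later run. The sample "backup set" it builds is constructed in a temporary directory, and the "PE files" are stub files carrying only the MZ stub and PE signature, not real programs.

```python
"""
Baseline-and-compare check for executable content in a data/backup tree.
Added example; the only format knowledge used is the standard PE layout
('MZ' at offset 0, e_lfanew at offset 0x3C pointing at 'PE\0\0').
"""
import hashlib
import json
import struct
import tempfile
from pathlib import Path


def is_pe_file(path: Path) -> bool:
    """True if the file has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with path.open("rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large executables are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: Path) -> dict:
    """Map relative path -> SHA-256 for every PE file under root, whatever its extension."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and is_pe_file(p):
            result[p.relative_to(root).as_posix()] = sha256_of(p)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Report PE files that appeared, changed content, or disappeared since the baseline."""
    return {
        "new": sorted(k for k in current if k not in baseline),
        "changed": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
    }


def make_fake_pe(path: Path, payload: bytes) -> None:
    """Write a constructed stub: MZ header, e_lfanew = 0x40, then the PE signature. Not runnable code."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    path.write_bytes(bytes(header) + b"PE\0\0" + payload)


def demo() -> dict:
    """Build a constructed backup set, baseline it, simulate an infection, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "notes.txt").write_text("plain data, not infectable")
        make_fake_pe(root / "tool.exe", b"original body")
        # An executable parked under a data extension is still infectable; the header check finds it.
        make_fake_pe(root / "docs" / "readme.dat", b"executable hiding under a data extension")
        baseline = inventory(root)

        # Simulate an appending file infector touching one executable, plus a dropped file.
        with (root / "tool.exe").open("ab") as f:
            f.write(b"APPENDED CODE (constructed, not a real sample)")
        make_fake_pe(root / "docs" / "dropped.exe", b"new dropped file")

        return compare(baseline, inventory(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run against a real backup tree, `inventory()` would be saved once (for example as JSON) and `compare()` run against each later snapshot; any entry under "changed" or "new" is an executable that should not have changed in a data set and deserves a scan before the set is trusted or restored.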

