iuzar Posted July 23, 2004 Am pus-o de un virus de toata frumusetea: w32.jeefo mi-a infectat deja 220 fisiere in comp...acum pentru meseriasi: asta infecteaza svchost.exe pe care nu am cum sa-l sterg pt ca nu mai merge uindoza fara el...dati-mi o idee cum sa scap de el pt ca de fiecare data cand pornesc calculatorul imi mai infecteaza inca 30-40 fisiere...pliz Share this post Link to post
Mishu Posted July 23, 2004 Fa un update la anti-v, eventual poate gasesti un tool de curatare si porneste in safe-mode ca nu mai iti pune toate serviciile si incearca atunci. Eu asa am scapat de unii virusi. Share this post Link to post
iuzar Posted July 23, 2004 up-date la anti-v am facut...partea proasta e ca mi-a infectat liveupdate-ul NAV-ului si winupdate32.exe asa ca pina la urma cred ca va trebui sa reinstall... "> ...tool de curatare n-am gasit inca... Share this post Link to post
Mishu Posted July 23, 2004 Am avut si eu unul care omora procesele NAV-ului. De 2 saptamani mie nu imi mergea www.symantec.com si ma miram cind dracu o sa puna aia situl la loc! In realitate imi trecuse in fisierul "etchosts" din windows tot ce era site antivirus la 127.0.0.1. Am luat update-ul am intrat in safe mode si am dat clean. Am scapat, mi-am pus firewall si de atunci nu mai am probleme. Share this post Link to post
florinbad Posted July 23, 2004 Iuzar, my friend, du-te repede aici: http://www.sophos.com/support/disinfection/jeefoa.html Share this post Link to post
iuzar Posted July 23, 2004 sar'na florin...dar oare o merge tool-ul asta pentru varianta pe care o am eu? W32.Jeefo...ca acolo scrie doar de W32/Jeefo-A (o alterare a virusului original, presupun) ca il curata... Share this post Link to post
NFS Posted July 23, 2004 "etchosts" din windows :speriat: Aicea ceva pute... Share this post Link to post
florinbad Posted July 23, 2004 Mai încearca varianta scanarii on-line de la RAV-antivirus numai pentru folderul/folderele care consideri ca ti-au fost atacate. Dureaza cam mult, dar poate ti-l scoate...( pentru tot discul dureaza foarte mult ). In lista virusilor NU am gasit si w32jeefo. Bafta, eu între timp mai fac sapaturi! Share this post Link to post
Mishu Posted July 23, 2004 "etchosts" din windows :speriat: Aicea ceva pute... C:WINDOWSsystem32driversetc Era W32-Donk.Q (http://securityresponse.symantec.com/avcenter/venc/data/w32.donk.q.html) Si pt Jeefo gasii asta: http://securityresponse.symantec.com/avcen.../w32.jeefo.html Disable System Restore (Windows Me/XP). Update the virus definitions. Restart the computer in Safe mode or VGA mode. Run a full system scan and delete all the files detected as W32.Jeefo. Delete the value that was added to the registry (Windows 95/98/Me). Bafta! Share this post Link to post
iuzar Posted July 23, 2004 Mai încearca varianta scanarii on-line de la RAV-antivirus numai pentru folderul/folderele care consideri ca ti-au fost atacate. Dureaza cam mult, dar poate ti-l scoate...( pentru tot discul dureaza foarte mult ). In lista virusilor NU am gasit si w32jeefo. Bafta, eu între timp mai fac sapaturi! Din pacate la ultima scanare de azi dimineata imi afectase toate trei partitiile de pe hard...nu stiu cum a reusit dar jeefo mi-a infectat chiar si fisiere de symbian arhivate cu winrar...e VARZA! Share this post Link to post
iuzar Posted July 23, 2004 Si pt Jeefo gasii asta:http://securityresponse.symantec.com/avcen.../w32.jeefo.html Bafta! sar'na. asta o gasisem si eu, am listat-o si o sa ma instalez cu ea in brate in fata calcului acasa...dar mai intai o sa incerc tool-ul...mersic mult... Share this post Link to post
Shenck Posted July 23, 2004 Booteaza de pe un CD, restureaza fisierele .exe ale Windowsului (cele infecate svchost.exe , etc) reboteaza de pe hdd si dezinfecteaza folosind un av competent. Dupa ce scapi de el mergi cu un monitor in background. Share this post Link to post
florinbad Posted July 23, 2004 Mai este o varianta de devirusare (daca nu cumva ai ajuns si pe aici!): What to do if you are infected by a dropper.jeefo, W32 Hi-Drag or W32Jeefo or Jeefo a Virus. On a W2k system or a WIN-XP system it is fairly easy to abort the spread. The W32 Jeefo is spread by a 'dropper' exe that is inserted into the hosts root folder, WINNT or Windows, as a generic svchost.exe that then creates a service called 'Power Manager' that starts automaticaly each time the computer is booted up. First the user needs to kill the svchost.exe in the infected computers root directory in order to stop the spread of this virus during disinfection. When attempting to delete the file svchost.exe the user will be told that it is in use and cannot be deleted; still, it MUST be deleted. Task Manager will not let you delete this file either and the same 'in-use' message will appear. A great piece of software that I keep handy on a floppy disk is ProgKill, it kills whatever you tell it to; or, use the SysInternals software called ProcExp (links to both homepages are at the bottom of this page) Now shut down the svchost.exe with either of those programs. Immediatly after terminating the process delete the file svchost.exe and go to the next step. (In a native Windows root directory there is no svchost.exe) Go into 'Administrative Tools' and open 'Services' Find Power Manager and right click to go to its properties. Disable the bastard to start with, and stop its running, thus stopping its reloading at next system boot; and, stopping its continuous spread during disinfection. Next, go into 'Add/Remove Hardware' in the control panel and click on view hidden devices, scroll down until you find 'Power Manager' and uninstall it as a piece of hardware and thus a service. Next use a good AntiVirus program such as SRNMicro Solo Anti Virus or Sophos Anti Virus (both at the top of our Top ten AV Software, and as yet, uncracked) Have your AV software run a scan and clean and delete all infected files; it is a good idea to put your original OS (Windows) CD in the drive in case a system file needs to be deleted. Next, open your start tab and click 'Run' type CMD into the text box and hit enter. The command prompt DOS-like shell will open. Type 'SFC /purgecache' and, with your Windows CD in the main CD-Rom drive, hit enter. This will force Windows to purge its DLL cache and repopulate with clean system files. After the scan/purge/clean is finished type 'SFC /Enable' and hit enter again. This will make sure that your OS has its System File Checker enabled. (For notes on Windows System File Checker and related commands click HERE) http://www.agreyarea.com/win32hidrag.html Share this post Link to post
iuzar Posted July 23, 2004 aici n-am ajuns inca dar am sa incerc si varianta asta..mersic mult florin Share this post Link to post
brusli Posted July 23, 2004 up-date la anti-v am facut...partea proasta e ca mi-a infectat liveupdate-ul NAV-ului si winupdate32.exe asa ca pina la urma cred ca va trebui sa reinstall... "> ...tool de curatare n-am gasit inca... parerea mea: nav este un big ca_ca ca AV...e degeaba. ndd-ul si toate celelalte foote windows la greu produse norton buuuune: nc, nghost. nu se pun 2 antivirusi pe un calc. Share this post Link to post
iuzar Posted July 24, 2004 Dupa ce scapi de el mergi cu un monitor in background. Sar'na! Poti dezvolta, te rog, faza cu monitor in background? ca habar n-am ce zici. Share this post Link to post
Shenck Posted July 24, 2004 Av-urile care se respecta inafara de modulul de scanat mai au un modul rezident care scaneza tot ce accesezi. Kav-ul vine cu un monitor care tinde spre 0% incarcare CPU ,foloseste destul de putine resurse. Monitorul este un program care intercepteaza executia de program si read/write de fisiere. Orice faci trece inti prin el si este scanat. Daca fisierul este virusat iti blocheaza accesul la el. Chiar daca nu ai tote patch-urile la zi monitorul va tzipa, iti da sema ca ai o brese in sys de securitate si cautzi patchurile pt win. Dezactiveaza Firewallul de windows care ese o mare prorcarie si pune-ti un firewall serios. Share this post Link to post
iuzar Posted July 24, 2004 Dragos, am pe teava pe de ce si kav-ul prof si bitdef prof...care e mai bun?... si ca firewall?...sa pun sygate? mersic mult Share this post Link to post
Shenck Posted July 24, 2004 Eu merg cu Kav. BitDef l-am testat si da multe alarme false. Ca firewall eu folosesc Zone Alarm. Are o singura hiba, gasita de mine: nu mai merge bine de ce++, dar nu e bai ca tot nu foloseam app de p2p. Share this post Link to post
iuzar Posted July 27, 2004 Gata! Rezolvat problema dupa ce ajunsesem la aprox 400 de fisiere virusate... luat tool-ul special pt jeefo care a reusit sa-mi curete si svchost.exe... Urmatoarele actiuni: trimis NAV-ul la mama lui symantec, sa-l foloseasca ea, instalat Kav, Zone Alarm Pro si Spybot, reinstalat toate aplicatiile facute terci de jeefo. Mersic mult tuturor pentru ajutor! Share this post Link to post
hitman Posted October 22, 2004 Scriu aici ca sa nu mai deschid un topic nou: Am virusul W32/Deborm-Q Am Spohos ca program antivir, instalat de adminul retelei pe laptopul meu (sint logat la o companie si ere musai ca sa fiu company compliant). Nu am prea mari dreptul la Sophos dar e ok pt. ce am nevoie. Am fost aici http://www.sophos.com/virusinfo/analyses/w...w32debormq.html Am respectat instructiuniile in afara de sfatul cu registrii ca nu vreau sa ma bag. Degeaba: in primul rind cind Sophosul ruleaza si gaseste nu poate sa stearga, spuna ca 'Error deleting file W32/Deborm-Q'. Wormul asta instaleaza niste trojani (conform cu datele de pe situl Sophos). Cind da de trojanul Litmus instalat de Deborm-Q il sterge. Mai gaseste si niste chestii din astea pe directorul Temp din IE6. Adminu' nu e aici ca sa-l intreb ce sa fac. Problema e ca tot timpul cind ma duc pe net Sophosul ma fte la creieri cu mesaje de atentionare. Ce sa fac? Please help!! Share this post Link to post
VAXXi Posted October 22, 2004 Bagă-te fără frică la registry, n-ai ce să strici. HKLMSoftwareMicrosoftWindowsCurrentVersionRunNAV Live Update Aici se găsesc intrările programelor care sunt pornite automat la pornirea calculatorului (practic, un program ce porneşte automat odată cu ţompul - aşa cum sunt viermii ăştia, poate fi lansat din 3 locuri: registry, startup sau win.ini). Deci trebuie să ştergi cheia asta şi adios. Share this post Link to post
NFS Posted October 22, 2004 Pai, destul de simplu... umbla si in registrii (cum spune pe site), altfel nu rezolvi nimic. Share this post Link to post
hitman Posted October 22, 2004 Am ajuns la Run. Dar nu e nimic interesant. Cind clikai pe el am in drepta (inauntru ferestrei regedit) ab(Default) / REG_SZ / (value not set). Acum tot aici in directorul Run mai am un subdirector OtionalComponets cu subdirectoarele IMAIL, MAPI, MSFS. In subdirectorul corespunzator am: IMAIL- in drepta am doua rinduri ab(Default) / REG_SZ / (value not set) si ab Installed / REG_SZ / 1 MAPI- in dreapta am trei rinduri: ab(Default) / REG_SZ / (value not set) si ab Installed / REG_SZ / 1 si abNoChange / REG_SZ / 1 MSFS-in drepta am doua rinduri ab(Default) / REG_SZ / (value not set) si ab Installed / REG_SZ / 1 WTF???? Share this post Link to post
VAXXi Posted October 22, 2004 Verifică şi ramura similară HKCU (current user), e exact aceeaşi cale. Share this post Link to post
