ClamWin Free Antivirus
Support and Discussion Forums
C:\WINDOWS\svchost.exe: W32.Jeefo FOUND - False Positive???
mikeysrealm


Joined: 31 Dec 2005
Posts: 3
Running: Clamwin 0.87.1, main: 34, daily: 1219
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


ClamWin detected w32.Jeefo on my system, and following some research on the net, I found that this virus typically installs a registry key called "PowerManager" - yet no such key exists on my system (I searched manually and with the "find" feature). Here is the virus log output:

--------------------------------------
Scan started: Sat Dec 31 02:00:00 2005

ERROR: Can't open file C:\WINDOWS\system32\config\SECURITY
ERROR: Can't open file C:\WINDOWS\system32\config\SAM
ERROR: Can't open file C:\WINDOWS\system32\config\SYSTEM
ERROR: Can't open file C:\WINDOWS\system32\config\SOFTWARE
ERROR: Can't open file C:\WINDOWS\system32\config\DEFAULT
ERROR: Can't open file C:\WINDOWS\system32\CatRoot2\tmp.edb
ERROR: Can't open file C:\WINDOWS\SoftwareDistribution\EventCache\{A4C816E4-EE0D-4C62-8E5A-3ED5FC90B944}.bin
C:\WINDOWS\svchost.exe: W32.Jeefo FOUND
C:\Documents and Settings\Mik W\My Documents\Downloads\Password-Crackers\brutus\brutus-aet2.zip: Virtool.Brutus.A FOUND
C:\Documents and Settings\Mik W\My Documents\Downloads\Password-Crackers\brutus\BrutusA2.exe: Virtool.Brutus.A FOUND
C:\Documents and Settings\Mik W\My Documents\Website\2005-12-mikeysrealm\ie-vun.htm: Trojan.URLspoof.gen FOUND
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP50\A0006149.exe: Virtool.Brutus.A FOUND
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP50\A0006466.exe: W32.Jeefo FOUND
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP50\A0006467.exe: W32.Jeefo FOUND

-- summary --
Known viruses: 42042
Engine version: 0.87.1
Scanned directories: 6042
Scanned files: 113023
Infected files: 7
Data scanned: 59811.58 MB
Time: 11130.473 sec (185 m 30 s)

I have taken a few SANS courses, so several of the hits are on files that I have downloaded - and the ie-vun.htm page I wrote to illustrate a vulnerability for one of my clients, and a method of stopping it via http proxies (prior to IE patches coming out). These files always hit on the scan and I leave them alone - this way I know that the scanner is working!

Could this possibly be a false positive?

Thanks
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
I don't think it is a false positive, looks like the real virus. You can use http://www.virustotal.com to scan the file online with different a/v programs.
mikeysrealm


Joined: 31 Dec 2005
Posts: 3
Thanks - I did just that - it appears to be a virus file. After deletion and rerunning ClamWin I appear to be fine - no services or registry keys that are unusual....

Mike
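
As an added example (not part of the original thread and not ClamWin code): a small Python triage of the `FOUND` lines from the scan log in the first post. It flags a hit whose file name matches a Windows system binary but whose folder is not System32, and hits that are copies inside a System Restore point; the list of binary names and the function names are assumptions chosen for illustration.

```python
import ntpath
import re

# Sample lines copied from the scan log in the first post of this thread.
SAMPLE_LOG = r"""
ERROR: Can't open file C:\WINDOWS\system32\config\SAM
C:\WINDOWS\svchost.exe: W32.Jeefo FOUND
C:\Documents and Settings\Mik W\My Documents\Downloads\Password-Crackers\brutus\BrutusA2.exe: Virtool.Brutus.A FOUND
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP50\A0006466.exe: W32.Jeefo FOUND
"""

# Assumption: Windows binaries whose genuine copy lives in System32
# (SysWOW64 is also accepted for 64-bit systems).
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = ("system32", "syswow64")
HIT = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def parse_hits(log):
    """Return (path, signature) for every '<path>: <signature> FOUND' line."""
    hits = []
    for line in log.splitlines():
        m = HIT.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def triage(log):
    """Attach location notes to each hit; an empty list means no location clue."""
    report = []
    for path, sig in parse_hits(log):
        notes = []
        name = ntpath.basename(path).lower()
        parent = ntpath.basename(ntpath.dirname(path)).lower()
        if name in SYSTEM32_ONLY and parent not in SYSTEM_DIRS:
            notes.append("system binary name outside System32")
        if "\\system volume information\\_restore" in path.lower():
            notes.append("copy inside a System Restore point")
        report.append((path, sig, notes))
    return report

if __name__ == "__main__":
    for path, sig, notes in triage(SAMPLE_LOG):
        print(f"{sig:20} {path}\n    -> {'; '.join(notes) or 'no location clue'}")
```
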