W32/Jeefo.A File Deletion Problem

#1
Guest

I tried using the Sophos tools to remove this virus and the tools do not detect it. My F-Prot Antivirus program keeps detecting this virus but it seems to kill each instance before it can spread. I don't see the modified keys in the registry either. However, I am still getting 5 - 10 popups per day saying F-Prot blocked the file infected with W32/Jeefo.A. It is always the same file embedded deep in the system at C;\System Volume Information|.... directory path. The file is A0010718.exe.

Unfortunately, Windows does not allow me access to this directory to blow this file off my system. Any help is appreciated on how to get rid of this infected file or access to the System Volume Information directory.

Thank you for your time.

#2
Guest

The file in System Restore (System Volume Information) is NOT the file infecting the system. Unless this is the first malware that can infect a system from System Restore, then you'd be better off following Trend's method for removing Jeefo.A :

http://www.trendmicro.com/vinfo/vir...FO%2EA&VSect=Sn

Also, ensure that F-Prot is up to date with the latest definitions, then boot to Safe Mode, and scan the system from within there :
http://snipurl.com/dmbp

Once the system is clean, then suggest you flush System Restore by right clicking My Computer (either on the Desktop or the Start Menu), choose Properties.
Click the System Restore tab and put a check mark next to " Turn off System Restore "
Click Apply, OK.
This will flush the restore hierarchy.
Reenable it afterwards by unchecking the box, then clicking Apply, OK.

Is this the tool from Sophos that was used ? :
http://www.sophos.com/support/disinfection/jeefoa.html

MowGreen [MVP 2003-2006]
===============
*-343-* FDNY
Never Forgotten
===============

Jedanor wrote:

> I tried using the Sophos tools to remove this virus and the tools do not
> detect it. My F-Prot Antivirus program keeps detecting this virus but it
> seems to kill each instance before it can spread. I don't see the modified
> keys in the registry either. However, I am still getting 5 - 10 popups per
> day saying F-Prot blocked the file infected with W32/Jeefo.A. It is always
> the same file embedded deep in the system at C;\System Volume
> Information|.... directory path. The file is A0010718.exe.
>
> Unfortunately, Windows does not allow me access to this directory to blow
> this file off my system. Any help is appreciated on how to get rid of this
> infected file or access to the System Volume Information directory.
>
> Thank you for your time.

#3
Guest

From: "Jedanor" <Jedanor@discussions.microsoft.com>

| I tried using the Sophos tools to remove this virus and the tools do not
| detect it. My F-Prot Antivirus program keeps detecting this virus but it
| seems to kill each instance before it can spread. I don't see the modified
| keys in the registry either. However, I am still getting 5 - 10 popups per
| day saying F-Prot blocked the file infected with W32/Jeefo.A. It is always
| the same file embedded deep in the system at C;\System Volume Information|....
| directory path. The file is A0010718.exe.
|
| Unfortunately, Windows does not allow me access to this directory to blow
| this file off my system. Any help is appreciated on how to get rid of this
| infected file or access to the System Volume Information directory.
|
| Thank you for your time.

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

The file is in the System Restore cache. You have two choices.

1. Ignore it and it will eventually cache-out. That is unless you expect to restore from a previous restore point which could restore the Jeefo.
2. Disable the System Restore cache. Reboot the PC and re-enable the cache and then create a new Restore point. This will flush out the infector.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
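
Added example, not part of the thread and not any poster's code: a small triage script for the distinction drawn in the two replies above, separating detections that sit in the Windows XP System Restore cache from detections on the live file system. The `timestamp|signature|path` log format, the GUID, the RP numbers and the second signature are constructed placeholders, not F-Prot's real log format.

```python
import re
from collections import defaultdict

# Windows XP System Restore stores backed-up files as A<digits>.<ext> under
# <drive>:\System Volume Information\_restore{GUID}\RP<n>\
RESTORE_COPY = re.compile(
    r"^[A-Z]:\\System Volume Information\\_restore\{[0-9A-F-]{36}\}"
    r"\\RP\d+\\A\d+\.\w+$",
    re.IGNORECASE,
)

def classify(path):
    """'restore_cache' for a System Restore backup copy, otherwise 'live'."""
    return "restore_cache" if RESTORE_COPY.match(path.strip()) else "live"

def triage(log_lines):
    """Count detections per signature by location and name the next step."""
    counts = defaultdict(lambda: {"live": 0, "restore_cache": 0})
    for line in log_lines:
        fields = line.strip().split("|", 2)
        if len(fields) != 3:
            continue  # not a detection record in the assumed format
        _timestamp, signature, path = fields
        counts[signature][classify(path)] += 1
    report = {}
    for signature, seen in counts.items():
        if seen["live"]:
            step = "clean live files first (Safe Mode scan), then flush System Restore"
        else:
            step = "restore-cache copies only: flush System Restore after a clean scan"
        report[signature] = dict(seen, next_step=step)
    return report

# Constructed sample log: GUID, RP numbers, timestamps and the second
# signature are placeholders, not values taken from the thread.
CACHE = r"C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}"
SAMPLE_LOG = [
    "day1 09:14|W32/Jeefo.A|" + CACHE + r"\RP12\A0010718.exe",
    "day1 13:40|W32/Jeefo.A|" + CACHE + r"\RP12\A0010718.exe",
    "day1 13:41|EXAMPLE/Placeholder.B|" + r"C:\Temp\sample.exe",
    "day1 13:42|EXAMPLE/Placeholder.B|" + CACHE + r"\RP13\A0010801.exe",
    "scanner started",
]

if __name__ == "__main__":
    for sig, row in triage(SAMPLE_LOG).items():
        print(sig, row)
```
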

#4
Guest

Yes. That was the Sophos tool I was using.

And thanks Dave. I will flush system restore and see what happens from there.

"MowGreen [MVP]" wrote:

> The file in System Restore (System Volume Information) is NOT the file
> infecting the system. Unless this is the first malware that can infect a
> system from System Restore, then you'd be better off following Trend's
> method for removing Jeefo.A :
>
> http://www.trendmicro.com/vinfo/vir...FO%2EA&VSect=Sn
>
> Also, ensure that F-Prot is up to date with the latest definitions, then
> boot to Safe Mode, and scan the system from within there :
> http://snipurl.com/dmbp
>
> Once the system is clean, then suggest you flush System Restore by right
> clicking My Computer (either on the Desktop or the Start Menu), choose
> Properties.
> Click the System Restore tab and put a check mark next to " Turn off
> System Restore "
> Click Apply, OK.
> This will flush the restore hierarchy.
> Reenable it afterwards by unchecking the box, then clicking Apply, OK.
>
> Is this the tool from Sophos that was used ? :
> http://www.sophos.com/support/disinfection/jeefoa.html
>
> MowGreen [MVP 2003-2006]
> ===============
> *-343-* FDNY
> Never Forgotten
> ===============
>
> Jedanor wrote:
>
> > I tried using the Sophos tools to remove this virus and the tools do not
> > detect it. My F-Prot Antivirus program keeps detecting this virus but it
> > seems to kill each instance before it can spread. I don't see the modified
> > keys in the registry either. However, I am still getting 5 - 10 popups per
> > day saying F-Prot blocked the file infected with W32/Jeefo.A. It is always
> > the same file embedded deep in the system at C;\System Volume
> > Information|.... directory path. The file is A0010718.exe.
> >
> > Unfortunately, Windows does not allow me access to this directory to blow
> > this file off my system. Any help is appreciated on how to get rid of this
> > infected file or access to the System Volume Information directory.
> >
> > Thank you for your time.