Endpoint Protection


Definition results upon start up.


  • 1.  Definition results upon start up.

    Posted Jun 10, 2010 03:24 AM

    I am currently using Symantec Endpoint Protection and I was hit with the W32.Jeefo virus.  I was able to delete all traces of the virus itself by using Symantec to remove/quarantine some files and by manually deleting them myself.  However, now every time I turn on my PC the Symantec AntiVirus Detection Results window pops up and says that it has cleaned 3 files infected with W32.Jeefo.  These files cannot be deleted or quarantined from my PC, however.  I have also looked in the directory that the AntiVirus says they are in and they are not in there for manual deletion.  I would like to stop the detection results from showing up on every start up.  It is slowing my start ups down and is also starting to become somewhat of a nuisance to me.  Thanks in advance for any help you can offer.


  • 2.  RE: Definition results upon start up.

    Posted Jun 10, 2010 03:40 AM
    Disable the notification; in this case Symantec will do its job and you won't get the pop-ups.
    Open SEPM
    Policies
    File System Auto-Protect
    Select Notifications and uncheck that
    Similarly do that for admin-defined scans


  • 3.  RE: Definition results upon start up.

    Broadcom Employee
    Posted Jun 10, 2010 04:10 AM
    Disable notification; also scan the system in Safe Mode and delete the file. There is an attack signature; have IPS enabled on this affected system so that the system is safe from this threat.


  • 4.  RE: Definition results upon start up.

    Posted Jun 10, 2010 04:37 AM
    Is there any way to get Symantec to realize that file isn't on my computer and to stop it from "cleaning" a ghost file upon every start up?


  • 5.  RE: Definition results upon start up.

    Posted Jun 10, 2010 05:24 AM
    If you are not able to find the file in that directory, it doesn't mean it won't be there; there might be rootkits which are hidden from the user API.
    What is the action taken by Symantec on those files? And what is the location of the files?


  • 6.  RE: Definition results upon start up.

    Posted Jun 10, 2010 01:38 PM

    It cleans them, but when I try to delete or quarantine them it says it cannot and gives three possible reasons why it cannot.  It is listed in the C:\Documents and Settings\Local Settings\Temp folder.


  • 7.  RE: Definition results upon start up.



  • 8.  RE: Definition results upon start up.

    Posted Jun 10, 2010 03:32 PM

    Yes, it says it has cleaned all 3 files.


  • 9.  RE: Definition results upon start up.

    Posted Jun 23, 2010 07:24 PM

    Aside from turning off notification upon startup, is there anything I can do?  It always tells me it cleaned all 3 files and I wouldn't care that it tells me, but it slows down my computer on startups considerably.  Is there any way to reset its memory or alter a file so that it doesn't think that these ghost files need cleaning?


  • 10.  RE: Definition results upon start up.

    Posted Jun 24, 2010 01:10 PM
    Stop all Symantec services and delete those files.
    Use the WhoLockMe tool to see who exactly is holding those files.


  • 11.  RE: Definition results upon start up.

    Posted Jun 24, 2010 02:00 PM

    The problem is the files are nowhere to be found on the computer.  I've run extensive searches on them and they're not on the computer at all, so Symantec Endpoint Protection is essentially telling me that it is cleaning files that don't exist.  How do I make it realize that these 3 files don't exist?

    P.S. The files are DWH3D22.tmp, DWH33207.tmp and APQA.tmp    I know they're temp files, but they're not in the temp folder at all.  That's where Symantec Endpoint Protection says the first 2 are.  The 3rd is in C/Documents and Settings/All Users/Application Data/Symantec/SRTSP/Quarantine.  I can't open that folder though, it says access denied.


  • 12.  RE: Definition results upon start up.

    Posted Jun 24, 2010 02:03 PM

    If you delete the logs, do they appear?
    Open SEP
    Click on Logs
    Antivirus logs
    Delete all the logs; check if they appear again



  • 13.  RE: Definition results upon start up.

    Posted Jun 24, 2010 02:10 PM

    They're all there under Risk Logs, but I cannot Clean, Delete, Undo or Quarantine.  The only thing I can do is Export.  When I try to delete it gives me this message:

    SEP cannot perform this action on 1 of the files you selected.
    Probable Causes:
    The files have been moved or deleted
    You are trying to clean files located in an email
    You are trying to clean a compressed file in a container


  • 14.  RE: Definition results upon start up.

    Posted Jun 24, 2010 02:23 PM
    Give permission to the Quarantine folder and open it. Delete the files inside it.
    Then stop SMC (Start > Run: smc -stop).
    Then delete all the log files from
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs
    Then remove your permission from the folder.

    Then start the SMC service (Start > Run: smc -start).

    Then check if the files get detected again.



  • 15.  RE: Definition results upon start up.

    Posted Jun 24, 2010 02:31 PM

    How do I give permission to open the quarantine folder?
    Remember there is only 1 of the 3 files supposedly inside that quarantine folder, and since the other 2 are not where SEP says they are I'm guessing that this one won't be in there either.  I was able to find the "Logs" folder and delete what was in it.  I will restart and hopefully I won't get the notification; I'll update you as soon as I know.


  • 16.  RE: Definition results upon start up.

    Posted Jun 24, 2010 02:59 PM
    Well, I wasn't able to get into the quarantine folder since I'm not sure how to give myself permission to do so, but the folder I deleted the logs from was:  C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs   That still didn't do it though.  I followed all your instructions perfectly, but it still notified me upon startup like it has been.


  • 17.  RE: Definition results upon start up.

    Posted Jun 25, 2010 04:45 AM

    Hi,

    Go to the command prompt, browse to the location where the file is, and type in the command below:

    attrib -r -a -s -h *.*

    You will be back at the command prompt; use the dir command and check if you are able to see those files.

    As you mentioned earlier the file is located under "C:\Documents and Settings\Local Settings\Temp"; you can also use the command del *.* and then try to reboot the machine and see if you are able to see those files.

    Also post the names of those files which you are getting detected by Symantec as threat.

    Thank you.
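    As an added example (not part of the thread or of any Symantec tooling), the following PowerShell script does the same inventory as the attrib/dir steps above without stripping attributes from every file in the folder: it lists hidden and system files, checks whether the three names SEP keeps reporting are actually on disk, and reads (but does not change) the ACL on the quarantine folder. It assumes a modern PowerShell run as an administrator; the paths and file names are the ones quoted in this thread and would be adjusted for your own machine.

```powershell
# Added example, not from the thread: inventory the folders SEP names, read-only.
# Assumptions: run as administrator; XP-era paths and file names taken from the thread.
$tempDir       = Join-Path $env:USERPROFILE 'Local Settings\Temp'
$quarantineDir = 'C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine'
$reported      = @('DWH3D22.tmp', 'DWH33207.tmp', 'APQA.tmp')   # names from the detection log

function Show-HiddenFiles {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Folder not found: $Path"
        return
    }
    # -Force includes hidden and system files; attributes are reported, not modified
    Get-ChildItem -LiteralPath $Path -Force -File -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTime,
            @{Name = 'Hidden'; Expression = { [bool]($_.Attributes -band [IO.FileAttributes]::Hidden) }},
            @{Name = 'System'; Expression = { [bool]($_.Attributes -band [IO.FileAttributes]::System) }} |
        Format-Table -AutoSize
}

function Test-ReportedFiles {
    param([string]$Path, [string[]]$Names)
    foreach ($name in $Names) {
        $full   = Join-Path $Path $name
        # Test-Path sees hidden files too, so "not on disk" really means absent
        $exists = Test-Path -LiteralPath $full -PathType Leaf
        '{0,-14} {1}' -f $name, $(if ($exists) { 'present' } else { 'not on disk' })
    }
}

Show-HiddenFiles  -Path $tempDir
Test-ReportedFiles -Path $tempDir -Names $reported

# The quarantine folder is ACL-protected by design; show who has access rather than widening it
try {
    (Get-Acl -LiteralPath $quarantineDir -ErrorAction Stop).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
} catch {
    Write-Warning "Cannot read ACL on $quarantineDir : $($_.Exception.Message)"
}
```

    A name that keeps appearing in the detection pop-up but comes back as "not on disk" here points at a stale log or quarantine record rather than a live file, which is the situation the later replies in this thread end up suspecting.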


  • 18.  RE: Definition results upon start up.

    Posted Jun 26, 2010 05:52 PM

    I tried using the DEL command in the command prompt, however it said it was unable to find the file(s) I had asked it to del. 


  • 19.  RE: Definition results upon start up.

    Posted Jun 29, 2010 03:20 PM

    What would be the downside to turning off notifications upon start up?  It seems like that is the only option I have aside from uninstalling it and going with another virus program.


  • 20.  RE: Definition results upon start up.

    Posted Jun 29, 2010 03:29 PM
    There is no downside; Symantec will be doing the job, however you won't be notified. You can check the same under the Logs option.
    Is it possible to post a screenshot?


  • 21.  RE: Definition results upon start up.

    Posted Jul 01, 2010 06:39 PM
    Yeah, I'll attach some screenshots for you to take a look at.  Hopefully they help.


  • 22.  RE: Definition results upon start up.

    Posted Jul 02, 2010 12:36 AM
    Did you try turning off System Restore? If not, try it.


  • 23.  RE: Definition results upon start up.

    Posted Jul 02, 2010 10:26 AM

    Turn off the system restore and then do what?


  • 24.  RE: Definition results upon start up.

    Posted Jul 02, 2010 11:14 AM

    Turning off System Restore will wipe out previous points potentially storing malicious files.  Also, are there any items in the Quarantine?  Maybe remove those items.

    You can disable the startup scan:

    Title: 'How to disable/enable Startup and Quick Scans within the Symantec Endpoint Protection Manager'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007120615243648

    The detections you are getting, however, are Auto-Protect (not startup scan) and the files are being cleaned by deletion.  That's why you can't find them.

    From the Security Response page: "W32.Jeefo is a memory resident virus that infects Windows 32-bit portable executable files."  Maybe you need to download the Symantec Endpoint Recovery Tool and boot and scan from it.  You should be able to download that via Fileconnect with your serial number.

    sandra


  • 25.  RE: Definition results upon start up.

    Posted Jul 15, 2010 07:30 PM

    Sorry I haven't gotten back to you guys in a while; my computer monitor stopped working and I had to order a new one.  Anyway, I turned off System Restore and then I restarted with a Full Scan on startup and it did not find anything at all.  I re-ran a full scan and it again found nothing.  However, when I turned on my computer after turning off System Restore it still brought up the 3 W32.Jeefo viruses that it always does.

    Any other ideas on how to get rid of this?


  • 26.  RE: Definition results upon start up.

    Posted Jul 16, 2010 10:28 AM

    I took a second look at your screen shots, and presuming the detections are in the same place, I think what you're seeing might be a result of rescanning the Quarantine.  Go into SEP itself and clear out the Quarantine, if there are any items present.

    sandra


  • 27.  RE: Definition results upon start up.

    Posted Jul 16, 2010 11:43 AM

    Alright, I deleted everything in the quarantine.  Is that all I need to do for now?  I'll restart my computer in a little while and see if it worked.

    -I restarted my computer and it still came up. 


  • 28.  RE: Definition results upon start up.

    Posted Jul 16, 2010 02:39 PM

    Hm, not sure what more to suggest except booting from a SERT disk and scanning that way, as mentioned above.

    SERT is available via Fileconnect.

    Title: 'Symantec Endpoint Recovery Tool (SERT) download comes as an ISO (disk image), How do I use this?'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010041409092048

    Does any of this fit with what you're seeing?

    W32.Jeefo is a parasitic virus that infects 32-bit Windows portable executable files. When an infected executable is run on the system, the virus will create the following file with the System attribute set:
    %Windir%\svchost.exe


    If the operating system is Windows 9x based, the virus will create the following registry entry so that it is executed every time Windows starts:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\"PowerManager" = %WinDir%\SVCHOST.EXE

    On Windows NT/2000/XP systems, the virus installs itself as a service with the following properties:

    Name: Power Manager
    Description: Manages the power save features of the computer
    Startup Type: Automatic
    Log On As: LocalSystem


    Once the virus is memory resident, it periodically searches the system for portable executable files to infect.

    From:
    http://www.symantec.com/security_response/writeup.jsp?docid=2003-060316-1105-99&tabid=2

    sandra
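    The writeup quoted above lists three concrete indicators: a dropped %Windir%\svchost.exe with the System attribute, a "Power Manager" service running as LocalSystem, and a RunServices\"PowerManager" registry value on 9x systems. As an added example (not from the thread, from Symantec, or from the writeup), the following read-only PowerShell check looks for exactly those three artifacts so you can tell whether the pop-ups reflect a live infection or only stale records. It assumes a PowerShell with the CIM cmdlets (Windows 7 / PowerShell 3 or later); it reports and removes nothing.

```powershell
# Added example, not from the thread: check a host for the W32.Jeefo indicators quoted
# in the Symantec writeup. Read-only. Assumes PowerShell 3+ with Get-CimInstance.
$findings = New-Object System.Collections.Generic.List[string]

# 1. %Windir%\svchost.exe with the System attribute. The legitimate svchost.exe lives in
#    %Windir%\System32, so a copy directly under %Windir% is the suspicious artifact.
$dropped = Join-Path $env:WINDIR 'svchost.exe'
if (Test-Path -LiteralPath $dropped -PathType Leaf) {
    $attrs    = (Get-Item -LiteralPath $dropped -Force).Attributes
    $isSystem = [bool]($attrs -band [IO.FileAttributes]::System)
    $findings.Add("File present: $dropped (System attribute: $isSystem)")
}

# 2. The "Power Manager" service used for persistence on NT/2000/XP, matched by name,
#    display name, or a binary path pointing at the dropped file.
$services = Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Name -eq 'Power Manager' -or $_.DisplayName -eq 'Power Manager' -or
        ($_.PathName -and $_.PathName -like "*$dropped*")
    }
foreach ($s in $services) {
    $findings.Add("Service: Name='$($s.Name)' Path='$($s.PathName)' StartMode=$($s.StartMode) LogOnAs=$($s.StartName)")
}

# 3. RunServices\"PowerManager" value used for persistence on Windows 9x. The key normally
#    does not exist on NT-based systems, so Test-Path guards the lookup.
$runServices = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
if (Test-Path -LiteralPath $runServices) {
    $value = (Get-ItemProperty -LiteralPath $runServices -ErrorAction SilentlyContinue).PowerManager
    if ($value) { $findings.Add("Registry: $runServices\PowerManager = $value") }
}

function Get-JeefoFindings { return $findings }

if ($findings.Count -eq 0) {
    'No W32.Jeefo indicators from the writeup were found on this host.'
} else {
    'Possible W32.Jeefo indicators (confirm with an offline scan, e.g. SERT, before acting):'
    $findings | ForEach-Object { " - $_" }
}
```

    An empty result here, combined with full scans that find nothing, supports the diagnosis in the next replies that the recurring pop-up is a rescan of stale quarantine or log entries rather than the memory-resident virus described in the writeup.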


  • 29.  RE: Definition results upon start up.

    Posted Jul 16, 2010 06:06 PM

    Yes, the virus itself kept creating files that were empty, but it kept doing so, so that it could spread.  I found the virus and the "mother file", so to speak, and eliminated it.


  • 30.  RE: Definition results upon start up.

    Posted Jul 16, 2010 07:45 PM

    You need to right click on the quarantine folder and add your credentials and give full rights. From there you can open the folder and delete all files. I'm not sure what version you're running but it doesn't sound like RU6a. I would upgrade if possible.