This is absolutely outrageous!!! I've been infected with "Win32/Jeefo.A", a well-known virus detected by NOD since 2006, at least this is the name they gave to it!!!! It is on every copy of my Svchost file and I detected it with Hijack free!!!! and not NOD, which runs every day!!! I'm in total shock, since I ran a scan in safe mode and it does not detect the damn thing!!!! WHAT THE HELL IS WRONG WITH V3 OF NOD!!!! How can a 2-year-old virus infect my machine!!!!!!!! And why the hell does NOD leave it infecting every copy of Svchost and does not disinfect or delete it!!!! PS here's a little info on the bug: http://www.vsantivirus.com/jeefo-a.htm
Why did you link to that site which is in another language? Would have been better had you linked to a site in English.
The fact that NOD32 has a definition for that sample doesn't mean that the signature covers all known and unknown variants. It might be a new variant which isn't caught by that signature. The best you can do is contact ESET support (support [at] eset.sk) with samples of this malware (password-protected ZIPs), a log of ESET SysInspector and a link to this thread. Because he (probably) speaks Spanish. Check here
MUST BE FP BY Hijack free (IS NOT AN ANTIVIRUS). SCAN ALL YOUR Svchost FILES WITH http://virusscan.jotti.org/ AND TELL US THE RESULT
Please send a couple of such files in an archive protected with the password "infected" and this thread's url in the subject to samples[at]eset.com. I'm very doubtful that Jeefo would actually slip through NOD32; we need to check your files.
Marcos, Will ESET really pay any attention at all to these submissions, or is this just lip service on your company's own support forum for the sake of damage control to ESET's reputation? The reason I'm asking is because I have a handful of trojans delivered by live internet exploits that breeze right through NOD32 v3. I don't submit samples, because ESET does absolutely nothing and they go undetected after weeks and months, but if you can tell me it won't be a waste of my time, I might be willing to give that exercise another shot.
Huh. I must be doing something wrong, because every sample I've removed from a client's PC over the last few years has either been detected by NOD32 when it gets back here, or is detected within 24-48 hours of submission to NOD........
Because I'm from Argentina and I did the search in Spanish, my native language. I'm sure you can find a page in English or use Google Translator. It is not that hard if you try.
Well that's all nice and good, but I was hoping ESET would quit dragging its bum and wait for me to get infected before they finally decide to add detection for those viruses. I thought ESET prided itself a great deal on proactive protection.
Even when ESS tells me everything is clean, HijackThis keeps alerting me about svchost being infected, and more, ESS keeps creating a log of svchost trying to connect to this IP: 224.0.0.22, and the connections come from my machine but with a non-existing IP that only ESS can see, because it is not there to ipconfig.... so ... WHAT THE HELL IS GOING ON? PS. I have already filed a support ticket to Eset. See this thread: https://www.wilderssecurity.com/showthread.php?t=202500 I think it is all connected.
Why scan in Safe mode? Will the virus be detected in that way? If it locates itself in the run key (dropper) then safe mode may not detect the dropper? What OS is the OP using? Hope you get disinfected easily.
Thanks for the info, I know what IGMP is and I don't use multicast, so I have it disabled, the reason I'm worried is what in the machine is trying to use multicast?? I know ESS is stopping the requests both ways, and thankfully that could be enough, I just wish ESS could find the bastard and eliminate it.. To Banger696: The scan in safemode is because even when Jeefo has not been seen on Vista, it infects Svchost, so when running in Safemode that process is usually not loaded, ergo not locked to the AV.
This might help: http://www.sophos.com/support/disinfection/jeefoa.html If not, then it's a new strain; it's like a virus, they can change.
I am not saying you aren't infected, but read this from the HijackThis home page ( http://www.spywareinfoforum.com/~merijn/programs.php#hijackthis): Note: The underlining was done by me...
Thanks for the tool, I had not run this... well, I did not find Jeefo, so I guess NOD didn't fail me... Still, I cannot resolve the issue of Windows (or something else acting as svchost.exe) trying to get another IP other than the one established as fixed..
Well, if you think it is a task, use Process Explorer off the Microsoft website to look at/kill any tasks that should not be running. It will also tell you the path to the application that launched / owns the service.
Well, after all, it seems that even when you tell Windows to use a fixed private IP on the home network, it will still try to connect to some DHCP server to obtain an IP, and since I cannot disable DHCP on the notebook because I'm not always at home, I will have to deal with it some other way. There is however a way in which Eset could help: I remember from my Kerio times that it gave you the option to disable some common network protocols like DHCP and others in a simple Network Security window, making it easy to enable/disable protocols on the fly, without having to start/stop services on your Windows... I think Eset could incorporate something similar into the firewall in ESS. It would be of great help when dealing with multiple networks.