Infected!!!

Discussion in 'ESET Smart Security' started by MasterTB, Mar 7, 2008.

Thread Status:
Not open for further replies.
  1. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    This is absolutely outrageous!!! I've been infected with "Win32/Jeefo.A", a well-known virus detected by NOD since 2006, at least this is the name they gave to it!!!! It is on every copy of my Svchost file and I detected it with Hijack free!!!! and not NOD, which runs every day!!!

    I am in total shock, since I ran a scan in safe mode and it does not detect the damn thing!!!!

    WHAT THE HELL IS WRONG WITH V3 OF NOD!!!! How can a 2-year-old virus infect my machine!!!!!!!!

    And why the hell does NOD leave it infecting every copy of Svchost and not disinfect or delete it? o_O!!!!

    PS here's a little info on the bug: http://www.vsantivirus.com/jeefo-a.htm
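    An added example, not code from the thread or from ESET, for the situation the post describes, a file infector that is said to have touched "every copy" of svchost.exe: hash every copy and compare each one against a digest taken from a trusted source (install media, a known-clean machine), because when all copies are infected a majority vote across them proves nothing. The PE stand-in built by `fake_pe` and the paths used below are constructed for illustration.

```python
"""Triage every copy of a named executable by content digest.

Added example, not from the thread. Compares each copy against a
reference SHA-256 taken from a trusted source; majority voting is only
a fallback and cannot detect the all-copies-infected case.
"""
import hashlib
import os
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_pe(data: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' stub plus a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def group_by_digest(copies: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map SHA-256 digest -> sorted list of paths whose content has that digest."""
    groups: Dict[str, List[str]] = {}
    for path, data in copies.items():
        groups.setdefault(sha256_hex(data), []).append(path)
    return {digest: sorted(paths) for digest, paths in groups.items()}


def triage(copies: Dict[str, bytes],
           reference_digest: Optional[str] = None) -> Dict[str, List[str]]:
    """Return {'not_pe': [...], 'unexpected': [...]}.

    With a reference digest, every copy that does not match it is
    'unexpected', even when all copies agree with each other.
    Without one, minority digests are flagged instead; that fallback
    cannot see the case where every copy was infected.
    """
    not_pe = sorted(p for p, d in copies.items() if not is_pe(d))
    groups = group_by_digest({p: d for p, d in copies.items() if is_pe(d)})
    if reference_digest is not None:
        unexpected = [p for d, paths in groups.items()
                      if d != reference_digest for p in paths]
    elif groups:
        majority = max(groups.values(), key=len)
        unexpected = [p for paths in groups.values()
                      if paths is not majority for p in paths]
    else:
        unexpected = []
    return {"not_pe": not_pe, "unexpected": sorted(unexpected)}


def collect_copies(root: str, name: str = "svchost.exe") -> Dict[str, bytes]:
    """Walk root and read every file whose name matches, case-insensitively."""
    found: Dict[str, bytes] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() == name.lower():
                full = os.path.join(dirpath, fn)
                try:
                    with open(full, "rb") as fh:
                        found[full] = fh.read()
                except OSError:
                    pass  # locked or unreadable; skipped, not silently trusted
    return found


def fake_pe(payload: bytes) -> bytes:
    """Constructed stand-in for a PE file: MZ stub, e_lfanew=0x40, PE signature, payload."""
    header = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
    return header + b"PE\x00\x00" + payload


if __name__ == "__main__":
    # Constructed scenario: three identical, altered copies plus one non-PE file.
    clean = fake_pe(b"clean-body")
    altered = fake_pe(b"clean-body" + b"appended-code")
    sample = {
        "C:/Windows/System32/svchost.exe": altered,
        "C:/Windows/System32/dllcache/svchost.exe": altered,
        "C:/Windows/ServicePackFiles/i386/svchost.exe": altered,
        "C:/temp/svchost.exe": b"not a pe at all",
    }
    print("with reference:", triage(sample, sha256_hex(clean)))
    print("majority only: ", triage(sample))
```

On a real machine, `collect_copies(r"C:\Windows")` supplies the mapping and the reference digest comes from a copy you trust; the in-memory mapping is used here so the block runs offline.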
     
  2. JVM

    JVM Registered Member

    Joined:
    Dec 24, 2005
    Posts:
    328
    Why did you link to that site which is in another language? Would have been better had you linked to a site in English. :rolleyes:
     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    The fact that NOD32 has a definition for that sample doesn't mean that the signature covers all known and unknown variants. It might be a new variant which isn't caught by that signature.
    The best you can do is contact ESET support (support [at] eset.sk) with samples of this malware (password-protected ZIPs), a log of ESET SysInspector and a link to this thread.
    Because he (probably) speaks Spanish.
    Check here :)
     
  4. proactivelover

    proactivelover Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    840
    Location:
    Near Wilders Forums
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please send a couple of such files in an archive protected with the password "infected" and this thread's url in the subject to samples[at]eset.com. I'm very doubtful that Jeefo would actually slip through NOD32; we need to check your files.
     
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Marcos,

    Will ESET really pay any attention at all to these submissions, or is this just lip service on your company's own support forum for the sake of damage control to ESET's reputation?

    The reason I'm asking is because I have a handful of trojans delivered by live internet exploits that breeze right through NOD32 v3. I don't submit samples, because ESET does absolutely nothing and they go undetected after weeks and months, but if you can tell me it won't be a waste of my time, I might be willing to give that exercise another shot.
     
  7. PaulB2005

    PaulB2005 Registered Member

    Joined:
    Apr 19, 2005
    Posts:
    525
    Huh. I must be doing something wrong, because every sample I've removed from a client's PC over the last few years has either been detected by NOD32 when it gets back here, or is detected within 24-48 hours of submission to NOD........
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please send a log from ESET SysInspector to support[at]eset.com with this thread's url enclosed.
     
  9. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    Because I'm from Argentina and I did the search in Spanish, my native language. I'm sure you can find a page in English or use Google Translator; it is not that hard if you try.
     
  10. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Well that's all nice and good, but I was hoping ESET would quit dragging its bum and wait for me to get infected before they finally decide to add detection for those viruses. I thought ESET prided itself a great deal on proactive protection.
     
  11. THE_BAD_BOY

    THE_BAD_BOY Registered Member

    Joined:
    Nov 15, 2007
    Posts:
    40
    I agree with you. :thumbd:
     
  12. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    Even when ESS tells me everything is clean, HijackThis keeps alerting me about svchost being infected, and more, ESS keeps creating a log of svchost trying to connect to this IP: 224.0.0.22, and the connections come from my machine but with a non-existing IP that only ESS can see, because it is not there in ipconfig.... so... WHAT THE HELL IS GOING ON? o_O

    PS. I have already filed a support ticket to Eset. See this thread: https://www.wilderssecurity.com/showthread.php?t=202500 I think it is all connected.
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  14. wiak

    wiak Registered Member

    Joined:
    Sep 10, 2006
    Posts:
    107
  15. Banger696

    Banger696 Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    274
    Why scan in Safe mode? Will the virus be detected in that way? If it locates itself in the run key (dropper) then safe mode may not detect the dropper? What OS is the OP using? Hope you get disinfected easily.
     
  16. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina

    Thanks for the info, I know what IGMP is and I don't use multicast, so I have it disabled. The reason I'm worried is: what in the machine is trying to use multicast?? I know ESS is stopping the requests both ways, and thankfully that could be enough; I just wish ESS could find the bastard and eliminate it..

    To Banger696: The scan in safe mode is because, even though Jeefo has not been seen on Vista, it infects Svchost, so when running in safe mode that process is usually not loaded, ergo not locked to the AV.
     
  17. wiak

    wiak Registered Member

    Joined:
    Sep 10, 2006
    Posts:
    107
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    IMO, you have some issues with your network configuration.
     
  19. Pfredd

    Pfredd Registered Member

    Joined:
    Jan 24, 2008
    Posts:
    25
    I am not saying you aren't infected, but read this from the HijackThis home page ( http://www.spywareinfoforum.com/~merijn/programs.php#hijackthis):
    Note: The underlining was done by me...
     
  20. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    Thanks for the tool, I had not run this... well, I did not find Jeefo, so I guess NOD didn't fail me...
    Still I cannot resolve the issue of Windows (or something else acting as svchost.exe) trying to get another IP other than the one established as fixed..
     
  21. shansmi

    shansmi Registered Member

    Joined:
    Feb 19, 2008
    Posts:
    130
    Well, if you think it is a task, use Process Explorer off the Microsoft website to look at/kill any tasks that should not be running. It will also tell you the path to the application that launched/owns the service.
     
  22. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    Well, after all, it seems that even when you tell Windows to use a fixed private IP on the home network, it will still try to connect to some DHCP server to obtain an IP, and since I cannot disable DHCP on the notebook because I'm not always at home, I will have to deal with it some other way.
    There is however a way in which Eset could help: I remember from my Kerio times that it gave you the option to disable some common network protocols like DHCP and others in a simple Network Security window, making it easy to enable/disable protocols on the fly, without having to start/stop services on your Windows... I think Eset could incorporate something similar into the firewall in ESS. It would be of great help when dealing with multiple networks.
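    An added example, not code from the thread or from ESET, covering the two things the thread puzzles over: svchost.exe sending to 224.0.0.22 from an address that ipconfig does not show (posts 12 and 16), and the DHCP traffic that turns out to be the cause (post 22). 224.0.0.22 is the destination address IGMPv3 membership reports are sent to (RFC 3376, section 4.2.14), and Windows emits one whenever a socket joins a multicast group, so that traffic by itself is not evidence of infection; a DHCP client with no lease sends from 0.0.0.0 to 255.255.255.255, and one whose DHCP request went unanswered self-assigns a 169.254/16 (APIPA) address. The log line format, the process paths and the `KNOWN_MULTICAST` table are assumptions made for this example, not ESS's actual log format.

```python
"""Classify firewall log lines of the "svchost.exe -> 224.0.0.22" kind.

Added example, not from the thread. The semicolon-separated line format
below is constructed; ESET's real log format is not assumed.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

# Multicast groups a Windows host joins on its own. Assumption: a
# starting point for triage, not an exhaustive list.
KNOWN_MULTICAST = {
    "224.0.0.1": "all-hosts (target of IGMP general queries)",
    "224.0.0.22": "IGMPv3 membership reports (RFC 3376)",
    "224.0.0.251": "mDNS",
    "224.0.0.252": "LLMNR",
    "239.255.255.250": "SSDP / UPnP discovery",
}
LOCAL_NET_CONTROL = ipaddress.ip_network("224.0.0.0/24")   # never forwarded by routers
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")        # APIPA, self-assigned without DHCP
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def parse_line(line: str) -> Dict[str, str]:
    """Constructed format: 'time;process;src;dst;proto;action'."""
    time, process, src, dst, proto, action = [f.strip() for f in line.split(";")]
    return {"time": time, "process": process, "src": src,
            "dst": dst, "proto": proto, "action": action}


def classify(entry: Dict[str, str], local_addrs: Set[str]) -> List[str]:
    """Return triage notes: what the destination is, and whether the source is one of ours."""
    notes: List[str] = []
    src = ipaddress.ip_address(entry["src"])
    dst = ipaddress.ip_address(entry["dst"])
    if entry["dst"] in KNOWN_MULTICAST:
        notes.append("expected: " + KNOWN_MULTICAST[entry["dst"]])
    elif dst.is_multicast and dst in LOCAL_NET_CONTROL:
        notes.append("local-network control group, never routed; find the service that joined it")
    elif dst.is_multicast:
        notes.append("unlisted multicast group; find the process that joined it")
    elif dst == LIMITED_BROADCAST:
        notes.append("limited broadcast (DHCP and NetBIOS use this)")
    else:
        notes.append("unicast")
    # The "IP that only ESS can see": a source address not on any adapter.
    if entry["src"] not in local_addrs:
        if src.is_unspecified:
            notes.append("source 0.0.0.0: DHCP client has no lease yet (DISCOVER/REQUEST)")
        elif src in LINK_LOCAL:
            notes.append("source is APIPA (169.254/16): DHCP did not answer on that adapter")
        else:
            notes.append("source not among configured addresses: check other adapters, VPN or virtual NICs")
    return notes


def triage_log(lines: Iterable[str], local_addrs: Set[str]) -> List[Dict[str, object]]:
    """Parse and classify every line; returns one record per line."""
    out: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_line(line)
        out.append({"process": entry["process"], "src": entry["src"],
                    "dst": entry["dst"], "notes": classify(entry, local_addrs)})
    return out


# Constructed sample log; the machine's only configured address is 192.168.1.10.
SAMPLE_LOG = [
    r"2008-03-07 10:00:01;C:\Windows\System32\svchost.exe;192.168.1.10;224.0.0.22;IGMP;blocked",
    r"2008-03-07 10:00:02;C:\Windows\System32\svchost.exe;0.0.0.0;255.255.255.255;UDP 68->67;blocked",
    r"2008-03-07 10:00:03;C:\Windows\System32\svchost.exe;169.254.33.7;239.255.255.250;UDP 1900;blocked",
    r"2008-03-07 10:00:04;C:\Windows\System32\svchost.exe;192.168.1.10;224.0.0.99;IGMP;blocked",
    r"2008-03-07 10:00:05;C:\Users\me\tool.exe;192.168.1.10;203.0.113.5;TCP 80;allowed",
]

if __name__ == "__main__":
    for rec in triage_log(SAMPLE_LOG, {"192.168.1.10"}):
        print(rec["src"], "->", rec["dst"], "|", "; ".join(rec["notes"]))
```

The second and third sample lines are the pattern post 22 ends up describing: a DHCP client with no lease, then a self-assigned address, neither of which ipconfig shows as the "fixed" address. Lines that still deserve a look are the ones tagged "find the process that joined it" or "source not among configured addresses"; Process Explorer, as suggested in post 21, identifies the service inside svchost.exe that owns the socket.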
     

