dafaher 0 Posted April 28, 2023 Share Posted April 28, 2023 Hello community, I hope everyone's doing well. I was wondering if you could help me. I've been having issues with this virus for a couple of weeks, and it looks like ESET Smart Security Premium isn't able to clean it. When I try to remedy it I get an error so I tried to remove it. According to ESET, the virus is eliminated but it always returns after a few days. It infected the file svchost.exe and it seems that it also infected other programs, such as Adobe Acrobat DC Pro, etc. Any idea on how to fix this issue? If possible, I would like to avoid having to format my pc, but at this point I'll do whatever it takes to get rid of it. Thanks in advance for any suggestion or help you can provide! Link to comment Share on other sites More sharing options...
itman 1,665 Posted April 28, 2023 Share Posted April 28, 2023 (edited) Post the related detection entry from the Eset Detections log. You can so by left button mouse click on the entry and select "Copy." Then paste into your forum reply. Also, here's Eset's write up on this malware: https://www.virusradar.com/en/Win32_Jeefo.A/description Edited April 28, 2023 by itman Link to comment Share on other sites More sharing options...
dafaher 0 Posted April 28, 2023 Author Share Posted April 28, 2023 58 minutes ago, itman said: Post the related detection entry from the Eset Detections log. You can so by left button mouse click on the entry and select "Copy." Then paste into your forum reply. Also, here's Eset's write up on this malware: https://www.virusradar.com/en/Win32_Jeefo.A/description Thank you very much for your reply. I used the export option, so I'm attaching the file here, it's in spanish though. Thanks again! ESET.txt Link to comment Share on other sites More sharing options...
Administrators Marcos 5,085 Posted April 29, 2023 Administrators Share Posted April 29, 2023 According to the logs, the infected files were either cleaned or deleted if they contained only the virus itself. Make sure that all security updates available for your Windows system are installed. If you have folders shared with write permissions, I'd recommend changing the password for those accounts and consider disabling admin shares too, if not needed. Link to comment Share on other sites More sharing options...
dafaher 0 Posted April 29, 2023 Author Share Posted April 29, 2023 4 hours ago, Marcos said: According to the logs, the infected files were either cleaned or deleted if they contained only the virus itself. Make sure that all security updates available for your Windows system are installed. If you have folders shared with write permissions, I'd recommend changing the password for those accounts and consider disabling admin shares too, if not needed. Hi Marcos, thank you very much for your reply! The problem is that after being cleaned or deleted, the virus continues to infect the same or other files, and it's been like that for almost 2 weeks. For example, yesterday I shared a log that included two infected files. Now, I was replying to you and ESET notified me that 9 new files were infected (logs attached). It is as if the virus wasn't cleaned after all, so it continues to infect everything in its path. I don't share folders or anything, and all the programs installed on my PC are original, with the latest security patches, including Windows. I deleted the folders and registry entries that this virus creates, but it seems that didn't help much. I'm considering taking advantage of the weekend to format my pc, I didn't want to do it but I prefer to avoid more serious future problems. Thanks again! New infected files.txt Link to comment Share on other sites More sharing options...
Administrators Marcos 5,085 Posted April 29, 2023 Administrators Share Posted April 29, 2023 The files are getting infected by the virus running on another machine in the network. It spreads via shares. That's why I suggested to change the password for accounts with write permissions and consider disabling admin shares as well. Make sure that ESET is installed on all machines in the network and run a full disk scan to make sure that the virus is not active and running. You could enable advanced logging under Help and support -> Technical support, wait until the detection occurs (unless it takes longer), stop logging, collect logs with ESET Log Collector and upload the generated archive here. Link to comment Share on other sites More sharing options...
itman 1,665 Posted April 29, 2023 Share Posted April 29, 2023 (edited) Additional mitigations are; 1. Change Eset established network connection/s on your PC from Trusted to Untrusted. This will cause the Eset firewall to block all inbound local network connections to your device other than DHCP and DNS traffic. 2. Minimally, disable file and and printer sharing service in Eset Firewall settings per below screen shot. The result of either of the above will be you won't be able to access files on other devices within the local network or other devices on the local network. Finally, this malware must be removed from all PC's on the local network. If it is left on just one PC, that device will continually infect all other PC's on the network. Edited April 29, 2023 by itman Link to comment Share on other sites More sharing options...
itman 1,665 Posted April 29, 2023 Share Posted April 29, 2023 1 hour ago, dafaher said: I'm considering taking advantage of the weekend to format my pc, I didn't want to do it but I prefer to avoid more serious future problems. This won't eliminate the issue. The minute your PC reconnects to the local network, you will be reinfected. Link to comment Share on other sites More sharing options...
itman 1,665 Posted April 29, 2023 Share Posted April 29, 2023 Win32/Jeefo.A is old worm malware dating to Win 2000 days. If a device running Win XP for example is connected to the local network, it is most likely the source of the malware. Link to comment Share on other sites More sharing options...
dafaher 0 Posted April 29, 2023 Author Share Posted April 29, 2023 Thank you so very much @Marcosand @itman, for all the information you provided to me. I had no idea it can be related to the local network, I thought it was just *.exe files. I guess I have some work ahead. I'll start right now, thanks again guys! Link to comment Share on other sites More sharing options...
itman 1,665 Posted April 29, 2023 Share Posted April 29, 2023 I also forgot to mention that worms can be spread through USB and NAS devices. Let's say an infected USB drive was connected to another PC on your network that does not scan the drive for malware by default as Eset does. It infects that PC. The infected PC then proceeds to infect all other PC's on the network. Refs.: https://www.makeuseof.com/dangerous-raspberry-robin-worm-targeting-windows-users/ https://www.tutorialspoint.com/what-are-autorun-worms-how-do-they-spread-how-to-remove-how-to-prevent Link to comment Share on other sites More sharing options...
dafaher 0 Posted April 29, 2023 Author Share Posted April 29, 2023 56 minutes ago, itman said: I also forgot to mention that worms can be spread through USB and NAS devices. Let's say an infected USB drive was connected to another PC on your network that does not scan the drive for malware by default as Eset does. It infects that PC. The infected PC then proceeds to infect all other PC's on the network. Refs.: https://www.makeuseof.com/dangerous-raspberry-robin-worm-targeting-windows-users/ https://www.tutorialspoint.com/what-are-autorun-worms-how-do-they-spread-how-to-remove-how-to-prevent Super useful info, I'll take a look at it now. Thank you very much!! Link to comment Share on other sites More sharing options...
Recommended Posts