t-437482 I think I might have the w32/feebs-m worm...[HELP!] [Flat] - TribalWar Forums

I think I might have the w32/feebs-m worm...[HELP!]

06-14-2006, 11:20 AM
I'm having a really tough time figuring out exactly what is causing these problems. Basically it's popping up these Internet Explorer windows every few minutes. And I always see these weird processes running (ex: msoe.exe) when I hit ctrl+alt+del.

I read somewhere it may be the w32/Feebs-M worm, but I'm not 100% sure. Here's my hijack log. I'd appreciate if anyone could give me some tips.

Oh yea and Norton won't install, I'm assuming because there's a worm preventing it from installing already

Logfile of HijackThis v1.99.1
Scan saved at 11:16:37 AM, on 6/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\ctfmon.exe
C:\VIRUSfighter\Nvc\BIN\nipsvc.exe
C:\Documents and Settings\Floyd Bishop\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\System32\x3cqp0.dll
O20 - AppInit_DLLs: mshta.dll C:\WINDOWS\System32\mshta.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\o2rolc931f.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\VIRUSfighter\Nvc\BIN\nipsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

06-14-2006, 11:21 AM

06-14-2006, 11:22 AM
p.s. it's not my computer, so i'm just trying to help someone out right now

06-14-2006, 11:26 AM
uh huh. a "friend" downloaded some gay porn and suddenly "his" computer is ****ed.

06-14-2006, 11:30 AM
actually the person i'm fixing for downloaded what he thought was a motion blur program from limewire and turned out not to be one at all.

06-14-2006, 11:31 AM
I would get rid of

O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\System32\x3cqp0.dll

O20 - AppInit_DLLs: mshta.dll C:\WINDOWS\System32\mshta.dll

Those are the only two suspicious entries I see.
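
Added example (not part of any post in this thread): a small triage pass over HijackThis "O" lines that pulls out the O18 and O20 sections, where a DLL is loaded automatically by Internet Explorer or Windows, and separates live entries from ones marked "(file missing)". The sample lines are copied from the log in the first post with the forum's line-wrap spaces removed; treating only O18/O20 as load points is this example's assumption.

```python
import re

# HijackThis sections that name a DLL loaded automatically by IE or Windows.
# Limiting the review to these two sections is an assumption of this example.
LOAD_POINTS = {
    "O18": "IE protocol / MIME filter",
    "O20": "AppInit_DLLs or Winlogon Notify",
}

ENTRY = re.compile(r"^(O\d+) - (.*)$")
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx)", re.IGNORECASE)

# Sample input: lines from the posted log, forum wrap spaces removed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\System32\x3cqp0.dll
O20 - AppInit_DLLs: mshta.dll C:\WINDOWS\System32\mshta.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\o2rolc931f.dll (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""


def triage(log_text):
    """Return (review, orphaned) lists of (section, kind, path) tuples."""
    review, orphaned = [], []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or m.group(1) not in LOAD_POINTS:
            continue
        section, body = m.groups()
        kind = body.split(":", 1)[0]          # e.g. "Filter", "AppInit_DLLs"
        found = PATH.search(body)
        path = found.group(0) if found else None
        # HijackThis appends "(file missing)" when the target is not on disk.
        missing = body.rstrip().endswith("(file missing)")
        (orphaned if missing else review).append((section, kind, path))
    return review, orphaned


if __name__ == "__main__":
    review, orphaned = triage(SAMPLE_LOG)
    for section, kind, path in review:
        print(f"REVIEW   {section} {kind} ({LOAD_POINTS[section]}): {path}")
    for section, kind, path in orphaned:
        print(f"ORPHANED {section} {kind} (file missing): {path}")
```
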

06-14-2006, 11:35 AM

06-14-2006, 11:48 AM
look for the trial version of spysweeper, reboot into safe mode with networking, update it and most likely it will remove that crap

06-14-2006, 12:04 PM
adaware keeps finding: Win32.Trojan.Downloader

any info on that or how i can get rid of it

EvilMonkey, will spysweeper take that off too?

06-14-2006, 12:10 PM
safe mode + antivirus silly *****

06-14-2006, 12:11 PM
ted. most likely yes. i find that using the trial version of spy sweeper + updates in safe mode removes like 95% of spyware

06-14-2006, 12:59 PM
I highly recommend CounterSpy from Sunbelt-Software, a more advanced version of the engine that Microsoft built their anti-spyware app around.

Along with that, NOD32 for anti-virus.

06-14-2006, 01:46 PM
well the spysweeper seemed to get rid of all the big bad stuff (worms/trojans), as well as a bunch of adware and other stuff hooked onto Internet Explorer. So I'm really not running into any out of place processes running, but I'm still getting pop ups out of nowhere. Any good idea for that? I'm updating my windows to SP2 soon. thanks so far.

06-14-2006, 01:50 PM
I'm updating my windows to SP2 soon. thanks so far.


So you DID download gay porn!


06-14-2006, 01:57 PM
format it