t-437482 I think I might have the w32/feebs-m worm...[HELP!] [Flat] - TribalWar Forums

I think I might have the w32/feebs-m worm...[HELP!]

TedBundy
06-14-2006, 11:20 AM
I'm having a really tough time figuring out exactly what is causing these problems. Basically it's popping up these Internet Explorer windows every few minutes. And I always see these weird processes running (ex: msoe.exe) when I hit ctrl+alt+del.

I read somewhere it may be the w32/Feebs-M worm, but I'm not 100% sure. Here's my hijack log. I'd appreciate if anyone could give me some tips.

Oh yea and Norton won't install, I'm assuming because there's a worm preventing it from installing already

Logfile of HijackThis v1.99.1
Scan saved at 11:16:37 AM, on 6/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\VIRUSfighter\Nvc\BIN\nipsvc.exe
C:\Documents and Settings\Floyd Bishop\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\System32\x3cqp0.dll
O20 - AppInit_DLLs: mshta.dll C:\WINDOWS\System32\mshta.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\o2rolc931f.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\VIRUSfighter\Nvc\BIN\nipsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

Vlasic
06-14-2006, 11:21 AM
owned

TedBundy
06-14-2006, 11:22 AM
p.s. it's not my computer, so i'm just trying to help someone out right now

Pachacutec
06-14-2006, 11:26 AM
uh huh. a "friend" downloaded some gay porn and suddenly "his" computer is ****ed.

TedBundy
06-14-2006, 11:30 AM
actually the person i'm fixing for downloaded what he thought was a motion blur program from limewire and turned out not to be one at all.

Mangan
06-14-2006, 11:31 AM
I would get rid of

O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\System32\x3cqp0.dll

O20 - AppInit_DLLs: mshta.dll C:\WINDOWS\System32\mshta.dll

Those are the only two suspicious entries i see.

TedBundy
06-14-2006, 11:35 AM
thanks

EvilMonkey
06-14-2006, 11:48 AM
look for the trial version of spysweeper, reboot into safe mode with networking, update it and most likely it will remove that crap

TedBundy
06-14-2006, 12:04 PM
adaware keeps finding: Win32.Trojan.Downloader

any info on that or how i can get rid of it

EvilMonkey, will spysweeper take that off too?

Durak
06-14-2006, 12:10 PM
safe mode + antivirus silly *****

EvilMonkey
06-14-2006, 12:11 PM
ted. most likely yes. i find that using the trial version of spy sweeper + updates in safe mode removes like 95% of spyware

nSpectre
06-14-2006, 12:59 PM
I highly recommend CounterSpy from Sunbelt-Software, a more advanced version of the engine that Microsoft built their anti-spyware app around.

Along with that, NOD32 for anti-virus.

TedBundy
06-14-2006, 01:46 PM
well the spysweeper seemed to get rid of all the big bad stuff (worms/trojans), as well as a bunch of adware and other stuff hooked onto Internet Explorer. So I'm really not running into any out of place processes running, but I'm still getting pop-ups out of nowhere. Any good idea for that? I'm updating my Windows to SP2 soon. thanks so far.

nSpectre
06-14-2006, 01:50 PM
I'm updating my windows to SP2 soon. thanks so far.

Ah-HA!

So you DID download gay porn!

:D

link_
06-14-2006, 01:57 PM
format it