Infected With The Virus "Js:Feebs Family" [RESOLVED]


  • This topic is locked

#1
Chasey_ (New Member, 3 posts)
Hello. This is my first time posting to this forum, and hopefully my problem can be resolved.

I've been running Avast! for a while now, but ever since I had made a new user account on my Windows XP computer, avast! has been showing that my computer is infected with the virus "Js: Feebs Family". What's very strange is that there is only one user account that this notice is popping up on (out of three).

When the notice of a virus pops up, I just move the virus to the chest, but the next time I log into that account it happens all over again. It shows in the avast! Virus Chest that I've had three of the same virus attacking a folder on the account that the avast! notice is popping up on.

Is there any way to delete this? Thank you ^^

#2
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

Follow all the steps below and post all the requested logs here when ready.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main, choose Select All.
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, click 'Opera' at the top and choose 'Select All'.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.


Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.


#3
Chasey_ (Topic Starter, New Member, 3 posts)
ComboFix 08-05-01.3 - Leechan 2008-05-05 17:42:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503 [GMT -4:00]
Running from: C:\Documents and Settings\Leechan\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Compaq_Administrator\Desktop\Error Cleaner.url
C:\Documents and Settings\Compaq_Administrator\Desktop\Privacy Protector.url
C:\Documents and Settings\Compaq_Administrator\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Compaq_Administrator\Favorites\Error Cleaner.url
C:\Documents and Settings\Compaq_Administrator\Favorites\Privacy Protector.url
C:\Documents and Settings\Compaq_Administrator\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\Leechan\ResErrors.log
C:\WINDOWS\system32\ldpackage.dll
C:\WINDOWS\system32\model.dat
C:\WINDOWS\system32\silc_dll.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FMTR


((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-05 )))))))))))))))))))))))))))))))
.

2008-05-04 12:41 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-04 11:29 . 2008-05-04 11:29 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-14 18:54 . 2008-04-14 20:15 <DIR> d-------- C:\Program Files\IMVU
2008-04-12 09:55 . 2008-04-12 19:56 <DIR> d-------- C:\Documents and Settings\BMW\Contacts
2008-04-12 09:44 . 2008-04-19 19:40 <DIR> d-------- C:\Documents and Settings\BMW\Application Data\MEGAUPLOADTOOLBAR
2008-04-12 09:44 . 2008-04-12 09:44 <DIR> d-------- C:\Documents and Settings\BMW\Application Data\COMCASTTOOLBAR
2008-04-12 09:41 . 2008-04-19 19:34 <DIR> d-------- C:\Documents and Settings\BMW\Application Data\Apple Computer
2008-04-12 09:36 . 2008-04-12 09:36 <DIR> d-------- C:\Documents and Settings\BMW\Application Data\Grisoft
2008-04-12 09:35 . 2006-09-05 21:13 <DIR> d-------- C:\Documents and Settings\BMW\WINDOWS
2008-04-12 09:35 . 2006-09-05 21:14 <DIR> d-------- C:\Documents and Settings\BMW\Application Data\Intuit
2008-04-12 09:35 . 2008-05-04 17:35 <DIR> d-------- C:\Documents and Settings\BMW
2008-04-12 09:35 . 2008-05-05 17:50 1,024 --ah----- C:\Documents and Settings\BMW\ntuser.dat.LOG
2008-04-09 16:55 . 2008-04-09 16:55 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-05 21:28 --------- d-----w C:\Documents and Settings\Leechan\Application Data\MegauploadToolbar
2008-05-05 21:28 --------- d-----w C:\Documents and Settings\Leechan\Application Data\COMCASTTOOLBAR
2008-05-04 21:35 --------- d-----w C:\Program Files\TrueSwitchComcast
2008-05-04 13:33 --------- d-----w C:\Program Files\AIMTunes
2008-04-28 13:05 --------- d-----w C:\Program Files\Lx_cats
2008-04-23 23:17 --------- d-----w C:\Program Files\Safari
2008-04-23 23:16 --------- d-----w C:\Program Files\Apple Software Update
2008-04-15 00:17 --------- d-----w C:\Documents and Settings\Leechan\Application Data\IMVU
2008-04-09 20:55 --------- d-----w C:\Program Files\iTunes
2008-04-09 20:51 --------- d-----w C:\Program Files\QuickTime
2008-03-08 23:13 --------- d-----w C:\Documents and Settings\Leechan\Application Data\GlobalSCAPE
2008-03-08 23:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 23:12 --------- d-----w C:\Program Files\GlobalSCAPE
2008-03-08 17:15 --------- d-----w C:\Program Files\ZiPhone
2008-02-08 01:33 50 ----a-w C:\tmp.bat
2007-09-05 21:16 0 ---h--w C:\Program Files\AppUpdate.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{861EA552-6309-490A-AC97-1F574E730CF1}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 00:00 15360]
"SecurePCCleaner"="C:\Program Files\SecurePCCleaner\GDC.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-30 00:01 67584]
"ftutil2"="ftutil2.dll" [2004-06-07 17:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 23:05 16239616 C:\WINDOWS\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 02:19 77312 C:\WINDOWS\arpwrmsg.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 18:50 7311360]
"nwiz"="nwiz.exe" [2006-05-09 18:50 1519616 C:\WINDOWS\system32\nwiz.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-23 01:14 237568]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 01:34 249856]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2004-12-14 05:23 663552]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-05 21:03 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-09 17:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-09 17:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-09 17:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-09 17:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-09 17:00 455168]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 10:58 1773568]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"lxdcmon.exe"="C:\Program Files\Lexmark 1300 Series\lxdcmon.exe" [ ]
"lxdcamon"="C:\Program Files\Lexmark 1300 Series\lxdcamon.exe" [2007-03-05 16:40 20480]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"@"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 00:00 15360]

C:\Documents and Settings\BMW\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-09-05 20:29:28 27136]

C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Startup\
TrueAssistant.lnk - C:\Program Files\TrueSwitchComcast\TrueWizard.exe [2007-07-02 05:16:26 1003520]

C:\Documents and Settings\Leechan\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-09-05 20:29:28 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-09-05 21:18:55 36903]
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 19:55:40 18432]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 05:33:46 282624]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2007-03-11 16:11:41 1073152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MSNAUDIO"= msnaudio.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\fscagent.exe"=
"C:\\WINDOWS\\system32\\clubbox.exe"=
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"C:\\WINDOWS\\system32\\lxdccoms.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcwbgw.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdctime.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22030:TCP"= 22030:TCP:BitComet 22030 TCP
"22030:UDP"= 22030:UDP:BitComet 22030 UDP
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"2445:UDP"= 2445:UDP:Windows Media Format SDK (firefox.exe)
"2444:UDP"= 2444:UDP:Windows Media Format SDK (firefox.exe)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 14:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]
R2 lxdc_device;lxdc_device;C:\WINDOWS\system32\lxdccoms.exe [2007-04-30 16:03]
R2 lxdcCATSCustConnectService;lxdcCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcserv.exe [2007-04-30 16:04]
R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 19:55]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 00:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

.
Contents of the 'Scheduled Tasks' folder
"2008-05-04 00:17:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-05 17:51:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 115

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdcserv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\McrdSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-05-05 17:59:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-05 21:59:05

Pre-Run: 72,157,425,664 bytes free
Post-Run: 73,848,115,200 bytes free

221 --- E O F --- 2008-04-11 10:30:29


Above is the log for ComboFix, but while loading ActiveScan it says "Sorry, loading is incomplete due to an error. Please try again." (By the way, since I ran the ATF Cleaner, some websites, including this forum, have not been appearing as they did before I ran it. Is this supposed to happen?)

Thank you.
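The ComboFix log above is long, and two of its sections reward a systematic read rather than eyeballing: the Run keys, where ComboFix prints each autostart value as `"Name"="Path" [date time size]` and leaves the bracket empty (`[ ]`) when it could not locate the referenced file, and the firewall `GloballyOpenPorts\List`, where each exception appears as `"port:proto"= port:proto:Description`. The script below is an added example written for this page; it is not a ComboFix feature or anything the helper in this thread used. It parses those two sections, lists Run values whose target file was not found, flags globally opened ports from a small list of services a home workstation should not expose (that list, and the "five or more consecutive ports" threshold for reporting a range, are this example's own assumptions), and collapses long consecutive port blocks such as the 5000-5020 run in the log. The sample input is an excerpt of the posted log; the 5000-5020 block is generated in code to match it.

```python
"""Triage the Run keys and firewall exceptions in a ComboFix-style log.

Added example for this thread; not a ComboFix or Geeks to Go tool.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RunEntry:
    hive: str
    name: str
    path: str
    size: Optional[int]  # None when ComboFix printed "[ ]" or "[]" (file not located)


@dataclass
class OpenPort:
    port: int
    proto: str
    description: str


SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<desc>.*)$')

# Assumption of this example, not something ComboFix emits: services that a
# home workstation should not open to every network it joins.
SENSITIVE_PORTS = {135: "MSRPC endpoint mapper", 137: "NetBIOS name", 139: "NetBIOS session",
                   445: "SMB", 3389: "RDP"}


def parse_log(text: str) -> Tuple[List[RunEntry], List[OpenPort]]:
    """Walk the log once, tracking the current [section] header, and collect
    autostart values from any ...\\Run key plus GloballyOpenPorts entries."""
    runs, ports, section = [], [], ""
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key")
            continue
        if section.lower().endswith("\\run"):
            m = RUN_RE.match(line)
            if m:
                # Bracket holds "date time size" or "date time size path";
                # the size is the only all-digit token.  Empty bracket -> None.
                digits = [t for t in m.group("meta").split() if t.isdigit()]
                size = int(digits[-1]) if digits else None
                runs.append(RunEntry(section, m.group("name"), m.group("path"), size))
        elif "globallyopenports" in section.lower():
            m = PORT_RE.match(line)
            if m:
                ports.append(OpenPort(int(m.group("port")), m.group("proto"), m.group("desc")))
    return runs, ports


def flag_runs(runs: List[RunEntry]) -> List[RunEntry]:
    """Run values whose target ComboFix could not find: an empty path or a path
    with no file behind it.  Usually an uninstaller's leftovers, but a loader
    whose payload has already been removed looks exactly the same."""
    return [r for r in runs if r.size is None]


def flag_ports(ports: List[OpenPort]) -> List[Tuple[OpenPort, str]]:
    return [(p, SENSITIVE_PORTS[p.port]) for p in ports if p.port in SENSITIVE_PORTS]


def port_ranges(ports: List[OpenPort], min_len: int = 5) -> List[Tuple[str, int, int]]:
    """Collapse consecutive port numbers per protocol into (proto, first, last)
    and report only runs of at least min_len ports."""
    by_proto: Dict[str, set] = {}
    for p in ports:
        by_proto.setdefault(p.proto, set()).add(p.port)
    ranges = []
    for proto, nums in by_proto.items():
        ordered = sorted(nums)
        start = prev = ordered[0]
        for n in ordered[1:] + [None]:  # None terminates the last run
            if n is not None and n == prev + 1:
                prev = n
                continue
            if prev - start + 1 >= min_len:
                ranges.append((proto, start, prev))
            if n is not None:
                start = prev = n
    return ranges


def triage(text: str) -> Dict[str, List[str]]:
    runs, ports = parse_log(text)
    return {
        "orphan_run_values": [f"{r.name} -> {r.path or '<empty>'}" for r in flag_runs(runs)],
        "sensitive_open_ports": [f"{p.port}/{p.proto} ({why})" for p, why in flag_ports(ports)],
        "port_ranges": [f"{proto} {a}-{b}" for proto, a, b in port_ranges(ports)],
    }


# Excerpt of the ComboFix log posted in this thread; the 5000-5020 block is
# generated to match the log's 21 individual entries.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 00:00 15360]
"SecurePCCleaner"="C:\Program Files\SecurePCCleaner\GDC.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"="ftutil2.dll" [2004-06-07 17:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"lxdcmon.exe"="C:\Program Files\Lexmark 1300 Series\lxdcmon.exe" [ ]
"@"="" []

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22030:TCP"= 22030:TCP:BitComet 22030 TCP
"135:TCP"= 135:TCP:TCP Port 135
''' + "\n".join(f'"{p}:TCP"= {p}:TCP:TCP Port {p}' for p in range(5000, 5021)) + r'''
"2445:UDP"= 2445:UDP:Windows Media Format SDK (firefox.exe)
"2444:UDP"= 2444:UDP:Windows Media Format SDK (firefox.exe)
'''

if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

Run against the full log, the orphan list is where a responder starts: an empty-path value or a path with no file behind it is either harmless clutter or the trace of something already pulled, and either way it should not stay in Run. The port view separates what the user knowingly opened (BitComet, Media Center) from a port 135 exception and a 21-port block with generic "TCP Port N" names, which are worth asking the owner about even on a log the helper otherwise calls clean.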

#4
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Download the Flash Disinfector at http://www.techsuppo...Disinfector.exe and save it to your desktop. Double-click on it to run it and follow the on-screen instructions.

What do you mean some websites are not appearing as they did before? The ATF Cleaner tool will clear out all your temp and cookie settings for your browser. Try doing a hard refresh by holding down the Ctrl key and clicking on the Refresh button to see if it helps.

Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.

#5
Chasey_ (Topic Starter, New Member, 3 posts)
Posted Image

Above is an example of what I mean by websites not appearing as they did before. This only happens in Firefox, not Opera or Internet Explorer.

Everything seems to be alright now. Thank you so much for your help :)

#6
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





