
Thread: JS.Feebs

  1. #21
    starburst Guest

    Default Re: JS.Feebs

    Thanks. I deleted all three items. I don't know what Vividence is, but I've been trying to rid my machine of all traces of that for awhile!

    Starburst

  2. #22
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: JS.Feebs

    Open the Add/Remove Programs in the Control Panel. Look for Vividence and if it is listed, then uninstall it and do the usual reboot. Do the same for the other two as well, if they are listed.

    Right click the Start of the taskbar. Select Search and in the More advanced options, click it and in the Type of File select "All files and folders" and select all of the five lower options that are under that one. In the dropdown for the "Look in:" use the "My Computer". In the top labeled "All or part of file name" just type in the Vividence and click the Search button. Wait for the results; take note of the file and folder names and the locations. Right click the item and open the Properties. Click the Version tab and record the Company, Internal name and the Product Name and the Original File name. Use this information for a continued search. When all possibilities are found, record what these are and where and then delete all of these. Continue this procedure for the other two.



    Often there are hidden files and folders involved. To have these shown when doing manual searches to help aid removal and for searches, just do the following to show the hidden files and folders>

    Click Start.

    Open My Computer.

    Select the Tools menu and click Folder Options.

    Select the View Tab.

    Under the Hidden files and folders heading select Show hidden files and folders.

    Uncheck the Hide protected operating system files (recommended) option.

    Click Yes to confirm.

    Click OK.



    The complete and easy breakdown and removal instructions for one of these are available>


    http://www3.ca.com/securityadvisor/p...x?id=453073190

    These include the registry keys to be removed and that makes the job even easier.

    http://www.microsoft.com/resources/d....mspx?mfr=true

    and follow the links

    To find the keys listed, left click the Start in the taskbar and left click the Run and type in regedit and OK. In the toolbar of the registry editor click the edit and select the Find and then type in the items that are listed in the Registry Items box of the eTrust suggestions.

    Do the same for all folders/files and .dlls and .exes that have been found previously in the Search.




    Open the Internet Explorer and left click the Tools and open the Manage Add-ons. In the dropdown labeled Show, select the "Add-ons that have been used by Internet Explorer" and find the three. Record the file and whether it is just a BHO or ActiveX and now click it and use the radio button for the Disable Option. ActiveX have their own special hiding place in the registry. The BHO have their own special hiding place in the registry as well. Ok the panel and close the Internet Explorer.

    Use the file name in the find of the Registry, again, and in the Search of My Computer and delete all relevant keys and files.

    Download and install and run the freeware CCleaner from>

    http://www.majorgeeks.com/CCleaner_S...ish_d4191.html

    Then use these two freewares>

    http://www.download.com/Abexo-Free-R...-10434887.html

    http://www.download.com/Registry-Tra...ml?tag=lst-0-1


    Open the C\WINDOWS\system32\drivers\etc\hosts with the notepad. Please make sure the Read-only of the Properties is unchecked and Apply and OK if changes are to be made. The only safe entry that should be there is 127.0.0.1 listed as localhost. All of the rest can be deleted; just make sure that any security application that is listed is the exact address and not a look-alike. The three items may have left their addresses in here and these are no longer desired and their removal is recommended. Close the notepad and restore the Read-only of the Properties.


    HKEY_LOCAL_USER\Software\Microsoft\Windows\Current Version\Internet Settings\ZoneMap>Domains> Delete any malware sites, in that column. Sites such as msn.com and your security application sites and any favorites should remain. Doubleclick the malware site and use the delete feature. Remove all entries that are in the Ranges (only the Default should be left).

    Repeat this in the following

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains and Ranges

    HKEY_USERS\DEFAULT\Software\Microsoft\Windows\Currentversion\Internet Settings\ZoneMap\Domains and Ranges

    And continue this cleaning with the HKEY_USERS\S-1-5-18\ to the end of HKEY_USERS\S-5-21-* listing.

    HKEY_LOCAL_USER and the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run> delete any malware entry


    Also for some extra assurance>

    Download and run the LSP-Fix and take note of LSP entries and google the findings and then delete the malware entries, using the LSP-Fix removal utility>

    http://www.majorgeeks.com/LSP-Fix_d4180.html



    That is the end of the task. The machine should be completely clean of the three and is probably even cleaner than before it started out. The IE should be a little faster and your privacy has improved. If there is an area that I did not explain properly and something is unclear or there is not enough description or explanation, just ask in the next post and it will be covered.

    Oldsod
    Best regards.
    oldsod
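
The hosts-file check described in the post above, as an added example that is not part of the original thread: it parses hosts-file text, keeps only the localhost mapping, and marks names within two edits of a vendor domain as look-alikes. `KNOWN_VENDORS`, the function names, the verdict labels and the sample entries are assumptions made for illustration.

```python
# Constructed sample; the 192.0.2.10 address and the symentec entry are made up.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
127.0.0.1       count.exitexchange.com
192.0.2.10      liveupdate.symentec.com   # look-alike of symantec.com
192.0.2.10      www.symantec.com
"""

# Assumption: the security/vendor domains this machine really uses.
KNOWN_VENDORS = {"symantec.com", "microsoft.com", "zonealarm.com"}


def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def registrable(host):
    """Naive last-two-labels domain (assumption: ignores suffixes like .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def audit_hosts(text, vendors=KNOWN_VENDORS):
    """Return (ip, hostname, verdict) for every mapping in hosts-file text."""
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                             # blank, comment-only or malformed
        ip, names = fields[0], fields[1:]
        for name in names:
            domain = registrable(name)
            if name.lower() == "localhost" and ip in ("127.0.0.1", "::1"):
                verdict = "keep"
            elif domain in vendors:
                verdict = "vendor-exact"         # exact vendor name: confirm the IP is theirs
            elif any(0 < edit_distance(domain, v) <= 2 for v in vendors):
                verdict = "look-alike"           # e.g. symentec.com vs symantec.com
            else:
                verdict = "review"
            findings.append((ip, name, verdict))
    return findings
```

Everything except `keep` is a candidate for the record-then-delete step; `vendor-exact` entries still need the address confirmed against the product that added them.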

  3. #23
    starburst Guest

    Default Re: JS.Feebs

    Wow! That was incredibly thorough!! I think I've got most of it down and am in the middle of the process. Just a couple clarifications.

    Would this be something to delete? It's the same address but does not say localhost:

    127.0.0.1 count.exitexchange.com

    In the registry, it says HKEY_CURRENT_USER instead of HKEY_LOCAL_USER... is that ok? Because under there, after I followed the path, there is an amazing amount of sites that are obviously spam of some kind. Do you mean I leave the "default" in *only* the Ranges? But I can *fully* delete all of these *other* sites? (Just wanted to make sure since it's Registry stuff.) Also, is there any faster way to delete than to click on each one individually? It would take an incredibly long time to do that.

    Thanks for all the time you've spent on this! I'm getting into issues I didn't even know my computer had.

    Also, I will be leaving town midday tomorrow for the weekend, so I won't be able to respond for a bit after that.

    Starburst

    Message Edited by starburst on 12-15-2006 07:40 PM

  4. #24
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: JS.Feebs

    Delete the 127.0.0.1 count.exitexchange.com. Just the localhost should be the one with 127.0.0.1 and perhaps some type of server software.

    Just record it first and then delete it and if something is not working properly, just retype it back in.


    Yes, leave the Default intact and remove the others. PC will work OK without the others just fine. Leave intact any msn or hotmail or security site (but look twice since many types of malware use a site that is just slightly off the usual site, i.e. symentec.com instead of the proper symantec.com).

    If you did make an honest mistake, the software on the PC usually corrects it and replaces its own site back. So there may be a certain slowness in updates or getting connected, but once they have restored their site back in, that issue will disappear.

    A word of advice: certain antispy software such as Spybot S&D and SpySweeper and SpywareBlaster and IEspyAd will place these sites in those particular places of the registry. So these are often a legit part of their protection. If these are not installed and being used, then delete these.

    Also check the Safe Sites of the Internet Settings of that section found in the

    HKEY_LOCAL_MACHINE


    Quote:
    "In the registry, it says HKEY_CURRENT_USER instead of HKEY_LOCAL_USER... is that ok?"

    Yes, this is OK. It IS my typo mistake.


    Quote:
    " there is an amazing amount of sites that are obviously spam of some kind."

    If it looks like spam then it is spam. These are the direct result of the three items from before. They placed these sites in the Windows OS to allow those sites to have easier access to your PC.


    Hey StarBurst, it is understandable if you take a break and return later. This is a fair amount of work and if one is unfamiliar with the steps, it takes a little longer and some double checking is very normal. Actually I did think you are just moving along quickly.

    After that work is finished, then use these freeware for a good spyware checkup:

    http://www.superantispyware.com/

    http://www.ewido.net/en

    (personally I favor the online scanner from the ewido/avg antispy site, since it just uses a Temp folder and after the online scan is finished, just clean the Temp folder and there is no leftover .exes or .dlls from the scanner that would be found if the actual scanner is installed. The downloaded/installed scanner is slowly becoming a pest that runs an .exe even when the manual scanner is off)

    http://www.lavasoftusa.com/products/...e_personal.php

    http://www.sophos.com/products/free-...i-rootkit.html

    http://www.microsoft.com/technet/sys...tRevealer.mspx

    (before using the rootkit finders from sophos and MS, please first clean all browser caches and Temp folder and have the Disk cleaned. Or just do a cleanup with the CCleaner. A file in the browser cache or Temp folder can cause a false positive. This method of clean first and then scan is a better result.)

    Oldsod
    Best regards.
    oldsod
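
One way to review the ZoneMap entries in bulk before deleting anything, as an added example that is not part of the original thread: it groups the sites in a registry export by Internet Explorer security zone (2 = Trusted sites, 4 = Restricted sites), so entries that grant a site extra access can be told apart from block-list entries of the kind an anti-spyware tool adds. It assumes the key was saved as text, for example with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" zonemap.reg`; the function name and sample sites are hypothetical.

```python
import re
from collections import defaultdict

# Internet Explorer's standard security zone numbers.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed sample in the text format `reg export` writes; all sites are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popunder-ads.example]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tracker.example\www]
"http"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="192.0.2.44"
"*"=dword:00000002
'''

KEY_RE = re.compile(r"^\[.+?\\ZoneMap\\(Domains|Ranges)(?:\\(.+))?\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
RANGE_RE = re.compile(r'^":Range"="([^"]*)"$')


def zonemap_by_zone(reg_text):
    """Return {zone name: sorted ["site (protocol)", ...]} from .reg export text."""
    entries, current = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if key := KEY_RE.match(line):
            kind, rest = key.groups()
            current = None
            if rest:
                # Domains\tracker.example\www is the host www.tracker.example;
                # a Ranges key takes its address from the ":Range" value instead.
                site = ".".join(reversed(rest.split("\\"))) if kind == "Domains" else rest
                current = {"site": site, "zones": []}
                entries.append(current)
        elif line.startswith("["):
            current = None                       # unrelated key: skip its values
        elif current is not None:
            if rng := RANGE_RE.match(line):
                current["site"] = rng.group(1)
            elif val := DWORD_RE.match(line):
                current["zones"].append((val.group(1), int(val.group(2), 16)))
    grouped = defaultdict(list)
    for entry in entries:
        for proto, zone in entry["zones"]:
            grouped[ZONES.get(zone, f"zone {zone}")].append(f'{entry["site"]} ({proto})')
    return {zone: sorted(sites) for zone, sites in grouped.items()}
```

A real export is UTF-16 text, so read it with `open(path, encoding="utf-16")` before passing the contents to `zonemap_by_zone`.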

  5. #25
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: JS.Feebs

    Other places to check out>

    Check the C\ for malware folders and in the C\Program Files. Check the C\WINDOWS and the C\WINDOWS\system32 and the dllcache and the drivers subfolders. The folder/file search utility of the Explorer should be used in addition to a manual searches.

    Check the Documents and Settings- especially the Application Data, Local Settings and Start Menus. Check all subfolders.

    Check the MSOCache and the C\WINDOWS\system32\config\systemprofile


    Open the Properties of the NIC of the View Network Connections of the My Network Places. Click the Internet Protocol (TCP/IP) and then the Properties. Click the Advanced of the General tab and in the DNS should be your ISP DNS server(s) or a blank. Correct the DNS IP(s) if it is incorrect. Disable the LMHOSTS lookup of the WINS tab (optional is Disable the NetBIOS over TCP/IP). Ok all windows and Close.



    If your homepage/search in the IE had changed to another unwanted site, then check this>

    In the HKEY_LOCAL_USER\Software\Microsoft\InternetExplorer\Main
    a) Look for the SearchPage and doubleclick it. Select the Modify. In the ValueData box, delete the malware entry and enter your own search.
    b) Look for the Start Page and doubleclick it. Select the Modify. In the ValueData box, delete the malware entry and enter your own usual start home page. Repeat this in the HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main.




    Also>

    In the DCOM Config of My Computer of the Component Services of the Administrative Tools look for any malware entry and find its value (Application ID) in the Properties and then use this value in the Find of the Registry to remove (delete) it. Also optional is to disable the Windows Messenger (disable the startup by unchecking all in the Location tab found in the Properties of the doubleclick of the item).

    Optional tools to see if there is any suspicious activity on the machine and great tools for the user-approved software that is used and just has trouble>

    Download and run the freeware Process Explorer and look for strange .exes and .dlls>

    http://www.microsoft.com/technet/sys...sExplorer.mspx

    also the Listdll tool will show all .dll loaded and used>

    http://www.microsoft.com/technet/sys.../ListDlls.mspx

    The freeware TCPViewer will show all active connections, source and destination and applications>

    http://www.microsoft.com/technet/sys...g/TcpView.mspx

    Oldsod
    Best regards.
    oldsod

  6. #26
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,292

    Default Re: JS.Feeb in Gmail

    Yes, I think it is really a false positive...Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  7. #27
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: JS.Feebs

    Exitexchange is a parasitic pop under type. Remove all traces of it, after trying the uninstall in the Add/Remove Programs in the Control panel.



    BTW If you would like to post a HJT log, then do so. A great tool for finding the hidden parasites and spyware.

    Post both the hijackthis.log and the startuplist.txt (found in the Misc Tools of the Config... and click both boxes next to the Generate StartupList Log).

    Download and just run it and post both the log and the txt.
    Do not do anything else with it until I can see what there is and figure it out.

    Download from>

    http://majorgeeks.com/download3155.html


    Oldsod

    Message Edited by Oldsod on 12-16-2006 08:38 AM
    Best regards.
    oldsod

  8. #28
    karenaria Guest

    Default Re: JS.Feebs

    Hello, I have been a ZASS user for a couple of years.
    I read posts in the forum, but have never written anything here, or asked a question.
    I have been using gmail for a couple of months.
    My last virus scan reported that I had JS/feeb and that it could not be treated.
    I have all ZASS updates.
    When I rebooted and scanned again, JS/feeb was not reported.
    Does this mean it was, in fact, treated and is gone?
    I cannot find it anywhere on my system, but I am not the most computer savvy user.
    I do not see anything unusual running in the task manager.
    I have searched my hard drive for the name, and variations of the name JS/feeb, js.feeb, feeb, etc and have found nothing.
    Can I feel safe that this virus has been removed by ZASS if it is no longer detected in the virus scan?
    I would appreciate any information.
    I have read pages on the forum, but I am unsure after reading them, if I need to take further action myself.
    Please advise me.
    Thank you in advance for any assistance and information.
    Karen

  9. #29
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,292

    Default Re: JS.Feebs

    Hi Karen, it is a false positive. You do not need to take any further action. Regards, Fax
