Thread: w32.conycspa.g@mm and Trojan.spamforo keep poping up
View Single Post
Old 12-06-2005, 04:22 PM   #5 (permalink)
canadieneh02
Registered User
 
Join Date: Dec 2005
Posts: 9
OS: XP


Sorry it took so long
here is the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 6:18:30 PM, on 12/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "cws" "2"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_2.1.1.74.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Here is Ewido
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:42:49 PM, 12/5/2005
+ Report-Checksum: 388973F0

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3DE88907-3E38-11D4-BEB2-CBE76C0598DD} -> Spyware.BandObjects : Cleaned with backup
HKLM\SOFTWARE\ISPInstaller\RegistryBackup\HKCR\CLSID\{3DE88907-3E38-11D4-BEB2-CBE76C0598DD} -> Spyware.BandObjects : Cleaned with backup
HKU\S-1-5-21-1030656839-1065937116-3454538618-500\Software\Microsoft\Internet Explorer\Keywords -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-1030656839-1065937116-3454538618-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKU\S-1-5-21-1030656839-1065937116-3454538618-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\HJT\backups\backup-20050317-200652-914.dll -> Spyware.Ihbo : Cleaned with backup
C:\Downloads\DinerDashSetup-dm[1].exe -> Spyware.Trymedia : Cleaned with backup
C:\Program Files\Norton AntiVirus\Quarantine\Portal\41AB737B.exe -> Worm.Delf.i : Cleaned with backup
C:\Program Files\Norton AntiVirus\Quarantine\Portal\42060B17.exe -> Worm.Delf.i : Cleaned with backup
C:\Program Files\Norton AntiVirus\Quarantine\Portal\4F574C27.exe -> Logger.Agent.ig : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip/WINDOWS/NDNuninstall6_38.exe -> Spyware.NewDotNet : Error during cleaning
C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip/WINDOWS/NDNuninstall6_90.exe -> Adware.NewDotNet : Error during cleaning
C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip/WINDOWS/NDNuninstall6_98.exe -> Adware.NewDotNet : Error during cleaning
C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip/Program Files/newdotnet/uninstall6_38.exe -> Spyware.NewDotNet : Error during cleaning
C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip/Program Files/newdotnet/newdotnet6_98.dll -> Spyware.NewDotNet : Error during cleaning
C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip/Program Files/newdotnet/uninstall6_98.exe -> Adware.NewDotNet : Error during cleaning
C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip/Program Files/newdotnet/newdotnet6_98.to_be_deleted -> Spyware.NewDotNet : Error during cleaning
C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\inet20002\3.00.11.dll -> Spyware.Ihbo : Cleaned with backup
C:\WINDOWS\inetdata\1.02.11.dll -> Spyware.Ihbo : Cleaned with backup


::Report End

Here is Panda

Incident Status Location

Adware:adware/cws.yexe Not disinfected C:\messanger.ini
Spyware:spyware/new.net Not disinfected Windows Registry
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Administrator\Desktop\HJT\backups\backup-20050317-200653-495.inf
Virus:Trj/Downloader.TC Not disinfected C:\Documents and Settings\Administrator\lc.html
Spyware:Spyware/New.net Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip[NDNuninstall6_38.exe]
Spyware:Spyware/New.net Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip[NDNuninstall6_90.exe]
Spyware:Spyware/New.net Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip[NDNuninstall6_98.exe]
Spyware:Spyware/New.net Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip[uninstall6_38.exe]
Spyware:Spyware/New.net Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip[newdotnet6_98.dll]
Spyware:Spyware/New.net Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip[uninstall6_98.exe]
Spyware:Spyware/New.net Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip[newdotnet6_98.to_be_deleted]
Virus:Trj/Downloader.AOU Not disinfected C:\WINDOWS\inetdata\winlogon.exe
Virus:Trj/Downloader.TC Not disinfected C:\WINDOWS\system32\lc.html
canadieneh02 is offline