Thread: W32.Conycspa.G@mm

  1. #1
    Xcelsion... In Disguise. Xaneden's Avatar

    W32.Conycspa.G@mm

    Hey Guys,
    A few days back, I got an alert from Symantec Antivirus that I had a virus. It picked up 3 separate things, all within 30 seconds.

    Initially, it picked up 2 instances of a generic trojan. Then it picks up "W32.Conycspa.G@mm". All 3 things can be quarantined/deleted without any errors. I then get IE loading, trying to connect me to a website. However, the site (which I'm sure is an IP) does not have any full stops. For instance, one of the addresses was http://20089/, so it obviously doesn't load; it just gives me a generic Page not found error. I also tried changing my generic browser to Firefox, but it opened up the address in that browser too.

    This popup webpage usually occurs just before/after Symantec picks the virus up (so they're clearly connected), but the whole process repeats itself every hour or so. I've done full system scans using Symantec Antivirus, NOD32, BullGuard etc, and even an online scan. Symantec sometimes finds an instance of the viruses (usually within the 1 hour popup timeframe), but apart from that, it finds nothing (i.e. no regeneration files, which would be necessary for this to keep coming back). I have disabled system restore so those files can be scanned too.

    Does anyone have any advice for me? I am obviously concerned about this, and hope to clear it up asap. I have a lot of work to do over the weekend, so reinstallation is not plausible unfortunately.
    Last edited by Xaneden; 05-11-2005 at 12:06 AM.
    New Sig on the Way...

  2. #2
    Xcelsion... In Disguise. Xaneden's Avatar
    Forgot to mention, the main 'W32.Conycspa.G@mm' virus is found in 'C:\WINDOWS\inet20089\alg.exe' and the generic trojans are found in 'C:\WINDOWS\inet20089\skiller.exe'.
    New Sig on the Way...

  3. #3
    Bigger than Jesus Norky's Avatar
    http://securityresponse.symantec.com...cspa.g@mm.html

    Try reading that, hope this helps

  4. #4
    Xcelsion... In Disguise. Xaneden's Avatar
    Thanks for the link Norky, but I've desperately read that about 5 times already tonight.

    I've tried doing what it says, but it comes to no avail. I also have a firewall etc so I don't see how this is getting through.

    Oh, and I didn't get this via an email.
    New Sig on the Way...

  5. #5
    Senior Trouble Maker muddyfox470's Avatar
    Try Microsoft AntiSpyware; it has a browser restore function, if and when the browser becomes hijacked.

    Though I don't know whether that will help you at all...

    ian
    Mac fancier > white macbook base spec .................. CS: muddyfirebang

  6. #6
    Xcelsion... In Disguise. Xaneden's Avatar
    Ok, I updated NOD32 this morning, and it located a 'services.exe' in the same directory as the other viruses, but stated it was an unknown virus.

    Also, I am now getting Symantec picking up lots of separate temporary files all seemingly infected with the Conycspa virus.
    Last edited by Xaneden; 05-11-2005 at 10:40 AM.
    New Sig on the Way...

  7. #7
    Ex-MSFT Paul Adams's Avatar
    I would start by backing up the entire registry and then booting into Safe Mode.

    Run Autoruns to check what is starting up when I boot and log on.
    Delete all references to files in C:\Windows\inet20089 - that folder should not be there.

    Then check the system with Rootkit Revealer to see if it shows you anything hidden on the system that AV may only pick up when it becomes a running process (read the page for "interpreting the output" as not everything it reports indicates a problem).

    Then a full AV scan of the system after a refresh of the virus definitions.

    If you really didn't get it via email then you ran an executable you downloaded or received via IM or something similar (AOL Instant Messenger apparently has some nasties running around in it at the moment).
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3
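
The check behind "delete all references to files in C:\Windows\inet20089", as an added example that is not part of the original post. It goes slightly beyond the thread by also flagging `alg.exe` or `services.exe` autostarts located outside `system32`, since both are genuine Windows file names. The entry list is constructed sample data, and the `system32` path assumes a default install.

```python
import ntpath

SUSPECT_DIR = r"C:\WINDOWS\inet20089"       # folder named in the thread
SYSTEM32 = r"C:\WINDOWS\system32"           # assumption: default install path
SYSTEM_NAMES = {"alg.exe", "services.exe"}  # Windows file names reused in the thread

# Constructed sample: (location, entry name, command line) as copied from an
# autostart listing. Entry names and the Temp path are made up for illustration.
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = [
    (RUN, "alg", r"C:\WINDOWS\inet20089\alg.exe"),
    (RUN, "skiller", r'"c:\windows\INET20089\skiller.exe" /q'),
    ("Services", "ALG", r"C:\WINDOWS\System32\alg.exe"),
    (RUN, "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    (RUN, "svc", r"C:\Documents and Settings\user\Local Settings\Temp\services.exe -k"),
]


def image_path(command):
    """Extract the executable path from an autostart command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: cut after the first ".exe" so paths containing spaces survive.
    idx = command.lower().find(".exe")
    return command[: idx + 4] if idx != -1 else command.split(" ")[0]


def norm(path):
    """Case-insensitive, separator-normalised form for Windows path comparison."""
    return ntpath.normcase(ntpath.normpath(path))


def triage(entries):
    """Return (location, name, path, reason) for entries to remove or inspect."""
    suspect, system32 = norm(SUSPECT_DIR), norm(SYSTEM32)
    findings = []
    for location, name, command in entries:
        path = image_path(command)
        folder, exe = ntpath.split(norm(path))
        if folder == suspect or folder.startswith(suspect + "\\"):
            findings.append((location, name, path, "in inet20089 folder"))
        elif exe in SYSTEM_NAMES and folder != system32:
            findings.append((location, name, path, "system file name outside system32"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```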

  8. #8
    Xcelsion... In Disguise. Xaneden's Avatar
    Thanks for the advice, I'll try that stuff out now. And no, I didn't get any files over any IMs lately, or via a downloaded file. I was browsing through a widescreen wallpaper website when I got a warning that the virus had infected; how, though, I do not know, as I did not accept any ActiveX notifications etc.
    New Sig on the Way...
