Author Topic: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...  (Read 8641 times)

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #15 on: March 29, 2011, 01:27:07 PM »
Hi, SORRY if I have confused you a little.

When I said that I couldn't run unhide.exe this was because I couldn't Install/Run or do anything on my pc, Now after rebooting I can use notepad etc...
OK, then I'd also like you to run unhide. Let me know those results too. Thanks!
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-13

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline ACE123

  • Bronze Member
  • Posts: 21
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #16 on: March 30, 2011, 02:20:24 AM »
I have attached the GMER  ASK.log.
The message that came up upon completion of scan was:-
GMER has found system modification caused in ROOTKIT activity.





Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #17 on: March 30, 2011, 04:52:56 AM »
We'll get to it but you must follow my lead...please go back and re-read my last post. Take your time and read carefully. If I ask something, please answer...if I ask FOR something, please provide it or an answer as to why you cannot. Thanks for you cooperation!
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-13

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline ACE123

  • Bronze Member
  • Posts: 21
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #18 on: March 30, 2011, 10:38:32 AM »
Hi, I have downloaded and run UNHIDE.EXE - completed ok with message - your files should now be visible.
I don't have any installation disks as my PC was pre-installed from shop.

Do I need to run a fresh GMER?

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #19 on: March 30, 2011, 11:58:12 AM »
Quote
The message that came up upon completion of scan was:-
GMER has found system modification caused in ROOTKIT activity.

...Do I need to run a fresh GMER?
Not needed...I don't see indication of that in the log you posted.

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista or Windows 7, you can skip the recovery console step...in Vista/7 it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista or Windows 7 installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware.  It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouseclick combofix's window while it's running....that may cause the scan to stall

Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-13

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline ACE123

  • Bronze Member
  • Posts: 21
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #20 on: March 30, 2011, 04:49:35 PM »
I have run Combofix as requested

ComboFix 11-03-29.06 - Compaq_Owner 30/03/2011  21:11:43.3.1 - x86
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
(((((((((((((((((((((((((   Files Created from 2011-02-28 to 2011-03-30  )))))))))))))))))))))))))))))))
.
.
2011-03-30 16:54 . 2011-03-15 04:05   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{C6C3482B-DB51-46CF-ABC1-1C4A517CD51A}\mpengine.dll
2011-03-28 17:31 . 2011-03-28 17:31   --------   d-----w-   C:\ARK
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-03-26 23:25 . 2011-03-26 23:25   --------   d-----w-   c:\program files\ESET
2011-03-26 10:18 . 2011-03-26 10:18   --------   d-----w-   c:\documents and settings\Compaq_Owner\DoctorWeb
2011-03-24 15:41 . 2009-06-30 10:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
2011-03-12 12:28 . 2011-03-12 12:28   103864   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-03-10 16:32 . 2011-03-10 16:32   --------   d-----w-   c:\program files\iPod
2011-03-07 08:20 . 2011-03-07 08:20   --------   d-----w-   c:\program files\Bonjour
2011-03-03 01:02 . 2011-03-03 01:02   --------   d-----w-   C:\$AVG
2011-03-02 22:00 . 2011-03-02 22:00   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\AVG10
2011-03-02 21:48 . 2011-03-02 21:48   --------   d-----w-   c:\documents and settings\All Users\Application Data\Common Files
2011-03-02 20:45 . 2011-03-03 16:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG10
2011-03-02 20:04 . 2011-03-02 20:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData
2011-03-02 16:30 . 2011-03-15 04:05   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-02 16:27 . 2011-03-02 16:27   --------   d-----w-   c:\program files\Windows Defender
2011-03-02 15:13 . 2011-03-02 15:13   388096   ----a-r-   c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 12:00   270848   ----a-w-   c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00   186880   ----a-w-   c:\windows\system32\encdec.dll
2011-02-02 21:40 . 2010-04-18 10:37   472808   -c--a-w-   c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2010-04-18 10:37   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-02-02 17:11 . 2009-10-03 00:40   222080   -c----w-   c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2004-08-04 12:00   2067456   ----a-w-   c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 12:00   677888   ----a-w-   c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00   439296   ----a-w-   c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 12:00   290048   ----a-w-   c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 12:00   1854976   ----a-w-   c:\windows\system32\win32k.sys
2011-03-18 17:53 . 2011-03-29 17:54   142296   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-06 339968]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2010-10-19 340520]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0smrgdf c:\documents and settings\Compaq_Owner\Application Data\iolo\
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys

R3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\DRIVERS\btkrnbdg.sys

R3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\Drivers\csrbc01.sys

R3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe [2009-08-24 406016]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe

R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2009-10-12 13224]
R3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\DRIVERS\k600bus.sys [2005-03-04 52384]
R3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\DRIVERS\k600mdfl.sys [2005-03-04 6096]
R3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\DRIVERS\k600mdm.sys [2005-03-04 87456]
R3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\DRIVERS\k600mgmt.sys [2005-03-04 79248]
R3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\k600obex.sys [2005-03-04 77072]
R3 PAC207;CamMaestro 3.01 DU PC Camera;c:\windows\system32\DRIVERS\pfc027.sys

R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [2008-06-04 90408]
R3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys

S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 vvlppc2;vvlppc2;

S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2009-09-14 32272]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-02 19472]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2010-05-10 27632]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - pgldrpow
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-18 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2008-01-08 12:31]
.
2011-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-03-16 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-18 09:00]
.
2011-03-24 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-01-15 15:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Send To &Bluetooth
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\xkqzqf47.default\
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-30 22:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(928)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1896)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-03-30  23:27:34
ComboFix-quarantined-files.txt  2011-03-30 22:26
ComboFix2.txt  2011-03-28 00:18
ComboFix3.txt  2011-03-27 10:53
.
Pre-Run: 5,615,308,800 bytes free
Post-Run: 5,632,970,752 bytes free
.
- - End Of File - - CEA23687A63C9540E008168D0886EB6E

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #21 on: March 30, 2011, 08:15:39 PM »
The log is showing that combofix has been run three times on that system. May I see logs numbers one and two please?
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-13

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline ACE123

  • Bronze Member
  • Posts: 21
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #22 on: March 31, 2011, 11:10:25 AM »
Hi I have checked for the log files and can't find them, I have spoken to my friend who knows a bit more on pc's than me and had a quick look at my PC, He told me he had run combofix, then deleted the logs and the combo program to the recycle bin - Not there I have checked, Sorry.
He said he had run a couple of checks after reading them on your site - I apologize did not know everything he had done. 

After combofix had completed last night, I enabled my kaspersky and the system rebooted, when I have logged in I got the message Windows has recovered from a serious error.
According to the message it was to do with my antivirus program, do you want me to post them.

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #23 on: March 31, 2011, 01:06:00 PM »
Please tell me when your friend ran the combofix utility and why.
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-13

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline ACE123

  • Bronze Member
  • Posts: 21
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #24 on: March 31, 2011, 01:57:24 PM »
I think it was sunday, he has has told me he thought he might have been able to fix my PC. He told me he had read about this on forums by searching via GOOGLE and thought by running the program that it would fix the virus, which I know is not right because now I realise all PC's are different and needs a professional to check it out as it says in the tutorial on combofix.

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #25 on: March 31, 2011, 02:00:28 PM »
Please open the qoobox folder and tell me how many text files you see there named combofix.txt...there may be variations of that, such as combofix2.txt, combofix3.txt etc.
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-13

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline ACE123

  • Bronze Member
  • Posts: 21
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #26 on: March 31, 2011, 09:36:56 PM »
Hi, there are 3 combo files - ComboFix-quarantined-files.txt, ComboFix2.txt, ComboFix3.txt
Do you want me to attach all 3 files?

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #27 on: April 01, 2011, 08:42:29 AM »
Please let me see combofix2.txt, combofix3.txt and...at the root of the drive, you should see just one text file named combofix.txt...please post all three of those. Thanks!
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-13

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline ACE123

  • Bronze Member
  • Posts: 21
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #28 on: April 01, 2011, 03:35:43 PM »
Files posted as requested

Combofix2.txt as  requested

ComboFix 11-03-27.01 - Compaq_Owner 28/03/2011   1:02.2.1 - x86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.3.1252.44.1033.18.382.219 [GMT 1:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
(((((((((((((((((((((((((   Files Created from 2011-02-28 to 2011-03-28  )))))))))))))))))))))))))))))))
.
.
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-03-27 14:01 . 2011-03-27 14:02   --------   d-----w-   c:\program files\SpywareBlaster
2011-03-27 10:59 . 2011-03-15 04:05   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{28AF1E09-CABD-44D5-BEC8-04C40F993FAA}\mpengine.dll
2011-03-26 23:25 . 2011-03-26 23:25   --------   d-----w-   c:\program files\ESET
2011-03-26 10:18 . 2011-03-26 10:18   --------   d-----w-   c:\documents and settings\Compaq_Owner\DoctorWeb
2011-03-24 15:41 . 2009-06-30 10:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
2011-03-12 12:28 . 2011-03-12 12:28   103864   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-03-10 16:32 . 2011-03-10 16:32   --------   d-----w-   c:\program files\iPod
2011-03-07 08:20 . 2011-03-07 08:20   --------   d-----w-   c:\program files\Bonjour
2011-03-03 01:02 . 2011-03-03 01:02   --------   d-----w-   C:\$AVG
2011-03-02 22:00 . 2011-03-02 22:00   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\AVG10
2011-03-02 21:48 . 2011-03-02 21:48   --------   d--h--w-   c:\documents and settings\All Users\Application Data\Common Files
2011-03-02 20:45 . 2011-03-03 16:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG10
2011-03-02 20:04 . 2011-03-02 20:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData
2011-03-02 16:30 . 2011-02-23 09:35   5943120   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-02 16:27 . 2011-03-02 16:27   --------   d-----w-   c:\program files\Windows Defender
2011-03-02 15:13 . 2011-03-02 15:13   388096   ----a-r-   c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 12:00   270848   ----a-w-   c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00   186880   ----a-w-   c:\windows\system32\encdec.dll
2011-02-02 21:40 . 2010-04-18 10:37   472808   -c--a-w-   c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2010-04-18 10:37   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-02-02 17:11 . 2009-10-03 00:40   222080   -c----w-   c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2004-08-04 12:00   2067456   ----a-w-   c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 12:00   677888   ----a-w-   c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00   439296   ----a-w-   c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 12:00   290048   ----a-w-   c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 12:00   1854976   ----a-w-   c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
.
[7] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-04-14 . 3B58675ED2C6A68C38624681C2548862 . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll
[7] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\termsrv.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-06 339968]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-8-30 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\docume~1\ALLUSE~1\AVP9\kloehk.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0smrgdf c:\documents and settings\Compaq_Owner\Application Data\iolo\
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [14/10/2009 21:18 36880]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 20:19 13592]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14/09/2009 15:42 32272]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [10/05/2010 22:20 27632]
S0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys --> c:\windows\system32\drivers\dwprot.sys [?]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [24/03/2011 16:41 28552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
S2 vvlppc2;vvlppc2;c:\windows\system32\drivers\vvlppc2.sys [17/11/2005 18:48 30080]
S3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys --> c:\windows\system32\drivers\Btcomm.sys [?]
S3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\DRIVERS\btkrnbdg.sys --> c:\windows\system32\DRIVERS\btkrnbdg.sys [?]
S3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\Drivers\csrbc01.sys --> c:\windows\system32\Drivers\csrbc01.sys [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [26/05/2010 15:33 406016]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe --> c:\program files\MAGIX\Common\Database\bin\fbserver.exe [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [12/10/2009 15:44 13224]
S3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\drivers\k600bus.sys [04/03/2005 19:08 52384]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\drivers\k600mdfl.sys [04/03/2005 19:11 6096]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\drivers\k600mdm.sys [04/03/2005 19:11 87456]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\drivers\k600mgmt.sys [04/03/2005 19:13 79248]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\k600obex.sys [04/03/2005 19:15 77072]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/10/2009 19:39 19472]
S3 PAC207;CamMaestro 3.01 DU PC Camera;c:\windows\system32\DRIVERS\pfc027.sys --> c:\windows\system32\DRIVERS\pfc027.sys [?]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [28/07/2010 20:58 90408]
S3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys --> c:\windows\system32\drivers\vadmulti.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-18 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2008-01-08 12:31]
.
2011-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-03-16 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-18 09:00]
.
2011-03-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
2011-03-24 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-01-15 15:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Send To &Bluetooth
DPF: Microsoft XML Parser for Java
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-28 01:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1032)
c:\windows\system32\WININET.dll
.
Completion time: 2011-03-28  01:18:48
ComboFix-quarantined-files.txt  2011-03-28 00:18
ComboFix2.txt  2011-03-27 10:53
.
Pre-Run: 1,025,875,968 bytes free
Post-Run: 989,618,176 bytes free
.
- - End Of File - - 8884E342069C8D4736F6EB37846888A2

Combofix3.txt as  requested

ComboFix 11-03-26.01 - Compaq_Owner 27/03/2011  10:52:52.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.3.1252.44.1033.18.382.248 [GMT 1:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Compaq_Owner\new.txt
c:\program files\Common Files\Temp
c:\program files\Common Files\Temp\wbrp.exe
c:\program files\Common Files\Temp\wbrpdw.exe
c:\windows\dbxesellerate.exe
c:\windows\system32\tmp.reg
D:\Autorun.inf
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ASC3550U
.
.
(((((((((((((((((((((((((   Files Created from 2011-02-27 to 2011-03-27  )))))))))))))))))))))))))))))))
.
.
2011-03-26 23:25 . 2011-03-26 23:25   --------   d-----w-   c:\program files\ESET
2011-03-26 10:18 . 2011-03-26 10:18   --------   d-----w-   c:\documents and settings\Compaq_Owner\DoctorWeb
2011-03-24 15:41 . 2009-06-30 10:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
2011-03-22 19:14 . 2011-02-23 09:35   5943120   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{599214AE-F79A-442A-83EC-EC5F1613B11E}\mpengine.dll
2011-03-12 12:28 . 2011-03-12 12:28   103864   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-03-10 16:32 . 2011-03-10 16:32   --------   d-----w-   c:\program files\iPod
2011-03-07 08:20 . 2011-03-07 08:20   --------   d-----w-   c:\program files\Bonjour
2011-03-03 01:02 . 2011-03-03 01:02   --------   d-----w-   C:\$AVG
2011-03-02 22:00 . 2011-03-02 22:00   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\AVG10
2011-03-02 21:48 . 2011-03-02 21:48   --------   d--h--w-   c:\documents and settings\All Users\Application Data\Common Files
2011-03-02 20:45 . 2011-03-03 16:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG10
2011-03-02 20:04 . 2011-03-02 20:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData
2011-03-02 16:30 . 2011-02-23 09:35   5943120   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-02 16:27 . 2011-03-02 16:27   --------   d-----w-   c:\program files\Windows Defender
2011-03-02 15:13 . 2011-03-02 15:13   388096   ----a-r-   c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 12:00   270848   ----a-w-   c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00   186880   ----a-w-   c:\windows\system32\encdec.dll
2011-02-02 21:40 . 2010-04-18 10:37   472808   -c--a-w-   c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2010-04-18 10:37   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-02-02 17:11 . 2009-10-03 00:40   222080   -c----w-   c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2004-08-04 12:00   2067456   ----a-w-   c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 12:00   677888   ----a-w-   c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00   439296   ----a-w-   c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 12:00   290048   ----a-w-   c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 12:00   1854976   ----a-w-   c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-06 339968]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2010-10-19 340520]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0smrgdf c:\documents and settings\Compaq_Owner\Application Data\iolo\
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys

R3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys

R3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\DRIVERS\btkrnbdg.sys

R3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\Drivers\csrbc01.sys

R3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe [2009-08-24 406016]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe

R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2009-10-12 13224]
R3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\DRIVERS\k600bus.sys [2005-03-04 52384]
R3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\DRIVERS\k600mdfl.sys [2005-03-04 6096]
R3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\DRIVERS\k600mdm.sys [2005-03-04 87456]
R3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\DRIVERS\k600mgmt.sys [2005-03-04 79248]
R3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\k600obex.sys [2005-03-04 77072]
R3 PAC207;CamMaestro 3.01 DU PC Camera;c:\windows\system32\DRIVERS\pfc027.sys

R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [2008-06-04 90408]
R3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys

S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S2 vvlppc2;vvlppc2;

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2009-09-14 32272]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-02 19472]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2010-05-10 27632]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-18 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2008-01-08 12:31]
.
2011-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-03-16 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-18 09:00]
.
2011-03-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
2011-03-24 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-01-15 15:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Send To &Bluetooth
DPF: Microsoft XML Parser for Java
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Wdf01000.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-27 11:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(4092)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\AGRSMMSG.exe
c:\windows\ALCXMNTR.EXE
c:\windows\system32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\Windows Desktop Search\WindowsSearch.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\HP\HP Software Update\HPWUCli.exe
.
**************************************************************************
.
Completion time: 2011-03-27  11:53:22 - machine was rebooted
ComboFix-quarantined-files.txt  2011-03-27 10:52
.
Pre-Run: 1,220,530,176 bytes free
Post-Run: 867,250,176 bytes free
.
- - End Of File - - 43EE95ED1C693F9DC2824D03373FD2E2

Combofix.txt as  requested



ComboFix 11-03-29.06 - Compaq_Owner 30/03/2011  21:11:43.3.1 - x86
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
(((((((((((((((((((((((((   Files Created from 2011-02-28 to 2011-03-30  )))))))))))))))))))))))))))))))
.
.
2011-03-30 16:54 . 2011-03-15 04:05   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{C6C3482B-DB51-46CF-ABC1-1C4A517CD51A}\mpengine.dll
2011-03-28 17:31 . 2011-03-28 17:31   --------   d-----w-   C:\ARK
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-03-26 23:25 . 2011-03-26 23:25   --------   d-----w-   c:\program files\ESET
2011-03-26 10:18 . 2011-03-26 10:18   --------   d-----w-   c:\documents and settings\Compaq_Owner\DoctorWeb
2011-03-24 15:41 . 2009-06-30 10:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
2011-03-12 12:28 . 2011-03-12 12:28   103864   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-03-10 16:32 . 2011-03-10 16:32   --------   d-----w-   c:\program files\iPod
2011-03-07 08:20 . 2011-03-07 08:20   --------   d-----w-   c:\program files\Bonjour
2011-03-03 01:02 . 2011-03-03 01:02   --------   d-----w-   C:\$AVG
2011-03-02 22:00 . 2011-03-02 22:00   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\AVG10
2011-03-02 21:48 . 2011-03-02 21:48   --------   d-----w-   c:\documents and settings\All Users\Application Data\Common Files
2011-03-02 20:45 . 2011-03-03 16:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG10
2011-03-02 20:04 . 2011-03-02 20:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData
2011-03-02 16:30 . 2011-03-15 04:05   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-02 16:27 . 2011-03-02 16:27   --------   d-----w-   c:\program files\Windows Defender
2011-03-02 15:13 . 2011-03-02 15:13   388096   ----a-r-   c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 12:00   270848   ----a-w-   c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00   186880   ----a-w-   c:\windows\system32\encdec.dll
2011-02-02 21:40 . 2010-04-18 10:37   472808   -c--a-w-   c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2010-04-18 10:37   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-02-02 17:11 . 2009-10-03 00:40   222080   -c----w-   c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2004-08-04 12:00   2067456   ----a-w-   c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 12:00   677888   ----a-w-   c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00   439296   ----a-w-   c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 12:00   290048   ----a-w-   c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 12:00   1854976   ----a-w-   c:\windows\system32\win32k.sys
2011-03-18 17:53 . 2011-03-29 17:54   142296   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-06 339968]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2010-10-19 340520]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0smrgdf c:\documents and settings\Compaq_Owner\Application Data\iolo\
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys

R3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\DRIVERS\btkrnbdg.sys

R3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\Drivers\csrbc01.sys

R3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe [2009-08-24 406016]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe

R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2009-10-12 13224]
R3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\DRIVERS\k600bus.sys [2005-03-04 52384]
R3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\DRIVERS\k600mdfl.sys [2005-03-04 6096]
R3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\DRIVERS\k600mdm.sys [2005-03-04 87456]
R3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\DRIVERS\k600mgmt.sys [2005-03-04 79248]
R3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\k600obex.sys [2005-03-04 77072]
R3 PAC207;CamMaestro 3.01 DU PC Camera;c:\windows\system32\DRIVERS\pfc027.sys

R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [2008-06-04 90408]
R3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys

S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 vvlppc2;vvlppc2;

S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2009-09-14 32272]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-02 19472]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2010-05-10 27632]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - pgldrpow
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-18 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2008-01-08 12:31]
.
2011-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-03-16 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-18 09:00]
.
2011-03-24 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-01-15 15:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Send To &Bluetooth
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\xkqzqf47.default\
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-30 22:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(928)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1896)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-03-30  23:27:34
ComboFix-quarantined-files.txt  2011-03-30 22:26
ComboFix2.txt  2011-03-28 00:18
ComboFix3.txt  2011-03-27 10:53
.
Pre-Run: 5,615,308,800 bytes free
Post-Run: 5,632,970,752 bytes free
.
- - End Of File - - CEA23687A63C9540E008168D0886EB6E

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #29 on: April 01, 2011, 07:37:10 PM »
It seems your friend ran combofix for you by remote desktop? Is that the case? If so, fine...but if you don't use remote desktop yourself for any reason, you might want to close this port, especially since combofix already removed a stealthed trojan when your friend ran it last Sunday:
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
...and I see there were other issues that weren't dealt with from that run.

Please open a blank Notepad by clicking start-->run...Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall



KILLALL::

FCopy::
c:\windows\ServicePackFiles\i386\termsrv.dll | c:\windows\system32\termsrv.dll

File::
c:\windows\system32\drivers\pavboot.sys

DDS::
uURLSearchHooks: H -
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} -
TB: {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} -
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

Folder::
C:\$AVG
c:\documents and settings\Compaq_Owner\Application Data\AVG10
c:\documents and settings\All Users\Application Data\AVG10
c:\documents and settings\All Users\Application Data\MFAData

Driver::
pavboot

Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Registry::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@=-
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@=-
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@=-
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-13

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven