Author Topic: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...  (Read 8642 times)

Offline ACE123

  • Bronze Member
  • Posts: 21
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #30 on: April 02, 2011, 04:05:53 PM »
Hi, thanks for the info. My friend did ComboFix from my PC, not by remote desktop.
I have copied and saved the CFScript, will update with the logfile when completed. Thanks

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #31 on: April 02, 2011, 07:48:33 PM »
Thanks for that info...then, I take it you DO use the remote desktop feature yourself?
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-13

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline ACE123

  • Bronze Member
  • Posts: 21
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #32 on: April 03, 2011, 12:35:38 PM »
No, never used remote desktop before, wouldn't know how to.
ComboFix has completed. My machine rebooted as the power in my house went down today; the power came back on and ComboFix completed. Thanks

ComboFix 11-03-29.06 - Compaq_Owner 03/04/2011   5:18.4.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.44.1033.18.382.107 [GMT 1:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
FILE ::
"c:\windows\system32\drivers\pavboot.sys"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\$AVG
c:\$avg\$VAULT\V_00000001.fil
c:\$avg\$VAULT\V_00000002.fil
c:\$avg\$VAULT\vvfolder.idx
c:\documents and settings\All Users\Application Data\AVG10
c:\documents and settings\All Users\Application Data\AVG10\Cfg\admin.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\cachesrv.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\changecfgreg.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\csl.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\dav.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\emssrv.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\erd.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\idp.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\krnl.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\mail.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\mailsrv.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\mailsrvvsapi.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\malrep.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\scan.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\sched.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\setup.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\spsrv.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\tb.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\update.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\updatecomps.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\user.cfg
c:\documents and settings\All Users\Application Data\AVG10\cfgall\falsealarm.cfg
c:\documents and settings\All Users\Application Data\AVG10\cfgall\krnlall.cfg
c:\documents and settings\All Users\Application Data\AVG10\cfgall\updateall.cfg
c:\documents and settings\All Users\Application Data\AVG10\cfgall\userall.cfg
c:\documents and settings\All Users\Application Data\AVG10\Chjw\66b09336b0930ba5\avgcchff.dat
c:\documents and settings\All Users\Application Data\AVG10\Chjw\66b09336b0930ba5\avgcchfi.dat
c:\documents and settings\All Users\Application Data\AVG10\Chjw\66b09336b0930ba5\avgcchmf.dat
c:\documents and settings\All Users\Application Data\AVG10\Chjw\66b09336b0930ba5\avgcchmi.dat
c:\documents and settings\All Users\Application Data\AVG10\log\avgcfg.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgcfg.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgchjw.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgchjw.log.1
c:\documents and settings\All Users\Application Data\AVG10\log\avgchjw.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgchjwsrv.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgchjwsrv.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log.1
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log.2
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log.3
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log.4
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log.5
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log.6
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log.7
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgcsl.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgcsl.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgemc.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgemc.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgexc.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgexc.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgldr.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgldr.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avglng.log
c:\documents and settings\All Users\Application Data\AVG10\log\avglng.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgns.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgns.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgpostinst.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgpostinst.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgrs.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgrs.log.1
c:\documents and settings\All Users\Application Data\AVG10\log\avgrs.log.2
c:\documents and settings\All Users\Application Data\AVG10\log\avgrs.log.3
c:\documents and settings\All Users\Application Data\AVG10\log\avgrs.log.4
c:\documents and settings\All Users\Application Data\AVG10\log\avgrs.log.5
c:\documents and settings\All Users\Application Data\AVG10\log\avgrs.log.6
c:\documents and settings\All Users\Application Data\AVG10\log\avgrs.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgscan.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgscan.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgsched.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgsched.log.1
c:\documents and settings\All Users\Application Data\AVG10\log\avgsched.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgsrm.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgsrm.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgsrmac.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgsrmac.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgtdi.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgtdi.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgual.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgual.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgui.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgui.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgupd.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgupd.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgwd.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgwd.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgwdsvc.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgwdsvc.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\commonpriv.log
c:\documents and settings\All Users\Application Data\AVG10\log\commonpriv.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\fixcfg.log
c:\documents and settings\All Users\Application Data\AVG10\log\fixcfg.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\history.xml
c:\documents and settings\All Users\Application Data\AVG10\log\IDP\log\avgtray_idp_Compaq_Owner.log
c:\documents and settings\All Users\Application Data\AVG10\log\IDP\log\avgui_idp_Compaq_Owner.log
c:\documents and settings\All Users\Application Data\AVG10\log\IDP\log\avgwdsvc_idp_SYSTEM.log
c:\documents and settings\All Users\Application Data\AVG10\log\vault.log
c:\documents and settings\All Users\Application Data\AVG10\log\vault.log.lock
c:\documents and settings\All Users\Application Data\AVG10\lsdb\prev\prvcache.dat
c:\documents and settings\All Users\Application Data\AVG10\lsdb\prev\prvglbl.dat
c:\documents and settings\All Users\Application Data\AVG10\scanlogs\I_00000001.log
c:\documents and settings\All Users\Application Data\AVG10\scanlogs\I_00000005.log
c:\documents and settings\All Users\Application Data\AVG10\scanlogs\I_00000006.log
c:\documents and settings\All Users\Application Data\AVG10\scanlogs\I_00000007.log
c:\documents and settings\All Users\Application Data\AVG10\scanlogs\srm.idx
c:\documents and settings\All Users\Application Data\MFAData
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110302-200423.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110302-203752.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110303-154655.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110302-200423.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110302-203752.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110303-154655.log
c:\documents and settings\All Users\Application Data\MFAData\mfaurlconf.ini
c:\documents and settings\All Users\Application Data\MFAData\mkt\hi\dm_marketing_message-hi.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\hi\Installation-Page_LinkScanner.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\hi\Installation-Page_Smart-Scanning.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\hi\Installation-Page_Social-Networking.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\ico-blue-bg.gif
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\LinkScanner-style.css
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\LinkScanner.jpg
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\OK.png
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\Smart-Scanning.jpg
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\SmartScanning-style.css
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\Social-Networking.jpg
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\SocialNetworking-style.css
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\style.css
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\Thumbs.db
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\ui-background.jpg
c:\documents and settings\All Users\Application Data\MFAData\mkt\us\dm_marketing_message-en-us.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\us\Installation-Page_LinkScanner.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\us\Installation-Page_Smart-Scanning.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\us\Installation-Page_Social-Networking.html
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10avgx1204gi.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\foi10cnet_lic8dn.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\foi10cnet_mis15ni.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\foi10cnet_mps11fx.bin
c:\documents and settings\All Users\Application Data\MFAData\state.dat
c:\documents and settings\Compaq_Owner\Application Data\AVG10
c:\documents and settings\Compaq_Owner\Application Data\AVG10\cfgall\usergui.cfg
c:\windows\system32\drivers\pavboot.sys
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\termsrv.dll --> c:\windows\system32\termsrv.dll
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_PAVBOOT
-------\Service_pavboot
.
.
(((((((((((((((((((((((((   Files Created from 2011-03-03 to 2011-04-03  )))))))))))))))))))))))))))))))
.
.
2011-03-30 16:54 . 2011-03-15 04:05   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{C6C3482B-DB51-46CF-ABC1-1C4A517CD51A}\mpengine.dll
2011-03-28 17:31 . 2011-03-28 17:31   --------   d-----w-   C:\ARK
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-03-26 23:25 . 2011-03-26 23:25   --------   d-----w-   c:\program files\ESET
2011-03-26 10:18 . 2011-03-26 10:18   --------   d-----w-   c:\documents and settings\Compaq_Owner\DoctorWeb
2011-03-12 12:28 . 2011-03-12 12:28   103864   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-03-10 16:32 . 2011-03-10 16:32   --------   d-----w-   c:\program files\iPod
2011-03-07 08:20 . 2011-03-07 08:20   --------   d-----w-   c:\program files\Bonjour
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 04:05 . 2011-03-02 16:30   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-02 15:13 . 2011-03-02 15:13   388096   ----a-r-   c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-09 13:53 . 2004-08-04 12:00   270848   ----a-w-   c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00   186880   ----a-w-   c:\windows\system32\encdec.dll
2011-02-02 21:40 . 2010-04-18 10:37   472808   -c--a-w-   c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2010-04-18 10:37   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-02-02 17:11 . 2009-10-03 00:40   222080   -c----w-   c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2004-08-04 12:00   2067456   ----a-w-   c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 12:00   677888   ----a-w-   c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00   439296   ----a-w-   c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 12:00   290048   ----a-w-   c:\windows\system32\atmfd.dll
2011-03-18 17:53 . 2011-03-29 17:54   142296   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-06 339968]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2010-10-19 340520]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0smrgdf c:\documents and settings\Compaq_Owner\Application Data\iolo\
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys

R3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\DRIVERS\btkrnbdg.sys

R3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\Drivers\csrbc01.sys

R3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe [2009-08-24 406016]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe

R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2009-10-12 13224]
R3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\DRIVERS\k600bus.sys [2005-03-04 52384]
R3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\DRIVERS\k600mdfl.sys [2005-03-04 6096]
R3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\DRIVERS\k600mdm.sys [2005-03-04 87456]
R3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\DRIVERS\k600mgmt.sys [2005-03-04 79248]
R3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\k600obex.sys [2005-03-04 77072]
R3 PAC207;CamMaestro 3.01 DU PC Camera;c:\windows\system32\DRIVERS\pfc027.sys

R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [2008-06-04 90408]
R3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys

S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 vvlppc2;vvlppc2;

S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2009-09-14 32272]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-02 19472]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2010-05-10 27632]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-01 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2008-01-08 12:31]
.
2011-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-03-16 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-18 09:00]
.
2011-03-31 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-01-15 15:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Send To &Bluetooth
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\xkqzqf47.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-03 15:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(924)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(4040)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\windows\ALCXMNTR.EXE
c:\windows\system32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\Windows Desktop Search\WindowsSearch.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2011-04-03  16:47:45 - machine was rebooted
ComboFix-quarantined-files.txt  2011-04-03 15:47
ComboFix2.txt  2011-03-30 22:28
ComboFix3.txt  2011-03-28 00:18
ComboFix4.txt  2011-03-27 10:53
.
Pre-Run: 5,608,624,128 bytes free
Post-Run: 5,750,247,424 bytes free
.
- - End Of File - - 18099EF6C2ACD7EF2054AD3F587789D4

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #33 on: April 03, 2011, 06:36:52 PM »
Quote: No never used remote desktop before, wouldn't know how to...
OK then, let's do one more. This one will close that open remote desktop port. While we're at it, I see no point in keeping the remnant service driver file left over from your previous installation of Ad-aware.

Please open a blank Notepad by clicking start-->run...Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



KILLALL::

File::
c:\windows\system32\DRIVERS\Lbd.sys

Driver::
Lbd

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-
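
As an added example (my own code, not ComboFix's and not the helper's), the two checks the helper made by eye over the log above, run over a few constructed lines copied from it: which ports the XP firewall policy leaves globally open (the 3389:TCP Remote Desktop entry) and which driver/service lines ComboFix printed without a [date size] stamp (Lbd.sys among them), followed by a CFScript laid out in the same sections the helper used. The sample log, the regexes and the function names are all mine.

```python
"""Read a ComboFix log the way the helper did above: list globally open firewall
ports and driver/service entries printed without a [date size] stamp, then lay
out the matching CFScript sections. Added example, not ComboFix's own code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Registry key under which ComboFix lists globally open firewall ports (as in the log).
OPEN_PORTS_KEY = (r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                  r"\standardprofile\GloballyOpenPorts\List]")

# Constructed sample: a handful of lines shaped on the log posted above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
S2 vvlppc2;vvlppc2;
"""

PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')                 # "3389:TCP"= ...
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")  # R0 name;desc;path [stamp]
STAMP_RE = re.compile(r"^(.*?)\s*\[(\d{4}-\d{2}-\d{2}) (\d+)\]$")


@dataclass
class Service:
    start: str         # ComboFix convention: R = running, S = stopped; digit = start type
    name: str
    description: str
    path: str          # may be empty, as for vvlppc2 above
    stamp: Optional[Tuple[str, int]]  # (date, size) when ComboFix printed one


def open_ports(log: str) -> List[Tuple[int, str]]:
    """Return (port, protocol) pairs listed under the GloballyOpenPorts key."""
    ports, in_key = [], False
    for line in log.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_key = s == OPEN_PORTS_KEY
        elif not s or s == ".":
            in_key = False          # ComboFix separates blocks with "." lines
        elif in_key:
            m = PORT_RE.match(s)
            if m:
                ports.append((int(m.group(1)), m.group(2)))
    return ports


def services(log: str) -> List[Service]:
    """Parse every R*/S* driver or service line, keeping the stamp when present."""
    out = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        start, name, desc, rest = m.groups()
        st = STAMP_RE.match(rest)
        if st:
            out.append(Service(start, name, desc, st.group(1),
                               (st.group(2), int(st.group(3)))))
        else:
            out.append(Service(start, name, desc, rest.strip(), None))
    return out


def unstamped(log: str) -> List[str]:
    """Names of entries ComboFix printed without a [date size] stamp; in the log
    above these were DwProt, Lbd (path but no stamp) and vvlppc2 (no path at all).
    They are the lines worth a second look, not automatically malicious."""
    return [s.name for s in services(log) if s.stamp is None]


def build_cfscript(ports: List[Tuple[int, str]],
                   drivers: List[Tuple[str, str]]) -> str:
    """Lay out a CFScript in the shape the helper used above: File:: and Driver::
    sections for each (name, path) driver to drop, and a Registry:: section that
    deletes each open-port value ("=-" is REGEDIT4 syntax for 'remove this value')."""
    sections = ["KILLALL::"]
    if drivers:
        sections.append("File::\n" + "\n".join(path for _, path in drivers))
        sections.append("Driver::\n" + "\n".join(name for name, _ in drivers))
    if ports:
        values = "\n".join(f'"{port}:{proto}"=-' for port, proto in ports)
        sections.append("Registry::\n" + OPEN_PORTS_KEY + "\n" + values)
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    print("open ports:", open_ports(SAMPLE_LOG))
    print("unstamped entries:", unstamped(SAMPLE_LOG))
    print(build_cfscript(open_ports(SAMPLE_LOG),
                         [("Lbd", r"c:\windows\system32\DRIVERS\Lbd.sys")]))
```

Run it against a full ComboFix log by passing the file contents instead of SAMPLE_LOG; the generated script is only a draft for the person reading the log to check, as the helper did here.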

Offline ACE123

  • Bronze Member
  • Posts: 21
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #34 on: April 03, 2011, 09:42:50 PM »
Hi, running ComboFix now, will post when completed. Thanks.

Offline ACE123

  • Bronze Member
  • Posts: 21
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #35 on: April 04, 2011, 08:22:52 AM »
ComboFix 11-03-29.06 - Compaq_Owner 04/04/2011   5:16.5.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.44.1033.18.382.137 [GMT 1:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
FILE ::
"c:\windows\system32\DRIVERS\Lbd.sys"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_LBD
-------\Service_Lbd
.
.
(((((((((((((((((((((((((   Files Created from 2011-03-04 to 2011-04-04  )))))))))))))))))))))))))))))))
.
.
2011-03-30 16:54 . 2011-03-15 04:05   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{C6C3482B-DB51-46CF-ABC1-1C4A517CD51A}\mpengine.dll
2011-03-28 17:31 . 2011-03-28 17:31   --------   d-----w-   C:\ARK
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-03-26 23:25 . 2011-03-26 23:25   --------   d-----w-   c:\program files\ESET
2011-03-26 10:18 . 2011-03-26 10:18   --------   d-----w-   c:\documents and settings\Compaq_Owner\DoctorWeb
2011-03-12 12:28 . 2011-03-12 12:28   103864   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-03-10 16:32 . 2011-03-10 16:32   --------   d-----w-   c:\program files\iPod
2011-03-07 08:20 . 2011-03-07 08:20   --------   d-----w-   c:\program files\Bonjour
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 04:05 . 2011-03-02 16:30   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-02 15:13 . 2011-03-02 15:13   388096   ----a-r-   c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-09 13:53 . 2004-08-04 12:00   270848   ----a-w-   c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00   186880   ----a-w-   c:\windows\system32\encdec.dll
2011-02-02 21:40 . 2010-04-18 10:37   472808   -c--a-w-   c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2010-04-18 10:37   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-02-02 17:11 . 2009-10-03 00:40   222080   -c----w-   c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2004-08-04 12:00   2067456   ----a-w-   c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 12:00   677888   ----a-w-   c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00   439296   ----a-w-   c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 12:00   290048   ----a-w-   c:\windows\system32\atmfd.dll
2011-03-18 17:53 . 2011-03-29 17:54   142296   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-06 339968]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2010-10-19 340520]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-8-30 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0smrgdf c:\documents and settings\Compaq_Owner\Application Data\iolo\
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [14/10/2009 21:18 36880]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R2 vvlppc2;vvlppc2;c:\windows\system32\drivers\vvlppc2.sys [17/11/2005 18:48 30080]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14/09/2009 15:42 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/10/2009 19:39 19472]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [10/05/2010 22:20 27632]
S0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys --> c:\windows\system32\drivers\dwprot.sys [?]
S3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys --> c:\windows\system32\drivers\Btcomm.sys [?]
S3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\DRIVERS\btkrnbdg.sys --> c:\windows\system32\DRIVERS\btkrnbdg.sys [?]
S3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\Drivers\csrbc01.sys --> c:\windows\system32\Drivers\csrbc01.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [12/10/2009 15:44 13224]
S3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\drivers\k600bus.sys [04/03/2005 19:08 52384]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\drivers\k600mdfl.sys [04/03/2005 19:11 6096]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\drivers\k600mdm.sys [04/03/2005 19:11 87456]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\drivers\k600mgmt.sys [04/03/2005 19:13 79248]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\k600obex.sys [04/03/2005 19:15 77072]
S3 PAC207;CamMaestro 3.01 DU PC Camera;c:\windows\system32\DRIVERS\pfc027.sys --> c:\windows\system32\DRIVERS\pfc027.sys [?]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [28/07/2010 20:58 90408]
S3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys --> c:\windows\system32\drivers\vadmulti.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-01 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2008-01-08 12:31]
.
2011-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-03-16 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-18 09:00]
.
2011-03-31 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-01-15 15:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Send To &Bluetooth
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\xkqzqf47.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-04 14:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(900)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3268)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\AGRSMMSG.exe
c:\windows\ALCXMNTR.EXE
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2011-04-04  15:10:53 - machine was rebooted
ComboFix-quarantined-files.txt  2011-04-04 14:10
ComboFix2.txt  2011-04-03 15:47
ComboFix3.txt  2011-03-30 22:28
ComboFix4.txt  2011-03-28 00:18
ComboFix5.txt  2011-04-04 03:51
.
Pre-Run: 5,708,455,936 bytes free
Post-Run: 5,709,123,584 bytes free
.
- - End Of File - - 2A9AF8398065F9138D9F89688DC85C09

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #36 on: April 04, 2011, 01:02:24 PM »
How's it running now?
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-13

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline ACE123

  • Bronze Member
  • Posts: 21
Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #37 on: April 07, 2011, 09:49:45 AM »
Hi, ran Malwarebytes (took hours), no errors. Have used internet/email/MS Word, had no problems, all running smoothly.
May I say a really big thanks for taking me through step by step and making my PC safe and working again.  :p
I will be making a donation as your help has been great.


THANKS  :ty

Offline 1972vet

Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #38 on: April 07, 2011, 09:56:50 AM »
Excellent! You can delete these now:
DDS.scr
DDS.txt
Attach.txt
GMER and associated log(s)


Next, please click start-->run...then copy and paste the Bold text below into the run box and click "OK":

ComboFix /Uninstall

Performing this function will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again for you automatically.

To assist in the prevention of malicious software intrusion and infections:

Please remember to keep antivirus software on board and always use its real-time protection feature. Run a complete system scan at least once a week...preferably in Safe mode.

If your antivirus program is a licensed version that is about to expire, you can consider using one of these available free on the public domain:

Microsoft Security Essentials
AntiVir Personal Edition Classic
Avast! 4 Home Edition

Those of us in the online safety/security community have tried and tested these programs to determine their abilities. Bearing in mind that nothing is ever a guarantee regarding computer security, these programs, combined with the rest of these recommendations, are nevertheless certain to have an impact in helping to keep your system running free and clear. I personally have been satisfied having tested and used each one of those at one time or another.


Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

You should always have at least one (but not more than one) of these types of third party firewalls running on board:
Sunbelt Personal Firewall

Zone Alarm (Beware: this download includes the Ask Toolbar. The ZoneAlarm Spy Blocker toolbar is powered by "Ask.com". The "Ask" search engine will cause "targeted" ads to be presented to you based upon the content of the web pages you visit, any personally identifiable information you have provided to "Ask.com", or keywords appearing in your search queries. Many security experts consider this type of behavior offensive.) Windows 2k/XP/Vista
Outpost Free

Comodo...I highly recommend this firewall, but it may just be best suited for advanced users.

Stay updated with the most recent Windows patches using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.


Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

 If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup, or else just download the Slim version (no toolbar...last download link at the bottom of that page)...

Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:

Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files.

So how did I get infected in the first place?
Regards, and Happy Surfing!


Offline 1972vet

Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
« Reply #39 on: April 07, 2011, 09:58:25 AM »
This thread is now closed as the issue appears to be resolved.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.