SpywareHammer.com

SpywareHammer Malware Removal Forums => Completed Malware and Rootkit Removal Topics => Topic started by: ACE123 on March 28, 2011, 07:58:56 AM

Title: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on March 28, 2011, 07:58:56 AM
Windows XP sp3, Kaspersky Internet Security 2011.

Noticed that my aol mail account had been hijacked - it had sent 3 e-mails (to various contacts) from my address book - I have deleted address book and changed password - Looks ok now.

Kaspersky and Malwarebytes didn't show error.
Ran ESET online scanner which showed me the error, have read various articles on forums but would really appreciate HELP!!!! of any kind THANKS..

C:\WINDOWS\system32\termsrv.dll Win32/Spy.Ursnif.A virus

I have attached HJT log
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on March 28, 2011, 08:43:46 AM
Sorry I added HJT as an attachment, I currently have my PC in SAFE mode - here is the HJT logfile

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 07:43:42, on 28/03/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\DOCUME~1\ALLUSE~1\AVP9\kloehk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - (no file)
O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7697 bytes
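The log above is in HijackThis 2.0.4 format: each line is a type code (R0, O2, O4, O23 and so on), then " - ", then a type-specific layout that usually ends in the file the entry points at. As an added example (not part of this thread, and not code from the HijackThis project), here is a small Python parser for that layout which also tags the lines a reviewer tends to read first: entries marked "(no file)" or "(file missing)", O4 Run values that give a bare file name which Windows resolves by search path, AppInit_DLLs entries (loaded into every process that loads user32.dll), and services with no reported owner. The tags are prompts for review, not verdicts; for instance the AppInit_DLLs entry in this log points to a DLL under an AVP9 folder, and AVP is the Kaspersky service name in the same log. The sample lines are copied from the shape of the posted log; the flag names and the `HjtEntry` fields are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: ten lines in HijackThis 2.0.4 log format, following the
# shape of the log posted in this thread (the paths are the poster's own).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O20 - AppInit_DLLs: C:\DOCUME~1\ALLUSE~1\AVP9\kloehk.dll
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - (no file)
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

LINE_RE = re.compile(r"^([RO]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("(no file)", "(file missing)")   # HJT's "target not on disk" markers


@dataclass
class HjtEntry:
    kind: str                        # R0, R3, O2, O4, O20, O23, ...
    raw: str
    name: Optional[str] = None       # BHO/toolbar/service/Run value name
    clsid: Optional[str] = None      # COM CLSID if the line carries one
    owner: Optional[str] = None      # O23 only: vendor string HJT reports
    path: Optional[str] = None       # target file, with orphan markers stripped
    flags: List[str] = field(default_factory=list)   # review prompts (hypothetical names)


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis line; returns None for headers, blanks and process lists."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group(1), m.group(2)
    entry = HjtEntry(kind=kind, raw=line.strip())
    clsid = CLSID_RE.search(body)
    if clsid:
        entry.clsid = clsid.group(0).upper()

    if kind == "O4":
        # "O4 - <hive>\..\Run: [ValueName] <command line>"
        m4 = re.match(r"^(.*?): \[(.*?)\] (.*)$", body)
        if m4:
            entry.name, entry.path = m4.group(2), m4.group(3)
        else:  # startup-folder form: "Global Startup: X.lnk = <path>"
            entry.path = body.split(" = ", 1)[-1]
    elif kind == "O20":
        # "O20 - AppInit_DLLs: <dll>"  or  "O20 - Winlogon Notify: Name - <dll>"
        label, _, rest = body.partition(": ")
        entry.name = label
        entry.path = rest.split(" - ")[-1]
    else:
        # generic "Type: Name - {CLSID} - <path>" layout (R3, O2, O3, O9, O23);
        # O23 is "Service: Name - Owner - <path>", and Name itself may contain " - "
        parts = body.split(" - ")
        entry.path = parts[-1]
        if kind == "O23" and len(parts) >= 3:
            entry.owner = parts[-2]
            entry.name = " - ".join(parts[:-2]).partition(": ")[2]
        elif len(parts) >= 2:
            entry.name = parts[0].partition(": ")[2] or parts[0]

    for marker in ORPHAN_MARKERS:           # strip the marker but remember it
        if entry.path and marker in entry.path:
            entry.flags.append("orphan")
            entry.path = entry.path.replace(marker, "").strip()
            break
    if kind == "O4" and entry.path:
        # bare executable name (no directory): resolved via the search path at logon
        exe = entry.path.split('"')[1] if entry.path.startswith('"') else entry.path.split()[0]
        if "\\" not in exe:
            entry.flags.append("no-path")
    if kind == "O20" and entry.name == "AppInit_DLLs":
        entry.flags.append("appinit-dll")
    if kind == "O23" and entry.owner == "Unknown owner":
        entry.flags.append("unknown-owner")
    return entry


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(text: str) -> Dict[str, List[str]]:
    """Group the raw lines by flag so the short list can be read before the full log."""
    buckets: Dict[str, List[str]] = {}
    for entry in parse_log(text):
        for flag in entry.flags:
            buckets.setdefault(flag, []).append(entry.raw)
    return buckets


if __name__ == "__main__":
    for flag, lines in sorted(triage(SAMPLE_LOG).items()):
        print(f"[{flag}] {len(lines)} line(s)")
        for raw in lines:
            print("   ", raw)
```

Run as a script it prints the four buckets for the sample; on a real log, feed the whole file to `triage` and read the "orphan" and "no-path" buckets against what is actually installed before deciding anything about a line.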
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: 1972vet on March 28, 2011, 09:22:14 AM
Greetings ACE123 and Welcome to our Forums,

With the symptoms you describe, the hijackthis utility, although a good starting point, is not going to show us the darker corners of the system where something like this could be hiding. We need to take a deeper look at things:

Please disable the active protection component of your antivirus and antispyware programs by following the directions that apply Here (http://www.bleepingcomputer.com/forums/topic114351.html). Next, please download the free utility DDS from any of these locations...Here (http://download.bleepingcomputer.com/sUBs/dds.scr), Here (http://download.bleepingcomputer.com/sUBs/dds.com)...or Here (http://www.infospyware.net/sUBs/dds).
Note - Some infections may prevent certain executable files from running on your computer. If one of these download locations results in a failed run of the utility, please try the next location until you find one that will work on your machine.
Double click dds.scr to run the tool.

Next, download this Antirootkit Program (http://www.gmer.net/files.php) to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Next, please perform a rootkit scan:
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on March 28, 2011, 12:42:44 PM
Hi thanks for the welcome and quick reply, I am still in SAFE mode
Log files as requested -
will post Antirootkit logs when they have completed.

.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Compaq_Owner at 18:26:48.00 on 28/03/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition  5.1.2600.3.1252.44.1033.18.382.97 [GMT 1:00]
.
AV: Kaspersky Internet Security *Disabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\AGH29225\dds[1].scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: Send To &Bluetooth
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: Microsoft XML Parser for Java
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\docume~1\alluse~1\avp9\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\windows defender\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-5-10 27632]
S0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys --> c:\windows\system32\drivers\dwprot.sys [?]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-3-24 28552]
S1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
S1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-10-19 315408]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S2 vvlppc2;vvlppc2;c:\windows\system32\drivers\vvlppc2.sys [2005-11-17 30080]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-10-20 340520]
S3 BTCOMM;BTCOMM;c:\windows\system32\drivers\btcomm.sys --> c:\windows\system32\drivers\Btcomm.sys [?]
S3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\drivers\btkrnbdg.sys --> c:\windows\system32\drivers\btkrnbdg.sys [?]
S3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\drivers\csrbc01.sys --> c:\windows\system32\drivers\csrbc01.sys [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 6\DfSdkS.exe [2010-5-26 406016]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe --> c:\program files\magix\common\database\bin\fbserver.exe [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-10-12 13224]
S3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\drivers\k600bus.sys [2005-3-4 52384]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\drivers\k600mdfl.sys [2005-3-4 6096]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\drivers\k600mdm.sys [2005-3-4 87456]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\drivers\k600mgmt.sys [2005-3-4 79248]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\k600obex.sys [2005-3-4 77072]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S3 PAC207;CamMaestro 3.01 DU PC Camera;c:\windows\system32\drivers\pfc027.sys --> c:\windows\system32\drivers\pfc027.sys [?]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [2010-7-28 90408]
S3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys --> c:\windows\system32\drivers\vadmulti.sys [?]
.
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-03-27 14:56:47   --------   d-----w-   c:\docume~1\compaq~1\applic~1\SUPERAntiSpyware.com
2011-03-27 14:56:47   --------   d-----w-   c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-03-27 14:56:20   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-03-27 10:59:57   6792528   ----a-w-   c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{28af1e09-cabd-44d5-bec8-04c40f993faa}\mpengine.dll
2011-03-27 09:47:13   98816   ----a-w-   c:\windows\sed.exe
2011-03-27 09:47:13   89088   ----a-w-   c:\windows\MBR.exe
2011-03-27 09:47:13   256512   ----a-w-   c:\windows\PEV.exe
2011-03-27 09:47:13   161792   ----a-w-   c:\windows\SWREG.exe
2011-03-26 23:25:28   --------   d-----w-   c:\program files\ESET
2011-03-26 10:18:22   --------   d-----w-   c:\documents and settings\compaq_owner\DoctorWeb
2011-03-24 15:41:36   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
2011-03-12 12:28:40   103864   ----a-w-   c:\program files\internet explorer\plugins\nppdf32.dll
2011-03-10 16:32:05   --------   d-----w-   c:\program files\iPod
2011-03-07 08:20:50   --------   d-----w-   c:\program files\Bonjour
2011-03-03 01:02:14   --------   d-----w-   C:\$AVG
2011-03-02 22:00:31   --------   d-----w-   c:\docume~1\compaq~1\applic~1\AVG10
2011-03-02 21:48:08   --------   d--h--w-   c:\docume~1\alluse~1\applic~1\Common Files
2011-03-02 20:45:50   --------   d-----w-   c:\docume~1\alluse~1\applic~1\AVG10
2011-03-02 20:04:23   --------   d-----w-   c:\docume~1\alluse~1\applic~1\MFAData
2011-03-02 16:30:19   5943120   ----a-w-   c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-03-02 15:13:26   388096   ----a-r-   c:\docume~1\compaq~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
.
==================== Find3M  ====================
.
2011-02-09 13:53:52   270848   ----a-w-   c:\windows\system32\sbe.dll
2011-02-09 13:53:52   186880   ----a-w-   c:\windows\system32\encdec.dll
2011-02-02 21:40:23   472808   -c--a-w-   c:\windows\system32\deployJava1.dll
2011-02-02 19:19:39   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-02-02 17:11:20   222080   -c----w-   c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35   2067456   ----a-w-   c:\windows\system32\mstscax.dll
2011-01-27 11:57:06   677888   ----a-w-   c:\windows\system32\mstsc.exe
2011-01-21 14:44:37   439296   ----a-w-   c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02   290048   ----a-w-   c:\windows\system32\atmfd.dll
2010-12-31 13:10:33   1854976   ----a-w-   c:\windows\system32\win32k.sys
.
============= FINISH: 18:27:04.89 ===============
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: 1972vet on March 28, 2011, 02:39:13 PM
...and the gmer log?
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on March 29, 2011, 01:44:37 AM
Hi, GMER scan has completed, have selected txt to copy but NOTEPAD won't open, when I have gone to check via start menu, all programs, select accessories (empty) and another 10 programs are empty. My Kaspersky internet security has "Black list is corrupted". Unable to access internet - like notepad nothing comes up.

what should I do?

thanks
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on March 29, 2011, 01:55:45 AM

I am currently using my daughter's pc to access the internet, tried going into MY COMPUTER [right click] manage - message comes up "Insufficient system resources exist to complete the requested service"

Should I do a full reboot? Thanks
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: 1972vet on March 29, 2011, 06:37:45 AM
Please download This File (http://download.bleepingcomputer.com/grinler/unhide.exe)...double-click the executable to run it...this will unhide your files even those you may have hidden purposely. You should then be able to find those programs that appeared to be empty...then, look for and post back the gmer log. If you still can't get notepad to open, just right-click in the gmer file and select "Select all-->.copy", then paste the content in your reply. Thanks!
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on March 29, 2011, 07:47:18 AM
I am using my daughter's pc, I have downloaded unhide onto a memory stick but cannot do anything on my pc - SORRY to be a pain, should I reboot and re-run GMER in normal mode?
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: 1972vet on March 29, 2011, 08:45:40 AM
Are you saying that unhide would not run on your PC? If so, please tell me exactly what happens when you try to run it so I can inform the author of that tool. So far, you are the only one that has had issues with the tool. I'm sure the developer would be interested. Thanks!
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on March 29, 2011, 09:48:01 AM
No, I am unable to install or do anything on pc, when I try to select a program if it isn't empty, the message I get is "Insufficient system resources exist to complete the requested service"

unable to use memory stick,

I am still in SAFE mode, should I reboot normally?

Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: 1972vet on March 29, 2011, 09:56:10 AM
Yes...reboot. Post back and let us know if you are able to boot up to a stable desktop. Thanks!
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on March 29, 2011, 11:52:01 AM
Yes, I have rebooted ok, Unable to connect to internet via IE8 - Internet Explorer cannot display page, - It appears you are connected to the internet but you might want to try to reconnect to the internet. Tried various web addresses, still the same.
Do you want me to run GMER again and the post log?
 
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: 1972vet on March 29, 2011, 12:19:05 PM
Quote
Yes, I have rebooted ok, Unable to connect to internet via IE8 - Internet Explorer cannot display page, - It appears you are connected to the internet but you might want to try to reconnect to the internet. Tried various web addresses, still the same.
Do you want me to run GMER again and the post log?

If you are able to run gmer, you have me wondering why you are unable to run unhide.exe. Further, how you will be able to post the gmer log if notepad won't open.

Do you have your installation disk handy?
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on March 29, 2011, 12:38:30 PM
Hi, SORRY if I have confused you a little.

When I said that I couldn't run unhide.exe this was because I couldn't Install/Run or do anything on my pc, Now after rebooting I can use notepad etc. The only thing I can't do is use Internet Explorer 8 to connect to internet.

I have downloaded firefox v4 from my daughter's pc and installed onto my pc which has allowed me to connect to the internet, will run GMER and post log.
Hope that makes a bit more sense.
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: 1972vet on March 29, 2011, 01:27:07 PM
Quote
Hi, SORRY if I have confused you a little.

When I said that I couldn't run unhide.exe this was because I couldn't Install/Run or do anything on my pc, Now after rebooting I can use notepad etc...
OK, then I'd also like you to run unhide. Let me know those results too. Thanks!
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on March 30, 2011, 02:20:24 AM
I have attached the GMER ASK.log.
The message that came up upon completion of scan was:-
GMER has found system modification caused in ROOTKIT activity.
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: 1972vet on March 30, 2011, 04:52:56 AM
We'll get to it but you must follow my lead...please go back and re-read my last post. Take your time and read carefully. If I ask something, please answer...if I ask FOR something, please provide it or an answer as to why you cannot. Thanks for your cooperation!
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on March 30, 2011, 10:38:32 AM
Hi, I have downloaded and run UNHIDE.EXE - completed ok with message - your files should now be visible.
I don't have any installation disks as my PC was pre-installed from shop.

Do I need to run a fresh GMER?
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: 1972vet on March 30, 2011, 11:58:12 AM
Quote
The message that came up upon completion of scan was:-
GMER has found system modification caused in ROOTKIT activity.

...Do I need to run a fresh GMER?
Not needed...I don't see indication of that in the log you posted.

Please download combofix from This Webpage (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista or Windows 7, you can skip the recovery console step...in Vista/7 it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista or Windows 7 installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware.  It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouseclick combofix's window while it's running....that may cause the scan to stall

Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on March 30, 2011, 04:49:35 PM
I have run Combofix as requested

ComboFix 11-03-29.06 - Compaq_Owner 30/03/2011  21:11:43.3.1 - x86
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
(((((((((((((((((((((((((   Files Created from 2011-02-28 to 2011-03-30  )))))))))))))))))))))))))))))))
.
.
2011-03-30 16:54 . 2011-03-15 04:05   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{C6C3482B-DB51-46CF-ABC1-1C4A517CD51A}\mpengine.dll
2011-03-28 17:31 . 2011-03-28 17:31   --------   d-----w-   C:\ARK
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-03-26 23:25 . 2011-03-26 23:25   --------   d-----w-   c:\program files\ESET
2011-03-26 10:18 . 2011-03-26 10:18   --------   d-----w-   c:\documents and settings\Compaq_Owner\DoctorWeb
2011-03-24 15:41 . 2009-06-30 10:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
2011-03-12 12:28 . 2011-03-12 12:28   103864   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-03-10 16:32 . 2011-03-10 16:32   --------   d-----w-   c:\program files\iPod
2011-03-07 08:20 . 2011-03-07 08:20   --------   d-----w-   c:\program files\Bonjour
2011-03-03 01:02 . 2011-03-03 01:02   --------   d-----w-   C:\$AVG
2011-03-02 22:00 . 2011-03-02 22:00   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\AVG10
2011-03-02 21:48 . 2011-03-02 21:48   --------   d-----w-   c:\documents and settings\All Users\Application Data\Common Files
2011-03-02 20:45 . 2011-03-03 16:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG10
2011-03-02 20:04 . 2011-03-02 20:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData
2011-03-02 16:30 . 2011-03-15 04:05   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-02 16:27 . 2011-03-02 16:27   --------   d-----w-   c:\program files\Windows Defender
2011-03-02 15:13 . 2011-03-02 15:13   388096   ----a-r-   c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 12:00   270848   ----a-w-   c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00   186880   ----a-w-   c:\windows\system32\encdec.dll
2011-02-02 21:40 . 2010-04-18 10:37   472808   -c--a-w-   c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2010-04-18 10:37   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-02-02 17:11 . 2009-10-03 00:40   222080   -c----w-   c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2004-08-04 12:00   2067456   ----a-w-   c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 12:00   677888   ----a-w-   c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00   439296   ----a-w-   c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 12:00   290048   ----a-w-   c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 12:00   1854976   ----a-w-   c:\windows\system32\win32k.sys
2011-03-18 17:53 . 2011-03-29 17:54   142296   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-06 339968]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2010-10-19 340520]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0smrgdf c:\documents and settings\Compaq_Owner\Application Data\iolo\
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys
R3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\DRIVERS\btkrnbdg.sys
R3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\Drivers\csrbc01.sys
R3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe [2009-08-24 406016]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2009-10-12 13224]
R3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\DRIVERS\k600bus.sys [2005-03-04 52384]
R3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\DRIVERS\k600mdfl.sys [2005-03-04 6096]
R3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\DRIVERS\k600mdm.sys [2005-03-04 87456]
R3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\DRIVERS\k600mgmt.sys [2005-03-04 79248]
R3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\k600obex.sys [2005-03-04 77072]
R3 PAC207;CamMaestro 3.01 DU PC Camera;c:\windows\system32\DRIVERS\pfc027.sys
R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [2008-06-04 90408]
R3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 vvlppc2;vvlppc2;
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2009-09-14 32272]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-02 19472]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2010-05-10 27632]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - pgldrpow
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-18 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2008-01-08 12:31]
.
2011-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-03-16 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-18 09:00]
.
2011-03-24 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-01-15 15:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Send To &Bluetooth
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\xkqzqf47.default\
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-30 22:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(928)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1896)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-03-30  23:27:34
ComboFix-quarantined-files.txt  2011-03-30 22:26
ComboFix2.txt  2011-03-28 00:18
ComboFix3.txt  2011-03-27 10:53
.
Pre-Run: 5,615,308,800 bytes free
Post-Run: 5,632,970,752 bytes free
.
- - End Of File - - CEA23687A63C9540E008168D0886EB6E
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: 1972vet on March 30, 2011, 08:15:39 PM
The log is showing that combofix has been run three times on that system. May I see logs numbers one and two please?
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on March 31, 2011, 11:10:25 AM
Hi, I have checked for the log files and can't find them. I have spoken to my friend, who knows a bit more about PCs than me and had a quick look at my PC. He told me he had run ComboFix, then deleted the logs and the ComboFix program to the recycle bin - not there, I have checked. Sorry.
He said he had run a couple of checks after reading about them on your site - I apologize, I did not know everything he had done.

After ComboFix had completed last night, I enabled my Kaspersky and the system rebooted; when I logged in I got the message "Windows has recovered from a serious error".
According to the message it was to do with my antivirus program. Do you want me to post them?
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: 1972vet on March 31, 2011, 01:06:00 PM
Please tell me when your friend ran the combofix utility and why.
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on March 31, 2011, 01:57:24 PM
I think it was Sunday. He has told me he thought he might have been able to fix my PC. He told me he had read about this on forums by searching via Google and thought that by running the program it would fix the virus, which I know is not right, because now I realise all PCs are different and need a professional to check them out, as it says in the tutorial on ComboFix.
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: 1972vet on March 31, 2011, 02:00:28 PM
Please open the Qoobox folder and tell me how many text files you see there named combofix.txt... there may be variations of that, such as combofix2.txt, combofix3.txt etc.
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on March 31, 2011, 09:36:56 PM
Hi, there are 3 ComboFix files - ComboFix-quarantined-files.txt, ComboFix2.txt, ComboFix3.txt.
Do you want me to attach all 3 files?
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: 1972vet on April 01, 2011, 08:42:29 AM
Please let me see combofix2.txt, combofix3.txt and... at the root of the drive, you should see just one text file named combofix.txt... please post all three of those. Thanks!
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on April 01, 2011, 03:35:43 PM
Files posted as requested.

ComboFix2.txt as requested:

ComboFix 11-03-27.01 - Compaq_Owner 28/03/2011   1:02.2.1 - x86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.3.1252.44.1033.18.382.219 [GMT 1:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
(((((((((((((((((((((((((   Files Created from 2011-02-28 to 2011-03-28  )))))))))))))))))))))))))))))))
.
.
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-03-27 14:01 . 2011-03-27 14:02   --------   d-----w-   c:\program files\SpywareBlaster
2011-03-27 10:59 . 2011-03-15 04:05   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{28AF1E09-CABD-44D5-BEC8-04C40F993FAA}\mpengine.dll
2011-03-26 23:25 . 2011-03-26 23:25   --------   d-----w-   c:\program files\ESET
2011-03-26 10:18 . 2011-03-26 10:18   --------   d-----w-   c:\documents and settings\Compaq_Owner\DoctorWeb
2011-03-24 15:41 . 2009-06-30 10:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
2011-03-12 12:28 . 2011-03-12 12:28   103864   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-03-10 16:32 . 2011-03-10 16:32   --------   d-----w-   c:\program files\iPod
2011-03-07 08:20 . 2011-03-07 08:20   --------   d-----w-   c:\program files\Bonjour
2011-03-03 01:02 . 2011-03-03 01:02   --------   d-----w-   C:\$AVG
2011-03-02 22:00 . 2011-03-02 22:00   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\AVG10
2011-03-02 21:48 . 2011-03-02 21:48   --------   d--h--w-   c:\documents and settings\All Users\Application Data\Common Files
2011-03-02 20:45 . 2011-03-03 16:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG10
2011-03-02 20:04 . 2011-03-02 20:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData
2011-03-02 16:30 . 2011-02-23 09:35   5943120   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-02 16:27 . 2011-03-02 16:27   --------   d-----w-   c:\program files\Windows Defender
2011-03-02 15:13 . 2011-03-02 15:13   388096   ----a-r-   c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 12:00   270848   ----a-w-   c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00   186880   ----a-w-   c:\windows\system32\encdec.dll
2011-02-02 21:40 . 2010-04-18 10:37   472808   -c--a-w-   c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2010-04-18 10:37   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-02-02 17:11 . 2009-10-03 00:40   222080   -c----w-   c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2004-08-04 12:00   2067456   ----a-w-   c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 12:00   677888   ----a-w-   c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00   439296   ----a-w-   c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 12:00   290048   ----a-w-   c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 12:00   1854976   ----a-w-   c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
.
[7] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-04-14 . 3B58675ED2C6A68C38624681C2548862 . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll
[7] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\termsrv.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-06 339968]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-8-30 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\docume~1\ALLUSE~1\AVP9\kloehk.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0smrgdf c:\documents and settings\Compaq_Owner\Application Data\iolo\
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [14/10/2009 21:18 36880]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 20:19 13592]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14/09/2009 15:42 32272]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [10/05/2010 22:20 27632]
S0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys --> c:\windows\system32\drivers\dwprot.sys [?]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [24/03/2011 16:41 28552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
S2 vvlppc2;vvlppc2;c:\windows\system32\drivers\vvlppc2.sys [17/11/2005 18:48 30080]
S3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys --> c:\windows\system32\drivers\Btcomm.sys [?]
S3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\DRIVERS\btkrnbdg.sys --> c:\windows\system32\DRIVERS\btkrnbdg.sys [?]
S3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\Drivers\csrbc01.sys --> c:\windows\system32\Drivers\csrbc01.sys [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [26/05/2010 15:33 406016]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe --> c:\program files\MAGIX\Common\Database\bin\fbserver.exe [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [12/10/2009 15:44 13224]
S3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\drivers\k600bus.sys [04/03/2005 19:08 52384]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\drivers\k600mdfl.sys [04/03/2005 19:11 6096]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\drivers\k600mdm.sys [04/03/2005 19:11 87456]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\drivers\k600mgmt.sys [04/03/2005 19:13 79248]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\k600obex.sys [04/03/2005 19:15 77072]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/10/2009 19:39 19472]
S3 PAC207;CamMaestro 3.01 DU PC Camera;c:\windows\system32\DRIVERS\pfc027.sys --> c:\windows\system32\DRIVERS\pfc027.sys [?]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [28/07/2010 20:58 90408]
S3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys --> c:\windows\system32\drivers\vadmulti.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-18 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2008-01-08 12:31]
.
2011-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-03-16 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-18 09:00]
.
2011-03-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
2011-03-24 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-01-15 15:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Send To &Bluetooth
DPF: Microsoft XML Parser for Java
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-28 01:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1032)
c:\windows\system32\WININET.dll
.
Completion time: 2011-03-28  01:18:48
ComboFix-quarantined-files.txt  2011-03-28 00:18
ComboFix2.txt  2011-03-27 10:53
.
Pre-Run: 1,025,875,968 bytes free
Post-Run: 989,618,176 bytes free
.
- - End Of File - - 8884E342069C8D4736F6EB37846888A2

ComboFix3.txt as requested:

ComboFix 11-03-26.01 - Compaq_Owner 27/03/2011  10:52:52.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.3.1252.44.1033.18.382.248 [GMT 1:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Compaq_Owner\new.txt
c:\program files\Common Files\Temp
c:\program files\Common Files\Temp\wbrp.exe
c:\program files\Common Files\Temp\wbrpdw.exe
c:\windows\dbxesellerate.exe
c:\windows\system32\tmp.reg
D:\Autorun.inf
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ASC3550U
.
.
(((((((((((((((((((((((((   Files Created from 2011-02-27 to 2011-03-27  )))))))))))))))))))))))))))))))
.
.
2011-03-26 23:25 . 2011-03-26 23:25   --------   d-----w-   c:\program files\ESET
2011-03-26 10:18 . 2011-03-26 10:18   --------   d-----w-   c:\documents and settings\Compaq_Owner\DoctorWeb
2011-03-24 15:41 . 2009-06-30 10:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
2011-03-22 19:14 . 2011-02-23 09:35   5943120   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{599214AE-F79A-442A-83EC-EC5F1613B11E}\mpengine.dll
2011-03-12 12:28 . 2011-03-12 12:28   103864   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-03-10 16:32 . 2011-03-10 16:32   --------   d-----w-   c:\program files\iPod
2011-03-07 08:20 . 2011-03-07 08:20   --------   d-----w-   c:\program files\Bonjour
2011-03-03 01:02 . 2011-03-03 01:02   --------   d-----w-   C:\$AVG
2011-03-02 22:00 . 2011-03-02 22:00   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\AVG10
2011-03-02 21:48 . 2011-03-02 21:48   --------   d--h--w-   c:\documents and settings\All Users\Application Data\Common Files
2011-03-02 20:45 . 2011-03-03 16:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG10
2011-03-02 20:04 . 2011-03-02 20:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData
2011-03-02 16:30 . 2011-02-23 09:35   5943120   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-02 16:27 . 2011-03-02 16:27   --------   d-----w-   c:\program files\Windows Defender
2011-03-02 15:13 . 2011-03-02 15:13   388096   ----a-r-   c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 12:00   270848   ----a-w-   c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00   186880   ----a-w-   c:\windows\system32\encdec.dll
2011-02-02 21:40 . 2010-04-18 10:37   472808   -c--a-w-   c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2010-04-18 10:37   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-02-02 17:11 . 2009-10-03 00:40   222080   -c----w-   c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2004-08-04 12:00   2067456   ----a-w-   c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 12:00   677888   ----a-w-   c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00   439296   ----a-w-   c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 12:00   290048   ----a-w-   c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 12:00   1854976   ----a-w-   c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-06 339968]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2010-10-19 340520]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0smrgdf c:\documents and settings\Compaq_Owner\Application Data\iolo\
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys
R3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys
R3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\DRIVERS\btkrnbdg.sys
R3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\Drivers\csrbc01.sys
R3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe [2009-08-24 406016]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2009-10-12 13224]
R3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\DRIVERS\k600bus.sys [2005-03-04 52384]
R3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\DRIVERS\k600mdfl.sys [2005-03-04 6096]
R3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\DRIVERS\k600mdm.sys [2005-03-04 87456]
R3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\DRIVERS\k600mgmt.sys [2005-03-04 79248]
R3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\k600obex.sys [2005-03-04 77072]
R3 PAC207;CamMaestro 3.01 DU PC Camera;c:\windows\system32\DRIVERS\pfc027.sys
R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [2008-06-04 90408]
R3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S2 vvlppc2;vvlppc2;
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2009-09-14 32272]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-02 19472]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2010-05-10 27632]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-18 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2008-01-08 12:31]
.
2011-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-03-16 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-18 09:00]
.
2011-03-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
2011-03-24 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-01-15 15:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Send To &Bluetooth
DPF: Microsoft XML Parser for Java
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Wdf01000.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-27 11:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(4092)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\AGRSMMSG.exe
c:\windows\ALCXMNTR.EXE
c:\windows\system32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\Windows Desktop Search\WindowsSearch.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\HP\HP Software Update\HPWUCli.exe
.
**************************************************************************
.
Completion time: 2011-03-27  11:53:22 - machine was rebooted
ComboFix-quarantined-files.txt  2011-03-27 10:52
.
Pre-Run: 1,220,530,176 bytes free
Post-Run: 867,250,176 bytes free
.
- - End Of File - - 43EE95ED1C693F9DC2824D03373FD2E2

Combofix.txt as requested



ComboFix 11-03-29.06 - Compaq_Owner 30/03/2011  21:11:43.3.1 - x86
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
(((((((((((((((((((((((((   Files Created from 2011-02-28 to 2011-03-30  )))))))))))))))))))))))))))))))
.
.
2011-03-30 16:54 . 2011-03-15 04:05   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{C6C3482B-DB51-46CF-ABC1-1C4A517CD51A}\mpengine.dll
2011-03-28 17:31 . 2011-03-28 17:31   --------   d-----w-   C:\ARK
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-03-26 23:25 . 2011-03-26 23:25   --------   d-----w-   c:\program files\ESET
2011-03-26 10:18 . 2011-03-26 10:18   --------   d-----w-   c:\documents and settings\Compaq_Owner\DoctorWeb
2011-03-24 15:41 . 2009-06-30 10:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
2011-03-12 12:28 . 2011-03-12 12:28   103864   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-03-10 16:32 . 2011-03-10 16:32   --------   d-----w-   c:\program files\iPod
2011-03-07 08:20 . 2011-03-07 08:20   --------   d-----w-   c:\program files\Bonjour
2011-03-03 01:02 . 2011-03-03 01:02   --------   d-----w-   C:\$AVG
2011-03-02 22:00 . 2011-03-02 22:00   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\AVG10
2011-03-02 21:48 . 2011-03-02 21:48   --------   d-----w-   c:\documents and settings\All Users\Application Data\Common Files
2011-03-02 20:45 . 2011-03-03 16:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG10
2011-03-02 20:04 . 2011-03-02 20:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData
2011-03-02 16:30 . 2011-03-15 04:05   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-02 16:27 . 2011-03-02 16:27   --------   d-----w-   c:\program files\Windows Defender
2011-03-02 15:13 . 2011-03-02 15:13   388096   ----a-r-   c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 12:00   270848   ----a-w-   c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00   186880   ----a-w-   c:\windows\system32\encdec.dll
2011-02-02 21:40 . 2010-04-18 10:37   472808   -c--a-w-   c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2010-04-18 10:37   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-02-02 17:11 . 2009-10-03 00:40   222080   -c----w-   c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2004-08-04 12:00   2067456   ----a-w-   c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 12:00   677888   ----a-w-   c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00   439296   ----a-w-   c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 12:00   290048   ----a-w-   c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 12:00   1854976   ----a-w-   c:\windows\system32\win32k.sys
2011-03-18 17:53 . 2011-03-29 17:54   142296   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-06 339968]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2010-10-19 340520]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0smrgdf c:\documents and settings\Compaq_Owner\Application Data\iolo\
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys
R3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\DRIVERS\btkrnbdg.sys
R3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\Drivers\csrbc01.sys
R3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe [2009-08-24 406016]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2009-10-12 13224]
R3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\DRIVERS\k600bus.sys [2005-03-04 52384]
R3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\DRIVERS\k600mdfl.sys [2005-03-04 6096]
R3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\DRIVERS\k600mdm.sys [2005-03-04 87456]
R3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\DRIVERS\k600mgmt.sys [2005-03-04 79248]
R3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\k600obex.sys [2005-03-04 77072]
R3 PAC207;CamMaestro 3.01 DU PC Camera;c:\windows\system32\DRIVERS\pfc027.sys
R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [2008-06-04 90408]
R3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 vvlppc2;vvlppc2;
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2009-09-14 32272]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-02 19472]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2010-05-10 27632]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - pgldrpow
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-18 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2008-01-08 12:31]
.
2011-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-03-16 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-18 09:00]
.
2011-03-24 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-01-15 15:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Send To &Bluetooth
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\xkqzqf47.default\
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-30 22:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(928)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1896)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-03-30  23:27:34
ComboFix-quarantined-files.txt  2011-03-30 22:26
ComboFix2.txt  2011-03-28 00:18
ComboFix3.txt  2011-03-27 10:53
.
Pre-Run: 5,615,308,800 bytes free
Post-Run: 5,632,970,752 bytes free
.
- - End Of File - - CEA23687A63C9540E008168D0886EB6E
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: 1972vet on April 01, 2011, 07:37:10 PM
It seems your friend ran combofix for you by remote desktop? Is that the case? If so, fine...but if you don't use remote desktop yourself for any reason, you might want to close this port, especially since combofix already removed a stealthed trojan when your friend ran it last Sunday:
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
...and I see there were other issues that weren't dealt with from that run.

Please open a blank Notepad by clicking start-->run...Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


KILLALL::

FCopy::
c:\windows\ServicePackFiles\i386\termsrv.dll | c:\windows\system32\termsrv.dll

File::
c:\windows\system32\drivers\pavboot.sys

DDS::
uURLSearchHooks: H -
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} -
TB: {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} -
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

Folder::
C:\$AVG
c:\documents and settings\Compaq_Owner\Application Data\AVG10
c:\documents and settings\All Users\Application Data\AVG10
c:\documents and settings\All Users\Application Data\MFAData

Driver::
pavboot

Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Registry::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@=-
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@=-
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@=-
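The helper's point above is that a globally open firewall port (here 3389/TCP, Remote Desktop) is an exposure the user should close unless they actually use the service. The following is an added triage script, not part of this thread and not ComboFix's own code: it parses the `firewallpolicy` registry blocks in the format ComboFix prints (the `AuthorizedApplications\List` and `GloballyOpenPorts\List` keys shown in the logs above) and reports which ports are open and which programs are firewall-authorised. The sample log embedded in it is constructed to match that format; the `uses_remote_desktop` flag and the `REMOTE_ACCESS_PORTS` table are assumptions of this example.

```python
"""Triage the firewall-policy registry blocks in a ComboFix log.

Added example; the log text below is constructed in ComboFix's output format
and is not a real machine's log.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the 3389/TCP line mirrors the entry discussed in the thread.
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:UDP"= 5353:UDP:*:Enabled:Bonjour
.
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys
'''

SECTION_RE = re.compile(r"^\[(.+)\]$")          # [HKLM\...\List] headers
PORT_RE = re.compile(r'^"(\d{1,5}):(TCP|UDP)"\s*=')  # "3389:TCP"= ...
APP_RE = re.compile(r'^"(.+?)"\s*=\s*$')        # "c:\\path\\app.exe"=

# Assumption of this example: ports that a home machine has no reason to
# expose unless the owner knowingly uses the service behind them.
REMOTE_ACCESS_PORTS: Dict[Tuple[int, str], str] = {
    (3389, "TCP"): "Remote Desktop (Terminal Services)",
}


def parse_firewall_policy(log: str) -> Tuple[List[Tuple[int, str]], List[str]]:
    """Return (globally open ports, firewall-authorised programs) from the log."""
    open_ports: List[Tuple[int, str]] = []
    authorized_apps: List[str] = []
    section = ""
    for raw in log.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            continue
        if "globallyopenports" in section:
            m = PORT_RE.match(line)
            if m:
                open_ports.append((int(m.group(1)), m.group(2)))
        elif "authorizedapplications" in section:
            m = APP_RE.match(line)
            if m:
                # ComboFix prints backslashes doubled, .reg-file style; undo that.
                authorized_apps.append(m.group(1).replace("\\\\", "\\"))
    return open_ports, authorized_apps


def triage(log: str, uses_remote_desktop: bool = False) -> List[str]:
    """Produce human-readable findings; remote-access ports are flagged only
    when the owner says they do not use the service."""
    findings: List[str] = []
    open_ports, apps = parse_firewall_policy(log)
    for port, proto in open_ports:
        label = REMOTE_ACCESS_PORTS.get((port, proto))
        if label and not uses_remote_desktop:
            findings.append(f"FLAG {port}/{proto} globally open: {label}; close it if unused")
        else:
            findings.append(f"info {port}/{proto} globally open")
    for app in apps:
        findings.append(f"info firewall exception for program: {app}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, uses_remote_desktop=False):
        print(finding)
```

Run it against a real ComboFix.txt by replacing `SAMPLE_LOG` with the file's contents; anything prefixed `FLAG` is a port the helper above would have asked about.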
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on April 02, 2011, 04:05:53 PM
Hi, thanks for the info; my friend ran ComboFix from my PC, not by remote desktop.
I have copied and saved CFScript, will update with the logfile when completed. Thanks
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: 1972vet on April 02, 2011, 07:48:33 PM
Thanks for that info...then, I take it you DO use the remote desktop feature yourself?
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on April 03, 2011, 12:35:38 PM
No, never used remote desktop before, wouldn't know how to.
ComboFix has completed. My machine rebooted as the power in my house went down today; power back on and ComboFix completed. Thanks

 ComboFix 11-03-29.06 - Compaq_Owner 03/04/2011   5:18.4.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.44.1033.18.382.107 [GMT 1:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
FILE ::
"c:\windows\system32\drivers\pavboot.sys"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\$AVG
c:\$avg\$VAULT\V_00000001.fil
c:\$avg\$VAULT\V_00000002.fil
c:\$avg\$VAULT\vvfolder.idx
c:\documents and settings\All Users\Application Data\AVG10
c:\documents and settings\All Users\Application Data\AVG10\Cfg\admin.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\cachesrv.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\changecfgreg.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\csl.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\dav.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\emssrv.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\erd.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\idp.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\krnl.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\mail.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\mailsrv.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\mailsrvvsapi.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\malrep.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\scan.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\sched.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\setup.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\spsrv.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\tb.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\update.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\updatecomps.cfg
c:\documents and settings\All Users\Application Data\AVG10\Cfg\user.cfg
c:\documents and settings\All Users\Application Data\AVG10\cfgall\falsealarm.cfg
c:\documents and settings\All Users\Application Data\AVG10\cfgall\krnlall.cfg
c:\documents and settings\All Users\Application Data\AVG10\cfgall\updateall.cfg
c:\documents and settings\All Users\Application Data\AVG10\cfgall\userall.cfg
c:\documents and settings\All Users\Application Data\AVG10\Chjw\66b09336b0930ba5\avgcchff.dat
c:\documents and settings\All Users\Application Data\AVG10\Chjw\66b09336b0930ba5\avgcchfi.dat
c:\documents and settings\All Users\Application Data\AVG10\Chjw\66b09336b0930ba5\avgcchmf.dat
c:\documents and settings\All Users\Application Data\AVG10\Chjw\66b09336b0930ba5\avgcchmi.dat
c:\documents and settings\All Users\Application Data\AVG10\log\avgcfg.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgcfg.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgchjw.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgchjw.log.1
c:\documents and settings\All Users\Application Data\AVG10\log\avgchjw.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgchjwsrv.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgchjwsrv.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log.1
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log.2
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log.3
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log.4
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log.5
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log.6
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log.7
c:\documents and settings\All Users\Application Data\AVG10\log\avgcore.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgcsl.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgcsl.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgemc.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgemc.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgexc.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgexc.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgldr.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgldr.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avglng.log
c:\documents and settings\All Users\Application Data\AVG10\log\avglng.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgns.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgns.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgpostinst.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgpostinst.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgrs.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgrs.log.1
c:\documents and settings\All Users\Application Data\AVG10\log\avgrs.log.2
c:\documents and settings\All Users\Application Data\AVG10\log\avgrs.log.3
c:\documents and settings\All Users\Application Data\AVG10\log\avgrs.log.4
c:\documents and settings\All Users\Application Data\AVG10\log\avgrs.log.5
c:\documents and settings\All Users\Application Data\AVG10\log\avgrs.log.6
c:\documents and settings\All Users\Application Data\AVG10\log\avgrs.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgscan.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgscan.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgsched.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgsched.log.1
c:\documents and settings\All Users\Application Data\AVG10\log\avgsched.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgsrm.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgsrm.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgsrmac.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgsrmac.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgtdi.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgtdi.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgual.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgual.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgui.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgui.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgupd.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgupd.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgwd.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgwd.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\avgwdsvc.log
c:\documents and settings\All Users\Application Data\AVG10\log\avgwdsvc.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\commonpriv.log
c:\documents and settings\All Users\Application Data\AVG10\log\commonpriv.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\fixcfg.log
c:\documents and settings\All Users\Application Data\AVG10\log\fixcfg.log.lock
c:\documents and settings\All Users\Application Data\AVG10\log\history.xml
c:\documents and settings\All Users\Application Data\AVG10\log\IDP\log\avgtray_idp_Compaq_Owner.log
c:\documents and settings\All Users\Application Data\AVG10\log\IDP\log\avgui_idp_Compaq_Owner.log
c:\documents and settings\All Users\Application Data\AVG10\log\IDP\log\avgwdsvc_idp_SYSTEM.log
c:\documents and settings\All Users\Application Data\AVG10\log\vault.log
c:\documents and settings\All Users\Application Data\AVG10\log\vault.log.lock
c:\documents and settings\All Users\Application Data\AVG10\lsdb\prev\prvcache.dat
c:\documents and settings\All Users\Application Data\AVG10\lsdb\prev\prvglbl.dat
c:\documents and settings\All Users\Application Data\AVG10\scanlogs\I_00000001.log
c:\documents and settings\All Users\Application Data\AVG10\scanlogs\I_00000005.log
c:\documents and settings\All Users\Application Data\AVG10\scanlogs\I_00000006.log
c:\documents and settings\All Users\Application Data\AVG10\scanlogs\I_00000007.log
c:\documents and settings\All Users\Application Data\AVG10\scanlogs\srm.idx
c:\documents and settings\All Users\Application Data\MFAData
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110302-200423.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110302-203752.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110303-154655.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110302-200423.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110302-203752.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110303-154655.log
c:\documents and settings\All Users\Application Data\MFAData\mfaurlconf.ini
c:\documents and settings\All Users\Application Data\MFAData\mkt\hi\dm_marketing_message-hi.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\hi\Installation-Page_LinkScanner.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\hi\Installation-Page_Smart-Scanning.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\hi\Installation-Page_Social-Networking.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\ico-blue-bg.gif
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\LinkScanner-style.css
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\LinkScanner.jpg
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\OK.png
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\Smart-Scanning.jpg
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\SmartScanning-style.css
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\Social-Networking.jpg
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\SocialNetworking-style.css
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\style.css
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\Thumbs.db
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\ui-background.jpg
c:\documents and settings\All Users\Application Data\MFAData\mkt\us\dm_marketing_message-en-us.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\us\Installation-Page_LinkScanner.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\us\Installation-Page_Smart-Scanning.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\us\Installation-Page_Social-Networking.html
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10avgx1204gi.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\foi10cnet_lic8dn.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\foi10cnet_mis15ni.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\foi10cnet_mps11fx.bin
c:\documents and settings\All Users\Application Data\MFAData\state.dat
c:\documents and settings\Compaq_Owner\Application Data\AVG10
c:\documents and settings\Compaq_Owner\Application Data\AVG10\cfgall\usergui.cfg
c:\windows\system32\drivers\pavboot.sys
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\termsrv.dll --> c:\windows\system32\termsrv.dll
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_PAVBOOT
-------\Service_pavboot
.
.
(((((((((((((((((((((((((   Files Created from 2011-03-03 to 2011-04-03  )))))))))))))))))))))))))))))))
.
.
2011-03-30 16:54 . 2011-03-15 04:05   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{C6C3482B-DB51-46CF-ABC1-1C4A517CD51A}\mpengine.dll
2011-03-28 17:31 . 2011-03-28 17:31   --------   d-----w-   C:\ARK
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-03-26 23:25 . 2011-03-26 23:25   --------   d-----w-   c:\program files\ESET
2011-03-26 10:18 . 2011-03-26 10:18   --------   d-----w-   c:\documents and settings\Compaq_Owner\DoctorWeb
2011-03-12 12:28 . 2011-03-12 12:28   103864   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-03-10 16:32 . 2011-03-10 16:32   --------   d-----w-   c:\program files\iPod
2011-03-07 08:20 . 2011-03-07 08:20   --------   d-----w-   c:\program files\Bonjour
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 04:05 . 2011-03-02 16:30   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-02 15:13 . 2011-03-02 15:13   388096   ----a-r-   c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-09 13:53 . 2004-08-04 12:00   270848   ----a-w-   c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00   186880   ----a-w-   c:\windows\system32\encdec.dll
2011-02-02 21:40 . 2010-04-18 10:37   472808   -c--a-w-   c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2010-04-18 10:37   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-02-02 17:11 . 2009-10-03 00:40   222080   -c----w-   c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2004-08-04 12:00   2067456   ----a-w-   c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 12:00   677888   ----a-w-   c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00   439296   ----a-w-   c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 12:00   290048   ----a-w-   c:\windows\system32\atmfd.dll
2011-03-18 17:53 . 2011-03-29 17:54   142296   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-06 339968]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2010-10-19 340520]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0smrgdf c:\documents and settings\Compaq_Owner\Application Data\iolo\
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys
R3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\DRIVERS\btkrnbdg.sys
R3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\Drivers\csrbc01.sys
R3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe [2009-08-24 406016]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2009-10-12 13224]
R3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\DRIVERS\k600bus.sys [2005-03-04 52384]
R3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\DRIVERS\k600mdfl.sys [2005-03-04 6096]
R3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\DRIVERS\k600mdm.sys [2005-03-04 87456]
R3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\DRIVERS\k600mgmt.sys [2005-03-04 79248]
R3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\k600obex.sys [2005-03-04 77072]
R3 PAC207;CamMaestro 3.01 DU PC Camera;c:\windows\system32\DRIVERS\pfc027.sys
R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [2008-06-04 90408]
R3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 vvlppc2;vvlppc2;
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2009-09-14 32272]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-02 19472]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2010-05-10 27632]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-01 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2008-01-08 12:31]
.
2011-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-03-16 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-18 09:00]
.
2011-03-31 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-01-15 15:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Send To &Bluetooth
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\xkqzqf47.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-03 15:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(924)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(4040)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\windows\ALCXMNTR.EXE
c:\windows\system32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\Windows Desktop Search\WindowsSearch.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2011-04-03  16:47:45 - machine was rebooted
ComboFix-quarantined-files.txt  2011-04-03 15:47
ComboFix2.txt  2011-03-30 22:28
ComboFix3.txt  2011-03-28 00:18
ComboFix4.txt  2011-03-27 10:53
.
Pre-Run: 5,608,624,128 bytes free
Post-Run: 5,750,247,424 bytes free
.
- - End Of File - - 18099EF6C2ACD7EF2054AD3F587789D4
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: 1972vet on April 03, 2011, 06:36:52 PM
Quote
No never used remote desktop before, wouldn't know how to...
OK then, let's do one more. This one will close that open remote desktop port. While we're at it, I see no point in keeping the remnant service driver file left over from your previous installation of Ad-aware.

Please open a blank Notepad by clicking Start --> Run... Then, in the Run box, type Notepad.exe and click "OK".
Copy the below text in bold and paste it into the blank Notepad. Save it as CFScript.txt... Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your ComboFix.exe.

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


KILLALL::

File::
c:\windows\system32\DRIVERS\Lbd.sys

Driver::
Lbd

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on April 03, 2011, 09:42:50 PM
Hi, running ComboFix now, will post when completed. Thanks.
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on April 04, 2011, 08:22:52 AM
ComboFix 11-03-29.06 - Compaq_Owner 04/04/2011   5:16.5.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.44.1033.18.382.137 [GMT 1:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
FILE ::
"c:\windows\system32\DRIVERS\Lbd.sys"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_LBD
-------\Service_Lbd
.
.
(((((((((((((((((((((((((   Files Created from 2011-03-04 to 2011-04-04  )))))))))))))))))))))))))))))))
.
.
2011-03-30 16:54 . 2011-03-15 04:05   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{C6C3482B-DB51-46CF-ABC1-1C4A517CD51A}\mpengine.dll
2011-03-28 17:31 . 2011-03-28 17:31   --------   d-----w-   C:\ARK
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-27 14:56 . 2011-03-27 14:56   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-03-26 23:25 . 2011-03-26 23:25   --------   d-----w-   c:\program files\ESET
2011-03-26 10:18 . 2011-03-26 10:18   --------   d-----w-   c:\documents and settings\Compaq_Owner\DoctorWeb
2011-03-12 12:28 . 2011-03-12 12:28   103864   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-03-10 16:32 . 2011-03-10 16:32   --------   d-----w-   c:\program files\iPod
2011-03-07 08:20 . 2011-03-07 08:20   --------   d-----w-   c:\program files\Bonjour
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 04:05 . 2011-03-02 16:30   6792528   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-02 15:13 . 2011-03-02 15:13   388096   ----a-r-   c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-09 13:53 . 2004-08-04 12:00   270848   ----a-w-   c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00   186880   ----a-w-   c:\windows\system32\encdec.dll
2011-02-02 21:40 . 2010-04-18 10:37   472808   -c--a-w-   c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2010-04-18 10:37   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-02-02 17:11 . 2009-10-03 00:40   222080   -c----w-   c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2004-08-04 12:00   2067456   ----a-w-   c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 12:00   677888   ----a-w-   c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00   439296   ----a-w-   c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 12:00   290048   ----a-w-   c:\windows\system32\atmfd.dll
2011-03-18 17:53 . 2011-03-29 17:54   142296   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-06 339968]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2010-10-19 340520]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-8-30 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0smrgdf c:\documents and settings\Compaq_Owner\Application Data\iolo\
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [14/10/2009 21:18 36880]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R2 vvlppc2;vvlppc2;c:\windows\system32\drivers\vvlppc2.sys [17/11/2005 18:48 30080]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14/09/2009 15:42 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/10/2009 19:39 19472]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [10/05/2010 22:20 27632]
S0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys --> c:\windows\system32\drivers\dwprot.sys [?]
S3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys --> c:\windows\system32\drivers\Btcomm.sys [?]
S3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\DRIVERS\btkrnbdg.sys --> c:\windows\system32\DRIVERS\btkrnbdg.sys [?]
S3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\Drivers\csrbc01.sys --> c:\windows\system32\Drivers\csrbc01.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [12/10/2009 15:44 13224]
S3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\drivers\k600bus.sys [04/03/2005 19:08 52384]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\drivers\k600mdfl.sys [04/03/2005 19:11 6096]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\drivers\k600mdm.sys [04/03/2005 19:11 87456]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\drivers\k600mgmt.sys [04/03/2005 19:13 79248]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\k600obex.sys [04/03/2005 19:15 77072]
S3 PAC207;CamMaestro 3.01 DU PC Camera;c:\windows\system32\DRIVERS\pfc027.sys --> c:\windows\system32\DRIVERS\pfc027.sys [?]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [28/07/2010 20:58 90408]
S3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys --> c:\windows\system32\drivers\vadmulti.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-01 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2008-01-08 12:31]
.
2011-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-03-16 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-18 09:00]
.
2011-03-31 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-01-15 15:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Send To &Bluetooth
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\xkqzqf47.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-04 14:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(900)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3268)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\AGRSMMSG.exe
c:\windows\ALCXMNTR.EXE
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2011-04-04  15:10:53 - machine was rebooted
ComboFix-quarantined-files.txt  2011-04-04 14:10
ComboFix2.txt  2011-04-03 15:47
ComboFix3.txt  2011-03-30 22:28
ComboFix4.txt  2011-03-28 00:18
ComboFix5.txt  2011-04-04 03:51
.
Pre-Run: 5,708,455,936 bytes free
Post-Run: 5,709,123,584 bytes free
.
- - End Of File - - 2A9AF8398065F9138D9F89688DC85C09
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: 1972vet on April 04, 2011, 01:02:24 PM
How's it running now?
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: ACE123 on April 07, 2011, 09:49:45 AM
Hi, ran Malwarebytes (took hours), no errors; have used internet/email/MS Word, had no problems, all running smoothly.
May I say a really big thanks for taking me through step by step and making my PC safe and working again.  :p
I will be making a donation as your help has been great.


THANKS  :ty
Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: 1972vet on April 07, 2011, 09:56:50 AM
Excellent! You can delete these now:
DDS.scr
DDS.txt
Attach.txt
GMER and associated log(s)


Next, please click start-->run...then copy and paste the text below into the run box and click "OK":

ComboFix /Uninstall

Performing this function will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again for you automatically.

To assist in the prevention of malicious software intrusion and infections:

Please remember to keep antivirus software on board and always use its real-time protection feature. Run a complete system scan at least once a week...preferably in Safe mode (http://www.bleepingcomputer.com/tutorials/tutorial61.html).

If your antivirus program is a licensed version that is about to expire, you can consider using one of these, available free in the public domain:

Microsoft Security Essentials (http://www.microsoft.com/security_essentials/)
AntiVir Personal Edition Classic (http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html)
Avast! 4 Home Edition (http://www.avast.com/eng/download-avast-home.html)

Those of us in the online safety/security community have tried and tested these programs to determine their abilities. Bearing in mind that nothing is ever a guarantee regarding computer security, these programs, combined with the rest of these recommendations, are nevertheless certain to have an impact in helping to keep your system running free and clear. I personally have been satisfied having tested and used each one of those at one time or another.


Below you can choose from several of the freeware firewalls available in the public domain. Even though you may have a firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

You should always have at least one (but not more than one) of these types of third-party firewalls running on board:

Sunbelt Personal Firewall (http://www.sunbelt-software.com/Kerio-download.cfm)

Zone Alarm (http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp?dc=12bms&ctry=US&lang=en) Beware: this download includes the Ask Toolbar. The ZoneAlarm Spy Blocker toolbar is powered by "Ask.com". The "Ask" search engine will cause "targeted" ads to be presented to you based upon the content of the web pages you visit, any personally identifiable information you have provided to "Ask.com", or keywords appearing in your search queries. Many security experts consider this type of behavior offensive. Windows 2k/XP/Vista.

Outpost Free (http://www.agnitum.com/products/outpostfree/index.php)

Comodo (http://www.personalfirewall.comodo.com/) I highly recommend this firewall, but it may just be best suited for advanced users.

Stay updated with the most recent Windows patches using Microsoft's Windows Update (http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us). Make it easy on yourself, and set this feature to Automatic (http://www.microsoft.com/windows/downloads/windowsupdate/automaticupdate.mspx).


Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox (http://www.mozilla.org/). If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner (http://www.ccleaner.com/download/builds) often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup, or else just download the Slim version (no toolbar...last download link at the bottom of that page)...

Or if you just want to run your on-board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup"), just open the utility and check off the following:

Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files.

So how did I get infected in the first place? (http://forums.spybot.info/showthread.php?t=279)
Regards, and Happy Surfing!
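
As an added example (not part of the thread and not something 1972vet posted), the Disk Cleanup step in the post above can be run unattended from a batch file instead of ticking the boxes by hand. It assumes an XP-era cleanmgr.exe and reg.exe, that the four category names used by the dialog match the handler subkeys under the VolumeCaches registry key on this machine, and that profile number 1 is free; the profile number is an arbitrary choice.

```batch
@echo off
rem Added example, not from the thread. Preselects the four Disk Cleanup
rem categories named in the post for cleanup profile 1, then runs that
rem profile without the dialog. StateFlags0001 = 2 marks a handler as
rem selected for profile 1, which is what "cleanmgr /sageset:1" would
rem save if you ticked the same boxes interactively.
rem Assumption: run from an Administrator account (HKLM is written).
set KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches

for %%H in ("Downloaded Program Files" "Temporary Internet Files" "Recycle Bin" "Temporary Files") do (
    reg add "%KEY%\%%~H" /v StateFlags0001 /t REG_DWORD /d 2 /f >nul
)

rem Run the saved profile; cleanmgr reads StateFlags0001 and skips the UI.
cleanmgr /sagerun:1
```

Categories not listed in the loop are left unselected for profile 1, so the run touches only the four folders the post names. If a later cleanup should cover more, add the handler name to the loop rather than editing StateFlags values by hand.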

Title: Re: [Resolved] Unable to remove Win32/Spy.Ursnif.A virus...
Post by: 1972vet on April 07, 2011, 09:58:25 AM
This thread is now closed as the issue appears to be resolved.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.