Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

win32/Spy.Ursnif.A


  • Please log in to reply
22 replies to this topic

#1 Focal08

Focal08

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:38 AM

Posted 20 August 2009 - 09:53 AM

Hello,

As you can tell I am new to these forums, and in dire need of some help. I have been putting off making this post for far too long - reading over similar googl'd threads and trying the solutions on my own PC. Needless to say, to no avail.

To sum it up - ESET keeps popping up with its little red window saying that the win32/Spy.Ursnif.A virus is detected, yet my only choice is to "ignore" it - it cannot be deleted (I suppose because it binds itself to system files). All and any help will be appreciated - I am standing by the computer and will check the forum at least every hour or so.

Thanks ahead

Edited by The weatherman, 20 August 2009 - 10:22 AM.
Moved from XP to a more appropriate forum. Tw


BC AdBot (Login to Remove)

 


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 PM

Posted 20 August 2009 - 08:12 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Focal08

Focal08
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:38 AM

Posted 20 August 2009 - 11:56 PM

Thank you very much, Budapest, I apologize for taking as long as I did to reply - I was at work, as soon as I got home, I proceeded to follow your instructions. Here is the MBAM log, as per request.

[Note: the dashes (------), etc., are my formatting to clearly separate the log from the rest of the email.]
Thanks again!

Contents of "mbam-log-2009-08-20 (23-47-07).txt""
---------------------------------------------(Begin)----------------
Malwarebytes' Anti-Malware 1.40
Database version: 2667
Windows 5.1.2600 Service Pack 2

8/20/2009 11:47:07 PM
mbam-log-2009-08-20 (23-47-07).txt

Scan type: Quick Scan
Objects scanned: 96967
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\chrome\amba.jar (Trojan.Hanam) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSfpmp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

--------------------------------------------------------------(End "mbam-log-2009-08-20 (23-47-07).txt")--------------

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 PM

Posted 20 August 2009 - 11:59 PM

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check only the Files box: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 Focal08

Focal08
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:38 AM

Posted 22 August 2009 - 02:12 AM

I work 12 hour shifts Fridays and Saturdays, so I haven't been able to check for Rootkits until just now. Will post the log as soon as I finish. Once again, let me extend my thanks for your help, as well as your patience.

[EDIT: RootRepeal scan of the Files is finished, here is the report]

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/08/22 02:22
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

==EOF==





[EDIT #2: When I first installed RootRepeal, I accidentally ran the scan under the "Drivers" tab (the first one), which turned up nearly two hundred results. I am not sure if you need this information, but i felt obliged to mention it just in case.]

Edited by Focal08, 22 August 2009 - 02:54 AM.


#6 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 PM

Posted 22 August 2009 - 03:33 AM

There's no need to post the drivers log. RootRepeal didn't turn up anything. Try this:

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#7 Focal08

Focal08
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:38 AM

Posted 27 August 2009 - 04:45 PM

My apologies for the time it took me.

=====

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/25/2009 at 01:09 AM

Application Version : 4.22.1014

Core Rules Database Version : 3955
Trace Rules Database Version: 1897

Scan type : Quick Scan
Total Scan Time : 00:04:32

Memory items scanned : 422
Memory threats detected : 0
Registry items scanned : 126
Registry threats detected : 0
File items scanned : 0
File threats detected : 0

#8 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 PM

Posted 27 August 2009 - 04:52 PM

Please run another Malwarebytes scan.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#9 Focal08

Focal08
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:38 AM

Posted 27 August 2009 - 11:39 PM

Malwarebytes' Anti-Malware 1.40
Database version: 2708
Windows 5.1.2600 Service Pack 2

8/27/2009 10:57:32 PM
mbam-log-2009-08-27 (22-57-32).txt

Scan type: Quick Scan
Objects scanned: 112298
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 PM

Posted 27 August 2009 - 11:45 PM

How's your computer running now?
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#11 Focal08

Focal08
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:38 AM

Posted 28 August 2009 - 11:47 PM

The same ESET window keeps popping up... By the way, I am running ESET 4.

Thank you for all of your help, my apologies for my PC being difficult :/

#12 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 PM

Posted 29 August 2009 - 02:21 AM

Does ESET say where it found this win32/Spy.Ursnif.A?
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#13 Focal08

Focal08
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:38 AM

Posted 29 August 2009 - 03:07 AM

Different locations, depending on which program I start up

Eg. 1:
1. Started WolfTeam (MMOFPS by Aeriagames)
2. Pop up -

Threat found
Alert

Object: C:\WINDOWS\system32\winlogon.exe
Threat: Win32/Spy.Ursnif.A virus
Comment: Event occured during an attempt to run the file by the application: C:\AeriaGames\WOlfTeam\Launcher.exe.

Eg. 2:
1. Started up Windows Messenger
2. Pop up -

Threat found
Alert

Object: C:\WINDOWS\system32\winlogon.exe
Threat: Win32/Spy.Ursnif.A virus
Comment: Event occured during an attempt to run the file by the application: C:\Program Files\Messenger\msmgs.exe.


Hope this helps

Thanks

#14 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 PM

Posted 29 August 2009 - 05:22 PM

Please upload this file to Jotti for analysis.

C:\WINDOWS\system32\winlogon.exe

Post back the results.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#15 Focal08

Focal08
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:38 AM

Posted 29 August 2009 - 11:59 PM

Something very strange is going on.... Jotti says "Status: File is empty (0 bytes)!"

Now, I'm no computer expert, but it seems that things are getting "weirder and weirder."

[EDIT]

Okay, so I scrolled through ESET's logs and another file keeps popping up in relevance to the same virus - termsrv.dll. So, naturally, I tried uploading this one to Jotti as well. Same thing - "Status: File is empty (0 bytes)!" I went into Explorer and looked up both files... you guessed it - termsrv.dll is 288 KB, while winlogon.exe is 490 K. Strange, I was able to right click and pull up the Properties window on winlogon.exe earlier, but now everytime I click on the file the ESET alert window pops up and prevents me from doing so. It is still saying the same thing - C:\WINDOWS\system32\winlogon.exe is the undeletable culprit.

Edited by Focal08, 30 August 2009 - 12:06 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users