Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Ursniff, appears to breeds others...?

  • Please log in to reply
1 reply to this topic

#1 frostybaby13


  • Members
  • 7 posts
  • Local time:01:35 AM

Posted 02 September 2009 - 03:56 AM


Yesterday, my system was perfectly clean. I went to Blizzard.com to download a patch for Warcraft III. The site said it was busy and directed me to a "mirrorsite" where I couldn't quite understand exactly what patch to download so I shouldn't have clicked, but I did. Opened in WinRar, and tried to paste the files where it said in the games's program files.

I suddenly got the "fake antivirus 2010" alert, appearing as an icon at the bottom next to the clock. Then it began to pretend to be downloading the 'appropriate software removal', so I hurried and disconnected the internet and immediately opened Malwarebytes. (the only other Trogan experience I'd had was Vundo a few months back, and MBAM took care of that, no problem)

Meanwhile, my computer's antivirus CA has a "quick spybot scan" I used and in 20 seconds it showed me the following problems:
1. Ursniff
2. eldycow (during the course of my scans sometimes this would read "eldycowgeneric"
3. Win32/Cutwail.ATB

When Malwarebytes was finished with the first scan, it found about 20 problems. I clicked to removal all and was told to reboot.

Upon rebooting, I ran the CA "quick scan" again, and Ursniff was still coming up. So I ran Malwarebytes again. While MBAM was running, CA popped up with an alert about 2 files called: Win32/Cutwail.ATB (which it said it found and immediately deleted. This time the resulting Malwarebytes scan found 2 or 3 problems, I followed the instructions and rebooted.

Repeat this process several times (checking CA to get a 'preview' of what my Malwarescan would find), running Malwarebytes, rebooting as instructed. I got Malwarebytes scan down to ONE problem file, termed by MBAM as "Malware.Trace" which I copied here:

Documents and Settings/HP_Administraitor/Application Data/wiaserva.log

I clicked to remove and reboot, but upon opening my computer and running Malwarebytes - the same problem file appears again and again. The CA "quick spyware scan" comes out clean.

With just the one file left, I finally reconnected to the internet to search that file in google and see if it was "the root core" and if there were some instructions on how to remove it. Bad idea. Even though I used dial-up to connect, to prevent any strange things happening quickly, almost immediately I recieved the same "Fake 2010 antivirus" with it's fake icon.

So I repeated everything that I had done before, running Malwarebytes over and over (about 3 times) to get it down to that one single " /wiaserva.log " file.

I have reconnected to the internet, to post my problem here...and so far, no fake antivirus has appeared, and CA is still showing no traces. But if I run Malwarebytes, it will continuously show me that " wiaserva.log " and ask me to reboot, only to find it again the next run through.

Any help would be appreciated. I am using Windows XP, my browser is Internet Explorer.

For added information (other steps I took): I did check my Windows Firewall, and whatever this virus was has disabled it. I have clicked to turn it back on and allow NO EXCEPTIONS, but each time I open it after rebooting, it says "Windows Security Service is not available, because Window's security was not started or was stopped...to turn it back on, close this window and reboot, OR reopen Security Center" I do not know how to "reopen it" as I didn't close it.

Also, I did try to find the " Documents & settings/...wiaserva.log " manually, through my computer. But "Application Data" must be a hidden file because I couldn't locate it there. But I could locate it using my CA antivirus programs "manually scan" function... it opens a box that looks like 'my computer' and actually showed the hidden files 'faded' but I could click them and see the contents. I made CA scan the offending file, but it read clean. Also, I cannot delete anything from within CA or I would have tried to delete that particular file.

Lastly, although CA has made no mention or found any traces, each time the MalwareBytes scan would run during the time that the 'fake antivirus' appeared, it would show traces of having found Vundo. On my google search for the entire file name: Documents & Settings/HP_administrator/Application Data/wiaserva.log I found a webpage that said this file was one of the "visible symptoms" and then it listed 2 (what looked like registry files) that were found with 'deeper analysis'. The Ursniff was rated "critical" on CA's explanation site, saying it was a keylogger. There was no information listed for the " Win32/Cutwail.ATB " alert from CA either.

Right now, I've been online for over an hour without incident, but there is the one corrupt file left in all Malwarebytes scans. As mentioned, I had gotten it down to 1 before, but as soon as I connected to internet - I blew up with alerts as if the entire thing had happened again. This time, that has not happened. I'm not sure why, the steps between the two internet connects were the same.

(Just now: running Malwarebytes after being online produced 8 problem results - I assume, all stemming from the initial one that was left. 2 Vundo, 5 trogan agents, and the 1 infamous " wiaserve.log " that never goes away depite all my scanning) I hesitate to term this problem Vundo, as Malwarebytes totally cleaned that before. This seems to all come from the one wiaserve file, making other infections appear if I connect to the internet. I spotted two .run files in the Malwarebytes logs, so I'm sure there's a downloader...but the scans seem to take care of those, until the moment internet connection goes live. :thumbsup:

Edited by frostybaby13, 02 September 2009 - 08:22 AM.

BC AdBot (Login to Remove)


#2 frostybaby13

  • Topic Starter

  • Members
  • 7 posts
  • Local time:01:35 AM

Posted 03 September 2009 - 05:03 AM

:thumbsup: ISSUE SOLVED! :flowers:

Thanks so much, the advice to other posters with similar problems helped me solve the problem.

Incase this helps anyone else who experiences the same... I read most people on the forum with wanky virus activities like mine were asked to do the Dr. Web-Cureit in Safe mode (see other posts for appropriate instructions). That was the miracle working step. Dr Web's quick scan found 3 troganesque items, and the lengthy 5 hr scan that followed found 11 problems in all, including two trogan downloaders, and one trogan.copy self. Rebooted back to regular, scanned with Malwarebytes NO INFECTED FILES!!! :D CA quick scan? NO SPYWARE!!! :D Nervously logged back online, NO ANTISPYWARE2010 flashing!! :D

Long story short: Ursnif, eldycow!generic, Vundo traces, all taken care of by Malwarebytes followed by DrWeb-Cureit!

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users