
win32/spy.ursnif.A removal

3 replies to this topic

#1 sstanuszek

  • Members
  • 3 posts

Posted 03 December 2009 - 07:17 PM

I'm infected with win32/spy.ursnif.A. My previous anti-virus never picked it up. I recently installed ESET NOD32, which picked it up but was unable to clean or delete it. I contacted ESET and have copied and pasted their response and recommendations for removal below my post. I have gotten as far as downloading ComboFix but have been unable to run it in safe mode because it keeps telling me ESET is still running. I disabled ESET manually and also from the startup menu using msconfig, but it keeps telling me it's still running. Not sure what to do... Here's a copy of what ESET emailed me.

Hi there, please make sure that you have the latest version of ESET NOD32 Antivirus 4.0 or ESET Smart Security 4.0 (depending upon your license); I am not referring to the “virus signature updates”, I am referring to the actual software version number: 4.0.XXX. You can locate the version number in main ESET Control Center, “Help and Support> About… section: http://kb.eset.com/esetkb/index?page=content&id=SOLN758 You can find the latest product version on our website: www.eset.com in the download section alongside the product that you would like to download.

If you need to UPGRADE to version 4.0, please download and SAVE the installer to your DESKTOP, then UNINSTALL YOUR CURRENT VERSION, only after this install version 4.0.

Next, please complete the following:

1. Clean your Temp folders:
Start > All Programs > Accessories > System Tools > Disk Cleanup > push OK

2. Configure ESET version 4.0 software to maximize scanning: http://kb.eset.com/esetkb/index?page=content&id=SOLN2115

3. Run a “Custom scan” after changing the settings above.

4. Check the scan results.

ONLY if the infection remains, please complete the following:

1. Download and SAVE ComboFix from here: http://www.combofix.org

2. Boot into Safe mode please see the following link:

http://www.pchell.com/support/safemode.shtml - do NOT use the MSCONFIG method.

3. Run ComboFix. Further instructions for its use can be found here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

ONLY if the issue remains please refer to the following ESET Knowledgebase article:

http://kb.eset.com/esetkb/index?page=content&id=SOLN2103

Once you have made a SysRescue CD please boot your computer from it. In order to have your computer boot from the SysRescue Disk, please complete the following:

1. Totally close down your computer.

2. Power your computer back up. The second you see the black screen with white writing start to populate, use one of the following keys (usually the DELETE key pressed rapidly) to get you into the BIOS setup area.

DELETE
F1
F2
F10
CTRL+ALT+ESC
CTRL+ALT+ENTER
CTRL+ALT+S
CTRL+ALT+INSERT
CTRL+A
CTRL+F1
CTRL+S

3. Once in the BIOS you will need to use the Enter key (on your keyboard), Up/Down keys and Plus/Minus keys to navigate and make the changes. Each BIOS is different, so you will have to look for the BOOT SEQUENCE area and make the changes so that your CD/DVD ROM is the first boot device and your hard disk drive is the 2nd device. Once this has been done, be sure to SAVE the settings.

4. Reboot your computer with the SysRescue CD/DVD in the drive.


#2 boopme

  • Global Moderator
  • 72,740 posts
  • Location:NJ USA

Posted 03 December 2009 - 08:12 PM

Hello, as you see you have a serious malware infection... It can, will, and may already have stolen sensitive info.

The identified infection is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


So, your alternatives. FIRST, see the Blue text on ComboFix atop this forum.

Now you either have to post in the HJT forum and remove this or Wipe the drive and reinstall.


Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and What Do I Do? links I previously provided. As I already said, in some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension behind the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.


To run HJT/DDS:
Please follow this guide. Go and do steps 6 through 8 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant title and post that complete log.

Let me know if it went OK.

#3 sstanuszek

  • Topic Starter
  • Members
  • 3 posts

Posted 04 December 2009 - 08:02 AM

Well, I had plans to install a new hard drive and install Windows 7 anyway. My friend works on and builds computers and can get me a new hard drive fairly cheap. Sounds like that may be the way to go. I've already started backing everything up. Thanks for the help and advice!

#4 boopme

  • Global Moderator
  • 72,740 posts
  • Location:NJ USA

Posted 04 December 2009 - 03:36 PM

You're very welcome! Not an unwise decision to make and the one I would have. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension behind the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low-level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.

==============================

2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc. and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc.
2) Do not back up any executable files or any Windows files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files, as they may contain traces of malware. Also, .html or .htm files that are web pages should also be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.

Since we don't know exactly which infections we're dealing with here, we should take some precautions before we attempt to move files from the infected machine. Run the following on your clean computer, and make sure you insert your flash drives at the prompt.
Download and Run FlashDisinfector

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


Reinstall Windows Vista
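The two backup rules above, together with the warning about malware hiding a real extension behind a harmless-looking one, can be applied mechanically to a file listing before anything is copied off the infected machine. The following is an added example written for this thread, not a tool boopme or ESET mention; the extension sets beyond those named in the post (.jpeg, .png, .pdf, .xls, .bat, .cmd, .vbs and so on) and the sample file names are assumptions constructed for illustration.

```python
"""Triage backup candidates against the thread's two rules (added example)."""
from pathlib import PureWindowsPath   # pure path: parses names only, touches no disk
from typing import List, NamedTuple

# Rule 1: data files to keep. The post names .doc/.txt/.mp3/.jpg; the rest are assumed extras.
SAFE_EXTS = {".doc", ".txt", ".mp3", ".jpg", ".jpeg", ".png", ".pdf", ".xls"}
# Rule 2: the post's list of extensions not to back up.
SKIP_EXTS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}
# Extensions Windows will execute on double-click (assumed set); used for double-extension lures.
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js", ".lnk"}


class Verdict(NamedTuple):
    name: str
    action: str   # "backup", "skip" or "review"
    reason: str


def triage(name: str) -> Verdict:
    """Decide what to do with one file name, looking at the FULL name as the post advises."""
    p = PureWindowsPath(name)
    suffixes = [s.lower() for s in p.suffixes]          # "holiday.jpg.exe" -> [".jpg", ".exe"]
    if p.name.lower() == "autorun.inf":
        return Verdict(name, "skip", "autorun file (rule 2)")
    if not suffixes:
        return Verdict(name, "review", "no extension; inspect manually")
    last = suffixes[-1]
    # A document/media extension sitting directly in front of an executable one is the
    # "hidden extension" trick: with extensions hidden, Explorer shows "holiday.jpg".
    if len(suffixes) >= 2 and suffixes[-2] in SAFE_EXTS and last in EXEC_EXTS:
        return Verdict(name, "skip", f"disguised executable: {suffixes[-2]} hides {last}")
    if last in SKIP_EXTS or last in EXEC_EXTS:
        return Verdict(name, "skip", f"{last} may carry malware (rule 2)")
    if last in SAFE_EXTS:
        return Verdict(name, "backup", f"{last} data file (rule 1)")
    return Verdict(name, "review", f"unlisted extension {last}; inspect manually")


def triage_all(names: List[str]) -> List[Verdict]:
    return [triage(n) for n in names]


# Constructed sample listing (not from the thread), as seen with "hide extensions" turned off.
SAMPLE = ["thesis.doc", "holiday.jpg", "holiday.jpg.exe", "setup.exe", "autorun.inf",
          "notes", "song.mp3", "report.pdf.scr", "index.htm", "photos.zip"]

if __name__ == "__main__":
    for v in triage_all(SAMPLE):
        print(f"{v.action:7} {v.name:18} {v.reason}")
```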
