Ursnif.A

To talk on Icrontic, just register!

It only takes 30 seconds.

Have an account? Sign in:

To reopen your thread, send a Private Message (PM) to Trogan with a link to your thread.

If you are not the user who started this thread, you must start your own thread instead.

Reply to Discussion

Options

sneekypeeks

New to the neighborhood

4 Posts

27 Jun 2009, 4:26am

Eset has been going stupid and all the fixes I have tried have not worked to remove this from my computer. I get this box everytime I do something on my computer.

Object:
C:\WINDOWS\system32\winlogon.exe

Threat:
Win32/Spy.Ursnif.A virus

Any information you could give me to help get rid of this would be greatly appreciated. Also, I have had this for a couple of days, I have not checked any private information like my bank and such, but I store my passwords. Should I change them?

Thanks

chiaz

Spyware Mod

1,219 Posts

27 Jun 2009, 4:46am

Hello.

Let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

Go here ======> A guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first.This applies to XP Pro and XP Home users only.If you have SP3 installed you will need to use the download meant for SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include C:\ComboFix.txt for further review (copy and paste it), so that we may continue cleansing the system.

Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.

sneekypeeks

New to the neighborhood

4 Posts

27 Jun 2009, 5:02am

ComboFix 09-06-26.02 - LOVE 06/26/2009 22:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1516 [GMT -5:00]
Running from: c:\documents and settings\LOVE\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LOVE\nah_log.dat
c:\windows\kb913800.exe
c:\windows\system32\drivers\tdssserv.sys

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-06-27 )))))))))))))))))))))))))))))))
.

2009-06-27 03:43 . 2009-06-27 03:43 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-27 03:07 . 2009-06-27 03:16 -------- d-----w- c:\program files\Exterminate It!
2009-06-27 00:07 . 2009-06-27 00:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-27 00:04 . 2009-06-27 03:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-27 00:04 . 2009-06-27 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-26 00:54 . 2009-06-26 00:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-25 02:57 . 2009-06-25 02:57 -------- d-----w- c:\documents and settings\Administrator\IETldCache
2009-06-20 18:27 . 2009-06-27 03:43 -------- d-----w- c:\program files\GMATPrep
2009-06-12 01:19 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-12 01:19 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 03:43 . 2008-11-12 06:01 -------- d-----w- c:\documents and settings\LOVE\Application Data\Move Networks
2009-06-27 03:37 . 2008-01-03 07:30 -------- d-----w- c:\documents and settings\LOVE\Application Data\skypePM
2009-06-27 03:31 . 2009-02-01 00:28 -------- d-----w- c:\documents and settings\LOVE\Application Data\Skype
2009-06-27 03:31 . 2009-06-27 03:33 177770 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-06-24 02:57 . 2007-12-15 20:33 32200 ----a-w- c:\documents and settings\LOVE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-20 18:27 . 2007-12-15 20:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-12 03:37 . 2007-12-23 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-13 05:15 . 2006-03-15 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-08 01:31 . 2009-05-08 01:31 127877 ----a-w- c:\documents and settings\LOVE\Application Data\Move Networks\uninstall.exe
2009-05-08 01:31 . 2009-05-01 06:30 4183416 ----a-w- c:\documents and settings\LOVE\Application Data\Move Networks\plugins\npqmp071500000347.dll
2009-05-08 01:31 . 2009-05-08 01:31 1685856 ----a-w- c:\documents and settings\LOVE\Application Data\Move Networks\MoveMediaPlayerWin_071500000347.exe
2009-05-07 15:32 . 2006-03-15 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-04 04:39 . 2009-05-04 04:39 299352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-05-04 04:39 . 2009-05-04 04:39 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-05-04 04:39 . 2009-05-04 04:39 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-04 04:39 . 2009-02-01 18:21 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-04 04:39 . 2009-05-04 04:39 165728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-05-04 04:39 . 2009-05-04 04:39 343888 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-05-04 04:39 . 2009-05-04 04:39 289632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-05-04 04:39 . 2009-05-04 04:39 82784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-05-04 04:38 . 2009-05-04 04:38 1629024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-05-04 04:38 . 2009-05-04 04:38 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-05-04 04:38 . 2009-05-04 04:38 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-05-04 04:38 . 2009-05-04 04:38 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-04 04:38 . 2009-02-01 05:24 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-04 04:38 . 2009-05-04 04:38 632680 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-05-04 04:38 . 2009-05-04 04:37 539512 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-05-04 04:37 . 2009-05-04 04:37 552808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-05-04 04:37 . 2009-05-04 04:37 2324808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-05-04 04:37 . 2009-05-04 04:37 626000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-05-04 04:37 . 2009-05-04 04:37 516440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-05-04 04:37 . 2009-05-04 04:37 953168 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-05-02 22:09 . 2009-05-02 21:24 -------- d-----w- c:\program files\SPSSStudent
2009-05-01 23:12 . 2008-01-16 06:46 -------- d-----w- c:\documents and settings\LOVE\Application Data\Image Zone Express
2009-05-01 06:30 . 2009-05-01 06:30 97144 ----a-w- c:\documents and settings\LOVE\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-04-17 12:26 . 2006-03-15 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2006-03-15 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-11 21:34 . 2009-04-11 21:34 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-03-29 04:25 . 2009-03-29 04:25 69664 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2009-03-29 04:25 . 2009-03-29 04:25 274792 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2009-03-29 04:25 . 2009-03-29 04:25 73064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2008-07-04 03:33 . 2008-07-04 03:07 1283912 ----a-w- c:\program files\WoW-2.3.0.7561-enUS-downloader.exe
2009-05-31 23:50 . 2009-05-31 23:50 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-05-31 23:50 . 2009-05-31 23:50 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-05-31 23:50 . 2009-05-31 23:50 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

------- Sigcheck -------

[-] 2005-03-10 07:49 295424 C29A5286E64D97385178452D5F307B98 c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2006-03-15 12:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtUninstallKB895961$\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-11-30 02:45 295424 !HASH: ERROR_LOCK_VIOLATION ! c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-11-14 1410304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-04 516440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\downloads\Drivers\Printer\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"idsvc"=3 (0x3)
"NMIndexingService"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"odserv"=3 (0x3)
"ose"=3 (0x3)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Downloads\\Photoshop\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\bejeweled 2 deluxe\\WinBej2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sony\\EverQuest\\EQVoiceService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/1/2009 12:24 AM 64160]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [11/14/2007 3:05 PM 455936]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 953168]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [12/15/2007 3:11 PM 20160]
S3 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\downloads\Photoshop\PhotoshopElementsFileAgent.exe [9/11/2007 1:45 AM 124832]
S3 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 3:02 PM 163840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 04:37]

2009-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-NVIDIA nTune - c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\LOVE\Application Data\Mozilla\Firefox\Profiles\jysjgdve.default\
FF - prefs.js: browser.startup.homepage - hxxp://mymcneese.mcneese.edu/cp/home/loginf
FF - plugin: c:\documents and settings\LOVE\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-26 22:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3768)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\rundll32.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\downloads\Drivers\Printer\Digital Imaging\bin\hpqste08.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-06-27 23:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-27 04:01

Pre-Run: 182,338,371,584 bytes free
Post-Run: 183,190,642,688 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=AlwaysOff /fastdetect

211 --- E O F --- 2009-06-12 03:37

chiaz

Spyware Mod

1,219 Posts

27 Jun 2009, 5:31am

Please open Notepad
Click Start, then Run
Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:

http://icrontic.com/forum/showthread.php?p=693356

Suspect::
c:\windows\system32\termsrv.dll

FCopy::
c:\windows\ServicePackFiles\i386\termsrv.dll|c:\windows\system32\termsrv.dll

Save the above as CFScript.txt.

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Post the fresh log in your reply.

**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.
A browser will open. DO NOT close that browser.
Simply follow the instructions to copy/paste/send the requested file.

sneekypeeks

New to the neighborhood

4 Posts

27 Jun 2009, 10:32pm

ComboFix 09-06-26.02 - LOVE 06/27/2009 16:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1456 [GMT -5:00]
Running from: c:\documents and settings\LOVE\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\LOVE\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

file zipped: c:\windows\system32\Suspect_termsrv.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\termsrv.dll --> c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-06-27 )))))))))))))))))))))))))))))))
.

2009-06-27 04:00 . 2009-06-27 04:00 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-27 03:43 . 2009-06-27 03:43 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-27 03:07 . 2009-06-27 03:16 -------- d-----w- c:\program files\Exterminate It!
2009-06-27 00:07 . 2009-06-27 00:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-27 00:04 . 2009-06-27 03:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-27 00:04 . 2009-06-27 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-26 00:54 . 2009-06-26 00:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-25 02:57 . 2009-06-25 02:57 -------- d-----w- c:\documents and settings\Administrator\IETldCache
2009-06-20 18:27 . 2009-06-27 03:43 -------- d-----w- c:\program files\GMATPrep
2009-06-12 01:19 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-12 01:19 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 21:06 . 2008-01-03 07:30 -------- d-----w- c:\documents and settings\LOVE\Application Data\skypePM
2009-06-27 03:43 . 2008-11-12 06:01 -------- d-----w- c:\documents and settings\LOVE\Application Data\Move Networks
2009-06-27 03:31 . 2009-02-01 00:28 -------- d-----w- c:\documents and settings\LOVE\Application Data\Skype
2009-06-27 03:31 . 2009-06-27 03:33 177770 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-06-24 02:57 . 2007-12-15 20:33 32200 ----a-w- c:\documents and settings\LOVE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-20 18:27 . 2007-12-15 20:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-12 03:37 . 2007-12-23 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-13 05:15 . 2006-03-15 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-08 01:31 . 2009-05-08 01:31 127877 ----a-w- c:\documents and settings\LOVE\Application Data\Move Networks\uninstall.exe
2009-05-08 01:31 . 2009-05-01 06:30 4183416 ----a-w- c:\documents and settings\LOVE\Application Data\Move Networks\plugins\npqmp071500000347.dll
2009-05-08 01:31 . 2009-05-08 01:31 1685856 ----a-w- c:\documents and settings\LOVE\Application Data\Move Networks\MoveMediaPlayerWin_071500000347.exe
2009-05-07 15:32 . 2006-03-15 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-04 04:39 . 2009-05-04 04:39 299352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-05-04 04:39 . 2009-05-04 04:39 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-05-04 04:39 . 2009-05-04 04:39 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-04 04:39 . 2009-02-01 18:21 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-04 04:39 . 2009-05-04 04:39 165728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-05-04 04:39 . 2009-05-04 04:39 343888 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-05-04 04:39 . 2009-05-04 04:39 289632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-05-04 04:39 . 2009-05-04 04:39 82784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-05-04 04:38 . 2009-05-04 04:38 1629024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-05-04 04:38 . 2009-05-04 04:38 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-05-04 04:38 . 2009-05-04 04:38 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-05-04 04:38 . 2009-05-04 04:38 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-04 04:38 . 2009-02-01 05:24 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-04 04:38 . 2009-05-04 04:38 632680 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-05-04 04:38 . 2009-05-04 04:37 539512 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-05-04 04:37 . 2009-05-04 04:37 552808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-05-04 04:37 . 2009-05-04 04:37 2324808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-05-04 04:37 . 2009-05-04 04:37 626000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-05-04 04:37 . 2009-05-04 04:37 516440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-05-04 04:37 . 2009-05-04 04:37 953168 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-05-02 22:09 . 2009-05-02 21:24 -------- d-----w- c:\program files\SPSSStudent
2009-05-01 23:12 . 2008-01-16 06:46 -------- d-----w- c:\documents and settings\LOVE\Application Data\Image Zone Express
2009-05-01 06:30 . 2009-05-01 06:30 97144 ----a-w- c:\documents and settings\LOVE\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-04-17 12:26 . 2006-03-15 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2006-03-15 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-11 21:34 . 2009-04-11 21:34 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2008-07-04 03:33 . 2008-07-04 03:07 1283912 ----a-w- c:\program files\WoW-2.3.0.7561-enUS-downloader.exe
2009-05-31 23:50 . 2009-05-31 23:50 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-05-31 23:50 . 2009-05-31 23:50 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-05-31 23:50 . 2009-05-31 23:50 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-27_03.56.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-27 04:00 . 2008-10-16 20:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-27 04:00 . 2008-04-14 00:12 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-27 04:00 . 2008-04-14 00:12 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-27 04:00 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-27 04:00 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-27 04:00 . 2008-04-14 00:12 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-27 04:00 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-27 04:00 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-27 04:00 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-27 04:00 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2007-12-15 19:51 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\termsrv.dll
+ 2009-06-27 04:00 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-27 04:00 . 2009-05-13 05:15 915456 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-27 04:00 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-27 04:00 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-27 04:00 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-27 04:00 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-27 04:00 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-27 04:00 . 2008-04-14 00:11 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-27 04:00 . 2008-04-14 00:11 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2009-06-27 04:00 . 2008-04-14 00:12 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-27 04:00 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-27 04:00 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-27 04:00 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-11-14 1410304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-04 516440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\downloads\Drivers\Printer\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"idsvc"=3 (0x3)
"NMIndexingService"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"odserv"=3 (0x3)
"ose"=3 (0x3)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Downloads\\Photoshop\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\bejeweled 2 deluxe\\WinBej2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sony\\EverQuest\\EQVoiceService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/1/2009 12:24 AM 64160]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [11/14/2007 3:05 PM 455936]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 953168]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [12/15/2007 3:11 PM 20160]
S3 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\downloads\Photoshop\PhotoshopElementsFileAgent.exe [9/11/2007 1:45 AM 124832]
S3 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 3:02 PM 163840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 04:37]

2009-06-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\LOVE\Application Data\Mozilla\Firefox\Profiles\jysjgdve.default\
FF - prefs.js: browser.startup.homepage - hxxp://mymcneese.mcneese.edu/cp/home/loginf
FF - plugin: c:\documents and settings\LOVE\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-27 16:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3668)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-27 16:30
ComboFix-quarantined-files.txt 2009-06-27 21:29
ComboFix2.txt 2009-06-27 04:01

Pre-Run: 183,257,333,760 bytes free
Post-Run: 183,238,307,840 bytes free

207 --- E O F --- 2009-06-12 03:37
Upload was successful

The virus alert did not show up when I restarted my computer this morning.

chiaz

Spyware Mod

1,219 Posts

28 Jun 2009, 1:46am

Log looks fine to me!

Run your computer for a day or so; if everything is running fine please return and let me know so that we can close this thread.

We can also have you run another scanner just to make sure things are clean.

Let me know, it's your choice.

sneekypeeks

New to the neighborhood

4 Posts

28 Jun 2009, 3:33am

Thank you very much for all of your help! I will let you know Monday or so how it is running.

chiaz

Spyware Mod

1,219 Posts

28 Jun 2009, 7:58am

You're welcome. Waiting to hear from you.

Katana

MRU Expert

1,682 Posts

16 Jul 2009, 9:18pm

Inactive

Whilst we appreciate that you may be busy, it has been 5 days or more since we heard from you. This topic is now closed. Infections can change and fresh instructions will now need to be given. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread. If you are not the user who started this thread, you must start your own Thread instead

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Please Help! Ursnif.A and Ursnif.B	djp200	Resolved / Inactive	9	28 Jun 2009 9:51pm
Help! Trojan ursnif.A	drkdx64	Resolved / Inactive	6	27 Jun 2009 11:52am
Help: Ursnif.A virus	apezam	Resolved / Inactive	10	27 Jun 2009 3:59am
VirTool:Win32/Ursnif.A	cpaz	Resolved / Inactive	16	20 Jun 2009 7:58pm
Ursnif Virus Warning	romaniaamir	Resolved / Inactive	40	4 Jun 2009 10:09am

		Icrontic Forums > Malware Help > Spyware & Virus Removal > Resolved / Inactive
Ursnif.A

Jump to

This Thread	Search this Thread
Print Email	Search this Thread: Advanced Search

Username
Password	Forgot?
Remember me