ESS & spy.ursnif.a trojan

Discussion in 'ESET Smart Security' started by whscott, Jun 25, 2009.

Thread Status:
Not open for further replies.
  1. whscott (Registered Member; joined Mar 18, 2005; 15 posts)
    Where is ESET support on this? ESS & spy.ursnif.a trojan

    ESS just started reporting this yesterday. It will not remove it. How did ESS allow this on my computer? I restored my system from a backup of three weeks ago, when I was not getting the ESS alerts, yet I am still getting the threat alert when I boot into the 3-week-old restore. Please help me get rid of this trojan! ESS V4.0.417.0.

    Thanks
     
    Last edited: Jun 26, 2009
  2. BFG (Registered Member; joined Oct 27, 2004; 482 posts; San Diego)
    Hello,

    It might be that the file was there all the time but the definition was just added.

    You could run a SysInspector scan and look for the infected object in the log. What was the infected object and what tried to run the file?

    BFG
     
  3. whscott (Registered Member; joined Mar 18, 2005; 15 posts)
    The threat alert comes up using the definition file of May 31, 2009 before ESS has a chance to update definitions.
     
  4. BFG (Registered Member; joined Oct 27, 2004; 482 posts; San Diego)
    Hi whscott,

    Where's it located (complete path) and what triggered it? What exactly does an On-demand scan say is being done with it when it's found?

    BFG
     
  5. whscott (Registered Member; joined Mar 18, 2005; 15 posts)
    From Microsoft:

    TrojanSpy:Win32/Ursnif.gen!H is the generic detection for a trojan that modifies certain system files and settings. It steals information, such as Operating System details and user passwords, which it then sends back to remote servers.


    The threat alert comes up whenever a system file or program file is executed. The only location shown is the location of the system or program file. I (and apparently ESS) have no idea where the main infection is.

    Microsoft lists a location for a particular file and some registry entries but they either do not exist or are hidden and cannot be seen even if show hidden files is active.

    Thanks for your help!
     
  6. Kabigon (Registered Member; joined Aug 19, 2007; 11 posts)
    I seem to be having this problem too. But instead of ESS, my NOD32 is detecting problems from C:\Windows\system32\winlogon.exe and termsrv.dll with "win32/spy.ursnif.a" whenever I try to open anything. I am not sure what's going on. I tried running several other spyware removal programs such as SAS and MBAM. Got nothing, but this error will not go away. It just started as of yesterday (June 24) as well.
     
  7. BFG (Registered Member; joined Oct 27, 2004; 482 posts; San Diego)
    Hello,

    You should send a log from ESET SysInspector to samples[at]eset.com with this thread's URL in the subject. They'll follow up on it.

    BFG
     
  8. TwoLegit (Registered Member; joined Jun 26, 2009; 1 post)
    I, too, have recently encountered this problem. I have run my computer in safe mode and have scanned it with many programs (MWAB, SAS, Dr. Web CureIt, etc). The most concise information about the virus I've seen is Microsoft's Encyclopedia entry on TrojanSpy:Win32/Ursnif.gen!H (as was referenced above). In safe mode, I went ahead and manually changed the two registry entries concerning TSSessions & Remote Desktop. Microsoft recommended their program Windows Live OneCare, and although I've never heard great things about the product, I allowed my infected computer internet access (I was wary but had no alternatives aside from reformatting) in order for it to complete installation. It detected Spy.Ursnif.A and is attempting to clean it; however, it needs to be restarted to clean it. After restarting, it detected it and tried to clean it again. I'm not sure if I'm being reinfected or if it never actually cleaned it, but it's done more than other programs have done and that's a start. So my recommendation is to give Windows Live OneCare's free trial a shot at it and see how it goes...

    Note: After installing Windows Live OneCare and rebooting, I no longer get the pop-up notification from NOD32 (perhaps progress, we shall see).
     
  9. Kabigon (Registered Member; joined Aug 19, 2007; 11 posts)
    Here's an update. After visiting the Microsoft page and looking at some of the settings, I think I am infected. I notice that when I change the registry settings, another account appears in the fast-switch user screen. So I am pretty sure I am infected. But it's strange that neither I nor NOD32 can get rid of it. The virus is infecting the two files I mentioned above, or at least manifesting itself in them. I am not sure where the root or source cause is. I might just as well format the computer. *sigh*
     
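One way to triage the two files named in this thread before deciding on a rebuild, added here as an example and not code from the thread, ESET or Microsoft: compare each live copy in system32 with the Windows File Protection copy in dllcache and record its Authenticode status. It assumes a Windows XP/2003 host with PowerShell 2.0 or later and the default dllcache location; the file names are the ones reported above.

```powershell
# Added example (not from the thread or ESET): compare the two files NOD32 flagged
# with the Windows File Protection copies in dllcache and report Authenticode status.
# Assumes Windows XP/2003 with PowerShell 2.0+; dllcache path is the WFP default.
$sys32 = "$env:SystemRoot\system32"
$names = @("winlogon.exe", "termsrv.dll")   # files reported in this thread

function Get-Sha256Hex([string]$path) {
    # SHA-256 via .NET so this also works on PowerShell 2.0 (no Get-FileHash there)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ($bytes | ForEach-Object { $_.ToString("x2") }) -join ""
}

foreach ($n in $names) {
    $live  = Join-Path $sys32 $n
    $cache = Join-Path $sys32 "dllcache\$n"
    if (-not (Test-Path $live)) { Write-Output "$n : not found in system32"; continue }

    $liveHash = Get-Sha256Hex $live
    $sig = Get-AuthenticodeSignature -FilePath $live
    Write-Output ("{0}: size={1} sha256={2} sig={3}" -f $n, (Get-Item $live).Length, $liveHash, $sig.Status)

    if (Test-Path $cache) {
        $cacheHash = Get-Sha256Hex $cache
        if ($cacheHash -ne $liveHash) {
            # A differing hash means the live file was changed after installation or service pack
            Write-Output "  MISMATCH with dllcache copy (sha256=$cacheHash)"
        } else {
            Write-Output "  matches dllcache copy"
        }
    } else {
        Write-Output "  no dllcache copy to compare against"
    }
}
```

On XP most system binaries are catalog-signed rather than embedded-signed, so Get-AuthenticodeSignature reports NotSigned even for clean files; the dllcache mismatch is the meaningful signal here, and a tampered dllcache copy would mask it, so confirm against the installation media as the original poster did.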
  10. whscott (Registered Member; joined Mar 18, 2005; 15 posts)
    Problem fixed!

    Ran system rescue overnight; it found the 2 infected system files and allowed me to delete them. System would not boot (naturally), so I ran system repair from the XP installation disk. So far, so good! :D
     