Categories: SpyTrojan

How to remove “TrojanSpy:Win32/Ursnif.HP!bit”?

The TrojanSpy:Win32/Ursnif.HP!bit is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
DOWNLOAD NOW
6-day free trial available.

What TrojanSpy:Win32/Ursnif.HP!bit virus can do?

  • Executable code extraction
  • Injection with CreateRemoteThread in a remote process
  • Creates RWX memory
  • Attempts to connect to a dead IP:Port (10 unique times)
  • Reads data out of its own binary image
  • A process created a hidden window
  • Drops a binary and executes it
  • Performs some HTTP requests
  • Uses Windows utilities for basic functionality
  • A system process is generating network traffic likely as a result of process injection
  • Installs itself for autorun at Windows startup
  • Attempts to modify proxy settings
  • Creates a copy of itself
  • Harvests information related to installed mail clients
  • Creates a slightly modified copy of itself
  • Anomalous binary characteristics

Related domains:

z.whorecord.xyz
a.tomx.xyz
resolver1.opendns.com
myip.opendns.com
artkar.it
dsnmont.at
www.artkar.it
ceyanor.at
exolink.at
advanceroyaltysolutions.com
ilisso.com
www.ilisso.com
gabrielecella.com
www.gabrielecella.com
madeinitalysolutions.com
www.madeinitalysolutions.com
lucchesecomputers.eu
www.lucchesecomputers.eu
moonlock.at

How to determine TrojanSpy:Win32/Ursnif.HP!bit?



File Info:

crc32: 350C449Amd5: 61d8698595c4a204ad6c47a5f0dab52ename: 61D8698595C4A204AD6C47A5F0DAB52E.mlwsha1: 4b2483cc97c57fcaf5476d3c99f3508cd1137440sha256: 519d8daf54b20fa64bc36afffcaa36f66327d34cb2d6b20fb289e9741ff69d08sha512: 1c0eaf6730de8d87d8902e1273d9fbcf8dbafe7c5234d8afab3d03a768f8c8e803d2b8849ef4566d428ec2e62b0d29eb7330d1bb6f2da7b7215830c992e53a72ssdeep: 6144:PwRwrDT1VfnN4sHrXy0yjOflISwEhOA9X9/gI0jqLs0gdiydPbxDka:PwRwr9VfnzTylKlnF9XhC0g7Ftype: PE32 executable (GUI) Intel 80386, for MS Windows

Version Info:

LegalCopyright: Copyright (C) 2003 Ind Software Corp.          InternalName: ffff.exeFileVersion: 1.00.0000                                                    CompanyName: SmartSound Software Inc                                     Comments:                                                             ProductName: SmartSound Music Library for Pinnacle                                ProductVersion: 1.00.0000                                                   FileDescription: fsdffdrtteter                                             OriginalFilename: ffff.exeTranslation: 0x0409 0x04e4

TrojanSpy:Win32/Ursnif.HP!bit also known as:

Bkav W32.AIDetect.malware1
MicroWorld-eScan Trojan.GenericKD.43597998
FireEye Generic.mg.61d8698595c4a204
ALYac Trojan.GenericKD.43597998
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
AegisLab Trojan.Win32.Foreign.j!c
Sangfor Ransom.Win32.Foreign.niqs
K7AntiVirus Trojan ( 0055dd191 )
BitDefender Trojan.GenericKD.43597998
K7GW Trojan ( 0055dd191 )
Cybereason malicious.595c4a
Symantec Packed.Generic.521
APEX Malicious
Avast Win32:Malware-gen
Kaspersky Trojan-Ransom.Win32.Foreign.niqs
Alibaba Ransom:Win32/Foreign.f9694838
NANO-Antivirus Trojan.Win32.RiskGen.ejqpzl
Rising Ransom.Foreign!8.292 (C64:YzY0Oiz/m53dwe0+)
Ad-Aware Trojan.GenericKD.43597998
Sophos Mal/Generic-S
F-Secure Trojan.TR/Crypt.XPACK.ltllm
DrWeb Trojan.PWS.Papras.2514
TrendMicro WORM_HPKASIDET.SM0
McAfee-GW-Edition BehavesLike.Win32.Dropper.gh
Emsisoft Trojan.GenericKD.43597998 (B)
Ikarus Trojan.Win32.Lethic
Jiangmin Trojan.Foreign.gwb
Webroot W32.Trojan.Gen
Avira TR/Crypt.XPACK.ltllm
MAX malware (ai score=88)
Antiy-AVL Trojan[Ransom]/Win32.Foreign
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft TrojanSpy:Win32/Ursnif.HP!bit
Arcabit Trojan.Generic.D29940AE
ZoneAlarm Trojan-Ransom.Win32.Foreign.niqs
GData Trojan.GenericKD.43597998
Cynet Malicious (score: 90)
McAfee Artemis!61D8698595C4
TACHYON Ransom/W32.Foreign.475136
VBA32 TrojanRansom.Foreign
Malwarebytes Generic.Malware/Suspicious
Panda Trj/GdSda.A
ESET-NOD32 a variant of Win32/Kryptik.FTMZ
TrendMicro-HouseCall WORM_HPKASIDET.SM0
Tencent Win32.Trojan.Foreign.Wozw
Yandex Trojan.GenAsa!EDackJAd2bM
eGambit Unsafe.AI_Score_74%
Fortinet W32/Kryptik.FKLI!tr
BitDefenderTheta Gen:NN.ZexaF.34590.Dq0@aqOrz@li
AVG Win32:Malware-gen
Paloalto generic.ml
CrowdStrike win/malicious_confidence_100% (D)
Qihoo-360 Win32/Trojan.Foreign.HwoCGS8A

How to remove TrojanSpy:Win32/Ursnif.HP!bit?

  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.
Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

Leave a Comment
Share
Published by
Paul Valéry
Tags: a.tomx.xyzadvanceroyaltysolutions.comartkar.itceyanor.atdsnmont.atexolink.atffff.exegabrielecella.comilisso.comlucchesecomputers.eumadeinitalysolutions.commoonlock.atmyip.opendns.comresolver1.opendns.comTrojanSpy:Win32/Ursnif.HP!bitwww.artkar.itwww.gabrielecella.comwww.ilisso.comwww.lucchesecomputers.euwww.madeinitalysolutions.comz.whorecord.xyz
3 years ago

Recent Posts

Troj/Luder-A information

The Troj/Luder-A is considered dangerous by lots of security experts. When this infection is active,…

7 mins ago

How to remove “Malware.AI.2017919460”?

The Malware.AI.2017919460 is considered dangerous by lots of security experts. When this infection is active,…

28 mins ago

Should I remove “Malware.AI.2861677099”?

The Malware.AI.2861677099 is considered dangerous by lots of security experts. When this infection is active,…

1 hour ago

Malware.AI.4183435755 information

The Malware.AI.4183435755 is considered dangerous by lots of security experts. When this infection is active,…

2 hours ago

Dropped:Application.Generic.3571726 removal instruction

The Dropped:Application.Generic.3571726 is considered dangerous by lots of security experts. When this infection is active,…

2 hours ago

What is “Trojan.Generic.35245150”?

The Trojan.Generic.35245150 is considered dangerous by lots of security experts. When this infection is active,…

2 hours ago