
Thread: S&D unable to successfully remove "Win32.Small.dp" and "Nat"

  1. #1
    Junior Member
    Join Date
    Apr 2007
    Posts
    15

    S&D unable to successfully remove "Win32.Small.dp" and "Nat"

    pskelley asked me to post this, as we're interested in getting feedback from experts on the Spybot S&D program since we *may* have run into a new variant.

    A link to my other post with all the exact history and scan logs is attached below, but in a nutshell the issue is that I was virused by a hostile website that uploaded something(?) onto my PC. I believe most of that *something* was removed/blocked by my AV (Symantec Corporate) and S&D. However, when running S&D I repeatedly find two HKEY_USERS entries for Nat and one for Win32.Small.dp, and they still show up after fixing/cleaning and then rebooting. Also, AVG 7.5 scans reveal Proxy.Small.ck in memory ([2808] VM_00BF0000). No other signs of attack are showing (no error messages, no reduced functionality), but I'm afraid of what's around the corner as long as these problems keep showing up on the scans. Please help if you can. Thanks!

    Here's a link to the previous post: http://forums.spybot.info/showthread...7866#post77866

    As requested, here is a copy of my uninstall list. After that will be the S&D log for everything that occurred since the initial attack:

    ACT! 2000
    ActiveFax
    Ad-Aware SE Personal
    Adobe Acrobat 7.0.9 Professional
    Adobe Flash Player 9 ActiveX
    AVG Anti-Spyware 7.5
    Canon FAXPHONE L75
    Compline Assistant 32-bit
    EVGA Display Driver
    Forms Boss Plus 5.2
    Google Earth
    GoToMyPC
    HijackThis 1.99.1
    InStar SR-8.1.2 Update
    InStar SR-8.2.4 Update
    Intel(R) Graphics Media Accelerator Driver
    IsOffice v1.8.2
    iTunes
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2
    LiveReg (Symantec Corporation)
    LiveUpdate 1.80 (Symantec Corporation)
    Logitech SetPoint
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0
    Microsoft Office Small Business Edition 2003
    Nero BurnRights
    Nero OEM
    Panda ActiveScan
    PowerDVD
    QuickBooks Pro 2000
    QuickTime
    Security Task Manager 1.7
    Security Update for Microsoft .NET Framework 2.0 (KB917283)
    Security Update for Microsoft .NET Framework 2.0 (KB922770)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911280)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929969)
    Spybot - Search & Destroy 1.4
    SpywareBlaster v3.5.1
    Symantec AntiVirus Client
    Symantec pcAnywhere
    TimePilot 2.76
    Timepilot V2.54
    Timepilot V2.57
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB931836)
    Watchtower Library 2006 - English Edition
    Winamp (remove only)
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781

    S&D log
    NOTE: To conserve space I deleted the repetitions of the first entry except for the first and last, as these are identical but occurred hundreds of times before I figured out what was causing them (winlogon.exe) and stopped it.

    4/1/2007 9:45:47 PM Denied value "Firewall auto setup" (new data: "C:\DOCUME~1\LARRYS~1\LOCALS~1\Temp\winlogon.exe") added in System Startup user entry!
    4/2/2007 12:26:16 AM Denied value "Firewall auto setup" (new data: "C:\DOCUME~1\LARRYS~1\LOCALS~1\Temp\winlogon.exe") added in System Startup user entry!
    4/2/2007 12:49:02 AM Allowed value "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}" (new data: "") deleted in Browser Helper Object!
    4/2/2007 1:43:16 AM Allowed value "" (new data: "") deleted in System Startup global entry!
    4/2/2007 1:44:19 AM Allowed value "QuickTime Task" (new data: "") deleted in System Startup global entry!
    4/2/2007 1:46:30 AM Allowed value "" (new data: "") added in System Startup global entry!
    4/2/2007 1:46:42 AM Allowed value "" (new data: "") deleted in System Startup global entry!
    4/2/2007 1:59:53 AM Allowed value "Search Bar" (new data: "") deleted in Browser page!
    4/2/2007 2:00:09 AM Allowed value "Start Page" (new data: "about:blank") changed in Browser page!
    4/2/2007 2:00:48 AM Allowed value "SearchAssistant" (new data: "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm") changed in Browser page!
    4/2/2007 2:00:54 AM Allowed value "load" (new data: "") deleted in NT startup!
    4/2/2007 2:01:00 AM Allowed value "scrnsave.exe" (new data: "") deleted in Desktop settings!
    4/2/2007 2:09:25 AM Allowed value "AVG7_Run" (new data: "C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE") added in System Startup user entry!
    4/2/2007 2:09:28 AM Allowed value "AVG7_CC" (new data: "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP") added in System Startup global entry!
    4/2/2007 2:41:34 AM Allowed value "AVG7_Run" (new data: "") deleted in System Startup user entry!
    4/2/2007 3:32:22 AM Allowed value "SpybotSnD" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
    4/2/2007 4:57:56 AM Allowed value "{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}" (new data: "") added in ActiveX Distribution Unit!
    4/2/2007 5:03:19 AM Denied value "{EFA24E62-B078-11D0-89E4-00C04FC9E26E}" (new data: "") added in User-specific browser toolbar!
    4/4/2007 9:06:42 AM Allowed value "{EFA24E61-B078-11D0-89E4-00C04FC9E26E}" (new data: "") added in User-specific browser toolbar!
    4/4/2007 10:53:47 AM Allowed value "{EFA24E62-B078-11D0-89E4-00C04FC9E26E}" (new data: "") added in User-specific browser toolbar!


    Please let me know if you see what might be causing this. Thanks!

  2. #2
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,879


    I personally have no idea what the detections "Nat" and "Win32.Small.dp" are.

    From Spybot's update history:

    The detection for "Nat" appears to have been added 2005-11-04 and last updated 2006-02-17. "Win32.Small.dp" appears to have been added 2006-05-02 and not updated since.

    If you post a log of the actual Spybot detections you are getting, perhaps someone can tell you more. To do that:
    • Run another scan.
    • When the scan completes, right click on the results list, select "Copy results to clipboard".
    • Then paste (Ctrl+V) those results to a new post in this thread.

    re: The following denied startup entries:

    Code:
    4/1/2007 9:45:47 PM Denied value "Firewall auto setup" (new data: "C:\DOCUME~1\LARRYS~1\LOCALS~1\Temp\winlogon.exe") added in System Startup user entry!
    4/2/2007 12:26:16 AM Denied value "Firewall auto setup" (new data: "C:\DOCUME~1\LARRYS~1\LOCALS~1\Temp\winlogon.exe") added in System Startup user entry!
    Although the location of "winlogon.exe" is different, those startup entries look remarkably similar to the following CastleCops startup entry listing:

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
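The comparison md usa spybot fan makes by eye above (a "winlogon.exe" startup entry whose path is not the Windows directory) can be automated over the S&D resident log. This is an added example, not code from the thread or from Spybot: a parser for the log format shown in this thread that flags System Startup entries whose executable borrows a Windows system-process name but runs from outside the Windows directory, or runs from a Temp folder. The process-name set and the directory prefixes are assumptions; the first sample line is quoted from the thread, the others are constructed in the same format.

```python
import re
from typing import Dict, List, Tuple

# Spybot S&D resident-log lines. The first is quoted from the thread; the
# others are constructed samples in the same format.
SAMPLE_LOG = r'''
4/1/2007 9:45:47 PM Denied value "Firewall auto setup" (new data: "C:\DOCUME~1\LARRYS~1\LOCALS~1\Temp\winlogon.exe") added in System Startup user entry!
4/2/2007 2:09:28 AM Allowed value "AVG7_CC" (new data: "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP") added in System Startup global entry!
4/2/2007 3:32:22 AM Allowed value "SpybotSnD" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
4/2/2007 1:44:19 AM Allowed value "QuickTime Task" (new data: "") deleted in System Startup global entry!
4/2/2007 2:00:09 AM Allowed value "Start Page" (new data: "about:blank") changed in Browser page!
'''

LINE_RE = re.compile(
    r'^(?P<when>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<verdict>Allowed|Denied) value '
    r'"(?P<name>[^"]*)" \(new data: "(?P<data>.*)"\) '
    r'(?P<action>added|deleted|changed) in (?P<where>.+)!$')
# First executable in "new data"; the leading quote is optional because quoted
# "C:\Program Files\..." paths also appear in the log.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)\b', re.IGNORECASE)

# Assumed: names malware borrows from real Windows processes (winlogon.exe is
# the one in this thread) and the directories the real ones run from on XP.
SYSTEM_PROCESS_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\winnt\\")

def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every well-formed line into its named fields; others are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def assess(entry: Dict[str, str]) -> List[str]:
    """Return why a startup entry deserves a look (empty list = unremarkable)."""
    reasons: List[str] = []
    m = EXE_RE.match(entry["data"])
    if not entry["where"].startswith("System Startup") or not m:
        return reasons
    path = m.group("path")
    base = path.rsplit("\\", 1)[-1].lower()
    if base in SYSTEM_PROCESS_NAMES and not path.lower().startswith(SYSTEM_DIRS):
        reasons.append(f"{base} is a system process name but runs from {path}")
    if "\\temp\\" in path.lower():
        reasons.append("executable is launched from a Temp directory")
    return reasons

def suspicious_startup_entries(text: str) -> List[Tuple[str, str, List[str]]]:
    """(verdict, startup value name, reasons) for each flagged entry, in log order."""
    return [(e["verdict"], e["name"], r) for e in parse_log(text) if (r := assess(e))]
```

Only the denied "Firewall auto setup" entry is flagged, for both reasons; the AVG and Spybot entries pass because their executables carry their own names and live under Program Files.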

  3. #3
    Junior Member
    Join Date
    Apr 2007
    Posts
    15


    Thanks for helping, MD. Here's what a fresh S&D scan shows:


    Nat: Settings (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-2009023888-1003630021-121160640-1007\Software\Microsoft\Internet Explorer\Desktop\host

    Nat: Settings (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-2009023888-1003630021-121160640-1007\Software\Microsoft\Internet Explorer\Desktop\id

    Win32.Small.dp: Settings (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-2009023888-1003630021-121160640-1007\Software\Microsoft\Internet Explorer\Security\host


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2006-02-20 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2006-02-06 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2007-01-02 Tools.dll (2.0.1.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2007-04-04 Includes\Cookies.sbi (*)
    2006-12-08 Includes\Dialer.sbi (*)
    2007-04-04 Includes\DialerC.sbi (*)
    2007-04-04 Includes\Hijackers.sbi (*)
    2007-04-04 Includes\HijackersC.sbi (*)
    2006-10-27 Includes\Keyloggers.sbi (*)
    2007-04-04 Includes\KeyloggersC.sbi (*)
    2007-03-21 Includes\Malware.sbi (*)
    2007-04-04 Includes\MalwareC.sbi (*)
    2007-03-21 Includes\PUPS.sbi (*)
    2007-04-04 Includes\PUPSC.sbi (*)
    2007-04-04 Includes\Revision.sbi (*)
    2006-12-08 Includes\Security.sbi (*)
    2007-04-04 Includes\SecurityC.sbi (*)
    2007-03-21 Includes\Spybots.sbi (*)
    2007-04-04 Includes\SpybotsC.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2007-04-04 Includes\Trojans.sbi (*)
    2007-04-04 Includes\TrojansC.sbi (*)

    Ideas?

  4. #4
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,879


    Zenobia pointed out the following:

    The registry entries picked up by Spybot as well as the startup entry that you denied match the registry entries in that article.

    This Security Alert by AplusWebMaster

    Led me to this F-Secure write-up:

    I have asked someone to follow up with you to see if we can resolve your problem.


  5. #5
    Junior Member
    Join Date
    Apr 2007
    Posts
    15


    Thanks md and thanks too to Zenobia!

    I read the articles and see the connection, but I don't recall any advertisements for IE7, so if this is similar it's now a different skin.

    Thanks for having someone follow up w/me, I'll look for the next post! In the meantime, did anyone look at the other post mentioned above and see the log from the Rootkit Revealer scan that found so many notable entries just hours after the initial attack? Is this just coincidence?

  6. #6
    Junior Member
    Join Date
    Apr 2007
    Posts
    15


    Here's the post again, just for convenience: http://forums.spybot.info/showthread...7866#post77866

  7. #7
    Junior Member
    Join Date
    Apr 2007
    Posts
    15


    Correction, that's now a dead link. Here's the right one: http://forums.spybot.info/showthread...7866#post77866

    The Rootkit Revealer log is in the third post in the thread.

  8. #8
    Retired
    Join Date
    Oct 2005
    Posts
    600


    Hello,
    these keys left by Spybot look like a false positive. But I think the products are from 2005 and 2006, as md posted in one of the threads before. I am out of the office because of Easter, so I cannot say for sure that it is a false positive.
    We will try to find the problem before the next update, scheduled for Wednesday. If it is a false positive we will fix it then.

    Hope I could help you a little bit,
    regards

    Markus
    Team Spybot

  9. #9
    Junior Member
    Join Date
    Apr 2007
    Posts
    2


    Hi

    I have the same problem, where I can't remove win32.small.dp and nat identified by S&D. I also have a virus, proxy.small.ct, that can be removed with the ewido online scanner but reloads itself back into memory. My gut feeling is the two issues are related. I have tried the various suggestions in the thread but with no luck, and my HJT log looks OK. I was just wondering whether anyone managed to get to the bottom of the problem.

    Thanks in advance

    Tricky006

  10. #10
    Junior Member
    Join Date
    Apr 2007
    Posts
    15


    I just downloaded the update to S&D and scanned, which found the same problems again and "fixed" them. I then rebooted and scanned again, and again found the same problems. Still no other symptoms, but I still need to get rid of these issues. Any recommendations?

    Thanks!
