PDA

View Full Version : S&D still showing Win32.Small.dp and Nat after "fixing"...



Rupin
2007-04-02, 15:49
Hello, would appreciate help on the following: After running S&D and it finding & fixing 2 HKEY_USERS entries for Nat & 1 for Win32.Small.dp, they still show up after rebooting.

Have followed instructions in BEFORE YOU POST, so here are the logs (nothing solved by running S&D in Safe mode):

(Pandasoftware ActiveScan)

Incident Status Location

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Larry St John\Cookies\larry st john@atwola[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Larry St John\Cookies\larry st john@burstnet[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Larry St John\Cookies\larry st john@com[1].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Larry St John\Cookies\larry st john@entrepreneur[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Larry St John\Cookies\larry st john@go[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Larry St John\Cookies\larry st john@www.burstbeacon[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Larry St John\Cookies\larry st john@xiti[1].txt
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\Outlookbkup\PSKILL.EXE
Here's the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 5:45:44 AM, on 4/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ActiveFax\Client\ActFaxClient.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TimePilot Applications\Time and Attendance\InOut.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ActiveFax Client] C:\Program Files\ActiveFax\Client\ActFaxClient.exe -Autostart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: In-Out Manager.lnk = C:\Program Files\TimePilot Applications\Time and Attendance\InOut.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (CitrixOnline GoToMeeting Downloader) - https://www.gotomeeting.com/default/applets/g2mdlax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


Any help on how to clean this up is appreciated. Thanks!
Larry

pskelley
2007-04-03, 18:09
Welcome to the forum, I see nothing but cookies and what looks like this: http://www.microsoft.com/technet/sysinternals/utilities/pskill.mspx
being id'ed as a pup by Panda. In the HJT log I see nothing except a Java program that needs an update. What exactly is the malware problem you are having.

I see here: http://securityticker.blogspot.com/2006/05/spybot-search-and-destroy-has-update.html
Trojan: SpywareQuake, Pimasoft.Spy Sniper, Win32.Small.ama, Win32.Horst.o, Win32.Agent.io, Win32.PdPinch.ce, Win32.Small.dp, Win32.Small.hi, Win32.KillAV.hd, Win32.Agent.air
That item was added to Spybot on Tuesday, May 02, 2006 and I have no idea what this is: Nat

Are you sure your databases are up to date? If you have malware issues please give me more information about them, including symptoms and any error messages you are receiving word for word.
If you are up to date with Spybot and are still having issues with the Spybot results, post those questions here:
http://forums.spybot.info/forumdisplay.php?f=4

Thanks

Rupin
2007-04-04, 21:36
All my S&D databases are up to date. What occurred was I got virused around 9:45pm on 4/1/7 (an email link sent me to a hostile website). S&D immediately started registering attempts to change the registry. I grabbed a trial version of Security Task Manager and it identified that winlogon.exe was actually trojan "Generic3.QQY". Quarintining & then deleting the infected file stopped the registry change attempts that S&D was stopping (log shown below). Nothing else is showing in AVG or MacAffee AV scans. However the three items listed in my previous post are still showing up when I do a complete S&D scan after a reboot.

This morning when rebooting after windows automatically downloaded a security update, AVG updated its definitions and then ran a complete scan and noted that user32.dll had been "changed", but offered no other explanation. When I did a search on this I found a forum post on a similar occurrence that recommended downloading RootkitReavealer to scan & see if I had a Rootkit installed. I ran the scan and have listed the log below: it shows what I consider to be suspicious activity because of the date of several registry entries are within a couple hours of the initial attack. I have no idea how to verify if these entries mean I really have a rootkit, nor do I know how to fix it if I do. Any help in figuring this out (or even just saving time and telling me its hopeless and I need to FDISK, reformat and reinstall windows will save time and be helpful). Given that so much of the attack was stopped by the different AV programs I'm running, I'm hoping that the system can be cleaned and salvaged, but please let me know.


Here's the RootkitRevealer scan log:
HKU\.DEFAULT\Control Panel\International 4/2/2007 3:03 AM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 4/2/2007 3:03 AM 0 bytes Security mismatch.
HKU\S-1-5-21-2009023888-1003630021-121160640-1007\Control Panel\International 4/2/2007 3:03 AM 0 bytes Security mismatch.
HKU\S-1-5-21-2009023888-1003630021-121160640-1007\Control Panel\International\Geo 4/2/2007 3:03 AM 0 bytes Security mismatch.
HKU\S-1-5-21-2009023888-1003630021-121160640-1007\Software\Microsoft\Command Processor 4/2/2007 3:03 AM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 4/2/2007 3:03 AM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 4/2/2007 3:03 AM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 5/26/2004 5:42 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 5/26/2004 5:42 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Command Processor 4/2/2007 3:03 AM 0 bytes Security mismatch.
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\I2_LDVP.TMP\dec 4/4/2007 10:31 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Larry St John\Cookies\larry st john@www.rootkit[1].txt 4/4/2007 10:42 AM 75 bytes Hidden from Windows API.
C:\Documents and Settings\Larry St John\Cookies\larry st john@www.rootkit[2].txt 4/4/2007 10:24 AM 75 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Larry St John\Local Settings\Temporary Internet Files\Content.IE5\H1CM73LX\ADSAdClient31[1].htm 4/4/2007 10:38 AM 2.22 KB Hidden from Windows API.
C:\Documents and Settings\Larry St John\Local Settings\Temporary Internet Files\Content.IE5\H1CM73LX\no[1].gif 4/4/2007 10:42 AM 1004 bytes Hidden from Windows API.
C:\Documents and Settings\Larry St John\Local Settings\Temporary Internet Files\Content.IE5\H1CM73LX\ql[1].js 4/4/2007 10:20 AM 8.41 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Larry St John\Local Settings\Temporary Internet Files\Content.IE5\H1CM73LX\ql[2].js 4/4/2007 10:38 AM 8.41 KB Hidden from Windows API.
C:\Documents and Settings\Larry St John\Local Settings\Temporary Internet Files\Content.IE5\H1TQFFDA\01[1].htm 4/4/2007 10:25 AM 211 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Larry St John\Local Settings\Temporary Internet Files\Content.IE5\H1TQFFDA\showthread[1].htm 4/4/2007 9:54 AM 45.25 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Larry St John\Local Settings\Temporary Internet Files\Content.IE5\H1TQFFDA\showthread[1].php 4/4/2007 10:44 AM 12.54 KB Hidden from Windows API.
C:\Documents and Settings\Larry St John\Local Settings\Temporary Internet Files\Content.IE5\H1TQFFDA\showthread[2].htm 4/4/2007 10:44 AM 45.25 KB Hidden from Windows API.
C:\Documents and Settings\Larry St John\Local Settings\Temporary Internet Files\Content.IE5\QQZZH87R\01[1].htm 4/4/2007 10:38 AM 211 bytes Hidden from Windows API.
C:\Documents and Settings\Larry St John\Local Settings\Temporary Internet Files\Content.IE5\QQZZH87R\ADSAdClient31[1].htm 4/4/2007 10:25 AM 2.22 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Larry St John\Local Settings\Temporary Internet Files\Content.IE5\QQZZH87R\default[1].htm 4/4/2007 10:23 AM 34.11 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Larry St John\Local Settings\Temporary Internet Files\Content.IE5\QQZZH87R\hoglund[1].jpg 4/4/2007 10:42 AM 4.22 KB Hidden from Windows API.
C:\Documents and Settings\Larry St John\Local Settings\Temporary Internet Files\Content.IE5\QQZZH87R\ratings[1].htm 4/4/2007 10:25 AM 7.45 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Larry St John\Local Settings\Temporary Internet Files\Content.IE5\QQZZH87R\ratings[2].htm 4/4/2007 10:38 AM 7.37 KB Hidden from Windows API.
C:\Documents and Settings\Larry St John\Local Settings\Temporary Internet Files\Content.IE5\YXV0XC36\default[3].htm 4/4/2007 10:38 AM 34.11 KB Hidden from Windows API.
C:\Documents and Settings\Larry St John\Local Settings\Temporary Internet Files\Content.IE5\Z59NYE6L\ShowFolder[2] 4/4/2007 9:55 AM 12.18 KB Visible in Windows API, but not in MFT or directory index.
E: 0 bytes Error mounting volume


Also, here's the S&D log for everything that occurred since the initial attack:
NOTE: To conserve space I deleted the repetitions of the first entry except for the first & last as these are identical but occurred hundreds of times before I figured out what was causing them (winlogon.exe) & stopped it.

4/1/2007 9:45:47 PM Denied value "Firewall auto setup" (new data: "C:\DOCUME~1\LARRYS~1\LOCALS~1\Temp\winlogon.exe") added in System Startup user entry!
4/2/2007 12:26:16 AM Denied value "Firewall auto setup" (new data: "C:\DOCUME~1\LARRYS~1\LOCALS~1\Temp\winlogon.exe") added in System Startup user entry!
4/2/2007 12:49:02 AM Allowed value "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}" (new data: "") deleted in Browser Helper Object!
4/2/2007 1:43:16 AM Allowed value "" (new data: "") deleted in System Startup global entry!
4/2/2007 1:44:19 AM Allowed value "QuickTime Task" (new data: "") deleted in System Startup global entry!
4/2/2007 1:46:30 AM Allowed value "" (new data: "") added in System Startup global entry!
4/2/2007 1:46:42 AM Allowed value "" (new data: "") deleted in System Startup global entry!
4/2/2007 1:59:53 AM Allowed value "Search Bar" (new data: "") deleted in Browser page!
4/2/2007 2:00:09 AM Allowed value "Start Page" (new data: "about:blank") changed in Browser page!
4/2/2007 2:00:48 AM Allowed value "SearchAssistant" (new data: "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm") changed in Browser page!
4/2/2007 2:00:54 AM Allowed value "load" (new data: "") deleted in NT startup!
4/2/2007 2:01:00 AM Allowed value "scrnsave.exe" (new data: "") deleted in Desktop settings!
4/2/2007 2:09:25 AM Allowed value "AVG7_Run" (new data: "C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE") added in System Startup user entry!
4/2/2007 2:09:28 AM Allowed value "AVG7_CC" (new data: "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP") added in System Startup global entry!
4/2/2007 2:41:34 AM Allowed value "AVG7_Run" (new data: "") deleted in System Startup user entry!
4/2/2007 3:32:22 AM Allowed value "SpybotSnD" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
4/2/2007 4:57:56 AM Allowed value "{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}" (new data: "") added in ActiveX Distribution Unit!
4/2/2007 5:03:19 AM Denied value "{EFA24E62-B078-11D0-89E4-00C04FC9E26E}" (new data: "") added in User-specific browser toolbar!
4/4/2007 9:06:42 AM Allowed value "{EFA24E61-B078-11D0-89E4-00C04FC9E26E}" (new data: "") added in User-specific browser toolbar!
4/4/2007 10:53:47 AM Allowed value "{EFA24E62-B078-11D0-89E4-00C04FC9E26E}" (new data: "") added in User-specific browser toolbar!

Rupin
2007-04-04, 23:18
Another thing: the first thing the hostile site did was upload "nsp[1].mov" to my Temporary Internet Files\Content.IE5 folders, which Symantec caught and quarantined, labeling it as a Virus named "Bloodhound.Exploit.109".

pskelley
2007-04-04, 23:20
Well, this is what I said: Are you sure your databases are up to date? If you have malware issues please give me more information about them, including symptoms and any error messages you are receiving word for word.
You are running and posting a lot of information that is usless to me, if you have reason to believe a rootkit is involved, and that there may be other issues, then follow these dirctions.

1) Please download F-Secure BlackLight Beta:
https://europe.f-secure.com/exclude/blacklight/index.shtml

Save it to its own folder in the Desktop
Double-click blbeta.exe to run the program
Click : Scan
A list of all items found is created

The list is in the BlackLight folder on the Desktop, and named fsbl.xxxxxxx.log (xxxxxxx are numbers).

Please provide the log created by BlackLight in your next reply.
(do not remove anything, most if not all of the files will be valid)

2) Follow the directions in this link to download install update and run AVG Anto-Spyware. Delete or at least quarantine andything it locates and save the scan report to post.

Restart the computer and post the log from Blacklight, the scan report from AVG Anti-Spyware and NOTHING else.

If you wish to read other posts, that is fine, but remember those fixes and the tools that are used are for a reason. Different infections require different tools. Just be careful, some tools may damage your computer.

Thanks

pskelley
2007-04-04, 23:31
Sounds like you are running Symantec and C:\PROGRA~1\Grisoft\AVG7\
See this information: http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html

Here is the Symantec information on the item it appears to have identified:
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-010315-5708-99&tabid=1

I would read and follow the directions they have posted once you get the second antivirus program off the computer.
Especially the directions under the Technical Details tab at the link I have provided.

Thanks

Rupin
2007-04-05, 03:23
I ran the Blacklight scan and have included the log below, however it said it didn't find anything. I am not currently experiencing ANY error messages, only that S&D keeps finding the two entries listed in my first post above everytime I reboot even after I have S&D fix/remove them.

As far as having 2 AVs installed, I installed AVG the day of the initial attack because I didn't see my existing AV, Symantec AV Corporate (not MacAffee as I previously listed) addressing the source of the issues S&D was dealing with. I had previously (before installing and running Blacklight) today rebooted, and then AVG updated it's definitions and ran a complete scan. The log is also attached below. I will now delete anything left in quarantine and then uninstall AVG it as you've recommended since I already have Symantec.


Here's the Blacklight log:
04/04/07 15:13:55 [Info]: BlackLight Engine 1.0.61 initialized
04/04/07 15:13:55 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/04/07 15:13:55 [Note]: 7019 4
04/04/07 15:13:55 [Note]: 7005 0
04/04/07 15:14:14 [Note]: 7006 0
04/04/07 15:14:14 [Note]: 7011 1652
04/04/07 15:14:15 [Note]: 7026 0
04/04/07 15:14:15 [Note]: 7026 0
04/04/07 15:14:17 [Note]: FSRAW library version 1.7.1021
04/04/07 15:18:27 [Note]: 2000 1012
04/04/07 15:18:27 [Note]: 2000 1012
04/04/07 15:18:27 [Note]: 2000 1012



And here's the AVG log:
- <history>
- <!-- 01c7769fb1032740
-->
- <rec time="2007/04/02 02:10:36" user="SYSTEM" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">avi:987-965;iavi:752-706;</attr>
</rec>
- <rec time="2007/04/02 02:10:57" user="Larry St John" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
- <rec time="2007/04/02 02:40:46" user="Larry St John" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
- <rec time="2007/04/02 02:59:55" user="Larry St John" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
- <rec time="2007/04/02 03:31:29" user="Larry St John" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
- <rec time="2007/04/04 09:16:09" user="Larry St John" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
- <rec time="2007/04/04 09:16:35" user="SYSTEM" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">avi:989-987;iavi:756-752;</attr>
</rec>
- <rec time="2007/04/04 09:16:55" user="Larry St John" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\All Users\Application Data\SecTaskMan\winlogon.exe.q_46B39000_q</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic3.QQY</attr>
</rec>
- <rec time="2007/04/04 09:57:44" user="Larry St John" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">1</attr>
</rec>
- <rec time="2007/04/04 09:57:46" user="Larry St John" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\Documents and Settings\All Users\Application Data\SecTaskMan\winlogon.exe.q_46B39000_q</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
</history>


BTW, thanks for helping me on this! Pls let me know what we can do to get those entries from reappearing on S&D.

pskelley
2007-04-05, 04:35
I apologize:sad: I did not post the link to AVG Anti-Spyware 7.5. Here is that link:
http://forums.security-central.us/showthread.php?t=3165

We still have the issue of two anti-virus program that must be addressed. It is almost impossible to troubleshoot issues when you don't know which are being caused by these programs conflicting.
Logfile of HijackThis v1.99.1 Scan saved at 5:45:44 AM, on 4/2/2007

Here is the AVG Anti-Virus program in this HJT log:
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

Here is the Symantec which appears to be NAV Corporate Edition.
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

The BlackLight scan was clean as you suggested. I don't believe we have a rootkit, but if need be we will look more later.

What I need now is the scan report from AVG Anti-Spyware 7.5. Be sure to delete or at least quarantine anything it finds and post that scan report along with a HJT log running one antivirus program. Please add any comments you think will help.

Thanks

Rupin
2007-04-05, 09:50
OK, I've I've temporarily deactivated Symantec, then I downloaded & installed AVG 7.5 and ran a complete scan (found 1 High-threat item “Proxy.Small.ck”, and several nominal tracking cookies). Then I ran the HJT scan (again w/only one AV running). Next I opened S&D, checked for updates (none available) and then Scanned for problems: it again found the Win32.Small.dp and Nat registry issues and I again fixed/removed them. I then rebooted and reran the AVG which found the Proxy.Small.ck item again, and also reran S&D scan which found its two problems again.

Again, nothing seems to be malfunctioning, but this PC is on my work LAN w/my server and 5 other PCs and I don’t want to ignore something that’s going to wreak havoc down the line. I’d rather be paranoid… Thanks again!


Here's the first (before S&D scan & fix & reboot) AVG scan log:


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:05:26 PM 4/4/2007

+ Scan result:



[2960] VM_00BF0000 -> Proxy.Small.ck : Cleaned with backup (quarantined).
C:\Documents and Settings\Larry St John\Cookies\larry st john@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Larry St John\Cookies\larry st john@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Larry St John\Cookies\larry st john@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Larry St John\Cookies\larry st john@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\Larry St John\Cookies\larry st john@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Larry St John\Cookies\larry st john@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Larry St John\Cookies\larry st john@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Larry St John\Cookies\larry st john@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Larry St John\Cookies\larry st john@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Larry St John\Cookies\larry st john@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Larry St John\Cookies\larry st john@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Larry St John\Cookies\larry st john@www.safer-networking[1].txt -> TrackingCookie.Safer-networking : Ignored.
C:\Documents and Settings\Larry St John\Cookies\larry st john@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Larry St John\Cookies\larry st john@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Larry St John\Cookies\larry st john@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.


::Report end



Here's the HJT scan log:

Logfile of HijackThis v1.99.1
Scan saved at 10:37:36 PM, on 4/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ActiveFax\Client\ActFaxClient.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TimePilot Applications\Time and Attendance\InOut.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\igfxsrvc.exe
Z:\UserNT1\OMNIS7.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOCUME~1\LARRYS~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe
C:\DOCUME~1\LARRYS~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ActiveFax Client] C:\Program Files\ActiveFax\Client\ActFaxClient.exe -Autostart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: In-Out Manager.lnk = C:\Program Files\TimePilot Applications\Time and Attendance\InOut.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (CitrixOnline GoToMeeting Downloader) - https://www.gotomeeting.com/default/applets/g2mdlax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

pskelley
2007-04-05, 12:59
Thanks again for returning your information and your feedback.

Looking at the results of the scans, as you said AVG cleaned some cookies and quarantined one item. Since antivirus purveyors call trojans by different names, it might be that trojan is the one your are concerned with, and that Spybot is calling it something different. Spybot may well see that item in the AVG quarantine folder. I would like you to clean out that quarantine folder:
Clean the quarantine folder
You can remove the files from the AVG AS Quarantine:
-Launch AVG AS and click the Infections button.
-Click the Quarantine tab
-Choose: Select All
-Click: Remove finally
-A window pops asking "Are you sure you want to remove the selected files...??"
-Select: Yes

Logfile of HijackThis v1.99.1 Scan saved at 10:37:36 PM, on 4/4/2007 As far as I can see and my scanners, this HJT log has no malware in it. A few items I don't know, but they appear legit. Take a look down the log, do you see anything you know should not be there?

Let's have a look at your uninstall list:
add/remove in the control panel.
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Unless I missed the information, I still have no idea what this is: Nat
http://www.google.com/search?hl=en&q=Nat&btnG=Google+Search

after you post the uninstall list, and since as you saw in the information I posted that the trojan you mention was part of a recent update for Spybot. I would like you to post the information there so Spybot experts can advise you. http://forums.spybot.info/forumdisplay.php?f=4
Along with the uninstall list, post a link to your topic at the Spybot forum so I can see what they have to say. Perhaps they will know what "Nat" is, and why Spybot is not removing that trojan.

Thanks

Rupin
2007-04-05, 13:42
Went to empy the contents of AVG's quarantine bin, but it was already empty. So I ran the scan again and located the particular offinder (Proxy.Small.ck) in memory ([2808] VM_00BF0000). So I deleted and ran the scan again and it was still there! How do I get rid of this thing???


I posted the new thread like you asked, and the link's at the bottom. In the mean time, here's the list of Uninstall list:

ACT! 2000
ActiveFax
Ad-Aware SE Personal
Adobe Acrobat 7.0.9 Professional
Adobe Flash Player 9 ActiveX
AVG Anti-Spyware 7.5
Canon FAXPHONE L75
Compline Assistant 32-bit
EVGA Display Driver
Forms Boss Plus 5.2
Google Earth
GoToMyPC
HijackThis 1.99.1
InStar SR-8.1.2 Update
InStar SR-8.2.4 Update
Intel(R) Graphics Media Accelerator Driver
IsOffice v1.8.2
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Logitech SetPoint
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office Small Business Edition 2003
Nero BurnRights
Nero OEM
Panda ActiveScan
PowerDVD
QuickBooks Pro 2000
QuickTime
Security Task Manager 1.7
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Symantec AntiVirus Client
Symantec pcAnywhere
TimePilot 2.76
Timepilot V2.54
Timepilot V2.57
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
Watchtower Library 2006 - English Edition
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781



Finally, here's the link to the new thread I posted like you asked: http://forums.spybot.info/showthread.php?p=78355#post78355

Talk to you soon! Thanks~

pskelley
2007-04-05, 13:54
Uninstall list: I am looking for malware and security issues, it's a great chance for you to look for programs you no longer use.

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2
See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
I believe you need an update now. Download the newest version and uninstall all old versions in Add Remove Programs

Thanks

Rupin
2007-04-06, 01:18
ok, I uninstalled all the Sun Java entries and then went to their site and downloaded the latest (5.0 update 11). I've also received a reply to my other post, although it's not conclusive. Please let me know what you come up with.

Here's my updated Uninstall list:


ACT! 2000
ActiveFax
Ad-Aware SE Personal
Adobe Acrobat 7.0.9 Professional
Adobe Flash Player 9 ActiveX
AVG Anti-Spyware 7.5
Canon FAXPHONE L75
Compline Assistant 32-bit
EVGA Display Driver
Forms Boss Plus 5.2
Google Earth
GoToMyPC
HijackThis 1.99.1
InStar SR-8.1.2 Update
InStar SR-8.2.4 Update
Intel(R) Graphics Media Accelerator Driver
IsOffice v1.8.2
iTunes
J2SE Runtime Environment 5.0 Update 11
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Logitech SetPoint
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office Small Business Edition 2003
Nero BurnRights
Nero OEM
Panda ActiveScan
PowerDVD
QuickBooks Pro 2000
QuickTime
Security Task Manager 1.7
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)

pskelley
2007-04-07, 14:00
There is no malware or any security issues in your uninstall list that I can see.
Thanks

tashi
2007-04-16, 23:37
This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.


Thank you pskelley.