S&D unable to successfully remove "Win32.Small.dp" and "Nat"



Rupin
2007-04-05, 12:39
pskelley asked me to post this as we're interested in getting feedback from experts on the Spybot S&D program since we *may* have run into a new variant.

A link to my other post with all the exact history and scan logs is attached below, but in a nutshell the issue is that I was virused by a hostile website that uploaded something(?) onto my PC. I believe most of that *something* was removed/blocked by my AV (Symantec Corporate) and S&D. However, when running S&D I repeatedly find two HKEY_USERS entries for Nat & one for Win32.Small.dp, and they still show up after fixing/cleaning and then rebooting. Also, AVG 7.5 scans reveal Proxy.Small.ck in memory ([2808] VM_00BF0000). No other signs of attack are showing (no error messages, no reduced functionality), but I'm afraid of what's around the corner as long as these problems are showing up on the scans. Please help if you can. Thanks!

Here's a link to the previous post: http://forums.spybot.info/showthread.php?p=77866#post77866

As requested, here is a copy of my uninstall list. After that will be the S&D log for everything that occurred since the initial attack:

ACT! 2000
ActiveFax
Ad-Aware SE Personal
Adobe Acrobat 7.0.9 Professional
Adobe Flash Player 9 ActiveX
AVG Anti-Spyware 7.5
Canon FAXPHONE L75
Compline Assistant 32-bit
EVGA Display Driver
Forms Boss Plus 5.2
Google Earth
GoToMyPC
HijackThis 1.99.1
InStar SR-8.1.2 Update
InStar SR-8.2.4 Update
Intel(R) Graphics Media Accelerator Driver
IsOffice v1.8.2
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Logitech SetPoint
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office Small Business Edition 2003
Nero BurnRights
Nero OEM
Panda ActiveScan
PowerDVD
QuickBooks Pro 2000
QuickTime
Security Task Manager 1.7
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Symantec AntiVirus Client
Symantec pcAnywhere
TimePilot 2.76
Timepilot V2.54
Timepilot V2.57
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
Watchtower Library 2006 - English Edition
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781




S&D log
NOTE: To conserve space I deleted the repetitions of the first entry except for the first & last as these are identical but occurred hundreds of times before I figured out what was causing them (winlogon.exe) & stopped it.

4/1/2007 9:45:47 PM Denied value "Firewall auto setup" (new data: "C:\DOCUME~1\LARRYS~1\LOCALS~1\Temp\winlogon.exe") added in System Startup user entry!
4/2/2007 12:26:16 AM Denied value "Firewall auto setup" (new data: "C:\DOCUME~1\LARRYS~1\LOCALS~1\Temp\winlogon.exe") added in System Startup user entry!
4/2/2007 12:49:02 AM Allowed value "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}" (new data: "") deleted in Browser Helper Object!
4/2/2007 1:43:16 AM Allowed value "" (new data: "") deleted in System Startup global entry!
4/2/2007 1:44:19 AM Allowed value "QuickTime Task" (new data: "") deleted in System Startup global entry!
4/2/2007 1:46:30 AM Allowed value "" (new data: "") added in System Startup global entry!
4/2/2007 1:46:42 AM Allowed value "" (new data: "") deleted in System Startup global entry!
4/2/2007 1:59:53 AM Allowed value "Search Bar" (new data: "") deleted in Browser page!
4/2/2007 2:00:09 AM Allowed value "Start Page" (new data: "about:blank") changed in Browser page!
4/2/2007 2:00:48 AM Allowed value "SearchAssistant" (new data: "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm") changed in Browser page!
4/2/2007 2:00:54 AM Allowed value "load" (new data: "") deleted in NT startup!
4/2/2007 2:01:00 AM Allowed value "scrnsave.exe" (new data: "") deleted in Desktop settings!
4/2/2007 2:09:25 AM Allowed value "AVG7_Run" (new data: "C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE") added in System Startup user entry!
4/2/2007 2:09:28 AM Allowed value "AVG7_CC" (new data: "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP") added in System Startup global entry!
4/2/2007 2:41:34 AM Allowed value "AVG7_Run" (new data: "") deleted in System Startup user entry!
4/2/2007 3:32:22 AM Allowed value "SpybotSnD" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
4/2/2007 4:57:56 AM Allowed value "{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}" (new data: "") added in ActiveX Distribution Unit!
4/2/2007 5:03:19 AM Denied value "{EFA24E62-B078-11D0-89E4-00C04FC9E26E}" (new data: "") added in User-specific browser toolbar!
4/4/2007 9:06:42 AM Allowed value "{EFA24E61-B078-11D0-89E4-00C04FC9E26E}" (new data: "") added in User-specific browser toolbar!
4/4/2007 10:53:47 AM Allowed value "{EFA24E62-B078-11D0-89E4-00C04FC9E26E}" (new data: "") added in User-specific browser toolbar!


Please let me know if you see what might be causing this. Thanks!
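The TeaTimer log quoted above is the most useful artifact in this post: a "Denied" line means TeaTimer blocked the registry write, but it also means a process on the machine was running and trying to register itself at that moment, so the writer is what needs hunting, not just the value. The following is an added example for this thread, not Spybot's code and not from the original poster. It parses log lines in the format shown above and flags autostart entries whose executable runs from a Temp directory or carries the name of a core Windows binary while living outside System32. The sample lines are constructed from the shape of the log above.

```python
"""Triage Spybot S&D (TeaTimer) resident-log lines for suspicious autostart writes.

Added example for this thread, not Spybot's code. It parses the log format the
first post quotes and flags startup entries whose executable runs from a Temp
directory or carries the name of a core Windows binary while living outside
System32. A "Denied" verdict still matters: something on the box attempted the
write, so the writer process is the thing to hunt, not just the value.
"""
import re
from typing import List, Optional

# Constructed sample in the TeaTimer log shape: the denied entry from the
# thread plus a few benign allowed entries for contrast.
SAMPLE_LOG = r"""
4/1/2007 9:45:47 PM Denied value "Firewall auto setup" (new data: "C:\DOCUME~1\LARRYS~1\LOCALS~1\Temp\winlogon.exe") added in System Startup user entry!
4/2/2007 2:09:28 AM Allowed value "AVG7_CC" (new data: "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP") added in System Startup global entry!
4/2/2007 3:32:22 AM Allowed value "SpybotSnD" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
4/2/2007 2:41:34 AM Allowed value "AVG7_Run" (new data: "") deleted in System Startup user entry!
4/2/2007 2:00:09 AM Allowed value "Start Page" (new data: "about:blank") changed in Browser page!
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<verdict>Allowed|Denied) value "(?P<name>[^"]*)" '
    r'\(new data: "(?P<data>.*)"\) (?P<action>added|deleted|changed) in (?P<location>.+)!$'
)
# First .exe token of a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?(?:\s|$)', re.IGNORECASE)

# Log locations that correspond to autostart (Run keys, Winlogon shell/userinit).
STARTUP_LOCATIONS = ("System Startup", "NT startup")
# Names of core Windows processes that legitimately live only in System32.
SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe",
                   "smss.exe", "svchost.exe"}


def parse_line(line: str) -> Optional[dict]:
    """Split one TeaTimer log line into fields; None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    exe = EXE_RE.match(rec["data"])
    rec["exe_path"] = exe.group("path") if exe else None
    return rec


def suspicious_reasons(exe_path: str) -> List[str]:
    """Reasons an autostart executable path looks hostile (empty if it does not)."""
    norm = exe_path.replace("/", "\\").lower()
    parent, _, basename = norm.rpartition("\\")
    parts = parent.split("\\")
    reasons = []
    # Short (8.3) names keep the Temp component, so a plain split is enough.
    if "temp" in parts or "tmp" in parts:
        reasons.append("runs from a Temp directory")
    if basename in SYSTEM_BINARIES and not parent.endswith(
            ("\\system32", "\\system32\\dllcache")):
        reasons.append(f"{basename} outside System32 (masquerading as a system binary)")
    return reasons


def triage(log_text: str) -> List[dict]:
    """Return the autostart additions/changes in log_text that look suspicious."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] not in ("added", "changed"):
            continue
        if not rec["location"].startswith(STARTUP_LOCATIONS) or not rec["exe_path"]:
            continue
        reasons = suspicious_reasons(rec["exe_path"])
        if reasons:
            findings.append({"ts": rec["ts"], "verdict": rec["verdict"],
                             "name": rec["name"], "path": rec["exe_path"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['verdict']:7} {f['name']!r} -> {f['path']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run against the sample, only the "Firewall auto setup" line is reported, with both reasons. Denied and Allowed entries are treated the same way on purpose: a denied write is evidence of an active dropper, which is exactly what the rest of this thread ends up confirming.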

md usa spybot fan
2007-04-05, 15:58
I personally have no idea what the detections "Nat" and "Win32.Small.dp" are.

From Spybot's update history:
Updates - The home of Spybot-S&D!
http://www.spybot.info/en/updatehistory/index.html
The detection for "Nat" appears to have been added 2005-11-04 and last updated 2006-02-17. "Win32.Small.dp" appears to have been added 2006-05-02 and not updated since.

If you post a log of the actual Spybot detections you are getting, perhaps someone can tell you more. To do that:
Run another scan.
When the scan completes, right click on the results list, select "Copy results to clipboard".
Then paste (Ctrl+V) those results to a new post in this thread.
re: The following denied startup entries:


4/1/2007 9:45:47 PM Denied value "Firewall auto setup" (new data: "C:\DOCUME~1\LARRYS~1\LOCALS~1\Temp\winlogon.exe") added in System Startup user entry!
4/2/2007 12:26:16 AM Denied value "Firewall auto setup" (new data: "C:\DOCUME~1\LARRYS~1\LOCALS~1\Temp\winlogon.exe") added in System Startup user entry!
Although the location of "winlogon.exe" is different, those startup entries look remarkably similar to the following CastleCops startup entry listing:
CastleCops Firewall auto setup winlogon.exe Startup and file information
http://www.castlecops.com/s13864-winlogon_exe.html

Rupin
2007-04-06, 00:13
Thanks for helping, MD. Here's what a fresh S&D scan shows:


Nat: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2009023888-1003630021-121160640-1007\Software\Microsoft\Internet Explorer\Desktop\host

Nat: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2009023888-1003630021-121160640-1007\Software\Microsoft\Internet Explorer\Desktop\id

Win32.Small.dp: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2009023888-1003630021-121160640-1007\Software\Microsoft\Internet Explorer\Security\host


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-02-20 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-04-04 Includes\Cookies.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-04-04 Includes\DialerC.sbi (*)
2007-04-04 Includes\Hijackers.sbi (*)
2007-04-04 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-04-04 Includes\KeyloggersC.sbi (*)
2007-03-21 Includes\Malware.sbi (*)
2007-04-04 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-04-04 Includes\PUPSC.sbi (*)
2007-04-04 Includes\Revision.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-04-04 Includes\SecurityC.sbi (*)
2007-03-21 Includes\Spybots.sbi (*)
2007-04-04 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-04-04 Includes\Trojans.sbi (*)
2007-04-04 Includes\TrojansC.sbi (*)

Ideas?

md usa spybot fan
2007-04-06, 06:37
Zenobia (http://forums.spybot.info/member.php?u=145) pointed out the following:
Alerts & Vulnerabilities - March 2007 - MS-ISAC Info Bulletin MS Internet Explorer 7 Phishing E-mail March 30 2007
http://itsecurity.wi.gov/sublink.asp?linksubcat2id=1148&linksubcatid=2005&linkcatid=1487&linkid=673&locid=89
The registry entries picked up by Spybot as well as the startup entry that you denied match the registry entries in that article.

This Security Alert by AplusWebMaster (http://forums.spybot.info/member.php?u=222)
IE7.0.exe from admin@microsoft.com - SPAM malware
http://forums.spybot.info/showthread.php?t=12571
Led me to this F-Secure write-up:
F-Secure Malware Information Pages Trojan-ProxyW32-Grum.A
http://www.f-secure.com/v-descs/trojan-proxy_w32_grum_a.shtml#details
I have asked someone to follow up with you to see if we can resolve your problem.

Rupin
2007-04-06, 08:57
Thanks md and thanks too to Zenobia!

I read the articles and see the connection, but I don't recall any advertisements for IE7, so if this is similar it's now a different skin.

Thanks for having someone follow-up w/me, I'll look for the next post! In the meantime, did anyone look at the other post mentioned above and see the log from the Rootkit Revealer scan that found so many notable entries just hours after the initial attack? Is this just coincidence?

Rupin
2007-04-06, 08:58
Here's the post again, just for convenience: http://forums.spybot.info/showthread...7866#post77866

Rupin
2007-04-06, 09:00
Correction, that's now a dead link. Here's the right one: http://forums.spybot.info/showthread.php?p=77866#post77866

The Rootkit Revealer log is in the third post in the thread.

MisterW
2007-04-06, 16:37
Hello,
these keys left by Spybot look like a false positive. But I think the products are from 2005 and 2006 as md posted in one of the threads before. I am out of the office because of Easter and so I cannot say for sure that it is a false positive.
We will try to find the problem before the next update, scheduled for Wednesday. If it is a false positive we will fix it then.

Hope I could help you a little bit,
regards

Markus
Team Spybot

tricky006
2007-04-11, 14:11
Hi

I have the same problem where I can't remove win32.small.dp and nat identified by S&D. Also I have a virus, proxy.small.ct, that can be removed with the ewido online scanner but reloads itself back into memory. My gut feeling is the two issues are related. I have tried the various suggestions in the thread but with no luck and my HJT log looks OK. I was just wondering whether anyone managed to get to the bottom of the problem.

Thanks in advance

Tricky006

Rupin
2007-04-12, 11:04
I just downloaded the update to S&D and scanned, which found the same problems again and "fixed" them. I then rebooted and scanned again, and again found the same problems. Still no other symptoms, but still need to get rid of these issues. Any recommendations?

Thanks!

Rupin
2007-04-21, 03:32
Again I downloaded the update and scanned with the same results noted above. Can anyone help me on this? Please and thanks!

tashi
2007-05-07, 17:47
Hello.

Sorry this appears to have been overlooked, :oops: after the latest updates are you still experiencing the same problem?

Yodama
2007-05-08, 08:48
hi,

the "Firewall auto setup" with the fake Winlogon.exe is a trojan horse that is creating those entries still being found. It usually enters its own IP address at those locations.
This trojan horse is also able to hide the real Winlogon.exe from the Windows API (it is usually located in \Windows\System32\ and \Windows\System32\dllcache\ ).

Infection can cause system instability and a seeming loss of network drives.

@Rupin
if you still encounter the issues with

Nat: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2009023888-1003630021-121160640-1007\Software\Microsoft\Internet Explorer\Desktop\host

Nat: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2009023888-1003630021-121160640-1007\Software\Microsoft\Internet Explorer\Desktop\id

Win32.Small.dp: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2009023888-1003630021-121160640-1007\Software\Microsoft\Internet Explorer\Security\host

then please click on the registry symbol on the right side of the scan result within Spybot; the first click will open regedit, a second one will have regedit browse to the location of the key. Please export those keys and attach them here.

Please also check if your winlogon is still present, just browse to the locations named above, if absent download and run the rootkitrevealer: http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
If it finds anything, please save and attach the log.

And lastly also attach the most recent Spybot S&D scanning and fixing report.
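Yodama's request above is to export the three flagged keys from regedit and look at what the trojan wrote into them, the expectation being its own IP address. The following is an added example for this thread, not Spybot's, Microsoft's or Yodama's code. It parses the text that regedit's Export produces (including the UTF-16 encoding regedit uses), reads the host/id values under Internet Explorer\Desktop and Internet Explorer\Security, reports whether each holds an IP address, and writes the .reg lines that would delete them ("name"=- is regedit's syntax for deleting a value). The key paths are the ones from the scan result in this thread; the value contents in the sample are made up.

```python
"""Audit a regedit export of the keys Spybot flags as "Nat" / "Win32.Small.dp".

Added example for this thread, not Spybot's or Microsoft's code. It parses
the .reg text that "Export" in regedit writes, pulls the host/id values under
Internet Explorer\Desktop and Internet Explorer\Security, and reports whether
each holds an IP address. It also emits the .reg lines that would delete them
("name"=- is regedit's delete-value syntax). The value contents below are
made up; the key paths are the ones from the scan result in this thread.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample export; 192.0.2.10 is a documentation address, not a real host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-2009023888-1003630021-121160640-1007\Software\Microsoft\Internet Explorer\Desktop]
"host"="192.0.2.10"
"id"="6ad9"

[HKEY_USERS\S-1-5-21-2009023888-1003630021-121160640-1007\Software\Microsoft\Internet Explorer\Security]
"host"="192.0.2.10"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

# (key path suffix, value name) pairs Spybot reported; matched case-insensitively.
WATCHED = (
    (r"Software\Microsoft\Internet Explorer\Desktop", "host"),
    (r"Software\Microsoft\Internet Explorer\Desktop", "id"),
    (r"Software\Microsoft\Internet Explorer\Security", "host"),
)


def decode_reg_export(raw: bytes) -> str:
    """regedit writes exports as UTF-16LE with a BOM; older tools wrote ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252")


def decode_value(data: str) -> str:
    """Turn the right-hand side of a .reg value line into a plain string."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r'\\(["\\])', r"\1", data[1:-1])   # unescape \" and \\
    if data.startswith("dword:"):
        return str(int(data[6:], 16))
    return data  # hex(...) binary and other types are kept as written


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] in the export to its {value name: decoded data}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group("name")] = decode_value(vm.group("data"))
    return keys


def looks_like_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s.strip())
        return True
    except ValueError:
        return False


def audit_ie_values(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """Report every watched value present, noting whether it holds an IP address."""
    findings = []
    for key, values in keys.items():
        for suffix, name in WATCHED:
            if key.lower().endswith(suffix.lower()) and name in values:
                findings.append({"key": key, "name": name,
                                 "data": values[name], "ip": looks_like_ip(values[name])})
    return findings


def make_removal_reg(findings: List[dict]) -> str:
    """Build a .reg file that deletes the flagged values (import with regedit)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in dict.fromkeys(x["key"] for x in findings):   # keep order, dedupe
        lines.append(f"[{key}]")
        lines.extend(f'"{x["name"]}"=-' for x in findings if x["key"] == key)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit_ie_values(parse_reg_export(SAMPLE_REG))
    for x in found:
        print(f"{x['name']:4} = {x['data']!r:16} IP address: {x['ip']}  ({x['key']})")
    print(make_removal_reg(found))
```

Neither host nor id is a value Internet Explorer keeps under those keys, so their mere presence is the signal; an IP address in host is what the proxy trojan described later in the thread would leave behind. Importing the generated removal .reg only helps once the process that writes the values is gone; while it runs, as the original poster found, the values come straight back after a reboot.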

Rupin
2007-05-09, 18:35
Hooray, this problem seems to be solved! Credit to an update to my AV, Symantec Corp ed. Write-up on the problem & solution here: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-033016-1857-99&tabid=2

Note: Winlogon.exe was actually discovered and deleted by my AV within minutes of it first appearing. The problem was the registry entries kept reappearing.

A recent update to Symantec corporate AV resolved this issue by discovering a W32.Grum.A infection, which infects all the executable files referenced in the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (ironically enough, the infected file referenced by this key wound up being TeaTimer.exe), and this was apparently a payload of the Winlogon.exe attack when it was initially active, according to the Symantec write-up on it. However, after the AV update and following the instructions exactly in the Symantec article above it was able to find AND fix it and the registry entries haven't come back. System seems to be clean now.

Here's the link to the other issue that was discovered some weeks back by AVG Anti-Spyware: http://forums.majorgeeks.com/showthread.php?t=121874
This was showing Proxy.Small.ck in memory, but again all clean now after cleaning W32.Grum.A.

Hope this helps others!
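The resolution above explains why Spybot's own fix could not stick: the infector altered the executables that the Run key points at (TeaTimer.exe among them), so the autostart entries looked normal while the binaries behind them had changed. A baseline of file hashes for everything a Run key references, compared again after a reboot, catches this class of problem regardless of what the AV signatures know. The following is an added example for this thread, not Symantec's or Spybot's code. The entry names and files in demo() are constructed; read_hkcu_run() uses the standard-library winreg module and therefore only works on Windows, everything else runs anywhere.

```python
"""Baseline and re-check the executables that a Run key points at.

Added example for this thread, not Symantec's or Spybot's code. A file
infector of the kind the post above describes leaves the Run-key entries
looking normal while altering the binaries they reference (here, TeaTimer.exe).
Hashing those binaries once and comparing after the next reboot catches that;
the entry name and path alone will not. read_hkcu_run() is Windows-only;
everything else runs anywhere on constructed input.
"""
import hashlib
import json
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# First .exe token of a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?(?:\s|$)', re.IGNORECASE)


def command_to_path(command: str) -> Optional[str]:
    """Executable path out of a Run-key command line, quoted or not."""
    m = EXE_RE.match(command.strip())
    return m.group("path") if m else None


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(run_entries: Dict[str, str]) -> Dict[str, dict]:
    """run_entries maps Run value name -> command line; returns name -> file facts."""
    snap = {}
    for name, cmd in run_entries.items():
        path = command_to_path(cmd)
        if path and os.path.isfile(path):
            snap[name] = {"path": path, "size": os.path.getsize(path), "sha256": sha256_of(path)}
        else:
            snap[name] = {"path": path, "size": None, "sha256": None}  # dangling entry
    return snap


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> List[Tuple[str, str]]:
    """(entry name, what changed) for every difference between two snapshots."""
    changes = []
    for name, before in baseline.items():
        after = current.get(name)
        if after is None:
            changes.append((name, "autostart entry removed"))
        elif after["path"] != before["path"]:
            changes.append((name, f"path changed: {before['path']} -> {after['path']}"))
        elif after["sha256"] != before["sha256"]:
            changes.append((name, f"binary modified: {before['sha256']} -> {after['sha256']}"))
    for name in current:
        if name not in baseline:
            changes.append((name, f"new autostart entry -> {current[name]['path']}"))
    return changes


def save_snapshot(snap: Dict[str, dict], path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=2)


def load_snapshot(path: str) -> Dict[str, dict]:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def read_hkcu_run() -> Dict[str, str]:
    """Read the current user's Run key with the stdlib winreg module (Windows only)."""
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            entries[name] = str(data)
            i += 1
    return entries


def demo() -> List[Tuple[str, str]]:
    """Constructed end-to-end run: fake Run entries over temp files, one 'infected'."""
    with tempfile.TemporaryDirectory() as d:
        tea = os.path.join(d, "TeaTimer.exe")
        avg = os.path.join(d, "avgcc.exe")
        for p in (tea, avg):
            with open(p, "wb") as fh:
                fh.write(b"MZ" + os.urandom(64))       # placeholder bytes, not a real PE
        entries = {"SpybotSD TeaTimer": f'"{tea}"', "AVG7_CC": f"{avg} /STARTUP"}
        baseline = snapshot(entries)
        with open(tea, "ab") as fh:                   # simulate the infector appending code
            fh.write(b"\x90" * 32)
        entries["Firewall auto setup"] = os.path.join(d, "winlogon.exe")  # dropper's entry
        return compare(baseline, snapshot(entries))


if __name__ == "__main__":
    for name, what in demo():
        print(f"{name}: {what}")
```

On a real machine the workflow is snapshot(read_hkcu_run()) saved with save_snapshot() while the system is believed clean, then the same call after the next reboot fed to compare(); a "binary modified" line on a file the vendor did not update is the file-infector signal the post above describes.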