Rupin
2007-04-05, 12:39
pskelley asked me to post this as we're interested in getting feedback from experts on the Spybot S&D program since we *may* have run into a new variant.
A link to my other post with all the exact history and scan logs is attached below, but in a nutshell the issue is that I was virused by a hostile website that uploaded something(?) onto my PC. I believe most of that *something* was removed/blocked by my AV (Symantec Corporate) and S&D. However, when running S&D I repeatedly find two HKEY_USERS entries for Nat & one for Win32.Small.dp, and they still show up after fixing/cleaning and then rebooting. Also, AVG 7.5 scans reveal Proxy.Small.ck in memory ([2808] VM_00BF0000). No other signs of attack are showing (no error messages, no reduced functionality), but I'm afraid of what's around the corner as long as these problems are showing up on the scans. Please help if you can. Thanks!
Here's a link to the previous post: http://forums.spybot.info/showthread.php?p=77866#post77866
As requested, here is a copy of my uninstall list. After that will be the S&D log for everything that occurred since the initial attack:
ACT! 2000
ActiveFax
Ad-Aware SE Personal
Adobe Acrobat 7.0.9 Professional
Adobe Flash Player 9 ActiveX
AVG Anti-Spyware 7.5
Canon FAXPHONE L75
Compline Assistant 32-bit
EVGA Display Driver
Forms Boss Plus 5.2
Google Earth
GoToMyPC
HijackThis 1.99.1
InStar SR-8.1.2 Update
InStar SR-8.2.4 Update
Intel(R) Graphics Media Accelerator Driver
IsOffice v1.8.2
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Logitech SetPoint
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office Small Business Edition 2003
Nero BurnRights
Nero OEM
Panda ActiveScan
PowerDVD
QuickBooks Pro 2000
QuickTime
Security Task Manager 1.7
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Symantec AntiVirus Client
Symantec pcAnywhere
TimePilot 2.76
Timepilot V2.54
Timepilot V2.57
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
Watchtower Library 2006 - English Edition
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
S&D log
NOTE: To conserve space I deleted the repetitions of the first entry except for the first & last as these are identical but occurred hundreds of times before I figured out what was causing them (winlogon.exe) & stopped it.
4/1/2007 9:45:47 PM Denied value "Firewall auto setup" (new data: "C:\DOCUME~1\LARRYS~1\LOCALS~1\Temp\winlogon.exe") added in System Startup user entry!
4/2/2007 12:26:16 AM Denied value "Firewall auto setup" (new data: "C:\DOCUME~1\LARRYS~1\LOCALS~1\Temp\winlogon.exe") added in System Startup user entry!
4/2/2007 12:49:02 AM Allowed value "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}" (new data: "") deleted in Browser Helper Object!
4/2/2007 1:43:16 AM Allowed value "" (new data: "") deleted in System Startup global entry!
4/2/2007 1:44:19 AM Allowed value "QuickTime Task" (new data: "") deleted in System Startup global entry!
4/2/2007 1:46:30 AM Allowed value "" (new data: "") added in System Startup global entry!
4/2/2007 1:46:42 AM Allowed value "" (new data: "") deleted in System Startup global entry!
4/2/2007 1:59:53 AM Allowed value "Search Bar" (new data: "") deleted in Browser page!
4/2/2007 2:00:09 AM Allowed value "Start Page" (new data: "about:blank") changed in Browser page!
4/2/2007 2:00:48 AM Allowed value "SearchAssistant" (new data: "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm") changed in Browser page!
4/2/2007 2:00:54 AM Allowed value "load" (new data: "") deleted in NT startup!
4/2/2007 2:01:00 AM Allowed value "scrnsave.exe" (new data: "") deleted in Desktop settings!
4/2/2007 2:09:25 AM Allowed value "AVG7_Run" (new data: "C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE") added in System Startup user entry!
4/2/2007 2:09:28 AM Allowed value "AVG7_CC" (new data: "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP") added in System Startup global entry!
4/2/2007 2:41:34 AM Allowed value "AVG7_Run" (new data: "") deleted in System Startup user entry!
4/2/2007 3:32:22 AM Allowed value "SpybotSnD" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
4/2/2007 4:57:56 AM Allowed value "{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}" (new data: "") added in ActiveX Distribution Unit!
4/2/2007 5:03:19 AM Denied value "{EFA24E62-B078-11D0-89E4-00C04FC9E26E}" (new data: "") added in User-specific browser toolbar!
4/4/2007 9:06:42 AM Allowed value "{EFA24E61-B078-11D0-89E4-00C04FC9E26E}" (new data: "") added in User-specific browser toolbar!
4/4/2007 10:53:47 AM Allowed value "{EFA24E62-B078-11D0-89E4-00C04FC9E26E}" (new data: "") added in User-specific browser toolbar!
Please let me know if you see what might be causing this. Thanks!
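The most telling line in the log above is the "Firewall auto setup" entry: an autostart value pointing at a file called winlogon.exe in a user's Temp folder, denied by TeaTimer and then re-added over and over. The following is an added example, not code from the poster or from the Spybot project: a small parser for TeaTimer-style log lines that pulls out the timestamp, verdict, value name, data and category, then applies three defender heuristics (autostart image in a Temp directory, a filename that matches a Windows system binary but sits outside System32, and a denied value that keeps coming back, which means something still running is restoring it). The sample lines are quoted from the post; the heuristics, the system-binary list and the function names are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample input: TeaTimer log lines quoted from the post above (constructed subset).
SAMPLE_LOG = r'''
4/1/2007 9:45:47 PM Denied value "Firewall auto setup" (new data: "C:\DOCUME~1\LARRYS~1\LOCALS~1\Temp\winlogon.exe") added in System Startup user entry!
4/2/2007 12:26:16 AM Denied value "Firewall auto setup" (new data: "C:\DOCUME~1\LARRYS~1\LOCALS~1\Temp\winlogon.exe") added in System Startup user entry!
4/2/2007 12:49:02 AM Allowed value "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}" (new data: "") deleted in Browser Helper Object!
4/2/2007 2:00:09 AM Allowed value "Start Page" (new data: "about:blank") changed in Browser page!
4/2/2007 2:09:25 AM Allowed value "AVG7_Run" (new data: "C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE") added in System Startup user entry!
4/2/2007 3:32:22 AM Allowed value "SpybotSnD" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
'''

# One TeaTimer line: <timestamp> <Allowed|Denied> value "<name>" (new data: "<data>") <action> in <category>!
# The data field is matched greedily so nested quotes (quoted path plus arguments) survive intact.
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<verdict>Allowed|Denied) value "(?P<name>.*?)" '
    r'\(new data: "(?P<data>.*)"\) '
    r'(?P<action>added|deleted|changed) in (?P<category>.+?)!$'
)

# Assumed list of Windows binaries that malware commonly names itself after (hypothetical, not from the post).
SYSTEM_BINARY_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "explorer.exe"}
# Lower-cased markers of a temporary directory, including the 8.3 short form seen in the log.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp\\")


@dataclass
class Event:
    ts: str
    verdict: str
    name: str
    data: str
    action: str
    category: str


@dataclass
class Finding:
    first_seen: str
    name: str
    path: str
    occurrences: int
    reasons: List[str]


def parse_log(text: str) -> List[Event]:
    """Parse every well-formed TeaTimer line; lines that do not match the format are skipped."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            events.append(Event(**m.groupdict()))
    return events


def image_path(data: str) -> str:
    """Extract the executable path from a Run-key style value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def assess(events: List[Event]) -> List[Finding]:
    """Group autostart additions by (name, data) and flag the ones a responder should look at first."""
    groups: Dict[Tuple[str, str], List[Event]] = {}
    for e in events:
        if e.action == "added" and "startup" in e.category.lower():
            groups.setdefault((e.name, e.data), []).append(e)

    findings: List[Finding] = []
    for (name, data), hits in groups.items():
        path = image_path(data)
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        reasons: List[str] = []
        if any(marker in low for marker in TEMP_MARKERS):
            reasons.append("autostart image lives in a Temp directory")
        if base in SYSTEM_BINARY_NAMES and "\\system32\\" not in low:
            reasons.append(f"{base} outside System32 masquerades as a Windows binary")
        denied = sum(1 for h in hits if h.verdict == "Denied")
        if denied > 1:
            reasons.append(f"denied {denied} times yet re-added: a running process keeps restoring it")
        if reasons:
            findings.append(Finding(hits[0].ts, name, path, len(hits), reasons))
    return findings


if __name__ == "__main__":
    for f in assess(parse_log(SAMPLE_LOG)):
        print(f"{f.first_seen}  {f.name!r} -> {f.path}  (seen {f.occurrences}x)")
        for r in f.reasons:
            print("    -", r)
```

Run against the quoted lines, only the "Firewall auto setup" entry is reported, with all three reasons; the AVG and Spybot autostart entries pass because they point at their install directories and were allowed once. The "re-added after denial" reason is the one that matters for the poster's situation: TeaTimer blocking the registry write does not stop the process that issues it, so the same entry reappears until that process is found and terminated.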