LandzDown Forum

Security => Analysis and Malware Removal => Topic started by: Brynn on August 15, 2005, 01:05:07 AM

Title: Spybot S&D Threat Descriptions?
Post by: Brynn on August 15, 2005, 01:05:07 AM
Hi Friends,
My recent Spybot S&D scan turned up a threat called LSA.  But there's no information about it in the info area of the scan window.  I went to the Spybot S&D website (safer-networking.net or something close to that), where I found a Threat search page.  But when I enter LSA, no results are found.  I've also posted this same request in the Spybot S&D forums (net-integration.net or something close to that).  But it looks like that board is moving slowly, on this Sunday...maybe they all are???  Anyway, thought I'd see if anyone's online, here.  Here are my questions:

Can someone tell me where to look up the threat info for the LSA?  Or maybe just link me to it?

Thanks very much :-)
(ps -- I'll post when I find the info, one way or another, so you don't worry you might be wasting time by answering ;-)
Title: Re: Spybot S&D Threat Descriptions?
Post by: Corrine on August 15, 2005, 01:42:31 AM
Hi, Brynn.  Welcome to LzD Forum.  Yes, both SWI and N-I are very busy sites.  However, it isn't generally a good idea to cross-post at multiple forums. 

I did not see LSA in the SBSD Threat List either.  So let's start with a logfile.  Please follow the instructions below. 

Thanks.

Launch SpyBot and on the toolbar menu select mode and switch to advanced mode:
  -- Click Mode, scroll to and click Advanced
  -- Click 'Yes' at the "warning" screen

On the left lower down select tools > view report.

Ensure all the options are selected except
      Uncheck[ ] Do not report disabled or known legitimate Items,
      Uncheck[ ] Include a list of services in report.
      Uncheck[ ] Include uninstall list in report.

Select (near the top) View report.
  -- Click mouse on text file, right click and scroll to 'Select All'.
  -- Click 'Copy'.
  -- Paste the logfile as a reply.
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on August 15, 2005, 04:34:05 AM
Hi Corrine,
Oh, well I would never post on 2 forums to troubleshoot a problem.  But since I was only asking where to find this threat info, and since neither forum looked very busy today, I figured posting in both would get an answer sooner.  As it turns out, I fell asleep right after posting!  LOL!!  Anyway, now I will either delete the other message, or post I found the answer, in a reply.  So, I'm all yours!  :lol:

Ok, I've made it through your instructions through the first uncheck item.  The 2nd and 3rd options are not there.  However there are 8 options which are similar, and I'm assuming it's just a matter of terminology, and what you want me to uncheck is probably there.  Unfortunately I can't figure out which ones they are.  But I'll guess.  Ok, one item is "Include list of Winsock LSPs in report"  Since the S in LSP is Services, I'm going to uncheck it, and hope it's the list of services not to include.  Ok, and the Tools menu (along the left) has an item called Uninstall Info, which appears not to be included in the list in the first place.  So hopefully this is what you want.  If not, just let me know.

--- Search result list ---
LSA: Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa

LSA: Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-21-1659004503-1965331169-682003330-1003\SYSTEM\CurrentControlSet\Control\Lsa

LSA: Settings (Registry key, nothing done)
  HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa


--- Spybot - Search && Destroy version: 1.3  ---
2005-04-26 Includes\Cookies.sbi
2005-08-12 Includes\Dialer.sbi
2005-08-12 Includes\Hijackers.sbi
2005-06-23 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-08-12 Includes\Malware.sbi
2005-08-12 Includes\PUPS.sbi
2005-04-27 Includes\Revision.sbi
2005-08-06 Includes\Security.sbi
2005-08-12 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-08-12 Includes\Trojans.sbi


--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB834707
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB885884
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB887797
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Update for Windows XP (KB896727)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899588)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900930)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)


--- Startup entries list ---
Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
   file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
   size: 58992
    MD5: 35e1f41f9cea284f8484172180dc1012

Located: HK_LM:Run, HotKeysCmds
command: C:\WINDOWS\system32\hkcmd.exe
   file: C:\WINDOWS\system32\hkcmd.exe
   size: 118784
    MD5: 66a5047df0c0cec911b95b5b1e24cebc

Located: HK_LM:Run, IgfxTray
command: C:\WINDOWS\system32\igfxtray.exe
   file: C:\WINDOWS\system32\igfxtray.exe
   size: 155648
    MD5: d24b9b36c06ca0acf7ca2c69d9bb25b5

Located: HK_LM:Run, KernelFaultCheck
command: %systemroot%\system32\dumprep 0 -k
   file: C:\WINDOWS\system32\dumprep.exe
   size: 10752
    MD5: 13922eb54890c77005268882629a31fe

Located: HK_LM:Run, Microsoft Works Portfolio
command: C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

Located: HK_LM:Run, Microsoft Works Update Detection
command: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
   file: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
   size: 28738
    MD5: 5ac34c17115d3818dc9c9f5b2d909858

Located: HK_LM:Run, MMTray
command: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
   file: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
   size: 90112
    MD5: 9d20ca8871a7a138f0a0f63553eb2d57

Located: HK_LM:Run, Share-to-Web Namespace Daemon
command: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
   file: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
   size: 57344
    MD5: d4f5faa2fd2dc5923c82ee5808beed7c

Located: HK_LM:Run, Symantec NetDriver Monitor
command: C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
   file: C:\PROGRA~1\SYMNET~1\SNDMon.exe
   size: 100056
    MD5: f9418981ee4d7e995d359833adab59d5

Located: HK_LM:Run, UserFaultCheck
command: %systemroot%\system32\dumprep 0 -u
   file: C:\WINDOWS\system32\dumprep.exe
   size: 10752
    MD5: 13922eb54890c77005268882629a31fe

Located: HK_LM:Run, WorksFUD
command: C:\Program Files\Microsoft Works\wkfud.exe
   file: C:\Program Files\Microsoft Works\wkfud.exe
   size: 24576
    MD5: 8f13ea2d495ae946b1f33898ada8fdd5

Located: HK_CU:Run, MSMSGS
command: "C:\Program Files\Messenger\msmsgs.exe" /background
   file: C:\Program Files\Messenger\msmsgs.exe
   size: 1694208
    MD5: 74e6e96c6f0e2eca4edbb7f7a468f259

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
   file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
   size: 1038336
    MD5: 58f7e6434d285f4c98ad3621e0bd8c8d

Located: Startup (common), HPAiODevice(hp psc 700 series) - 1.lnk
command: C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
   file: C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
   size: 487484
    MD5: 4f465e03aa8cfa07755b76b49f353887

Located: Startup (common), Internet Answering Machine.lnk
command: C:\Program Files\CallWave\IAM.exe
   file: C:\Program Files\CallWave\IAM.exe
   size: 1061984
    MD5: 7b6f470379196e954b3ae266edd2aa38

Located: Startup (common), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office10\OSA.EXE
   file: C:\Program Files\Microsoft Office\Office10\OSA.EXE
   size: 83360
    MD5: 5bc65464354a9fd3beaa28e18839734a

Located: Startup (common), Microsoft Works Calendar Reminders.lnk
command: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
   file: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
   size: 24633
    MD5: 39fdfd34f7b04290d1bc53e3d6ec7d83



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
          BHO name:
        CLSID name: AcroIEHlprObj Class
       description: Adobe Acrobat reader
    classification: Legitimate
    known filename: AcroIEhelper.ocx
AcroIEhelper.dll
         info link: http://www.adobe.com/products/acrobat/readstep2.html
       info source: TonyKlein
              Path: C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\
         Long name:   AcroIEHelper.ocx
        Short name:       ACROIE~1.OCX
    Date (created): 12/31/2004 3:42:32 PM
Date (last access): 8/14/2005 10:05:52 PM
Date (last write): 3/2/2001 1:02:04 PM
          Filesize:              37808
        Attributes:                   
               MD5: 8394ABFC1BE196A62C9F532511936DF7
             CRC32:           71D6E350
           Version:            0.1.0.0

{53707962-6F74-2D53-2644-206D7942484F} ()
          BHO name:
        CLSID name:
       description: Spybot-S&D IE Browser plugin
    classification: Legitimate
    known filename: SDhelper.dll
         info link: http://spybot.eon.net.au/
       info source: Patrick M. Kolla
              Path: C:\PROGRA~1\SPYBOT~1\
         Long name:       SDHelper.dll
        Short name:                   
    Date (created): 5/12/2004 2:03:00 AM
Date (last access): 8/14/2005 10:05:52 PM
Date (last write): 5/12/2004 2:03:00 AM
          Filesize:             744960
        Attributes:           archive
               MD5: ABF5BA518C6A5ED104496FF42D19AD88
             CRC32:           5587736E
           Version:            0.1.0.3

{9ECB9560-04F9-4bbc-943D-298DDF1699E1} (Norton Internet Security)
          BHO name: Norton Internet Security
        CLSID name: CNisExtBho Class
       description: NIS 2004,
    classification: Legitimate
    known filename: NISShExt.dll
         info link: http://www.symantec.com/sabu/nis/nis_pe/
       info source: TonyKlein
              Path: C:\Program Files\Common Files\Symantec Shared\AdBlocking\
         Long name:       NISShExt.dll
        Short name:                   
    Date (created): 8/31/2004 3:29:54 AM
Date (last access): 8/14/2005 10:05:52 PM
Date (last write): 8/31/2004 3:29:54 AM
          Filesize:             103568
        Attributes:           archive
               MD5: C022E044C7693F7581FFA624BC61BA16
             CRC32:           AAC028CD
           Version:            0.8.0.0

{BDF3E430-B101-42AD-A544-FADC6B084872} (NAV Helper)
          BHO name: NAV Helper
        CLSID name: CNavExtBho Class
       description: Norton Antivirus
    classification: Legitimate
    known filename: NavShExt.dll
         info link: http://www.symantec.com/nav/nav_9xnt/
       info source: TonyKlein
              Path: C:\Program Files\Norton Internet Security\Norton AntiVirus\
         Long name:       NAVSHEXT.DLL
        Short name:                   
    Date (created): 8/30/2004 7:34:34 PM
Date (last access): 8/14/2005 10:05:52 PM
Date (last write): 1/10/2005 1:20:36 PM
          Filesize:             218736
        Attributes:           archive
               MD5: 46CE9AE4F88ED616A149924F40EB10D7
             CRC32:           5BC5C6AE
           Version:           0.11.0.0



--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
          DPF name: Microsoft XML Parser for Java
        CLSID name:
       description:
    classification: Legitimate
    known filename: %WINDIR%\Java\classes\xmldso.cab
         info link:
       info source: Patrick M. Kolla

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
          DPF name:
        CLSID name: Windows Genuine Advantage Validation Tool
              Path: C:\WINDOWS\system32\
         Long name: LegitCheckControl.DLL
        Short name:       LEGITC~1.DLL
    Date (created): 7/12/2005 6:04:22 PM
Date (last access): 8/14/2005 10:05:52 PM
Date (last write): 8/3/2005 10:33:42 AM
          Filesize:             520456
        Attributes:           archive
               MD5: 386D5DD972E4F6A1CF7F626751FD29F7
             CRC32:           3C9940B2
           Version:            0.1.0.3

{1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class)
          DPF name:
        CLSID name: LSSupCtl Class
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name:       LSSupCtl.dll
        Short name:                   
    Date (created): 10/27/2004 3:10:26 PM
Date (last access): 8/14/2005 10:05:52 PM
Date (last write): 10/27/2004 3:10:26 PM
          Filesize:             111752
        Attributes:           archive
               MD5: C8FEBEA460AAD5C1B6817F9676E03F78
             CRC32:           807349F9
           Version:            0.3.0.1

{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner)
          DPF name:
        CLSID name: Symantec AntiVirus scanner
       description: Symantec online scanner
    classification: Legitimate
    known filename: AVSNIFF.DLL
         info link:
       info source: Patrick M. Kolla
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name:        avsniff.dll
        Short name:                   
    Date (created): 10/26/2004 7:14:08 PM
Date (last access): 8/14/2005 10:05:52 PM
Date (last write): 10/26/2004 7:14:08 PM
          Filesize:             197760
        Attributes:           archive
               MD5: 8C505A352CE49B8BB0822D67EF8892E6
             CRC32:           6768F662
           Version:          7.212.0.6

{4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool)
          DPF name:
        CLSID name: MSN Photo Upload Tool
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name:       MsnPUpld.dll
        Short name:                   
    Date (created): 10/8/2004 4:01:22 PM
Date (last access): 8/14/2005 10:05:54 PM
Date (last write): 10/8/2004 4:01:22 PM
          Filesize:             372736
        Attributes:           archive
               MD5: D2ED523BB0FE94F8F492BEFE1C336040
             CRC32:           C4677625
           Version:           0.10.0.0

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
          DPF name:
        CLSID name: WUWebControl Class
              Path: C:\WINDOWS\system32\
         Long name:          wuweb.dll
        Short name:                   
    Date (created): 8/3/2004 2:59:06 PM
Date (last access): 8/14/2005 10:05:54 PM
Date (last write): 5/26/2005 4:16:30 AM
          Filesize:             173536
        Attributes:           archive
               MD5: C459F2D5E64C942F3F66E1CD7F1C4C00
             CRC32:           EEF66B50
           Version:            0.5.0.8

{644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class)
          DPF name:
        CLSID name: Symantec RuFSI Utility Class
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name:          rufsi.dll
        Short name:                   
    Date (created): 10/26/2004 7:14:18 PM
Date (last access): 8/14/2005 10:05:54 PM
Date (last write): 10/26/2004 7:14:18 PM
          Filesize:             160928
        Attributes:           archive
               MD5: 7FC8A8D89A80ED7443F00C31AEDAC9A9
             CRC32:           3EC34C3D
           Version:          7.212.0.6

{9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control)
          DPF name:
        CLSID name: MSN File Upload Control
              Path: C:\WINDOWS\DOWNLO~1\
         Long name:        MsnUpld.dll
        Short name:                   
    Date (created): 5/19/2003 3:30:40 PM
Date (last access): 8/14/2005 10:05:54 PM
Date (last write): 5/19/2003 3:30:40 PM
          Filesize:             205880
        Attributes:           archive
               MD5: 0F6F48E86D0F5FE47E4C7D364B7C579B
             CRC32:           72C6AB39
           Version:            0.9.0.0

{9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
          DPF name:
        CLSID name:
       description: Windows Update
    classification: Legitimate
    known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
         info link:
       info source: Patrick M. Kolla

{CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class)
          DPF name:
        CLSID name: ActiveDataInfo Class
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name:       SymAData.dll
        Short name:                   
    Date (created): 12/20/2004 7:03:36 PM
Date (last access): 8/14/2005 10:05:54 PM
Date (last write): 12/20/2004 7:03:36 PM
          Filesize:             157288
        Attributes:           archive
               MD5: D39C8355D0587B6A3FD2325DA7E2919C
             CRC32:           B639D5B5
           Version:            0.2.0.0



--- Process list ---
Spybot - Search && Destroy process list report, 8/14/2005 10:21:52 PM

PID:    0 (   0) [System]
PID:    4 (   0) System
PID:  172 ( 540) C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PID:  416 (   4) \SystemRoot\System32\smss.exe
PID:  472 ( 416) csrss.exe
PID:  496 ( 416) \??\C:\WINDOWS\system32\winlogon.exe
PID:  540 ( 496) C:\WINDOWS\system32\services.exe
PID:  552 ( 496) C:\WINDOWS\system32\lsass.exe
PID:  696 ( 704) C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
PID:  704 ( 540) C:\WINDOWS\system32\svchost.exe
PID:  752 ( 540) svchost.exe
PID:  792 ( 540) C:\WINDOWS\System32\svchost.exe
PID:  836 ( 704) C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
PID:  848 ( 540) svchost.exe
PID:  940 ( 540) svchost.exe
PID: 1164 ( 540) C:\WINDOWS\system32\spoolsv.exe
PID: 1172 (1124) C:\WINDOWS\Explorer.EXE
PID: 1308 ( 540) C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
PID: 1340 (1172) C:\WINDOWS\system32\hkcmd.exe
PID: 1348 (1172) C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
PID: 1388 (1172) C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
PID: 1408 (1172) C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
PID: 1432 (1172) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PID: 1464 ( 704) C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
PID: 1524 (1172) C:\Program Files\Messenger\msmsgs.exe
PID: 1532 (1172) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PID: 1564 ( 540) C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PID: 1596 ( 540) C:\Program Files\Norton Internet Security\ISSVC.exe
PID: 1612 (1172) C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
PID: 1628 (1172) C:\Program Files\CallWave\IAM.exe
PID: 1644 (1172) C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
PID: 1664 ( 540) C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
PID: 1776 ( 540) C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
PID: 1796 ( 540) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PID: 1884 ( 540) C:\WINDOWS\System32\svchost.exe
PID: 1908 ( 540) C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PID: 1980 ( 540) wdfmgr.exe
PID: 2064 ( 836) C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
PID: 2584 (1172) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 2724 ( 540) alg.exe
PID: 3484 (3972) C:\Program Files\Outlook Express\msimn.exe
PID: 3972 (1172) C:\Program Files\Internet Explorer\iexplore.exe


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 8/14/2005 10:21:52 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
  C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
  http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
  http://groups.msn.com/SupportforChronicPain
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
  %SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
  http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
  http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
  http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
  http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
  http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
  http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

You probably already know this, but it's the top 3 items which are the threats that were found.  And I just wanted to know what they are before I "Fix" them.  Thanks very much  :)
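A small parser for the "View report" layout posted above, added here as an example; it is not Spybot's own code and was not part of the original thread.  It splits the report on its "--- ... ---" section headers, turns the search results and the startup entries into records, and then does two checks the log invites before anything is "fixed": list the startup entries that Spybot printed without a file/size/MD5 line (so there is no hash to compare against a known-good copy), and group entries that point at the same binary by MD5 (here the two dumprep entries).  The embedded sample is a constructed excerpt in the same layout as Brynn's log; the section titles and field names are taken from it.

```python
"""Parser for the Spybot S&D 1.x "View report" logfile layout.
Added example for this thread, not Spybot's own code; the sample below is a
constructed excerpt in the same layout as the report posted in the thread."""
import re
from typing import Dict, List

# Constructed sample: same section titles and field names as the posted log.
SAMPLE_LOG = r"""--- Search result list ---
LSA: Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa

LSA: Settings (Registry key, nothing done)
  HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa

--- Startup entries list ---
Located: HK_LM:Run, KernelFaultCheck
command: %systemroot%\system32\dumprep 0 -k
   file: C:\WINDOWS\system32\dumprep.exe
   size: 10752
    MD5: 13922eb54890c77005268882629a31fe

Located: HK_LM:Run, Microsoft Works Portfolio
command: C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

Located: HK_LM:Run, UserFaultCheck
command: %systemroot%\system32\dumprep 0 -u
   file: C:\WINDOWS\system32\dumprep.exe
   size: 10752
    MD5: 13922eb54890c77005268882629a31fe

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
   file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
   size: 1038336
    MD5: 58f7e6434d285f4c98ad3621e0bd8c8d

--- Browser helper object list ---
"""

SECTION_RE = re.compile(r"^--- (.+?) ---$")            # "--- Title ---"
FINDING_RE = re.compile(r"^(\S.*?): (.+?) \((.+?), (.+?)\)$")  # "LSA: Settings (Registry key, nothing done)"
LOCATED_RE = re.compile(r"^Located: (.+?), (.+)$")     # "Located: HK_LM:Run, Name"
FIELD_RE = re.compile(r"^\s*(command|file|size|MD5): (.*)$")


def split_sections(text: str) -> Dict[str, str]:
    """Map each '--- Title ---' header to the text that follows it."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return {name: "\n".join(body) for name, body in sections.items()}


def parse_findings(section: str) -> List[Dict[str, str]]:
    """'Product: Item (Kind, action)' followed by one indented target line."""
    lines = section.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = FINDING_RE.match(line)
        if m:
            target = lines[i + 1].strip() if i + 1 < len(lines) else ""
            findings.append({"product": m.group(1), "item": m.group(2),
                             "kind": m.group(3), "action": m.group(4),
                             "target": target})
    return findings


def parse_startup(section: str) -> List[Dict[str, str]]:
    """'Located: <hive>, <name>' opens a block; the command/file/size/MD5
    lines after it belong to that block.  Entries Spybot could not resolve
    to a file on disk carry only a command line."""
    entries: List[Dict[str, str]] = []
    for line in section.splitlines():
        m = LOCATED_RE.match(line)
        if m:
            entries.append({"location": m.group(1), "name": m.group(2)})
            continue
        f = FIELD_RE.match(line)
        if f and entries:
            entries[-1][f.group(1).lower()] = f.group(2).strip()
    return entries


def triage(text: str) -> Dict[str, object]:
    """Structured view of the report plus two checks worth doing by hand:
    startup entries with no file/hash to compare, and distinct entries that
    point at the same binary (same MD5)."""
    sections = split_sections(text)
    startup = parse_startup(sections.get("Startup entries list", ""))
    by_md5: Dict[str, List[str]] = {}
    for e in startup:
        if "md5" in e:
            by_md5.setdefault(e["md5"], []).append(e["name"])
    return {
        "findings": parse_findings(sections.get("Search result list", "")),
        "startup": startup,
        "unresolved": [e["name"] for e in startup if "file" not in e],
        "shared_md5": {h: n for h, n in by_md5.items() if len(n) > 1},
    }
```

Call triage(SAMPLE_LOG), or triage(open("spybot-report.txt").read()) on a saved report, and read the "unresolved" and "shared_md5" lists first; in the sample the Works Portfolio entry has no file line to check, and KernelFaultCheck and UserFaultCheck are the same dumprep.exe run with different arguments.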
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on August 15, 2005, 06:18:10 AM
Hhm.  I put LSA in Google, and found this:
http://www.microsoft.com/technet/security/bulletin/ms99-020.mspx
and this:
http://www.insecure.org/sploits/NT.LSA.secrets.html

Neither of which I understand, or helps me to understand the Spybot threat  :?
Title: Re: Spybot S&D Threat Descriptions?
Post by: Corrine on August 15, 2005, 11:41:38 AM
Hi, Brynn.  Let's start with SpyBot.  You need to uninstall version 1.3 and install version 1.4.  Please follow the instructions in the linked topics below.

Spybot-S&D 1.4 Final has been released.
Uninstalling Previous Spybot-S&D (http://www.safer-networking.org/en/faq/27.html)

Download (http://net-integration.net/spybotsd.html)

News (http://forums.net-integration.net/index.php?showtopic=31735#)

It is possible that the old version combined with the new update is picking up on an old MS patch for the denial of service vulnerability.

If SpyBot still returns the same threat after v1.4 is installed & updated, please post a new logfile.  You will see those additional options to uncheck with v1.4.  Please do let us know if there are no findings as well.  :)
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on August 15, 2005, 01:16:34 PM
Oh geez!
Well I had just scanned with Spybot a few days before -- Thursday -- and it was clean.  So either I just picked up this LSA, or I just got the definition to detect it....I guess...???

Ok, then I should just do nothing with these LSA threats, or maybe they're "threats"?  What about Hijack This?  Not to be disrespectful, but normally I give brand new versions (of anything) a few months before I use them, just to make sure those surprise glitches, which seem to often occur with new versions (of anything), get worked out before I use it.

....SIGH!!!....
Ok, well, I need to get the new v of Ad-Aware.  And I just read where there's a new v of Hijack This.  So I will ignore...I mean personally I will ignore the LSA, for now, not that I'm going to tell Spybot to ignore it ;)  Then I will go and get brand new everything, brand new definitions, and scan with everything!  :lol:

Yes, I will definitely keep you posted, one way or another.  Thank you very much.
Geez, this security business is beginning to take more time than what I spend online in the first place!  AAaaaarrrggh!!!
Title: Re: Spybot S&D Threat Descriptions?
Post by: Corrine on August 17, 2005, 11:38:04 PM
:lol: Brynn.  Yes, staying up to date does take a lot of time to keep your computer protected.  But, you have a major investment in those bits & bytes.

Don't forget to uninstall SpyBot & upgrade to the new version.  That could be the source of the issue with LSA. 

If you want to post an Ad-Aware log, you can do that as a reply in this thread. 
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on August 19, 2005, 08:10:34 AM
Hi Corrine,
Ok, I finally finished uninstalling, downloading, and installing new versions of CWShredder, Ad-Aware SE Personal, Spybot S&D, IE-SpyAd, and CCleaner (which I realize is not a security program, but useful just the same).  I thought I had read there was a new version of Hijack This, but it turns out I have the newest version.  In any case, all my scans are now clean.   You were right about the LSA threat in my last scan with the old Spybot S&D version.  It does not show up in scans with the new version.  So yeehaa!!  :gwave:

OH!  But wow :shock: the scan goes super fast with the new version!!  It's like a flash!  I ran 3 scans in a row, thinking the scan was somehow aborting, immediately after it started.  I mean, when I was downloading the new version, it did say it was a little faster.  I just didn't expect it to be this fast.  My goodness, the scan used to take 10 or 15 minutes, and with the new version, it takes about 5 seconds, no kidding!  I wish Ad-Aware and Norton would make their scans that fast  :)

Well anyway, many, many, many thanks, Corrine!  I so appreciate your patience, help and support.  All best  :D
Title: Re: Spybot S&D Threat Descriptions?
Post by: Corrine on August 19, 2005, 11:18:30 AM
Great news, Brynn!  Thanks for letting me know.

You can keep track of "updates" by subscribing to the threads in our Update forum here.  Then you'll know when all your favorite security programs have been updated. 
Title: Re: Spybot S&D Threat Descriptions?
Post by: winchester73 on August 19, 2005, 11:57:29 AM
Forgive the intrusion in this thread ...

I see you are running Acrobat Reader 5.0 ... you might wish to update to 7.0.3.

Also, you might wish to consider a few other security applications:

Javacool's SpywareBlaster and SpywareGuard:  http://www.javacoolsoftware.com/downloads.html

Eric Howe's IE-Spyad restricted list:  https://netfiles.uiuc.edu/ehowes/www/resource.htm

Personally, I consider them essential on any computer I use.
Title: Re: Spybot S&D Threat Descriptions?
Post by: Corrine on August 19, 2005, 01:56:00 PM
Great suggestions, Winchester73!  Thanks & please step in any time.  :)
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on August 20, 2005, 02:20:21 AM
Guns and computers, huh?  ...interesting!
Ok, just kidding  :D

Thanks, winchester73.  I more than welcome any tip from a professional!
But darn it, it seems like I just downloaded a current Acrobat Reader.  Maybe I didn't install it right, or something.  I'll look into it.  But I do use IE-SpyAd, and just got the newest version (per my last message).

On the new security programs, can you please tell me, what are the benefits of Javacool's SpywareBlaster and SpywareGuard?  It's just I'm starting to feel like I'm bordering on over-kill, with all this security stuff.  But of course I want to be protected.  Anyway, what do these programs do, that all my other programs don't?  I know I can follow your link and read about it, but I'm hoping you can make it easier for me?  LOL!!  I don't mean to be insulting, like I'm using you or wasting your time.  I'm just plain lazy.  Veeerrry lazy!  As I intimated earlier, the whole computer security industry, or maybe more the whole need for so much security, is overwhelming to me, and I assume most "average" computer/internet users.  So anyway, if it's too much trouble for you to explain, don't worry about it.  I will go and read about it.  I very, very much appreciate your comments already.

All best  :)
Title: Re: Spybot S&D Threat Descriptions?
Post by: roddy32 on August 20, 2005, 12:21:25 PM
Quote from: Brynn on August 19, 2005, 08:10:34 AM


OH!  But wow :shock: the scan goes super fast with the new version!!  It's like a flash!  I ran 3 scans in a row, thinking the scan was somehow aborting, immediately after it started.  I mean, when I was downloading the new version, it did say it was a little faster.  I just didn't expect it to be this fast.  My goodness, the scan used to take 10 or 15 minutes, and with the new version, it takes about 5 seconds, no kidding!  I wish Ad-Aware and Norton would make their scans that fast  :)

Well anyway, many, many, many thanks, Corrine!  I so appreciate your patience, help and support.  All best  :D

I would like to jump in here too. I apologize if someone else noted this but I didn't see it. The reason your scan is only taking 5 seconds is that the newest immunizations and detections are not enabled. Just about everybody mentioned this at CNET when they first downloaded and ran 1.4, and the reason is that it is only scanning for the detections that first came with the original download of the program, which were extremely minimal. Open Spybot and check for updates one more time to make sure there are no more. Then on the left side of the program, click the "Immunization shield". That will take you to the "immunization" page. Make sure there is a checkmark in the bottom box that says "enable permanent blocking of all bad addresses in Internet Explorer". I would also select "block all bad pages silently" in the dropdown box so you don't get a notice every time something is blocked. Then at the top of the program, click the green "+" sign. Then close the program and open it again and see if it does a normal scan.  :)
Title: Re: Spybot S&D Threat Descriptions?
Post by: Corrine on August 20, 2005, 05:45:30 PM
Excellent advice, Roddy! 

Regarding the Javacool software, copied from the website:   

SpywareBlaster 3.4

Prevent the installation of spyware and other potentially unwanted software!
SpywareBlaster is freeware. Please consider donating to further our cause! Click here for more information.

Spyware, adware, browser hijackers, and dialers are some of the fastest-growing threats on the Internet today.
By simply browsing to a web page, you could find your computer to be the brand-new host of one of these unwanted fiends!

The most important step you can take is to secure your system. And SpywareBlaster is the most powerful protection program available.

# Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
# Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
# Restrict the actions of potentially unwanted sites in Internet Explorer.

SpywareBlaster can help keep your system spyware-free and secure, without interfering with the "good side" of the web.
And unlike other programs, SpywareBlaster does not have to remain running in the background.
SpywareBlaster is freeware for personal and educational use. 

SpywareGuard 2.2

A real-time protection solution against spyware!
SpywareGuard is freeware. Please consider donating to further our cause!

SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.

An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware! And you can easily have an anti-virus program running alongside SpywareGuard.

SpywareGuard now also features Download Protection and Browser Hijacking Protection!

Features Listing:

    * Fast Real-Time Scanning engine - catch and block spyware before it is executed (EXE and CAB files supported) with signature-based scanning for known spyware and heuristic/generic detection capabilities to catch new/mutated spyware
    * Download Protection - prevent spyware from being downloaded in Internet Explorer
    * Browser Hijacking Protection - stop browser hijacking activity in real-time
    * SG LiveUpdate - provides an easy updating solution
    * Small size - with a small size and small definition sizes, download and updates are quick
    * Report Capabilities - keep a detailed log of all spyware detected
    * Spyware files are blocked before being opened or run - they are not simply shut down after they are loaded in memory (and after they have performed their tasks)
    * It's a free download

The bottom line about both programs is that they work silently in the background keeping spyware off your system in the first place as well as helping to prevent browser hijacks.

Brynn, if you are finding it a bit much to keep track of security software updates, why not subscribe to the threads in the LzD Forum Updates & Alerts (http://www.landzdown.com/index.php/board,10.0.html) forum.  This way, when there is an update to the threads you have subscribed to, you will receive an email notification.  That way, you won't miss an update, yet won't be bothered with checking all the time for infrequently updated software programs.
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on August 27, 2005, 05:29:13 PM
 :cry:
Looks like the saga is not over yet, Friends.
I did realize that I had not Immunized with the new version, just before my scan today.  So I Immunized and scanned, and the darn LSA shows up again.  It gets worse...confusing the LSA, temporarily, with something else, I thought I should tell Spybot S&D to Ignore it.  I don't even know what I was thinking about.  So the most immediate concern, is how do I "un-Ignore" it.  As soon as I can do that, I will post a new log.  While waiting for a reply here, I will be trying to figure out how to "un-Ignore" by myself.  But if you're reading this and find no new log below, please let me know how.

Thanks Everyone, for all the awesome info posted to this thread.
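The reports posted in this thread follow the Spybot 1.4 "View report" layout: a "--- Startup entries list ---" section that records each autostart entry with the file it points at and that file's MD5, and a "--- Process list ---" section that records every running image with its MD5. Two things are worth checking mechanically rather than by eye: an autostart entry whose "file:" line is empty (the Run value points at a file Spybot could not find on disk), and an image that carries one hash in the startup list and a different one in the process list. The script below is an added example, not code from this thread or from Safer Networking. The sample log it parses is constructed from the report format used here, with the TeaTimer process hash deliberately changed to all zeros so the mismatch check has something to report; the section titles and field names are taken from the posted reports, everything else is assumed.

```python
# Triage helper for the Spybot S&D 1.4 "View report" format (added example).
# Spybot writes startup-list MD5s in lower case and process-list MD5s in upper
# case, so hashes are compared case-insensitively; a real mismatch means the
# running image is not the file the Run entry was hashed from.
import re
from collections import defaultdict

# Constructed sample: blocks in the shape of the report posted in this thread,
# with the TeaTimer *process* hash altered on purpose (all zeros).
SAMPLE_LOG = r"""--- Startup entries list ---
Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
   file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
   size: 58992
    MD5: 35e1f41f9cea284f8484172180dc1012

Located: HK_LM:Run, Microsoft Works Portfolio
command: C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
   file:

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
   file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
   size: 1415824
    MD5: 70496eee0ddbe485f658693826f44d38

--- Process list ---
PID:    0 (   0) [System]
PID: 1436 (1132) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 58992
  MD5: 35E1F41F9CEA284F8484172180DC1012
PID: 1488 (1132) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
  MD5: 00000000000000000000000000000000
"""

SECTION_RE = re.compile(r"^--- (.+?) ---$")
PID_RE = re.compile(r"^PID:\s*(\d+)\s*\(\s*(\d+)\)\s*(.*)$")

def split_sections(text):
    """Group report lines under their '--- Title ---' headers."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
        elif current is not None:
            sections[current].append(line)
    return sections

def _records(lines, header):
    """A header line (recognised by `header`) starts a record; the
    'key: value' lines that follow are attached to it until the next header."""
    records, rec = [], None
    for line in lines:
        s = line.strip()
        new = header(s)
        if new is not None:
            rec = dict(new, file="", md5="")  # defaults used by the checks
            records.append(rec)
        elif rec is not None and ":" in s:
            key, _, value = s.partition(":")
            rec[key.strip().lower()] = value.strip()
    return records

def parse_startup(lines):
    return _records(lines, lambda s: {"located": s[8:].strip()}
                    if s.startswith("Located:") else None)

def parse_processes(lines):
    def header(s):
        m = PID_RE.match(s)
        return m and {"pid": int(m[1]), "ppid": int(m[2]), "image": m[3].strip()}
    return _records(lines, header)

def orphaned_autostarts(entries):
    """Run/Startup entries whose 'file:' line is empty."""
    return [e["located"] for e in entries if not e["file"]]

def hash_mismatches(entries, procs):
    """(image, startup_md5, process_md5) for paths hashed differently."""
    expected = {e["file"].lower(): e["md5"].lower()
                for e in entries if e["file"] and e["md5"]}
    return [(p["image"], expected[p["image"].lower()], p["md5"].lower())
            for p in procs
            if p["md5"] and p["image"].lower() in expected
            and p["md5"].lower() != expected[p["image"].lower()]]

def triage(report_text):
    sections = split_sections(report_text)
    entries = parse_startup(sections.get("Startup entries list", []))
    procs = parse_processes(sections.get("Process list", []))
    return {"entries": len(entries), "processes": len(procs),
            "orphaned": orphaned_autostarts(entries),
            "mismatched": hash_mismatches(entries, procs)}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name in result["orphaned"]:
        print("orphaned autostart:", name)
    for image, on_disk, running in result["mismatched"]:
        print(f"hash mismatch: {image}\n  startup list {on_disk}\n  process list {running}")
```

On the constructed sample this reports the Microsoft Works Portfolio entry as orphaned and TeaTimer.exe as a hash mismatch, while ccApp.exe passes because only the letter case of its two hashes differs. To use it on a real report, paste the whole log into a file and call triage() on its contents; an orphaned entry is usually just leftover from an uninstall, but a genuine hash mismatch on a security product's own binary is worth following up.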
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on August 27, 2005, 06:27:29 PM
Ok, I have now "un-Ignored" the LSA threat, scanned again, and logfile posted below.
By the way, I noticed several items checked off in the Ignore lists, but which I did not put there.  I don't know if this came with the new version, and are supposed to be Ignored by design, or if they might have come from the previous version.  However, in the previous version, I never instructed to Ignore either.  :uhm:  So I have done nothing with all the other Ignored items which I found, but if anyone knows what's up with that, I would be interested in and appreciative of an explanation.  Thanks  :)

{Please  pardon these experiments with the editor's available formatting.  Just curious.}

--- Search result list ---
LSA: Settings (Registry key, nothing done)
  HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa

LSA: Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-21-1659004503-1965331169-682003330-1003\SYSTEM\CurrentControlSet\Control\Lsa

LSA: Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa


--- Spybot - Search & Destroy version: 1.4  (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-08-16 spybotsd14.exe (0.0.0.0)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-08-16 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-04-26 Includes\Cookies.sbi (*)
2005-08-26 Includes\Dialer.sbi (*)
2005-08-26 Includes\Hijackers.sbi (*)
2005-08-16 Includes\Keyloggers.sbi (*)
2005-08-26 Includes\Malware.sbi (*)
2005-08-12 Includes\PUPS.sbi (*)
2005-04-27 Includes\Revision.sbi (*)
2005-08-25 Includes\Security.sbi (*)
2005-08-16 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-08-26 Includes\Trojans.sbi (*)



--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB834707
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB885884
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB887797
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Update for Windows XP (KB896727)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899588)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900930)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)


--- Startup entries list ---
Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
   file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
   size: 58992
    MD5: 35e1f41f9cea284f8484172180dc1012

Located: HK_LM:Run, HotKeysCmds
command: C:\WINDOWS\system32\hkcmd.exe
   file: C:\WINDOWS\system32\hkcmd.exe
   size: 118784
    MD5: 66a5047df0c0cec911b95b5b1e24cebc

Located: HK_LM:Run, IgfxTray
command: C:\WINDOWS\system32\igfxtray.exe
   file: C:\WINDOWS\system32\igfxtray.exe
   size: 155648
    MD5: d24b9b36c06ca0acf7ca2c69d9bb25b5

Located: HK_LM:Run, KernelFaultCheck
command: %systemroot%\system32\dumprep 0 -k
   file: C:\WINDOWS\system32\dumprep.exe
   size: 10752
    MD5: 13922eb54890c77005268882629a31fe

Located: HK_LM:Run, Microsoft Works Portfolio
command: C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
   file:

Located: HK_LM:Run, Microsoft Works Update Detection
command: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
   file: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
   size: 28738
    MD5: 5ac34c17115d3818dc9c9f5b2d909858

Located: HK_LM:Run, MMTray
command: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
   file: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
   size: 90112
    MD5: 9d20ca8871a7a138f0a0f63553eb2d57

Located: HK_LM:Run, Share-to-Web Namespace Daemon
command: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
   file: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
   size: 57344
    MD5: d4f5faa2fd2dc5923c82ee5808beed7c

Located: HK_LM:Run, Symantec NetDriver Monitor
command: C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
   file: C:\PROGRA~1\SYMNET~1\SNDMon.exe
   size: 100056
    MD5: f9418981ee4d7e995d359833adab59d5

Located: HK_LM:Run, UserFaultCheck
command: %systemroot%\system32\dumprep 0 -u
   file: C:\WINDOWS\system32\dumprep.exe
   size: 10752
    MD5: 13922eb54890c77005268882629a31fe

Located: HK_LM:Run, WorksFUD
command: C:\Program Files\Microsoft Works\wkfud.exe
   file: C:\Program Files\Microsoft Works\wkfud.exe
   size: 24576
    MD5: 8f13ea2d495ae946b1f33898ada8fdd5

Located: HK_CU:Run, MSMSGS
command: "C:\Program Files\Messenger\msmsgs.exe" /background
   file: C:\Program Files\Messenger\msmsgs.exe
   size: 1694208
    MD5: 74e6e96c6f0e2eca4edbb7f7a468f259

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
   file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
   size: 1415824
    MD5: 70496eee0ddbe485f658693826f44d38

Located: Startup (common), Adobe Reader Speed Launch.lnk
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
   file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
   size: 29696
    MD5: deb88aef013dd1eefb462d7cad642166

Located: Startup (common), HPAiODevice(hp psc 700 series) - 1.lnk
command: C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
   file: C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
   size: 487484
    MD5: 4f465e03aa8cfa07755b76b49f353887

Located: Startup (common), Internet Answering Machine.lnk
command: C:\Program Files\CallWave\IAM.exe
   file: C:\Program Files\CallWave\IAM.exe
   size: 1061984
    MD5: 7b6f470379196e954b3ae266edd2aa38

Located: Startup (common), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office10\OSA.EXE
   file: C:\Program Files\Microsoft Office\Office10\OSA.EXE
   size: 83360
    MD5: 5bc65464354a9fd3beaa28e18839734a

Located: Startup (common), Microsoft Works Calendar Reminders.lnk
command: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
   file: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
   size: 24633
    MD5: 39fdfd34f7b04290d1bc53e3d6ec7d83

Located: System.ini, crypt32chain
command: crypt32.dll
   file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
   file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
   file: cscdll.dll

Located: System.ini, igfxcui
command: igfxsrvc.dll
   file: igfxsrvc.dll

Located: System.ini, ScCertProp
command: wlnotify.dll
   file: wlnotify.dll

Located: System.ini, Schedule
command: wlnotify.dll
   file: wlnotify.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
   file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
   file: WlNotify.dll

Located: System.ini, termsrv
command: wlnotify.dll
   file: wlnotify.dll

Located: System.ini, wlballoon
command: wlnotify.dll
   file: wlnotify.dll



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
          BHO name:
        CLSID name: AcroIEHlprObj Class
       description: Adobe Acrobat reader
    classification: Legitimate
    known filename: AcroIEhelper.ocx
AcroIEhelper.dll
         info link: http://www.adobe.com/products/acrobat/readstep2.html
       info source: TonyKlein
              Path: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\
         Long name:   AcroIEHelper.dll
        Short name:       ACROIE~1.DLL
    Date (created): 12/14/2004 1:56:50 AM
Date (last access): 8/27/2005 11:44:30 AM
Date (last write): 12/14/2004 1:56:50 AM
          Filesize:              63136
        Attributes:           archive
               MD5: 42729C3DE75A7A51FC6F9EF6546C9199
             CRC32:           4D60BD07
           Version:         7.0.0.1333

{53707962-6F74-2D53-2644-206D7942484F} ()
          BHO name:
        CLSID name:
       description: Spybot-S&D IE Browser plugin
    classification: Legitimate
    known filename: SDhelper.dll
         info link: http://spybot.eon.net.au/
       info source: Patrick M. Kolla
              Path: C:\PROGRA~1\SPYBOT~1\
         Long name:       SDHelper.dll
        Short name:                   
    Date (created): 8/16/2005 12:41:02 AM
Date (last access): 8/27/2005 11:44:32 AM
Date (last write): 5/31/2005 1:04:00 AM
          Filesize:             853672
        Attributes:           archive
               MD5: 250D787A5712D7768DDC133B3E477759
             CRC32:           D4589A41
           Version:            1.4.0.0

{9ECB9560-04F9-4bbc-943D-298DDF1699E1} (Norton Internet Security)
          BHO name: Norton Internet Security
        CLSID name: CNisExtBho Class
       description: NIS 2004,
    classification: Legitimate
    known filename: NISShExt.dll
         info link: http://www.symantec.com/sabu/nis/nis_pe/
       info source: TonyKlein
              Path: C:\Program Files\Common Files\Symantec Shared\AdBlocking\
         Long name:       NISShExt.dll
        Short name:                   
    Date (created): 8/31/2004 3:29:54 AM
Date (last access): 8/27/2005 11:44:24 AM
Date (last write): 8/31/2004 3:29:54 AM
          Filesize:             103568
        Attributes:           archive
               MD5: C022E044C7693F7581FFA624BC61BA16
             CRC32:           AAC028CD
           Version:           8.0.0.64

{BDF3E430-B101-42AD-A544-FADC6B084872} (NAV Helper)
          BHO name: NAV Helper
        CLSID name: CNavExtBho Class
       description: Norton Antivirus
    classification: Legitimate
    known filename: NavShExt.dll
         info link: http://www.symantec.com/nav/nav_9xnt/
       info source: TonyKlein
              Path: C:\Program Files\Norton Internet Security\Norton AntiVirus\
         Long name:       NAVSHEXT.DLL
        Short name:                   
    Date (created): 8/30/2004 7:34:34 PM
Date (last access): 8/27/2005 11:44:32 AM
Date (last write): 1/10/2005 1:20:36 PM
          Filesize:             218736
        Attributes:           archive
               MD5: 46CE9AE4F88ED616A149924F40EB10D7
             CRC32:           5BC5C6AE
           Version:          11.0.9.16



--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
          DPF name: Microsoft XML Parser for Java
        CLSID name:
         Installer:
          Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
       description:
    classification: Legitimate
    known filename: %WINDIR%\Java\classes\xmldso.cab
         info link:
       info source: Patrick M. Kolla

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
          DPF name:
        CLSID name: Windows Genuine Advantage Validation Tool
         Installer: C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf
          Codebase: http://go.microsoft.com/fwlink/?linkid=39204
       description:
    classification: Legitimate
    known filename: LegitCheckControl.DLL
         info link:
       info source: Safer Networking Ltd.
              Path: C:\WINDOWS\system32\
         Long name: LegitCheckControl.DLL
        Short name:       LEGITC~1.DLL
    Date (created): 7/12/2005 6:04:22 PM
Date (last access): 8/27/2005 4:46:44 AM
Date (last write): 8/3/2005 10:33:42 AM
          Filesize:             520456
        Attributes:           archive
               MD5: 386D5DD972E4F6A1CF7F626751FD29F7
             CRC32:           3C9940B2
           Version:          1.3.265.0

{1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class)
          DPF name:
        CLSID name: LSSupCtl Class
         Installer: C:\WINDOWS\Downloaded Program Files\LSSupCtl.inf
          Codebase: https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
       description:
    classification: Legitimate
    known filename: LSSupCtl.dll
         info link:
       info source: Safer Networking Ltd.
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name:       LSSupCtl.dll
        Short name:                   
    Date (created): 10/27/2004 3:10:26 PM
Date (last access): 8/27/2005 11:44:12 AM
Date (last write): 10/27/2004 3:10:26 PM
          Filesize:             111752
        Attributes:           archive
               MD5: C8FEBEA460AAD5C1B6817F9676E03F78
             CRC32:           807349F9
           Version:            3.1.0.5

{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner)
          DPF name:
        CLSID name: Symantec AntiVirus scanner
         Installer: C:\WINDOWS\Downloaded Program Files\avsniff.inf
          Codebase: http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
       description: Symantec online scanner
    classification: Legitimate
    known filename: AVSNIFF.DLL
         info link:
       info source: Patrick M. Kolla
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name:        avsniff.dll
        Short name:                   
    Date (created): 10/26/2004 7:14:08 PM
Date (last access): 8/27/2005 11:44:10 AM
Date (last write): 10/26/2004 7:14:08 PM
          Filesize:             197760
        Attributes:           archive
               MD5: 8C505A352CE49B8BB0822D67EF8892E6
             CRC32:           6768F662
           Version:       2004.6.23.54

{4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool)
          DPF name:
        CLSID name: MSN Photo Upload Tool
         Installer: C:\WINDOWS\Downloaded Program Files\MSNPupld.inf
          Codebase: http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
       description:
    classification: Legitimate
    known filename: MsnPUpld.dll
         info link:
       info source: Safer Networking Ltd.
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name:       MsnPUpld.dll
        Short name:                   
    Date (created): 10/8/2004 4:01:22 PM
Date (last access): 8/27/2005 11:44:12 AM
Date (last write): 10/8/2004 4:01:22 PM
          Filesize:             372736
        Attributes:           archive
               MD5: D2ED523BB0FE94F8F492BEFE1C336040
             CRC32:           C4677625
           Version:         10.0.910.0

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
          DPF name:
        CLSID name: WUWebControl Class
         Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
          Codebase: http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102567996858
       description:
    classification: Legitimate
    known filename: wuweb.dll
         info link:
       info source: Safer Networking Ltd.
              Path: C:\WINDOWS\system32\
         Long name:          wuweb.dll
        Short name:                   
    Date (created): 8/3/2004 2:59:06 PM
Date (last access): 8/27/2005 4:48:04 AM
Date (last write): 5/26/2005 4:16:30 AM
          Filesize:             173536
        Attributes:           archive
               MD5: C459F2D5E64C942F3F66E1CD7F1C4C00
             CRC32:           EEF66B50
           Version:         5.8.0.2469

{644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class)
          DPF name:
        CLSID name: Symantec RuFSI Utility Class
         Installer: C:\WINDOWS\Downloaded Program Files\CabSA.inf
          Codebase: http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
       description:
    classification: Legitimate
    known filename: rufsi.dll
         info link:
       info source: Safer Networking Ltd.
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name:          rufsi.dll
        Short name:                   
    Date (created): 10/26/2004 7:14:18 PM
Date (last access): 8/27/2005 11:44:12 AM
Date (last write): 10/26/2004 7:14:18 PM
          Filesize:             160928
        Attributes:           archive
               MD5: 7FC8A8D89A80ED7443F00C31AEDAC9A9
             CRC32:           3EC34C3D
           Version:       2004.6.23.42

{9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control)
          DPF name:
        CLSID name: MSN File Upload Control
         Installer: C:\WINDOWS\Downloaded Program Files\MsnUpld.inf
          Codebase: http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
       description:
    classification: Open for discussion
    known filename: MsnUpld.dll
         info link:
       info source: Safer Networking Ltd.
              Path: C:\WINDOWS\DOWNLO~1\
         Long name:        MsnUpld.dll
        Short name:                   
    Date (created): 5/19/2003 3:30:40 PM
Date (last access): 8/27/2005 11:44:12 AM
Date (last write): 5/19/2003 3:30:40 PM
          Filesize:             205880
        Attributes:           archive
               MD5: 0F6F48E86D0F5FE47E4C7D364B7C579B
             CRC32:           72C6AB39
           Version:       9.0.305.1501

{9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
          DPF name:
        CLSID name:
         Installer: C:\WINDOWS\Downloaded Program Files\iuctl.inf
          Codebase: http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38490.7334375
       description: Windows Update
    classification: Legitimate
    known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
         info link:
       info source: Patrick M. Kolla

{CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class)
          DPF name:
        CLSID name: ActiveDataInfo Class
         Installer:
          Codebase: https://www-secure.symantec.com/techsupp/asa/SymAData.cab
       description:
    classification: Open for discussion
    known filename: SymAData.dll
         info link:
       info source: Safer Networking Ltd.
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name:       SymAData.dll
        Short name:                   
    Date (created): 12/20/2004 7:03:36 PM
Date (last access): 8/27/2005 11:44:12 AM
Date (last write): 12/20/2004 7:03:36 PM
          Filesize:             157288
        Attributes:           archive
               MD5: D39C8355D0587B6A3FD2325DA7E2919C
             CRC32:           B639D5B5
           Version:            2.0.0.2



--- Process list ---
PID:    0 (   0) [System]
PID:  424 (   4) \SystemRoot\System32\smss.exe
PID:  472 ( 424) \??\C:\WINDOWS\system32\csrss.exe
PID:  496 ( 424) \??\C:\WINDOWS\system32\winlogon.exe
PID:  540 ( 496) C:\WINDOWS\system32\services.exe
size: 108032
  MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID:  552 ( 496) C:\WINDOWS\system32\lsass.exe
size: 13312
  MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID:  696 ( 540) C:\WINDOWS\system32\svchost.exe
size: 14336
  MD5: 8F078AE4ED187AAABC0A305146DE6716
PID:  752 ( 540) C:\WINDOWS\system32\svchost.exe
size: 14336
  MD5: 8F078AE4ED187AAABC0A305146DE6716
PID:  788 ( 540) C:\WINDOWS\System32\svchost.exe
size: 14336
  MD5: 8F078AE4ED187AAABC0A305146DE6716
PID:  836 ( 540) C:\WINDOWS\System32\svchost.exe
size: 14336
  MD5: 8F078AE4ED187AAABC0A305146DE6716
PID:  884 ( 540) C:\WINDOWS\System32\svchost.exe
size: 14336
  MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1132 (1112) C:\WINDOWS\Explorer.EXE
size: 1032192
  MD5: A0732187050030AE399B241436565E64
PID: 1172 ( 540) C:\WINDOWS\system32\spoolsv.exe
size: 57856
  MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1316 (1132) C:\WINDOWS\system32\hkcmd.exe
size: 118784
  MD5: 66A5047DF0C0CEC911B95B5B1E24CEBC
PID: 1328 (1132) C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
size: 90112
  MD5: 9D20CA8871A7A138F0A0F63553EB2D57
PID: 1352 ( 540) C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
size: 235120
  MD5: 71AF96E742972836B3FD4EA4B3C96206
PID: 1420 (1132) C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
size: 28738
  MD5: 5AC34C17115D3818DC9C9F5B2D909858
PID: 1428 (1132) C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
size: 57344
  MD5: D4F5FAA2FD2DC5923C82EE5808BEED7C
PID: 1436 (1132) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 58992
  MD5: 35E1F41F9CEA284F8484172180DC1012
PID: 1472 (1132) C:\Program Files\Messenger\msmsgs.exe
size: 1694208
  MD5: 74E6E96C6F0E2ECA4EDBB7F7A468F259
PID: 1488 (1132) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
  MD5: 70496EEE0DDBE485F658693826F44D38
PID: 1536 ( 696) C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
size: 65536
  MD5: E508B0095D4871A6DB4AB32B878501EE
PID: 1584 (1132) C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
size: 487484
  MD5: 4F465E03AA8CFA07755B76B49F353887
PID: 1592 (1132) C:\Program Files\CallWave\IAM.exe
size: 1061984
  MD5: 7B6F470379196E954B3AE266EDD2AA38
PID: 1612 (1132) C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
size: 24633
  MD5: 39FDFD34F7B04290D1BC53E3D6EC7D83
PID: 1656 ( 540) C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
size: 181872
  MD5: 67DD2CF35CDB1864E06F10F1334C0C17
PID: 1684 ( 540) C:\Program Files\Norton Internet Security\ISSVC.exe
size: 83584
  MD5: 64BC5239264896C8D8FCE558CFBA029B
PID: 1724 ( 540) C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
size: 177264
  MD5: EAD98778AFDE3F53137A498E0D425B08
PID: 1812 ( 540) C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
size: 206552
  MD5: 443E397643965E08C5AB6A6CAA732B97
PID: 1844 ( 540) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
size: 173160
  MD5: 08FA56B7C13B4CBF0E5D351AECAD92B1
PID: 1920 ( 540) C:\WINDOWS\System32\svchost.exe
size: 14336
  MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1932 ( 540) C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
size: 819352
  MD5: F11341CD0D1DC5EFF5FEFFCC7424984E
PID: 2036 ( 540) C:\WINDOWS\system32\wdfmgr.exe
size: 38912
  MD5: C81B8635DEE0D3EF5F64B3DD643023A5
PID:  256 ( 540) C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
size: 198256
  MD5: BEEE55546518F7010779A43F3ADFC3B3
PID:  324 ( 696) C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
size: 299008
  MD5: 7E50340CD17EAA1193B810556B62BDC0
PID: 1036 ( 324) C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
size: 290816
  MD5: C323AB1C22DCBD61F9BF7CBDD9E4B42E
PID: 2628 ( 540) C:\WINDOWS\System32\alg.exe
size: 44544
  MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 1772 (1132) C:\Program Files\Internet Explorer\iexplore.exe
size: 93184
  MD5: E7484514C0464642BE7B4DC2689354C8
PID:  408 ( 696) C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
size: 119952
  MD5: 3927925DF9F3542DD016D3E65CCC71B1
PID: 3332 (1132) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
  MD5: 09CA174A605B480318731E691DC98539
PID: 4048 (1132) C:\Program Files\Internet Explorer\iexplore.exe
size: 93184
  MD5: E7484514C0464642BE7B4DC2689354C8
PID:    4 (   0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 8/27/2005 11:56:00 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
  C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
  http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
  http://groups.msn.com/SupportforChronicPain
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
  %SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
  http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
  http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
  http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
  http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
  http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
  http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol  0: MSAFD Tcpip [TCP/IP]
        GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip


Protocol  1: MSAFD Tcpip [UDP/IP]
        GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol  2: MSAFD Tcpip [RAW/IP]
        GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol  3: RSVP UDP Service Provider
        GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol  4: RSVP TCP Service Provider
        GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol  5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{58F27E98-0D84-426D-ACBE-299C43ADE18B}] SEQPACKET 0
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol  6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{58F27E98-0D84-426D-ACBE-299C43ADE18B}] DATAGRAM 0
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol  7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AC55C600-8B39-4C9E-B0B8-7D990531A3EF}] SEQPACKET 1
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol  8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AC55C600-8B39-4C9E-B0B8-7D990531A3EF}] DATAGRAM 1
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol  9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8B6454C4-BD1F-43B5-B5A6-16D8E5B746E8}] SEQPACKET 2
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8B6454C4-BD1F-43B5-B5A6-16D8E5B746E8}] DATAGRAM 2
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C9903E8E-FD11-44B7-A3FC-C2A8CCFF4A11}] SEQPACKET 3
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C9903E8E-FD11-44B7-A3FC-C2A8CCFF4A11}] DATAGRAM 3
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{87C79C23-3A82-4550-8611-418A1B4321BA}] SEQPACKET 4
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{87C79C23-3A82-4550-8611-418A1B4321BA}] DATAGRAM 4
            GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
        Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Namespace Provider  0: Tcpip
            GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
        Filename: %SystemRoot%\System32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: TCP/IP

    Namespace Provider  1: NTDS
            GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
        Filename: %SystemRoot%\System32\winrnr.dll
    Description: Microsoft Windows NT/2k/XP name space provider
    DB filename: %SystemRoot%\system32\winrnr.dll
    DB protocol: NTDS

    Namespace Provider  2: Network Location Awareness (NLA) Namespace
            GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
        Filename: %SystemRoot%\System32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP name space provider
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: NLA-Namespace
    End of report/file.
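The Spybot report above lists, for every Winsock provider, the DLL actually registered on the machine next to the DLL Spybot's database expects for that GUID; an LSP hijack shows up as a disagreement between the two. As an added example (not part of the thread and not Spybot S&D code), this Python script parses a report in that layout and flags any entry whose installed DLL differs from the database record or sits outside a system32 directory. The sample report is constructed: Protocol 4 and the NTDS provider are copied from the listing above, while "Protocol 5" is a made-up tampered entry with placeholder path and GUID.

```python
# Check a Spybot S&D Winsock LSP report for tampered layered service providers.
# Added example for this thread, not Spybot S&D code; the sample report below is
# constructed in the layout Spybot printed above.
import re
from dataclasses import dataclass, field
from typing import Dict, List

HEADER_RE = re.compile(r"^\s*(Protocol|Namespace Provider)\s+(\d+):\s*(.*)$")
FIELD_RE = re.compile(
    r"^\s*(GUID|Filename|Description|DB filename|DB protocol):\s*(.*)$")


@dataclass
class LspEntry:
    kind: str        # "Protocol" or "Namespace Provider"
    index: int       # catalog position as printed by Spybot
    name: str        # provider display name
    fields: Dict[str, str] = field(default_factory=dict)


def parse_report(text: str) -> List[LspEntry]:
    """One LspEntry per header line, with the indented key/value lines under it."""
    entries: List[LspEntry] = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = LspEntry(m.group(1), int(m.group(2)), m.group(3).strip())
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current.fields[m.group(1)] = m.group(2).strip()
    return entries


def norm_path(path: str) -> str:
    """Case-fold and unify separators; the report itself mixes System32/system32."""
    return path.strip().lower().replace("/", "\\")


def check_entry(e: LspEntry) -> List[str]:
    """Findings for one entry: DLL/database disagreement, no database record,
    or a provider DLL loaded from outside a system32 directory."""
    findings: List[str] = []
    label = f"{e.kind} {e.index} ({e.name})"
    on_disk = e.fields.get("Filename", "")
    in_db = e.fields.get("DB filename")
    if in_db is None:
        # Assumption: an entry Spybot cannot match prints no "DB filename" line.
        findings.append(f"{label}: no database record for {on_disk}")
    elif norm_path(on_disk) != norm_path(in_db):
        findings.append(f"{label}: installed DLL {on_disk} differs from "
                        f"database DLL {in_db}")
    # Heuristic: every provider in the report above lives under system32.
    parent = norm_path(on_disk).rsplit("\\", 1)[0]
    if not parent.endswith("\\system32"):
        findings.append(f"{label}: DLL outside system32: {on_disk}")
    return findings


def audit_report(text: str) -> List[str]:
    """All findings for a report; an empty list means the chain looks intact."""
    findings: List[str] = []
    for e in parse_report(text):
        findings.extend(check_entry(e))
    return findings


# Protocol 4 and the NTDS provider are copied from the report above; "Protocol 5"
# is a made-up tampered entry whose DLL path and NetBT GUID are placeholders.
SAMPLE_REPORT = r"""
    Protocol  4: RSVP TCP Service Provider
            GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
        Filename: %SystemRoot%\system32\rsvpsp.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Protocol  5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CONSTRUCTED-GUID}] SEQPACKET 0
            GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
        Filename: C:\Program Files\Example\lspsample.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Namespace Provider  1: NTDS
            GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
        Filename: %SystemRoot%\System32\winrnr.dll
    Description: Microsoft Windows NT/2k/XP name space provider
    DB filename: %SystemRoot%\system32\winrnr.dll
    DB protocol: NTDS
"""

if __name__ == "__main__":
    for finding in audit_report(SAMPLE_REPORT):
        print(finding)
```

Run against a real report pasted into SAMPLE_REPORT, an empty result means every provider's DLL agrees with Spybot's database, which is the state the listing above shows.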
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on August 27, 2005, 10:34:02 PM
Hey, update:  I found that yes, there are a few products excluded by default, in this version.  So at least that part is no longer a mystery  :)
Title: Re: Spybot S&D Threat Descriptions?
Post by: Corrine on August 27, 2005, 10:40:57 PM
Hi, Brynn.  The search results are very minimal and I'm not comfortable with some of the results.  Please start with an online A/V scan and a trojan scan, removing anything that is found.  Following that, please post a HJT log.

Panda (http://www.pandasoftware.com/activescan/com/activescan_principal.htm)
or
TrendMicro (http://housecall.trendmicro.com/housecall/start_corp.asp)

Trojan Hunter (http://castlecops.com/downloads-cat-6.html) <-- Trial

Please download HijackThis from here:  http://www.thespykiller.co.uk/files/HJTsetup.exe

Note:  This is a complete installer that installs HijackThis to your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut.

At the download prompt, choose "Save".  After the download is complete, navigate to the C:\Program Files\HijackThis folder and double-click it.  When the installation is complete, double-click the HijackThis icon on your desktop.  Select "Do a system scan and save logfile". Save the logfile and a text file will be produced. Copy the text file and paste it here as a reply.
Title: Re: Spybot S&D Threat Descriptions?
Post by: roddy32 on August 27, 2005, 10:43:32 PM
Quote from: Brynn on August 27, 2005, 10:34:02 PM
Hey, update:  I found that yes, there are a few products excluded by default, in this version.  So at least that part is no longer a mystery  :)

Sorry, I just saw this. I could have answered that part of the question for you. If I had seen it earlier, I would have provided you with this link so you didn't have to go look for it.  :?

http://forums.net-integration.net/index.php?showtopic=31127
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on August 27, 2005, 11:25:14 PM
Hi Corrine,
What do you mean by "minimal"?
Also, I use Norton AV 2005 (also firewall, ad blocker, spam blocker, pop-up blocker).  I just scanned today, following the Spybot S&D scan, and it came up clean.  However, my scan on...I think it was Tues night...picked up something called Bloodhound.Morphine (Symantec's terminology).  I had that file in Norton quarantine, however, it somehow got deleted this morning.  I had called Symantec Wed, after several failed attempts to send them the details, and was advised to just wait a few days, download new definitions, and then let Norton repair it.  I don't know how it got deleted.  It was just there one minute and gone the next!  I have run thorough searches, to make sure it's not somewhere else (besides quarantine), but the file is not found on my system.  And then I ran another AV scan, which also came up clean.  However, considering the nature of the Bloodhound.Morphine threat, at least my understanding of it, it seems possible I still might have some new/undefined problem or threat, of some sort.

If you think a different virus scan, one of those to which you posted links, would be better, I'll be glad to do it.  I also already have Hijack This, and I also scanned with it today already.  Of course I'm not anything close to an expert, but I didn't see anything different from what has been called good recently.  But, I will be glad to post a log for you.

Thank you and brb with HT logfile  :)
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on August 27, 2005, 11:42:05 PM
Hi again,
I'm assuming you mean for me to post this here, but please move it to the HT forum, if necessary.

Logfile of HijackThis v1.99.0
Scan saved at 5:33:29 PM, on 8/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Hijack This\version 1.99\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://groups.msn.com/SupportforChronicPain
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://groups.msn.com/SupportforChronicPain
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102567996858
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Thanks again!
Title: Re: Spybot S&D Threat Descriptions?
Post by: Corrine on August 27, 2005, 11:44:42 PM
What I meant by "minimal" was when I searched for the LSA information.  In fact, the only finding for one of the lines was your post here.  The search results of the other two LSA lines did indicate the possibility of a worm, which is why I suggested an online scan.

Oops, you posted just as I was about to and I see that you have an older version of HJT.  Please update to 1.99.1.

We'll move your thread to the HJT forum.  That way they'll have the entire history.  :)
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on August 28, 2005, 12:13:05 AM
Oh dear, that was my bad.  I thought 1.99.1 and 1.99 would be the same thing.  Ok then, 1st scan from 1.99.1 below:

Logfile of HijackThis v1.99.1
Scan saved at 6:01:49 PM, on 8/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Hijack This\HT v1.99.1\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://groups.msn.com/SupportforChronicPain
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://groups.msn.com/SupportforChronicPain
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102567996858
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on August 29, 2005, 06:41:35 PM
Hi
While you're mulling over my HT 1.99.1 logfile, meanwhile, what should I do with the Spybot S&D scan, with LSA threat still waiting to be dealt with?   Can I just close the program for now?  If I open it later, will the LSA still be there, still waiting for me to Fix or Ignore?  Or if I close the program, will I have to scan again?
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on September 01, 2005, 02:03:07 PM
Hi Corrine and All,
Just wondering if I can get an update from those working on my HT logfile.  I've been trying to avoid being on the internet, in case the LSA turns out to be a serious threat.  But I also have work to do on the internet, and need to handle this problem and move on asap.  Thanks very much, and sorry to be so impatient.
Title: Re: Spybot S&D Threat Descriptions?
Post by: P3-450 on September 01, 2005, 04:41:17 PM
Hi Brynn, sorry for your wait :)

I don't see any evidence of malware in your log, looks clean.

We can get a deeper scan by doing the below

Download Silent Runners.vbs http://www.silentrunners.org/
1. Make sure you have any script blocking software disabled
2. Run the program. It will take a few minutes to complete.
3. Once complete it will produce a log named "StartupPrograms" with your user and date in the filename. Open that txt file and post its contents in your next post.

Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on September 02, 2005, 01:11:42 AM
Ok, thank you P3-450.  I will go and download it now.  But before I run it, I need to know what script-blocking software is, so I can make sure it's disabled.  (I'm not the savviest internet user.)
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on September 02, 2005, 04:46:46 AM
Ooooookay.
Mission accomplished, as far as I can tell.  LOL!!
When I start the program, I get a large message box with 3 or 4 options.  But before I can finish reading them and figuring out whether I need to use them or not, the scan starts.  So I guess you could say this is the basic scan.  But there are several more options which I haven't used to scan with yet.

Thanks again for your help and support :)

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"MMTray" = "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" ["MUSICMATCH, Inc."]
"WorksFUD" = "C:\Program Files\Microsoft Works\wkfud.exe" ["Microsoft® Corporation"]
"Microsoft Works Portfolio" = "C:\Program Files\Microsoft Works\WksSb.exe /AllUsers" ["Microsoft® Corporation"]
"Microsoft Works Update Detection" = "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"Share-to-Web Namespace Daemon" = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"UserFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -u" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ss3dfo.scr" [MS]

Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"HPAiODevice(hp psc 700 series) - 1" -> shortcut to: "C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe -DeviceID 1102371132" ["Hewlett-Packard Co."]
"Internet Answering Machine" -> shortcut to: "C:\Program Files\CallWave\IAM.exe -start" ["CallWave, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]

Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Owner" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ISSvc, ISSVC, "C:\Program Files\Norton Internet Security\ISSVC.exe" ["Symantec Corporation"]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 46 seconds, including 18 seconds for message boxes)

Title: Re: Spybot S&D Threat Descriptions?
Post by: P3-450 on September 02, 2005, 05:43:53 PM
Hi Brynn,

That log looks clean too  8)
Title: Re: Spybot S&D Threat Descriptions?
Post by: Corrine on September 03, 2005, 12:02:38 AM
Brynn, I just found something!!!

This is likely what the settings should be in your registry:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

Even though you have SP2 and Microsoft fixed the problem before that with an update, try running Steve Gibson's DCOMbobulator http://www.grc.com/dcom/ and then run an updated Spybot scan. 
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on September 05, 2005, 04:17:56 PM
Wow, that's great Corrine!
Unfortunately I'm going to have to put this last suggestion on hold, for now.  I've had another security issue present itself, and it's going to take priority.  Since it involves, possibly, Ad-Aware or Spybot S&D, I'm going to start a new topic in the Spyware Forum.  And I will get back to the DCOMbobulator, later.  Thanks for everyone's patience  :)
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on November 09, 2005, 08:26:35 PM
Hey Friends,

Nope, I didn't forget about this!  Fortunately it's not a serious issue, though.

I have a question about your last message, Corrine, before I dl and run the above recommended program.  You posted what my registry setting is supposed to display.  But I don't understand whether the DCOMbobulator program changes those settings for me?  Because wouldn't it be easier just to edit the registry settings directly?  Or does the program do something different?  Should I do both -- dl and run the program and edit the registry?  Or just one or the other?

Thanks  :)
Title: Re: Spybot S&D Threat Descriptions?
Post by: Corrine on November 12, 2005, 05:50:26 PM
Sorry, Brynn, your post slipped past me. 

Steve Gibson's DCOMbobulator program is safe to use and I would use that before doing any registry edits -- it is too easy to mess up the registry so why gamble?
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on November 15, 2005, 12:14:43 PM
No problem, Corrine, and thanks  :)
I'm not worried about the program....well, not the safety or integrity anyway.  It's just that there are so many of these little, bitty, kind of like 'specialty' programs, recommended by trusted support professionals, and intended to tweak one thing or another.  But they've just started to pile up on my c-drive, to where I worry that eventually, they'll begin to conflict with either each other and/or the rest of my system.  So I wanted to avoid yet another download, if possible.  Plus, I wasn't sure in what order I should perform your instructions.  So, I understand now, and I'll post again with results.

...:idea:....could I just delete this program after it does its thing  :?:
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on November 15, 2005, 12:43:45 PM
Hi again Corrine,
Ok, I downloaded and ran it.  But it says I have Windows XP with SP2 which effectively has closed, or disabled the dcom vulnerability.  Are you suggesting that I click the button to disable it, even though it's declaring me safe (as far as the dcom)?
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on November 18, 2005, 02:56:12 PM
Ok then, I think I did everything I was supposed to do.  But no change.... :uhm:
Well, things could be so much worse, I'm quite sure of that  :wink:.
I just want to post a final and heartfelt
thank you !!
to everyone who chipped in to help.  I'm sorry things got so long and drawn out.  But just coming out the other side (of the problem) as a whole and functioning system, makes it ok.  I'm so grateful for your help and support!

Best wishes for a beautiful, upcoming holiday season  :D
Title: Re: Spybot S&D Threat Descriptions?
Post by: Corrine on November 19, 2005, 07:39:51 PM
Hi, Brynn.  Let's not give up yet.  I'm sure we can find an answer.  There are additional posts showing up in Google with the same unanswered results.  Are the findings the same as before that SpyBot detects? 

--- Search result list ---
LSA: Settings (Registry key, nothing done)
  HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa

LSA: Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-21-1659004503-1965331169-682003330-1003\SYSTEM\CurrentControlSet\Control\Lsa

LSA: Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa

If you are still getting the same, perhaps we can ask the kind folks at Safer Networking. 
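As an added example (not posted by Corrine, Brynn or anyone else in this thread, and not a Spybot S&D or DCOMbobulator component), here is a read-only PowerShell audit that checks the two registry values Corrine listed a few posts up and then walks every loaded hive under HKEY_USERS looking for the SYSTEM\CurrentControlSet\Control\Lsa paths that Spybot reports. It assumes Windows PowerShell 5.1 or later run from an elevated prompt (the XP machine in the thread predates PowerShell; the script is for checking the same keys on a current system). The "posted value" column is simply what Corrine wrote; the script does not claim those are the only acceptable settings, and it changes nothing.

```powershell
<#
  Registry audit for the keys discussed in this thread (added example).
  Read-only: it reports, it does not change anything.
  Run from an elevated PowerShell prompt.
#>

# Values as posted in the thread. EnableDCOM is a REG_SZ ("Y"/"N");
# RestrictAnonymous is a REG_DWORD, so compare both as strings below.
$expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole';                  Name = 'EnableDCOM';        Want = 'N' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';    Name = 'RestrictAnonymous'; Want = 1 }
)

function Get-RegValue {
    # Returns the value data, or $null if the key or the value name is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

Write-Host "== Values named in the thread =="
foreach ($e in $expected) {
    $actual = Get-RegValue -Path $e.Path -Name $e.Name
    $state = if ($null -eq $actual)              { 'MISSING' }
             elseif ("$actual" -eq "$($e.Want)") { 'OK' }
             else                                { 'DIFFERS' }
    '{0,-8} {1}\{2} = {3} (posted value: {4})' -f $state, $e.Path, $e.Name, $actual, $e.Want
}

# Expose HKEY_USERS as a drive so each loaded hive (.DEFAULT, S-1-5-18,
# S-1-5-21-... per-user hives) can be inspected by path.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

Write-Host "`n== SYSTEM\CurrentControlSet\Control\Lsa under loaded user hives =="
# The real Lsa key lives under HKLM\SYSTEM. A stock user hive does not carry a
# SYSTEM subtree, so a hit here deserves a look at what is actually stored
# there before anything is "fixed"; presence alone is not proof of malware.
foreach ($hive in Get-ChildItem -Path 'HKU:\') {
    $lsa = 'HKU:\{0}\SYSTEM\CurrentControlSet\Control\Lsa' -f $hive.PSChildName
    if (Test-Path -LiteralPath $lsa) {
        '{0}: PRESENT' -f $hive.PSChildName
        # Dump the values so they can be compared against the HKLM key.
        Get-ItemProperty -LiteralPath $lsa |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    } else {
        '{0}: absent' -f $hive.PSChildName
    }
}
```

Run it, keep the output, and then compare the per-hive Lsa values (if any) with the HKLM key; that gives something concrete to bring to a malware-removal forum instead of just the three "nothing done" lines from the Spybot report.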
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on November 26, 2005, 05:55:51 PM
I don't know, Corrine.  The only reason I wanted to know what it is, was to give me more confidence in "Fixing" it.  All my other security programs, if they tell me something's bad, I do what the program tells me to do, to get rid of it.  But ever since Spybot S&D identified the Windows Security Center as a threat, maybe a year ago or something, I don't remember exactly.  But ever since then, it kind of shook my confidence in the program.  I just wanted to be sure it really is a bad thing -- because back when it first showed up in a scan, I thought that "Fixing" was permanent.  All the promotional material I had read, before installing Spybot S&D, went on and on about how thoroughly it gets rid of the malware, which is so much better than other programs.  It sounded entirely irreversible.  So I didn't know it was even possible to "unfix", or Recover what was Fixed, much less how easy it is.

So now, while it seems to have developed into quite a mystery, which would make solving it somewhat rewarding by itself....I'm feeling content just to Fix it, and move on.  My only concern is that you had seen something in one of my scans, at the time, that is apparently indicative of a....I think it was a virus or trojan, or something worthy of concern.  What I don't know is whether that suspicious result is in any way related, or connected to those 3 LSA threats.  But in the absence of any symptoms of a problem, even yet, I'm thinking the suspicious readings were just a coincidence (as far as a potential virus or trojan).

All that being said, I'm willing to carry this through to the end, i.e. - figure out what is this darn LSA threat.
:Win73:   :Win73:
{{I know this smiley is meant to refer to the member named Winchester, but it's just too cute!  (no offense to Winchester)  My use is to symbolize the hunt for the definition of the LSA threat!}}

So, let's go for it!
Yes, the results are still the same, just as you show them.
Do you mean for me to post at Net-Integration?  Or were you just kind of thinking out loud about doing it yourself?  I'm fine with either, just let me know  :)
And thanks again  :)
Title: Re: Spybot S&D Threat Descriptions?
Post by: Corrine on November 26, 2005, 06:49:02 PM
Important issues first -- all of the smilies are available to use.  We just named that one after Winchester73 since it is rather appropriate.  Makes it easier to remember the code too if you use the Quick Reply box as I do. 

I agree, the LSA is a mystery that we have both searched and not found an answer to.  As I've met some of Team Spybot at Safer Networking, I'll start off a post there with cross-site links.  Perhaps we can solve this mystery yet. 
Title: Re: Spybot S&D Threat Descriptions?
Post by: Corrine on November 26, 2005, 06:57:17 PM
Here's a link to the post at Safer Networking:  http://forums.spybot.info/showthread.php?p=2568#post2568
Title: Re: Spybot S&D Threat Descriptions?
Post by: mikey on November 27, 2005, 03:01:18 AM
Hey Corrine & Brynn, quite an epic you guys have going on here. :)

Forgive me if I read this wrong since I didn't read every word and may have missed something. I'm also assuming that these items were found with an updated v1.4.

As for these 'LSA' items found; I've run into them on a few occasions in both HKLM as well as HKCU...each time was associated with malwares including one or two sdbot variants. I haven't ever seen them in 'normal' conditions. But that isn't why I'm posting.

Anyway, I had an idea that I thought I'd share...an idea I use regularly for lots of events.

The idea; Since SSD has a very good backup routine, I was thinking Brynn might want to just do as I would. I would go ahead and 'fix' but in addition to depending on the backup and/or restore points, I would also use a tool to generate snapshots of the event changes thereby creating a record that would allow me to go back and manually repair any item that may be dealt with erroneously if the backup/restore failed for some reason. While there are now several tools created for this purpose, I still prefer to use InCtrl5 and can furnish a copy to this user if needed.

Anyway, it's just an idea.
Brynn, you should only do what you feel comfortable with but this tool I'm speaking of is really pretty simple to use and I'm sure most here can advise as per the snapshot.

LMK in PM if you should need/want a copy.
HTH
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on November 27, 2005, 03:50:53 AM
Hey, mikey  :)
Thanks for your suggestions.
At this point, I'm not even sure what you're saying :oops:.  But I will save your message, for the day that I either understand it, or have trouble with those files, forcing me to learn what it means.  :mrgreen:

Corrine, I haven't been able to find your message at the Spybot S&D forum.  When I click your link, I get a page which has "error 404:" followed by some German language (or something a lot like German).  I went to the Spybot S&D website, and tried to get to it from there, but I got a different error page which is entirely in German.  It's possible that some security setting of mine is blocking the site from me, but I'm not sure where to start tweaking, to get it to open.  Any tips?
Title: Re: Spybot S&D Threat Descriptions?
Post by: Corrine on November 27, 2005, 01:46:33 PM
That is strange, Brynn.  I'd suggest clearing cache, history, all that.  Then perhaps try the forum link from http://www.safer-networking.org/en/index.html
Title: Re: Spybot S&D Threat Descriptions?
Post by: Brynn on November 27, 2005, 07:45:47 PM
I got in this time, Corrine!
I see there is a German forum there, so maybe some kind of glitch.
But anyway, I'm set to follow that thread now.
Thanks :)
Title: Re: Spybot S&D Threat Descriptions?
Post by: Corrine on November 27, 2005, 11:20:11 PM
Excellent, Brynn!