Spybot S&D Threat Descriptions?

Started by Brynn, August 15, 2005, 01:05:07 AM

Brynn

Wow, that's great Corrine!
Unfortunately I'm going to have to put this last suggestion on hold, for now.  I've had another security issue present itself, and it's going to take priority.  Since it involves, possibly, Ad-Aware or Spybot S&D, I'm going to start a new topic in the Spyware Forum.  And I will get back to the DCOMbobulator, later.  Thanks for everyone's patience  :)
"To sin by silence when they should protest makes cowards of men." - Abraham Lincoln

Brynn

Hey Friends,

Nope, I didn't forget about this!  Fortunately it's not a serious issue, though.

I have a question about your last message, Corrine, before I dl and run the above recommended program.  You posted what my registry setting is supposed to display.  But I don't understand whether the DCOMbobulator program changes those settings for me?  Because wouldn't it be easier just to edit the registry settings directly?  Or does the program do something different?  Should I do both -- dl and run the program and edit the registry?  Or just one or the other?

Thanks  :)

Corrine

Sorry, Brynn, your post slipped past me. 

Steve Gibson's DCOMbobulator program is safe to use and I would use that before doing any registry edits -- it is too easy to mess up the registry so why gamble?


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Brynn

No problem, Corrine, and thanks  :)
I'm not worried about the program....well, not the safety or integrity anyway.  It's just that there are so many of these little, bitty, kind of like 'specialty' programs, recommended by trusted support professionals, and intended to tweak one thing or another.  But they've just started to pile up on my c-drive, to where I worry that eventually, they'll begin to conflict with either each other, and/or the rest of my system.  So I wanted to avoid yet another download, if possible.  Plus, I wasn't sure in what order I should perform your instructions.  So, I understand now, and I'll post again with results.

...:idea:....could I just delete this program after it does its thing  :?:

Brynn

Hi again Corrine,
Ok, I downloaded and ran it.  But it says I have Windows XP with SP2 which effectively has closed, or disabled the dcom vulnerability.  Are you suggesting that I click the button to disable it, even though it's declaring me safe (as far as the dcom)?

Brynn

Ok then, I think I did everything I was supposed to do.  But no change.... :uhm:
Well, things could be so much worse, I'm quite sure of that  :wink:.
I just want to post a final and heartfelt
thank you !!
to everyone who chipped in to help.  I'm sorry things got so long and drawn out.  But just coming out the other side (of the problem) as a whole and functioning system, makes it ok.  I'm so grateful for your help and support!

Best wishes for a beautiful, upcoming holiday season  :D

Corrine

Hi, Brynn.  Let's not give up yet.  I'm sure we can find an answer.  There are additional posts showing up in Google with the same unanswered results.  Are the findings the same as before that SpyBot detects? 

--- Search result list ---
LSA: Settings (Registry key, nothing done)
  HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa

LSA: Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-21-1659004503-1965331169-682003330-1003\SYSTEM\CurrentControlSet\Control\Lsa

LSA: Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa


If you are still getting the same, perhaps we can ask the kind folks at Safer Networking. 



Brynn

I don't know, Corrine.  The only reason I wanted to know what it is, was to give me more confidence in "Fixing" it.  All my other security programs, if they tell me something's bad, I do what the program tells me to do, to get rid of it.  But ever since Spybot S&D identified the Windows Security Center as a threat, maybe a year ago or something, I don't remember exactly.  But ever since then, it kind of shook my confidence in the program.  I just wanted to be sure it really is a bad thing -- because back when it first showed up in a scan, I thought that "Fixing" was permanent.  All the promotional material I had read, before installing Spybot S&D, went on and on about how thoroughly it gets rid of the malware, which is so much better than other programs.  It sounded entirely unreversible.  So I didn't know it was even possible to "unfix", or Recover what was Fixed, much less how easy it is.

So now, while it seems to have developed into quite a mystery, which would make solving it somewhat rewarding by itself....I'm feeling content just to Fix it, and move on.  My only concern is that you had seen something in one of my scans, at the time, that is apparently indicative of a....I think it was a virus or trojan, or something worthy of concern.  What I don't know is whether that suspicious result is in any way related, or connected to those 3 LSA threats.  But in the absence of any symptoms of a problem, even yet, I'm thinking the suspicious readings were just a coincidence (as far as a potential virus or trojan).

All that being said, I'm willing to carry this through to the end, i.e. - figure out what is this darn LSA threat.
:Win73:   :Win73:
{{I know this smiley is meant to refer to the member named Winchester, but it's just too cute!  (no offense to Winchester)  My use is to symbolize the hunt for the definition of the LSA threat!}}

So, let's go for it!
Yes, the results are still the same, just as you show them.
Do you mean for me to post at Net-Integration?  Or were you just kind of thinking out loud about doing it yourself?  I'm fine with either, just let me know  :)
And thanks again  :)

Corrine

Important issues first -- all of the smilies are available to use.  We just named that one after Winchester73 since it is rather appropriate.  Makes it easier to remember the code too if you use the Quick Reply box as I do. 

I agree, the LSA is a mystery that we have both searched and not found an answer to.  As I've met some of Team Spybot at Safer Networking, I'll start off a post there with cross-site links.  Perhaps we can solve this mystery yet. 



Corrine




mikey

Hey Corrine & Brynn, quite an epic you guys have going on here. :)

Forgive me if I read this wrong since I didn't read every word and may have missed something. I'm also assuming that these items were found with an updated v1.4.

As for these 'LSA' items found; I've run into them on a few occasions in both HKLM as well as HKCU...each time was associated with malwares including one or two sdbot variants. I haven't ever seen them in 'normal' conditions. But that isn't why I'm posting.

Anyway, I had an idea that I thought I'd share...an idea I use regularly for lots of events.

The idea; Since SSD has a very good backup routine, I was thinking Brynn might want to just do as I would. I would go ahead and 'fix' but in addition to depending on the backup and/or restore points, I would also use a tool to generate snapshots of the event changes thereby creating a record that would allow me to go back and manually repair any item that may be dealt with erroneously if the backup/restore failed for some reason. While there are now several tools created for this purpose, I still prefer to use InCtrl5 and can furnish a copy to this user if needed.

Anyway, it's just an idea.
Brynn, you should only do what you feel comfortable with but this tool I'm speaking of is really pretty simple to use and I'm sure most here can advise as per the snapshot.

LMK in PM if you should need/want a copy.
HTH
***
W2K/2K3/XP/2K8/Vista/W7/RHE/DEBIAN/SUSE

"Spyware/adware is NOT freeware, it costs all of us dearly." SpywareWarrior

Mikey's Stuff

Fiddler and friends...essential web diagnostic, forensic, & development tools.

"You may never need to outrun a Decepticon, but it's nice to know you can." NW's Bevo
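
The before/after snapshot record that mikey's post above describes, as an added example that is not part of the thread and not how InCtrl5 works internally: it diffs two text exports of the Lsa keys listed in the scan results, as produced by `reg export`, so every removed or changed value is kept with its old data for manual repair. The value names and data in the sample snapshots are constructed placeholders.

```python
import re

# Constructed sample snapshots; value names are placeholders, not what Spybot S&D flags.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa]
"ExampleFlag"=dword:00000001

[HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa]
"ExampleFlag"=dword:00000001
"""
AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa]
"ExampleFlag"=dword:00000000
"""

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: raw_data}}."""
    snap, key = {}, None
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex values continued with a trailing backslash
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            snap.setdefault(key, {})
        elif key is not None:
            m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
            if m:
                snap[key][m.group(1).strip('"')] = m.group(2)
    return snap

def diff_snapshots(before, after):
    """Return (action, key, value_name, old_data, new_data) tuples, sorted by key."""
    changes = []
    for key in sorted(set(before) | set(after)):
        if key not in after:
            changes.append(("key removed", key, None, None, None))
        elif key not in before:
            changes.append(("key added", key, None, None, None))
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if old.get(name) != new.get(name):
                action = ("value removed" if name not in new
                          else "value added" if name not in old else "value changed")
                changes.append((action, key, name, old.get(name), new.get(name)))
    return changes

if __name__ == "__main__":
    for change in diff_snapshots(parse_reg(BEFORE), parse_reg(AFTER)):
        print(change)
```

Real `reg export` files are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `parse_reg`.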

Brynn

Hey, mikey  :)
Thanks for your suggestions.
At this point, I'm not even sure what you're saying :oops:.  But I will save your message, for the day that I either understand it, or have trouble with those files, forcing me to learn what it means.  :mrgreen:

Corrine, I haven't been able to find your message at the Spybot S&D forum.  When I click your link, I get a page which has "error 404:" followed by some German language (or something a lot like German).  I went to the Spybot S&D website, and tried to get to it from there, but I got a different error page which is entirely in German.  It's possible that some security setting of mine is blocking the site from me, but I'm not sure where to start tweaking, to get it to open.  Any tips?

Corrine

That is strange, Brynn.  I'd suggest clearing cache, history, all that.  Then perhaps try the forum link from http://www.safer-networking.org/en/index.html



Brynn

I got in this time, Corrine!
I see there is a German forum there, so maybe some kind of glitch.
But anyway, I'm set to follow that thread now.
Thanks :)

Corrine


