Spybot S&D Threat Descriptions?

Started by Brynn, August 15, 2005, 01:05:07 AM



Brynn

Hi Friends,
My recent Spybot S&D scan turned up a threat called LSA.  But there's no information about it in the info area of the scan window.  I went to the Spybot S&D website (safer-networking.net or something close to that), where I found a Threat search page.  But when I enter LSA, no results are found.  I've also posted this same request in the Spybot S&D forums (net-integration.net or something close to that).  But looks like that board is moving slow, on this Sunday...maybe they all are???  Anyway, thought I'd see if anyone's online, here.  Here are my questions:

Can someone tell me where to look up the threat info for the LSA?  Or maybe just link me to it?

Thanks very much :-)
(ps -- I'll post when I find the info, one way or another, so you don't worry you might be wasting time by answering ;-)
"To sin by silence when they should protest makes cowards of men." - Abraham Lincoln

Corrine

Hi, Brynn.  Welcome to LzD Forum.  Yes, both SWI and N-I are very busy sites.  However, it isn't generally a good idea to cross-post at multiple forums. 

I did not see LSA in the SBSD Threat List either.  So let's start with a logfile.  Please follow the instructions below. 

Thanks.

Launch SpyBot and on the toolbar menu select mode and switch to advanced mode:
  -- Click Mode, scroll to and click Advanced
  -- Click 'Yes' at the "warning" screen

On the left lower down select tools > view report.

Ensure all the options are selected except
      Uncheck[ ] Do not report disabled or known legitimate Items,
      Uncheck[ ] Include a list of services in report.
      Uncheck[ ] Include uninstall list in report.

Select (near the top) View report.
  -- Click mouse on text file, right click and scroll to 'Select All'.
  -- Click 'Copy'.
  -- Paste the logfile as a reply.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Brynn

Hi Corrine,
Oh, well I would never post on 2 forums to troubleshoot a problem.  But since I was only asking where to find this threat info, and since neither forum looked very busy today, I figured posting in both would get an answer sooner.  As it turns out, I fell asleep right after posting!  LOL!!  Anyway, now I will either delete the other message, or post I found the answer, in a reply.  So, I'm all yours!  :lol:

Ok, I've made it through your instructions through the first uncheck item.  The 2nd and 3rd options are not there.  However there are 8 options which are similar, and I'm assuming it's just a matter of terminology, and what you want me to uncheck is probably there.  Unfortunately I can't figure out which ones they are.  But I'll guess.  Ok, one item is "Include list of Winsock LSPs in report".  Since the S in LSP is Services, I'm going to uncheck it, and hope it's the list of services not to include.  Ok, and the Tools menu (along the left) has an item called Uninstall Info, which appears not to be included in the list in the first place.  So hopefully this is what you want.  If not, just let me know.

--- Search result list ---
LSA: Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa

LSA: Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-21-1659004503-1965331169-682003330-1003\SYSTEM\CurrentControlSet\Control\Lsa

LSA: Settings (Registry key, nothing done)
  HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa


--- Spybot - Search && Destroy version: 1.3  ---
2005-04-26 Includes\Cookies.sbi
2005-08-12 Includes\Dialer.sbi
2005-08-12 Includes\Hijackers.sbi
2005-06-23 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-08-12 Includes\Malware.sbi
2005-08-12 Includes\PUPS.sbi
2005-04-27 Includes\Revision.sbi
2005-08-06 Includes\Security.sbi
2005-08-12 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-08-12 Includes\Trojans.sbi


--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB834707
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB885884
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB887797
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Update for Windows XP (KB896727)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899588)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900930)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)


--- Startup entries list ---
Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
   file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
   size: 58992
    MD5: 35e1f41f9cea284f8484172180dc1012

Located: HK_LM:Run, HotKeysCmds
command: C:\WINDOWS\system32\hkcmd.exe
   file: C:\WINDOWS\system32\hkcmd.exe
   size: 118784
    MD5: 66a5047df0c0cec911b95b5b1e24cebc

Located: HK_LM:Run, IgfxTray
command: C:\WINDOWS\system32\igfxtray.exe
   file: C:\WINDOWS\system32\igfxtray.exe
   size: 155648
    MD5: d24b9b36c06ca0acf7ca2c69d9bb25b5

Located: HK_LM:Run, KernelFaultCheck
command: %systemroot%\system32\dumprep 0 -k
   file: C:\WINDOWS\system32\dumprep.exe
   size: 10752
    MD5: 13922eb54890c77005268882629a31fe

Located: HK_LM:Run, Microsoft Works Portfolio
command: C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

Located: HK_LM:Run, Microsoft Works Update Detection
command: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
   file: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
   size: 28738
    MD5: 5ac34c17115d3818dc9c9f5b2d909858

Located: HK_LM:Run, MMTray
command: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
   file: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
   size: 90112
    MD5: 9d20ca8871a7a138f0a0f63553eb2d57

Located: HK_LM:Run, Share-to-Web Namespace Daemon
command: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
   file: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
   size: 57344
    MD5: d4f5faa2fd2dc5923c82ee5808beed7c

Located: HK_LM:Run, Symantec NetDriver Monitor
command: C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
   file: C:\PROGRA~1\SYMNET~1\SNDMon.exe
   size: 100056
    MD5: f9418981ee4d7e995d359833adab59d5

Located: HK_LM:Run, UserFaultCheck
command: %systemroot%\system32\dumprep 0 -u
   file: C:\WINDOWS\system32\dumprep.exe
   size: 10752
    MD5: 13922eb54890c77005268882629a31fe

Located: HK_LM:Run, WorksFUD
command: C:\Program Files\Microsoft Works\wkfud.exe
   file: C:\Program Files\Microsoft Works\wkfud.exe
   size: 24576
    MD5: 8f13ea2d495ae946b1f33898ada8fdd5

Located: HK_CU:Run, MSMSGS
command: "C:\Program Files\Messenger\msmsgs.exe" /background
   file: C:\Program Files\Messenger\msmsgs.exe
   size: 1694208
    MD5: 74e6e96c6f0e2eca4edbb7f7a468f259

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
   file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
   size: 1038336
    MD5: 58f7e6434d285f4c98ad3621e0bd8c8d

Located: Startup (common), HPAiODevice(hp psc 700 series) - 1.lnk
command: C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
   file: C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
   size: 487484
    MD5: 4f465e03aa8cfa07755b76b49f353887

Located: Startup (common), Internet Answering Machine.lnk
command: C:\Program Files\CallWave\IAM.exe
   file: C:\Program Files\CallWave\IAM.exe
   size: 1061984
    MD5: 7b6f470379196e954b3ae266edd2aa38

Located: Startup (common), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office10\OSA.EXE
   file: C:\Program Files\Microsoft Office\Office10\OSA.EXE
   size: 83360
    MD5: 5bc65464354a9fd3beaa28e18839734a

Located: Startup (common), Microsoft Works Calendar Reminders.lnk
command: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
   file: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
   size: 24633
    MD5: 39fdfd34f7b04290d1bc53e3d6ec7d83



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
          BHO name:
        CLSID name: AcroIEHlprObj Class
       description: Adobe Acrobat reader
    classification: Legitimate
    known filename: AcroIEhelper.ocx
AcroIEhelper.dll
         info link: http://www.adobe.com/products/acrobat/readstep2.html
       info source: TonyKlein
              Path: C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\
         Long name:   AcroIEHelper.ocx
        Short name:       ACROIE~1.OCX
    Date (created): 12/31/2004 3:42:32 PM
Date (last access): 8/14/2005 10:05:52 PM
Date (last write): 3/2/2001 1:02:04 PM
          Filesize:              37808
        Attributes:                   
               MD5: 8394ABFC1BE196A62C9F532511936DF7
             CRC32:           71D6E350
           Version:            0.1.0.0

{53707962-6F74-2D53-2644-206D7942484F} ()
          BHO name:
        CLSID name:
       description: Spybot-S&D IE Browser plugin
    classification: Legitimate
    known filename: SDhelper.dll
         info link: http://spybot.eon.net.au/
       info source: Patrick M. Kolla
              Path: C:\PROGRA~1\SPYBOT~1\
         Long name:       SDHelper.dll
        Short name:                   
    Date (created): 5/12/2004 2:03:00 AM
Date (last access): 8/14/2005 10:05:52 PM
Date (last write): 5/12/2004 2:03:00 AM
          Filesize:             744960
        Attributes:           archive
               MD5: ABF5BA518C6A5ED104496FF42D19AD88
             CRC32:           5587736E
           Version:            0.1.0.3

{9ECB9560-04F9-4bbc-943D-298DDF1699E1} (Norton Internet Security)
          BHO name: Norton Internet Security
        CLSID name: CNisExtBho Class
       description: NIS 2004,
    classification: Legitimate
    known filename: NISShExt.dll
         info link: http://www.symantec.com/sabu/nis/nis_pe/
       info source: TonyKlein
              Path: C:\Program Files\Common Files\Symantec Shared\AdBlocking\
         Long name:       NISShExt.dll
        Short name:                   
    Date (created): 8/31/2004 3:29:54 AM
Date (last access): 8/14/2005 10:05:52 PM
Date (last write): 8/31/2004 3:29:54 AM
          Filesize:             103568
        Attributes:           archive
               MD5: C022E044C7693F7581FFA624BC61BA16
             CRC32:           AAC028CD
           Version:            0.8.0.0

{BDF3E430-B101-42AD-A544-FADC6B084872} (NAV Helper)
          BHO name: NAV Helper
        CLSID name: CNavExtBho Class
       description: Norton Antivirus
    classification: Legitimate
    known filename: NavShExt.dll
         info link: http://www.symantec.com/nav/nav_9xnt/
       info source: TonyKlein
              Path: C:\Program Files\Norton Internet Security\Norton AntiVirus\
         Long name:       NAVSHEXT.DLL
        Short name:                   
    Date (created): 8/30/2004 7:34:34 PM
Date (last access): 8/14/2005 10:05:52 PM
Date (last write): 1/10/2005 1:20:36 PM
          Filesize:             218736
        Attributes:           archive
               MD5: 46CE9AE4F88ED616A149924F40EB10D7
             CRC32:           5BC5C6AE
           Version:           0.11.0.0



--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
          DPF name: Microsoft XML Parser for Java
        CLSID name:
       description:
    classification: Legitimate
    known filename: %WINDIR%\Java\classes\xmldso.cab
         info link:
       info source: Patrick M. Kolla

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
          DPF name:
        CLSID name: Windows Genuine Advantage Validation Tool
              Path: C:\WINDOWS\system32\
         Long name: LegitCheckControl.DLL
        Short name:       LEGITC~1.DLL
    Date (created): 7/12/2005 6:04:22 PM
Date (last access): 8/14/2005 10:05:52 PM
Date (last write): 8/3/2005 10:33:42 AM
          Filesize:             520456
        Attributes:           archive
               MD5: 386D5DD972E4F6A1CF7F626751FD29F7
             CRC32:           3C9940B2
           Version:            0.1.0.3

{1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class)
          DPF name:
        CLSID name: LSSupCtl Class
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name:       LSSupCtl.dll
        Short name:                   
    Date (created): 10/27/2004 3:10:26 PM
Date (last access): 8/14/2005 10:05:52 PM
Date (last write): 10/27/2004 3:10:26 PM
          Filesize:             111752
        Attributes:           archive
               MD5: C8FEBEA460AAD5C1B6817F9676E03F78
             CRC32:           807349F9
           Version:            0.3.0.1

{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner)
          DPF name:
        CLSID name: Symantec AntiVirus scanner
       description: Symantec online scanner
    classification: Legitimate
    known filename: AVSNIFF.DLL
         info link:
       info source: Patrick M. Kolla
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name:        avsniff.dll
        Short name:                   
    Date (created): 10/26/2004 7:14:08 PM
Date (last access): 8/14/2005 10:05:52 PM
Date (last write): 10/26/2004 7:14:08 PM
          Filesize:             197760
        Attributes:           archive
               MD5: 8C505A352CE49B8BB0822D67EF8892E6
             CRC32:           6768F662
           Version:          7.212.0.6

{4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool)
          DPF name:
        CLSID name: MSN Photo Upload Tool
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name:       MsnPUpld.dll
        Short name:                   
    Date (created): 10/8/2004 4:01:22 PM
Date (last access): 8/14/2005 10:05:54 PM
Date (last write): 10/8/2004 4:01:22 PM
          Filesize:             372736
        Attributes:           archive
               MD5: D2ED523BB0FE94F8F492BEFE1C336040
             CRC32:           C4677625
           Version:           0.10.0.0

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
          DPF name:
        CLSID name: WUWebControl Class
              Path: C:\WINDOWS\system32\
         Long name:          wuweb.dll
        Short name:                   
    Date (created): 8/3/2004 2:59:06 PM
Date (last access): 8/14/2005 10:05:54 PM
Date (last write): 5/26/2005 4:16:30 AM
          Filesize:             173536
        Attributes:           archive
               MD5: C459F2D5E64C942F3F66E1CD7F1C4C00
             CRC32:           EEF66B50
           Version:            0.5.0.8

{644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class)
          DPF name:
        CLSID name: Symantec RuFSI Utility Class
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name:          rufsi.dll
        Short name:                   
    Date (created): 10/26/2004 7:14:18 PM
Date (last access): 8/14/2005 10:05:54 PM
Date (last write): 10/26/2004 7:14:18 PM
          Filesize:             160928
        Attributes:           archive
               MD5: 7FC8A8D89A80ED7443F00C31AEDAC9A9
             CRC32:           3EC34C3D
           Version:          7.212.0.6

{9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control)
          DPF name:
        CLSID name: MSN File Upload Control
              Path: C:\WINDOWS\DOWNLO~1\
         Long name:        MsnUpld.dll
        Short name:                   
    Date (created): 5/19/2003 3:30:40 PM
Date (last access): 8/14/2005 10:05:54 PM
Date (last write): 5/19/2003 3:30:40 PM
          Filesize:             205880
        Attributes:           archive
               MD5: 0F6F48E86D0F5FE47E4C7D364B7C579B
             CRC32:           72C6AB39
           Version:            0.9.0.0

{9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
          DPF name:
        CLSID name:
       description: Windows Update
    classification: Legitimate
    known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
         info link:
       info source: Patrick M. Kolla

{CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class)
          DPF name:
        CLSID name: ActiveDataInfo Class
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name:       SymAData.dll
        Short name:                   
    Date (created): 12/20/2004 7:03:36 PM
Date (last access): 8/14/2005 10:05:54 PM
Date (last write): 12/20/2004 7:03:36 PM
          Filesize:             157288
        Attributes:           archive
               MD5: D39C8355D0587B6A3FD2325DA7E2919C
             CRC32:           B639D5B5
           Version:            0.2.0.0



--- Process list ---
Spybot - Search && Destroy process list report, 8/14/2005 10:21:52 PM

PID:    0 (   0) [System]
PID:    4 (   0) System
PID:  172 ( 540) C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PID:  416 (   4) \SystemRoot\System32\smss.exe
PID:  472 ( 416) csrss.exe
PID:  496 ( 416) \??\C:\WINDOWS\system32\winlogon.exe
PID:  540 ( 496) C:\WINDOWS\system32\services.exe
PID:  552 ( 496) C:\WINDOWS\system32\lsass.exe
PID:  696 ( 704) C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
PID:  704 ( 540) C:\WINDOWS\system32\svchost.exe
PID:  752 ( 540) svchost.exe
PID:  792 ( 540) C:\WINDOWS\System32\svchost.exe
PID:  836 ( 704) C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
PID:  848 ( 540) svchost.exe
PID:  940 ( 540) svchost.exe
PID: 1164 ( 540) C:\WINDOWS\system32\spoolsv.exe
PID: 1172 (1124) C:\WINDOWS\Explorer.EXE
PID: 1308 ( 540) C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
PID: 1340 (1172) C:\WINDOWS\system32\hkcmd.exe
PID: 1348 (1172) C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
PID: 1388 (1172) C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
PID: 1408 (1172) C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
PID: 1432 (1172) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PID: 1464 ( 704) C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
PID: 1524 (1172) C:\Program Files\Messenger\msmsgs.exe
PID: 1532 (1172) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PID: 1564 ( 540) C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PID: 1596 ( 540) C:\Program Files\Norton Internet Security\ISSVC.exe
PID: 1612 (1172) C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
PID: 1628 (1172) C:\Program Files\CallWave\IAM.exe
PID: 1644 (1172) C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
PID: 1664 ( 540) C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
PID: 1776 ( 540) C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
PID: 1796 ( 540) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PID: 1884 ( 540) C:\WINDOWS\System32\svchost.exe
PID: 1908 ( 540) C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PID: 1980 ( 540) wdfmgr.exe
PID: 2064 ( 836) C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
PID: 2584 (1172) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 2724 ( 540) alg.exe
PID: 3484 (3972) C:\Program Files\Outlook Express\msimn.exe
PID: 3972 (1172) C:\Program Files\Internet Explorer\iexplore.exe


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 8/14/2005 10:21:52 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
  C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
  http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
  http://groups.msn.com/SupportforChronicPain
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
  %SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
  http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
  http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
  http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
  http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
  http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
  http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

You probably already know this, but it's the top 3 items which are the threats that were found.  And I just wanted to know what they are before I "Fix" them.  Thanks very much  :)
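As an added example (not code from the thread, from Spybot, or from its authors), here is a small Python parser for the report layout Brynn posted: it splits the report on its "--- ... ---" headers, turns the search-result findings and the startup entries into records, and lists the startup entries that came through without a file/size/MD5 block, which are the ones a reader would want to check by hand. The embedded sample is a constructed excerpt in the same layout, with values copied from the log above.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the layout of the Spybot S&D 1.3 report posted above
# (two LSA findings and three startup entries, values copied from the log).
SAMPLE_REPORT = r"""
--- Search result list ---
LSA: Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa

LSA: Settings (Registry key, nothing done)
  HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa

--- Startup entries list ---
Located: HK_LM:Run, KernelFaultCheck
command: %systemroot%\system32\dumprep 0 -k
   file: C:\WINDOWS\system32\dumprep.exe
   size: 10752
    MD5: 13922eb54890c77005268882629a31fe

Located: HK_LM:Run, Microsoft Works Portfolio
command: C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
   file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
   size: 1038336
    MD5: 58f7e6434d285f4c98ad3621e0bd8c8d
"""

SECTION_RE = re.compile(r"^--- (?P<title>.+?)\s*---\s*$")
FINDING_RE = re.compile(r"^(?P<name>[^:]+): (?P<kind>.+?) \((?P<detail>[^)]*)\)\s*$")
LOCATED_RE = re.compile(r"^Located: (?P<location>[^,]+), (?P<name>.+?)\s*$")
FIELD_RE = re.compile(r"^\s*(?P<key>command|file|size|MD5): (?P<value>.*?)\s*$")


@dataclass
class Finding:
    name: str     # detection name as Spybot labels it, e.g. "LSA"
    kind: str     # e.g. "Settings"
    detail: str   # e.g. "Registry key, nothing done"
    target: str   # the registry key (or file) the finding points at


@dataclass
class StartupEntry:
    location: str       # e.g. "HK_LM:Run" or "Startup (common)"
    name: str           # value name or .lnk name
    command: str = ""
    file: str = ""      # empty when the report printed no file/size/MD5 block
    size: int = 0
    md5: str = ""


def split_sections(report: str) -> dict:
    """Map each '--- title ---' header to the text that follows it."""
    sections, title, body = {}, None, []
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:
            if title is not None:
                sections[title] = "\n".join(body)
            title, body = m["title"], []
        elif title is not None:
            body.append(line)
    if title is not None:
        sections[title] = "\n".join(body)
    return sections


def parse_search_results(body: str) -> list:
    """A finding is a 'Name: Kind (detail)' line followed by one indented target line."""
    lines, findings = body.splitlines(), []
    for i, line in enumerate(lines):
        m = FINDING_RE.match(line)
        if m:
            target = lines[i + 1].strip() if i + 1 < len(lines) else ""
            findings.append(Finding(m["name"], m["kind"], m["detail"], target))
    return findings


def parse_startup_entries(body: str) -> list:
    """An entry starts at a 'Located:' line; command/file/size/MD5 lines are optional."""
    entries, current = [], None
    for line in body.splitlines():
        m = LOCATED_RE.match(line)
        if m:
            current = StartupEntry(m["location"], m["name"])
            entries.append(current)
            continue
        f = FIELD_RE.match(line)
        if f and current is not None:
            key, value = f["key"].lower(), f["value"]
            setattr(current, key, int(value) if key == "size" else value)
    return entries


def entries_without_hash(entries: list) -> list:
    """Names of entries that the report lists without a file/size/MD5 block."""
    return [e.name for e in entries if not e.md5]
```

Run against a full pasted report, `entries_without_hash` returns the startup entries whose file the report did not hash (in the log above, "Microsoft Works Portfolio" is the one such entry), so those are the ones to verify on disk before deciding anything about them.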

Brynn

Hhm.  I put LSA in Google, and found this:
http://www.microsoft.com/technet/security/bulletin/ms99-020.mspx
and this:
http://www.insecure.org/sploits/NT.LSA.secrets.html

Neither of which I understand, or helps me to understand the Spybot threat  :?

Corrine

Hi, Brynn.  Let's start with SpyBot.  You need to uninstall version 1.3 and install version 1.4.  Please follow the instructions in the linked topics below.

Spybot-S&D 1.4 Final has been released.
Uninstalling Previous Spybot-S&D

Download

News

It is possible that the old version combined with the new update is picking up on an old MS patch for the denial of service vulnerability.

If SpyBot still returns the same threat after v1.4 is installed & updated, please post a new logfile.  You will see those additional options to uncheck with v1.4.  Please do let us know if there are no findings as well.  :)



Brynn

Oh geez!
Well I had just scanned with Spybot a few days before -- Thursday -- and it was clean.  So either I just picked up this LSA, or I just got the definition to detect it....I guess...???

Ok, then I should just do nothing with these LSA threats, or maybe they're "threats"?  What about Hijack This?  Not to be disrespectful, but normally I give brand new versions (of anything) a few months before I use them, just to make sure those surprise glitches, which seem to often occur with new versions (of anything), get worked out before I use it.

....SIGH!!!....
Ok, well, I need to get the new v of Ad-Aware.  And I just read where there's a new v of Hijack This.  So I will ignore...I mean personally I will ignore the LSA, for now, not that I'm going to tell Spybot to ignore it ;)  Then I will go and get brand new everything, brand new definitions, and scan with everything!  :lol:

Yes, I will definitely keep you posted, one way or another.  Thank you very much.
Geez, this security business is beginning to take more time than what I spend online in the first place!  AAaaaarrrggh!!!

Corrine

:lol: Brynn.  Yes, staying up to date does take a lot of time to keep your computer protected.  But, you have a major investment in those bits & bytes.

Don't forget to uninstall SpyBot & upgrade to the new version.  That could be the source of the issue with LSA. 

If you want to post an Ad-Aware log, you can do that as a reply in this thread. 



Brynn

Hi Corrine,
Ok, I finally finished uninstalling, downloading, and installing new versions of CWShredder, Ad-Aware SE Personal, Spybot S&D, IE-SpyAd, and CCleaner (which I realize is not a security program, but useful just the same).  I thought I had read there was a new version of Hijack This, but it turns out I have the newest version.  In any case, all my scans are now clean.   You were right about the LSA threat in my last scan with the old Spybot S&D version.  It does not show up in scans with the new version.  So yeehaa!!  :gwave:

OH!  But wow :shock: the scan goes super fast with the new version!!  It's like a flash!  I ran 3 scans in a row, thinking the scan was somehow aborting, immediately after it started.  I mean, when I was downloading the new version, it did say it was a little faster.  I just didn't expect it to be this fast.  My goodness, the scan used to take 10 or 15 minutes, and with the new version, it takes about 5 seconds, no kidding!  I wish Ad-Aware and Norton would make their scans that fast  :)

Well anyway, many, many, many thanks, Corrine!  I so appreciate your patience, help and support.  All best  :D

Corrine

Great news, Brynn!  Thanks for letting me know.

You can keep track of "updates" by subscribing to the threads in our Update forum here.  Then you'll know when all your favorite security programs have been updated. 



winchester73

Forgive the intrusion in this thread ...

I see you are running Acrobat Reader 5.0 ... you might wish to update to 7.0.3.

Also, you might wish to consider a few other security applications:

Javacool's SpywareBlaster and SpywareGuard:  http://www.javacoolsoftware.com/downloads.html

Eric Howe's IE-Spyad restricted list:  https://netfiles.uiuc.edu/ehowes/www/resource.htm

Personally, I consider them essential on any computer I use.
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Corrine

Great suggestions, Winchester73!  Thanks & please step in any time.  :)



Brynn

Guns and computers, huh?  ...interesting!
Ok, just kidding  :D

Thanks, winchester73.  I more than welcome any tip from a professional!
But darn it, it seems like I just downloaded a current Acrobat Reader.  Maybe I didn't install it right, or something.  I'll look into it.  But I do use IE-SpyAd, and just got the newest version (per my last message).

On the new security programs, can you please tell me, what are the benefits of Javacool's SpywareBlaster and SpywareGuard?  It's just I'm starting to feel like I'm bordering on over-kill, with all this security stuff.  But of course I want to be protected.  Anyway, what do these programs do, that all my other programs don't?  I know I can follow your link and read about it, but I'm hoping you can make it easier for me?  LOL!!  I don't mean to be insulting, like I'm using you or wasting your time.  I'm just plain lazy.  Veeerrry lazy!  As I intimated earlier, the whole computer security industry, or maybe more the whole need for so much security, is overwhelming to me, and I assume most "average" computer/internet users.  So anyway, if it's too much trouble for you to explain, don't worry about it.  I will go and read about.  I very, very much appreciate your comments already.

All best  :)

roddy32

Quote from: Brynn on August 19, 2005, 08:10:34 AM


OH!  But wow :shock: the scan goes super fast with the new version!!  It's like a flash!  I ran 3 scans in a row, thinking the scan was somehow aborting, immediately after it started.  I mean, when I was downloading the new version, it did say it was a little faster.  I just didn't expect it to be this fast.  My goodness, the scan used to take 10 or 15 minutes, and with the new version, it takes about 5 seconds, no kidding!  I wish Ad-Aware and Norton would make their scans that fast  :)

Well anyway, many, many, many thanks, Corrine!  I so appreciate your patience, help and support.  All best  :D

I would like to jump in here too. I apologize if someone else noted this but I didn't see it. The reason your scan is only taking 5 seconds is that the newest immunizations and detections are not enabled. Just about everybody mentioned this at CNET when they first downloaded and ran 1.4 and the reason is because it is only scanning for the detections that first came with the original download of the program which were extremely minimal. Open Spybot and check for updates one more time to make sure there are no more. Then on the left side of the program, click the "Immunization shield". That will take you to the "immunization" page. Make sure there is a checkmark in the bottom box that says "enable permanent blocking of all bad addresses in Internet Explorer". I would also select "block all bad pages silently" in the dropdown box so you don't get a notice every time something is blocked. Then at the top of the program, click the green "+" sign. Then close the program and open it again and see if it does a normal scan.  :)
Microsoft MVP Consumer Security 2006 - 2012

Log'N'Rock Computer Security


Corrine

Excellent advice, Roddy! 

Regarding the Javacool software, copied from the website:   

SpywareBlaster 3.4

Prevent the installation of spyware and other potentially unwanted software!
SpywareBlaster is freeware. Please consider donating to further our cause! Click here for more information.

Spyware, adware, browser hijackers, and dialers are some of the fastest-growing threats on the Internet today.
By simply browsing to a web page, you could find your computer to be the brand-new host of one of these unwanted fiends!

The most important step you can take is to secure your system. And SpywareBlaster is the most powerful protection program available.

# Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
# Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
# Restrict the actions of potentially unwanted sites in Internet Explorer.

SpywareBlaster can help keep your system spyware-free and secure, without interfering with the "good side" of the web.
And unlike other programs, SpywareBlaster does not have to remain running in the background.
SpywareBlaster is freeware for personal and educational use. 

SpywareGuard 2.2

A real-time protection solution against spyware!
SpywareGuard is freeware. Please consider donating to further our cause!

SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.

An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware! And you can easily have an anti-virus program running alongside SpywareGuard.

SpywareGuard now also features Download Protection and Browser Hijacking Protection!

Features Listing:

    * Fast Real-Time Scanning engine - catch and block spyware before it is executed (EXE and CAB files supported) with signature-based scanning for known spyware and heuristic/generic detection capabilities to catch new/mutated spyware
    * Download Protection - prevent spyware from being downloaded in Internet Explorer
    * Browser Hijacking Protection - stop browser hijacking activity in real-time
    * SG LiveUpdate - provides an easy updating solution
    * Small size - with a small size and small definition sizes, download and updates are quick
    * Report Capabilities - keep a detailed log of all spyware detected
    * Spyware files are blocked before being opened or run - they are not simply shut down after they are loaded in memory (and after they have performed their tasks)
    * It's a free download


The bottom line about both programs is that they work silently in the background keeping spyware off your system in the first place as well as helping to prevent browser hijacks.

Brynn, if you are finding it a bit much to keep track of security software updates, why not subscribe to the threads in the LzD Forum Updates & Alerts forum.  This way, when there is an update to the threads you have subscribed to, you will receive an email notification.  That way, you won't miss an update, yet won't be bothered with checking all the time for infrequently updated software programs.



Brynn

 :cry:
Looks like the saga is not over yet, Friends.
I did realize that I had not Immunized with the new version, just before my scan today.  So I Immunized and scanned, and the darn LSA shows up again.  It gets worse...confusing the LSA, temporarily, with something else, I thought I should tell Spybot S&D to Ignore it.  I don't even know what I was thinking about.  So the most immediate concern, is how do I "un-Ignore" it.  As soon as I can do that, I will post a new log.  While waiting for a reply here, I will be trying to figure out how to "un-Ignore" by myself.  But if you're reading this and find no new log below, please let me know how.

Thanks Everyone, for all the awesome info posted to this thread.