Thread: lsa and wget

  1. #1
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,491

    lsa and wget

    Spybot is detecting LSA and Fake.Wget. It only detected it after I ran Combofix. I fixed with Spybot, checked to be sure the registry keys were really gone, then ran Combofix and then Spybot again today to be sure.
    Apologies if this fp is known about, but I thought I'd post in case it wasn't. Report was too big, so I shortened it.

    --- Search result list ---
    LSA: [SBI $B262365F] Settings (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-997792472-346656022-3166893597-1002\SYSTEM\CurrentControlSet\Control\Lsa

    Fake.Wget: [SBI $310DEE39] Settings (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-997792472-346656022-3166893597-1002\Software\Wget


    --- Spybot - Search & Destroy version: 1.5 (build: 20071005) ---

    2007-10-07 blindman.exe (1.0.0.6)
    2007-09-24 SDDelFile.exe (1.0.0.1)
    2007-10-07 SDMain.exe (1.0.0.4)
    2007-10-07 SDShred.exe (1.0.1.2)
    2007-10-07 SDUpdate.exe (1.0.7.4)
    2007-10-07 SDWinSec.exe (1.0.0.10)
    2007-10-07 SpybotSD.exe (1.5.1.17)
    2007-10-07 TeaTimer.exe (1.5.0.11)
    2007-10-19 unins000.exe (51.48.0.0)
    2007-10-07 Update.exe (1.4.0.5)
    2007-10-07 advcheck.dll (1.5.4.2)
    2007-04-02 aports.dll (2.1.0.0)
    2007-04-02 DelZip179.dll (1.79.5.3)
    2007-10-07 SDHelper.dll (1.5.0.10)
    2007-10-07 Tools.dll (2.1.3.2)
    2007-10-31 Includes\Beta.sbi (*)
    2007-10-11 Includes\Beta.uti
    2007-10-31 Includes\Cookies.sbi (*)
    2007-10-31 Includes\Dialer.sbi (*)
    2007-10-31 Includes\DialerC.sbi (*)
    2007-08-29 Includes\Hijackers.sbi (*)
    2007-10-31 Includes\HijackersC.sbi (*)
    2007-10-04 Includes\Keyloggers.sbi (*)
    2007-10-31 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2007-10-24 Includes\Malware.sbi (*)
    2007-10-31 Includes\MalwareC.sbi (*)
    2007-10-24 Includes\PUPS.sbi (*)
    2007-10-31 Includes\PUPSC.sbi (*)
    2007-10-31 Includes\Revision.sbi (*)
    2007-05-30 Includes\Security.sbi (*)
    2007-10-31 Includes\SecurityC.sbi (*)
    2007-10-24 Includes\Spybots.sbi (*)
    2007-10-31 Includes\SpybotsC.sbi (*)
    2007-08-21 Includes\Tracks.uti
    2007-11-01 Includes\Trojans.sbi (*)
    2007-10-31 Includes\TrojansC.sbi (*)
    2008-12-24 Plugins\TCPIPAddress.dll



    --- System information ---
    Windows Vista (Build: 6000) (6.0.6000)
    / MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
    / MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
    / MSXML4SP2: Security update for MSXML4 SP2 (KB941833)


    --- Startup entries list ---
    Located: HK_LM:Run, 00PCTFW
    command: "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
    file: C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
    size: 2610744
    MD5: B6A85FAC761AD1EC173B8D22DC4C32B9

    Located: HK_LM:Run, AVG7_CC
    command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    size: 579072
    MD5: 8B0A837F1D0AF0621A29C9F3DBF45E9F

    Located: HK_LM:Run, Broadcom Wireless Manager UI
    command: C:\Windows\system32\WLTRAY.exe
    file: C:\Windows\system32\WLTRAY.exe
    size: 1540096
    MD5: 0BF39994C302AAE4B41015AB8AEAACB6

    Located: HK_LM:Run, SigmatelSysTrayApp
    command: sttray.exe
    file: C:\Windows\sttray.exe
    size: 303104
    MD5: 10EB9773131BB74757F02ADA18F4081C

    Located: HK_LM:Run, SynTPEnh
    command: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    file: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    size: 815104
    MD5: BC9E0A68A38E0E57D4F36BEEB75C6E28

    Located: HK_CU:Run, AVG7_Run
    where: .DEFAULT...
    command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
    file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
    size: 219136
    MD5: B331EF4C7437F5093D703340678469EB

    Located: HK_CU:Run, AVG7_Run
    where: S-1-5-19...
    command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
    file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
    size: 219136
    MD5: B331EF4C7437F5093D703340678469EB

    Located: HK_CU:Run, Sidebar
    where: S-1-5-19...
    command: %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem
    file: C:\Program Files\Windows Sidebar\Sidebar.exe
    size: 1196032
    MD5: 43632977504B323F8A41BF7A9965C453

    Located: HK_CU:Run, AVG7_Run
    where: S-1-5-20...
    command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
    file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
    size: 219136
    MD5: B331EF4C7437F5093D703340678469EB

    Located: HK_CU:Run, Sidebar
    where: S-1-5-20...
    command: %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem
    file: C:\Program Files\Windows Sidebar\Sidebar.exe
    size: 1196032
    MD5: 43632977504B323F8A41BF7A9965C453

    Located: HK_CU:Run, WindowsWelcomeCenter
    where: S-1-5-20...
    command: rundll32.exe oobefldr.dll,ShowWelcomeCenter
    file:
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!

    Located: HK_CU:Run, Sidebar
    where: S-1-5-21-997792472-346656022-3166893597-1002...
    command: C:\Program Files\Windows Sidebar\Sidebar.exe /autoRun
    file: C:\Program Files\Windows Sidebar\Sidebar.exe
    size: 1196032
    MD5: 43632977504B323F8A41BF7A9965C453

    Located: HK_CU:Run, SpybotSD TeaTimer
    where: S-1-5-21-997792472-346656022-3166893597-1002...
    command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    size: 2083664
    MD5: 1EB2D3D0056A79A5F50A8D1AA2F1AA83

    Located: HK_CU:Run, AVG7_Run
    where: S-1-5-18...
    command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
    file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
    size: 219136
    MD5: B331EF4C7437F5093D703340678469EB

    Located: Startup (common), Digital Line Detect.lnk
    where: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup...
    command: C:\Program Files\Digital Line Detect\DLG.exe
    file: C:\Program Files\Digital Line Detect\DLG.exe
    size: 50688
    MD5: F03FFC962E18F36A922E61F96BE09925

    Located: Startup (common), QuickSet.lnk
    where: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup...
    command: C:\Windows\Installer\{53A01CC6-14B0-4512-A2E7-10D39BF83DC4}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
    file: C:\Windows\Installer\{53A01CC6-14B0-4512-A2E7-10D39BF83DC4}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
    size: 45056
    MD5: 1B89D24637B870A9D2041B1B54BCB37C

    Located: WinLogon, avgwlntf
    command: avgwlntf.dll
    file: avgwlntf.dll
    size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
    Warning: if the file is actually larger than 0 bytes,
    the checksum could not be properly calculated!



    --- Browser helper object list ---
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    BHO name:
    CLSID name: Adobe PDF Reader Link Helper
    description: Adobe Acrobat reader
    classification: Legitimate
    known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
    info link: http://www.adobe.com/products/acrobat/readstep2.html
    info source: TonyKlein
    Path: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\
    Long name: AcroIEHelper.dll
    Short name: ACROIE~1.DLL
    Date (created): 18/12/2006 4:16:42 AM
    Date (last access): 07/02/2007 2:07:44 PM
    Date (last write): 18/12/2006 4:16:42 AM
    Filesize: 59032
    Attributes: archive
    MD5: 4EA3A6CD9D20584FFAFDB1E47DBF0E20
    CRC32: 7B0A854F
    Version: 7.0.9.50

    {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
    location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    BHO name:
    CLSID name: Spybot-S&D IE Protection
    description: Spybot-S&D IE Browser plugin
    classification: Legitimate
    known filename: SDhelper.dll
    info link: http://spybot.eon.net.au/
    info source: Patrick M. Kolla
    Path: C:\PROGRA~1\SPYBOT~1\
    Long name: SDHelper.dll
    Short name:
    Date (created): 19/10/2007 7:46:10 PM
    Date (last access): 19/10/2007 7:46:10 PM
    Date (last write): 07/10/2007 11:04:24 AM
    Filesize: 1545040
    Attributes: archive
    MD5: 9ED4B9F35CEF4CCEB5F788106ADA1FE6
    CRC32: B6379958
    Version: 1.5.0.10

    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    BHO name:
    CLSID name: SSVHelper Class
    Path: C:\Program Files\Java\jre1.6.0_03\bin\
    Long name: ssv.dll
    Short name:
    Date (created): 12/10/2007 11:08:22 PM
    Date (last access): 24/09/2007 10:31:44 PM
    Date (last write): 25/09/2007 12:11:34 AM
    Filesize: 501136
    Attributes: archive
    MD5: D787E3123FAD2BD58AB45B9A5C360ACD
    CRC32: DDC625C2
    Version: 6.0.30.5

    {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
    location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    BHO name:
    CLSID name: Windows Live Sign-in Helper
    Path: C:\Program Files\Common Files\Microsoft Shared\Windows Live\
    Long name: WindowsLiveLogin.dll
    Short name: WINDOW~1.DLL
    Date (created): 31/08/2006 8:33:06 PM
    Date (last access): 07/02/2007 2:25:40 PM
    Date (last write): 31/08/2006 8:33:06 PM
    Filesize: 322368
    Attributes: archive
    MD5: E43F7CFDEE2B00A22C96C168147B20D3
    CRC32: 2AEACC43
    Version: 4.100.313.1

  2. #2
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Zenobia,

    thank you for reporting this, it will be fixed with the upcoming update.

  3. #3
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,491

    You're welcome.
