Solved

Does this look Harmful?

Posted on 2007-11-16
17
235 Views
Last Modified: 2013-12-04
I was looking through some of the system startup info on Spybot-S&D. I found three entries that were suspicious.


Located: HK_CU:Run, BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
  where: S-1-5-21-3849989511-1898341264-2557499271-1370...
command: "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
   file:
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
         Warning: if the file is actually larger than 0 bytes,
         the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe
  where: S-1-5-21-3849989511-1898341264-2557499271-1370...
command: C:\WINDOWS\system32\ctfmon.exe
   file: C:\WINDOWS\system32\ctfmon.exe
   size: 15360
    MD5: 24232996A38C0B0CF151C2140AE29FC8

Located: HK_CU:Run, SUPERAntiSpyware
  where: S-1-5-21-3849989511-1898341264-2557499271-1370...
command: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
   file: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
   size: 1318912
    MD5: 225E41F95D0F33148D264746087017D4


The "S-1-5-21-3849989511-1898341264-2557499271-1370..." is shown as
User S-1-5-21-3849989511-1898341264-2557499271-1370 in the actual program.

I've noticed before that when I right-click and hit Properties on any icon on the desktop and go to the Security tab, there is that user, with a weird white-head-looking icon. It's not the same as a normal user's.
Question by:lcg1964
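Added example, not part of the thread and not Spybot's own code: a small reader for listing entries in the format shown above that flags the entry Spybot never actually hashed. The MD5 it printed for NMBgMonitor.exe, D41D8CD98F00B204E9800998ECF8427E, is the MD5 of zero bytes of input, which is what you get when the file could not be opened (the warning under that entry says as much); the assumption here is that the quoted command path was not unquoted before the lookup, leaving the file: field empty. The sample text is constructed from the listing above, and hash_file is a hypothetical helper for recomputing the hash on the live machine.

```python
import hashlib
import re

# MD5 of an empty input. Seeing this value next to "size: 0" means the tool
# hashed nothing, not that the file is empty or clean.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()  # D41D8CD98F00B204E9800998ECF8427E

# Constructed sample in the shape of the Spybot startup listing above.
SAMPLE = r"""Located: HK_CU:Run, BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
  where: S-1-5-21-3849989511-1898341264-2557499271-1370...
command: "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
   file:
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
         Warning: if the file is actually larger than 0 bytes,
         the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe
  where: S-1-5-21-3849989511-1898341264-2557499271-1370...
command: C:\WINDOWS\system32\ctfmon.exe
   file: C:\WINDOWS\system32\ctfmon.exe
   size: 15360
    MD5: 24232996A38C0B0CF151C2140AE29FC8
"""

FIELD = re.compile(r"^\s*(where|command|file|size|MD5):\s*(.*)$")


def parse_entries(text):
    """Split the listing into one dict per 'Located:' block."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.startswith("Located:"):
            loc, _, name = line[len("Located:"):].strip().partition(", ")
            cur = {"location": loc, "name": name}
            entries.append(cur)
            continue
        m = FIELD.match(line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2).strip()
    return entries


def command_path(command):
    """Executable path from a Run value: strip surrounding quotes and any arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command  # unquoted Run values in the sample carry no arguments


def triage(entry):
    """Return (status, detail): 'hashed' with the MD5, or 'unhashed' with the reason."""
    size = int(entry.get("size") or 0)
    md5 = entry.get("MD5", "").upper()
    if not entry.get("file"):
        return ("unhashed", "no file path resolved; rehash " + command_path(entry["command"]))
    if size == 0 and md5 == EMPTY_MD5:
        return ("unhashed", "hash of empty input, file was not read")
    return ("hashed", md5)


def triage_all(text):
    return {e["name"]: triage(e) for e in parse_entries(text)}


def hash_file(path):
    """Hypothetical helper: recompute the MD5 of a real file, in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


if __name__ == "__main__":
    for name, (status, detail) in triage_all(SAMPLE).items():
        print("%-55s %-8s %s" % (name, status, detail))
```

Only the entry whose MD5 is the empty-input hash needs a second look; for it, recompute the hash of the unquoted path and compare against the vendor's file rather than trusting the listing.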
17 Comments
 

Author Comment

by:lcg1964
ID: 20300983
Oh, and the white head icon goes away and changes to the user logged in after a few seconds.  Usually you don't even notice it if you're not looking for it.
LVL 4

Expert Comment

by:Harry_Truman
ID: 20301192
Everything seems OK. The first process belongs to Nero, the second runs with Microsoft Office, and the third is a legit anti-spyware app. As for the last part about the Security tab, I'm really not sure if what you're talking about is different than the standard single-user icon (sounds like it is).

Author Comment

by:lcg1964
ID: 20301242
No, the icon is different; it's not a white head, but it has a small red question mark and something on the side of it. Don't have too long to look at it, so it's hard to describe. I'll try and take a print screen when it comes up.

As for the processes, yeah, they are all legit, but the "where: S- blah blah blah" is scaring me.

This is what problem Spybot found when I ran a check. SUPERAntiSpyware found nothing; ran the HJT log through the analyzer and it found nothing harmful, just a few neutral. Running VundoFix now but it hasn't found anything yet. ComboFix didn't find anything either.


--- Search result list ---
LSA: [SBI $B262365F] Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-21-3849989511-1898341264-2557499271-1370\SYSTEM\CurrentControlSet\Control\Lsa



Author Comment

by:lcg1964
ID: 20301288

Author Comment

by:lcg1964
ID: 20301304
Eh, I guess you can't do that.  
Here's a link.
http://img.photobucket.com/albums/v144/ic3nyn3/bad.jpg

Author Comment

by:lcg1964
ID: 20301448
https://filedb.experts-exchange.com/incoming/ee-stuff/5661-hijackthis.txt

Here is my HJT log.  

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

Same thing Spybot came up with.

Author Comment

by:lcg1964
ID: 20301513
So, these are the two problems Spybot found. I could remove them, but I really don't think it will do much.


LSA: [SBI $B262365F] Settings (Registry key, nothing done) HKEY_USERS\S-1-5-21-3849989511-1898341264-2557499271-1370\SYSTEM\CurrentControlSet\Control\Lsa

Fake.Wget: [SBI $310DEE39] Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-21-3849989511-1898341264-2557499271-1370\Software\Wget

Author Comment

by:lcg1964
ID: 20301629
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 20303685
Three questions:

1. Does the computer behave strangely? Running slowly, unknown network access, or slow response...
2. Have you actually installed the programs listed in the logs (except those under Windows folders)?
3. For those items that belong to Microsoft, does all your diagnostic software suspect them?

regards,
bbao

Author Comment

by:lcg1964
ID: 20305492
It runs slow sometimes when I have more than a few Firefox tabs open, but usually it's fine.
I've installed Nero 8, not 7.
I'm not sure which software you're talking about. But Spybot and SUPERAntiSpyware don't.
LVL 47

Accepted Solution

by:
rpggamergirl earned 350 total points
ID: 20305799
I noticed the username on your log; I think you emailed me but then you forgot to include the link to your question.
I replied twice, but it bounced back as "blocked"; your email probably blocked Gmail.

Those files Spybot found are legit, but then some nasties can duplicate legit system files.

The ComboFix log has a file that could be from IndigoRose Software; did you install some desktop surveillance software?
Some of the legit files showing in the CF log seem duplicated.

Can you scan these files at http://virusscan.jotti.org/
C:\WINDOWS\system32\snmpoids.dll
C:\WINDOWS\iun6002.exe
C:\WINDOWS\system32\wininet(2).dll
C:\WINDOWS\system32\urlmon(2).dll
C:\WINDOWS\system32\shlwapi(2).dll
C:\WINDOWS\system32\shdocvw(2).dll


Also, if you could have Kaspersky do an online check: if it finds any nasties it won't remove them, but we can then remove them manually.
Using Internet Explorer, run Kaspersky Online Scanner:
http://www.kaspersky.com/virusscanner
   
* Click 'Accept' in the window that pops up.
* You will be prompted to install an ActiveX component from Kaspersky, Click on the information bar and select Install ActiveX Control if so. This may happen more than once. That is OK. You also may get a warning from your Windows Firewall. You can tell it to unblock.
* The program will launch and then start to download the latest definition files.
* Once the scanner is installed and the definitions downloaded, click 'Next'.
* Now click on 'Scan Settings'
* In the scan settings make sure that the following are selected:
          o Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
          o Scan Options: 'Scan Archives' and 'Scan Mail Bases'
* Click 'OK'
* Now under 'Select a target to scan' select 'My Computer'
* The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
* Now click on the 'Save Report As...' button:
* Make sure it says Save as a text file - change it if not
* Save the file to your desktop.

Author Comment

by:lcg1964
ID: 20312598
Lol, that's funny. I did forget to add the link.

Scanned those files; it didn't find anything, so I scanned the originals of the copies and they were clean.

Maybe I'm just paranoid, but everything so far is clean.
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 20312916
> It runs slow sometimes when I have more than a few firefox tabs open, but usually its fine.  

that does happen on every computer, probably because of the link to particular sites.

> I've installed nero 8, not 7.

as the log shows.

> I'm not sure which software you're talking about.  But spybot and superantispyware don't.

A lot of AV software and anti-spyware software produces false results; you cannot depend only on this. Sometimes those programs report nothing, but actually your computer has unknown spyware sending your sensitive data to the internet.

Don't believe the programs.

Author Comment

by:lcg1964
ID: 20313486
Kaspersky found 2 viruses when I did a C:\ scan.

>> I'm not sure which software you're talking about.  But spybot and superantispyware don't.

>a lot of AV software and anti-spyware software produce false results. you cannot only depend on this. sometimes, those software report nothing but actually your computer has an unknown spyware sending your sensitive data to the internet.

>don't believe the programs.

You still haven't answered which software you're talking about. I've listed everything that the scans have produced.

It's also veryyy slow when I go away from the computer for a half hour or hour and come back.  Takes a few minutes before I can click on any task.

Author Comment

by:lcg1964
ID: 20314131
Hmm, Kaspersky found 8 viruses that were all in the
C:\System Volume Information\_restore{CE8EF6F1-7E64-4167-BF7B-2368EE1CCEC8}\RP36\
directory. Should I run KillBox and delete every one of them?
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 20314166
Spybot and SUPERAntiSpyware.
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 150 total points
ID: 20315138
"Should I run KillBox and delete every one of them?"

Just disable System Restore, and then go back and re-enable it. Those will all go away....

Now I don't know if your original question was answered, about the white head in the Security ACL.....

All that is, is an unmapped SID to a username. More than likely, there is a username that no longer exists on your machine that had an explicit permission set. Now that the username no longer exists on the local machine, it can't resolve the SID to the friendly name you see on the others....

This is also common in domain environments, when logged into the local machine.
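Added example to go with the explanation above (not from the thread, and not a Windows API): it reads the structure of a SID the way the Security tab implicitly does, and shows why the "white head" entry can be recognised as a deleted account even before anything tries to resolve it. The machine part S-1-5-21-3849989511-1898341264-2557499271 and the RID 1370 come from the question; the account table and the list of ACEs on the desktop icon are constructed stand-ins for what LookupAccountSid and Get-Acl would return on the live machine, where the real check belongs.

```python
import re

# Well-known SIDs resolve on every Windows machine regardless of local accounts.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

SID_RE = re.compile(r"^S-1-(\d+)(?:-\d+)+$")

# Machine/domain identifier from the thread; the RIDs below are constructed.
MACHINE = "S-1-5-21-3849989511-1898341264-2557499271"
LOCAL_ACCOUNTS = {            # constructed stand-in for the local SAM
    MACHINE + "-500": "Administrator",
    MACHINE + "-1003": "lcg",
}
DESKTOP_ACES = [              # constructed stand-in for the icon's ACL
    "S-1-5-32-544",
    "S-1-5-18",
    MACHINE + "-1003",
    MACHINE + "-1370...",      # as Spybot prints it, truncated with "..."
]


def parse_sid(sid):
    """Split 'S-1-<auth>-<sub>...-<RID>' into authority, sub-authorities and RID."""
    sid = sid.rstrip(".")      # drop Spybot's "..." truncation marker
    if not SID_RE.match(sid):
        raise ValueError("not a SID: %r" % sid)
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return {"authority": int(parts[2]), "subauthorities": subs[:-1], "rid": subs[-1]}


def describe_sid(sid):
    """Classify a SID from its structure alone, without any account lookup."""
    sid = sid.rstrip(".")
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    info = parse_sid(sid)
    subs, rid = info["subauthorities"], info["rid"]
    if info["authority"] == 5 and len(subs) == 4 and subs[0] == 21:
        # S-1-5-21-<three machine/domain words>-<RID>: RIDs below 1000 are
        # reserved (500 = Administrator, 501 = Guest); 1000 and up are handed
        # out to accounts created after installation.
        kind = "well-known relative ID" if rid < 1000 else "account created on this machine or domain"
        return "NT account SID, RID %d (%s)" % (rid, kind)
    return "other SID (authority %d)" % info["authority"]


def unresolved_sids(aces, accounts):
    """SIDs in an ACL that neither the well-known table nor the account table can name.
    On a real system these are the entries the Security tab shows as a bare SID."""
    out = []
    for sid in aces:
        clean = sid.rstrip(".")
        if clean not in WELL_KNOWN and clean not in accounts:
            out.append(clean)
    return out


if __name__ == "__main__":
    for sid in DESKTOP_ACES:
        print("%-50s %s" % (sid, describe_sid(sid)))
    print("unresolved:", unresolved_sids(DESKTOP_ACES, LOCAL_ACCOUNTS))
```

RID 1370 places the entry among accounts created on the box, so an ACE carrying it that no longer resolves is exactly the leftover explicit permission described above; removing the stale ACE (or leaving it, since it grants nothing to a principal that cannot log on) is a cleanup choice, not a malware indicator on its own.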