
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 250
  • Last Modified:

Does this look Harmful?

I was looking through some of the system startup info on Spybot- S&D.  I found three entries that were suspicious

Located: HK_CU:Run, BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
  where: S-1-5-21-3849989511-1898341264-2557499271-1370...
command: "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
         Warning: if the file is actually larger than 0 bytes,
         the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe
  where: S-1-5-21-3849989511-1898341264-2557499271-1370...
command: C:\WINDOWS\system32\ctfmon.exe
   file: C:\WINDOWS\system32\ctfmon.exe
   size: 15360
    MD5: 24232996A38C0B0CF151C2140AE29FC8

Located: HK_CU:Run, SUPERAntiSpyware
  where: S-1-5-21-3849989511-1898341264-2557499271-1370...
command: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
   file: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
   size: 1318912
    MD5: 225E41F95D0F33148D264746087017D4

the " S-1-5-21-3849989511-1898341264-2557499271-1370..."  is shown as
User S-1-5-21-3849989511-1898341264-2557499271-1370  in the actual program.

I've noticed before that when I right click and hit properties on any icon on the desktop and go to the security tab, there is that user, with a weird white head looking icon.  It's not the same as normal users'.
2 Solutions
lcg1964Author Commented:
Oh, and the white head icon goes away and changes to the user logged in after a few seconds.  Usually you don't even notice it if you're not looking for it.
Everything seems OK.  The first process belongs to Nero, the second runs with Microsoft Office, and the third is a legit anti-spyware app.  As for the last part about the security tab, I'm really not sure if what you're talking about is different than the standard single-user icon (sounds like it is).
lcg1964Author Commented:
No, the icon is different; it's not a white head but it has a small red question mark and something on the side of it.  Don't have too long to look at it so it's hard to describe.  I'll try and take a print screen when it comes up.

As for the processes yeah they are all legit, but the where: S- blah blah blah is scaring me.

This is what problem Spybot found when I ran a check.  SUPERAntiSpyware found nothing; ran the HJT log through the analyzer and it found nothing harmful, just a few neutral.  Running VundoFix now but it hasn't found anything yet.  ComboFix didn't find anything either.

--- Search result list ---
LSA: [SBI $B262365F] Settings (Registry key, nothing done)

lcg1964Author Commented:
Eh, I guess you can't do that.  
Here's a link.
lcg1964Author Commented:

Here is my HJT log.  

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

Same thing Spybot came up with.
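The Spybot startup list in the question and the HJT "O4 - HKCU\..\Run" lines above are both views of the same per-user Run key. One detail in the Spybot output is worth knowing: size 0 together with MD5 D41D8CD98F00B204E9800998ECF8427E is the hash of zero bytes of input, so the tool hashed nothing, and that line says nothing about the file either way (Spybot's own warning says as much). The script below is an added example, not code from the thread or from any of the tools named in it; it assumes Windows PowerShell 4 or later (for Get-FileHash) and lists the same entries with size, MD5 and Authenticode status, flagging the cases a defender would want to re-check by hand.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 4 or later.
# Lists the per-user Run entries (the "HK_CU:Run" / "O4 - HKCU\..\Run" lines),
# resolves each command to a file, and reports size, MD5 and signature status.
$RunKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$EmptyMd5      = 'D41D8CD98F00B204E9800998ECF8427E'   # MD5 of zero bytes of input
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunTarget {
    # Extract the executable path from a Run value: either a quoted path such as
    # "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" (arguments may follow),
    # or the first whitespace-delimited token of an unquoted command line.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return (($Command.Trim() -split '\s+')[0])
}

function Get-UserRunEntries {
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $ProviderProps) { continue }   # skip the registry provider's metadata
        $target = Get-RunTarget $p.Value
        $entry  = [ordered]@{ Name = $p.Name; Command = $p.Value; Target = $target
                              Size = $null; MD5 = $null; Signature = $null; Note = $null }
        if (Test-Path -LiteralPath $target -PathType Leaf) {
            $file = Get-Item -LiteralPath $target
            $entry.Size      = $file.Length
            $entry.MD5       = (Get-FileHash -LiteralPath $target -Algorithm MD5).Hash
            $entry.Signature = (Get-AuthenticodeSignature -FilePath $target).Status
            $entry.Note = if ($file.Length -eq 0 -or $entry.MD5 -eq $EmptyMd5) {
                'zero-length file: the hash is of empty input, not of a program'
            } elseif ($entry.Signature -ne 'Valid') {
                'no valid Authenticode signature: confirm the hash with a second scanner'
            } else {
                'signed, non-empty'
            }
        } else {
            $entry.Note = 'target file not found on disk (stale entry, or a path this user cannot read)'
        }
        [pscustomobject]$entry
    }
}

Get-UserRunEntries | Format-Table -AutoSize
```

The point of computing the hash yourself is to compare it against what the scanner reported: a match on a non-empty, validly signed file from the expected vendor path closes the question for that entry, while a zero-length result means the scanner (or this script) could not read the file and the entry still needs a look.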
lcg1964Author Commented:
So, these are the two problems Spybot found.  I could remove them, but I really don't think it will do much.

LSA: [SBI $B262365F] Settings (Registry key, nothing done) HKEY_USERS\S-1-5-21-3849989511-1898341264-2557499271-1370\SYSTEM\CurrentControlSet\Control\Lsa

Fake.Wget: [SBI $310DEE39] Settings (Registry key, nothing done)
lcg1964Author Commented:
bbaoIT ConsultantCommented:
three questions:

1. does the computer behave strangely? running slowly, unknown network access, or slow response...
2. have you actually installed the programs listed in the logs (except those under Windows folders)?
3. for those items that belong to Microsoft, do all your diagnosis software suspect them?

lcg1964Author Commented:
It runs slow sometimes when I have more than a few Firefox tabs open, but usually it's fine.  
I've installed nero 8, not 7.
I'm not sure which software you're talking about.  But spybot and superantispyware don't.
I noticed the username on your log; I think you emailed me but then you forgot to include the link to your question.
I replied twice but it bounced back as "blocked"; your email probably blocked Gmail.

Those files Spybot found are legit, but then some nasties can duplicate legit system files.

The ComboFix log has a file that could be from IndigoRose Software; did you install some desktop surveillance software?
Some of the legit files showing in the CF log seem duplicated.

Can you scan these files at

Also, if you could have Kaspersky do an online check: if it finds any nasties it won't remove them, but we can then remove them manually.
Using Internet Explorer, run Kaspersky Online Scanner
* Click 'Accept' in the window that pops up.
* You will be prompted to install an ActiveX component from Kaspersky, Click on the information bar and select Install ActiveX Control if so. This may happen more than once. That is OK. You also may get a warning from your Windows Firewall. You can tell it to unblock.
* The program will launch and then start to download the latest definition files.
* Once the scanner is installed and the definitions downloaded, click 'Next'.
* Now click on 'Scan Settings'
* In the scan settings make sure that the following are selected:
          o Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
          o Scan Options: 'Scan Archives' and 'Scan Mail Bases'
* Click 'OK'
* Now under 'Select a target to scan' select 'My Computer'
* The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
* Now click on the 'Save Report As...' button:
* Make sure it says Save as a text file - change it if not
* Save the file to your desktop.
lcg1964Author Commented:
Lol, that's funny.  I did forget to add the link.

Scanned those files, it didn't find anything so I scanned the originals to the copies and they were clean.

Maybe I'm just paranoid, but everything so far is clean.
bbaoIT ConsultantCommented:
> It runs slow sometimes when I have more than a few firefox tabs open, but usually its fine.  

that does happen on every computer, probably because of the link to particular sites.

> I've installed nero 8, not 7.

as the log shows.

> I'm not sure which software you're talking about.  But spybot and superantispyware don't.

a lot of AV software and anti-spyware software produce false results. you cannot only depend on this. sometimes, those software report nothing but actually your computer has an unknown spyware sending your sensitive data to the internet.

don't believe the programs.
lcg1964Author Commented:
Kaspersky found 2 viruses when I did a C:\ scan.

>> I'm not sure which software you're talking about.  But spybot and superantispyware don't.

>a lot of AV software and anti-spyware software produce false results. you cannot only depend on this. sometimes, those software report nothing but actually your computer has an unknown spyware sending your sensitive data to the internet.

>don't believe the programs.

You still haven't answered which software you're talking about.  I've listed everything that the scans have produced.

It's also veryyy slow when I go away from the computer for a half hour or hour and come back.  Takes a few minutes before I can click on any task.
lcg1964Author Commented:
Hmm, Kaspersky found 8 viruses that were all in the
C:\System Volume Information\_restore{CE8EF6F1-7E64-4167-BF7B-2368EE1CCEC8}\RP36\  
directory.  Should I run killbox and delete every one of them?
bbaoIT ConsultantCommented:
spybot and superantispyware.
"Should I run killbox and delete every one of them?"

Just disable System Restore, and then go back and re-enable it. Those will all go away....

Now I don't know if your original question was answered, about the white head in the Security ACL.....

All that is is an unmapped SID to a username. More than likely, there is a username that no longer exists on your machine, that had an explicit permission set. Now that the username no longer exists on the local machine, it can't resolve the SID to the friendly name you see on the others....

This is also common in Domain environments, when logged into the local machine.
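The unmapped-SID explanation above can be checked directly rather than by watching the Security tab. The script below is an added example, not code from the thread; it assumes Windows PowerShell 3 or later and a file or folder you can read (the default is the current user's desktop, the place the question mentions). It lists every identity in the object's ACL and marks the ones Windows cannot map back to an account name, which is exactly what the Security tab shows as a bare "S-1-5-21-..." entry with the placeholder icon.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 3 or later.
# Lists every access-control entry on a file or folder and marks SIDs that cannot be
# resolved to an account name (an "unmapped SID", typically a deleted local account
# or an account from a domain this machine cannot currently reach).
$Path = Join-Path $env:USERPROFILE 'Desktop'   # folder to inspect; change as needed

function Get-AclIdentityStatus {
    param([string]$LiteralPath)
    $acl = Get-Acl -LiteralPath $LiteralPath
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference
        if ($id -is [System.Security.Principal.SecurityIdentifier]) {
            # Get-Acl leaves the identity as a raw SID only when the name lookup failed,
            # but retry the translation so a transient lookup failure is reported honestly.
            $sid = $id.Value
            try {
                $name   = $id.Translate([System.Security.Principal.NTAccount]).Value
                $status = 'resolved'
            } catch [System.Security.Principal.IdentityNotMappedException] {
                $name   = $null
                $status = 'UNMAPPED'
            }
        } else {
            # Already an NTAccount (DOMAIN\name); translate it back to its SID for the report.
            $name   = $id.Value
            $sid    = $id.Translate([System.Security.Principal.SecurityIdentifier]).Value
            $status = 'resolved'
        }
        [pscustomobject]@{
            Account   = $name
            SID       = $sid
            Status    = $status
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }
    }
}

Get-AclIdentityStatus -LiteralPath $Path | Format-Table -AutoSize
```

In a SID of the form S-1-5-21-A-B-C-RID, the three middle numbers identify the machine (or domain) that issued the account and the final component is the account's relative ID; RIDs of 1000 and above belong to accounts created on that machine or domain, so an unmapped SID ending in 1370 points at an account that was created locally and has since been deleted, matching the explanation above. An orphaned entry like that grants nothing to anyone (there is no account left to log in with it), so removing it from the ACL is tidy-up, not a malware fix.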