lcg1964
asked on
Does this look Harmful?
I was looking through some of the system startup info on Spybot- S&D. I found three entries that were suspicious
Located: HK_CU:Run, BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
where: S-1-5-21-3849989511-1898341264-2557499271-1370 ...
command: "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-3849989511-1898341264-2557499271-1370 ...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
Located: HK_CU:Run, SUPERAntiSpyware
where: S-1-5-21-3849989511-1898341264-2557499271-1370 ...
command: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
file: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
size: 1318912
MD5: 225E41F95D0F33148D264746087017D4
The "S-1-5-21-3849989511-1898341264-2557499271-1370 ..." is shown as
User S-1-5-21-3849989511-1898341264-2557499271-1370 in the actual program.
I've noticed before that when I right-click and hit Properties on any icon on the desktop and go to the Security tab, there is that user, with a weird white head-looking icon. It's not the same as a normal user's.
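As an added example (not code from the thread or from Spybot), here is a small Python script that reassembles Spybot-style startup entries like the ones posted above and spells out the two things that look odd in them: the "where:" SID is simply the account whose hive HKEY_CURRENT_USER maps to (HKEY_USERS\<SID>), and a "size: 0" entry whose MD5 is D41D8CD98F00B204E9800998ECF8427E carries the MD5 of zero bytes, meaning the scanner never opened the file at the quoted path rather than that the file is empty. The field layout the parser expects is an assumption taken from the posted output; the sample input is constructed from the asker's own entries.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# MD5 of zero bytes. A scanner that prints this digest next to "size: 0" hashed
# nothing at all: it never managed to open the file it was pointed at.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

# Constructed sample input: two of the Spybot startup entries from the question,
# reassembled onto single lines (paths and hashes are the ones the asker posted).
SAMPLE = r"""
Located: HK_CU:Run, BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
where: S-1-5-21-3849989511-1898341264-2557499271-1370 ...
command: "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-3849989511-1898341264-2557499271-1370 ...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
""".strip()

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


@dataclass
class StartupEntry:
    location: str        # e.g. "HK_CU:Run"
    name: str            # registry value name
    sid: Optional[str]   # account SID from the "where:" line
    command: str         # command stored in the Run value
    file: str            # file the scanner resolved and hashed ("" if it could not)
    size: int
    md5: str


def _build(fields: Dict[str, str]) -> StartupEntry:
    m = SID_RE.search(fields.get("where", ""))
    return StartupEntry(
        location=fields.get("location", ""), name=fields.get("name", ""),
        sid=m.group(0) if m else None, command=fields.get("command", ""),
        file=fields.get("file", ""), size=int(fields.get("size") or 0),
        md5=fields.get("md5", "").upper())


def parse_entries(text: str) -> List[StartupEntry]:
    """One StartupEntry per 'Located:' block. The field layout is an assumption
    about Spybot's format, taken from the output posted in the thread."""
    entries: List[StartupEntry] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Located:"):
            if current:
                entries.append(_build(current))
            location, _, name = line[len("Located:"):].partition(",")
            current = {"location": location.strip(), "name": name.strip()}
        elif line.startswith("Warning:"):
            continue  # the scanner's own note on an unreadable file, not a field
        else:
            key, sep, value = line.partition(":")
            if sep and current:
                current[key.strip().lower()] = value.strip()
    if current:
        entries.append(_build(current))
    return entries


def sid_summary(sid: str) -> Dict[str, object]:
    """HKEY_CURRENT_USER is an alias for HKEY_USERS\\<SID> of the logged-on account,
    so a 'where:' SID on an HK_CU entry just names that user's hive."""
    rid = int(sid.rsplit("-", 1)[1])
    # Windows reserves RIDs below 1000 for built-in accounts (500 = Administrator);
    # accounts created on the machine are numbered from 1000 upwards.
    return {"hive": "HKEY_USERS\\" + sid, "rid": rid, "builtin": rid < 1000}


def review(entry: StartupEntry) -> List[str]:
    """Notes a defender would want on each entry."""
    notes: List[str] = []
    if entry.size == 0 and entry.md5 == EMPTY_MD5:
        notes.append("digest is the MD5 of zero bytes: the scanner never read the file; "
                     "confirm the quoted path exists and hash it yourself")
    if entry.file and entry.command.strip('"') != entry.file:
        notes.append("command and resolved file differ")
    if entry.sid and entry.location.startswith("HK_CU"):
        notes.append("per-user autostart under " + str(sid_summary(entry.sid)["hive"]))
    return notes


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(f"{e.location} {e.name}: size={e.size} md5={e.md5}")
        for note in review(e):
            print("   -", note)
```

Running it prints one line per entry plus its notes; the Nero entry gets the "MD5 of zero bytes" note, which is the cue to locate the file manually and compare a freshly computed hash against the vendor's binary, while the SID note shows the "User S-1-5-21-..." account is the same one the scan ran under, not a separate hidden user.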
Everything seems OK. The first process belongs to Nero, the second runs with Microsoft Office, and the third is a legit anti-spyware app. As for the last part about the security tab, I'm really not sure if what you're talking about is different than the standard single-user icon (sounds like it is).
ASKER
No, the icon is different; it's not a white head, but it has a small red question mark and something on the side of it. Don't have too long to look at it, so it's hard to describe. I'll try and take a print screen when it comes up.
As for the processes, yeah, they are all legit, but the "where: S- blah blah blah" is scaring me.
This is the problem Spybot found when I ran a check. SUPERAntiSpyware found nothing; I ran the HJT log through the analyzer and it found nothing harmful, just a few neutral. Running VundoFix now but it hasn't found anything yet. ComboFix didn't find anything either.
--- Search result list ---
LSA: [SBI $B262365F] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-3849989511-1898341264-2557499271-1370\SYSTEM\CurrentControlSet\Control\Lsa
ASKER
[IMG]http://img.photobucket.com/albums/v144/ic3nyn3/bad.jpg[/IMG]
it was a white head.
ASKER
Eh, I guess you can't do that.
Here's a link.
http://img.photobucket.com/albums/v144/ic3nyn3/bad.jpg
ASKER
https://filedb.experts-exchange.com/incoming/ee-stuff/5661-hijackthis.txt
Here is my HJT log.
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Same thing Spybot came up with.
ASKER
So, these are the two problems Spybot found. I could remove them, but I really don't think it will do much.
LSA: [SBI $B262365F] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-3849989511-1898341264-2557499271-1370\SYSTEM\CurrentControlSet\Control\Lsa
Fake.Wget: [SBI $310DEE39] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-3849989511-1898341264-2557499271-1370\Software\Wget
ASKER
three questions:
1. does the computer behave strangely? running slowly, unknown network access, or slow response...
2. have you actually installed the programs listed in the logs (except those under the Windows folders)?
3. for those items that belong to Microsoft, does all your diagnostic software suspect them?
regards,
bbao
ASKER
It runs slow sometimes when I have more than a few Firefox tabs open, but usually it's fine.
I've installed nero 8, not 7.
I'm not sure which software you're talking about. But spybot and superantispyware don't.
ASKER CERTIFIED SOLUTION
ASKER
Lol, that's funny. I did forget to add the link.
Scanned those files, it didn't find anything so I scanned the originals to the copies and they were clean.
Maybe I'm just paranoid, but everything so far is clean.
> It runs slow sometimes when I have more than a few firefox tabs open, but usually its fine.
that does happen on every computer, probably because of the link to particular sites.
> I've installed nero 8, not 7.
as the log shows.
> I'm not sure which software you're talking about. But spybot and superantispyware don't.
a lot of AV software and anti-spyware software produces false results. you cannot depend on this alone. sometimes that software reports nothing but actually your computer has unknown spyware sending your sensitive data to the internet.
don't believe the programs.
ASKER
Kaspersky found 2 viruses when I did a C:\ scan.
>> I'm not sure which software you're talking about. But spybot and superantispyware don't.
>a lot of AV software and anti-spyware software produce false results. you cannot only depend on this. sometimes, those software report nothing but actually your computer has an unknown spyware sending your sensitive data to the internet.
>don't believe the programs.
You still haven't answered which software you're talking about. I've listed everything that the scans have produced.
It's also veryyy slow when I go away from the computer for a half hour or hour and come back. Takes a few minutes before I can click on any task.
ASKER
Hmm, Kaspersky found 8 viruses that were all in the
C:\System Volume Information\_restore{CE8EF6F1-7E64-4167-BF7B-2368EE1CCEC8}\RP36\
directory. Should I run killbox and delete every one of them?
spybot and superantispyware.
SOLUTION
ASKER