Solved

Does this look Harmful?

Posted on 2007-11-16
Last Modified: 2013-12-04
I was looking through some of the system startup info in Spybot S&D. I found three entries that were suspicious.


Located: HK_CU:Run, BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
  where: S-1-5-21-3849989511-1898341264-2557499271-1370...
command: "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
   file:
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
         Warning: if the file is actually larger than 0 bytes,
         the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe
  where: S-1-5-21-3849989511-1898341264-2557499271-1370...
command: C:\WINDOWS\system32\ctfmon.exe
   file: C:\WINDOWS\system32\ctfmon.exe
   size: 15360
    MD5: 24232996A38C0B0CF151C2140AE29FC8

Located: HK_CU:Run, SUPERAntiSpyware
  where: S-1-5-21-3849989511-1898341264-2557499271-1370...
command: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
   file: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
   size: 1318912
    MD5: 225E41F95D0F33148D264746087017D4


the " S-1-5-21-3849989511-1898341264-2557499271-1370..."  is shown as
User S-1-5-21-3849989511-1898341264-2557499271-1370  in the actual program.

I've noticed before that when I right-click and hit Properties on any icon on the desktop and go to the Security tab, there is that user, with a weird white head-looking icon. It's not the same as a normal user's.
0
Question by:lcg1964
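Added example (not from the original question or from Spybot): a small Python parser for the startup-report layout quoted above that flags the exact case the scanner warns about. A size of 0 together with MD5 D41D8CD98F00B204E9800998ECF8427E means the scanner hashed zero bytes, i.e. it never read the file (here the quoted Nero path), so that checksum says nothing about the binary actually on disk. The report text below is constructed from the entries in the question.

```python
import hashlib
import re

# Constructed sample in the Spybot S&D startup-report layout quoted above.
SAMPLE_REPORT = """\
Located: HK_CU:Run, BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
  where: S-1-5-21-3849989511-1898341264-2557499271-1370...
command: "C:\\Program Files\\Common Files\\Nero\\Lib\\NMBgMonitor.exe"
   file:
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E

Located: HK_CU:Run, ctfmon.exe
  where: S-1-5-21-3849989511-1898341264-2557499271-1370...
command: C:\\WINDOWS\\system32\\ctfmon.exe
   file: C:\\WINDOWS\\system32\\ctfmon.exe
   size: 15360
    MD5: 24232996A38C0B0CF151C2140AE29FC8
"""

# MD5 of zero bytes: the value a scanner reports when it hashed nothing.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()


def parse_entries(report):
    """Turn each blank-line-separated block into a dict of its 'label: value'
    fields (keys lower-cased; only the first colon separates label from
    value, so drive letters inside paths survive)."""
    entries = []
    for block in re.split(r"\n\s*\n", report.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.strip().partition(":")
            entry[key.lower()] = value.strip()
        if "located" in entry:
            entries.append(entry)
    return entries


def unhashed_entries(report):
    """Return the 'Located' labels whose checksum is the empty-input MD5 with
    size 0: the scanner never opened the file, so the hash proves nothing
    about what is on disk and the path needs a manual look."""
    return [e["located"] for e in parse_entries(report)
            if e.get("size") == "0" and e.get("md5", "").lower() == EMPTY_MD5]
```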
17 Comments
 

Author Comment

by:lcg1964
ID: 20300983
Oh, and the white head icon goes away and changes to the user logged in after a few seconds.  Usually you don't even notice it if you're not looking for it.
0
 
LVL 4

Expert Comment

by:Harry_Truman
ID: 20301192
Everything seems OK. The first process belongs to Nero, the second runs with Microsoft Office, and the third is a legit anti-spyware app. As for the last part about the Security tab, I'm really not sure if what you're talking about is different than the standard single-user icon (sounds like it is).
0
 

Author Comment

by:lcg1964
ID: 20301242
No, the icon is different; it's not a white head, but it has a small red question mark and something on the side of it. I don't have too long to look at it, so it's hard to describe. I'll try and take a print screen when it comes up.

As for the processes, yeah, they are all legit, but the "where: S- blah blah blah" is scaring me.

This is the problem Spybot found when I ran a check. SUPERAntiSpyware found nothing; I ran the HJT log through the analyzer and it found nothing harmful, just a few neutral. Running VundoFix now but it hasn't found anything yet. ComboFix didn't find anything either.


--- Search result list ---
LSA: [SBI $B262365F] Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-21-3849989511-1898341264-2557499271-1370\SYSTEM\CurrentControlSet\Control\Lsa


0
 

Author Comment

by:lcg1964
ID: 20301288
0
 

Author Comment

by:lcg1964
ID: 20301304
Eh, I guess you can't do that.  
Here's a link.
http://img.photobucket.com/albums/v144/ic3nyn3/bad.jpg
0
 

Author Comment

by:lcg1964
ID: 20301448
https://filedb.experts-exchange.com/incoming/ee-stuff/5661-hijackthis.txt

Here is my HJT log.  

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

Same thing Spybot came up with.
0
 

Author Comment

by:lcg1964
ID: 20301513
So, these are the two problems Spybot found.  I could remove them, but I really don't think it will do much.


LSA: [SBI $B262365F] Settings (Registry key, nothing done) HKEY_USERS\S-1-5-21-3849989511-1898341264-2557499271-1370\SYSTEM\CurrentControlSet\Control\Lsa

Fake.Wget: [SBI $310DEE39] Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-21-3849989511-1898341264-2557499271-1370\Software\Wget
0
 

Author Comment

by:lcg1964
ID: 20301629
0

 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 20303685
Three questions:

1. Does the computer behave strangely? Running slowly, unknown network access, or slow response...
2. Have you actually installed the programs listed in the logs (except those under Windows folders)?
3. For those items belonging to Microsoft, do all your diagnostic programs suspect them?

regards,
bbao
0
 

Author Comment

by:lcg1964
ID: 20305492
It runs slow sometimes when I have more than a few Firefox tabs open, but usually it's fine.
I've installed Nero 8, not 7.
I'm not sure which software you're talking about. But Spybot and SUPERAntiSpyware don't.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 350 total points
ID: 20305799
I noticed the username on your log; I think you emailed me but then you forgot to include the link to your question.
I replied twice but it bounced back as "blocked"; your email probably blocked Gmail.

Those files Spybot found are legit, but then some nasties can duplicate legit system files.

The ComboFix log has a file that could be from IndigoRose Software; did you install some desktop surveillance software?
Some of the legit files showing in the CF log seem duplicated.

Can you scan these files at http://virusscan.jotti.org/
C:\WINDOWS\system32\snmpoids.dll
C:\WINDOWS\iun6002.exe
C:\WINDOWS\system32\wininet(2).dll
C:\WINDOWS\system32\urlmon(2).dll
C:\WINDOWS\system32\shlwapi(2).dll
C:\WINDOWS\system32\shdocvw(2).dll


Also, if you could have Kaspersky do an online check: if it finds any nasties it won't remove them, but we can then remove them manually.
Using Internet Explorer, run Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner
   
* Click 'Accept' in the window that pops up.
* You will be prompted to install an ActiveX component from Kaspersky, Click on the information bar and select Install ActiveX Control if so. This may happen more than once. That is OK. You also may get a warning from your Windows Firewall. You can tell it to unblock.
* The program will launch and then start to download the latest definition files.
* Once the scanner is installed and the definitions downloaded, click 'Next'.
* Now click on 'Scan Settings'
* In the scan settings make sure that the following are selected:
          o Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
          o Scan Options: 'Scan Archives' and 'Scan Mail Bases'
* Click 'OK'
* Now under 'Select a target to scan' select 'My Computer'
* The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
* Now click on the 'Save Report As...' button:
* Make sure it says Save as a text file - change it if not
* Save the file to your desktop.
0
 

Author Comment

by:lcg1964
ID: 20312598
Lol, that's funny. I did forget to add the link.

Scanned those files, it didn't find anything so I scanned the originals to the copies and they were clean.

Maybe I'm just paranoid, but everything so far is clean.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 20312916
> It runs slow sometimes when I have more than a few firefox tabs open, but usually its fine.  

That does happen on every computer, probably because of the link to particular sites.

> I've installed nero 8, not 7.

As the log shows.

> I'm not sure which software you're talking about.  But spybot and superantispyware don't.

A lot of AV software and anti-spyware software produce false results. You cannot depend only on this. Sometimes those programs report nothing, but actually your computer has unknown spyware sending your sensitive data to the internet.

Don't believe the programs.
0
 

Author Comment

by:lcg1964
ID: 20313486
Kaspersky found 2 viruses when I did a C:\ scan.

>> I'm not sure which software you're talking about.  But spybot and superantispyware don't.

>a lot of AV software and anti-spyware software produce false results. you cannot only depend on this. sometimes, those software report nothing but actually your computer has an unknown spyware sending your sensitive data to the internet.

>don't believe the programs.

You still haven't answered which software you're talking about.  I've listed everything that the scans have produced.

It's also veryyy slow when I go away from the computer for a half hour or an hour and come back. It takes a few minutes before I can click on any task.
0
 

Author Comment

by:lcg1964
ID: 20314131
Hmm, Kaspersky found 8 viruses that were all in the
C:\System Volume Information\_restore{CE8EF6F1-7E64-4167-BF7B-2368EE1CCEC8}\RP36\  
directory.  Should I run killbox and delete every one of them?
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 20314166
Spybot and SUPERAntiSpyware.
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 150 total points
ID: 20315138
"Should I run killbox and delete every one of them?"

Just disable System Restore, and then go back and re-enable it. Those will all go away....

Now I don't know if your original question was answered, about the white head in the Security ACL.....

All that is is an unmapped SID to a username. More than likely, there is a username that no longer exists on your machine that had an explicit permission set. Now that the username no longer exists on the local machine, it can't resolve the SID to the friendly name you see on the others....

This is also common in Domain environments, when logged into the local machine.
0
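To make the unmapped-SID explanation concrete, here is an added Python example (not part of johnb6767's answer or of any Windows tool) that splits a SID into its parts and resolves ACL trustees against a constructed stand-in for the machine's account database. The account names in that table are hypothetical, and the thread's ...-1370 SID is deliberately left out of it, so it comes back unresolved, exactly as it does on the Security tab; its RID of 1370 (at or above 1000) marks it as an account that was created on the machine or domain rather than a built-in one.

```python
import re

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Well-known SIDs that resolve without any local account lookup.
WELL_KNOWN = {"S-1-5-18": "NT AUTHORITY\\SYSTEM",
              "S-1-5-32-544": "BUILTIN\\Administrators"}

# Constructed stand-in for this machine's account database (names are
# hypothetical); the thread's ...-1370 SID is deliberately absent.
LOCAL_ACCOUNTS = {
    "S-1-5-21-3849989511-1898341264-2557499271-500": "Administrator",
    "S-1-5-21-3849989511-1898341264-2557499271-1003": "lcg1964",
}

# Constructed trustee list, as the Security tab of a desktop icon would show.
SAMPLE_ACL = ["S-1-5-18", "S-1-5-32-544",
              "S-1-5-21-3849989511-1898341264-2557499271-1003",
              "S-1-5-21-3849989511-1898341264-2557499271-1370"]


def parse_sid(sid):
    """Split S-R-A-sub1-...-subN into revision, identifier authority,
    sub-authorities and the trailing relative identifier (RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    return {"revision": int(m.group(1)), "authority": int(m.group(2)),
            "subauthorities": subs, "rid": subs[-1]}


def describe(sid, accounts=LOCAL_ACCOUNTS):
    """Resolve a trustee the way the Security tab tries to: (name, note).
    name is None when nothing maps the SID, which is what shows up as the
    bare S-1-5-21-... entry with the odd icon."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid], "well-known"
    if sid in accounts:
        return accounts[sid], "local account"
    p = parse_sid(sid)
    if p["authority"] == 5 and p["subauthorities"][:1] == [21]:
        kind = "built-in RID" if p["rid"] < 1000 else "user-created RID"
        return None, "unresolved machine/domain SID (%s %d)" % (kind, p["rid"])
    return None, "unresolved"


def unresolved_trustees(acl_sids, accounts=LOCAL_ACCOUNTS):
    """Entries whose trustee no longer maps to a name on this machine."""
    return [s for s in acl_sids if describe(s, accounts)[0] is None]
```

An unresolved entry like this is worth reviewing: the permission it grants stays in force even though no current account name is attached to it.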
