
Infected By S-1-5-21-4209800439-1324676987-25304762-1005


This topic is locked
4 replies to this topic

#1 LakeshoreBaby

LakeshoreBaby

  • Members
  • 3 posts
  • Location:Montreal
  • Local time:12:04 PM

Posted 02 February 2007 - 01:23 PM

Hi there. I recently bought a system with an Asus p5w64-ws motherboard, core 2 duo, and windows XP home. I downloaded some things from the internet, and ended up getting an infection :flowers: . The problem doesn't show up on standard antivirus programs like Bit-Defender, Kaspersky and AVG7.5. It wrote hundreds and hundreds of adware folders in the windows registry that I deleted by hand. But a problem persists in that the registry seems to have a mind of its own now. It continues to write useless registry entries by the name of S-1-5-21-4209800439-1324676987-25304762-1005, until my system eventually slows. There is nothing in my start-up registries other than what should be there. Of note is that in the hidden windows directory C:\RECYCLER there is a recycle bin by the same name of S-1-5-21-4209800439-1324676987-25304762-1005. I cannot delete this bin (I'm not even sure I should but I'm pretty certain it should not be called that). Something did show up when I did a process and boot sector scan with Ad-aware:

MRU List Object Recognized!
Location: : S-1-5-21-4209800439-1324676987-25304762-1005\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-4209800439-1324676987-25304762-1005\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-4209800439-1324676987-25304762-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened

... but quarantining and deleting these MRUs does not work and my registry keeps getting written with entries of the same number and thereabouts. Here is my Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 12:59:03 PM, on 02/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe
C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\Program Files\SiteAdvisor\6009\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Advanced WindowsCare V2\Awc.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\drivers\soundmax\5.12.1.3713_trad_ch_fix2\SM_Panel\Sys\SMax4.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\SiteAdvisor\6009\SiteAdv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender8\bdswitch.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PurgeIE\PURGEIE.EXE
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/cgi-bin/scraper.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6009\SiteAdv.dll
O2 - BHO: CKeyScramblerBHO Object - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6009\SiteAdv.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Advanced WindowsCare V2 Personal] "C:\Program Files\Advanced WindowsCare V2\Awc.exe" /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMax] "C:\drivers\soundmax\5.12.1.3713_trad_ch_fix2\SM_Panel\Sys\SMax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6009\SiteAdv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
O23 - Service: MRU Web Service (MRUWebService) - Unknown owner - C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Unknown owner - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe (file missing)
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgeIE_Service.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6009\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

The only thing I can see that is not normal is the Outpost Firewall entry, which I cannot delete using HijackThis. It will always reappear on the next scan. It makes sense to me that Outpost Firewall might be causing this problem because even though it was a good firewall, when I installed it, it weaved its way into my system and was a complete b**ch to uninstall (although I finally managed to do it and there are no Outpost files left I can see on my system), no matter if I used their uninstaller or the windows or other uninstallers. Otherwise I did all the other suggestions to prepare for this post, including McAfee Stinger, and all came up negative. Can anyone help me? I'm at my wit's end. :thumbsup: Thank you!

Oh... the other thing is that there are some temporary internet files in the C:\Documents and Settings\Tim\Local Settings\Temp and Temporary Internet Files directories and the C:\Windows\temp directory, as seen by Purge IE, that are locked and cannot be deleted. Is it possible that these files are writing continually to the registry from bootup?

Thank you so much! L.B. :huh:


#2 LakeshoreBaby

LakeshoreBaby
  • Topic Starter

  • Members
  • 3 posts
  • Location:Montreal
  • Local time:12:04 PM

Posted 02 February 2007 - 05:01 PM

Anyways I found out that there is an undeletable IE Browser page file in the C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\ folder that continually writes new JPEG files to the same directory and I believe into the registry too.

#3 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:01:04 PM

Posted 09 February 2007 - 10:04 PM

Hello LakeshoreBaby and welcome to the BC HijackThis forum. There are a couple of things we need to address in the log.

To start with, it appears that there are multiple anti-virus applications running on this computer (AVG and BitDefender). It is not recommended to have this because it can cause file access issues and if there is an infection the multiple programs can block each other from dealing with the infected file. I highly recommend that you choose which application you want to keep and uninstall the other one(s) to prevent these problems.

Next, there are some O15 entries that need to be corrected.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Unknown owner - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe (file missing)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

The S-1-5-21 number is called a SID (Security IDentifier). It is Windows' way of telling what belongs to each user on the computer and what they have access to. This is normal. It keeps track of everything a particular user does. Windows is constantly writing to this key. It is supposed to do that.

The Recycler folder has a separate folder for each user on a machine. It keeps track of files and folders deleted by user (thus SID) so that those files or folders can be deleted and also it holds all restore points for each user so that the user can use System Restore. There is supposed to be a SID folder in the Recycler folder for each user.

There will always be graphics files (.gif, .jpg, .wmf, etc.) in the temporary internet folder. Every web page that is visited places any graphics images on the page in those folders so that they can be displayed in the browser when viewing a page. That is how browsing the internet works. These folders should be cleaned from time to time but they will never be empty.

Other than that, things look fine. Reboot the machine, run HijackThis and post a new log back here so I can check the items we fixed.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

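As an added illustration of OldTimer's explanation (this is not code from the thread or from any tool named in it), the script below decodes the SID from the post into its revision, identifier authority, sub-authorities and RID, classifies the RID the way an analyst reads it, and then checks a constructed RECYCLER listing against a constructed set of known profile SIDs so that a folder named by a SID with no matching account, or not named by a SID at all, stands out. The RID thresholds and well-known RID names are standard Windows values; the folder names and profile list are made up for the example.

```python
"""Decode Windows SIDs such as S-1-5-21-4209800439-1324676987-25304762-1005
and sanity-check per-user RECYCLER sub-folders against known profiles."""
import re
from dataclasses import dataclass

# Well-known relative identifiers for S-1-5-21-* account SIDs.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users"}
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int   # 5 = NT Authority
    sub_authorities: tuple      # e.g. (21, 4209800439, 1324676987, 25304762, 1005)

    @property
    def rid(self) -> int:
        """Relative identifier: last sub-authority, unique within the issuing machine/domain."""
        return self.sub_authorities[-1]

    @property
    def issuer(self) -> str:
        """Machine or domain SID: everything except the RID."""
        head = "-".join(str(s) for s in self.sub_authorities[:-1])
        return "S-%d-%d-%s" % (self.revision, self.identifier_authority, head)


def parse_sid(text: str) -> Sid:
    """Parse the textual SID form; reject anything outside the documented limits."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a SID string: %r" % text)
    rev, auth, rest = m.groups()
    subs = tuple(int(s) for s in rest.split("-")[1:])
    if int(rev) != 1 or len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("malformed SID: %r" % text)
    return Sid(int(rev), int(auth), subs)


def describe(sid: Sid) -> str:
    """Classify an account SID: S-1-5-21-<3 x 32-bit>-<RID> is a machine/domain account."""
    if sid.identifier_authority != 5 or sid.sub_authorities[:1] != (21,) \
            or len(sid.sub_authorities) != 5:
        return "not a domain/machine account SID"
    if sid.rid in WELL_KNOWN_RIDS:
        return "well-known account: " + WELL_KNOWN_RIDS[sid.rid]
    if sid.rid >= 1000:   # RIDs from 1000 up are ordinary accounts created after install
        return "ordinary account created on this machine or domain"
    return "reserved RID"


def check_recycler(folder_names, known_profile_sids) -> dict:
    """Map each RECYCLER sub-folder name to 'expected' or a reason to look closer."""
    report = {}
    for name in folder_names:
        try:
            parse_sid(name)
        except ValueError:
            report[name] = "not a SID folder"
            continue
        report[name] = "expected" if name in known_profile_sids else "SID with no matching profile"
    return report
```

Run with the SID from the post to see that the RID is 1005, i.e. an ordinary account created on the machine, which is exactly the folder RECYCLER is expected to hold.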

#4 LakeshoreBaby

LakeshoreBaby
  • Topic Starter

  • Members
  • 3 posts
  • Location:Montreal
  • Local time:12:04 PM

Posted 10 February 2007 - 03:39 AM

Wow, thank you. :thumbsup: I guess I was freaking out over nothing. I know at some point there was something weird going on, but I think AVG cleared it up. And also, getting Outpost Firewall out of my system was driving me nuts. I can't stand it when programs ask you certain options like not to be involved with online feedback and then do it anyway and put stuff in your start up. And when you uninstall them and there are still active components and stuff running. Grrrrrrrrrrrrrr :flowers: . So after all that I see my computer slowing noticeably on start up and the drive light going nuts even when on complete idle, and so started to search my whole system, not really knowing what I was doing. And I see this S-1-5-21 thing and figured that there is no way Microsoft would name something so bizarre if it was meant to be there. Anyways. I have another problem now, but I'll figure it out on my own or do a fresh install of XP. I uninstalled quicktime and now can't reinstall it because there are still active components in the registry telling the installer that it's still on my system. Anyways, I probably fricked up the whole thing when I was messing with the registry....lol. But my system is working fine for the moment so I'm gonna practice not panicking and figure it out over time when I know a little more... :huh: . Thank you so much for your time and advice and your kind welcome. Very much appreciated. I will make a donation to Bleeping Computer when I recover from buying my computer...lol. Have a super day!!! :huh:

#5 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:01:04 PM

Posted 11 February 2007 - 08:10 AM

You are very welcome LakeshoreBaby. I'm glad that we could help.

I will now close this topic. If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing :thumbsup:

OT
OldTimer
