new member, strange problem

Discussion in 'other software & services' started by reklov, Nov 17, 2006.

Thread Status:
Not open for further replies.
  1. reklov

    reklov Registered Member

    Joined:
    Nov 17, 2006
    Posts:
    10
    Hello all. I am a new member and sure could use some help with a strange problem that I have just discovered on my Toshiba Portege laptop.

    In the xp registry, under HKEY_CURRENT_USER are two Software entries.
    The first one, "Software" appears to be a normal key, but the second one directly below the first one is in capital letters and has a chinese character in the middle where the W should be.
    Expansion of this strange key leads to "Microsoft" and then to the following key... Protected storage system provide (chinese characters)default(chinese characters)local machine (chinese characters)data
    sub key of that is S-1-5-21-80895015-319231102-2130403006-1225

    Has anyone any idea what this is o_O
    Also, cannot delete these keys. :(
     
  2. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Howdy reklov, Welcome to Wilder's!

    S-1-5-21 is an NT non-unique id. What it mean's or how it got there I'm not quite sure based on my limited knowledge of the area in question. More with external link's here. If it's not a previously used computer we're talking about I think in your position I'd take a careful look through my eventlog's and possibly run an intrusion detection program such as ntlast. Do you find any unknown entries running this - control userpasswords2? How about the permission's on that key (you may have to change ownership to remove it), do you have access?

    ~ PS - If you know for certain it doesn't belong, there are other way's of deleting registry key's ~

    Edit: Hold that thought, my attention has focused on this relating to some sort of hardware profile, I just haven't had enough time to research it.
    Can you tell me if there's any unusual hardware mentioned in device manager? How about item's connected to the pc?


    GF
     
    Last edited: Nov 20, 2006
  3. reklov

    reklov Registered Member

    Joined:
    Nov 17, 2006
    Posts:
    10
    Hi GF, and thanks for the welcome :)
    I think you hit the nail on the head. I did recently play around with the adminetrative rights on my laptop and changed some settings, trying to take complete control. The adminitrator is our IT department.
    Unfortunately I do not remember what " Complete control" setting I changed.
    Regardless, after your comments, I don't think it is anything too serious.
    Nothing else has changed, including any hardware install or connections.
    Should the light bulb come on again regarding what setting on administrative rights setting would clear that entry, please let me know.
    Have a great week.:)

    reklov
     
  4. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    I still haven't had much chance to search, but if removal is your choice ....
    I prefer this method, done OFFLINE!

    • Backup your registry.


    • Start the Task Scheduler service.


    • Open a console shell.


    • Open regedit.exe by issuing the *at* command to run in the near future.

      Example: >at 14:30 /interactive regedit.exe (Here 14:30 is military time, or 2:30 pm).


    • When it open's, it does so with "system credential's!" Delete what you wish, exit regedit.


    • If TS is an un-used service, keep it disabled.


    GF
     

    Attached Files:

  5. reklov

    reklov Registered Member

    Joined:
    Nov 17, 2006
    Posts:
    10
    Hello GF

    Thanks for your reply and suggestions. Unfortunately I can't log on Offline on my company work laptop.
    Yesterday when I logged on as Administrator, I noticed that the registry does not have that weird SOFT#ARE entry, so there is a clean version on my laptop. Any idea on how I can switch my identity to the administrator setting / version and get rid of my current user name setting/version o_O

    reklov
     
  6. reklov

    reklov Registered Member

    Joined:
    Nov 17, 2006
    Posts:
    10
    Hi again GF
    Here is something interesting. I did what you recommended, on line though, and when the registry opened at the specified time, that registry version does not have that wierd entry either o_O? even though I was logged on as my user name and not administrator. This is really wierd.
    reklov
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Copy the part below into notepad and save it as sidusracc.vbs

    Code:
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    
    Set objAccount = objWMIService.Get _
     * ("Win32_SID.SID='S-1-5-21-80895015-319231102-2130403006-1225'")
    Wscript.Echo objAccount.AccountName
    
    Doubleclick the file and you will get a prompt with the useraccount name that belongs to the user with the SID: S-1-5-21-80895015-319231102-2130403006-1225

    Regards,

    Pieter
     
  8. reklov

    reklov Registered Member

    Joined:
    Nov 17, 2006
    Posts:
    10
    Hello Pieter

    Did what you recommended, but when double clicking on file I get the following message:
    Object does not support this property or method
    Code 800A01B6
    Microsoft VBSscript runtime error

    o_O?
    Reklov
     
  9. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    I'm not certain if this has anything to do with that error but in your system32 folder hover over wscript.exe. What is the version reference, less than 5.6.0? Try the script again, this time look in event viewer immediately afterward's (not sure which log), associate the time, dbl-clk the error and let us know to what the problem refer's.

    GF
     
    Last edited: Nov 21, 2006
  10. reklov

    reklov Registered Member

    Joined:
    Nov 17, 2006
    Posts:
    10
    GF, wscript is 5.6.0.800, but there is only the wscript file, not a wscript.exe

    Ran the script, same error message. Cleared event viewer prior to script test, ran the script and there was no entry in the event viewer.
    Since there is no issue with the windows xp version when I log on as administrator, is there a way I can delete "my name" account and start again with the clean version that I have when I log in as an administrator ?

    reklow
     
  11. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    reklov,

    I'm working on it and will return shortly, next day or two. Patience appreciated, thank's.


    GF
     
  12. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    reklov,

    This favor if you would. From explorer goto tool's - folder option's - file type's, then let us know what's listed for the "open's with" under VBS. Also, check for the existance of wsh.inf (look for it in your windows\inf folder). If it's there you'll find in your reply to post window (scroll down) "manage attachment's." Clking it bring's up a dialog box allowing you to browse for this file. Choose it, let it appear in the window, then select upload.

    It would be very helpful to have the WSH available for the purposes you seek, or if you can determine if something else on your system is preventing it from running. Consider doing an advanced search of your system for wscript.exe in the meantime. I would prefer to know these detail's before providing a file association fix should that be the scenario. I suspect Pieter may return with a task or two. :ninja::D

    "Enjoy The Holiday People!"


    GF
     
  13. reklov

    reklov Registered Member

    Joined:
    Nov 17, 2006
    Posts:
    10
    GF, first of all, hope you will have a great Thanksgiving :)
    I have decided to eliminate this weird issue by just simply deleting my regular user name profile from my lap top and just run my laptop as the administrator.
    The registry was never affected there, just under my username.
    GF, I can tell you this, that I will continue to use this forum from now on, especially because of people like you, and I mean that cincerely. So thank you so much for all your support and help :thumb:

    Hopefully I will be able to help someone else here in the near future :)
    All the best
    Reklov
    PS: VBS opens with "windows based script host".
     
  14. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Hey reklov, Thanksgiving already has that warm feeling thank's to your generous sentiment's (even though my replies weren't quite what you were after).

    "I have decided to eliminate this ...." Now why didn't I think of that? :D

    Forgive me for not mentioning when executing that "run as system" gig you wouldn't have seen the key's as if you were looking under your user account, instead they'd have been found in hkey_users, under YOUR sid account. Remember .... TS opened regedit as "system," hence the difference. Proof this by creating a new key under hkcu named software2, open regedit as system, then navigate, open and confirm under your user sid in hku.

    Originally you wanted to determine what that strange key was and how to go about removing it. Well, like Pieter jumped in, the WSH has the provision's to extract a slew of information not normally accessed through common system dialog's. This is where the Scripting Guy's come in, and the insight behind Pieter's slick, suggested retrieval method. Third one down look familiar? There's plenty more here - http://www.microsoft.com/technet/scriptcenter/resources/qanda/all.mspx

    I forgot about this too .... a small detail concerning WSH. Previously I asked you to open windows explorer - tools menu - folder option's - file type's and see which program was chosen for the "open's with" heading. Take it a couple of step's further this time selecting the advanced tab - choose open under action's - then edit on your right. The line under "Application used to perform action" should read ....

    %SYSTEMDRIVE%\WINDOWS\System32\WScript.exe "%1" %* where systemdrive will correspond to the drive letter your partition is installed on. In the event it doesn't (the procedure should you actually have wscript.exe, you didn't mention what a system search returned), clk browse while still inside the dialog, navigate to your system32 folder and select wscript.exe as the program. OK three time's to apply and exit.

    Finally, if at some point you feel the WSH could be of use someday cleanup any remnant's (just run the bat and follow all prompt's) prior to downloading a fresh copy, then keep it in check with noscript (screenshot). I'd like to thank you too for being a pleasure to work with. Perhap's we both walk away with a few fresh idea's, ay? ;)

    BTW, I'll be looking forward to this - "Hopefully ...." I'm sure you will reklov, in due time.


    Kind Regard's,
    GF
     

    Attached Files:

    Last edited: Nov 24, 2006
  15. reklov

    reklov Registered Member

    Joined:
    Nov 17, 2006
    Posts:
    10
    Hi GF. Thanks very much for your reply. Did a quick check and found that everything is in order :rolleyes:
    As I said before, the pleasure was all mine :)
    Enjoy the rest of this weekend, and I plan to spend some time on this site and see if by chance I can help some real novice out :D

    reklov
     
  16. reklov

    reklov Registered Member

    Joined:
    Nov 17, 2006
    Posts:
    10
    Hey GF, used wrong icon in my last reply...should have been a big smile :)

    reklov
     
  17. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Oh, OK. ;) Everything make sense now?

    GF
     
  18. reklov

    reklov Registered Member

    Joined:
    Nov 17, 2006
    Posts:
    10
    Hi GF
    Back again with a question regarding my home desktop computer.
    I have a registry entry LEGACY_MCHINJDRV that I can't delete.
    Do you or anyone else have any knowledge of this issue ?

    Look forward to your reply :)

    reklov
     
  19. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Careful with vague information. Are you running SpySweeper by choice - http://www.experts-exchange.com/Security/Win_Security/Q_21564654.html
    Googling that "piece" of key you gave me you'll find both Sarc/Symantec and CC's have posted some additional note's.

    If it's unwanted company you've managed to pick up, consider posting an HJT log on one of the forum's that participate, not here.


    GF
     
    Last edited: Dec 3, 2006
Loading...
Thread Status:
Not open for further replies.