Thread: System Startup applications Tea Timer

  1. #1
    Junior Member
    Join Date
    Jun 2009
    Posts
    2

    System Startup applications Tea Timer

    Would you please tell me what the string "S-1-5-21-2775514201-1248352304-3043785832-1002" found in Tea Timer (see below) means?

    I searched the internet about it, but there was no information available. What is even stranger is that the same string was found by another anti-malware application as being malicious cookies named Gostats and Com.com.

    The whole report is as follows:


    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SDWinSec.exe (1.0.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2009-06-04 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-01-26 advcheck.dll (1.6.2.15)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2009-05-19 Includes\Adware.sbi
    2009-06-02 Includes\AdwareC.sbi
    2009-01-22 Includes\Cookies.sbi
    2009-05-19 Includes\Dialer.sbi
    2009-06-02 Includes\DialerC.sbi
    2009-01-22 Includes\HeavyDuty.sbi
    2009-05-26 Includes\Hijackers.sbi
    2009-06-09 Includes\HijackersC.sbi
    2009-05-06 Includes\Keyloggers.sbi
    2009-06-09 Includes\KeyloggersC.sbi
    2004-11-29 Includes\LSP.sbi
    2009-06-10 Includes\Malware.sbi
    2009-06-09 Includes\MalwareC.sbi
    2009-03-25 Includes\PUPS.sbi
    2009-06-05 Includes\PUPSC.sbi
    2009-01-22 Includes\Revision.sbi
    2009-01-13 Includes\Security.sbi
    2009-06-02 Includes\SecurityC.sbi
    2008-06-03 Includes\Spybots.sbi
    2008-06-03 Includes\SpybotsC.sbi
    2009-04-07 Includes\Spyware.sbi
    2009-06-02 Includes\SpywareC.sbi
    2009-06-08 Includes\Tracks.uti
    2009-06-02 Includes\Trojans.sbi
    2009-06-09 Includes\TrojansC.sbi
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

    Located: HK_LM:Run, Ad-Watch
    command: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    file: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    size: 518488
    MD5: 12761AC7AAAFDC75860F9905068056FF

    Located: HK_LM:Run, ccApp
    command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    size: 107112
    MD5: D12509C433C20D2818E8C03C401A256F

    Located: HK_LM:Run, osCheck
    command: "C:\Program Files\Norton Internet Security\osCheck.exe"
    file: C:\Program Files\Norton Internet Security\osCheck.exe
    size: 22696
    MD5: 9F9169BA9B0E44B6C86A5247CEC2CDEE

    Located: HK_LM:Run, RtHDVCpl
    command: RtHDVCpl.exe
    file: C:\Windows\RtHDVCpl.exe
    size: 3784704
    MD5: A503A47A5E7EA8024379A8CC6059B74A

    Located: HK_LM:Run, Symantec PIF AlertEng
    command: "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    file: C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    size: 583048
    MD5: 2D1389E05A807D956829F44BD4B60389

    Located: HK_LM:Run, Windows Defender
    command: %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    file: C:\Program Files\Windows Defender\MSASCui.exe
    size: 1008184
    MD5: 0D392EDE3B97E0B3131B2F63EF1DB94E

    Located: HK_CU:Run, SpybotSD TeaTimer
    where: S-1-5-21-2775514201-1248352304-3043785832-1002...
    command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    size: 2260480
    MD5: 390679F7A217A5E73D756276C40AE887

  2. #2
    Senior Member
    Join Date
    Jul 2006
    Location
    Croatia
    Posts
    735

    IMHO, that's a user-generated code which is probably used for identifying the username. All HK_CU startups can have S-1-5-## (which is usually 15, 18, 20 for system accounts and 21 for default users; the exception to this is ".DEFAULT", which could be the current user). If you go to HKEY_USERS using Registry Editor, you'll see these codes, and when you expand one of them, you'll see the registry settings of the selected user.
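
The layout the reply above describes, as an added example that is not part of the original thread: a small Python parser that splits HKEY_USERS subkey names into their SID fields and reports which kind of account each one belongs to. The key list is a constructed sample apart from the S-1-5-21 value quoted from the report, and the function names are this example's own.

```python
import re

# Well-known SIDs that appear as subkeys of HKEY_USERS on Windows.
WELL_KNOWN = {
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
}
# Fixed relative IDs (last field) under the S-1-5-21 account prefix.
BUILTIN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$", re.IGNORECASE)

def parse_sid(text):
    """Split 'S-R-A-S1-...-Sn' into revision, authority and sub-authorities."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    subs = [int(p) for p in m.group(3).lstrip("-").split("-")]
    if len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError(f"sub-authority out of range: {text!r}")
    return {"revision": int(m.group(1)), "authority": int(m.group(2)), "subs": subs}

def describe_hku_key(name):
    """Explain one HKEY_USERS subkey name as Registry Editor shows it."""
    if name.upper() == ".DEFAULT":
        return "hive used by the Local System account"
    base, _, suffix = name.partition("_")
    note = " (per-user classes hive)" if suffix.lower() == "classes" else ""
    sid = parse_sid(base)
    if base.upper() in WELL_KNOWN:
        return WELL_KNOWN[base.upper()] + note
    subs = sid["subs"]
    if sid["authority"] == 5 and subs[0] == 21 and len(subs) == 5:
        rid = subs[4]  # relative ID: which account on that machine or domain
        default = "regular (non-built-in) account" if rid >= 1000 else "reserved account"
        kind = BUILTIN_RIDS.get(rid, default)
        issuer = "-".join(str(s) for s in subs[1:4])
        return f"{kind}, RID {rid}, issued by machine/domain {issuer}" + note
    return "other security principal" + note

# The S-1-5-21 value is the one from the report above; the other names are
# a constructed sample of what HKEY_USERS typically contains.
SAMPLE_KEYS = [".DEFAULT", "S-1-5-18", "S-1-5-19", "S-1-5-20",
               "S-1-5-21-2775514201-1248352304-3043785832-1002",
               "S-1-5-21-2775514201-1248352304-3043785832-1002_Classes"]

if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        print(f"{key:60} {describe_hku_key(key)}")
```
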

  3. #3
    Junior Member
    Join Date
    Jun 2009
    Posts
    2

    Thank you very much for the information.
