Acquired An "Account Unknown"

Don’t know exactly where this problem should fall in the forum, so I am starting with general “Help” topic.
As a quick note, I have recovered from my problem, not without considerable effort on my part, and now have my Vista SP2 Home Edition restored back to before “the incident”.

The incident is what I would like help in understanding, how it happened, what steps I could put in place to have prevented it happening in the first place.

The Incident: one day I started to receive alerts from my sandbox portion of my free CIS (see attached jpg), asking me if I should run a program called “AV1.exe” inside the sandbox or outside of the sandbox. I took a snapshot of the alert with a program called “Screen Capture” which saved the alert box as the attached jpg file. But when I went to attach this saved picture file “AV1_2.jpg” I was told I didn’t have permission to open or basically do anything with this file. So I checked the security settings under properties for the jpg file and noticed I had an additional “New Account” along with my other normal accounts, one I didn’t recognize at all.
It was titled "Account Unknown {S-1-5-21-910487229-3244187171-1295908170-1001}" and it seemed to have pretty much taken over control of the security of my hard drive.

I should also mention that besides Comodo Internet Security Suite ver. 4.1.150349.920, I run SuperAntiSpyware free edition, Malwarebytes full edition, and ThreatFire, all of which I keep up to date with nearly daily downloads (for the non-automatic editions).

Yet with all of this coverage, something slipped through a chink in my armor. If anyone could shed some light as to how this account was established (possibly what program was the culprit), I might be better able to defend myself in the future.

I did a Google search for av1.exe. Definitely a rogue: , .

Did you manage to get rid of it? It gets installed in C:/Documents and Settings/All Users/Application Data/AV1/AV1.exe which is not protected with v5.

Registry run key, HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run/"AV1", is protected with v5. Can you see if it is with v4?


Thanks for the quick response. As I had mentioned in my post, I restored my system the hard way, not too hard fortunately. I had a fairly recent full backup, you know, lost a few emails, photos, documents, for me since I am retired nothing critical. Suspected some variation of “AntiVirus” scareware early on, but I have worked on at least 30 different versions on the same theme and they just seem to get stronger and harder to remove. Haven’t seen my first case of “ransomware” in the wild yet, but I’m just holding my breath, it’s only a matter of time. Past the point of "chasing the file" now, just formatted, restored back to a known good backup and loaded what files I could find among my 3 other systems. I usually spend my days volunteering removing other people’s “problems”, so by the time I come home and find one on one of my systems (first one in longer than I can remember, honest!), I am too tired to fight for very long and a restore is usually the quickest solution for me. I’m fighting a trojan right now on two systems at our local “Habitat for Humanity” and it’s been kicking my ■■■■. Might need to pick your brain again on this one.
I have two files that keep showing up in c:\system volume\microsoft on XP Pro SP3 machines. Can’t remember the exact names (they are written down on a sticky pad near the systems), but I will bring them home with me the next time I go back to the Habitat and share my headache with you.

Thanks again, I guess we can close this post out as “Solved/Solution Found/Completed”

John J. Baglione

Your links, EricJH, remind us how to get rid of it, but not how CIS (assuming it’s used by the OP) would protect against this particular rogue and all rogues generally speaking, outside, of course, of not clicking everywhere without a second thought in mail, social networks, porn…


Yes, sometimes it seems you are taking extreme measures (paranoid) to stay clean (uninfected) only to fall victim to hijacking and drive-bys. I think I was probably a victim of a drive-by. But as “they” say, “once burned, twice shy”.

Still having fun cleaning up after another mutant version of AV whatever! I volunteer my services to the local Habitat for Humanity here in Beaufort, SC. Lucky, only two of their 5 systems have caught the “bug”. Still trying to stomp the last two files out of those systems, but you know how “Trojans” can be, they make copies of themselves and stash files everywhere.

These last two files, “smss.exe” and “services.exe” I found lurking in the hidden folder C:\System Volume Information\Microsoft on two XP Pro machines. I know that’s not where they belong, should be over in C:\Windows\system32 and no place else or they are bogus. I think I have a handle on them now, will try turning off the System Restore Point and rebooting and check and see if that deleted them. If it did I can safely turn Sys Restore back on.

Probably will have to check a few places in the registry for “lurkers”. Most likely in HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run to see if anything looks suspicious.

Thanks for letting me bend your ear and the words of encouragement.

John Baglione a.k.a. TaiChiBabbo
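
The two checks described in the post above (copies of smss.exe and services.exe outside System32, and a look at the Run keys), as an added read-only PowerShell example; it is not code from any poster in this thread. The function names are hypothetical, the list of folders where Windows keeps its own spare copies is an assumption to adjust per system, and the Run paths are the standard Windows autostart keys.

```powershell
# Added example, read-only: reports findings, changes nothing. Run elevated.
$names = 'smss.exe', 'services.exe'            # file names from the post
$sys32 = Join-Path $env:SystemRoot 'System32'  # the one expected home
# Assumption: folders where Windows keeps its own spare copies of system files.
$spareDirs = 'System32\dllcache', 'ServicePackFiles', 'WinSxS' |
    ForEach-Object { Join-Path $env:SystemRoot $_ }

function Test-ExpectedLocation([System.IO.FileInfo]$File) {
    if ($File.DirectoryName -ieq $sys32) { return $true }
    foreach ($dir in $spareDirs) {
        if ($File.FullName.StartsWith("$dir\", [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { return [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }
}

function Find-MisplacedSystemFiles([string]$Root = "$env:SystemDrive\") {
    Get-ChildItem -Path $Root -Include $names -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable skipped |
        Where-Object { -not $_.PSIsContainer -and -not (Test-ExpectedLocation $_) } |
        Select-Object FullName, Length, LastWriteTime,
            @{ Name = 'SHA256'; Expression = { Get-Sha256 $_.FullName } }
    # Folders that cannot be read (System Volume Information is one by default)
    # are skipped, so report the count instead of implying they are clean.
    Write-Warning "$($skipped.Count) paths could not be read"
}

function Get-RunKeyEntries {
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($path in $runKeys) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            New-Object PSObject -Property @{ Key = $path; Name = $name; Command = $key.GetValue($name) }
        }
    }
}

Find-MisplacedSystemFiles | Format-List
Get-RunKeyEntries | Format-Table Name, Command, Key -AutoSize -Wrap
```

HKCU is the hive of whichever account runs the script, so the Run-key listing should also be taken while logged on as the affected user. A hit from the file scan is a lead to review (path, date, hash), not proof of infection.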

That link is promoting SpyHunter which has a bad reputation, so take care.