I just downloaded the latest SB S&D and noticed it was blocking something called S-1-5-18.

Ok, now I don’t know off hand if this S-1-5-18 is the exact same thing I saw all in my infected PC, or if it was just something that looked very similar but, every month-two months or so (usually) I will be LOCKED OUT of my hard drive and I will need make it a slave and retrieve all my data each time this happens.

I know something quite similar happens when you try and crack Vista (or after the 30 trial is up.)

I have been thinking for quite some time now that it has something to do with Microsoft, and or other companies, using Microsofts update software like ASP.net framework, MSXML Service Packs etc, and perhaps many other “security updates” causing this problem, by seeking out pirated copyrighted softwares on my computer and then screwing my hard drive up if it detects anything “fishy”.

My questions are…does anyone else know anything else about this S-1-5-18 deal?

Has anyone been locked out of their hard drives after installing pirated software like Adobe Premiere Elements or anything like that?

Could this really be what I feel so certain it really is, or is it something completly different?

Each time this happens I find ophaned file corruption and a buncha crap like S-1-5-18 in my PC ALL OVER THE PLACE!

Any help, ideas, comments, suggestions or replies would be greatly apprecited.

I would like to try and get to the bottom of this because I am completely f;ing sick of it.

P.S. Please don’t bash me too hard about the illegal software, thanks!

All I can say is that S-1-5-18 is a system identifier for the “Local system” account (see here). So, this is a core “part” of any Windows (you can find the corresponding subkeys in Windows registry, for example) and I don’t think this has anything to do with your problem.

You have to be more specific as the registry key S-1-5-18 has much information in it, I also doubt S&D is blocking S-1-5-18, rather it is blocking something from modifying a key or value in S-1-5-18 ?

S-1-5-18 is just a User identification in HKEY_USERS (\S-1-5-18) with many sub keys, see image. There is nothing wrong in having HKEY_USERS\S-1-5-18 in the registry.

So I think S&D should have more information than simply S-1-5-18.

Ah, I see…well…

I do still have a strong feeling it is software companies using net framework doing this to me lol.

I wish I knew what it was thats doing this…whatever it is, Avast doesn’t catch it, nor does AVG Anti-spyware or Spybot which are the three programs I primarily use as protection.

Here is an attachment pic of the latest Spybot that made me curious.

This last hard drive infection, I found and installed a program called Bart’s PeBuilder to gain access to my hard drive so I could gain full read/write privilages etc. and I noticed those keys looked familiar and I had no control of many of them. I can’t remember all the places I had problems off hand cause it was a nightmare trying to kill off the orphaned files etc.

My suspicions were raised also about the new root certificates thing…I saw alot of very suspicious things in there about validation etc. and the users name was S-1-5-18 and similar for these root certificates area I was viewing at the time and I was blocked from accessing them until I used the PeBuilder.

But, I don’t know how windows registry works that well about users and stuff, so I may be sounding pretty stupid right now.

These are the new protection policy of Spybot, a greater immunization feature. I see nothing strange with it. Is it a problem for you? Why?

Well that image looks like the S&D immunisation and it looks like it has edited the registry HKEY_USERS\S-1-5-18 (and HKEY_USERS\S-1-5-19, HKEY_USERS\S-1-5-20) to add registry keys to prevent Internet Explorer saving any Cookies (classed as suspect) or visiting any Domains or IPs that might be malicious.

You need to look further into the image to see that these are the numbers of Protected items in each particular section Cookies, Domains and IPs. So nothing looks untoward to me. Though I don’t use the latest version of S&D and the earlier one (which I used for a time) didn’t display this information in that way.

You really ned to look inside the registry for the HKEY_USERS\S-1-5-18 Cookies, Domains and IPs to see what values are there, but I don’t believe there will be anything there other than blocking certain cookies (probably by domain) and blocked domains and IP addresses.

I can’t find any domains from Microsoft being blocked by Spybot.