Originally Posted by PepiMK:
Hives not loaded? I doubt that
Perhaps I should have been a little clearer. If you schedule Spybot to "Run as: NT AUTHORITY\SYSTEM", then start or restart the system and do not log on as a user before the scheduled Spybot runs, Spybot will run under System and not see any user account hives.
Proof:
I modified the system registry to pick up the following detection:
Code:
--- Report generated: 2007-09-25 08:53 ---
Microsoft.Windows.Security.InternetExplorer: [SBI $A3433CBF] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1957994488-790525478-839522115-1004\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe
--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---
2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2007-09-03 unins000.exe (51.46.0.0)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dll (2.1.0.0)
2007-04-02 DelZip179.dll (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2007-09-19 Includes\Beta.sbi
2007-08-21 Includes\Beta.uti
2007-09-19 Includes\Cookies.sbi
2007-07-25 Includes\Dialer.sbi
2007-09-19 Includes\DialerC.sbi
2007-08-29 Includes\Hijackers.sbi
2007-09-19 Includes\HijackersC.sbi
2007-07-25 Includes\Keyloggers.sbi
2007-09-19 Includes\KeyloggersC.sbi
2007-09-12 Includes\Malware.sbi
2007-09-19 Includes\MalwareC.sbi
2007-09-05 Includes\PUPS.sbi
2007-09-19 Includes\PUPSC.sbi
2007-09-19 Includes\Revision.sbi
2007-05-30 Includes\Security.sbi (*)
2007-09-19 Includes\SecurityC.sbi (*)
2007-09-12 Includes\Spybots.sbi
2007-09-19 Includes\SpybotsC.sbi
2007-08-21 Includes\Tracks.uti
2007-09-12 Includes\Trojans.sbi
2007-09-19 Includes\TrojansC.sbi
2008-12-24 Plugins\TCPIPAddress.dll
I added the following scheduled task:
- Run: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autoclose /taskbarhide
- Run as: NT AUTHORITY\SYSTEM
- Scheduled Task: At System Startup
I then restarted the system and Spybot ran reporting the following:
Code:
--- Report generated: 2007-09-25 09:06 ---
Congratulations!: No immediate threats were found. ()
--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---
2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2007-09-03 unins000.exe (51.46.0.0)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dll (2.1.0.0)
2007-04-02 DelZip179.dll (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2007-09-19 Includes\Beta.sbi
2007-08-21 Includes\Beta.uti
2007-09-19 Includes\Cookies.sbi
2007-07-25 Includes\Dialer.sbi
2007-09-19 Includes\DialerC.sbi
2007-08-29 Includes\Hijackers.sbi
2007-09-19 Includes\HijackersC.sbi
2007-07-25 Includes\Keyloggers.sbi
2007-09-19 Includes\KeyloggersC.sbi
2007-09-12 Includes\Malware.sbi
2007-09-19 Includes\MalwareC.sbi
2007-09-05 Includes\PUPS.sbi
2007-09-19 Includes\PUPSC.sbi
2007-09-19 Includes\Revision.sbi
2007-05-30 Includes\Security.sbi (*)
2007-09-19 Includes\SecurityC.sbi (*)
2007-09-12 Includes\Spybots.sbi
2007-09-19 Includes\SpybotsC.sbi
2007-08-21 Includes\Tracks.uti
2007-09-12 Includes\Trojans.sbi
2007-09-19 Includes\TrojansC.sbi
2008-12-24 Plugins\TCPIPAddress.dll
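A check in the spirit of the test above, added here as an example and not part of the original post or of Spybot itself: it lists which profile hives are actually mounted under HKEY_USERS at the moment a SYSTEM-context task runs, so an "At System Startup" scan can tell that it cannot see per-user keys such as the HKEY_USERS\S-1-5-21-...\Software\Microsoft\Internet Explorer key flagged in the first report. The function names are my own; it assumes Windows PowerShell 5.1 or later run with administrative rights.

```powershell
# Added example (not from the original post): report which user profile hives
# are currently mounted under HKEY_USERS, so a SYSTEM-context scheduled scan can
# tell whether per-user registry keys are even visible to it.
# Assumes Windows PowerShell 5.1 or later, run with administrative rights.

function Get-UserHiveStatus {
    # Every local profile the machine knows about is listed here, keyed by SID,
    # whether or not that user is currently logged on.
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    # Hives that are actually mounted right now appear as subkeys of HKEY_USERS.
    # Keep only local-account SIDs and ignore the *_Classes companion keys.
    $loaded = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        ForEach-Object { $_.PSChildName } |
        Where-Object { $_ -match '^S-1-5-21-' -and $_ -notmatch '_Classes$' }

    Get-ChildItem -Path $profileList |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
            [pscustomobject]@{
                SID         = $sid
                ProfilePath = $path
                HiveLoaded  = [bool]($loaded -contains $sid)
            }
        }
}

# Guard for a scheduled task: do not treat a scan as complete when one or more
# user hives are not mounted, which is exactly the "At System Startup" case above.
function Test-AllUserHivesLoaded {
    $missing = Get-UserHiveStatus | Where-Object { -not $_.HiveLoaded }
    if ($missing) {
        Write-Warning ('Per-user registry not visible for: ' + ($missing.SID -join ', '))
        return $false
    }
    return $true
}

Get-UserHiveStatus | Format-Table -AutoSize
if (-not (Test-AllUserHivesLoaded)) {
    Write-Host 'Run the scan after logon, or scan each profile explicitly, to cover HKEY_USERS\<SID> keys.'
}
```

Run before the scan from the same task context; a profile listed with HiveLoaded = False is one whose Software\... keys the scan will silently skip.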