2005-11-05, 16:55
I use Spybot & HijackThis to check the course of my machine's startup. It seems either of them loses something in the report?

result of SSD:

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (
2005-05-31 SpybotSD.exe (
2005-05-31 TeaTimer.exe (
2005-05-31 TeaTimer_original.exe (
2005-10-24 unins000.exe (
2005-05-31 Update.exe (
2005-05-31 advcheck.dll (
2005-05-31 aports.dll (
2005-05-31 borlndmm.dll (
2005-05-31 delphimm.dll (
2005-05-31 SDHelper.dll (
2005-05-31 Tools.dll (
2005-05-31 UnzDll.dll (
2005-05-31 ZipDll.dll (
2005-11-04 Includes\Cookies.sbi
2005-11-04 Includes\Dialer.sbi
2005-11-04 Includes\Hijackers.sbi
2005-11-04 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-11-04 Includes\Malware.sbi
2005-11-04 Includes\PUPS.sbi
2005-11-04 Includes\Revision.sbi
2005-11-04 Includes\Security.sbi
2005-11-04 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-11-04 Includes\Trojans.sbi

Located: HK_LM:Run, gcasServ
command: "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
file: C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
size: 473928
MD5: 263740ede788a60a6c0a47249fc410bf

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 8f1862afc3c79c0ea37621e87cc2fe6e

Located: HK_CU:Run, ctfmon.exe (DISABLED)
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 4cc6277445d2d388a4cd827086a5f5f0

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll


result of HJT:

Logfile of HijackThis v1.99.1
Scan saved at 21:45:33, on 2005-11-5
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: NTUSER.DAT
O4 - Startup: NTUSER.DAT.LOG
O4 - Startup: ntuser.ini
O4 - Startup: ~
O4 - Global Startup: NTUSER.DAT
O4 - Global Startup: NTUSER.DAT.LOG

1> Why are there differences?
2> The HJT result about NTUSER.* is very strange.
Normal, or possibly a Trojan?
3> I can't find anything like the SSD report in System.ini?
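The two reports above can be reconciled mechanically. The following is an added example (not from the thread, nor from either tool's author) that parses the Spybot "Located:" blocks and the HijackThis O4 lines quoted above, lists Run entries that appear in only one report, and flags Startup-folder items that are not shortcuts or programs; the extension whitelist STARTUP_OK is an assumption.

```python
import re
# Constructed excerpts of the two reports quoted in the thread (not the full logs).
SSD_REPORT = r"""
Located: HK_LM:Run, gcasServ
command: "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Located: HK_CU:Run, ctfmon.exe (DISABLED)
command: C:\WINDOWS\system32\ctfmon.exe
"""
HJT_REPORT = r"""
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.ini
O4 - Startup: ~
O4 - Global Startup: NTUSER.DAT
"""
# Assumed: what normally lives in a Startup folder is shortcuts and programs, not data files.
STARTUP_OK = (".lnk", ".exe", ".bat", ".cmd", ".pif", ".scr", ".vbs")

def parse_ssd(text):
    """Spybot 'Located:' blocks -> {(hive, name): (command, disabled_flag)}."""
    pat = re.compile(r"Located: (HK_LM|HK_CU):Run, (.+?)( \(DISABLED\))?\ncommand: (.+)")
    return {(hive.replace("_", ""), name): (cmd.strip(), bool(dis))
            for hive, name, dis, cmd in pat.findall(text)}

def parse_hjt(text):
    """HijackThis O4 lines -> ({(hive, name): command}, [(folder, filename)])."""
    runs, startup = {}, []
    for line in text.splitlines():
        m = re.match(r"O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)", line)
        if m:
            runs[(m.group(1), m.group(2))] = m.group(3).strip()
        m = re.match(r"O4 - (Global Startup|Startup): (.+)", line)
        if m:
            startup.append((m.group(1), m.group(2).strip()))
    return runs, startup

def reconcile(ssd_text, hjt_text):
    """Diff the Run-key views of both tools and flag odd Startup-folder items."""
    ssd = parse_ssd(ssd_text)
    hjt_runs, startup = parse_hjt(hjt_text)
    return {
        "only_in_ssd": sorted(k for k in ssd if k not in hjt_runs),
        "only_in_hjt": sorted(k for k in hjt_runs if k not in ssd),
        # A registry hive file or a bare '~' in a Startup folder is not a normal autostart item.
        "odd_startup": [(f, n) for f, n in startup if not n.lower().endswith(STARTUP_OK)],
    }
```

On the quoted excerpts the only Run entry present in a single report is the msconfig-disabled ctfmon.exe, which Spybot lists and HijackThis omits; every Startup-folder item in the HJT log is flagged.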

2005-11-05, 17:48
Why don't we see signs of an antivirus program?

2005-11-06, 04:53
Why don't we see signs of an antivirus program?

Thanks for your attention. Do you think it is caused by a virus?
Yes, I haven't installed any antivirus program yet. It's a new workstation and won't have much software installed except one special-purpose system. So we don't plan on an antivirus program.
I can't find the files NTUSER.DAT/NTUSER.DAT.LOG/ntuser.ini on the local machine, but only the '~' file. When and where should the OS load them, or has some normal Startup file just been hooked with them?

2005-11-06, 16:23

I think they are there because no antivirus is installed; please do install something ASAP.
If a PC connects to the internet or another PC, it needs an antivirus program.

Have HijackThis fix these if they are still there:
O4 - Startup: NTUSER.DAT
O4 - Startup: NTUSER.DAT.LOG
O4 - Startup: ntuser.ini
O4 - Startup: ~
O4 - Global Startup: NTUSER.DAT
O4 - Global Startup: NTUSER.DAT.LOG
then restart the PC.
Do not attempt to manually delete those files.

To be honest I'm unsure what they are; not a good sign though.

2005-11-07, 17:10
Thanks for your advice.
You're quite right it's not a good sign.
HJT can't delete it but only shows the information below:
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O4 - Startup: NTUSER.DAT)
Error #76 - 未找到路径 // "path not found", remark added by me

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were doing when the error occurred
* How you can reproduce the error

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2800.1106
HijackThis version: 1.97.2

This message has been copied to your clipboard.

Unable to delete the file
04 - Startup: NTUSER.DAT

The file may be in use. Use Task Manager to shutdown the program and run Hijackthis again to delete the file.
None of them can be fixed!
It's my mistake: the machine had an antivirus installed at the time Windows was set up. But it doesn't work now; maybe an attacker damaged it. I suspect something infected this machine when all the descriptions of the log files' events became invisible. I found a strange SID in the past few days. So I figure maybe a cracker succeeded in logging in to this machine. Now I am only interested in what he/she did to the log files and how I can read them again. Just like a game!

2005-11-07, 17:36

Well, if the antivirus won't work, reinstall it, or another program altogether, ASAP.

Open Explorer and navigate to this folder:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
and remove the .dat and .log files.
Navigate to
C:\Documents and Settings\your name/account\Start Menu\Programs\Startup
and remove these if they are there:
NTUSER.DAT, NTUSER.DAT.LOG, ntuser.ini, and ~
You will need to set Windows to show hidden extensions, files, and folders. http://www.xtra.co.nz/help/0,,4155-1916458,00.html

2005-11-09, 04:48
I found those files in the system, located in every user's directory. Maybe they are profiles of NT domain users? I'm not sure, because this machine is only part of a workgroup. I checked this with the 'Computer Name' tab in the 'System' applet and believe it never joined an NT domain by itself. The situation on the LAN is that there are NT servers providing SQL database service. But the servers are managed at random by the IT department, and I have no information about this system being accredited by an NT domain, even though I asked the IT department about this.

I find many login failures in the security event log, but no description is visible; instead it shows the meaning of 'the object without attribute'. Maybe the description of the event is defined on another machine?