
Thread: report of system startup is different from HJT's

  1. #1
    Junior Member
    Join Date
    Oct 2005
    Posts
    10


    I use Spybot & HijackThis to check the course of my machine's startup. It seems either of them loses something in the report?

    result of SSD:

    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2005-05-31 TeaTimer_original.exe (1.4.0.2)
    2005-10-24 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2005-05-31 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2005-05-31 Tools.dll (2.0.0.2)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2005-11-04 Includes\Cookies.sbi
    2005-11-04 Includes\Dialer.sbi
    2005-11-04 Includes\Hijackers.sbi
    2005-11-04 Includes\Keyloggers.sbi
    2004-11-29 Includes\LSP.sbi
    2005-11-04 Includes\Malware.sbi
    2005-11-04 Includes\PUPS.sbi
    2005-11-04 Includes\Revision.sbi
    2005-11-04 Includes\Security.sbi
    2005-11-04 Includes\Spybots.sbi
    2005-02-17 Includes\Tracks.uti
    2005-11-04 Includes\Trojans.sbi

    Located: HK_LM:Run, gcasServ
    command: "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    file: C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    size: 473928
    MD5: 263740ede788a60a6c0a47249fc410bf

    Located: HK_CU:Run, SpybotSD TeaTimer
    command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    size: 1415824
    MD5: 8f1862afc3c79c0ea37621e87cc2fe6e

    Located: HK_CU:Run, ctfmon.exe (DISABLED)
    command: C:\WINDOWS\system32\ctfmon.exe
    file: C:\WINDOWS\system32\ctfmon.exe
    size: 15360
    MD5: 4cc6277445d2d388a4cd827086a5f5f0

    Located: System.ini, crypt32chain
    command: crypt32.dll
    file: crypt32.dll

    Located: System.ini, cryptnet
    command: cryptnet.dll
    file: cryptnet.dll

    Located: System.ini, cscdll
    command: cscdll.dll
    file: cscdll.dll

    Located: System.ini, ScCertProp
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, Schedule
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, sclgntfy
    command: sclgntfy.dll
    file: sclgntfy.dll

    Located: System.ini, SensLogn
    command: WlNotify.dll
    file: WlNotify.dll

    Located: System.ini, termsrv
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, wlballoon
    command: wlnotify.dll
    file: wlnotify.dll

    ---------------------------------------------------

    result of HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 21:45:33, on 2005-11-5
    ......
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: NTUSER.DAT
    O4 - Startup: NTUSER.DAT.LOG
    O4 - Startup: ntuser.ini
    O4 - Startup: ~
    O4 - Global Startup: NTUSER.DAT
    O4 - Global Startup: NTUSER.DAT.LOG
    .......

    1> Why are they different?
    2> The HJT result about NTUSER.* is very strange.
    Normal, or possibly a Trojan?
    3> I can't find anything like the SSD report in System.ini?
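    The two reports above cover different autostart locations, which is why they do not line up. Spybot's "Located:" blocks list the Run keys (including an entry it marks DISABLED) and, under the heading "System.ini", the Winlogon Notify DLLs: crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn, termsrv and wlballoon are the standard Windows XP subkeys of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, not lines in the System.ini file. HJT reports Winlogon Notify entries under O20 rather than O4, so they cannot appear in the O4 excerpt, while its O4 "Startup:" and "Global Startup:" lines add the contents of the per-user and all-users Startup folders, which the Spybot list does not cover. The script below is an added example, not code from the thread or from either tool: it parses both report formats into one (location, name) key space and prints what is shared, what only one report contains, and any shared entry where the two disagree on the command. The sample input is the excerpt quoted above, trimmed to a few entries.

```python
import re

# Constructed sample input: excerpts of the two reports quoted in the post, trimmed.
SPYBOT_REPORT = r"""
Located: HK_LM:Run, gcasServ
command: "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
file: C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
size: 473928
MD5: 263740ede788a60a6c0a47249fc410bf

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 8f1862afc3c79c0ea37621e87cc2fe6e

Located: HK_CU:Run, ctfmon.exe (DISABLED)
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 4cc6277445d2d388a4cd827086a5f5f0

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll
"""

HJT_REPORT = r"""
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: NTUSER.DAT
O4 - Startup: NTUSER.DAT.LOG
O4 - Startup: ntuser.ini
O4 - Startup: ~
O4 - Global Startup: NTUSER.DAT
O4 - Global Startup: NTUSER.DAT.LOG
"""

# Map each tool's location labels onto one shared vocabulary.
SPYBOT_LOCATIONS = {
    "HK_LM:Run": r"HKLM\Run",
    "HK_CU:Run": r"HKCU\Run",
    # Spybot 1.4 files Winlogon Notify DLLs under the heading "System.ini";
    # HJT lists those as O20 entries, so they never show up among O4 lines.
    "System.ini": "WinlogonNotify",
}
HJT_O4 = re.compile(r"^O4 - (?P<loc>[^:]+):\s*(?:\[(?P<name>[^\]]*)\]\s*)?(?P<rest>.*)$")


def parse_spybot(text):
    """Spybot 'Located:' blocks -> {(location, name): {command, file, md5, disabled}}."""
    entries, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Located:"):
            loc, _, name = line[len("Located:"):].strip().partition(", ")
            disabled = name.endswith("(DISABLED)")
            name = name.replace("(DISABLED)", "").strip()
            current = {"command": None, "file": None, "md5": None, "disabled": disabled}
            entries[(SPYBOT_LOCATIONS.get(loc, loc), name)] = current
        elif current is not None and line:
            key, _, value = line.partition(":")   # first colon only; paths contain "C:"
            key = key.strip().lower()
            if key in current:
                current[key] = value.strip()
        else:
            current = None                        # a blank line ends the block
    return entries


def parse_hjt(text):
    """HJT O4 lines -> {(location, name): {command, file, md5, disabled}}."""
    entries = {}
    for line in (raw.strip() for raw in text.splitlines()):
        m = HJT_O4.match(line)
        if not m:
            continue
        loc = m.group("loc").replace("\\..\\", "\\")   # HKLM\..\Run -> HKLM\Run
        if m.group("name") is not None:                # registry value: [name] command
            name, command = m.group("name"), m.group("rest").strip()
        else:                                          # Startup folder item: a file name only
            name, command = m.group("rest").strip(), None
        entries[(loc, name)] = {"command": command, "file": None, "md5": None, "disabled": False}
    return entries


def _norm_cmd(cmd):
    """Strip surrounding quotes and case so equivalent command lines compare equal."""
    return (cmd or "").strip().strip('"').lower()


def diff_reports(spybot, hjt):
    """Shared keys, keys unique to each tool, and shared keys whose commands disagree."""
    shared = sorted(set(spybot) & set(hjt))
    return {
        "both": shared,
        "only_spybot": sorted(set(spybot) - set(hjt)),
        "only_hjt": sorted(set(hjt) - set(spybot)),
        "mismatched": [k for k in shared
                       if _norm_cmd(spybot[k]["command"]) != _norm_cmd(hjt[k]["command"])],
    }


if __name__ == "__main__":
    result = diff_reports(parse_spybot(SPYBOT_REPORT), parse_hjt(HJT_REPORT))
    for bucket, keys in result.items():
        print(bucket)
        for loc, name in keys:
            print(f"  {loc}: {name}")
```

    On the sample, the two Run entries land in "both" with identical commands, the DISABLED ctfmon.exe and the Winlogon Notify items are "only_spybot", and all six Startup-folder lines are "only_hjt". A non-empty "mismatched" list (same key, different command) is the case worth a close look, since it means one tool resolved an autostart entry to a different file than the other.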

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Why don't we see signs of an antivirus program?

  3. #3
    Junior Member
    Join Date
    Oct 2005
    Posts
    10


    Quote Originally Posted by LonnyRJones:
    > Why don't we see signs of an antivirus program?
    Thanks for your attention. Do you think it is caused by a virus?
    Yes, I haven't installed any antivirus program yet. It's a new workstation and won't have much software installed except one special-purpose system, so we didn't plan for an antivirus program.
    I can't find the files NTUSER.DAT/NTUSER.DAT.LOG/ntuser.ini on the local machine, only the '~' file. When and where should the OS load them, or has some normal Startup file just been hooked with them?
    Last edited by amtbcn; 2005-11-06 at 06:39.

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi

    I think they are there because no antivirus is installed; please do install something asap.
    If a PC connects to the internet or to another PC, it needs an antivirus program.

    Have HijackThis fix these if they are still there:
    O4 - Startup: NTUSER.DAT
    O4 - Startup: NTUSER.DAT.LOG
    O4 - Startup: ntuser.ini
    O4 - Startup: ~
    O4 - Global Startup: NTUSER.DAT
    O4 - Global Startup: NTUSER.DAT.LOG
    then restart the PC.
    Do not attempt to manually delete those files.

    To be honest I'm unsure what they are; not a good sign though.

  5. #5
    Junior Member
    Join Date
    Oct 2005
    Posts
    10


    Thanks for your advice.
    You're quite right, it's not a good sign.
    HJT can't delete it but only shows the information below:
    ----------------------------
    An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O4 - Startup: NTUSER.DAT)
    Error #76 - 未找到路径 (path not found) // translation added by me

    Please email me at merijn@spywareinfo.com, reporting the following:
    * What you were doing when the error occurred
    * How you can reproduce the error

    Windows version: Windows NT 5.01.2600
    MSIE version: 6.0.2800.1106
    HijackThis version: 1.97.2

    This message has been copied to your clipboard.
    ...

    Unable to delete the file
    O4 - Startup: NTUSER.DAT

    The file may be in use. Use Task Manager to shutdown the program and run Hijackthis again to delete the file.
    ...
    ---------------------------
    None of them can be fixed!
    It's my mistake: the machine did have an antivirus installed at the time Windows was set up. But it doesn't work now; maybe an attacker damaged it. I suspect something infected this machine when all the descriptions of the log files' events became invisible. I found a strange SID in the past few days. So I figure maybe a cracker succeeded in logging in to this machine. Now I am only interested in what he/she did to the log files and how I can read them again. Just like a game!

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi

    Well, if the antivirus won't work, reinstall it, or another program altogether, asap.

    Open Explorer and navigate to this folder:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    and remove the .dat and .log files.
    Then navigate to
    C:\Documents and Settings\your name/account\Start Menu\Programs\Startup
    and remove these if they are there:
    NTUSER.DAT, NTUSER.DAT.LOG, ntuser.ini, and ~
    You will need to set Windows to show hidden extensions, files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
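    A check worth running before deleting anything: the folders a tool lists as "Startup" and "Global Startup" are whatever Windows records in the "Startup" and "Common Startup" values under Explorer\User Shell Folders and Explorer\Shell Folders (HKCU for the per-user folder, HKLM for the all-users one), and NTUSER.DAT, NTUSER.DAT.LOG and ntuser.ini normally live at the root of each profile, not in a Startup folder. If those files show up in a Startup listing but are not in the folder you expect, the first thing to compare is the recorded path against the default. The script below is an added example, not code from the thread or from HJT or Spybot; it reads the four registry values, compares each with the Windows XP default, and flags profile files found in whatever folder the value resolves to. It assumes that startup-listing tools take the folder location from those values. The built-in sample data is a constructed scenario in which the per-user "Startup" value has been pointed at the profile root, chosen only to exercise the check; it says nothing about the poster's machine. On Windows the script reads the live registry; elsewhere it falls back to the sample.

```python
import os
import re
from pathlib import PureWindowsPath

try:
    import winreg  # Windows only; the audit logic itself runs on any platform
except ImportError:
    winreg = None

# Registry values in which Windows records where the per-user and all-users
# Startup folders live (assumption: startup-listing tools read these paths).
SHELL_FOLDER_VALUES = (
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "Startup"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Startup"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "Common Startup"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Common Startup"),
)

# Default folder locations on a Windows XP "Documents and Settings" layout.
DEFAULT_PATHS = {
    "Startup": r"%USERPROFILE%\Start Menu\Programs\Startup",
    "Common Startup": r"%ALLUSERSPROFILE%\Start Menu\Programs\Startup",
}

# Files that belong at the root of a user profile, never in a Startup folder.
PROFILE_ROOT_FILES = {"ntuser.dat", "ntuser.dat.log", "ntuser.ini"}


def expand(value, env):
    """Expand %VAR% references with the given environment mapping (upper-case keys)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def norm(path):
    """Case-insensitive, separator-normalised form of a Windows path, for comparisons."""
    return str(PureWindowsPath(path)).lower()


def audit_startup_folders(values, env, listing):
    """Compare each recorded Startup path with its default and inspect that folder's contents.

    values:  {(hive, subkey, value_name): raw registry string, possibly with %VAR% references}
    env:     {"USERPROFILE": ..., "ALLUSERSPROFILE": ...}
    listing: {normalised folder path: [file names in that folder]}
    Returns human-readable findings; an empty list means nothing looked out of place.
    """
    findings = []
    for (hive, subkey, name), raw in values.items():
        actual = expand(raw, env)
        expected = expand(DEFAULT_PATHS[name], env)
        if norm(actual) != norm(expected):
            findings.append(f"{hive}\\{subkey}\\{name} = {actual!r} (default is {expected!r})")
        for fname in listing.get(norm(actual), []):
            if fname.lower() in PROFILE_ROOT_FILES:
                findings.append(f"profile file {fname!r} listed under {name} folder {actual!r}")
    return findings


def collect_live():
    """Read the real registry values and folder contents (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg unavailable: not running on Windows")
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    env = {k.upper(): v for k, v in os.environ.items()}
    values, listing = {}, {}
    for hive, subkey, name in SHELL_FOLDER_VALUES:
        with winreg.OpenKey(hives[hive], subkey) as key:
            raw, _type = winreg.QueryValueEx(key, name)  # REG_EXPAND_SZ comes back unexpanded
        values[(hive, subkey, name)] = raw
        folder = expand(raw, env)
        if os.path.isdir(folder):
            listing[norm(folder)] = os.listdir(folder)
    return values, env, listing


# Constructed scenario (not the poster's machine): the per-user "Startup" value points at
# the profile root, so a Startup listing would show profile files instead of shortcuts.
SAMPLE_ENV = {"USERPROFILE": r"C:\Documents and Settings\user",
              "ALLUSERSPROFILE": r"C:\Documents and Settings\All Users"}
SAMPLE_VALUES = {
    ("HKCU", SHELL_FOLDER_VALUES[0][1], "Startup"): r"%USERPROFILE%",
    ("HKLM", SHELL_FOLDER_VALUES[2][1], "Common Startup"): r"%ALLUSERSPROFILE%\Start Menu\Programs\Startup",
}
SAMPLE_LISTING = {
    norm(r"C:\Documents and Settings\user"): ["NTUSER.DAT", "NTUSER.DAT.LOG", "ntuser.ini", "~"],
    norm(r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup"): ["desktop.ini"],
}

if __name__ == "__main__":
    try:
        data = collect_live()
    except RuntimeError:
        data = (SAMPLE_VALUES, SAMPLE_ENV, SAMPLE_LISTING)
    for line in audit_startup_folders(*data) or ["no findings"]:
        print(line)
```

    On the sample the script reports one redirected value and three profile files sitting in the folder it resolves to; the all-users value, which matches the default and holds only desktop.ini, produces nothing. Whatever the live result, the files themselves should be left alone until it is clear which folder a listing is really reading from.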

  7. #7
    Junior Member
    Join Date
    Oct 2005
    Posts
    10


    I found those files on the system, located in every user's directory. Maybe they are profiles of NT DOMAIN users? I'm not sure, because this machine is only part of a workgroup. I checked this with the 'Computer Name' tab in the 'System' applet and believe it never joined an NT DOMAIN of its own accord. The situation on the LAN is that there are NT SERVERS providing SQL database service. But the servers are managed at random by the IT department, and I have no information about this system being accredited by an NT DOMAIN, even though I asked the IT department about this.

    I find many login failures in the security event log, but no description is visible; instead it shows the meaning 'the object without attribute'. Maybe the description of the event is defined on another machine?
