Problem in HijackThis

April 26, 2008 on 2:23 pm | In General | 6 Comments

Today (April 26, 2008) at 12:36 GMT I downloaded HJTinstall.exe from trendsecure.com.

I then installed HijackThis on my virtual machine running Windows 2000.
The header of the log looked like this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:39:09, on 26-4-2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Boot mode: Normal

Then I made a reg file with this content:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
"messinabout"="F:\\WINDOWS\\System32\\ffaabb.dll"

and merged it with the registry.

Consequently HijackThis showed this line:
O20 – Winlogon Notify: ffaabb – C:\WINNT\
which is not justified, because no autostart was added.
For a DLL to be loaded from under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<subkey>,
the subkey must contain a value named DLLName (value names are not case sensitive) that points to the DLL; the other values in such a subkey only select which Winlogon events the package is told about.
That value is the one that matters from a security point of view: Winlogon (winlogon.exe, running as LocalSystem) loads the DLL when it initializes at boot, so the code runs with SYSTEM privileges before, and regardless of whether, any user logs on.
A subkey without a DLLName value loads nothing, whatever other values it contains. That is the case here: no DLLName value was created, so no autostart exists.

Changed the regfile to:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
"DLLname"="F:\\WINDOWS\\System32\\ffaabb.dll"

and merged it with the registry.

Then HijackThis does the correct thing.
O20 – Winlogon Notify: ffaabb – F:\WINDOWS\System32\ffaabb.dll (file missing)
(file missing) because I didn’t bother to plant one. 🙂

The last try I did on the VM was to find out where HJT gets the path to the DLL:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
"messinabout"="%WINDIR%\\ffaabb.dll"

After the merge HJT reports:
O20 – Winlogon Notify: ffaabb – C:\WINNT\
So it seems to use whichever value happens to be present in the subkey, rather than report that the DLLName value required for the autostart is missing.
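The check HijackThis should be doing, for both the DLLName explanation above and the behaviour just observed, as an added example that is not part of the original post and not Trend Micro's code: parse an exported Notify key, report an O20-style line only for subkeys that really carry a DLLName value, and list the rest as inert. The export, the environment variables and the "file system" set are constructed sample data; the crypt32chk subkey mirrors the XP default (a bare file name), and resolving such bare names through System32 is this script's approximation of Winlogon's DLL search path.

```python
"""Triage an exported Winlogon\\Notify key the way HijackThis should.

Winlogon only loads a notification package whose subkey carries a DLLName
value; any other value in the subkey is inert. This script parses a
REGEDIT4-style export, builds an O20-style line only for subkeys that
really have a DLLName, and lists the subkeys that have none separately.
The export, environment and file list below are constructed sample data.
"""
import ntpath
import re

NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # REG_SZ lines only

# Constructed export: crypt32chk mirrors the XP default package (DLLName is a
# bare file name found via the DLL search path); the three ffaabb* subkeys
# replay the post's three experiments under distinct names.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chk]
"DLLName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
"messinabout"="F:\\WINDOWS\\System32\\ffaabb.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb_real]
"DLLname"="F:\\WINDOWS\\System32\\ffaabb.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb_env]
"messinabout"="%WINDIR%\\ffaabb.dll"
'''
SAMPLE_ENV = {"WINDIR": r"C:\WINNT", "SYSTEMROOT": r"C:\WINNT"}
# Stand-in for the file system of the Windows 2000 VM (lower-cased paths).
SAMPLE_FILES = {r"c:\winnt\system32\crypt32.dll"}


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values of a
    REGEDIT4 / Windows Registry Editor export; other value types are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            # .reg data escapes backslashes and quotes with a backslash; undo that.
            keys[current][name] = re.sub(r'\\(["\\])', r"\1", data)
    return keys


def expand_env(data, env):
    """Expand %VAR% references from a supplied environment (REG_EXPAND_SZ
    semantics) so the check does not depend on the host running it."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), data)


def triage(export_text, env, existing_files):
    """Return (loaded, inert): O20-style lines for every Notify subkey with a
    DLLName value, and the names of Notify subkeys that have none."""
    loaded, inert = [], []
    prefix = NOTIFY_KEY.lower() + "\\"
    for key, values in parse_reg(export_text).items():
        if not key.lower().startswith(prefix):
            continue
        name = key[len(prefix):]
        if "\\" in name:
            continue  # nested keys are not notification packages
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if dll is None:
            inert.append(name)  # nothing is loaded from this subkey
            continue
        path = expand_env(dll, env)
        if not ntpath.dirname(path):
            # Bare file name: Winlogon finds it via the DLL search path;
            # resolving it under System32 is this script's approximation.
            path = ntpath.join(env["SYSTEMROOT"], "System32", path)
        status = "" if path.lower() in existing_files else " (file missing)"
        loaded.append(f"O20 - Winlogon Notify: {name} - {path}{status}")
    return loaded, inert


if __name__ == "__main__":
    loaded, inert = triage(SAMPLE_EXPORT, SAMPLE_ENV, SAMPLE_FILES)
    for line in loaded:
        print(line)
    for name in inert:
        print(f"Notify\\{name}: no DLLName value, nothing is loaded from this subkey")
```

Run against the sample export, only crypt32chk and ffaabb_real produce an O20 line (the latter marked "(file missing)"), while ffaabb and ffaabb_env are reported as inert instead of being shown with a guessed C:\WINNT\ path.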

[Screenshot of regedit looking at this part of the registry: Winlogon Notify]

Finally I downloaded the standalone executable HijackThis.exe from the same source and merged the last regfile on my XP computer.
The result is the same in essence:
O20 – Winlogon Notify: ffaabb – F:\WINDOWS\

HijackThis did remove the subkey in question from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify under all the above circumstances.

I would like to add that I reported this problem over a month ago to Trend, at which point I was promised they would look into it and fix it if they could reproduce it.
Since I haven’t heard from them since, even after two reminders, I have to assume that they don’t plan to do anything about it.
This is not a very serious problem, but it can be confusing and with the many users of this program it may lead to wrong decisions being made.
