Problem in HijackThis

April 26, 2008 on 2:23 pm | In General | 6 Comments

Today (April 26, 2008) at 12:36 GMT I downloaded HJTinstall.exe from trendsecure.com.

I then installed HijackThis on my virtual machine running Windows 2000.
The header of the log looked like this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:39:09, on 26-4-2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Boot mode: Normal

Then I made a reg file with this content

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
"messinabout"="F:\\WINDOWS\\System32\\ffaabb.dll"

and merged it with the registry.

Consequently HijackThis showed this line:
O20 – Winlogon Notify: ffaabb – C:\WINNT\
which is not justified because no startup was added.
For a file to get started from under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\subkey
the subkey needs to contain a value called DLLname which points to the dll that gets loaded.
To clarify, a DLL referenced here will be executed in a SYSTEM-level process, regardless of whether a user logs in.
This is not the case here, because this value was not created and did not exist.

Changed the regfile to:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
"DLLname"="F:\\WINDOWS\\System32\\ffaabb.dll"

and merged it with the registry.

Then HijackThis does the correct thing.
O20 – Winlogon Notify: ffaabb – F:\WINDOWS\System32\ffaabb.dll (file missing)
(file missing) because I didn’t bother to plant one. 🙂

The last try I did on the VM was to find out where HJT gets the path to the DLL from:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
"messinabout"="%WINDIR%\\ffaabb.dll"

After merge HJT reports:
O20 – Winlogon Notify: ffaabb – C:\WINNT\
So it does seem to look at whatever value is present rather than let us know that the value that is required for the autostart is not present.

Screenshot of regedit looking at this part of the registry:
Winlogon Notify

Finally I downloaded the standalone executable HijackThis.exe from the same source and merged the last regfile on my XP computer.
The result is the same in essence:
O20 – Winlogon Notify: ffaabb – F:\WINDOWS\

HijackThis did remove the subkey in question from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify under all the above circumstances.
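The check the three experiments above show HijackThis getting wrong, written out as an added example (this is my own illustration, not HijackThis code): parse a REGEDIT4 file into subkeys and values, then report a Winlogon Notify subkey as an autostart only when it carries a DllName value, and say so plainly when it does not. The sample .reg text is constructed for the example; the "ccddee" entry and its path are made up, and the "(file missing)" check is left out because the paths do not exist on the machine running this.

```python
import re

# Constructed stand-in for the .reg files in the post: "ffaabb" has only a
# "messinabout" value (no DllName); "ccddee" is a made-up entry with one.
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
"messinabout"="F:\\WINDOWS\\System32\\ffaabb.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ccddee]
"DLLname"="C:\\WINNT\\system32\\ccddee.dll"
"""


def parse_reg(text):
    """Parse REGEDIT4 text into {key_path: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"([^"]*)"="(.*)"$', line)
            if m:
                # .reg files write each backslash in a path as "\\"
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def audit_notify(keys):
    """One report line per Notify subkey, based only on DllName, the value
    Winlogon actually loads from (registry value names are case-insensitive)."""
    report = []
    for path, values in keys.items():
        if not path.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            continue
        name = path.rsplit("\\", 1)[1]
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            report.append(f"O20 - Winlogon Notify: {name} - no DllName value (not an autostart)")
        else:
            report.append(f"O20 - Winlogon Notify: {name} - {dll}")
    return report


if __name__ == "__main__":
    print("\n".join(audit_notify(parse_reg(SAMPLE_REG))))
```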

I would like to add that I reported this problem over a month ago to Trend at which point I was promised they would look into it and fix it if they could reproduce it.
Since I haven’t heard from them since, even after two reminders, I have to assume that they don’t plan to do anything about it.
This is not a very serious problem, but it can be confusing and with the many users of this program it may lead to wrong decisions being made.

6 Comments »


  1. After further tests, helped by some fellow spyware-fighters, we have found a much more serious flaw in HijackThis.

    As far as we were able to establish this only concerns users running Windows 98 and Windows ME
    If I can go on the statistics from the visitors to my site that is about 1% of the Windows users at the moment.

    What goes wrong?
    HijackThis is supposed to check in the system.ini folder (correction, this should be file of course) if anything was altered or added to the Shell entry in the [boot] section.
    example
    It does this on Windows 2000 and Windows XP, where chances of the file ever getting executed are very slim, since the entries are usually overruled in the registry, but it does not flag these entries on the 98/ME computers where, ironically, these files do get executed as soon as the computer boots.

    Again, I will try to bring this to the attention of the Trend developers and ask them to fix this problem, but quite honestly, I have given up hope of them doing anything to improve HijackThis.

    Will keep you all posted.

    Comment by metallica — May 9, 2008 #

  2. Looks like we may need another program to help look in to the registry. Hope this is not going to be a trend with Trend……..sorry about the pun.

    Comment by little eagle — May 10, 2008 #

  3. Hi Pieter,

    Great catches.

    So it does seem to look at the value that is present rather than let us know that the value that is required for the autostart is not present.

    It would seem to be. But Regmon shows it enumerates the Notify subkeys. Then it tries to open any of those subkeys not on the Whitelist and query the DllName value.
    It never looks for any other values or data under that subkey. So it never sees any data at all there if other values are present.

    No matter what you do…. Whether you add or subtract values, even if you don’t have one single value present, the result is the same. Hijackthis lists the key and then reports the data as the Path to the Windows directory.

    It will remove the key because it records and removes the entire key when selected. I tested on 1.99.1 too and it happened there as well.

    I’ll boot to 98 later tonight and see what system.ini shows.

    Comment by Mosaic1 — May 10, 2008 #

  4. After booting to Win98 and playing with the system.ini [boot] section, hjt didn’t show the change, but Windows saw it. Filemon showed that hjt was reading the system.ini file, but who knows what it recorded..

    This also was true with 1.99.1

    Back to Winlogon. After running a couple more things, I concluded that unless it gets something from the value data for the key’s DllName, it will write the path to the windows directory.

    Something else troubling is that the whitelist only seems to look at subkey names ( and doesn’t check the file pointed to) to rule out a problem.

    If you change the DllName’s value to another file for one of the whitelisted keys, hjt reports nothing.

    Comment by Mosaic1 — May 10, 2008 #

  5. Thank you Mosaic1

    it will write the path to the windows directory

    That is what Merijn said he suspected to happen.

    Great to see you stopping by. 🙂
    Made it all worth it.

    Comment by metallica — May 10, 2008 #

  6. Thanks Pieter. Good to talk to you!

    Merijn was right!

    Comment by Mosaic1 — May 10, 2008 #
