
command lines

Status
Not open for further replies.

j0ckser

Technical User
Jan 4, 2004
302
CA
Dell Latitude D600 running Win2k/SP4; HDD 30mb non-partitioned

The following (command.exe) has recently popped up on my monitor in the last stages of booting my computer. I recognise what I am seeing - commands that might be part of an autoexec.bat file.

3 challenges:
1 - why am I seeing this now?
2 - some of these strike me as a little odd - are they?
3 - I checked my autoexec.bat file and it is empty!

Code:
C:\WINNT>clearlogs -sys
'clearlogs' is not recognised as an internal or external command, operable program or batch file.

C:\WINNT>clearlogs -sec
'clearlogs' is not recognised as an internal or external command, operable program or batch file.

C:\WINNT>clearlogs -app
'clearlogs' is not recognised as an internal or external command, operable program or batch file.

C:\WINNT>net share C$ /del /y
C$ was deleted successfully.

C:\WINNT>net share ADMIN$ /del /y
ADMIN$ was deleted successfully.

C:\WINNT>net share IPC$ /del /y
IPC$ was deleted successfully.

C:\WINNT>net stop "Remote Registry Service"

The Remote Registry Service was stopped successfully

C:\WINNT>net stop "Computer Browser"
The Computer Browser is stopping.
The Computer Browser was stopped successfully.

C:\WINNT>net stop "server"
The Server is stopping.
The Server was stopped successfully.

C:\WINNT>net stop "REMOTE PROCEDURE CALL"
System error 1060 has occurred.

The specified service does not exist as an installed service.

C:\WINNT>net stop "REMOTE PROCEDURE CALL SERVICE"
System error 1060 has occurred.

The specified service does not exist as an installed service.

C:\WINNT>net stop "Remote Access Connection Manager"
The requested pause or stop is not valid for this service.

More help is available by typing NET HELPMSG 2191.

C:\WINNT>net stop "telnet"
The Telnet service is not started.

More help is available by typing NET HELPMSG 3521.

C:\WINNT>net stop "messenger"
The Messenger is stopping.
The Messenger was stopped successfully.

C:\WINNT>net stop "netbios"
The NetBIOS Interface service is stopping........
The NetBIOS Interface service could not be stopped.

C:\WINNT>attrib +h c:\winnt\system32\msinfo
Not resetting system file - C:\winnt\system32\msinfo

C:\WINNT>attrib +h c:\winnt\system32\spool\drivers\w32
File not found - c:\winnt\system32\spool\drivers\w32

C:\WINNT>attrib +h "c:\RECYCLER\S-1-5-21-854245398-436374069-1343024091-1050\Dc4\"temp\1"
Not resetting system file C:\RECYCLER\S-1-5-21-854245398-436374069-1343024091-1050\Dc4\"temp\1

C:\WINNT>REGEDIT /S keyreg.txt

per ardua ad astra
 
Is this a network (domain based) computer?

That looks like a startup or logon script (2k doesn't use autoexec.bat - it uses \winnt\system32\autoexec.nt - but in this case read on) - either set up in your user properties (run lusrmgr.msc and have a look) or Local Group Policy settings (run gpedit.msc to have a look) - \WINNT\system32\GroupPolicy\User\Scripts\Logon or \WINNT\system32\GroupPolicy\Machine\Scripts\Logon are default locations for these scripts.

Have you installed any software to improve security/remove 'bloat' etc? - because the script is removing the default admin shares (which some think are a security risk) and stopping various services - again, could be security or just freeing up resources.
 
Very odd indeed actually, not part of a usual windows system, I might hasten to add.

This lot strikes me as some sort of 'security lockdown' script. It appears to be deleting all default administrative shares - although these are recreated at each startup - and stopping all non-essential services (at least, non-essential to whoever wrote this script)

If I were seriously looking to close any and all potential weaknesses in my system, I might use something like this. Also, the clearlogs command is certainly not something you find in Windows; maybe it's a custom application meant to work in tandem with this script?

The final few lines are attempting to modify system files and mark them as hidden (attrib +h), which I find strange as well. The msinfo command could be used to get info about the machine, so again, this could be a security lockdown script.

In any case, check your startup folder (in the Start menu) and if there's no script/link there, open up regedit and look in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN and see if any of the reg. keys in there look familiar - if it is in there the key will probably invoke 'cmd' or 'command' with an argument pointing to the script in question.

Alternatively, if this is a batch script (it appears to be) you can search your hard drive for "*.bat" or for any file containing the word "clearlogs" - this should unearth the actual script file.

Lastly, I would think maybe this script was installed as part of some security lockdown package, however it also looks a little 'homebrew' or like something a system admin might create custom-made for his/her needs.

See if you can't get rid of it with the suggestion above.

Best of luck to you

Terry-Lee Blay
MCP, A+, Net+, Server+, APS, IBM Thinkpads/Portables
webwarrior@angelfire.com
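The two replies above list the places a boot-time script can be launched from. As an added example that is not part of the thread, the following PowerShell walks those locations (Run/RunOnce keys, the Winlogon Shell and Userinit hooks, startup folders for every profile, the local Group Policy script folders, scheduled tasks) and then searches script files for the distinctive lines from the captured output. It assumes a current PowerShell; the Windows 2000 machine in the thread has none, so there the same checks are done with reg.exe query, dir /s and findstr. The search pattern is built from the commands shown in the first post and nothing else.

```powershell
# Added example, not from the thread: enumerate autostart locations named in
# the replies, then grep script files for the commands seen at boot.
# Assumes a current PowerShell (Windows 2000 shipped without one).

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

Write-Host '== Run / RunOnce values (look for cmd, command or a .bat/.cmd path) =='
foreach ($path in $runKeys) {
    if (-not (Test-Path -Path $path)) { continue }
    $k = Get-Item -Path $path
    foreach ($name in $k.Property) {
        "{0}`n    {1} = {2}" -f $path, $name, $k.GetValue($name)
    }
}

Write-Host '== Winlogon Shell / Userinit (expected: explorer.exe and userinit.exe) =='
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' |
    Select-Object -Property Shell, Userinit

Write-Host '== Startup folders and Run keys as WMI reports them, per user =='
Get-CimInstance -ClassName Win32_StartupCommand |
    Select-Object -Property Name, Command, Location, User |
    Format-Table -AutoSize

Write-Host '== Local Group Policy startup/logon scripts =='
$gpRoot = Join-Path -Path $env:SystemRoot -ChildPath 'System32\GroupPolicy'
foreach ($ini in @("$gpRoot\Machine\Scripts\scripts.ini", "$gpRoot\User\Scripts\scripts.ini")) {
    if (Test-Path -Path $ini) { "--- $ini"; Get-Content -Path $ini }
}
Get-ChildItem -Path "$gpRoot\Machine\Scripts", "$gpRoot\User\Scripts" -Recurse -Force -File -ErrorAction SilentlyContinue |
    Select-Object -Property FullName, LastWriteTime

Write-Host '== Scheduled tasks (what each one runs) =='
schtasks.exe /query /fo LIST /v 2>$null | Select-String -Pattern '^(TaskName|Task To Run):'

Write-Host '== Script files containing the boot-time commands =='
# Pattern built from the lines in the first post: the unknown clearlogs tool,
# the admin-share deletions and the silent registry import.
$pattern = 'clearlogs|net share \w+\$ /del|REGEDIT /S keyreg\.txt'
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -Include *.bat, *.cmd -ErrorAction SilentlyContinue |
    Select-String -Pattern $pattern -List |
    Select-Object -Property Path, LineNumber, Line
```

Run it from an elevated prompt so the HKLM keys and other users' startup folders are readable. If a Run value or task points at a script whose modification date is recent, that file is the one to read next; if nothing turns up in any of these places, the launcher is something outside them (a service, a driver-package installer, or a program such as the Dell utility discussed later in the thread) and the per-process boot observation the poster later tries is the next step.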
 
If the computer is on a domain, I'd try wolluf's suggestions first, definitely.

:)

Terry-Lee Blay
MCP, A+, Net+, Server+, APS, IBM Thinkpads/Portables
webwarrior@angelfire.com
 
I knew you people were good, but I didn't expect such speed. WOW and THANKS.

My apologies; I left out a couple of vital pieces:
1. this is a standalone installation
2. I am my own sys admin
3. I had some trouble in the spring (computer purchased in Sept) and I had to reload everything. The problem was a virus and I have since been very careful to ensure NAV is up-to-date.
4. I use AdAware to remove spy ads.
5. This has started only in the last week or so. Since then I ran a full system virus scan with the most up-to-date definitions - clean.

contents of autoexec.nt:
Code:
@echo off

REM AUTOEXEC.BAT is not used to initialize the MS-DOS environment.
REM AUTOEXEC.NT is used to initialize the MS-DOS environment unless a
REM different startup file is specified in an application's PIF.

REM Install CD ROM extensions
lh %SystemRoot%\system32\mscdexnt.exe

REM Install network redirector (load before dosx.exe)
lh %SystemRoot%\system32\redir

REM Install DPMI support
lh %SystemRoot%\system32\dosx

No *.bat files with the command list shown.

While I don't regularly scan the registry, a check of the \RUN key doesn't show anything that I would consider out of place.

Very little in any of the 4 startup folders (admin, all, default, "own")

No file with the text 'clearlogs'.


I may do a safe boot and see what I get. I'll keep you posted.

per ardua ad astra
 
Further update:
Tried debug mode: no use as it only identified which drivers are loaded and which are not.
Tried safe mode: helped somewhat because the cmd.exe did not execute. Of 40 processes normally operating, I had only 14.

I rebooted after this and paused the boot process. There is a file Dsentry.exe that executes just before cmd.exe. Could this be the culprit? I found it in the WINNT\System32 folder, but it looks innocent - modified date is 6-feb-03.

How do I check Scheduled tasks (per bcastner suggestion)?

per ardua ad astra
 
Indeed, I googled dsentry.exe out and it appears to be Dell supplied anti-spyware software.

This fits with all the facts, indeed it might be installed as part of a dell driver update.

I have supplied the link below so you can see for yourself


If it is indeed supplied by a 'reputable' party ie Dell, then I guess it is more or less up to you to decide whether or not you'd like to keep it...

Hope this helps

Terry-Lee Blay
MCP, A+, Net+, Server+, APS, IBM Thinkpads/Portables
webwarrior@angelfire.com
 
thanks bcastner - the only thing there is Symantec Ndetect (liveupdate).

thanks Tels - dsentry probably isn't the culprit. I'll try to couple task manager with booting to see what happens as each process starts.

thanks tsuji - don't think it's a trojan.

per ardua ad astra
 
I would also check what is in the "keyreg.txt" file. It might provide some useful insight as to what else this thing is doing.

It is certainly stopping a lot of built-in services that would allow normal management of the system on a network. Not a problem if you want to block all access to the computer. What concerns me most is it looks to be trying to erase the system, application and security logs. These logs would leave traces of access and problems with the system and clearing them on boot up is not exactly a good idea.

Nathan aka: zaz (zaznet)
zaz@zaz.net
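Following up on the suggestion above to look at keyreg.txt, here is an added example that is not part of the thread: a PowerShell function that reads a regedit import file without applying it (REGEDIT /S imports silently, so re-running the file to see what it does is exactly the wrong move), lists every key and value it would write, and flags the entries that create persistence, disable a service, shrink or stop retaining event logs, or keep the admin shares from being recreated. The sample .reg text, the rule list and the names lockdown and lockdown.bat are constructed for the example; the thread never shows the real keyreg.txt. It assumes a current PowerShell.

```powershell
# Added example, not from the thread: parse a regedit import file offline and
# flag entries worth a second look. The sample content below is constructed.

function Read-RegFile {
    param([Parameter(Mandatory)][string[]]$Lines)

    # regedit wraps long hex(...) values with a trailing backslash; re-join them.
    $joined = New-Object 'System.Collections.Generic.List[string]'
    $carry = ''
    foreach ($raw in $Lines) {
        $line = $raw.TrimEnd()
        if ($carry) { $line = $carry + $line.TrimStart(); $carry = '' }
        if ($line.EndsWith('\')) { $carry = $line.Substring(0, $line.Length - 1); continue }
        $joined.Add($line)
    }

    $key = $null
    foreach ($line in $joined) {
        $t = $line.Trim()
        if (-not $t -or $t.StartsWith(';') -or $t -like 'Windows Registry Editor*' -or $t -eq 'REGEDIT4') { continue }

        if ($t -match '^\[(-?)([^\]]+)\]$') {            # [KEY] or [-KEY] (delete key)
            $key = $Matches[2]
            if ($Matches[1] -eq '-') {
                [pscustomobject]@{ Key = $key; Name = '*'; Action = 'delete key'; Value = $null }
            }
            continue
        }

        if ($t -match '^(@|"(?:[^"\\]|\\.)*")=(.*)$') {   # "name"=value or @=value
            $rawName  = $Matches[1]
            $rawValue = $Matches[2]
            $name = if ($rawName -eq '@') { '(Default)' } else { $rawName.Substring(1, $rawName.Length - 2) -replace '\\(.)', '$1' }
            $action = 'set'; $value = $rawValue
            if ($rawValue -eq '-') { $action = 'delete value'; $value = $null }
            elseif ($rawValue -match '^"(.*)"$')                       { $value = $Matches[1] -replace '\\(.)', '$1' }
            elseif ($rawValue -match '^dword:([0-9a-fA-F]{1,8})$')     { $value = [Convert]::ToUInt32($Matches[1], 16) }
            elseif ($rawValue -match '^hex(\([0-9a-fA-F]+\))?:(.*)$')  { $value = $Matches[2] -replace '[,\s]', '' }
            [pscustomobject]@{ Key = $key; Name = $name; Action = $action; Value = $value }
        }
    }
}

function Get-RegFileFindings {
    param([Parameter(Mandatory)][string[]]$Lines)
    # First matching rule wins, so the list runs from specific to generic.
    $rules = @(
        @{ Pattern = '\\CurrentVersion\\(Run|RunOnce|RunOnceEx)$'; Why = 'autostart entry (persistence)' },
        @{ Pattern = '\\Winlogon$';                 Why = 'Shell/Userinit hook runs at every logon' },
        @{ Pattern = '\\Services\\EventLog\\';      Why = 'event log size/retention (anti-forensic if shrunk)' },
        @{ Pattern = '\\LanmanServer\\Parameters$'; Why = 'AutoShareWks/AutoShareServer=0 stops admin shares being recreated' },
        @{ Pattern = '\\Services\\[^\\]+$';         Why = 'service config; Start=4 disables the service' }
    )
    foreach ($e in Read-RegFile -Lines $Lines) {
        $hit = $rules | Where-Object { $e.Key -match $_.Pattern } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{ Key = $e.Key; Name = $e.Name; Action = $e.Action; Value = $e.Value; Why = $hit.Why }
        }
    }
}

# Constructed sample standing in for the keyreg.txt the thread never shows;
# 'lockdown' and lockdown.bat are made-up names.
$sample = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareWks"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"MaxSize"=dword:00010000
"Retention"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lockdown"="cmd.exe /c c:\\winnt\\lockdown.bat"

[-HKEY_CURRENT_USER\Software\Example\Obsolete]
'@

Get-RegFileFindings -Lines ($sample -split "`r?`n") | Format-Table -AutoSize
# Against the real file:  Get-RegFileFindings -Lines (Get-Content C:\WINNT\keyreg.txt)
```

On the constructed sample every entry except the deleted HKCU key is flagged: the AutoShareWks value explains why a script would bother deleting C$ and ADMIN$ at each boot, the EventLog values cap the Security log at 64 KB with overwrite-as-needed retention, Start=4 disables Remote Registry, and the Run value is the sort of launcher the earlier replies told the poster to look for. The same function run over the real keyreg.txt says what it does without any of it being applied.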
 
j0ckser,

It is a good suggestion to locate keyreg.txt. Also, what if you cannot find it anymore?

Then I would say it is very likely those commands are out of a text-based file. I would use the "search" facility to locate any file containing some characteristic line like, for instance:
attrib +h "c:\RECYCLER\S-1-5-21-854245398-436374069-1343024091-1050\Dc4\"temp\1"

- tsuji
 