XP logs off right after logging in (virus)

Discussion in 'Software' started by zr79, Feb 5, 2010.

  1. zr79

    zr79 Byte Poster

    I had a PC (XP) with a virus. So I booted into a live Linux CD and ran a virus scan; it picked up quite a few viruses, but the virus had also set a registry key so that the user was logged off right after it started logging in. From previous experience the key that was most likely changed would be

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon C:\WINDOWS\system32\userinit.exe

    to something like

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon C:\WINDOWS\system32\Virus.exe

    but I could see from using a registry editor in the live CD that this key was as it should be, so how would I go about finding the rogue key?
     
    Certifications: A+
  2. SimonD
    Honorary Member

    SimonD Terabyte Poster

    It could be done via the HKCU key rather than HKLM.

    What happens if you log on in safe mode?
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
  3. zr79

    zr79 Byte Poster

    Safe mode, same thing, logs off. Second time I have dealt with this logging-off trick. The first time I copied the reg files from windows\repair to windows\system32\config, which obviously reset Windows to default, which the customer didn't mind, so I never actually looked to see if the userinit.exe had been changed; this time however they want their current profiles back. I have removed all the viruses but there is one rogue key still there. I did actually look in HKCU.
     
    Certifications: A+
  4. Qs

    Qs Semi-Honorary Member Gold Member

    It's probably more hassle than it's worth, especially if it had numerous viruses.

    Slave the drive, copy off important data and then reimage it.

    Qs
     
    Certifications: MCT, MCSE: Private Cloud, MCSA (2008), MCITP: EA, MCITP: SA, MCSE: 2003, MCSA: 2003, MCITP: EDA7, MCITP: EDST7, MCITP: EST Vista, MCTS: Exh 2010, MCTS:ServerVirt, MCTS: SCCM07 & SCCM2012, MCTS: SCOM07, MCTS: Win7Conf, MCTS: VistaConf, MCDST, MCP, MBCS, HND: Applied IT, ITIL v3: Foundation, CCA
  5. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    If you don't know what the rogue key is, then how do you know you have a rogue key? :blink Just because you get logged off immediately after logging on doesn't necessarily mean you have a bad registry key...
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  6. beaumontdvd

    beaumontdvd Kilobyte Poster

    I had a similar virus to this: whenever I logged in I was logged off. Do you have more than one user account set up on the XP machine? Try logging into another; it may not log you in completely but may log you in without running explorer.exe, so basically you will have more or less a blank screen. Then Ctrl+Shift+Esc to get Task Manager up, end processes that look abnormal and run the process explorer.exe from Task Manager. This starts up the UI; then run Spybot and AVG etc. I found that the user account logged in that had the virus was the one you could log into without logging off. But this was a few months back and all viruses are different. Try it, see what happens.

    Regards,
    Dave
     
    Certifications: 070-271, 070-272, (MCDST)Level 1,2,3 NVQ
    WIP: 070-270, A+, N+, S+,MCDST 7 Upgrade
  7. zr79

    zr79 Byte Poster

    Trust me, it is a changed reg key. There must be a few that can do this; I have another possibility at
    HKey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    which I will try soon enough, but I am sure there are more.

    @Qs, I really don't think it is as bad as you say; I think it is just the one key that needs fixing. The virus scan and various other checks leave me thinking all the raw viruses are removed, just a key to fix.
     
    Certifications: A+
  8. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    Wow, how did you work that one out?

    If that key is playing up then just delete it..... 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  9. zr79

    zr79 Byte Poster

    It's easy enough to log on: I just boot to a live CD, back up windows\system32\config and then replace this dir with windows\repair, and I can log in to a default profile fine. But not very good, as the current profiles are lost until I restore the registry. I ran Malwarebytes and AVG.

    But neither picked up the bad key, so I am left with trying to find a needle in a haystack.

    But there must only be a number of keys that will allow this.
     
    Certifications: A+
  10. beaumontdvd

    beaumontdvd Kilobyte Poster

    Isn't there an option in Spybot to test and remove bad reg keys?
     
    Certifications: 070-271, 070-272, (MCDST)Level 1,2,3 NVQ
    WIP: 070-270, A+, N+, S+,MCDST 7 Upgrade
  11. zebulebu

    zebulebu Terabyte Poster

    Why do you say 'Trust me, it's a bad registry key'? What evidence do you have to support that? As others have said on here, there are dozens of things that could be causing this - just because you've had experience of that causing the problem in the past doesn't mean it's going to be that same fix every time you encounter a similar problem.

    FWIW, the only way to be absolutely sure you've cleaned all the crud out of a badly-hosed system (e.g. one that had 'a few' viruses when you scanned it first time round) is to vape it and start from scratch. Pull the drive, stick it on another cable and grab the data then format & reinstall - if you'd done that originally it would have been a damn sight quicker than trying to figure out what was causing the problem to start with.
     
    Certifications: A few
    WIP: None - f*** 'em
  12. zr79

    zr79 Byte Poster

    This is the last time I explain this. There are 5 files in windows\system32\config that are the registry: sam, security, software, default and system. If I back these up and replace these 5 files with the corresponding 5 files in windows\repair I can then log in. So hence it is a registry problem.
     
    Certifications: A+
  13. Mr.Cheeks

    Mr.Cheeks 1st ever Gold Member! Gold Member

    Fella,

    You either listen to their advice and follow it or you ignore it and do what you will.

    Trust me, it is quite simple.
     
  14. zebulebu

    zebulebu Terabyte Poster

    Thanks for that whistle-stop tour of the system32\config directory.

    However, since you have singularly failed to indicate that you have read my advice directly below, I suggest that you read my post again, and take the advice onboard. Also, since the vast majority of your posts here are made when you have a problem with a customer/user PC, and you are obviously using us to assist you in doing your job, might I suggest that you take a slightly less confrontational tone when responding to posts? It's enough of a piss-take for those of us who have to help other people that they actually work with to do their jobs - much less someone they've never met.
     
    Certifications: A few
    WIP: None - f*** 'em
  15. dmarsh
    Honorary Member 500 Likes Award

    dmarsh Petabyte Poster

  16. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    That's pretty amazing, that talent you've got there. Could I borrow it to determine tomorrow night's lottery winner, perhaps? Because after all, I've encountered exactly what you're describing, and it wasn't because of any wonky registry key! :biggrin

    Let me know when you've got that lottery winner, 'k? Thanks. :thumbleft
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  17. miflandia

    miflandia Byte Poster

    My opinion:
    I never heard about a 100% anti-virus (what I have is quite good actually, but not 100%).
    If it is your PC and you like the challenges, then go ahead and try to fix it.
    If it is a job, do what the others say, because I do not think they will be happy with the bill of 78 hours of work (which would be 1 the other way).
    My practice:
    If I have a virus (even if I have only 1, and you talk about multiple viruses), I reinstall the OS straight away.
    It does not take long and is a 100% fix (I am not even sure about that, I heard about funny viruses which dodge this as well). Nowadays when you do internet banking, ordering online, e-mail, etc. etc., nobody should take that risk; you might just give your or your customer's personal details away.
     
    Certifications: Comptia A+
    WIP: Comptia N+
  18. zr79

    zr79 Byte Poster

    Have to say I am a bit surprised at these answers. Take some virus xyz.exe. Now for that virus to start after a reboot there has to be a registry key set to run it. There are a variety of well known and not so well known keys that allow this.

    The other option, as has been said, was that a file such as userinit.exe or explorer.exe has been replaced with a modified version, which would make sense; I know that the AV may not pick this up. What I was after though was a list of possible keys that could allow this. I have so far,

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    Startup="C:\windows\start menu\programs\startup"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
    Startup="C:\windows\start menu\programs\startup"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
    "Common Startup"="C:\windows\start menu\programs\startup"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
    "Common Startup"="C:\windows\start menu\programs\startup"
    [HKey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon C:\WINDOWS\system32\userinit.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "Whatever"="c:\runfolder\program.exe"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    "Whatever"="c:\runfolder\program.exe"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Whatever"="c:\runfolder\program.exe"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Whatever"="c:\runfolder\program.exe"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Whatever"="c:\runfolder\program.exe"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Whatever"="c:\runfolder\program.exe"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "Whatever"="c:\runfolder\program.exe"
    [HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
    [HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
    [HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
    [HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
    [HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]
    StubPath=C:\PathToFile\Filename.exe


    OK, I think that is most of them; will check these out, and replace userinit and explorer. Think about it: if by changing one registry key you can then save rebuilding the OS, and keep the user's profile and currently installed apps, it seems reasonable to me to have a look through the registry for 10 mins or so.
     
    Last edited: Feb 7, 2010
    Certifications: A+
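A way to run the check zr79 is describing without ever logging on to the infected profile, as an added example that is not code from any poster in this thread: with the drive slaved on a working Windows machine (as Qs suggested), load the offline SOFTWARE hive and the affected profile's NTUSER.DAT under temporary names with reg.exe, then compare the Winlogon, Image File Execution Options, Run and exefile-handler values from the list above against their stock XP values. The paths E:\WINDOWS and E:\Documents and Settings\Customer\NTUSER.DAT are assumptions for a slaved drive, and the expected defaults (Userinit with its trailing comma, Shell of Explorer.exe, the "%1" %* exe handler) are the values of a stock XP install in C:\WINDOWS; they will differ if Windows was installed to another directory. The script needs administrative rights on the analysis machine and nothing else holding the hive files open.

```powershell
<#
  Offline autostart audit for a slaved Windows XP drive.
  Added example, not code from this thread. Assumes the suspect disk is
  attached to a working Windows machine and that this runs elevated.
#>
param(
    # Windows directory on the slaved drive (assumed path)
    [string]$WindowsDir = 'E:\WINDOWS',
    # NTUSER.DAT of the profile that gets logged off (assumed path)
    [string]$UserHive   = 'E:\Documents and Settings\Customer\NTUSER.DAT'
)

$softwareHive = Join-Path $WindowsDir 'system32\config\software'
$findings = @()

try {
    # Load the offline hives under temporary names; the live registry is untouched.
    & reg.exe load 'HKLM\OfflineSOFTWARE' $softwareHive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe could not load $softwareHive" }
    & reg.exe load 'HKLM\OfflineUSER' $UserHive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe could not load $UserHive" }

    # 1. Winlogon: Userinit and Shell are what runs at logon. Stock XP values
    #    shown; Userinit deliberately keeps its trailing comma.
    $winlogon = Get-ItemProperty 'HKLM:\OfflineSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = @{
        Userinit = 'C:\WINDOWS\system32\userinit.exe,'
        Shell    = 'Explorer.exe'
    }
    foreach ($name in $expected.Keys) {
        $actual = $winlogon.$name
        if ($actual -ne $expected[$name]) {   # -ne is case-insensitive in PowerShell
            $findings += "Winlogon\$name = '$actual' (expected '$($expected[$name])')"
        }
    }

    # 2. Image File Execution Options: a Debugger value under a program name
    #    makes Windows start that "debugger" instead of the program itself.
    $ifeo = 'HKLM:\OfflineSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in (Get-ChildItem $ifeo -ErrorAction SilentlyContinue)) {
        $dbg = (Get-ItemProperty $sub.PSPath).Debugger
        if ($dbg) { $findings += "IFEO\$($sub.PSChildName) Debugger = '$dbg'" }
    }

    # 3. Run / RunOnce / RunServices in both hives: list every value so it can
    #    be compared with what the customer knowingly installed.
    $runKeys = @(
        'HKLM:\OfflineSOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\OfflineSOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\OfflineSOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
        'HKLM:\OfflineUSER\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\OfflineUSER\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty $key).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
            $findings += "$key\$($prop.Name) = '$($prop.Value)'"
        }
    }

    # 4. exefile handler: anything other than "%1" %* runs an extra program
    #    every time an .exe is launched.
    $exeKey = 'HKLM:\OfflineSOFTWARE\Classes\exefile\shell\open\command'
    $exeCmd = (Get-ItemProperty $exeKey -ErrorAction SilentlyContinue).'(default)'
    if ($exeCmd -ne '"%1" %*') { $findings += "exefile\shell\open\command = '$exeCmd'" }
}
finally {
    # Always unload so the hive files on the slaved drive are not left locked.
    & reg.exe unload 'HKLM\OfflineSOFTWARE' 2>$null | Out-Null
    & reg.exe unload 'HKLM\OfflineUSER' 2>$null | Out-Null
}

if ($findings.Count -eq 0) { 'No deviations from the expected autostart values.' }
else { $findings }
```

The script only reports; deciding whether a listed value is legitimate, and restoring or deleting it, is left to whoever reads the output. The Run-key section prints every entry rather than judging it, because there is no fixed "default" for those keys. Because the hives are loaded under HKLM\OfflineSOFTWARE and HKLM\OfflineUSER, the paths inside them drop the leading SOFTWARE\ or HKEY_CURRENT_USER\ shown in zr79's list, and the unload in the finally block runs even if one of the lookups throws.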
  19. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    You might want to try a repair install of the OS to replace/repair explorer.exe. Also, have you tried a System Restore? This *may* put the registry back to a condition where you can at least log on.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  20. beaumontdvd

    beaumontdvd Kilobyte Poster

    Yeah, but like everyone's saying, viruses are designed to not be found, so why try and look for them in a registry which contains many possible outcomes of where it could be? This will take a lot of time and the effective way is to reformat. If you're lucky enough to find the key and change it and it logs on fine, what's to say there wasn't another key changed which can intercept bank details etc.? Really you're just avoiding the obvious decision and making things harder for yourself. These people know what they're talking about and wouldn't advise you to do something if there was an easier way out. But that's just my opinion. Also, as far as you've mentioned, you've only scanned with AVG? Why not scan with more antivirus/spyware software to see if another one can pick up the virus?
     
    Last edited: Feb 7, 2010
    Certifications: 070-271, 070-272, (MCDST)Level 1,2,3 NVQ
    WIP: 070-270, A+, N+, S+,MCDST 7 Upgrade
