1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XP logs off right after logging in(virus)

Discussion in 'Software' started by zr79, Feb 5, 2010.

  1. zr79

    zr79 Byte Poster

    199
    1
    17
    I had a pc(XP) with a virus. So i booted into a live linux cd and ran a virus scan, it picked up quite a few viruses, but the virus had also set a registry key so that the user was logged off right after it starting logging in. From pevious experience the key that was most likely changed would be

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon C:\WINDOWS\system32\userinit.exe

    to something like

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon C:\WINDOWS\system32\Virus.exe

    but i could see from using a registry editor in the live cd that this key was as it should be, so how would i go about finding the rouge key?
     
    Certifications: A+
  2. SimonD

    SimonD Terabyte Poster Moderator

    3,463
    397
    199
    It could be done via the HKCU key rather than HKLM.

    What happens if you log on in safe mode?
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
    WIP: VCP6-CMA, VCAP-DCD and Linux + (and possibly VCIX-NV).
  3. zr79

    zr79 Byte Poster

    199
    1
    17
    Safe mode same thing, logs off, second time i have dealt with this logging off trick. The first time i copied the reg files from windows\repair to window\system32\config which obvioulsy reset windows to default which the customer didn't mind, so i never actually looked to see if the userinit.exe had been changed, this time however they wan't their current profiles back. I have removed all the viruses but there is one rouge key still there. I did actually look in HKCU.
     
    Certifications: A+
  4. Qs

    Qs Semi-Honorary Member Gold Member

    3,081
    70
    171
    It's probably more hassle that it's worth, especially if it had numerous viruses.

    Slave the drive, copy off important data and then reimage it.

    Qs
     
    Certifications: MCT, MCSE: Private Cloud, MCSA (2008), MCITP: EA, MCITP: SA, MCSE: 2003, MCSA: 2003, MCITP: EDA7, MCITP: EDST7, MCITP: EST Vista, MCTS: Exh 2010, MCTS:ServerVirt, MCTS: SCCM07 & SCCM2012, MCTS: SCOM07, MCTS: Win7Conf, MCTS: VistaConf, MCDST, MCP, MBCS, HND: Applied IT, ITIL v3: Foundation, CCA
  5. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    If you don't know what the rogue key is, then how do you know you have a rogue key? :blink Just because you get logged off immediately after logging on doesn't necessarily mean you have a bad registry key...
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  6. beaumontdvd

    beaumontdvd Kilobyte Poster

    487
    3
    32
    I had a similar virus to this whenever I logged in I was logged off, do you have more than one user account setup on the xp machine? Try logging into another, it may not log you in completely but may log you in without running the explorer.exe so basically you will have moreless a blank screen. then cntrl shift escape to get task mgr up, end processes that look abnormal and run the process explorer.exe from tsk mgr .this starts up the UI then run spybot and avg ect.. I found that the user account logged in that had the virus was the one you could log into without logging off. But this was a few monthes back and all virus's are differnt. Try it see what happens.

    Regards,
    Dave
     
    Certifications: 070-271, 070-272, (MCDST)Level 1,2,3 NVQ
    WIP: 070-270, A+, N+, S+,MCDST 7 Upgrade
  7. zr79

    zr79 Byte Poster

    199
    1
    17
    Trust me, it is a changed reg key. There must be a few that can do this, i have another possibility @
    HKey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    which i will try soon enough, but i am sure there are more.

    @ QS, i really don't think it as bad as you say, i think it is just the one key that needs fixed, the virus scan and various other check leave me thinking all the raw viruses are removed, just a key to fix.
     
    Certifications: A+
  8. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    Wow, how did you work that one it out?

    If that key is playing up then just delete it..... 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  9. zr79

    zr79 Byte Poster

    199
    1
    17
    It easy enough to log on, i just boot to a live cd and backup windows\system32\config and then replace this dir with windows\repair and i can log in to a default profile fine. But not very good as the current profiles are lost until and restore the registry. I ran malewarebytes and AVG.

    But neither picked up the bd key, so i am left with trying to find a needle in a haystack.

    But there must only be a number of keys that will allow this.
     
    Certifications: A+
  10. beaumontdvd

    beaumontdvd Kilobyte Poster

    487
    3
    32
    Isnt there an option in spybot to test and remove bad reg keys?
     
    Certifications: 070-271, 070-272, (MCDST)Level 1,2,3 NVQ
    WIP: 070-270, A+, N+, S+,MCDST 7 Upgrade
  11. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Why do you say 'Trust me it;s a bad registry key'? What evidence do you have to support that? As others have said on here, there are dozens of things that could be causing this - just because you've had experience of that causing the problem in the past, doesn't mean it's going to be that same fix every time you encounter a similar problem.

    FWIW, the only way to be absolutely sure you've cleaned all the crud out of a badly-hosed system (e.g. one that had 'a few' viruses when you scanned it first time round) is to vape it and start from scratch. Pull the drive, stick it on another cable and grab the data then format & reinstall - if you'd done that originally it would have been a damn sight quicker than trying to figure out what was causing the problem to start with.
     
    Certifications: A few
    WIP: None - f*** 'em
  12. zr79

    zr79 Byte Poster

    199
    1
    17
    This is the last time i explain this. THere are 5 files in windows\system32\config that are the registry, sam, security, software, default and system. If i back these up and replace these 5 files with the corresponding 5 files in windows\repair i can then log in. So hence it is a registry problem.
     
    Certifications: A+
  13. Mr.Cheeks

    Mr.Cheeks 1st ever Gold Member! Gold Member

    5,369
    85
    190
    Fella,

    You either listen to their advice and follow it or you ignore it and do what you will.

    Trust me, it is quite simple.
     
  14. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Thanks for that whistle-stop tour of the system32\config directory.

    However, since you have singularly failed to indicate that you have read my advice directly below, I suggest that you read my post again, and take the advice onboard. Also, since the vast majority of your posts here are made when you have a problem with a customer/user PC, and you are obviously using us to assist you in doing your job, might I suggest that you take a slightly less confrontational tone when responding to posts? It's enough of a piss-take for those of us who have to help other people that they actually work with to do their jobs - much less someone they've never met.
     
    Certifications: A few
    WIP: None - f*** 'em
  15. dmarsh

    dmarsh Terabyte Poster

    3,782
    302
    184
    Certifications: CITP, BSc, HND, SCJP, SCJD, SCWCD, SCBCD, SCEA, N+, Sec+, Proj+, Server+, Linux+, MCTS, MCPD, MCSA, MCITP, CCDH
  16. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    That's pretty amazing, that talent you've got there. Could I borrow it to determine tomorrow night's lottery winner, perhaps? Because after all, I've encountered exactly what you're describing, and it wasn't because of any wonky registry key! :biggrin

    Let me know when you've got that lottery winner, 'k? Thanks. :thumbleft
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  17. miflandia

    miflandia Byte Poster

    105
    0
    31
    My opinion:
    I never heard about 100% anti-virus(What i have is quiet good actually but not 100%)
    If it is your pc and you like the challenges, than go ahead and try to fix it.
    If it is a job, do what the others say because i do not think they will be happy with the bill of 78 hours of work(which would be 1 the other way).
    My practice:
    If i have a virus(even if i have only 1, and you talk about multiple viruses), i reinstall the OS straight away.
    It does not take long and100% fix(i am not even sure about that, i heard about funny virus which dodge this as well). Nowadays when you do internet-banking, ordering online, e-mail, etcetcetc nobody should take that risk, you might just give your or your costumer personal details away.
     
    Certifications: Comptia A+
    WIP: Comptia N+
  18. zr79

    zr79 Byte Poster

    199
    1
    17
    Have to say i am a bit surprised at these answers. Take some virus xyz.exe. Now for that virus to start after a reboot there has to be a registry keys set to run it. There are a variety of well known and not so well known keys that allow this.

    The other option as has been said was that a file such as userinit.exe or explorer.exe has been replaced with a
    modified version which would make sense, i know that the AV may not pick this up. What i was after though was a list of possible keys that could allow this, i have so far,

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    Startup="C:\windows\start menu\programs\startup"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
    Startup="C:\windows\start menu\programs\startup"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
    "Common Startup"="C:\windows\start menu\programs\startup"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
    "Common Startup"="C:\windows\start menu\programs\startup"
    [HKey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon C:\WINDOWS\system32\userinit.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "Whatever"="c:\runfolder\program.exe"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    "Whatever"="c:\runfolder\program.exe"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Whatever"="c:\runfolder\program.exe"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Whatever"="c:\runfolder\program.exe"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Whatever"="c:\runfolder\program.exe"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Whatever"="c:\runfolder\program.exe"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "Whatever"="c:\runfolder\program.exe"
    [HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
    [HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
    [HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
    [HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
    [HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]
    StubPath=C:\PathToFile\Filename.exe


    Ok i think that is most of them will check these out, and replace userinit and explorer. Think about it if by changing one registry key you can then save rebuilding the OS, and keep the users profile and currently installed apps seems reasonable to me to have a look through the registry for 10mins or so.
     
    Last edited: Feb 7, 2010
    Certifications: A+
  19. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    You might want to try a repair install of the OS to replace\repair explorer.exe. Also have youi tried a system restore? This *may* put the registry back to condition where you can at least log on.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  20. beaumontdvd

    beaumontdvd Kilobyte Poster

    487
    3
    32
    Yeah but like everyones saying virus's are designed to not be found, so why try and look for them in a registry which contains many possible outcomes of where it could be? This will take a lot of time and the effective way is to reformat. If your luckily enough to find the key and change it and it logs on fine, whats to say there wasn't another key changed which can intercept bank details ect, really your just avoiding the obvious decision and making things harder for yourself. These people know what there talking about and wouldn't advise you to do something if there was an easier way out. But thats just my opinion, also as far as you've mentioned you've only scanned with AVG? why not scan with more antivirus / spyware software to see if another one can pick up the virus?
     
    Last edited: Feb 7, 2010
    Certifications: 070-271, 070-272, (MCDST)Level 1,2,3 NVQ
    WIP: 070-270, A+, N+, S+,MCDST 7 Upgrade

Share This Page

Loading...