XP logs off right after logging in (virus)

Discussion in 'Software' started by zr79, Feb 5, 2010.

  1. zr79

    zr79 Byte Poster

    199
    1
    17
    So your policy is, have a virus = automatic reformat?

    There are a limited number of registry keys that can load an application into memory on startup.

    If these keys are not set then even if there is a virus on your PC it can do nothing unless it has been initialised on startup.

    I should really make a script to dump all the possible startup keys out and then make another script to replace any exe, com, scr, bat executables that these point to, at the same time checking whether there are any questionable entries in these keys.

    I can use,

    Code:
    ' Read, write and delete registry values through WScript.Shell
    Set objShell = CreateObject("WScript.Shell")
    strRead = objShell.RegRead(strRegRead)   ' strRegRead names the key or value to read
    objShell.RegWrite "", "", ""             ' RegWrite and RegDelete return nothing, so call them as statements
    objShell.RegDelete ""
    
    to do this,

    and,

    Code:
    ' Copy a known-good file over the suspect one; TRUE = overwrite if it already exists
    Set fso = CreateObject("Scripting.FileSystemObject")
    fso.CopyFile "", "", TRUE

    to replace files from the CD.
     
    Certifications: A+
  2. miflandia

    miflandia Byte Poster

    105
    0
    31
    My policy is the format.
    If it is my PC, I have the solution as I keep an image of the new system.
    If it is not mine, I explain the danger of running an infected computer to the customer.
    You are focusing on a possible virus which logs off after start-up or right after log-on. But if you picked up, let's say, 6 viruses, you did not pick at least 1. But could there be another 10?
    The one you are fighting is triggered by the log-on of that user. What about the possible other 9? The next activates on Friday the 13th, another one when you start HTTPS, another one starts with the e-mail client...
    You are on a more advanced level than me with poking around the registry; if you want to go that way you should start developing AVs, etc., but if you want to fix simple computer issues, the way to do it is the simple way.
    (all these are my private opinions (Terms and conditions apply)) :rolleyes:
     
    Last edited: Feb 7, 2010
    Certifications: Comptia A+
    WIP: Comptia N+
  3. beaumontdvd

    beaumontdvd Kilobyte Poster

    487
    3
    32
    Fair enough, why not try more antivirus/spyware removal software like I previously said? How do you know the virus hasn't created a hidden scheduled task and saved the files needed in the Windows folder? Like I said, it's not always the case of stopping startup programs. If you want to see programs/services running at startup, like I said earlier, download Spybot; it lists all the details and can even repair invalid registry entries.
     
    Certifications: 070-271, 070-272, (MCDST)Level 1,2,3 NVQ
    WIP: 070-270, A+, N+, S+,MCDST 7 Upgrade
  4. zr79

    zr79 Byte Poster

    199
    1
    17
    Funnily enough, I did actually start writing an AV application in VB6 but I realised it was going to be too slow to compete against anything mainstream. In saying that, though, Microsoft's AntiSpyware (now abandonware) was actually written in VB6, which was quite impressive considering the speed it scanned at, so maybe still possible. I did even look into coding it in assembler but I gave up after a while as it is not the nicest language to work with and it is hard to find any decent documentation for this specific task.

    Actually the engine of an AV scanner is not too difficult, it is fairly standard to write a recursive search algo. You then need to open each file in memory and check for a signature which you would have set.

    A lot of work is involved maintaining updates and signature definitions; may have another go though!
     
    Certifications: A+
  5. miflandia

    miflandia Byte Poster

    105
    0
    31
    Lol. This is the problem. Everybody wants to tell you to go the easy way, but you want some challenge :duel

    But anyway, i am out, i have no knowledge in this level.
    I follow up, but i do not think i can add anything...
    Have fun
     
    Certifications: Comptia A+
    WIP: Comptia N+
  6. zr79

    zr79 Byte Poster

    199
    1
    17

    A challenge is not the issue. If a user has, say, 50+ apps installed, some of them needing license keys (yes, you can dig out the keys before you format, etc.), and some of these apps are older and no longer being distributed, and the user has, say, lost a couple of CDs, there go those apps. That will be a lot of work, building the system back to where it was, and unless you image the drive with the OS, you are looking at a full install + updates + tweaking and then, as I said, reinstalling dozens of apps; that could be 6 hours' work all going well. Now with a good knowledge of the registry you should be able to kill any viruses from starting from the registry, possibly 10 mins' work. I don't think this way is harder, just some one-off ground work to do to understand various keys.
     
    Certifications: A+
  7. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    It really depends on what IT environment you look after. If the build of the laptop is going to take ages (like you said) to recreate I would agree that trying to fix the issue is worth a shot.

    However in a corporate environment there should be a base image of the laptop available so putting the image back on and patching is the best way to go.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  8. derkit

    derkit Gigabyte Poster

    1,480
    58
    112
    Absolutely, any admin worth their salt would not spend an extraordinary amount of time on the off chance they can resolve the problem - there are whole AV companies that spend time doing this, so why reinvent the wheel?

    If it's a workstation, either home or office, the critical data should be stored elsewhere (i.e., on another workstation or server) and backed up, then it doesn't matter what you do with the workstation - easiest way, blow it away! Format!

    If it's a server, have an attempt at battling it, but failing that a rebuild is probably not the end of the world considering it seems most of the admins on here are building a server from scratch most weeks. Secondly, if good backups have been taken you should be able to restore from a week, a month, or even a year ago. Everything else data-wise can be removed before format, AV scanned, server formatted and rebuilt, and then the data reinstalled - I believe including stuff like AD etc. if that's what you need.

    You want a challenge great - but most admins here who know what they're talking about have told you the way to resolve it. If you're in IT, then you don't have enough to do, if you're not, then I think you may need to look at how you use your time more effectively!
     
    Certifications: MBCS, BSc(Hons), Cert(Maths), A+, Net+, MCDST, ITIL-F v3, MCSA
    WIP: 70-293
  9. SimonD
    Honorary Member

    SimonD Terabyte Poster

    3,681
    440
    199
    Speaking from my own experience as well, if I have a problem with an OS that's going to take more than say 3 hours to fix I would start again (actually it's my policy to rebuild my machines every 6 - 12 months anyway).
    As far as building PCs goes, it takes longer to try and repair one than it does to build it (I can actually have my PC rebuilt in about 40 minutes, and that includes a number of apps that are always on here).

    As far as an Enterprise solution goes, a desktop engineer is more likely to rebuild the PC after 1 hour if he can't fix it than he is to spend multiple days trying to resolve it (all the time the engineer is 'trying' to fix it the customer isn't working). That's why there are application servers like SMS 2003, SCCM 2007 or Altiris Deployment Server: the OS gets blasted onto it followed by the applications.

    As an example of my home solutions, if I have a user who requires a consistent backup and a working machine then I suggest investing in a WHS server; this allows for the machine to be backed up on a nightly basis with data retention configured to what they want.

    Spending more time on a problem trying to fix it isn't beneficial, it's a waste of my time and the client's time, and there is always the issue of whether it was fully cleaned and actually trustworthy.

    Oh, and always use an AV product; even MSE is worth installing if you have to (and I actually use it at home along with ESET NOD32).

    Whilst it's nice to understand the registry, never expect to fully understand the way a virus product distributes its payload, because I can tell you that I have friends who can write a package that you simply wouldn't find in the registry but would cause you all sorts of issues.
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
  10. beaumontdvd

    beaumontdvd Kilobyte Poster

    487
    3
    32
    Everyone's saying the same thing, and I agree completely with the last two posts; if you can determine where a virus will base itself or replicate itself then you are a man of talent lol. Considering you could eliminate one virus and in the code it will say to replicate another 500 times. So it begs the question: why ask a question if you don't like/appreciate the responses, then do totally the opposite? Was there any point in anyone answering this question if you're going to answer it yourself?
     
    Certifications: 070-271, 070-272, (MCDST)Level 1,2,3 NVQ
    WIP: 070-270, A+, N+, S+,MCDST 7 Upgrade
  11. miflandia

    miflandia Byte Poster

    105
    0
    31
    (not virus-wise)
    As others mentioned, and I agree (I do it with my own PC), every OS needs to be rebuilt depending on the usage (I do mine every 6 months).
    So even if you find the flu, I would get all those keys, data, etc., etc. and rebuild the system, and when it is ready make a copy of the system and find a good data backup solution.
    So this work seems to be unavoidable to me. :rolleyes:
     
    Certifications: Comptia A+
    WIP: Comptia N+
  12. beaumontdvd

    beaumontdvd Kilobyte Poster

    487
    3
    32
    I agree 100% :)
     
    Certifications: 070-271, 070-272, (MCDST)Level 1,2,3 NVQ
    WIP: 070-270, A+, N+, S+,MCDST 7 Upgrade
  13. dmarsh
    Honorary Member 500 Likes Award

    dmarsh Petabyte Poster

    4,305
    503
    259
    Yeah, sounds really easy! Assembler is not hard, there's loads of decent stuff on 80x86 assembler on the net; most people no longer write programs 100% in assembler, the main portion would be in C/C++ and a small amount of either inline asm or they would link to an object file or library from an assembler.

    Writing a production-ready virus scanner is reasonably hard and would likely take one person 6+ months, and that's without the millions of man-hours that must go into building a signature database and creating removal plans.

    Did you look at Autoruns? It's designed to show all the common reg keys that launch apps; there are like 200+ such keys. It's a user-friendly app for people that just want to see the horrendous mess the registry can be!

    Registry viewing and export tools normally conform to a subset of the full API functionality, therefore there are ways people can store hidden keys or hidden suffixes on keys.

    Viruses can adopt other tactics as well; they can attach themselves to pukka executables, therefore they need not change the registry at all! If it's a pukka executable that runs regularly then the trojan can get into memory and start executing and doing what it wants. If the executable is not monitored by System Restore and the virus signature is not in the AV then you're gonna get pwned!

    Rootkits can alter filesystem drivers and make themselves totally invisible to any program that uses standard OS calls to read the filesystem! They don't just rely on the registry autorun functionality; they could change a boot sector etc.

    They could load a fake driver or service, yes this would appear in the registry, but possibly not where you expect, they could even share a service host with legitimate services.

    Wow, VB6 programmer, you must be l33t !
     
    Last edited: Feb 8, 2010
  14. zr79

    zr79 Byte Poster

    199
    1
    17
    Good answer.

    I should have known about viruses injecting themselves into the memory space of valid executables such as explorer or internet explorer.

    Been a while since I used to look into this in depth, actually about 6 years ago.

    I used to dig up the source code of well-known viruses and learn how they worked.

    Also, as you say, patching valid DLLs is another method, and there will be many more exploits. It just seems a pain that by being able to remove a file or two and a registry key or two you save yourself a lot of unnecessary trouble.

    OK, thanks for the discussion, it's been a good help.
     
    Certifications: A+
  15. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    19,183
    500
    414
    Yep, this is similar to what I was going to say in response to the comment that it can ONLY be due to a registry key. It can absolutely be any of these things. Repped.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  16. zr79

    zr79 Byte Poster

    199
    1
    17
    There were no system restore points, which also added to the burden.
     
    Certifications: A+
  17. PPD2387

    PPD2387 Byte Poster

    149
    9
    37
    Why is it that, reading this guy's posts, I get the impression he is just trying to impress!? In the time it has taken to follow and reply to posts on this thread he could have done what everyone has advised three times over: back up and re-image.

    dmarsh - love your l33t comment!
     
    Last edited: Feb 8, 2010
  18. beaumontdvd

    beaumontdvd Kilobyte Poster

    487
    3
    32
    Agreed, I had that impression too. Maybe it wasn't even a question he just wanted to gloat about programming skills :rolleyes:
     
    Certifications: 070-271, 070-272, (MCDST)Level 1,2,3 NVQ
    WIP: 070-270, A+, N+, S+,MCDST 7 Upgrade
  19. zr79

    zr79 Byte Poster

    199
    1
    17
    No gloating here, I haven't programmed for a few years and most of the code I used was from free code sites; I just modified the code here and there.

    Anyway, I came up with a better solution, obvious as it is, and that would be to remove the drive and add it to another system as a secondary drive, instead of having to reset registries etc. to allow me to even boot in.

    This still means I have to dig through the registry to remove the bad stuff, but it should make the process a bit quicker.

    There is an app called regmon which may help out here.
     
    Certifications: A+
  20. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    As the drive is a second drive, the registry won't actually be doing anything here; the main drive will have the live registry, so to speak.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
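An added PowerShell example, written for this page and not code from anyone in the thread, for three points raised above: zr79's plan in the first post (dump the startup keys and check what they point at), dmarsh's point that Autoruns checks far more locations than the Run key, and Sparky's point that a drive attached as a second disk has no live registry, so its SOFTWARE hive has to be loaded under a temporary key before anything can read it. The drive letter D:, the key name HKLM\Suspect and the script file name are my assumptions; the list of keys is a small subset of what Autoruns enumerates, and the checks (missing target, temp/profile location, double extension, odd characters in the value name, Authenticode status, Winlogon Shell/Userinit deviating from the XP defaults) are triage hints, not a verdict.

```powershell
# Added example, not code from the thread. Lists the executables that common
# autorun registry locations point at and flags the ones worth a closer look.
# Works against the live machine (defaults) or against the SOFTWARE hive of a
# disk attached as a second drive, which is not the live registry and must be
# loaded first (hypothetical mount letter D: and key name HKLM\Suspect):
#   reg load HKLM\Suspect D:\Windows\System32\config\SOFTWARE
#   .\Get-AutorunFindings.ps1 -HiveRoot 'HKLM:\Suspect' -SystemRoot 'D:\Windows'
#   reg unload HKLM\Suspect
# Run from an elevated PowerShell prompt.
param(
    [string]$HiveRoot   = 'HKLM:\SOFTWARE',   # root of the SOFTWARE hive to inspect
    [string]$SystemRoot = $env:SystemRoot     # Windows directory on the inspected disk
)

# A small subset of the ~200 locations Autoruns enumerates; extend as needed.
$autorunKeys = @(
    'Microsoft\Windows\CurrentVersion\Run',
    'Microsoft\Windows\CurrentVersion\RunOnce',
    'Microsoft\Windows\CurrentVersion\RunServices',
    'Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Winlogon values have fixed defaults on XP; anything else is a finding.
$winlogonExpected = @{
    'Shell'    = '^explorer\.exe$'
    'Userinit' = '^[a-z]:\\[^\\]+\\system32\\userinit\.exe,?$'
}

function Resolve-CommandPath {
    param([string]$Command, [string]$SystemRoot)
    # The executable is the quoted first token, or else the first space-delimited
    # token (an unquoted path with spaces is truncated here and surfaces as 'target not found').
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command.Trim() -split '\s+')[0] }
    # Point %SystemRoot%/%windir% at the inspected disk, not the analysis machine.
    $exe = $exe -replace '(?i)%SystemRoot%|%windir%', $SystemRoot
    if ($exe -notmatch '[\\/]') {
        # Bare file name: look where the loader would, system32 then the Windows dir.
        foreach ($dir in @((Join-Path $SystemRoot 'system32'), $SystemRoot)) {
            $candidate = Join-Path $dir $exe
            if (Test-Path -LiteralPath $candidate) { return $candidate }
        }
    }
    return $exe
}

function Get-AutorunFinding {
    param([string]$Source, [string]$Name, [string]$Command, [string]$SystemRoot)
    $path   = Resolve-CommandPath -Command $Command -SystemRoot $SystemRoot
    $flags  = @()
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    if (-not $exists) { $flags += 'target not found' }
    if ($path -match '(?i)\\(temp|tmp|recycler|application data|local settings)\\') { $flags += 'runs from temp/profile area' }
    if ($path -match '(?i)\.(txt|jpg|doc|pdf)\.(exe|com|scr|bat|pif)$') { $flags += 'double extension' }
    # Value names containing characters regedit does not display (dmarsh's hidden suffixes).
    if ($Name -match '[^\x20-\x7E]') { $flags += 'non-printable chars in value name' }
    if ($exists) {
        # Unsigned or tampered binaries show up as NotSigned / HashMismatch.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
    }
    New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Command = $Command
        Target = $path;   Flags = ($flags -join '; ')
    }
}

$findings = @()
foreach ($sub in $autorunKeys) {
    $key = Join-Path $HiveRoot $sub
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($valueName in $item.GetValueNames()) {
        # Read REG_EXPAND_SZ raw so %SystemRoot% is expanded against the inspected disk.
        $cmd = [string]$item.GetValue($valueName, '', 'DoNotExpandEnvironmentNames')
        if ($cmd) { $findings += Get-AutorunFinding -Source $sub -Name $valueName -Command $cmd -SystemRoot $SystemRoot }
    }
}
$winlogon = Join-Path $HiveRoot 'Microsoft\Windows NT\CurrentVersion\Winlogon'
if (Test-Path -LiteralPath $winlogon) {
    $props = Get-ItemProperty -LiteralPath $winlogon
    foreach ($name in $winlogonExpected.Keys) {
        $actual = [string]$props.$name
        if ($actual -notmatch "(?i)$($winlogonExpected[$name])") {
            $findings += New-Object PSObject -Property @{
                Source = 'Winlogon'; Name = $name; Command = $actual; Target = ''; Flags = 'differs from XP default'
            }
        }
    }
}
$findings | Sort-Object Source, Name | Format-Table Source, Name, Target, Flags -AutoSize
```

The script only reads; deciding what to delete or restore from a known-good copy is left to the person holding the CD. Two caveats match what dmarsh says: a rootkit that filters registry or filesystem calls can hide from this just as it hides from regedit, which is exactly why reading the hive from a second, clean machine is worth the trouble, and an entry that passes every check here can still be a legitimate binary that has been patched, which is what the Authenticode status is there to catch.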
