CertForums




XP logs off right after logging in(virus)

#31
07-Feb-2010, 04:29 PM
miflandia
Registered Member
Posts: 97
Join Date: 15 Sep 2009
Location: Uxbridge, Uk
Certifications: Comptia A+
WIP: Comptia N+

Quote: Originally Posted by zr79
A challenge is not the issue. If a user has, say, 50+ apps installed, some of them needing license keys (yes, you can dig out the keys before you format etc.), and some of these apps are older and no longer being distributed, and the user has, say, lost a couple of CDs, there go those apps. That will be a lot of work, building the system back to where it was, and unless you image the drive with the OS you are looking at a full install + updates + tweaking and then, as I said, reinstalling dozens of apps; that could be 6 hours' work all going well. Now with a good knowledge of the registry you should be able to kill any viruses from starting from the registry, possibly 10 mins' work. I don't think this way is harder, just some one-off ground work to do to understand various keys.

(Not virus-wise.)
As others mentioned, and I agree (I do it with my own PC), every OS needs to be rebuilt, depending on the usage (I do mine every 6 months).
So even if you find the flu, I would get all those keys, data, etc. and rebuild the system, and when it is ready make a copy of the system and find a good data backup solution.
So this work seems to be unavoidable to me.


 
#32
07-Feb-2010, 04:39 PM
beaumontdvd
Valued Member
Posts: 380
Join Date: 14 Dec 2009
Location: Basingstoke
Age: 20
Certifications: 070-271, 070-272, (MCDST) Level 1,2,3 NVQ
WIP: 070-270, A+, N+, S+, MCDST 7 Upgrade
Quote: Originally Posted by miflandia
(Not virus-wise.)
As others mentioned, and I agree (I do it with my own PC), every OS needs to be rebuilt, depending on the usage (I do mine every 6 months).
So even if you find the flu, I would get all those keys, data, etc. and rebuild the system, and when it is ready make a copy of the system and find a good data backup solution.
So this work seems to be unavoidable to me.

I agree 100%.


Level 1,2,3 NVQ IT USERS (ITQ) Passed
271 - Passed
272 - Passed
(MCDST) (MCP)
270 - Currently Studying - Finish by middle of March
A+ - Finish by June
N+ - Finish by August
 
#33
07-Feb-2010, 05:33 PM
dmarsh
Lifetime Member
Posts: 2,374
Join Date: 24 May 2007
Certifications: One or two...
Quote: Originally Posted by zr79
Funnily enough I did actually start writing an AV application in VB6, but I realised it was going to be too slow to compete against anything mainstream. In saying that though, Microsoft's AntiSpyware (now abandonware) was actually written in VB6, which was quite impressive considering the speed it scanned at, so maybe still possible. I did even look into coding it in assembler but I gave up after a while, as it is not the nicest language to work with and hard to find any decent documentation for this specific task.

Actually the engine of an AV scanner is not too difficult; it is fairly standard to write a recursive search algo. You then need to open each file in memory and check for a signature which you would have set.

Lot of work involved maintaining updates and signature definitions. May have another go though!

Yeah, sounds really easy! Assembler is not hard, there's loads of decent stuff on 80x86 assembler on the net. Most people no longer write programs 100% in assembler; the main portion would be in C/C++ and a small amount of either inline asm, or they would link to an object file or library from an assembler.

Writing a production-ready virus scanner is reasonably hard and would likely take one person 6+ months, and that's without the millions of man-hours that must go into building a signature database and creating removal plans.

Did you look at Autoruns? It's designed to show all the common reg keys that launch apps; there are like 200+ such keys. It's a user-friendly app for people that just want to see the horrendous mess the registry can be!

Registry viewing and export tools normally conform to a subset of the full API functionality, therefore there are ways people can store hidden keys or hidden suffixes on keys.

Viruses can adopt other tactics as well: they can attach themselves to pukka executables, therefore they need not change the registry at all! If it's a pukka executable that runs regularly then the trojan can get into memory and start executing and doing what it wants. If the executable is not monitored by System Restore and the virus signature is not in the AV then you're gonna get pwned!

Rootkits can alter filesystem drivers and make themselves totally invisible to any program that uses standard OS calls to read the filesystem! They don't just rely on the registry autorun functionality; they could change a boot sector etc.

They could load a fake driver or service. Yes, this would appear in the registry, but possibly not where you expect; they could even share a service host with legitimate services.

Wow, VB6 programmer, you must be l33t!


Last edited by dmarsh; 08-Feb-2010 at 01:26 AM.
 
#34
07-Feb-2010, 07:34 PM
zr79
Valued Member
Posts: 198
Join Date: 15 Dec 2008
Location: UK
Certifications: A+
Quote: Originally Posted by dmarsh (post #33 above, quoted in full)
Good answer.

I should have known about viruses injecting themselves into the memory space of valid executables such as explorer or Internet Explorer.

Been a while since I used to look into this in depth, actually about 6 years ago.

I used to dig up the source code of well-known viruses and learn how they worked.

Also, as you say, patching valid DLLs is another method, and there will be many more exploits. Just seems a pain that by being able to remove a file or two and a registry key or two you save yourself a lot of unnecessary trouble.

OK, thanks for the discussion, been a good help.

 
#35
08-Feb-2010, 04:21 PM
BosonMichael
Lifetime Member
Posts: 16,908
Join Date: 02 Nov 2006
Location: near Nashville, TN
Age: 40
Certifications: MCSE+I, MCSE: Securi.. huh? out of room?
WIP: Just about everything!
Quote: Originally Posted by dmarsh
Viruses can adopt other tactics as well: they can attach themselves to pukka executables, therefore they need not change the registry at all! If it's a pukka executable that runs regularly then the trojan can get into memory and start executing and doing what it wants. If the executable is not monitored by System Restore and the virus signature is not in the AV then you're gonna get pwned!

Rootkits can alter filesystem drivers and make themselves totally invisible to any program that uses standard OS calls to read the filesystem! They don't just rely on the registry autorun functionality; they could change a boot sector etc.

They could load a fake driver or service. Yes, this would appear in the registry, but possibly not where you expect; they could even share a service host with legitimate services.

Yep, this is similar to what I was going to say in response to the comment that it can ONLY be due to a registry key. It can absolutely be any of these things. Repped.


BosonMichael
MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
Served proudly, US Army, 98C Intelligence Analyst, '89-'92
#36
08-Feb-2010, 06:22 PM
zr79
Valued Member
Posts: 198
Join Date: 15 Dec 2008
Location: UK
Certifications: A+
Quote: Originally Posted by Sparky
You might want to try a repair install of the OS to replace/repair explorer.exe. Also, have you tried a System Restore? This *may* put the registry back to a condition where you can at least log on.

There were no System Restore points, which also added to the burden.

 
#37
08-Feb-2010, 06:43 PM
pete.grant
Registered Member
Posts: 62
Join Date: 12 Dec 2008
Location: Nottingham, UK
Age: 24
Certifications: See Signature
Why is it that reading this guy's posts I get the impression he is just trying to impress!? In the time it has taken to follow and reply to posts on this thread he could have done what everyone has advised three times over: back up and re-image.

dmarsh - love your l33t comment!


A+ IT Technician, CCENT, CEH, CPTS, CIW Security Analyst, ITIL v3 Foundation, Master CIW Administrator, MBCS, MCSA:Security on Windows Server 2003, MCTS on Windows Server 2008 (AD, NI & Virtualization), Network+, SCNS, Security+, Server+

Last edited by pete.grant; 08-Feb-2010 at 06:44 PM.
 
#38
08-Feb-2010, 06:45 PM
beaumontdvd
Valued Member
Posts: 380
Join Date: 14 Dec 2009
Location: Basingstoke
Age: 20
Certifications: 070-271, 070-272, (MCDST) Level 1,2,3 NVQ
WIP: 070-270, A+, N+, S+, MCDST 7 Upgrade
Quote: Originally Posted by pete.grant
Why is it that reading this guy's posts I get the impression he is just trying to impress!? In the time it has taken to follow and reply to posts on this thread he could have done what everyone has advised three times over: back up and re-image.

Agreed, I had that impression too. Maybe it wasn't even a question; he just wanted to gloat about programming skills.


#39
08-Feb-2010, 10:06 PM
zr79
Valued Member
Posts: 198
Join Date: 15 Dec 2008
Location: UK
Certifications: A+
No gloating here, I haven't programmed for a few years and most of the code I used was from free code sites; I just modified the code here and there.

Anyway, I came up with a better solution, obvious as it is, and that would be to remove the drive and add it to another system as a secondary drive, instead of having to reset registries etc. to allow me to even boot in.

This still means I have to dig through the registry to remove the bad stuff, but it should make the process a bit quicker.

There is an app called regmon which may help out here.

 
#40
08-Feb-2010, 10:19 PM
Sparky
I`ll have a pint...
Posts: 7,959
Join Date: 15 Dec 2005
Location: Scotland
Certifications: MSc MCSE MCSA:M MCITP:EA MCTS(x4) N+ A+
WIP: Feels like everything : )
Quote: Originally Posted by zr79
There is an app called regmon which may help out here.

As the drive is a second drive the registry won't actually be doing anything here; the main drive will have the live registry, so to speak.

 
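The secondary-drive approach from the two posts above, as an added example that is not from the thread or any of its posters: since the suspect registry is not live on the analysis machine, its SOFTWARE hive is loaded under a temporary key and the Winlogon values that decide what starts right after logon (Shell, Userinit) are compared with the stock XP defaults, then the machine-wide Run keys are listed for review. Assumptions: the suspect Windows folder is mounted as D:\WINDOWS, the session is elevated, and the mount name OfflineSW is a hypothetical placeholder.

```powershell
# Added example, not from the thread: review an offline XP SOFTWARE hive from a
# disk attached as a secondary drive. Assumptions: suspect Windows folder is
# D:\WINDOWS, the session is elevated, and mount name OfflineSW is hypothetical.
param(
    [string]$SuspectWindows = 'D:\WINDOWS',
    [string]$MountName      = 'OfflineSW'
)

$hiveFile = Join-Path $SuspectWindows 'system32\config\software'
if (-not (Test-Path $hiveFile)) { throw "SOFTWARE hive not found: $hiveFile" }

# PowerShell has no cmdlet for loading a hive file, so reg.exe does the mount.
& reg.exe load "HKLM\$MountName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed: run elevated and make sure the hive is not in use' }

try {
    $prefix   = "HKLM:\$MountName"
    $winlogon = Get-ItemProperty -Path "$prefix\Microsoft\Windows NT\CurrentVersion\Winlogon"

    # Stock XP values for an install in C:\WINDOWS; the trailing comma on
    # Userinit is part of the default. Anything else deserves a close look,
    # because these two values decide what starts (or exits) right after logon.
    $expected = @{
        Shell    = 'Explorer.exe'
        Userinit = 'C:\WINDOWS\system32\userinit.exe,'
    }
    foreach ($name in $expected.Keys) {
        $actual = $winlogon.$name
        $flag   = if ($actual -eq $expected[$name]) { 'ok   ' } else { 'CHECK' }
        '{0} Winlogon\{1} = {2}' -f $flag, $name, $actual
    }

    # Machine-wide autorun values; every entry here launches at logon, so the
    # whole list is printed for manual review rather than matched to a default.
    foreach ($sub in 'Run', 'RunOnce') {
        $path = "$prefix\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($valueName in $key.GetValueNames()) {
            'list  {0}\{1} = {2}' -f $sub, $valueName, $key.GetValue($valueName)
        }
        $key.Close()
    }
}
finally {
    # Drop .NET handles first, otherwise the unload fails and the hive file
    # stays locked until the analysis machine reboots.
    [GC]::Collect()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Per-user Run keys live in each profile's NTUSER.DAT under D:\Documents and Settings\<user>\ and can be loaded and read the same way.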
#41
08-Feb-2010, 10:29 PM
zebulebu
Miserable old git
Posts: 3,177
Join Date: 07 Aug 2006
Location: Croydon - arsehole of the universe
Age: 36
Certifications: A few
WIP: None - f*** 'em
Quote: Originally Posted by zr79
Anyway, I came up with a better solution, obvious as it is, and that would be to remove the drive and add it to another system as a secondary drive, instead of having to reset registries etc. to allow me to even boot in.

Wow - you came up with that yourself... after me and at least one other person on this thread suggested the exact same thing, like, two days ago?

Kudos.

You brought two too many
 
#42
08-Feb-2010, 10:33 PM
Sparky
I`ll have a pint...
Posts: 7,959
Join Date: 15 Dec 2005
Location: Scotland
Certifications: MSc MCSE MCSA:M MCITP:EA MCTS(x4) N+ A+
WIP: Feels like everything : )
Just a quick point: does the customer not want his/her laptop back yet, mate?

 
CertForums.co.uk (C) copyright 2003-2009 All Rights Reserved. Content published on CertForums.co.uk requires permission for reprint.