
Logging off just after logging in initiates



#1 markevens


Posted 14 June 2011 - 08:38 PM

So I'm working on a Vista machine where 2 user accounts (both with administrative rights) log off just after the log in initiates. As soon as I click the user picture (no passwords) the screen shows "Welcome" with the blue circle. In about 1-2 seconds it changes to "Logging off" then turns black, and then I'm back at the log in screen.

I can log in to them in safe mode, but not normal mode.

I can also log onto the Admin and Administrator accounts without problem in normal mode.

Does anyone know what might be causing this or how I would correct it?

edit: it also has a fake AV trojan on it.
edit: Part of the trojan appears to be attached to the userinit.exe
edit: This is what the log shows:

Infection
c:\programdata\gdujiwcdlsmla.exe

Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter->EnabledV8:1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->AntiVirusDisableNotify:0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->FirewallDisableNotify:0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->UpdatesDisableNotify:0
HKEY_USERS\S-1-5-21-1216465043-2391130241-1587470046-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\->DisableTaskMgr:0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\->DisableTaskMgr:0
HKEY_USERS\S-1-5-21-1216465043-2391130241-1587470046-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Associations->LowRiskFileTypes
HKEY_USERS\S-1-5-21-1216465043-2391130241-1587470046-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments->SaveZoneInformation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon->Userinit:C:\Windows\system32\Userinit.exe
HKEY_USERS\S-1-5-21-1216465043-2391130241-1587470046-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\->NoActiveDesktopChanges:0
HKEY_USERS\S-1-5-21-1216465043-2391130241-1587470046-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\->NoSetActiveDesktop:0
HKEY_USERS\S-1-5-21-1216465043-2391130241-1587470046-1000\Software\Microsoft\Internet Explorer\Desktop\General->Wallpaper
HKEY_USERS\S-1-5-21-1216465043-2391130241-1587470046-1001\Software\Microsoft\Internet Explorer\Desktop\General->Wallpaper
HKEY_USERS\S-1-5-21-1216465043-2391130241-1587470046-1002\Software\Microsoft\Internet Explorer\Desktop\General->Wallpaper
HKEY_USERS\S-1-5-21-1216465043-2391130241-1587470046-1000\Software\Microsoft\Internet Explorer\Download->CheckExeSignatures:yes
HKEY_USERS\S-1-5-21-1216465043-2391130241-1587470046-1000\Software\Microsoft\Windows\CurrentVersion\Run->GDUjiwcDlsMLa

Browser Cache


Edited by hamluis, 15 June 2011 - 03:13 PM.
Moved from Vista to Am I Infected.

