Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible trojan preventing log on?


  • Please log in to reply
No replies to this topic

#1 markevens

markevens

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:29 AM

Posted 15 June 2011 - 12:54 AM

I posted this in the Vista forums and later realized there was a trojan that may be causing this problem. Since I've found a trojan, I thought I would post in here too.

So I'm working on a vista machine where 2 user accounts (both with administrative rights) log off just after the log in initiates. As soon as I click the user picture (no passwords) the screen shows "Welcome" with the blue circle. In about 1-2 seconds it changes to "Logging off" then turns black for another 1-2 seconds, and then I'm back at the log in screen.

In safe mode I can log into the accounts no problem, but not when I start normally.

When they brought the computer to me, there was a 3rd account, Administrator, which they told me they had forgotten the password for. I used Offline NT password and registry editor to remove the password for that account, and I can log into that one just fine. There was a 4th, hidden account, Admin, that Offline NT showed. I unlocked it and can log into that one normally as well.

Does anyone know what might be causing this or how I would correct it?

edit: it also has a fake AV trojan on it, the Windows Vista Recovery one.
edit: Part of the trojan appears to be attached to the userinit.exe
edit: This is what the log shows:

Infection c:\programdata\gdujiwcdlsmla.exe Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter->EnabledV8:1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->AntiVirusDisableNotify:0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->FirewallDisableNotify:0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->UpdatesDisableNotify:0 HKEY_USERS\S-1-5-21-1216465043-2391130241-1587470046-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\->DisableTaskMgr:0 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\->DisableTaskMgr:0 HKEY_USERS\S-1-5-21-1216465043-2391130241-1587470046-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Associations->LowRiskFileTypes HKEY_USERS\S-1-5-21-1216465043-2391130241-1587470046-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments->SaveZoneInformation HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon->Userinit:C:\Windows\system32\Userinit.exe HKEY_USERS\S-1-5-21-1216465043-2391130241-1587470046-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\->NoActiveDesktopChanges:0 HKEY_USERS\S-1-5-21-1216465043-2391130241-1587470046-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\->NoSetActiveDesktop:0 HKEY_USERS\S-1-5-21-1216465043-2391130241-1587470046-1000\Software\Microsoft\Internet Explorer\Desktop\General->Wallpaper HKEY_USERS\S-1-5-21-1216465043-2391130241-1587470046-1001\Software\Microsoft\Internet Explorer\Desktop\General->Wallpaper HKEY_USERS\S-1-5-21-1216465043-2391130241-1587470046-1002\Software\Microsoft\Internet Explorer\Desktop\General->Wallpaper HKEY_USERS\S-1-5-21-1216465043-2391130241-1587470046-1000\Software\Microsoft\Internet Explorer\Download->CheckExeSignatures:yes HKEY_USERS\S-1-5-21-1216465043-2391130241-1587470046-1000\Software\Microsoft\Windows\CurrentVersion\Run->GDUjiwcDlsMLa Browser Cache



BC AdBot (Login to Remove)

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users