Question re: infection on a multi-user system



#1
Longden

    New Member

  • Member
  • Pip
  • 2 posts
I've had a recent go with the SpyAxe malware and its associated trojans on my Windows XP notebook, but all seems OK now for the last few weeks.

My question is regarding virus infections in general that modify a user's Windows Registry, such as what happened on my system.

My understanding is that the registry is NTUSER.DAT in the user's "Documents and Settings" folder. So what happens on a multi-user system (which is almost always the case in XP, where you have "Administrator" and the main user), where there are different copies of the registry? Does each user ID's registry get infected in turn as you log into that ID? Or are viruses able to modify the other NTUSER.DAT files without a login?

Is the advice to refrain from changing IDs till the infection is dealt with on the primary ID, or must each ID be "cleaned" in turn ... or is that even necessary if the person never changed IDs from the start of the attack till it was cleaned out (on the one ID)?

Thanks.

Longden



#2
dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
Of course, this isn't a complete explanation, and I'm sure there will be a malware expert to explain it a little better. I'm going off my hardware and software knowledge, not malware, so I may have an error or two, but I'm pretty sure this is how it works.

The registry you see in regedit has a few different parts, most of which are global registry areas: HKEY_CLASSES_ROOT, HKEY_USERS and HKEY_CURRENT_CONFIG are all global; those affect each user. HKEY_CURRENT_USER is just for your logon.

A vast majority of the malware out there targets those global ones because, in all honesty, if they just targeted a single user on the machine, all you'd have to do is delete that user to get rid of their stuff, not a big deal, whereas targeting the global sections means no matter who uses the machine, they got the funk.

Now, this doesn't mean that some malware doesn't just get one user's registry section, but most of it goes after the whole machine. Their purpose in life is to make it hard to get rid of their software.

#3
Longden

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
OK, I did more research on the Registry, and it appears that under XP the registry is built from several external files (i.e., not just NTUSER.DAT). So regedit makes it look like one "hive", but it's actually several, and the software and system pieces (the "global" keys you mentioned) are in a common folder for all users, so you're right that an attack on the global part affects everyone.

My misunderstanding was how that happened, because I originally thought ALL registry information (user and global) was in NTUSER.DAT, but it isn't.

Thanks for chiming in. Consider this closed.

Longden
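Editor's note with an added example (not code from either poster): the two replies above describe how the hives fit together. The machine-wide hives (SOFTWARE, SYSTEM, SAM, SECURITY) live in %SystemRoot%\System32\config and appear as HKEY_LOCAL_MACHINE; each account's NTUSER.DAT appears under HKEY_USERS\<SID> while that account is logged on, and HKEY_CURRENT_USER is just an alias to the current one. The practical consequence for the original question is that an administrator (and therefore any malware running as one) can load another profile's NTUSER.DAT with reg.exe or RegLoadKey without that user ever logging on, so checking only the account that was active during the infection is not enough. The script below, assuming PowerShell 2.0 or later (available for XP via the Windows Management Framework) and an administrator console, lists the Run/RunOnce autostart entries in HKLM, in every loaded user hive, and in the NTUSER.DAT of every profile that is not currently loaded. The PSDrive name HKU and the temporary hive name GtgScan are arbitrary choices made for this example.

```powershell
# Added example (not from the thread): enumerate Run/RunOnce autostart entries in
# the machine-wide SOFTWARE hive (HKLM) and in every user's NTUSER.DAT hive,
# including hives of profiles that are not logged on (loaded temporarily via reg.exe).
# Assumes an administrator console and the default XP profile layout; 'HKU' (PSDrive)
# and 'GtgScan' (temporary hive name) are arbitrary names chosen for this example.

$runSubkeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
              'Software\Microsoft\Windows\CurrentVersion\RunOnce'

# PowerShell ships HKLM: and HKCU: drives only; map HKEY_USERS ourselves.
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-RunEntries {
    param([string]$HiveRoot, [string]$Scope)
    foreach ($sub in $runSubkeys) {
        $key = "$HiveRoot\$sub"
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($v in $values.PSObject.Properties) {
            # Skip the provider's own bookkeeping properties (PSPath, PSParentPath, ...).
            if ($v.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            New-Object PSObject -Property @{
                Scope = $Scope; Key = $key; Name = $v.Name; Command = $v.Value
            }
        }
    }
}

$results = @()

# 1. Machine-wide entries: these run for every account that logs on.
$results += Get-RunEntries -HiveRoot 'HKLM:' -Scope 'all users (SOFTWARE hive)'

# 2. Per-user entries. ProfileList maps each account SID to its profile folder;
#    a SID present under HKEY_USERS means that NTUSER.DAT is currently loaded.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
foreach ($p in Get-ChildItem $profileList) {
    $sid = $p.PSChildName
    $dir = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $p.PSPath).ProfileImagePath)

    if (Test-Path "HKU:\$sid") {
        $results += Get-RunEntries -HiveRoot "HKU:\$sid" -Scope "user $dir (loaded)"
        continue
    }

    $hiveFile = Join-Path $dir 'NTUSER.DAT'
    if (-not (Test-Path $hiveFile)) { continue }

    # Profile not logged on: load its hive file under a temporary name, inspect, unload.
    # This is the same operation malware with admin rights can perform to plant entries.
    & reg.exe load 'HKU\GtgScan' $hiveFile 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "could not load $hiveFile"; continue }
    try {
        $results += Get-RunEntries -HiveRoot 'HKU:\GtgScan' -Scope "user $dir (offline hive)"
    } finally {
        [GC]::Collect()   # release the provider's open key handles, or unload fails
        & reg.exe unload 'HKU\GtgScan' 2>&1 | Out-Null
    }
}

$results | Sort-Object Scope, Name | Format-Table Scope, Name, Command -AutoSize
```

Run it once from the cleaned account and compare the "offline hive" rows against the loaded ones: an entry that appears only under one profile's NTUSER.DAT is the per-user case dsenette mentions, while an entry under the SOFTWARE hive fires for every account. The script only reads Run and RunOnce; other persistence locations (services, Winlogon notify, browser helper objects) live in the same hives and can be checked the same way by extending $runSubkeys.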
