Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Question re: infection on a multi-user system

Started by Longden , Jan 11 2006 10:53 PM

  • Please log in to reply

#1
Longden
Posted 11 January 2006 - 10:53 PM

Longden

    New Member

  • Member
  • Pip
  • 2 posts
I've had a recent go with the SpyAxe malware and its associated trojans on my Windows XP notebook, but all seems OK now for the last few weeks.

My question is regarding virus infections in general which modifies a user's Windows Registry such as what happened on my system.

My understanding is that the registry is NTUSER.DAT in the user's "Documents and Settings" folder. So what happens on a multi-user system (which is almost always the case in XP, where you have "Administrator" and the main user) where there are different copies of the registry. Does each userID's registry get infected in turn as you log into that ID? Or are viruses able to modify the other NTUSER.DAT files without a login?

Is the advice to refrain from changing IDs till the infection is dealt with on the primary ID, or must each ID be "cleaned", in turn ... or is that even necessary if the person never changed IDs from the start of the attack till it was cleaned out (on the one ID)?

Thx.

Longden
  • 0

Advertisements

#2
dsenette
Posted 12 January 2006 - 08:43 AM

dsenette

    Je suis Napoléon!

  • Community Leader
  • 26,047 posts
  • MVP
of course..this isn't a complete explanation..and i'm sure there will be a malware expert to explain a little better...and...i'm going off of my hardware and software knowledge not malware....so i may have an error or two..but i'm pretty sure this is how it works..but...the registry you see in regedit....has a few different parts...most of which are global registry areas hkey_classes_root, hkey_users and hkey_current config..are all global..those affect each user...the hkey_current_user...is just for your logon....a vast majority of the malware out there....targets those global ones...because..in all honesty...if they just targeted a single user on the machine...all you'd have to do is delete that user to get rid of their stuff....not a big deal....where as targeting the global lsections means..no matter who uses the machine...they got the funk... now...this doesn't mean that some malware doesn't just get one user registry section..but most of it goes after the whole machine...their purpose in life...is to make it hard to get rid of their software....
  • 0

#3
Longden
Posted 12 January 2006 - 10:10 AM

Longden

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
OK, I did more research on the Registry and it appears that under XP, the registry is built from several external files (ie, not just NTUSER.DAT). So regedit makes it look like one "hive" but it's actually several, and the software and system pieces (the "global" keys you mentioned) are in a common folder for all users, so you're right that an attack on the global part affects everyone.

My misunderstanding was how that happened because I orginally thought ALL registry information (user and global) were in NTUSER.DAT, but they're not.

Thanks for chiming in. Consider this closed.

Longden
  • 0
Back to Windows XP, 2000, 2003, NT · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Retired Forums
  3. Windows XP, 2000, 2003, NT

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP