
Virus causing log-off immediately after login

March 24, 2011 at 02:36:47
Specs: Windows Server 2003, 1523

Alright guys, our corporate server caught itself a virus. W32.Parite aka W32.Pirite. The longer the virus was resident, the worse things seemed to get.

I've been able to remove it (I THINK!) from two Windows 7 computers; this is a really resilient bitch of a bug!

Now what's going on is, every time I try to log in and attempt to remove the virus, I'm immediately logged back out. This is the case with multiple users. I have no idea how to get around it, but if anyone has any ideas on how I might be able to get around this, please let me know.

In the meantime, I'm going to try and burn a bootable anti-virus CD to see if maybe that will help remedy the issue.

Thanks Guys




#1
March 24, 2011 at 08:56:31

You got yourself a rootkit virus. I hate those. I usually just reimage a computer that has one of these, scan the user's backup files and restore their files.

Do you have system images of your workstations? If not, then your best bet is to back up the users' files and reinstall Windows. Then scan the backup files and restore them.

You might get away with doing a Repair install of Windows to overwrite the infected system files and then do your virus scan. I leave it up to you, because you cannot be sure you got rid of a rootkit virus like that without a complete reinstall.

I would be interested to see what others do in case of a rootkit.

Good Luck.



#2
March 24, 2011 at 12:30:16

Right now I'm running the Dr.Web bootable CD antivirus scan. It's been going at it for hours, and it's just two 64GB 10k SCSI drives. Should it really take this long??? So are you saying that this isn't the Parite virus and that it's a separate rootkit???

I log in, says the usual applying your settings or whatever, then without even showing me my desktop it says, Logging off. I've never seen something so hard to fight against. I thought I was only dealing with one virus here though!

I just hope this long ass scan I'm doing at least lets me log in so I can install some software and run some rootkit programs (if you're right about that part). I thought about doing the Windows repair deal but figured I'd try this first.

There are no backups of the server. If it wasn't a real server with SCSI drives, I'd have plugged them into my PC and had this fixed days ago, but I had to get my hands on a special cable just to hook a monitor up to this SOB because it doesn't have a regular port for a monitor on it. It requires a special cable that breaks out to video, keyboard and mouse.

Blah, I'll let you guys know how I make out... Wish me luck.

J



#3
March 24, 2011 at 12:48:52

"Parite virus and that it's a separate rootkit?"

No, a rootkit is a type of virus like a Trojan, worm, spyware and so on. Rootkit viruses infect your system files like explorer.exe so that they know when you are running an anti-virus and take action. Not only that, if you remove the virus, it has usually infected the Microsoft system file backups and will get restored the next time you reboot. They are a real pain to get rid of, which is why I don't waste my time fighting them; I just re-image. There are some rootkit finders out there that will remove them, and most anti-viruses (when allowed to run) will get rid of them, but sometimes they will take the system files with them and then you cannot boot up any more.

That being said, I would back up your data before you do anything else. If you have an external hard drive to back it up to, that would be better, as that way you can isolate the infection. Then yes, run a virus scan.

You said you ran the virus scan already. I hope you have a backup of your data before you started.

After you get your systems back, DO A DISK IMAGE or SYSTEM STATE BACKUP so you don't have to go through this again. I would do a disk image of all of your workstations as well so if they have a problem you can restore.

Good Luck.



#4
March 24, 2011 at 13:00:21

I don't know how I would get the data off. Like I said I can't even log into the computer, and I don't have any other systems I can plug the SCSI hard drives into.

I'm pretty screwed. Luckily there's only one program's data that is important, so the odds of it destroying that are nil I think, or should I say hope.



#5
March 24, 2011 at 15:03:01

You have no data backups either. :( No tape backups or nothing?


#6
March 24, 2011 at 15:11:07

No. To be honest, I'm a subcontractor IT guy for the company, and they only want to spend money when something breaks. It's not until something like this happens that they see the benefits of some preventative protection and forethought. In this economy, you can't blame them much though.

But agreed, this is something they should have had set up back before the crash. Maybe it's partially my fault for not pushing them hard enough? Hindsight is 20/20 though, right?



#7
March 25, 2011 at 07:51:44

Wow, I guess they will get one now. They do not have to be expensive. A simple 2 TB NAS drive and some backup scripts that back up the system using the built-in Microsoft Scheduler is not a back-breaking purchase. We have four external drives ourselves and I think when it was all said and done it cost us a little less than $1000. If you are just getting one, a 2 TB NAS goes for between $150 and $350. I can't see that as something hard to buy even in this economy. They might want to look into it.

http://www.google.com/search?q=buy%...



#8
March 25, 2011 at 08:24:33

I'm just hoping they don't balk at my $400 invoice for all the time I've spent on this server! I plan to include them with a backup solution in that price, just out of the goodness of my heart, to be honest, really. lol

Once they have some expendable income, we'll look at getting them one of those new 2TB NAS Drives.

Thanks for all your advice, I've finally been able to grab the mission critical files off the server with the help of Hiren's BootCD. Thank god for that wonderful piece of software! God bless Hiren! ;)



#9
March 25, 2011 at 09:51:17

So "Dr.Web" did not clean the virus? But yes, that was going to be my next suggestion, which was to use a Linux boot to at least get their files and then do a reinstall of the server. Looks like you figured it out. :)


#10
March 25, 2011 at 10:02:38

I actually didn't use Linux, I used a nifty little thing Hiren provided called Mini-XP. It allowed me to run SuperAntiSpyware and the Avira text mode scanner. It seemed like more and more copies of the Parite virus kept popping up all over the drives somehow, but one of the utilities in Mini-XP let me copy the files off of the drives onto a thumb drive.

Saved my client's business to a certain extent. I'm playing with SARDU now, making one hell of a bootable DVD with almost every tool made on it.



#11
March 25, 2011 at 13:02:24

I will have to try it out. Thanks for the reply.
