After entering your password, Windows XP logs you off again. You can briefly see it logging on and loading your settings, then logging off and saving your settings. This is usually caused by malware that replaces the userinit.exe file in Windows or changes the Winlogon Userinit registry value (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit) so that it points to a different program. The usual workarounds restore the userinit.exe file and/or fix that registry value. In this case none of the given workarounds were successful. I was able to boot the computer into safe mode, but even then re-checking the registry values for userinit.exe did not reveal anything abnormal.
So I tried using Autoruns to find out whether some service or process was being started automatically when the system boots. Things were a bit more complicated because I only had remote access to the computer. I was able to enable RDP remotely to test whether logon works. Before I could use RDP I had to disable the Windows firewall, by starting compmgmt.msc and connecting it remotely to the machine. Then I used PsExec to run autorunsc (the console version of Autoruns). Make sure you add the "-accepteula" option:
C:\Dokumente und Einstellungen\Administrator>"C:\Dokumente und Einstellungen\Administrator\Desktop\PsTools\PsExec.exe" -c \\name-of-pc "C:\temp\autorunsc.exe" -accepteula -a > a.txt
This runs autorunsc.exe remotely on "name-of-pc" and dumps everything into the file a.txt. Inspecting the output dump, I found something suspicious:
userinit.exe
utqgkzuldd.exe
c:\windows\system32\utqgkzuldd.exe
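Reading a full autorunsc dump by eye is error-prone, so here is an added example (my own code, not from the original post) that scans autorunsc output for exactly this kind of finding. It assumes the dump was produced as CSV (autorunsc -a -c) and that the column names "Entry Location", "Image Path" and "Launch String" are present; the sample CSV embedded below is constructed to mirror the case above, with the exact column layout and the second Userinit row being assumptions. Two checks are applied: the Winlogon Userinit location must run nothing but the real userinit.exe, and since the Userinit value is a comma-separated list of programs, the whole launch string is parsed rather than just its first entry, so a value that merely starts with the legitimate path is still caught. A heuristic for machine-generated file names such as utqgkzuldd.exe is included as a general check across all entries.

```python
"""Added example: flag a tampered Winlogon Userinit entry in autorunsc CSV output."""
import csv
import io
import ntpath

# Location autoruns reports for the value Winlogon runs at logon.
USERINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
# The only program that should be listed there on a clean Windows XP system.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample (assumed column layout of 'autorunsc -c'); real output
# has many more rows. Row 2 mirrors the finding in the post above.
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Profile,Description,Company,Image Path,Version,Launch String
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit,userinit.exe,enabled,Winlogon,System-wide,Userinit Logon Application,Microsoft Corporation,c:\windows\system32\userinit.exe,5.1.2600.5512,"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\utqgkzuldd.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit,utqgkzuldd.exe,enabled,Winlogon,System-wide,,,c:\windows\system32\utqgkzuldd.exe,,"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\utqgkzuldd.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe,enabled,Logon,System-wide,CTF Loader,Microsoft Corporation,c:\windows\system32\ctfmon.exe,5.1.2600.5512,C:\WINDOWS\system32\ctfmon.exe
"""


def parse_autoruns_csv(text):
    """Return the autorunsc rows as dicts keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(text)))


def userinit_programs(launch_string):
    """Split a Userinit value into the programs Winlogon will start.

    The value is a comma-separated list; the trailing comma Windows writes
    by default is normal and yields no extra program.
    """
    return [p.strip() for p in launch_string.split(",") if p.strip()]


def looks_random(basename):
    """Heuristic for generated names: long, few vowels, rare letters (q x z j)."""
    stem = basename.lower().rsplit(".", 1)[0]
    if len(stem) < 8 or not stem.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in stem)
    rare = sum(c in "qxzj" for c in stem)
    return vowels / len(stem) < 0.3 and rare >= 1


def find_suspicious(rows):
    """Return (reason, path) findings, de-duplicated, in dump order."""
    findings = []

    def add(reason, path):
        if (reason, path) not in findings:
            findings.append((reason, path))

    for row in rows:
        image = row.get("Image Path", "").lower()
        if row.get("Entry Location", "").lower() == USERINIT_KEY.lower():
            if image != EXPECTED_USERINIT:
                add("userinit points to unexpected image", image)
            # Check every program in the value, not just the first one.
            for prog in userinit_programs(row.get("Launch String", "")):
                if prog.lower() != EXPECTED_USERINIT:
                    add("extra program in Userinit value", prog.lower())
        if looks_random(ntpath.basename(image)):
            add("random-looking image name", image)
    return findings


if __name__ == "__main__":
    for reason, path in find_suspicious(parse_autoruns_csv(SAMPLE_CSV)):
        print(f"{reason}: {path}")
```

On the sample the script reports the utqgkzuldd.exe image three times (as an unexpected Userinit image, as an extra program in the Userinit value, and as a random-looking name) and stays silent on ctfmon.exe. The name heuristic is deliberately loose; treat it as a prompt to look at the file, not as proof of infection.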
Checking the filesystem revealed that there was indeed such a file in system32. Deleting or renaming the file was not possible because it was locked by an open file handle. Starting Process Explorer showed that csrss.exe had a handle open on that file. I closed the handle and was then able to rename the utqgkzuldd.exe file. After that I was able to log in successfully.
Inspection of the utqgkzuldd.exe file revealed that it was a trojan horse, detected as W32.Qakbot!gen3.