Spybot 1.6 locking user registry hives

[MrGreg]

Hi Everyone,

I have uncovered an nasty problem with 1.6. I run a weekly scheduled scan using the Administrator account on all of my clients machines. I received several calls this morning from clients saying that they all are receiving the message "Windows cannot find the local profile and is logging you on with a temporary profile." when logging into their limited accounts. Their accounts are limited accounts for security reasons.

I had one of my clients login to the Administrator account to investigate. When we examined the HKEY_USERS hive, we discovered a folder call PE_C_HARVEY. Harvey is the name of the limited user account that is yielding the error message and creating a temporary profile. We unloaded the hive and Harvey was able login with his normal profile. We then checked the scheduled tasks logfile and discovered that the weekly Spybot scan completed successfully with and exit code of 0.

I investigated this further on my machine and discovered that when Spybot runs it creates a folder under HKEY_USERS for each account that is not currently logged in. I assumed that this is done so the immunize and scan functions can process all user accounts on the system. The problem is that when Spybot terminates it is not all ways unloading the temporary hives PE_C_USERNAME that it is creating. Three of my clients also had a folder called PE_C_ALLUSERS in their HKEY_USERS hive. I could reproduce this on my machine but can not understand how this folder would ever be created since the ALLUSERS profile does not even have a registry hive.

I reproduced this problem running Spybot interactively six times in a row closing the program using the red X in the upper right corner. Then I tried terminating the program using File Exit from the menu and the temporary hives were removed. I then went back to closing with the red X and the hives were removed six times in a row. This is very strange and inconsistent behavior.

This problem can be very serious as it will lock the user registy hive forcing Windows to create a temporary profile. A system reboot will not release the hive, you must unload the hive using regedit. This can really mess up the average user that does not understand this stuff. It sounds like this is what happened to ninjat in this recent post...

http://forums.spybot.info/showthread.php?t=33042

The final point that I would like to make is that I did not have any problems with weekly scans using 1.52 with XP Service Pack 2. I updated all of my clients machines to XP Service Pack 3 and Spybot 1.6 at the same time. I am not sure if the SP3 update, or 1.6 or the combination of both is causing this problem. Can anyone else reproduce what I am seeing on multiple systems? Thanks for your support...

[MrGreg]

Can anyone shed some light on this problem? It would be most appreciated.
Thanks for the support..

[MrGreg]

Hi Everyone,

I am still waiting for anyone to reply to this thread. Thanks for the support...

[MrGreg]

Anyone have an answer for me?

[MrGreg]

Hi Everyone,

I keep adding a reply to this post so it will not get lost in the forum. Can anyone assist me with this issue? I would greatly appreciate it. Thanks for the support...

[MrGreg]

Stll waiting on anyone that can shed so light on this one. Thanks...

[md usa spybot fan]

MrGreg:

If you left the thread with a zero (0) reply count rather than bumping the thread daily, perhaps you would have received a reply sooner.

__________

I do not believe that the problem you encountered has anything to do with the loading of user registry hives. The problem is most likely caused because Spybot locks the profile of other user accounts while it is doing a scan and your "clients" are logging on to another user account while the Spybot scan is running.

Because Spybot locks the profile of other user accounts while it is doing a scan, you cannot:

1. Switch users while a Spybot scan is still running.
2. Kill the Spybot scan and then switch users.

If either of these situations occur, reboot the system and everything should return to normal.

[Tivon]

Thank God I'm not the only one having this problem!

I have two people here that have come to me for help on this. Both times I just restored their systems to save myself some time. But then they would go home and run a scan and be right back with me the next day! I figured it was a Trojan or something that might be taking the system down with them once Spybot removed them, but no dice to confirm that because others scanners are working just fine. Kaspersky, Malwarebytes.. Did the SpywareWarriors forum and Found Nothing out of the norm.

Both of these systems have many accounts on their computers. I can confirm that there is no problem without spybot 1.6 on their computers. Just to be safe I've run every scanner there is and found nothing. HiJackThis showed nothing that I could think of that would cause this problem. But sure enough those accounts have been looked from the Registry as decribed above. It seems to happen with the latest Spybot version. After running the spybot scan on their accounts with either Admin or User, they are greeted with the "Temp Profile" even after a full reboot.

If I had to guess Spybot locks parts of the registry while doing scans and malware removel. However at the end of the scan it fails to remove the block on the accounts from the registry, thus causing the Temp Profile problems.

This is a BIG problem for me now! So I'm removing SpyBot S&D from all of these computers that I manage until a comfirmed fix has been done.

If there is anything the Spybot Team needs I'll try to help. Spybot is kickass software and I would like to feel safer using it rather than being scared of it.

P.S. I'm sorry if by me replying to your thread causes this to be bumped again and prolongs the reply of the system admins.

[ajmoyerxr7]

I too can toss in my two cents and say that I'm having the same issue. Didn't start till I downloaded and installed 1.6 TODAY! Been pulling my hair out till I stumbled onto this.

I've got three accounts on this PC, when I've run spybot and then switched to a different user (having let spybot complete its checks and immunizations, and then closing the program) I get a corrupted user profile error, restoring to a previous setpoint seems to take care of this for me, but needless to say I won't be running spybot till it's cleared.

[Bozoleet]

I'm having a similar problem...
After I updated from .5x to .6, scanned and restarted...
the scan didn't show any malware except alexa toolbar...
so it problably isn't related to it...
my computer won't pas by the "blue screen with a windows xp logo" just after the windows xp black loading screen
I guessed that it "deleted" my only user (admin) until I saw this topic
I need some help to fix it...
I have a winxp sp2 install cd with me also