Solved

computer is locked! virus? group policy issue?

Posted on 2009-12-27
Medium Priority
899 Views
Last Modified: 2013-12-06
After I log in, no program will run in normal mode: no icons on my desktop, I can't run Task Manager, cannot access services, cannot run gpedit.msc, nothing!
The same happens in ** safe mode **: the only thing I can do is run the task manager (in my case, it is Process Explorer from Sysinternals).
From there I can use File->Run, but still I cannot run cmd, regedit, nothing...
cmd will open for a second and close; the same goes for regedit and any other application.
The only thing I could do is reinstall SP2 (I had the setup file on my disk), but this won't change a thing.
If it's a virus, I have read that ComboFix cannot be run in safe mode... *sigh* Also no internet access..
What can I do?
Question by:KobiK
18 Comments
 
LVL 12

Expert Comment

by:jazzIIIlove
ID: 26127092
It's better to boot the machine with a CD having some toolkits in it.

http://www.avira.com/en/support/support_downloads.html

There are other solutions concerning this. Btw, I had ComboFix run in safe mode before.

Best regards.
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 1000 total points
ID: 26127097
Check if there are any suspicious random processes showing in Process Explorer, like a random-numbers process, and kill it.

ComboFix is designed to be run in normal mode, but it can be run in safe mode if normal mode is not an option.

If you rename regedit.exe to regedit.com, does it run?

Try running these to fix any policies invoked by nasties.

1. Download this zipfile to your desktop. It's one of the policies corrected.
Unzip it, then right-click the "VArestorepolicies.inf" and select "Install".
http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip

2. These policies are sometimes caused by nasties.
Download "VArestorepolicies.zip" to fix it and show us a HijackThis log to check.
Unzip it, then right-click the "VArestorepolicies.inf" and select "Install".
http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip

Also run TDSSKiller in case the TDSS rootkit is present:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete"; you can also just hit "Enter" without typing anything and the scan will continue...
The user can then post the log to be analyzed.
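The two manual checks in this answer (which policy values a locker has set, and whether a random-numbers process is running) can be done in one pass from a console. The PowerShell below is an added example written for this page; it is not part of the thread and is not the content of the linked VArestorepolicies.inf (that file is not shown here). It assumes the standard Windows policy value names (DisableTaskMgr, DisableRegistryTools, NoDesktop, NoRun) and the Image File Execution Options key, which is also why the regedit.com rename above can work: an IFEO "Debugger" entry only matches the registered image name. By default the script only reports; it removes entries only when run with -Fix.

```powershell
# Added example (not from the thread or any tool it links). Audits the policy
# values that lockers commonly set to disable Task Manager / regedit / the
# desktop, IFEO "Debugger" hijacks, and digit-only process names.
# Run from an elevated PowerShell prompt; pass -Fix to remove what it finds.
param([switch]$Fix)

# Standard Windows policy values (assumed well known; HKCU covers the account
# running this script, HKLM covers every account on the machine).
$PolicyValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDesktop' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' }
)

foreach ($p in $PolicyValues) {
    # Missing values are normal on a clean box, so suppress "not found" errors.
    $v = Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.($p.Name) -ne 0) {
        Write-Output ("POLICY  {0}\{1} = {2}" -f $p.Key, $p.Name, $v.($p.Name))
        if ($Fix) { Remove-ItemProperty -Path $p.Key -Name $p.Name }
    }
}

# IFEO: a Debugger value under <image>.exe makes Windows start that "debugger"
# instead of the real program, one way taskmgr.exe can be killed as it opens.
$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $Ifeo | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        Write-Output ("IFEO    {0} -> {1}" -f $_.PSChildName, $dbg)
        if ($Fix) { Remove-ItemProperty -Path $_.PSPath -Name Debugger }
    }
}

# The "random numbers process" from the answer: image names made only of digits.
Get-Process | Where-Object { $_.ProcessName -match '^\d+$' } | ForEach-Object {
    Write-Output ("PROC    {0} (PID {1}) {2}" -f $_.ProcessName, $_.Id, $_.Path)
}
```

Run it first without -Fix and read the three report lines (POLICY, IFEO, PROC); review each IFEO entry before removing it, since legitimate debuggers and some security products register themselves the same way. It needs a console that stays open, so on a machine in the state described in the question it is something to run after the lock has been broken (for instance from another administrator account or after a repair), not from the locked session.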
 
LVL 1

Expert Comment

by:Bitbull
ID: 26127099
You could try to boot your PC from a Linux live CD (Ubuntu), back up your data, and reinstall your Windows (a clean format is the most sure solution, I think).
 
LVL 1

Expert Comment

by:czelik
ID: 26127100
What happens when you do Ctrl-Alt-Del in regular mode? Do you get a message?
 
LVL 5

Author Comment

by:KobiK
ID: 26127132
czelik: I get the standard security window, i.e. "log off", "shut down", "task manager".
Hitting the task manager won't do anything.

Bitbull: formatting my disk is my last option, which I want to avoid.

rpggamergirl: not sure I'll be able to run this from my disk-on-key in safe mode, but I'll give it a try.

jazzIIIlove: I'm not sure if ComboFix will even run... also, I've noticed it downloads files from the internet when it executes (I've tested it on another computer).
 
LVL 12

Expert Comment

by:jazzIIIlove
ID: 26127171
As in the link, http://www.bleepingcomputer.com/combofix/how-to-use-combofix
ComboFix may try to connect to the net if you don't have the Recovery Console on your machine. If you don't have it installed, you may install it manually later or may skip it. I recommend running it in safe mode.

Best regards.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 26127197
"I've noticed it downloads file from the internet when it executes (I've e tested it on other computer)"
When ComboFix notices that the Recovery Console is not installed in the system, it will download files, but you can skip that if RC is already installed... you can also skip that even if RC is not installed, but it's recommended to have RC installed because there are some infections that ComboFix will not attempt to remove unless RC is installed.
You can also manually install RC using the Windows CD.
 
LVL 5

Author Comment

by:KobiK
ID: 26127205
I will try to run ComboFix later on when I'm back home from the office.
I only strongly doubt it will even run (as I said, I cannot run 99% of programs, except only Notepad)...
 
LVL 5

Author Comment

by:KobiK
ID: 26130576
After running ComboFix, I am now at the situation that I cannot even launch the task manager in safe mode. :/
All I have is a black screen in safe mode. I can only stare at it...
 
LVL 1

Expert Comment

by:czelik
ID: 26131024
 
LVL 5

Author Comment

by:KobiK
ID: 26131224
czelik: will I need to reinstall all my drivers again after that?
 
LVL 1

Assisted Solution

by:czelik
czelik earned 1000 total points
ID: 26132660
No, you only have to reinstall all drivers if you reinstall the operating system. What I suggested was a Windows repair. The Windows CD gives you the options to 1) install a new operating system, 2) reinstall the operating system (which overwrites the complete operating system, and you therefore have to reinstall all the drivers), 3) repair Windows, which means that it backs up all settings, replaces all Windows files and then restores all your settings.

You have to make sure to follow these steps:

1. Boot from disk. When you get to the first screen with options, press Enter to install an operating system.
http://www.raymond.cc/images/repair-windows-xp-screen1.png

2. Press F8 to accept the Windows licensing agreement, then it will automatically start looking for the operating system installed.
3. When you get to the next screen, make sure to select the operating system installed. MAKE SURE TO SELECT REPAIR by pressing R!
http://www.raymond.cc/images/r-key-to-repair-windows-xp.png

Sometimes your operating system is so corrupt that it won't find the operating system; I therefore stress to make sure you select your operating system and click repair.

Hope this helps!
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 26134408
Did ComboFix produce a logfile?

Are you saying that after ComboFix successfully ran and rebooted, you now get a black screen in safe mode?
What about normal mode?

Did you get to install Recovery Console?
Do you have the windows CD?
 
LVL 5

Author Comment

by:KobiK
ID: 26137541
Hi rpggamergirl,
>> Are you saying that after ComboFix successfully run and when it reboots you now get a black screen in safe mode?

Yes, with no option to execute the task manager.
Same for normal mode: I see the wallpaper, but no desktop icons, and cannot execute the task manager.

I'm now in the middle of the repair process. I'll give that a shot;
if that won't help, I'm gonna paint this computer blue and throw it into the sea.
:-P

I really appreciate all your help here!
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 26137703
I assume that you didn't get to install the Recovery Console?

If you have the windows CD you can boot from it, then you can use ComboFix backup via Recovery Console to undo what happened, to put the system back exactly before CF was run.
 
LVL 5

Author Comment

by:KobiK
ID: 26141554
OK, after installing the Windows repair, I could enter safe mode and actually browse my computer.
But the task manager is disabled (I've managed to enable it via VArestorepolicies.inf),
and if I try to run it or "Process Explorer" (or any other process), a pop-up window comes up, "kills" the task manager process, and I can see a large window written in Cyrillic or another language I cannot understand. I can see it's counting down (now about 2:50 hr left) and I can read the words "download master" and "sms" (I guess it prompts me to send an SMS and enter some kind of token).
It seems that the only process I can execute is Notepad (tried to rename PE to notepad.exe, won't work).
I guess it's a strong virus, never seen anything like that before, but googling didn't give me any results.
ComboFix obviously did not fix it, neither did booting from the Avira Linux-based CD and scanning for viruses...

Any ideas how to defeat this virus?
 
LVL 3

Expert Comment

by:kart4578
ID: 26142604
The following are the options available for you.
1. Log in to safe mode with networking; you can run an online scanner.
2. Create a security boot CD and scan for viruses.
3. Otherwise, try to install Webroot Internet Security or G Data Internet Security.

Finally, use Advanced System Optimizer to repair the registry files. I am sure it will fix your problem. Thanks, kart4578