• Status: Solved

Windows Server infected with spyware. Can't log on to fix it

I tried to follow this link: http://www.2-spyware.com/remove-pirated-software-has-been-detected-virus.html
No luck, because I can't log on to the server (100% sure the password is right).
When I selected Safe Mode with command line, an error message comes up.
One funny thing is: I can use Remote Desktop Connection to log in as Administrator from a workstation.
A screen comes up.
It has locked the screen and I couldn't do anything. I can't even open any exe program such as Task Manager to end the tasks.
I can access files via LAN but can't run any program on the server.
Please help?

OS: Windows SBS Server 2011 essentials
Login as Domain Controller
Prasanna Jayaraman commented:
Have you tried shortcuts like Ctrl+Alt+Delete or Windows Key+R (run command)?
Prasanna Jayaraman commented:
Please have a look on this http://blog.mitechmate.com/remove-pirated-software-detected-ransomware-guide/

Symptom: When trying to log on to a computer using a non-administrator ID, you may receive this message: "You cannot log on because the logon method you are using is not allowed on this computer. Please see your network administrator for more details."

Case 1: Group Policy's "Allow log on locally" was not set up to allow users or domain users. To allow users or domain users to log on to the computer or domain, you need to add the users or domain users to "Allow log on locally". Please follow these steps to add the users.
1. Run gpedit.msc.
2. Expand Computer Configuration\Windows Settings\Security Settings\Local Policies
3. Click on User Rights Assignment
4. Ensure that "Allow log on locally" includes Administrators, Backup Operators, Domain Users or Users.
Case 2: Group Policy's "Deny log on locally" was set up to deny users or domain users. To allow users or domain users to log on to the computer or domain locally, "Deny log on locally" should be empty or have no users or domain users in the list. Please follow these steps to remove the users or domain users from "Deny log on locally".
1. Run gpedit.msc.
2. Expand Windows Settings\Security Settings\Local Policies
3. Click on User Rights Assignment
4. Ensure that "Deny log on locally" is empty.
Case 3: The local group policy allows users to log on. However, the domain group policy, which overrides local policy, doesn't allow users to log on locally. The resolution is to modify the domain policy to allow users to log on locally.
Case 4: The domain policy allows domain users to log on locally, but the local policy doesn't, and the domain policy doesn't apply to the computer. The fix is to run gpupdate to force an update of the domain policy.
Case 5: Norton Firewall blocks the communication between the client and the domain controller. The solution is to disable Norton Firewall or reconfigure it to allow access to the domain controller.

Hope It helps!
Source : http://answers.microsoft.com/en-us/windows/forum/windows_7-security/you-cannot-log-on-because-the-logon-method-you-are/b3ef934d-9ccd-40f4-a8e6-af3726d18c93
David Johnson, CD, MVP (Owner) commented:
Boot via your installation DVD or other item.
Open the registry editor.
Boot from Vista install disk, choose recovery, and command prompt.
Open the registry editor: regedit
This loads the registry editor with a temporary registry, not the windows registry from the hard disk.
Select HKEY_LOCAL_MACHINE in the registry tree, and go to the File menu and choose "Load Hive".
Open the registry hive file SOFTWARE from the location: C:\Windows\System32\Config
Give it a random name different to any of the existing names (the name doesn't matter).
Make the necessary changes to the registry hive.

Startup locations:
C:\Users\[USERNAME]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\AllUsers\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2. Via Registry.

Navigate to any of the following path according to your requirement and then add a new “String key” and store path of the Program to be run in this key’s value.

For Local Machine-

For Current User-

Other Paths
systemdrive\Documents and Settings\All Users\Start Menu\Programs\Startup
systemdrive\Documents and Settings\username\Start Menu\Programs\Startup
Ensure that shell=explorer.exe and Userinit=C:\Windows\system32\userinit.exe,

Select the registry hive you edited, go to File, and choose "Unload Hive".
Then exit the recovery console and restart. The registry should have been changed.


http://bit.ly/15OBjy3 http://bit.ly/15OBsBG
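
The offline check described in the post above, written as a batch script for the recovery command prompt. This is an added example, not part of the original thread: the mount name OfflineSW and the drive-letter argument are assumptions, and the expected Shell and Userinit values are the ones given in the post. It only reads the hive and exits with code 1 if either Winlogon value differs.

```batch
@echo off
rem Added example: read-only check of an offline SOFTWARE hive.
setlocal EnableDelayedExpansion

rem Assumption: the Windows volume is C: at the recovery prompt. The letter
rem can differ there, so it may be passed as the first argument (e.g. D:).
set "WINDRV=C:"
if not "%~1"=="" set "WINDRV=%~1"
set "HIVE=%WINDRV%\Windows\System32\Config\SOFTWARE"
rem OfflineSW is an arbitrary temporary name for the loaded hive.
set "MOUNT=HKLM\OfflineSW"
set "WL=%MOUNT%\Microsoft\Windows NT\CurrentVersion\Winlogon"
set "RC=0"

if not exist "%HIVE%" echo Hive not found: %HIVE% & exit /b 2
reg load "%MOUNT%" "%HIVE%" >nul || exit /b 2

rem Expected values are the ones stated in the post above.
call :check Shell "explorer.exe"
call :check Userinit "C:\Windows\system32\userinit.exe,"

rem List autostart entries for manual review.
for %%K in (Run RunOnce) do (
    echo.
    echo == %%K ==
    reg query "%MOUNT%\Microsoft\Windows\CurrentVersion\%%K" 2>nul
)
echo.
echo == Per-user Startup folders ==
for /d %%U in ("%WINDRV%\Users\*") do (
    dir /a /b "%%U\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
)

rem Unload the hive when done, as the post describes.
reg unload "%MOUNT%" >nul
exit /b %RC%

:check
rem First argument = value name, second = expected data (case-insensitive).
set "VAL="
for /f "tokens=2,*" %%A in ('reg query "%WL%" /v %~1 2^>nul ^| findstr /c:"REG_SZ"') do set "VAL=%%B"
if /i "!VAL!"=="%~2" (echo OK      %~1 = !VAL!) else (echo SUSPECT %~1 = !VAL! & set "RC=1")
goto :eof
```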

Fred Marshall (Principal) commented:
A common fix is to boot with a USB drive with HitManPro Kickstart on it.
The process can use one of 3 options.
Start with the first option, be patient to see what happens re: booting up as it may appear that Windows goes ahead and boots but HitManPro will run before other things start up.
If the first option does nothing, use the second option, etc.
More details at:
Sean Jackson (Information Security Analyst) commented:
Once you've removed this, I would recommend taking action towards preventing this from happening again. Places to start -- employee training, acceptable use policies. Firewalls. IPS.

You'll get much more bang for your buck starting with employee training.
Joe_LAI (Author) commented:
I used Lazesoft Recovery Suite to boot up Windows Server, but I don't know where the virus files are or what registry edit to make to remove the spyware.
Joe_LAI (Author) commented:
Can't fix it. Reinstall operating system