Solved

Windows Server infected with spyware. Can't log on to fix it

Posted on 2015-01-27
Last Modified: 2015-02-07
Tried to follow this link: http://www.2-spyware.com/remove-pirated-software-has-been-detected-virus.html
No luck, because I can't log on to the server (100% sure the password is right).
So when I selected Safe Mode with Command Prompt, it comes up with an error message.
[attached image: IMG-1151.JPG]
One funny thing is: I can use Remote Desktop Connection to log in as Administrator from a workstation.
It comes up with this screen.
[attached image: IMG-1150.JPG]
It's locked the screen and I couldn't do anything. I can't even open any exe program such as Task Manager to end the tasks.
I can access files via LAN but can't run any program on the server.
Please help?

OS: Windows SBS Server 2011 essentials
Login as Domain Controller
Question by:Joe_LAI
8 Comments
 
LVL 1

Expert Comment

by:Prasanna Jayaraman
ID: 40572495
Have you tried shortcuts like Ctrl+Alt+Delete or Windows Key+R (Run command)?
0
 
LVL 1

Assisted Solution

by:Prasanna Jayaraman
Prasanna Jayaraman earned 167 total points
ID: 40572517
Please have a look at this: http://blog.mitechmate.com/remove-pirated-software-detected-ransomware-guide/

Symptom: When trying to log on to a computer using a non-administrator ID, you may receive this message: "You cannot log on because the logon method you are using is not allowed on this computer. Please see your network administrator for more details."

Case 1: Group Policy's "Allow log on locally" was not set up to allow users or domain users. To allow users or domain users to log on to the computer or domain, you need to add the users or domain users to "Allow log on locally". Please follow these steps to add the users.

1. Run gpedit.msc.
2. Expand Computer Configuration\Windows Settings\Security Settings\Local Policies
3. Click on User Rights Assignment
4. Ensure that "Allow log on locally" includes Administrators, Backup Operators, Domain Users or Users.

Case 2: Group Policy's "Deny log on locally" was set up to deny users or domain users. To allow users or domain users to log on to the computer or domain locally, "Deny log on locally" should be empty, with no users or domain users in the list. Please follow these steps to remove the users or domain users from "Deny log on locally".

1. Run gpedit.msc.
2. Expand Windows Settings\Security Settings\Local Policies
3. Click on User Rights Assignment
4. Ensure that "Deny log on locally" is empty.

Case 3: The local group policy allows users to log on. However, the domain group policy, which overrides the local policy, doesn't allow users to log on locally. The resolution is to modify the domain policy to allow users to log on locally.

Case 4: The domain policy allows domain users to log on locally, but the local policy doesn't, and the domain policy doesn't apply to the computer. The fix is running gpupdate to force an update of the domain policy.

Case 5: Norton Firewall blocks the communication between the client and the domain controller. The solution is disabling Norton Firewall or reconfiguring it to allow access to the domain controller.

Hope it helps!

Source: http://answers.microsoft.com/en-us/windows/forum/windows_7-security/you-cannot-log-on-because-the-logon-method-you-are/b3ef934d-9ccd-40f4-a8e6-af3726d18c93
0
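The five cases above all come down to who currently holds, or is denied, the "Allow log on locally" right after local and domain policy are merged. The following PowerShell script is an added example, not part of the thread or of the Microsoft Answers post it quotes: it exports the effective user-rights assignment with secedit (a built-in tool) and lists the accounts in both rights, so the cases can be checked in one pass instead of by clicking through gpedit.msc. It assumes it runs elevated on a machine you can still sign in to (a domain member that shows the error, or the DC itself once a session is possible); the temporary export path is an assumption.

```powershell
# Added example: list who is allowed / denied "Allow log on locally" on this machine.
# Runs elevated. The export file path below is an arbitrary choice.
$cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed; run this from an elevated prompt" }

# Privilege constants as they appear in the export, mapped to the names gpedit shows.
$rights = [ordered]@{
    SeInteractiveLogonRight     = 'Allow log on locally'
    SeDenyInteractiveLogonRight = 'Deny log on locally'
}

# Entries are stored as *SID; translate each to an account name where the SID resolves.
function Resolve-RightEntry([string]$entry) {
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*')) { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $entry }   # unresolvable SID (deleted or foreign account): keep raw
}

$lines = Get-Content -Path $cfg
foreach ($const in $rights.Keys) {
    $line = $lines | Where-Object { $_ -like "$const*" } | Select-Object -First 1
    $members = @()
    if ($line) {
        $members = ($line -split '=', 2)[1] -split ',' | ForEach-Object { Resolve-RightEntry $_ }
    }
    [pscustomobject]@{
        Right   = $rights[$const]
        Members = if ($members.Count) { $members -join ', ' } else { '<empty>' }
    }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
```

A populated "Deny log on locally" (case 2) or an "Allow log on locally" list missing the expected groups (case 1) is visible directly in the output; if the output looks right on the DC but wrong on the member, that is case 3 or 4, and gpupdate /force followed by a re-run shows whether the domain policy is now applied. Because the script only reads the exported policy, it is safe to run repeatedly while narrowing the cause down.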
 
LVL 79

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 167 total points
ID: 40572574
Boot via your installation DVD or other item and open the registry editor:
Boot from the Vista install disk, choose Recovery, and then Command Prompt.
Open the registry editor: regedit
This loads the registry editor with a temporary registry, not the Windows registry from the hard disk.
Select HKEY_LOCAL_MACHINE in the registry tree, and go to the File menu and choose "Load Hive".
Open the registry hive file SOFTWARE from the location: C:\Windows\System32\Config
Give it a random name different to any of the existing names (the name doesn't matter).
Make the necessary changes to the registry hive.

Startup locations:
C:\Users\[USERNAME]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\AllUsers\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Via the Registry:

Navigate to any of the following paths according to your requirement and then add a new "String key" and store the path of the program to be run in this key's value.

For Local Machine:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

For Current User:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Other paths:
HKU\ProgID\Software\Microsoft\Windows\CurrentVersion\Run
systemdrive\Documents and Settings\All Users\Start Menu\Programs\Startup
systemdrive\Documents and Settings\username\Start Menu\Programs\Startup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Ensure that Shell=explorer.exe and Userinit=C:\Windows\system32\userinit.exe,

Select the registry hive you edited, go to File, and choose "Unload Hive".
Then exit the recovery console and restart. The registry should have been changed.

http://bit.ly/15OBjy3 http://bit.ly/15OBsBG
0
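The lock-screen behaviour described in the question (a full-screen window at logon, no Task Manager) is typically produced through exactly the Winlogon Shell/Userinit values and Run keys listed in the procedure above. This PowerShell script is an added example, not code from the thread: it performs the same hive-load inspection from a recovery environment or a clean machine, compares Shell and Userinit against the values the comment gives as correct, and lists every Run/RunOnce entry for review, then unloads the hive again. It assumes the infected system volume is mounted as D: and the script runs elevated; the mount name OfflineSW is arbitrary, as the comment notes.

```powershell
# Added example: audit autostart locations in an OFFLINE SOFTWARE hive.
# Assumptions: elevated session, infected system volume mounted as D:,
# mount name 'OfflineSW' chosen freely (any unused name works).
param(
    [string]$HivePath  = 'D:\Windows\System32\Config\SOFTWARE',
    [string]$MountName = 'OfflineSW'
)

# Values the comment above states a clean Winlogon key should carry.
$expectedWinlogon = @{
    Shell    = 'explorer.exe'
    Userinit = 'C:\Windows\system32\userinit.exe,'
}

& reg.exe load "HKLM\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $HivePath (is the volume mounted and the session elevated?)" }

try {
    $root     = "HKLM:\$MountName\Microsoft\Windows"
    $winlogon = Get-ItemProperty -Path "$root NT\CurrentVersion\Winlogon"

    # Shell / Userinit: anything other than the expected value is a hijack candidate.
    foreach ($name in $expectedWinlogon.Keys) {
        $actual = [string]$winlogon.$name
        $status = if ($actual -eq $expectedWinlogon[$name]) { 'OK' } else { 'SUSPICIOUS' }
        [pscustomobject]@{ Location = "Winlogon\$name"; Value = $actual; Status = $status }
    }

    # Run / RunOnce: every value here starts a program at logon, so list all of them.
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "$root\CurrentVersion\$sub"
        if (-not (Test-Path -Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # drop PowerShell's own PSPath etc.
            ForEach-Object {
                [pscustomobject]@{ Location = "$sub\$($_.Name)"; Value = $_.Value; Status = 'REVIEW' }
            }
    }
}
finally {
    # Release PowerShell's handle on the key, then detach the hive so the volume can be booted.
    [gc]::Collect()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Only the machine-wide SOFTWARE hive is covered; the HKEY_CURRENT_USER Run/RunOnce entries from the comment live in each profile's NTUSER.DAT (C:\Users\<name>\NTUSER.DAT), which can be loaded and checked the same way. Anything flagged SUSPICIOUS or an unfamiliar REVIEW entry is what the comment tells you to edit back to the expected value or remove before unloading.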
 
LVL 25

Assisted Solution

by:Fred Marshall
Fred Marshall earned 166 total points
ID: 40572802
A common fix is to boot with a USB drive with HitmanPro.Kickstart on it.
The process can use one of 3 options.
Start with the first option, and be patient to see what happens re: booting up, as it may appear that Windows goes ahead and boots, but HitmanPro will run before other things start up.
If the first option does nothing, use the second option, etc.
More details at:
malwaretips.com/blogs/fbi-anti-piracy-warning-moneypak/
0
 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40572847
Once you've removed this, I would recommend taking action towards preventing this from happening again. Places to start: employee training, acceptable use policies, firewalls, IPS.

You'll get much more bang for your buck starting with employee training.
0
 

Author Comment

by:Joe_LAI
ID: 40572875
I used Lazesoft Recovery Suite to boot up Windows Server, but I don't know where the virus files are or which registry edits remove the spyware.
0
 

Accepted Solution

by:Joe_LAI
Joe_LAI earned 0 total points
ID: 40583710
Can't fix it. Reinstalling the operating system.
0
 

Author Closing Comment

by:Joe_LAI
ID: 40595390
Can't fix it. Reinstalling the operating system.
0
