Solved

Windows Server infected Spyware. Can't log on to fix it

Posted on 2015-01-27
Last Modified: 2015-02-07
Tried to follow this link: http://www.2-spyware.com/remove-pirated-software-has-been-detected-virus.html
It's no luck because I can't log on to the server (100% sure the password is right).
So when I selected Safe Mode with Command Prompt, it comes up with an error message.
[Screenshot: IMG-1151.JPG]
One funny thing is: I can use Remote Desktop Connection to log in as Administrator from a workstation.
It comes up with this screen.
[Screenshot: IMG-1150.JPG]
It's locked the screen and I couldn't do anything. I can't even open any exe program such as Task Manager to end the tasks.
I can access files via LAN but can't run any program on the server.
Please help?

OS: Windows SBS Server 2011 essentials
Login as Domain Controller
Question by:Joe_LAI
8 Comments
 
LVL 1

Expert Comment

by:Prasanna Jayaraman
Have you tried shortcuts like Ctrl+Alt+Delete or Windows key + R (Run command)?
 
LVL 1

Assisted Solution

by:Prasanna Jayaraman
Prasanna Jayaraman earned 167 total points
Please have a look at this: http://blog.mitechmate.com/remove-pirated-software-detected-ransomware-guide/

Symptom: When trying to log on to a computer using a non-administrator ID, you may receive this message: "You cannot log on because the logon method you are using is not allowed on this computer. Please see your network administrator for more details."

Case 1: Group Policy's "Allow log on locally" was not set up to allow users or domain users. To allow users or domain users to log on to the computer or domain, you need to add the users or domain users to "Allow log on locally". Please follow these steps to add the users.

1. Run gpedit.msc.
2. Expand Computer Configuration\Windows Settings\Security Settings\Local Policies.
3. Click on User Rights Assignment.
4. Ensure that "Allow log on locally" includes Administrators, Backup Operators, Domain Users or Users.

Case 2: Group Policy's "Deny log on locally" was set up to deny users or domain users. To allow users or domain users to log on to the computer or domain locally, "Deny log on locally" should be empty, with no users or domain users in the list. Please follow these steps to remove the users or domain users from "Deny log on locally".

1. Run gpedit.msc.
2. Expand Windows Settings\Security Settings\Local Policies.
3. Click on User Rights Assignment.
4. Ensure that "Deny log on locally" is empty.

Case 3: The local group policy allows users to log on. However, the domain group policy, which overrides the local policy, doesn't allow users to log on locally. The resolution is to modify the domain policy to allow users to log on locally.

Case 4: The domain policy allows domain users to log on locally, but the local policy doesn't, and the domain policy doesn't apply to the computer. The fix is running gpupdate to force an update of the domain policy.

Case 5: Norton Firewall blocks the communication between the client and the domain controller. The solution is disabling Norton Firewall or re-configuring it to allow access to the domain controller.

Hope it helps!

Source: http://answers.microsoft.com/en-us/windows/forum/windows_7-security/you-cannot-log-on-because-the-logon-method-you-are/b3ef934d-9ccd-40f4-a8e6-af3726d18c93
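As an added example (not part of Prasanna's reply or the linked source), here is a PowerShell script that reads the two user rights Cases 1 and 2 refer to from the local security database, which already reflects any domain policy that has been applied, so it also shows the effect of Cases 3 and 4. It warns when Administrators are missing from the allow list or the deny list is not empty. Run it from an elevated prompt on the affected machine.

```powershell
# Added example, not from the original thread. Reports "Allow log on locally"
# (SeInteractiveLogonRight) and "Deny log on locally" (SeDenyInteractiveLogonRight)
# as currently stored in the local security database. Requires elevation.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Lines in the [Privilege Rights] section look like:
#   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2] -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Turn "*S-1-5-..." SID entries into account names; leave anything unresolvable as-is.
function Resolve-Principal([string]$entry) {
    if ($entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $entry }
    }
    return $entry
}

$allow = @($rights['SeInteractiveLogonRight']     | ForEach-Object { Resolve-Principal $_ })
$deny  = @($rights['SeDenyInteractiveLogonRight'] | ForEach-Object { Resolve-Principal $_ })

"Allow log on locally : $($allow -join ', ')"
"Deny log on locally  : $(if ($deny) { $deny -join ', ' } else { '(empty)' })"

# Case 1 check: Administrators (well-known SID S-1-5-32-544) must be in the allow list.
if ($rights['SeInteractiveLogonRight'] -notcontains '*S-1-5-32-544') {
    Write-Warning 'Administrators are missing from "Allow log on locally".'
}
# Case 2 check: the deny list wins over the allow list, so it should be empty.
if ($deny.Count -gt 0) {
    Write-Warning '"Deny log on locally" is not empty; those principals cannot log on at the console.'
}
```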
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 167 total points
Boot via your installation DVD or other recovery media and open the registry editor:

Boot from the Vista install disk, choose Recovery, and then Command Prompt.
Open the registry editor: regedit
This loads the registry editor with a temporary registry, not the Windows registry from the hard disk.
Select HKEY_LOCAL_MACHINE in the registry tree, and go to the File menu and choose "Load Hive".
Open the registry hive file SOFTWARE from the location: C:\Windows\System32\Config
Give it a random name different to any of the existing names (the name doesn't matter).
Make the necessary changes to the registry hive.

Startup locations:

1. Via startup folders.
C:\Users\[USERNAME]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\All Users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

2. Via registry.

Navigate to any of the following paths according to your requirement, then add a new "String" value and store the path of the program to be run in this value.

For Local Machine:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

For Current User:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Other paths:
HKU\ProgID\Software\Microsoft\Windows\CurrentVersion\Run
systemdrive\Documents and Settings\All Users\Start Menu\Programs\Startup
systemdrive\Documents and Settings\username\Start Menu\Programs\Startup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Ensure that Shell=explorer.exe and Userinit=C:\Windows\system32\userinit.exe,

Select the registry hive you edited, go to File, and choose "Unload Hive".
Then exit the recovery console and restart. The registry should have been changed.

http://bit.ly/15OBjy3 http://bit.ly/15OBsBG
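As an added example (not part of David's reply), here is a PowerShell script that does the same offline hive audit from the command line: it loads the infected system's SOFTWARE hive under a temporary name, compares the Winlogon Shell and Userinit values with the expected ones David gives, lists every machine-wide Run/RunOnce entry, and unloads the hive again. $OfflineWindows and the mount name are assumptions; run it elevated from a second Windows install with the infected disk attached, or from a WinPE that includes PowerShell.

```powershell
# Added example, not from the original thread. Audits an OFFLINE SOFTWARE hive for the
# logon-time persistence points listed above, without booting the infected OS.
$OfflineWindows = 'D:\Windows'   # assumed: drive letter of the infected disk as seen from here
$MountName      = 'OfflineSW'    # temporary hive name; any unused name works

reg load "HKLM\$MountName" "$OfflineWindows\System32\Config\SOFTWARE" | Out-Null
try {
    $base = "HKLM:\$MountName"

    # Winlogon: these two values are what a lock-screen infection typically rewrites
    # so its own program starts instead of the desktop.
    $wl = Get-ItemProperty "$base\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $expected = @{
        Shell    = 'explorer.exe'
        Userinit = 'C:\Windows\system32\userinit.exe,'
    }
    foreach ($name in $expected.Keys) {
        $actual = $wl.$name
        if ($actual -ne $expected[$name]) {
            Write-Warning "Winlogon\$name is '$actual' (expected '$($expected[$name])')"
        } else {
            "Winlogon\$name OK: $actual"
        }
    }

    # Machine-wide Run / RunOnce, including the 32-bit view on 64-bit Windows. Every
    # entry is printed so an unfamiliar program or odd location (AppData, Temp,
    # ProgramData) stands out for review.
    $runKeys = 'Microsoft\Windows\CurrentVersion\Run',
               'Microsoft\Windows\CurrentVersion\RunOnce',
               'Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($rk in $runKeys) {
        $path = "$base\$rk"
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty $path
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
            "{0}\{1} = {2}" -f $rk, $p.Name, $p.Value
        }
    }
}
finally {
    # Drop references to the loaded keys first, otherwise reg unload reports "access denied".
    Remove-Variable wl, props -ErrorAction SilentlyContinue
    [GC]::Collect()
    reg unload "HKLM\$MountName" | Out-Null
}
```

The per-user Run/RunOnce keys live in each profile's NTUSER.DAT; the same reg load / Get-ItemProperty / reg unload pattern works on that file with the key path Software\Microsoft\Windows\CurrentVersion\Run.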
 
LVL 25

Assisted Solution

by:Fred Marshall
Fred Marshall earned 166 total points
A common fix is to boot from a USB drive with HitmanPro.Kickstart on it.
The process can use one of 3 options.
Start with the first option, and be patient to see what happens when booting up, as it may appear that Windows goes ahead and boots, but HitmanPro will run before other things start up.
If the first option does nothing, use the second option, etc.
More details at:
malwaretips.com/blogs/fbi-anti-piracy-warning-moneypak/
 
LVL 5

Expert Comment

by:Sean Jackson
Once you've removed this, I would recommend taking action towards preventing this from happening again. Places to start -- employee training, acceptable use policies. Firewalls. IPS.

You'll get much more bang for your buck starting with employee training.
 

Author Comment

by:Joe_LAI
I used Lazesoft Recovery Suite to boot up Windows Server, but I don't know where the virus files are or which registry edits remove the spyware.
 

Accepted Solution

by:Joe_LAI
Joe_LAI earned 0 total points
Can't fix it. Reinstall the operating system.
 

Author Closing Comment

by:Joe_LAI
Can't fix it. Reinstall the operating system.
