Solved

Windows Server infected Spyware. Can't log on to fix it

Posted on 2015-01-27
Last Modified: 2015-02-07
Tried to follow this link: http://www.2-spyware.com/remove-pirated-software-has-been-detected-virus.html
No luck, because I can't log on to the server (100% sure the password is right).
So when I selected Safe Mode with Command Prompt, it comes up with an error message.
(attached screenshot: IMG-1151.JPG)
One funny thing is: I can use Remote Desktop Connection to log in as Administrator from a workstation.
It comes up with this screen.
(attached screenshot: IMG-1150.JPG)
It's locked the screen and I couldn't do anything. I can't even open any exe program such as Task Manager to end the tasks.
I can access files via LAN but can't run any program on the server.
Please help?

OS: Windows SBS Server 2011 Essentials
Login as Domain Controller
Question by:Joe_LAI
8 Comments
 
LVL 1

Expert Comment

by:Prasanna Jayaraman
ID: 40572495
Have you tried shortcuts like Ctrl+Alt+Delete or Windows key+R (Run command)?
 
LVL 1

Assisted Solution

by:Prasanna Jayaraman
Prasanna Jayaraman earned 167 total points
ID: 40572517
Please have a look at this: http://blog.mitechmate.com/remove-pirated-software-detected-ransomware-guide/

Symptom: When trying to log on to a computer using a non-administrator ID, you may receive this message: "You cannot log on because the logon method you are using is not allowed on this computer. Please see your network administrator for more details."

Case 1: Group Policy's "Allow log on locally" was not set up to allow users or domain users. To allow users or domain users to log on to the computer or domain, you need to add the users or domain users to "Allow log on locally". Please follow these steps to add the users.

1. Run gpedit.msc.
2. Expand Computer Configuration\Windows Settings\Security Settings\Local Policies.
3. Click on User Rights Assignment.
4. Ensure that "Allow log on locally" includes Administrators, Backup Operators, Domain Users or Users.

Case 2: Group Policy's "Deny log on locally" was set up to deny users or domain users. To allow users or domain users to log on to the computer or domain locally, "Deny log on locally" should be empty, with no users or domain users in the list. Please follow these steps to remove the users or domain users from "Deny log on locally".

1. Run gpedit.msc.
2. Expand Windows Settings\Security Settings\Local Policies.
3. Click on User Rights Assignment.
4. Ensure that "Deny log on locally" is empty.

Case 3: The local group policy allows the user to log on. However, the domain group policy, which overrides local policy, doesn't allow users to log on locally. The resolution is to modify the domain policy to allow users to log on locally.

Case 4: The domain policy allows domain users to log on locally, but the local policy doesn't and the domain policy doesn't apply to the computer. The fix is running gpupdate to force an update of the domain policy.

Case 5: Norton Firewall blocks the communication between the client and the domain controller. The solution is disabling Norton Firewall or reconfiguring it to allow access to the domain controller.

Hope it helps!

Source: http://answers.microsoft.com/en-us/windows/forum/windows_7-security/you-cannot-log-on-because-the-logon-method-you-are/b3ef934d-9ccd-40f4-a8e6-af3726d18c93
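Cases 1 to 4 above are all checks on the same two user rights, SeInteractiveLogonRight ("Allow log on locally") and SeDenyInteractiveLogonRight ("Deny log on locally"). The following PowerShell script is an added example and is not from this thread or from the linked posts: it exports the effective local security policy with secedit.exe and prints who holds and who is denied the interactive logon right, translating SIDs to account names. It assumes an elevated prompt on a machine that still boots to a desktop (it does not help with the locked screen in the question); the export file name user-rights-export.inf and the Resolve-Principal helper are my own, and nothing is modified.

```powershell
# Added example (not from the thread): report the effective "Allow log on locally" /
# "Deny log on locally" assignments via secedit.exe. Run from an elevated prompt.
$exportFile = Join-Path $env:TEMP 'user-rights-export.inf'   # assumed scratch file name
& secedit.exe /export /cfg $exportFile /areas USER_RIGHTS /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

# The .inf lists each privilege as:  SeXxxRight = *S-1-5-32-544,*S-1-5-32-551,...
$rights = @{}
foreach ($line in Get-Content -LiteralPath $exportFile) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}
Remove-Item -LiteralPath $exportFile -ErrorAction SilentlyContinue

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs with a leading '*'; translate them to DOMAIN\Name where possible.
    if ($entry -notlike '*S-1-*') { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $entry }   # deleted account or no DC reachable: show the raw SID
}

$allow = @($rights['SeInteractiveLogonRight']     | Where-Object { $_ })
$deny  = @($rights['SeDenyInteractiveLogonRight'] | Where-Object { $_ })

"Allow log on locally (SeInteractiveLogonRight):"
$allow | ForEach-Object { "  " + (Resolve-Principal $_) }
"Deny log on locally (SeDenyInteractiveLogonRight):"
if ($deny.Count -eq 0) { "  (empty, as Case 2 requires)" }
else { $deny | ForEach-Object { "  " + (Resolve-Principal $_) } }

# Cases 3/4: the export shows the *effective* value, whichever GPO wrote it;
# 'gpresult /r /scope computer' tells you which one, and 'gpupdate /force' refreshes it.
if ($allow -notcontains '*S-1-5-32-544') {
    Write-Warning 'Administrators (S-1-5-32-544) is missing from "Allow log on locally"'
}
```

Deny entries win over Allow entries, so an account that appears in both lists is still locked out; that is why Case 2 asks for an empty Deny list rather than a matching Allow entry.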
 
LVL 82

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 167 total points
ID: 40572574
Boot via your installation DVD or other recovery media and open the registry editor:

Boot from the Vista install disk, choose Recovery, and then Command Prompt.
Open the registry editor: regedit
This loads the registry editor with a temporary registry, not the Windows registry from the hard disk.
Select HKEY_LOCAL_MACHINE in the registry tree, then go to the File menu and choose "Load Hive".
Open the registry hive file SOFTWARE from the location C:\Windows\System32\Config.
Give it a random name different from any of the existing names (the name doesn't matter).
Make the necessary changes to the registry hive.

Startup locations:

1. Via the file system.
C:\Users\[USERNAME]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\All Users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

2. Via the registry.

Navigate to any of the following paths according to your requirement, then add a new String value and store the path of the program to be run in this value's data.

For Local Machine:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

For Current User:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Other paths:
HKU\ProgID\Software\Microsoft\Windows\CurrentVersion\Run
systemdrive\Documents and Settings\All Users\Start Menu\Programs\Startup
systemdrive\Documents and Settings\username\Start Menu\Programs\Startup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Ensure that Shell=explorer.exe and Userinit=C:\Windows\system32\userinit.exe,

Select the registry hive you edited, go to File, and choose "Unload Hive".
Then exit the recovery console and restart. The registry should have been changed.

http://bit.ly/15OBjy3 http://bit.ly/15OBsBG
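The hive-loading procedure above, scripted as an added PowerShell example that is not from this thread or the linked pages. It assumes a WinPE or recovery environment that includes both reg.exe and PowerShell (the stock WinRE command prompt has reg.exe but not PowerShell; Lazesoft-style boot media may include it, or you can attach the disk to a clean machine), that the infected system volume is visible as D:\ from that environment, and that the infected system booted from C: when it was healthy, because the Userinit value is compared literally, trailing comma included (the comma is part of the legitimate value, not a typo). The -OfflineWindows parameter, the OFFLINE_SOFTWARE mount name and the -Repair switch are my own; without -Repair the script only reports.

```powershell
# Added example (not from the thread): offline triage of the Winlogon and Run keys
# in the SOFTWARE hive of a system that will not log on. Run elevated in WinPE.
param(
    [string]$OfflineWindows = 'D:\Windows',        # assumed drive letter of the offline system
    [string]$MountName      = 'OFFLINE_SOFTWARE',  # arbitrary, like the "random name" in regedit
    [switch]$Repair                                # reset Shell/Userinit if they were hijacked
)

$hiveFile = Join-Path $OfflineWindows 'System32\config\SOFTWARE'
if (-not (Test-Path -LiteralPath $hiveFile)) { throw "SOFTWARE hive not found at $hiveFile" }

# Same as regedit's File > Load Hive: the offline hive appears under HKLM\<MountName>.
& reg.exe load "HKLM\$MountName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with exit code $LASTEXITCODE" }

try {
    $base     = "HKLM:\$MountName"
    $winlogon = "$base\Microsoft\Windows NT\CurrentVersion\Winlogon"

    # Expected values from the post above. 'C:' is the letter the offline system uses
    # when it boots normally, not the letter WinPE gave the volume.
    $expected = [ordered]@{
        Shell    = 'explorer.exe'
        Userinit = 'C:\Windows\system32\userinit.exe,'
    }
    $current = Get-ItemProperty -LiteralPath $winlogon
    foreach ($name in $expected.Keys) {
        $actual = $current.$name
        if ($actual -eq $expected[$name]) {
            Write-Host "OK       Winlogon\$name = $actual"
            continue
        }
        Write-Warning "SUSPECT  Winlogon\$name = '$actual' (expected '$($expected[$name])')"
        if ($Repair) {
            # Keep the hijacked value for later analysis before overwriting it.
            Set-ItemProperty -LiteralPath $winlogon -Name "${name}_hijacked_backup" -Value "$actual"
            Set-ItemProperty -LiteralPath $winlogon -Name $name -Value $expected[$name]
            Write-Host "FIXED    Winlogon\$name reset; old value saved as ${name}_hijacked_backup"
        }
    }

    # Machine-wide autostart entries. Per-user Run/RunOnce keys live in each profile's
    # NTUSER.DAT (e.g. D:\Users\Administrator\NTUSER.DAT) and need their own reg.exe load.
    $runKeys = 'Microsoft\Windows\CurrentVersion\Run',
               'Microsoft\Windows\CurrentVersion\RunOnce',
               'Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($rel in $runKeys) {
        $key = "$base\$rel"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            # Anything launching from a profile, Temp or ProgramData deserves a close look.
            $flag = if ("$($p.Value)" -match '\\(Users|Temp|ProgramData|AppData)\\') { 'CHECK ' } else { '      ' }
            Write-Host ("{0} HKLM\SOFTWARE\{1} : {2} = {3}" -f $flag, $rel, $p.Name, $p.Value)
        }
    }
}
finally {
    # Unload the hive, or the edits never reach the disk and the file stays locked.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Run it once without -Repair and record what it flags, then again with -Repair; a lock screen that survives a correct Shell and Userinit usually means the loader sits in a per-user Run key or the user's Startup folder, which this hive does not contain.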
 
LVL 26

Assisted Solution

by:Fred Marshall
Fred Marshall earned 166 total points
ID: 40572802
A common fix is to boot from a USB drive with HitmanPro.Kickstart on it.
The process can use one of three options.
Start with the first option, and be patient to see what happens when booting up, as it may appear that Windows goes ahead and boots, but HitmanPro will run before other things start up.
If the first option does nothing, use the second option, etc.
More details at:
malwaretips.com/blogs/fbi-anti-piracy-warning-moneypak/
 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40572847
Once you've removed this, I would recommend taking action to prevent this from happening again. Places to start: employee training, acceptable use policies, firewalls, IPS.

You'll get much more bang for your buck starting with employee training.
 

Author Comment

by:Joe_LAI
ID: 40572875
I used Lazesoft Recovery Suite to boot up Windows Server, but I don't know where the virus files are or which registry edits remove the spyware.
 

Accepted Solution

by:Joe_LAI
Joe_LAI earned 0 total points
ID: 40583710
Can't fix it. Reinstall operating system.
 

Author Closing Comment

by:Joe_LAI
ID: 40595390
Can't fix it. Reinstall operating system.
