Hands tied

Hi, I have a work computer and most everything is locked down by my work to prevent users from messing around. It has Trend Micro, and it just got infected .

I have a standard account, and got AV Security Suite on it. I cannot access any useful webpages - it's blocked by the software via the HOSTS file to redirect to a "buy this software now" page.

I also cannot boot from a CD or whatever - other than the internal HDD - so Dr. Web won't help. The BIOS is completely locked down ...

And trying to mess around inside my user account doesn't help - the software blocks things from running like explorer.exe by claiming that "explorer.exe is infected, please activate software now to fix it." So I can't do common stuff like open taskmgr and kill the process, open explorer to delete files, open Combofix, MBAM, etc .

And I can't login using safe mode. I think you need special credentials to get into safe mode ...

As for contacting my work - it's their summer vacation right now for most everyone - including the tech support guys ... who know the password needed to boot from a live CD or get into safe mode.

Anyway to nuke this junk without the ability to use safe mode, boot from a live CD, or open taskmgr?

Much appreciated

Tech

 

as it is a work comp return it to the IT and let them do whatever their policy is in such instances. I don't think it wise, nor is it necessary, to tinker with what is really IT dept job

 

You sure there's no IT coverage while regulars are on vacation? If no coverage, my sympathies. I agree it's best left as THEIR job and even though you try to take initiative to solve problem yourself, you could end up in a worse state and then be criticized for that!

No possibility for YOU to go on vacation until there is IT coverage?

 

I'd much rather fix it now because it keeps trying to access porn sites and explaining would be rather hard, considering that the IT department is formed of all females that aren't paticularly tech savvy.

I am able however to login as a different user (not an admin) but this account has not been touched by AV Security Suite. I hope to be able to run an elevated command line to delete the registry values and exes of the rouge software from here ..

Looks like hope .

 

If you can get a scan down with Malwarebytes and the AV Suite exe has been seen before then it should get rid of it.

Funny thing about that rogue is that on one test install it did kill explorer and on reboot it didn't kill explorer.

Removal Instructions for AV Security Suite

Edit, Seems the instructions for getting around the exe killing capabilities of the rogue aren't included above. The link below provides as such.

http://forums.malwarebytes.org/index.php?showtopic=45511

 

If you have another computer you could access the infected system over your network with something like Metasploit and "Pop a box" to get an admin account installed. Then you could scan away and later delete the extra account.

 

I'm not saying you should do this, you are the one who knows best what gets you fired... Anyway the "proper way "to do this is:
Open the case, take out the HDD, connect it to another PC, image the drive then try to clean it up from the host. If that doesn't work crack the admin password (e.g. ophcrack), connect the HDD back to the PC and boot into safe mode. Alternatively, on most PCs you can still clear the BIOS password by removing the CMOS battery for a bit.

 

You can download SUPERAntiSpyware Portable to a USB and try scanning:
http://www.superantispyware.com/portable