Hands tied

Discussion in 'other security issues & news' started by TechOutsider, Jun 27, 2010.

Thread Status:
Not open for further replies.
  1. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    Hi, I have a work computer and most everything is locked down by my work to prevent users from messing around. It has Trend Micro, and it just got infected :eek:.

    I have a standard account, and got AV Security Suite on it. I cannot access any useful webpages - it's blocked by the software via the HOSTS file to redirect to a "buy this software now" page.

    I also cannot boot from a CD or whatever - other than the internal HDD - so Dr. Web won't help. The BIOS is completely locked down ...

    And trying to mess around inside my user account doesn't help - the software blocks things from running like explorer.exe by claiming that "explorer.exe is infected, please activate software now to fix it." So I can't do common stuff like open taskmgr and kill the process, open explorer to delete files, open Combofix, MBAM, etc :ninja: :ninja:.

    And I can't login using safe mode. I think you need special credentials to get into safe mode ...

    As for contacting my work - it's their summer vacation right now for most everyone - including the tech support guys ... who know the password needed to boot from a live CD or get into safe mode.

    Any way to nuke this junk without the ability to use safe mode, boot from a live CD, or open taskmgr?

    Much appreciated

    Tech
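The first post describes the rogue AV rewriting the HOSTS file so that useful sites resolve to its "buy now" page. Below is an added example (not from this thread, and not from any of the products mentioned) of how a defender can audit a HOSTS file offline, for instance from a clean second account or after imaging the drive, for exactly that pattern: many public hostnames funnelled to one address, or vendor sites pinned to loopback so they simply fail. The sample HOSTS text, the 192.0.2.10 address and the example domains are constructed for the demonstration.

```python
"""Audit a HOSTS file for entries that look like a malware hijack.

Two signals are checked:
  * fan-in: several non-loopback hostnames all mapped to the same address
    (the classic "every site goes to our landing page" redirect);
  * blocked: a public hostname mapped to a loopback address
    (the classic "you can't reach the AV vendor any more" block).
"""
import ipaddress
import sys
from collections import defaultdict

# Constructed sample HOSTS content: stock lines, one legitimate local
# override, and the kind of entries a rogue AV product adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.example-av-vendor.com   # constructed rogue redirect
192.0.2.10      update.example-vendor.net   # constructed rogue redirect
192.0.2.10      www.example-search.com      # constructed rogue redirect
127.0.0.1       www.example-av-vendor.org   # constructed rogue block
10.0.0.5        intranet.example            # constructed legitimate override
"""

# Names that are expected to point at loopback and are not overrides.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address field: skip rather than abort the audit
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def find_suspicious(entries, min_shared=2):
    """Classify entries. Returns a dict with 'overrides', 'fan_in' and 'blocked'."""
    overrides = []               # every mapping that is not a stock loopback line
    names_by_ip = defaultdict(list)
    blocked = []
    for ip, name in entries:
        if name in LOOPBACK_NAMES:
            continue
        overrides.append((ip, name))
        names_by_ip[ip].append(name)
        if ipaddress.ip_address(ip).is_loopback:
            blocked.append(name)  # public name deliberately made unreachable
    # Fan-in: one address collecting several distinct non-loopback names.
    fan_in = {
        ip: names for ip, names in names_by_ip.items()
        if len(set(names)) >= min_shared and not ipaddress.ip_address(ip).is_loopback
    }
    return {"overrides": overrides, "fan_in": fan_in, "blocked": blocked}


def audit(text):
    """Parse and classify in one call; convenient for a copied-out HOSTS file."""
    return find_suspicious(parse_hosts(text))


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts-file]; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    report = audit(text)
    for ip, names in report["fan_in"].items():
        print(f"FAN-IN  {ip} <- {', '.join(names)}")
    for name in report["blocked"]:
        print(f"BLOCKED {name} -> loopback")
    print(f"{len(report['overrides'])} non-stock entries in total")
```

On a Windows machine the file to pass in is `%SystemRoot%\System32\drivers\etc\hosts`; reading it needs no elevation, which is why an audit like this still works from an unprivileged second account even when the rogue blocks the usual tools in the infected one. The `overrides` list is printed as a count only, since a legitimate intranet entry is also an override; the two flagged categories are the ones that warrant a closer look.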
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    As it is a work comp, return it to IT and let them do whatever their policy is in such instances. I don't think it wise, nor is it necessary, to tinker with what is really the IT dept's job.
     
  3. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,976
    Location:
    Eastern PA, USA
    You sure there's no IT coverage while regulars are on vacation? If no coverage, my sympathies. I agree it's best left as THEIR job and even though you try to take initiative to solve problem yourself, you could end up in a worse state and then be criticized for that!

    No possibility for YOU to go on vacation until there is IT coverage?:(
     
  4. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    I'd much rather fix it now because it keeps trying to access porn sites and explaining would be rather hard, considering that the IT department is formed of all females that aren't particularly tech savvy.

    I am able, however, to login as a different user (not an admin), and this account has not been touched by AV Security Suite. I hope to be able to run an elevated command line to delete the registry values and exes of the rogue software from here...

    Looks like hope :).
     
  5. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Last edited: Jun 28, 2010
  6. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    If you have another computer you could access the infected system over your network with something like Metasploit and "Pop a box" to get an admin account installed. Then you could scan away and later delete the extra account.
     
  7. katio

    katio Guest

    I'm not saying you should do this, you are the one who knows best what gets you fired... Anyway the "proper way" to do this is:
    Open the case, take out the HDD, connect it to another PC, image the drive then try to clean it up from the host. If that doesn't work crack the admin password (e.g. ophcrack), connect the HDD back to the PC and boot into safe mode. Alternatively, on most PCs you can still clear the BIOS password by removing the CMOS battery for a bit.
     
  8. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088