
XP Home Post Infection Repair



#1 Norm@Home


Posted 30 April 2011 - 11:42 AM

I've got a computer that belongs to a friend of mine that had some phony AV program infect his system. It's a system running Windows XP Home and I managed to start the system in safe mode, log in as the administrator, and install and run Malwarebytes Anti-Malware as well as a few other repair utilities. Malwarebytes managed to remove the trojan AV but now I'm stuck with a system that's disabled in a number of ways.

The phony AV had removed or disabled all desktop icons as well as all start menu entries, and one tool that I ran managed to restore the desktop icons while I'm logged in as administrator, but not for the one and only other user account. I have a script that I'd located and used successfully in other instances of phony AV problems like this, but it requires two utilities: subinacl and secedit. I was able to extract secedit from a Windows XP Pro CD, but I cannot get subinacl to install; I keep getting the message "The system administrator has set policies to prevent this installation". I've Googled this message and found dozens of threads about it (including a couple here) and I've tried a number of things that have all failed to fix this, including running "secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose" as per Microsoft KB313222.

I was referred to this forum from the "I'm infected what do I do" forum. One of the moderators had mentioned using Control Panel / Administrative Tools / Local Security Policy to fix this; however, I believe that XP Home lacks this applet and I'm hoping that someone here can tell me how to undo this without having access to that.

Thanks,

- Norm



#2 hamluis


Posted 30 April 2011 - 12:14 PM

System manufacturer and model?

Do you have a MS Genuine XP CD...either retail, upgrade, or OEM/system builder version?

Louis

#3 Norm@Home


Posted 30 April 2011 - 01:15 PM

It's a Gateway 500GR, and I do have an XP Home retail CD. I really didn't want to try a repair install without exhausting all other options, since you never know if the OEM product key on the machine will work with the retail CD after the install. I've been there and done that, and if the install won't take the product key you're finished: no other choice but to back up data from the drive and reinstall from scratch, and I want to avoid that if possible.

Thanks,

- Norm

#4 hamluis


Posted 30 April 2011 - 02:08 PM

I understand that members/users...routinely have the highest expectations when things go wrong.

I would suggest that you abandon such...and try to clearly see the situation as it appears to me.

You have a system which had malware and that has been neutralized.

Either the malware or the process of removing it...has probably damaged any number of key system files.

You have a Gateway system, Gateway's answer to such situations is restore to factory defaults via the software they installed.

You have an XP Home CD...so you don't necessarily have to use the restore-to-factory-defaults mechanism.

If your CD reflects the same SP as your system...you can then use it to either run the sfc /scannow command or attempt a repair install. Neither of these is necessarily going to be effective, since we really don't know what is ailing the system. These two things are just typical ways of attempting to overcome system problems that are due to damaged system files (which is my presumption, not fact).

If the nature of the problem does not rest with Windows but is either hardware or malware...the two attempted remedies I mention will be ineffective.

FWIW: I know of no reason why a valid key for the system it applies to...would not work with a MS Genuine XP CD that is either retail, update, or OEM version. The installation files for Windows are the same, the system is the same...the key should be acceptable for installation purposes. I don't buy "name brand" systems so I can assert such and be wrong...but, logically, the key should work with any valid MS XP Home disk.

How To Use Sfc.exe To Repair System Files - http://www.bleepingcomputer.com/forums/topic43051.html

Slipstreaming Windows XP To Create a Bootable Windows XP CD or DVD - http://www.bleepingcomputer.com/tutorials/slipstreaming-windows-xp-to-create-bootable-cd/

Louis

There are others here who are far more experienced/knowledgeable about such situations as yours...perhaps they will suggest something that I either do not know or have forgotten to suggest.

Edited by hamluis, 02 May 2011 - 10:26 AM.


#5 BrainyTehBrain


Posted 01 May 2011 - 12:37 PM

I believe SAS has a feature that repairs changes made by malware in the preference section. See if that helps.

#6 Norm@Home


Posted 01 May 2011 - 09:26 PM

With all respect, my friends bring me their computers to fix because I've been administering PC networks and programming computers for 25 years and have some experience with this, although I would not claim to be an expert. Obviously, no one person can know everything, and I'm not above asking for help when I need it. In my experience there's very little that can be done to a computer that in one way or another can't be undone. Yes, there are some cases where the virus or malicious software has so mangled the operating system (internally) that only a repair install can fix it, and in some cases even that can't fix the problem, and as Microsoft (in their infinite wisdom) has removed that ability from Vista and Windows 7, choices are limited in those situations. I like to be optimistic rather than pessimistic and say "Let's cross that bridge when we come to it".

I've actually made some pretty good progress: after running the System File Checker and a number of other utilities, the owner's desktop icons have reappeared, and I believe that they were just hidden. I checked the start menu folder and sure enough the start menu had the folder and all entries hidden; after un-hiding those the start menu is now back to normal. At this point I was finally able to install subinacl and run the script that I had found to fix file and registry permission problems caused by these phony AV viruses:

rem run from the Resource Kit Tools folder so subinacl.exe is found
cd /d "%ProgramFiles%\Windows Resource Kits\Tools"
rem re-grant Full control (f) to Administrators and SYSTEM on every key under each hive
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
rem same for every file and folder on the system drive
subinacl /subdirectories %SystemDrive%\ /grant=administrators=f /grant=system=f
rem reapply the default security template from the repair folder (Microsoft KB313222)
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

I've now got two problems, only one of which I'm having trouble fixing:

The more serious one, which I've not been able to make much headway on, is this: the System Restore service is stopped even though it's not manually turned off, and when I try to start it I get the error message "Access Denied". It's set to use the Local System account, the same as many other services which are able to start using that account. So if the Local System account is not the problem, what could have been changed that would not have been fixed by "subinacl /subdirectories %SystemDrive%\ /grant=administrators=f /grant=system=f"?

Thanks,

- Norm
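A read-only diagnostic batch script, added here as an example and not part of Norm's post or the script he quotes, that reports on the three things this thread turns on: the Windows Installer policy keys behind the "policies prevent this installation" message, the Hidden attribute on the Start Menu and desktop folders, and the System Restore service's own security descriptor, which is separate from its registry key and from any file and so is not touched by subinacl /subkeyreg or /subdirectories. It assumes Windows XP with reg.exe and sc.exe present and subinacl.exe installed in the Resource Kit Tools folder.

```batch
@echo off
rem Read-only diagnostic (added example, not from the thread). It changes nothing.
rem Assumes XP with reg.exe and sc.exe, and subinacl.exe from the Resource Kit Tools.
setlocal
cd /d "%ProgramFiles%\Windows Resource Kits\Tools"

echo === 1. Windows Installer policy keys
rem "The system administrator has set policies to prevent this installation" comes from
rem Installer policy values such as DisableMSI under these keys. A clean XP Home box
rem normally has neither key at all, so any output here deserves a look.
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" 2>nul
reg query "HKCU\Software\Policies\Microsoft\Windows\Installer" 2>nul

echo === 2. Hidden Start Menu and desktop folders and entries
rem dir /a:h lists only entries carrying the Hidden attribute; /b prints bare paths.
rem First the profile roots (catches a hidden "Start Menu" folder itself), then /s recurses.
dir /b /a:h "%ALLUSERSPROFILE%" 2>nul
dir /b /a:h "%USERPROFILE%" 2>nul
for %%D in ("%ALLUSERSPROFILE%\Start Menu" "%ALLUSERSPROFILE%\Desktop" "%USERPROFILE%\Start Menu" "%USERPROFILE%\Desktop") do (
    dir /s /b /a:h %%D 2>nul
)

echo === 3. System Restore service (srservice) state and permissions
rem In the SDDL printed by sc sdshow, an ACE beginning "(D;" is a Deny entry and
rem RP is the right to start the service; Administrators need RP for Start to succeed.
sc query srservice
sc sdshow srservice
subinacl /service srservice /display
subinacl /keyreg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice" /display

rem Note: subinacl /grant adds Allow entries but leaves an existing Deny entry in place,
rem which is how a grant can succeed while "Access Denied" remains; /display shows both.
endlocal
```

Run it from an administrator command prompt and compare the service's descriptor against a healthy XP machine before changing anything.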



