Virus/Malware
Nov. 22nd, 2014 06:50 pm
My main machine seems to have picked up something nasty.
Thursday night I noticed that BitTorrent wasn't running any longer. And attempts to run it failed.
A reinstall got some really weird outgoing connection attempts, and a few other things were acting odd.
So I rebooted. To discover that a "software restriction policy" had disabled the firewall I use, Windows Firewall (which was turned off anyway) and my AV program.
Safe mode didn't work either. Got the login screen, but the keyboard and mouse were both disabled.
Trying for safe mode with command line got that too (which it shouldn't have).
Obviously something had majorly compromised things.
I wasted a few hours trying to get Windows installed on a spare drive (install went ok, except I couldn't boot off the drive).
I've spent time since then sticking the drives from the main box into a removable "rack" in another system (one at a time) and doing AV scans on them.
Didn't find anything significant.
Currently backing up the drives, and then I'll stick the boot drive back into the main system and try various repair tricks.
Worst case, I'll reformat it and reinstall Windows (and entirely too much other stuff).
Any suggestions on how to fix that software policy BS?
no subject
Date: 2014-11-23 05:21 am (UTC)

no subject
Date: 2014-11-23 06:13 am (UTC)
Mind you, this means that install CDs/DVDs won't autorun when you insert them and you'll have to go through a couple of extra steps to install whatever.
Google "autorun" and you should find instructions.
no subject
Date: 2014-11-25 01:29 am (UTC)
At one time, I had a piece of malware that blocked my running web browsers and Task Manager, but it blocked them by file name, so by renaming taskmgr.exe to maskmgr.exe, I got around it.
no subject
Date: 2014-12-08 09:24 am (UTC)
The last step (and one that none of the fix programs, nor web advice had) was to go into Event Viewer, find the software restriction entries, and use the string from those to find the restriction entries in the registry.
Once I found them, I just nuked the whole section, as there was no possibility of *any* of them being legit.
That fixed access to the blocked programs (and also removed blockages that hadn't happened (yet) to some updates).
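The Event Viewer-then-registry procedure the last commenter describes can be scripted so each rule is listed before anything is deleted. The following PowerShell is an added example written for this page, not code from the post or its commenters. It assumes Software Restriction Policy logs its blocks as event IDs 865 through 868 in the Application log and keeps its rules under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers` (both are the documented locations for SRP); the level-number-to-name table reflects the SRP security level constants. The function names are my own.

```powershell
# Added example: enumerate SRP block events and the rules behind them, then
# remove a rule only after review. Run from an elevated PowerShell prompt.
# Assumed locations: SRP events 865-868 in the Application log; rules under
# the Safer\CodeIdentifiers key (HKLM for machine policy, HKCU for user policy).

$SaferKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)

# SRP security level values (SAFER_LEVELID_* constants).
$LevelNames = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'NormalUser'
    131072 = 'BasicUser'
    262144 = 'Unrestricted'
}

function Get-SrpBlockEvent {
    # Step 1 of the commenter's procedure: the Event Viewer entries. Each
    # message names the blocked executable, which is the string to match
    # against the registry rules below.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866, 867, 868 } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*SoftwareRestrictionPolicies*' } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Message = ($_.Message -replace '\s+', ' ')
            }
        }
}

function Get-SrpRule {
    # Step 2: walk every rule under the Safer key(s). Rules live at
    # CodeIdentifiers\<level>\Paths\{GUID} or ...\Hashes\{GUID}; the
    # ItemData value holds the path pattern or hash the rule applies to.
    foreach ($root in $SaferKeys) {
        if (-not (Test-Path $root)) { continue }

        $default = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultLevel
        if ($null -ne $default) {
            "$root DefaultLevel = $default ($($LevelNames[[int]$default]))"
        }

        Get-ChildItem -Path $root |
            Where-Object { $_.PSChildName -match '^\d+$' } |
            ForEach-Object {
                $level = [int]$_.PSChildName
                Get-ChildItem -Path $_.PSPath -Recurse | ForEach-Object {
                    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
                    if ($props.ItemData) {
                        [pscustomobject]@{
                            Level    = $LevelNames[$level]
                            RuleType = Split-Path -Leaf $_.PSParentPath   # Paths or Hashes
                            ItemData = $props.ItemData
                            Key      = ($_.PSPath -replace '^.*::')
                        }
                    }
                }
            }
    }
}

function Remove-SrpRule {
    # Step 3: delete one reviewed rule key. -WhatIf shows what would be
    # removed without touching the registry; drop it once you are sure.
    param([Parameter(Mandatory)][string]$Key, [switch]$WhatIf)
    $path = $Key -replace '^HKEY_LOCAL_MACHINE', 'HKLM:' -replace '^HKEY_CURRENT_USER', 'HKCU:'
    Remove-Item -Path $path -Recurse -WhatIf:$WhatIf
}

# Usage: list the blocks, list the rules, then remove a rule by its Key.
Get-SrpBlockEvent | Format-Table -AutoSize
Get-SrpRule       | Format-Table -AutoSize
# Remove-SrpRule -Key 'HKEY_LOCAL_MACHINE\SOFTWARE\...\0\Paths\{guid-from-listing}' -WhatIf
```

Listing the rules first matters because a legitimate SRP deployment also stores its entries here; in the commenter's case every rule was bogus, so removing the whole Safer section was safe. Rules that name your firewall, AV, or Task Manager under the `Disallowed` level are the ones to expect. SRP changes are read when the policy is refreshed, so run `gpupdate /force` or reboot after editing, and re-run `Get-SrpBlockEvent` to confirm no new 865/866 entries appear.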