What kind of malware does this?


I worked on a Windows XP PC recently where malware had disabled access to
the control panel and all its applets, task manager, and even Windows
Update. The message says something along the lines of "administrator
policies do not allow access". I managed to work around this and clean off
the malware, but I don't know how to reverse these policy restrictions. I
tried doing a repair/install of the OS using the XP CD and this fixed a
number of problems, but it did not undo the restrictions (perhaps because it
does not replace the registry?). Obviously formatting the drive and
starting over will take care of it, but is there a way to correct the
current copy? TIA


Re: What kind of malware does this?


| I worked on a Windows XP PC recently where malware had disabled access to
| the control panel and all its applets, task manager, and even Windows
| Update. The message says something along the lines of "administrator
| policies do not allow access". I managed to work around this and clean off
| the malware, but I don't know how to reverse these policy restrictions. I
| tried doing a repair/install of the OS using the XP CD and this fixed a
| number of problems, but it did not undo the restrictions (perhaps because it
| does not replace the registry?). Obviously formatting the drive and
| starting over will take care of it, but is there a way to correct the
| current copy? TIA

Many kinds of malware will use "group/local policies" to limit the infected
person from removing the malware. The goal is to stay active on the infected
PC as long as possible. Limiting the infected PC's owner from accessing the
Task Manager, Registry, etc., is one such methodology.

My Multi-AV Scanning Tool will remove most Policies known to be set by malware.

It is actually simple. There are several locations in the Registry in both
HKCU and HKLM where Policies are set. If the key exists you have either of
two states: 0 or 1. If the key is set to 1 then the policy is enabled. If
the key is non-existent or is set to 0 then the Policy is disabled.

Example:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableTaskMgr = 1

In the above, the Task Manager will be disabled for that logged on user. Set
the key to 0 or delete the key "DisableTaskMgr" and the user will again be
able to use the Task Manager.

The same is true for HKLM. The difference is this is true for all users, not
just the currently logged on user.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
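The check-and-clear procedure Dave describes, written out as an added PowerShell example (this is not code from the original post and not part of the Multi-AV tool). It walks the Policies\System and Policies\Explorer keys under both HKCU and HKLM, reports any policy value set to 1, and with -Fix deletes it, which Dave notes is equivalent to setting it to 0. The post itself names only DisableTaskMgr; the other three value names (DisableRegistryTools, NoControlPanel, NoWindowsUpdate) are standard Windows policy values added here because they match the symptoms in the question (locked Registry tools, Control Panel and Windows Update). This also explains why the repair install did not help: an in-place repair keeps the existing registry hives, so the policy values survive it.

```powershell
# Added example, not from the original thread or the Multi-AV tool.
# Audits malware-style policy restrictions in HKCU and HKLM and, with -Fix,
# removes the ones that are enabled. Dry run by default; run elevated so
# the HKLM branch can be written. Save as Clear-MalwarePolicies.ps1.
param([switch]$Fix)

$base = 'Software\Microsoft\Windows\CurrentVersion\Policies'

# Value names to inspect. Only DisableTaskMgr appears in the post; the rest
# are standard Windows policy values chosen to match the reported symptoms.
$policies = @(
    @{ Key = "$base\System";   Name = 'DisableTaskMgr' },        # Task Manager
    @{ Key = "$base\System";   Name = 'DisableRegistryTools' },  # regedit
    @{ Key = "$base\Explorer"; Name = 'NoControlPanel' },        # Control Panel + applets
    @{ Key = "$base\Explorer"; Name = 'NoWindowsUpdate' }        # Windows Update
)

foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($p in $policies) {
        $path = "${hive}:\$($p.Key)"
        $name = $p.Name

        # Key absent: no policy of this kind is set in this hive at all.
        if (-not (Test-Path $path)) { continue }

        # Value absent: policy not in effect (same as 0 in Dave's description).
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }

        $value = $item.$name
        if ($value -eq 1) {
            Write-Host "ENABLED  $path\$name = $value"
            if ($Fix) {
                # Deleting the value disables the policy; setting it to 0 would do the same.
                Remove-ItemProperty -Path $path -Name $name
                Write-Host "         removed"
            }
        } else {
            Write-Host "disabled $path\$name = $value"
        }
    }
}
```

Run it once without -Fix to see what is set, then with -Fix to clear it. HKCU only covers the account that is running the script; if other profiles on the machine were also locked down, load their NTUSER.DAT hives (or log on as each user) and run it again. Task Manager is usable immediately after the value goes away; Explorer-side policies such as NoControlPanel take effect after a log off and on.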



Re: What kind of malware does this?

Thanks, that helps.

