Help Required WIN XP Pro Locked out Admin?

22-05-2008, 09:16 PM
Hi guys

I've been handed a PC to get running and update for an elderly couple, it seems it came from their son's business but it's been locked down and I can't install antivirus or spybot as both programs terminate within seconds of running the install.

It's running WIN XP Pro, I've created a new account with admin privileges etc but occasionally on rebooting, changing accounts I'm seeing a message saying that some linux prog can't run under windows, I'm assuming this is how the access has been locked down.

How can I get around this to configure & update the box to their requirements?

22-05-2008, 09:32 PM
I'd just do a full rebuild to be honest - or is there stuff on the laptop you need to keep??

22-05-2008, 09:55 PM
Hi guys

It's running WIN XP Pro, I've created a new account with admin privileges etc but occasionally on rebooting, changing accounts I'm seeing a message saying that some linux prog can't run under windows, I'm assuming this is how the access has been locked down.

What is the program? Seems odd that it would be a Linux program.

Can you not stop it from starting in MSConfig, assuming you have already tried removing it in Add/Remove Programs?

22-05-2008, 10:27 PM
Nothing on the PC as far as I can tell

Nothing to save in that respect either

I could install CCleaner OK but Spybot and the antivirus exe's won't load. A virus is another thought....

Speedy Gonzales
22-05-2008, 11:58 PM
Try Trojan Remover, and see if it installs in safe mode / networking. Then scan, then see if it updates, if it's on a network / connected to the net.

If it boots into safe mode see if CCleaner installs. Then tell us what's under tools / startup.

23-05-2008, 08:08 PM

I've scanned the drive, Stinger found a couple of beasties when run on the machine.
Removing the drive and installing it in my box found a few more.

What's really interesting/frustrating is I can surf the web, read PC World for instance, or go to Filehippo or Google, that's fine.
If I go to an antivirus site, Explorer terminates within seconds.

I was able to install and run CCleaner, nothing of note found
Stinger ran as above

If I try to install Spybot, TrRemover or AntiVir the installer terminates before you can even click anything and the message, if displayed, is gone in a microsecond.

Can I borrow a sledgehammer :badpc:

Speedy Gonzales
23-05-2008, 08:10 PM
Did you try installing Trojan Remover in safe mode?

23-05-2008, 08:30 PM
Yep tried installing all the above in safe mode no go

Even tried under different admins with protect the pc unticked.

Something's going on in the background....

23-05-2008, 08:42 PM
Seen that sort of thing before, what it's doing is there is some sort of infection that's killing any sort of antispyware/antivirus.

From memory - try this: open My Computer, go to Tools/Folder Options/View, untick Hide hidden files and folders.

Then navigate to C:\Windows\System32\Drivers\etc\, double click the hosts file, select open with Notepad. It should look like this here:

# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
# rhino.acme.com # source server
# x.acme.com # x client host localhost

Delete any entries from the file that are extra.

From my sig, then download all the cleaners: Malwarebytes, Spybot, and Spyware Doctor. Install all and run. While at it, get Superantispyware (http://www.superantispyware.com/) - install and run that too.

Download HijackThis from Speedy's sig, run it and save a file, copy/paste the complete file back here.
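
An added example, not part of the original thread: a Python check for the hosts-file step in the post above, listing every active entry beyond the stock localhost mapping so it can be reviewed by hand, either on the suspect machine or against a drive mounted in another PC. The function name, the sample file contents and the hostnames in it are constructed for illustration.

```python
import ipaddress

# Active mappings found in a stock hosts file; anything else counts as "extra".
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def extra_hosts_entries(text):
    """Return (line_no, ip, hostname, verdict) for every non-default mapping."""
    findings = []
    lines = text.lstrip("\ufeff").splitlines()  # tolerate a UTF-8 BOM
    for line_no, raw in enumerate(lines, start=1):
        # Drop inline comments; what remains is "IP name [alias ...]".
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        ip, names = fields[0], fields[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, " ".join(names), "malformed"))
            continue
        for name in names:
            if (str(addr), name.lower()) in DEFAULT_ENTRIES:
                continue
            # Loopback or 0.0.0.0 makes the name unreachable; any other
            # address sends the name to a different server.
            blocked = addr.is_loopback or addr.is_unspecified
            verdict = "blocked" if blocked else "redirected"
            findings.append((line_no, str(addr), name.lower(), verdict))
    return findings


# Constructed sample: a stock-looking file with three extra lines appended.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# rhino.acme.com # source server
127.0.0.1 localhost
127.0.0.1 update.av-vendor.example www.av-vendor.example  # two names, one line
203.0.113.7 scanner.example
not-an-ip something.example
"""

if __name__ == "__main__":
    for line_no, ip, name, verdict in extra_hosts_entries(SAMPLE):
        print(f"line {line_no}: {name} -> {ip} ({verdict})")
```

An empty result means the file holds nothing beyond comments and the localhost mapping, which matches the "hosts file is clean" outcome reported later in the thread.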

Speedy Gonzales
23-05-2008, 08:48 PM
So, what did stinger find??

23-05-2008, 09:05 PM
The hosts file is clean, already looked at that.

Stinger found W32/SDBot Worm Gen H and SDBot/FTP

Avira found BDS/Pcclient.qf [backdoor], WORM/SdBot.46992.1, JS/StartPage.C
when the drive was installed in my machine.

I've just downloaded those other scanners, just about to refit the drive to the case and try again.

I'd reinstall Windows except no Disk and I think it's a locked out key on the machine anyway.

Speedy Gonzales
23-05-2008, 09:11 PM
That's probably how / why they got it (by not patching / updating Windows).

It exploited a vulnerability.

23-05-2008, 09:19 PM
Yeah that I know..

Somehow I don't think a couple in their 70's given a PC to use are going to want to splash out $250 for a legal copy of windows.

Therefore it was always how to get it working and "protected" in said state.

Speedy Gonzales
23-05-2008, 09:22 PM
Hmm I could check it out, where in Auckland are you??

West still or City?

23-05-2008, 09:24 PM
Have a look here from Trend (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FRBOT%2EGA&VSect=Sn), they call it something different, but it's the same bug.

23-05-2008, 09:51 PM
Yay :banana:

Spybot installed :thumbs:
Avira Installed :thumbs:

Scumbag virus writers :yuck:

23-05-2008, 10:03 PM
Great now you need to run the remainder of the cleaners to make sure all bugs are removed :thumbs: