What kind of malware does this?

Victek

I worked on a Windows XP PC recently where malware had disabled access to
the control panel and all its applets, task manager, and even Windows
Update. The message says something along the lines of "administrator
policies do not allow access". I managed to work around this and clean off
the malware, but I don't know how to reverse these policy restrictions. I
tried doing a repair/install of the OS using the XP CD and this fixed a
number of problems, but it did not undo the restrictions (perhaps because it
does not replace the registry?). Obviously formatting the drive and
starting over will take care of it, but is there a way to correct the
current copy? TIA
 
David H. Lipman

From: "Victek" <[email protected]>

| I worked on a Windows XP PC recently where malware had disabled access to
| the control panel and all its applets, task manager, and even Windows
| Update. The message says something along the lines of "administrator
| policies do not allow access". I managed to work around this and clean off
| the malware, but I don't know how to reverse these policy restrictions. I
| tried doing a repair/install of the OS using the XP CD and this fixed a
| number of problems, but it did not undo the restrictions (perhaps because it
| does not replace the registry?). Obviously formatting the drive and
| starting over will take care of it, but is there a way to correct the
| current copy? TIA

Many kinds of malware will use "group/local policies" to limit the infected person from
removing the malware. The goal is to stay active on the infected PC as long as possible.
Limiting the infected PC's owner from accessing the Task Manager, Registry, etc., is one such
methodology.

My Multi-AV Scanning Tool will remove most Policies known to be set by malware.

It is actually simple. There are several locations in the Registry in both HKCU and HKLM
where Policies are set. If the key exists you have one of two states: 0 or 1. If the
key is set to 1 then the policy is enabled. If the key is non-existent or is set to 0 then
the Policy is disabled.

Example:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableTaskMgr = 1

In the above, the Task Manager will be disabled for that logged-on user. Set the value to 0
or delete the value "DisableTaskMgr" and the user will again be able to use the Task Manager.

The same is true for HKLM. The difference is this is true for all users, not just the
currently logged on user.
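As an added illustration of the HKCU/HKLM policy check described above (example code, not the poster's Multi-AV tool), the PowerShell below audits the per-user and machine-wide Policies keys and, with -Remove, deletes any value set to 1. Only DisableTaskMgr comes from the thread; the other value names are well-known Windows policy values included as assumptions, and PowerShell 2.0 (the version installable on XP) is assumed.

```powershell
# Added example, not from the original thread. Value names other than
# DisableTaskMgr are assumed well-known policy values, not named in the post.
$checks = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoWindowsUpdate' }
)

function Get-PolicyRestriction {
    param([switch]$Remove)
    # HKCU affects only the logged-on user; HKLM affects every user on the PC.
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($c in $checks) {
            $path = "${hive}:\$($c.Key)"
            if (-not (Test-Path $path)) { continue }        # key absent: policy off
            $item = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }               # value absent: policy off
            $data = $item.($c.Name)
            $enabled = ($data -eq 1)                        # 1 = enabled, 0 = disabled
            New-Object PSObject -Property @{
                Hive = $hive; Value = $c.Name; Data = $data; Enabled = $enabled
            }
            if ($Remove -and $enabled) {
                # Deleting the value has the same effect as setting it to 0.
                Remove-ItemProperty -Path $path -Name $c.Name
            }
        }
    }
}

# Report first; rerun with -Remove (from an elevated prompt for HKLM) to clear.
Get-PolicyRestriction | Format-Table Hive, Value, Data, Enabled -AutoSize
```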
 
Victek

| | I worked on a Windows XP PC recently where malware had disabled access to
| | the control panel and all its applets, task manager, and even Windows
| | Update. The message says something along the lines of "administrator
| | policies do not allow access". I managed to work around this and clean off
| | the malware, but I don't know how to reverse these policy restrictions. I
| | tried doing a repair/install of the OS using the XP CD and this fixed a
| | number of problems, but it did not undo the restrictions (perhaps because it
| | does not replace the registry?). Obviously formatting the drive and
| | starting over will take care of it, but is there a way to correct the
| | current copy? TIA
|
| Many kinds of malware will use "group/local policies" to limit the infected person from
| removing the malware. The goal is to stay active on the infected PC as long as possible.
| Limiting the infected PC's owner from accessing the Task Manager, Registry, etc., is one such
| methodology.
|
| My Multi-AV Scanning Tool will remove most Policies known to be set by malware.
|
| It is actually simple. There are several locations in the Registry in both HKCU and HKLM
| where Policies are set. If the key exists you have one of two states: 0 or 1. If the
| key is set to 1 then the policy is enabled. If the key is non-existent or is set to 0 then
| the Policy is disabled.
|
| Example:
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
| DisableTaskMgr = 1
|
| In the above, the Task Manager will be disabled for that logged-on user. Set the value to 0
| or delete the value "DisableTaskMgr" and the user will again be able to use the Task Manager.
|
| The same is true for HKLM. The difference is this is true for all users, not just the
| currently logged on user.

Thanks, that helps.
 
