Spent 5 hrs last night on a client's HP machine with Win XP, trying to
take back control of the system. She is convinced that she was
sabotaged by an angry son-in-law, which is probably true. She uses
this for her business and does not have a backup of her data (she is
doing this today), but she doesn't even know where everything is
because files and folders have been moved by the son-in-law, so a
format and re-install is not an option yet. Here are some of the
symptoms and problems:
1. Installed AVG and scanned, found 2 versions of downloader and one
backdoor. 2 of these were deleted by AVG and one was quarantined.
2. Tried to install Ad-Aware to the default directory twice and failed
both times, installed to c:\lavasoft OK. Cleaned all the stuff it
found OK.
3. Updated and ran Spybot, which was previously installed, found and
cleaned 132 items.
4. Tried to run Trend Micro online scan and it would just hang at
installing the engine, no error messages.
5. She has several malware folders in her Program Files folder:
memwatcher, Internetoptimizer, ictbar and others. Tried to delete
these and received an access denied message.
6. Booted to safe mode and tried to delete again and received the
same message.
7. Checked permissions and ownership of these folders and found that
the owner was S-1-5-21-2190867815-etc., with all options to change it
disabled. She is supposedly logged on as administrator and no
other user accounts show up in user manager.
8. Went to the parent folder and took ownership of it and all
subdirectories; this apparently worked on some folders and not on
others, they are still owned by S-1-5-21-... Is this a deleted admin
user? If so, does anyone know how to get rid of it?
9. Although she is logged on as "administrator" she apparently
doesn't have full admin rights; when you check the individual file
permissions (even on the ones that she owns) she can't change them
because they are greyed out.
I've seen lots of messed up systems but never anything like this. If
we can get full admin control I think I can get it cleaned up.
Another problem is she doesn't have any restore disks or operating
system CD. This is an HP machine less than one year old. They (HP)
created a restore partition (FAT32) with the I386 folder on it. Does
anyone have experience with doing a clean install from this HP
partition? I'm not sure I trust it.
Any help would be much appreciated.
Vern Davenport
http://www.vernscomputerservices.com