jimbecher (United States of America) asked:
Subacl - Improvements?

I have an XP computer that really got whacked with malware. I have it clean to where you can log in to it as administrator in safe mode. I have to press ctrl-alt-del and run explorer from Task Manager to get a desktop.

When I boot to normal mode I can log in but get no desktop icons. I press ctrl-alt-del to try and run explorer from within Task Manager but I immediately get the message that the administrator has disabled access to Task Manager. I have seen this before. Security on the registry has been hosed.

There is a utility out there called subacl that is supposed to reset the security on the registry back to factory defaults. The problem is that you need to install an msi to get it to run and the installer isn't running in safe mode.

So the question is .... has anyone come out with something different that will run in safe mode that will reset the security on the registry and/or access to Task Manager so I can get to it in enhanced mode?
ASKER CERTIFIED SOLUTION (flubbster, United States of America):
Assuming that you're talking about SubInACL, you don't have to run the .msi installer. Rename subinacl.msi to subinacl.zip, then extract subinacl.exe from it. It will run as a standalone program.
You may be able to just download and execute the file on this page to do the same thing...

http://support.microsoft.com/kb/313222
SOLUTION (Speshalyst, India):
It is also possible that you may have more of a policy issue due to the malware than a security issue. While similar, they can affect different things. Follow this also to correct and reset the default XP policies:

Download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here: .exe

Double-click FixPolicies.exe.
Click the "Install" button on the bottom toolbar of the box that will open.
The program will create a new Folder called FixPolicies.
Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
A black box will briefly appear and then close. You can ignore any warnings or error messages. This will enable your Control Panel and stop the Administrative warnings, at least until the malware infection resets the registry policy keys again. You can run this as many times as you like.
jimbecher (ASKER):
Secedit didn't work; when I renamed SubInACL.msi to SubInACL.zip WinZip wouldn't recognize it as a valid zip file, and FixPolicies didn't work either.

Still in enhanced mode I get "Task Manager has been disabled by your administrator". All have been excellent suggestions and keeps.

Anything else I can try?
START>RUN>
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
This is fun. I wasn't paying a lot of attention to this TM fix until I looked closely above and noticed HKCU. Since task manager is disabled on these accounts I couldn't get to a prompt or run regedit logging in as a user, so ....

I fired up UBCD4WIN and started the remote registry editor. Found the key on the first user and changed it. Tried to load the HKCU for the second user and got the message "administrator has disabled editing the registry". I thought that to be interesting. Running UBCD4WIN I would have guessed that "flag" wouldn't have been in effect.

Any other remote registry utilities out there to get me in to this second user?
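The REG add line above fixes DisableTaskMgr only for the account that runs it, which is exactly the per-user (HKCU) problem the asker then hits with the second account. As an added example, not code from the thread or from any tool named in it, this batch script clears both DisableTaskMgr and DisableRegistryTools in every user hive currently loaded under HKEY_USERS, so one run from an administrator prompt covers all logged-on accounts:

```batch
@echo off
rem Added example, not code from the thread: clear the two per-user policy
rem values this thread runs into (DisableTaskMgr, DisableRegistryTools) in
rem every user hive currently loaded under HKEY_USERS, plus the same names
rem under HKLM. Run from an administrator command prompt.
rem A user's hive is only present under HKEY_USERS while that user is logged
rem on (or after "reg load"), which is why fixing HKCU alone does not repair
rem the other accounts the asker mentions.
set POL=Software\Microsoft\Windows\CurrentVersion\Policies\System

echo === Before: hives that currently carry a restriction ===
rem XP's reg.exe prints a version banner and blank lines, so keep only the
rem lines that start with HKEY_USERS.
for /f "tokens=*" %%H in ('reg query HKU ^| findstr /b "HKEY_USERS"') do (
    for %%V in (DisableTaskMgr DisableRegistryTools) do (
        reg query "%%H\%POL%" /v %%V >nul 2>&1 && echo   %%V is set under %%H
    )
)

echo === Resetting ===
rem Writing 0 (rather than deleting the value) mirrors the REG add line given
rem earlier in the thread; /f overwrites without prompting.
for /f "tokens=*" %%H in ('reg query HKU ^| findstr /b "HKEY_USERS"') do (
    for %%V in (DisableTaskMgr DisableRegistryTools) do (
        reg add "%%H\%POL%" /v %%V /t REG_DWORD /d 0 /f >nul
    )
)
rem Clear the same names under HKLM as well; harmless if they were never set.
for %%V in (DisableTaskMgr DisableRegistryTools) do (
    reg add "HKLM\%POL%" /v %%V /t REG_DWORD /d 0 /f >nul
)
echo Done. Press Ctrl-Alt-Del to confirm Task Manager opens. Re-run after any
echo further cleanup, since malware that is still active will set the values again.
```

For an account that is not logged on, load its hive first with `reg load HKU\Temp "C:\Documents and Settings\<user>\NTUSER.DAT"`, run the script, then `reg unload HKU\Temp`; that is the same per-hive edit the asker ended up doing from the rescue CD.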
Hmm.. I have read all the messages and would like to suggest that you download and run ComboFix in safe mode followed by installation of SuperAntiSpyware and using its System repair features. Let us know how it goes. A HijackThis log might also shed some light on what is going on in the background.
SmitFraud removal tool might help too
The very first thing I did when I was able to get in under safe mode, as administrator and to the desktop, was Combofix followed by Malwarebytes followed by Superantispyware.

I found it very interesting that the remote registry editor that comes with UBCD4WIN actually acknowledged and restricted the editing of a user's hive because a flag was set in that hive not to allow registry editing. It kind of defeats the purpose of an emergency rescue CD, doesn't it? Anyway I found another remote registry plug-in for UBCD4WIN, rolled my own, and it gave me full access to all the users' hives.

Everything is clean. The only issue remaining is the desktop with no icons. I can ctrl-alt-del in to task manager and run explorer and the desktop comes up fine. I just can't get the desktop for a direct login.

Anyone want to venture a guess on that one?
SOLUTION
No joy. The entry was there. I even deleted it and re-added it.
Can you check that the services such as Windows Defender, Windows Update and Windows Error Reporting are not disabled? I am hoping that it's not one of those Windows worms like Conficker that has attacked this machine.

http://onecare.live.com/standard/en-us/virusenc/virusencinfo.htm?VirusName=Worm:Win32/Conficker.B

You can also try to get CCleaner to clean the registry of any unwanted entries.
I have a feeling that you might have a rootkit, otherwise how can your system exhibit such behaviour. Please scan with this tool : http://www.gmer.net/index.php and post the log here for analysis.

Looks like you are close. Now that you can get into the registry, look for this key. If it is there... delete it.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
almost forgot.. after you delete the key ( if it is there), exit out and reboot.
forgot one more thing.. while in there, look for this key in the same location. If there, delete it. It will make IE unworkable also.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplorer.exe

.... is unworkable a word ????
Gmer found no rootkits. After Combofix, Malwarebytes and Superantispyware all gave the computer a clean bill of health, there is no longer a doubt in my mind that the computer is clean. Now it is just a matter of fixing the damage that was done.

No explorer or iexplorer in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\. That seems to be the general consensus on the fix, but nada.

It might be easier if I just told the guy to hit ctrl-alt-del, new task, explorer.exe :)
This is fun! I decided to see if it was profile related, so I created a new user and logged in as that user. No difference; had to ctrl-alt-del to get to explorer. So I rebooted and now .... no matter who I log in as, it immediately logs back out. Safe mode or enhanced ...
There is another way - create a new profile, take a backup of existing settings, copy to new profile and then delete the old profile and the problem should be history.
Hello,

Download ERD Commander (now it's Microsoft Diagnostics and Recovery Toolkit), burn the ISO on a CD, boot your computer, recover the system and change the registry setting to be able to login without any problems.

http://www.geekstogo.com/2009/01/17/erd-commander-free-trial-from-microsoft/
http://forum.sysinternals.com/forum_posts.asp?TID=2608

I am still unable to believe that you don't have a virus on your computer. Last suggestion for the virus side of things is to download VundoFix and do a scan with that.

http://vundofix.atribune.org/

Hope it helps.
The last issue (immediate logout) was caused by a missing userinit.exe. That was a resurrection from the dead. Thanks guys. All helpful inputs.
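The two remaining symptoms in this thread (Explorer only starting when launched by hand, then an immediate logout traced to a missing userinit.exe) both live in a handful of Winlogon and Image File Execution Options settings. As an added example, not code from the thread, this read-only batch audit prints those settings and checks that the files they point at exist, so the damage can be spotted before a reboot locks you out; the XP default values in the comments are assumptions about a stock install:

```batch
@echo off
rem Added example, not code from the thread: a read-only audit of the logon
rem and shell settings behind the two symptoms discussed here, a desktop that
rem only appears when Explorer is started by hand, and a logon that logs
rem straight back out (the missing userinit.exe found at the end). Nothing
rem here changes the registry; it prints what is set so it can be compared
rem with the stock XP defaults noted below.
set WL=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
set IFEO=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

echo === Winlogon values (stock XP: Shell = Explorer.exe, Userinit = %SystemRoot%\system32\userinit.exe,) ===
reg query "%WL%" /v Shell
reg query "%WL%" /v Userinit

echo === Files those values point at ===
if exist "%SystemRoot%\explorer.exe" (echo OK       %SystemRoot%\explorer.exe) else echo MISSING  %SystemRoot%\explorer.exe
if exist "%SystemRoot%\system32\userinit.exe" (echo OK       %SystemRoot%\system32\userinit.exe) else (
    echo MISSING  %SystemRoot%\system32\userinit.exe
    rem XP's file-protection cache usually keeps a copy that can be copied back.
    if exist "%SystemRoot%\system32\dllcache\userinit.exe" echo          a copy exists in system32\dllcache
)

echo === Image File Execution Options hijacks ===
rem A "Debugger" value under IFEO\program.exe makes Windows launch that
rem debugger instead of the program, which is why the thread looked for
rem explorer.exe there. Internet Explorer's real file name is iexplore.exe,
rem so both that and the thread's "iexplorer.exe" spelling are checked, along
rem with the tools used for the cleanup itself.
for %%P in (explorer.exe iexplore.exe iexplorer.exe taskmgr.exe regedit.exe) do (
    reg query "%IFEO%\%%P" /v Debugger >nul 2>&1 && (
        echo HIJACKED %%P:
        reg query "%IFEO%\%%P" /v Debugger | findstr /i "Debugger"
    )
)
echo Audit complete. Anything flagged above is a candidate for repair, not proof of infection on its own.
```

Run it from the administrator safe-mode prompt the asker already had; a missing userinit.exe or an altered Userinit value is the condition that produces the instant logout described above.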