Admin rights gone on XP after virus

Posted on 2012-09-06
Last Modified: 2012-09-13

After removing malware/virus on an XP I have lost admin rights!

The user is in the admin group but can't install programs etc.; missing rights!

I have created a new user in the admin group; doesn't work!

The malware/virus must have changed something! Most of the folders are marked as hidden too!!!

Any suggestion?

Best Regards

Question by:OleD
    LVL 29

    Expert Comment

    by:Sudeep Sharma
    You could use the below tools to enable/disable a user on the system and reset the password to blank as well.

    In case that doesn't work, try these.

    Once you are able to log in as Administrator, let us know so that we can proceed with cleaning the system.

    Just make sure that you do not run any temp cleaner or clean the temp files and folders yourself.


    Author Comment

    I do not have problems logging in, either as a user or administrator.

    But it seems like I do not have administrator permissions.

    I cannot install programs but am told I lack the necessary rights to the folder etc., although I am a user associated with the Administrators group.

    I created a new user and assigned him to the administrator group, but it doesn't work.

    Most directories have been marked as hidden!

    LVL 29

    Assisted Solution

    by:Sudeep Sharma
    I would recommend scanning the system with the tools mentioned below, in the sequence they are mentioned, and posting the logs.

    Make sure you DO NOT REBOOT the system after running the tools in points 1 & 2.

    1. RogueKiller/TheKiller
    2. MalwareBytes
    3. TDSSKiller

    I would also recommend you go through the articles from Younghv and RPG for the links to the tools and for future reference

    Basic Malware Troubleshooting



    Run MalwareBytes in Quick Mode and, if that requires a reboot, reboot the system and run the tools mentioned in points 1 and 2 again, but this time run MalwareBytes in Full System Scan.

    So in your next reply post the RogueKiller logs, MBAM logs and TDSSKiller logs

    LVL 30

    Accepted Solution

    You need to reset file and registry security settings. There are a couple of ways to do this. Try this one first as it is the easiest.

    Download and install subinacl.exe:

    Then download and unzip this file:

    Run the "reset.cmd" file.


    If this does not work, then use the Start > Run command line and execute this command (copy and paste it as it is long):

    secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
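    Before running subinacl or secedit, it helps to confirm which of the two symptoms the thread describes is actually present: a token that does not carry Administrators, ACLs on the system roots that no longer grant Administrators FullControl, and folders the malware flagged Hidden. The script below is an added example written for this page; it is not part of the original thread and not part of subinacl or any of the tools named above. It assumes PowerShell 2.0 or later is installed on the XP machine (it is not present by default), and the $Roots list and the -Fix switch are hypothetical choices for this illustration. Without -Fix the script only reports.

```powershell
# Added example (not from the original thread): audit the three things that
# produce "in the Administrators group but no rights" on an infected XP box.
# Assumes PowerShell 2.0+; $Roots and -Fix are hypothetical parameters.
param(
    [string[]]$Roots = @("$env:SystemDrive\", "$env:ProgramFiles"),
    [switch]$Fix   # only when present are Hidden attributes cleared
)

# 1. Does the current token really carry BUILTIN\Administrators?
#    Group membership in the UI is not enough if the token or policy is damaged.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Token has Administrators: $isAdmin"

# 2. Does BUILTIN\Administrators hold an Allow FullControl entry on each root,
#    and are there Deny entries? Missing Allow or stray Deny entries are what
#    produce "you lack the necessary rights to the folder".
$adminSid = New-Object Security.Principal.SecurityIdentifier(
    [Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
$fullControl = [Security.AccessControl.FileSystemRights]::FullControl
foreach ($root in $Roots) {
    $acl   = Get-Acl -Path $root
    $rules = $acl.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])
    $full  = $rules | Where-Object {
        $_.IdentityReference -eq $adminSid -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $fullControl) -eq $fullControl)
    }
    $deny  = $rules | Where-Object { $_.AccessControlType -eq 'Deny' }
    Write-Host ("{0}: Administrators FullControl={1} DenyEntries={2}" -f `
        $root, [bool]$full, @($deny).Count)
}

# 3. Folders marked Hidden but not System. Legitimate hidden folders on XP
#    (System Volume Information, RECYCLER) also carry the System attribute,
#    so Hidden-without-System is the pattern left behind on user folders.
$hidden = [int][IO.FileAttributes]::Hidden
$system = [int][IO.FileAttributes]::System
foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
      Where-Object {
        $_.PSIsContainer -and
        (([int]$_.Attributes -band $hidden) -ne 0) -and
        (([int]$_.Attributes -band $system) -eq 0)
      } |
      ForEach-Object {
        if ($Fix) {
            # Hidden is known to be set here, so XOR clears exactly that bit.
            $_.Attributes = $_.Attributes -bxor [IO.FileAttributes]::Hidden
            Write-Host "Unhid $($_.FullName)"
        } else {
            Write-Host "Hidden (not System): $($_.FullName)"
        }
      }
}
```

    Run it once without -Fix and read the output: a token that reports Administrators but roots that show FullControl=False or DenyEntries greater than zero point at the ACL damage that subinacl or the secedit command above is meant to repair, while a token that reports False means the problem sits in the account or local policy rather than on the file system. Only after the ACL repair should the -Fix pass be used to clear the Hidden flags.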

    Author Comment

    I tried to reset file and reg......

    The "reset.cmd" file gives errors. One of these is:

    C:\Program Files\Windows Resource Kits\Tools>subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
    LookupAccountName: HKEY_CLASSES_ROOT: Administrator 1337 The structure of security ID is invalid.

    I tried the other command but nothing changed.

    Just for information.
    The PC was infected with trojan dos/alureon.E, found by Avast.
    After Avast had cleared what it could, I deleted the hidden partition that the virus had created.
    Then I ran the boot-time scan with Avast and a full scan with Windows Defender Offline. Neither of them reported infections.

    Author Comment

    Here's the report from RogueKiller:
    LVL 40

    Assisted Solution

    by:Jackie Man
    Your PC has been infected with the ZeroAccess rootkit.

    According to McAfee:

    "ZeroAccess patches system files to load its malicious code. The original file content is overwritten, but the original system file is kept inside an encrypted virtual file system the rootkit creates. The virtual file system is stored in an unsuspecting file on disk."


    My wild guess is that the original system files were moved by the virus to the hidden partition that you have deleted. So you need a clean re-install of the OS or an in-place install of the OS, as the critical system files should be missing.
    LVL 29

    Expert Comment

    by:Sudeep Sharma
    RogueKiller logs indeed suggest that you have a ZeroAccess infection. Did you run MBAM after RogueKiller?

    Once that is done, run TDSSKiller and post the logs of MBAM and TDSSKiller.


    Author Closing Comment

    I have done a scan with sfc /scannow. Some files were copied from the CD.

    My customer needs the notebook back, so I hope it works now; it looks like it!

    Thanks for helping.

