  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 756
Admin rights gone on XP after virus

Hi

After removing malware/virus on an XP machine I have lost admin rights!

The user is in the admin group but can't install programs etc.; missing rights!

I have created a new user in the admin group; it doesn't work!

The malware/virus must have changed something! Most of the folders are marked as hidden too!!!

Any suggestion?

Best Regards

Ole
Asked by: OleD
3 Solutions
 
Sudeep Sharma (Technical Designer) commented:
You could use the tool below to enable/disable users on the system and reset the password to blank as well.


http://pogostick.net/~pnh/ntpasswd/

In case that didn't work try these.

http://www.petri.co.il/forgot_administrator_password.htm
http://www.worldstart.com/tips/tips.php/1436
http://www.petenetlive.com/KB/Article/0000159.htm


Once you are able to log in as Administrator, let us know so that we can proceed with cleaning the system.

Just make sure that you do not run any temp cleaner or clean the temp files and folders yourself.

Sudeep
0
 
OleD (Author) commented:
I do not have problems logging in, either as a user or administrator.

But it seems like I do not have administrator permissions.

I cannot install programs but am told I lack the necessary rights to the folder etc., although I am a user associated with the Administrators group.

I created a new user and assigned him to the Administrators group, but it doesn't work.

Most directories have been marked as hidden!

/Ole
0
 
Sudeep Sharma (Technical Designer) commented:
I would recommend scanning the system with the tools mentioned below, in the sequence they are mentioned, and posting the logs.

Make sure you DO NOT REBOOT the system after running tools in point 1 & 2.

1. RogueKiller/TheKiller
2. MalwareBytes
3. TDSSKiller

I would also recommend you go through the articles from Younghv and RPG for the links to the tools and for future reference.

Basic Malware Troubleshooting
http://www.experts-exchange.com/A_1940.html

Rogue-Killer-What-a-great-name
http://www.experts-exchange.com/A_4922.html

Stop-the-Bleeding-First-Aid-for-Malware
http://www.experts-exchange.com/A_5124.html

Run MalwareBytes in Quick Mode and, if that requires a reboot, reboot the system and run the tools mentioned in points 1 and 2 again, but this time run MalwareBytes as a Full System Scan.

So in your next reply post the RogueKiller logs, MBAM logs and TDSSKiller logs.

Sudeep
0

 
flubbster commented:
You need to reset file and registry security settings. There are a couple of ways to do this. Try this one first as it is the easiest.

Download and install subinacl.exe:

http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en

Then download and unzip this file:

http://www.winhelponline.com/blog/wp-content/uploads/reset.zip

Run the "reset.cmd" file.

Test


If this does not work, then use the Start > Run command line and execute this command (copy and paste it, as it is long):

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
0
 
OleD (Author) commented:
I tried to reset file and registry......

The "reset.cmd" file gives errors. One of them is:

C: \ Program Files \ Windows Resource Kits \ Tools> subinacl / subkeyreg HKEY_CLASSES_ROOT
/ grant = administrators = f / grant = system = f
LookupAccountName: HKEY_CLASSES_ROOT: Administrator 1337 The structure of security ID is invalid.


I tried the other command but nothing changed.

Just for information:
The PC was infected with the trojan DOS/Alureon.E, found by Avast.
After Avast had cleaned what it could, I deleted the hidden partition that the virus had created.
Then I did a boot-time scan with Avast and a full scan with Windows Defender Offline. Neither of them reported infections.
0
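As an added diagnostic (not part of this thread and not the reset.cmd script linked above), the PowerShell script below checks the three things the posts so far have circled around: whether the logged-on account really carries an Administrators token, whether the Administrators group still has an ACE on the Program Files folder that installers write to, and which top-level folders on the system drive carry a Hidden attribute without the System attribute. It also resolves the well-known SIDs S-1-5-32-544 (Administrators) and S-1-5-18 (SYSTEM) to the account names this installation uses; it is an assumption here, not something the thread confirms, that the "LookupAccountName ... 1337" error comes from reset.cmd using the English names "administrators" and "system" on a localized Windows. The script only reports; the one line that changes anything (clearing the Hidden attribute) is commented out. It targets PowerShell 2.0, which runs on XP SP3.

```powershell
# Added diagnostic example; not code from the thread or from reset.cmd.
# Assumptions: PowerShell 2.0 on XP SP3, run from the account that cannot install software.

# 1. Resolve well-known SIDs to the account names used on THIS installation
#    (localized Windows builds do not call the group "Administrators").
function Get-LocalizedName([string]$Sid) {
    $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $id.Translate([System.Security.Principal.NTAccount]).Value
}
$adminsGroup = Get-LocalizedName 'S-1-5-32-544'   # BUILTIN\Administrators
$systemAcct  = Get-LocalizedName 'S-1-5-18'       # NT AUTHORITY\SYSTEM
"Administrators group on this machine: $adminsGroup"
"SYSTEM account on this machine:       $systemAcct"

# 2. Group membership vs. token: being listed in the group is not the same as
#    the current logon token containing it.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
"Current user $($identity.Name) holds an Administrators token: $isAdmin"

# 3. Does Administrators still have an ACE on Program Files? Installers fail
#    with "lacking rights to the folder" when the ACL has been stripped.
$acl = Get-Acl -Path $env:ProgramFiles
$adminRules = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $adminsGroup })
if ($adminRules.Count -eq 0) {
    "WARNING: no ACE for $adminsGroup on $env:ProgramFiles"
} else {
    $adminRules | ForEach-Object {
        "$($_.IdentityReference): $($_.FileSystemRights) ($($_.AccessControlType))"
    }
}

# 4. Hidden top-level folders on the system drive. Folders that are ALSO
#    System-flagged (System Volume Information, RECYCLER, ...) are hidden by
#    design and are excluded; the rest are candidates for malware tampering.
function Get-HiddenUserFolders([string]$Root) {
    Get-ChildItem -Path $Root -Force | Where-Object {
        $_.PSIsContainer -and
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        -not ($_.Attributes -band [IO.FileAttributes]::System)
    }
}
function Clear-HiddenAttribute($Folder) {
    # Flip only the Hidden bit; leave every other attribute untouched.
    $Folder.Attributes = $Folder.Attributes -bxor [IO.FileAttributes]::Hidden
}
$hidden = @(Get-HiddenUserFolders "$env:SystemDrive\")
"Hidden (non-system) top-level folders under $env:SystemDrive\: $($hidden.Count)"
$hidden | ForEach-Object { "  $($_.FullName)" }
# After reviewing the list, uncomment to restore visibility:
# $hidden | ForEach-Object { Clear-HiddenAttribute $_ }
```

If step 1 prints a group name other than "Administrators", the "administrators" and "system" tokens in reset.cmd need to be replaced with the printed names before the subinacl calls can resolve them. If step 2 prints False even though the account is in the group, log off and on again so a fresh token is built, and if step 3 prints the warning, the ACL reset that flubbster describes is the relevant fix rather than the user account.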
 
OleD (Author) commented:
Here's report from Rogue-Killer:
Report-RK.txt
0
 
Jackie Man commented:
Your PC has been infected with the ZeroAccess rootkit virus.

According to McAfee, it says:-

"ZeroAccess patches system files to load its malicious code. The original file content is overwritten, but the original system file is kept inside an encrypted virtual file system the rootkit creates. The virtual file system is stored in an unsuspecting file on disk."

Source: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23412/en_US/McAfee%20Labs%20Threat%20Advisory-ZeroAccess.pdf

My wild guess is that the original system files were moved by the virus to the hidden partition that you have deleted. So, you need a clean re-install of the OS or an in-place install of the OS, as the critical system files should be missing.
0
 
Sudeep Sharma (Technical Designer) commented:
The RogueKiller logs indeed suggest that you have a ZeroAccess infection. Did you run MBAM after RogueKiller?

Once that is done, run TDSSKiller and post the logs of MBAM and TDSSKiller.

Sudeep
0
 
OleD (Author) commented:
I have done a scan with sfc /scannow. Some files were copied from the CD.

My customer needs the notebook back, so I hope it works now; it looks like it does!

Thanks for helping.

/Ole
0
