XP: Keep losing my admin privileges

Discussion in 'Windows OS' started by giltionel, Feb 18, 2009.

  1. giltionel Newcomer, in training Posts: 16

    Hi all, hope you can help.
    I've been trying to figure this problem out for a month, with no success.

    My laptop runs Windows XP Pro.
    I have, besides the Windows default admin account, another account that is the main one.

    The main account is supposed to have administrative privileges but frequently, after a normal reboot, I find I have lost them.

    Easily fixable: I log in as admin, go to Control Panel ---> User Accounts and add myself again as an administrator. Log off, log on, and it is done.

    Anyway, it is definitely annoying.

    Not sure what the problem is. I tried to look on the internet for something but I wasn't able to find anything fitting this issue.

    In order to provide you all the information, besides the local accounts I'm connected to a company network with a domain.

    Could it be an automatic reset of my local privileges by the domain administrator?

    I really have no idea on how and why this is happening, so if you have some suggestions...

    Thanks for your help, and if you need any other information, I'll be pleased to share it with you.

    Ste
  2. mflynn Newcomer, in training Posts: 2,793

    Begin with the below....

    Do the TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html

    Skip no steps (do not install another virus scanner if you already have one, ask me before installing a Firewall).

    Most importantly update MalwareBytes and SuperAntiSpyware! Attach logs.

    Mike
  3. giltionel Newcomer, in training Posts: 16

    Oh, I forgot to say a lot! I'm sorry.

    No malware, spyware, viruses or similar. I'm a little bit paranoid about computer maintenance and I run checks at least once a week with Malwarebytes, Spybot S&D, Avast and Ad-Aware.

    I ran scandisk both in the Windows XP session and after reboot with no errors found.

    Sorry for the lack of precision. I knew there was something missing.
  4. mflynn Newcomer, in training Posts: 2,793

    Well, you missed something! This just doesn't happen by itself!

    Run MBAM and click logs and post all these back from oldest to newest!

    Do the 8 Steps and get me a SAS scan and log and also a HJT log!

    Mike
  5. giltionel Newcomer, in training Posts: 16

    Here is what was asked.

    Everything is (I guess) as asked, except the name of my company in the HijackThis log.
    I changed it to ---> CENSORED for my privacy and to comply with company policy.
  6. mflynn Newcomer, in training Posts: 2,793

    Run HJT and select and Fix the below
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    Those logs were clean. Do the below and if clean we will address your issue directly!

    Download SDFix to Desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the Enter key to restart the computer.

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished,
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.
    =========================================
    Download ComboFix

    NOTE: If your copy of ComboFix is more than a few days old, delete and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe and follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Mike
     
  7. giltionel Newcomer, in training Posts: 16

    Here are the logs...

    but...

    the issue came out again following a reboot :)
  8. mflynn Newcomer, in training Posts: 2,793

    Had to run some errands.

    Ah ha!

    Just as I thought, a real bad boy, TSServ, plus some minor issues.

    Your issue may now be fixed.

    Update and run them both again as they may find more, we need to confirm them gone if not. We need clean logs.

    Mike
  9. giltionel Newcomer, in training Posts: 16

    Thanks a lot for your help. I'll let you know later on how the things are going when I post the last logs.
  10. mflynn Newcomer, in training Posts: 2,793

    OK but I stress we ARE not finished. Don't stop here or let it get cold.

    Mike
  11. giltionel Newcomer, in training Posts: 16

    For now those....

    tomorrow morning SDfix and MAM
  12. mflynn Newcomer, in training Posts: 2,793

    Yes you still have signs of Malware.

    This should get them.....

    Download RootRepeal http://rootrepeal.googlepages.com/RootRepeal.rar

    Make Folder on your Desktop name it RRepeal. Move the rar file there and extract.

    Enter folder double click RootRepeal.exe.
    Click the Report tab, then click Scan

    It will ask what to include in the scan.

    Check the following
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Then click OK

    It will ask which drive to scan.

    Check C: (or your Windows drive, if not C)
    Click OK
    The scan will begin and will take a while.

    When scan completes, click Save Report.

    Name the log RRepeal.txt and save it to your Documents folder (it should default there). Post it back.

    Then

    Get Nod32

    Download http://finalbuilds.edskes.net/nod32.htm
    Had some issues today with the above link; if it fails go to http://home.hccnet.nl/h.edskes/mirror.htm
    Slide down near the bottom of the page and find nod32; to the right will be 3 Mirrors marked Online. Try each; one of them will work.

    Boot to Safe mode only to run.

    Before scanning click Setup and click all boxes under Scan; typically only System memory is not checked. So check it. Then click Logging, then Scan and clean.

    It is very thorough and may detect some other malware cleaners as a threat, so if it seems to point to, say, SpyBot then click Leave.
    If you have doubt about an issue then Quarantine it and it can be restored.

    Depending on CPU and HD speed and the fact we are in Safe Mode (slower also) it could take a while.

    Mike
  13. giltionel Newcomer, in training Posts: 16

    doing that.

    In the meantime, the last SDfix report
  14. mflynn Newcomer, in training Posts: 2,793

    Roger that!

    The SDFix was clean so these last 2 should do it!

    Has the issue popped up lately?

    Mike
  15. giltionel Newcomer, in training Posts: 16

    Yes, the issue came back again this morning. Again no administrator privileges. :)

    Here is the RootRepeal report.

    Going to run Nod32, so see you in a while :)
  16. mflynn Newcomer, in training Posts: 2,793

    Nothing obvious in that log except some very suspicious temps.

    So..

    After the NOD32 scan do the below Disk/Temp and Registry cleanups.

    Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom, no Yahoo toolbar)
    Run twice or more on Cleanup temps, then on the left click Registry then Scan for issues; also repeat till clean. (If you have concerns about registry cleaners, CCleaner is very gentle and does a backup.)

    Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

    KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
    Fantastic cleaner.
    -------------------------------------------------------------------------------------
    The issues can be and likely are found in System Restore, so do the below.

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "Cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and then OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.

    Mike
  17. giltionel Newcomer, in training Posts: 16

    Ok, I'm done with NOD32, which found just threats in Spybot, SAS and SDFix... I left them.
    I checked the box for automatic log, but it was not created.

    I performed the cleaning with CCleaner, ATF and KCleaner.

    In addition I'm done with the deletion of shadow copies.
  18. mflynn Newcomer, in training Posts: 2,793

    OK, now let's address the possible causes of your issues.

    Boot to Safe Mode with Networking.
    Update then run SuperAntiSpyware

    Then click Preferences
    then click Repairs

    Then, counting down from the top, do the following entries; this will cover several bases.

    Numbers 6, 8, 11, 12, 13, 15, 18, 19, 20, 21, 22, 24, 25, 26 and 27!

    Then back to normal do the below..

    Download Dial-A-Fix (DAF)
    http://wiki.djlizard.net/Dial-a-fix#...C_and_articles
    http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip

    Have XP CD available in case DAF needs a file.

    Check all boxes on the screen (clear any restrictions if it shows any)
    Then click GO!

    When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

    Here 1 at a time do the below

    Flush DNS
    Repair Permissions

    Watch for any File not found or other errors and make note as this may lead to the fix!

    After reboot check for the issue!

    Mike
  19. giltionel Newcomer, in training Posts: 16

    Have to wait until tonight to perform these checks.
    I will let you know here how things go.
  20. mflynn Newcomer, in training Posts: 2,793

    OK, trust me, don't be afraid of DAF; a lot of people are.

    But it is one of the safest programs I know of.

    Basically it just unregisters DLLs, ActiveX etc. then reregisters them, and in so doing corrects corrupted or missing registry entries. Not its intended purpose, but as it does its job it will find missing DLLs (best way I know of to do so) and will find access violations indicating a permissions issue.

    Mike