XP: Keep losing my admin privileges

Status
Not open for further replies.

giltionel

Posts: 16   +0
Hi all, hope you can help.
It's one month I'm trying to figure this proble out, with no success.

My laptop runs windows xp pro.
I have, beside the windows default admin account, another account that is the main one.

The main account is supposed to have administrative privileges but frequently, after a normal reboot, I find to have lost them.

Easily fixable: I access as admin to the control panel---> users account and add myself again as an administrator. Log off, log on, and is done.

Anyway, is definitely annoying.

Not sure what the problem is. I tried to look on internet for something but I wasn't able to find anything fitting this issue.

In order to provide you all the informations, beside the local accounts I'm connected to a company network with a domain.

Should be an automatic reset of the domain administrator on my local privileges?

I really have no idea on how and why this is happening, so if you have some suggestions...

Thanks for your help, and if you need any other information, I'll be pleased to share them with you.

Ste
 
Oh, I forgot a lot to say! I'm sorry.

No malwares, spywares, viruses or similars. I'm a little bit paranoic with computer maintainance and I'm running checks at least once a week with Malware bytes, spybot S&D, Avast and ad-aware.

I ran scandisk both in the windows xp session and after reboot with no errors found.


Sorry for the lack of precision. I knew there was something missing
 
Well you missed something! This just do happen by itself!

Run MBAM and click logs and post all these back from oldest to newest!

Do the 8 Steps and get me a SAS scan and log and also a HJT log!

Mike
 
here what was asked

Everything is (i guess) as asked, but the name of my company in the hijackthis log.
I changed it to ---> CENSORED for my privacy and to accomplish the company policy.
 
Run HJT and select and Fix the below
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Those logs were clean do the below and if clean we will address you issue directly!

Download SDFix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On Desktop run SDdFix It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click thu all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click to RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
=========================================
Download ComboFix

NOTE: If you have had ComboFix more than a few days old delete and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click combofix's window while its running. That may cause it to stall.

Mike
 
Had to run some errands.

Ah ha!

Just as I thought a real bad boy TSServ plus some minor issues.

Your issue may now be fixed.

Update and run them both again as they may find more, we need to confirm them gone if not. We need clean logs.

Mike
 
Thanks a lot for your help. I'll let you know later on how the things are going when I post the last logs.
 
Yes you still have signs of Malware.

This should get them.....

Download RootRepeal http://rootrepeal.googlepages.com/RootRepeal.rar

Make Folder on your Desktop name it RRepeal. Move the rar file there and extract.

Enter folder double click RootRepeal.exe.
Click the Report tab, then click Scan

It will ask what to include in the scan.

Check the following
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Then click OK

It wil ask which drive to scan.

Check C: (or your windows drive, if not C)
Click OK
The scan will begin will take a while.

When scan completes, click Save Report .

Name the log RRepeal.txt save it to your Documents folder (it should default there). Post it back.

Then

Get Nod32

Download http://finalbuilds.edskes.net/nod32.htm
Had some issues today with above link if it fails go to http://home.hccnet.nl/h.edskes/mirror.htm
Slide down near bottom of page find nod32, to the right will be 3 Mirrors marked Online try each one of them will work.

Boot to Safe mode only to run.

Before Scanning click Setup and click all boxes under Scan typically only System memory is not checked. So check it. Then click logging, Then Scan and clean.

It is very thorough and may detect some other malware cleaners as a threat so if it seems to point say SpyBot then click Leave.
If you have doubt about and issue then Quarintine it and it can be restored.

Depending on CPU and HD speed and the fact we are in (Safe Mode slower also) it could take a while.

Mike
 
Roger that!

The SDFfix was clean so these last 2 should do it!

Has the issue popped up lately?

Mike
 
Yes, the issue came back again this morning. Again no administrator privileges. :)

Here the rootreeal report.

Going to run Nod32, so see you in a while :)
 
Nothing obvious in that log except some very suspisious temps.

So..

After NOD32 scan do the below Disk/Temp and Registry cleanups

Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean. (if you have concerns of registry cleaners CCleaner is very gentle and does a backup).

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner.
-------------------------------------------------------------------------------------
The issues can and are likely found is in System Restore so do the below

Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "Cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.

Mike
 
Ok, I'm done with NOD32 that found just theats in spybot, SAS and SDfix... i left.
I checked the box for automatic log, but It was not created.

I performed the cleaning with CCleaner, ATF and KCleaner.

In addition I'm done witht the deletion of shadow copies.
 
OK now lets address the possible causes of your issues.

Boot to Safe Mode Networking.
Update then run SuperAntiSpyware

Then Click Preferences
then click Repairs

Then counting down from top do the following entries this will cover several bases.

Numbers 6, 8, 11, 12, 13, 15,18, 19, 20, 21, 22, 24, 25, 26 and 27!

Then back to normal do the below..

Download Dial-A-Fix (DAF)
http://wiki.djlizard.net/Dial-a-fix#...C_and_articles
http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip

Have XP CD available in case DAF needs a file.

Check all boxes on the screen (clear any restrictions if it shows any)
Then click GO!

When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

Here 1 at a time do the below

Flush DNS
Repair Permissions

Watch for any File not found or other errors and make note as this may lead to the fix!

After reboot check for the issue!

Mike
 
OK trust me don't be afraid of DAF a lot of people are.

But it is one of the safest programs I know of.

Basically it just unregisters dlls, activex etc then reregisters and in so doing corrects corrupted or missing registry entries. Not its intended purpose but as it does its job it will find missing DLL's (best way I know of to do so) and will find access violations indicating a permissions issue.

Mike
 
done. Everything seems to work fine! Thanks!

Have just another little issue now... at any reboot SDfix start to search for malware... (to let you better understand...it keeps going to present the window that appeared following the rebbot after the safe mode scan was done )

Just solved this thing, so i think i'm fine now!

Thanks again for your help :)
 
OK I am going to put you thru the closing that will remove SDFix and the other special cleaners that should always be downloaded if needed later.

Thread Closing-------------------------------------------------------------------

Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

Remove ComboFix
Start-Run
type
combofix /u
Hit enter or click OK.

Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.


Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

Approve all if prompted by Firewall. Approve Widows Defender or other guards or security programs while OTCleanIt attempting access to the Internet to allow all.

If prompted to Reboot click, Yes.
OTCleanit will delete itself when finished, If not delete it by yourself.

-------------------------------------------------------------------------------------
Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner.
-------------------------------------------------------------------------------------
The issues can and are likely found is in System Restore so do the below

Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------

Every two weeks or so, run MBAM and SAS until clean.

They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

If they find something they can not clean, then get back to us.

Additionally run CCleaner. ATF-Cleaner and KCleaner.
----------------------------------------------------------------------------------------
I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to be used with and to co-exist with other Virus scanners.

Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

It's like looking at it with 2 sets of eyes and from a different angle.

It works like some Firewalls do to learn what is good/bad.

After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

As it queries you about the prompt to help you determine to approve or not you can google it with one click.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot ocassionally and use the Immunize function.
http://www.safer-networking.org/en/download/

I highly reccomend Hostman: Hostman http://majorgeeks.com/HostsMan_d4592.html

Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.

A Disk Scan (chkdsk) and Defrag are in order.

Mike

EDIT: Please do keep me posted on your original issue. As I have one more possible fix.
 
OKEY Dookie!

Lets shoot the big guns.

Download Win2003 Resource Kit, then install, must be to the default location do not change. It is fully compatable with XP even tho it says 2003.

http://www.microsoft.com/downloads/...69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

Then

Browse to C:\Program files Dial-A-Fix folder and copy the 2 secedit files into
C:\Program Files\Windows Resource Kits\Tools folder.

Then do the below

Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.

Then paste to the black screen of an open command prompt
Code:
@echo off
:: Fix Access denied
cd /d "C:\Program Files\Windows Resource Kits\Tools"

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
exit
exit

This will take perhaps 30 mins to an hour depending on Processor, disk speed and size of registry.


Mike
 
Status
Not open for further replies.
Back