XP: Keep losing my admin privileges

By giltionel
Feb 18, 2009
Topic Status:
Not open for further replies.
  1. Hi all, hope you can help.
    It's one month I'm trying to figure this proble out, with no success.

    My laptop runs windows xp pro.
    I have, beside the windows default admin account, another account that is the main one.

    The main account is supposed to have administrative privileges but frequently, after a normal reboot, I find to have lost them.

    Easily fixable: I access as admin to the control panel---> users account and add myself again as an administrator. Log off, log on, and is done.

    Anyway, is definitely annoying.

    Not sure what the problem is. I tried to look on internet for something but I wasn't able to find anything fitting this issue.

    In order to provide you all the informations, beside the local accounts I'm connected to a company network with a domain.

    Should be an automatic reset of the domain administrator on my local privileges?

    I really have no idea on how and why this is happening, so if you have some suggestions...

    Thanks for your help, and if you need any other information, I'll be pleased to share them with you.

    Ste
  2. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Begin with the below....

    Do the TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html

    Skip no steps (do not install another virus scanner if you already have one, ask me before installing a Firewall).

    Most importantly update MalwareBytes and SuperAntiSpyware! Attach logs.

    Mike
  3. giltionel

    giltionel Newcomer, in training Topic Starter Posts: 16

    Oh, I forgot a lot to say! I'm sorry.

    No malwares, spywares, viruses or similars. I'm a little bit paranoic with computer maintainance and I'm running checks at least once a week with Malware bytes, spybot S&D, Avast and ad-aware.

    I ran scandisk both in the windows xp session and after reboot with no errors found.


    Sorry for the lack of precision. I knew there was something missing
  4. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Well you missed something! This just do happen by itself!

    Run MBAM and click logs and post all these back from oldest to newest!

    Do the 8 Steps and get me a SAS scan and log and also a HJT log!

    Mike
  5. giltionel

    giltionel Newcomer, in training Topic Starter Posts: 16

    here what was asked

    Everything is (i guess) as asked, but the name of my company in the hijackthis log.
    I changed it to ---> CENSORED for my privacy and to accomplish the company policy.
  6. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Run HJT and select and Fix the below
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    Those logs were clean do the below and if clean we will address you issue directly!

    Download SDFix to Desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDdFix It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click thu all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click to RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished,
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.
    =========================================
    Download ComboFix

    NOTE: If you have had ComboFix more than a few days old delete and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while its running. That may cause it to stall.

    Mike
  7. giltionel

    giltionel Newcomer, in training Topic Starter Posts: 16

    here the logs...

    but...

    the issue came out again following a reboot :)
  8. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Had to run some errands.

    Ah ha!

    Just as I thought a real bad boy TSServ plus some minor issues.

    Your issue may now be fixed.

    Update and run them both again as they may find more, we need to confirm them gone if not. We need clean logs.

    Mike
  9. giltionel

    giltionel Newcomer, in training Topic Starter Posts: 16

    Thanks a lot for your help. I'll let you know later on how the things are going when I post the last logs.
  10. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK but I stress we ARE not finished. Don't stop here or let it get cold.

    Mike
  11. giltionel

    giltionel Newcomer, in training Topic Starter Posts: 16

    For now those....

    tomorrow morning SDfix and MAM
     
  12. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Yes you still have signs of Malware.

    This should get them.....

    Download RootRepeal http://rootrepeal.googlepages.com/RootRepeal.rar

    Make Folder on your Desktop name it RRepeal. Move the rar file there and extract.

    Enter folder double click RootRepeal.exe.
    Click the Report tab, then click Scan

    It will ask what to include in the scan.

    Check the following
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Then click OK

    It wil ask which drive to scan.

    Check C: (or your windows drive, if not C)
    Click OK
    The scan will begin will take a while.

    When scan completes, click Save Report .

    Name the log RRepeal.txt save it to your Documents folder (it should default there). Post it back.

    Then

    Get Nod32

    Download http://finalbuilds.edskes.net/nod32.htm
    Had some issues today with above link if it fails go to http://home.hccnet.nl/h.edskes/mirror.htm
    Slide down near bottom of page find nod32, to the right will be 3 Mirrors marked Online try each one of them will work.

    Boot to Safe mode only to run.

    Before Scanning click Setup and click all boxes under Scan typically only System memory is not checked. So check it. Then click logging, Then Scan and clean.

    It is very thorough and may detect some other malware cleaners as a threat so if it seems to point say SpyBot then click Leave.
    If you have doubt about and issue then Quarintine it and it can be restored.

    Depending on CPU and HD speed and the fact we are in (Safe Mode slower also) it could take a while.

    Mike
  13. giltionel

    giltionel Newcomer, in training Topic Starter Posts: 16

    doing that.

    In the meantime, the last SDfix report
  14. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Roger that!

    The SDFfix was clean so these last 2 should do it!

    Has the issue popped up lately?

    Mike
  15. giltionel

    giltionel Newcomer, in training Topic Starter Posts: 16

    Yes, the issue came back again this morning. Again no administrator privileges. :)

    Here the rootreeal report.

    Going to run Nod32, so see you in a while :)
  16. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Nothing obvious in that log except some very suspisious temps.

    So..

    After NOD32 scan do the below Disk/Temp and Registry cleanups

    Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
    Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean. (if you have concerns of registry cleaners CCleaner is very gentle and does a backup).

    Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

    KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
    Fantastic cleaner.
    -------------------------------------------------------------------------------------
    The issues can and are likely found is in System Restore so do the below

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "Cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.

    Mike
  17. giltionel

    giltionel Newcomer, in training Topic Starter Posts: 16

    Ok, I'm done with NOD32 that found just theats in spybot, SAS and SDfix... i left.
    I checked the box for automatic log, but It was not created.

    I performed the cleaning with CCleaner, ATF and KCleaner.

    In addition I'm done witht the deletion of shadow copies.
  18. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK now lets address the possible causes of your issues.

    Boot to Safe Mode Networking.
    Update then run SuperAntiSpyware

    Then Click Preferences
    then click Repairs

    Then counting down from top do the following entries this will cover several bases.

    Numbers 6, 8, 11, 12, 13, 15,18, 19, 20, 21, 22, 24, 25, 26 and 27!

    Then back to normal do the below..

    Download Dial-A-Fix (DAF)
    http://wiki.djlizard.net/Dial-a-fix#...C_and_articles
    http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip

    Have XP CD available in case DAF needs a file.

    Check all boxes on the screen (clear any restrictions if it shows any)
    Then click GO!

    When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

    Here 1 at a time do the below

    Flush DNS
    Repair Permissions

    Watch for any File not found or other errors and make note as this may lead to the fix!

    After reboot check for the issue!

    Mike
  19. giltionel

    giltionel Newcomer, in training Topic Starter Posts: 16

    Have to wait tonight to perform these checks.
    I will let you know here how things go.
  20. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK trust me don't be afraid of DAF a lot of people are.

    But it is one of the safest programs I know of.

    Basically it just unregisters dlls, activex etc then reregisters and in so doing corrects corrupted or missing registry entries. Not its intended purpose but as it does its job it will find missing DLL's (best way I know of to do so) and will find access violations indicating a permissions issue.

    Mike
  21. giltionel

    giltionel Newcomer, in training Topic Starter Posts: 16

    done. Everything seems to work fine! Thanks!

    Have just another little issue now... at any reboot SDfix start to search for malware... (to let you better understand...it keeps going to present the window that appeared following the rebbot after the safe mode scan was done )

    Just solved this thing, so i think i'm fine now!

    Thanks again for your help :)
  22. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK I am going to put you thru the closing that will remove SDFix and the other special cleaners that should always be downloaded if needed later.

    Thread Closing-------------------------------------------------------------------

    Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

    Remove ComboFix
    Start-Run
    type
    combofix /u
    Hit enter or click OK.

    Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    Save to desktop.

    This will remove all the tools we used to clean your computer.


    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by Firewall. Approve Widows Defender or other guards or security programs while OTCleanIt attempting access to the Internet to allow all.

    If prompted to Reboot click, Yes.
    OTCleanit will delete itself when finished, If not delete it by yourself.

    -------------------------------------------------------------------------------------
    Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
    Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

    Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

    KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
    Fantastic cleaner.
    -------------------------------------------------------------------------------------
    The issues can and are likely found is in System Restore so do the below

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    -------------------------------------------------------------------------------------

    Every two weeks or so, run MBAM and SAS until clean.

    They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

    If they find something they can not clean, then get back to us.

    Additionally run CCleaner. ATF-Cleaner and KCleaner.
    ----------------------------------------------------------------------------------------
    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to be used with and to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

    It's like looking at it with 2 sets of eyes and from a different angle.

    It works like some Firewalls do to learn what is good/bad.

    After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

    As it queries you about the prompt to help you determine to approve or not you can google it with one click.

    http://www.threatfire.com/Download/
    -------------------------------------------------------------------------------------
    Look at http://www.javacoolsoftware.com/spywareblaster.html

    Run SpyBot ocassionally and use the Immunize function.
    http://www.safer-networking.org/en/download/

    I highly reccomend Hostman: Hostman http://majorgeeks.com/HostsMan_d4592.html

    Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.

    A Disk Scan (chkdsk) and Defrag are in order.

    Mike

    EDIT: Please do keep me posted on your original issue. As I have one more possible fix.
  23. giltionel

    giltionel Newcomer, in training Topic Starter Posts: 16

    :( again I logged in without admin privileges :(

    I was rebooting after the first step.
  24. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OKEY Dookie!

    Lets shoot the big guns.

    Download Win2003 Resource Kit, then install, must be to the default location do not change. It is fully compatable with XP even tho it says 2003.

    http://www.microsoft.com/downloads/...69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

    Then

    Browse to C:\Program files Dial-A-Fix folder and copy the 2 secedit files into
    C:\Program Files\Windows Resource Kits\Tools folder.

    Then do the below

    Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.

    Then paste to the black screen of an open command prompt
    Code:
    @echo off
    :: Fix Access denied
    cd /d "C:\Program Files\Windows Resource Kits\Tools"
    
    subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
    subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
    subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
    subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
    subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f
    
    secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
    exit
    exit
    This will take perhaps 30 mins to an hour depending on Processor, disk speed and size of registry.


    Mike
  25. giltionel

    giltionel Newcomer, in training Topic Starter Posts: 16

    Got everything but... in the dial a fix folder i have just ONE secedit.exe.... is it fine?
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.