Ongoing Virus/Malware/Spyware Issues - Restricted Admin Rights on Win 2k Pro machine

Hello...

I was wondering if anyone had any insight on how to fix the following issue my friend is experiencing on his machine.

I've run through Howard's 15 preliminary steps as best I could, installed all requested applications, applied updates, ran the scans, etc., and I believe I successfully removed all the infected files that were found. As of yesterday, the AVG, AVGSpyware, SS&D, AdAware scans were all coming up "clean". The Panda rootkit scan also came up clean (no rootkits).

I had some problems running the SmitFraudFix application. It was able to create a log, but when running selection #2 (Clean) it just "hung" after "Killing processes" and then "Hosts"... I left it alone for 30 minutes but there was nothing further, so I stopped it. There was also an issue running Combofix: as the functions "scrolled by", it appeared that a lot of "loading" of files was "not successful", and that it did not find the file or directory "runs.dat". Saving of registry key windows\currentversion\run to temp00.hiv was not successful, etc. It did go through all the stages, and perhaps these messages are indicative of nothing being found, but it is not clear to me that Combofix was successful.

I've attached the requested scan logs for HJT, Combofix, and AVG Antispyware (post scans). Actually, I'm running the AVG Antispyware again because it did not save the report from yesterday. I will post as soon as it is done, but here are the other two logs.

However, I am still experiencing a problem with administrative rights. In addition to the built-in administrator account, my friend only had his user account with full administrative rights, which he used for everything. Of course, this led to some really ugly virus/spyware/malware installations on his system.

When logging in under either his personal account (which has full administrative rights) or the built-in administrator account, I keep getting "access is denied" errors for the following: attempting to install new hardware (the monitor driver has a problem, and every time the machine boots it wants to reinstall the driver to fix it; however, instead of being allowed to fix it, I get the message that I don't have sufficient rights to install new hardware and should see my system administrator).

As part of the ongoing challenge of cleaning his machine, I did a Windows repair, which reverted the system back to Service Pack 3. I downloaded Service Pack 4 for Windows 2000 and attempted to install it, and received an error that access to certain registry keys was denied (the install was being done as an administrator). I believe the error was something along the lines of the client not holding sufficient privileges for that key. I have not been able to upgrade to Service Pack 4.

Also, I cannot do Windows updates on the system through Automatic Updates. I get notified that the updates are available; however, if I attempt to download the updates it just quietly does nothing. Same thing if I go to the MS web page to manually update: the system just hangs at the point where the download is supposed to take place.

On the other hand, I was able to download and install all the recommended antivirus and spyware software, so it does not appear that ALL admin rights have been restricted, just certain ones.

I have Event Viewer errors every time I boot up that say:

"The Point to Point Protocol module C:\WINNT\System32\rastls.dll returned an error while initializing. The network request is not supported."
"The Control Protocol EAP in the Point to Point Protocol module C:\WINNT\System32\rasppp.dll returned an error while initializing. The network request is not supported."
"Remote Access Connection Manager failed to start because the Point to Point Protocol failed to initialize. The network request is not supported."
"The Remote Access Connection Manager service terminated with the following error: The network request is not supported."
"The Internet Connection Manager service failed to start because of the following error: The network request is not supported."
"Remote Access Connection Manager failed to start because it could not create buffers. Restart the computer. Access is denied."
"The Remote Access Connection Manager service terminated with the following error: Access is denied."

I understand that these services are related to network connectivity and this is a standalone machine, but I don't believe I should be receiving these errors (maybe someone can clarify).

A week or so ago he had some ugly malware/spyware/virus infections on his system (including rootkits) that now appear to be gone (based on the scans), but I can't rest until this administrative rights issue is resolved. I've created a regular user account and instructed him on its use, so hopefully this does not happen again (well, that, along with the fortress of antispyware/antivirus software that is now installed on the machine).

Would another Windows repair do the trick as far as getting back admin rights? I ran the Windows repair utility at one point when the machine would only boot into safe mode to see if it would fix it (it didn't; there was a driver conflict between Kaspersky antivirus and the Logitech camera that had to be resolved to be able to boot into normal Windows), but I DID appear to have admin rights for about a day after the Windows repair (before, I assume, a resident virus/malware/rootkit/whatever took it away again).

Sorry for the long post, I just wanted to be as specific as possible...Any ideas, help, please? I realize that by this point in time I could have done a complete system restore (and maybe should have), but my friend didn't want to go that route due to potential loss of data and is about to buy a Macbook and relegate this windows machine to very basic use....
 

Hello and welcome to Techspot.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

FGLRXUTIL (FGLRXUtil)

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for the following (if there).

frxhser.exe
frxhapp.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

O4 - HKLM\..\Run: [Frxmxins] frxmxins

O23 - Service: FGLRXUTIL (FGLRXUtil) - ATI Technologies, Inc. - C:\WINNT\System32\frxhser.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders(if there).

C:\WINNT\System32\frxhser.exe
C:\WINNT\system32\frxhapp.exe

Reboot into normal mode and rehide your protected OS files.

Post fresh HJT and Combofix logs. Please let me know if you`re still having problems and what they are.

Regards Howard :wave: :wave:

This thread is for the use of Sillykitty only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
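The stop/disable/kill/delete sequence Howard gives above, written out as a script. This is an added example and is not from his post or from anything else in the thread; the service, process, file and Run-value names are the ones he lists, the quarantine folder is an assumption, and it assumes an elevated PowerShell on a current Windows build (Windows 2000 has no PowerShell, so there the equivalent is services.msc, Task Manager and Explorer, exactly as he describes). What it adds over the manual steps are the checks a responder wants: record the service's image path before touching it, hash and quarantine the binaries rather than deleting them outright, and verify that the disable actually took, since on this machine administrative actions were failing with "access denied".

```powershell
# Added example, not part of Howard's post: his stop/disable/kill/delete steps as a script, with
# the checks a responder wants before destroying evidence. Names are the ones from the thread.
# Assumption: run from an elevated PowerShell on a current Windows build (Windows 2000 has no
# PowerShell; there the same steps are services.msc, Task Manager and Explorer, as he describes).
$ServiceName = 'FGLRXUtil'
$ProcNames   = @('frxhser', 'frxhapp')
$Files       = @('C:\WINNT\System32\frxhser.exe', 'C:\WINNT\System32\frxhapp.exe')
$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue    = 'Frxmxins'
$Quarantine  = Join-Path $env:USERPROFILE 'Desktop\quarantine'   # assumed location, not from the thread
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

function Disable-SuspectService {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host "service ${Name}: not present"; return }
    # Record the image path first: a service carrying a vendor name (here ATI) but pointing at an
    # unrelated binary in System32 is the tell, and the path is what you look up later.
    $cfg = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    Write-Host "service $Name image path: $($cfg.PathName)"
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue }
    Set-Service -Name $Name -StartupType Disabled -ErrorAction SilentlyContinue
    # Verify: on a machine like this one Set-Service can silently fail with access denied
    $after = (Get-CimInstance Win32_Service -Filter "Name='$Name'").StartMode
    if ($after -ne 'Disabled') { Write-Warning "$Name still has start mode $after; rerun elevated" }
}

function Stop-SuspectProcess {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $procs = Get-Process -Name $n -ErrorAction SilentlyContinue
        if (-not $procs) { Write-Host "process ${n}: not running"; continue }
        foreach ($p in $procs) {
            Write-Host "killing $n pid $($p.Id) from $($p.Path)"
            Stop-Process -Id $p.Id -Force
        }
    }
}

function Remove-SuspectFile {
    param([string[]]$Paths, [string]$Dest)
    foreach ($f in $Paths) {
        if (-not (Test-Path -LiteralPath $f)) { Write-Host "file ${f}: not present"; continue }
        # Hash, then quarantine rather than delete: the hash can be checked against AV vendor data
        # later and the sample is still there if the cleanup turns out to have been wrong.
        $h = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        "$h  $f" | Add-Content -Path (Join-Path $Dest 'hashes.txt')
        try { Move-Item -LiteralPath $f -Destination $Dest -Force; Write-Host "quarantined $f sha256=$h" }
        catch { Write-Warning "could not move ${f}: $($_.Exception.Message) (in use? retry from safe mode)" }
    }
}

function Remove-RunEntry {
    param([string]$Key, [string]$Name)
    $cur = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if (-not $cur) { Write-Host "Run value ${Name}: not present"; return }
    # Data with no path (the HJT entry shows just "frxmxins") is located by the normal executable
    # search at logon, so the binary need not be in System32 at all; note the data before removing it.
    Write-Host "removing Run value $Name = '$($cur.$Name)'"
    Remove-ItemProperty -Path $Key -Name $Name
}

Disable-SuspectService -Name $ServiceName
Stop-SuspectProcess   -Names $ProcNames
Remove-RunEntry       -Key $RunKey -Name $RunValue
Remove-SuspectFile    -Paths $Files -Dest $Quarantine
```

Run it from safe mode as Howard says, then reboot and run it again: every step should report "not present" or "not running" on the second pass, and anything that comes back is the sign that something else is re-creating it.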
 
Hi Howard,

Thanks so much for your speedy response.

As instructed, I booted into safe mode and logged into a regular user account.

I ran the services.msc and found the FGLRXUTIL (FGLRXUtil) service. It was set to automatic, but the service was in a stopped mode.

I got an access denied error when attempting to change the startup to "disabled", so, I logged into an account with admin rights, and was able to do it there. I logged back into a regular user account and verified that the startup for this service retained the "disabled" selection.

Neither processes frxhser.exe or frxhapp.exe were running in the task manager.

Unfortunately, when closing all windows and running HJT, I got this error: "For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this. If that happens, you need to edit the file yourself. To do this, click Start, Run and type: notepad C:\WINNT\System32\Drivers\etc\hosts and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as "hosts" (with quotes), and reboot. For Vista: simply exit HijackThis, right click on the HijackThis icon, choose "Run as Administrator"." I simply clicked OK. I assume this message was due to using a regular user account, since I have not been getting it previously.

I put a check mark into the O4 - HKLM\..\Run: [Frxmxins] frxmxins but the other selection (O23 - Service: FGLRXUTIL (FGLRXUtil) - ATI Technologies, Inc. - C:\WINNT\System32\frxhser.exe) did not appear as a service in HJT any longer (though I see that it was there in my original log). I fixed the O4 - HKLM\..\Run: [Frxmxins] frxmxins using HJT, but was not able to fix the FGLRXUtil (as it did not appear this time as a selection).

I checked for the two files you indicated in the system32 directory. Both are there (frxhapp.exe and frxhser.exe), but neither allows me to delete it. I got the error "Cannot delete frxhapp: Access is denied. The source file may be in use". Same error when I attempted to delete frxhser.exe. I logged into a user account (still in safe mode) that had admin rights; this time I was able to delete both these files, and emptied the recycle bin.

Unfortunately, when I rebooted into normal Windows I still had the error "You do not have sufficient security privileges to install devices on this computer. Please contact your site administrator, or log out and log in again as an administrator and try again".

Also still could not connect to any Microsoft update sites and still getting exact same event viewer errors.

Here are the fresh HJT and Combofix logs, along with the AVG Antispyware log I had running today.

Anything more I can do??
 
1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT and Combofix log.

Regards Howard :)

 
Hi Howard,

Ok, so I downloaded the avengerscript.txt file and ran it using the Avenger program as you described. I've attached the log.

Also attached are fresh HJT and Combo Fix logs.

There's been no change in the status of the system; admin rights are still funky!

I don't know if it makes a difference, but that FGLRXUtil service, though disabled, still shows up in my services.msc. I was only able to disable it, as it does not show up in my HJT scan where I could "fix" it.

Let me know what you think...

Carla
 
HJT log is clean.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

Navigate to the following bold entries and delete them.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Frxmxins

Then, in regedit do the following.

Click edit and choose find. Type FGLRXUTIL into the dialogue box and click the find next button. Regedit will now search your registry for any entries that contain a reference to FGLRXUTIL and display them in the righthand pane. Right click on any such FGLRXUTIL entries and choose delete.

Now click edit again and choose find next. Again, delete any entries that reference FGLRXUTIL.

Repeat the above, until no more FGLRXUTIL entries are found.

If none of the above helps, I suggest you try a Windows repair as per this thread HERE.

If that still doesn`t help, then a reformat and reinstall may be the only option left.

Regards Howard :)

 
Hi Howard,

Thanks for all the help you've provided me today.

I deleted "Frxmxins" from the registry as indicated in your message below.

I was able to delete one registry key that referenced FGLRXUTIL; however, there is another key, My Computer\Hkey_Local_Machine\System\Controlset001\Enum\Root\Legacy_FGLRXUTIL, that won't delete. I get the error "Cannot delete Legacy_FGLRXUTIL: Error while deleting key." Do you know of any other way to delete this from the registry? If there is another way, I'd like to try it. I recognize the limitations of what can be done at this point, but I'm hoping against hope that maybe if I can get rid of this the admin rights might be rectified. I rebooted into normal Windows after deleting what I could from the registry and still have the troublesome symptoms; however, upon checking my services.msc, FGLRXUTIL no longer shows up (though the legacy entry still does).

Otherwise, a Windows repair option is possible, but I don't think my friend will go for reformatting, at least until he gets a new machine. He's willing to limp along as it is, funky admin rights and everything.
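A note on the stuck key, and an added example that is not part of Howard's instructions or Carla's reply. The LEGACY_* keys under HKLM\SYSTEM\ControlSetNNN\Enum\Root are created by Windows for non-plug-and-play drivers and services, and they carry a restrictive ACL; regedit's plain Delete on them fails with exactly "Error while deleting key", and that by itself is normal Windows behaviour rather than evidence of surviving malware. The way to remove one is to take ownership and grant yourself rights first, which on Windows 2000 means the Permissions dialog in regedt32. The script below does the same thing on a current Windows build with PowerShell (Windows 2000 has none): it scripts the regedit Edit > Find step from Howard's post above, then removes a key by enabling SeTakeOwnershipPrivilege through a small P/Invoke helper, setting Administrators as owner, granting full control down the tree and deleting. The key path and search string are the ones from the thread; the backup file name and the privilege-helper class are assumptions. Check two things before running it: that the FGLRXUtil service is really gone, since Windows recreates a LEGACY_ entry whenever the service next starts, and that you have exported the hive, because a wrong path here deletes a live tree.

```powershell
# Added example, not from the thread: regedit's Find as a script, plus removal of a key whose ACL
# makes regedit report "Error while deleting key". Assumption: elevated PowerShell on a current
# Windows build (Windows 2000 has no PowerShell; there use regedt32's Permissions dialog).
# Back up the hive first:  reg export HKLM\SYSTEM C:\system-backup.reg   (file name assumed)

# Enable SeTakeOwnershipPrivilege in this process. Administrators hold it but it starts disabled,
# and without it a key whose DACL grants Administrators nothing cannot be opened even for WRITE_OWNER.
if (-not ('Priv' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Priv {
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst,
                                             int len, IntPtr prev, IntPtr relen);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    public static bool Enable(string privilege) {
        IntPtr htok = IntPtr.Zero;
        if (!OpenProcessToken(GetCurrentProcess(), 0x28 /* TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY */, ref htok)) return false;
        TokPriv1Luid tp; tp.Count = 1; tp.Luid = 0; tp.Attr = 2 /* SE_PRIVILEGE_ENABLED */;
        if (!LookupPrivilegeValue(null, privilege, ref tp.Luid)) return false;
        // AdjustTokenPrivileges returns TRUE even if the privilege is not held; GetLastError tells.
        return AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
               && Marshal.GetLastWin32Error() == 0;
    }
}
'@
}

# regedit's Edit > Find, scripted: key names, value names and value data containing $Needle.
# HKLM:\SYSTEM lists CurrentControlSet and ControlSet001 separately although they are the same data.
function Find-RegistryReference {
    param([string]$Needle, [string[]]$Roots = @('HKLM:\SYSTEM', 'HKLM:\SOFTWARE'))
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_.PSChildName -like "*$Needle*") { $_.Name; return }
            foreach ($v in $_.GetValueNames()) {
                if ($v -like "*$Needle*" -or ([string]$_.GetValue($v)) -like "*$Needle*") { "$($_.Name) [$v]"; break }
            }
        }
    }
}

# Take ownership of a key, grant Administrators full control, and recurse so child keys with
# their own ACLs (LEGACY_* keys normally have a 0000 subkey) do not block the tree delete.
function Grant-KeyControl {
    param([string]$SubKey)   # path under HKLM
    $hklm   = [Microsoft.Win32.Registry]::LocalMachine
    $admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'   # BUILTIN\Administrators
    $rw     = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
    $rights = [System.Security.AccessControl.RegistryRights]

    $k = $hklm.OpenSubKey($SubKey, $rw, $rights::TakeOwnership)     # WRITE_OWNER only
    if (-not $k) { throw "cannot open $SubKey for WRITE_OWNER; is this shell elevated?" }
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetOwner($admins)
    $k.SetAccessControl($sec); $k.Close()

    # The owner always holds READ_CONTROL and WRITE_DAC, so this open succeeds whatever the DACL says
    $k = $hklm.OpenSubKey($SubKey, $rw, ($rights::ChangePermissions -bor $rights::ReadPermissions))
    $sec = $k.GetAccessControl()
    $sec.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')))
    $k.SetAccessControl($sec); $k.Close()

    $k = $hklm.OpenSubKey($SubKey, $rw, $rights::FullControl)
    foreach ($child in $k.GetSubKeyNames()) { Grant-KeyControl -SubKey "$SubKey\$child" }
    $k.Close()
}

function Remove-ProtectedKey {
    param([string]$SubKey)   # e.g. 'SYSTEM\ControlSet001\Enum\Root\LEGACY_FGLRXUTIL'
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    # Existence check via the parent: listing subkey names needs no access to the child itself
    $parent = $hklm.OpenSubKey((Split-Path $SubKey -Parent))
    if ((-not $parent) -or ($parent.GetSubKeyNames() -notcontains (Split-Path $SubKey -Leaf))) { return "$SubKey not present" }
    try { $hklm.DeleteSubKeyTree($SubKey, $true); return "deleted $SubKey" }
    catch { Write-Host "plain delete failed ($($_.Exception.GetBaseException().Message)); taking ownership" }
    if (-not [Priv]::Enable('SeTakeOwnershipPrivilege')) { throw 'SeTakeOwnershipPrivilege not available; run elevated' }
    Grant-KeyControl -SubKey $SubKey
    $hklm.DeleteSubKeyTree($SubKey, $true)
    return "deleted $SubKey after taking ownership"
}

Find-RegistryReference -Needle 'FGLRXUTIL'
Remove-ProtectedKey -SubKey 'SYSTEM\ControlSet001\Enum\Root\LEGACY_FGLRXUTIL'
```

The same Grant-KeyControl step applies to any other key an installer reports as denied while running as administrator, such as the ones the SP4 setup complained about, if their DACLs turn out to have been altered; run Find-RegistryReference again after the reboot to confirm nothing has re-created the entry.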
 
Howard,

I tried. Unfortunately this thing is stubborn. I get to the message that RegASSASSIN could NOT remove the registry key. :-(

I'm going to try it again in safe mode...just in case.
 
Ok, good luck. I`ll try and see if I can find any more info that might help get rid of this bugger.

Regards Howard :)

 