Topic: How to make a Run Key in Current User

mchain
Re: How to make a Run Key in Current User
« Reply #15 on: April 04, 2014, 06:23:43 PM »
Yes, well kind of.

I've booted into Hiren's BootCD Version 15.3. I've changed, removed and modified every single "Admin" account. The issue I have right now is that the acer56 account (which is the account needing the password removed) is not showing up in anything. I've tried Mini-XP and then C:\Users\X, nothing; Hiren's PW changer, nothing. At this point I'm going to bite the bullet, pull the files needed off the computer, and set it to factory defaults. The computer looks like it may or may not have a few trojans and a **** ton of adware installed, looking at the desktop alone.

At least it'll save her $50 so she doesn't have to take it back to the store.

Edit: I've also tried this from the system32 CMD: net user administrator /active:yes

No luck.
Well, from the sound of it, this is a super-hidden account not meant to be accessible by anyone other than the original creator/user. Parameters are set to prevent normal access, so a factory restore is likely your best option. I'd clone the original drive first just to be safe and see if the account disappears on factory restore on the original drive. If it does, then you can go ahead and format the clone and use it for something else.

[EDIT:]  Rootkit?

Any version of Linux run as a Live CD or Live USB should make all user accounts visible, try that.

Next thing I would do is make a full disk image of the reset drive and periodically back it up weekly. Might be helpful for this user in the future.

You're looking at an advanced user that basically hacked her system for their own purposes. As such, it is compromised.
« Last Edit: April 04, 2014, 06:29:31 PM by mchain »
Windows 10 Home 64-bit 22H2, Avast Premier Security version 24.1.6099 (build 24.1.88821.762), UI version 1.0.797 / 1.0.788. Windows 11 Home 23H2 and Windows 11 Pro 23H2, Avast Premier Security version 24.2.6105 (build 24.1.8918.827), UI version 1.0.801
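A defender-side check for the situation described in this reply, added here and not taken from the thread: Windows can suppress an account on the logon screen through the Winlogon SpecialAccounts\UserList key while the account still exists in the SAM, so listing every local account via WMI and cross-checking that key shows whether an account like acer56 is merely hidden rather than gone. It assumes an elevated PowerShell on the booted system; the function name and output columns are mine, the registry path is the standard Winlogon key.

```powershell
# Added example, not from the original thread.
# Lists all local accounts and flags the ones hidden from the logon screen.
function Get-LocalAccountVisibility {
    # Standard Winlogon key: a DWORD value named after an account and set to 0
    # hides that account from the Welcome/logon screen without disabling it.
    $userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

    $hidden = @{}
    if (Test-Path $userListKey) {
        $props = Get-ItemProperty -Path $userListKey
        foreach ($p in $props.PSObject.Properties) {
            # Skip PowerShell's own PSPath/PSParentPath/... metadata properties.
            if ($p.Name -notlike 'PS*' -and $p.Value -eq 0) {
                $hidden[$p.Name] = $true
            }
        }
    }

    # Win32_UserAccount reads the SAM directly and exists on Windows 7 era
    # systems where Get-LocalUser is not available.
    Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount = True' |
        ForEach-Object {
            [pscustomobject]@{
                Name          = $_.Name
                SID           = $_.SID
                Disabled      = $_.Disabled
                HiddenAtLogon = [bool]$hidden[$_.Name]   # true = present but not shown
            }
        }
}

# Show every enabled account plus anything deliberately hidden from the logon screen.
Get-LocalAccountVisibility |
    Where-Object { $_.HiddenAtLogon -or -not $_.Disabled } |
    Format-Table -AutoSize
```

An enabled account with HiddenAtLogon set to true is the pattern to look for when an account "does not show up" but still logs on; a SID ending in -500 identifies the built-in Administrator regardless of its display name.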

Michael (alan1998)
Re: How to make a Run Key in Current User
« Reply #16 on: April 04, 2014, 07:37:49 PM »
I've tried Linux... I cannot get it to work. I've tried everything off Hiren's. I've taken a look into Windows Mini XP (which works). I took a look inside all the common hiding places. I do suspect malware is active, and I have told her as much. The only way for me to "clean" it at this point is CF, Rootkit Revealer (basically anything with AVs), which is already set into Hiren's.

When I went through the D/L list, most of the files had the extensions .TORRENT, .MP3, .EXE, .AVI or .TXT, the main one being .TORRENT. So my guess is, BitTorrent is somewhere on the system.

The solution at this point is, save the important files (Which I already have), and restore to defaults. I'll look into Rootkits, never crossed my mind that something might be active...
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

mchain
Re: How to make a Run Key in Current User
« Reply #17 on: April 05, 2014, 09:22:03 AM »
Question is, did your user run torrents?

Getting something for free in this way can be very costly. Advice here is, once the system is restored to factory, do not run or use any torrent programs or clients, if indeed this was the case. The source torrent(s) cannot be vetted or verified, as they come from multiple sources, any one of which can be infected and/or contain undetectable malware.

Result: an infected or pwnd system.
Michael (alan1998)
Re: How to make a Run Key in Current User
« Reply #18 on: April 05, 2014, 02:05:40 PM »
I am aware of the dangers of torrenting, hence why I do not do it. I actually set a Group Policy on my personal computer to block them (e.g. uTorrent, Firewire or maybe it's primeware), but the major ones out there. My family actually tried to bypass it. My dad, who works for a university IT department, can't, so I'm good to go lol.

Basically, this is what's going to happen now. I will attempt to save the documents needed, e.g. school work. After that, I will do a full format of the system... Then I'll be setting very strict Group Policies (e.g. block torrents, block AV/AM/USB protection settings, a limited user account just in case, etc.).

If they still manage to infect the computer, I'd be shocked...

Before I turned off the computer, the last count had 250 torrented files on it. Some were .torrent, .exe, .mp3. So some were clean, but I wouldn't trust it.

Michael (alan1998)
Re: How to make a Run Key in Current User
« Reply #19 on: April 07, 2014, 01:28:47 PM »
I have the Acer Aspire back... GMER has detected rootkit stuff, sadly. I'm going to reformat it. But Alt+F10 is not working. I have the product key just in case and I don't know how to contact Acer directly...

Michael (alan1998)
Re: How to make a Run Key in Current User
« Reply #20 on: April 07, 2014, 03:20:40 PM »
Blue screened. Lol, hope the format went well; when I checked on it 10 minutes ago it was turned off. Hoping the students haven't messed with my drive. I already know someone shut the computer off during the format. Erkk, looks like I'll be working during noon hour. :(

Anyone know how to get the GMER log I saved onto my EHDD? Kind of a pain in the arse since it only sees "Mini XP" and not the full 2 TB.

Linux won't work... it's giving me a bunch of graphical issues. Using Hiren's BootCD 15.3.

Michael (alan1998)
Re: How to make a Run Key in Current User
« Reply #21 on: April 08, 2014, 03:18:00 PM »
Great news! I've formatted and set up the admin account only. This time protected by me... The teacher knows the password and I've told her to change it so she remembers... I left it to install its Acer crapware, which I will most likely remove.

At lunch it'll be time to set up the limited account, and install Avast!, MBAM 2.0 (ODS) & MCShield. I'm considering putting a private firewall on it. But the computer has little resources to use (2 GB of RAM, Intel Atom processor, etc.). Any light (and I mean light) weight FWs out there? I'd prefer not to have to use the Windows FW.