Author Topic: Not A Administrator Anymore!?!?!!?  (Read 37151 times)


Offline Darth.Mikey

  • Super Poster
  • ***
  • Posts: 1586
  • You are unwise to lower your defenses!
Re: Not A Administrator Anymore!?!?!!?
« Reply #30 on: June 08, 2009, 01:59:25 PM »
I'm sorry, I didn't notice he is already receiving help with his infection in another thread. He should follow the instructions laid out there by Polonus. The problem is that he is trying to do everything at once; he needs to follow Polonus's instructions and not try to fix things on his own. Both the infection and the admin restriction issues are related. It's all fixable, but like I said, he needs to follow the instructions given to him.

SATA drives don't have any jumpers. If he has regular PATA drives, I seriously doubt he would even have been able to boot into Windows if the jumpers were set incorrectly (since the BIOS wouldn't recognize the drives). I would need to know more about his config ...

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: Not A Administrator Anymore!?!?!!?
« Reply #31 on: June 08, 2009, 08:19:18 PM »
I'm confused.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: Not A Administrator Anymore!?!?!!?
« Reply #32 on: June 08, 2009, 09:57:40 PM »
What are jumpers anyway? (Sorry, I don't know much about computers.)

Offline Darth.Mikey

  • Super Poster
  • ***
  • Posts: 1586
  • You are unwise to lower your defenses!
Re: Not A Administrator Anymore!?!?!!?
« Reply #33 on: June 08, 2009, 10:10:10 PM »
Wait till Polonus comes online; he will outline the steps you need to take to get rid of your infection. Please follow his instructions precisely and do not try anything on your own (this is important!). You can do more harm than good on your own. Your issue is not one that can be solved immediately; it will take some time and patience. We will fix you up, but you're gonna have to listen to what is being said to you. Good luck!

Jumpers? Read more here if you are interested: http://www.computerhope.com/help/jumpers.htm

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: Not A Administrator Anymore!?!?!!?
« Reply #34 on: June 08, 2009, 10:17:35 PM »
Ok. *waits*

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1620
Re: Not A Administrator Anymore!?!?!!?
« Reply #35 on: June 08, 2009, 10:25:25 PM »
Are you still running the same system?

http://forum.avast.com/index.php?topic=45514.msg383901#msg383901

If so, then you would be better off tackling this problem using just the hard disk with your system drive on it, which should be C:\.
See: http://forum.avast.com/index.php?topic=45868.msg385371#msg385371

Jumpers enable hard disks to interface together and amongst each other on the same motherboard. Who set up (mounted) your hard disks and connected the cables from the motherboard for your OS? They must have set the jumpers.

I have a 160GB WD SATA in front of me that plugs into SATA or IDE cables (including a jumper bay), but that's neither here nor there really. The point is, the computer should be able to boot into Safe Mode.
Edit - disk is for sale today NZ$40.

Quote
he is trying to do everything at once, he needs to follow Polonuses instructions and not try to fix things on his own
Agree! Sorry Drb10, but he is right; those earlier posts concerning your HjT log are too important to brush over.


I would also like to know whether it is possible to work on the HjT log offline, using basically the same procedures, since the program is downloaded to the computer system. Or do you need to be hooked up to the net? Right now, I don't have time to go there myself.
« Last Edit: June 08, 2009, 10:53:45 PM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: Not A Administrator Anymore!?!?!!?
« Reply #36 on: June 08, 2009, 10:28:59 PM »
*still waits*

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31659
  • malware fighter
Re: Not A Administrator Anymore!?!?!!?
« Reply #37 on: June 08, 2009, 10:37:45 PM »
Hi,

Try to follow up the info you will find here:
http://ranjanajain.spaces.live.com/blog/cns!5F09EF6281DD4DB0!277.entry
This could be used to get back to the sequence where you have admin rights.

First try F7; some computers do F7 instead of F8, tap tap tap. I think you're on a DELL.
Actually, if you go to msconfig (click Start, Run, then type in msconfig and hit Enter), the System Configuration Utility box comes up.

You should see several tabs across the top. One of them, when selected, has, in the middle of the page, a box you can check that says "Safe Boot". Check that box, then click Apply and OK, and it will prompt you to restart the computer.

Do this, and then it will boot up in Safe Mode.

To change it back so that it no longer boots up in Safe Mode (when you have done what you wanted to do in Safe Mode), you have to go back into this same box and uncheck that box, or it will continue to boot in Safe Mode.

polonus

« Last Edit: June 08, 2009, 11:26:42 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31659
  • malware fighter
Re: Not A Administrator Anymore!?!?!!?
« Reply #38 on: June 08, 2009, 10:59:37 PM »
Another thing from your ComboScript.txt file that you apparently could not find:
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)
SafeBoot-procexp90.Sys

--------------------- LOCKED REGISTRY KEYS ---------------------


Maybe Darth.Mikey can do something with this info.

polonus

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31659
  • malware fighter
Re: Not A Administrator Anymore!?!?!!?
« Reply #39 on: June 08, 2009, 11:09:12 PM »
Hi folks,

Some additional info on this:
With ERUNT and a hex editor I was able to unhide these entries:
- they are in the SOFTWARE hive,
- each of them contains an InprocServer32 key defined as a 15-character-long string where it should be 14
(here's why). Hence the RKR report and the registry key opening error / hidden values.

These entries have the same structure; here is a sample
(each ?? replaces a hex value because it may contain unique information, LOL):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32]
"ThreadingModel"="Apartment"
@="C:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd1????????????????"=hex:31,77,e1,ba,b1,f8,68,02,81,2b,c5,ac,92,\
  09,11,c2,31,77,e1,ba,b1,f8,68,02,1f,39,aa,7e,a3,3d,d5,78,fb,a7,78,e6,12,2f,\
  ??,??,??,??,??,??,??,??,??,??,??,??,??,??,??,??,??,??,??,??,??,??,??,??,??,\
  ??,??,??,??,??

so - we see how other Apps are taking advantage of the Win32 API vulnerability -
-- this "security exploit" was done/created/left unfixed intentionally by MS,
so that they (MS) would be able to HIDE stuff from the User/Owner
-- it's called MS Spyware - and thanks to Mark, Sysinternals,
and others out there with the programming skills to vet this crap out -
the majority of 'dumbass' users are just learning about MS's spyware.


- OLE32.DLL = Object Linking and Embedding - like ActiveX, DCOM, and many other Nasties

polonus
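The two posts above describe the shape of the hidden CLSID entries (a key ComboFix could not open, an InprocServer32 default pointing at OLE32.DLL, and a 32-hex-character value name). The parser below is an added example, not code from the thread or from ComboFix: it reads text in the "LOCKED REGISTRY KEYS" layout and lists CLSIDs showing at least two of those traits. The sample log, its GUIDs and hex bytes are constructed placeholders, and the function names are my own; a text log cannot show the extra byte in the key name itself, so the trailing "*" locked marker stands in for it.

```python
import re

# Constructed sample in the layout ComboFix uses for keys it could not open (the
# '*' after the key path marks a locked key); GUIDs and bytes are placeholders.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"0123456789abcdef0123456789abcdef"=hex:01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,
   0e,0f,10,11,12,13,14,15,16,17,18,19,1a,1b,1c,1d,1e,1f,20,21,22,23,24,25,26,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{55555555-6666-7777-8888-999999999999}\InprocServer32]
@="c:\\WINDOWS\\system32\\shell32.dll"
"""

HEADER = re.compile(r"^\[(HKEY_[^\]]+?)(\*?)\]$")
VALUE = re.compile(r'^(?:"([^"]+)"|(@))=(.*)$')   # "name"=data or @=data
HASHLIKE = re.compile(r"^[0-9a-f]{32}$")            # 32 hex chars, generated-looking
CLSID = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\")

def parse_locked_keys(text):
    """One dict per [key] block: path, locked flag, and its name->data values."""
    entries = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            entries.append({"path": m.group(1), "locked": m.group(2) == "*", "values": {}})
        elif entries and (m := VALUE.match(line)):   # hex continuation lines are skipped
            entries[-1]["values"][m.group(1) or "@"] = m.group(3).strip('"')
    return entries

def indicators(entry):
    """Traits the thread associates with the hidden CLSID entries."""
    hits = []
    if entry["locked"]:
        # "InprocServer32" is 14 chars; the thread's hidden keys carried a 15th,
        # which the Win32 registry API cannot open, so ComboFix reports them locked.
        hits.append("locked-key")
    if entry["path"].endswith("\\InprocServer32") and \
            entry["values"].get("@", "").lower().endswith("ole32.dll"):
        hits.append("default-is-ole32")   # weak alone: genuine COM classes live there too
    if any(HASHLIKE.match(n) for n in entry["values"]):
        hits.append("hashlike-value-name")
    return hits

def suspicious_clsids(text, min_hits=2):
    """CLSIDs whose InprocServer32 block shows at least min_hits indicators."""
    out = []
    for e in parse_locked_keys(text):
        m = CLSID.search(e["path"])
        if m and len(indicators(e)) >= min_hits:
            out.append(m.group(1))
    return out
```

Run against a real ComboFix log, the output is a list of CLSIDs worth checking by hand (for example with the native-API tools the thread mentions), not a verdict on its own.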

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: Not A Administrator Anymore!?!?!!?
« Reply #40 on: June 08, 2009, 11:46:43 PM »
Quote
Hi,

Try to follow up the info you will find here:
http://ranjanajain.spaces.live.com/blog/cns!5F09EF6281DD4DB0!277.entry
This could be used to get back to the sequence where you have admin rights.

First try F7; some computers do F7 instead of F8, tap tap tap. I think you're on a DELL.
Actually, if you go to msconfig (click Start, Run, then type in msconfig and hit Enter), the System Configuration Utility box comes up.

You should see several tabs across the top. One of them, when selected, has, in the middle of the page, a box you can check that says "Safe Boot". Check that box, then click Apply and OK, and it will prompt you to restart the computer.

Do this, and then it will boot up in Safe Mode.

To change it back so that it no longer boots up in Safe Mode (when you have done what you wanted to do in Safe Mode), you have to go back into this same box and uncheck that box, or it will continue to boot in Safe Mode.

polonus

The Command Prompt starts at c:\documents and settings\donovan\, not c:\

goto c:\ doesn't work...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 81894
  • No support PMs thanks
Re: Not A Administrator Anymore!?!?!!?
« Reply #41 on: June 09, 2009, 12:13:24 AM »
It's CD C:\

i.e. change directory, with a space before the C:\
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.7.2388 (build: 19.7.4674.526)/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: Not A Administrator Anymore!?!?!!?
« Reply #42 on: June 09, 2009, 12:15:12 AM »
Thanks. ;)

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: Not A Administrator Anymore!?!?!!?
« Reply #43 on: June 09, 2009, 12:17:49 AM »
Command prompt says bcdedit isn't a command...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 81894
  • No support PMs thanks
Re: Not A Administrator Anymore!?!?!!?
« Reply #44 on: June 09, 2009, 12:29:22 AM »
http://www.google.com/search?q=bcdedit

http://technet.microsoft.com/en-us/library/cc709667.aspx

It may need arguments.
Quote
The following command-line options are available for BCDEdit.exe.

BCDEdit/Command [Argument1] [Argument2] ...

Check the system32 folder and see if bcdedit.exe exists; it doesn't on my system.