Virus That Disables Admin Rights HELP


  • This topic is locked
13 replies to this topic

#1 Generator

Generator

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:44 PM

Posted 01 February 2013 - 09:43 AM

Hi! I've heard this forum really helps people, so...

My machine: ASUS laptop, Windows 7 64x
Problem: I have a virus that is blocking administrator rights and user account management, and disables System Restore and msconfig etc. That's why I can't run any antivirus, even in safe mode. I can't even run the DDS utility; it says not enough privileges. There are no pop-ups. Obviously, I can't switch from the guest account, and all changes are ignored or denied. It also doesn't let me modify the files in the root of C:. Even bootable Kaspersky and AVG didn't find the virus.
What I've done previously: I discovered it when I was trying to make a network with a desktop PC. It wasn't working, so I enabled empty passwords. This other PC is absolutely healthy. I have also been installing some minor applications.
Antivirus: I try to surf safely, and use fully functional Avira; the firewall is on for private networks.

What should I do to HELP YOU to help me? How do I make a log? I attached the only available logs, from RogueKiller and HijackThis.

Thank you, and I'm waiting for help.

G

Update: Bitdefender (Bootable USB) found Trojan.Qhost.Gen in some system folder, deleted it, but nothing happened. Is it related to the issue or maybe not?

Edited by Generator, 02 February 2013 - 06:11 AM.



#2 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Krypton
  • Local time:08:44 AM

Posted 05 February 2013 - 04:14 AM

Hello and welcome to BleepingComputer. I am The Dark Knight and will be assisting you. Please ask questions if anything is unclear.

Since you got RogueKiller to run, please see if you can get the below tool to run.

Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.




#3 Generator


Posted 06 February 2013 - 02:03 AM

The problem seems not to be a virus; I will report what it is...

#4 The Dark Knight


Posted 06 February 2013 - 03:30 AM

Hello Generator,

OK let me know. :)



#5 Generator


Posted 08 February 2013 - 04:01 AM

I managed to create a new admin. But the problem is partially still there. The old user's safety policy is corrupt: I can't change files, install some programs etc. How can I transfer program data to the new user without damage (CorelDraw, Word etc. settings)? I would also like to transfer environment settings, like Desktop, Docs etc.

I can use Windows Easy Transfer, but I'm afraid: won't it move the corrupt permission settings to the new user?

Please tell me; I will tell how I fixed the previous problems later.



#6 The Dark Knight


Posted 08 February 2013 - 05:50 AM

Hello Generator,

 

I am unfamiliar with transferring settings, but usually you can't from profile to profile from my knowledge.

 

What settings are corrupt?




#7 Generator


Posted 08 February 2013 - 09:33 AM

> Hello Generator,
>
> I am unfamiliar with transferring settings, but usually you can't from profile to profile from my knowledge.
>
> What settings are corrupt?

I cannot install new programs or modify files I previously created. But when I log in as admin, I can. But that admin doesn't have all those settings I have been creating for a long time. What should I do to have the old settings and restored rights?

Maybe you could move the topic to the proper thematic place; what could that be?


Edited by Generator, 08 February 2013 - 09:48 AM.


#8 The Dark Knight


Posted 08 February 2013 - 04:17 PM

Hey Generator,

 

If you don't think it is a virus, and do not wish to run ComboFix etc then I can arrange to have the topic moved for you. Please let me know what you would like to do.




#9 Generator


Posted 10 February 2013 - 01:32 PM

For those who want to know how I solved the problem: I ran "NT Windows Password and registry Offline editor" and chose to "unlock" the built-in admin account. (There's also a way to use the installation CD and edit the registry through it, but I chose to use this awesome program.) Then I went back to Windows and from there logged into admin with no problems. And I gave the old user administrator rights too, from the hidden admin account. And disabled blank passwords just in case, because that's when the glitch started.

It is a pretty rare bug; I would call it the "admin as guest bug". It appears when you are trying to create a network, enable empty passwords, and there are some other glitchy factors only Bill knows.



#10 The Dark Knight


Posted 10 February 2013 - 03:35 PM

Hello Generator,

 

Thank you for sharing your solution. I am glad you got it fixed.

 

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.


IMPORTANT: Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections. This is a crucial security measure.


As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running the following program (there is a free version available):

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.


Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.  A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection.  However, it is important to run only one resident program of each type since they can conflict and become less effective.  That means only one antivirus, firewall and scanning anti-spyware program at a time.  Passive protectors, like SpywareBlaster, can be run with any of them.  

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs.  If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately.  It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information.  Ask in a security forum that you trust if you are not sure.  If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware."  Scareware programs are active infections that will pop-up on your computer and tell you that you are infected.  If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed.  It tells you to click and install it right away.  If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further.  Keeping protection updated and running resident protection can help prevent these infections.  If it happens anyway, get offline as quickly as you can.  Pull the internet connection cable or shut down the computer if you have to.  Contact someone to help by using another computer if possible.  These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.


Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative.  In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and Add-ons, like Adblock Plus and NoScript, can make it even more secure. To avoid dangerous sites Web of Trust or McAfee SiteAdvisor can be installed. Google Chrome or Opera are other good options.

Two useful programs for keeping your programs up-to-date are FileHippo or Secunia PSI. Running one of these regularly will help you obtain the latest program updates.

Please also read Tony Klein's excellent article: How did I get infected in the first place.

Hopefully these steps will help to keep you error free.  If you run into more difficulty, we will certainly do what we can to help.  :)




#11 Generator


Posted 11 February 2013 - 04:17 AM

There's one concern still. I gained "full access" to the whole disk C and subfolders when I was trying to fix the problem. Is it safe, and how can I undo it?

I just heard that when a user owns system folders, a virus can use it to infiltrate the system. Is it true? Should I restrict myself from owning system folders?



#12 The Dark Knight


Posted 11 February 2013 - 04:34 AM

Howdy Generator,

The User Access Control (UAC) is a system implemented on Windows Vista and above that requires permission before accessing system folders, settings, etc. In addition, accessing system folders requires an additional permission before they are opened. You should be fine if you keep an eye on what sites you visit and download.

What you can do is restrict your Account from Administrator to Limited, which means that lots of rights will be restricted.

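A read-only check for the three things this thread touched (the blank-password policy, the built-in Administrator account, and who owns the system folders), as an added example that is not part of any post above. It assumes Windows PowerShell at an elevated prompt and that "enabling empty passwords" refers to the `LimitBlankPasswordUse` policy value; the function names are illustrative.

```powershell
# Added example: read-only audit, changes nothing. Function names are illustrative.
# Assumes Windows PowerShell (2.0 or later) in an elevated prompt.

# Well-known owner SIDs expected on system folders of a default install.
$ExpectedOwners = @(
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464', # TrustedInstaller
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)

function Test-BlankPasswordLimit {
    # 1 = accounts with blank passwords may log on at the console only, not over the network.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    return ($lsa.LimitBlankPasswordUse -eq 1)
}

function Get-BuiltinAdministrator {
    # The built-in Administrator always has a SID ending in -500, whatever it is named.
    Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True' |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' } |
        Select-Object Name, Disabled, PasswordRequired
}

function Get-UnexpectedOwner {
    param([string[]]$Path)
    foreach ($p in $Path) {
        $acl = Get-Acl -Path $p -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # missing or unreadable folder
        # Compare by SID so the check also works on non-English Windows.
        $sid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        if ($ExpectedOwners -notcontains $sid) {
            New-Object PSObject -Property @{ Path = $p; Owner = $acl.Owner; Sid = $sid }
        }
    }
}

# Top-level system folders plus their immediate subfolders.
$roots   = @($env:SystemRoot, $env:ProgramFiles)
$folders = $roots + @(Get-ChildItem -Path $roots -ErrorAction SilentlyContinue |
                      Where-Object { $_.PSIsContainer } |
                      ForEach-Object { $_.FullName })

"Blank passwords limited to console logon: $(Test-BlankPasswordLimit)"
Get-BuiltinAdministrator | Format-List
Get-UnexpectedOwner -Path $folders | Format-Table -AutoSize
```

Any row printed by the last command is a folder whose owner is not one of the three listed defaults, for example a user account that took ownership during troubleshooting.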


#13 Generator


Posted 11 February 2013 - 09:43 AM

OK, thanks, I downgraded to Standard User.



#14 The Dark Knight


Posted 15 February 2013 - 04:20 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
