
Administrator and Registry Advice Please


14 replies to this topic

#1 kiwipoppy
  • Members
  • 47 posts

Posted 02 May 2013 - 06:03 PM

Hi, am running Win 7 Ultimate on a stand-alone computer not currently connected to the internet. I am the only user and have two visible accounts, a standard admin and the built-in admin account. Recent scans have shown the existence of an account named C:\users\ADMINI~1; its files are hidden and cannot be shown.
I have been posting in the malware removal forum, no luck so far, and ComboFix won't run, although MBAM did quarantine various rootkits.
What I want to do is communicate with someone familiar with the Win 7 registry, who can explain the various admin and aliases references there, which include what looks like encrypted data.
I feel that if I can sort out the admin account, I will have more control in fixing the numerous other issues.
Process Explorer shows the built-in as being specifically denied various privileges, and gpedit only has a few entries that include BUILTIN in the options.
Although this is a stand-alone home computer, I have been joined to a WORKGROUP, not sure if that has any relevance.
Not looking for a solution, some advice would be great!
Thanks



#2 sflatechguy
  • BC Advisor
  • 2,233 posts

Posted 02 May 2013 - 06:34 PM

Did you recently upgrade the OS to Windows 7 Ultimate? That particular user account is related to OS upgrades, the migration of user data during upgrades, and the preparation of Windows image files for deployment.



#3 kiwipoppy
  • Topic Starter
  • Members
  • 47 posts

Posted 05 May 2013 - 05:55 PM

OK, not sure if I can understand all that, so how can I stop it being hidden? attrib and unhide don't work.
Also, is there any way of checking admin permissions in the list of accounts and aliases in the registry? Some look encrypted, obviously not by me.
Thanks

#4 sflatechguy
  • BC Advisor
  • 2,233 posts

Posted 05 May 2013 - 08:32 PM

If you didn't upgrade your OS, or install a new OS on your PC, did you recently install any other program, like Symantec or Blackberry desktop? That admin file is associated with temporary folders where various installation files are stored. The admin account itself is not malicious, if that's what you're concerned about. However, malware can use it.

Hope that helps.



#5 kiwipoppy
  • Topic Starter
  • Members
  • 47 posts

Posted 06 May 2013 - 05:13 AM

Thanks, so how to look at the contents of that admin file?
Have installed a trial version of Win 7 Ultimate, but this has not helped with all the problems that were on my legit copy of Win 7 Home Premium.
So I realise that registries can differ, but want to know whether, on a stand-alone home computer with an admin account, the built-in account, and a user account, the following keys seem normal:
HKLM\SECURITY\SAM
  Domains
    Builtin
      List of 8 numerical aliases
        Members: S-1-5 (6 numerical refs, all with encrypted data)
    My user SID
      4 subkeys, all encrypted
I don't use encryption, and no one else has access to the machine.
Thanks

#6 sflatechguy
  • BC Advisor
  • 2,233 posts

Posted 06 May 2013 - 06:42 AM

That c:\users\admini~1 account was created when you installed the trial version of 7 Ultimate. There's a reason some of those registry keys are encrypted -- you're using a trial version of 7 Ultimate. There's no way to access or unencrypt those registry keys without entering a valid product activation code. Without seeing the actual registry key settings you are referring to, it's hard to say if they are set properly or not, but my guess is they probably are. You don't want to try to alter or edit those keys, or delete that admini~1 account -- you'll just brick your hard drive.

If you were having issues with 7 home premium, a repair/restore from the recovery partition or installation DVD would have been a better fix than installing a trial version of 7 ultimate.



#7 kiwipoppy
  • Topic Starter
  • Members
  • 47 posts

Posted 06 May 2013 - 05:28 PM

Windows Ultimate was a last resort; my Home Premium was so corrupted I wanted to try something else, and thought that having the option of gpedit and secpol might help.
Reinstalling does not help; as soon as I connect anything, I seem to be infected again.
Repair mode on any previous installation takes me to an 'X' drive, which may fix an immediate problem, but nothing overall.
SFC shows files that cannot be repaired.
And a recent MMC report showed code integrity violations on ''device\hardiskVolume2\Windows\system32\drives''...various entries relating to antivirus etc. programs.
Not sure where or what hard disk volume 2 is; list disk shows 'O' as the only active one that I can see. And what are all these devices attached to everything? e.g. above, and filter on desktop; lots of the drivers appear to be partly in code.
And why am I in a WORKGROUP? How do I look at those details?
And Win 7 Ultimate might be encrypting stuff, but Process Explorer shows completely different privileges than those visible in the C drive; the built-in is specifically denied certain rights and cannot be changed. And of course when I was on the internet my credit card details were stolen, lots of weird sites being accessed, and dozens of shortcuts being created in another language.
Might just have to keep off the internet...shame, I loved my desktops.
Many thanks

#8 sflatechguy
  • BC Advisor
  • 2,233 posts

Posted 06 May 2013 - 06:20 PM

That is a shame. At this point, your only real option is to back up any user data you want to salvage, make sure you have all installation disks for programs and hardware drivers you'll want to reinstall, reformat the hard drive to wipe it as clean as possible, and do a clean install of the operating system.

Staying off the Internet is a short-term fix -- your computer is going to crash permanently at some point, by the sound of it. Unfortunately, it seems the spyware on your computer has corrupted too many system files to have any hope of removing it effectively.

And when you do reinstall the operating system, make sure you've got good antivirus/antimalware installed. Sorry the news isn't better.



#9 kiwipoppy
  • Topic Starter
  • Members
  • 47 posts

Posted 07 May 2013 - 05:49 PM

Thanks for that. Unfortunately HP did not supply installation disks at that time; you had to make your own backup, which I'm guessing was not the most secure way to go, and the recovery partition disappeared long ago...
And I always had up-to-date, paid-for antivirus and Windows updates activated...of course the hijack blocked any new updates, and set the firewall to suit itself!
I appreciate your help, but while not expecting a fix, I would still like an explanation of the questions asked in the previous post.
If anyone can help..
Thanks

#10 hamluis
  • Moderator
  • 56,116 posts
  • Location:Killeen, TX

Posted 08 May 2013 - 09:54 AM

From where did you download this trial version of Win 7 Ultimate?

That...might be your problem with the current install.

Louis



#11 kiwipoppy
  • Topic Starter
  • Members
  • 47 posts

Posted 11 May 2013 - 11:34 PM

Nope, the problem is almost exactly the same as I had with the legal Home Premium install, and before that crossed over from XP via a backup I had scanned thoroughly. The main difference is that the Ultimate trial installed from a CD has allowed me to install and run many tools that would not work before, e.g. MBAM quarantined various Trojan references (log on other forum), and to see issues that might be normal, but that I would like explained.
For instance, re attached devices, the registry shows the following in HKLM\SYSTEM\MountedDevices (attached).
Just want someone with a basic stand-alone Win 7 machine to say, yeah, that's normal, we all have those.
Keeps telling me the file is too large to upload, will try to attach later.
Thanks
PS Trying again. Also want to reassure everyone that I will not be jumping in deleting and changing things at this stage, just want to find out what is normal and what is not!

Edited by kiwipoppy, 12 May 2013 - 03:49 AM.


#12 sflatechguy
  • BC Advisor
  • 2,233 posts

Posted 12 May 2013 - 11:05 AM

Try copying and pasting it into the reply window, rather than attaching it.

If I understand what you're saying, you upgraded from XP to Windows 7 on this PC, and have now installed a trial version of 7 Ultimate from a CD. You say the problem or problems have been the same since you were running XP -- but I'm still not clear what those problems are. Are there recurring problems with Trojans and malware? If so, upgrading operating systems won't solve that.

That particular registry key, HKLM\System, handles system configuration, including mounted devices, drivers, etc. Are you having an issue with a mounted device that you're hoping to solve in the registry? Or you just want to make sure your settings are correct?
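As an added example (not part of this thread, and not code from any of its posters), the following read-only PowerShell inventory answers the three "is this normal?" questions raised in #1, #5 and #11: what the C:\users\ADMINI~1 folder is, which local accounts are built in, and what the binary values under HKLM\SYSTEM\MountedDevices actually encode. It assumes an elevated PowerShell prompt on the Windows 7 machine (PowerShell 2.0 is enough); the function names are my own, and nothing in it modifies the registry or the file system.

```powershell
# Added example, not from the thread. Read-only inventory of the items the
# thread asks about; run from an elevated PowerShell prompt. Nothing is changed.

# Resolve an 8.3 short path such as C:\Users\ADMINI~1 to its long name.
# Windows generates a short name for every folder whose long name exceeds
# eight characters, so the short name by itself is not a separate account.
function Resolve-ShortPath {
    param([Parameter(Mandatory=$true)][string]$ShortPath)
    $fso = New-Object -ComObject Scripting.FileSystemObject
    if (-not $fso.FolderExists($ShortPath)) { return $null }
    $fso.GetFolder($ShortPath).Path          # e.g. C:\Users\Administrator
}

# Local accounts by SID. The relative identifier (last SID component) tells
# built-in accounts apart: 500 is Administrator, 501 is Guest; accounts
# created later start at RID 1000.
function Get-LocalAccountSummary {
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" | ForEach-Object {
        $rid = [int](($_.SID -split '-')[-1])
        New-Object PSObject -Property @{
            Name     = $_.Name
            SID      = $_.SID
            RID      = $rid
            BuiltIn  = ($rid -lt 1000)
            Disabled = $_.Disabled
        }
    }
}

# Profile folders carrying the Hidden attribute. Explorer keeps these out of
# sight until "show hidden files" is on, and when the System attribute is
# also set, until "hide protected operating system files" is cleared too.
function Get-HiddenProfileFolder {
    Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Force |
        Where-Object { $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Hidden) } |
        Select-Object FullName, Attributes
}

# HKLM\SYSTEM\MountedDevices. Value names are \DosDevices\X: (drive letter
# assignments) or \??\Volume{GUID} (volume GUID paths). Data is REG_BINARY:
# 12 bytes for an MBR partition (4-byte disk signature + 8-byte partition
# offset), "DMIO:ID:" plus an id for dynamic-disk volumes, otherwise a UTF-16
# device path. The raw bytes are what Regedit shows, which is why the values
# look like encoded data.
function Get-MountedDeviceSummary {
    $key = Get-Item 'HKLM:\SYSTEM\MountedDevices'
    foreach ($name in $key.GetValueNames()) {
        $bytes = [byte[]]$key.GetValue($name)
        if ($bytes.Length -eq 12) {
            $kind = 'MBR partition'
            $desc = 'disk signature 0x{0:X8}, offset {1} bytes' -f [BitConverter]::ToUInt32($bytes, 0), [BitConverter]::ToUInt64($bytes, 4)
        } elseif ($bytes.Length -ge 8 -and [Text.Encoding]::ASCII.GetString($bytes, 0, 8) -eq 'DMIO:ID:') {
            $kind = 'Dynamic disk volume'
            $desc = 'volume id ' + (($bytes[8..($bytes.Length - 1)] | ForEach-Object { '{0:X2}' -f $_ }) -join '')
        } else {
            $kind = 'Device path'
            $desc = [Text.Encoding]::Unicode.GetString($bytes)
        }
        New-Object PSObject -Property @{ Name = $name; Kind = $kind; Description = $desc }
    }
}

# Usage (all read-only):
Resolve-ShortPath 'C:\Users\ADMINI~1'
Get-LocalAccountSummary | Format-Table Name, SID, RID, BuiltIn, Disabled -AutoSize
Get-HiddenProfileFolder
Get-MountedDeviceSummary | Format-Table Name, Kind, Description -AutoSize
```

The useful comparison is between the account list and the profile folders: every entry under C:\Users should map to a SID in the first table, and a drive letter in MountedDevices should point at an MBR signature matching a disk that is actually present. A profile folder with no matching account, or a \DosDevices entry whose device path names hardware that was never attached, is the kind of finding worth handing to the malware removal forum rather than editing by hand.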



#13 sflatechguy
  • BC Advisor
  • 2,233 posts

Posted 12 May 2013 - 01:39 PM

I've gone back and read the thread you posted in the antivirus section. Judging from the issues you described and the steps you took there, at this point you really only have one option: reformat the hard drive to wipe it as clean as possible, and do a clean install of the operating system. Doing in-place upgrades isn't going to address the issue.

Unfortunately, when you transferred files over from the old system to the new, some of those files either became corrupt, were corrupt, or were incompatible with the new system, since it doesn't look like they found any evidence of malware in the log files you posted. I notice the moderator of the antivirus forum also kept asking you why you want to change entries in the registry. Editing those registry keys isn't going to address the issues you are having, and may only make the problems worse.

As much as I dislike being the bearer of bad news, it seems the only way you are going to solve your issues once and for all is to do a clean install of the operating system. :( Sorry.



#14 kiwipoppy
  • Topic Starter
  • Members
  • 47 posts

Posted 12 May 2013 - 05:17 PM

My experience has been that careful editing of registry keys can be the only way to help with certain issues, e.g.
  • Keyboard being set to a custom way with no backslash
  • Hidden files where folder view does not reveal them
  • Removing several dozen blocked commands
  • Removing "access is denied" issues
  • Custom setting of language preferences
I have nowhere to reinstall from, and sorry about attaching; as I explained earlier I am using a tablet, and copying and pasting from stored documents does not seem to work.
I have no problem with any devices, just was puzzled by all the ??? and wanted confirmation that was a normal layout in a normal registry; no one seems able to tell me.
Have not been able to get ComboFix to run, and also the way Process Explorer shows what appears to be a different set of permissions and identities than those normally visible seems to indicate some kind of malware activity.
Also the discovery of a partition which I have not created, which shows ''code integrity violations''.
Anyway, was not expecting anyone to help; this is probably not fixable. Would be nice to be contacted by someone who can ''think outside the square'', and learn a bit more from them, but won't take up any more of your time.
Many thanks

#15 kiwipoppy
  • Topic Starter
  • Members
  • 47 posts

Posted 14 May 2013 - 04:23 PM

Feel free to message me, anyone, if you have any insights..
And just one more log from the Trend Micro tool attached.
