  1. #1
    Join Date
    Jun 2010

    The Mystery of the Disappearing User Account Admin Privileges! Please Help!

    Hello members,

    This is my first post! It’s good to be here! And thanks in advance to all of you who read this post & also for any help you might be able to provide!!!

    So, basically I am trying to understand how my Windows XP User Account could have lost its 'Administrator' privileges seemingly out-of-the-blue. I figure perhaps someone has experienced a similar incident and maybe could share some insight into what the root of my problem could quite possibly be...

    Ok, here are the details as I understand them:

    So, yesterday I noticed that my computer was slowing up a bit and so I peeked into my Task Manager / Running Process and observed multiple instances of explorer.exe running simultaneously (2 at first and 3 or 4 on another occasion). This was hogging up a lot of my memory usage and slowing the computer speed down noticeably. I found that event to be a bit odd, but nothing to fret about because I was able to end the process tree on the explorer.exe process that was using the least amount of memory which seemed to temporarily solve the problem.

    However, later in the day I noticed that all of a sudden my Windows XP User Account (which is the only account I have set up) no longer had Administrative Privileges! I realized this when I couldn't kill certain running processes which I knew to be killable with no-harm, no-foul. Also, when I downloaded HijackThis I couldn’t install it in the default location because I couldn’t create a new folder in C:\Program Files.

    Anyhow, I ran the HijackThis application and I was prompted with an unfamiliar popup message which read, “For some reason your system denied access to the Hosts file. If any hijacked domains are in this file HijackThis may NOT be able to fix this…” The message went on to instruct me to try and edit the file myself using the RUN command and typing “notepad C:\WINDOWS\System32\drivers\etc\hosts”. I did this as instructed and found the hosts file to simply be a blank document. I’ll be honest, I’m not familiar with this “hosts” file, but I am assuming that a blank file is probably good, right?

    So, in closing, my main question today is whether or not anyone might know what could potentially be the root cause of why my User Account seems to have suddenly lost its God-given Administrator privileges right out of the blue?

    I honestly can’t think of any logical explanation for this other than some type of infection… Anyways, I just ran HijackThis and I am including my log below... If anyone can help me I would greatly appreciate it! Thanks again friends!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:58:17 PM, on 6/8/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\JLM\Desktop\New Folder\HijackThis.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Welcome to Facebook | Facebook
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: Players Only - {c1bb3821-d7bc-4d12-90cc-eca4c2a3be99} - C:\Documents and Settings\JLM\Start Menu\Programs\Players Only\Players Only.lnk (HKCU)
    O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) -
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{044B3CD2-E583-4E8A-A965-B2A758B43FB6}: NameServer =,
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    End of file - 3154 bytes

  2. #2
    arraknid (Forum Moderator)
    Join Date
    Dec 2006

    You were asked not to post log files in this forum, yet you chose to ignore that instruction.

    HijackThis logs should not be posted in the Computer Help Forum unless specifically requested by a forum volunteer.

    If you suspect your computer is infected with malware, we ask that you please read and follow all of the instructions in this tutorial: How to start removing Viruses and Spyware from your Computer

    Following the instructions will allow us to quickly help you with specific fixes to your system.

    While working through the instructions, please save the following logs to post in your reply.

    - SUPERAntiSpyware log
    - Malwarebytes log
    - HijackThis log

    Your current HJT installation is running from a temporary folder, and should be installed using default settings. It also needs to be updated.

    If any of the scans will not run, just move on to the next step. If you have any questions, please stop and ask.

    Post the logs in a new topic in the Spyware Help forum.

    This thread will now be closed.
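
Added example, not part of either post and not HijackThis's own code: a small Python triage pass over the log format posted in this thread. It flags three things a helper would verify by hand here: HijackThis running outside C:\Program Files, Run entries with no full path, and services marked "(file missing)". The check names and heuristics are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted in this thread, embedded as sample input.
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\JLM\Desktop\New Folder\HijackThis.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+)\s+-\s+(.*)$")            # "O4 - ..." section lines
AUTORUN = re.compile(r"^\S+?:\s+\[([^\]]+)\]\s+(.+)$")    # "key: [name] command"

def parse(log):
    """Return (running_processes, {section_code: [entry_text, ...]})."""
    procs, sections, in_procs = [], defaultdict(list), False
    for line in (raw.strip() for raw in log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            sections[m.group(1)].append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
    return procs, sections

def triage(log):
    """Return (check, detail) pairs to verify by hand; prompts, not verdicts."""
    procs, sections = parse(log)
    notes = []
    for p in procs:  # the moderator's point: HijackThis run from a non-default folder
        if p.lower().endswith("\\hijackthis.exe") and "\\program files\\" not in p.lower():
            notes.append(("hjt-location", p))
    for entry in sections["O4"]:  # autorun command without a drive-letter path
        m = AUTORUN.match(entry)
        if m and not re.match(r'"?[A-Za-z]:\\', m.group(2)):
            notes.append(("autorun-no-full-path", m.group(1)))
    for entry in sections["O23"]:  # service whose binary HijackThis could not find
        if entry.endswith("(file missing)"):
            notes.append(("service-file-missing", entry.split(" - ")[0]))
    return notes

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

A flagged entry is only a prompt to look closer: a Run entry without a full path is resolved through the system search path, and a missing service binary is often a leftover from an uninstalled product.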