Cleaned Trojans but lost ALL Admin capabilities

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by GFNS, Jul 24, 2005.

  1. GFNS

    GFNS Private E-2

    This one has me completely stumped. As an IT Architect for the last 20 years, I've NEVER had to go to a forum for answers (even though I've rarely used 'support' facilities on occasion).

    I'm running XP Pro, SP 2. I've NEVER had any problems with Admin configuration before.

    Somehow (my children are suspect), the CoolWebSearch virus/trojan made it past my HW and SW firewalls. The thing was SO insidious, it opened the DOOR (port) for 2 other trojans and a ton of adware and spyware within 24 HOURS (I haven't seen anything as ugly as this since LOP a couple years ago..........and this was MUCH, MUCH worse).

    Each time I CLEANED and rebooted, a NUMBER of additional afflictions would trigger even though MANY were NOT visible in the RUNONCE or RUN registry.

    Some hidden executable.......coupled with some 'cloned' system dll's just kept the garbage coming (multiple ports BTW......it's like it was smart enough to change itself or morph into something else as soon as I found it).

    After FINALLY cleaning everything with Norton Systemworks, Spybot, Spywareblaster, Spy Sweeper, Microsoft Antispyware, Ad-Aware, CWS Shredder utility, AboutBuster Trojan utility, AV-Gold Trojan utility, multiple HijackThis runs, X-Setup Pro, TUT (The Ultimate Troubleshooter), SFC (just in case some system files were swapped), running a number of Registry fix tools, following Microsoft guidelines for EACH of the malware afflictions (and, in some cases, execution of SPECIFIC removal utilities).

    First, let me say that I KNOW this appears PARANOID, but I don't know ANYONE who is as careful, aware of what and how these nefarious programs proliferate...........and..........second, I tracked, traced and hunted through TONS of logs, registry items, changes, tweaks and modifications and HERE is what I've narrowed the problem down to......

    One or more of these PLAGUES set registry switches to lock me out as an Administrator (and, subsequently, my 'user' membership as a user within the GPO Administrators). This means I have NO administrative capabilities to UNDO any of the changes that have been made (even in SAFE mode). This means I cannot perform any winXP UPDATES, change desktop settings, Administration, or ASSIGNMENTS of admin capabilities..........even when I LOG ON AS ADMINISTRATOR!!!

    The amazing thing is the Admin .cpl DOES come up, and all of the assignments and rights appear correct, but the AU and security files don't get updated.

    Another ODD thing was that I noticed wscntfy.exe and wuauclt.exe were running through svchost.exe threads so I started checking some of the DLL's because this didn't make sense. A GOOD percentage of the dll's just happen to be associated with security, administrative settings, GPO and OTHER policy assignments.........and............they ALL have NEW dates associated with when they were last updated........May 26th, 2005.

    Oh, there's ONE more thing that may help trigger some familiarity with some of the gurus on this forum........when I first boot up, my original wallpaper pops up for a second or two, then the screen goes black (with my desktop icons still appearing though), and then it finally turns and stays white (again, with icons still visible and active).............NOW........the significance of THAT is that one of the viruses or trojans that showed up around the 4th of July was a screen that took over my desktop wallpaper and had some stupid message that my machine might have a virus and all I had to do was download a product to remove it (talk about scum.............plant a virus.........offer a removal program.......for a fee of course........and then continue to monitor the computer your program is loaded on.........I personally can't think of another way to generate more business from some poor slob who couldn't fix their computer if their life depended on it.....pretty sad.........and absolutely contemptible if you ask me).

    I apologize for making this long but I hope SOMETHING will ring a bell with someone here.

    There is a DEFINITE possibility that one or more Spyware/malware/AntiVirus tools removed one or more components or registry items that had been TAKEN OVER with duplicates created during creation. MOST don't check and/or replace SYSTEM files, so the action would have had to have taken place during one of a FEW reboots during the removal process.

    PLEASE let me assure everyone here of ONE thing. Of ALL the AntiVirus/Spyware/Adware/Malware removal and detection programs........NONE........absolutely NONE detected ALL of the maladies found on my machine.........that is........some found a few here and there, and others found ones missed by the first one or two.

    The CWS group of virus/trojans, literally opens the front door and HOLDS IT OPEN while every affliction known to mankind pours in.

    FINALLY, my QUESTION is: can ANYONE here figure out how I can get my Admin capabilities back? I can get the rest (I've likely failed to try something simple). I've thought of booting up via boot disk, swapping LSASS.exe and all of the Admin and Security DLLs with the same date and then trying to reboot again, but I'm afraid the DLLCACHE and System library may have a problem in the event one or more versions don't match.

    Rebuilding the machine is NOT AN OPTION. I've got FAR TOO MANY incredibly valuable items on this machine to chance losing something.

    MANY of you guys are terrific. PLEASE let me know if you need any other info........sorry to say but there's TONS I haven't mentioned here.

    Respectfully.........GFNS!
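    A defender's triage script for the three symptoms described in the post above (an Administrator logon that does not behave like one, System32 DLLs all dated May 26th 2005, and autostart entries that come back after every reboot), added here as an example and not something posted in the thread. It assumes PowerShell 4 or later (for Get-FileHash) and an XP-style System32\dllcache directory; the suspect date is a parameter, so it can be pointed at any other day.

    ```powershell
    # Added triage script, not from the original thread. Assumes PowerShell 4+
    # (Get-FileHash) and an XP-style %SystemRoot%\System32\dllcache directory.
    param([datetime]$SuspectDate = '2005-05-26')   # date the poster saw on the DLLs

    $sys32 = Join-Path $env:SystemRoot 'System32'
    $cache = Join-Path $sys32 'dllcache'

    # 1. Is the current token actually an Administrator? Group membership shown in
    #    the Users applet means nothing if the token itself does not carry the role.
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $prin = New-Object Security.Principal.WindowsPrincipal($id)
    $role = [Security.Principal.WindowsBuiltInRole]::Administrator
    Write-Output ("{0}: effective admin = {1}" -f $id.Name, $prin.IsInRole($role))

    # 2. System32 DLLs last written on the suspect date, each compared by hash with
    #    its protected copy in dllcache, so a swapped binary stands out from a
    #    legitimately patched one (a hotfix updates both copies).
    Get-ChildItem -Path $sys32 -Filter *.dll -File |
      Where-Object { $_.LastWriteTime.Date -eq $SuspectDate.Date } |
      ForEach-Object {
        $cached = Join-Path $cache $_.Name
        $status = if (-not (Test-Path $cached)) { 'no dllcache copy' }
                  elseif ((Get-FileHash $_.FullName).Hash -eq (Get-FileHash $cached).Hash) { 'matches dllcache' }
                  else { 'DIFFERS from dllcache' }
        [pscustomobject]@{ Name = $_.Name; LastWrite = $_.LastWriteTime; Status = $status }
      } | Format-Table -AutoSize

    # 3. Run / RunOnce autostart entries for the machine and the current user, so
    #    anything that re-creates itself on reboot can be correlated with the DLLs above.
    foreach ($hive in 'HKLM', 'HKCU') {
      foreach ($key in 'Run', 'RunOnce') {
        $path = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$key"
        if (-not (Test-Path $path)) { continue }
        (Get-ItemProperty -Path $path).PSObject.Properties |
          Where-Object { $_.Name -notlike 'PS*' } |
          ForEach-Object { Write-Output ("{0}\{1}: {2} = {3}" -f $hive, $key, $_.Name, $_.Value) }
      }
    }
    ```

    Run it from an elevated prompt; a DLL that reports DIFFERS from dllcache, or an Administrator logon whose token reports effective admin = False, is the thing to hand to the helpers along with the HijackThis log.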
     
  2. GFNS

    GFNS Private E-2

    Say there D3m3nt3d...........ANYTHING that may help would be VERY appreciated. I'm sure you know best.

    Sorry if I didn't post this appropriately (on the correct thread). I thought I had although it may be related to the spyware/malware affliction and there's a chance it may have been some default setting that has been included on one or more of the 'removal' tools, utilities or programs that has somehow skipped my detection.

    One way or another, it's SO ugly I'm sure someone else will fall prey to the same circumstances sooner or later. Hopefully, I'll be able to offer some assistance to help them through it as well?

    After going through search after search, thread after thread, there was ONE here on MG that appeared to have much the same symptoms. Unfortunately, after a few suggestions, the afflicted individual simply returned their computer back to the store/manufacturer (sorry, I can't seem to find it again and can't recall the key words to dig it up again) and the FULL resolution had NOT been determined.

    Let me assure you, this is NOT JUST a CWS problem but MOST likely the culmination of that in conjunction with ALL the additional garbage that came with it. I've got a few lists, log files and screen captures from a few of them that I've sorted through to determine what happened, when and where.

    Thanks again for your suggestions. I'll do whatever I can to put the steps and results together to sort this out.

    Respectfully, GFNS.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    From your first post it looks like you may have run quite a few things already, so some of the below will be repetitious, but bear with us and maybe we can get to the bottom of what is going on. If you cannot install anything because of the Admin privileges problem, then just skip to the instructions for installing and posting a HijackThis log.

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
