insufficient rights error

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Sidana, Oct 8, 2009.

  1. Sidana

    Sidana Private E-2

    Hi there,

    I'm having a problem with one of the laptops. It started about two weeks ago, while someone else in the family was using it. It seems to have started with McAfee, but by now is affecting several programs, seemingly the ones that should be able to fix it.

    The login has administrator rights, but trying to run McAfee came up with a message that the user had insufficient rights to run the program. I've tried using Avast, AdAware and Spybot to find and clean the computer, but all of those are now locked down with the same message (again, the login used has administrator rights). It seems that after either starting a scan or finishing a first scan the programs get locked down. Internet Explorer was locked down for a while too, but that's back now.

    I've tried restoring the system to an earlier date, but the restore doesn't work (the restore points seem to be locked down as well).

    Avast managed to complete a boot time scan and found 13 backup and restore points, adaware, spybot, three software distribution update.exe files and an mrt.exe file, all with the error 0xc0000022. Once the computer loaded windows, Avast was once again locked down (If I re-install, it works until I either run the boot time scan or update and try to start a full scan).

    I've followed the cleaning instructions outlined on your website, but ran across several issues.

    After running CCleaner on the Administrator account in Safe Mode, loading back into Normal mode came up with a message initiated by NT Authority System that the system process Windows\system32\services.exe terminated unexpectedly. The computer rebooted itself a few times and eventually stayed on.

    Continuing with the procedure, the same message appeared after ensuring msconfig was set to Normal startup. The error code here was -1073741482 (I didn't write it down for the first times the error came up).

    When I ran SuperAntiSpyware, it found 6 registry entries (one was a trojan with 4 entries, didn't write down what the other was). The program said it quarantined the entries then asked to reboot, and after the reboot the program was locked down and I couldn't get the log (unless you can tell me where on the computer they are stored?).

    Malwarebytes locked down as soon as I tried to run the program.

    ComboFix found "rootkit" when I tried to run it and said it had to reboot, which I did. After the reboot it asked to download the newest version, so I said Yes to that, and the blue screen appeared to start the d/l. Now the blue screen has a flashing cursor, but nothing else seems to be happening. It's been over 30 minutes now, but the procedure said it may take some time, so I'm writing this from a different computer, though I suspect it's not going any further.

    Any help would be greatly appreciated.

    Thanks in advance,

    Sidana
     
  2. Sidana

    Sidana Private E-2

    I forgot to add this in the original post.

    I also tried to use Kaspersky to see if it could find the problem. The online version wouldn't run, so I tried installing the program itself. It does not show up in the Start Menu and it never ran. It appears in Add/Remove, but clicking on it does nothing. When I run Avast, it tells me Kaspersky is installed, but I can't find a way to either run it or uninstall it.

    As an update, ComboFix has been sitting at the blue screen with the blinking cursor for 3 hours now; it doesn't seem to be going anywhere.

    Again thanks for any help,

    Sidana
     
  3. Sidana

    Sidana Private E-2

    After reading the post by hbnutz who seems to have at least a very similar problem, I rebooted the computer, and when prompted to update ComboFix again, I said NO and the program ran without issues.

    The logs I managed to get are attached below:
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!


    Please download and run Win32kDiag per the below instructions:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe.
      You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log
      called Win32kDiag.txt on your desktop. Please attach this log
    C:\win32kdiag.exe -f -r


    Now download Junction.zip to your Windows folder
    • Please download Junction.zip
      and save it to your Windows folder (i.e., C:\Windows\Junction.zip. This assumes C:\ is your Windows boot drive.)
    • Now unzip it and put junction.exe into the Windows folder (i.e., C:\Windows\junction.exe)
    • Do not try to run it right now. We will run something that uses it later.
    Now you must disable Spybot's Teatimer as requested in the READ & RUN ME. See this: How to disable Spybot's TeaTimer

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Now uninstall the below software:
    Ad-Aware SE Personal
    Kaspersky(TM) Anti-Virus Personal Pro 4.5
    McAfee Virtual Technician

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) -

    After clicking Fix, exit HJT.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now we need to reset the permissions altered by the malware on some files.
    • Download and save inherit.exe to your Desktop:
      Inherit.exe
    • It must be in your Desktop or the below fix will not work!
    Now run the C:\MGtools\FixPerm.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).
    • A command prompt window opens and also a license agreement from SysInternals will appear for Junction.
    • Accept the license agreement and the scan will begin.
    • Wait until it finishes. It can take a while to run since it scans your whole hard disk. Be patient and don't do anything
      else while it is scanning.
    • The command prompt window should close when it finishes.
    • While this is running, you will get several/many popups that have a title Finish and say OK. Just click the OK button each time. This is an indication that it has found a file and has attempted to fix permissions. Depending on how many files that need to be fixed, you could get only a few or many of these popups.
    See if you can run SUPERAntiSpyware and Malwarebytes now per the instructions in the READ & RUN ME FIRST cleaning procedure.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below logs:
    • the log from Win32kDiag
    • C:\ComboFix.txt
    • the logs from SUPERAntiSpyware and Malwarebytes if they ran
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Oct 13, 2009
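    The "insufficient rights" symptom and Avast's error 0xc0000022 (the NTSTATUS code STATUS_ACCESS_DENIED) both point at what the FixPerm.bat step above is there to undo: the malware has altered the ACLs on the security tools' own files, and a junction can have been planted in their folders. The script below is an added diagnostic example, not part of the MajorGeeks procedure or of FixPerm.bat, showing how a defender can confirm that kind of tampering before and after a repair. The list of folders to scan is an assumption chosen for illustration; the only tools it relies on are Get-Acl, which is built into PowerShell, and icacls, which ships with Windows Vista and later (XP only has cacls).

```powershell
# Added example (not from the MajorGeeks thread): report executables whose ACL carries
# an explicit Deny entry or has inheritance switched off, and any reparse point
# (junction/symlink) inside the scanned trees. Run from an elevated PowerShell prompt.
param(
    # Assumed folders for illustration; adjust to where your tools are installed.
    [string[]]$Roots = @(
        "$env:ProgramFiles\Malwarebytes' Anti-Malware",
        "$env:ProgramFiles\SUPERAntiSpyware",
        "$env:ProgramFiles\Alwil Software",
        "$env:windir\system32"
    ),
    # When set, reset flagged ACLs with icacls instead of only reporting them.
    [switch]$Repair
)

$binaryExtensions = @('.exe', '.dll', '.sys')
$findings = @()

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -Force includes hidden/system items; items we cannot list are a symptom in themselves.
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # A junction or symlink inside a program folder redirects file access elsewhere.
            if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
                $findings += [pscustomobject]@{ Path = $item.FullName; Issue = 'ReparsePoint (junction/symlink)' }
                return
            }
            if ($item.PSIsContainer -or ($binaryExtensions -notcontains $item.Extension)) { return }
            try {
                $acl = Get-Acl -LiteralPath $item.FullName
            } catch {
                $findings += [pscustomobject]@{ Path = $item.FullName; Issue = "Cannot read ACL: $($_.Exception.Message)" }
                return
            }
            # Deny entries override Allow entries, so a single Deny for Users/Everyone blocks
            # even an administrator account from launching the program.
            $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
            if ($deny) {
                $who = ($deny | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique) -join ', '
                $findings += [pscustomobject]@{ Path = $item.FullName; Issue = "Explicit Deny for $who" }
            }
            # Inheritance switched off is how a tampered ACL survives a parent-folder repair.
            if ($acl.AreAccessRulesProtected) {
                $findings += [pscustomobject]@{ Path = $item.FullName; Issue = 'Inheritance disabled' }
            }
        }
}

if ($Repair) {
    $toFix = $findings | Where-Object { $_.Issue -like 'Explicit Deny*' -or $_.Issue -eq 'Inheritance disabled' }
    foreach ($f in $toFix) {
        # /reset replaces the ACL with the inherited default; /inheritance:e re-enables inheritance.
        & icacls $f.Path /reset | Out-Null
        & icacls $f.Path /inheritance:e | Out-Null
    }
}

# On a clean machine this prints nothing.
$findings | Sort-Object Path | Format-Table -AutoSize
```

Run it once before FixPerm.bat to see what was tampered with, and once afterwards to confirm the list is empty; reparse points are reported but never deleted automatically, since a junction under a program folder deserves a look before anything is removed.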
  5. Sidana

    Sidana Private E-2

    Hi Chaslang,

    Thanks for taking the time to help me.

    The Win32kDiag ran no problems, log is attached below.

    I still can't open Spybot so instead of changing the TeaTime settings I uninstalled it completely.

    I still wasn't able to uninstall Kaspersky, clicking on it in Add/Remove does nothing, and I couldn't actually find the application folder anywhere on the computer to see if there was an uninstall option there.

    McAfee Virtual Technician gave me an error while trying to uninstall, saying "the feature you are trying to use is on a network resource that is unavailable" and it was looking for a "mvt_en-us.msi" file on the computer that I searched for, but did not exist. I opened the program via the Start Menu to see if I could uninstall in there, and it came back saying "some components are corrupt" and offering to let me re-download and install, which I did, in hopes I could then uninstall the program. Instead, the re-install resulted in two entries in Add/Remove. The new one uninstalled no problems; the old one still had the above error and pointing it to the file (which was the d/l) came back saying it's not a valid installation package.

    HJT seemed to work no problem.

    Since Avast was also locked down, trying to run ComboFix came back saying it had to be disabled first, so I uninstalled it, but wasn't able to reboot before CF continued, but it seemed to run fine, the log is attached.

    Running FixPerm.bat did not show any license agreement as per your instructions, but all the Finish/OK windows appeared, so the program seemed to run fine.

    I was now able to run both SAS and MB (re-installed both just in case, and it seems I still have permission to use them). Neither found anything, logs are attached.

    MGtools.exe also ran just fine, again the logs are attached.

    Overall, the computer seems to be running better. I haven't been locked out of any new programs, and the browser pages aren't being hijacked anymore, as sometimes happened when clicking on a google search result. I haven't rebooted yet to see if the desktop actually shows up any faster, right now it's very slow, but that's bearable as long as the rest works.

    Here are the logs:
     

    Attached Files:

  6. Sidana

    Sidana Private E-2

    Here is the last log:
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you want to help speed up startup, you can do the below with HijackThis. This is not malware. It is just stuff you don't need.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    After clicking Fix, exit HJT.





    You did not put junction.exe into the Windows folder as requested. You downloaded Junction.zip to C:\Windows, but you allowed the Windows ZIP utility to put junction.exe into the C:\Windows\Junction folder. Thus you have C:\Windows\Junction\junction.exe instead of C:\Windows\junction.exe


    Do not rerun it right now and don't worry about moving the junction.exe file to the correct location. I will have you try a new version of FixPerm.bat after we install another new version of MGtools and it will automatically allow for it to be in the location where you put it. So let's get the new MGtools installed now.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator ) DO NOT attach a new MGlogs.zip file at this point. We will get a new one later.


    Now let's take care of the remaining items from McAfee and Kaspersky.


    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Delete the below two folders:
    c:\program files\McAfee
    c:\documents and settings\All Users\Application Data\McAfee





    Now run the C:\MGtools\FixPerm.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).
    • A command prompt window opens and also a license agreement from SysInternals will appear for Junction.
    • Accept the license agreement and the scan will begin.
    • Wait until it finishes. It can take a while to run since it scans your whole hard disk. Be patient and don't do anything
      else while it is scanning.
    • The command prompt window should close when it finishes.
    • While this is running, you will get several/many popups that have a title Finish and say OK. Just click the OK button each time. This is an indication that it has found a file and has attempted to fix permissions. Depending on how many files that need to be fixed, you could get only a few or many of these popups.
    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).




    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  8. Sidana

    Sidana Private E-2

    I ran HJT, and the only entry I couldn't find was the one for Malwarebytes, but that doesn't matter.

    There were no problems running the new MGTools, and the registry changes were made successfully. Kaspersky is no longer in Add/Remove Programs, though McAfee Virtual Technician still appears, also in the Start menu, though the file it refers to is gone. I can clean the start menu up later. There is another folder under Application Data called "McAfee.com", can I remove that one too?

    FixPerm.bat and CCleaner ran without issues, and the MGlogs.zip is attached below.

    The system seems to be running better, the correct webpages seem to be appearing, and none of the programs have been suddenly disabled. It seems to be getting back to normal.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes.

    Delete the below left over file from ComboFix:
    C:\WINDOWS\system32\CF12394.exe


    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  10. Sidana

    Sidana Private E-2

    Thank you very much for all your help,

    Sidana
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
