Stupid Lockout

Discussion in 'Software' started by markem, Dec 22, 2008.

  1. markem

    markem Private First Class

    Ok! It's my turn! :)

    I wanted to secure my wife's computer (which she uses to do all of her school stuff). I set up my local security policy and forgot to include INTERACTIVE as to who could log into the system. So now it says "The local policy does not allow you to log in interactively" if you try to do so. I know this is a registry thing but which registry file do I need to replace? Also, do I need to replace it with one with her account already set up? Let me know! Thanks! :)
     
  2. markem

    markem Private First Class

    Ok! I hate to ask and then yank - so if anyone has a better idea please DO let me know. But, like any good soldier, I didn't sit on my butt and wait for an answer - I went surfing! (Nice tan, fell off several times but rode the waves til I was tired! Doh! :-D )

    No, really, I did go surfing the net looking for an answer. I found this:

    There is a file called secedit.sdb which is found in %SystemRoot%/security/repair which you can copy over to %SystemRoot%/system32/config. That will reset all of the security items back to their defaults. (Which means I have to go through and set everything back up again, but hey! That's better than being locked out completely.)

    So that is (I think) the answer to my problem. If anyone comes up with anything else, please DO let me know! (As I said.) If this doesn't work I'll come back tomorrow with bowed head, sobbing my heart out, gasping for breath, crawling.....(I can't bear to look!). Anyway, I'll come back and fess up that it didn't work.

    Later guys & gals! :cool
     
  3. markem

    markem Private First Class

    Well, that didn't work. :cry

    Ok - next thing - I had been looking for where the Bart PE stuff was located and I came across UBCD (Ultimate Bootable CD for Windows). If this works so that I can get a default Windows XP OS up and running - AND - I can then access the Local Security Policy part of the Administrator's tools, then I will be able to get things restored quickly. :)

    So that's my next thing I'll try.

    Status of my three computers (and my wife's computer):

    System #1: (Laptop) All files were backed up to archives (ZIPped) and I reinstalled Windows XP. Made a backup of the default OS so I could slap it on to my other systems and then change the Product Key to each one of them. (I used my oldest OS CD because it keeps saying it has been activated too many times and asks me to change the Product Key anyway. So I just called it in the first time for the laptop, but when you put it on another system it wants to re-activate it again which....you get the picture.) Anyway, still downloading updates - almost to SP3.

    System #2: (Server) Because the CD drives and HDs are on SIIG cards I was really glad I had decided to back up the OS from System #1. (Because I couldn't activate the CD Drives until the OS was installed. A catch-22!) I've already switched the Product Key to another CD and I am now starting to do all of the updates on that system.

    System #3: (Old Development System) It is still sitting in safe mode just in case something goes wrong with the other two systems.

    System #4: (Wife's Laptop) Still can't log in to it because I haven't figured out how to reset the Local Security Policy. Going to create a Bart PE CD tonight via the UBCD website's instructions. Then I'll boot up from the CD and try fixing things that way.

    No other ideas yet from anyone on how to reset this stuff so I can get back into the system?

    Notes: Also looking at AutoIt to see if I can write a small program to just go in and reset things. Only it would have to run at boot time since I can't even get into the system yet. rolleyes
     
  4. markem

    markem Private First Class

    Well, I hope everyone had a wonderful Christmas. Ours was rather small this year - but we are still saving up to get our house rebuilt from Hurricane Ike. :)

    Still working on the virus issue. I successfully made a UBCD CD. I then took it to work to show someone that it could be done and left it there. :p So much for fixing the computer. I have, though, some info on what to look for to see if you have been infected by this thing.

    1. If you are infected by this virus, then it will create two folders in your "Documents and Settings" folder. These are called "Local Service" and "Network Service". These two folders are normally there but hidden from view. However, after the virus gets through with them - they will show up. This is because the virus modifies their properties so it can write to them.

    2. A new "System Volume Information" folder will appear on your "C:\" folder. This folder's information is used (as far as I can tell) to re-install the virus should you delete it.

    3. The "alg.exe" program will begin running on your system. You can verify this by bringing up the Task Manager. You bring up the Task Manager by right-clicking on the task bar (blue bar at the bottom of your screen) and selecting it from the pop-up menu. Now - there really is a program called "alg.exe" in your system folder. But this "alg.exe" is not run from there.

    I'm here at work presently and I decided to look at how they have their system set up and the main thing I noticed that was different was that they have de-selected the first option under Folder Options. This being the "Automatically search for network folders and printers". Which might be a way to prevent the virus from spreading. Because this virus spreads the moment you plug in a new USB drive or anything like that.

    Anyway, still working on this problem. I am thinking of downloading all of the anti-spyware/antivirus programs onto a jump drive so I can take that home and then run all of the programs in that way.

    Later everyone! :cool
     
  5. sach2

    sach2 Major Geek Extraordinaire

    I'm not familiar with the Security settings you are changing but I think you are jumping around a bit too hastily. System Volume Information is a hidden system folder that contains your Restore points. Alg.exe is running on my XP and has been for as long as I can remember.

    Have you tried logging on to the laptop in safe mode (F8) at boot and logging on to the Administrator account? If you can get on try doing a System Restore to a date before you changed the Security settings.
     
  6. markem

    markem Private First Class

    The virus/hacker managed to wipe all accounts so I could no longer get into the computer. The virus also had other properties. Avira noted that the System Volume Information folder contained the Smit virus as well as another virus (forgot to write it down). Also Avira said that the system was set to run this other virus in the registry. By deleting the System Volume Information folder I got rid of the virus's attempts to re-install itself. I also deleted the Recycler folder as that is where the System Volume Information was placed after I had deleted it.

    This was a part of how I got rid of the virus. There were other locations (ie: Registry and e-mail files) where the virus was also located. The "Local Service" and "Network Service" directories were also infected and had been created by the virus when it took over the system. (Or when the hacker came in.)

    The virus also turned on the PXE boot capabilities of the laptops and desktop units (PXE was off before).

    All-in-all a very nasty virus. :(

    Oh! Also, I forgot to mention that I went out and did research on the virus names that Avira was returning. One of them changes its name from whatever it normally is to alg.exe and inserts itself into a separate directory than the c:\windows\system32 directory. That was one of the files I found. If I remember correctly it was in c:\windows by itself. Unfortunately, I also tracked down where the problem was coming from. My wife had decided to try out limewire and the first pass by Avira reported several viruses in the music she had downloaded. I'm now thinking that that is where things got started.

    Interesting that AVG v8.0 did not catch this happening but Avira caught one of the viruses trying to infiltrate the system almost immediately.

    :cool

    (A good backup and a good reformatting go a long way to getting rid of viruses. ;) )
     
    Last edited: Jan 5, 2009
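
The thread turns on whether a running alg.exe is the genuine Windows binary or a file borrowing its name from another directory. The following is an added example, not part of the thread, that compares each watched process name against its image path. The function name `Find-MasqueradedProcess`, the watch list and the sample records are assumptions constructed for illustration.

```powershell
# Added example: flag processes that carry a Windows system binary's name
# but whose image is not located in %SystemRoot%\System32.
# The watch list is illustrative, not exhaustive.
$SystemNames = 'alg.exe', 'svchost.exe', 'lsass.exe', 'services.exe', 'winlogon.exe'

function Find-MasqueradedProcess {
    param(
        [Parameter(Mandatory)] [object[]] $Process,   # objects with Name, ProcessId, ExecutablePath
        [string] $SystemRoot = $env:SystemRoot
    )
    $expected = (Join-Path $SystemRoot 'System32').TrimEnd('\')
    foreach ($p in $Process) {
        if ($SystemNames -notcontains $p.Name) { continue }   # case-insensitive match
        if (-not $p.ExecutablePath) {
            # Path not readable (usually means the prompt is not elevated):
            # report it as unknown instead of guessing either way.
            $verdict = 'unknown'
        } else {
            $dir = (Split-Path -Parent $p.ExecutablePath).TrimEnd('\')
            $verdict = if ($dir -ieq $expected) { 'expected-location' } else { 'SUSPICIOUS' }
        }
        [pscustomobject]@{
            Name      = $p.Name
            ProcessId = $p.ProcessId
            Path      = $p.ExecutablePath
            Verdict   = $verdict
        }
    }
}

# Constructed sample records (not taken from the thread's machines).
$sample = @(
    [pscustomobject]@{ Name = 'alg.exe';   ProcessId = 1180; ExecutablePath = 'C:\Windows\System32\alg.exe' }
    [pscustomobject]@{ Name = 'alg.exe';   ProcessId = 2412; ExecutablePath = 'C:\Windows\alg.exe' }
    [pscustomobject]@{ Name = 'lsass.exe'; ProcessId = 640;  ExecutablePath = $null }
    [pscustomobject]@{ Name = 'notepad.exe'; ProcessId = 3004; ExecutablePath = 'C:\Windows\System32\notepad.exe' }
)
Find-MasqueradedProcess -Process $sample -SystemRoot 'C:\Windows' | Format-Table -AutoSize

# Against the live process list (run from an elevated prompt so paths are readable):
# Find-MasqueradedProcess -Process (Get-CimInstance Win32_Process)
```

An `expected-location` verdict only rules out the wrong-directory case; it does not prove the file itself is unmodified, so a signature or hash check is still needed for that.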
