XP Admin. Permission problem

Locked

LockOutGirl
Got a call from a user today. XP Laptop would not boot. Kept showing a Registry File Failure. File that was affected was \systemroot\system32\config\software. So, using Microsoft's help ( http://support.microsoft.com/kb/307545 - got through part one fine), I managed to swap out the affected files and once again, the laptop boots. However, the next part is causing problems.

I am logged in as the Administrator for the computer, as it was set up before the registry error. Now, though, the admin account is giving "not appropriate permission" errors when I try to do most anything. Also, I am getting what I think are corrupted error messages when I open control panel. The window that shows reads "CWBNL0202 - []\CA400RED.DLL". If I click OK, I can view the CP, but I cannot open most icons, due to the permissions error. (I cannot open user accounts, windows explorer, add/remove programs, etc. )

Thankfully, the data seems to still be on the drive, so we can pull it off and wipe if need be, but I'd love to save myself the trouble of reconfiguring the laptop.

Any help is very appreciated!
    0 Votes
    Jacky Howe

    It could be W32.Yaha.K@mm

    http://securityresponse.symantec.com/avcenter/venc/data/w32.yah...@mm.html

    If that doesn't work, try this. On a clean PC, download the following programs.

    Download Sophos and the latest IDE Files. Install it and extract the IDE files to the SAV32CLI folder. I normally create batch Files for the 4 runs.
    E.g. Sav1.bat
    cd\SAV32CLI
    SAV32CLI -P=C:\SCANLOG.TXT

    http://www.sophos.com/support/knowledgebase/article/13251.html

    Running an information scan
    To run a scan for information only, so as to create a log, type the following at the command prompt:

    SAV32CLI -P=C:\SCANLOG.TXT

    This will create a log of infected files, but will not disinfect or delete any infected files. You can then copy the log to a floppy disk for printing or emailing. If you run SAV32CLI without the -P command line parameter, the information on viruses will be written only to the screen.

    Disinfecting infected files
    To disinfect infected items with SAV32CLI, use the '-di' command line parameter.

    If a file is infected more than once (either with different viruses, or several cases of the same virus), you might need to run multiple scans to disinfect all virus infections.
    Do not use the command line parameter '-remove' in the same scan as '-di', as you could delete a file which could have been cleaned.
    If the infection on the computer seems to be progressing rapidly, back up your data to CD or DVD before attempting disinfection.
    The '-di' command line parameter will disinfect infected boot sectors, some infected program (.exe) files, and infected documents (e.g. .doc, .xls).

    So, if your computer has been infected by a number of viruses, macro viruses, and worms, shut down the infected processes (either manually, or by using safe mode with command prompt), then run a series of scans to disinfect and remove these malicious programs. Make a log of all scans.

    First run

    SAV32CLI -DI -P=C:\SCANLOG1.TXT

    Make a note of the number of files disinfected.

    Run the scan again, with a different log name

    SAV32CLI -DI -P=C:\SCANLOG2.TXT

    If the number of files disinfected has decreased, run a third scan. If it has not, or the number is '0', remove all other virus files:

    SAV32CLI -REMOVE -P=C:\REMOVLOG.TXT

    The above scans will disinfect all files that can be disinfected, and remove the rest.

    During this process any infected documents will have been disinfected. Check the relevant virus analysis to find out if the virus involved could have corrupted data in the document. If you check the logs, you may well find that some worm or Trojan files were infected with a virus, so they were first disinfected, then removed.

    Download Spybot - Search & Destroy 1.5.2 and install it. Update it.

    http://www.safer-networking.org/en/download/index.html

    Run Spybot to check if any remnants have been left.
    Copy all installed Folders to a Flash Disk including HiJackThis and any batch files that I recommend creating.

    Start the Suspect PC in Safe Mode and run the Programs in the order that they were downloaded with the instructions provided.

    By now if still infected you should know the name of the Virus.
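    The four SAV32CLI runs described in the post, collected into one batch file. This is an added example, not the poster's own batch files and not Sophos documentation; it assumes SAV32CLI.EXE and the IDE files were extracted to C:\SAV32CLI (the folder name used above), that the suspect PC was started in Safe Mode with Command Prompt, and that the operator reads the "disinfected" count out of each log by hand, because the log format is not shown on the page.

```batch
@echo off
REM savruns.bat -- added example, not from the post or from Sophos.
REM Runs the scan sequence in the order the post gives: one information-only
REM scan, two disinfection passes, an optional third pass, then a removal pass.
REM Assumption: SAV32CLI.EXE and the extracted IDE files live in C:\SAV32CLI.
setlocal

set SAVDIR=C:\SAV32CLI
set LOGDIR=C:\
if not exist "%SAVDIR%\SAV32CLI.EXE" (
    echo SAV32CLI.EXE not found in %SAVDIR% - extract Sophos and the IDE files there first.
    exit /b 1
)
cd /d "%SAVDIR%"

echo === Run 1: information scan only, nothing on disk is changed ===
SAV32CLI -P=%LOGDIR%SCANLOG.TXT

echo === Run 2: first disinfection pass ===
SAV32CLI -DI -P=%LOGDIR%SCANLOG1.TXT

echo === Run 3: second disinfection pass, separate log so the counts can be compared ===
SAV32CLI -DI -P=%LOGDIR%SCANLOG2.TXT

echo Compare the number of files disinfected in %LOGDIR%SCANLOG1.TXT and %LOGDIR%SCANLOG2.TXT.
set /p AGAIN=Did the number of files disinfected decrease between the two runs? [Y/N]:
if /i "%AGAIN%"=="Y" (
    echo === Extra disinfection pass, because the count is still falling ===
    SAV32CLI -DI -P=%LOGDIR%SCANLOG3.TXT
)

REM -REMOVE is deliberately kept in its own run and never combined with -DI,
REM so that a file which could have been cleaned is not deleted instead.
echo === Final run: remove whatever could not be disinfected ===
SAV32CLI -REMOVE -P=%LOGDIR%REMOVLOG.TXT

echo Done. Copy SCANLOG*.TXT and REMOVLOG.TXT off the machine before rebooting it.
endlocal
```

    Keep the batch file on the same flash disk as the scanner so the whole kit can be carried to the suspect PC; the logs are the only record of what was changed, which is why each run writes to its own file.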

    0 Votes
    bart777

    How much is your time worth?
    This one is going to be bad and take a while to get resolved. Unless you have a backup of the laptop or a good restore point available to you, you're going to be sitting there a while. That being the case I would just copy the data out, format the drive and start over.

    Now, that being said, I would start with the standard recovery tools. See if there is a system restore point that you can go back to.
    Failing that you could try a repair installation of the OS to hopefully fix the bad registry and system files.

    Best of luck.

    0 Votes
    LockOutGirl

    Thanks for the help.

    Re: Virus. It may well be, but I'm highly suspicious of that being the end result. The amount of virus protection we've got here is pretty impressive. Not saying it can't happen, I'm just more inclined to look other places for an answer.

    Course of action right now seems to be scrounge up a loaner to get the user running again in the meantime, and then struggle through the mire to get this one going again. Can't rush things like this, I suppose.

    Thanks again!

    0 Votes
    Jacky Howe

    Run Task Manager; if you don't have permission to run it, you're infected.

    Edit: To make it a bit clearer.
    If the error message states that "Task Manager has been disabled by your administrator" and you haven't disabled it through Group Policy or a Local Policy, you are probably infected.
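    A way to check that message against the registry rather than guessing. This is an added example, not part of the post: it reports whether the DisableTaskMgr policy value (the value that produces the "disabled by your administrator" message) is present under the current user or the machine, so you can compare what is set with what IT actually configured through Group Policy or a local policy. It assumes reg.exe is available, as it is on XP, and that the script is run from the account that sees the message.

```batch
@echo off
REM taskmgrcheck.bat -- added example, not from the post.
REM Reports where the DisableTaskMgr policy value is set. A value that nobody
REM in IT set through gpedit.msc or a domain GPO is a sign of infection, which
REM is the test the post describes.
setlocal
set VALUE=DisableTaskMgr
set KEY=Software\Microsoft\Windows\CurrentVersion\Policies\System
set FOUND=0

for %%H in (HKCU HKLM) do (
    reg query "%%H\%KEY%" /v %VALUE% >nul 2>&1
    if not errorlevel 1 (
        echo %VALUE% is set under %%H\%KEY%:
        reg query "%%H\%KEY%" /v %VALUE%
        set FOUND=1
    )
)

if "%FOUND%"=="0" (
    echo %VALUE% is not set in HKCU or HKLM.
    echo If Task Manager still refuses to start, the block is coming from somewhere else;
    echo treat that as more suspicious, not less.
    goto :eof
)

echo.
echo A REG_DWORD of 0x1 means Task Manager is disabled for that scope.
echo If this was not set deliberately through gpedit.msc or a domain GPO, assume malware set it.
echo Other policy values in the same key, for example DisableRegistryTools, are worth reading too:
reg query "HKCU\%KEY%"
endlocal
```

    The check only tells you where the value lives, not who wrote it; a genuine policy and a planted one end up in the same key, so the comparison against what IT configured is the part that matters.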

    0 Votes
    The Scummy One

    Unless you have a backup with all of the apps installed, just rebuild it. Once you change the SW hive with the repair version, the system goes back to the way it was (pretty much) when it was just installed, with nothing on it -- except many unknown/unwanted items that may still be lurking.

    Once I see the hive fails to install, I start thinking about a data backup and rebuild. If it happens again, then it is time to replace the HDD. However, it may just get fixed by a chkdsk. But this is unlikely.

    0 Votes
    OH Smeg

    While gathering new knowledge is good, you have to balance that against the lost production time of the user, so I've found it much better to just wipe & re-image.

    While you may not learn as much, you have happier end users who are not constantly complaining to the boss that they were unable to do whatever because IT messed them around when their NB failed, and that failure was caused by IT as well because they didn't tell us to do it differently. The IT section is always the scapegoat for end users.

    If the business is big enough you could pull the HDD, fit it to an identical NB and play with it when you have the time, but having even a backup NB out of service for any length of time in most businesses isn't acceptable.

    Col

    0 Votes
    jdclyde

    Once you start getting issues with the registry, the system is going to become unstable.

    If you REALLY know what you're doing, you might be able to fix it, but virus or bad registry, a wipe and reload is by far the quickest solution, and will give you the best end product.

    Good luck.

    0 Votes
    david.wallis

    Once you've copied the files over, you need to boot to Windows; you should be able to do a system restore to go back before the errors.

    0 Votes
    emerem2tor

    If yes, then it might be the Client Access you need to have a look at. It might be no infection there, just a corrupt registry. Usually if you update the CA the problem is solved.
    I would suggest you look on other forums too; perhaps you'll find more help there.

    0 Votes
    okiefishinpole

    Had the same problem on a desktop. Boot into Safe Mode, create a new account for the user, but don't delete the corrupt account. Reboot into the new user account and check to see that everything works. Copy needed files and settings from the bad account to the new account and then delete the bad account from Users.
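    The recovery in this post, scripted. This is an added example and not the poster's own procedure: it creates the replacement account on the first run, stops so the new account can log on once and get a fresh profile, then on the second run copies the data folders across without touching the old profile's registry hive. It assumes XP's default profile location, C:\Documents and Settings, an administrative command prompt in Safe Mode, and that OLDUSER and NEWUSER are supplied on the command line; adding the new account to Administrators is an assumption made because the broken account here is the machine's administrator.

```batch
@echo off
REM newprofile.bat -- added example, not from the post.
REM Usage: newprofile OLDUSER NEWUSER   run twice: once to create, once to copy.
REM Assumptions: XP, profiles under C:\Documents and Settings, run as an
REM administrator from Safe Mode.
setlocal
if "%~2"=="" (
    echo usage: %~nx0 OLDUSER NEWUSER
    exit /b 1
)
set OLDUSER=%~1
set NEWUSER=%~2
set PROFILES=C:\Documents and Settings

if not exist "%PROFILES%\%OLDUSER%" (
    echo No profile folder for %OLDUSER% under %PROFILES%.
    exit /b 1
)

if not exist "%PROFILES%\%NEWUSER%" (
    REM Step 1: create the account, prompting for the password, and give it
    REM administrator rights - an assumption, since the damaged account is Administrator.
    net user %NEWUSER% * /add
    net localgroup Administrators %NEWUSER% /add
    echo Account %NEWUSER% created. Reboot, log on as %NEWUSER% once so the profile
    echo is created, confirm Control Panel and Explorer work, then run this script
    echo again to copy the data.
    exit /b 0
)

REM Step 2: copy the data folders only. NTUSER.DAT is deliberately left behind;
REM a damaged per-user hive is exactly what this procedure is escaping from.
for %%D in ("My Documents" "Desktop" "Favorites") do (
    echo Copying %%~D ...
    xcopy "%PROFILES%\%OLDUSER%\%%~D" "%PROFILES%\%NEWUSER%\%%~D" /E /H /K /C /I /Y
)

echo Data copied. Verify it from the %NEWUSER% logon before deleting %OLDUSER%
echo with: net user %OLDUSER% /delete
echo Any EFS-encrypted files owned by %OLDUSER% stay unreadable to %NEWUSER%;
echo export that account's certificate and key before deleting it if any exist.
endlocal
```

    The copy is split into a separate run on purpose: xcopy into a profile folder that Windows has not yet created would leave the new account with the right files but the wrong ownership and no working shell folders. The EFS note matters because, as a later post in this thread shows, the account's certificate is the only thing that can open those files.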

    0 Votes
    cherubcalf

    Rather than reformat, I loaded XP Home over XP Pro and was able to save most of the files except an encrypted 2000+ picture folder. Some minor masking problems worked out over time; but it was a desperate tactic from getting tired of backing up all my data, and then a bad crash. Still have the useless folder, hoping that the certificate, which is still intact, can somehow be unlocked with the invisible key. Latest clue: getting an Error Message 2 lately. This is assuming you have your program CDs: reloading split @ half and half.
