    morgaine300 Posts: 6,561, Reputation: 276
    Uber Member
     
    #1

    Apr 7, 2010, 04:20 PM
    Loss of Admin Privileges
    Hi all, this is a little complicated, so hopefully this all makes sense, and please just bear with me.

    The other day my user account in XP turned into a guest account, and when I tried switching users, only Admin came up and my account wasn't even on the screen. The admin account wanted a password, which I've never put in, and it wouldn't let me just bypass it. (I have been amazed over how limited a guest account is!)

    Fortunately I'd done a Ghost image a couple of days before and it has a bootable CD that enabled me to get in and restore that image, cause I wasn't allowed into anything else that could fix anything.

    Everything was fine earlier in the day, so I will concentrate on specific things I did that day.

    I turned off the welcome screen. I got into this a way seahwk told me a while back, using the "control userpasswords2" command. All I did was uncheck the box to show the welcome screen and while I took a glance at some other stuff, I didn't change anything else. Is there a possible way for me to have caused this admin privilege problem by getting into that? I can't imagine what since I didn't touch anything, nor how the Admin account (which I never use) would suddenly require a password.

    I went into msconfig and unchecked ICQ in the startup menu. I already have this on selective startup with some other changes. I always do this. The only thing different is that I only recently installed ICQ again, and that was the first time I'd turned it off in startup.

    Not long before, I'd gotten yet another "person" adding me as a contact. ICQ used to not allow that without permission from me. Originally I thought this was a real person, but it happened several times and I started suspecting spam or something. I'm now suspecting it was a virus but am not sure.

    When I discovered I no longer had admin privileges I started by running Spybot and Avast. Spybot found a thing called opachki.ru. Avast found nothing.

    OK, some thoughts on the whole thing... The "contact" I kept getting through ICQ was from Russia, or so it looks. The virus had .ru on it. However, when I did some reading, I found that the issue seems to be related to a thing called QIP, which is an ICQ client commonly used in Russia and that virus had been attacking that. I started getting those "contacts" several weeks ago and only just now had a problem. I don't know if something just finally got through, or if it's one of those things triggered by something I do. That isn't the only way to get that virus, so maybe that's just a bizarre coincidence.

    Spybot mentioned the setting for Autorun in HKLM\Software\Microsoft\Windows\CurrentVersion\Run . It didn't say "what about" the setting - just gave that directory, so just looking in there didn't tell me anything. Spybot couldn't fix it cause I needed admin privileges. After I restored the image I ran it again and it still found it (meaning it was in my image), but this time it was able to fix it. I can now see which line it got rid of - didn't write it down but I know it had something like "MSConfig.exe /Auto" at the end of the line. What's interesting is that this happened not long after I unchecked the ICQ in the startup.

    There's a lot pointing to a virus here. And I'm very suspicious of ICQ at this point. (I did uninstall it.)

    However, Avast didn't find anything. This virus seems to have existed for about a year now and it seems weird that Avast would not detect this thing. My research revealed several files and registry keys this virus is supposed to put on the computer, but I didn't have any of them. (I didn't even see that MSConfig thing mentioned.) My symptoms are not like those described. Some places said people easily got rid of this thing. Some places said the virus made it difficult to do so. (Demoting me to guest and adding a passworded admin certainly is a good way to prevent me from fixing it.)

    Is anyone familiar with this virus? I haven't had any trouble since I restored the image. Do I trust that Spybot actually fixed this thing? Is it still possible that something I did in the user file could've caused this, even though I didn't touch anything else? Any opinions on the safety of ICQ? That used to be the thing my geeky friends would use cause it had better security settings. Now it seems like all the other ones, but there's still things I prefer about it over, say, Yahoo.
    cdad Posts: 12,700, Reputation: 1438
    Internet Research Expert
     
    #2

    Apr 7, 2010, 04:40 PM

    As with any program you run looking for a virus it won't find one that you approve of. So if you authorized to install a program that was a virus then you got the system infected.
    morgaine300 Posts: 6,561, Reputation: 276
    Uber Member
     
    #3

    Apr 7, 2010, 05:21 PM

    If I understand what you're saying, you think that installing ICQ gave me a virus, and since I gave it permission to install, Avast didn't find it?

    I don't know that installing ICQ did anything - I assumed it was from the messages I've been getting that some Russian has added me to their contact list. Avast is supposed to be monitoring IM's. It's also a new version I just downloaded and it's supposed to be monitoring downloads as well. It also would be checking the installation .exe when I run a file scan. Is this not the point of scanning downloads and files?
    cdad Posts: 12,700, Reputation: 1438
    Internet Research Expert
     
    #4

    Apr 7, 2010, 05:26 PM

    It can skip a step if you choose to "run" before it's downloaded. Also, if the virus wasn't in the database at the time you received it, it would remain unknown.
