SOS: I have lost my Admin rights on my hdd

Mack

Hello, I have 6 administrators and 1 unknown user on my hdd.
I did netsh qprocess quser; they all have the same base
addy, but they use my gate ip and create servers on my hdd.
They modify the register so I can't do much like modify the
programs antivirus do mimic on the ones online. I can't
format; it comes back and another admin is there in charge
of my hdd volume. What can I do? Here is some info I got:

boot:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professionnel" /fastdetect

shell32:

HKCU,"%PATH_EXPLORER%\NoRoamObfuscated"
HKLM,"%PATH_AUTOPLAY%\ContentTypeHandlers\MixedContentHandler\EventHandlers\MediaArrival","Fake",,""
HKLM,"%PATH_AUTOPLAY%\DeviceHandlers\GenericVolumeHandler\EventHandlers\DeviceArrival","GenericVolumeArrival",,""
HKLM,"%PATH_AUTOPLAY%\DeviceHandlers\GenericVolumeHandler\EventHandlers\DeviceArrival","DefaultIcon",,""
HKLM,"%PATH_AUTOPLAY%\DeviceHandlers\GenericVolumeHandler\EventHandlers\DeviceArrival","FriendlyName",,""
HKLM,"%PATH_AUTOPLAY%\DeviceHandlers\GenericVolumeHandler\EventHandlers\MediaArrival","GenericVolumeArrival",,""
HKLM,"%PATH_AUTOPLAY%\DeviceHandlers\GenericVolumeHandler\EventHandlers\MediaArrival","DefaultIcon",,""
HKLM,"%PATH_AUTOPLAY%\DeviceHandlers\GenericVolumeHandler\EventHandlers\MediaArrival","FriendlyName",,""
HKLM,"%PATH_AUTOPLAY%\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}","DeviceHandlers",,
HKLM,"%PATH_AUTOPLAY%\EventHandlers\PlayMusicFilesOnArrival","MSPlayMusicFilesOnArrival",,""
HKLM,"%PATH_AUTOPLAY%\EventHandlers\PlayVideoFilesOnArrival","MSPlayVideoFilesOnArrival",,""
HKLM,"%ADV_VISUALEFFECTS%\MenuFade"
HKLM,"%ADV_VISUALEFFECTS%\UIEffects"
HKLM,"%ADV_VISUALEFFECTS%\GradientCaptions"
HKLM,"%ADV_VISUALEFFECTS%\HotTracking"
HKLM,"%ADV_VISUALEFFECTS%\ListviewScrollOver"
HKCR,mp3file,TileInfo
HKCR,wmafile,TileInfo
HKCR,jpegfile,TileInfo
HKCR,Paint.Picture,TileInfo
HKCR,TIFImage.Document,TileInfo
HKCR,pngfile,TileInfo
HKCR,PCXImage.Document,TileInfo
HKCR,"CLSID\{0003000C-0000-0000-C000-000000000046}\TreatAs"
HKCR,"CLSID\{0003000C-0000-0000-C000-000000000046}\NotInsertable"
HKCR,"CLSID\%CLSID_UserNotification%\%LS%"
HKCR,"exefile\shell\runas",Extended
HKLM,"%ADV_FOLDER%\NetPlacesOnDesktop"
HKCR,"CLSID\%CLSID_AutoCMWinSecurity%"
HKLM,"%PATH_HIDEDESKICONS%","%CLSID_RecycleBin%"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu","%CLSID_RecycleBin%"
HKCR,"CLSID\%CLSID_RecycleBin%\ShellFolder",HideOnDesktopPerUser
HKCR,".cdburn"
HKCR,"CLSID\%CLSID_CDBurn%","NeverShowExt"
HKCR,"CLSID\%CLSID_CDBurn%\DefaultIcon"
HKCR,"CLSID\%CLSID_CDBurn%\shellex\DropHandler"
[!DelRegShell]
HKCR,"CLSID\%CLSID_ShellDesktop%\%EXTVIEW%\%VID_WebView%","PersistFile"
[RegShellNamespace]
HKCR,"CLSID\%CLSID_MyDocuments%\%IPS%",,%REGEXSZ%,"%_SYS_MOD_PATH%"
HKCR,"CLSID\%CLSID_MyDocuments%\%IPS%",ThreadingModel,,Apartment
HKCR,"CLSID\%CLSID_MyDocuments%\%IPS%",LoadWithoutCOM
HKCR,"CLSID\%CLSID_MyDocuments%\ShellFolder",WantsFORPARSING
HKCR,"CLSID\%CLSID_MyDocuments%\ShellFolder",CallForAttributes,%REGDW%,0x00020040
HKCR,"CLSID\%CLSID_MyDocuments%\ShellFolder",HideOnDesktopPerUser
HKCR,"CLSID\%CLSID_MyDocuments%\ShellFolder",QueryForOverlay
HKCR,"CLSID\%CLSID_MyDocuments%\ShellFolder",Attributes,%REGDW%,0xF080013D
HKCR,"CLSID\%CLSID_MyDocuments%\DefaultIcon",,%REGEXSZ%,"%_SYS_MOD_PATH%,-235"
HKCR,"CLSID\%CLSID_MyDocuments%",SortOrderIndex,%REGDW%,0x00000048
HKCR,"CLSID\%CLSID_MyDocuments%\shell\find",SuppressionPolicy,%REGDW%,0x00000080
HKCR,"CLSID\%CLSID_MyDocuments%\shell\find\command",,%REGEXSZ%,"%25%\Explorer.exe"
HKCR,"CLSID\%CLSID_MyDocuments%\shell\find\ddeexec",,,"[FindFolder(""%l"", %I)]"
HKCR,"CLSID\%CLSID_MyDocuments%\shell\find\ddeexec\application",,,"Folders"
HKCR,"CLSID\%CLSID_MyDocuments%\shell\find\ddeexec\topic",,,"AppProperties"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\%CLSID_MyDocuments%",,"My Documents"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\%CLSID_MyDocuments%","Removal Message",,"@mydocs.dll,-900"
HKCR,"CLSID\%CLSID_DocFindFolder%",,2,"Search Results Folder"
HKCR,"CLSID\%CLSID_DocFindFolder%",LocalizedString,%REGEXSZ%,"@%_SYS_MOD_PATH%,-30520"
HKCR,"CLSID\%CLSID_DocFindFolder%\DefaultIcon",,%REGEXSZ%,"%_SYS_MOD_PATH%,-134"
HKCR,"CLSID\%CLSID_DocFindFolder%\%IPS%",,%REGEXSZ%,"%_SYS_MOD_PATH%"
HKCR,"CLSID\%CLSID_DocFindFolder%\%IPS%",ThreadingModel,,Apartment
HKCR,"CLSID\%CLSID_DocFindFolder%\ShellFolder","Attributes",%REGDW%,0x20180000
HKLM,"%PATH_EXPLORER%\Desktop\NameSpace\%CLSID_DocFindFolder%",,,"Search Results Folder"
HKCR,"CLSID\%CLSID_ComputerFindFolder%",,2,"Computer Search Results Folder"
HKCR,"CLSID\%CLSID_ComputerFindFolder%",LocalizedString,%REGEXSZ%,"@%_SYS_MOD_PATH%,-30521"
HKCR,"CLSID\%CLSID_ComputerFindFolder%\DefaultIcon",,%REGEXSZ%,"%_SYS_MOD_PATH%,-135"
HKCR,"CLSID\%CLSID_ComputerFindFolder%\%IPS%",,%REGEXSZ%,"%_SYS_MOD_PATH%"

thanks for your help
 
Roger Abell [MVP]

Could you please try using separate sentences so
that we could follow what you are saying?
What is
netsh qprocess quser
?
netsh does not have a qprocess context.

Why do you not just use the User Accounts applet
to reset the passwords on the admin accounts, all
of them, and turn on your firewall? Then, you could
start trying to find out what software has been
installed to allow them, assuming there is a "them",
to get system access.

If your system has been penetrated to the extent
you seem to indicate, then you are likely looking
at a reinstall starting from a fresh format.
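Added example, not part of the original thread: before resetting the passwords on every admin account as suggested above, it helps to list who is actually in the local Administrators group. This Python sketch parses the output of `net localgroup Administrators` and flags members outside an expected list; the sample output and account names are constructed, and treating the last line as the status message is an assumption about the command's output layout.

```python
import subprocess
import sys

# Constructed sample of `net localgroup Administrators` output (not from the thread).
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Mack
admin2
svc_update
The command completed successfully.

"""

def parse_members(net_output):
    """Return the account names listed between the dashed rule and the status line."""
    lines = [ln.rstrip() for ln in net_output.splitlines()]
    rule = next((i for i, ln in enumerate(lines) if ln and set(ln) == {"-"}), None)
    if rule is None:
        raise ValueError("no member list found; is this `net localgroup` output?")
    body = []
    for ln in lines[rule + 1:]:
        if not ln.strip():
            break
        body.append(ln.strip())
    # Assumption: the last non-blank line is the (localized) status message, so drop it.
    return body[:-1]

def unexpected_admins(net_output, expected):
    """Members not in the expected set; Windows account names are case-insensitive."""
    allowed = {name.lower() for name in expected}
    return [m for m in parse_members(net_output) if m.lower() not in allowed]

def live_output(group="Administrators"):
    """Run the real command (Windows only); the group name is localized on non-English systems."""
    result = subprocess.run(["net", "localgroup", group],
                            capture_output=True, text=True, check=True)
    return result.stdout

if __name__ == "__main__":
    text = live_output() if sys.platform == "win32" else SAMPLE_OUTPUT
    for name in unexpected_admins(text, expected={"Administrator", "Mack"}):
        print("unexpected administrator:", name)
```

Any name it prints is an account to disable or remove before the password resets, since a reset alone leaves an unknown administrator in place.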
 