administrator hostile take over

Bruce

About 2 months ago I had a trojan problem, and I seem to have gotten rid of
that.
Since then (and never before) there are some things my laptop won't let me
do and it claims administrator only rights. I'm sure it's something I'm
doing, but I have no idea where to begin with solving this.

Most recent: I was working from home via a remote connection, accessed an
Excel spreadsheet remotely, and then, this morning when I came to work,
I tried to open it and got a warning that the file had been locked by the
administrator and could be opened as "read-only".

How do I deal with this administrator problem at home on the laptop? I
can figure out how to deal with the read-only part here.
Thanks.
csxfire

I have the same problem. The virus changed your registration file. Your
control panel may also be missing. It may have created a new administrator in
the user area. I have been told to use regedt32 in the run line to see if the
registration file is changed. I have one user called administrator and one
user called administrators. You have to find out which one is the real
user. Good luck. Most people told me to save what I can and wipe it clean
and start over.
Lanwench [MVP - Exchange]

csxfire said:
I have the same problem. The virus changed your registration file.
Your control panel may also be missing. It may have created a new
administrator in the user area. I have been told to use regedt32 in
the run line to see if the registration file is changed. I have one
user called administrator and one user called administrators. You
have to find out which one is the real user. Good luck.
Most people told me to save what I can and wipe it clean and start over.

Hmmmm. Administrators is a *group* - a built-in name that can't be used for
anything else - and Administrator is a *user*.

However, you may be right in that a clean reinstall might be the best
option. I'd suggest to the OP that he/she post in
microsoft.public.security.homeusers for some more ideas.
csxfire

A virus changed the registration file. The virus has been removed, but the
damage remains. The control panel is now missing. It has created a new user
called administrator in the user area. I have one user called administrator
and one user called administrators. Even in safe mode, the administrator user
has no rights or a control panel.
Using regedt32, several users are shown besides my user id. What others
should show in a normal file? I have my user id, administrators,
everyone, system, restricted, creator owner, account unknown (s-1-5-32-547).
Which should be removed?
Joined May 3, 2017
I have an *actual user* called 'administrators' that cannot be modified (all allow/deny options grayed out in security tab under properties in a wide variety of applications). It cannot be removed, and it cannot be stopped via command prompt (net user administrators /active:no). It does not appear in the user folder and is not listed in the administrators file members section. It does not appear under user accounts. I have reformatted my computer from disk and this user reappears with inheritable permissions after portions of my recovery disk program (NOT a RW disk) were rewritten during the install. It still cannot be stopped with cmd prompt, nor can it be modified or removed. If *anyone* has heard of this and knows others who have seen this, please send my post to any and all forums to focus as much information on this issue as possible. It is present in both my Windows 7 desktop and my Windows 10 laptop even though they have never shared the same network nor have they been connected to each other.

The intriguing part about the laptop is that it appeared IMMEDIATELY after initial startup RIGHT OUT OF THE BOX. I had not set up any internet connection (I NEVER did - there is none in my house) and had not activated the McAfee subscription, yet there were FIVE active internet connections running and McAfee was the largest process (by memory %) running (multiple instances) in task manager. Incredibly, I had just completed a system exchange through HP because the first laptop had exactly the same issue even though it was first opened and set up 100 miles away from where I set up the second. There is no way the second was corrupted by the same internet connection or local network.

I truly believe this user indicates a serious compromise of windows security and needs serious exploration as soon as possible.
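The whole thread turns on two things that are easy to check directly rather than by guessing: whether a name such as "Administrators" is a user or a built-in group, and what an "account unknown (S-1-5-32-547)" entry in an ACL actually refers to. The PowerShell below is an added example, not code from any poster in this thread. It assumes Windows 10 or later, where the built-in Microsoft.PowerShell.LocalAccounts module provides Get-LocalUser, Get-LocalGroup and Get-LocalGroupMember, and an elevated prompt. The two SIDs it resolves are well-known ones: S-1-5-32-544 is BUILTIN\Administrators and S-1-5-32-547 (the one quoted above) is BUILTIN\Power Users.

```powershell
# Added example, not from the thread. Assumes Windows 10 / Server 2016 or later
# (Microsoft.PowerShell.LocalAccounts module present) and an elevated prompt.

function Resolve-LocalPrincipal {
    # Report whether a local account name is a user, a group, both, or neither.
    param([Parameter(Mandatory)][string]$Name)

    $user  = Get-LocalUser  -Name $Name -ErrorAction SilentlyContinue
    $group = Get-LocalGroup -Name $Name -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Name    = $Name
        IsUser  = [bool]$user
        IsGroup = [bool]$group
        SID     = if ($user) { $user.SID.Value } elseif ($group) { $group.SID.Value } else { $null }
    }
}

function Resolve-Sid {
    # Translate a SID string to an account name. Well-known BUILTIN SIDs resolve on
    # every Windows machine even when the ACL editor shows them as "Account Unknown";
    # a SID that stays unresolvable belongs to an account that no longer exists here.
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        "unresolvable ($Sid)"
    }
}

# 1. The two names from the thread: one is a user account, the other a built-in group.
'Administrator', 'Administrators' |
    ForEach-Object { Resolve-LocalPrincipal -Name $_ } |
    Format-Table -AutoSize

# 2. The "account unknown" SID quoted in the thread, plus the Administrators group SID.
'S-1-5-32-544', 'S-1-5-32-547' |
    ForEach-Object { [pscustomobject]@{ SID = $_; Account = Resolve-Sid -Sid $_ } } |
    Format-Table -AutoSize

# 3. What actually grants administrator rights: membership of the Administrators group.
#    Any member you did not add yourself is the thing to investigate.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource, SID |
    Format-Table -AutoSize

# 4. Enabled local users, so an extra "administrator"-like account stands out.
Get-LocalUser |
    Where-Object { $_.Enabled } |
    Select-Object Name, SID, LastLogon |
    Format-Table -AutoSize
```

On Windows 7 (and earlier) the LocalAccounts module does not exist; `net user` lists local user accounts and `net localgroup Administrators` lists the members of the group. That is also why `net user administrators /active:no` from the post above reports an error: `net user` only operates on user accounts, and Administrators is a group, so there is no account by that name to disable. Step 3 is the check that matters for "administrator only" errors, since it is group membership, not the account name, that confers the rights.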