Getting Rid of Multiple Administrators

Alan

I was cleaning up a friend's PC that had become infected with a
variety of trojans, malware and viruses. After cleaning all the
pests, the OS (WIN XP Home SP1) remained corrupted. He was able
to use the PC but there was no windows update functionality, no
firewall, inability to execute certain setup files, no antivirus
program and other little funny things going on. We could not
execute any firewall or antivirus setup program. User accounts
said that he had one user (user1) and a guest account that was
turned off. User1 was the administrator. There was no password
protection.

I soon discovered that if one checked user accounts in safe mode,
there were two administrators. One called User1 and one called
Administrator. After logging in as the Administrator I then
discovered that it was various registry settings in the
Administrator account that were causing the OS anomalies in the
User1 account.

I fixed the registry and the User1 account OS was restored. All
critical updates were installed. Antivirus protection and a
firewall were installed. An antispyware app is also installed.
Before upgrading the OS to SP2 I would like to reset the machine
to one Administrator (User1).

Interestingly, MBSA reports that there are more than two
administrators......

I'm looking for advice on how to do this without jeopardizing a
machine that is fully functional. Any advice or links to other
sites are welcome.
 
Gordon

Alan said:
I was cleaning up a friend's PC that had become infected with a variety
of trojans, malware and viruses. After cleaning all the pests, the OS
(WIN XP Home SP1) remained corrupted. He was able to use the PC but
there was no windows update functionality, no firewall, inability to
execute certain setup files, no antivirus program and other little funny
things going on. We could not execute any firewall or antivirus setup
program. User accounts said that he had one user (user1) and a guest
account that was turned off. User1 was the administrator. There was no
password protection.

I soon discovered that if one checked user accounts in safe mode, there
were two administrators. One called User1 and one called Administrator.
After logging in as the Administrator I then discovered that it was
various registry settings in the Administrator account that were causing
the OS anomalies in the User1 account.

I fixed the registry and the User1 account OS was restored. All
critical updates were installed. Antivirus protection and a firewall
were installed. An antispyware app is also installed. Before upgrading
the OS to SP2 I would like to reset the machine to one Administrator
(User1).

Interestingly, MBSA reports that there are more than two
administrators......

I'm looking for advice on how to do this without jeopardizing a machine
that is fully functional. Any advice or links to other sites are welcome.

You cannot get rid of the built-in Administrator account. This is a
system account and you WILL need it when a user account gets corrupted,
as it is your only way into the machine short of a repair install if
this in fact does happen. Having said that, do NOT use this account on a
day to day basis. Create (which you already have) another user account
with Admin rights and use that.
Put a strong password on the built-in Administrator account. I find it
VERY odd that the Administrator account should have been causing
problems with the other admin account - I've never heard of that one
before. Perhaps the Administrator account had been the subject of a
virus or malware attack?
 
Alan

Gordon said:
You cannot get rid of the built-in Administrator account. This is a
system account and you WILL need it when a user account gets corrupted,
as it is your only way into the machine short of a repair install if
this in fact does happen. Having said that, do NOT use this account on a
day to day basis. Create (which you already have) another user account
with Admin rights and use that.
Put a strong password on the built-in Administrator account. I find it
VERY odd that the Administrator account should have been causing
problems with the other admin account - I've never heard of that one
before. Perhaps the Administrator account had been the subject of a
virus or malware attack?

Let me give you an example of one of the problems tied to the
Administrator account that was not visible other than in safe
mode. Windows updates would not work. It identified the problem
as the automatic updates service. When I looked at the service,
I discovered that it had no status and no description. I was
able to reregister all the dlls except for wuaueng.dll.
Everything I tried failed to restore the service until I logged
into that Admin account in safe mode. Automatic updates was
disabled as was a variety of other services. Re-enabling those
services in that account let me fix the problems in the user
account. When I checked permissions, the user account appeared
to have all the required admin permissions.

Would you know of any reason why MBSA (Microsoft Baseline
Security Analyzer) would be reporting more than two administrator
accounts? I can only find two accounts in safe mode.
 
Gordon

Alan wrote:
||
|| Would you know of any reason why MBSA (Microsoft Baseline
|| Security Analyzer) would be reporting more than two administrator
|| accounts? I can only find two accounts in safe mode.

I can't. What does it say the accounts are? (Mine only lists two -
administrator and my own account)
 
Alan

Gordon said:
Alan wrote:
||
|| Would you know of any reason why MBSA (Microsoft Baseline
|| Security Analyzer) would be reporting more than two administrator
|| accounts? I can only find two accounts in safe mode.

I can't. What does it say the accounts are? (Mine only lists two -
administrator and my own account)

Sorry for the delay in responding but I couldn't get access to
the machine.

MBSA reports that there are 3 administrators called
Administrator, the User and
S-1-5-21-2163411867-891307005-2424629274-1003.
MBSA advises one to review the list of members in local
administrators & the domain admin groups to correct this.
Suffice to say, that is Greek to me.

MBSA is the only place that one can find 3 administrators.

Any ideas?
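
How to read the third entry MBSA lists, as an added example (not part of the original thread and not MBSA's code): a member shown as a raw `S-1-5-21-...` string is a security identifier that Windows could not map to an account name, and its issuer prefix and last number (the RID) say what kind of account it referred to. The name `User1` for "the User", the `LOCAL` prefix and the function names are assumptions for illustration.

```python
import re

# Well-known relative identifiers (RIDs) under an S-1-5-21-<machine or domain> prefix.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$", re.IGNORECASE)

def parse_sid(text):
    """Split a SID string into authority, sub-authorities, issuer prefix and RID."""
    m = SID_RE.match(text.strip())
    if not m:
        return None
    subs = [int(p) for p in m.group(2).lstrip("-").split("-")]
    if len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        return None  # a SID holds at most 15 sub-authorities of 32 bits each
    sid = {"authority": int(m.group(1)), "subs": subs, "issuer": None, "rid": None}
    # S-1-5-21-a-b-c-RID: a, b, c identify the machine or domain that issued the account.
    if sid["authority"] == 5 and len(subs) == 5 and subs[0] == 21:
        sid["issuer"] = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        sid["rid"] = subs[4]
    return sid

def review_members(members, local_issuer=None):
    """Flag Administrators-group entries that are shown as raw SIDs instead of names."""
    findings = []
    for entry in members:
        sid = parse_sid(entry)
        if sid is None:
            continue  # entry resolved to an account name; nothing to flag
        if sid["rid"] is None:
            note = "unresolved SID, not an account issued by a machine or domain"
        elif sid["rid"] in WELL_KNOWN_RIDS:
            note = "unresolved SID of the " + WELL_KNOWN_RIDS[sid["rid"]]
        elif sid["rid"] >= 1000:
            note = "unresolved SID of a non-built-in account or group (RID >= 1000)"
        else:
            note = "unresolved SID with a reserved RID below 1000"
        if local_issuer and sid["issuer"]:
            same = sid["issuer"].lower() == local_issuer.lower()
            note += "; issued by this machine" if same else "; issued elsewhere"
        findings.append((entry, sid["rid"], note))
    return findings

# The three members MBSA listed in the post above; "User1" stands in for "the User".
MBSA_MEMBERS = ["Administrator", "User1", "S-1-5-21-2163411867-891307005-2424629274-1003"]
# Assumption for illustration: the machine's own SID prefix matches the unresolved entry.
LOCAL = "S-1-5-21-2163411867-891307005-2424629274"
if __name__ == "__main__":
    for entry, rid, note in review_members(MBSA_MEMBERS, LOCAL):
        print(entry, "->", note)
```

An entry that stays unresolved is commonly left behind when an account is deleted while its group membership remains; `net localgroup Administrators` shows the same member list from a command prompt.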
 
Gordon

Alan wrote:
|| Gordon wrote:
||| Alan wrote:
|||||
||||| Would you know of any reason why MBSA (Microsoft Baseline
||||| Security Analyzer) would be reporting more than two administrator
||||| accounts? I can only find two accounts in safe mode.
|||
||| I can't. What does it say the accounts are? (Mine only lists two -
||| administrator and my own account)
|||
|| Sorry for the delay in responding but I couldn't get access to
|| the machine.
||
|| MBSA reports that there are 3 administrators called
|| Administrator, the User and
|| S-1-5-21-2163411867-891307005-2424629274-1003.
|| MBSA advises one to review the list of members in local
|| administrators & the domain admin groups to correct this.
|| Suffice to say, that is Greek to me.
||
|| MBSA is the only place that one can find 3 administrators.
||
|| Any ideas?

I've seen a few posts recently relating to an Administrator account like
that, but at the moment can't find any of them. I suggest you re-post with a
query specifically about that account, and someone with more immediate
knowledge than I may reply!
Meanwhile I'll go on looking........
 
Gordon

Alan wrote:
|| Gordon wrote:
||| Alan wrote:
|||||
||||| Would you know of any reason why MBSA (Microsoft Baseline
||||| Security Analyzer) would be reporting more than two administrator
||||| accounts? I can only find two accounts in safe mode.
|||
||| I can't. What does it say the accounts are? (Mine only lists two -
||| administrator and my own account)
|||
|| Sorry for the delay in responding but I couldn't get access to
|| the machine.
||
|| MBSA reports that there are 3 administrators called
|| Administrator, the User and
|| S-1-5-21-2163411867-891307005-2424629274-1003.
|| MBSA advises one to review the list of members in local
|| administrators & the domain admin groups to correct this.
|| Suffice to say, that is Greek to me.
||
|| MBSA is the only place that one can find 3 administrators.
||
|| Any ideas?

Got it!
Have a look here:
http://makeashorterlink.com/?G4D2214FA

(Full link:
http://groups.google.co.uk/groups?q...r=&selm=#Xs2mb9uBHA.1608@tkmsftngp04&rnum=261)
 
Alan

Gordon said:
Alan wrote:
|| Gordon wrote:
||| Alan wrote:
|||||
||||| Would you know of any reason why MBSA (Microsoft Baseline
||||| Security Analyzer) would be reporting more than two administrator
||||| accounts? I can only find two accounts in safe mode.
|||
||| I can't. What does it say the accounts are? (Mine only lists two -
||| administrator and my own account)
|||
|| Sorry for the delay in responding but I couldn't get access to
|| the machine.
||
|| MBSA reports that there are 3 administrators called
|| Administrator, the User and
|| S-1-5-21-2163411867-891307005-2424629274-1003.
|| MBSA advises one to review the list of members in local
|| administrators & the domain admin groups to correct this.
|| Suffice to say, that is Greek to me.
||
|| MBSA is the only place that one can find 3 administrators.
||
|| Any ideas?

Got it!
Have a look here:
http://makeashorterlink.com/?G4D2214FA

(Full link:
http://groups.google.co.uk/groups?q...r=&selm=#Xs2mb9uBHA.1608@tkmsftngp04&rnum=261)

Getsid.exe is a Win XP Professional exec. Thanks anyhow. I'll
post a separate query.
 
Guest

I have a similar issue - see posting "Mystery Administrator." I have learned
a little but not enough to solve my problem or yours. What I have learned is
that your mystery administrator - the one with the long string of letters and
numbers - is probably related to a feature called "Protected Storage System
Provider." This feature is used to store certain kinds of privileged
information such as passwords entered into web browser form fields or used to
connect to an Internet service provider. I have no idea how to decipher what
causes this to show up as an administrator or what the consequences of
attempting to delete it would be. Hope someone does :(
 
