UAC on XP Home

copiman

Member
I have just cleaned up a PC. I wanted to enable user accounts so that the kids are just users and me as the administrator. They download too much, which is why I had to clean it up. The problem is when I go to Control Panel > User Accounts, the user account box opens just fine but will not let me do anything. Cannot create an account, change, nothing. I looked at security services and they are on automatic. Not sure which is used for what I need though. I have XP Home. I know, it's old. Anyway, not sure where to go from here. Been googling since lunch with no solution.
 
Suggest starting by using Steps 6 - 8 here and doing a little detective work in the registry. Sometimes it's the only way to get things done with w2k and xp. Be careful!
 
You should click on User Accounts, and then choose Manage Another Account.
 

In User Accounts I have 3 choices. Change an account, create a new account, and change my picture. Regardless of which one I click on, nothing happens. I know I'm the administrator. I thought maybe some type of service or something may not be enabled for this, just don't know what to look for.
 
Sounds like the machine could still be infected. Please do the following.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
  • Download this file here :

    Combofix

  • When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
  • Save the file to your windows desktop. The combofix icon will look like this when it has downloaded to your desktop.

    cf-icon.jpg
  • We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

  • Close all open Windows including this one.
  • Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found here.
    Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
  • Please click on I agree on the disclaimer window.
  • ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.

    cf-preparing.jpg

  • ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.

    erunt.jpg

  • Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:

    recovery-console-prompt.jpg

  • At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.
  • Please click on yes in the next window to continue scanning for malware.
  • ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
  • ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.

    still-scanning-clockchanges.jpg

  • When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
  • This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt.
  • When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
  • Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy. Then come to the forum in your reply and right click on your mouse and click on paste.

If for some reason you try to run a program or open a file and you get an error message saying "illegal operation attempted on a registry key that has been marked for deletion", please just reboot your PC and you'll be fine.


In your next reply please post:

The ComboFix log
 
Here it is.

ComboFix 14-03-05.01 - Laura Shine 03/08/2014 19:06:26.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.759 [GMT -5:00]
Running from: c:\documents and settings\Laura Shine\My Documents\Downloads\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.DFDZC741\GoToAssistDownloadHelper.exe
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Laura Shine\GoToAssistDownloadHelper.exe
c:\documents and settings\Laura Shine\WINDOWS
c:\windows\offitems.log
c:\windows\system32\SETA8.tmp
c:\windows\system32\SETAA.tmp
c:\windows\system32\SETB9.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_PPDRV
-------\Legacy_WEBSERVER
.
.
((((((((((((((((((((((((( Files Created from 2014-02-09 to 2014-03-09 )))))))))))))))))))))))))))))))
.
.
2014-03-08 23:04 . 2014-03-08 23:31 1409 ----a-w- c:\windows\QTFont.for
2014-03-08 22:14 . 2014-02-26 01:59 13312 ------w- c:\windows\system32\xp_eos.exe
2014-03-08 20:45 . 2014-03-08 20:46 -------- d-----w- c:\documents and settings\DAD
2014-03-08 20:38 . 2014-03-08 20:38 -------- d-sh--w- c:\documents and settings\Administrator.DFDZC741\IETldCache
2014-03-08 19:11 . 2014-03-08 19:12 -------- d-----w- c:\documents and settings\Children
2014-03-08 17:44 . 2001-08-17 17:13 49182 ----a-w- c:\windows\system32\dllcache\cem56n5.sys
2014-03-08 17:43 . 2001-08-18 03:36 15360 ----a-w- c:\windows\system32\dllcache\brmfbidi.dll
2014-03-08 17:42 . 2001-08-17 17:11 46112 ----a-w- c:\windows\system32\dllcache\adptsf50.sys
2014-03-08 15:53 . 2014-03-08 15:54 -------- d-----w- c:\windows\system32\NtmsData
2014-03-08 14:45 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2014-03-08 14:43 . 2014-03-08 14:43 -------- d-----w- c:\program files\Windows Media Connect 2
2014-03-08 14:28 . 2014-03-08 23:37 -------- d-----w- c:\documents and settings\Laura Shine\Application Data\GlarySoft
2014-03-08 13:45 . 2014-03-08 13:59 -------- d-----w- C:\AdwCleaner
2014-03-08 13:18 . 2014-03-08 13:18 -------- d-----w- c:\program files\VS Revo Group
2014-03-08 13:10 . 2014-03-08 13:10 -------- d-----w- c:\documents and settings\Laura Shine\Local Settings\Application Data\Mozilla
2014-03-08 13:09 . 2014-03-08 13:09 -------- d-----w- c:\program files\Mozilla Maintenance Service
2014-03-08 01:44 . 2014-03-08 12:24 -------- d-----w- c:\program files\MediaViewV1
2014-02-21 19:21 . 2014-02-21 20:16 1337424 ----a-w- C:\TRANSLATE
2014-02-12 21:44 . 2014-03-08 02:21 0 ----a-w- c:\windows\system32\tmpresp.tmp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-08 13:42 . 2012-07-17 11:40 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-03-08 13:42 . 2011-07-10 15:40 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-02-05 23:26 . 2004-02-06 23:05 920064 ----a-w- c:\windows\system32\wininet.dll
2014-02-05 23:26 . 2002-08-29 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2014-02-05 23:26 . 2002-08-29 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2014-02-05 23:26 . 2002-08-29 11:00 18944 ----a-w- c:\windows\system32\corpol.dll
2014-02-05 22:24 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2014-01-04 03:13 . 2002-08-29 11:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-12-10 09:04 . 2012-06-19 21:28 135776 ----a-w- c:\windows\system32\drivers\kl1.sys
2010-06-21 01:04 . 2010-06-21 01:32 5434248 ----a-w- c:\program files\mbam-rules.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe" [2013-10-09 356128]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-10 14:53 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 09:59 122880 ----a-w- c:\windows\BCMSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
2003-05-03 00:46 270336 ----a-w- c:\program files\Dell AIO Printer A920\dlbkbmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-10-19 12:59 126976 ----a-w- c:\windows\SYSTEM32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 12:59 155648 ----a-w- c:\windows\SYSTEM32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-07-17 17:47 77824 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
.
R1 kltdi;kltdi;c:\windows\SYSTEM32\DRIVERS\kltdi.sys [6/8/2012 10:38 AM 44000]
R1 kneps;kneps;c:\windows\SYSTEM32\DRIVERS\kneps.sys [8/13/2012 3:49 PM 145040]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\SYSTEM32\DRIVERS\klim5.sys [6/27/2012 1:09 PM 35672]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\SYSTEM32\DRIVERS\klkbdflt.sys [5/25/2012 6:38 PM 24160]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\SYSTEM32\DRIVERS\klmouflt.sys [7/25/2012 1:53 PM 24672]
R3 NeoAccel;NeoAccel SSL VPN-Plus Client Adapter;c:\windows\SYSTEM32\DRIVERS\NeoAccel.sys [9/18/2008 6:09 AM 517680]
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-17 13:42]
.
2014-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-08 19:10]
.
2014-03-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-08 19:10]
.
2014-03-09 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-08 01:59]
.
2014-03-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-08 01:59]
.
2014-03-08 c:\windows\Tasks\User_Feed_Synchronization-{8CDE4D54-F514-4AC1-99DC-56BF309F41B2}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=localhost:8081
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2013\ie_banner_deny.htm
LSP: %SystemRoot%\System32\neolsp.2049.dll
TCP: DhcpNameServer = 75.76.84.102 75.76.84.103
FF - ProfilePath - c:\documents and settings\Laura Shine\Application Data\Mozilla\Firefox\Profiles\smxj09b4.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-avast! - c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
MSConfigStartUp-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
MSConfigStartUp-dscactivate - c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
MSConfigStartUp-sysfbtray - c:\windows\bill112.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-03-08 19:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_70_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_70_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1324)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
- - - - - - - > 'lsass.exe'(1380)
c:\windows\System32\neolsp.2049.dll
.
- - - - - - - > 'explorer.exe'(6012)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\System32\NeoSrv.exe
.
**************************************************************************
.
Completion time: 2014-03-08 19:26:42 - machine was rebooted
ComboFix-quarantined-files.txt 2014-03-09 00:26
.
Pre-Run: 21,635,907,584 bytes free
Post-Run: 21,735,579,648 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 4BA92AF76427D09F4FCAAA5F0F43E61C
8F558EB6672622401DA993E1E865C861
 
Still the same. I can get to UAC in control panel but when I click on anything in UAC, nothing happens. Like maybe some files are missing that are needed for UAC. If I type "control userpasswords2" in the run box, I can get a box to open for named user accounts. Looks different than the one in control panel. It has 4 users in it.

User Name / Group

Administrator / Administrators
ASPNET / Users
Guest / Guests
Laura / Administrators

When I boot up, there are no icons to select from. It just boots up to the desktop. I have asked the owner if they have the XP disk that came with the PC. They are looking. Should I need it for a repair, would another disk work if I need it? This PC is a Dell Dimension 2400 with XP Home Edition. The cd I do have is from a Dell Dimension 8400 with XP Home Edition. Just thinking ahead as well as learning.

Anything I need to run and post logs?


I did run Malwarebytes first thing to clean up the PC. It found a lot of PUPs and some viruses and such. I also ran AdwCleaner and CCleaner as well.


Yes, the first thing I did to clean it up was run Malwarebytes.
 
I can boot into safe mode, but when I select User Accounts in the Control Panel it does not open up. Also, when I boot into safe mode, there are two icons for users. Remember, when I boot normally, there are no icons. It just boots to the desktop.
 
That is the way safe mode is designed. Administrator and regular user account. Usually any Dell XP installation media will work with any Dell that came with XP. Looks like you'll need to reinstall Windows.
 
I was afraid of that. Thanks for your help. I have another question. Not that familiar with the different installations just yet. If possible, I would like to just re-install XP and keep the other data (apps, docs, etc) in place. I have not done this before. I have only installed using recovery CDs on a blank drive. Any guidance would be appreciated. Thanks.
 
You can try the repair, but I find the repair option doesn't work too well. Documents you back up and copy back once the install is done, but as far as programs and such, you can't. They would have to be reinstalled.
 
Thanks everyone. I think I'll try the repair just because I have never done it. Need the experience. Worst case if I screw it up, I can do the install, which I probably will anyways to get a fresh start and get the experience of doing that as well. In my opinion, reading about it is one thing. Doing it is better.
 
I was told last night that if the CD included service pack 2 and the PC has service pack 3, you cannot do a repair. The only thing you can do is an install. Does this sound correct?
 