View Full Version : Administrator permissions
Yo, howdy!!
This is a rather frustrating problem my friend and his brother have on their XP PCs. For some reason, we suspect due to a past viral infection, certain programs now cannot be run even though the user is a member of the Administrators group. In particular, cmd and task manager both show an error saying something about the administrator blocking access to the programs.
However, the current user is an administrator. Does anyone here know where one might tweak their settings so that these programs could run again? We also had difficulty installing Nero because the dlls could not be registered, and I suspect that this is caused by the same problem. Additionally, permission is denied when attempting to go to the hard disks outside the Documents and Settings tree.
So, where can I go on the computer to change what the administrator is allowed to do?
Another error, which I've encountered before, also probably caused by a virus, is that when the hard drives are double-clicked in my computer an error message pops up saying that copy.exe cannot be found. Does anyone know what registry key I need to hack to remove this reference?
Stryder 01-07-08, 02:58 AM XP can have registry keys changed to lock out the use of such programs as CMD, REGEDIT, MSCONFIG and TASKMANAGER. This was usually applied by NETWORK systems administrators in places like Schools and Colleges.
I found back then that XP did have an interesting exploit to deal with these registry lockouts. (I'm not sure if they patched it.)
It required the installation of Winzip (Not sure of the version since this is going from 2004) on the systems that were locked out. Winzip was installed so as to stop .exe's from being installed on the computer (You couldn't run an .exe file)
What you would do is get a copy of the locked out program you want to run, like REGEDIT and you would put it in a ZIP file. Winzip of course would block you from running the EXE (The exe usually requires decompression and the system denied it being decompressed anywhere else other than a temporary cache which locked out allowing .exe files from being executed)
Instead of using the default method to deal with the file (in this case Winzip) you would right click the zipfile link and select Open Container folder. This made Windows open the ZIP file with its inbuilt compression system, which circumnavigated the .exe lockout.
It was then possible to run things like MSCONFIG and REGEDIT even though the localised versions of the files had been locked out by Administration. So basically it was possible to regain rights over the machine, potentially increasing your User level (I didn't bother with this personally though because it would only have been of use for one specific computer in a single class considering the network login). I didn't use it for mischief though; in fact I found it extremely handy for turning off the number of viral infections that existed across the college network since the administrators hadn't patched the network against them.
Copy.exe
http://www.securitystronghold.com/solutions/copy.exe-spyware-remover-cannot-open-drive.html
Don't download the program, read the 'Advanced Users only' removal guide.
In Essence though:
If your operating system security has been breached, it's a good idea to just backup what information you want to keep to external drives, DVDs or CDs and do a complete fresh install of the OS. This means there will be no 'orphaned' registry entries from the virus and no clandestine privilege levels that shouldn't be there. Make sure you also change ALL YOUR PASSWORDS (Not just for the computer login but online too).
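Stryder's post refers to the registry keys that lock out CMD, REGEDIT and Task Manager without naming them. As an added example (not from the thread, and not EnableTM or any tool mentioned in it), this Python audits a `reg export` dump for those policy values; the key paths and value names are the real Windows ones, the .reg text is constructed.

```python
# Added audit of a "reg export" dump for the XP policy values that lock out
# Task Manager, Regedit and cmd.exe. The .reg text below is constructed.
import re

# Real Windows policy locations (hive-relative key, value name) -> tool locked out.
LOCKOUT_VALUES = {
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): "Task Manager",
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): "Registry Editor",
    (r"Software\Policies\Microsoft\Windows\System", "DisableCMD"): "Command Prompt",
}

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002
"""

# Matches  "Name"=dword:XXXXXXXX  or  "Name"="string"  lines of a .reg file.
VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Return {full_key_path: {value_name: int_or_str}} from .reg export text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, dword, string = m.groups()
            keys[current][name] = int(dword, 16) if dword is not None else string
    return keys

def find_lockouts(text):
    """Sorted (hive, tool, value) for every lockout whose DWORD is non-zero."""
    findings = []
    for key, values in parse_reg(text).items():
        hive, _, rel = key.partition("\\")          # e.g. HKEY_CURRENT_USER, Software\...
        for name, val in values.items():
            tool = LOCKOUT_VALUES.get((rel, name))
            if tool and isinstance(val, int) and val != 0:
                findings.append((hive, tool, val))
    return sorted(findings)

if __name__ == "__main__":
    for hive, tool, val in find_lockouts(SAMPLE_REG):
        print(f"{hive}: {tool} is locked out (value {val})")
```

Reverting a lockout means setting the flagged DWORD back to 0 (or deleting it) under the same key; a value of 2 for DisableCMD still blocks the interactive prompt while allowing batch files, so it is reported as active too.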
A thousand thank you's, Stryder! I believe that I did once personally have the copy.exe problem but I couldn't remember how I fixed it (and I didn't have access to my friend's computer so I could do some registry hacking).
Dude, I'm quite sure that there must be a simple registry solution to change administrator settings (the management console just assigns users to groups, without allowing me to actually change the groups' permissions). Do you not perhaps know where I could find such settings? Should I maybe find the settings for the affected programs instead (though I have no way of knowing which ones are affected)? Of course, if regedit is also affected then this will become a lot more difficult... Wouldn't booting in Safe Mode allow me access to at least regedit (I remember fixing a problem a while ago where a user had forgotten their password, and I somehow managed to log in as administrator and delete their password anecic their group, but I can't remember how I did it)??
????
Stryder 01-07-08, 05:49 AM
In regards to Safemode, I'm not entirely sure. It's really dependent on if the system uses the whole Registry or a 'safemode' registry at bootup. There are ways to revert to a previous registry *IF* you've either got the Savepoint for rollback or manually made a copy of the registry (This is good to do once in a while but can take up hundreds of Mb)
I'd really suggest doing a search engine search on the particular infection or problem.
RubiksMaster 01-07-08, 06:03 AM What would happen if you created a new user account with administrator privileges? Don't delete your current account though. If that works, then it narrows down the problem (or at least lets you edit the registry if you can't already).
Do you still get the copy.exe error, or did that go away when you removed the virus?
@Rubix: The copy.exe error is caused by anti-viruses not removing the infection properly. I haven't been to my friend yet, but I'm sure that by following the instructions on the page stryder linked me to I should be able to fix that easily.
The user is an administrator. I think that the problem was caused by some virus which changed the settings for the administrators group, thus all administrators will have the problem. There's a little hack I know to access the SYSTEM user account (which has higher privileges than administrators), but it requires using cmd and at, both of which I may be restricted from using...
@stryder: Thanks once again.
RubiksMaster 01-07-08, 04:54 PM Unless it only affects this particular user. I've seen accounts get corrupted like that. I was just suggesting to rule that out, because at this point there's no way to know what exactly happened.
Stryder 01-08-08, 03:47 AM My assumption would be that it's 'corrupted'. Basically a virus has been written for the purpose of taking over the administration privileges and locking out ways of getting it back. (Of course not all ways) Merely doing a removal won't necessarily fix all the privileges, since after all the hacker responsible built it with the purpose of gaining control over people's computers.
This is why I suggested that if your security has been compromised, you are better off with a fresh install rather than patching. Your only need for privileges currently would be just to acquire any data you want to save.
While doing research, I realised that this is a problem only because they have NTFS. Being a hacker (you know what I mean) I stuck to FAT so I could access my hard drive from DOS, but this means that I can't experiment on my system in preparation for dealing with theirs.
It's going to be a long night tonight, but I'm sure I'll eventually succeed.
Thanks again guys.
Okay, here's a quick question: How do I log in to the administrator account without going to safe mode? At the login screen it just gives me one user but hides the administrator...
MacGyver1968 01-08-08, 12:32 PM Hit ctrl alt del at the login screen Zy.
I have seen viruses turn off admin rights to the task manager. I use a little program called EnableTM...it just changes the registry entry.
Hey Guys!!!
I am an Informatics Engineering student at the Arabian International University in Syria.
Now we have an internet cafe in the faculty, and the computers there are really set up professionally by the IT staff not to let the users have wide permissions on the PC, but for a rookie hacker like me, it's like a challenge.
Now that "copy.exe" virus seems a little bit widespread inside the net, and most of the PCs at the faculty are infected with it.
Now it's a low-risk virus anyway. It may not be a virus at all. ;)
It's so easy to defuse it anyway, whether the anti-virus has done the work or not:
- This virus gets into a partition on your hard disk.
- Then it makes an "autorun" structure inside this partition with the same technique as the autorun built into software CDs or DVDs.
- Now, some antivirus applications only remove the copy.exe file located on the partition, and the two other hidden enclosed files stay on the disk; they are "autorun.inf" and "sqlserv.exe". If copy.exe is removed, you'll get an error message every time you try to open the infected drive, because when you try to open it, the autorun starts and tries to open copy.exe, but there is NO copy.exe, so the error message pops up in your face.
- The virus also copies itself onto flash drives that get inserted into the USB port, and maybe any other storage device.
Now after that lecture about the copy.exe virus, here is how to get rid of it and of all of its files.
1- open "My Computer"
2- Right-click on the drive which has your system inside.
3- Select "Open" from the menu.
4- You should be seeing all of the hidden files and folders there.
If not, see that "View" button up there in the menu bar, press it, then select "Folder Options", then in the "View" page scroll down till you see the options for showing and not showing system and hidden files. Set them to show you everything.
5- When you see "copy.exe", QUICKLY!
Select it and delete it. If it refuses to be deleted then it should be already running, so at light speed, CTRL+ALT+DEL, then end its task and another task called "sqlserv.exe".
":cool:NOW THE 3-COMBO HIT!:cool:", delete copy.exe, delete sqlserv.exe, delete autorun.inf.
Do that for every partition you have and every flash disk that was connected to the PC since it got infected.
Remember not to double-click the drive, because that launches the autorun, and consequently copy.exe.
MISSION ACCOMPLISHED...
And after all of that I still have my problem with the IT staff there at the faculty.
Hey, guys! What should I do with those disabled PCs?
The IT staff has done a real job with the computers, and the user I can access is so limited.
Now I managed with my team to have the power to reset the Administrator password and go in, but that would be so "obvious" to them that the system was breached.
I need some technique that gives me the power to have this limited user upgraded to an Administrator-Permissions enhanced user.
I can edit the registry a little bit, as I can recall. But the thing that bothers me most is that I am not able to install the software I want, and I can't even run some no-installation applications on it. Actually I need to burn some data from the intranet of the university, and the ASPI layer is not cooperating with me because of that restriction....
I hope that someone can help me.
And please would you send me replies to my email: hassoon3@gmail.com, and I will really appreciate that a lot, because I may not be visiting that forum again.
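The post above walks through the copy.exe / sqlserv.exe / autorun.inf trio by hand. As an added example (not from the thread), this Python parses an autorun.inf the way Windows reads its [autorun] section, reports what a double-click on the drive would launch, and reproduces the half-cleaned state behind the "copy.exe cannot be found" error from the first post; the file content and the drive listing are constructed.

```python
# Added example: parse an autorun.inf like the one the copy.exe worm drops in
# the root of every partition and USB stick, and report what a double-click
# on that drive would launch. The sample file content is constructed.
import configparser
import os

# Component names the thread associates with this infection.
KNOWN_BAD = {"copy.exe", "sqlserv.exe"}

SAMPLE_AUTORUN = r"""[AutoRun]
open=copy.exe
shellexecute=copy.exe
shell\open\Command=copy.exe
shell\explore\Command=copy.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

def autorun_targets(inf_text):
    """Executables (lower-cased file names) that the [autorun] section would launch."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    targets = set()
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):      # configparser lower-cases keys
            launches = key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command"))
            parts = value.strip().split()          # drop arguments such as "/s"
            if launches and parts:
                exe = parts[0].strip('"').replace("\\", "/")
                targets.add(os.path.basename(exe).lower())
    return sorted(targets)

def assess(inf_text, files_on_drive):
    """Map each launch target to (is_known_worm_component, is_present_on_drive)."""
    # A known component that is absent is the half-cleaned state: the AV deleted
    # copy.exe but left autorun.inf, so Explorer still tries to run it and fails.
    present = {f.lower() for f in files_on_drive}
    return {exe: (exe in KNOWN_BAD, exe in present) for exe in autorun_targets(inf_text)}

def cleanup_list(inf_text):
    """Files to remove from the drive root: autorun.inf plus everything it launches."""
    return sorted({"autorun.inf"} | set(autorun_targets(inf_text)) | KNOWN_BAD)

if __name__ == "__main__":
    # Constructed drive listing: AV removed copy.exe, the other two remain.
    for exe, (bad, here) in assess(SAMPLE_AUTORUN, {"autorun.inf", "sqlserv.exe"}).items():
        print(f"{exe}: known worm component={bad}, present={here}")
    print("remove:", cleanup_list(SAMPLE_AUTORUN))
```

Open the drive from the Explorer address bar or a folder tree rather than by double-clicking so the autorun entry is never honoured while you inspect it.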
Stryder 01-27-08, 03:15 PM
I suggest you contact your Admin; if you want full permissions they might give them to you should you ask, if of course the reason is a good one. (You could ask to be a Junior Admin, to aid them. Obviously they would watch your logs for what you do.)
Alternately there are ways to gain access, I can't tell you though because of the nature. What I can tell you though is most of the time the logins are networked, so concealing logs on the computer isn't necessarily the problem, the computer sending packets out is however.
aloha Stryder:jason:
Thanks for caring about the problem.
You have mentioned that I can go and ask them to give me some junior admin permission.... that easy!!!:cool:
Actually, there is a rumour in the faculty that once upon a time there was a student that managed to go into some Dr.'s account and steal the test patterns.
So they probably don't trust us that much....
Anyway I am doing this with a friend of mine, and our main aim is not to destroy or to make a mess around; we are just soaring up trying to reach high-level hacking skills... and experience.
So if you can help me more in this... with some techniques, I would appreciate that a lot, and you can use my email if you want hassoon3@gmail.com .
THS;)