Weird Access Denial in System Configuration

Discussion in 'other software & services' started by LaFemmeMichele, Nov 24, 2006.

Thread Status:
Not open for further replies.
  1. LaFemmeMichele

    LaFemmeMichele Registered Member

    Joined:
    Sep 13, 2006
    Posts:
    142
    Hi,
    System Configuration has stopped recognizing my administrative status. (Win XP Home/one account)

    "An Access Denial error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specified changes."

    The rest of the PC acknowledges my administrative status & grants me full privileges. This began while attempting to untick cftmon.exe from Startup via msconfig. cftmon was not there the prior month (have a list). Googled it, mistakenly left out the "f" -- ctmon.exe is a dangerous trojan. cftmon is in its proper place in Windows/System32. Now System Configuration doesn't know its place!

    Any suggestions for resolution would be deeply appreciated. ;)
     
  2. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Hi LaFemmeMichele,

    Well, when dealing with ctfmon through msconfig M$ has documented a slightly different approach. You wouldn't by chance have copies of Filemon and Regmon handy from the original Sysinternals website now would you? There seems to be a little skepticism involving the new, "integrated" version. I ask because these are two great tools for filtering access denied errors.


    GF
     
  3. LaFemmeMichele

    LaFemmeMichele Registered Member

    Joined:
    Sep 13, 2006
    Posts:
    142
    Hi Global Force,

    I get the "another case of MS screwing up a good product" part! I'm afraid I don't have any SysInternal tools. I take it they're no longer available.

    Could you explain what you think is going on? A possible scenario?

    I'm fine with cftmon.exe remaining in Startup, I'd just like to be able to use msconfig.

    Happy you've responded! :) -M

    PS Is it at all likely one of my security applications is "protecting" msconfig for me?
     
  4. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Try here

    Blue
     
  5. LaFemmeMichele

    LaFemmeMichele Registered Member

    Joined:
    Sep 13, 2006
    Posts:
    142
    Oh! Thanks so much!

    Edit: Blue, Those are the MS versions! ;)
     
    Last edited: Nov 24, 2006
  6. LaFemmeMichele

    LaFemmeMichele Registered Member

    Joined:
    Sep 13, 2006
    Posts:
    142
    I just found a thread online with a similar Access Denial error in msconfig -- although he is able to untick startup items & I'm not, & his followed an episode with a trojan, none here.

    The last post in the thread links the Denial Error with his firewall, ZA. I hadn't mentioned earlier that 24 hours before this began I installed a new firewall. Do you see a correlation?

    http://forums.windowsitpro.com/web/forum/messageview.aspx?catid=36&threadid=50160&enterthread=y


    Addendum: Within minutes after posting Spyware Doctor found AntiMcAfeeTrojanB in my registry! I'd run the same scan last night, & an online AV. Been scanning for hours. Says I'm clean, I don't believe it! I don't know what steps to take to take back control. Still cannot use MSCONFIG!

    Open to suggestions. ;)
     
    Last edited: Nov 25, 2006
  7. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Still here LaFemmeMichele, trying to decide where your situation resides, though the addition of finding that trojan somewhat complicates matters ~ possibly a false, no Dr.Web here ~ :cautious: If you're anything like many peeps ~ which I doubt ~ :D finding a re-install as the end of the world, I'd suggest posting an HJT log somewhere you're likely to get a quick response - http://bfccomputerhelp.com/index.php?showtopic=323. If Dr.Web's findings are for real, that may very well be what's causing your msconfig denial.

    Try this if you would .... run msconfig with system credentials, then see if she opens. You'll have to change the command line to read ....

    at militarytime /interactive %systemroot%\pchealth\helpctr\binaries\msconfig.exe

    My other thought ~ trojans aside and "sketchy" info provided by M$ on this ~ is that sometimes a user's "SID" becomes altered. Obviously it's also feasible a crucial ACL has been modified somewhere. In the meantime I've got plenty of related reading material including that link you supplied to keep me busy and will update you as soon as time allows.


    GF
     
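The post above suggests two causes for the msconfig denial: the account's token no longer carrying the Administrators group, or a modified ACL on something msconfig needs to write. The script below is an added diagnostic, not code from the thread or from any of its posters, that checks both from a defender's seat: it reports whether the current token is actually in BUILTIN\Administrators, and it lists the ACL state of the registry keys msconfig edits. It assumes Windows PowerShell 2.0 or later is installed, and the three key paths are an assumption about where msconfig writes its Startup and Services changes; adjust them for your build.

```powershell
# Added diagnostic, not from the thread. Assumes Windows PowerShell 2.0+.
# The three keys below are an assumption about where msconfig writes.
$TargetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # Startup tab entries
    'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig',         # msconfig's own saved state
    'HKLM:\SYSTEM\CurrentControlSet\Services'                 # Services tab entries
)
$AdminGroup = 'BUILTIN\Administrators'

function Test-CurrentUserIsAdmin {
    # Ask the token itself, rather than trusting what the account name suggests.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-KeyWriteStatus {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Status = 'missing'; Denies = 0; Owner = '' }
    }
    $acl   = Get-Acl -Path $Path
    $write = [System.Security.AccessControl.RegistryRights]::SetValue

    # A Deny ACE overrides any Allow, so flag those first.
    $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })

    # Does Administrators hold at least SetValue (FullControl includes it)?
    $adminWrite = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $AdminGroup -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $write) -eq $write)
    })

    $status = if ($denies.Count -gt 0)        { 'deny-ace-present' }
              elseif ($adminWrite.Count -eq 0) { 'admins-cannot-write' }
              else                             { 'ok' }

    return New-Object PSObject -Property @{
        Path = $Path; Status = $status; Denies = $denies.Count; Owner = $acl.Owner
    }
}

Write-Host ("Token is in Administrators: {0}" -f (Test-CurrentUserIsAdmin))
foreach ($key in $TargetKeys) {
    $r = Get-KeyWriteStatus -Path $key
    Write-Host ("{0,-20} denies={1} owner={2}  {3}" -f $r.Status, $r.Denies, $r.Owner, $r.Path)
}
```

Read the output together: "False" on the first line points at the token (the SID scenario), while a "deny-ace-present" or "admins-cannot-write" line points at a tampered key and tells you which one to inspect with regedit's Permissions dialog or with Regmon filtered on ACCESS DENIED. One caveat: the Services tab goes through the Service Control Manager, whose security descriptor is separate from these registry ACLs, so a clean result here does not rule out a modified SCM or per-service permission.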
  8. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    GF-

    Well, who doesn't? I know I have them! By the combined tool, do you mean the one on the page that you linked to? I haven't read about it. Maybe I should. Do you use Filemon and Regmon now, or in the past?


    -HandsOff
     
  9. LaFemmeMichele

    LaFemmeMichele Registered Member

    Joined:
    Sep 13, 2006
    Posts:
    142
    What a great connection I've made! New stuff: I no longer belong in Software & Services! The trojan findings in the registry were by Spyware Doctor. No other AS/AV have picked up anything. A2 free found Trojan-Dropper.Win32.Paradrop.a in Windows/System32/atiptaxx.exe. So the OS corruption is infection related. After quarantining it, I was able to use MSCONFIG! Still get error message but was able to untick atiptaxx from Startup. Have been in Safe mode running scans. A2 free found the same trojan in the same spot again. I deleted it (apparently quarantining wasn't enough). Is "deleting" enough? The folder atiptaxx is no longer in Windows/System32 but it is still listed, although unticked in startup. I have no idea the extent of the damage, how to repair it, or whether or not I've removed all infection. So many scans showed false negative results.

    Came back online to print out Blackspear's instructions for infection & download whatever else might help clean up. Glad to find your post! Infection & cleaning aside, what is the relationship in that thread of his firewall to the Denial Access MSCONFIG? Am I going to have to remove my FW after cleaned up? I wish I were a tech!

    How can I assess the registry? I should at minimum remove atiptaxx from it, right? Or with enough cleaning will a visit to the registry be unnecessary? Thanks for the support, a lot! -M

    Addendum: I've just read that a change in user rights signifies that clean up alone can't give you back control of your system. It's been compromised enough to allow return access by whomever/whatever you've cleaned (if I make sense!). True?
     
    Last edited: Nov 25, 2006
  10. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    I've covered many utilities since last posting and will be with you shortly. Update me .... if you haven't reinstalled yet, have you at least posted an HJT log (especially if you're still cruising the web on that "suspect" puter)? The folks who work those sites are very familiar with both contents, and *junk* id tools.

    Also please .... Install cd? SP2 - Included or update?

    GF

    PS - Hand's .... in pm, soon.
     
  11. DCM

    DCM Registered Member

    Joined:
    May 25, 2004
    Posts:
    234
    I have been getting the same message for several weeks and cannot figure it out either.

    My anti-virus and other utilities do not find any problems.
     
  12. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Me again-

    Just thought I would mention, if there is any confusion, that you can still get Regmon, and filemon from their website. That may be obvious, but I was not sure at first...

    GF - I think I read you were doing a leisurely re-install. I'm doing the same thing. It seems like a learning experience. I remember telling people how simple formatting, partitioning, installing are --- then find out I made some bad assumptions! Just wanted to tell you I can relate!
     
  13. LaFemmeMichele

    LaFemmeMichele Registered Member

    Joined:
    Sep 13, 2006
    Posts:
    142
    DCM,
    AV, AS, AT scans don't necessarily pick things up, trust me! Take a look at Blackspear's General Virus & Trojan Removal Instructions. In Safe mode run Stinger, A2, CWShredder, & I'll bet you'll find you have company. Company that has changed your user privileges. It's like you're in a peep show!

    GF,
    All I've been doing is cleaning! I'm just about done. I'm following his directions so I haven't posted a HJT log yet. I'm not sure how to interpret the findings of one of the tools, Stinger. If that's what was found & repaired or if that's what's still in there, & they can't remove it. It's boggling to see how poorly your security applications perform! My poor PC. I continue to receive the error message but I'm allowed in MSCONFIG. I haven't tried your command line because I want to get rid of my guests first & I don't understand exactly what it does. I'll take a look at the product you've recommended when I get through this cleaning. Three days now?!! I appreciate the support a lot, GF. Thanks!

    HO,
    We've confused you! Sorry.
     
  14. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    What? You're just about done? Sure about that?

    Consider .... who do you think gets paid more, the programmers who write this infiltrating garbage, or the people writing to protect you? ~ "It's boggling to see how poorly your security applications perform!" ~ Sure, crackers aren't crackers because of any aimless direction; they simply download the latest security soft like you and I might, then unlike you and I proceed ~ ever so methodically ~ with their craft .... "D-I-S-A-S-S-E-M-B-L-Y!" Once you know the internals, you know the "how's" and "where's" to beat it!

    At this point (where you are with not knowing for sure) it may be almost pointless for me to continue, not that any urge to offer help isn't there mind you, just that .... why try to fix permissions when you're dealing with far greater threats, threats that could easily be remedied by simply reinstalling the OS. What's the hesitation .... no disc, OS pre-installed? Too much stuff on too large a hard-drive you haven't looked at since who knows when? Like you said, three days running.

    Don't misconstrue this as a push to get you to do anything, merely suggestions based on more than my share of observations. I'm getting the drift you ~ same pool here ~ like to resolve matters on your own if possible, at least to have made the attempt. On that note I'll forward you something I came across but haven't tested for myself yet, something I pride myself in doing for everyone I reply to. If you're patient another day or two, I'll provide my findings; not a big deal for me to reinstall with three individual XP installs across four partitions. One clean, one for testing stuff like this, my main, plus one for storage. I'm back up in less than two hours .... drivers, settings, a few "choice" applications, and minus any I may have had installed that proved marginal.

    Here's the page - http://wiki.djlizard.net/Repair_Permissions. Read through it carefully. The "medium" file for XP Home is Beta and carries several considerations, though I think (yet to prove) you can get away with downloading the Repair Permissions.zip all by its lonesome (contents in screenshot). His downloads carry an md5; either keir.net or pctools.net should fit the bill. Find one additional consideration here ....

    "The Secedit.exe command-line utility does not export a security template for local security policy in Windows XP."

    Inconvenient, the realization of not being prepared when the *HIT* finally confronts you, isn't it! When you get this all cleared up, you may well consider purchasing a reliable imaging soft such as Image4DOS or DriveSnapshot (highly forum touted), installing the superb, free ERUNT (XP must-have), adding the Recovery Console (no install disk, look here), or perhaps just adjusting your surfing habits to include VMware Player. There are many options to safe hex.

    Keep me updated as you progress, I may still be of assistance.

    PS - "I haven't tried your command line ...." For the time being, don't worry about it. That msconfig opens is enough.


    GF
     

    Attached Files:

  15. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Hand's,

    You may be correct. According to Snapfiles, both Filemon and Regmon, versions 7.03, do seem to be available. My connection showed:

    66.192.0.0 - 66.195.255.255/Time Warner Telecom, Inc.
    66.193.254.32 - 66.193.254.63/Winternals Software

    .... to be the source, download dialog showing individual names. Hmmm :shifty: worth considering LaFemme.
    You know this forces me to download, don't 'cha Hands!

    Update: Yep, looks good! The included EULAs are M$, the help files were ALL Sys.


    GF
     

    Attached Files:

    Last edited: Nov 29, 2006
  16. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Hi DCM,

    Have you previously posted an HJT log somewhere?
    If yes, did they give you their seal of approval?


    GF
     
  17. LaFemmeMichele

    LaFemmeMichele Registered Member

    Joined:
    Sep 13, 2006
    Posts:
    142
    GF,
    I really appreciate your interest in helping. I'm PMing you! -M
     