This isn't humorous anymore

Started by Magnum, February 10, 2013, 12:51:50 AM

Magnum

I think I still have an unwelcome visitor.

I have used Comodo, Kaspersky, Malware Defender, MSE, Fprot, etc.

I can't ->

1. get to safe mode
2. run any program as a limited user
3. log on to any limited user account
4. I am installing some security updates right now
5. My bat file that uses psexec to run firefox as a limited user doesn't work anymore
   It says winsock32.dll is missing when it is not
6. It's like whatever it is, is adapting...
Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

Gunther

Hi Andy,

That sounds dangerous. Here's my advice: save your data, format your hard disk and make a new installation (OS and software).

Gunther
You have to know the facts before you can distort them.

Vortex

Hi Magnum,

It looks like your OS is seriously damaged. Repairing Windows problems can be difficult and it can take a long time. Mark Russinovich wrote very nice articles on diagnosing and fixing Win errors with Sysinternals tools. A solid understanding of Windows internals can help a lot to identify some problems but sometimes this is a difficult task. A time-saving solution, a prophylactic one, is to have a safe Windows backup.

Mark Russinovich's Blog :

http://blogs.technet.com/b/markrussinovich/

My modest recommendation is to back up your data and reinstall the OS.

japheth


This doesn't sound like malware. It's more likely that you unintentionally deleted some files which are needed by the "restricted" account.

A first brief check is:

1. open a console and enter "net user" to see if the account that you cannot log in to is still there.
2. if it is, enter "net user <account>" to see if it is still active
3. check "Documents and Settings\<account>" to see if the file "ntuser.dat" exists
4. if it does, load the file as a hive in the registry editor to see if it's loaded correctly and the contents look ok.


Magnum

I haven't deleted any files.

I did steps 1 - 3. They are all still there.

Do you mean import ntuser.dat into the registry ?
Take care,
                   Andy


japheth

No - not import, but "load": see regedit, menu "file".

It's not very likely that this loading fails. Just to be sure.

The next step is to check the event log - can you view the entries in the event log again?

If yes, see the event log "security". Your failed logon attempts should be seen there - with a more detailed error description.
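
The checks from japheth's two posts above, collected into one cmd script. This is an added example, not something posted in the thread; the `HKU\TriageHive` mount point is a made-up name, and the script assumes Windows XP paths, a profile folder named after the account, English `net user` output, and the `eventquery.vbs` script that ships with Windows XP.

```batch
@echo off
rem Added example, not code from the thread. Run from an administrator console:
rem   checkacct.cmd <account>
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<account^>
    exit /b 2
)
set "ACCT=%~1"
rem Assumption: the profile folder has the same name as the account.
set "HIVE=%SystemDrive%\Documents and Settings\%ACCT%\ntuser.dat"
rem Hypothetical temporary mount point for the hive.
set "MOUNT=HKU\TriageHive"

rem Steps 1-2: the account exists and is active (English output assumed).
net user "%ACCT%" >nul 2>&1
if errorlevel 1 (
    echo [FAIL] account "%ACCT%" not found
    exit /b 1
)
net user "%ACCT%" | findstr /i /b /c:"Account active"

rem Step 3: the profile hive file is present (ntuser.dat is a hidden file).
if not exist "%HIVE%" (
    echo [FAIL] missing "%HIVE%"
    exit /b 1
)

rem Step 4: load it as a temporary hive. This fails if the file is damaged
rem or if the account is logged on and the hive is already in use.
reg load "%MOUNT%" "%HIVE%" >nul 2>&1
if errorlevel 1 (
    echo [FAIL] hive did not load
    exit /b 1
)
echo [ OK ] hive loaded under %MOUNT%
for %%K in ("Software" "Environment" "Control Panel") do (
    reg query "%MOUNT%\%%~K" >nul 2>&1 && echo [ OK ] %%~K || echo [WARN] %%~K key missing
)
rem Always unload again, otherwise the profile's hive stays locked.
reg unload "%MOUNT%" >nul

rem Follow-up: the ten most recent failure audits in the Security log.
rem Entries appear only if auditing of logon events is enabled.
cscript //nologo "%SystemRoot%\system32\eventquery.vbs" /l security /fi "type eq failureaudit" /r 10 /v
endlocal
```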

dedndave

he means to "load it as a temporary hive"
if you google that term, you will find instructions
it seems pretty hard to verify it because there is a lot of stuff to look at   :redface:
but it is good to know it is present and loads

i don't usually like using SFC, but in this case, it may be helpful

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/system_file_checker.mspx?mfr=true

dedndave

another option may be to log into an admin account and create a new user account
this sometimes fixes small problems that add up to big ones

dedndave

as for the specific issues you mention

the av software you have running may cause issues with running programs as a limited user
if you have more than one av running, they may conflict
otherwise, it may be a policies problem - you can set the policies back to defaults i think

winsock may be present, but not properly registered
SFC may take care of that one
this sounds like a machine-level issue, as opposed to a user-level problem