restore hacked win xp?

Hi,
I am using CIS (latest version) on Win XP SP3.
I found that
on my computer all accounts can do administrator tasks, even if they are not in the Administrators group
(for example, an account in the Users group only can add itself to the Administrators group and so become an administrator without any problems, but it does not need this, as it can do this without being a member of the Administrators group),
and there is one account that belongs to no group, but this account is explicitly added in the access control lists
for almost all files and registry keys with full control, i.e. this account has full control over my computer, but it is not an administrator account. I have no idea how it could have happened.
Perhaps there are other damages that I have not discovered yet.

I concluded that my computer has been hacked despite the defense from CIS.

Can Comodo help me (and other users in my situation, if there are other such unlucky people)
to restore and maintain the security of Windows XP?

Perhaps CIS should include traffic filtering by content, not only by port, IP and application?
Or is it already included but not turned on by default?
And second, I noticed that if I allow some connection with “remember”, in the list of rules it is added
as any (port, IP …) and I don’t see an option to allow connections only for the current IP and not for “any”.
If I want to do this I have to write the rules manually …
or manually allow or deny every single connection.

Thanks,
best regards
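The two symptoms in this post (accounts that act as administrators without being in the Administrators group, and one account with explicit Full Control ACEs everywhere) can be checked from the command line before deciding whether anything was tampered with. The script below is an added example written for this thread; it is not code from the original post or from Comodo. It assumes PowerShell 2.0 or later on the machine, that the locations in `$PathsToScan` are placeholders you adjust, and that it runs from an account allowed to read those ACLs. It lists every local user with the local groups it belongs to, flags users in no group at all, and reports explicit (non-inherited) Allow ACEs granting Full Control to anyone other than SYSTEM, Administrators or CREATOR OWNER.

```powershell
# Added example (my own, not code from the thread or from Comodo): a read-only
# audit for the symptoms described above. It lists which local groups each
# local account belongs to (flagging accounts that are in no local group) and
# scans a few locations for explicit "Full Control" ACEs granted to identities
# other than the SYSTEM / Administrators / CREATOR OWNER set.
# Assumptions: PowerShell 2.0 or later on the machine being checked; the
# $PathsToScan entries are placeholders to adjust; run from an account that
# is allowed to read the ACLs in question.

$Computer = $env:COMPUTERNAME

# Identities normally expected to hold Full Control on system locations (assumption: stand-alone XP box).
$ExpectedFullControl = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

# Locations to inspect, one level deep, so the scan stays quick (placeholders).
$PathsToScan = @("$env:SystemRoot\System32", 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet\Services')

function Get-LocalUserGroups {
    # Emits one object per local user account: Name plus the local groups it is a member of.
    $root = [ADSI]"WinNT://$Computer"
    $groupsOf = @{}
    foreach ($group in ($root.Children | Where-Object { $_.SchemaClassName -eq 'group' })) {
        foreach ($member in $group.psbase.Invoke('Members')) {
            # Members come back as raw COM objects; read their Name via reflection.
            $memberName = $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
            if (-not $groupsOf.ContainsKey($memberName)) { $groupsOf[$memberName] = @() }
            $groupsOf[$memberName] += $group.psbase.Name
        }
    }
    foreach ($user in ($root.Children | Where-Object { $_.SchemaClassName -eq 'user' })) {
        $name = $user.psbase.Name
        $groups = @()
        if ($groupsOf.ContainsKey($name)) { $groups = @($groupsOf[$name]) }
        New-Object PSObject -Property @{ Name = $name; Groups = $groups }
    }
}

function Find-UnexpectedFullControl {
    param([string[]]$Paths)
    # Emits one object per explicit (non-inherited) Allow ACE that grants Full Control
    # to an identity outside $ExpectedFullControl.
    foreach ($p in $Paths) {
        $items = @(Get-Item -Path $p -ErrorAction SilentlyContinue) +
                 @(Get-ChildItem -Path $p -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $acl = Get-Acl -Path $item.PSPath -ErrorAction SilentlyContinue
            if ($acl -eq $null) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow' -or $ace.IsInherited) { continue }
                if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
                    $rights = [int]$ace.FileSystemRights
                    $full   = [int][System.Security.AccessControl.FileSystemRights]::FullControl
                } else {
                    $rights = [int]$ace.RegistryRights
                    $full   = [int][System.Security.AccessControl.RegistryRights]::FullControl
                }
                $isFull = (($rights -band $full) -eq $full)
                if ($isFull -and ($ExpectedFullControl -notcontains $ace.IdentityReference.Value)) {
                    New-Object PSObject -Property @{ Path = $item.PSPath; Identity = $ace.IdentityReference.Value }
                }
            }
        }
    }
}

Write-Output '== Local accounts and their local group membership =='
foreach ($u in Get-LocalUserGroups) {
    $flag = ''
    if ($u.Groups.Count -eq 0) { $flag = '   <-- member of no local group' }
    Write-Output ('{0,-20} {1}{2}' -f $u.Name, ($u.Groups -join ', '), $flag)
}

Write-Output ''
Write-Output '== Explicit Full Control ACEs held by unexpected identities =='
Find-UnexpectedFullControl -Paths $PathsToScan | Format-Table Identity, Path -AutoSize
```

Only explicit ACEs are reported on purpose: inherited ones merely repeat whatever the parent grants, so the explicit entries are where a stray account would show up. On XP the Users group contains the well-known INTERACTIVE and Authenticated Users identities, so an account in no local group can still read most of the system; what this scan surfaces is the abnormal case of such an account holding Full Control by name.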

Hi ialtaparmakov ,

Probably some guys will tell if there are other ways, but as far as I know, in order to promote Limited User Account(s) to Admin you (or somebody) need to boot into Safe Mode and change permissions using the hidden, unpassworded
Admin account, adding a user to the admin group from the command prompt:

> net localgroup Administrators UserName /add

A similar thing, but not precisely what you described, can happen, say, after Win2000 was upgraded to XP.

I am not sure (rather, I have doubts) that it was some hacker’s program that worked (or is still sitting) on your PC that Comodo’s Defense+ missed.

… but again, there most likely will be other opinions.

Have you tried to reset LUAs rights (and passwords… just in case)?

======
As for the Firewall Rules question: if you right-click on the main node of the Rule, use Edit… and you can change the Policy from Custom to a predefined one or copy from an existing one.
If you right-click on branches you can Edit… and change those “any” to what you need and/or use Add… rule.

If that is what you were asking for.

My regards

But can I restore the security?

I use MMC - Administrative Tools - Computer Management - Local Users and Groups - Users, not from Safe Mode.

I had problems: my background was turning black on genuine Windows. I used the repair option of Windows Setup, and after that I discovered that Administrator had no access to some registry keys (the access control list of some registry keys was empty), so I used the Microsoft fix (secedit.exe) to restore permissions. This helped.
Perhaps the current state of the access control lists is due to this fix? But I don’t believe that Microsoft would destroy the security this way.
I rather think that my computer was hacked. But it is possible that some of my actions led to this situation; it seems that I am the most effective virus :wink:

“Have you tried to reset LUAs rights (and passwords… just in case)?”
I don’t know how to do this.

About the firewall rules: as I remember, Norton Internet Security did not allow “any” so easily.
It would be better if in the dialog box asking for allowing / blocking some connection
there was an option to choose to allow only the current IP or any IP, and only the current port or any port,
and combinations: current IP - any port, or any IP - current port only,
and the default “remember allow” action would be to allow only the current IP and only the current port.

And if there are some number of rules collected allowing access, then draw a conclusion about what to allow in the future.
For example, if there are 3 - 5 - 10 allowed IPs to the same port, then next time the default suggestion has to
be to allow any IP to the current port, or if there are some zones, to allow the zone of the current IP to the current port.
And then it is possible to update only the rules for drawing conclusions instead of updating the entire program, and this would make the firewall more intelligent. Perhaps this is the training mode?

Now it is possible to do the same thing, but manually; the idea is to do this automatically.

The situation is similar with Defense+, but more complex.

Perhaps this could be in the wish list?

Thanks, best regards

Hi ialtaparmakov,

“But it is possible that some of my actions led to this situation; it seems that I am the most effective virus ;)”

Let’s hope you are not :smiley: … but the additional information you provided about the repair & stuff kinda confirmed my suspicion that there were some actions rather different from a hacker’s activities.

“… but I don’t believe that Microsoft would destroy the security this way”

That was most likely a combination of what was before, as you described, and the fix.
At the same time, it is not a rare thing that MS can do bad things and mess up permissions.
It is a known fact that patches / some installations etc. may lead to changes in permissions.
Sometimes you find it straight away, sometimes you will make “a discovery” later.
The “Access denied” message without any title bar or other description is one of the famous & beloved messages by MS. Have a look at the SP3 installation saga; the Framework install / updates can do that as well, etc.
Then you dive into the Registry … and have to change the permissions.
Interestingly enough, the user must do that (repeat the same installation) in iterations in order to find out the cause of the next “permission failure”… and so on. So don’t worry about MSoft’s capabilities to break things in this specific area.

I am not sure that it is possible to give concrete advice based on the info you provided, rather than suggest reading what is referred to below:
How to restore settings; users’ rights & permissions
Group Policy Editor: Windows help & learning
and Set, View, Change, or Remove Permissions on Files and Folders | Microsoft Learn
This tool, SubInACL, helped me a lot a few times actually.

Probably the best way in your situation would be to remove all Limited users. Then, being the one and only Admin, you may try to return/reset full rights for Admin using SubInACL. If that worked, recreate users as needed.

==============

As for the second part of the request, it would be better if you create a separate thread.
Firstly, some issues with default Custom settings to “any” were discussed previously,
and you can search the forum. I’m not sure that it would be easy to find the best filters like “Custom rule(s)”; “port to Any” etc.,… but still…
Some things from what you described are indeed in the Wish List (WL) already, as far as I remember.
Here is a WL section

A few things, as I can see, are already possible to achieve or are supposed to be improved in v4.

But most importantly, if that is a separate request in “Firewall Help”, for example, it would be easier to get more advice rather than handling 2 different issues here.
There are many guys here who are extremely proficient with networking.

Cheers!
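The route suggested in this reply (re-apply default permissions, then re-grant the Administrators group with SubInACL and strip the stray account's rights) can be scripted so that every step is visible before it runs. The script below is an added example for this thread, not code from the reply, from Microsoft or from Comodo. It assumes Windows XP SP3 with PowerShell 2.0, SubInACL installed in its default Resource Kit folder, an Administrators-group account running it, and `$StrayAccount` replaced by the account the earlier audit turned up; `secedit` is called with the Windows XP default-template procedure from KB 313222, which is the same secedit fix the original poster already used. Without `-Apply` it only prints the commands.

```powershell
# Added example (my own, not code from the thread or from Comodo): a remediation
# script for the route suggested above: re-apply the default XP security
# template with secedit (the fix the original poster already used), re-grant
# the Administrators group Full Control with SubInACL, revoke every explicit ACE
# held by the stray account, then show who is in Administrators. Nothing is
# changed unless -Apply is given; by default every step is only printed.
# Assumptions: Windows XP SP3 with PowerShell 2.0, SubInACL installed in its
# default Resource Kit folder, run from an Administrators-group account, and
# $StrayAccount replaced by the account the audit turned up.
param(
    [string]$StrayAccount = 'PLACEHOLDER-ACCOUNT',   # placeholder, not a real account
    [switch]$Apply                                   # omit for a dry run
)

$SubInAcl = "$env:ProgramFiles\Windows Resource Kits\Tools\subinacl.exe"   # default install path (assumption)

function Invoke-Step {
    param([string]$Description, [string]$Exe, [string[]]$Arguments)
    # Prints each step; executes it only when -Apply was given and reports a non-zero exit code.
    $mode = 'DRY-RUN'
    if ($Apply) { $mode = 'RUN' }
    Write-Output ('[{0}] {1}' -f $mode, $Description)
    Write-Output ('    ' + $Exe + ' ' + ($Arguments -join ' '))
    if ($Apply) {
        & $Exe $Arguments
        if ($LASTEXITCODE -ne 0) {
            Write-Warning ('exit code {0} in step: {1}' -f $LASTEXITCODE, $Description)
        }
    }
}

if (-not (Test-Path $SubInAcl)) {
    Write-Warning "SubInACL not found at $SubInAcl; the SubInACL steps will fail unless you fix the path."
}

# 1. Re-apply the default security template (KB 313222 procedure for Windows XP).
Invoke-Step 'Restore default security template' 'secedit.exe' @(
    '/configure', '/cfg', "$env:windir\repair\secsetup.inf", '/db', 'secsetup.sdb', '/verbose')

# 2. Make sure the Administrators group has Full Control on the registry and the system drive.
Invoke-Step 'Grant Administrators Full Control on HKLM' $SubInAcl @(
    '/subkeyreg', 'HKEY_LOCAL_MACHINE', '/grant=administrators=f')
Invoke-Step 'Grant Administrators Full Control on the system drive' $SubInAcl @(
    '/subdirectories', $env:SystemDrive, '/grant=administrators=f')

# 3. Remove every explicit ACE the stray account holds, so it keeps only what its group membership grants.
Invoke-Step "Revoke all ACEs of $StrayAccount on HKLM" $SubInAcl @(
    '/subkeyreg', 'HKEY_LOCAL_MACHINE', "/revoke=$StrayAccount")
Invoke-Step "Revoke all ACEs of $StrayAccount on the system drive" $SubInAcl @(
    '/subdirectories', $env:SystemDrive, "/revoke=$StrayAccount")

# 4. Verify (read-only, runs even in dry-run mode) who is in the Administrators group now.
Write-Output '== Members of Administrators =='
& net.exe localgroup Administrators
```

Run it once without `-Apply`, read the printed commands, take a backup or restore point, and only then run it with `-Apply`. Revoking the stray account's ACEs is preferable to deleting the account first: deleting leaves orphaned SID entries in every ACL, whereas revoking while the account still exists lets SubInACL resolve the name and clean the entries out. Re-run the audit from the first post afterwards to confirm nothing unexpected still holds Full Control.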