Troubles with permissions changes preventing access to anything
I told my aunt that I could fix her Dell computer (Windows 7 x64 SP1). When I went to see it, the thing was unusable: "Activate Ultimate Protection" popups, no way to download or save anything, no way to back anything up. I had an AVG rescue ROM and it found nothing, so I loaded up the thing and took it home. Plugged it in and got the black screen with cursor in every mode. Using the recovery partition that was set up on the Dell (no restore point found), I did boot repair multiple times to no avail.
I figured it had something to do with permissions, as I had heard of this before, and followed the instructions, doing a bunch of icacls commands, from here: Fix Permissions Changes Preventing Windows From Booting (Windows 7 / Vista) - Sysnative Forums
A short 16 hrs later I rebooted into safe mode with networking and ran Malwarebytes; found this.
Code:
icacls Windows /t /c /grant "NT SERVICE\TrustedInstaller":(F)
icacls Windows /t /c /grant SYSTEM:(M)
icacls Windows /t /c /grant SYSTEM:(F)
icacls Windows /t /c /grant Administrators:(M)
icacls Windows /t /c /grant Administrators:(F)
icacls Windows /t /c /grant Users:(RX)
icacls Windows /t /c /grant Users:(GR,GE)
icacls Windows /t /c /grant "CREATOR OWNER":(F)
icacls "Program Files" /t /c /grant "NT SERVICE\TrustedInstaller":(F)
icacls "Program Files" /t /c /grant SYSTEM:(M)
icacls "Program Files" /t /c /grant SYSTEM:(F)
icacls "Program Files" /t /c /grant Administrators:(M)
icacls "Program Files" /t /c /grant Administrators:(F)
icacls "Program Files" /t /c /grant Users:(RX)
icacls "Program Files" /t /c /grant Users:(GR,GE)
icacls "Program Files" /t /c /grant "CREATOR OWNER":(F)
icacls "Program Files (x86)" /t /c /grant "NT SERVICE\TrustedInstaller":(F)
icacls "Program Files (x86)" /t /c /grant SYSTEM:(M)
icacls "Program Files (x86)" /t /c /grant SYSTEM:(F)
icacls "Program Files (x86)" /t /c /grant Administrators:(M)
icacls "Program Files (x86)" /t /c /grant Administrators:(F)
icacls "Program Files (x86)" /t /c /grant Users:(RX)
icacls "Program Files (x86)" /t /c /grant Users:(GR,GE)
icacls "Program Files (x86)" /t /c /grant "CREATOR OWNER":(F)
icacls Users /t /c /grant SYSTEM:(F)
icacls Users /t /c /grant Administrators:(F)
icacls Users /t /c /grant Users:(RX)
icacls Users /t /c /grant Users:(GR,GE)
icacls Users /t /c /grant Everyone:(RX)
icacls Users /t /c /grant Everyone:(GR,GE)
I know the log says "No action taken" but the log was made before I cleaned it.
Code:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.02.12.06

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 11.0.9600.16476
ruth :: RUTH-PC [administrator]

2/12/2014 10:35:48 AM
MBAM-log-2014-02-12 (10-41-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 260483
Time elapsed: 4 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 5
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\k9filter.exe (Security.Hijack) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpuxsrv.exe (Security.Hijack) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe (Security.Hijack) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSconfig.exe (Security.Hijack) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe (Security.Hijack) -> No action taken.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|PrSft (Rogue.FakeAV) -> Data: C:\Users\ruth\AppData\Roaming\svc-gbgt.exe -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Users\ruth\AppData\Roaming\OpenCandy (PUP.Optional.OpenCandy) -> No action taken.
C:\Users\ruth\AppData\Roaming\OpenCandy\A7567E0F27B548CABD222B28F112AB16 (PUP.Optional.OpenCandy) -> No action taken.

Files Detected: 5
C:\Users\ruth\AppData\Roaming\svc-gbgt.exe (Rogue.FakeAV) -> No action taken.
C:\Users\ruth\Local Settings\Temporary Internet Files\Content.IE5\E0JSFM4K\ab6202e78319b45adf9484a48a249c09[1].exe (Rogue.FakeAV) -> No action taken.
C:\Users\ruth\Local Settings\Temporary Internet Files\Content.IE5\HUE5DQ7X\616b0bbfd25d47d1c83eee1f8de3cdc3[1].exe (Rogue.FakeAV) -> No action taken.
C:\Users\ruth\AppData\Roaming\data.sec (Malware.Trace.E) -> No action taken.
C:\Users\ruth\AppData\Roaming\OpenCandy\A7567E0F27B548CABD222B28F112AB16\RealPlayerR71POC3_p2v2.exe (PUP.Optional.OpenCandy) -> No action taken.

(end)
Ran it a second time, found no infections.
I was able to boot into regular old Windows and ran an AVG PRO scan, found nothing.
Did a rootkit scan and got this.
Took a break, noticed a lot of HDD activity, came back after a couple hours, told her I wanted to back up her stuff.
Code:
"Anti-Rootkit scan"
"Medium priority";"9";"9";"0"
"Started:";"2/12/2014, 11:48:04 AM"
"Finished:";"2/12/2014, 11:50:13 AM"
"Total object scanned:";"205246"
"User who launched the scan:";"ruth"
"Name";"Description";"Result";"Status";"Priority"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_POWER -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_READ -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_PNP -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_SYSTEM_CONTROL -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_CLOSE -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_WRITE -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_DEVICE_CONTROL -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_INTERNAL_DEVICE_CONTROL -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_CREATE -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
Just in case. When I went to do that,
I think permissions had been changed again by something.
I was able to create myself an account; Task Manager will not show me all tasks; I have no access to the C: (OS) drive. Need some help. Long post, sorry; I usually don't need help but I am out of ideas on this one.
Bill
I just joined this forum and just read not to use ComboFix, but that was after I ran it. I have the log.
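As an added check, not part of the original post, the script below audits the two persistence spots the Malwarebytes log above reports: Image File Execution Options subkeys carrying a Debugger value (the Security.Hijack entries, which redirect a security tool's launch to another binary) and HKCU Run values pointing into AppData\Roaming (the PrSft entry). The five executable names are taken from the log; everything else is a general audit, run from an elevated PowerShell session.

```powershell
# Added example, not from the original post: audit IFEO "Debugger" redirections
# and Run-key persistence after cleanup.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Executables named in the Malwarebytes log above (Security.Hijack entries).
$reported = @('k9filter.exe', 'mpuxsrv.exe', 'msascui.exe', 'MSconfig.exe', 'msmpeng.exe')

$findings = foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    # Only subkeys with a Debugger value redirect process launch; most have none.
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        [pscustomobject]@{
            Executable = $key.PSChildName
            Debugger   = $dbg
            # A name from the log, or a debugger living under a user profile, is suspicious.
            Suspicious = ($reported -contains $key.PSChildName) -or
                         ($dbg -match '\\Users\\|\\AppData\\|\\Temp\\')
        }
    }
}

if ($findings) {
    $findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
} else {
    Write-Output "No IFEO Debugger values found under $ifeo"
}

# Run-key persistence like PrSft -> C:\Users\ruth\AppData\Roaming\svc-gbgt.exe in the log.
$run = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path $run -ErrorAction SilentlyContinue |
    ForEach-Object { $_.PSObject.Properties } |
    Where-Object { $_.Name -notmatch '^PS' -and "$($_.Value)" -match '\\AppData\\Roaming\\' } |
    ForEach-Object { "Run value '$($_.Name)' points into AppData\Roaming: $($_.Value)" }
```

A lingering Debugger value for any of the five reported names means the hijack was not fully removed; legitimate IFEO Debugger entries are rare on a home machine, so review each one reported.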