Windows 7 Forums


Windows 7: Troubles with Permissions Changes Preventing access to anything.

13 Feb 2014   #1

7 64 sp1
 
 

I told my aunt that I could fix her Dell computer (Windows 7 x64 SP1). I went to see it and the thing was unusable: "Activate Ultimate Protection" popups, no way to download or save anything, no way to back anything up. I had an AVG rescue ROM and it found nothing, so I loaded up the thing, took it home, plugged it in, and got the black screen with cursor in every mode. Using the recovery partition that was set up on the Dell (no restore point found), I did boot repair multiple times, to no avail.
I figured it had something to do with permissions, as I had heard of this before, and followed the instructions, doing a bunch of icacls commands, here: Fix Permissions Changes Preventing Windows From Booting (Windows 7 / Vista) - Sysnative Forums
Code:
icacls Windows /t /c /grant "NT SERVICE\TrustedInstaller":(F) 
icacls Windows /t /c /grant SYSTEM:(M) 
icacls Windows /t /c /grant SYSTEM:(F)
icacls Windows /t /c /grant Administrators:(M) 
icacls Windows /t /c /grant Administrators:(F) 
icacls Windows /t /c /grant Users:(RX)
icacls Windows /t /c /grant Users:(GR,GE)
icacls Windows /t /c /grant "CREATOR OWNER":(F) 
icacls "Program Files" /t /c /grant "NT SERVICE\TrustedInstaller":(F)
icacls "Program Files" /t /c /grant SYSTEM:(M)
icacls "Program Files" /t /c /grant SYSTEM:(F)
icacls "Program Files" /t /c /grant Administrators:(M)
icacls "Program Files" /t /c /grant Administrators:(F)
icacls "Program Files" /t /c /grant Users:(RX) 
icacls "Program Files" /t /c /grant Users:(GR,GE) 
icacls "Program Files" /t /c /grant "CREATOR OWNER":(F) 
icacls "Program Files (x86)" /t /c /grant "NT SERVICE\TrustedInstaller":(F) 
icacls "Program Files (x86)" /t /c /grant SYSTEM:(M) 
icacls "Program Files (x86)" /t /c /grant SYSTEM:(F) 
icacls "Program Files (x86)" /t /c /grant Administrators:(M) 
icacls "Program Files (x86)" /t /c /grant Administrators:(F)
icacls "Program Files (x86)" /t /c /grant Users:(RX)
icacls "Program Files (x86)" /t /c /grant Users:(GR,GE)
icacls "Program Files (x86)" /t /c /grant "CREATOR OWNER":(F)
icacls Users /t /c /grant SYSTEM:(F)
icacls Users /t /c /grant Administrators:(F)
icacls Users /t /c /grant Users:(RX)
icacls Users /t /c /grant Users:(GR,GE)
icacls Users /t /c /grant Everyone:(RX)
icacls Users /t /c /grant Everyone:(GR,GE)
A short 16 hrs later I rebooted into Safe Mode with Networking and ran Malwarebytes, which found this:

Code:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.02.12.06

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 11.0.9600.16476
ruth :: RUTH-PC [administrator]

2/12/2014 10:35:48 AM
MBAM-log-2014-02-12 (10-41-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 260483
Time elapsed: 4 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 5
HKLM\SOFTWARE\Microsoft\Windows  NT\CurrentVersion\Image File Execution Options\k9filter.exe  (Security.Hijack) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows  NT\CurrentVersion\Image File Execution Options\mpuxsrv.exe  (Security.Hijack) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows  NT\CurrentVersion\Image File Execution Options\msascui.exe  (Security.Hijack) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows  NT\CurrentVersion\Image File Execution Options\MSconfig.exe  (Security.Hijack) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows  NT\CurrentVersion\Image File Execution Options\msmpeng.exe  (Security.Hijack) -> No action taken.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|PrSft  (Rogue.FakeAV) -> Data: C:\Users\ruth\AppData\Roaming\svc-gbgt.exe  -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Users\ruth\AppData\Roaming\OpenCandy (PUP.Optional.OpenCandy) -> No action taken.
C:\Users\ruth\AppData\Roaming\OpenCandy\A7567E0F27B548CABD222B28F112AB16 (PUP.Optional.OpenCandy) -> No action taken.

Files Detected: 5
C:\Users\ruth\AppData\Roaming\svc-gbgt.exe (Rogue.FakeAV) -> No action taken.
C:\Users\ruth\Local  Settings\Temporary Internet  Files\Content.IE5\E0JSFM4K\ab6202e78319b45adf9484a48a249c09[1].exe  (Rogue.FakeAV) -> No action taken.
C:\Users\ruth\Local  Settings\Temporary Internet  Files\Content.IE5\HUE5DQ7X\616b0bbfd25d47d1c83eee1f8de3cdc3[1].exe  (Rogue.FakeAV) -> No action taken.
C:\Users\ruth\AppData\Roaming\data.sec (Malware.Trace.E) -> No action taken.
C:\Users\ruth\AppData\Roaming\OpenCandy\A7567E0F27B548CABD222B28F112AB16\RealPlayerR71POC3_p2v2.exe  (PUP.Optional.OpenCandy) -> No action taken.

(end)
I know the log says "No action taken", but the log was made before I cleaned it.
Ran it a second time; found no infections.
I was able to boot into regular old Windows and ran an AVG PRO scan, which found nothing.
Did a rootkit scan and got this:

Code:
"Anti-Rootkit scan"
"Medium priority";"9";"9";"0"
"Started:";"2/12/2014, 11:48:04 AM"
"Finished:";"2/12/2014, 11:50:13 AM"
"Total object scanned:";"205246"
"User who launched the scan:";"ruth"

"Name";"Description";"Result";"Status";"Priority"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_POWER -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_READ -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_PNP -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_SYSTEM_CONTROL -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_CLOSE -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_WRITE -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_DEVICE_CONTROL -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_INTERNAL_DEVICE_CONTROL -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_CREATE -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
Took a break, noticed a lot of HDD activity, came back after a couple hours, and told her I wanted to back up her stuff, just in case. When I went to do that, I think permissions had been changed again by something.
I was able to create myself an account; Task Manager will not show me all tasks, and I have no access to the C: (OS) drive. I need some help. Long post, sorry. I usually don't need help, but I am out of ideas on this one.
Bill
I just joined this forum and just read not to use ComboFix, but that was after I ran it. I have the log.
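
An added example, not part of the original post or of any tool named in the thread: a read-only PowerShell audit of the two registry locations flagged in the Malwarebytes log in post #1. It lists Image File Execution Options `Debugger` values (which make Windows start a different program in place of the named executable) and Run-key autostarts; the function names are hypothetical and nothing is modified.

```powershell
# Added example: read-only audit of IFEO "Debugger" redirects and Run-key
# autostarts. Written for PowerShell 2.0 (the version shipped with Windows 7).
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper: one uniform record per finding.
function New-Finding($Source, $Name, $Data, $Key) {
    New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Data = [string]$Data; Key = $Key
        # Flag targets under per-user, user-writable folders such as AppData.
        UserPath = ([string]$Data -match '\\(AppData|Temp|Temporary Internet Files)\\')
    }
}

# Every IFEO subkey that carries a Debugger value (most subkeys have none).
function Get-IfeoDebugger {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $dbg = $key.GetValue('Debugger')
            if ($dbg) {
                New-Finding -Source 'IFEO' -Name $key.PSChildName -Data $dbg -Key $key.Name
            }
        }
    }
}

# Every value under the per-user and machine-wide Run keys.
function Get-RunEntry {
    foreach ($path in $runKeys) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            New-Finding -Source 'Run' -Name $name -Data $key.GetValue($name) -Key $key.Name
        }
    }
}

@(Get-IfeoDebugger) + @(Get-RunEntry) |
    Sort-Object Source, Name |
    Format-Table Source, Name, UserPath, Data, Key -AutoSize -Wrap
```

`HKCU` reflects only the account running the script, so a Run entry belonging to another profile will not appear when it is run from a newly created account. A `Debugger` value is not always hostile, since some legitimate tools set one, so review each row rather than treating every hit as an infection.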


13 Feb 2014   #2

Windows 7 Home Premium 64-bit
 
 

13 Feb 2014   #3

7 64 sp1
 
 

johnsmith45jock
Thanks for the reply. I am unsure if it would work; the machine has a Vista COA on it.
Excuse my ignorance, I have been fixing XP machines for years, but if I had a 7 x64 disc, can a recovery install be done from the disc without affecting the user files?


13 Feb 2014   #4

W7 Pro SP1 64bit
 
 

Windows 7 Universal Installation Disc - Create

Take note of the download links.
You might want to grab 32bit and 64bit while you can.
14 Feb 2014   #5

7 64 sp1
 
 

UsernameIssues,
Thanks for your reply. I got my Windows 7 Home Premium with Service Pack 1 (x64) - DVD (English) ISO from my TechNet subscription, but if people have made the Universal ISO I would like to have one. Although it would be kinda cool to make my own, I don't have the time for the project right now. She is looking for her install DVD now.
14 Feb 2014   #6

7 64 sp1
 
 
Re: Troubles with Permissions Changes Preventing access to anything.

BTW, here's my ComboFix text.
What am I missing?


Attached Files
File Type: txt results in safe mode.txt (22.7 KB, 4 views)
14 Feb 2014   #7

W7 Pro SP1 64bit
 
 

We will need to wait on a member that deals with infections to pickup the thread.
14 Feb 2014   #8

7 64 sp1
 
 

Usernameissues,
Thanks for the reply.
Is there any way to entice them? I am willing to strip down to my t-shirt if necessary LOL
I think if I could get Admin access again I have the tools to beat this infection. I am burning my Windows 7 Home Premium with Service Pack 1 (x64) - DVD (English) DVD right now.
14 Feb 2014   #9

W7 Pro SP1 64bit
 
 

Quote: Originally Posted by pwrcat4000
~~~
...I am willing to strip down to my t-shirt if necessary LOL
~~~
Don't want to drive them away :-)

I don't see them online and I'll be away for a bit too.
14 Feb 2014   #10

7 64 sp1
 
 

attempting "Upgrade"
Windows 7 Home Premium with Service Pack 1 (x64) <----infected
to Windows 7 Home Premium with Service Pack 1 (x64) <----- Clean!