Troubles with Permissions Changes Preventing access to anything.

pwrcat4000

I told my aunt that I could fix her Dell computer (Windows 7 x64 SP1). When I went to see it, the thing was unusable: "Activate Ultimate Protection" popups, no way to download or save anything, no way to back anything up. I had an AVG rescue ROM and it found nothing, so I loaded up the thing and took it home, plugged it in and got the black screen with cursor in every mode. Using the recovery partition that was set up on the Dell (no restore point found) I did boot repair multiple times, to no avail.
I figured it had something to do with permissions, as I had heard of this before, and followed the instructions (doing a bunch of icacls commands) here: Fix Permissions Changes Preventing Windows From Booting (Windows 7 / Vista) - Sysnative Forums
Code:
REM Run from the recovery command prompt with the damaged Windows volume as the
REM current directory (the paths below are relative). /t recurses, /c continues
REM past errors. /grant adds Allow entries; it does not remove entries that were
REM added by something else (that needs /remove or /grant:r).
icacls Windows /t /c /grant "NT SERVICE\TrustedInstaller":(F)
icacls Windows /t /c /grant SYSTEM:(M)
icacls Windows /t /c /grant SYSTEM:(F)
icacls Windows /t /c /grant Administrators:(M)
icacls Windows /t /c /grant Administrators:(F)
icacls Windows /t /c /grant Users:(RX)
icacls Windows /t /c /grant Users:(GR,GE)
icacls Windows /t /c /grant "CREATOR OWNER":(F)
icacls "Program Files" /t /c /grant "NT SERVICE\TrustedInstaller":(F)
icacls "Program Files" /t /c /grant SYSTEM:(M)
icacls "Program Files" /t /c /grant SYSTEM:(F)
icacls "Program Files" /t /c /grant Administrators:(M)
icacls "Program Files" /t /c /grant Administrators:(F)
icacls "Program Files" /t /c /grant Users:(RX)
icacls "Program Files" /t /c /grant Users:(GR,GE)
icacls "Program Files" /t /c /grant "CREATOR OWNER":(F)
icacls "Program Files (x86)" /t /c /grant "NT SERVICE\TrustedInstaller":(F)
icacls "Program Files (x86)" /t /c /grant SYSTEM:(M)
icacls "Program Files (x86)" /t /c /grant SYSTEM:(F)
icacls "Program Files (x86)" /t /c /grant Administrators:(M)
icacls "Program Files (x86)" /t /c /grant Administrators:(F)
icacls "Program Files (x86)" /t /c /grant Users:(RX)
icacls "Program Files (x86)" /t /c /grant Users:(GR,GE)
icacls "Program Files (x86)" /t /c /grant "CREATOR OWNER":(F)
icacls Users /t /c /grant SYSTEM:(F)
icacls Users /t /c /grant Administrators:(F)
icacls Users /t /c /grant Users:(RX)
icacls Users /t /c /grant Users:(GR,GE)
icacls Users /t /c /grant Everyone:(RX)
icacls Users /t /c /grant Everyone:(GR,GE)
A short 16 hours later I rebooted into Safe Mode with Networking and ran Malwarebytes, which found this:

Code:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.02.12.06

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 11.0.9600.16476
ruth :: RUTH-PC [administrator]

2/12/2014 10:35:48 AM
MBAM-log-2014-02-12 (10-41-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 260483
Time elapsed: 4 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 5
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\k9filter.exe (Security.Hijack) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpuxsrv.exe (Security.Hijack) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe (Security.Hijack) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSconfig.exe (Security.Hijack) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe (Security.Hijack) -> No action taken.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|PrSft (Rogue.FakeAV) -> Data: C:\Users\ruth\AppData\Roaming\svc-gbgt.exe -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Users\ruth\AppData\Roaming\OpenCandy (PUP.Optional.OpenCandy) -> No action taken.
C:\Users\ruth\AppData\Roaming\OpenCandy\A7567E0F27B548CABD222B28F112AB16 (PUP.Optional.OpenCandy) -> No action taken.

Files Detected: 5
C:\Users\ruth\AppData\Roaming\svc-gbgt.exe (Rogue.FakeAV) -> No action taken.
C:\Users\ruth\Local Settings\Temporary Internet Files\Content.IE5\E0JSFM4K\ab6202e78319b45adf9484a48a249c09[1].exe (Rogue.FakeAV) -> No action taken.
C:\Users\ruth\Local Settings\Temporary Internet Files\Content.IE5\HUE5DQ7X\616b0bbfd25d47d1c83eee1f8de3cdc3[1].exe (Rogue.FakeAV) -> No action taken.
C:\Users\ruth\AppData\Roaming\data.sec (Malware.Trace.E) -> No action taken.
C:\Users\ruth\AppData\Roaming\OpenCandy\A7567E0F27B548CABD222B28F112AB16\RealPlayerR71POC3_p2v2.exe (PUP.Optional.OpenCandy) -> No action taken.

(end)
I know the log says "No action taken", but the log was made before I cleaned it.
Ran it a second time and found no infections.
I was able to boot into regular old Windows and ran an AVG Pro scan; it found nothing.
Did a rootkit scan and got this:

Code:
"Anti-Rootkit scan"
"Medium priority";"9";"9";"0"
"Started:";"2/12/2014, 11:48:04 AM"
"Finished:";"2/12/2014, 11:50:13 AM"
"Total object scanned:";"205246"
"User who launched the scan:";"ruth"

"Name";"Description";"Result";"Status";"Priority"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_POWER -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_READ -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_PNP -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_SYSTEM_CONTROL -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_CLOSE -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_WRITE -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_DEVICE_CONTROL -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_INTERNAL_DEVICE_CONTROL -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_CREATE -> HIDCLASS.SYS +0x2710";"Secured";"Healed";"Medium"
Took a break, noticed a lot of HDD activity, came back after a couple of hours and told her I wanted to back up her stuff,
just in case. When I went to do that,
I think permissions had been changed again by something.
I was able to create myself an account, but Task Manager will not show me all tasks, and I have no access to the C: (OS) drive. Need some help. Long post, sorry; I usually don't need help but I am out of ideas on this one.
Bill
I just joined this forum and just read not to use ComboFix, but that was after I ran it. I have the log.
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell
OS
7 64 sp1
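An added audit script (my own, not from the thread or from the Sysnative post) that checks the directories those icacls commands touch, either before running them to see what is actually damaged or afterwards to confirm the result. It reports a directory when any of TrustedInstaller, SYSTEM or Administrators has no Allow entry, when Users, Everyone or Authenticated Users can write, delete or change permissions, or when the owner is an ordinary account. $Roots, $Required, $LowPriv and the function name are my own choices. A few Windows subdirectories (C:\Windows\Temp, for example) legitimately give Users write access, so compare the output against a known-good Windows 7 installation rather than treating every line as damage. Run it from an elevated PowerShell prompt; it is written for the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not from the thread: audit the ACLs the icacls commands above rebuild.
# Point $Roots at the offline volume (e.g. 'D:\Windows') when run from a recovery
# environment instead of the booted system.
$Roots      = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$Required   = 'NT SERVICE\TrustedInstaller', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
$LowPriv    = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
$GoodOwners = 'NT SERVICE\TrustedInstaller', 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

# Rights that let a low-privilege principal modify or re-ACL a system directory.
$FSR       = [System.Security.AccessControl.FileSystemRights]
$Dangerous = [int]($FSR::Write -bor $FSR::Delete -bor $FSR::ChangePermissions -bor $FSR::TakeOwnership)

function Test-SystemDirAcl {
    param([string]$Path)
    $acl     = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $allow   = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })
    $present = @($allow | ForEach-Object { $_.IdentityReference.Value })
    $findings = @()

    # 1. Every trustee the icacls commands grant must still have an Allow ACE.
    foreach ($id in $Required) {
        if ($present -notcontains $id) { $findings += "missing Allow ACE for $id" }
    }
    # 2. No low-privilege group may write, delete or change permissions.
    #    Generic rights show up as raw integers on some ACEs, so compare as int.
    foreach ($r in $allow) {
        if (($LowPriv -contains $r.IdentityReference.Value) -and
            (([int]$r.FileSystemRights -band $Dangerous) -ne 0)) {
            $findings += "$($r.IdentityReference.Value) has $($r.FileSystemRights)"
        }
    }
    # 3. Owner should be TrustedInstaller/Administrators/SYSTEM, not a user account.
    if ($GoodOwners -notcontains $acl.Owner) { $findings += "owner is $($acl.Owner)" }

    New-Object PSObject -Property @{ Path = $Path; Findings = $findings }
}

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # Root plus first-level subdirectories is enough to spot a mass re-ACL or takeown;
    # increase the depth if a specific subtree is suspect.
    $dirs = @($root) + @(Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue |
                         Where-Object { $_.PSIsContainer } | ForEach-Object { $_.FullName })
    foreach ($d in $dirs) {
        try { $result = Test-SystemDirAcl -Path $d }
        catch { "$d : $($_.Exception.Message)"; continue }
        if ($result.Findings.Count -gt 0) {
            "{0}`n  {1}" -f $result.Path, ($result.Findings -join "`n  ")
        }
    }
}
```

Only directories with at least one finding are printed, so a clean run prints nothing. An "access denied" line for a directory that Administrators should own is itself a finding: it means the ACL has been replaced rather than merely weakened.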

johnsmith45jock
Thanks for the reply. I am unsure if it would work; the machine has a Vista COA on it.
Excuse my ignorance, I have been fixing XP machines for years, but if I had a 7 x64 disc, can a recovery install be done from the disc without affecting the user files?
 

UsernameIssues,
Thanks for your reply. I got my Windows 7 Home Premium with Service Pack 1 (x64) - DVD (English) ISO from my TechNet subscription, but if people have made the universal ISO I would like to have one. Although it would be kinda cool to make my own, I don't have the time for the project right now. She is looking for her install DVD now.
 

BTW, here's my ComboFix text.
What am I missing?
 

Attachments

We will need to wait on a member that deals with infections to pick up the thread.
 

Usernameissues,
Thanks for the reply.
Is there any way to entice them? I am willing to strip down to my t-shirt if necessary :o LOL
I think if I could get admin access again I have the tools to beat this infection. I am burning my Windows 7 Home Premium with Service Pack 1 (x64) - DVD (English) DVD right now.
 

~~~
...I am willing to strip down to my t-shirt if necessary :o LOL
~~~
Don't want to drive them away :-)

I don't see them online and I'll be away for a bit too.
 

Attempting "Upgrade":
Windows 7 Home Premium with Service Pack 1 (x64) <----infected
to Windows 7 Home Premium with Service Pack 1 (x64) <----- Clean!
 

At this stage, what are the remaining indicators of infection or other noteworthy problems?

Have permissions been properly restored? If no, explain remaining issues.

Does she really need Java installed on her system? If no, remove it.

Is backing up documents, wiping drive, and re-imaging an option? If yes, this is the best option as trust can no longer be guaranteed without known-good image. System key can be extracted from registry, prior to re-imaging.
 

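An added check (my own, not from the thread) that answers the "remaining indicators" question by re-enumerating the two registry locations the Malwarebytes log reported: Image File Execution Options subkeys carrying a Debugger value (the Security.Hijack entries) and the Run/RunOnce keys (the Rogue.FakeAV entry under HKCU). It is meant to be rerun after cleanup or after a reinstall. The function names and the AppData/Temp heuristic are my own. The AVG anti-rootkit lines about hidusb.sys dispatch entries pointing into HIDCLASS.SYS describe how a HID minidriver normally registers with the HID class driver, so they are not something this script looks for.

```powershell
# Added example, not from the thread: re-check IFEO debugger redirects and Run entries.
$IfeoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit view on x64; skipped automatically if the key is absent.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-IfeoDebugger {
    # An IFEO subkey named after an executable with a Debugger value makes Windows start
    # that "debugger" instead, with the original command line appended. Fake AVs use it
    # to neuter msconfig, Windows Defender (msascui/msmpeng) and other security tools.
    foreach ($base in $IfeoKeys) {
        if (-not (Test-Path -LiteralPath $base)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $base) {
            $dbg = (Get-ItemProperty -LiteralPath $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                New-Object PSObject -Property @{ Target = $sub.PSChildName; Debugger = $dbg; Key = $sub.PSPath }
            }
        }
    }
}

function Get-RunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata properties Get-ItemProperty adds.
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            $cmd = [string]$p.Value
            # Heuristic image-path extraction: quoted path, else first token. An unquoted
            # path containing spaces will be truncated, so inspect Command as well.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            New-Object PSObject -Property @{
                Key          = $key
                Name         = $p.Name
                Command      = $cmd
                Exists       = (($exe -ne '') -and (Test-Path -LiteralPath $exe))
                # Run entries pointing into a profile-writable directory (AppData, Temp)
                # are the classic FakeAV shape; svc-gbgt.exe in the log above is one.
                UserWritable = ($exe -match '\\AppData\\|\\Temp\\')
            }
        }
    }
}

"== IFEO debugger redirects =="
Get-IfeoDebugger | Format-Table Target, Debugger -AutoSize
"== Run entries to review (profile-writable path or missing file) =="
Get-RunEntry | Where-Object { $_.UserWritable -or -not $_.Exists } |
    Format-Table Name, Exists, Command -AutoSize
```

Legitimate IFEO entries with a Debugger value are rare on a home machine, so any row in the first table deserves a look; in the second table a missing file usually means a cleaner removed the payload but left its autostart behind.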
shellcode,
Thanks for your response. The reinstall worked so far. I have already removed her Java (she had 6, which is probably where all this came from). Also saw that someone had downloaded fonts and saw the word Conduit associated with that (red flags), since I assume, like XP, fonts are loaded every time Win7 boots. I am reinstalling AVG Pro now and the 500 or so updates.
 

Let's take a look at the machine and see what needs to be removed. :)

If there is Conduit, there are likely other items that need to go.



Please download Junkware Removal Tool and save it on your desktop.

  • Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Please attach the JRT log.


Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.



Download RSIT 64 bit or RSIT 32 bit and save it to your desktop.

CLICK HERE to determine whether you're running 32-bit or 64-bit Windows.

Double-click RSIT.exe to start the tool. Windows Vista, 7 and 8 users: right-click and Run as Administrator.

  • Then click "Continue".
  • When the tool is finished, Notepad files called "Log" and "info" open.
  • Attach both of these to your reply.
 

Malnutrition,
I am unfamiliar with the programs you suggested. How long have you been using them?
Are there advantages over these programs?

AVG
Malware Bytes
Combofix
Spybot Search and Destroy

Thank you for your response
 

I should follow up: I have the OS working again, but I'm struggling with (curse word of your choice) .NET 4. Going off my experience from fixing XP, I am fairly familiar with fixing these problems using an old .NET repair tool, but Windows 7 seems to be resisting.
I used IObit Uninstaller to power-uninstall all the .NET 4 updates and had to reinstall .NET 4, as it did not appear in the installed programs list (typical: install it to uninstall it). Rebooted a couple of times and reinstalled .NET 4 (I don't think I got the .NET 4 Client). Tried to uninstall the full .NET and it stated that I needed the .NET 4 Client; installing that now, then I plan to uninstall all the .NET 4 stuff, update the whole thing, reboot and let Windows Update direct me. Hopefully it will fix it.
 

These tools will not harm your machine; I have been using them for a couple of years. :)

The first two will remove adware/spyware from your machine; the last will tell me what remains on your machine, then we can remove what needs to be removed.

RSIT can make a detailed analysis of the computer system and generate elaborate reports regarding its efficiency, resource utilisation etc. After installation, first use of the RSIT generates two reports info.txt and log.txt. In subsequent runs, only the log.txt is generated. The log.txt report contains general information about the RSIT version, OS, hard disk, RAM etc. that can be used to identify causes for delays in the computer if any. The info.txt is generated during the first use right after the installation of the RSIT and consists of a list of software, security

Choice is yours; I am here to help. :)
 

Also, if you are using Spybot Search and Destroy, I highly suggest that you remove it while I help you work on your machine. It can interfere with malware tools, making our job harder; you may reinstall it at the end of this venture if you so choose.
 

Please uninstall Combofix:


• Click Start > Search.
• Now type (or copy/paste) ComboFix /Uninstall in the run box and click OK. Note the space between the X and the /; it needs to be there.


Next, download TFC by OldTimer (TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums) and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.


After doing all of the above, download DDS from one of these links:
DDS.com

DDS.pif
  • Disable any script blocking protection
  • Double click the dds icon to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt <--- will be minimized in the task tray
  • Save both reports to your desktop.
Include the contents of both logs in your next post.
The scan will instruct you to post Attach.txt as an attachment.
 

Jacee,
Thanks for your reply. The output files are attached.
 

Attachments
