Windows and NTFS permissions issue after removal



#1 equate975

Posted 27 May 2011 - 05:06 PM

I've had a persistent problem with computers coming in infected: after removal, my user permissions and NTFS permissions are hosed. I've been banging my head on the wall trying to resolve the issue but have never found a solution other than a reload.

Infected machines are all running Win7 (x86, if it matters). Issues include files and folders (seemingly at random) being hidden and impossible to unhide (right now, desktop icons) and being unable to install programs (Access Denied), I'm assuming because I do not have permission to write to a temp folder during the install. When copying to the root of C:, for example, I am prompted to elevate as an admin.

I try to run:

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose


It fails after processing all the registry keys, and scesrv.log shows:

Warning 5: Access is denied.
Error setting security on machine\software\classes.

Registry permission reset with secedit (which I don't think is even officially supported in 7) will fail every key.
I even tried running icacls * /T /Q /C /RESET (which I know is not meant for a windows install drive) to see if that would get me anywhere, every file is access denied.

Below are what my scanners pulled out, minus the tracking cookies on my most recent machine:

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cake Mania --> DisplayName 	detected: Trace.Registry.Cake Mania!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cake Mania --> UninstallString 	detected: Trace.Registry.Cake Mania!A2
C:\Documents and Settings\User\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\7be78a09-1ec0ce29 	detected: Trojan-Downloader.Java.Agent!IK
C:\Program Files\Shockwave.com\Cake Mania\product\CakeMania.exe 	detected: Trojan.Win32.Buzus!IK
C:\Users\User\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\7be78a09-1ec0ce29 	detected: Trojan-Downloader.Java.Agent!IK

Any help would be greatly appreciated.

Edit:

Also the recycle bin is corrupt on every reboot.

Edited by equate975, 27 May 2011 - 05:13 PM.
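A diagnostic a responder can run before attempting any reset, added here as an example (not from the original post): for the locations the post names it reports the owner, whether SYSTEM and BUILTIN\Administrators still hold FullControl, whether inheritance has been cut, and whether the Hidden/System attributes are set. It assumes PowerShell 3.0 or later in an elevated prompt; the path list is an assumption to be adjusted to the affected profile.

```powershell
# Added diagnostic example, not from the original post. The paths are assumptions
# for a damaged Win7 profile; adjust them to the machine being examined.
$Paths = @("$env:USERPROFILE\Desktop", "$env:TEMP", "$env:ProgramData", 'C:\', 'C:\$Recycle.Bin')

# True when $Identity holds an Allow ACE granting FullControl on this object.
function Test-FullControl {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl, [string]$Identity)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in $Acl.Access) {
        if ($ace.IdentityReference.Value -eq $Identity -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $full) -eq $full)) { return $true }
    }
    return $false
}

# One row per path: owner, whether SYSTEM and Administrators still have FullControl,
# whether inheritance was cut (AreAccessRulesProtected) and whether Hidden/System are set.
function Get-AclHealth {
    param([string[]]$PathList)
    foreach ($p in $PathList) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $item = Get-Item -LiteralPath $p -Force
        try { $acl = Get-Acl -LiteralPath $p }
        catch {
            # Get-Acl needs READ_CONTROL; failing here already means the DACL or owner is damaged.
            [pscustomobject]@{ Path = $p; Owner = '<access denied>'; SystemFull = $null
                               AdminsFull = $null; Protected = $null; HiddenSystem = $null }
            continue
        }
        [pscustomobject]@{
            Path         = $p
            Owner        = $acl.Owner
            SystemFull   = Test-FullControl $acl 'NT AUTHORITY\SYSTEM'
            AdminsFull   = Test-FullControl $acl 'BUILTIN\Administrators'
            Protected    = $acl.AreAccessRulesProtected
            HiddenSystem = [bool]($item.Attributes -band ([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System))
        }
    }
}

Get-AclHealth $Paths | Format-Table -AutoSize
```

A foreign owner or a missing Administrators FullControl ACE is the usual reason icacls /reset reports Access Denied, since rewriting a DACL requires WRITE_DAC or ownership of the object; taking ownership of the damaged profile folders first (takeown /F <path> /R /A) is what lets the reset succeed, and it should be scoped to those folders rather than the whole system drive.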



#2 equate975


Posted 28 May 2011 - 04:18 PM

Sorry for the bump, but the plaster is starting to chip off the wall.
