NT Authority\System + registry: access denied? (BFE, Firewall, Defende

[Jeffrey89]

hi

Someone brought me a laptop where "the internet did not function anymore". I attempted a system restore, still the problem existed.

I tried scanning with a few anti-malware programs (MBAM, Avast), nothing was found.

MSE can also not be installed.

I noticed a firewall issue, but it's much more than that. The Base Filtering Engine did not start, so several depending services couldn't be started, so no internet... I fixed the internet problem by changing some permissions to a reg key, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BSE or something like that. Internet access is back. I now have the firewall service running, but not the firewall. Also Windows Defender fails to start.

Thanks to ProcMon, I noticed that "NT Authority\System" returns "access denied" while accessing the registry in nearly all those instances. Yet when I check, "SYSTEM" is found in (most of) the permissions for the reg keys, and has full access in (nearly) all cases.

So before I manually change anything: are there any hints on what might be causing this? (I solved one or two by adding FULL CONTROL permissions for EVERYONE, which is definitely not the way to go. NT Authority\SYSTEM has also been added to the ADMINISTRATORS group, but no avail).

Thank you very much in advance!

( Windows 7 Home Premium )

[jnelsoninjax]

Are you positive that there is not a virus or malware on the system? I had one on my system the MWB detected and removed, but it still came back, and it was masquerading as a system file (csrss.exe) but it was loading it from a hidden/system folder simply called Nvida. I would also recommend trying NTFS Access and see if perhaps the NTFS permissions are screwed up. One other check that can be done easily is: Open command prompt, and do

dir/ah

you also might want to include the /s switch and see if anything looks out of the ordinary.

[Jeffrey89]

No, not positive the malware has been removed (and yes, it's very likely it's malware, but my usual set of tools didn't pick up anything - and MSE even failed to (re)install, it's also gone).

As for the access, I really mean the rights in the registry. Those keys ( HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BSE / HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winsock2/Parameters / HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Epoch2 or something like that) all returned "NT AUTHORITY\SYSTEM" "access denied", although the rights are in fact granted if I check everything.

[jnelsoninjax]

Sounds like its time to format and reinstall then :( at this point that might be the simplest way of fixing the whole issue(s)

[Jeffrey89]

Yeah, but really, that's what I want to avoid. So far, never had to format any PC after malware, I'm somehow being stubborn and trying to keep that score, even if it's more work.

[jnelsoninjax]

One other thing to attempt: open an elevated command prompt, and type in

sfc/scannow

this process will take some time, but should be able to fix any corrupted system files.

[Jeffrey89]

Thanks, I'll try that!

Btw, is there any chance anyone has a overview of the permissions on the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ - subkeys? Or a tool to restore the default permissions there?

[jnelsoninjax]

Found this doing a google search:

I had some problems with my registery permissions a while ago, I couldn?t delete any thing any more, so I was looking for something that could reset my registery permissions to defaults. Here is the solution that worked for me

If you want to reset the entire registry permissions to defaults follow these steps

Note:- Before Doing any changes to registry plesae take a backup and start your changes

First you need to download SubInACL from here

SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.

Create a file with the name reset.cmd under C:\Program Files\Windows Resource Kits\Tools folder

Now you need to Edit the reset.cmd file and add the following lines

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f

subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f

subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f

subinacl /subdirectories %SystemDrive% /grant=administrators=f

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f

subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f

subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f

subinacl /subdirectories %SystemDrive% /grant=system=f

Save and exit your file

Now you need to open command prompt run the following command

cdcd ?C:\Program Files\Windows Resource Kits\Tools?

after this press enter and enter the following command

reset.cmd

after entering this please press enter

after a few minutes by processing subinacl, the permission will be reset

[Jeffrey89]

Thanks. Still no fix though. Yesterday I managed to have an internet connection, working, just not the firewall, today I'm offline again.

Even the Diagnostics Policy Service fails (also access denied).

This must have been / be one serious malware infection!

[jnelsoninjax]

Have you attempted to create a new user account? I would try and see if perhaps just that profile is corrupt. If not then it seems that your only remaining choice would be a reinstall!

[+BudMan MVC]

"So far, never had to format any PC after malware"

Sad as it may be, this really is no longer a viable option with the sophistication and complexity of modern day infections.

Sometimes you just have to "nuke it from orbit" as the only sure way of being sure its clean.

If you can not be reasonably sure that you have cleaned it after a specific time frame, a nuke is most likely going to be the safest approach both in time spent and confidence that it is actually clean.

It is a good practice once you create a system and get your applications/tools installed and configured how you like it to take an image. And then update this image as you make major changes to the system, say after a specific number of patches, install of new major applications, etc. This way if the need arises you can get back to a clean usable install in just a few minutes.

[Jeffrey89]

I know, it's not my personal PC, hence the reluctance of formatting, although I realize it's the easiest solution.

[Princess Katie Pixie]

Never use a laptop/desktop when you bought it off from someone. Who knows what it might have.

The safest way is to first the drivers for the computer and second do a clean install.

Never use a stranger's computer ever.

[Jeffrey89]

I didn't buy it, it's someone who brought it to me to have a look at the problem. I only buy new stuff ;)

I had already tried the creation of a new user account, but I had the same issues.

Last night, I tried a repair install (the fake upgrade method) of Windows 7. Lots of previously-unable-to-start services running again, although I did get a warning that the hard disk might be failing soon (but I think it's a consequence of removing SP1 so I could attempt the repair install). I'll be looking further into it tonight and keep you posted.

[jnelsoninjax]

I'll say it again: You might as well format the HDD and reinstall the OS! Whatever is going on in the system is going to continue until you remove it, and based on what you are saying, you can not install any A/V or malware scanner, so the next most likely option is a reinstall :/

[Jeffrey89]

Probably. The repair seemed fine this morning, but now it refuses to boot, after a warning this morning that the hard disk might be corrupted. Using a Windows CD, it turns out C:\ is now D:\ and it's not loading....

[jnelsoninjax]

Something is really screwed up in that system :/ It might be worth while to ask your friend what he/she was doing prior to all hell breaking loose. At least in that case you might have a pretty good idea when/where the infection took place.

[Jeffrey89]

Screwed, beyond any malware infection I've seen so far (except for an XP one a couple of months ago).

No, they're the typical user who doesn't know why stuff happened... I bet adult sites, since apparently there was some warning in French about porn and having to pay up and stuff.

Current status: after the repair install, I got a bad HDD warning. On reboot, Windows hang on the logo. Win7 Start-up repair didn't help, I attached the drive to another laptop to make a back-up and try some chkdsk-stuff (which all was fine!). Ultimately, I was lucky and got it running again. Internet connection OK, just immensely slow for my taste, but that could be the PC itself, I obviously can't judge how slow it used to be let's say two weeks ago. Hope tonight it still works, since I need to re-apply lots of updates.

[+BudMan MVC]

So how many days we into this now? If you would of just nuked it after say 2 hours dicking with it and not getting anywhere, the user would already have their machine back.

[Jeffrey89]

Yes, I know, I'm just too obsessed with the cause, to prevent it from happening again.

On the bright side, the user can't screw things up again already, and a back-up is now a fact. :)

[+BudMan MVC]

"I'm just too obsessed with the cause"

The cause is the USER ;) What they actually infected themselves with, it could be MULTIPLE things and the combo of them really messed things up. Does not always come down to 1 infection. Most machines I have cleaned in the past were infected with a plethora of things!!

I can understand your curiosity, I am inflected with the same trait!! But to be honest it comes down to the fact it was compromised in some fashion. The only real way to be sure that the infection is gone is nuke it.

New crap comes out hourly, its code changes at that same kind of rate - your going to see lots of different variants of the same infection. Most of the antivirus players don't always give lots of details of what a specific virus/malware/crapware does, etc.. So even if you had a name of the infection to work with - getting the details you seek might not be possible.

Your symptoms may be the cause of virus A doing X, then virus B doing Y, then C.. doing Z... etc..