HCHTech
Well-Known Member
- Reaction score
- 4,254
- Location
- Pittsburgh, PA - USA
Did a cleanup on a Win7 Pro 32bit computer today that was a little interesting.
The reported symptom was "playing ads through the speakers", and of course they mucked around for a while before calling for help. There was MSE on the computer (inoperable), a fresh install of Avast Free, and Malwarebytes (also inoperable).
I started by uninstalling Avast. Whenever Malwarebytes or MSE was run or an uninstall was attempted however, you got a popup saying "you have insufficient access to run/uninstall this program".
I removed the rootkit easily enough, and it had replaced the default rpcss.dll with a nefarious version, so I replaced that with the original version from an install disk.
I finished the cleanup and did a couple of other scans which came out clean. Still couldn't run or uninstall MBAM or MSE in normal or safe mode. I figured originally that this was a permissions issue, but running a permissions fix didn't help. I poked through gpedit, but this computer wasn't on a domain and there were no configured policies. A bit of Googling didn't turn up anything relevant.
Luckily, there were entries in the application log to accompany the "insufficient access" popups. They were Warning messages, Source was Software Restriction Policies, #866: "Access to c:\program files\microsoft security client\msseces.exe has been restricted by your administrator by location with policy code {79984917-462a-466e-b09a-3ce3549620fc} placed on path c:\program files\microsoft security client"
A search for this policy code in the registry took me to this key:
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
There were entries here for both MSE and MBAM. Deleting them and rebooting restored access so I could remove MSE and install a better av. MBAM also runs fine after the fix. It was a satisfying resolution.
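The triage described in the post, as an added PowerShell example that is not the poster's own code: it enumerates every Software Restriction Policy path rule under the Safer key (both HKLM and HKCU), pulls the SRP warnings (event IDs 865 to 868, of which 866 is the "by location" path rule the post quotes) out of the Application log, and removes a rule by its policy GUID with -WhatIf support. The function names are invented for this example; the registry layout it assumes is CodeIdentifiers\<level>\Paths\<GUID> with an ItemData value holding the path, which matches the key the post found. Rules written straight into this key, as the malware did here, do not show up in gpedit, which reads the local GPO store rather than the live Policies hive, which is why the editor looked empty.

```powershell
# Added example (not from the original post). Run as Administrator.
# Assumption: SRP stores path rules at <hive>\...\Safer\CodeIdentifiers\<level>\Paths\<GUID>,
# with ItemData = path pattern, Description = free text, and DefaultLevel under CodeIdentifiers.
$SaferRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)

# SAFER_LEVELID_* values; the subkey name under CodeIdentifiers is the level in decimal.
$LevelNames = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Constrained'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

function Get-SrpPathRule {
    # One object per path rule: hive, level, policy GUID, path pattern, description, registry key.
    foreach ($root in $SaferRoots) {
        if (-not (Test-Path $root)) { continue }
        $default = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultLevel
        foreach ($levelKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $level = $levelKey.PSChildName -as [int]
            if ($null -eq $level) { continue }
            $pathsKey = "$($levelKey.PSPath)\Paths"
            if (-not (Test-Path $pathsKey)) { continue }
            $levelName = if ($LevelNames.ContainsKey($level)) { $LevelNames[$level] } else { '0x{0:X}' -f $level }
            foreach ($rule in Get-ChildItem -Path $pathsKey) {
                $props = Get-ItemProperty -Path $rule.PSPath
                [pscustomobject]@{
                    Hive         = $root.Split(':')[0]
                    DefaultLevel = $default
                    Level        = $levelName
                    RuleId       = $rule.PSChildName      # the {GUID} quoted in event 866
                    Path         = $props.ItemData
                    Description  = $props.Description
                    PSPath       = $rule.PSPath
                }
            }
        }
    }
}

function Get-SrpEvent {
    # SRP writes Warning events to the Application log:
    # 865 = blocked by default level, 866 = blocked by path rule (names the rule GUID),
    # 867 = blocked by certificate rule, 868 = blocked by zone rule.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866, 867, 868 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                RuleId  = [regex]::Match($_.Message, '\{[0-9a-fA-F-]{36}\}').Value
                Message = ($_.Message -replace '\s+', ' ')
            }
        }
}

function Remove-SrpPathRule {
    # Deletes the rule subkeys whose GUID matches; honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string[]]$RuleId)
    foreach ($rule in Get-SrpPathRule | Where-Object { $RuleId -contains $_.RuleId }) {
        if ($PSCmdlet.ShouldProcess($rule.Path, "Remove SRP '$($rule.Level)' rule $($rule.RuleId)")) {
            Remove-Item -Path $rule.PSPath -Recurse
        }
    }
}

# Triage: which paths are Disallowed, and which rule GUIDs the event log blames.
Get-SrpPathRule | Where-Object { $_.Level -eq 'Disallowed' } |
    Format-Table Hive, RuleId, Path, Description -AutoSize
Get-SrpEvent | Format-Table Time, Id, RuleId, Message -Wrap

# Then remove the rule the events named, previewing first, and reboot (SRP is re-read at logon):
# Remove-SrpPathRule -RuleId '{79984917-462a-466e-b09a-3ce3549620fc}' -WhatIf
# Remove-SrpPathRule -RuleId '{79984917-462a-466e-b09a-3ce3549620fc}'
```

Compare the RuleId column from the event log against the enumerated rules before deleting anything: a legitimate Disallowed rule (for example one an administrator set on a download folder) lives in the same key as the malicious ones, and the Description and Path values are what tell them apart.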
