charismatic100 asked on

Virus Enabled Read Only Attribute on Folders

I am working with a Dell desktop computer with XP Pro SP3 installed.  End user let antivirus subscription expire and is now experiencing all sorts of issues.
I uninstalled Win Maximizer and FileCure from her computer.  
There are two .exe files on her desktop named null0.xxxxxxxxxxxxxxxx where the x's are random numbers.
I installed malwarebytes.  15 seconds into a full scan, the malwarebytes program exits.  Nothing malwarebytes related is listed in Task Manager.  If you try to run malwarebytes again, you receive "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe  Windows cannot access the specified device, path, or file.  You may not have the appropriate permissions to access the item."  Further investigation reveals that folders are marked read only.  Changing the read only attribute is not persistent.  The attribute changes back to read only.
Unable to run online virus scans.  They begin and stop as well.
Unable to install anything from a CD/DVD receive access denied error message.
How should I proceed?
Anti-Virus Apps, Anti-Spyware

Last Comment
rpggamergirl

8/22/2022 - Mon
younghv

Really good EE Article on just this problem here:
https://www.experts-exchange.com/A_1995.html - IF YOU CAN'T RUN .EXES IN AN INFECTED SYSTEM:  
younghv

When fighting current malware variants, you need to keep in mind that many of them are running "rogue processes" which will stop even the best scanners from installing or functioning properly.

My personal favorite for stopping the rogues is "Rogue Killer", described here:
Rogue-Killer-What-a-great-name

Please take a few minutes and review the procedures in these EE Articles for more ideas on different methods you can use:
Basic Malware Troubleshooting
Stop-the-Bleeding-First-Aid-for-Malware

As noted, please post the "Logs" from any scanner you run and we will review them before taking further action.
charismatic100

ASKER
Ran rkill.  Malwarebytes quits 6 seconds into full scan.
Ran Rogue Killer first time.  Malwarebytes quits 6 seconds into full scan.
Ran TDSSKiller which caused reboot to finish.  Malwarebytes quits 6 seconds into full scan.
Ran Rogue Killer second time.  Malwarebytes quits 6 seconds into full scan.
I am now able to run executable from a CD/DVD drive.  Still unable to run an executable from computer or Internet.
Rkill, RK1, TDSS and RK2 files attached

rkill.log
RKreport-1-.txt
TDSSKiller.2.5.14.0-06.08.2011-1.txt
RKreport-2-.txt
younghv

Are you running Malwarebytes immediately after running RogueKiller (no re-boot in between)?

Strange that you can run the executable for RK, but not for MBAM.

Since RogueKiller seems to be working properly, try downloading a new copy of MBAM - but use the "Save As" function to name it something like 'mb.exe' BEFORE it touches your computer.

You can also download it on a clean computer and copy (as mb.exe) to a USB stick...then copy it to the desktop of the infected computer.

Try running them both again after doing that.
charismatic100

ASKER
In all cases ran mbam immediately after reboot.
Do I need to uninstall the current mbam now that it is installed?
charismatic100

ASKER
My apologies.  Please disregard the previous post.  Mbam was run immediately after each process killer...no reboot in between.
Do I need to uninstall the current mbam before trying to run again?  I am unable to run mbam or any online virus scan.  Scan starts, then quits.
ASKER CERTIFIED SOLUTION
rpggamergirl

rpggamergirl

No security scanners will completely run because this rootkit also has a driver that kills security scanners (the scanner's ExitProcess gets called) and resets the ACL setting, rendering the file unusable unless you manually set it back to the correct ACL.


Apparently Gmer sees the random number service at HKLM\System\ControlSet002\12345678, which can be deleted.
ZA also creates the folders/files below:
c:\windows\$NtUninstallKB6522$
C:\Windows\Assembly\GAC_MSI\Desktop.ini
 .\globalroot\Device\svchost.exe

There are mixed reports about which scanners can completely remove this or not, but I would just run them all, starting with ComboFix since CF is supposedly able to fix this.
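The two symptoms in this thread (the read-only attribute that flips back, and mbam.exe being denied access even though the file is there) are both effects of the ACL reset rpggamergirl describes above. The following PowerShell is an added example, not code from this thread or from any of the tools mentioned; it assumes PowerShell 2.0 on the XP SP3 machine and an Administrator session, and uses the Malwarebytes path quoted in the original question. It reports explicit Deny entries, removes them, re-enables inheritance from Program Files, clears the read-only attribute, and then re-checks after a pause: if the attribute or Deny entries return, the rootkit driver is still active and the repair will not hold until it has been removed.

```powershell
# Added example (not from the thread): inspect and repair the ACL and
# read-only attribute on a security tool's folder that a rootkit has locked.
# Assumes PowerShell 2.0 on XP SP3 and an elevated (Administrator) session.
# $Target is the path quoted in the original question.
$Target = "C:\Program Files\Malwarebytes' Anti-Malware"

function Get-ExplicitDenyRules {
    param([string]$Path)
    # Explicit (non-inherited) Deny entries are what stop mbam.exe from loading;
    # the default ACL under Program Files has no Deny entries at all.
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited
    }
}

function Repair-FolderAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Remove every explicit Deny entry...
    foreach ($rule in @(Get-ExplicitDenyRules -Path $Path)) {
        [void]$acl.RemoveAccessRule($rule)
    }
    # ...then re-enable inheritance from the parent so the default
    # Administrators/SYSTEM/Users rights flow back down (second argument
    # $true keeps the currently inherited entries rather than wiping them).
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $Path -AclObject $acl
}

function Clear-ReadOnlyAttribute {
    param([string]$Path)
    # Strip ReadOnly from the folder itself and everything under it.
    $items = @(Get-Item -Path $Path -Force) + @(Get-ChildItem -Path $Path -Recurse -Force)
    foreach ($item in $items) {
        if ($item.Attributes -band [IO.FileAttributes]::ReadOnly) {
            $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::ReadOnly
        }
    }
}

function Test-FolderLockedAgain {
    param([string]$Path, [int]$WaitSeconds = 30)
    # The asker reports the attribute "changes back": if the lock reappears
    # within a short window, a kernel-side component is still re-applying it
    # and the rootkit removal step has to come first.
    Start-Sleep -Seconds $WaitSeconds
    $readOnly = (Get-Item -Path $Path -Force).Attributes -band [IO.FileAttributes]::ReadOnly
    $denies   = @(Get-ExplicitDenyRules -Path $Path).Count
    return ([bool]$readOnly -or $denies -gt 0)
}

# --- usage ---
Write-Host "Explicit Deny entries before repair:"
Get-ExplicitDenyRules -Path $Target | Format-Table IdentityReference, FileSystemRights -AutoSize
Repair-FolderAcl -Path $Target
Clear-ReadOnlyAttribute -Path $Target
if (Test-FolderLockedAgain -Path $Target) {
    Write-Warning "Folder was re-locked within 30 seconds: the rootkit driver is still running."
} else {
    Write-Host "Repair held; try launching mbam.exe again."
}
```

Only the Malwarebytes folder is targeted here; the same functions can be pointed at any other scanner's install folder that shows the same access-denied behaviour.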
willcomp

Just a note about ZeroAccess root kit and CF. I've had 2 PCs in the shop recently with ZA root kit and CF removed it in both cases.
charismatic100

ASKER
Ran ComboFix and AntiZero access.
AntiZero access reports everything good.
Combo Fix log attached.
Working on ACLs now.
CFlog.txt
rpggamergirl

A slightly different strain of the ZA rootkit; it created a slightly different folder.

When you're done with resetting ACL, check to make sure that "userinit.exe" is present in the system32 folder. And if userinit.exe is present then you can change the value of userinit under winlogon key to point to --> c:\windows\system32\userinit.exe
at the moment, CF made it point to explorer.exe instead.

You are familiar with editing the registry right? If not, then we can create a regfile that you can merge with your registry.
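The Userinit check above (confirm system32\userinit.exe exists, then repoint the Winlogon value that CF left at explorer.exe) can be done in a few lines rather than by hand in regedit. This PowerShell is an added example, not code from the thread; it assumes PowerShell 2.0 and an Administrator session. It refuses to touch the registry if userinit.exe is missing, writes the value directly or produces a .reg file to merge (the alternative rpggamergirl offers), and, as a report-only extra for the random-number service mentioned earlier in the thread, lists any all-digit subkey names under the Services key (an assumption here is that the key Gmer flagged lives under Services).

```powershell
# Added example (not from the thread): verify and repair the Winlogon Userinit
# value, or emit a .reg file that does the same when merged.
# Assumes PowerShell 2.0 on XP SP3 and an elevated (Administrator) session.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$UserinitExe = Join-Path $env:SystemRoot 'system32\userinit.exe'
# The stock XP value is the full path followed by a trailing comma.
$ExpectedUserinit = "$UserinitExe,"

function Test-Userinit {
    # Never repoint the value while the target binary is absent: that would
    # leave the machine unable to complete logon.
    if (-not (Test-Path -Path $UserinitExe)) {
        Write-Warning "userinit.exe is missing from system32; restore it before repointing the registry."
        return $false
    }
    $current = (Get-ItemProperty -Path $WinlogonKey -Name Userinit).Userinit
    Write-Host "Current Userinit value: $current"
    return ($current -eq $ExpectedUserinit)
}

function Repair-Userinit {
    if (Test-Userinit) { Write-Host 'Userinit is already correct.'; return }
    if (-not (Test-Path -Path $UserinitExe)) { return }   # warning already shown
    Set-ItemProperty -Path $WinlogonKey -Name Userinit -Value $ExpectedUserinit
    Write-Host "Userinit set to $ExpectedUserinit"
}

function New-UserinitRegFile {
    param([string]$OutFile = (Join-Path $env:USERPROFILE 'Desktop\fix-userinit.reg'))
    # .reg syntax requires backslashes inside string values to be doubled.
    $escaped = $ExpectedUserinit.Replace('\', '\\')
    $content = @"
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="$escaped"
"@
    # regedit expects .reg files as UTF-16; Unicode encoding gives that.
    Set-Content -Path $OutFile -Value $content -Encoding Unicode
    return $OutFile
}

function Find-NumericServiceKeys {
    # Report-only: service subkeys whose name is nothing but digits, which is
    # how the random-number service in this thread would appear. Assumption:
    # the key sits under the Services branch of the control set.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        Where-Object { $_.PSChildName -match '^\d+$' } |
        ForEach-Object { $_.Name }
}

# --- usage ---
Repair-Userinit
# Or, to hand the fix to someone who prefers merging a file:
# $reg = New-UserinitRegFile; Write-Host "Merge $reg with regedit"
$suspect = @(Find-NumericServiceKeys)
if ($suspect.Count -gt 0) { Write-Warning "All-digit service keys found:`n$($suspect -join "`n")" }
```

Run Test-Userinit again after a reboot: if the value has drifted back to explorer.exe, something is still rewriting it and the cleanup is not finished.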
younghv

@rpg & willcomp -
Thank you for jumping in here.
I haven't seen this one yet, but when it comes into the shop, I will now know how to attack it.

Good stuff!
charismatic100

ASKER
Registry edited as you suggested.
As I mentioned in the original post, I uninstalled WinMaximizer before trying to fix anything.  Now receiving an error message on start up "WinMaximizer Your installation is corrupt or damaged!  Please reinstall."
Found nothing in system configuration utility start up or in services.msc.
Searched winmaximizer.  Deleted all scheduled tasks and folders found.  Reboot of computer was clean.
Now having an issue with downloading McAfee updates.  Screen shot is attached.
Research shows that subscription is valid until November 2012.  No issues with IP settings and I am able to successfully ping their download site as suggested here https://community.mcafee.com/thread/23148
Do I need to follow up with McAfee on this?
I was able to successfully run Malwarebytes.  It found a number of items in system restore that it wants to fix.  It also listed items in the combofix quarantine.  Will I be creating a problem if I select fix all?


McAfee.doc
charismatic100

ASKER
mbam log file attached.
mbam-log-2011-08-07--19-10-17-.txt
rpggamergirl

It was very wise that you uninstalled WinMaximizer. That program was no good.

The files that Mbam detected in the qoobox folder and in the System Volume Information are all harmless while in that folder, so it doesn't really matter if you fix them now or later on when everything's fine.

You can also get rid of them later on by flushing the System restore and when you uninstall CF.
I'm not sure about the McAfee update error, perhaps they have a fairly good idea what caused it.


charismatic100

ASKER
Instructed end user on how she may have accidentally installed WinMaximizer.  She is the only user and says that she did not know how it got installed.
I will be contacting McAfee directly regarding the update issue as I have not been able to correct it through Internet research.  It is not clear if no virus definition updates for McAfee was the beginning of the problem or if ZeroAccess disabled the update process somehow.
I will follow your instructions regarding flushing System Restore and then uninstall CF.
charismatic100

ASKER
I had to uninstall/reinstall the McAfee software with McAfee tech support.  McAfee is now functioning correctly.
I have flushed System Restore.  
Are there specific instructions that I should follow to uninstall CF or can it be removed using add/remove programs?
willcomp

Go to Start > Run
Type in
combofix /uninstall
charismatic100

ASKER
Interesting...Windows cannot find combofix
Probably because I ran CF from a CD.
charismatic100

ASKER
Thank you!
samiam41

Great information rpggamergirl!  Thanks.  When do the EE shirts come out with your name on them?  ;-)
rpggamergirl

"Windows cannot find combofix"

That could be why.


@ samiam41:
Nice thought, but no one would want to wear them, lol.
Though it would be a good idea if EE shirts will have the Expert's name on it to make it more special.