charismatic100

asked on

Virus Enabled Read Only Attribute on Folders

I am working with a Dell desktop computer with XP Pro SP3 installed.  End user let antivirus subscription expire and is now experiencing all sorts of issues.
I uninstalled Win Maximizer and FileCure from her computer.  
There are two exes on her desktop, null0.xxxxxxxxxxxxxxxx where the x's are random numbers.
I installed malwarebytes.  15 seconds into a full scan, malwarebytes program exits.  Nothing malwarebytes related listed in Task Manager.  If you try to run malwarebytes again, you receive "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe  Windows cannot access the specified device, path, or file.  You may not have the appropriate permissions to access the item."  Further investigation reveals that folders are marked read only.  Changing the read only attribute is not persistent.  Attribute changes back to read only.
Unable to run online virus scans.  They begin and stop as well.
Unable to install anything from a CD/DVD receive access denied error message.
How should I proceed?
younghv

Really good EE Article on just this problem here:
https://www.experts-exchange.com/A_1995.html - IF YOU CAN'T RUN .EXES IN AN INFECTED SYSTEM:  
When fighting current malware variants, you need to keep in mind that many of them are running "rogue processes" which will stop even the best scanners from installing or functioning properly.

My personal favorite for stopping the rogues is "Rogue Killer", described here:
Rogue-Killer-What-a-great-name

Please take a few minutes and review the procedures in these EE Articles for more ideas on different methods you can use:
Basic Malware Troubleshooting
Stop-the-Bleeding-First-Aid-for-Malware

As noted, please post the "Logs" from any scanner you run and we will review them before taking further action.
charismatic100

ASKER

Ran rkill.  Malwarebytes quits 6 seconds into full scan.
Ran Rogue Killer first time.  Malwarebytes quits 6 seconds into full scan.
Ran TDSSKiller which caused reboot to finish.  Malwarebytes quits 6 seconds into full scan.
Ran Rogue Killer second time.  Malwarebytes quits 6 seconds into full scan.
I am now able to run an executable from a CD/DVD drive.  Still unable to run an executable from the computer or Internet.
Rkill, RK1, TDSS and RK2 files attached

rkill.log
RKreport-1-.txt
TDSSKiller.2.5.14.0-06.08.2011-1.txt
RKreport-2-.txt
Are you running Malwarebytes immediately after running RogueKiller (no re-boot in between)?

Strange that you can run the executable for RK, but not for MBAM.

Since RogueKiller seems to be working properly, try downloading a new copy of MBAM - but use the "Save As" function to name it something like 'mb.exe' BEFORE it touches your computer.

You can also download it on a clean computer and copy (as mb.exe) to a USB stick...then copy it to the desktop of the infected computer.

Try running them both again after doing that.
In all cases ran mbam immediately after reboot.
Do I need to uninstall the current mbam now that it is installed?
My apologies.  Please disregard the previous post.  Mbam was run immediately after each process killer...no reboot in between.
Do I need to uninstall the current mbam before trying to run again?  I am unable to run mbam or any online virus scan.  Scan starts, then quits.
ASKER CERTIFIED SOLUTION
rpggamergirl
No security scanners will completely run because this rootkit also has a driver that kills security scanners (it calls ExitProcess on the scanner) and resets the ACL settings, rendering the file unusable unless you manually set it back to the correct ACL.

Apparently Gmer sees the random number service at HKLM\System\ControlSet002\12345678, which can be deleted.
ZA also creates below folder/files:
c:\windows\$NtUninstallKB6522$
C:\Windows\Assembly\GAC_MSI\Desktop.ini
.\globalroot\Device\svchost.exe

There are mixed reports about which scanners can completely remove this or not, but I would just run them all, starting with ComboFix since CF is supposedly able to fix this.
Just a note about ZeroAccess root kit and CF. I've had 2 PCs in the shop recently with ZA root kit and CF removed it in both cases.
Ran ComboFix and AntiZero access.
AntiZero access reports everything good.
Combo Fix log attached.
Working on ACLs now.
CFlog.txt
Slightly different strain of ZA rootkit; it created a slightly different folder.

When you're done with resetting ACL, check to make sure that "userinit.exe" is present in the system32 folder. And if userinit.exe is present then you can change the value of userinit under winlogon key to point to --> c:\windows\system32\userinit.exe
at the moment, CF made it point to explorer.exe instead.

You are familiar with editing the registry right? If not, then we can create a regfile that you can merge with your registry.
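An added audit script (not from this thread, and not ComboFix's or Malwarebytes' own code) that checks the three things rpggamergirl describes above: the Winlogon Userinit value and whether userinit.exe is actually present, the folder/file indicators she lists, and Deny ACEs on mbam.exe that stop the scanner from launching. It assumes XP SP3 with PowerShell 2.0 installed and an elevated prompt; the stock XP Userinit value carries a trailing comma.

```powershell
# Added example, not from the thread. Assumes XP SP3 + PowerShell 2.0, run elevated.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = 'C:\WINDOWS\system32\userinit.exe,'   # stock XP value; note the trailing comma

# 1. Userinit must point at the real userinit.exe, and that file must exist.
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$present  = Test-Path (Join-Path $env:SystemRoot 'system32\userinit.exe')
Write-Host "Userinit value : $userinit"
Write-Host "userinit.exe   : $(if ($present) { 'present' } else { 'MISSING' })"
if ($present -and ($userinit -ne $expected)) {
    Write-Host 'Userinit differs from the stock value; to restore it run:'
    Write-Host "  Set-ItemProperty -Path '$winlogon' -Name Userinit -Value '$expected'"
}

# 2. Paths the thread lists as created by this ZeroAccess strain.
$indicators = @(
    (Join-Path $env:SystemRoot '$NtUninstallKB6522$'),
    (Join-Path $env:SystemRoot 'Assembly\GAC_MSI\Desktop.ini')
)
foreach ($p in $indicators) {
    if (Test-Path $p) { Write-Host "Indicator present: $p" }
}

# 3. The rootkit leaves Deny ACEs on scanner binaries so they cannot be started.
#    Report and strip any explicit Deny entries so the scanner can run again.
$scanners = @("C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe")
foreach ($exe in $scanners) {
    if (-not (Test-Path $exe)) { Write-Host "Not installed: $exe"; continue }
    $acl  = Get-Acl -Path $exe
    $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    if ($deny) {
        foreach ($ace in $deny) {
            Write-Host "Removing Deny ACE for $($ace.IdentityReference) on $exe"
            $acl.RemoveAccessRule($ace) | Out-Null
        }
        Set-Acl -Path $exe -AclObject $acl
    } else {
        Write-Host "No Deny ACEs on $exe"
    }
}
```

The ACL repair only sticks once the driver that keeps resetting it is gone, which is why the thread runs ComboFix before fixing ACLs and the Userinit value.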
@rpg & willcomp -
Thank you for jumping in here.
I haven't seen this one yet, but when it comes into the shop, I will now know how to attack it.

Good stuff!
Registry edited as you suggested.
As I mentioned in the original post, I uninstalled WinMaximizer before trying to fix anything.  Now receiving an error message on start up "WinMaximizer Your installation is corrupt or damaged!  Please reinstall."
Found nothing in system configuration utility start up or in services.msc.
Searched winmaximizer.  Deleted all scheduled tasks and folders found.  Reboot of computer was clean.
Now having an issue with downloading McAfee updates.  Screen shot is attached.
Research shows that subscription is valid until November 2012.  No issues with IP settings and I am able to successfully ping their download site as suggested here https://community.mcafee.com/thread/23148
Do I need to follow up with McAfee on this?
I was able to successfully run Malwarebytes.  It found a number of items in system restore that it wants to fix.  It also listed items in the combofix quarantine.  Will I be creating a problem if I select fix all?


McAfee.doc
It was very wise that you uninstalled WinMaximizer. That program was no good.

The files that Mbam detected in the qoobox folder and in the System Volume Information are all harmless while in that folder, so it doesn't really matter if you fix them now or later on when everything's fine.

You can also get rid of them later on by flushing the System restore and when you uninstall CF.
I'm not sure about the McAfee update error, perhaps they have a fairly good idea what caused it.


Instructed end user on how she may have accidentally installed WinMaximizer.  She is the only user and says that she did not know how it got installed.
I will be contacting McAfee directly regarding the update issue as I have not been able to correct it through Internet research.  It is not clear if no virus definition updates for McAfee was the beginning of the problem or if ZeroAccess disabled the update process somehow.
I will follow your instructions regarding flushing System Restore and then uninstall CF.
I had to uninstall/reinstall the McAfee software with McAfee tech support.  McAfee is now functioning correctly.
I have flushed System Restore.  
Are there specific instructions that I should follow to uninstall CF or can it be removed using add/remove programs?
Go to Start > Run
Type in
combofix /uninstall
Interesting...Windows cannot find combofix
Probably because I ran CF from a CD.
Thank you!
Great information rpggamergirl!  Thanks.  When do the EE shirts come out with your name on them?  ;-)
"Windows cannot find combofix"

That could be why.


@ samiam41:
Nice thought, but no one would want to wear them, lol.
Though it would be a good idea if EE shirts had the Expert's name on them to make them more special.