Virus Enabled Read Only Attribute on Folders

charismatic100
I am working with a Dell desktop computer with XP Pro SP3 installed.  End user let antivirus subscription expire and is now experiencing all sorts of issues.
I uninstalled Win Maximizer and FileCure from her computer.
There are two exes on her desktop, null0.xxxxxxxxxxxxxxxx where x's are random numbers.
I installed malwarebytes.  15 seconds into a full scan, malwarebytes program exits.  Nothing malwarebytes related listed in Task Manager.  If you try to run malwarebytes again, receive "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe  Windows cannot access the specified device, path, or file.  You may not have the appropriate permissions to access the item."  Further investigation reveals that folders are marked read only.  Changing read only attribute is not persistent.  Attribute changes back to read only.
Unable to run online virus scans.  They begin and stop as well.
Unable to install anything from a CD/DVD receive access denied error message.
How should I proceed?
Author of the Year 2011
Top Expert 2006

Commented:
Really good EE Article on just this problem here:
http://www.experts-exchange.com/A_1995.html - IF YOU CAN'T RUN .EXES IN AN INFECTED SYSTEM:  
Author of the Year 2011
Top Expert 2006

Commented:
When fighting current malware variants, you need to keep in mind that many of them are running "rogue processes" which will stop even the best scanners from installing or functioning properly.

My personal favorite for stopping the rogues is "Rogue Killer", described here:
Rogue-Killer-What-a-great-name

Please take a few minutes and review the procedures in these EE Articles for more ideas on different methods you can use:
Basic Malware Troubleshooting
Stop-the-Bleeding-First-Aid-for-Malware

As noted, please post the "Logs" from any scanner you run and we will review them before taking further action.

Author

Commented:
Ran rkill.  Malwarebytes quits 6 seconds into full scan.
Ran Rogue Killer first time.  Malwarebytes quits 6 seconds into full scan.
Ran TDSSKiller which caused reboot to finish.  Malwarebytes quits 6 seconds into full scan.
Ran Rogue Killer second time.  Malwarebytes quits 6 seconds into full scan.
I am now able to run executable from a CD/DVD drive.  Still unable to run an executable from computer or Internet.
Rkill, RK1, TDSS and RK2 files attached

rkill.log
RKreport-1-.txt
TDSSKiller.2.5.14.0-06.08.2011-1.txt
RKreport-2-.txt

Author of the Year 2011
Top Expert 2006

Commented:
Are you running Malwarebytes immediately after running RogueKiller (no re-boot in between)?

Strange that you can run the executable for RK, but not for MBAM.

Since RogueKiller seems to be working properly, try downloading a new copy of MBAM - but use the "Save As" function to name it something like 'mb.exe' BEFORE it touches your computer.

You can also download it on a clean computer and copy (as mb.exe) to a USB stick...then copy it to the desktop of the infected computer.

Try running them both again after doing that.

Author

Commented:
In all cases ran mbam immediately after reboot.
Do I need to uninstall the current mbam now that it is installed?

Author

Commented:
My apologies.  Please disregard the previous post.  Mbam was run immediately after each process killer...no reboot in between.
Do I need to uninstall the current mbam before trying to run again?  I am unable to run mbam or any online virus scan.  Scan starts, then quits.
Top Expert 2007
Commented:
This rootkit is called ZeroAccess, I had this before and it took a while to remove; it also creates this folder c:\windows\$NtUninstallKB6522$
ComboFix is now supposed to remove it. It should run now after TDSSKiller, or just run it from a USB or a CD.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe 

STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

ComboFix tutorial:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



There's a tool for it, but doesn't always work.
Download AntiZeroAccess
http://anywhere.webrootcloudav.com/antizeroaccess.exe

Double click to run
Type y and press enter to run the scan


http://blog.webroot.com/2011/08/03/new-tool-released-kiss-or-kick-zeroaccess-goodbye/
"The free tool removes the rootkit but does not restore the Access Control Lists (ACLs) that have been modified by the rootkit. For that, you’ll probably want to use a free tool like SetACL, which can make software functional that ZeroAccess disabled by modifying its ACL."
Top Expert 2007

Commented:
No security scanner will completely run because this rootkit also has a driver that kills security scanners (it calls the scanner's ExitProcess) and resets the ACL setting, rendering the file unusable unless you manually set it back to the correct ACL.


Apparently Gmer sees the random number service at HKLM\System\ControlSet002\12345678, which can be deleted.
ZA also creates the below folder/files:
c:\windows\$NtUninstallKB6522$
C:\Windows\Assembly\GAC_MSI\Desktop.ini
.\globalroot\Device\svchost.exe

There are mixed reports about which scanners can completely remove this or not, but I would just run them all starting with ComboFix since CF is supposedly able to fix this.

Commented:
Just a note about ZeroAccess root kit and CF. I've had 2 PCs in the shop recently with ZA root kit and CF removed it in both cases.

Author

Commented:
Ran ComboFix and AntiZero access.
AntiZero access reports everything good.
Combo Fix log attached.
Working on ACLs now.
CFlog.txt
Top Expert 2007

Commented:
Slightly different strain of ZA rootkit; it created a slightly different folder.

When you're done with resetting ACL, check to make sure that "userinit.exe" is present in the system32 folder. And if userinit.exe is present then you can change the value of userinit under winlogon key to point to --> c:\windows\system32\userinit.exe
at the moment, CF made it point to explorer.exe instead.

You are familiar with editing the registry right? If not, then we can create a regfile that you can merge with your registry.
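The checks the experts describe above (the ZeroAccess artifact paths, the Winlogon Userinit value after ComboFix, and the ACL on mbam.exe that the rootkit resets) can be gathered in one read-only pass before touching the registry or ACLs. The script below is an added example, not posted by anyone in this thread and not part of any of the tools named here. It assumes PowerShell 2.0 on XP SP3, an elevated prompt, and the mbam.exe path quoted in the original question; it reports and changes nothing, so the ACL reset and registry edit remain manual steps as the thread describes.

```powershell
# Added example (not from the thread): read-only inventory of the ZeroAccess
# artifacts, the Winlogon Userinit value and the ACL on mbam.exe discussed above.
# Assumes PowerShell 2.0 on XP SP3 and an elevated prompt. Changes nothing.

$win = $env:SystemRoot

# Paths named in the thread. The .\globalroot\Device\svchost.exe entry is a
# device-namespace path that Test-Path cannot resolve, so it is not listed here.
$artifacts = @(
    (Join-Path $win '$NtUninstallKB6522$'),
    (Join-Path $win 'Assembly\GAC_MSI\Desktop.ini')
)

Write-Host "== Known ZeroAccess artifacts =="
foreach ($p in $artifacts) {
    if (Test-Path -LiteralPath $p) { Write-Host "PRESENT : $p" }
    else                           { Write-Host "absent  : $p" }
}

# Userinit must point at the real userinit.exe (stock value ends with a comma;
# the comparison below accepts it with or without the trailing comma).
Write-Host "== Winlogon Userinit =="
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$userinitExe = Join-Path $win 'system32\userinit.exe'
Write-Host "value    : $userinit"
Write-Host "expected : $userinitExe,"
if ($userinit.TrimEnd(',') -ieq $userinitExe) {
    Write-Host "OK"
} else {
    Write-Host "MISMATCH - review before changing (CF may have pointed it at explorer.exe)"
}
if (Test-Path -LiteralPath $userinitExe) {
    Write-Host "userinit.exe present: $userinitExe"
} else {
    Write-Host "userinit.exe MISSING - do not point Userinit at it until it is restored"
}

# ACL on the scanner binary the rootkit locks out. Path is the one quoted in
# the question; adjust $mbam if MBAM was installed elsewhere.
Write-Host "== ACL on mbam.exe =="
$mbam = 'C:\Program Files\Malwarebytes'' Anti-Malware\mbam.exe'
if (Test-Path -LiteralPath $mbam) {
    $acl = Get-Acl -Path $mbam
    Write-Host "owner    : $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        Write-Host ("{0,-6} {1,-30} {2}" -f $ace.AccessControlType, `
                    $ace.IdentityReference, $ace.FileSystemRights)
    }
    # A Deny entry, or no Allow for SYSTEM/Administrators, matches the
    # "Windows cannot access the specified device" symptom in the question.
    $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    if ($denies.Count -gt 0) {
        Write-Host "Deny ACEs present - reset the ACL (SetACL or cacls) before rerunning MBAM"
    }
    # The question notes the read-only attribute keeps reverting on folders.
    $attr = (Get-Item -LiteralPath (Split-Path $mbam) -Force).Attributes
    Write-Host "folder attributes: $attr"
} else {
    Write-Host "mbam.exe not found at $mbam"
}
```

Run it once before and once after the ACL reset and registry edit; the second run should show the expected Userinit value, no Deny entries on mbam.exe, and (if ComboFix did its job) the artifact paths absent.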
Author of the Year 2011
Top Expert 2006

Commented:
@rpg & willcomp -
Thank you for jumping in here.
I haven't seen this one yet, but when it comes into the shop, I will now know how to attack it.

Good stuff!

Author

Commented:
Registry edited as you suggested.
As I mentioned in the original post, I uninstalled WinMaximizer before trying to fix anything.  Now receiving an error message on start up "WinMaximizer Your installation is corrupt or damaged!  Please reinstall."
Found nothing in system configuration utility start up or in services.msc.
Searched winmaximizer.  Deleted all scheduled tasks and folders found.  Reboot of computer was clean.
Now having an issue with downloading McAfee updates.  Screen shot is attached.
Research shows that subscription is valid until November 2012.  No issues with IP settings and I am able to successfully ping their download site as suggested here https://community.mcafee.com/thread/23148
Do I need to follow up with McAfee on this?
I was able to successfully run Malwarebytes.  It found a number of items in system restore that it wants to fix.  It also listed items in the combofix quarantine.  Will I be creating a problem if I select fix all?


McAfee.doc

Author

Commented:
mbam log file attached.
mbam-log-2011-08-07--19-10-17-.txt
Top Expert 2007

Commented:
It was very wise that you uninstalled WinMaximizer. That program was no good.

The files that Mbam detected in the qoobox folder and in the System Volume Information are all harmless while in that folder, so it doesn't really matter if you fix them now or later on when everything's fine.

You can also get rid of them later on by flushing the System restore and when you uninstall CF.
I'm not sure about the McAfee update error, perhaps they have a fairly good idea what caused it.


Author

Commented:
Instructed end user on how she may have accidentally installed WinMaximizer.  She is the only user and says that she did not know how it got installed.
I will be contacting McAfee directly regarding the update issue as I have not been able to correct it through Internet research.  It is not clear if no virus definition updates for McAfee was the beginning of the problem or if ZeroAccess disabled the update process somehow.
I will follow your instructions regarding flushing System Restore and then uninstall CF.

Author

Commented:
I had to uninstall/reinstall the McAfee software with McAfee tech support.  McAfee is now functioning correctly.
I have flushed System Restore.  
Are there specific instructions that I should follow to uninstall CF or can it be removed using add/remove programs?

Commented:
Go to Start > Run
Type in
combofix /uninstall

Author

Commented:
Interesting...Windows cannot find combofix
Probably because I ran CF from a CD.

Author

Commented:
Thank you!

Commented:
Great information rpggamergirl!  Thanks.  When do the EE shirts come out with your name on them?  ;-)
Top Expert 2007

Commented:
"Windows cannot find combofix"

That could be why.


@ samiam41:
Nice thought, but no one would want to wear them, lol.
Though it would be a good idea if EE shirts will have the Expert's name on it to make it more special.
