
Malware setting anti-malware app file permissions to nothing!


15 replies to this topic

#1 Michael211 (Members, 11 posts)

Posted 30 September 2010 - 10:57 PM

I'm about to pull my hair out here! I've been working this problem for 2 days now, and have Googled every which way to find out what's on this PC with WinXP Home + SP3.... there is some kind of trojan virus on it that prevents anything from scanning the hard drives (ergo, I can install anti-malware software including HijackThis, Malwarebytes' Anti-Malware app, and even Microsoft's MRT.exe, but as soon as ANY of them begin a scan of the system they are terminated and their exe file has its permissions reset to Everyone ONLY, and apparently this thing has set the policy for the Everyone Group to NOBODY). Once this occurs, I can't run the program again as I no longer have permission to do so.... in Safe mode, I can reset the executable permissions back to Administrators Full Control and run the anti-malware exe again, only to have it terminated and its permissions again reset... this thing's killing me!

I tried RKill to no effect either, whatever this thing is the most current RKill doesn't recognize it apparently.

I've read on these forums of others who've experienced similar problems, so I know I'm not alone... what nobody else on the internet seems to have figured out though is WHY their anti-malware app goes "Poof!" seconds after it starts scanning the system for malware. There is something, some virus in memory which I cannot locate, which is changing the security permissions of any program that tries to scan the system, effectively revoking your user account and Administrators in general from being able to use the anti-malware app anymore! This is why once the app disappears while scanning, you can no longer re-start the app.... you no longer have permissions to do so. If you uninstall the app (Malwarebytes' Anti-Malware app for instance) you can then re-install it and run it again (only to have the cycle repeat and the file permissions revoked again), or you can click on the anti-malware main exe file's properties in Safe mode and then select Security and Add the Administrators group back to the file with full permissions and click Ok and run it again. I don't read where anybody else has noticed this fact!

Also, the file name and extension is irrelevant.... I tried changing the anti-malware programs (both Malwarebytes' Anti-Malware exe and Microsoft's MRT.exe) to other names and .com extensions and the same locking down of permissions on the file occurs seconds after they start scanning the PC... this bugger is looking for activity, not names!

Finally tonight just now, I was moving files from a thumb drive to the PC's hard drive several at a time when Poof! there went Explorer.exe.... no desktop, no icons, no task bar, no right-click window, nothing. It (whatever it is) apparently thought the Explorer.exe file transfers were "anti-malware activity" (which, they kinda are since that's my goal here) and it locked down the permissions on Explorer.exe so that now the desktop won't run and I can't even create a New Task for explorer.exe with Task Manager (which I can still get to run by pressing Ctrl-Alt-Delete)... this is nuts!

Trying to start a New Task of explorer.exe, I now get the dreaded "Windows cannot access the specified device path or file. You may not have the appropriate permissions to access the item." message. This is the same exact error message so many are getting when they try to run Malwarebytes' Anti-Malware... we no longer have permissions to the main application file.

Anybody have any ideas what to do with this PC at this point? Both the Owner account and the Administrator account (in Safe mode) are no longer able to have a desktop; permissions for the explorer.exe file have evidently been revoked (all I had running, all I was doing, was copying files with Explorer when the desktop went Poof! and was gone, so I feel certain that THIS virus looks for disk activity and uses that as an indicator that something is trying to get rid of it, and it zaps the offending program's security permissions away; Windows then instantly kills the running process since my accounts suddenly no longer have permission to run the program file).

Malwarebytes' Anti-Malware, Spyhunter, Microsoft MRT.exe, all are useless against this thing... as soon as they start scanning the computer, this thing zaps their Security permissions away.

ps. I'm a degreed BSCS software developer and long time Windows user, and I've cleaned off malware on numerous PC's over the past decade or so.... I'm no newbie, this thing has me totally perplexed though. This malware is getting to the spooky level now!

I'm open to ideas though.

- Michael


#2 Michael211 (Topic Starter, Members, 11 posts)

Posted 30 September 2010 - 11:36 PM

Well, I went and sat and thought about it for a few minutes... then came back to the PC, started up Safe mode with Command Prompt, and used the command window to manually launch System Restore and restored the computer back to a checkpoint it had made earlier today BEFORE the desktop went Poof!

To my immense relief, System Restore apparently tracks changes to file permissions as well and it reset the explorer.exe file permissions back and upon restarting the PC I had a desktop with all the trimmings again finally.

However, the virus or whatever it is still remains of course (there are no restore points beyond today, as the virus or 1 of its many friends I already removed from this PC today had disabled System Restore and deleted all the restore points it might have had already).

I don't know where to go from this point with this PC... perhaps it's a dead horse and just needs to be reformatted, idk.

- Michael

#3 it.slacker (Members, 1 post)

Posted 01 October 2010 - 08:58 AM

I have also come across the same symptoms when cleaning a computer this week. I keep resetting the permissions by command line, i.e. Ctrl+Shift+Esc for the Task Manager window and then running cmd, then running cacls c:\path\to\explorer.exe /G Username:F to add full access to the process. This will allow you access to the GUI. I am currently making a CD-ROM of portable apps to run to see if they can get any information / remove anything.

#4 Michael211 (Topic Starter, Members, 11 posts)

Posted 01 October 2010 - 11:48 AM

Removing the patient PC's hard drive and attaching it as a secondary drive to my main PC here yesterday, I was able to scan the drive using AVG (latest update) and removed some 260 infections from the patient PC's drive that way... it was a mess. When the strange "security pop-ups" began last Friday evening, my mother turned off the monitor and just left the PC sitting there all weekend running and attached to high speed internet. It apparently downloaded on its own most every piece of malware possible from the net! It was Tuesday before she called me to take a look at her PC. Grrrrrrr!

I'm trying to install AVG on it right now, I have it connected to the net for the moment while AVG downloads only, then I'll pull the cable again. When I'd tried installing AVG on it yesterday morning the install failed with an error about not being able to register some dll's it needed.... I since re-applied the full XP SP3, so perhaps that will have fixed something so AVG can install.... idk yet, but I'm trying it anyhow.

ps. I never knew Ctrl-Shift-Esc also brought up the Task Manager. That's a new one on me, but it seems to work exactly like Ctrl-Alt-Del does.

- Michael

#5 Michael211 (Topic Starter, Members, 11 posts)

Posted 01 October 2010 - 12:33 PM

AVG installed on the patient PC correctly this time... apparently re-applying the service pack for WinXP did fix something. It's scanning the computer now, and hasn't been affected by whatever malware it is that kills Malwarebytes' Anti-Malware and Microsoft's MRT.... so here's hoping AVG finds and removes SOMETHING!

- Michael

#6 Michael211 (Topic Starter, Members, 11 posts)

Posted 01 October 2010 - 01:08 PM

AVG didn't find anything after scanning the entire computer... so, what keeps resetting the security permissions on MRT.EXE and Malwarebytes' Anti-Malware files then? I'm confused... is this something Windows itself was configured to do by the viruses I removed from the drive yesterday, or is there still something malware-like that's still running on this PC?

Is it still infected, or is there still something active messing with the file permissions?

- Michael

#7 Michael211 (Topic Starter, Members, 11 posts)

Posted 01 October 2010 - 02:40 PM

Ok, Malwarebytes' Anti-Malware and Microsoft's MRT.exe and HijackThis all still go "Poof!" within seconds of starting a scan in Safe mode (and in normal mode as well of course), then cannot be re-launched because their file permissions have been restricted as per my initial post. AVG runs fine and finds no infections whatsoever.... I'm not sure what to think about this, some Windows configuration left over from the malware that I removed yesterday perhaps?

I've Googled this file permissions thingy every way I can think of but can't find where anyone else has documented Windows changing file permissions by itself automatically... plenty of explanations on how a user can or cannot change file permissions in WinXP Home Edition, but nothing about files having their permissions changed just by running the file.

Finally, I've been using the PC for an hour or two now connected to the net without any unusual behavior to speak of. IE works properly and loads the pages I direct it to without any unusual pop-ups or anything, and when I shut IE down there is no further "talking" going on with the net connection (the connection appears to be idle when I'm not browsing the web).

AVG is up and running and monitoring the computer.... I think I'm going to call this one ok, unless anybody has any other ideas for me to try???
I'm totally out of ideas here now. I made a new restore point, and am just going to let it sit connected all afternoon and if nothing unusual comes up and nobody has any better ideas I'm returning this pc to my mother's home office (she's calling me constantly about the thing... there was a time when she wouldn't even touch a computer and had no interest at all in them... ahhh, for the good old days! LOL!).

- Michael

#8 Michael211 (Topic Starter, Members, 11 posts)

Posted 04 October 2010 - 12:27 PM

> I have also come across the same symptoms when cleaning a computer this week. I keep resetting the permissions by command line, i.e. Ctrl+Shift+Esc for the Task Manager window and then running cmd, then running cacls c:\path\to\explorer.exe /G Username:F to add full access to the process. This will allow you access to the GUI. I am currently making a CD-ROM of portable apps to run to see if they can get any information / remove anything.


Well it happened again.... Disappearing Desktop, no access to explorer.exe.... and btw your cacls explorer.exe /G Administrator:F doesn't work (Access Denied, even in Safe Mode), I suspect because that would only grant Administrator Full Control BUT the Administrator account isn't even in the list of Accounts with access to the file in the permissions window (if I could get there at this point). Administrator (or the Administrators group) would need to be Added to the file permissions list before access rights can be altered.

Also, this PC "talks" a lot when plugged into the internet, even when nothing is going on (nothing user initiated, no browsing or checking e-mail, and Windows Update is turned off, yet it constantly "talks" online)... but AVG 9.0 still finds nothing when it scans the PC.

I'm stumped, I still feel there is something malware related behind this but I can't find anything (that won't disappear within seconds!) that can detect anything. Grrrrr!

- Michael

#9 Michael211 (Topic Starter, Members, 11 posts)

Posted 04 October 2010 - 01:01 PM

Update: I started a cmd window, deleted explorer.exe and then copied a fresh explorer.exe (from a thumb drive with a copy of explorer.exe taken from another XP system I have here) to \windows. This allows me to start explorer.exe again (without having to do a system restore from previous checkpoint)... yet, I now see that it's when I right-click the desktop (to get to Desktop Properties!) that whatever this thing is changes the file permissions on Explorer.exe file and the Desktop goes Poof!

I still can't run Malwarebytes' Anti-Malware nor Microsoft's MRT.exe programs (they go Poof! within seconds as their file permissions become restricted). Only AVG 9 will run on this computer, and it still doesn't find anything wrong.... this is crazy!

- Michael
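The restore-by-hand procedure from post #3 (cacls on explorer.exe), the Access Denied result reported in post #8, and the right-click trigger noted in post #9 can be combined into one script. This is an added example, not code from anyone in the thread. It audits the DACL on the three executables the thread names, takes ownership before re-granting Full Control (the owner of a file is always allowed to rewrite its DACL, which is why granting rights with cacls alone fails once Administrators have been removed from the ACL), and then polls the files so that the moment a DACL changes can be tied to what was just done on the machine. It assumes a Windows version with takeown.exe and icacls.exe (Vista and later; a stock XP Home install has neither, so there the fallback remains cacls /E /G plus the Security tab in Safe Mode), an elevated PowerShell session, and a Malwarebytes install path that is only a guess.

```powershell
# Added example for this thread, not code from any poster. Audits the DACL on
# the executables the thread reports losing their permissions, restores
# Administrators:Full Control, then watches the files so a DACL change can be
# matched to whatever the user just did (starting a scan, right-clicking the
# Desktop). Assumptions: Windows Vista or later with takeown.exe and icacls.exe
# (a stock XP Home install has neither; there the fallback is cacls /E /G plus
# the Security tab in Safe Mode), an elevated PowerShell 2.0+ session, and the
# Malwarebytes install path below, which is a guess.

$AdminsSid   = 'S-1-5-32-544'   # BUILTIN\Administrators
$SystemSid   = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
$EveryoneSid = 'S-1-1-0'        # Everyone
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl

$Targets = @(
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\system32\MRT.exe",
    "$env:ProgramFiles\Malwarebytes' Anti-Malware\mbam.exe"   # install path assumed
) | Where-Object { Test-Path -LiteralPath $_ }

function Get-Sddl {
    # SDDL of the file's security descriptor, or a marker if it cannot be read.
    # Reading a DACL needs READ_CONTROL, which the owner always has; if this
    # fails for an Administrator, the owner has been changed as well.
    param([string]$Path)
    try { (Get-Acl -LiteralPath $Path -ErrorAction Stop).Sddl }
    catch { "UNREADABLE: $($_.Exception.Message)" }
}

function Test-AdminFullControl {
    # True only if Administrators hold Full Control through Allow ACEs and no
    # Deny ACE targets Everyone or Administrators. Compares SIDs, not names,
    # so it behaves the same on non-English installs.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $allowed = 0
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($ace.AccessControlType -eq 'Deny' -and @($EveryoneSid, $AdminsSid) -contains $sid) {
            return $false
        }
        if ($ace.AccessControlType -eq 'Allow' -and $sid -eq $AdminsSid) {
            $allowed = $allowed -bor [int]$ace.FileSystemRights
        }
    }
    return (($allowed -band $FullControl) -eq $FullControl)
}

function Restore-AdminFullControl {
    # Take ownership first. The owner is implicitly granted WRITE_DAC, which is
    # why a plain cacls /G fails with Access Denied once Administrators have
    # been stripped from the ACL: no remaining ACE lets the caller rewrite the
    # DACL. Then drop Deny ACEs and re-grant Full Control to Administrators
    # and SYSTEM.
    param([string]$Path)
    & takeown.exe /F $Path /A | Out-Null
    & icacls.exe $Path /remove:d "*$EveryoneSid" "*$AdminsSid" | Out-Null
    & icacls.exe $Path /grant "*${AdminsSid}:F" "*${SystemSid}:F" | Out-Null
    return (Test-AdminFullControl -Path $Path)
}

function Watch-Dacl {
    # Poll each file's SDDL and print a timestamped line whenever it changes
    # (or becomes unreadable), so the change can be lined up with the action
    # that preceded it.
    param([string[]]$Paths, [int]$Seconds = 120)
    $last = @{}
    foreach ($p in $Paths) { $last[$p] = Get-Sddl -Path $p }
    $stop = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $stop) {
        foreach ($p in $Paths) {
            $now = Get-Sddl -Path $p
            if ($now -ne $last[$p]) {
                "{0:s}  DACL changed: {1}`n  was: {2}`n  now: {3}" -f (Get-Date), $p, $last[$p], $now
                $last[$p] = $now
            }
        }
        Start-Sleep -Milliseconds 500
    }
}

foreach ($t in $Targets) {
    $ok = Test-AdminFullControl -Path $t
    "{0}`n  owner: {1}`n  Administrators Full Control: {2}" -f $t, ((Get-Acl -LiteralPath $t -ErrorAction SilentlyContinue).Owner), $ok
    if (-not $ok) { "  restored: {0}" -f (Restore-AdminFullControl -Path $t) }
}
Watch-Dacl -Paths $Targets
```

Run it, then reproduce the trigger (start a scan, right-click the Desktop) while the watch loop is running. A timestamped change line that appears while no scanner is running is evidence of a live process rewriting the DACL rather than a static Windows setting; an "UNREADABLE" line means the owner was changed too, which is the case where cacls /G alone can never succeed.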

#10 Michael211 (Topic Starter, Members, 11 posts)

Posted 11 October 2010 - 12:42 PM

fyi: I ended up wiping the drive and re-installing WinXP. There simply was no way to undo whatever it was that the malware had left behind. Malwarebytes' Anti-Malware would not run, neither would Microsoft's MRT.exe tool, and right-clicking the Desktop (to get to the Desktop properties) would cause the Desktop to disappear (permissions for explorer.exe would be revoked). Whatever it was, it was revoking permissions to certain exe files (namely Malwarebytes' Anti-Malware MBAM.exe, MRT.exe and explorer.exe would have their file permissions revoked). I spent 2 weeks on this computer and couldn't stop this behavior even after AVG 9.0 (which was the only anti-malware product I could get to run successfully on the computer) found no further infections (it initially removed some 260 infections on this PC.... yeah it was bad!!!).

Malware on the internet has evidently gotten to the point where it's impossible to remove from an infected computer anymore. From here on out, I'm not even going to try... it's not worth all the hours spent, I'll just reformat and re-install Windows from now on.

Regards.

- Michael

#11 m1garand (Members, 27 posts)

Posted 11 October 2010 - 01:00 PM

Ah, it's not healthy to think that way; the malware could've likely been removed by one of the malware response team/moderators/BC advisors, but strangely none of them had posted at all in this topic...

#12 zcatnz (Members, 3 posts)

Posted 09 December 2010 - 04:45 AM

> Ah, it's not healthy to think that way; the malware could've likely been removed by one of the malware response team/moderators/BC advisors, but strangely none of them had posted at all in this topic...


I think I have an identical or very similar issue. Should I start a new thread or add to this one?

Symptoms; all AV and security software has been stopped and permissions changed so that it cannot be run.
Downloading and installing new software is not a problem, but when any AV or malware product attempts to scan the drive it is killed and the file permissions changed so that it can't be run.

There is nothing suspicious in the system tray. There are no 'fake AV' popups.


Things I've tried so far;

malwarebytes (in safemode with networking)

slave the drive to a linux machine and scan with avast (it keeps crashing each time?) and clamav (which found nothing),
and then the linux version of NOD32, which removed 9 files. Then two more after the problem was still not gone.

NOD32 has identified the two recurring files as Rootkit.Agent.NSF trojan and Win32/Kryptik.YQ trojan.

Tried various online scans

kaspersky's TDSSKiller

SDFix

TDSSremover

Combofix (won't even install, normal boot or safemode)

rootkitrevealer (killed during scan, as with most other programs)

Booting an install CD and running FIXMBR / FIXBOOT, THEN booting into safemode, then running TDSSremover


Not sure what else I can try?

#13 Michael211 (Topic Starter, Members, 11 posts)

Posted 09 December 2010 - 12:12 PM

Did you try right-clicking the Desktop to try to get to Desktop Properties? If doing that causes Explorer (i.e. the Desktop... all Desktop shortcuts and the Taskbar) to disappear, then it's the exact same malware I had encountered and could not remove/undo. I never found a solution, though I'd still be interested to know if a solution exists besides re-format and re-install Windows.

- Michael

#14 zcatnz (Members, 3 posts)

Posted 09 December 2010 - 07:02 PM

> Did you try right-clicking the Desktop to try to get to Desktop Properties? If doing that causes Explorer (i.e. the Desktop... all Desktop shortcuts and the Taskbar) to disappear, then it's the exact same malware I had encountered and could not remove/undo. I never found a solution, though I'd still be interested to know if a solution exists besides re-format and re-install Windows.
>
> - Michael



Not the same rootkit perhaps. I can get to desktop properties just fine.

Doing a scan with kaspersky's live CD next.

#15 Michael211 (Topic Starter, Members, 11 posts)

Posted 09 December 2010 - 07:59 PM

Well it sure sounds similar... I couldn't understand why it would revoke file permissions on Explorer.exe whenever I right-clicked the Desktop actually. Why would a malware program care if the user right-clicked the Desktop, after all? It was very very strange at any rate... I couldn't make any headway against it. I also took the hard drive out and slaved it to another computer and scanned it with everything I had available and nothing viral or malware was found (after the original infections I'd found were removed). I rather suspect the malware had set some setting in Windows itself that would revoke file permissions on certain kinds of files when executed.

- Michael



