spyware / rootkit or else? Cannot take ownership of new folder "quarantine" and cannot delete

Another suggestion is to download SubInACL.exe (http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en) file from Microsoft and use the script based at:

http://www.experts-exchange.com/Networking/Windows_Networking/Q_21903279.html

See the first post from Gary and do that on your system and the permissions error should be gone then.

Ok, I'll do the kaspersky (used to have it until it stopped working for vista, maybe they upgraded meanwhile). Just tried the unlocker http://ccollomb.free.fr/unlocker/ (unfortunately it is not as good as it used to be, it installs adware itself now: http://it.toolbox.com/blogs/paytonbyrd/beware-unlocker-187-26919) but it couldn't do anything either (it can rename / delete etc. on restart, but it didn't work).

I'll try that SubInACL too. Hold on.

k, so I tried all kinds of querying commands using SubInACL (very nice tool, I'll keep it) and did about the same with accesschk.exe from SysInternals. Got access denied all the way long. Then, after a cop of coffee (really!) I hit KeyUp in DOS to run the same command again for copy/pasting the results here and all of a sudden I received a list of access rights!

Well, I don't like magic of this kind and after years of experience, I usually know what's going on, but this time, I really don't have any clue. The only thing I can think of is that the ACL got corrupted and at some stage, Vista decided to fix it. Note that I didn't try any of the actions of SubInACL, I only queried.

Because of the 20 hours or so I spent on this, together with trying to find out what could have possibly stopped Apache from functioning, I want to go to the bottom, if possible. I tried to install ComboFix, but received the following error repeatedly:

• regular tools (Comodo Firewall, netstat) do not show internet activity to anything other than my usual ports, and nothing when I'm away either 
• I may be looking in the wrong direction, maybe the system is sound, I am a very safe server and know my ways to prevent malware (i know, that's no guarantee) 
• I went back to a restore point quite far in history. I cannot guarantee that it was a safe point, but behavior of certain processes (apache, this quarantaine dir) keeps me on alert 
• tried downladup worm by hand with removal tool, but from previous experience (friend of mine) I know that once it is active it cannot be found. Similar stealth worms do exist and may be the cause here. 

hmm... when it installs, does it find trouble in memory and tries to delete the trouble and the fails? This sounds fishy: http://www.threatexpert.com/files/n.com.html

hidec however seems safe(r): http://www.threatexpert.com/files/hidec.exe.html

A Kaspersky Online Scanner with 'Extended Databases' in the Scan Settings should tell us what is in there.

Yes, I meanwhile found out that Comodo Antivirus was the culprit there. Disabling Comodo Antivirus helped, of course. Funny thing is, whatever you do to disable Comodo Antivirus (from Comodo Security Center, via disabling the related services, to manually removing the driver files cmdhlp.sys, inspect.sys, cmdmon.sys and cmdguard.sys from system32) both Windows Security Alerts and ComboFix will still show an alert that Comodo Antivirus is still loaded.

Anyway, the trouble quarantine file is gone. My Apache is still not running (the reason I started this ghost chase) and the report from ComboFix (nice program!) does not show something that I should be worried about (yes, I do know how to read these reports and I do know when I don't understand it ;-)

Headbanging time :(

Conclusion so far: no malware, viruses, or other strange stuff. The odd behavior of "quarantine" directory can be subscribed the tool that I wanted to install and Apache not running (http:Q_24412193.html) is most likely just a bug in Apache and not something external (though I would very much like to know what bug!).

Have you installed any other application that could be interfering with Apache?? or using the same port as Apache? What error do you get when you try to start Apache? Have you seen the logs directory within Apache for more information or system logs (Start->eventvwr)?

Those pointers might help. Ah, by the way, have you done the Kaspersky scan? and did it say anything at all?

Kaspersky is still running (I needed to close it to try some of the other options). Nothing so far and it did the full C-drive without any trouble found.

Yes, all the basic, and quite some of the more advanced stuff has been checked (check out the other question, if you have Apache experience, any advice is welcome there). I am already that far that I have downloaded the sources and build it from scratch. There are not port conflicts (I tried the opposite: by creating a port conflict I know what behavior Apache shows when there is a conflict, and it does try to bind and throw an error then). The problem is: there's just very little errors to go on, it just cannot spawn the child process. And, unfortunately, no access violation as far as I can tell.

Has your computer downloaded any Windows Updates recently?? or have you changed Apache installation recently? Updating Apache to the latest version (2.2.11) might give us a clue if its a problem with the Apache 2.2.

I am assuming that you've added Apache as a trusted application in Comodo Antivirus as well, unless that is the problem and the antivirus is intercepting the calls to spawn processes. You can try shutting down the antivirus and firewall and then try to start apache again.

Apache works again (version 2.2.11 btw, all my software is fully up-to-date)! Why? I'm not sure. If you can shed some light on this, it'll be much appreciated, as it is related to ComboFix which you suggested me:

The story: I went back to a restore point furthest back possible, as you know. This did not help. I ran ComboFix from this restore point. This did not seem to help, but after restart, some repairing of network connections (broken by ComboFix) and a new full delete and re-install (surely the twelfth today) of Apache did the trick and brought me in a euphoric mood first time in 40 hours.

 So, I was happy! Don't know what ComboFix fixed, it reported a whopping 6GB it freed (!) and a lot of other things of which most seemed harmless (well known registry entries etc), so it must have fixed something behind the scenes.

 Then, I went back to the most recent Restore Point, one just before this trouble started (which was after a tiny windows update indeed). This, not surprisingly, showed the same behavior for Apache again. I ran my previous schedule of actions (I wanted to know whether it was ComboFix or something else that had fixed it) and only after ComboFix (this time with a much larger log, mostly due to "other removals" from the recycle bin) it worked again. This time no broken network connection, but a restart was required though.

To me this sounds like the most plausible reason is that I was hijacked (or at least, some program tried to, but failed where it came to be successful, I use both an external and internal firewall, and the external did not show odd behavior in the logs, but I can be wrong).

I reran a full scan, until now only with Comodo, and it seems that it only found some false positives (pskill.exe of SysInternals,  NIRCMD.exe and NirCmd.cfexe of ComboFix, Tutorial.exe of Febooti Filetweak). This report seems equal to before all this.

Ideas are welcome, because knowing what happened can prevent this from happening again.

-- Abel --

One small thought: Might it be possible that some malware/trojware had been sitting around on my machine all along, that I only recently opened port 80 to the outside world, and that at some point (do note this sh*t only started after a restart!) a stealth program hijacked port 80, possibly with mapping it to some other port (port 80 was stil free, apache could listen to it and netstat -a did not list it, you know) to open-up my pc from outside?

A few day further, I ran both tools, ran another few antivirus scans, both Kaspersky and Comodo (I really don't want to use McAfee or Norton/Symantec for obvious reasons) and haven't found anything (a few referring cookies, but that's all).

The way I look at it: something was (seriously) wrong, but it wasn't necessarily a malware program, it could just as well have been a genuine conflict, possibly caused by a driver or whatever low-level program, or possibly in the registry somewhere (many registry keys were reported fixed by ComboFix). I'm afraid I will never really know.

Is there anywhere a report of what ComboFix tries to fix on any normal run?

Btw: it did uninstall, but it did not revert my settings. But I'm not a complete noob, so that wasn't too big a deal.

If you are able to post the ComboFix log as an attachment, perhaps it would shed more light on what was wrong with the computer and what did ComboFix get rid of. As a general statement, I can only say that ComboFix has a database of the possible places of where the virus could be present as well in registry, memory and the hard-disk and it looks for existing signatures to remove anything and produces a list of hidden files and possible registry entries which are out of ordinary and/or locked.

Even if ComboFix by itself doesn't remove the infection completely, it gives enough information to inform a user about any possible infections in their computer. And by using ComboFix Script, one can fix the problems that are still left on a PC.

<<<"Is there anywhere a report of what ComboFix tries to fix on any normal run?">>>

Combofix keeps a log and backup of all files/folders and registry entries that it removed so it can be restored if it mistakenly deleted legit files/reg entries, but since you already uninstalled it -  ALL is now gone(including its backup).

The logfile has been posted to ee-stuff. Apparently there auto-update feature for the question does not work. This is the direct link: http://www.ee-stuff.com/Expert/Upload/getFile.php?fid=7642 (the password to the file is your name, the ee-stuff site can be accessed with the EE credentials).

@rpggamergirl: thanks for the intel, but I made a copy of those files, of course, prior to deinstallation. Yet, the originals were not removed, so the /u is not as thorough as the program itself.

Btw: you don't have to look into these files, you (warturtle) have already put so much effort in this question, and many thanks for that! I would love to know what has happened, to prevent it in the future, but you don't have to take it too far.

<<<"I made a copy of those files, of course, prior to deinstallation.">>>

I don't quite understand what you meant above.
You're saying you made a copy of the files from Combofix quarantine folder?

<<<"Yet, the originals were not removed, so the /u is not as thorough as the program itself.">>>

What do you mean the originals were not removed?
I thought you wanted to know what files and what registry entries combofix had removed/fix? and to do that you have to look in CF qoobox folder but that folder is deleted when you uninstall combofix that's why I said it's gone.

Ah, well, you are right there and I actually made a copy of another folder, the one which contained the running copy, which was not removed (c:\32788R22WJFW.2.tmp). I remember now that I was angry with myself for removing the qoobox folder (using /u) without first making a copy (which I would've done normally). However, the report was placed in c:\combofix.txt and that was not removed with /u and that's what I sent.

Aha, thanks for the update. So, the log doesn't mean anything without the backups. I tried to restore (using some undelete program) but apparently ComboFix does not do half work. Much was recoverable, but not their qoobox folder.

Problem solved, won't know the cause, but at least all's running again. Thanks to you all for helping so far!

Triple-A to warturtle for staying with me so long, and thanks to rpggamergirl too for the notes on the combofix deinstallation.

Thanks, Abel for the feedback and rating. After your last comment, I decided to take a break from EE for a couple of hours and played some serious sports and then came back at it again :-). Feels good to be able to help.

<<"So, the log doesn't mean anything without the backups.">>
The log is only important to us while in the process of cleaning the system as it tells us a lot of what's installed what's running etc... the log also will show us the bad files reg entries(if any) which needs to be deleted using CF script function.

Afterwards, when the system is clean, the log is no longer needed.

>  the log also will show us the bad files reg entries(if any) which needs to be deleted using CF script function.

well, I didn't do anything else then running it, then do /u and then posting the log. I'm still curious about a possible cause of all this and whether there still's something wrong, possibly. I'll open up a related question with a pointer to this one, so you can have a look at the log, if you (still) want to ;-)