spyware / rootkit or else? Cannot take ownership of new folder "quarantine" and cannot delete

abel (asker, Netherlands):

Hi all!

I'm not totally ignorant when it comes to rootkits, spyware etc and I don't (yet) say I have one. Two scans (Panda, Comodo) didn't reveal viruses (going to try online F-Secure and McAfee as well), but I know that even rootkit revealers usually won't reveal that: rootkits (F-Secure blacklight didn't find any). This nightmare started out while researching why Apache didn't start anymore: http:Q_24412193.html.

Now, my current question where I'm a bit stuck on, is this: I tried to install Spyware Doctor and it gave me an error "Access Denied" while trying to create the quarantine folder (c:\users\Abel\AppData\Roaming\PC Tools\Spyware Doctor\Quarantine). So I went to that folder, and it wasn't created. I created it. Ran the installer again (as admin) and same error.

Now it gets funny: I went again to that directory, this time to delete it, and now I got Access Denied myself. I checked permissions: no ownership (!!???) and tried to regain ownership (tried several admin users) and failed with all, saying "access denied". I then tried it from the command prompt to be sure I wasn't crazy and still: access denied.

Know that I usually don't have problem taking over ownership of a file or a directory. In fact, I use the "remove ownership" trick sometimes to make sure occasional users don't accidentally remove secure files (it is just to prevent stupidity).

I'm on Windows Vista Business, and the following two commands should show you my problem clearly:

C:\>dir "Users\Abel\AppData\Roaming\PC Tools\Spyware Doctor" /b
quarantine

C:\>takeown -f "Users\Abel\AppData\Roaming\PC Tools\Spyware Doctor\quarantine"
ERROR: Access is denied.

Any help on how to search for what's going on here is appreciated. I will restart into safe mode to find out whether that will help. The screenshot shows the advanced security settings.


ScreenShot284.png
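Before concluding that an undeletable folder means a rootkit, a practitioner would first rule out the mundane causes of "Access is denied" on takeown: a non-elevated token under Vista UAC, a missing SeTakeOwnershipPrivilege, a reparse point, or an open handle from another process. The following PowerShell script is an added example written for this page, not code posted in the thread; it assumes an elevated PowerShell 2.0 prompt on Vista, the folder path from the question, and Sysinternals handle.exe on the PATH for the last step.

```powershell
# Added example (not from the thread): diagnose why takeown fails on an NTFS folder.
# Assumes an elevated PowerShell 2.0 on Vista; $Path defaults to the folder from the question.
param([string]$Path = "$env:APPDATA\PC Tools\Spyware Doctor\Quarantine")

# 1. Are we really elevated? Under UAC a member of Administrators gets a filtered
#    token unless the shell itself was started with "Run as administrator".
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Elevated token: $elevated"

# 2. takeown relies on SeTakeOwnershipPrivilege; SeBackup/SeRestore let you bypass
#    the DACL entirely. whoami /priv lists them with their enabled/disabled state.
whoami /priv | Select-String 'SeTakeOwnershipPrivilege', 'SeRestorePrivilege', 'SeBackupPrivilege'

# 3. Read the security descriptor. "Access denied" here means READ_CONTROL is
#    refused; an elevated admin holding SeTakeOwnershipPrivilege can still take
#    the object with takeown, so a failure in step 5 points past the DACL.
try {
    $acl = Get-Acl -Path $Path
    "Owner: $($acl.Owner)"
    $acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
} catch {
    "Get-Acl failed: $($_.Exception.Message)"
}

# 4. Attributes: a ReparsePoint attribute means this is a junction/symlink, not a
#    plain directory, and ownership/delete semantics differ.
Get-Item -Path $Path -Force | Select-Object Name, Attributes, CreationTime, LastWriteTime

# 5. Take ownership for the Administrators group (/A), recursively (/R), answering
#    prompts with Yes (/D Y); then grant Full Control by well-known SID so the
#    command is locale-independent. Non-zero exit codes are reported, not hidden.
takeown /F $Path /A /R /D Y
if ($LASTEXITCODE -ne 0) { "takeown failed with exit code $LASTEXITCODE" }
icacls $Path /grant "*S-1-5-32-544:(OI)(CI)F" /T
if ($LASTEXITCODE -ne 0) { "icacls failed with exit code $LASTEXITCODE" }

# 6. If everything above looks sane but delete still fails, something holds a handle
#    (assumes Sysinternals handle.exe is on PATH; -a shows all handle types, -u owning user).
handle.exe -a -u $Path
```

If steps 1 and 2 show an elevated token with SeTakeOwnershipPrivilege present and takeown still returns "Access is denied", the block is not coming from the file's DACL at all: a filter driver (antivirus self-protection, an installer's own minifilter) or a damaged security descriptor is a more likely explanation than a missing permission, which matches how this thread eventually resolved.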
warturtle (United Kingdom):

Hello,

Did you right-click on the installer and select 'Run as administrator' and then try to install it? I am also going to suggest that you scan with the Kaspersky Online Scanner based at: http://www.kaspersky.co.uk/virusscanner and let us know what you find.

Hope it helps.

Another suggestion is to download SubInACL.exe (http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en) file from Microsoft and use the script based at:

https://www.experts-exchange.com/questions/21903279/Changing-Registry-Permissions-with-SubInACL-exe.html

See the first post from Gary and do that on your system and the permissions error should be gone then.

abel (asker):

Ok, I'll do the Kaspersky one (used to have it until it stopped working for Vista, maybe they upgraded meanwhile). Just tried the Unlocker http://ccollomb.free.fr/unlocker/ (unfortunately it is not as good as it used to be, it installs adware itself now: http://it.toolbox.com/blogs/paytonbyrd/beware-unlocker-187-26919) but it couldn't do anything either (it can rename / delete etc. on restart, but it didn't work).

I'll try that SubInACL too. Hold on.
ASKER CERTIFIED SOLUTION
warturtle (United Kingdom):
[solution text only available to Experts Exchange members]
abel (asker):

Ok, so I tried all kinds of querying commands using SubInACL (very nice tool, I'll keep it) and did about the same with accesschk.exe from SysInternals. Got access denied all along. Then, after a cup of coffee (really!) I hit KeyUp in DOS to run the same command again for copy/pasting the results here and all of a sudden I received a list of access rights!

Well, I don't like magic of this kind and after years of experience, I usually know what's going on, but this time, I really don't have any clue. The only thing I can think of is that the ACL got corrupted and at some stage, Vista decided to fix it. Note that I didn't try any of the actions of SubInACL, I only queried.

Because of the 20 hours or so I spent on this, together with trying to find out what could have possibly stopped Apache from functioning, I want to get to the bottom of it, if possible. I tried to install ComboFix, but received the following error repeatedly:

[Window Title]
32788R22FWJFW\n.com
[Content]
Windows cannot find '32788R22FWJFW\n.com'. Make sure you typed the name correctly, and then try again.

now, since I tried GMER for rootkit revealing and GMER didn't manage to shut down all my processes without crashing the system (without a blank list of processes apart from the really needed four, you won't find anything, is my experience with rootkits), I am starting to get really suspicious. There seems to be some dirty fishes around here but I cannot get the hang of them.

What I know:

  • regular tools (Comodo Firewall, netstat) do not show internet activity to anything other than my usual ports, and nothing when I'm away either
  • I may be looking in the wrong direction, maybe the system is sound, I am a very safe server and know my ways to prevent malware (I know, that's no guarantee)
  • I went back to a restore point quite far in history. I cannot guarantee that it was a safe point, but behavior of certain processes (Apache, this quarantine dir) keeps me on alert
  • tried Downadup worm by hand with removal tool, but from previous experience (friend of mine) I know that once it is active it cannot be found. Similar stealth worms do exist and may be the cause here.
In short, I do feel on the one hand that I am chasing a ghost, on the other hand, there are simply too many little things that do not feel right....

ScreenShot286.png
abel (asker):

hmm... when it installs, does it find trouble in memory and try to delete the trouble and then fail? This sounds fishy: http://www.threatexpert.com/files/n.com.html

hidec however seems safe(r): http://www.threatexpert.com/files/hidec.exe.html
SOLUTION
warturtle (United Kingdom):
[solution text only available to Experts Exchange members]
A Kaspersky Online Scanner with 'Extended Databases' in the Scan Settings should tell us what is in there.
abel (asker):

Yes, I meanwhile found out that Comodo Antivirus was the culprit there. Disabling Comodo Antivirus helped, of course. Funny thing is, whatever you do to disable Comodo Antivirus (from Comodo Security Center, via disabling the related services, to manually removing the driver files cmdhlp.sys, inspect.sys, cmdmon.sys and cmdguard.sys from system32) both Windows Security Alerts and ComboFix will still show an alert that Comodo Antivirus is still loaded.

Anyway, the trouble quarantine file is gone. My Apache is still not running (the reason I started this ghost chase) and the report from ComboFix (nice program!) does not show something that I should be worried about (yes, I do know how to read these reports and I do know when I don't understand it ;-)

Headbanging time :(
abel (asker):

Conclusion so far: no malware, viruses, or other strange stuff. The odd behavior of the "quarantine" directory can be ascribed to the tool that I wanted to install and Apache not running (http:Q_24412193.html) is most likely just a bug in Apache and not something external (though I would very much like to know what bug!).

warturtle:

Have you installed any other application that could be interfering with Apache? or using the same port as Apache? What error do you get when you try to start Apache? Have you seen the logs directory within Apache for more information or system logs (Start->eventvwr)?

Those pointers might help. Ah, by the way, have you done the Kaspersky scan? and did it say anything at all?
abel (asker):

Kaspersky is still running (I needed to close it to try some of the other options). Nothing so far and it did the full C-drive without any trouble found.

Yes, all the basic, and quite some of the more advanced stuff has been checked (check out the other question, if you have Apache experience, any advice is welcome there). I am already that far that I have downloaded the sources and built it from scratch. There are no port conflicts (I tried the opposite: by creating a port conflict I know what behavior Apache shows when there is a conflict, and it does try to bind and throw an error then). The problem is: there are just very few errors to go on, it just cannot spawn the child process. And, unfortunately, no access violation as far as I can tell.

warturtle:

Has your computer downloaded any Windows Updates recently? or have you changed the Apache installation recently? Updating Apache to the latest version (2.2.11) might give us a clue if it's a problem with Apache 2.2.

I am assuming that you've added Apache as a trusted application in Comodo Antivirus as well, unless that is the problem and the antivirus is intercepting the calls to spawn processes. You can try shutting down the antivirus and firewall and then try to start apache again.
abel (asker):

Apache works again (version 2.2.11 btw, all my software is fully up-to-date)! Why? I'm not sure. If you can shed some light on this, it'll be much appreciated, as it is related to ComboFix which you suggested to me:

The story: I went back to a restore point furthest back possible, as you know. This did not help. I ran ComboFix from this restore point. This did not seem to help, but after restart, some repairing of network connections (broken by ComboFix) and a new full delete and re-install (surely the twelfth today) of Apache did the trick and brought me in a euphoric mood first time in 40 hours.
 
 So, I was happy! Don't know what ComboFix fixed, it reported a whopping 6GB it freed (!) and a lot of other things of which most seemed harmless (well known registry entries etc), so it must have fixed something behind the scenes.
 
 Then, I went back to the most recent Restore Point, one just before this trouble started (which was after a tiny windows update indeed). This, not surprisingly, showed the same behavior for Apache again. I ran my previous schedule of actions (I wanted to know whether it was ComboFix or something else that had fixed it) and only after ComboFix (this time with a much larger log, mostly due to "other removals" from the recycle bin) it worked again. This time no broken network connection, but a restart was required though.

To me this sounds like the most plausible reason is that I was hijacked (or at least, some program tried to, but failed where it came to be successful, I use both an external and internal firewall, and the external did not show odd behavior in the logs, but I can be wrong).

I reran a full scan, until now only with Comodo, and it seems that it only found some false positives (pskill.exe of SysInternals,  NIRCMD.exe and NirCmd.cfexe of ComboFix, Tutorial.exe of Febooti Filetweak). This report seems equal to before all this.

Ideas are welcome, because knowing what happened can prevent this from happening again.

-- Abel --
abel (asker):

One small thought: Might it be possible that some malware/trojware had been sitting around on my machine all along, that I only recently opened port 80 to the outside world, and that at some point (do note this sh*t only started after a restart!) a stealth program hijacked port 80, possibly by mapping it to some other port (port 80 was still free, Apache could listen on it and netstat -a did not list it, you know) to open up my PC from outside?
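The port-hijack hypothesis above is testable without trusting a single tool: compare what netstat reports for port 80 with what HTTP.sys has reserved and with an independent bind attempt at the socket layer. The script below is an added example written for this page, not something posted in the thread; it assumes an elevated PowerShell 2.0 on Vista (netstat -o and netsh http are built in) and uses only .NET and built-in commands.

```powershell
# Added example (not from the thread): cross-check who owns TCP port 80 on Vista.
# Assumes an elevated PowerShell 2.0; netstat, netsh and .NET sockets are built in.
$port = 80

# 1. What netstat reports: -a all sockets, -n numeric, -o owning PID.
#    Only the local-address column (second field) is matched, not the foreign one.
$matches80 = netstat -ano | Select-String "^\s*TCP\s+\S+:$port\s"
foreach ($m in $matches80) {
    $fields   = ($m.Line -split '\s+') | Where-Object { $_ }
    $ownerPid = [int]$fields[-1]
    $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    $procPath = if ($proc) { $proc.Path } else { '<PID has no visible process: hidden or exited>' }
    "{0,-24} {1,-12} PID {2,-6} {3}" -f $fields[1], $fields[3], $ownerPid, $procPath
}
if (-not $matches80) { "netstat: nothing on TCP port $port" }

# 2. HTTP.sys can hold port 80 on behalf of services (IIS, WebDAV, Windows Activation,
#    SQL Reporting) and that shows up as PID 4 / System in netstat, not as the
#    service itself. These list URL reservations and live registrations.
"--- HTTP.sys URL reservations for :$port ---"
netsh http show urlacl | Select-String ":$port/"
"--- HTTP.sys request queues mentioning $port ---"
netsh http show servicestate view=requestq verbose=no | Select-String "$port"

# 3. Independent bind test: ask the kernel directly instead of trusting netstat's
#    user-mode view. If step 1 shows the port free but this fails with
#    "address already in use", something netstat could not (or was not allowed to)
#    show is holding it; that is the case the hijack hypothesis predicts.
$listener = New-Object System.Net.Sockets.TcpListener ([System.Net.IPAddress]::Any, $port)
try {
    $listener.Start()
    "bind test: TCP port $port is free at the socket layer"
    $listener.Stop()
} catch [System.Net.Sockets.SocketException] {
    "bind test: TCP port $port NOT bindable: $($_.Exception.Message)"
}
```

A port that binds cleanly in step 3 while Apache still cannot serve is not a port-ownership problem at all, which matches the asker's observation that Apache could listen but failed while spawning its child process. Conversely, a bind failure with an empty netstat listing is the one result that would justify treating the box as compromised rather than misconfigured.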
SOLUTION
[solution text only available to Experts Exchange members]
abel (asker):

A few days further, I ran both tools, ran another few antivirus scans, both Kaspersky and Comodo (I really don't want to use McAfee or Norton/Symantec for obvious reasons) and haven't found anything (a few referring cookies, but that's all).

The way I look at it: something was (seriously) wrong, but it wasn't necessarily a malware program, it could just as well have been a genuine conflict, possibly caused by a driver or whatever low-level program, or possibly in the registry somewhere (many registry keys were reported fixed by ComboFix). I'm afraid I will never really know.

Is there anywhere a report of what ComboFix tries to fix on any normal run?

Btw: it did uninstall, but it did not revert my settings. But I'm not a complete noob, so that wasn't too big a deal.
warturtle:

If you are able to post the ComboFix log as an attachment, perhaps it would shed more light on what was wrong with the computer and what ComboFix got rid of. As a general statement, I can only say that ComboFix has a database of the possible places where a virus could be present in the registry, memory and the hard disk, and it looks for existing signatures to remove anything and produces a list of hidden files and possible registry entries which are out of the ordinary and/or locked.

Even if ComboFix by itself doesn't remove the infection completely, it gives enough information to inform a user about any possible infections in their computer. And by using ComboFix Script, one can fix the problems that are still left on a PC.
rpggamergirl:
<<<"Is there anywhere a report of what ComboFix tries to fix on any normal run?">>>

Combofix keeps a log and backup of all files/folders and registry entries that it removed so it can be restored if it mistakenly deleted legit files/reg entries, but since you already uninstalled it -  ALL is now gone(including its backup).

abel (asker):

The logfile has been posted to ee-stuff. Apparently the auto-update feature for the question does not work. This is the direct link: https://filedb.experts-exchange.com/incoming/ee-stuff/7642-ComboFix.rar (the password to the file is your name, the ee-stuff site can be accessed with the EE credentials).

@rpggamergirl: thanks for the intel, but I made a copy of those files, of course, prior to deinstallation. Yet, the originals were not removed, so the /u is not as thorough as the program itself.
abel (asker):

Btw: you don't have to look into these files, you (warturtle) have already put so much effort in this question, and many thanks for that! I would love to know what has happened, to prevent it in the future, but you don't have to take it too far.
rpggamergirl:

<<<"I made a copy of those files, of course, prior to deinstallation.">>>

I don't quite understand what you meant above.
You're saying you made a copy of the files from the ComboFix quarantine folder?

<<<"Yet, the originals were not removed, so the /u is not as thorough as the program itself.">>>
What do you mean the originals were not removed?
I thought you wanted to know what files and what registry entries ComboFix had removed/fixed? And to do that you have to look in the CF qoobox folder, but that folder is deleted when you uninstall ComboFix; that's why I said it's gone.
abel (asker):

Ah, well, you are right there and I actually made a copy of another folder, the one which contained the running copy, which was not removed (c:\32788R22WJFW.2.tmp). I remember now that I was angry with myself for removing the qoobox folder (using /u) without first making a copy (which I would've done normally). However, the report was placed in c:\combofix.txt and that was not removed with /u and that's what I sent.
SOLUTION
[solution text only available to Experts Exchange members]
abel (asker):

Aha, thanks for the update. So, the log doesn't mean anything without the backups. I tried to restore (using some undelete program) but apparently ComboFix does not do half work. Much was recoverable, but not their qoobox folder.

Problem solved, won't know the cause, but at least all's running again. Thanks to you all for helping so far!
abel (asker):

Triple-A to warturtle for staying with me so long, and thanks to rpggamergirl too for the notes on the combofix deinstallation.
warturtle:

Thanks, Abel for the feedback and rating. After your last comment, I decided to take a break from EE for a couple of hours and played some serious sports and then came back at it again :-). Feels good to be able to help.

rpggamergirl:
<<"So, the log doesn't mean anything without the backups.">>
The log is only important to us while in the process of cleaning the system as it tells us a lot of what's installed what's running etc... the log also will show us the bad files reg entries(if any) which needs to be deleted using CF script function.
Afterwards, when the system is clean, the log is no longer needed.
abel (asker):

>  the log also will show us the bad files reg entries(if any) which needs to be deleted using CF script function.

well, I didn't do anything else then running it, then do /u and then posting the log. I'm still curious about a possible cause of all this and whether there still's something wrong, possibly. I'll open up a related question with a pointer to this one, so you can have a look at the log, if you (still) want to ;-)