Solved

spyware / rootkit or else? Cannot take ownership of new folder "quarantine" and cannot delete

Posted on 2009-05-16
Last Modified: 2013-12-04
Hi all!

I'm not totally ignorant when it comes to rootkits, spyware etc and I don't (yet) say I have one. Two scans (Panda, Comodo) didn't reveal viruses (going to try online F-Secure and McAfee as well), but I know that even rootkit revealers usually won't reveal that: rootkits (F-Secure blacklight didn't find any). This nightmare started out while researching why Apache didn't start anymore: http:Q_24412193.html.

Now, my current question where I'm a bit stuck on, is this: I tried to install Spyware Doctor and it gave me an error "Access Denied" while trying to create the quarantine folder (c:\users\Abel\AppData\Roaming\PC Tools\Spyware Doctor\Quarantine). So I went to that folder, and it wasn't created. I created it. Ran the installer again (as admin) and same error.

Now it gets funny: I went again to that directory, this time to delete it, and now I got Access Denied myself. I checked permissions: no ownership (!!???) and tried to regain ownership (tried several admin users) and failed with all, saying "access denied". I then tried it from the command prompt to be sure I wasn't crazy and still: access denied.

Know that I usually don't have problems taking over ownership of a file or a directory. In fact, I use the "remove ownership" trick sometimes to make sure occasional users don't accidentally remove secure files (it is just to prevent stupidity).

I'm on Windows Vista Business, and the following two commands should show you my problem clearly:

C:\>dir "Users\Abel\AppData\Roaming\PC Tools\Spyware Doctor" /b
quarantine

C:\>takeown -f "Users\Abel\AppData\Roaming\PC Tools\Spyware Doctor\quarantine"
ERROR: Access is denied.

Any help on how to search for what's going on here is appreciated. I will restart into safe mode to find out whether that will help. In the screenshot the advanced security settings


ScreenShot284.png
Question by:abel
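Before reaching for takeown or icacls on a folder that refuses ownership changes, it helps to collect the facts that usually explain the denial. The following is an added example, not code from the thread; it assumes an elevated PowerShell session on Windows, and its default path is the quarantine folder named in the question (the user's own %APPDATA%). The function name and output fields are my own.

```powershell
# Added example, not from the thread: gather the facts behind a takeown/icacls
# "Access is denied" before changing anything on the folder.
function Get-OwnershipDiagnosis {
    param(
        [string]$Path = (Join-Path $env:APPDATA 'PC Tools\Spyware Doctor\Quarantine')
    )
    $r = @{ Path = $Path }

    # 1. Existence and attributes. A reparse point (junction/symlink) carries the
    #    target's ACL, which is a common source of surprising denials.
    $item = Get-Item -Path $Path -Force -ErrorAction Stop
    $r.Attributes     = $item.Attributes.ToString()
    $r.IsReparsePoint = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0

    # 2. Security descriptor. Reading it needs READ_CONTROL; if that is denied or a
    #    filter driver blocks the open, record the error instead of guessing.
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
        $r.Owner = $acl.Owner
        $r.Aces  = @($acl.Access | ForEach-Object {
            '{0} {1}: {2}' -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights
        })
    } catch {
        $r.Owner = '<unreadable: ' + $_.Exception.Message + '>'
        $r.Aces  = @()
    }

    # 3. Token checks. takeown needs SeTakeOwnershipPrivilege in the current token.
    #    Under UAC a non-elevated admin shell does not carry it, so takeown reports
    #    "Access is denied" there too, even though the account is an administrator.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $r.IsElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $r.HasSeTakeOwnership = [bool]($privs |
        Where-Object { $_.'Privilege Name' -eq 'SeTakeOwnershipPrivilege' })

    # 4. Loaded file-system minifilters (antivirus/HIPS drivers). One of these can
    #    veto the open even when the ACL itself would allow it. The first two
    #    lines of fltmc output are the header and the dashed separator.
    $r.MiniFilters = @(fltmc filters | Select-Object -Skip 2 |
        ForEach-Object { ($_ -split '\s+')[0] } | Where-Object { $_ })

    New-Object PSObject -Property $r
}

Get-OwnershipDiagnosis | Format-List
```

If Owner comes back unreadable while IsElevated and HasSeTakeOwnership are both true, the block is not in the ACL but in whatever intercepts the open, and the MiniFilters list is the first place to look.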
30 Comments
 
LVL 16

Expert Comment

by:warturtle
Comment Utility
Hello,

Did you right-click on the installer and select 'Run as administrator' and then try to install it?? I am also going to suggest that you scan with the Kaspersky Online Scanner based at: http://www.kaspersky.co.uk/virusscanner and let us know what you find.

Hope it helps.

0
 
LVL 16

Expert Comment

by:warturtle
Comment Utility
Another suggestion is to download SubInACL.exe (http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en) file from Microsoft and use the script based at:

http://www.experts-exchange.com/Networking/Windows_Networking/Q_21903279.html

See the first post from Gary and do that on your system and the permissions error should be gone then.

0
 
LVL 39

Author Comment

by:abel
Comment Utility
Ok, I'll do the kaspersky (used to have it until it stopped working for vista, maybe they upgraded meanwhile). Just tried the unlocker http://ccollomb.free.fr/unlocker/ (unfortunately it is not as good as it used to be, it installs adware itself now: http://it.toolbox.com/blogs/paytonbyrd/beware-unlocker-187-26919) but it couldn't do anything either (it can rename / delete etc. on restart, but it didn't work).

I'll try that SubInACL too. Hold on.
0
 
LVL 16

Accepted Solution

by:
warturtle earned 450 total points
Comment Utility
Try the above things and let me know how it goes, if you still get problems then we can try installing SuperAntiSpyware (www.superantispyware.com) on there. Best to download a file and save with a completely different name and install and run it.

If all fails, we can run ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Download and save with a completely different name like jabba.exe and then disable your existing antivirus and firewall and run it. After ComboFix finishes running, it will create a log. Please send that log to us and download, install and run SuperAntiSpyware (www.superantispyware.com) on your PC. Re-enable your antivirus and firewall again.
0
 
LVL 39

Author Comment

by:abel
Comment Utility
k, so I tried all kinds of querying commands using SubInACL (very nice tool, I'll keep it) and did about the same with accesschk.exe from SysInternals. Got access denied all the way long. Then, after a cup of coffee (really!) I hit KeyUp in DOS to run the same command again for copy/pasting the results here and all of a sudden I received a list of access rights!

Well, I don't like magic of this kind and after years of experience, I usually know what's going on, but this time, I really don't have any clue. The only thing I can think of is that the ACL got corrupted and at some stage, Vista decided to fix it. Note that I didn't try any of the actions of SubInACL, I only queried.

Because of the 20 hours or so I spent on this, together with trying to find out what could have possibly stopped Apache from functioning, I want to go to the bottom, if possible. I tried to install ComboFix, but received the following error repeatedly:

[Window Title]
32788R22FWJFW\n.com
[Content]
Windows cannot find '32788R22FWJFW\n.com'. Make sure you typed the name correctly, and then try again.

Now, since I tried GMER for rootkit revealing and GMER didn't manage to shut down all my processes without crashing the system (without a blank list of processes apart from the really needed four, you won't find anything, is my experience with rootkits), I am starting to get really suspicious. There seem to be some dirty fishes around here but I cannot get the hang of them.

What I know:

  • regular tools (Comodo Firewall, netstat) do not show internet activity to anything other than my usual ports, and nothing when I'm away either
  • I may be looking in the wrong direction, maybe the system is sound, I am a very safe server and know my ways to prevent malware (i know, that's no guarantee)
  • I went back to a restore point quite far in history. I cannot guarantee that it was a safe point, but behavior of certain processes (apache, this quarantine dir) keeps me on alert
  • tried downadup worm by hand with removal tool, but from previous experience (friend of mine) I know that once it is active it cannot be found. Similar stealth worms do exist and may be the cause here.
In short, I do feel on one hand that I am chasing a ghost, on the other hand, there are simply too many little things that do not feel right....

ScreenShot286.png
0
 
LVL 39

Author Comment

by:abel
Comment Utility
hmm... when it installs, does it find trouble in memory and try to delete the trouble and then fail? This sounds fishy: http://www.threatexpert.com/files/n.com.html

hidec however seems safe(r): http://www.threatexpert.com/files/hidec.exe.html
0
 
LVL 16

Assisted Solution

by:warturtle
warturtle earned 450 total points
Comment Utility
Aha, I see what has happened here. Did you disable the internet security programs on your laptop before running ComboFix? ComboFix is treated as an unsafe application by lots of antiviruses and this is why it is required to disable them (unless the virus has been generous and has done it already ;-) ). It seems that your antivirus has tried to block ComboFix as soon as it starts running and this is why you get these messages.

I am going to suggest that you upload the below file on www.virustotal.com to be scanned by the antiviruses:

c:\32788r22fwjfw\n.com

If the antiviruses confirm that it's Sality or Virut, then you need to download the Sality Removal tool from: http://free.avg.com/virus-removal.ndi-67769

0
 
LVL 16

Expert Comment

by:warturtle
Comment Utility
A Kaspersky Online Scanner with 'Extended Databases' in the Scan Settings should tell us what is in there.
0
 
LVL 39

Author Comment

by:abel
Comment Utility
Yes, I meanwhile found out that Comodo Antivirus was the culprit there. Disabling Comodo Antivirus helped, of course. Funny thing is, whatever you do to disable Comodo Antivirus (from Comodo Security Center, via disabling the related services, to manually removing the driver files cmdhlp.sys, inspect.sys, cmdmon.sys and cmdguard.sys from system32) both Windows Security Alerts and ComboFix will still show an alert that Comodo Antivirus is still loaded.

Anyway, the trouble quarantine file is gone. My Apache is still not running (the reason I started this ghost chase) and the report from ComboFix (nice program!) does not show something that I should be worried about (yes, I do know how to read these reports and I do know when I don't understand it ;-)

Headbanging time :(
0
 
LVL 39

Author Comment

by:abel
Comment Utility
Conclusion so far: no malware, viruses, or other strange stuff. The odd behavior of the "quarantine" directory can be ascribed to the tool that I wanted to install, and Apache not running (http:Q_24412193.html) is most likely just a bug in Apache and not something external (though I would very much like to know what bug!).
0
 
LVL 16

Expert Comment

by:warturtle
Comment Utility
Have you installed any other application that could be interfering with Apache?? or using the same port as Apache? What error do you get when you try to start Apache? Have you seen the logs directory within Apache for more information or system logs (Start->eventvwr)?

Those pointers might help. Ah, by the way, have you done the Kaspersky scan? and did it say anything at all?
0
 
LVL 39

Author Comment

by:abel
Comment Utility
Kaspersky is still running (I needed to close it to try some of the other options). Nothing so far and it did the full C-drive without any trouble found.

Yes, all the basic, and quite some of the more advanced stuff has been checked (check out the other question, if you have Apache experience, any advice is welcome there). I am already that far that I have downloaded the sources and built it from scratch. There are no port conflicts (I tried the opposite: by creating a port conflict I know what behavior Apache shows when there is a conflict, and it does try to bind and throw an error then). The problem is: there are just very few errors to go on, it just cannot spawn the child process. And, unfortunately, no access violation as far as I can tell.
0
 
LVL 16

Expert Comment

by:warturtle
Comment Utility
Has your computer downloaded any Windows Updates recently?? or have you changed Apache installation recently? Updating Apache to the latest version (2.2.11) might give us a clue if its a problem with the Apache 2.2.

I am assuming that you've added Apache as a trusted application in Comodo Antivirus as well, unless that is the problem and the antivirus is intercepting the calls to spawn processes. You can try shutting down the antivirus and firewall and then try to start apache again.
0
 
LVL 39

Author Comment

by:abel
Comment Utility
Apache works again (version 2.2.11 btw, all my software is fully up-to-date)! Why? I'm not sure. If you can shed some light on this, it'll be much appreciated, as it is related to ComboFix which you suggested me:

The story: I went back to a restore point furthest back possible, as you know. This did not help. I ran ComboFix from this restore point. This did not seem to help, but after restart, some repairing of network connections (broken by ComboFix) and a new full delete and re-install (surely the twelfth today) of Apache did the trick and brought me in a euphoric mood first time in 40 hours.
 
 So, I was happy! Don't know what ComboFix fixed, it reported a whopping 6GB it freed (!) and a lot of other things of which most seemed harmless (well known registry entries etc), so it must have fixed something behind the scenes.
 
 Then, I went back to the most recent Restore Point, one just before this trouble started (which was after a tiny windows update indeed). This, not surprisingly, showed the same behavior for Apache again. I ran my previous schedule of actions (I wanted to know whether it was ComboFix or something else that had fixed it) and only after ComboFix (this time with a much larger log, mostly due to "other removals" from the recycle bin) it worked again. This time no broken network connection, but a restart was required though.

To me this sounds like the most plausible reason is that I was hijacked (or at least, some program tried to, but failed where it came to be successful, I use both an external and internal firewall, and the external did not show odd behavior in the logs, but I can be wrong).

I reran a full scan, until now only with Comodo, and it seems that it only found some false positives (pskill.exe of SysInternals,  NIRCMD.exe and NirCmd.cfexe of ComboFix, Tutorial.exe of Febooti Filetweak). This report seems equal to before all this.

Ideas are welcome, because knowing what happened can prevent this from happening again.

-- Abel --
0
 
LVL 39

Author Comment

by:abel
Comment Utility
One small thought: Might it be possible that some malware/trojware had been sitting around on my machine all along, that I only recently opened port 80 to the outside world, and that at some point (do note this sh*t only started after a restart!) a stealth program hijacked port 80, possibly with mapping it to some other port (port 80 was still free, apache could listen to it and netstat -a did not list it, you know) to open-up my pc from outside?
0
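The hypothesis above (port 80 reported free by netstat, yet something interfering with it) can be tested with a cross-view check: compare what user-mode tooling reports with what the TCP stack actually allows. This is an added example, not code from the thread; it assumes Windows with PowerShell and netstat, that Apache is stopped while it runs, and the function name and verdict strings are my own.

```powershell
# Added example, not from the thread: cross-view check for a hidden listener.
function Test-PortCrossView {
    param([int]$Port = 80)

    # View 1: user-mode tooling. Every netstat line whose local port is $Port,
    # in any state, plus the PIDs of the ones that are LISTENING.
    $lines = @(netstat -ano -p tcp | Where-Object { $_ -match "^\s*TCP\s+\S+:$Port\s+" })
    $listeningPids = @()
    foreach ($line in $lines) {
        if ($line -match "LISTENING\s+(\d+)\s*$") { $listeningPids += [int]$Matches[1] }
    }

    # View 2: ask the stack directly. SO_EXCLUSIVEADDRUSE makes the bind fail if
    # anything at all is bound to the port, whatever options that socket used.
    $listener = New-Object System.Net.Sockets.TcpListener([Net.IPAddress]::Any, $Port)
    $listener.ExclusiveAddressUse = $true
    $bindOk = $false; $bindError = $null
    try {
        $listener.Start()
        $bindOk = $true
        $listener.Stop()
    } catch {
        $bindError = $_.Exception.Message
    }

    # Reconcile the two views. Non-listening sockets on the port (TIME_WAIT,
    # CLOSE_WAIT) can legitimately refuse an exclusive bind, so they are treated
    # as "retry later" rather than as a discrepancy.
    $verdict =
        if ($bindOk -and $listeningPids.Count -eq 0) {
            'consistent: port is free'
        } elseif (-not $bindOk -and $listeningPids.Count -gt 0) {
            'consistent: port held by PID(s) ' + ($listeningPids -join ',')
        } elseif (-not $bindOk -and $lines.Count -gt 0) {
            'inconclusive: bind refused, only non-listening sockets on the port; retry later'
        } elseif (-not $bindOk) {
            'DISCREPANCY: bind refused but netstat shows nothing on the port'
        } else {
            'DISCREPANCY: netstat reports a listener but an exclusive bind succeeded'
        }

    New-Object PSObject -Property @{
        Port          = $Port
        NetstatLines  = $lines
        ListeningPids = $listeningPids
        BindSucceeded = $bindOk
        BindError     = $bindError
        Verdict       = $verdict
    }
}

Test-PortCrossView -Port 80 | Format-List
```

A DISCREPANCY verdict means the user-mode view and the stack disagree, which is exactly the symptom a hiding component produces; it is a reason to boot from clean media and rescan, not proof of infection by itself.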
 
LVL 16

Assisted Solution

by:warturtle
warturtle earned 450 total points
Comment Utility
That's good stuff! I don't think that ComboFix has freed up 6 GB of space, but rather it has fixed some registry entries which would notify Windows of how much free space is present. Some viruses would modify the registry entries to not allow Windows Updates, some others would change the settings for Windows Security Center to not monitor the antivirus status (if it has the latest definitions or not). I think you most likely had a rootkit in your PC which had hidden itself from everything (Comodo antivirus and firewall) but not from ComboFix.

The reason for port 80 to not show up in netstat can be a rootkit effect as well, because netstat, tracert, ping, etc. would see what the explorer would see. On some family computers which had rootkit infections, I tried to manually see the infected files in Windows Explorer, but they were never there, so they were like invisible to Windows Explorer. But the scanners were able to see them.

I can recommend 2 free tools that are very effective against malware - MalwareBytes Anti-Malware (www.malwarebytes.org) and SuperAntiSpyware (www.superantispyware.com). Both of them are extremely good and free as well (their paid version has a resident shield in the background, but the free version is fully functional with free updates as well). In some cases, I've also seen that MalwareBytes (MBAM) and SuperAntiSpyware (SAS) see an infection and try to remove it on a reboot, but fail to do so. At those times, running ComboFix and then running MBAM and/or SAS works wonderfully and removes the infections. ComboFix sometimes removes the rootkit files completely and sometimes, it removes the supporting files of the rootkit and it(the rootkit) becomes visible to MBAM/SAS scanners and they remove it then.

You might want to uninstall ComboFix as follows >

Start > Run > then type "ComboFix /u" (with no quotes, and space between x and / )
Then hit enter.  This will uninstall ComboFix, reset your clock settings, re-hide system hidden files, re-hide the file extensions and reset System Restore. Comodo will most likely complain about Application.NirCmd but click on allow. ComboFix is updated regularly and you should always have the latest version whenever you need it.

Hope it helps.
0
 
LVL 39

Author Comment

by:abel
Comment Utility
A few days further, I ran both tools, ran another few antivirus scans, both Kaspersky and Comodo (I really don't want to use McAfee or Norton/Symantec for obvious reasons) and haven't found anything (a few referring cookies, but that's all).

The way I look at it: something was (seriously) wrong, but it wasn't necessarily a malware program, it could just as well have been a genuine conflict, possibly caused by a driver or whatever low-level program, or possibly in the registry somewhere (many registry keys were reported fixed by ComboFix). I'm afraid I will never really know.

Is there anywhere a report of what ComboFix tries to fix on any normal run?

Btw: it did uninstall, but it did not revert my settings. But I'm not a complete noob, so that wasn't too big a deal.
0
 
LVL 16

Expert Comment

by:warturtle
Comment Utility
If you are able to post the ComboFix log as an attachment, perhaps it would shed more light on what was wrong with the computer and what did ComboFix get rid of. As a general statement, I can only say that ComboFix has a database of the possible places of where the virus could be present as well in registry, memory and the hard-disk and it looks for existing signatures to remove anything and produces a list of hidden files and possible registry entries which are out of ordinary and/or locked.

Even if ComboFix by itself doesn't remove the infection completely, it gives enough information to inform a user about any possible infections in their computer. And by using ComboFix Script, one can fix the problems that are still left on a PC.
0
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
<<<"Is there anywhere a report of what ComboFix tries to fix on any normal run?">>>

Combofix keeps a log and backup of all files/folders and registry entries that it removed so it can be restored if it mistakenly deleted legit files/reg entries, but since you already uninstalled it -  ALL is now gone(including its backup).

0
 
LVL 39

Author Comment

by:abel
Comment Utility
The logfile has been posted to ee-stuff. Apparently the auto-update feature for the question does not work. This is the direct link: https://filedb.experts-exchange.com/incoming/ee-stuff/7642-ComboFix.rar (the password to the file is your name, the ee-stuff site can be accessed with the EE credentials).

@rpggamergirl: thanks for the intel, but I made a copy of those files, of course, prior to deinstallation. Yet, the originals were not removed, so the /u is not as thorough as the program itself.
0
 
LVL 39

Author Comment

by:abel
Comment Utility
Btw: you don't have to look into these files, you (warturtle) have already put so much effort in this question, and many thanks for that! I would love to know what has happened, to prevent it in the future, but you don't have to take it too far.
0
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
<<<"I made a copy of those files, of course, prior to deinstallation.">>>

I don't quite understand what you meant above.
You're saying you made a copy of the files from Combofix quarantine folder?


 
<<<"Yet, the originals were not removed, so the /u is not as thorough as the program itself.">>>
What do you mean the originals were not removed?
I thought you wanted to know what files and what registry entries combofix had removed/fix? and to do that you have to look in CF qoobox folder but that folder is deleted when you uninstall combofix that's why I said it's gone.
0
 
LVL 39

Author Comment

by:abel
Comment Utility
Ah, well, you are right there and I actually made a copy of another folder, the one which contained the running copy, which was not removed (c:\32788R22WJFW.2.tmp). I remember now that I was angry with myself for removing the qoobox folder (using /u) without first making a copy (which I would've done normally). However, the report was placed in c:\combofix.txt and that was not removed with /u and that's what I sent.
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 50 total points
Comment Utility
The c:\combofix.txt is the log that shows the files that combofix had deleted among the files created, reg loading points etc...
Combofix.txt will not show the deleted reg entries and you cannot restore or undo anything. This log right now is no longer of use to you.

Whereas, the qoobox folder is the quarantine folder which makes it possible to restore any deleted files and restore any deleted registry entries, or undo any changes made by Combofix. This is a very important folder if you want to undo what combofix did.
That is why we don't rush users to uninstall combofix just in case... because after the user uninstalls combofix there are no backups to go back to, everything will be gone .... apart from the combofix.txt (which is of no use to the user when CF is gone)
0
 
LVL 39

Author Comment

by:abel
Comment Utility
Aha, thanks for the update. So, the log doesn't mean anything without the backups. I tried to restore (using some undelete program) but apparently ComboFix does not do half work. Much was recoverable, but not their qoobox folder.

Problem solved, won't know the cause, but at least all's running again. Thanks to you all for helping so far!
0
 
LVL 39

Author Closing Comment

by:abel
Comment Utility
Triple-A to warturtle for staying with me so long, and thanks to rpggamergirl too for the notes on the combofix deinstallation.
0
 
LVL 16

Expert Comment

by:warturtle
Comment Utility
Thanks, Abel for the feedback and rating. After your last comment, I decided to take a break from EE for a couple of hours and played some serious sports and then came back at it again :-). Feels good to be able to help.
0
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
<<"So, the log doesn't mean anything without the backups.">>
The log is only important to us while in the process of cleaning the system as it tells us a lot of what's installed what's running etc... the log also will show us the bad files reg entries(if any) which needs to be deleted using CF script function.
Afterwards, when the system is clean, the log is no longer needed.
0
 
LVL 39

Author Comment

by:abel
Comment Utility
>  the log also will show us the bad files reg entries(if any) which needs to be deleted using CF script function.

well, I didn't do anything else than running it, then do /u and then posting the log. I'm still curious about a possible cause of all this and whether there's still something wrong, possibly. I'll open up a related question with a pointer to this one, so you can have a look at the log, if you (still) want to ;-)


0