Jump to content

Qoobox Persists

Recommended Posts

I thought this was 'too trivial' to post here but was sent here from the "General Malwarebytes' Anti-Malware Forum" where it was deemed inappropriate.

Posted Today, 10:25 AM

On 2 Nov 2011 Larry Tate walked me through a system cleaning process. I think that ComboFix left something behind. When I do a full log of my C:\ drive I encounter an error message "Access Denied [5] Coobox\BackEnv\*.*. I find I have to 'skip' it to complete the log. I did a quick Google search for "Coobox" and learned that it is the quarantine area used by ComboFix when it runs. Should it have been deleted when I uninstalled ComboFix? I think I followed the instructions to the letter.


Uploaded with ImageShack.us

Here is my DDS.txt


DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by John Baum at 13:54:12 on 2011-11-08


============== Running Processes ===============



============== Pseudo HJT Report ===============


uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

mRun: [GEST] c:\program files\gigabyte\gest\RUN.exe

mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe

mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"


mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [AutoTask] "c:\program files\autotask\AutoTask.exe" /STARTUP

mRun: [iAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

dRunOnce: [RunNarrator] Narrator.exe

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: intuit.com\ttlc

Trusted Zone: turbotax.com

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204766255656

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204766314453

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab

TCP: DhcpNameServer =

TCP: Interfaces\{EF779F53-A259-4983-BB69-E6D050A627B0} : NameServer =,

TCP: Interfaces\{EF779F53-A259-4983-BB69-E6D050A627B0} : DhcpNameServer =

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"


============= SERVICES / DRIVERS ===============


R? gupdate1c9829e187f717e;Google Update Service (gupdate1c9829e187f717e)

R? gupdatem;Google Update Service (gupdatem)

R? Lbd;Lbd

S? aswFsBlk;aswFsBlk

S? aswSnx;aswSnx

S? aswSP;aswSP

S? avast! Antivirus;avast! Antivirus

S? GEST Service;GEST Service for program management.

S? IAStorDataMgrSvc;Intel® Rapid Storage Technology



S? scsiscan;SCSI Scanner Driver

S? Secunia PSI Agent;Secunia PSI Agent

S? Secunia Update Agent;Secunia Update Agent


=============== Created Last 30 ================


2011-11-06 05:17:22 -------- d-----w- c:\program files\Omron Healthcare

2011-11-06 05:17:22 -------- d-----w- C:\Omron Healthcare

2011-11-02 22:50:07 -------- d-sha-r- C:\cmdcons

2011-11-02 22:44:25 98816 ----a-w- c:\windows\sed.exe

2011-11-02 22:44:25 518144 ----a-w- c:\windows\SWREG.exe

2011-11-02 22:44:25 256000 ----a-w- c:\windows\PEV.exe

2011-11-02 22:44:25 208896 ----a-w- c:\windows\MBR.exe

2011-10-29 19:52:35 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2011-10-29 19:52:35 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2011-10-29 19:52:35 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2011-10-29 19:52:35 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2011-10-29 19:52:35 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2011-10-29 19:52:35 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2011-10-29 19:52:35 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

2011-10-24 21:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-10-24 21:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-10-24 20:51:41 388096 ----a-r- c:\documents and settings\john baum\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe


==================== Find3M ====================


2011-11-08 15:33:02 16608 ----a-w- c:\windows\gdrv.sys

2011-10-18 14:56:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-03 12:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-10-03 09:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 20:45:29 41184 ----a-w- c:\windows\avastSS.scr

2011-09-06 20:38:05 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-09-01 00:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec

2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll


============= FINISH: 13:57:45.14 ===============

I've attached the "attach.zip" file, as requested.




Link to post
Share on other sites

Hello Larry,

Thank you for the prompt reply.

I tried to remove C:\QooBox but it persists because the subfolder, BackEnv is inaccessible. I get this error message:

Cannot delete BackEnv:Access Denied

Make sure the disk is not full or write-protected and that the file is not currently in use.

All I have open are a few SeaMonkey windows, 2 Word documents, and the Windows Explorer results of a search for Qoobox.

A curious thing happened when I ran the search. The Windows Explorer Find program seemed to go into an endless loop and find the same files over and over again until I stopped the routine. I had a similar experience yesterday or the day before. I was trying to install newly downloaded software for an Omron blood pressure apparatus and did a 'find' to locate the downloaded files. "Find" kept going round and round. I noticed that it was trying to check the floppy drive. That makes a brief noise. I can post an image via Imageshack if that will help. I hope this is not a 'bad sign.'

Thanks for your patience and help.


You can remove these leftover files and folders if listed:






Link to post
Share on other sites


Thank you for asking. I see there is still a copy there. Could I have installed two copies? I thought I followed your clean-up instructions carefully when you gave me a clean bill of health. I know I ran ComboFix /Uninstall in the runbox and it appeared to go to completion. Should I run it again? Will it rebel because I've deleted some of the files manually?



Link to post
Share on other sites


I just ran ComboFix /Uninstall and documented the process to Word. using screen dumps. I did not document every *.exe that Avast asked me to acknowledge. I shut down Avast when requested. The uninstall ran and ended in a ComboFix is uninstalled message in an Info drop-down box. I opened my desktop and the ComboFix icon is still there. Does it need to be manually deleted? If so, do I run the uninstall one more time after deleting it?



Link to post
Share on other sites


Since I put this together after my last post, here's Windows Explorer Search for C:\Combofix

I stopped the search when it started repeating itself. I documented it using screen-dumps to Photoshop and created a merged copy of what had accumulated.

It illustrates the 'repeating report' problem I noted above. Have you any idea what causes this, or does this go to some Windows XP forum?


Uploaded with ImageShack.us

I will try your above suggestion next.


Link to post
Share on other sites


Don't I need a more complex argument when I rename the ComboFix icon on the desktop.

I check a log of my C: drive and find that 9 files answer to the name "uninstall.exe."

I don't want to trigger the wrong one. Help me see how your suggestion will only attempt to uninstall ComboFix. Then I'll feel more comfortable trying the suggestion.



Link to post
Share on other sites


Here is a follow-up regarding uninstall.exe. I found these files using ZTree on my C:\ drive. I do not want to uninstall these programs. I don't understand how renaming the icon on the uninstall.exe will uninstall ComboFix instead of the files below.

Disk Volume: 11-09-11 13:43:49

Page 1 Available space 39,086,481,408 bytes

119,414 logged files using 34,370,012,661 bytes

7 tagged files using 782,549 bytes

Path: C:\Program Files\Belarc\Advisor1 tagged files using 164,864 bytes

9-28-01 17:00:28 164,864 .... Uninstall.exe

Path: C:\Program Files\Canon\IJ Manual\CANON IP4700 SERIES1 tagged files using 238,936 bytes

1-22-09 5:00:48 238,936 ra.. uninstall.exe

Path: C:\Program Files\CDex_1501 tagged files using 37,803 bytes

5-20-08 14:11:41 37,803 .... uninstall.exe

Path: C:\Program Files\CDex_150_New1 tagged files using 37,803 bytes

5-14-09 9:30:24 37,803 .a.. uninstall.exe

Path: C:\Program Files\Secunia\PSI1 tagged files using 208,039 bytes

1-12-11 15:47:11 208,039 .a.. Uninstall.exe

Path: C:\Program Files\ZTree1 tagged files using 47,775 bytes

5-29-11 20:33:14 47,775 .a.. uninstall.exe

Path: C:\Program Files\ZTreeOld_Ver11 tagged files using 47,329 bytes

6-23-08 20:45:46 47,329 .... uninstall.exe



Link to post
Share on other sites


Here is a best attempt at a ZTree catalog of Qoobox and Combofix files

I did a Google search on "32788R22FWJFW1" and learned that this may have been created when my first attempt at ComboFix aborted. Could this be causing problems? Can I just use ZTree to delete these, if I can access them?



Disk Volume: 11-09-11 14:06:34

Page 1 Available space 39,045,824,512 bytes

119,415 logged files using 34,370,014,077 bytes

6 tagged files using 4,566,972 bytes

Path: C:\1 tagged files using 16,527 bytes

11-02-11 15:05:46 16,527 .a.. ComboFix.txt

Path: C:\32788R22FWJFW1 tagged files using 236,032 bytes

8-30-00 16:00:00 236,032 .a.. ComboFix-Download.3XE

Path: C:\Documents and Settings\John Baum\Desktop1 tagged files using 4,280,796 bytes

11-02-11 14:41:47 4,280,796 .... ComboFix.exe

Path: C:\Documents and Settings\John Baum\Recent2 tagged files using 1,113 bytes

11-08-11 22:35:08 444 .a.. Qoobox .lnk

11-08-11 22:31:42 669 .a.. ComboFix-quarantined-files.txt.lnk

Path: C:\WINDOWS\Prefetch1 tagged files using 32,504 bytes

11-09-11 10:48:49 32,504 .a.. COMBOFIX.EXE-3B629577.pf

Link to post
Share on other sites


I used ZTree and deleted all the ComboFix associated files, I think.

When I log C:\ I still see Qoobox as a folder. When I log that folder I see a subfolder, BackEnv. Acess to that folder is denied. Without access neither folder can be deleted. Perhaps you have another trick?

Also, ZTree reveals the C:\32788R22FWJFW1 folder and its contents are still there. See the image below. One folder is at the top, the other just above the RECYCLER.


Uploaded with ImageShack.us



Link to post
Share on other sites

When I log C:\ I still see Qoobox as a folder. When I log that folder I see a subfolder, BackEnv. Acess to that folder is denied
That's by design. BackEnv is a backup you could run the the Recovery Console.

I don't know if you can Right Click on them and uncheck read only, then delete them.

Link to post
Share on other sites

This topic is now closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.