
c:\Qoobox\BackEnv Unable to Delete INFECTION???


8 replies to this topic

#1 fix0r (Members, 3 posts)

Posted 28 December 2010 - 10:15 PM

OK, I have used ComboFix as a panic button for a long time. And it's been working very well, and I know I have to delete the Qoobox folder after every run so next time I need it, it will run.

Now I got infected with something that opened multiple ports, 411 and 1411.

Now I cannot delete the Qoobox folder. I even booted to Hiren's MiniXP and cannot delete the folder; it is marked as read-only, and won't let me change its permissions at all.

Now I cannot run ComboFix to make sure this trojan/rootkit is dead.

I am unable to delete or even access the Qoobox\BackEnv directory. I have NEVER seen this BackEnv directory within Qoobox before.

Any information that might help will be gladly received.


Edited by fix0r, 28 December 2010 - 10:18 PM.



#2 quietman7 (Bleepin' Janitor, Global Moderator, 33,983 posts, Virginia, USA)

Posted 28 December 2010 - 11:46 PM

BackEnv is a legitimate folder within Qoobox.

As a general policy, Bleeping Computer does not offer advice on how to run ComboFix unless we asked someone to run it or if there is a problem with the computer caused by running the tool. This is because people should not be using ComboFix without being advised to do so by a trained expert (i.e. Malware Response Team) who is assisting a member dealing with a malware issue on that system. When issues arise due to complex malware infections, possible false detections, problems running ComboFix or with other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment.

Further, using ComboFix is only one part of the disinfection process. Preliminary scans from other tools like DDS, RSIT and GMER should be used first because they provide comprehensive logs with specific details about files, folders and registry keys which may have been modified by malware infection. Analysis of those logs allows planning a strategy for effective disinfection and a determination of whether using ComboFix is necessary. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

If not and you need assistance with a malware infection that requires using ComboFix, please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
  • When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts.

Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 fix0r (Topic Starter)

Posted 29 December 2010 - 12:35 AM

OK, thanks for nothin'. You basically just called me incompetent, and told me that ComboFix might muck my machine up. Yay, thanks.

BTW,

A+ certified, 10 years' experience. I'm not a programmer, but I'm not a frickin' caveman either.

#4 quietman7 (Bleepin' Janitor, Global Moderator, 33,983 posts, Virginia, USA)

Posted 29 December 2010 - 08:47 AM

Sorry you feel that way, but the information I gave is what we provide to all folks who use ComboFix on their own. It's not a matter of competency but a matter of ensuring everyone knows the risks associated with its use and that issues can arise when running the tool.

Discussions pertaining to how ComboFix works, what it can or cannot do, what the log results mean, any future plans, updates, etc. are not available to the public in order to safeguard and protect the integrity of the tool from malware writers. As such, the developer does not want his tool discussed outside of private forums and therefore we cannot answer specific questions. The only public information that is available can be found in this authorized guide: How to use ComboFix

Safeguarding the tool from malware writers is important so that we can continue to use it without attackers having knowledge of how to defeat it. Everything we discuss can be read by the bad guys. Yes, they read these threads looking for clues on how to circumvent our tools. We don't want to provide any information they can use against us. That's the decision of the creator of ComboFix and we will abide by that decision, so it should not be taken personally.

Since you advised you were dealing with malware, I provided instructions for getting assistance with removal.

#5 fix0r (Topic Starter)

Posted 29 December 2010 - 09:01 AM

Hey its ok, I found the problem. Microsoft Windows.

As part of my New Year's resolution, I am now running Debian, and I will never go back to Windows again. I've been preparing for this for a while now, and I'm ready to ditch the liability known as Windows.

So mark this thread as problem solved.

#6 here 2 help (Members, 1 post)

Posted 03 January 2011 - 05:36 PM

You should use a program called Unlocker to delete it:

http://cedrick.collomb.perso.sfr.fr/unlocker/

#7 zorthargthedestroyer (Members, 14 posts)

Posted 08 June 2011 - 11:28 AM

Wow, that quietman guy, someone points out a genuine problem with the software and he's all like "any problems caused by our program when not run under our supervision with 3 forms of ID in the presence of a notary public are your fault, and furthermore there is a CAUSAL relationship between any problem our software causes and the fact that it was not run under our explicit direction (of course you can be sure I'll deny this if you actually DO run the program under our direction and experience the same effect, which of course you will)." I wonder if in real life he's a lawyer for a fortune 500 company that uses sweatshop child labor in 3rd world countries to underbid everyone else.

So I have the same thing going on, and I actually tried Unlocker, here 2 help, before even finding this post. The problem is, it moves the directory to the Recycle Bin, and it STILL can't be deleted. It says I do not have permission to access the directory, EVEN WHILE IT IS IN THE RECYCLE BIN! I told Unlocker to delete it WHILE it was in the Recycle Bin; it disappeared, but another undeletable directory appeared in its stead, with the name "Dc45". Then I deleted "Dc45", and it disappeared and "Dc46" and "Dc47" were there. I had no problem deleting "Dc46", but "Dc47" had the same problem, and so when I used Unlocker, it disappeared and "Dc48", "Dc49" and "Dc50" appeared, 2 of which could be deleted. Being a glutton for punishment and a sucker for experimentation, I ran ComboFix again, expecting that I could at least use Unlocker to move one of the undeletable directories inside the other and put them both in the Recycle Bin and end up with a single undeletable Dc directory, but no, it can't even move one inside the other, and now I have 2 undeletable directories. Nuts, don't you think? Unlocker had no problem moving the directory, or renaming the directory; I can even move it out of the Recycle Bin, and I've put it in a folder called "crud" and renamed them to "bad directory 1" and "bad directory 2", but they still sit there, undeletable (nor can I delete the root "crud" directory). Die, bad directory, die! How do I change the file permissions on that directory?
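The permissions question at the end of the post above is the one a practitioner would answer with an ownership reset rather than with Unlocker, because a directory that Explorer reports as "no permission" usually has an ACL that denies the deleting account WRITE_DAC and WRITE_OWNER, which only an administrator holding SeTakeOwnershipPrivilege can override. The script below is an added example written for this page, not something anyone posted in the thread. It assumes an elevated PowerShell on Windows Vista or later, where takeown.exe and icacls.exe ship with the OS (on XP the nearest equivalent is cacls /T /E /G Administrators:F, which cannot take ownership); the path C:\Qoobox\BackEnv is taken from the original post, and the target parameter and the order of steps are my choices.

```powershell
# Added example: reclaim and delete a directory whose ACL blocks deletion.
# Assumed: run from an elevated PowerShell on Vista or later; $Target is the
# path from the thread and can be replaced with any stuck directory.
param(
    [string]$Target = 'C:\Qoobox\BackEnv'
)

# Refuse to continue unless the session is actually elevated; takeown and
# icacls quietly fail otherwise and the rest of the script would mislead.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}
if (-not (Test-Path -LiteralPath $Target)) {
    throw "Target not found: $Target"
}

# 1. Record the current owner and ACL before touching anything, so the
#    evidence survives if this turns out to be a malware question.
Get-Acl -LiteralPath $Target | Format-List Owner, AccessToString

# 2. Clear read-only, system and hidden attributes on the whole tree.
attrib -r -s -h "$Target" /S /D

# 3. Take ownership recursively. /D Y answers "yes" for subfolders the
#    current account cannot even list, which is the usual failure here.
takeown /F "$Target" /R /D Y | Out-Null

# 4. Grant BUILTIN\Administrators (well-known SID S-1-5-32-544) full control,
#    inheritable to subfolders and files; /C continues past per-file errors.
icacls "$Target" /grant "*S-1-5-32-544:(OI)(CI)F" /T /C | Out-Null

# 5. Delete. If this still fails after steps 3 and 4, the ACL was not the
#    problem: either a process holds an open handle or a kernel driver is
#    intercepting the delete, which on a suspected rootkit host is a signal
#    to scan from clean boot media rather than keep fighting the folder.
Remove-Item -LiteralPath $Target -Recurse -Force
Write-Host "Deleted: $Target"
```

Step 1 is there on purpose: on a machine with a suspected infection, the owner and DACL of an unexpected directory are the kind of detail a malware responder asks for, and they are gone once the directory is. Steps 3 and 4 are the same sequence an administrator would use on any directory left behind with a foreign ACL; nothing in them is specific to ComboFix.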

#8 temporaryy (Members, 1 post)

Posted 09 June 2011 - 05:03 PM

Hi. I wanted to share the solution by signing in with a temporary account :P because this problem just made my day (!). Fortunately I'm not a Windows user.

I just had the exact same situation on one of my friend's laptops (Windows XP installed) as the OP had, and I tried the exact same things as zorthargthedestroyer did (except for the multiple undeletable directories). Finally I have found a solution. At first, after trying Unlocker, it sent the folder (BackEnv) to the Recycle Bin, and every try at deleting the folder from the Recycle Bin (using Unlocker) caused the existence of another folder with a different name. Then I opened the preferences window of the Recycle Bin and set the maximum size of the Recycle Bin to 0%. And I once again deleted the last renamed folder in the Recycle Bin with Unlocker. Then the Recycle Bin appeared empty and the folder was gone.

BTW, do not forget to reset the maximum size limit of the Recycle Bin.

have a nice day,
temporaryy.

Edited by temporaryy, 09 June 2011 - 05:05 PM.


#9 quietman7 (Bleepin' Janitor, Global Moderator, 33,983 posts, Virginia, USA)

Posted 09 June 2011 - 06:07 PM

There are solutions and tools that can be used to resolve the reported issue. fix0r was dealing with a rootkit infection and was appropriately instructed what to do so we could provide further assistance in another forum. Before dealing with the Qoobox folder we would have asked to see the ComboFix log, analyzed it and gone from there. Removing all the folders related to ComboFix would have disallowed access to that information.

However fix0r was able to resolve the issue (and hopefully the infection) and required no further assistance.
