
ComboFix quarantined file


15 replies to this topic

#1 lonniek
  • Members
  • 9 posts
  • Local time:10:58 PM

Posted 26 July 2009 - 05:58 PM

Hi All, I downloaded and ran ComboFix the other day and it quarantined a file from C:\Windows\ERDNT and named it MoveEx_SysHive_Link.vir. I uninstalled ComboFix and went to delete the Qoobox folder but was denied, a popup box saying the file was in use by another person or program. Tried safe mode, same result. Any ideas of what this file is or how to delete the Qoobox folder, or if I should do anything? My computer is running fine now.

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

Edited by lonniek, 27 July 2009 - 10:32 AM.



#2 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,889 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:58 PM

Posted 27 July 2009 - 08:21 AM

I uninstalled ComboFix

How?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 lonniek
  • Topic Starter
  • Members
  • 9 posts
  • Local time:10:58 PM

Posted 27 July 2009 - 10:29 AM

Start button, then in the Run box I typed combofix /u. ComboFix then uninstalled successfully.

Edited by lonniek, 27 July 2009 - 10:31 AM.


#4 garmanma
    Computer Masochist
  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:12:58 AM

Posted 28 July 2009 - 11:36 AM

Try safe mode to delete it or see if Autoruns detects it and disable it from there

It's not unusual to receive such an error after using specialized fix tools.

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.

  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (Click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose Delete.
  • Reboot your computer.

Edited by garmanma, 28 July 2009 - 11:37 AM.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter
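The orphaned-entry check above can also be done from a script. The following PowerShell is an added example, not code from the thread, from Autoruns or from any poster: it walks the classic Run/RunOnce keys, pulls the program path out of each command line, and reports entries whose target no longer exists. It assumes Windows PowerShell 2.0 or later and that the account can read HKLM; the four keys listed are an assumption about where to look, and Autoruns covers far more autostart locations than these.

```powershell
# Added example (not from the thread or from Autoruns): find autostart entries
# in the Run/RunOnce keys whose target executable is missing, i.e. the orphaned
# entries behind "Cannot find..." / "Error loading..." messages at logon.
# Assumptions: Windows PowerShell 2.0+, read access to HKLM, only these keys.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Members that Get-ItemProperty adds to every result; they are not registry values.
$psMembers = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExePathFromCommand {
    param([string]$CommandLine)
    # Expand %SystemRoot%-style variables, then take the program path: the quoted
    # first token if present, otherwise the text up to the first executable
    # extension, otherwise the first whitespace-delimited token.
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { return $matches[1] }
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr))(\s|$)') { return $matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-ProgramExists {
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path)) { return $false }
    # A bare name such as rundll32.exe is resolved through PATH, as the shell
    # would do; anything with a directory component is checked as written.
    if ($Path -notmatch '[\\/]') {
        return [bool](Get-Command $Path -ErrorAction SilentlyContinue)
    }
    return (Test-Path -LiteralPath $Path)
}

function Get-OrphanedRunEntries {
    $orphans = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psMembers -contains $p.Name) { continue }
            $exe = Get-ExePathFromCommand -CommandLine ([string]$p.Value)
            if (-not (Test-ProgramExists -Path $exe)) {
                $orphans += New-Object PSObject -Property @{
                    Key     = $key
                    Name    = $p.Name
                    Command = $p.Value
                    Missing = $exe
                }
            }
        }
    }
    return $orphans
}

$orphans = Get-OrphanedRunEntries
if ($orphans.Count -eq 0) {
    Write-Host 'No orphaned Run/RunOnce entries found.'
} else {
    $orphans | Format-Table Key, Name, Missing -AutoSize
    # -WhatIf only reports what would be removed. Drop it to delete a value once
    # you have confirmed the entry points at a file that really is gone, which is
    # the manual review step the Autoruns instructions describe.
    foreach ($o in $orphans) {
        Remove-ItemProperty -Path $o.Key -Name $o.Name -WhatIf
    }
}
```

The script only reports by default; the Remove-ItemProperty call is left under -WhatIf so that the decision to delete stays with the person reviewing the list, exactly as the Autoruns walkthrough has you confirm the entry matches the file named in the error before removing it.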

#5 lonniek
  • Topic Starter
  • Members
  • 9 posts
  • Local time:10:58 PM

Posted 29 July 2009 - 12:28 PM

garmanma,
I don't get any errors when I start up. As I mentioned, everything is running fine. The problem I'm having now is that after I ran ComboFix it created a quarantined file in Qoobox titled MoveEx_SysHive_Link.vir. After uninstalling ComboFix, the Qoobox folder with the MoveEx_SysHive_Link.vir file was still there. I tried to delete it in both normal & safe modes. That's when I get the error box saying: Cannot delete MoveEx_SysHive_Link.vir. The file is in use by another person or program. Please close program and try again. Can you or anyone tell me what program might be running so that I can try closing it so that I may delete the file?

#6 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,889 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:58 PM

Posted 29 July 2009 - 01:00 PM

Looks like several folks are reporting the same issue. I have asked the tool's developer about it.

#7 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,889 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:58 PM

Posted 29 July 2009 - 02:04 PM

Please download OTM by OldTimer and save to your Desktop.
  • Double-click on OTM.exe to launch the program. (If using Windows Vista, be sure to Run As Administrator)
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the code box and press CTRL+C or right-click and choose Copy.
:Processes
explorer.exe

:Files
C:\Qoobox

:Commands
[emptytemp]
[start explorer]
[Reboot]
  • Return to OTM, right-click in the open text box labeled "Paste Instructions for Items to be Moved" (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. After the reboot, open Notepad, click File > Open, in the File Name box type *.log and press the Enter key. Navigate to the C:\_OTM\MovedFiles folder, open the newest .log file and copy/paste the contents in your next reply. If not asked, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTM is a powerful program, designed to move highly persistent files and folders and is intended by the developer to be used under the guidance and supervision of a trained malware removal expert.



#8 lonniek
  • Topic Starter
  • Members
  • 9 posts
  • Local time:10:58 PM

Posted 29 July 2009 - 05:18 PM

The file MoveEx_SysHive_Link.vir is still there. Also there were no registry entries removed, as shown at the bottom of the OTM log.
Here is the OTM log:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
Folder move failed. C:\Qoobox\Quarantine\C\WINDOWS\ERDNT scheduled to be moved on reboot.
Folder move failed. C:\Qoobox\Quarantine\C\WINDOWS scheduled to be moved on reboot.
Folder move failed. C:\Qoobox\Quarantine\C scheduled to be moved on reboot.
Folder move failed. C:\Qoobox\Quarantine scheduled to be moved on reboot.
Folder move failed. C:\Qoobox scheduled to be moved on reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: Lonnie
->Temp folder emptied: 2961257 bytes
->Temporary Internet Files folder emptied: 102175729 bytes
->Java cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 105016 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 100.40 mb


OTM by OldTimer - Version 3.0.0.5 log created on 07292009_160620

Files moved on Reboot...
Folder move failed. C:\Qoobox\Quarantine\C\WINDOWS\ERDNT scheduled to be moved on reboot.
Folder move failed. C:\Qoobox\Quarantine\C\WINDOWS\ERDNT scheduled to be moved on reboot.
Folder move failed. C:\Qoobox\Quarantine\C\WINDOWS scheduled to be moved on reboot.
Folder move failed. C:\Qoobox\Quarantine\C\WINDOWS\ERDNT scheduled to be moved on reboot.
Folder move failed. C:\Qoobox\Quarantine\C\WINDOWS scheduled to be moved on reboot.
Folder move failed. C:\Qoobox\Quarantine\C scheduled to be moved on reboot.
Folder move failed. C:\Qoobox\Quarantine\C\WINDOWS\ERDNT scheduled to be moved on reboot.
Folder move failed. C:\Qoobox\Quarantine\C\WINDOWS scheduled to be moved on reboot.
Folder move failed. C:\Qoobox\Quarantine\C scheduled to be moved on reboot.
Folder move failed. C:\Qoobox\Quarantine scheduled to be moved on reboot.
Folder move failed. C:\Qoobox\Quarantine\C\WINDOWS\ERDNT scheduled to be moved on reboot.
Folder move failed. C:\Qoobox\Quarantine\C\WINDOWS scheduled to be moved on reboot.
Folder move failed. C:\Qoobox\Quarantine\C scheduled to be moved on reboot.
Folder move failed. C:\Qoobox\Quarantine scheduled to be moved on reboot.
Folder move failed. C:\Qoobox scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Edited by lonniek, 29 July 2009 - 08:07 PM.
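Every "scheduled to be moved on reboot" line in the OTM log above means the move was deferred until the next restart. The PowerShell below is an added example, not code from the thread or from OTM, that lists what Windows currently has queued for that restart so it can be compared against the log before rebooting. It rests on one assumption: that a tool reporting a deferred move has used the Win32 MoveFileEx delay-until-reboot mechanism, which records each request in the PendingFileRenameOperations value under the Session Manager key; the key and value names are standard Windows ones, the parsing of the "!" and "\??\" prefixes follows their documented meaning.

```powershell
# Added example (not from the thread or from OTM): show the file moves and
# deletions Windows has queued for the next reboot.
# Assumption: the "scheduled to be moved on reboot" mechanism is MoveFileEx with
# MOVEFILE_DELAY_UNTIL_REBOOT, which stores each request in this registry value.

$sessionKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$valueName  = 'PendingFileRenameOperations'

function ConvertFrom-PendingPath {
    param([string]$RawPath)
    # Entries are NT object paths such as \??\C:\Qoobox. A leading "!" on a
    # destination means an existing target may be replaced.
    return ($RawPath -replace '^!', '') -replace '^\\\?\?\\', ''
}

function Get-PendingFileOperations {
    param([string[]]$Entries)
    # The value is a REG_MULTI_SZ holding source/destination pairs in order.
    # An empty destination means the source is to be deleted, not moved.
    $ops = @()
    for ($i = 0; $i + 1 -lt $Entries.Count; $i += 2) {
        $src = ConvertFrom-PendingPath $Entries[$i]
        $dst = ConvertFrom-PendingPath $Entries[$i + 1]
        $ops += New-Object PSObject -Property @{
            Action      = $(if ($dst -eq '') { 'delete' } else { 'move' })
            Source      = $src
            Destination = $dst
        }
    }
    return $ops
}

$item = Get-ItemProperty -Path $sessionKey -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Host "No $valueName value present: nothing is queued for reboot."
} else {
    $ops = Get-PendingFileOperations -Entries @($item.$valueName)
    if ($ops.Count -eq 0) {
        Write-Host "$valueName exists but holds no complete source/destination pairs."
    } else {
        $ops | Format-Table Action, Source, Destination -AutoSize
    }
}
```

Run it before the reboot that OTM asks for: each folder the log marks as scheduled should appear as a queued operation. If the folder is still present after the restart and the value is empty again, the deferred operation ran and failed rather than never being queued, which narrows down where to look next.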


#9 lonniek
  • Topic Starter
  • Members
  • 9 posts
  • Local time:10:58 PM

Posted 29 July 2009 - 05:23 PM

FYI, I'm running Windows XP SP3, IE8. I run ESET NOD32 AV, Windows Firewall, Malwarebytes, SpywareBlaster. I also have run SUPERAntiSpyware and Ad-Aware scans.

#10 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,889 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:58 PM

Posted 30 July 2009 - 08:55 AM

I just spoke with sUBs again. Go here, download the latest version of ComboFix and run it again per the instructions provided in the Guide.

When done
  • Go to Start > Run and type or copy/paste in the run dialog box: Combofix /u
  • press OK.
  • When shown the disclaimer, Select "2"
  • This will delete ComboFix's related folders and files, reset your clock settings, hide file extensions/system files and reset System Restore.


#11 lonniek
  • Topic Starter
  • Members
  • 9 posts
  • Local time:10:58 PM

Posted 31 July 2009 - 01:02 PM

Sorry, I was gone yesterday so I couldn't post. Anyway, I reran ComboFix as directed; when it came time to uninstall ComboFix, the cmd box appeared for a brief second then disappeared. There was no disclaimer visible in the cmd box, therefore I had no option 2 available. ComboFix said the uninstall was successful. I even ran Windows XP in diagnostic mode & ran ComboFix to see if I could delete the folder I've mentioned in my other post; it still gives me the same error message as previously stated. Also ran OTM in diagnostic mode and nothing changed. Any ideas?

Edited by lonniek, 31 July 2009 - 01:23 PM.


#12 lonniek
  • Topic Starter
  • Members
  • 9 posts
  • Local time:10:58 PM

Posted 31 July 2009 - 08:28 PM

Is there a code for OTM that will kill all processes and then delete the C:\Qoobox folder before Windows shuts down? Would this even work?

#13 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,889 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:58 PM

Posted 31 July 2009 - 10:40 PM

Please copy and paste the header version of the log file created by ComboFix. It can be found at C:\ComboFix.txt. We need to verify the version you are using.

This is an example of what we want to see:

ComboFix 09-07-31.02 - Owner 07/31/2009 22:44.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1087 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall *enabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}



#14 lonniek
  • Topic Starter
  • Members
  • 9 posts
  • Local time:10:58 PM

Posted 01 August 2009 - 08:23 AM

ComboFix 09-07-31.02 - Lonnie 07/31/2009 17:23.6.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.160 [GMT -6:00]
Running from: c:\documents and settings\Lonnie\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

I know it updated to newest version. When I ran it again yesterday

Edited by lonniek, 01 August 2009 - 08:25 AM.


#15 lonniek
  • Topic Starter
  • Members
  • 9 posts
  • Local time:10:58 PM

Posted 01 August 2009 - 11:53 AM

Success! I ran Windows Disk Cleanup and now the Qoobox folder is gone!



