Possible malware: Qoobox folder, catchme in registry

Hello,

I noticed a new folder the other day: C:\Qoobox that has a quarantine and Backenv subfolder. I'm concerned that it's malware and would appreciate your help to find out. 

 

Other info in case it's relevant:

  • I run Norton 360 and Malwarebytes' Anti-Malware.
  • Autoruns shows a process called catchme that it indicates came from the folder C:\ComboFix\catchme.sys, and there are catchme folders in the registry.
  • My OS is Windows 7 and all updates have been applied.
  • I've been having problems booting lately. The computer runs fine in Safe Mode. I'd been having a lot of problems with member disks dropping out of a RAID array, so I recently broke the RAID. In the process my user profile got corrupted. The boot issues may be associated with remnants of that issue or hardware problems.
  • Norton 360 recently quarantined some Trojans from a few email messages.
  • My PC was recently at a repair shop. They may have run some virus tests.
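An added example, not part of the original post or any reply, of how a user in this situation can inventory the artifacts described above before deciding whether they are ComboFix leftovers or something else. The paths C:\Qoobox and C:\ComboFix\catchme.sys come from the post; the driver service key HKLM\SYSTEM\CurrentControlSet\Services\catchme is an assumption (it is the kind of entry Autoruns' Drivers tab reads). It is written for the PowerShell 2.0 that ships with Windows 7, so it uses certutil and WMI instead of newer cmdlets.

```powershell
# Added example: list the ComboFix leftover artifacts named in the post so their
# contents, hash and signature can be checked, rather than guessing from the name.
# Paths C:\Qoobox and C:\ComboFix\catchme.sys are from the post; the registry
# service key below is an assumption.

$folders = 'C:\Qoobox', 'C:\ComboFix'
foreach ($f in $folders) {
    if (Test-Path $f) {
        Write-Host "== $f"
        # quarantine/BackEnv subfolders normally hold copies of removed items
        Get-ChildItem -Path $f -Recurse -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime |
            Format-Table -AutoSize
    } else {
        Write-Host "$f not present"
    }
}

$driver = 'C:\ComboFix\catchme.sys'
if (Test-Path $driver) {
    Write-Host "== $driver"
    # certutil is present on Windows 7; Get-FileHash needs PowerShell 4+
    certutil -hashfile $driver SHA256
    # Authenticode status: a legitimate ComboFix component should not be "HashMismatch"
    Get-AuthenticodeSignature -FilePath $driver | Select-Object Status, SignerCertificate
}

# Assumed location of the driver's service entry (what Autoruns reports under Drivers)
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\catchme'
if (Test-Path $svcKey) {
    Write-Host "== $svcKey"
    Get-ItemProperty -Path $svcKey | Select-Object ImagePath, Start, Type
} else {
    Write-Host "No service key named catchme under CurrentControlSet\Services"
}

# Kernel drivers are not shown by Get-Service; Win32_SystemDriver works on PS 2.0
Get-WmiObject -Class Win32_SystemDriver -Filter "Name='catchme'" |
    Select-Object Name, State, StartMode, PathName
```

The output gives concrete facts to bring to the repair shop or to a helper: when the folders were created, whether the driver file is signed and by whom, and whether the catchme driver is still registered to start. If the service key's ImagePath points somewhere other than the ComboFix folder, that is the thing to ask about.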

 


jmcarignan wrote:

My PC was recently at a repair shop. They may have run some virus tests.

 


Probably not what you want to hear - but I would certainly return to the repair shop and start asking questions in regards to your situation. If they are the guilty parties - then they are the ones to fix it.


Dimension wrote:

It seems to me that someone has run ComboFix on your system. It is not for 64-bit systems.

 


 

Incorrect: 

At this time ComboFix can only run on the following Windows versions:

  • Windows XP (32-bit only)
  • Windows Vista (32-bit/64-bit)
  • Windows 7 (32-bit/64-bit)

oops. So sorry. I do apologize. I must have been thinking Win 8 when the poster clearly stated win 7.

On that basis I cannot explain why there are leftover files. I only know this can happen when ComboFix gets stuck, but I don't know otherwise the circumstances under which ComboFix would leave the folders open.

 

ComboFix should not be run unless requested by an experienced helper, as it could do more harm than good.


Dimension wrote:

It seems to me that someone has run ComboFix on your system. It is not for 64-bit systems. The folders are likely a leftover because ComboFix could not properly run. The folders should be removed.

 

ComboFix is not really for public consumption. Based on the limited info I can't say whether your shop should have tried this.

 

That's all I can say based on the info.


This is wrong, which means the user does not know advanced programs.

 

I have the folders on my system and ComboFix runs properly; the folders can stay, they are harmless. Just after I use the advanced programs on systems, by script I remove the files and quarantine folder.

 

It does not need to be touched. I keep the folders for advanced programs on my system and nothing is wrong, from OTL, ComboFix, FRST, NPE etc. etc.

 

If you have major malware, this forum is too dangerous, as users don't understand advanced programs and how they work to be able to give info, scripts or instructions on how to use them.

 

Quads


Quads wrote:

Dimension wrote:

It seems to me that someone has run ComboFix on your system. It is not for 64-bit systems. The folders are likely a leftover because ComboFix could not properly run. The folders should be removed.

 


This is wrong, which means the user does not know advanced programs.

 

I have the folders on my system and ComboFix runs properly; the folders can stay, they are harmless. Just after I use the advanced programs on systems, by script I remove the files and quarantine folder.

 

It does not need to be touched. I keep the folders for advanced programs on my system and nothing is wrong, from OTL, ComboFix, FRST, NPE etc. etc.

 

If you have major malware, this forum is too dangerous, as users don't understand advanced programs and how they work to be able to give info, scripts or instructions on how to use them.

 

Quads


The information came from bleepingcomputer.com. Like you say, when you have finished you remove the folders. You may do so by instruction or by script. That is good and it shows you are professional.

The fact that you do not remove them from your machines is entirely another matter, I suggest.

 

In this case the folders have not been removed. That is either a sign of an unprofessional shop or a failure as I described. In any event, as a matter of good housekeeping, the folders - whether the folders are harmless or otherwise - should be deleted. If I called for info from this poster and discovered that he had himself applied ComboFix, I would be hesitant about offering advice in this forum. So cleaning up serves a second purpose, perhaps.

 

I don't have major malware. If your message is intended for the poster, then stating that users don't understand advanced programs is simply wrong. Some users have a good understanding of advanced programs and advanced programming, but maybe you meant something else. ..END..

 

You stated "The folders are likely a left over because combofix could not properly run".

 

The statement is false; the folders can be left where they are for all users. I leave one folder behind that ComboFix creates, and it is for a reason in future. It does not mean "The folders are likely a left over because combofix could not properly run" either.

 

Quads

I provided the information in good faith. I have now provided the source of the information. By your own admission you remove the folders except on your machine. Let me remind you a second time what you said:

 

"Just after I use the advanced programs on systems by script I remove the files and quarantine folder."

 

This would imply that you script the removal of the folders in question. If you meant you remove other files and other folders than those which this thread refers to, then at best you are misleading.

 

I think this is getting off topic and therefore I will not respond further in this thread. Suffice to say that in this thread I stand by the advice I gave. I would wish to remove folders not in use and not installed by any action of my doing. Whatever the reasoning, that is the advice. You do, and are entitled to, hold a different opinion, and without explanation you would keep the folder open. I suggest the poster can decide for himself.

 

In another thread a user wrote "It is mostly Quads you have to worry about". I had no idea what this meant until now.

I really don't care what people who don't know what they are doing think about me and what I can do.

 

I care about people's systems, and because of what I can do, I also can spot when people don't know what they are doing. They just don't like being told so. That is all.

 

I have emails from other MRs who can see why the forum is dangerous for a well infected system: no safeguards, and no overseer watching for bad instructions to be removed quickly. MRs like myself talk about malware changes and spot incorrect instructions.

 

In good faith or not, that is just the way it is.

 

Quads