BleepingComputer.com: Rootkit.0Access) won't cure


Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

DO NOT RUN ComboFix unless requested to.

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Rootkit.0Access) won't cure Google redirect virus - don't know how to remove

#16 Jason121 (New Member; Group: Members; Posts: 14; Joined: 28-January 12)

Posted 03 February 2012 - 08:26 PM

Still having issues with the DOS commands -
The first one returns "The directory is not empty" while the second one returns "The filename, directory name or volume label syntax is incorrect."

Below are the command prompt results:

C:\windows\system32>cmd /c rd "c:\users\Jason\AppData\Local\ca017659
The directory is not empty.

C:\windows\system32>cmd /c del /a/f/q "<file.path>"C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys"
The filename, directory name, or volume label syntax is incorrect.
-----
I also tried with and without the closing " for both commands; all return the same error messages.

Thanks!

#17 RPMcMurphy (Bleeping *^#@%~; Group: Malware Response Team; Posts: 2,398; Joined: 16-May 10; Gender: Male)

Posted 04 February 2012 - 12:42 AM

Time for a better hammer:

Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
    c:\users\Jason\AppData\Local\ca017659
    C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys

  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free.
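On the two cmd errors in #16 and the OTM ":Files" step in #17: `rd` without `/s` refuses a non-empty folder with exactly "The directory is not empty", and the second command fails because the literal `"<file.path>"` placeholder was left in front of the path, so cmd sees a name beginning with `<`, which is not a legal file-name character. The script below is an added example, not OTM's code and not anything the helper in this thread posted; it does by hand in PowerShell (run from an elevated prompt) what a `:Files` run does: it moves each listed path into a quarantine folder, writes a log of each outcome the way OTM does, and for a file that is in use (a loaded driver, for instance) queues a delete on the next reboot through the Win32 `MoveFileEx` delay-until-reboot flag, since an open file cannot be moved until its handle is released, which is the same reason OTM may ask for a reboot. The `_Quarantine` folder name and log file name are this example's own choices; the two target paths are the ones from this thread.

```powershell
# Added example (not OTM's code): quarantine a list of paths with a log,
# queuing a delete-on-reboot for anything that is locked. Run elevated.

$targets = @(
    'c:\users\Jason\AppData\Local\ca017659',
    'C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys'
)
# Assumed quarantine location (OTM uses C:\_OTMoveIt; this name is ours)
$quarantine = Join-Path $env:SystemDrive '_Quarantine'
$log        = Join-Path $quarantine ('moved_{0:yyyyMMdd_HHmmss}.log' -f (Get-Date))

# MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT (4) and a null destination
# records a delete in PendingFileRenameOperations, applied at next boot.
Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

New-Item -ItemType Directory -Path $quarantine -Force | Out-Null

foreach ($path in $targets) {
    # -LiteralPath so wildcard characters in a dropper's random name are not expanded
    if (-not (Test-Path -LiteralPath $path)) {
        Add-Content $log "$path not found (already removed?)"
        continue
    }

    # Mirror the original location under the quarantine tree so the move is reversible
    $dest = Join-Path $quarantine ($path -replace '^[A-Za-z]:\\', '').TrimEnd('\')
    New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null

    try {
        # Move-Item takes a non-empty folder in one call, unlike cmd's rd without /s
        Move-Item -LiteralPath $path -Destination $dest -Force -ErrorAction Stop
        Add-Content $log "$path moved successfully."
    } catch {
        # Typically "in use" (loaded driver, open handle): queue the delete for next boot.
        # This only works for files and empty folders; anything else is logged as failed.
        $queued = [Win32.NativeMethods]::MoveFileEx($path, $null, 4)
        if ($queued) {
            Add-Content $log "$path is in use; delete queued for next reboot."
        } else {
            Add-Content $log "$path FAILED: $($_.Exception.Message)"
        }
    }
}

# Show the log, which is what you would paste back into the thread
Get-Content $log
```

Files under winsxs are owned by TrustedInstaller, so even an elevated administrator may get an access-denied error on the move; the script logs that as a failure rather than changing ownership, which is a decision best left to the person directing the cleanup.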

#18 Jason121 (New Member; Group: Members; Posts: 14; Joined: 28-January 12)

Posted 05 February 2012 - 11:01 PM

Looks like the OTM strategy worked. Here's the result from the s/w -
#############

c:\users\Jason\AppData\Local\ca017659\U folder moved successfully.
c:\users\Jason\AppData\Local\ca017659 folder moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys moved successfully.

OTM by OldTimer - Version 3.1.19.0 log created on 02052012_195102

################
Should I continue with the Adobe upgrade and deletion of the s/w recommended in the previous post?
Thanks!

#20 RPMcMurphy (Bleeping *^#@%~; Group: Malware Response Team; Posts: 2,398; Joined: 16-May 10; Gender: Male)

Posted 05 February 2012 - 11:24 PM

Great! Please continue on with those other instructions, now adding this one after you uninstall ComboFix:

Cleanup with OTM
  • Double-click OTM.exe to start the program.
  • Close all other programs apart from OTM, as this step will require a reboot.
  • On the OTM main screen, press the CLEANUP button.
  • Say Yes to the prompt and then allow the program to reboot your computer.
  • Manually delete any remaining tools or logs from our work.


#21 Jason121 (New Member; Group: Members; Posts: 14; Joined: 28-January 12)

Posted 06 February 2012 - 10:40 PM

Thanks!
I've removed all the tools and logs from our work.
I also re-enabled MBAM and performed a full scan.
Everything's clean and there is no more re-direction of search results.
Thanks for everything! Much appreciated.

#22 RPMcMurphy (Bleeping *^#@%~; Group: Malware Response Team; Posts: 2,398; Joined: 16-May 10; Gender: Male)

Posted 06 February 2012 - 11:24 PM

You're welcome! Take care.

#23 RPMcMurphy (Bleeping *^#@%~; Group: Malware Response Team; Posts: 2,398; Joined: 16-May 10; Gender: Male)

Posted 07 February 2012 - 05:25 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
