Rootkit.0Access infection + browser hijack + can't install new programs

[david777]

Hi,

I've got some issues:

1) Browser hijack: I do a search and sometimes (not every) it will redirect to some ad page. I always get redirected to a windows live login page when trying to access site (e.g., Microsoft, or malwarebytes) that will help get rid of viruses. P.S. I'm accessing this forum from a 2nd computer.

2) Can't install programs: I tried to install various programs and an error pops up immediately saying the installer has stopped working and will close.

I've already run the dds and attached the two files.

Also attached are 2 MWB logs. One shows a couple viruses from an early scan run in regular vista mode. The other is a log running from safe mode and shows the Rootkit.0Access.

Other than the hassle of browser hijack and not installing programs, the computer runs fine (albeit a little slowly). Occasionally I get a command line interface error, which ends itself. And maybe 3 times it has spontaneously restarted. But no black or blue screens, etc.

Any suggestions?

Thanks!

David

attach.txt

dds.txt

mbam-log-2012-07-01.txt

mbam-log-2012-07-04_SAFE-MODE.txt

[david777]

I just ran a scan using rogue killer. Here are the results:

-----------------------------

RogueKiller V7.6.2 [07/02/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Normal mode

User: David Moerschel [Admin rights]

Mode: Scan -- Date: 07/05/2012 10:04:10

¤¤¤ Bad processes: 1 ¤¤¤

[sVCHOST] svchost.exe -- C:\Windows\system32\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 13 ¤¤¤

[sUSP PATH] HKCU\[...]\Run : Utiroqo ("C:\Users\David Moerschel\AppData\Roaming\Ocozaf\ozygo.exe") -> FOUND

[sUSP PATH] HKCU\[...]\Run : Fyhiz ("C:\Users\David Moerschel\AppData\Roaming\Binaur\opip.exe") -> FOUND

[bLACKLIST DLL] HKLM\[...]\Run : izinec ("C:\Windows\System32\rundll32.exe" "C:\Users\David Moerschel\AppData\Roaming\izinec.dll",SHRotateZ) -> FOUND

[sUSP PATH] HKUS\S-1-5-21-3822217949-1633032186-3584141650-1000[...]\Run : Utiroqo ("C:\Users\David Moerschel\AppData\Roaming\Ocozaf\ozygo.exe") -> FOUND

[sUSP PATH] HKUS\S-1-5-21-3822217949-1633032186-3584141650-1000[...]\Run : Fyhiz ("C:\Users\David Moerschel\AppData\Roaming\Binaur\opip.exe") -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{4ed2900c-4d83-6285-2c40-4ecb334c4f32}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{4ed2900c-4d83-6285-2c40-4ecb334c4f32}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{4ed2900c-4d83-6285-2c40-4ecb334c4f32}\L --> FOUND

[ZeroAccess][FILE] @ : c:\users\david moerschel\appdata\local\{4ed2900c-4d83-6285-2c40-4ecb334c4f32}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\david moerschel\appdata\local\{4ed2900c-4d83-6285-2c40-4ecb334c4f32}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\david moerschel\appdata\local\{4ed2900c-4d83-6285-2c40-4ecb334c4f32}\L --> FOUND

[susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> CANNOT FIX

[ZeroAccess][sig found] services.exe : c:\windows\system32\services.exe --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS541660J9SA00 ATA Device +++++

--- User ---

[MBR] a5907dab3341c17ef95b627731c3eec1

[bSP] 6e09ef48b2e89b0ce36ecc338d6f2192 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 70 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 145408 | Size: 2048 Mo

2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 4339712 | Size: 55111 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

[Maniac]

Hello David and ! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

• If you are a paying customer, you have the privilege to contact the help desk at Consumer Support or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.
  
• I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  
• Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  
• Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  
• Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

I want to see a new fresh DDS log file with Attach.txt .

[david777]

I was afraid you'd say that. I already changed passwards, etc. I think I'll have to reformat. Thanks for the help. I'm used to reformatting...

[Maniac]

Sorry about that!

Some malware prevention tips:

http://forums.malwarebytes.org/index.php?showtopic=104379&pid=515983&st=0entry515983

Safe surfing!

[LDTate]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!