More Trojan Horse virus than I can type names

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ponzaleo, Mar 29, 2012.

  1. ponzaleo

    ponzaleo Private E-2

    I opened an email from my best friend (he has AOL). It contained a link, ironically about a subject we had been speaking of. Boom... my computer went crazy. I have had the following:

    win32/sinefef.DAtrojan
    Trojan Horse Crypt.AZCW
    Plenty of other Crypt followed by a series of letters

    It seems to have hijacked my browsers.

    I have a few I use in my work.

    Safari
    Firefox
    Orca
    Cometbird
    Flock
    IE

    When I first open a browser, any one, Windows Security Alert pops up, and while I am working in a browser, a window pops up and asks whether I want to keep blocking the program, naming the browser.

    I have tried the usual Malware and virus scans with no luck. I can usually figure these things out, but this one has me, because I do not know what I have.

    I am in need of help.

    What do I need to send?

    Don
     
  2. thisisu

    thisisu Malware Consultant

    Welcome to Major Geeks, ponzaleo!

    Please download RogueKiller to your desktop.

    Rename RogueKiller.exe to winlogon.exe
    Double-click winlogon.exe to run.
    When it opens, press the Scan button
    When the Scan has completed, press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)

    __

    Afterwards, proceed with these directions:

    I want you to read and follow these instructions: TDSSKiller - How to run
     
  3. ponzaleo

    ponzaleo Private E-2

    It made two reports.
    Also, a folder "RK_Quarantine" was created on my desktop
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    Ignore the RK_Quarantine folder.

    Turn User Account Control off again.

    Then proceed with the TDSSKiller instructions
     
  5. ponzaleo

    ponzaleo Private E-2

    Attached is the TDSSkiller Report
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

  7. ponzaleo

    ponzaleo Private E-2

    Sorry, I posted the Killer report before I read your reply.

    I am on XP, I don't think it has the ability to "Turn User Account Control off again".
     
  8. thisisu

    thisisu Malware Consultant

    My mistake :) Ignore that.
     
  9. ponzaleo

    ponzaleo Private E-2

    Cleared all browsers
    Cleared DNS
    Restarted Router

    Ran GooredFix - report attached

    Ran TDSSkiller again - report attached

    Ran FixTDSS - it said I have "backdoor.tidserv"

    Ran MBRCheck - report attached

    I am now running SuperAntiSpyware, Malware, ComboFix, RootRepeal, gmtools.
    I will reply with reports when they are finished running.

    Tks,
    Don
     

    Attached Files:

  11. ponzaleo

    ponzaleo Private E-2

    I ran SuperAntiSpyware and Malware with no problem. Things were looking good. Then I deleted AVG and ran ComboFix. I got the message that I have rootkit.zeroaccess in the tcp/ip stack.

    Now my internet connection does not work. I am using my laptop to communicate with you.

    I am running ComboFix a second time as it said to do. I will advise you of the outcome.

    Attaching files...

    Don
     

    Attached Files:

  12. thisisu

    thisisu Malware Consultant

    Hi, I need to see the logs from SAS and MBAM.

    I also need to gather a bit more information so run this customized scan:

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      ipsec.sys
      netbt.sys
      svchost.exe
      tcpip.sys
      /md5stop
      %windir%\$ntuninstallkb*. /30
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      %systemdrive%\mgtools\*.*
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
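    As an added example (not code from the thread, OTL or any of the tools named above), this Python script does the defender-side work behind the /md5start ... /md5stop block: it hashes the listed system files and compares them against a known-good baseline, reporting files that are MODIFIED or MISSING. The driver directory, the baseline and the tampered files are all constructed in a temporary folder for the demo; on a real machine the baseline would come from a clean install of the same Windows version and service pack.

    ```python
    import hashlib
    import os
    import tempfile

    # Files the OTL custom scan hashes between /md5start and /md5stop (from the
    # instructions above). ZeroAccess/TDSS-class rootkits are known to patch or
    # replace such network and system drivers, so a hash that differs from a
    # known-good baseline is the indicator a malware helper looks for.
    WATCHED = ["afd.sys", "i8042prt.sys", "ipsec.sys", "netbt.sys",
               "svchost.exe", "tcpip.sys"]


    def file_md5(path):
        """MD5 of a file, read in chunks so large drivers do not load into memory."""
        h = hashlib.md5()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()


    def check_drivers(driver_dir, baseline):
        """Return {name: 'ok' | 'MODIFIED' | 'MISSING'} for every watched file."""
        result = {}
        for name in WATCHED:
            path = os.path.join(driver_dir, name)
            if not os.path.exists(path):
                result[name] = "MISSING"
                continue
            digest = file_md5(path)
            result[name] = "ok" if baseline.get(name) == digest else "MODIFIED"
        return result


    def demo():
        """Constructed sample: fake driver files in a temp dir, baselined clean,
        then tcpip.sys is altered and ipsec.sys removed to show both verdicts."""
        d = tempfile.mkdtemp()
        for name in WATCHED:
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"clean " + name.encode())
        baseline = {n: file_md5(os.path.join(d, n)) for n in WATCHED}
        with open(os.path.join(d, "tcpip.sys"), "ab") as f:
            f.write(b"\x90" * 16)          # constructed change, not a real patch
        os.remove(os.path.join(d, "ipsec.sys"))
        return check_drivers(d, baseline)


    if __name__ == "__main__":
        for name, status in demo().items():
            print(f"{name:14} {status}")
    ```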
     
  13. thisisu

    thisisu Malware Consultant

    Did you already do this? Noticed you attached 2 combofix logs.
     
  14. ponzaleo

    ponzaleo Private E-2

    Still no internet connection. I am running the programs and will send you the logs you requested. I am a bit slow with no internet connection on the infected computer.

    After the second run of ComboFix, ComboFix said I had Rootkit.ZeroAccess and it was in the tcp/ip stack.

    will get back to you.

    Don
     
  15. thisisu

    thisisu Malware Consultant

    No problem. Take your time. We'll be here when you are ready to proceed.
     
