completed cleaning but...

Hi there and a warm welcome.

Then you need to attach logs from

• SUPERantispyware
• Malware Bytes
• RootRepeal (Unless you have 64 bit windows)
• Combofix
• MGTools

Then you need to run the below and attach the log.

Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

• Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
• Now double click the TDSSkiller.exe file to run it ( if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrartor.
• Allow the application to run and a window will open showing that it is TDSSkiller from Kaspersky
• Click Start scan
• It will run rather quickly and will notify you of whether anything is found or not.
• Follow the instructions to delete/quarantine if asks you what to do when if finds something.

Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

 

You still need to attach these logs:

• SAS
• MBAM
• TDSSKiller log

 

Also the log from RootRepeal needs to be attach. You attached the RootRepeal program that you downloaded.

 

First off, it is a very bad idea to allow all users to have Admin. privileges!!

TDSSKiller took care of part of your issues, so let's get rid of the rest.

Please use add/remove programs to uninstall:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 17
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File::
C:\Documents and Settings\Tad Ackerman\Local Settings\Application Data\cheprtrau\hbgmrwntssd.exe
C:\Documents and Settings\Tad Ackerman\Local Settings\Application Data\asam.exe
C:\Documents and Settings\Tad Ackerman\Local Settings\Application Data\tilraoytg\ysncfkhtssd.exe
c:\windows\ecumenipavu.dll
Folder::
C:\Documents and Settings\Tad Ackerman\Local Settings\Application Data\cheprtrau
C:\Documents and Settings\Tad Ackerman\Local Settings\Application Data\tilraoytg
C:\Documents and Settings\Tad Ackerman\Local Settings\temp\gfpvcljmm
C:\Documents and Settings\Tad Ackerman\Local Settings\temp\jykdghrcq
C:\Documents and Settings\Tad Ackerman\Application Data\16ced5

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yjimuc"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"snjimiwp"=-
"asam"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\AutorunsDisabled]
"snjimiwp"=-
"asam"=-
"bhqlkgfu"=-

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now download and install:
Java Runtime 6

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

 

It's just where it was described:

C:\MGTools\analyse.exe and not it is not the same as MGTools.exe

 

You did not fix anything that I asked you to do. Also:

Which is probably why Combo never completed. I do not even see it listed as being on your desktop where it should be.

Please follow these instructions:

Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract+ avenger.exe from the Zip file and save it to your desktop

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

* Run avenger.exe by double-clicking on it.
* -Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run Ccleaner to clean out only temp files and nothing else!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\Avenger.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

 

If you never actually ran it, you will not find a log.

 

I will caution you again about allowing all users to have Admin. privileges!!

You did not do the HJT fix. SO for the third time:

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

Now I suggest that you run both SAS and MBAM on each user account. Attach the logs that show infections and be sure to identify them so I know which user account they come from.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
* C:\MGlogs.zip