I have a nasty and i need some help in cleaning this off of my system.There is an awful Anitvirus ad that pops up saying that my computer is infected and that "Antivirus Pro 2010" can fix the problem. Sounds to me like this is the problem.

Here is the list of steps I have taken that has lead me to this post.

step 1- the option to view hidden files is not available for me to change (my

Computer/ tools/folder options/ the only thing i see is....
Map network drive...
Disconnect network drive
Synchronize

Also I am logged in as the administrator and under my computer/ properties

there is no tab that is labeled System Restore.

Step 2- Atf- cleaner downloaded

Step 4- Antivirus pro 2010

also these icons keep installing on my desktop...
"C:\Program Files\Internet Explorer\iexplore.exe" nudetube.com

"C:\Program Files\Internet Explorer\iexplore.exe" youporn.com

"C:\Program Files\Internet Explorer\iexplore.exe" pornotube.com

Step 5- show all files option unavaliable
he option to view hidden files is not avaliable for me to change (my

Computer/ tools/folder options/ the only thing i see is....

Map network drive...
Disconnect network drive
Synchronize

Step 6- will not run Microsoft® Windows® Malicious Software Removal Tool .. says it is extracting files/ dialog box disappears and

then nothing...

Step 7- ATF Cleaner Successful

Step 8- Malwarebytes' Anti-Malware will not run setup

Step 9- ESET results are as follows....

C:\Documents and Settings\Guest\Local Settings\Temp\debug.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Guest\Local Settings\Temp\install.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Guest\Local Settings\Temp\svchost.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Guest\Local Settings\Temp\system.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Guest\Local Settings\Temp\taskmgr.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\I386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent application cleaned by deleting - quarantined
C:\WINDOWS\braviax.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\cru629.dat Win32/Small.EJX trojan cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\braviax.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\cru629.dat Win32/Small.EJX trojan cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\tapi.nfo Win32/Oficla.F trojan cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\wingenocx.dll Win32/Adware.CoreguardAntivirus application cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\wisdstr.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\_scui.cpl a variant of Win32/Kryptik.AKT trojan cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys a variant of Win32/UltimateDefender.A trojan cleaned by deleting - quarantined
C:\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS a variant of Win32/UltimateDefender.A trojan unable to clean
C:\WINDOWS\SYSTEM32\DRIVERS\ce369842.sys a variant of Win32/Rustock.NKU trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\1846686026.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\2245236574.exe a variant of Win32/Kryptik.AKT trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\735105362.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\973492060.exe a variant of Win32/Kryptik.AKT trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\csrss.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\install.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\login.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\lsass.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\mdm.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\msupd_2.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\notepad.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\services.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\smss.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\spoolsv.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\svchost.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\system.exe a variant of Win32/Kryptik.AIQ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\TMP000000010A13B33D6A0CEDB1 a variant of Win32/Cryptoz trojan cleaned by deleting - quarantined
Operating memory Win32/Olmarik.KI trojan contained infected files


I cannot get Hijack this to run and am stuck at this point...I need a little help!!

I cannot get Hijack this to run and am stuck at this point...I need a little help!!

Please download FindIt.zip and Extract the FindIt folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run. (10-20 seconds)
A log should pop up - please post that for me.

PP :)

this is the log that popped up...

Looking for cngaudit.dll

No matches found.


Looking for eventlog.dll

C:\I386\
eventlog.dll Wed Aug 4 2004 6:00:00a A.... 55,808 54.50 K

C:\WINDOWS\$NTSER~3\
eventlog.dll Wed Aug 4 2004 6:00:00a ..... 55,808 54.50 K

C:\WINDOWS\SYSTEM32\
eventlog.dll Sun Apr 13 2008 7:11:54p A.... 62,464 61.00 K

C:\WINDOWS\SERVIC~1\I386\
eventlog.dll Sun Apr 13 2008 7:11:54p ..... 56,320 55.00 K

4 items found: 4 files, 0 directories.
Total of file sizes: 230,400 bytes 225.00 K


Looking for logevent.dll

C:\WINDOWS\SYSTEM32\
logevent.dll Sun Apr 13 2008 7:11:54p A.... 56,320 55.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 56,320 bytes 55.00 K


Looking for netlogon.dll

C:\I386\
netlogon.dll Wed Aug 4 2004 6:00:00a A.... 407,040 397.50 K

C:\WINDOWS\$NTSER~3\
netlogon.dll Wed Aug 4 2004 6:00:00a ..... 407,040 397.50 K

C:\WINDOWS\SYSTEM32\
netlogon.dll Sun Apr 13 2008 7:12:02p A.... 407,040 397.50 K

C:\WINDOWS\SERVIC~1\I386\
netlogon.dll Sun Apr 13 2008 7:12:02p ..... 407,040 397.50 K

4 items found: 4 files, 0 directories.
Total of file sizes: 1,628,160 bytes 1.55 M


Looking for scecli.dll

C:\I386\
scecli.dll Wed Aug 4 2004 6:00:00a A.... 180,224 176.00 K

C:\WINDOWS\$NTSER~3\
scecli.dll Wed Aug 4 2004 6:00:00a ..... 180,224 176.00 K

C:\WINDOWS\SYSTEM32\
scecli.dll Sun Apr 13 2008 7:12:06p A.... 181,248 177.00 K

C:\WINDOWS\SERVIC~1\I386\
scecli.dll Sun Apr 13 2008 7:12:06p ..... 181,248 177.00 K

4 items found: 4 files, 0 directories.
Total of file sizes: 722,944 bytes 706.00 K

this is the log that popped up...

OK - Let's do this next:

Please Download Win32kDiag from a linky below and save it to your Desktop. Leave it there for now.
http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.


THEN:

Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f –r

That should produce a log, as well. Please post it for me.

Let me know if you ran into any difficulties along the way with these instructions and we'll go from there.


PP :)

here are the logs I was given

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\SYSTEM32\logevent.dll|C:\WINDOWS\SYSTEM32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

==

Running from: C:\Documents and Settings\Ashley Austin\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Ashley Austin\Desktop\Win32kDiag.txt

Removing all found mount points.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\SYSTEM32\dumprep.exe

[1] 2004-08-04 06:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:18 10752 C:\WINDOWS\SYSTEM32\dumprep.exe ()

here are the logs I was given

AllRightyThen! Let's now do this:

If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to DL a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to svchost.com and then download it to your desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me.


PP :)

Combo Fix Log

Ok - You are making good progress.

Now:
-- Download the attached file CFScript.txt to your Desktop
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.

Then:
Please download JavaRa.zipto your Desktop and Extract it to its own folder.
-- DoubleClick on JavaRa.exe to run it and then select your language of choice.
-- Click Remove Older Versions.
-- Follow the prompts and a log will pop up. You can post this if you wish - I really don't need it, though.
-- Then, please go to http://www.java.com/en/ to download and install the latest version of Java.


NEXT:
Check and see if MBA-M can be updated and will run now (in Normal Windows Boot) and, if it does, do a Full Scan and have it remove what it finds and post that log too....


Also - I do not know what these are:
c:\program files\Common Files\qyroj.dat
c:\windows\puguk.dat
c:\windows\anolod.dat
c:\windows\ewopoho.dat
c:\windows\carupy.com
c:\windows\ydaqi.dat
c:\windows\system32\ezivufely.dat
c:\program files\Common Files\potup.lib
c:\program files\Common Files\sakefifo._sy
c:\program files\Common Files\xipywixe.lib
c:\program files\Common Files\ewaloc._sy
c:\program files\Common Files\yjur.db

Go here ---> and use the Browse Button at the top of the page to navigate to each of those items and and Upload them for analysis.
If they come back as malware, you'll need to DELETE them.

Let me know how you fare with these steps and we'll go from there.

PP:)

thank you so much! and Thanks a million for the Help!!

regarding ...
"Also - I do not know what these are:
c:\program files\Common Files\qyroj.dat
c:\windows\puguk.dat
c:\windows\anolod.dat
c:\windows\ewopoho.dat
c:\windows\carupy.com
c:\windows\ydaqi.dat
c:\windows\system32\ezivufely.dat
c:\program files\Common Files\potup.lib
c:\program files\Common Files\sakefifo._sy
c:\program files\Common Files\xipywixe.lib
c:\program files\Common Files\ewaloc._sy
c:\program files\Common Files\yjur.db"

none of these came back as Malware!

You are welcome - Happy to help :)

Everything looks OK to me. I think you are good to go - How are things working now?

--- I am still a bit worried about those files you scanned, but if they came back clean it would be best to err an the side of caution and leave them alone.

Let's remove Combofix and the files/folders it created:

-- First, change the name of Combofix back to Combofix.exe

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and it’s components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

Let me know how things are working and if Combofix was successfully removed.

Cheers :)
PP

ComboFix was successfully removed.

Everything is back to working conditions! Best of all.. no more annoying pop up ad!

Once again thank you so much for your help. It is greatly appreciated!

**Monica**

Once again thank you so much for your help. It is greatly appreciated

You're welcome, Monica :)

If all is working properly, please mark this one as solved.

Cheers :)
PP