Rookie spyware infectee...please help!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by gordon_24, Apr 21, 2005.

  1. gordon_24

    gordon_24 Private E-2

    On 4/19, I clicked on a site and got bombarded with spyware stuff. Ever since then, I got tons of pop ups. I got this on my work computer, so had the IT staff do some magic, I downloaded Ad Aware, Microsoft Antispyware, and SpySweeper. All of these actions have deleted the aurora pop ups and others I had, but I still get about 13 in a two hour frame whether or not I am connected to IE.

    They are all the Microsoft pop ups if that means anything to you.

    So far they have been non-offensive...google, debt consolidation, party poker, Monster, etc.

    I did a Hijack This scan and have a log, but won't post until asked.

    Please help!

    While they are not near as annoying as there were before IT helped and I downloaded those programs above, they are still annoying.

    Brandon
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:


    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. gordon_24

    gordon_24 Private E-2

    Ok after doing ALL of the advised procedures and a couple hours of wasted work time, I am still getting the pop ups.

    Now what?
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Read my post carefully and you would know; please post a current HJT log from normal mode. Read my previous post and you will see what I'm talking about.
     
  5. gordon_24

    gordon_24 Private E-2

    Here is my Hijack This log
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    wlpq.exe

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

    O4 - HKLM\..\Run: [ievfo] C:\WINDOWS\System32\civckkp\ievfo.exe
    O4 - HKLM\..\Run: [nvvnydde] C:\WINDOWS\System32\awhd\nvvnydde.exe
    O4 - HKCU\..\Run: [KBr2RTHEg] ltfservc.exe

    O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0026.exe
    O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://naveed04/nav/webinst.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab

    O23 - Service: nvvnyddeawhd - Unknown owner - C:\WINDOWS\System32\awhd\nvvnydde.exe (file missing)
    O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\civckkp ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\awhd ←–– Delete this whole folder if it exists!

    C:\WINDOWS\system\wlpq.exe

    ltfservc.exe ←–– Search for this file and delete when found!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
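    The entries bjgarrick picked out above share a few traits that make them stand out in a HijackThis log: a BHO with no file behind it, Run keys pointing into throwaway subfolders of System32 or at a bare filename, an ActiveX download that is a raw .exe, and services whose binary is already missing. The script below is an added example, not part of this thread or of HijackThis itself; it parses lines in the HJT log format and applies those heuristics to the entries quoted in the post (plus one constructed benign ctfmon.exe Run entry to show a line that is not flagged). The heuristics and reason strings are my own choices, not rules from the tool.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log: the entries quoted in the post above, plus one
# constructed benign O4 line (ctfmon.exe) that should NOT be flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [ievfo] C:\WINDOWS\System32\civckkp\ievfo.exe
O4 - HKLM\..\Run: [nvvnydde] C:\WINDOWS\System32\awhd\nvvnydde.exe
O4 - HKCU\..\Run: [KBr2RTHEg] ltfservc.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0026.exe
O23 - Service: nvvnyddeawhd - Unknown owner - C:\WINDOWS\System32\awhd\nvvnydde.exe (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
"""

# Every HJT entry starts with a section code ("O2", "O4", ...) followed by " - ".
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def _reasons_for(section, body):
    """Return the (assumed, hand-written) suspicion reasons for one entry body."""
    reasons = []
    if section == "O2" and "(no file)" in body:
        reasons.append("BHO registered but its DLL is gone")
    if section == "O4":
        # The launch target follows the "[name]" value label.
        m = re.search(r"\] (.*)$", body)
        target = m.group(1).strip() if m else ""
        if "\\" not in target:
            reasons.append("autorun target has no path (resolved via PATH lookup)")
        elif re.search(r"\\system32\\[^\\]+\\[^\\]+$", target, re.I):
            reasons.append("autorun target lives in a subfolder of System32")
    if section == "O16":
        if re.search(r"\.exe\s*$", body, re.I):
            reasons.append("ActiveX download points at a bare .exe")
        if re.search(r"\{[0-9A-F-]+\} - http", body, re.I):
            reasons.append("downloaded object has no friendly name")
    if section == "O23":
        if "(file missing)" in body:
            reasons.append("service binary is missing")
        if "Unknown owner" in body:
            reasons.append("service has no recorded publisher (weak signal alone)")
    return reasons


def triage(log_text):
    """Parse HJT-format text and return only the entries that trip a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, headers, non-entry text
        section, body = m.groups()
        reasons = _reasons_for(section, body)
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

    Running it flags seven of the eight sample lines and leaves the ctfmon.exe entry alone; the point is that the signals here are structural (missing file, odd location, no path, no publisher name), so the same checks apply to a fresh log with different random folder names.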
     
  7. gordon_24

    gordon_24 Private E-2

    Ok after completing your most recent request, I ran into some problems potentially.

    While in same mode, I was unable to delete the following:

    C:\\windows\system 32\civckkp

    C:\\windows\system 32\awhd

    The error message I got was "cannot delete civckkp (and awhd): the directory is not empty."

    I re-ran Hijack This and have attached the new log.
     

    Attached Files:

  8. gordon_24

    gordon_24 Private E-2

    obviously I meant safe mode not same mode.

    I have not had any popups (yet) on this rebooting, but then again it's only been a few minutes.
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with Hijack This and have it fix this entry:

    O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)

    After removing this entry your log will be clean!

    Reboot, into Safe Mode:

    C:\WINDOWS\System 32\civckkp

    C:\WINDOWS\System 32\awhd

    Go into each of these two folders and delete everything in them, then go back and delete the folder!
     
  10. gordon_24

    gordon_24 Private E-2

    Over an hour has gone by AND NO POP UPS HAVE SURFACED!!!! YES!!!

    As for those folders. I don't know if I can't remove them because I am on a work (network) computer or what. But when I double click on them it says: "...is not accessible. Access is denied."

    So I can't delete them.

    Running Hijack This now. Will post new log.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The account you're logged in under, does it have Admin privileges?
     
  12. gordon_24

    gordon_24 Private E-2

    I don't think it does because it is a computer on a network of over 40,000 employees. So I assume I am not.

    By the way, on Friday, I went 4 hours with no popups after completing the tasks above/below. I THINK that this is now fixed.

    Can you give me hints to what these folders are that you are having me delete that I can't get to?
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    All I know is that they are bad and don't belong in that folder. It could be a permissions problem or because something is in use. Go into Control Panel and open Folder Options. Go to the View Tab and scroll down towards the bottom and look for "Use simple file sharing (Recommended)" and uncheck this. Click OK.

    Now, Right click on each folder, select properties, then click on the Security Tab. Click the Advanced button and go to the OWNER TAB. Find your account name, select it and hit ok. Then hit OK to exit.

    Now, Right click on the folder again, select properties, then click on the Security Tab. Now, click ADD to add your username. Type your name in the box when it pops up. After you enter your name it will show in the list, select your name and click the box below that says "Full Control", press OK.

    You will need to do this for BOTH folders. After you do this you should have access to them.
     
  14. gordon_24

    gordon_24 Private E-2

    I just can't change the properties no matter what I do. I followed your instructions to a T. But alas, NO POP-UPS HAVE HAPPENED EITHER ON FRIDAY OR TODAY.

    So I am going to say, PROBLEM FIXED.

    Thank you and YOU ROCK!!!!!
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

