Serious adware problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jdm2104, Sep 18, 2007.

  1. jdm2104

    jdm2104 Private E-2

    Hi,

    Yes, I was able to run the registry fix :) I have attached the logs.

    Many thanks
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First question, are you familiar with the below?

    Second, I would like you to run Registrar Lite to see if we can view that particular registry key.

    - Download Registrar Lite

    Once downloaded and installed, launch the program and navigate to the following key:

    Do you see any entries? Can you take a screenshot and attach it of what you're seeing when viewing this key?
     
  3. jdm2104

    jdm2104 Private E-2

    Yes, I'm pretty sure that has something to do with where I work. AD stands for active directory.

    I hope the screen shot is ok.
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Go back into Registrar Lite if you have not yet closed it and locate that entry again.

    This time, right click on dj6fn6a and select DELETE.

    Let me know if you get any errors. If you do not get any errors and it appears to have been deleted, close Registrar Lite and open it again. See if it comes back; if it does not, reboot and attach fresh HJT and GetRunKey logs.
     
  5. jdm2104

    jdm2104 Private E-2

    Deleted dj6fn6a from the registry with no problems. When I restarted Registrar Lite it was not there. However, after rebooting and checking before posting these logs, it was there again.

    The logs are attached.
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before we do anything else, run this Using Sophos Anti-Rootkit and attach the log.

    Also, download ExploreXP and see if you can locate the file "dj6fn6a.dll", it should be located in C:\WINDOWS\system32.

    If you see it, ZIP it and attach it to your next post so we can have a look at it.
     
  7. jdm2104

    jdm2104 Private E-2

    sophos log
     

    Attached Files:

  8. jdm2104

    jdm2104 Private E-2

    Here is the zipped file. I couldn't find it in the system32 folder. After searching all of the C drive a copy was found in the avenger backup folder.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I want to look for the existence of another file. Please do the below.

    Click Start and select Search
    Now Select "All files and folders"
    Enter the korcdsbhpqf in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    • Search system folders
    • Search hidden files and folders
    • Search subfolders
    Then click the Search button.

    Report back what is found (if anything).
     
  10. jdm2104

    jdm2104 Private E-2

    I ran a search but nothing was found with that name unfortunately.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are the below two programs things you knowingly installed?
    AdPush Software
    XiaoiAlerts
     
  12. jdm2104

    jdm2104 Private E-2

    No, I don't know anything about these programs. They are in add/remove programs, shall I uninstall them?

    David
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes if they appear in Add/Remove Programs, uninstall them. Also tell us if you see anything else in Add/Remove Programs that you do not recognize.

    After uninstalling those two items, use RegistrarLite to delete that dj6fn6a registry key again.

    Then, while still in RegistrarLite, select the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce key and then on the top menu select Security and then Edit Permissions. In the Permissions form that opens up, tell me what group or user names appear and what the permissions are for each one. For example, if you see System in the top box, select it and then look in the lower box to see Permissions for System and tell me what is checked for the Read, Full Control and Special Permissions options. I want the same info for all user names appearing in the top box.
     
  14. jdm2104

    jdm2104 Private E-2

    I've uninstalled the two programs. I found something else I wasn't sure about in add/remove called "SD secure module". When I try to uninstall it, it says:

    Then it asks for the folder containing SD secure module.msi

    Unfortunately Registrar lite won't let me edit permissions. When clicking on security->edit permissions it asks me whether I want to purchase the full version or continue with lite. Is there another way?

    I deleted the key though.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not really want you to delete it, but did it come back after the next reboot?

    If it came back, uninstall the copy of Registrar Lite that you have installed now and then reboot. After reboot, install the below version and see if you cannot follow my previous instructions:

    Registrar Lite 2.00


    Also please run this: Using Silent Runners and attach the log.
     
    Last edited: Oct 4, 2007
  16. jdm2104

    jdm2104 Private E-2

    The new version of Registrar Lite is the same. It does not allow me to set permissions.

    I ran the Silent runners script (please find the log attached).
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Darn!!!! I thought that older one would be okay! Uninstall it and try the below version that BJ has saved. It is the one we use and it does allow for this:

    RegistrarLite 2.00 build 200.30803


    Did you knowingly install and do you use Kontiki?

    Also, can you check to see if it is related to things that your company is possibly doing with that VBS script we asked about. During boot up, your company appears to be running a bunch of stuff. See if anyone else also has the dj6fn6a key in their HJT log.
     
    Last edited by a moderator: Oct 6, 2007
  18. jdm2104

    jdm2104 Private E-2

    That version of Registrar works okay. Permissions are as follows:

    Administrators - all three options are allowed

    CREATOR OWNER - only special permissions has "allow" checked.

    Power users - just read and special permissions are allowed.

    sengdjm (this is my account) - just read and full control are allowed.

    SYSTEM - all three options are allowed

    Users - just read and special permissions are allowed

    In answer to your second question - no, I have not knowingly installed Kontiki.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Change the Permissions for Administrators and SYSTEM by putting a check in the Deny column for the Full Control option (this will automatically put a check in the Deny Read box too). Then click Apply and OK the popup warning. Do this for both Administrators and SYSTEM.

    Then delete that dj6fn6a registry key again. And then tell me does it come back? I think you said last time it only came back after a reboot. If that is true, then you will need to reboot to see if it comes back. Also watch for error messages and tell me if you get any and what they say exactly.


    Okay we will look into removing this too. Run the below procedure and attach the requested log:

    Getting Uninstall Programs List From The Registry
     
  20. jdm2104

    jdm2104 Private E-2

    Hi,

    I changed the permission on SYSTEM and admin but after that dj6fn6a just disappeared. It also said "Access denied" on the run once, and the folder icon turned red. I tried restarting registrar and changing back the permissions and dj6fn6a appeared again??

    The other log is attached. I had to zip it because it was over the permitted size for posting.

    David
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay before we continue with this, let's take care of some other items and also get some new logs. After I looked back a bit, it appears that some items that were supposed to get fixed by various procedures may not have been fixed.


    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to KService
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below Service (if you do not find it or get any errors, just continue):
      • Symantec Core LC
    • Click OK until you get back to Windows.



    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush.dll
    O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\RunOnce: [dj6fn6a] %systemroot%\system32\Rundll32.exe %systemroot%\system32\dj6fn6a.dll,DllUnregisterServer
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\Khost.exe -all
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe

    After clicking Fix, exit HJT.


    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT
     
  22. jdm2104

    jdm2104 Private E-2

    I ran all the instructions with no errors. However, CPUSH was not on the HJT list so I could not select it.

    Please find the logs attached.

    Thanks
     

    Attached Files:

  23. jdm2104

    jdm2104 Private E-2

    Runkeys log
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay back to the issue with the registry key. Let's change things a little from what I gave you last time.

    Run Registrar Lite then delete that dj6fn6a registry key again.

    Now select the below key by clicking on it

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

    Then change the Permissions for the above key by selecting Security, Edit Permissions. Then select the SYSTEM user and put a check in the Deny column for the Full Control option (this will automatically put a check in the Deny Read box too). Then click Apply and OK the popup warning. Do this only for SYSTEM.

    Now double check to see if the dj6fn6a registry key is still gone.
    If yes, then open up a browser and check to see if the dj6fn6a key is still gone.
    If it is still gone, then reboot and then tell me does it come back?

    If it did come back, please run the below procedure and attach the log:

    Running GMER to detect rootkits
     
  25. jdm2104

    jdm2104 Private E-2

    Hi,

    I changed the permissions and then deleted the key but it came back after restarting (not after restarting the browser). I ran the gmer scan and have attached the results.

    David
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is this the order you did it in? Because that is not the order that I requested.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay GMER showed us some other hidden problems. Before we continue with fixing them, I need you to run the below.


    Now please download ProcessDLL.zip and save to your desktop.

    Extract the ProcessDll.exe file from inside and run it by double clicking on it.

    This will create a new file on your Desktop called procdll.txt

    Attach this log as your next post.

    Also take a look (with Windows Explorer not Windows Search) for anything named similar to the below file. Don't do anything with it, just look and report back:
    C:\WINDOWS\system32\winlib
     
  28. jdm2104

    jdm2104 Private E-2

    I did follow the correct order in your other post, just replied in the wrong order.... apologies.

    Please find procdll.txt attached.

    I could not find that file in system32 or anything similar. There were plenty of files beginning with win but nothing called winlib. Some of the similar files were:

    wininet
    winipsec
    winlogon
    winmine
    winmm
    winmsd
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Continue by downloading a tool we will need

    - Process Explorer

    Extract it to its own folder somewhere that you will be able to locate it later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    winlib.dll

    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLS, just continue on.)


    Now just exit Process Explorer.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\RunOnce: [dj6fn6a] %systemroot%\system32\Rundll32.exe %systemroot%\system32\dj6fn6a.dll,DllUnregisterServer

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 8 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
  30. jdm2104

    jdm2104 Private E-2

    Hi,

    I have attached the logs from the latest tests.

    There were 3 instances of winlib.dll running when I checked with Process Explorer.

    Could you tell me if it's ok to use Flock as my main web browser? I've been having problems with IE 6. I need to use an automatic proxy configuration script where I work. However, when starting IE the address of the script is always changed to something different. This never happens with Flock.

    David
     

    Attached Files:

  31. jdm2104

    jdm2104 Private E-2

    HJT log
     

    Attached Files:

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have to ask why software we had already uninstalled multiple times (CPUSH/AdPush Software) keeps coming back. Are you reinstalling or is anyone else reinstalling software on this PC while we are attempting to clean it up?

    Uninstall AdPush Software now and make sure that no one installs anything on this PC unless we request it.

    Also have HijackThis fix the below lines if they still exist:

    O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush.dll
    O4 - HKLM\..\RunOnce: [dj6fn6a] %systemroot%\system32\Rundll32.exe %systemroot%\system32\dj6fn6a.dll,DllUnregisterServer


    Now exit HijackThis and delete the below folder:
    C:\Program Files\Common Files\CPUSH

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run the procedure with GMER again to get a new log!


    Now attach new logs from:
    • HijackThis
    • ShowNew
    • GMER log
    • also get a new procdll.txt log
    I don't know too much about Flock but I do not believe it is considered malware.
     
    Last edited: Oct 8, 2007
  33. jdm2104

    jdm2104 Private E-2

    Hi,

    I've definitely not installed or reinstalled any software recently (apart from what I've been told to install on this forum).

    I followed your steps in order and uninstalled adpush with no problems. However, the HJT entries you asked me to remove were not there. Also, the CPUSH folder was not in the common files directory.

    Please find the latest logs attached.

    Thanks,

    David
     

    Attached Files:

  34. jdm2104

    jdm2104 Private E-2

    and the procdll.txt
     

    Attached Files:

  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    winlib.dll

    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLS, just continue on.)


    Now just exit Process Explorer.

    Run HijackThis (select Do a system scan only) and select the following lines (if found) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\RunOnce: [dj6fn6a] %systemroot%\system32\Rundll32.exe %systemroot%\system32\dj6fn6a.dll,DllUnregisterServer

    After clicking Fix, exit HJT.
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Get a new log from GMER.

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GMER log
    3. ShowNew
    4. HJT
    Also please put a copy of the below file into a ZIP file and attach it here. I think it is for Registrar Lite but I want to be sure.

    C:\WINDOWS\system32\rrMon.sys


    Make sure you tell me how things are working now! Also DO NOT reboot or power down your PC after attaching the above logs! Wait for the next steps!!
     
  36. jdm2104

    jdm2104 Private E-2

    Hi,

    I killed 4 instances of winlib with process explorer. However, when I ran HJT afterwards there was no entry for:

    I have attached the logs from all of your steps in the previous post.

    Generally, my laptop seems to be running ok. It's a bit more sluggish than usual when browsing the internet, and the processor fans seem to be on a lot more though.

    I will leave it switched on till your next post.

    Thanks
     

    Attached Files:

  37. jdm2104

    jdm2104 Private E-2

    HJT log and the zipped rrMon.sys file you asked for.
     

    Attached Files:

  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay it looks like we may almost be finished.

    The rrMon.sys was from Registrar Lite as I expected.

    Run HijackThis (select Do a system scan only) and select the following lines (if found) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll


    After clicking Fix, exit HJT.
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Get a new log from GMER.

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GMER log
    3. ShowNew
    4. HJT
    Make sure you tell me how things are working now!

    This is more than likely not a malware issue. It could just be due to things you are allowing to run at startup and the fan issue may be a sign of overheating. You should consider not running the below at startup especially BitComet which will slow down your surfing and overall PC performance.


    O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
    O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
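    As an added example (mine, not a tool from the thread or from the HijackThis authors): a small Python parser for the O2 and O4 lines quoted in the posts above. It flags the two patterns the helpers keep returning to: a RunOnce value that is still present in a scan taken after a reboot (Windows deletes a RunOnce value once it has executed, so one that survives is being re-created by something else) and a BHO registration whose DLL is missing. The two log excerpts are constructed from the lines quoted in this thread; the "(file missing)" suffix is the one HJT appends when the referenced file is gone.

    ```python
    """Parse HijackThis O2/O4 lines and flag the persistence patterns discussed above."""
    import re
    from dataclasses import dataclass
    from typing import List, Optional

    # Constructed sample, assembled from the O2/O4 lines quoted in the thread.
    SAMPLE_HJT = r"""
    O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush.dll
    O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\RunOnce: [dj6fn6a] %systemroot%\system32\Rundll32.exe %systemroot%\system32\dj6fn6a.dll,DllUnregisterServer
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\Khost.exe -all
    O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    """

    # Constructed second scan, standing in for a log taken after the reboot: the
    # RunOnce value is back although a consumed RunOnce value should be gone.
    SCAN_AFTER_REBOOT = r"""
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\RunOnce: [dj6fn6a] %systemroot%\system32\Rundll32.exe %systemroot%\system32\dj6fn6a.dll,DllUnregisterServer
    """


    @dataclass
    class HjtEntry:
        kind: str                  # "O2" (BHO) or "O4" (autostart)
        location: str              # registry key or startup folder as HJT prints it
        name: str                  # BHO display name, Run value name, or .lnk name
        target: str                # DLL path or command line
        clsid: Optional[str] = None
        file_missing: bool = False


    O2_RE = re.compile(
        r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
        r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
    )
    # Run/RunOnce values: "O4 - HKLM\..\RunOnce: [name] command"
    O4_RUN_RE = re.compile(r"^O4 - (?P<location>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
    # Startup-folder shortcuts: "O4 - Global Startup: name.lnk = target"
    O4_LNK_RE = re.compile(r"^O4 - (?P<location>.+?): (?P<name>.+?\.lnk) = (?P<cmd>.*)$")


    def parse_hjt(text: str) -> List[HjtEntry]:
        """Turn the O2/O4 lines of an HJT log into structured entries; other lines are skipped."""
        entries: List[HjtEntry] = []
        for raw in text.splitlines():
            line = raw.strip()
            m = O2_RE.match(line)
            if m:
                entries.append(HjtEntry("O2", "Browser Helper Objects", m["name"],
                                        m["path"], m["clsid"], bool(m["missing"])))
                continue
            m = O4_RUN_RE.match(line) or O4_LNK_RE.match(line)
            if m:
                entries.append(HjtEntry("O4", m["location"], m["name"], m["cmd"]))
        return entries


    def is_runonce(e: HjtEntry) -> bool:
        return e.kind == "O4" and e.location.lower().endswith("runonce")


    def assess(entries: List[HjtEntry]) -> List[tuple]:
        """Return (identifier, reason) pairs for entries worth a second look."""
        findings = []
        for e in entries:
            if e.kind == "O2" and e.file_missing:
                findings.append((e.clsid, "BHO registration points at a DLL that is not on disk; orphaned key"))
            elif is_runonce(e):
                cmd = e.target.lower()
                if "rundll32" in cmd and "dllunregisterserver" in cmd:
                    findings.append((e.name, "RunOnce loads a DLL through rundll32 DllUnregisterServer"))
                else:
                    findings.append((e.name, "RunOnce value present; should disappear after next logon"))
        return findings


    def reappearing_runonce(before: List[HjtEntry], after: List[HjtEntry]) -> List[str]:
        """RunOnce value names present in both scans, i.e. ones that survived a reboot."""
        names_before = {e.name for e in before if is_runonce(e)}
        names_after = {e.name for e in after if is_runonce(e)}
        return sorted(names_before & names_after)


    if __name__ == "__main__":
        first = parse_hjt(SAMPLE_HJT)
        for ident, reason in assess(first):
            print(f"{ident}: {reason}")
        print("survived reboot:", reappearing_runonce(first, parse_hjt(SCAN_AFTER_REBOOT)))
    ```

    Comparing two scans is the mechanical version of what the helpers do by hand in this thread: delete the value, reboot, pull a fresh log, and see whether it is back. The "(file missing)" case matches the pctools.dll line later in the thread, where HJT can no longer remove the entry because the DLL is gone but the registration remains.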
     
  39. jdm2104

    jdm2104 Private E-2

    Hi,

    Here are the latest logs. I will leave my laptop switched on until your next post.


    David

    p.s Thanks for the advice on what is likely to be slowing my computer down.
     

    Attached Files:

  40. jdm2104

    jdm2104 Private E-2

    The avenger log
     

    Attached Files:

  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay the below line from HJT did not get fixed. Please try fixing it again and then attach a new log from HijackThis.

    O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll (file missing)

    Everything else looks fine.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  42. jdm2104

    jdm2104 Private E-2

    I've tried to fix the pctools line in HJT but it still stays the same (log is attached anyway).
     

    Attached Files:

  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run Registrar Lite, navigate to the following key by copying and pasting it into the Address Bar of Registrar Lite, and click Go

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    Now take ownership of the BHO registry key by following the below steps.
    • Click-on the above Registry Key
    • Click-on Security in the Menu
    • Select Take Ownership
    Now locate the below subkey under the Browser Helper Objects key and select it and right click on it and select delete:

    {385AB8C6-FB22-4D17-8834-064E2BA0A6F0}

    After deleting the key exit Registrar Lite

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now attach a new HJT log.
     
  44. jdm2104

    jdm2104 Private E-2

    Here is the HJT log. Looks like pctools has gone!
     

    Attached Files:

  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean! Now you need to get your system properly protected which will be included in the below instructions.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  46. jdm2104

    jdm2104 Private E-2

    Hi,

    Thank you very much to you and bjgarrick for helping me. This forum is very helpful and I will recommend it.

    One last problem....

    In number 7 of your final steps it won't let me delete the c:/avenger folder. It says "access denied" (referring to the pctools.dll file inside).

    David
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try booting in safe mode and deleting the folder. If that does not work, go into the c:\Avenger folder and delete each file in there manually. Then try to delete the folder. If this still does not work, look at a new HJT log. Has this pctools.dll line come back?
     
  48. jdm2104

    jdm2104 Private E-2

    I've deleted all the files within c:/avenger apart from one folder named "pctools". This folder has one pctools.dll file inside. I tried to delete it in safe mode but still had the same "access denied" message.

    pctools is not in the HJT log.
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if you can rename the pctools.dll file by right clicking on it and selecting Rename. Just rename it to something like pctools.bad

    Then reboot and see if you can delete the file and then the remaining folders.
     
