Core.Cache.Dsk

Status
Not open for further replies.

Tech88240

Smitfraud is evil.
I have done the following:
Spybot found and removed 29.
Dr. Web found and removed 37.
Ran hi jack this and removed 14 items.
Ran Vundo Fix found nothing.
Ran CCleaner.
Deleted temp and temp int files.
Fixed 292 issues in registry with ccleaner.
Deleted all files associated with Awola.
Ran Smitfraud fix.
Looked through reg myself and removed keys.
Ran HijackThis again, removed 11 items.
Ran A Squared.
Did a repair install.
AVG found and removed 4.
Ran sfc /scannow.
Ran spybot again found and removed 30.
Manually removed C:\Windows\system32\drivers\core.cache.dsk
Ran checkdisk.
Ran combofix.
Went into recovery console and tried deleting core.cache.dsk again and it was not there. I still don't see it, so it had to leave something, right?
Cannot change background. Nothing above "All Programs". I've even tried going into Start menu properties and enabling IE and email to be there, but every time it's not there, even in safe mode.
Here is the latest HiJackThis log



Thanks in advance:)
 
What did you remove with HijackThis?

Next, please follow these instructions. Your version of HijackThis is out of date AND installed in the wrong folder.

First please go to Start -> Control Panel -> Add/remove programs and uninstall Hijackthis.

HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.2); it can be downloaded from HERE
  • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
  • After installing, the program launches automatically; select Scan now and save a log
  • After the scan is complete, please attach your log to your reply.
 
I'm at work so I cannot go onto photobucket and save log and etc so I'm not sure how else to do it. I will post it on here as of now and then later remove it. SORRY
 
Who said anything about having to use photobucket? Use the paperclip icon.

You still haven't mentioned what you "fixed" with HijackThis.

I'm going over your log now.
 
lol you'll probably think I'm crazy but I see no paper clip icon, that's what I've been looking for... I bet it's something with the firewall. Thank you for helping :)

I *tried* removing
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

but obviously they didn't remove.... and I didn't write down the other ones I removed.. but I did google them and etc and remove, but the log I did I didn't remove any, just saved log and posted
 
What did you do with ComboFix? It shouldn't be used by untrained people.

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"

DELDOMAINS

Download Deldomains.
  • Save it to your desktop.
  • Right-click DelDomains.inf and select: Install (no need to restart)
  • You may not see any noticeable changes or prompts; this is normal.
Note: The DelDomains.inf file will remove ALL entries in the Trusted, Restricted, and Enhanced Security Configuration Zones. Any entries that you had will need to be entered again. You will have to reimmunize with SpywareBlaster, and/or Spybot after doing this, and reinstall IESpyads if you use any of these programs.

Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below (if still there)
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF4335.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\RunOnce: [combofix] C:\WINDOWS\system32\CF4335.exe /c C:\ComboFix\\Combobatch.bat
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Find and Delete Suspect File
Using Start > Search > All Files and Folders
Click Advanced Options and make sure the following are ticked Search system folders, Search hidden files and folders, Search subfolders
Enter ALCXMNTR.EXE in the 'All or part of file name' box
Select C: in the 'Look in' dropdown box
Click Search Now
Right-click on ALCXMNTR.EXE and select Delete
Repeat for each copy of the file
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.


Do not redownload ComboFix unless instructed to do so.

Post a fresh HijackThis log.

When you post a reply, as in not just using quick reply, you will see this button:
paperclip.jpg


It is the attachment button.
 
Ran ComboFix selection 2 (this is also what I was doing before). Ran HijackThis, removed files selected. Made sure search options were all selected, did search, no files were found. Ran HijackThis.
 
ok,

Go to start>run and type regedit
Navigate here
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults

The settings should look like this
Zonesprotocol.JPG


If not, change them so that they do.

Norton Removal Tool

Use this. You are still running Norton and AVG; get rid of Norton.

After you have done the above, boot into safe mode.

Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below (if still present)
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Boot back into Normal mode.
I would like you to do an online scan so that we can see what else may be in your system.
Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky; click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    o Extended (If available, otherwise use standard)
    o Scan Options:
    o Scan Archives
    o Scan Mail Bases
  • Click OK
  • Under select a target to scan, select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    Kas-SaveReport-1.gif

  • In the Save as... prompt, select Desktop
  • In the File name box, name the file
  • In the Save as type prompt, select Text file (see below)

    Kas-Savetxt.gif

  • Include the report in your next post.

Run another HijackThis scan and post the two logs back as attachments.
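
The ProtocolDefaults check from the regedit step above, as an added example that is not part of the original posts: it reads the zone each O15 line says a protocol "should be" in, converts it to the DWORD stored under the ProtocolDefaults key, and compares that with the values the key holds. The zone numbers (0 My Computer, 1 Intranet, 3 Internet) are the standard Internet Explorer zone IDs; the function names are this example's own.

```python
import re
import sys

# Internet Explorer zone IDs for the zone names that appear in the thread's O15 lines.
ZONE_IDS = {"My Computer": 0, "Intranet": 1, "Internet": 3}
KEY_PATH = (r"Software\Microsoft\Windows\CurrentVersion"
            r"\Internet Settings\ZoneMap\ProtocolDefaults")
O15_RE = re.compile(r"^O15 - ProtocolDefaults: '(?P<proto>[^']+)' protocol is in "
                    r"(?P<cur>.+?) Zone, should be (?P<want>.+?) Zone$")

# Sample input: log lines as quoted in the thread.
SAMPLE_LOG = """\
R3 - Default URLSearchHook is missing
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
"""

def parse_o15(log_text):
    """Return {protocol: (current_zone_id, expected_zone_id)} for each O15 line."""
    findings = {}
    for line in log_text.splitlines():
        m = O15_RE.match(line.strip())
        if m and m["cur"] in ZONE_IDS and m["want"] in ZONE_IDS:
            findings[m["proto"]] = (ZONE_IDS[m["cur"]], ZONE_IDS[m["want"]])
    return findings

def audit(observed, expected):
    """List (protocol, observed, expected) for every value that is wrong or missing."""
    return [(p, observed.get(p), want) for p, want in sorted(expected.items())
            if observed.get(p) != want]

def read_protocol_defaults():
    """Read the live HKEY_CURRENT_USER values (Windows only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY_PATH) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = data
    return values

if __name__ == "__main__":
    expected = {p: want for p, (_cur, want) in parse_o15(SAMPLE_LOG).items()}
    observed = read_protocol_defaults() if sys.platform == "win32" else dict.fromkeys(expected, 0)
    for proto, got, want in audit(observed, expected):
        print(f"{proto}: registry value {got}, should be {want}")
```

Off Windows the script falls back to the state the log describes (every protocol in zone 0), so it still prints the five mismatches; a protocol missing from the key is reported with an observed value of None.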
 
I tried about 3 times yesterday to try to get it to scan but kept telling me I had to be an administrator for the updates to load (ActiveX). I went into the registry and enabled the admin account (hklm\soft\mic\win nt\cur ver\win log on\special accounts\user list) then added administrator as a DWORD and changed value to one.... took longer booting up and still no admin, so right now I'm in safe mode with networking (under admin) running the scan. It is "Initializing kaspersky online scanner". Will post back if I can get it done.

OK, so I just downloaded the free trial because it would not work any other way. I just barely started the scan. I'll post after I'm done.

k it's found 6 so far not done yet but they are deleted 69% complete

ok 8 deleted and one not found?


It won't let me post the Kaspersky, just goes to web page not available after I press upload, even tried in a new message.
 
Detected
--------
Status Object
------ ------
deleted: adware not-a-virus:AdWare.Win32.OneStep.h File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0MHI22H3\upgrade[1].cab/upgrade.exe//stream//data0001
deleted: adware not-a-virus:AdWare.Win32.OneStep.c File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0MHI22H3\upgrade[1].cab/upgrade.exe//stream//data0002
deleted: adware not-a-virus:AdWare.Win32.OneStep.c File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0MHI22H3\upgrade[1].cab/upgrade.exe//stream//data0003
deleted: adware not-a-virus:AdWare.Win32.OneStep.d File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\TGDQYH6U\upgrade[1].cab/upgrade.exe//stream//data0001
deleted: adware not-a-virus:AdWare.Win32.OneStep.c File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\TGDQYH6U\upgrade[1].cab/upgrade.exe//stream//data0002
deleted: adware not-a-virus:AdWare.Win32.OneStep.c File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\TGDQYH6U\upgrade[1].cab/upgrade.exe//stream//data0003
deleted: adware not-a-virus:AdWare.Win32.Rabio.h File: C:\QooBox\Quarantine\C\Program Files\RABCO\RABCO.dll.vir
deleted: adware not-a-virus:AdWare.Win32.TTC.d File: C:\QooBox\Quarantine\C\WINDOWS\system32\c4\np89104.exe.vir//data0002
not found: Trojan program Rootkit.Win32.Agent.to File: C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\wmilibb.sys.vir
deleted: virus EICAR-Test-File File: C:\WINDOWS\Temp\Av-test.txt



I went into WinPE after they were deleted and I restarted PC and found c:\Qoobox and deleted it. Also into C:\doc and set\loc ser\loc set\ and cleaned out temp and temp int files.
 
Really shouldn't have deleted that without me seeing it first.
This, c:\Qoobox, is ComboFix's quarantine folder.

The reason I asked for a Kaspersky scan was that it doesn't take any action, just finds things. I was going to give you instructions after it had finished.

If you want help please stop attempting to fix things yourself.

Download the diagnostic tool MGADiag and save it to your desktop.
  • Double-click on MGADiag.exe.
  • Click Run and Run again.
  • Click Continue, then Copy.
  • Next open Notepad, right-click in the empty pane and select Paste. Save the file to your desktop so that you can attach it here.
 
OK, that wouldn't work. The Windows ActiveX wouldn't download but all are enabled, even tried setting all defaults in IE options, so I'm going to try in safe mode with networking.
 
Well, I did a repair install and made a new user account and that user account seems to be fine, so I'm going to transfer all docs and settings and delete the old one. Hopefully it's just the user account that is infected. Thanks for all your help.
 