TechSpot

Core.Cache.Dsk

By Tech88240
Apr 1, 2008
  1. Smitfraud is evil.
    I have done the following:
    Spybot found and removed 29.
    Dr. Web found and removed 37.
    Ran HijackThis and removed 14 items.
    Ran Vundo Fix found nothing.
    Ran CCleaner.
    Deleted temp and temp int files.
    Fixed 292 issues in registry with ccleaner.
    Deleted all files associated with Awola.
    Ran Smitfraud fix.
    Looked through reg myself and removed keys.
    Ran HijackThis again, removed 11 items.
    Ran A Squared.
    Did a repair install.
    AVG found and removed 4.
    Ran sfc /scannow.
    Ran spybot again found and removed 30.
    Manually removed C:\Windows\system32\drivers\core.cache.dsk
    Ran checkdisk.
    Ran combofix.
    Went into recovery console and tried deleting core.cache.dsk again and it was not there. I still don't see it, so it had to leave something, right?
    Cannot change background. Nothing above "all programs". I've even tried going into start menu properties and enabling IE and email to be there, but every time it's not there, even in safe mode.
    Here is the latest HiJackThis log



    Thanks in advance:)
     
  2. kritius

    kritius TS Guru Posts: 2,084

    What did you remove with HIjackThis?

    Next please follow these instructions. Your version of HijackThis is out of date AND installed in the wrong folder.

    First please go to Start -> Control Panel -> Add/remove programs and uninstall Hijackthis.

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.2); it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically; select Scan now and save a log
    • After the scan is complete please attach your log to your reply.
     
  3. Tech88240

    Tech88240 TS Rookie Topic Starter Posts: 29

    I'm at work so I cannot go onto photobucket and save log and etc so I'm not sure how else to do it. I will post it on here as of now and then later remove it. SORRY
     
  4. kritius

    kritius TS Guru Posts: 2,084

    Who said anything about having to use photobucket, use the paperclip icon.

    You still haven't mentioned what you "fixed" with HijackThis.

    I'm going over your log now.
     
  5. Tech88240

    Tech88240 TS Rookie Topic Starter Posts: 29

    lol you'll probably think I'm crazy but I see no paper clip icon, that's what I've been looking for... I bet it's something with the firewall. Thank you for helping :)

    I *tried* removing
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

    but obviously they didn't remove.... and I didn't write down the other ones I removed.. but I did google them and etc and remove, but the log I did I didn't remove any, just saved log and posted
     
  6. kritius

    kritius TS Guru Posts: 2,084

    What did you do with combofix? It shouldn't be used by untrained people.

    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK
    • When shown the disclaimer, Select "2"

    DELDOMAINS

    Download Deldomains.
    • Save it to your desktop.
    • Right-click DelDomains.inf and select: Install (no need to restart)
    • You may not see any noticeable changes or prompts; this is normal.
    Note: The DelDomains.inf file will remove ALL entries in the Trusted, Restricted, and Enhanced Security Configuration Zones. Any entries that you had will need to be entered again. You will have to reimmunize with SpywareBlaster, and/or Spybot after doing this, and reinstall IESpyads if you use any of these programs.

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below (if still there)
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF4335.exe /c C:\ComboFix\Combobatch.bat
    O4 - HKLM\..\RunOnce: [combofix] C:\WINDOWS\system32\CF4335.exe /c C:\ComboFix\\Combobatch.bat
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Find and Delete Suspect File
    Using Start > Search > All Files and Folders
    Click Advanced Options and make sure the following are ticked Search system folders, Search hidden files and folders, Search subfolders
    Enter ALCXMNTR.EXE in the 'All or part of file name' box
    Select C: in the 'Look in' dropdown box
    Click Search Now
    Right-click on ALCXMNTR.EXE and select Delete
    Repeat for each copy of the file
    Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.


    Do not redownload combofix unless instructed to do so.

    Post a fresh HijackThis log.

    When you post a reply, as in not just using quick reply, you will see the attachment button.
     
  7. Tech88240

    Tech88240 TS Rookie Topic Starter Posts: 29

    Ran combofix selection 2 (this is also what i was doing before). Ran hi jack this removed files selected. Made sure search options were all selected did search no files were found. Ran hi jack this.
     
  8. kritius

    kritius TS Guru Posts: 2,084

    ok,

    Go to start>run and type regedit
    Navigate here
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults

    The settings should look like this
    [​IMG]

    If not, change them so that they do.

    Norton Removal Tool

    Use this, you are still running Norton and AVG, get rid of Norton.

    After you have done the above boot into safe mode,

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below(if still present)
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Boot back into Normal mode.
    I would like you to do an online scan so that we can see what else may be in your system.
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      o Extended (If available, otherwise use standard)
      o Scan Options:
      o Scan Archives
      o Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button
    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file
    • Include the report in your next post.

    Run another HijackThis scan and post the two logs back as attachments.
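
An added example, not part of the post above or of any tool named in the thread: a Python parser that turns the O15 ProtocolDefaults lines quoted in the thread into the DWORD each protocol should hold under the ProtocolDefaults key, and compares values a caller has read from the registry against them. The zone IDs (0 = My Computer, 1 = Intranet, 3 = Internet) are Internet Explorer's standard URL security zone numbers; the function names and the sample log are constructed for illustration.

```python
import re

# Internet Explorer URL security zone IDs, stored as DWORDs under ProtocolDefaults.
ZONE_IDS = {"My Computer": 0, "Intranet": 1, "Internet": 3}
O15_RE = re.compile(
    r"^O15 - ProtocolDefaults: '(?P<proto>[^']+)' protocol is in "
    r"(?P<current>.+?) Zone, should be (?P<expected>.+?) Zone$"
)

# Constructed sample log: the O15 lines quoted in the thread plus one O4 line.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [AlcxMonitor] ALCXMNTR.EXE
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
"""

def parse_o15(log_text):
    """Return one dict per O15 ProtocolDefaults finding in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        m = O15_RE.match(line.strip())
        if m is None:
            continue  # not an O15 ProtocolDefaults line
        current, expected = m["current"], m["expected"]
        if current not in ZONE_IDS or expected not in ZONE_IDS:
            raise ValueError(f"unknown zone name in: {line!r}")
        findings.append({
            "protocol": m["proto"],
            "current": ZONE_IDS[current], "expected": ZONE_IDS[expected],
            # Among these three zones a lower ID is a less restrictive policy.
            "weakened": ZONE_IDS[current] < ZONE_IDS[expected],
        })
    return findings

def expected_values(findings):
    """Map protocol name -> DWORD the ProtocolDefaults key should hold."""
    return {f["protocol"]: f["expected"] for f in findings}

def still_wrong(findings, live_values):
    """Protocols whose live value (dict supplied by the caller) is missing or wrong."""
    return sorted(f["protocol"] for f in findings
                  if live_values.get(f["protocol"]) != f["expected"])

if __name__ == "__main__":
    for proto, zone in expected_values(parse_o15(SAMPLE_LOG)).items():
        print(f"{proto!r} = dword:{zone:08x}")
```

Every finding in the sample is flagged `weakened`, because web protocols mapped to the My Computer zone are handled under that zone's least restrictive policy.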
     
  9. Tech88240

    Tech88240 TS Rookie Topic Starter Posts: 29

    I tried about 3 times yesterday to try to get it to scan but it kept telling me I had to be an administrator for the updates to load (ActiveX). I went into the registry and enabled the admin account (hklm\soft\mic\win nt\cur ver\win log on\special accounts\user list) then added administrator as a DWORD and changed value to one.... took longer booting up and still no admin, so right now I'm in safe mode with networking (under admin) running the scan. It is "Initializing kaspersky online scanner". Will post back if I can get it done

    Ok so I just downloaded the free trial because it would not work any other way I just barely started the scan I'll post after I'm done

    k it's found 6 so far not done yet but they are deleted 69% complete

    ok 8 deleted and one not found?


    it won't let me post the kaspersky, just goes to web page not available after I press upload, even tried in a new message
     
  10. Tech88240

    Tech88240 TS Rookie Topic Starter Posts: 29

    Detected
    --------
    Status Object
    ------ ------
    deleted: adware not-a-virus:AdWare.Win32.OneStep.h File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0MHI22H3\upgrade[1].cab/upgrade.exe//stream//data0001
    deleted: adware not-a-virus:AdWare.Win32.OneStep.c File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0MHI22H3\upgrade[1].cab/upgrade.exe//stream//data0002
    deleted: adware not-a-virus:AdWare.Win32.OneStep.c File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0MHI22H3\upgrade[1].cab/upgrade.exe//stream//data0003
    deleted: adware not-a-virus:AdWare.Win32.OneStep.d File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\TGDQYH6U\upgrade[1].cab/upgrade.exe//stream//data0001
    deleted: adware not-a-virus:AdWare.Win32.OneStep.c File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\TGDQYH6U\upgrade[1].cab/upgrade.exe//stream//data0002
    deleted: adware not-a-virus:AdWare.Win32.OneStep.c File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\TGDQYH6U\upgrade[1].cab/upgrade.exe//stream//data0003
    deleted: adware not-a-virus:AdWare.Win32.Rabio.h File: C:\QooBox\Quarantine\C\Program Files\RABCO\RABCO.dll.vir
    deleted: adware not-a-virus:AdWare.Win32.TTC.d File: C:\QooBox\Quarantine\C\WINDOWS\system32\c4\np89104.exe.vir//data0002
    not found: Trojan program Rootkit.Win32.Agent.to File: C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\wmilibb.sys.vir
    deleted: virus EICAR-Test-File File: C:\WINDOWS\Temp\Av-test.txt



    I went into winpe after they were deleted and I restarted pc and found c:\Qoobox and deleted it. Also into C:\doc and set\loc ser\loc set\ and cleaned out temp and temp int files
     
  11. kritius

    kritius TS Guru Posts: 2,084

    Really shouldn't have deleted that without me seeing it first.
    This, c:\Qoobox, is combofix's quarantine folder.

    The reason I asked for a Kaspersky scan was that it doesn't take any action, just finds things. I was going to give you instructions after it had finished.

    If you want help please stop attempting to fix things yourself.

    Download the diagnostic tool MGADiag and save it to your desktop.
    • Double-click on MGADiag.exe.
    • Click Run and Run again.
    • Click Continue, then Copy.
    • Next open Notepad, in the empty pane right click and select Paste. Save the file to your desktop so that you can attach it here.
     
  12. Tech88240

    Tech88240 TS Rookie Topic Starter Posts: 29

    k here is the log
     
  13. kritius

    kritius TS Guru Posts: 2,084

    Can you go here and follow the steps and then try the diagnostic again?
     
  14. Tech88240

    Tech88240 TS Rookie Topic Starter Posts: 29

    ok that wouldn't work, the windows ActiveX wouldn't download but all are enabled, even tried setting all defaults in IE options, so I'm going to try in safe mode with networking
     
  15. Tech88240

    Tech88240 TS Rookie Topic Starter Posts: 29

    well I did a repair install and made a new user account and that user account seems to be fine, so I'm going to transfer all docs and settings and delete the old one. Hopefully it's just the user account that is infected. Thanks for all your help
     
Topic Status:
Not open for further replies.
