Need spyware assistance

Status
Not open for further replies.
core.cache.dsk removal

I have spent the last 7 days, 3 hrs a day, on Google searching for a removal solution for this file/rootkit. I don't have a Core file or folder anywhere on my machine. All I have is the windows\system32\driver\core.cache.dsk file. My AVG and PC Tools Spyware Doctor can find it and remove it. I can do the same in Safe mode. I have used Killbox to delete it after the next reboot. I don't have System Restore enabled, but after every restart it comes back.

I can't fill out forms on any website for registration or anything. A blank window of Internet Explorer opens up when I try to type anything in a textbox. I thought I was good and smart enough to fight any spyware, but this one has made me surrender. I use the McAfee 2007 suite, fully updated. I have used Ad-Aware SE, Trend HouseCall online virus scan and everything I can find.

I don't want to format and give up. I have been an IT Consultant for 15 yrs now and I don't easily format my hard drive for just a pop-up, and probably you guys will agree with me as well. I don't know where and how it came from. I have nothing in the Registry either. Anyone out there who can suggest another route and help me to get rid of this rootkit? By the way, I have used some rootkit removal software too, which I don't remember the names of. I have downloaded and used anything I can find on the internet to no avail. This is probably my last hope. But I will still not format my machine. It's brand new, I have no data on the machine, I am not going to lose anything, but I want to know the solution to it.
Many thanks to all who are trying to help out here.
jazfromhouston said:
I consider myself a pretty good spyware removal expert, but I ALMOST was stumped the other day when a customer's computer was infected with these strange "Powered by Zedo" ad popups. They would pop up in the middle of the screen without warning, usually when I was trying to search Google or another search engine. Then they would take my search term and put it in the popup ad, showing eBay or a few other sites.

The javascript that was producing the popups had several ad networks that it was using including

xads.zedo.com
upspiral.com
searchlocal.ws
aavalue.com
url.cpvfeed.com
The popups were appearing in Internet Explorer as well as Firefox, and popup blockers including Google Toolbar were not stopping the invasion.


Removal Procedures I Tried

Every time I thought I had these "Powered by Zedo" ads removed, they would return soon after a boot-up. The HijackThis log didn't reveal any major problems.


The customer's computer had a current version of Norton Internet Security 2006 and he had also used Spyware Doctor by PCTools to remove the problems. I used all the basic tools at first to try to remove them including SmitRem, CWShredder, SmitFraudFix, Lop Uninstaller, Look2Me Uninstallers, VundoFix, etc. but nothing seemed to touch this infection.

On to the online scanners. First I tried Housecall, then Panda ActiveScan; nothing was found. Finally I tried Kaspersky Online Scanner and it found a rootkit (Rootkit.Win32.Agent.EQ) infecting a file called core.sys in the c:\windows\system32\drivers directory.

Upon further investigation, I also found a second, related file called core.cache.dsk in the same directory. The core.sys file had registered itself as a service and was starting automatically each time Windows booted. Because of such a generic name, it didn't appear suspicious when I was examining the running services early on in the investigation.

How to Remove Core.sys

Follow the instructions below to remove core.sys and core.cache.dsk and rid your computer of the "Powered by Zedo" and other ads.

1) Boot into Safe Mode
2) Click on Start, Search, and choose All Files and Folders
3) In the all or part of file name box, type the following

core.sys

4) In the Look In box, choose local hard drives and click Search
5) When core.sys is found in the c:\windows\system32\drivers directory, right-click on it and choose Delete
6) Repeat steps 2-5 for the file core.cache.dsk
7) Close the Search box
8) Click on Start, Run and type REGEDIT and press Enter
9) Click on the Plus sign (+) next to HKEY_LOCAL_MACHINE
10) Click the plus next to SYSTEM
11) Click the plus next to CurrentControlSet
12) Click the plus next to Services
13) Find the folder called CORE and right-click on it and choose Delete

*** WARNING *** If the folder CORE does not exist, don't do anything

14) Close the Registry Editor by clicking on the X in the right-hand corner of the window

15) Reboot your computer in Normal mode
16) Once the computer is rebooted, open your web browser and go to Kaspersky Online Scanner by clicking on the link below.


17) Scan your computer and delete any other files flagged as problems.

Your computer should now be free of these vicious popups.
 
OK I had a good search around too.
Basically I don't like to format too, it would be a shame to format a customer's computer over this.

Actually, Googling yielded quite a number of posts, but they all seem to say to do the above (with restore off).

Obviously keep the bug on your computer until you have the solution (ie don't format). You could also submit the bug to Symantec or Kaspersky or Spybot and lots of others; these companies are set up to deal with these new threats, and will likely post a fix (possibly not to you exactly though).

You could download Sysinternals "Autoruns" to see what is starting with your computer.
Also "Filemon" to show what is actually running (process-wise) when you're trying to delete the file.
Even "Bootvis" shows you what drivers are loaded with Windows (delayed), and that may pinpoint the culprit.

I suspect Autoruns is the best.

Please try those, and report back.
Don't leave TechSpot, I believe you may be ideal.

By the way welcome to TechSpot :)

EDIT:
Hmmm, you should've created a new thread; this one started 9 months ago.
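A defender-side way to check for the indicators discussed in this thread, added here as an example and not part of either post or of any tool the thread mentions: the script below looks for the two file names the quoted post gives (core.sys and core.cache.dsk in System32\drivers) and the CORE service key its step 13 deletes, and, in the spirit of the Autoruns suggestion above, lists every kernel-driver service whose binary is missing or not Authenticode-signed. It is read-only and assumes Windows PowerShell 5.1 or later in an elevated session; the file and key names come from the thread, everything else is the example's own.

```powershell
# Added example, not from the thread. Read-only triage of the indicators the quoted
# post describes (core.sys, core.cache.dsk, a service key named CORE) plus a listing
# of kernel-driver services whose binary is missing or unsigned.
# Assumes Windows PowerShell 5.1+ running elevated so the SYSTEM hive is readable.

$driversDir  = Join-Path $env:SystemRoot 'System32\drivers'
$fileNames   = @('core.sys', 'core.cache.dsk')   # names given in the quoted post
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$coreKey     = Join-Path $servicesKey 'CORE'      # key the post's step 13 deletes

function Get-NamedIndicator {
    # Report the two files and the CORE service key if they exist; never deletes.
    foreach ($name in $fileNames) {
        $path = Join-Path $driversDir $name
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path -Force
            $sig  = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Indicator = 'File'
                Path      = $path
                Detail    = '{0} bytes, modified {1:u}, signature {2}' -f $item.Length, $item.LastWriteTime, $sig.Status
            }
        }
    }
    if (Test-Path -LiteralPath $coreKey) {
        $svc = Get-ItemProperty -LiteralPath $coreKey
        [pscustomobject]@{
            Indicator = 'Service key'
            Path      = $coreKey
            Detail    = 'Start={0} Type={1} ImagePath={2}' -f $svc.Start, $svc.Type, $svc.ImagePath
        }
    }
}

function Resolve-ImagePath {
    # ImagePath values come in several spellings: '\??\C:\...', '\SystemRoot\System32\...',
    # 'System32\DRIVERS\x.sys' (relative to the Windows directory) or a plain full path.
    param([string]$ImagePath)
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-UnsignedDriverService {
    # Type 1 = kernel driver, 2 = file-system driver. Flag entries whose binary is
    # missing or whose embedded Authenticode signature is not Valid.
    Get-ChildItem -LiteralPath $servicesKey | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        if (@(1, 2) -notcontains $p.Type -or -not $p.ImagePath) { return }
        $img = Resolve-ImagePath -ImagePath $p.ImagePath
        if (Test-Path -LiteralPath $img) {
            $status = (Get-AuthenticodeSignature -FilePath $img).Status
        } else {
            $status = 'FileMissing'
        }
        if ("$status" -ne 'Valid') {
            [pscustomobject]@{
                Service   = $_.PSChildName
                Start     = $p.Start          # 0 boot, 1 system, 2 automatic
                ImagePath = $img
                Signature = $status
            }
        }
    }
}

$named = @(Get-NamedIndicator)
if ($named.Count -eq 0) {
    'None of the named indicators (core.sys, core.cache.dsk, Services\CORE) are present.'
} else {
    $named | Format-Table -AutoSize -Wrap
}

'Kernel-driver services whose binary is missing or not embedded-signed:'
Get-UnsignedDriverService | Sort-Object Start, Service | Format-Table -AutoSize
```

Run it before and after a Safe Mode cleanup: if the same file and service key are back after a reboot, the driver list is where to look for whatever re-creates them, and the Start column shows which of those load at boot, before user-mode tools run. Many inbox Windows drivers are catalog-signed rather than embedded-signed, so Get-AuthenticodeSignature reports NotSigned for them as well; treat the list as a triage worklist to compare against a known-good machine, not as a verdict.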
 