core.cache.dsk removal
I have spent the last 7 days, 3 hrs a day, on Google searching for a removal solution for this file/rootkit. I don't have a Core file or folder anywhere on my machine. All I have is the windows\system32\driver\core.cache.dsk file. My AVG and PC Tools Spyware Doctor can find it and remove it. I can do the same in Safe Mode. I have used Killbox to delete it after the next reboot. I don't have System Restore enabled, but after every restart it comes back. I can't fill out forms on any website for registration or anything. A blank window of Internet Explorer opens up when I try to type anything in a textbox. I thought I was good and smart enough to fight any spyware, but this one has made me surrender. I use the McAfee 2007 suite, fully updated. I have used Ad-Aware SE, Trend HouseCall online virus scan and everything I can find. I don't want to format and give up. I have been an IT consultant for 15 yrs now and I don't easily format my hard drive for just a pop-up, and probably you guys will agree with me as well. I don't know where or how it came from. I have nothing in the Registry either. Anyone out there who can suggest another route and help me to get rid of this rootkit? By the way, I have used some rootkit removal software too, which I don't remember the names of. I have downloaded and used anything I can find on the internet, to no avail. This is probably my last hope. But I will still not format my machine. It's brand new, I have no data on the machine, I am not going to lose anything, but I want to know the solution for it.
Many thanks to all who are trying to help out here.
jazfromhouston said: I consider myself a pretty good spyware removal expert, but I ALMOST was stumped the other day when a customer's computer was infected with these strange "Powered by Zedo" ad popups. They would pop up in the middle of the screen without warning, usually when I was trying to search Google or another search engine. Then they would take my search term and put it in the popup ad showing eBay or a few other sites.
The JavaScript that was producing the popups had several ad networks that it was using, including:
xads.zedo.com
upspiral.com
searchlocal.ws
aavalue.com
url.cpvfeed.com
The popups were appearing in Internet Explorer as well as Firefox, and popup blockers including Google Toolbar were not stopping the invasion.
Removal Procedures I Tried
Every time I thought I had these "Powered by Zedo" ads removed, they would return soon after a boot-up. The HijackThis log didn't reveal any major problems.
The customer's computer had a current version of Norton Internet Security 2006, and he had also used Spyware Doctor by PC Tools to remove the problems. I used all the basic tools at first to try to remove them, including SmitRem, CWShredder, SmitFraudFix, Lop Uninstaller, Look2Me Uninstallers, VundoFix, etc., but nothing seemed to touch this infection.
On to the online scanners... First I tried HouseCall, then Panda ActiveScan; nothing was found... Finally I tried Kaspersky Online Scanner and it found a rootkit (Rootkit.Win32.Agent.EQ) infecting a file called core.sys in the c:\windows\system32\drivers directory.
Upon further investigation, I also found a second related file called core.cache.dsk in the same directory. The core.sys file had registered itself as a service and was starting automatically each time Windows booted. Because of such a generic name, it didn't appear suspicious when I was examining the running services early on in the investigation.
How to Remove Core.sys
Follow the instructions below to remove core.sys and core.cache.dsk and rid your computer of the "Powered by Zedo" and other ads.
1) Boot into Safe Mode
2) Click on Start, Search, and choose All Files and Folders
3) In the "All or part of the file name" box, type the following:
core.sys
4) In the Look In box, choose local hard drives and click Search
5) When core.sys is found in the c:\windows\system32\drivers directory, right-click on it and choose Delete
6) Repeat steps 2-5 for the file core.cache.dsk
7) Close the Search box
8) Click on Start, Run and type REGEDIT and press Enter
9) Click on the Plus sign (+) next to HKEY_LOCAL_MACHINE
10) Click the plus next to SYSTEM
11) Click the plus next to CurrentControlSet
12) Click the plus next to Services
13) Find the folder called CORE and right-click on it and choose Delete
*** WARNING *** If the folder CORE does not exist, don't do anything
14) Close the Registry Editor by clicking on the X in the right-hand corner of the window
15) Reboot your computer in Normal mode
16) Once the computer is rebooted, open your web browser and go to Kaspersky Online Scanner by clicking on the link below.
17) Scan your computer and delete any other files flagged as problems.
Your computer should now be free of these vicious popups.
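An audit script, added here and not part of either post, that checks a Windows machine for the indicators both posts describe (the two files in the drivers directory and the CORE service key) and records hashes, start type and ImagePath before anything is deleted, so you have evidence to compare after the reboot that keeps bringing the file back. It assumes Windows PowerShell 4.0 or later run as Administrator (Get-FileHash and Get-CimInstance are not available on the XP-era systems in the thread); the file names and key path come from the post, everything else is standard cmdlets.

```powershell
# Added audit script (not from the thread). Run from an elevated PowerShell
# prompt, ideally in Safe Mode as the post advises, since a loaded kernel
# rootkit can hide its own files and keys from a live system. Reports only.
$driverDir  = Join-Path $env:SystemRoot 'System32\drivers'
$fileNames  = @('core.sys', 'core.cache.dsk')                  # names from the post
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CORE'   # key from the post

foreach ($name in $fileNames) {
    $path = Join-Path $driverDir $name
    # -Force also returns hidden/system files, attributes malware commonly sets
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "not present: $path"
        continue
    }
    # Record hash and timestamps before any deletion so the sample can be
    # submitted to an AV vendor and reinfection after reboot can be proven
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    Write-Output ("FOUND {0}  size={1}  created={2}  sha256={3}" -f `
        $path, $item.Length, $item.CreationTime, $hash)
}

if (Test-Path -LiteralPath $serviceKey) {
    $svc = Get-ItemProperty -LiteralPath $serviceKey
    # Type 1 = kernel driver. Start 0/1/2 (boot/system/auto) all load without
    # user action, matching the post's "starting automatically each time
    # Windows booted". ImagePath shows which binary the key actually loads.
    Write-Output ("service key present: ImagePath={0} Start={1} Type={2}" -f `
        $svc.ImagePath, $svc.Start, $svc.Type)
} else {
    Write-Output "service key not present: $serviceKey"
}

# Cross-check the live driver list; Get-Service does not list kernel drivers
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='CORE'"
if ($drv) {
    Write-Output ("driver registered: State={0} StartMode={1} PathName={2}" -f `
        $drv.State, $drv.StartMode, $drv.PathName)
} else {
    Write-Output "no driver named CORE registered with the service control manager"
}
```

Run it once in Normal mode and once in Safe Mode; a file or key that shows up only in Safe Mode is itself evidence that a loaded driver is hiding it, which is why the post's step 1 matters.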