core.cache.dsk has me; I've tried it all

Discussion in 'Malware Help (A Specialist Will Reply)' started by lhess42, Jan 26, 2008.

  1. lhess42

    lhess42 Private E-2

    I have a core.cache.dsk infection, and while I have read through the threads posted by people similarly affected, the given directions for removal are highly individualized and I can't repeat them on my machine (because they call for files to be deleted that don't exist on my machine and so forth).

    Problem: I get Internet Explorer windows popping up even when I am not using Internet Explorer. Sometimes I get several in a row, and if I leave my computer unattended, when I come back my screen is full of these IE windows. They contain advertisements or web pages that are usually somehow related to a page I am viewing or a search term I have entered.

    When it started: About a week ago

    What I was doing: Surfing the web, though I clearly downloaded and ran something that I shouldn't have sometime prior.

    What I think it is: Research and a week's worth of scanning and malware removal with SpyBot and AVG, as well as this forum's recommended fixes, has me certain that it is core.cache.dsk, a file I can't remove. I removed it in Safe Mode once, and the file was deleted, but it was back when I rebooted into normal mode.

    The file is in C:\WINDOWS\system32\drivers\core.cache.dsk

    I've run ComboFix, SpyBot, AVG, MGtools, and SmitFraudFix.
    After running the above, I still have the same problem; core.cache.dsk is still where it's always been, but now AVG does not note it as an infection. Anyway, the log files from MGtools and ComboFix are attached. When I use AVG, there is no "Scanner" button and no "Report" option. There is a "Results" menu, and from that I copied all the information displayed into a file I named avg.txt. I read the instructions on http://forums.majorgeeks.com/showthread.php?t=107374 that explain how to run AVG and configure it to create logs, but they don't seem to apply at all to any of the AVG components I have installed. I already had AVG (and Spybot) installed before coming to this forum, so I may need to get a different version of AVG. I hope not. If the information in avg.txt is insufficient, let me know and I will do whatever you recommend.

    Thank you for even reading this. core.cache.dsk is one hell of a little file.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You needed to follow the instructions properly! We did not ask you to run AVG Antivirus. We asked you to install and run AVG Antispyware which you did not do and that is why you had a problem.


    Recommendation: Clean up all the unnecessary junk on your Desktop. Cluttered Desktops are nice places for malware to hide and can also cause your PC to perform slower, as all items on the Desktop get loaded/refreshed frequently and this could also cause your antivirus to scan them each time. In short, if it is not a shortcut, get rid of it.


    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2_03
    LiveUpdate 2.6 (Symantec Corporation)
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {844B68D4-5164-4DA4-A3E5-EA4D4EEECBD3} - C:\WINDOWS\system32\vturp.dll (file missing)
    O2 - BHO: 0 - {8914A665-149E-4F34-9590-6B42749F540B} - C:\Program Files\Common Files\sahu.dll (file missing)
    O4 - Startup: PowerReg Scheduler .exe
    O20 - Winlogon Notify: awtroom - awtroom.dll (file missing)

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    RenV::
    ----a-w           256,000 2008-01-20 05:23:55  C:\Documents and Settings\Liesel\Start Menu\Programs\Startup\PowerReg Scheduler     .exe
    ----a-w            81,920 2008-01-20 05:23:31  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
    ----a-w           249,856 2008-01-20 05:23:33  C:\Program Files\Common Files\InstallShield\UpdateService\isuspm  .exe
    ----a-w           185,896 2008-01-20 05:23:35  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
    ----a-w            49,152 2008-01-20 05:23:31  C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
    ----a-w         1,032,192 2008-01-20 05:23:25  C:\Program Files\Dell\QuickSet\quickset .exe
    ----a-w           460,784 2008-01-20 05:23:48  C:\Program Files\DellSupport\DSAgnt .exe
    ----a-w           847,872 2008-01-20 05:23:45  C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3 .exe
    ----a-w           267,048 2008-01-20 05:23:44  C:\Program Files\iTunes\iTunesHelper .exe
    ----a-w         1,121,792 2008-01-20 05:23:39  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
    ----a-w           286,720 2008-01-20 05:23:41  C:\Program Files\QuickTime\QTTask  .exe
    ----a-w           761,947 2008-01-20 05:23:27  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
    ----a-w           208,952 2008-01-20 05:23:33  C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
    ----a-w            15,360 2008-01-20 05:23:57  C:\WINDOWS\system32\ctfmon .exe
    ----a-w            77,824 2008-01-20 05:23:20  C:\WINDOWS\system32\hkcmd .exe
    ----a-w           118,784 2008-01-20 05:23:22  C:\WINDOWS\system32\igfxpers .exe
    ----a-w            98,304 2008-01-20 05:23:20  C:\WINDOWS\system32\igfxtray .exe
    ----a-w         1,347,584 2008-01-20 05:23:28  C:\WINDOWS\system32\WLTRAY .exe
    ----a-w           127,036 2008-01-20 05:23:40  C:\WINDOWS\system32\dla\DLACTRLW .EXE
    ----a-w            59,392 2008-01-20 05:23:31  C:\WINDOWS\system32\IME\PINTLGNT\ImScInst .exe
    ----a-w           455,168 2008-01-20 05:23:34  C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE
     
    DirLook::
    C:\WINDOWS\TGllc2Vs
     
    Files::
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\Documents and Settings\Liesel\Start Menu\Programs\Startup\PowerReg Scheduler     .exe
    Folders::
    C:\Temp\tn3
    C:\Program Files\Enigma Software Group
    C:\WINDOWS\system32\re9
    C:\WINDOWS\system32\kt8
    C:\WINDOWS\system32\gz4
    C:\WINDOWS\system32\edcA01
    C:\WINDOWS\system32\dp2
    C:\Temp\Ryuan1
     
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtroom]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. lhess42

    lhess42 Private E-2

    You're completely right about the AVG Antispyware; I can't believe I overlooked that. Thanks for helping me anyway; here's what happened:

    I followed the instructions, but I noticed that core.cache.dsk has been persistent. ComboFix failed to delete it. I was working through the steps you gave me, getting ready to download the latest Java Runtime environment, and I noticed the Internet Explorer popups coming up again as ever.

    Is there anything else that could be tried?

    Thanks for your assistance! That response came so quickly; I really appreciate the help.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow instructions in the order given from now on. You should have already installed this before getting the logs. Also I still see Java 2 Runtime Environment, SE v1.4.2_16 installed. Was this not showing in Add/Remove programs?



    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Code box below, and paste it in the box that opens:
    Code:
    Files to delete:
    C:\Program Files\Common Files\sahu
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\sthdaa.sys
    C:\WINDOWS\TGllc2Vs\asappsrv.dll
    C:\MGtools\backups\backup-20080127-130537-257-PowerReg Scheduler     .exe
    
    Folders to delete:
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\TGllc2Vs
    C:\WINDOWS\system32\re9
    C:\WINDOWS\system32\kt8
    C:\WINDOWS\system32\gz4
    C:\WINDOWS\system32\edcA01
    C:\WINDOWS\system32\dp2
    C:\Temp\tn3
    C:\Temp\Ryuan1
    
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
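The two scripts in this thread (the ComboFix CFScript in post 2 and the Avenger script in post 4) are plain text lists of paths to remove; the check a helper would want after the reboot is whether any of those paths are still present. Below is an added example, not code from ComboFix, Avenger or MajorGeeks: it parses both script formats, flags the RenV rename pattern (a space inserted before the extension, as in "ctfmon .exe"), and reports which listed paths survive. SAMPLE is a constructed excerpt of the thread's own script.

```python
# Added example: parse a CFScript / Avenger script and check which listed paths survive.
# Not ComboFix's, Avenger's or MajorGeeks' own code; SAMPLE is a constructed excerpt.
import os
import re

# Section headers of the two formats: "Files::" style (CFScript) and "Files to delete:" (Avenger)
SECTION_RE = re.compile(r"^(RenV|DirLook|Files|Folders|Registry)::$|^(Files|Folders) to delete:$")

SAMPLE = r"""RenV::
----a-w           256,000 2008-01-20 05:23:55  C:\Documents and Settings\Liesel\Start Menu\Programs\Startup\PowerReg Scheduler     .exe
----a-w            15,360 2008-01-20 05:23:57  C:\WINDOWS\system32\ctfmon .exe

Files::
C:\WINDOWS\system32\drivers\core.cache.dsk
Folders::
C:\WINDOWS\system32\re9
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtroom]
"""

def parse_script(text):
    """Map each section name (lower-case, e.g. 'files') to the list of entries under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1) or m.group(2)).lower()
            sections.setdefault(current, [])
            continue
        if current == "renv":
            # RenV rows are: attributes, size, date, time, path; the path itself may contain spaces
            parts = line.split(None, 4)
            line = parts[4] if len(parts) == 5 else line
        if current:
            sections[current].append(line)
    return sections

def suspicious_renames(paths):
    """Whitespace just before the extension ('ctfmon .exe') is the RenV rename pattern."""
    return [p for p in paths if re.search(r"\s+\.[A-Za-z0-9]+$", p)]

def surviving_paths(sections, exists=os.path.exists):
    """Listed files/folders that still exist: the sign the cleanup did not stick (as with core.cache.dsk)."""
    targets = sections.get("files", []) + sections.get("folders", []) + sections.get("renv", [])
    return [p for p in targets if exists(p)]

if __name__ == "__main__":
    s = parse_script(SAMPLE)
    print("renamed executables:", suspicious_renames(s["renv"]))
    print("still present:", surviving_paths(s))
```

Run it after the reboot on the machine being cleaned; anything printed under "still present" is what the next script needs to target again.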
     
