Smitfraud C.Coreservice, Win32agent, refuse to leave

Discussion in 'Malware Help (A Specialist Will Reply)' started by chattenooga, Dec 11, 2008.

  1. chattenooga

    chattenooga Private E-2

Spybot, then HijackThis, then SmitFraudFix, then ComboFix. Nothing works. Popups keep generating in IE windows, and the file 'core.cache.dsk' refuses to be deleted. I even booted the machine into the Windows Recovery Console command prompt and seemingly deleted the file through a DOS command, but once booted into Windows, the file is still there. Not sure if it gets regenerated or was never really deleted. Please help!! I am attaching the ComboFix, HijackThis and SmitFraud logs.
    Thanks!
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please uninstall HJT as it will be properly installed when you do the following:

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide

    Notes:

1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
     
  3. Corporal Punishment

    Corporal Punishment Head of Software Shenanigans Staff Member

When you are done with that (and don't skip steps), try this:

    1- Boot to safe mode.
2- Open an Explorer window and go to Tools > Folder Options > File Types and remove the file type .dsk

    3-Now navigate to c:\windows\system32\drivers and look for the core.cache.dsk file
    Right click on it and choose Open With > Notepad.
    4- Delete the contents and resave it as core.cache.dsk
    5 - Rescan with an anti malware product.
    6 - Drop and give me 20.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

When he is done with the READ ME, he will not need this. ;) The hidden driver is the reason the core.cache.dsk file does not go away.
    Code:
     
    2008-12-10 15:07 . 2008-12-10 15:07 86,272 -ra------ c:\windows\system32\drivers\imapii.sys
    
The tools in the READ ME normally get the other related files and, if necessary, final steps remove any leftovers.
     
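Chaslang's point above, that a hidden driver is what keeps core.cache.dsk coming back, suggests a simple defender-side triage step: scan a ComboFix-style file listing for driver files created shortly before the log was taken and note attributes such as read-only or hidden. The following Python script is an added example, not part of this thread or of any MajorGeeks tool. Its sample listing reuses the imapii.sys line quoted above plus two constructed benign lines; the log date of 2008-12-11 is assumed from the thread date, and the mapping of attribute letters (r = read-only, a = archive, h = hidden, s = system) is an assumption about the listing format.

```python
import re
from datetime import datetime, timedelta

# One ComboFix-style file line, as quoted in the thread:
# "<created> . <modified> <size> <attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)

# Assumed meaning of the attribute letters in the listing.
ATTR_NAMES = {"r": "read-only", "a": "archive", "h": "hidden",
              "s": "system", "d": "directory"}

# Constructed sample listing: the first line is the one quoted in the
# thread; the other two are made up, benign entries for contrast.
SAMPLE_LOG = r"""
2008-12-10 15:07 . 2008-12-10 15:07 86,272 -ra------ c:\windows\system32\drivers\imapii.sys
2004-08-04 12:00 . 2004-08-04 12:00 12,345 ----a---- c:\windows\system32\drivers\example_old.sys
2008-12-09 10:30 . 2008-12-09 10:30 4,096 ----a---- c:\windows\system32\example_tool.exe
"""

# Assumed date the log was taken (the thread was started on 2008-12-11).
LOG_DATE = datetime(2008, 12, 11)


def parse_line(line):
    """Return a dict for a file line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "created": datetime.strptime(d["created"], "%Y-%m-%d %H:%M"),
        "modified": datetime.strptime(d["modified"], "%Y-%m-%d %H:%M"),
        "size": int(d["size"].replace(",", "")),
        "attrs": {ATTR_NAMES[c] for c in d["attrs"] if c in ATTR_NAMES},
        "path": d["path"].lower(),
    }


def flag_recent_drivers(lines, log_date, max_age_days=7):
    """Flag .sys files under a drivers directory created within
    max_age_days of the log date; each finding lists its reasons."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if "\\drivers\\" not in rec["path"] or not rec["path"].endswith(".sys"):
            continue
        age = log_date - rec["created"]
        if age <= timedelta(days=max_age_days):
            reasons = ["created %d day(s) before the log" % age.days]
            if "read-only" in rec["attrs"]:
                reasons.append("read-only attribute set")
            if "hidden" in rec["attrs"]:
                reasons.append("hidden attribute set")
            findings.append((rec["path"], reasons))
    return findings


def demo():
    """Run the triage over the constructed sample listing."""
    return flag_recent_drivers(SAMPLE_LOG.splitlines(), LOG_DATE)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path)
        for r in reasons:
            print("  -", r)
```

A hit here is only a lead for a human reviewer: a freshly created driver is ordinary after a legitimate install, so the point of the script is to shorten the list worth looking at, not to decide on its own.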
  5. chattenooga

    chattenooga Private E-2

    Thank You all for the help. It worked like a charm, and I am clean as a whistle!!
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Without your logs to check, we can not confirm that. But you are welcome in any case. :)
     
  7. chattenooga

    chattenooga Private E-2

    HelllllllPPPPP!!!

Everything seemed to be fine for a while. Then the computer started slowing down. I once again followed the READ & RUN ME. Everything seemed to run fine. Then the next day I installed the AVG free antivirus. As soon as I did, it detected a bunch of sheur, unknown downloader, some word like tonato.m, etc. I tried to run Spybot, and the machine crashed on me. Since then, it gives me the "registry editing disabled by admin" message, and every time I try to run CCleaner, it gives me an error message and stops. If I try Spybot, the hourglass disappears after 3 seconds of clicking on the icon, and nothing happens; it's weird. No scanning is possible except SuperAntiSpyware, which doesn't pull up anything. What now?
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Perhaps if you had followed our instructions when you started this thread we could have prevented this.

    Are you willing to do this now?
     
  9. chattenooga

    chattenooga Private E-2

    Absolutely!
    My apologies for thinking that I know it all!!

Here is the current scenario. I did go through the entire READ & RUN ME instructions, though somewhere along the way I discovered:
1) Though I had enabled hidden files and folders to be visible right at the start, something keeps reverting them back to hidden.
2) A whole bunch of trojans and viruses were found in the Malware Removal scan, which were apparently cleaned after the scan; same with Spybot and SuperAntiSpyware.

However, somewhere along the way Malware Removal started generating runtime error messages. Then I tried running Spybot, and except for the hourglass appearing for 3 seconds then disappearing, nothing seems to be happening.
I tried booting in safe mode and started facing crashes halfway through boot-up. I have since tried a whole bunch of Recovery Console tricks, and even reinstalled XP on the same partition to get the computer to boot. The culprits are still there, and I'm afraid to reboot now because I'm sure they'll mess up my registry again. I give up and surrender myself to the mercy of you experts here. Please HELP. The computer is on at the moment, booted into the new Windows install, but I can see all previous files and folders under the old user in Documents and Settings. Where do I go from here?
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then you would know to attach the logs for:
    SAS
    MBAM
    Combo
    C:\MGTools.exe ---> C:\MGLogs.zip
     
