smitfraud detection --- core.cache.dsk problem -> unremovable

Discussion in 'Malware Help (A Specialist Will Reply)' started by nickwearby, Feb 24, 2008.

  1. nickwearby

    nickwearby Private E-2

    Hello,
    about a week ago popup windows started appearing in Internet Explorer
    with a Windows security message like this:
    "Actual website is trying to open a page from the internet.
    Do you allow?
    Actual website:url.adtrgrt.com"
    I choose no,
    but these messages continue to appear whenever I open a new internet window, or navigate to another website.

    I looked for help at first in Hungarian forums, but without much success,
    and after I found this forum, I did everything you said to do in "READ & RUN ME FIRST".

    Previously, according to the Hungarian forum's instructions,
    I installed and ran Spybot Search & Destroy and it detected "Smitfraud-C.CoreService" in the D:\WINDOWS\system32\drivers\core.cache.dsk file.
    After that I ran smitfraudfix.exe in safe mode,
    but it didn't help either.

    Then I found out that HijackThis (which I tried also, but couldn't find anything) needs to be renamed because of a new type of malware, and it did find four core.cache.dsk processes running, which I fixed after closing all windows and apps,
    but it didn't succeed, the problem is still there.

    So after all this I did all you said to do in READ & RUN ME FIRST,
    I did each and every step,
    and still the infection exists,
    so I attach the log files
    and ask for your help.

    I read the similar threads about my problem, but I'm not an expert, so
    I'm still not sure what to do.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This could get interesting as I don't know some of the language ....however:
    What are these:
    D:\Documents and Settings\banyuc\Sablonok
    D:\Documents and Settings\banyuc\Dokumentumok
    D:\Documents and Settings\banyuc\Asztal

    Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  3. nickwearby

    nickwearby Private E-2

    Thank you for your answer,
    and sorry for the inconvenience caused by the language.

    The three things are folders of user "banyuc": Templates, Documents and the Desktop, so they're ok.

    Er, I have done some research meanwhile (sorry, I'm an impatient type, I look for solution everywhere possible ) and bumped into this discussion :
    http://www.malwarebytes.org/forums/index.php?showtopic=3519

    And following the method Geek Wannabee described, I have already found and, with the Avenger, removed these two files from your list:
    D:\WINDOWS\system32\drivers\core.cache.dsk
    D:\WINDOWS\system32\nwlnknbb.sys

    I think it worked, because they didn't come back and the problem seems to be gone.

    As for the other items, I found that the sbfc.dat and sbrc.dat files remained from Sunbelt CounterSpy, which I previously installed, used and then removed from my PC;
    oggdsu~1.exe is really OggDSuninst.exe, the uninstaller of the Ogg DirectShow filter;
    and spmsg2.dll is a Microsoft-verified file, doing something with the WinXP service pack.

    Is it necessary to remove them still,
    or may they remain where they are?
    If I'd better remove them,
    should I use Avenger, or am I allowed to delete them manually?

    Because the main problem-causing files are gone,
    I think I can attach the logs you asked for.
     

    Attached Files:
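A small check a defender can run after a cleanup like the one described above, to confirm the two files removed with Avenger have not come back and that the leftover files the poster asks about are vendor-signed. This is an added example, not a script from the thread or from any of the tools it mentions. It assumes PowerShell 4 or later (for Get-FileHash) and locates the system directory through $env:SystemRoot, which on the poster's machine is D:\WINDOWS; the directory used for spmsg2.dll is an assumption, since the thread does not say where that file lives.

```powershell
# Added example (not from the thread): verify the cleanup described in this post.
# Paths are built from $env:SystemRoot so they match the poster's D:\WINDOWS layout.
$removedByAvenger = @(
    (Join-Path $env:SystemRoot 'system32\drivers\core.cache.dsk'),
    (Join-Path $env:SystemRoot 'system32\nwlnknbb.sys')
)
$leftoverFiles = @(
    (Join-Path $env:SystemRoot 'system32\spmsg2.dll')   # directory is an assumption
)

function Get-FileReport {
    # For each path: does it exist, what is its SHA256, and is it Authenticode-signed?
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Present = $false; SHA256 = $null; Signature = $null; Signer = $null }
            continue
        }
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $p
        [pscustomobject]@{
            Path      = $p
            Present   = $true
            SHA256    = $hash
            Signature = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject
        }
    }
}

function Get-DriverReferences {
    # Registered kernel drivers whose image path points at one of the given files.
    # A driver entry that survives after the file is deleted is worth a second look.
    param([string[]]$Path)
    $names = $Path | ForEach-Object { [System.IO.Path]::GetFileName($_) }
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $d = $_; $names | Where-Object { $d.PathName -like "*$_*" } } |
        Select-Object Name, State, StartMode, PathName
}

# Files removed with Avenger should report Present = False after the reboot.
Get-FileReport -Path $removedByAvenger | Format-Table -AutoSize

# No driver service should still reference them.
Get-DriverReferences -Path $removedByAvenger | Format-Table -AutoSize

# Files left behind by uninstalled software should at least carry a valid vendor signature.
Get-FileReport -Path $leftoverFiles | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; a Signature of Valid with a Microsoft signer supports the poster's reading that spmsg2.dll is a legitimate service-pack file, while a NotSigned result on a file under system32\drivers is the kind of thing the anti-malware tools in this thread flag.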

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can delete the left over files from Counterspy ....and the main two are what was the problem. So you're good to go ...
    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
    *How to Protect yourself from malware!
     
  5. nickwearby

    nickwearby Private E-2

    Everything is working well.
    Thank you very much for the help and for your time :)
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No problem ..safe surfing. :)
     
