Hi there,
Please can someone help me get rid of this problem. I have IE popups appearing sporadically. Spybot finds an infection, Smitfraud-C.CoreService, related to the file core.cache.dsk, but cannot remove this file. I've tried other solutions to get rid of this file but nothing has worked.
Following is my ComboFix.txt file. Your help is appreciated.
ComboFix 08-02.02.5 - Mohammed Shafiq 2008-02-02 17:57:02.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1449 [GMT 0:00]
Running from: G:\ComboFix.exe
Command switches used :: G:\Documents and Settings\Mohammed Shafiq\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
G:\WINDOWS\system32\drivers\core.cache.dsk
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
G:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.
2008-02-02 17:41 . 2008-02-02 17:41 1,593,209 --a------ G:\ComboFix.exe
2008-02-02 17:17 . 2008-02-02 17:31 167,545 --a------ G:\WINDOWS\system32\drivers\core.cache.dsk
2008-02-02 17:13 . 2008-02-02 17:13 <DIR> d-------- G:\WINDOWS\ERUNT
2008-02-02 14:29 . 2008-02-02 14:29 <DIR> d-------- G:\Documents and Settings\Mohammed Shafiq\Application Data\Bitdefender
2008-02-02 14:28 . 2008-02-02 14:28 <DIR> d-------- G:\Program Files\BitDefender
2008-02-02 14:28 . 2008-02-02 14:29 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\BitDefender
2008-02-02 14:22 . 2008-02-02 17:20 <DIR> d-------- G:\SDFix
2008-02-02 14:13 . 2008-02-02 14:15 <DIR> d-------- G:\Documents and Settings\Mohammed Shafiq\SmitfraudFix
2008-02-02 14:13 . 2007-09-05 23:22 289,144 --a------ G:\WINDOWS\system32\VCCLSID.exe
2008-02-02 14:13 . 2006-04-27 16:49 288,417 --a------ G:\WINDOWS\system32\SrchSTS.exe
2008-02-02 14:13 . 2008-02-02 00:55 83,456 --a------ G:\WINDOWS\system32\VACFix.exe
2008-02-02 14:13 . 2008-01-27 14:37 81,920 --a------ G:\WINDOWS\system32\IEDFix.exe
2008-02-02 14:13 . 2003-06-05 20:13 53,248 --a------ G:\WINDOWS\system32\Process.exe
2008-02-02 14:13 . 2004-07-31 17:50 51,200 --a------ G:\WINDOWS\system32\dumphive.exe
2008-02-02 14:13 . 2007-10-03 23:36 25,600 --a------ G:\WINDOWS\system32\WS2Fix.exe
2008-02-02 14:13 . 2008-02-02 14:22 2,792 --a------ G:\WINDOWS\system32\tmp.reg
2008-01-31 17:06 . 2008-01-31 17:07 <DIR> d-------- G:\temp2
2008-01-31 16:15 . 2008-01-31 16:15 <DIR> d-------- G:\Documents and Settings\Mohammed Shafiq\Application Data\Command & Conquer 3 Tiberium Wars
2008-01-31 16:12 . 2008-01-31 17:06 <DIR> d-------- G:\Documents and Settings\Mohammed Shafiq\Application Data\GetRightToGo
2008-01-31 10:26 . 2008-01-31 10:26 <DIR> d-------- G:\Images
2008-01-22 17:02 . 2008-02-02 16:40 293 --a------ G:\WINDOWS\wininit.ini
2008-01-22 16:48 . 2008-02-02 18:00 121 --a------ G:\WINDOWS\bdagent.INI
2008-01-22 16:44 . 2008-02-02 14:28 <DIR> d-------- G:\Program Files\Common Files\BitDefender
2008-01-22 16:34 . 2008-01-22 17:35 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-22 13:29 . 2008-02-01 08:00 <DIR> d-------- G:\Documents and Settings\Mohammed Shafiq\Application Data\AVG7
2008-01-22 13:29 . 2008-01-22 13:29 <DIR> d-------- G:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-22 13:23 . 2008-01-22 13:33 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\Avg7
2008-01-22 09:06 . 2008-01-22 09:06 <DIR> d-------- G:\Documents and Settings\Mohammed Shafiq\Application Data\Grisoft
2008-01-22 09:06 . 2007-05-30 12:10 10,872 --a------ G:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-22 08:56 . 2008-01-22 08:56 <DIR> d-------- G:\VundoFix Backups
2008-01-22 08:26 . 2008-01-22 08:26 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-22 07:30 . 2008-01-22 07:30 86,144 --a------ G:\WINDOWS\system32\drivers\diskdumpp.sys
2008-01-20 16:52 . 2008-01-20 16:52 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-01-11 15:03 . 2008-01-11 15:03 <DIR> d-------- G:\WINDOWS\system32\URTTEMP
2008-01-05 23:02 . 2008-02-02 11:56 <DIR> d-------- G:\Program Files\Mozilla Thunderbird
2008-01-05 23:02 . 2008-01-05 23:02 <DIR> d-------- G:\Documents and Settings\Mohammed Shafiq\Application Data\Thunderbird
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 14:06 --------- d-----w G:\Documents and Settings\Mohammed Shafiq\Application Data\uTorrent
2008-01-29 22:45 --------- d-----w G:\Documents and Settings\Mohammed Shafiq\Application Data\ZoomBrowser EX
2008-01-22 13:29 --------- d-----w G:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-22 08:25 --------- d-----w G:\Program Files\Common Files\Wise Installation Wizard
2008-01-11 15:23 --------- d--h--w G:\Program Files\InstallShield Installation Information
2007-12-26 20:27 --------- d-----w G:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-21 14:42 --------- d-----w G:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-12-16 21:27 --------- d-----w G:\Program Files\BitCtrl Systems GmbH
2007-12-12 22:14 --------- d-----w G:\Program Files\DIFX
2007-12-08 10:52 --------- d-----w G:\Program Files\Haali
2007-12-08 10:51 --------- d-----w G:\Program Files\CoreCodec
2007-12-08 05:01 --------- d-----w G:\Documents and Settings\Mohammed Shafiq\Application Data\dvdcss
2007-11-14 19:53 160,721 ----a-w G:\WINDOWS\Star Assault Uninstaller.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{381FFDE8-2394-4F90-B10D-FC6124A40F8C}
[HKEY_CLASSES_ROOT\clsid\{381ffde8-2394-4f90-b10d-fc6124a40f8c}]
[HKEY_CLASSES_ROOT\BitDefender Toolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="G:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"NVIDIA nTune"="G:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 11:32 81920]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="G:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 14:18 94208]
"H/PC Connection Agent"="G:\Programs\Apps\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="G:\WINDOWS\JM\JMInsIDE.exe" [2006-10-31 04:44 36864]
"36X Raid Configurer"="G:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-17 01:05 1953792]
"Adobe Reader Speed Launcher"="G:\Program Files\Apps\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SunJavaUpdateSched"="G:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"GrooveMonitor"="G:\Program Files\Apps\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47 31016]
"NWEReboot"="" []
"NeroFilterCheck"="G:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"NvCplDaemon"="G:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 G:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="G:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"!AVG Anti-Spyware"="G:\Programs\Apps\System\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
"AVG7_CC"="G:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-22 13:29 579072]
"BitDefender Antiphishing Helper"="G:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
"BDAgent"="G:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2007-11-16 16:37 319488]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="G:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]
"AVG7_Run"="G:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-22 13:29 219136]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
R1 bdftdif;bdftdif;G:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys [2007-11-12 16:28]
R1 diskdumpp;diskdumpp;G:\WINDOWS\system32\drivers\diskdumpp.sys [2008-01-22 07:30]
R3 bdfsfltr;bdfsfltr;G:\WINDOWS\system32\drivers\bdfsfltr.sys [2007-08-02 16:03]
R3 BDSelfPr;BDSelfPr;G:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys [2008-02-02 14:29]
R3 scan;BitDefender Threat Scanner;G:\WINDOWS\System32\svchost.exe [2004-08-03 23:56]
S2 IBMWAS61Service - mohammed-ea4b2cNode01;IBM WebSphere Application Server V6.1 - mohammed-ea4b2cNode01;"G:\Programs\Dev\IBM\WebSphere\AppServer\bin\wasservice.exe" "IBMWAS61Service []
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;G:\DOCUME~1\MOHAMM~1\LOCALS~1\Temp\TCCpuInfo.sys []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 18:01:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: G:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> G:\Program Files\Haali\MatroskaSplitter\mmfinfo.dll
-> G:\Program Files\Haali\MatroskaSplitter\mkunicode.dll
.
------------------------ Other Running Processes ------------------------
.
G:\Programs\Apps\System\Lavasoft\Ad-Aware 2007\aawservice.exe
G:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
G:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
G:\PROGRA~1\Grisoft\AVG7\avgemc.exe
G:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\HPZipm12.exe
G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
G:\Program Files\Canon\CAL\CALMAIN.exe
G:\WINDOWS\system32\RUNDLL32.EXE
G:\Programs\Apps\MICROS~1\rapimgr.exe
G:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-02-02 18:04:47 - machine was rebooted [Mohammed Shafiq]
ComboFix-quarantined-files.txt 2008-02-02 18:04:43
ComboFix2.txt 2008-02-02 17:35:29
ComboFix3.txt 2008-02-02 16:51:36
ComboFix4.txt 2008-01-22 08:17:40
.
2007-12-12 03:02:57 --- E O F ---
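Added example, not from the original post and not ComboFix's own code: a small Python triage script that parses the "Other Deletions" and "Files Created ..." sections of a ComboFix log like the one above and ranks the files worth looking at first. Run against the excerpt copied from this log it puts core.cache.dsk at the top, because it was written to system32\drivers inside the scan window, does not carry a .sys extension, and is the file ComboFix reported it could not delete. The section banners and file-line layout are ComboFix's; the rule set (driver directory, non-.sys extension, failed deletion) is an assumption made for illustration, not a ComboFix heuristic.

```python
"""ComboFix log triage (added example; not ComboFix code, not the poster's).
Parses the 'Other Deletions' and 'Files Created ...' sections and attaches
reasons to files a reviewer should look at first.  SAMPLE_LOG is copied from
the log in the post above; the rules below are assumptions for illustration."""

import re
from typing import Dict, List, Optional, Tuple

# Excerpt of the posted log: section banners and file lines verbatim.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
G:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.
2008-02-02 17:41 . 2008-02-02 17:41 1,593,209 --a------ G:\ComboFix.exe
2008-02-02 17:17 . 2008-02-02 17:31 167,545 --a------ G:\WINDOWS\system32\drivers\core.cache.dsk
2008-02-02 14:13 . 2007-09-05 23:22 289,144 --a------ G:\WINDOWS\system32\VCCLSID.exe
2008-01-22 09:06 . 2007-05-30 12:10 10,872 --a------ G:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-22 07:30 . 2008-01-22 07:30 86,144 --a------ G:\WINDOWS\system32\drivers\diskdumpp.sys
.
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")            # '((( Name )))' banners
FAILED_RE = re.compile(r"^(.+?) \. \. \. \. failed to delete$")
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "                  # creation time
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "                      # last-write time
    r"(<DIR>|[\d,]+) (\S+) (.+)$"                            # size, attributes, path
)
DRIVER_DIR = "\\system32\\drivers\\"   # assumed location of interest (lower-cased compare)


def split_sections(log_text: str) -> Dict[str, List[str]]:
    """Group lines under the ComboFix banner that precedes them; skip '.' spacers."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def failed_deletions(sections: Dict[str, List[str]]) -> List[str]:
    """Paths ComboFix tried to delete and could not."""
    hits = (FAILED_RE.match(l) for l in sections.get("Other Deletions", []))
    return [m.group(1) for m in hits if m]


def created_files(sections: Dict[str, List[str]]) -> List[Tuple[str, bool]]:
    """(path, is_directory) for every entry in any 'Files Created ...' section."""
    out: List[Tuple[str, bool]] = []
    for name, lines in sections.items():
        if not name.startswith("Files Created"):
            continue
        for line in lines:
            m = CREATED_RE.match(line)
            if m:
                size, path = m.group(3), m.group(5)
                out.append((path, size == "<DIR>"))
    return out


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for every file with at least one reason to look closer."""
    sections = split_sections(log_text)
    reasons: Dict[str, List[str]] = {}

    def note(path: str, why: str) -> None:
        reasons.setdefault(path, []).append(why)

    for path, is_dir in created_files(sections):
        if is_dir:
            continue
        low = path.lower()
        if DRIVER_DIR in low:
            note(path, "created in system32\\drivers during the scan window")
            if not low.endswith(".sys"):
                note(path, "driver-directory file without a .sys extension")
    for path in failed_deletions(sections):
        note(path, "ComboFix reported 'failed to delete' (file in use or protected)")
    return reasons


def ranked(log_text: str) -> List[str]:
    """Paths ordered by number of reasons, most suspicious first, then by name."""
    r = triage(log_text)
    return sorted(r, key=lambda p: (-len(r[p]), p.lower()))


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for path in ranked(SAMPLE_LOG):
        print(path)
        for why in findings[path]:
            print("   -", why)
```

The "failed to delete" line is the one a practitioner should read first: a file under system32\drivers that a cleanup tool cannot remove is typically held open or protected by a running driver, which is why repeated user-mode deletion attempts have no effect. Note that catchme's "hidden files: 0" result does not contradict this; a file that is merely locked is not hidden, so the rootkit scan would not report it.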