Thursday, 31 January 2008

core.cache.dsk Virus Removal

I had been plagued by this extremely annoying trojan for 2 straight days. It was a real pain having to face an endless barrage of ad popups. I tried using AVG to remove it but failed. I then downloaded Spyware Terminator 2, but sadly that failed too. Finally I downloaded Spyware Doctor through the Google Pack. It didn't remove it either, but it at least helped me identify the faulty file: "core.cache.dsk" in my windows/system32/drivers folder. It just wouldn't let me delete it, though. I tried using KillBox, but that wouldn't work either. I had a dual-boot system with Ubuntu and Windows XP, so I tried booting into Ubuntu and deleting the file from there. To my surprise, there was no core.cache.dsk in that folder. That gave me the hint that the file is created only when Windows loads. I then tried booting Windows XP in safe mode... again there was no file there. So I figured there must be some other file in the windows/system32/drivers folder that is actually responsible for generating the virus file. To find it I took the following steps:
  • Right-click in the windows/system32/drivers folder and select Arrange Icons By > Modified. This sorts the files by the date they were modified.
  • The last 3 files in the folder were the most recently modified. They were the Spyware Terminator driver, the Spyware Doctor driver, and a suspicious third one: amdk77.sys.
Now, I know there is an amdk7, but what's with an amdk77.sys? On closer inspection there was already an amdk7.sys in the folder, so this one wasn't supposed to be there. Secondly, it was created on the same date my system was infected, 30th of January 2008. So I figured out that the core.cache.dsk virus replicates one of the files in the system32 folder, adds a random number to the end of the filename, and uses that copy to create the core.cache.dsk file each time Windows boots. If it picks a file, as in my case amdk7.sys, it creates a file called amdk77.sys and places it in the folder. It won't always be a file named amdk77.sys, though; it can be something else as well, so the best thing is to look for clues and the files' creation dates. I was still in safe mode, so I deleted the file, and voila: when I booted back into Windows normally, core.cache.dsk didn't get created!! I hope this gives you a clear insight into how to get rid of this little bugger! Also remember that you can delete the file only in safe mode; otherwise Windows won't let you delete any file in the system32/drivers folder. Before deleting any file in that folder, you have to be absolutely sure of what you are doing. Good luck!
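A small triage script, added here as an illustration (it is not part of the original post), that automates the two checks above: list the drivers folder newest-first from a cut-off date, and flag any .sys whose name is an existing driver name with one or two characters appended. The listing below is a constructed sample built from the look-alike names readers reported; listing_from_dir() produces the same structure from a real folder.

```python
import os
from datetime import datetime

# Constructed sample listing of windows\system32\drivers as (name, modified);
# the look-alike names are the ones readers of this post reported.
SAMPLE_LISTING = [
    ("amdk7.sys",      "2004-08-04 12:00"),
    ("amdk77.sys",     "2008-01-30 21:17"),
    ("ndis.sys",       "2004-08-04 12:00"),
    ("ndiss.sys",      "2008-01-30 21:17"),
    ("bridge.sys",     "2004-08-04 12:00"),
    ("mrxdav.sys",     "2004-08-04 12:00"),
    ("sptd.sys",       "2008-01-29 18:03"),  # legitimate recent driver, no twin
    ("core.cache.dsk", "2008-01-31 08:02"),
]

def find_lookalikes(listing, max_extra=2):
    """Return [(suspect, original, modified)] for every .sys whose stem is an
    existing .sys stem plus 1..max_extra extra trailing characters."""
    stems = {n[:-4].lower(): n for n, _ in listing if n.lower().endswith(".sys")}
    hits = []
    for name, modified in listing:
        if not name.lower().endswith(".sys"):
            continue
        stem = name[:-4].lower()
        for extra in range(1, max_extra + 1):          # shortest suffix first
            base = stem[:-extra]
            if len(base) >= 3 and base in stems:
                hits.append((name, stems[base], modified))
                break
    return hits

def recently_modified(listing, since):
    """Files modified on/after `since` (YYYY-MM-DD), newest first: the post's
    'arrange icons by modified' view, reduced to the suspicious tail."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    recent = [(n, m) for n, m in listing
              if datetime.strptime(m, "%Y-%m-%d %H:%M") >= cutoff]
    return sorted(recent, key=lambda e: e[1], reverse=True)

def listing_from_dir(path):
    """Build the same (name, modified) listing from a real drivers folder."""
    out = []
    for e in os.scandir(path):
        if e.is_file():
            ts = datetime.fromtimestamp(e.stat().st_mtime)
            out.append((e.name, ts.strftime("%Y-%m-%d %H:%M")))
    return out

if __name__ == "__main__":
    for name, orig, when in find_lookalikes(SAMPLE_LISTING):
        print(f"{name:16} looks like {orig:12} modified {when}")
    for name, when in recently_modified(SAMPLE_LISTING, "2008-01-30"):
        print(f"recent: {name:16} {when}")
```

A prefix match on its own is only a lead, since unrelated drivers can legitimately share a name prefix; the modification date is the tie-breaker the post relies on.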

33 comments:

Bill said...

Thank you! After three weeks of struggling, having others try to help, all to no avail, your post and explanation enabled me to finally get rid of the Smitfraud-C.CoreService along with the core.cache.dsk and the second file, the "mother ship," the amdk77.sys. Thank you!

Bill said...

Thank you! Three weeks of others trying to help didn't do it - your solution worked to rid my computer of the core.cache.dsk and the "mother ship" also in the drivers section. Thank you for your post.

ukj said...

I'm glad I was able to help someone! =)

Unknown said...

Mine was called iirspp.sys. So look for that too....

Umar said...

Ohh, yeah thanks for the heads up. Looks like the trojan renames random files in the drivers folder and adds an additional number or character at the end.

Unknown said...

My system is now clear (fingers crossed).
My 'extra file' was bridgee.sys. I did spot this when the trouble began a week or so ago, but there were no results found with a Google search.

Another sort of problem I had was booting into safe mode using the F8 key. As I have 4 desktops running (one per family member) I couldn't 'Safe Boot'.
I used Run/msconfig/boot.ini/safe mode.
Job done.

~~~~~~~~~~~~

BTW, once the offending files are deleted, go back to run/msconfig etc and uncheck the 'Safe Mode' box or you will re-boot straight back into it.

Thanks and much respect to Skulltrail.

ukj said...

Thanks Pete! =)

Unknown said...

I found this on my 2 PCs: qwavedrvv.sys and cbidf2kk

Many Thanks. Excellent Work!

Umar said...

That's great!! =)

Yoshistar said...

It's been about a week since I got infected by this, and I finally got to delete it thanks to your technique! The infected host file was "mrxdavv.sys" and it kept generating "core.cache.dsk" every time I rebooted my PC. And judging by the names of the other people's host files, it looks like it's usually a file that already exists... except that the last letter is duplicated (bridge.sys = bridgee.sys; mrxdav.sys = mrxdavv.sys; etc.). I hope this helps, and thanks again! ^_^

GTi9020 said...

got it too!
cleaned - another fileXX.sys

compressed exe - have not checked to see what to uncompress it with; but there's a reference to "J:\T3\tndriver\driver\sys2img\objfre_wxp_x86\i386\CORE.pdb" inside 'dropper'

...go figure

Umar said...

Ah looks like something I haven't come across before! Is it some other trojan infection?

Unknown said...

Since I got rid of the infection a week or so ago, I have found a few more nasties lurking in the Temp files.
Check for the following entries:-

bootup.exe.xml ~ http://www.in-t-e-r--e-t.com/

cmd?op=findscript&name=appsettings ~ http://www.i-nt-e-r-n-e-t.com/cmd?opfindscript

perl?op=findscript&sid=23 http://www.i-nt-e-r-n-e-t.com/perl?
adsDirect.phpban?=&id=adoffer&cid=681
~ http://mp.clicksor.net/adsDirect?php
I hope this helps a few others here!

Umar said...

Thanks Pete, I bet many people will find that useful!

Rachel said...

THANK U so much. After many links of trying to find the answer I found your page. That was it. My file was different, mine was dxgg.exe. dxg.sys is the real legitimate file but this one was dxgg.sys and I only found it by your suggestion of looking for files created today. I was able to delete it in safe mode along with the core.cache.dsk file. THANKS AGAIN

Umar said...

You are welcome Rachel! =)

Unknown said...

If ever you're in upstate NY, I'll buy you a beer (or soda if you prefer). All day on my son's PC, Spybot S&D, AVG, MS Defender... they all saw the problem but no fix. Checked the date/time, deleted and voila. And I'm a Systems Engineer, and you've taught me a new trick! Thanks a bunch.

Umar said...

Thanks Jerry!! If I ever come to New York all the way from Gothenburg, I would certainly look forward to your offer! Cheers! =)

Unknown said...

You are a lifesaver! I saw the problem and I downloaded so many so-called "fixes" that I was [_] <-- THIS close to wiping and reinstalling Windows!

THANKS!!!

glon said...

Thank you. After five days of this nightmare; you supplied the answer I needed. I don't even think "Thank You" is enough. I really appreciate it.

Umar said...

You are welcome Glon!

jsgksu said...

My file just happened to be called amdk77.sys as well, that's how I found this post so THANK YOU!!!

One question though, do I need to delete the core.cache.dsk file from the drivers folder as well, or am I ok now that I deleted amdk77?

Amdk77 is gone after restarting but core.cache.dsk is still in there, just wondering if it's supposed to be in there or not. Please let me know, thank you!

Umar said...

Hello Jayme,

Well, the core.cache.dsk file shouldn't be there, which means that there is still some file in the system32 folder which is creating it, so boot again in safe mode and arrange the files according to modified date in the system32 folder (right click in Windows Explorer and select arrange icons by modified) and look at the last few files; if you see a suspicious file name, delete it. For example the original file name would be abc.sys while in the last few files in the view there would be a duplicate called abc6.sys or something. Delete that file and restart your system. Most probably it will be the last file when arranged by modified date, or the second last one. Usually these files are duplicates of other files in the same folder with a number at the end, like xyz.sys is the original in the folder while xyz3.sys would be a fake one, and you will find them both in the system32 folder. Oh, and since the fake file would be newly created, it would be among the last files shown in the folder since you arranged it by modified date. Hope this helps!

Brian said...

Dude - you just saved me. I've spent 3+ weeks working on and off with this virus.

Mine was mrxdavv.sys with the same creation date as the core.cache.dsk file.

The only other reference to this virus is at: http://www.avertlabs.com/research/blog/index.php/2007/06/page/2/ where they refer to it as an XML virus. What's crazy about this virus is that NONE of the virus programs will pick it up. It uses XML commands within the browser to send and receive different instructions every time you open your browser.

Thanks again!!!

Umar said...

You are welcome Brian! Ah, I actually didn't know about the virus using XML commands within the browser! Thanks for the update! =)

Midhun Kumar Allu said...

Consider another offer for beer/soda/drink if you're in the NJ region.

It was sooooooo frustrating to see the problem and not be able to fix it. Absolutely marvelous trick: look at the time stamp and delete!

Mine was tcpi777.sys

Thanks a million !!

Grant said...

Oh my god! Yes! This works 100%.
-go to safe mode
-make sure core.cache.dsk is deleted (if not delete it)

to delete the .sys that creates it:
1. go to WINDOWS/system32/drivers
2. view > details
3. Sort by date created
4. Look under the date that you first got the popups
5. Many of the system files under that date could be vital.
6. Look for one with no description (when you hover over it)
7. Deselect all files, and quickly type the first few characters of the suspicious file (essentially look for another .sys with the same name)
8. If it leads you to another file with all the characters the same except the last one (it doesn't have to be a number) it's probably the little bugger.
9. Zip it or store it in the recycling bin in case it's not what you're looking for.
10. Restart in normal mode and look to see if core.cache.dsk has been created. Hopefully it's not there!

THANK YOU SO MUCH OH MY GOD THANK YOU THANK YOU THANK YOU

Umar said...

You are welcome Evan! =)

DJ Juanmix Official Blog said...

haaa!!! I found mine... lol

it's

ndiss.sys < fake file

ndis.sys << real file

DJ Juanmix Official Blog said...

hey, and that's the only file to delete????

I got another file...

when you hover over it, it doesn't have a description and it's the same day that "ndiss.sys" was created... but not the same time...

any help ?