Need some help with Smitfraud-C.CoreService



conesean
2008-12-08, 23:41
I ran Spybot and tried to get rid of the infected file. It would not let me delete the file because it is being used by a program.

tashi
2008-12-09, 00:00
Hello,

Did you run a Spybot-S&D scan in safe mode? In safe mode, you have access to only basic files and drivers. When the machine is operating in normal mode all processes are running.
Scanning with Spybot-S&D in safe mode allows the program to try and remove items that keep reappearing after a scan, despite having been 'fixed'.

Reboot your computer into Safe Mode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, begin tapping F8.
Instead of Windows loading as normal, a menu should appear.
Select the first option, to run Windows in Safe Mode.

Open Spybot-S&D while still in safe mode.

Close all browsers, check for problems and fix everything found in red.
Repeat until no more items are found in red.
Close Spybot-S&D.
Reboot back into Windows.


How to Start Vista in Safe Mode
Windowshelp-Microsoft (http://windowshelp.microsoft.com/Windows/en-us/help/323ef48f-7b93-4079-a48a-5c58eec904a11033.mspx)

A description of the Safe Mode Boot options in Windows XP
http://support.microsoft.com/kb/315222

How to Start a Windows 98-Based Computer in Safe Mode
http://support.microsoft.com/kb/180902

conesean
2008-12-09, 01:40
Thank you for responding to my problem. I ran Spybot in safe mode as per your previous response. I detected the problem and fixed it. When I got back out of safe mode, I ran SB again and the problem was still there. I will add the results and hopefully that can help.

Smitfraud-C.: [SBI $99619F8C] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-72573027-3237433578-4085058161-1006\Software\Microsoft\instkey

Smitfraud-C.CoreService: [SBI $9C656B9A] Data (File, nothing done)
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk

drragostea
2008-12-09, 02:31
It seems that the core.cache.dsk might be persistent to remove. Follow the directions below:
___
Consider posting in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum and having someone take a look at your system.

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288).
___

conesean
2008-12-09, 03:14
Thanks for your assistance.