core.cache.dsk

Spybot Search & Destroy does not find this.

HiJackThis does not find this.

You will find C:\WINDOWS\System32\drivers has a file called core.cache.dsk. ComboFix finds it and knows it is bad but has trouble getting rid of it. It always comes back.

Turns out there is a file with a .sys extension that is causing all the popups. It will have a recent date/time (the date and time of the infection), and its name will be that of a valid .sys file except with the last character of the name duplicated. In my case the offending file was scisportt.sys (note the extra 't').

To cure this one, reboot into single-user mode, and delete both files (core.cache.dsk and filexx.sys) with Explorer. One of the easier ones to get rid of.
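The naming pattern described above can be checked mechanically. The following is an added example, not part of the original post: it lists a drivers folder and flags any recently modified .sys file whose name is another file's name with the last character doubled. The 30-day window, the requirement that the imitated driver sits in the same folder, and every sample file name other than scisportt.sys and core.cache.dsk are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path

MARKER = "core.cache.dsk"  # companion file named on this page

def find_suspects(drivers_dir, recent_days=30, now=None):
    """Return (marker_present, [(suspect, twin, age_days), ...])."""
    now = time.time() if now is None else now
    files = {p.name.lower(): p for p in Path(drivers_dir).iterdir() if p.is_file()}
    suspects = []
    for name, path in files.items():
        stem, ext = os.path.splitext(name)
        # Candidate: a .sys name whose last character is doubled.
        if ext != ".sys" or len(stem) < 2 or stem[-1] != stem[-2]:
            continue
        # Assumption: the driver being imitated sits in the same folder.
        twin = stem[:-1] + ".sys"
        if twin not in files:
            continue  # e.g. null.sys, mouclass.sys: doubled letter, no twin
        age_days = (now - path.stat().st_mtime) / 86400
        if age_days <= recent_days:  # "recent date/time" from the post
            suspects.append((path.name, files[twin].name, int(age_days)))
    return MARKER in files, sorted(suspects)

def build_sample(root):
    """Constructed sample folder; names and dates are illustrative."""
    old = time.time() - 900 * 86400
    for name, recent in [("scisport.sys", False), ("scisportt.sys", True),
                         ("null.sys", False), ("mouclass.sys", True),
                         ("core.cache.dsk", True)]:
        p = Path(root) / name
        p.write_bytes(b"")
        if not recent:
            os.utime(p, (old, old))  # backdate the long-installed files
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        marker, hits = find_suspects(build_sample(tmp))
        print("core.cache.dsk present:", marker)
        for suspect, twin, age in hits:
            print(f"{suspect} imitates {twin}, modified {age} day(s) ago")
```

On a real machine, pass the drivers folder named above to `find_suspects` instead of the sample folder; a hit is a lead to inspect by hand, since the check only compares names and dates.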
