Just wanted to share my experience with removing this bad puppy, as I saw a lot of threads on other website forums devoted to malware removal, etc.

After many failures at removing this Trojan, I finally figured out that it is a two-part "package." It seems to consist of two different and independent files -- core.cache.dsk and core.sys -- both of which are installed in C:\WINDOWS\system32\drivers. The core.cache.dsk file is easy to spot, because it has its original name ("Core") and you can see it. BUT the other file, core.sys, gets a disguise so you can't find it by scanning.

Core.cache.dsk causes interminable pop-up ads to plague the Internet browser whenever it's open (no pop-ups when browsers are closed, though), and the potential of infection by other malware whenever the pop-up is for a dangerous website. (I kept getting adware and spyware, Trojans, you name it, thanks to the pop-ups).

Core.sys looks to be a "shadow" file that contains the materials to re-create core.cache.dsk whenever your anti-spyware program destroys it. The recreated file appears on reboot. You have to remove BOTH files (using the Avenger process) together. If you try to remove only the core.cache.dsk file, the core.sys file will regenerate it when your computer re-boots. That's why your anti-virus/adware software may say that it removed core.cache.dsk when you follow the scan-remove process, but when you reboot the file is back.

I found the disguised core.sys file posing as a Microsoft Remote NDIS Miniport system file. It mimicked the file totally, copying its 7-letter name (rndismp.sys) and adding an extra "p" at the end to make an 8-letter filename for the imposter (rndismpp.sys). The way I found it was by painstakingly rolling my mouse over every file in the system32\drivers section, and reading the origin/provenance (e.g. Microsoft, etc.) and creation date of each file.

The Zedo/core Trojan infected my computer on Jan 16, 2008, so I looked for files with that creation date. If you keep trying to remove the core.cache.dsk file, it may receive a new "creation" date when core.sys recreates it, but maybe not. So first look for the date when you think the computer was infected, or after.

When I found a .sys file that had no provenance, was identical in name -- except for an extra letter -- to a real Microsoft file next to it, was created on Jan 16 at pretty much the same time the core.cache.dsk file was created, and which I couldn't open ("being used by another person or process") nor delete, I knew I had found the evil imposter. I cut and pasted it with its complete path, together with the core.cache.dsk file, in the Avenger window with "Files to delete," clicked the green light, and Avenger zapped them to kingdom come. See you in H*LL, Zedo!

I don't know whether the Trojan installs the core.sys file the same way in every computer. All I know is that in mine, it mimicked the Microsoft remote miniport systems file I mentioned earlier. However, it may randomly select a file to imitate in different computers. I don't know. But at least you know what to look for. You may have to hand-check everything in that system32 drivers path to find the file, but when you do, you'll be able to get rid of the Trojan's ability to re-create itself, so removing them both at the same time in Avenger should end the problem.

As a note, I didn't have to do anything special, or remove or change anything else. All I did is download Avenger, type in the two files -- with their full file path -- to delete, and use as directed.

I'm hoping that in the near future, Malwarebytes' Anti-Malware program will be able to track and scan cloaked files like core.sys so we don't have to do manual "eyeball-and-mouse" analogue scans. Hope this is useful to others who are plagued by Zedo/core as I was.
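
Added example (not part of the original post): the manual check described above, a driver file whose name is a neighbouring file's name plus one extra letter and whose creation time matches core.cache.dsk, expressed as a small Python triage script. The sample listing, its timestamps, the `demo*.sys` names and the 10-minute window are constructed assumptions; only the two `rndismp` names, `core.cache.dsk` and the Jan 16, 2008 date come from the post.

```python
import os
from datetime import datetime, timedelta

def one_extra_char(longer, shorter):
    """True if `longer` is `shorter` with exactly one character inserted."""
    if len(longer) != len(shorter) + 1:
        return False
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def find_lookalikes(entries, known_bad_created, window=timedelta(minutes=10)):
    """entries: iterable of (filename, creation datetime).
    Returns sorted (suspect, imitated, created_near_known_bad) tuples."""
    files = {}
    for name, created in entries:
        stem, ext = os.path.splitext(name.lower())
        files[(stem, ext)] = (name, created)
    hits = []
    for (stem, ext), (name, created) in files.items():
        for (other, other_ext), (other_name, _) in files.items():
            if ext == other_ext and one_extra_char(stem, other):
                near = abs(created - known_bad_created) <= window
                hits.append((name, other_name, near))
    return sorted(hits)

def list_dir(path):
    """Build entries from a real directory. On Windows st_ctime is the
    creation time; on other platforms it is the inode change time."""
    return [(e.name, datetime.fromtimestamp(e.stat().st_ctime))
            for e in os.scandir(path) if e.is_file()]

# Constructed sample listing (times of day and the demo*.sys names are made up).
KNOWN_BAD_CREATED = datetime(2008, 1, 16, 14, 1)   # assumed time for core.cache.dsk
SAMPLE = [
    ("core.cache.dsk", KNOWN_BAD_CREATED),
    ("rndismp.sys",  datetime(2004, 8, 4, 12, 0)),
    ("rndismpp.sys", datetime(2008, 1, 16, 14, 2)),
    ("demo.sys",     datetime(2004, 8, 4, 12, 0)),
    ("demo1.sys",    datetime(2004, 8, 4, 12, 0)),  # benign look-alike pair
    ("ndis.sys",     datetime(2004, 8, 4, 12, 0)),
]

if __name__ == "__main__":
    for suspect, imitated, near in find_lookalikes(SAMPLE, KNOWN_BAD_CREATED):
        flag = "created near known-bad file" if near else "name match only"
        print(f"{suspect} resembles {imitated}: {flag}")
```

Name similarity alone also flags legitimate pairs, so the creation-time correlation is what narrows the list; to scan a live system, pass `list_dir(r"C:\WINDOWS\system32\drivers")` as `entries`.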