Geek Wannabee

Everything posted by Geek Wannabee

  1. Loaded the update and ran it today. Works fine! My full scans of the C: drive seem to take longer than everyone else's though, even with roughly the same number of files, etc. being scanned. Scan time is almost a half hour!
  2. I wonder when the files cited in those Google samples were first observed? My computer was infected on January 16, but some of those cited cases are dated a week or two later. Either people were waiting to post their questions and logs, or perhaps this particular filename was used for more than just a day or two. But changing filenames every couple days makes sense when you want to keep a Trojan from being predictable and vulnerable to removal. By the way, the most recent sample (from MajorGeeks.com forums) in that Google list was my post. I posted this same topic in their malware removal forum. So that one doesn't count.
  3. I wonder what the odds were of my computer's infection having had the same core.sys cloaking filename as the one nosirrah confirmed has been found in Malwarebytes' latest research? Maybe this Trojan is "semi-random" -- has a rotating list of filenames it alternates randomly, but not a completely random any-old-filename approach? Oh well. Even if it is random, at least it seems to stay contained within system32\drivers, so you can hunt-and-peck in an "analogue scan" with your eyeballs and mouse. What interested me is that so many people were trying to remove the Trojan by just deleting core.cache.dsk, not realizing that there was a hidden second file that has to be gotten rid of with it.
  4. Sounds like that would mean that the Trojan is using the same modus operandi each time, installing itself in the same place, and not randomly mimicking any file or randomly making up its name. That will make it easier to catch. It's apparently not as sophisticated a critter as some people seemed to think.
  5. Just wanted to share my experience with removing this bad puppy, as I saw a lot of threads on other website forums devoted to malware removal, etc. After many failures at removing this Trojan, I finally figured out that it is a two-part "package." It seems to consist of two different and independent files -- core.cache.dsk and core.sys -- both of which are installed in C:\WINDOWS\system32\drivers. The core.cache.dsk file is easy to spot, because it has its original name ("Core") and you can see it. BUT the other file, core.sys, gets a disguise so you can't find it by scanning. Core.cache.dsk causes interminable pop-up ads to plague the Internet browser whenever it's open (no pop-ups when browsers are closed, though), and the potential of infection by other malware whenever the pop-up is for a dangerous website. (I kept getting adware and spyware, Trojans, you name it, thanks to the pop-ups.) Core.sys looks to be a "shadow" file that contains the materials to re-create core.cache.dsk whenever your anti-spyware program destroys it. The recreated file appears on reboot. You have to remove BOTH files (using the Avenger process) together. If you try to remove only the core.cache.dsk file, the core.sys file will regenerate it when your computer re-boots. That's why your anti-virus/adware software may say that it removed core.cache.dsk when you follow the scan-remove process, but when you reboot the file is back. I found the disguised core.sys file posing as a Microsoft Remote NDIS Miniport system file. It mimicked the file totally, copying its 7-letter name (rndismp.sys) and adding an extra "p" at the end to make an 8-letter filename for the imposter (rndismpp.sys). The way I found it was by painstakingly rolling my mouse over every file in the system32\drivers section, and reading the origin/provenance (e.g. Microsoft, etc.) and creation date of each file.
     The Zedo/core Trojan infected my computer on Jan 16, 2008, so I looked for files with that creation date. If you keep trying to remove the core.cache.dsk file, it may receive a new "creation" date when core.sys recreates it, but maybe not. So first look for the date when you think the computer was infected, or after. When I found a .sys file that had no provenance, was identical in name -- except for an extra letter -- to a real Microsoft file next to it, was created on Jan 16 at pretty much the same time the core.cache.dsk file was created, and which I couldn't open ("being used by another person or process") nor delete, I knew I had found the evil imposter. I cut and pasted it with its complete path, together with the core.cache.dsk file, in the Avenger window with "Files to delete," clicked the green light, and Avenger zapped them to kingdom come. See you in H*LL, Zedo! I don't know whether the Trojan installs the core.sys file the same way in every computer. All I know is that in mine, it mimicked the Microsoft remote miniport systems file I mentioned earlier. However, it may randomly select a file to imitate in different computers. I don't know. But at least you know what to look for. You may have to hand-check everything in that system32 drivers path to find the file, but when you do, you'll be able to get rid of the Trojan's ability to re-create itself, so removing them both at the same time in Avenger should end the problem. As a note, I didn't have to do anything special, or remove or change anything else. All I did was download Avenger, type in the two files -- with their full file path -- to delete, and use as directed. I'm hoping that in the near future, Malwarebytes' Anti-Malware program will be able to track and scan cloaked files like core.sys so we don't have to do manual "eyeball-and-mouse" analogue scans. Hope this is useful to others who are plagued by Zedo/core as I was.
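The "eyeball-and-mouse" hunt in the last post boils down to three clues: a driver file with no vendor/provenance metadata, created on or after the suspected infection date, whose name is one character away from a legitimate, vendor-attributed neighbour (rndismp.sys vs. rndismpp.sys). The script below is an added example that applies those three clues to a directory listing; it is not the poster's procedure, Avenger, or any Malwarebytes code. The listing it works on is constructed: every file name other than core.cache.dsk, core.sys, rndismp.sys and rndismpp.sys is hypothetical, and all timestamps are invented. On a live system the records would be filled in from the directory listing and each file's version information.

```python
"""Triage a system32\\drivers listing for unsigned look-alike files.

Added example (not the poster's tool or Malwarebytes' code). It automates the
three clues from the post: (1) no vendor/provenance metadata, (2) created on
or after the date the infection is believed to have started, (3) the name
differs from a vendor-attributed driver by exactly one character. The sample
listing is constructed; names other than core.cache.dsk, rndismp.sys and
rndismpp.sys are hypothetical, as are all timestamps.
"""
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class DriverRecord:
    name: str          # file name as shown in the directory listing
    vendor: str        # CompanyName from the file's version info, "" if absent
    created: datetime  # NTFS creation timestamp


def differs_by_one_char(a: str, b: str) -> bool:
    """True if a and b differ by a single insertion, deletion or substitution."""
    a, b = a.lower(), b.lower()
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    i = j = 0
    skipped = False
    while i < len(short) and j < len(long_):
        if short[i] == long_[j]:
            i += 1
            j += 1
        elif skipped:
            return False           # second mismatch: more than one edit apart
        else:
            skipped = True         # tolerate exactly one extra character
            j += 1
    return True                    # the extra character was skipped or is last


def triage(records, infection_date: date):
    """Return {file name: [reasons]} for files matching clues (1) and (2);
    clue (3) is appended as a further reason when a look-alike exists."""
    trusted = [r for r in records if r.vendor]
    findings = {}
    for r in records:
        if r.vendor or r.created.date() < infection_date:
            continue               # has provenance, or predates the infection
        reasons = ["no vendor metadata",
                   f"created on/after {infection_date.isoformat()}"]
        for t in trusted:
            if differs_by_one_char(r.name, t.name):
                reasons.append(f"name is one character away from {t.name}")
        findings[r.name] = reasons
    return findings


# Constructed listing modelled on the post; every timestamp is invented.
OS_INSTALL = datetime(2004, 8, 4, 12, 0)
INFECTION_DAY = date(2008, 1, 16)
SAMPLE_LISTING = [
    DriverRecord("acpi.sys", "Microsoft Corporation", OS_INSTALL),
    DriverRecord("ndis.sys", "Microsoft Corporation", OS_INSTALL),
    DriverRecord("rndismp.sys", "Microsoft Corporation", OS_INSTALL),
    DriverRecord("rndismpp.sys", "", datetime(2008, 1, 16, 14, 3)),    # the imposter
    DriverRecord("core.cache.dsk", "", datetime(2008, 1, 16, 14, 3)),  # the visible half
    # hypothetical: signed third-party driver installed after the infection date
    DriverRecord("vendorhw.sys", "Example Hardware Inc", datetime(2008, 1, 20, 9, 0)),
    # hypothetical: unsigned but predates the infection, so not flagged
    DriverRecord("oldtool.sys", "", datetime(2007, 6, 1, 8, 0)),
]

if __name__ == "__main__":
    for name, why in triage(SAMPLE_LISTING, INFECTION_DAY).items():
        print(f"{name}: {'; '.join(why)}")
```

Run against the constructed listing, only rndismpp.sys and core.cache.dsk are reported: the signed driver installed after the infection date and the old unsigned driver both drop out, and rndismpp.sys additionally carries the look-alike reason pointing at rndismp.sys. The date filter uses "on or after" rather than "equal to" because, as the post notes, the regenerated core.cache.dsk may pick up a newer creation date.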