lurkingatu2 Posted February 10, 2008

Hello, f/p maybe. The file says date created 2-8-08, 0 bytes.

Malwarebytes' Anti-Malware 1.03
Database version: 337
Scan type: Full Scan (C:\|)
Objects scanned: 50034
Time elapsed: 8 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\core.sys (Rootkit.Agent) -> No action taken. [CREATE=Rootkit.Agent, C:\WINDOWS\system32\drivers\core.sys]

Thanks
nosirrah Posted February 10, 2008

This is a well known rootkit and I do not know of a file with this path that is legit. If you can, please zip a copy of that file and attach it to your next post. You can also save yourself some time by submitting it to virustotal.com. If you are unable to locate this file it likely indicates that it is cloaked and a legit malware detection. This has been in the defs for a very long time; if you have been scanning on a regular basis this would have been detected much earlier. There is a slim chance that this is a MBAM glitch; you should be able to tell this if the file is 0 kb, as in a completely empty file.
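The triage nosirrah describes (pull the flagged path out of the MBAM log, check whether the file is missing or 0 KB, otherwise hash it for a virustotal.com lookup), as an added example that is not part of the thread. The log snippet and file contents are constructed stand-ins, and the verdict labels are my own names for the three outcomes the post distinguishes.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample, modelled on the MBAM 1.x log posted in the thread.
SAMPLE_LOG = """Files Infected: 1
Files Infected:
C:\\WINDOWS\\system32\\drivers\\core.sys (Rootkit.Agent) -> No action taken.
"""

# One "Files Infected" entry: <drive path> (<detection name>) -> <action>
ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\[^()]+?) \((?P<name>[^)]+)\) -> (?P<action>.+)$")


def parse_files_infected(log_text):
    """Return (path, detection name) pairs listed under 'Files Infected:'."""
    hits, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Files Infected:"):
            in_section = True
            continue
        m = ENTRY_RE.match(line) if in_section else None
        if m:
            hits.append((m.group("path"), m.group("name")))
    return hits


def triage(flagged_path, local_copy=None):
    """Apply the post's heuristic: missing on disk -> possibly cloaked (needs a rootkit
    scan); zero bytes -> an empty placeholder, not a driver; otherwise hash the real
    content for lookup/submission. local_copy is a stand-in path for testing off-box."""
    p = Path(local_copy or flagged_path)
    if not p.exists():
        return {"path": flagged_path, "verdict": "missing_or_cloaked", "sha256": None}
    data = p.read_bytes()
    if not data:
        return {"path": flagged_path, "verdict": "zero_byte_placeholder", "sha256": None}
    return {"path": flagged_path, "verdict": "submit_for_analysis",
            "sha256": hashlib.sha256(data).hexdigest()}


def demo():
    """Exercise triage on constructed stand-ins for the three outcomes."""
    path = parse_files_infected(SAMPLE_LOG)[0][0]
    with tempfile.TemporaryDirectory() as d:
        Path(d, "empty.sys").touch()
        Path(d, "real.sys").write_bytes(b"MZ constructed stand-in bytes")
        return {k: triage(path, Path(d, f)) for k, f in
                [("missing", "absent.sys"), ("empty", "empty.sys"), ("real", "real.sys")]}
```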
lurkingatu2 (Author) Posted February 11, 2008

Hello, I have been scanning with MBAM every day; I get database updates since I started here. I was one of the ones that MBAM made files on this pc and I deleted them. I tried to scan this file at virustotal and it's 0 bytes, so I went into safe mode and scanned with Avira AntiVir PE Classic and SUPERAntiSpyware Pro, and only SUPER found it, in the same place, as rootkit.tncore/trace. Avira found nothing. I also copied it to my documents folder to zip it up for here and SUPER did not find it there, just in system32/drivers. I also went into system32/drivers and right clicked, scanned core.sys, and nothing. I ran HJT and don't see it there, so I ran RootkitRevealer and here they are:

HKLM\SECURITY\Policy\Secrets\SAC* 11/7/2003 2:10 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 11/7/2003 2:10 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 6/16/2004 5:57 PM 13 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_47b5977b\AV0000057c$000005d5.AV$ 2/10/2008 3:33 PM 47.00 KB Hidden from Windows API.

Logfile of HijackThis v1.99.1
Scan saved at 4:08:13 PM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Returnil\Rvsystem.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
C:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnmember.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;help.msn.com;;www.msnusers.com;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avgnt] C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe /min
O4 - HKLM\..\Run: [Rvsystem] C:\Program Files\Returnil\Rvsystem.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [iNTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: MBAMService - Malwarebytes - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

Also, should I delete it so it doesn't get picked up any more? Thanks
RubbeR DuckY (Root Admin) Posted February 11, 2008

Sounds like a COMODO problem. I remember another member speaking about this. You have to allow MBAM to do something. It may have been sho-dan.
lurkingatu2 (Author) Posted February 11, 2008

Hello, ok I deleted core.sys and can't see any trouble from deleting it. About Comodo: when I do a scan with ewido 4 (AVG Anti-Spyware) or SUPERAntiSpyware or Avira AntiVir or MBAM I do it offline and exit Comodo before I scan, but when I scan with MBAM, Comodo has like 191 files in its pending list after the scan. I know Comodo has had trouble with the My Pending Files list, but none of my other scanners leaves things in Comodo's pending list after a scan, and I know it's probably a Comodo thing, but I'm going to try to post the list from Comodo's My Pending Files. I say try because I copy it and save it and I can read it, but after I restart my pc you can't read it any more, it's all squares and stuff, so I don't know if I can post it.
RubbeR DuckY (Root Admin) Posted February 11, 2008

MBAM attempts to create these files and then delete them to make sure they do not exist and are hidden (like a rootkit). Why Comodo retains this information is beyond me.
lurkingatu2 (Author) Posted February 11, 2008

Hello, I don't know if telling Comodo is going to help. They reworded my post topic, but at least they see it. I guess they did not like me calling it a bug lol. Thanks
lurkingatu2 (Author) Posted February 11, 2008

Hello, ok a mod at Comodo said to put Comodo's Defense+ into Train with Safe Mode, not Clean PC Mode, and this seems to work; at least when I scan with MBAM, Comodo doesn't have anything on my pending files list, so I will wait and see. Sorry for posting so much in f/p's. Thanks