
f/p ?


lurkingatu2


hello

f/p maybe, the file says date created 2-8-08, 0 bytes

Malwarebytes' Anti-Malware 1.03

Database version: 337

Scan type: Full Scan (C:\|)

Objects scanned: 50034

Time elapsed: 8 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\core.sys (Rootkit.Agent) -> No action taken. [CREATE=Rootkit.Agent, C:\WINDOWS\system32\drivers\core.sys]

thanks :)


This is a well-known rootkit and I do not know of a file with this path that is legit.

If you can, please zip a copy of that file and attach it to your next post.

You can also save yourself some time by submitting it to virustotal.com.

If you are unable to locate this file, it likely indicates that it is cloaked and a legit malware detection.

This has been in the defs for a very long time; if you had been scanning on a regular basis this would have been detected much earlier.

There is a slim chance that this is an MBAM glitch; you would be able to tell this if the file is 0 KB, as in a completely empty file.

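One way to turn the triage steps in the reply above (pull the flagged path out of the MBAM log, check whether it is visible, whether it is 0 KB, and hash it for a virustotal.com lookup) into a repeatable check. This is added example code, not the forum's or Malwarebytes' own; the log text and the files it inspects are constructed inside the script, and the Malwarebytes 1.x line layout it parses is taken from the log posted in this thread.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample in the layout of a Malwarebytes 1.x log (not the log posted above).
SAMPLE_LOG = r"""Files Infected: 1
Files Infected:
C:\WINDOWS\system32\drivers\core.sys (Rootkit.Agent) -> No action taken. [CREATE=Rootkit.Agent, C:\WINDOWS\system32\drivers\core.sys]
"""

# One entry under "Files Infected:": <path> (<detection>) -> <action>. [...]
ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^)]+)\) -> (?P<action>[^.\[]+)\.")


def parse_mbam_files(log_text):
    """Return (path, detection, action) for every entry under 'Files Infected:'."""
    entries, in_files = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Files Infected:":  # the summary line "Files Infected: 1" does not match
            in_files = True
            continue
        m = ENTRY_RE.match(line) if in_files else None
        if m:
            entries.append((m["path"], m["name"], m["action"].strip()))
    return entries


def triage_file(path):
    """missing: not visible via the file API (possibly cloaked, or already removed);
    empty: 0 bytes, cannot be a working driver, likely a scanner glitch;
    present: real content, hashed for a VirusTotal lookup."""
    if not os.path.exists(path):
        return {"status": "missing", "size": None, "sha256": None}
    size = os.path.getsize(path)
    if size == 0:
        return {"status": "empty", "size": 0, "sha256": None}
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"status": "present", "size": size, "sha256": h.hexdigest()}


def demo():
    """Parse the sample log, then triage three constructed stand-in files."""
    entries = parse_mbam_files(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as d:
        empty, real = os.path.join(d, "core_empty.sys"), os.path.join(d, "core_real.sys")
        open(empty, "wb").close()
        with open(real, "wb") as f:
            f.write(b"MZ-not-a-real-driver")  # constructed bytes, not a driver
        return {"entries": entries, "empty": triage_file(empty)["status"],
                "real": triage_file(real), "missing": triage_file(os.path.join(d, "gone.sys"))["status"]}
```

A "missing" result only means the normal file API cannot see the path; as the reply notes, that is consistent with a cloaked file, so a raw-hive or offline (Safe Mode) view is the next check.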

hello

I have been scanning with MBAM every day; I get d.b.v updates since I started here.

I was one of the ones that MBAM made files on this PC for, and I deleted them.

I tried to scan this file at VirusTotal and it's 0 bytes, so I went into Safe Mode and scanned with Avira AntiVir PE Classic and SUPERAntiSpyware Pro, and only SUPER found it, in the same place, as rootkit.tncore/trace; Avira found nothing. I also copied it to my Documents folder to zip it up for here and SUPER did not find it there, just in system32/drivers. I also went into system32/drivers and right-clicked to scan core.sys and nothing. I ran HJT and don't see it there, so I ran RootkitRevealer and here they are:

HKLM\SECURITY\Policy\Secrets\SAC* 11/7/2003 2:10 PM 0 bytes Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI* 11/7/2003 2:10 PM 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\webcal\URL Protocol 6/16/2004 5:57 PM 13 bytes Data mismatch between Windows API and raw hive data.

C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\TEMP\AVGUARD_47b5977b\AV0000057c$000005d5.AV$ 2/10/2008 3:33 PM 47.00 KB Hidden from Windows API.

Logfile of HijackThis v1.99.1

Scan saved at 4:08:13 PM, on 2/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Returnil\Rvsystem.exe

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\COMODO\Firewall\cmdagent.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe

C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe

C:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnmember.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;help.msn.com;;www.msnusers.com;<local>

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [avgnt] C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe /min

O4 - HKLM\..\Run: [Rvsystem] C:\Program Files\Returnil\Rvsystem.exe

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O11 - Options group: [iNTERNATIONAL] International*

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: MBAMService - Malwarebytes - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

Also, should I delete it so it doesn't get picked up any more?

thanks :)


hello

OK, I deleted core.sys and can't see any trouble from deleting it. About Comodo: when I do a scan with Ewido 4 (AVG Anti-Spyware) or SUPERAntiSpyware or Avira AntiVir or MBAM I do it offline and exit Comodo before I scan, but when I scan with MBAM Comodo has like 191 files in its pending list after the scan. I know Comodo has had trouble with the My Pending Files list, but none of my other scanners leave things in Comodo's pending list after a scan, and I know it's probably a Comodo thing, but I'm going to try to post the list from Comodo's My Pending Files. I say try because I copy it and save it and I can read it, but after I restart my PC you can't read it any more, it's all squares and stuff, so I don't know if I can post it.
