Note about the core.cache.dsk (Zedo) Trojan


--------------------------------------------------------------------------------

Just wanted to share my experience with removing this bad puppy, as I saw a lot of threads on other website forums devoted to malware removal, etc.

After many failures at removing this Trojan, I finally figured out that it is a two-part "package." It seems to consist of two different and independent files -- core.cache.dsk and core.sys -- both of which are installed in C:\WINDOWS\system32\drivers. The core.cache.dsk file is easy to spot, because it has its original name ("Core") and you can see it. BUT the other file, core.sys, gets a disguise so you can't find it by scanning.

Core.cache.dsk causes interminable pop-up ads to plague the Internet browser whenever it's open (no pop-ups when browsers are closed, though), and the potential of infection by other malware whenever the pop-up is for a dangerous website. (I kept getting adware and spyware, Trojans, you name it, thanks to the pop-ups). Core.sys looks to be a "shadow" file that contains the materials to re-create core.cache.dsk whenever your anti-spyware program destroys it. The recreated file appears on reboot.

You have to remove BOTH files (using the Avenger process) together. If you try to remove only the core.cache.dsk file, the core.sys file will regenerate it when your computer re-boots. That's why your anti-virus/adware software may say that it removed core.cache.dsk when you follow the scan-remove process, but when you reboot the file is back.

I found the disguised core.sys file posing as a Microsoft Remote NDIS Miniport system file. It mimicked the file totally, copying its 7-letter name (rndismp.sys) and adding an extra "p" at the end to make an 8-letter filename for the imposter (rndismpp.sys).

The way I found it was by painstakingly rolling my mouse over every file in the system32\driver section, and reading the origin/provenance (e.g. Microsoft, etc.) and creation date of each file. The Zedo/core Trojan infected my computer on Jan 16, 2008, so I looked for files with that creation date. If you keep trying to remove the core.cache.dsk file, it may receive a new "creation" date when core.sys recreates it, but maybe not. So first look for the date when you think the computer was infected, or after.

When I found a .sys file that had no provenance, was identical in name -- except for an extra letter -- to a real Microsoft file next to it, was created on Jan 16 at pretty much the same time the core.cache.dsk file was created, and which I couldn't open ("being used by another person or process") nor delete, I knew I had found the evil imposter.

I cut and pasted it with its complete path, together with the core.cache.dsk file, in the Avenger window with "Files to delete," clicked the green light, and Avenger zapped them to kingdom come. See you in H*LL, Zedo! :)

I don't know whether the Trojan installs the core.sys file the same way in every computer. All I know is that in mine, it mimicked the Microsoft remote miniport systems file I mentioned earlier. However, it may randomly select a file to imitate in different computers. I don't know. But at least you know what to look for. You may have to hand-check everything in that system32 drivers path to find the file, but when you do, you'll be able to get rid of the Trojan's ability to re-create itself, so removing them both at the same time in Avenger should end the problem.

As a note, I didn't have to do anything special, or remove or change anything else. All I did is download Avenger, type in the two files -- with their full file path -- to delete, and use as directed. I'm hoping that in the near future, Malwarebyte's Anti-Malware program will be able to track and scan cloaked files like core.sys so we don't have to do manual "eyeball-and-mouse" analogue scans. :)

Hope this is useful to others who are plagued by Zedo/core as I was.

  • Root Admin

Thanks for the post. Yes, I have this one on a test system that neither SAS or Malwarebytes could remove, yet they could another similar one.

Just didn't have the free time to track it down but when I do, if I find other results I'll post my findings.

rndismpp.sys

This file did come through last update, I believe that we have it now.

Sounds like that would mean that the Trojan is using the same modus operandi each time, installing itself in the same place, and not randomly mimicking any file or randomly making up its name. That will make it easier to catch. It's apparently not as sophisticated a critter as some people seemed to think.

I wonder what the odds were of my computer's infection having had the same core.sys cloaking filename as the one nosirrah confirmed has been found in Malwarebyte's latest research? Maybe this Trojan is "semi-random" -- has a rotating list of filenames it alternates randomly, but not a completely random any-old-filename approach?

Oh well. Even if it is random, at least it seems to stay contained within system32\drivers, so you can hunt-and-peck in an "analogue scan" with your eyeballs and mouse.

What interested me, is that so many people were trying to remove the Trojan by just deleting core.cache.dsk, not realizing that there was a hidden second file that has to be gotten rid of with it.

I wonder when the files cited in those Google samples were first observed? My computer was infected on January 16, but some of those cited cases are dated a week or two later. Either people were waiting to post their questions and logs, or perhaps this particular filename was used for more than just a day or two. But changing filenames every couple days makes sense when you want to keep a Trojan from being predictable and vulnerable to removal.

By the way, the most recent sample (from MajorGeeks.com forums) in that Google list was my post. I posted this same topic in their malware removal forum. So that one doesn't count.

  • Staff
The randomly named drivers can be distinguished by their filesizes.
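A small triage script that automates the hunt described in the original post (files in system32\drivers created on or after the infection date, with no provenance, or whose name is one character away from an older attributed driver) and applies the staff note above that file size separates the twins. It is an added example, not code from this thread or from Malwarebytes; it runs on a constructed listing (names, sizes and timestamps made up for the demo), and on a real machine the records would have to be filled from the directory's creation times and version resources, which this example does not read.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class DriverFile:
    name: str          # file name inside system32\drivers
    company: str       # CompanyName from the version resource, "" if absent
    created: datetime  # NTFS creation timestamp
    size: int          # size in bytes (the staff note: sizes tell twins apart)

def one_edit_apart(a: str, b: str) -> bool:
    # True if the names differ by one inserted, deleted or replaced character.
    a, b = a.lower(), b.lower()
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]  # one substituted character
    return a[i:] == b[i + 1:]          # one extra character in the longer name

def triage(files: list, infected_on: datetime) -> dict:
    # Baseline = attributed drivers older than the infection; newer files are
    # suspect if one edit away from a baseline name or carrying no company.
    trusted = sorted(f.name.lower() for f in files
                     if f.company and f.created < infected_on)
    report = {"lookalike": [], "unattributed_new": []}
    for f in files:
        if f.created < infected_on:
            continue
        twins = [t for t in trusted if one_edit_apart(f.name, t)]
        if twins:
            report["lookalike"].append(f"{f.name} ({f.size} bytes) resembles {twins[0]}")
        elif not f.company:
            report["unattributed_new"].append(f"{f.name} ({f.size} bytes)")
    return report

def demo() -> dict:
    # Constructed listing; sizes and timestamps are made up for the example.
    old, hit = datetime(2004, 8, 4), datetime(2008, 1, 16, 14, 2)
    listing = [
        DriverFile("rndismp.sys", "Microsoft Corporation", old, 36608),
        DriverFile("ntfs.sys", "Microsoft Corporation", old, 574976),
        DriverFile("rndismpp.sys", "", hit, 11264),
        DriverFile("core.cache.dsk", "", hit, 8192),
    ]
    return triage(listing, datetime(2008, 1, 16))
```

The two findings the demo returns correspond to the two files the original poster had to delete together; the size in each line is what a reviewer would compare against the genuine driver before acting.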

  • 7 months later...
Yep, Malware version 1.28 cured this zedo with standard quick scan! Thank you Malware! Norton, PC pitstop exterminate were no help. This Zedo thing was very persistent. Geek wanabee, you found and fixed this yourself! No wanabee, you are a true Geek. I mean that as a compliment.
