
A new Evil has Arisen - Zedo



Postby Dunkan » Fri Feb 08, 2008 2:18 pm

This little fucker seems impossible to kill.

Zonelabs didn't see it.

Trend Micro didn't see it.

Manually deleting my Temp directory and IE cache didn't fix it.

CCleaner couldn't remove it.

Kaspersky removed "most" of it.

What is it? A pernicious bit of adware that starts every time IE is used (I use it for banking).

NONE of the removal Tips work...

The sick thing is, you may have it and not know...

Kaspersky is available on a one year demo. I recommend you install it and see if you have it...
Khaz'goroth Oceanic
Dunkan
 
Posts: 597
Joined: Sun May 13, 2007 1:05 am

Postby Echevarian » Fri Feb 08, 2008 2:24 pm

firefox ftw :P
Echevarian
 
Posts: 204
Joined: Fri Jan 11, 2008 5:17 am

Postby Dunkan » Fri Feb 08, 2008 2:47 pm

I use Firefox too. Unfortunately my crappy bank is not Firefox friendly...
Khaz'goroth Oceanic
Dunkan
 
Posts: 597
Joined: Sun May 13, 2007 1:05 am

fix

Postby Sapphires » Fri Feb 08, 2008 3:05 pm

Source: http://www.pchell.com/support/poweredbyzedo.shtml

Try Kaspersky Online Scanner and it will probably find a Rootkit (Rootkit.Win32.Agent.EQ) infecting a file called core.sys in the c:\windows\system32\drivers directory.

There should also be a second file called core.cache.dsk that was related in the same directory. The core.sys file will have registered itself as a service and be starting automatically each time Windows boots. Because of such a generic name, it doesn't appear suspicious when examining the running services.

How to Remove Core.sys

Follow the instructions below to remove core.sys and core.cache.dsk and rid your computer of the "Powered by Zedo" and other ads.

1) Boot into Safe Mode
2) Click on Start, Search, and choose All Files and Folders
3) In the all or part of file name box, type the following

core.sys

4) In the Look In box, choose local hard drives and click Search
5) When core.sys is found in the c:\windows\system32\drivers directory, right-click on it and choose Delete
6) Repeat steps 2-5 for the file core.cache.dsk
7) Close the Search box
8) Click on Start, Run and type REGEDIT and press Enter
9) Click on the Plus sign (+) next to HKEY_LOCAL_MACHINE
10) Click the plus next to SYSTEM
11) Click the plus next to CurrentControlSet
12) Click the plus next to Services
13) Find the folder called CORE and right-click on it and choose Delete

*** WARNING *** If the folder CORE does not exist, don't do anything

14) Close the Registry Editor by clicking on the X in the right-hand corner of the window

15) Reboot your computer in Normal mode
16) Once the computer is rebooted, open your web browser and go to Kaspersky Online Scanner by clicking on the link below.

http://www.kaspersky.com/virusscanner

17) Scan your computer and delete any other files flagged as problems.

Your computer should now be free of these vicious popups.
Sapphires
 
Posts: 25
Joined: Wed Oct 03, 2007 12:57 pm
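The manual steps quoted above can be checked (and, from Safe Mode, applied) with a script. The following is an added example written for this thread; it is not from pchell.com, from the post, or from any product named here. The file names, the drivers directory and the CORE service key are exactly the ones the steps list; the `-Remove` switch, the signature check and the script name `Find-ZedoCore.ps1` are my own assumptions. By default it only reports what it finds.

```powershell
# Added example, not from pchell.com or this thread: audit a Windows host for the
# artifacts named in the removal steps (core.sys, core.cache.dsk, the CORE service key).
# Read-only unless -Remove is given. Run as Administrator. For removal, boot into
# Safe Mode first, as the steps say: a loaded driver cannot be deleted from a normal session.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$driverDir  = Join-Path $env:SystemRoot 'System32\drivers'
$fileNames  = @('core.sys', 'core.cache.dsk')
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CORE'
# Meaning of the Start value under a service key.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

$findings = New-Object System.Collections.Generic.List[object]

foreach ($name in $fileNames) {
    $path = Join-Path $driverDir $name
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $item = Get-Item -LiteralPath $path -Force
    # A generic file name proves nothing either way; an unsigned kernel driver is the real tell.
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $findings.Add([pscustomobject]@{
        Indicator = 'File'
        Location  = $path
        Detail    = "bytes=$($item.Length) created=$($item.CreationTime) signature=$($sig.Status)"
    })
}

if (Test-Path -LiteralPath $serviceKey) {
    $svc   = Get-ItemProperty -LiteralPath $serviceKey
    $start = if ($null -ne $svc.Start) { $startNames[[int]$svc.Start] } else { 'unknown' }
    $findings.Add([pscustomobject]@{
        Indicator = 'Service'
        Location  = $serviceKey
        Detail    = "ImagePath=$($svc.ImagePath) Start=$start Type=$($svc.Type)"
    })
}

if ($findings.Count -eq 0) {
    Write-Output 'No core.sys, core.cache.dsk or CORE service key found.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    # Same order as the manual steps: the two files first, then the service key.
    foreach ($f in $findings) {
        if ($f.Indicator -eq 'File' -and $PSCmdlet.ShouldProcess($f.Location, 'Delete file')) {
            Remove-Item -LiteralPath $f.Location -Force
        }
    }
    if ((Test-Path -LiteralPath $serviceKey) -and $PSCmdlet.ShouldProcess($serviceKey, 'Delete service key')) {
        Remove-Item -LiteralPath $serviceKey -Recurse -Force
    }
    Write-Output 'Reboot into Normal mode and run a full scan afterwards.'
}
```

Run `.\Find-ZedoCore.ps1` from an elevated prompt to audit; `.\Find-ZedoCore.ps1 -Remove -WhatIf` lists what would be deleted without touching anything, and `-Remove` alone does the deletion. A `signature=NotSigned` result on a file under `System32\drivers` whose service starts automatically is the condition the article describes; a `Valid` signature from a vendor you recognise suggests a different, legitimate driver that happens to share the name, which is why the warning about a missing CORE folder is worth respecting.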

Postby Dunkan » Fri Feb 08, 2008 3:13 pm

Doesn't work.

Kaspersky IS good and caught most of it.

I think Zedo is staying ahead of the curve...
Khaz'goroth Oceanic
Dunkan
 
Posts: 597
Joined: Sun May 13, 2007 1:05 am

Postby guillex » Fri Feb 08, 2008 3:15 pm

I don't have it on my pc at home... might want to talk to your techs ... make sure A) they're aware of the threat and B) they get their heads out of their asses and do something about it.

We'd've been all over that like flies on shit at the board, lemme tell you.
Póg mo thóin
guillex
Moderator
 
Posts: 7490
Joined: Mon Jul 09, 2007 8:32 pm
Location: Montreal, Quebec, Canada

fix

Postby Sapphires » Fri Feb 08, 2008 3:22 pm

If it is still having a problem, it may be hiding in your MBR (Master Boot Record) in which case you would probably have to overwrite to get rid of that.
Sapphires
 
Posts: 25
Joined: Wed Oct 03, 2007 12:57 pm

Postby Dunkan » Fri Feb 08, 2008 3:34 pm

Well, according to various sites, Zedo has used a variety of methods to compromise a system.

One included adding a Service to the Services list...

I do not think it is an MBR attack, mainly because my BIOS and AV protect against non-authorised access.
Khaz'goroth Oceanic
Dunkan
 
Posts: 597
Joined: Sun May 13, 2007 1:05 am

Postby Oramac » Fri Feb 08, 2008 3:55 pm

What exactly is Zedo? Keylogger? Virus? Adware? Does it compromise a WoW account?

And most importantly, would I have it if I've never used IE on this PC? I use Firefox for everything, even my banking.
Aplus wrote: Yeah, every time I get a big head, I go and try to solo a warlock. Brings me back down to earth pretty fast.
Oramac
 
Posts: 724
Joined: Wed Sep 12, 2007 10:16 am

Postby Dunkan » Fri Feb 08, 2008 4:00 pm

Adware platform for their "partners" including a company that sells the only known cure for their popup.

Can someone in the States pay a personal visit and give the CEO a Glaswegian Kiss from me, please?

Or round up them and their 100 employees and AOE 'em?
Khaz'goroth Oceanic
Dunkan
 
Posts: 597
Joined: Sun May 13, 2007 1:05 am

Postby Warsadin » Sat Feb 09, 2008 11:50 am

I was unaware I had this until just now reading this while running spybot S&D. Zedo came up. Though I don't have popups due to my firefox browser and my need to never ever use IE.

I will be looking for a way to destroy this fucking thing now.
Warsadin
 
Posts: 224
Joined: Thu Feb 07, 2008 2:00 pm
Location: Boston, MA

Postby Dunkan » Sat Feb 09, 2008 6:18 pm

Good luck. I am gonna try this next time I have a chance.

http://forums.majorgeeks.com/archive/in ... 32806.html
Khaz'goroth Oceanic
Dunkan
 
Posts: 597
Joined: Sun May 13, 2007 1:05 am

Postby Neuron » Mon Feb 11, 2008 8:25 am

I ended up reformatting the drive and installing a fresh OS. It sucks, but it solves it.

Also, use Firefox, or only use IE for the one website you need to.
http://www.ardentdefender.com - A combat log parsing API
Neuron
 
Posts: 716
Joined: Mon Aug 27, 2007 8:26 am
Location: Nail Salon

