A new Evil has Arisen - Zedo
Moderators: Aergis, Invisusira
13 posts
• Page 1 of 1
This little fucker seems impossible to kill.
Zonelabs didn't see it.
Trend Micro didn't see it.
Manually deleting my Temp directory and IE cache didn't fix it.
CCleaner couldn't remove.
Kaspersky removed "most" of it.
What is it? A pernicious bit of adware that starts every time IE is used (I use it for banking).
NONE of the removal Tips work...
The sick thing is, you may have it and not know...
Kaspersky is available on a one year demo. I recommend you install it and see if you have it...
-

Dunkan - Posts: 597
- Joined: Sun May 13, 2007 1:05 am
fix
Source: http://www.pchell.com/support/poweredbyzedo.shtml
Try Kaspersky Online Scanner and it will probably find a Rootkit (Rootkit.Win32.Agent.EQ) infecting a file called core.sys in the c:\windows\system32\drivers directory.
There should also be a second file called core.cache.dsk that was related in the same directory. The core.sys file will have registered itself as a service and be starting automatically each time Windows boots. Because of such a generic name, it doesn't appear suspicious when examining the running services.
How to Remove Core.sys
Follow the instructions below to remove core.sys and core.cache.dsk and rid your computer of the "Powered by Zedo" and other ads.
1) Boot into Safe Mode
2) Click on Start, Search, and choose All Files and Folders
3) In the all or part of file name box, type the following
core.sys
4) In the Look In box, choose local hard drives and click Search
5) When core.sys is found in the c:\windows\system32\drivers directory, right-click on it and choose Delete
6) Repeat steps 2-5 for the file core.cache.dsk
7) Close the Search box
8) Click on Start, Run and type REGEDIT and press Enter
9) Click on the Plus sign (+) next to HKEY_LOCAL_MACHINE
10) Click the plus next to SYSTEM
11) Click the plus next to CurrentControlSet
12) Click the plus next to Services
13) Find the folder called CORE and right-click on it and choose Delete
*** WARNING *** If the folder CORE does not exist, don't do anything
14) Close the Registry Editor by clicking on the X in the right-hand corner of the window
15) Reboot your computer in Normal mode
16) Once the computer is rebooted, open your web browser and go to Kaspersky Online Scanner by clicking on the link below.
http://www.kaspersky.com/virusscanner
17) Scan your computer and delete any other files flagged as problems.
Your computer should now be free of these vicious popups.
- Sapphires
- Posts: 25
- Joined: Wed Oct 03, 2007 12:57 pm
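The removal steps quoted above amount to checking three indicators (core.sys, core.cache.dsk and the CORE service key) and deleting them. The script below is an added example, not part of the pchell write-up or of any post in this thread: it enumerates those indicators, prints the file hash, Authenticode status and service ImagePath so you can confirm you are looking at the adware driver and not some legitimately named "core" service, and only deletes anything when run with -Remove. The file names, directory and registry path are taken from the write-up; the -Remove switch and the sanity check on ImagePath are this example's own additions. Run it elevated, ideally from Safe Mode, because a loaded kernel driver can resist deletion.

```powershell
# Added example (not from the original post): check for, and optionally remove,
# the Zedo indicators named in the pchell write-up. Run as Administrator.
[CmdletBinding()]
param(
    [switch]$Remove   # without this the script only reports
)

$driversDir = Join-Path $env:SystemRoot 'System32\drivers'
$files      = @('core.sys', 'core.cache.dsk') | ForEach-Object { Join-Path $driversDir $_ }
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CORE'
$found      = $false

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $found = $true
        $item = Get-Item -LiteralPath $f -Force
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $f
        # A legitimate Microsoft driver in this directory is normally signed;
        # an unsigned core.sys plus a CORE service key is the pattern described.
        Write-Host "[!] Found $f  size=$($item.Length)  sha256=$hash  signature=$($sig.Status)"
    } else {
        Write-Host "[ ] $f not present"
    }
}

if (Test-Path -LiteralPath $serviceKey) {
    $found = $true
    $svc = Get-ItemProperty -LiteralPath $serviceKey
    Write-Host "[!] Service key exists: ImagePath='$($svc.ImagePath)' Start=$($svc.Start) Type=$($svc.Type)"
    # Sanity check: only treat the key as the adware driver if it loads core.sys.
    if ($svc.ImagePath -notmatch 'core\.sys$') {
        Write-Warning 'ImagePath does not reference core.sys; verify before removing.'
    }
} else {
    Write-Host "[ ] $serviceKey not present"
}

if (-not $found) {
    Write-Host 'No core.sys / CORE service indicators found.'
    return
}

if (-not $Remove) {
    Write-Host 'Re-run with -Remove to delete the files and the service key.'
    return
}

# Kernel drivers are not visible to Get-Service/Stop-Service, so use sc.exe.
# A running rootkit driver may refuse to stop; that is why Safe Mode is advised.
& sc.exe stop CORE 2>$null | Out-Null

if (Test-Path -LiteralPath $serviceKey) {
    Remove-Item -LiteralPath $serviceKey -Recurse -Force
    Write-Host "[-] Removed $serviceKey"
}
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        Remove-Item -LiteralPath $f -Force
        Write-Host "[-] Deleted $f"
    }
}
Write-Host 'Reboot, then run a full scanner to pick up anything the driver was hiding.'
```

Run it once without -Remove and read the output first: if the signature status is Valid and the ImagePath warning fires, the CORE key is probably not the adware and you should stop, which is the same caveat the write-up gives for a missing CORE folder.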
I don't have it on my pc at home... might want to talk to your techs ... make sure A) they're aware of the threat and B) they get their heads out of their asses and do something about it.
We'd've been all over that like flies on shit at the board, lemme tell you.
-

guillex - Moderator
- Posts: 7490
- Joined: Mon Jul 09, 2007 8:32 pm
- Location: Montreal, Quebec, Canada
Well, according to various sites, Zedo has used a variety of methods to compromise a system.
One included adding a Service to the Services list...
I do not think it is an MBR attack, mainly because my BIOS and AV protect against non-authorised access.
-

Dunkan - Posts: 597
- Joined: Sun May 13, 2007 1:05 am
What exactly is Zedo? Keylogger? Virus? Adware? Does it compromise a WoW account?
And most importantly, would I have it if I've never used IE on this PC? I use Firefox for everything, even my banking.
Aplus wrote:Yeah every time I get a big head, I go and try to solo a warlock.brings me back down to earth pretty fast

-

Oramac - Posts: 721
- Joined: Wed Sep 12, 2007 10:16 am
Adware platform for their "partners" including a company that sells the only known cure for their popup.
Can someone in the States pay a personal visit and give the CEO a Glaswegian Kiss from me, please?
Or round up them and their 100 employees and AOE 'em?
-

Dunkan - Posts: 597
- Joined: Sun May 13, 2007 1:05 am
I was unaware I had this until just now, reading this while running Spybot S&D. Zedo came up. Though I don't have popups, due to my Firefox browser and my need to never ever use IE.
I will be looking for a way to destroy this fucking thing now.
-

Warsadin - Posts: 224
- Joined: Thu Feb 07, 2008 2:00 pm
- Location: Boston, MA
Good luck. I am gonna try this next time I have a chance.
http://forums.majorgeeks.com/archive/in ... 32806.html
-

Dunkan - Posts: 597
- Joined: Sun May 13, 2007 1:05 am
I ended up reformatting the drive and installing a fresh OS. It sucks, but it solves it.
Also, use Firefox, or only use IE for the one website you need to.
http://www.ardentdefender.com - A combat log parsing API
-

Neuron - Posts: 716
- Joined: Mon Aug 27, 2007 8:26 am
- Location: Nail Salon