I consider myself a pretty good spyware removal expert, but I ALMOST was stumped the other day when a customer's computer was infected with these strange "Powered by Zedo" ad popups. They would popup in the middle of the screen without warning usually when I was trying to search Google or another search engine. Then they would take my search term and put it in the popup ad showing Ebay or a few other sites.
The javascript that was producing the popups had several ad networks that it was using including
xads.zedo.com
upspiral.com
searchlocal.ws
aavalue.com
url.cpvfeed.com
The popups were appearing in Internet Explorer as well as Firefox and popup blockers including Google Toolbar were not stopping the invasion.
Removal Procedures I Tried
Everytime I thought I had these "Powered by Zedo" ads removed, they would return soon after a boot up, The Hijackthis log didn't reveal any major problems.
The customer's computer had a current version of Norton Internet Security 2006 and he had also used Spyware Doctor by PCTools to remove the problems. I used all the basic tools at first to try to remove them including SmitRem, CWShredder, SmitFraudFix, Lop Uninstaller, Look2Me Uninstallers, VundoFix, etc. but nothing seemed to touch this infection.
On to the Online Scanners...First I tried Housecall, then Panda ActiveScan, nothing was found...Finally I tried Kaspersky Online Scanner and it found a Rootkit (Rootkit.Win32.Agent.EQ) infecting a file called core.sys in the c:\windows\system32\drivers directory.
Upon further investigation, I also found a second file called core.cache.dsk that was related in the same directory. The core.sys file had registered itself as a service and was starting automatically each time Windows booted. Because of such a generic name, it didnt appear suspicious when I was examining the running services early on in the investigation.
How to Remove Core.sys
Follow the instructions below to remove core.sys and core.cache.dsk and rid your computer of the "Powered by Zedo" and other ads.
1) Boot into Safe Mode
2) Click on Start, Search, and choose All Files and Folders
3) In the all or part of file name box, type the following
core.sys
4) In the Look In box, choose local hard drives and click Search
5) When core.sys is found in the c:\windows\system32\drivers directory, right-click on it and choose Delete
6) Repeat steps 2-5 for the file core.cache.dsk
7) Close the Search box
8) Click on Start, Run and type REGEDIT and press Enter
9) Click on the Plus sign (+) next to HKEY_LOCAL_MACHINE
10) Click the plus next to SYSTEM
11) Click the plus next to CurrentControlSet
12) Click the plus next to Services
13) Find the folder called CORE and right-click on it and choose Delete
*** WARNING *** If the folder CORE does not exist, dont do anything
14) Close the Registry Editor by clicking on the X in the right-hand corner of the window
15) Reboot your computer in Normal mode
16) Once the computer is rebooted, open your web browser and go to Kaspersky Online Scanner by clicking on the link below.
http://www.kaspersky.com/virusscanner
17) Scan your computer and delete any other files flagged as problems.
Your computer should now be free of these vicious popups
