TechSpot

Popups to url.cpvfeed.com

By RenegadeTempest
Apr 13, 2007
  1. I am getting periodic pop-ups trying to connect to url.cpvfeed.com. Google Desktop blocks the request from going through, but I can't seem to disinfect the app. I was infected when I installed Vista and decided to use IE to download some of the drivers rather than first install Firefox.

    I ran through all of the steps on the top of the forum. The exceptions are that the online anti-virus didn't run, AVG Spyware remover wouldn't work in Vista and a couple of the other tools would not run in Vista.

    1) Attached is the HJT

    2) I have cleaned with Spybot and Adware a number of times, thinking I got the problem, but still seeing the remaining popups.

    3) AVG came up with a couple trojans that were removed, mostly from the initial popups.

    4) AVG rootkit came up clean.

    Let me know any next steps.
     


  2. momok

    momok TS Rookie Posts: 2,265

    Hi

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.

    Search for the following services (if there); double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    VundoFixSVC.exe
    cbxvvsr.dll


    Open your task manager by holding ctrl and alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

    VundoFixSVC.exe
    cbxvvsr.dll


    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\Windows\system32\qqojkkrj.dll (file missing)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{048F5CD9-50FF-40DA-8A75-35D17874CB24}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS1\Services\Tcpip\..\{048F5CD9-50FF-40DA-8A75-35D17874CB24}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS2\Services\Tcpip\..\{048F5CD9-50FF-40DA-8A75-35D17874CB24}: NameServer = 208.67.222.222,208.67.220.220
    O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

    Close HJT.

    Navigate in Windows Explorer and delete the following bold files.

    C:\WINDOWS\system32\VundoFixSVC.exe
    C:\Windows\SYSTEM32\cbxvvsr.dll

    Reboot into normal mode and rehide your protected OS files.

    Please visit this link http://virusscan.jotti.org/

    Click the Browse... button and navigate to the following file:
    C:\Windows\system32\nvsvc.dll
    Click Open
    Please let me know the results.

    Thereafter, please post a fresh HJT and AVG Antispyware log from normal mode as an attachment into this thread.
     
  3. RenegadeTempest

    RenegadeTempest TS Rookie Topic Starter

    Followed steps above, attached are the HJT results. AVG Antispyware still won't run on Vista.

    Here are the Virus Scan results:

    File: nvsvc.dll
    Status: OK
    MD5: dcfc1a6e1034dc9ccca199c3eb63c72f
    Packers detected: -
    Scan taken on 14 Apr 2007 01:21:31 (GMT)

    Scanner results:
    AntiVir: Found nothing
    ArcaVir: Found nothing
    Avast: Found nothing
    AVG Antivirus: Found nothing
    BitDefender: Found nothing
    ClamAV: Found nothing
    Dr.Web: Found nothing
    F-Prot Antivirus: Found nothing
    F-Secure Anti-Virus: Found nothing
    Fortinet: Found nothing
    Kaspersky Anti-Virus: Found nothing
    NOD32: Found nothing
    Norman Virus Control: Found nothing
    Panda Antivirus: Found nothing
    Rising Antivirus: Found nothing
    VirusBuster: Found nothing
    VBA32: Found nothing

    Sorry that HiJackThis was from Safe mode...here is from normal mode.

    Also the tcpip entries are my DNS Server. I use OpenDNS, I had to add them back after removing them in safe mode.
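
The HijackThis entries listed in momok's instructions, together with the follow-up that the O17 NameServer values were the poster's own OpenDNS servers, as an added example that is not part of the original thread: a small triage pass that separates an orphaned BHO entry from DNS overrides the owner recognises. The function names, the labels and `OWNER_RESOLVERS` are hypothetical; the sample lines are the ones quoted in the thread.

```python
import re

# Constructed input: the five HijackThis entries quoted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\Windows\system32\qqojkkrj.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{048F5CD9-50FF-40DA-8A75-35D17874CB24}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{048F5CD9-50FF-40DA-8A75-35D17874CB24}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{048F5CD9-50FF-40DA-8A75-35D17874CB24}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
"""

# Assumption: resolvers the machine's owner confirms having configured
# (here the OpenDNS pair the poster names in the thread).
OWNER_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (.+)$")

def parse_entries(log_text):
    """Return (section, body) for every line shaped like 'O2 - ...'."""
    found = (ENTRY_RE.match(line.strip()) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in found if m]

def classify(section, body, owner_resolvers):
    """Map one entry to a hypothetical triage label."""
    if section == "O2":  # Browser Helper Object
        return "orphaned-bho" if body.endswith("(file missing)") else "bho"
    if section == "O17":  # NameServer value under the Tcpip service key
        m = NAMESERVER_RE.search(body)
        servers = set(re.split(r"[ ,]+", m.group(1).strip())) if m else set()
        known = bool(servers) and servers <= owner_resolvers
        return "dns-owner-set" if known else "dns-unrecognised"
    if section == "O23":  # service entry
        return "service"
    return "other"

def triage_log(log_text, owner_resolvers):
    """Classify every entry in a pasted log, preserving order."""
    return [(sec, classify(sec, body, owner_resolvers))
            for sec, body in parse_entries(log_text)]

if __name__ == "__main__":
    for section, label in triage_log(SAMPLE_LOG, OWNER_RESOLVERS):
        print(section, label)
```

An entry labelled `dns-unrecognised` is a prompt to ask the owner before fixing it, which avoids the remove-and-re-add round trip described in the post above.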
     
  4. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Your logs look clean now.

    Turn off system restore (XP/ME only). Learn how to do that HERE.

    This will remove all the remaining nasties from your old restore points.
    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly Momok =)
     
  5. RenegadeTempest

    RenegadeTempest TS Rookie Topic Starter

    Although my scans look clean, the problem remains. Periodic popups to url.cpvfeed.com or upspirial. Looks like there may be some triggering coming from Firefox, as some of the URLs contain URL information for pages I am hitting in Firefox.

    Any additional scans I can run? I have rerun Ad Aware, Spybot in safe mode as well as AVG Antivirus and Rootkit. I have also run Windows Defender in full mode. All come up clean.
     
  6. momok

    momok TS Rookie Posts: 2,265

    Hi

    Oftentimes, HijackThis alone is not enough to diagnose the problems for an infection. This is because it only checks your system thoroughly for any modifications to settings that enable programs to start up in Windows. Please read the following steps (you can skip the Ad Aware and Spybot scans if you have already done them).

    Important: Please read this thread HERE before you decide whether to clean or reformat your system.

    Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps to cleaning your computer.
    Do follow all the instructions exactly.

    Thereafter, please post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste; otherwise it will be ignored and/or removed by the moderators.
    The logs will enable us to understand more about the problems on your system.


    Regards,
    Your friendly Momok =)

    This thread is for the use of RenegadeTempest only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.
