TechSpot

Solution is out there

By pubichare
Apr 22, 2007
  1. Sorry, it really isn't the solution because I can't remember the file names! The solution is out there. Two DLLs were added in system32\drivers. The names were obvious once you thought about it. My biggest confusion in tracking this down was that HijackThis never showed the problem. It also disabled all scanners (AV, spyware) before they even ran. Safe Mode was also no help until it was time to delete the files. Anyway, I think I did a Google search for "Random popups" and "cpvfeed", and there is a movie URL that opens as well. I found several forums and finally the answer. Lots of reading involved.
    Hope this helps! I have searched my bookmarks and for some reason the link was never saved. If you do find the solution, please post the URL!
    Thanks
     
  2. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Have you tried the steps as listed in my advice? It is true that certain malware disables or prevents certain programs and scanners from running, but not all.
    That is why we have that thread as a preliminary removal/detection measure. ComboFix and AVG Antispyware logs would help a lot in our diagnosis and solving of the problems on your system.

    I would also like you to download the autoruns program from HERE.
    When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

    Attach the Autoruns log here, together with fresh ComboFix, HijackThis and AVG Antispyware logs.


    Regards,
    Your friendly Momok =)
     
  3. jazfromhouston

    jazfromhouston TS Rookie

    I consider myself a pretty good spyware removal expert, but I was ALMOST stumped the other day when a customer's computer was infected with these strange "Powered by Zedo" ad popups. They would pop up in the middle of the screen without warning, usually when I was trying to search Google or another search engine. Then they would take my search term and put it in the popup ad showing eBay or a few other sites.

    The JavaScript that was producing the popups had several ad networks that it was using, including:

    xads.zedo.com
    upspiral.com
    searchlocal.ws
    aavalue.com
    url.cpvfeed.com
    The popups were appearing in Internet Explorer as well as Firefox and popup blockers including Google Toolbar were not stopping the invasion.


    Removal Procedures I Tried

    Every time I thought I had these "Powered by Zedo" ads removed, they would return soon after a boot up. The HijackThis log didn't reveal any major problems.


    The customer's computer had a current version of Norton Internet Security 2006 and he had also used Spyware Doctor by PCTools to remove the problems. I used all the basic tools at first to try to remove them including SmitRem, CWShredder, SmitFraudFix, Lop Uninstaller, Look2Me Uninstallers, VundoFix, etc. but nothing seemed to touch this infection.

    On to the online scanners... First I tried Housecall, then Panda ActiveScan; nothing was found... Finally I tried Kaspersky Online Scanner and it found a rootkit (Rootkit.Win32.Agent.EQ) infecting a file called core.sys in the c:\windows\system32\drivers directory.

    Upon further investigation, I also found a second, related file called core.cache.dsk in the same directory. The core.sys file had registered itself as a service and was starting automatically each time Windows booted. Because of such a generic name, it didn't appear suspicious when I was examining the running services early on in the investigation.

    How to Remove Core.sys

    Follow the instructions below to remove core.sys and core.cache.dsk and rid your computer of the "Powered by Zedo" and other ads.

    1) Boot into Safe Mode
    2) Click on Start, Search, and choose All Files and Folders
    3) In the all or part of file name box, type the following

    core.sys

    4) In the Look In box, choose local hard drives and click Search
    5) When core.sys is found in the c:\windows\system32\drivers directory, right-click on it and choose Delete
    6) Repeat steps 2-5 for the file core.cache.dsk
    7) Close the Search box
    8) Click on Start, Run and type REGEDIT and press Enter
    9) Click on the Plus sign (+) next to HKEY_LOCAL_MACHINE
    10) Click the plus next to SYSTEM
    11) Click the plus next to CurrentControlSet
    12) Click the plus next to Services
    13) Find the folder called CORE and right-click on it and choose Delete

    *** WARNING *** If the folder CORE does not exist, don't do anything

    14) Close the Registry Editor by clicking on the X in the right-hand corner of the window

    15) Reboot your computer in Normal mode
    16) Once the computer is rebooted, open your web browser and go to Kaspersky Online Scanner by clicking on the link below.

    http://www.kaspersky.com/virusscanner

    17) Scan your computer and delete any other files flagged as problems.

    Your computer should now be free of these vicious popups.
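As an added example, not part of the thread or any poster's own tooling: a read-only PowerShell check for the indicators jazfromhouston names (core.sys and core.cache.dsk in System32\drivers, the CORE service key), plus the Authenticode check a technician would want before trusting a generically named driver. It assumes Windows PowerShell 4+ or PowerShell 7 and an elevated prompt, and it deletes nothing.

```powershell
# Added example, not from the thread. Read-only: reports the indicators
# described above and deletes nothing. Assumes Windows PowerShell 4+ or
# PowerShell 7 and an elevated prompt so the Services hive is readable.

$driversDir   = Join-Path $env:SystemRoot 'System32\drivers'
$suspectFiles = @('core.sys', 'core.cache.dsk')   # names from the thread
$serviceKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CORE'
$findings     = @()

foreach ($name in $suspectFiles) {
    $path = Join-Path $driversDir $name
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $item = Get-Item -LiteralPath $path -Force
    # A genuine Microsoft driver carries a valid Authenticode signature;
    # an unsigned file with a generic name in drivers\ deserves a closer look.
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $findings += [pscustomobject]@{
        Indicator = $path
        Kind      = 'File'
        Detail    = ('size={0} sha256={1} signature={2}' -f $item.Length,
                     (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash,
                     $sig.Status)
    }
}

if (Test-Path -LiteralPath $serviceKey) {
    $svc = Get-ItemProperty -LiteralPath $serviceKey
    # Start=0 (boot) or 1 (system) means the driver loads before any user-mode
    # scanner runs, which is why HijackThis and the AV tools saw nothing.
    $findings += [pscustomobject]@{
        Indicator = $serviceKey
        Kind      = 'Registry'
        Detail    = ('ImagePath={0} Start={1} Type={2}' -f $svc.ImagePath,
                     $svc.Start, $svc.Type)
    }
}

# Is a driver service named CORE currently loaded? Catches the running instance
# even when the on-disk file names differ from the ones above.
$loaded = Get-CimInstance Win32_SystemDriver -Filter "Name='CORE'" -ErrorAction SilentlyContinue
if ($loaded) {
    $findings += [pscustomobject]@{
        Indicator = $loaded.PathName
        Kind      = 'LoadedDriver'
        Detail    = ('State={0} StartMode={1}' -f $loaded.State, $loaded.StartMode)
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No core.sys / core.cache.dsk / CORE service indicators found.' }
```

Run it before and after the manual removal steps: a clean pass after step 15 confirms the service key and both files are gone, and the hash recorded beforehand lets you match the sample against the scanner's detection name.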
     
  4. comstar

    comstar TS Rookie

    Fantastic Solution!

    jazfromhouston -- your fix worked perfectly. Thanks for the repair notes; it took only a few minutes and rid me of my problem with this malware. Cheers!

    Edited by Moderator: Removed quote. There's no need to quote the post directly above your own, unless you're only replying to a specific section, in which case you would only quote that particular section.
     
  5. momok

    momok TS Rookie Posts: 2,265

    Hi comstar and welcome to techspot. =)

    May I suggest you open a new thread and post your HijackThis and ComboFix log for a quick check just to verify your system is fully clean. (Often malware infections come in a bundle and this would help ensure your system is safe from other infections)


    Regards,
    Your friendly momok =)

    This thread is for the use of pubichare only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Thread split and posts moved to their own thread.

    Regards Howard :)
     