TechSpot

URL CPV Feed

By doornfontein
Jun 1, 2007
  1. hi to all
    I need to sort a problem: URL CPV Feed keeps opening new tabs as I browse.
    Have got ZLabs Super antiSpyware and Spyware Bot, all no help.

    best regards doorndontein
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system is infected with malware.

    You should uninstall the following from add/remove programmes in your control panel (if there).

    SpywareBot
    BroadJump
    Client Foundation

    Close control panel.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :)

    This thread is for the use of doornfontein only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. doornfontein

    doornfontein TS Rookie Topic Starter

    Hi Howard
    sorry for not getting back sooner. Firstly a big thank you for your help
    I am up to step 13 and will be attaching logs of Combofix and HijackThis shortly
    Doornfontein

    Hi Howard
    Got to do this in 2 stages as file too large

    hi
    hope this is ok let me know if I am going wrong

    Hi Howard
    Combofix has had a positive result, it has quarantined some file. Would you like to see the log, which is huge, or just the quarantined log?
    kind regards
    Doornfontein
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hi doornfontein.

    I need you to follow the instructions I gave you and post the following logfiles as attachments.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :)

    This thread is for the use of doornfontein only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. doornfontein

    doornfontein TS Rookie Topic Starter

    Finally

    Hi Howard
    have completed the steps and attached file. The root scan came up clean.
    I do not seem to be getting the problems of my browser being hijacked by Cp Feed. I am grateful for all your help and assistance
    Best regards
    Doornfontein
     


  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Delete all files in AVG Antispyware quarantine.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop. The Avenger script is attached to the bottom of this post.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as fresh HJT and Combofix logs.

    Regards Howard :)

    This thread is for the use of doornfontein only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     


  7. doornfontein

    doornfontein TS Rookie Topic Starter

    Swandog

    Hi Howard
    had a small problem with this but managed to do it eventually, correctly I hope
    Doornfontein
     
  8. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Since Howard is not around at the moment, I'll help out for now.

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.
    Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    SpywareBot

    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O2 - BHO: (no name) - {60E2AF64-41D9-6854-F04C-69E34AE2FD97} - (no file)
    O2 - BHO: (no name) - {61E0A337-43DA-3957-F04C-69E34AE2F898} - (no file)
    O2 - BHO: (no name) - {64B4F633-138C-3855-A14C-69E34AE2AA9C} - (no file)
    O2 - BHO: (no name) - {64E3A162-4182-6E57-F64C-69E34AEDA898} - (no file)
    O2 - BHO: (no name) - {65E1F163-108D-3B50-A54C-69E34AEDAE98} - (no file)
    O2 - BHO: (no name) - {863C51D7-A648-4D46-82EF-052D244D99AE} - (no file)
    O2 - BHO: (no name) - {9E7D1431-15A5-419D-8C9B-094D3C1C17Ac} - (no file)

    O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
    O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

    O20 - Winlogon Notify: cbxyyaa - cbxyyaa.dll (file missing)
    O20 - Winlogon Notify: ljjkklk - ljjkklk.dll (file missing)
    O20 - Winlogon Notify: ssqpomk - ssqpomk.dll (file missing)

    Close HJT.


    Navigate in Windows Explorer and delete the following files and folders in bold.

    C:\Program Files\SpywareBot\

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post a fresh HJT log from normal mode as an attachment into this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of doornfontein only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. Aad1934

    Aad1934 TS Rookie

    How to kill CPV Feed:

    Hi, here's my solution:

    Go to "Start/Run" and type

    sc stop core

    press ok

    again go to "Start/Run" and type

    sc delete core

    press ok

    Shut down your computer. (You might get a blue screen, don't panic)

    Restart the computer in safe mode (press down F8 at the beginning of the reboot)

    Delete the two files below:

    C:\WINDOWS\system32\drivers\core.sys
    C:\WINDOWS\system32\drivers\core.cache.dsk

    (You can find them by using start/search/filefinder, make sure that you can view hidden folders/files)

    Restart the computer. Pops should be gone...

    Use Ad-aware or Xoftspy to clean up the rest of the mess


    Greetings,

    Nout.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Aad1934: May I ask what makes you think doornfontein`s system is infected with core.sys? The reason I ask is because I haven`t seen any evidence in doornfontein`s logfiles of that infection.

    Regards Howard :wave: :wave:

    This thread is for the use of doornfontein only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. doornfontein

    doornfontein TS Rookie Topic Starter

    Hi Howard

    Hi Howard
    Glad to see you are back, I have just finished the last lot of instructions from momok and have attached the latest hijack file
    Best regards
    Doornfontein
     
  12. Aad1934

    Aad1934 TS Rookie

    Please, correct me if I'm wrong

    This topic started with :

    "hi to all
    I need sort a problem, url cpv feed keeps opening new tabs as I browse.
    Have got ZLabs Super antiSpyware and Spyware Bot all no help .

    best regards doorndontein"

    The problem described above by doorndontein can be solved by following the instructions I posted earlier today. Just give it a try, and you'll see that it solves the problem!

    Greetings,

    Nout.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The Spywarebot programme is still showing in your HJT log. This is a rogue programme which needs to be got rid of.

    Turn off Superantispyware, or temporarily uninstall it.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add/remove programmes in your control panel and uninstall anything to do with (if there).

    spywarebot

    Close control panel.

    Click on the processes tab and end process for (if there).

    SpywareBot.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Program Files\SpywareBot  < Delete the entire folder.

    Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

    Click edit and choose find. Type SpywareBot into the dialogue box and click the find next button. Regedit will now search your registry for any entries that contain a reference to SpywareBot and display them in the righthand pane. Right click on any such SpywareBot entries and choose delete.

    Now click edit again and choose find next. Again, delete any entries that reference SpywareBot.

    Repeat the above, until no more SpywareBot entries are found.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    EDIT: Aad1934 That`s all well and good, but I love learning new things and I don`t particularly care who or where from. ;)

    If you`d be so kind as to explain what leads you to believe it`s the Core.sys that`s to blame, I`d be very grateful.

    I am aware that Core.sys is nasty, but as I said earlier, I can`t find any evidence of it in doornfontein`s logfiles, particularly his Combofix log.


    Regards Howard :)

    This thread is for the use of doornfontein only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
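
An added example, not part of any post in this thread: a small Python triage of the HijackThis entry shapes that momok and howard_hopkinso list above (O2 BHO, O4 Run/Startup, O20 Winlogon Notify). The sample log is constructed from lines quoted in the thread plus one invented healthy entry; the `triage` function, the watchlist and the reason strings are assumptions of this example, not HijackThis features.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: entries quoted in this thread plus one invented
# healthy BHO line (Example Helper) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {60E2AF64-41D9-6854-F04C-69E34AE2FD97} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O20 - Winlogon Notify: cbxyyaa - cbxyyaa.dll (file missing)
"""

# One pattern per entry shape seen in the thread; each exposes name/target.
PATTERNS = [
    ("O2", re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<target>.+)$")),
    ("O4", re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<target>.+)$")),
    ("O4", re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<target>.+)$")),
    ("O20", re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.+)$")),
]
ORPHAN_MARKERS = ("(no file)", "(file missing)")

@dataclass
class Entry:
    section: str
    name: str
    target: str
    reasons: list = field(default_factory=list)

def triage(log_text, watchlist=("spywarebot",)):
    """Parse recognised O2/O4/O20 lines and attach reasons an entry needs review."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        for section, pattern in PATTERNS:
            m = pattern.match(line)
            if not m:
                continue
            e = Entry(section, m["name"], m["target"])
            if any(marker in e.target for marker in ORPHAN_MARKERS):
                e.reasons.append("orphaned: registry entry points at a missing file")
            hay = (e.name + " " + e.target).lower()
            e.reasons += [f"watchlist: {w}" for w in watchlist if w in hay]
            entries.append(e)
            break
    return entries

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:<4}{'REVIEW' if e.reasons else 'ok':<8}{e.name}  {'; '.join(e.reasons)}")
```

The hp center startup entry that howard_hopkinso has fixed comes back with no reasons: it is neither orphaned nor on the watchlist, so a pattern check like this narrows a log down but does not replace the helper's judgement.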
     
  14. dissipatedfog

    dissipatedfog TS Rookie

    URL CPVFEED - get rid of all cookies

    I had this problem and tried antispyware and did several thorough scans, but it kept coming back. Then on a whim I went into
    "C:\Documents and Settings\Owner\Cookies" (I had to open up C:\ and manually type in the rest). I deleted ALL of the cookies and haven't had the problem since. Of course I now have to re-register my computer on my financial websites and sign in again on sites like Netflix, but it's definitely worth it.
     
Topic Status:
Not open for further replies.
