Popups to url.cpvfeed.com

Status
Not open for further replies.
I am getting periodic pop-ups trying to connect to url.cpvfeed.com. Google Desktop blocks the request from going through, but I can't seem to disinfect the app. I was infected when I installed Vista and decided to use IE to download some of the drivers rather than first install Firefox.

I ran through all of the steps on the top of the forum. The exceptions are that the online anti-virus didn't run, AVG Spyware remover wouldn't work in Vista and a couple of the other tools would not run in Vista.

1) Attached is the HJT

2) I have cleaned with Spybot and Adware a number of times, thinking I got the problem, but still seeing the remaining popups.

3) AVG came up with a couple of trojans that were removed, mostly from the initial popups.

4) AVG rootkit came up clean.

Let me know any next steps.
 

Attachments

  • hijackthis.log
    5.9 KB · Views: 7
Hi

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.

Search for the following services (if there). Double click each one and select stop if it is running. Set the startup type to disabled. Click apply/ok for each service you disable.

VundoFixSVC.exe
cbxvvsr.dll


Open your task manager by holding ctrl and alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

VundoFixSVC.exe
cbxvvsr.dll


After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\Windows\system32\qqojkkrj.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{048F5CD9-50FF-40DA-8A75-35D17874CB24}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{048F5CD9-50FF-40DA-8A75-35D17874CB24}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{048F5CD9-50FF-40DA-8A75-35D17874CB24}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

Close HJT.

Navigate in Windows Explorer and delete the following bold files.

C:\WINDOWS\system32\VundoFixSVC.exe
C:\Windows\SYSTEM32\cbxvvsr.dll

Reboot into normal mode and rehide your protected OS files.

Please visit this link http://virusscan.jotti.org/

Click the Browse... button and navigate to the following file:
C:\Windows\system32\nvsvc.dll
Click Open
Please let me know the results.

Thereafter, please post a fresh HJT and AVG Antispyware log from normal mode as an attachment into this thread.
 
Followed steps above, attached are the HJT results. AVG Antispyware still won't run on Vista.

Here are the Virus Scan results:

File: nvsvc.dll
Status: OK
MD5: dcfc1a6e1034dc9ccca199c3eb63c72f
Packers detected: -
Scan taken on 14 Apr 2007 01:21:31 (GMT)

Scanner results:
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

Sorry that HiJackThis was from Safe mode...here is from normal mode.

Also the tcpip entries are my DNS Server. I use OpenDNS, I had to add them back after removing them in safe mode.
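
The O17 exchange above shows why each HijackThis entry should be checked before it is ticked: the NameServer values in the fix list were the poster's own OpenDNS settings. The following is an added example, not part of the original thread or of HijackThis; the `triage` function and the `OWNER_RESOLVERS` allowlist are hypothetical names, and the log lines are the ones quoted in the thread.

```python
import ipaddress
import re

# The five entries from the fix list in the thread, copied verbatim.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\Windows\system32\qqojkkrj.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{048F5CD9-50FF-40DA-8A75-35D17874CB24}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{048F5CD9-50FF-40DA-8A75-35D17874CB24}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{048F5CD9-50FF-40DA-8A75-35D17874CB24}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
"""

# Assumption: resolvers the machine's owner has confirmed setting themselves
# (here the OpenDNS addresses the poster mentions).
OWNER_RESOLVERS = frozenset({"208.67.222.222", "208.67.220.220"})

ENTRY = re.compile(r"^(O\d+) - (.+)$")
NAMESERVER = re.compile(r"NameServer = (.+)$")
SERVICE = re.compile(r"^Service: (.+) \((.+?)\) - (.+?) - (.+)$")

def triage(log, owner_resolvers=OWNER_RESOLVERS):
    """Return (section, verdict, detail) for each O2/O17/O23 entry."""
    findings = []
    for raw in log.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O2":
            # A BHO whose DLL is gone is only a leftover registry key.
            orphan = body.endswith("(file missing)")
            findings.append((section, "orphaned" if orphan else "review", body))
        elif section == "O17":
            ns = NAMESERVER.search(body)
            addrs = re.split(r"[,\s]+", ns.group(1).strip()) if ns else []
            try:
                parsed = {str(ipaddress.ip_address(a)) for a in addrs}
            except ValueError:
                parsed = set()  # malformed value: falls through to "review"
            ok = bool(parsed) and parsed <= owner_resolvers
            findings.append((section, "keep" if ok else "review", ns.group(1) if ns else body))
        elif section == "O23":
            svc = SERVICE.match(body)
            detail = svc.group(2) + " -> " + svc.group(4) if svc else body
            findings.append((section, "review", detail))
    return findings
```

With an empty allowlist every O17 entry comes back as "review", which is the safe default when the owner has not confirmed their DNS settings.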
 
Hi,

Your logs look clean now.

Turn off system restore (XP/ME only). Learn how to do that HERE.

This will remove all the remaining nasties from your old restore points.
After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Should you have any further problems, please post in this thread.


Regards,
Your friendly Momok =)
 
Although my scans look clean, the problem remains. Periodic popups to url.cpvfeed.com or upspirial. Looks like there may be some triggering coming from Firefox as some of the URLs contain URL information for pages I am hitting in Firefox.

Any additional scans I can run? I have rerun Ad Aware, Spybot in safe mode as well as AVG Antivirus and Rootkit. I have also run Windows Defender in full mode. All come up clean.
 
Hi

Often times, HijackThis alone is not enough to diagnose the problems for an infection. This is because it only checks your system thoroughly for any modifications to settings that enable programs to start up in Windows. Please read the following steps (you can skip the Ad Aware and Spybot scans if you have already done them).

Important: Please read this thread HERE before you decide whether to clean or reformat your system.

Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps to cleaning your computer.
Do follow all the instructions exactly.

Thereafter, please post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste, otherwise it will be ignored and/or removed by the moderators.
The logs will enable us to understand more about the problems on your system.


Regards,
Your friendly Momok =)

This thread is for the use of RenegadeTempest only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 