Popups to url.cpvfeed.com

By RenegadeTempest · 5 replies
Apr 13, 2007
  1. I am getting periodic pop-ups trying to connect to url.cpvfeed.com. Google Desktop blocks the request from going through, but I can't seem to disinfect the app. I was infected when I installed Vista and decided to use IE to download some of the drivers rather than first install Firefox.

    I ran through all of the steps on the top of the forum. The exceptions are that the online anti-virus didn't run, AVG Spyware remover wouldn't work in Vista and a couple of the other tools would not run in Vista.

    1) Attached is the HJT

    2) I have cleaned with Spybot and Adware a number of times, thinking I got the problem, but still seeing the remaining popups.

    3) AVG came up with a couple trojans that were removed, mostly from the initial popups.

    4) AVG rootkit came up clean.

    Let me know any next steps.

  2. momok

    momok TS Rookie Posts: 2,265


    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.

    Search for the following services (if there); double-click to select Stop if they are running. Set the startup type to Disabled. Click Apply/OK for each service you disable.


    Open your task manager by holding Ctrl and Alt and pressing Del. Alternatively, use Ctrl + Shift + Esc. Go to the Processes tab, and end the following processes, if found:


    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\Windows\system32\qqojkkrj.dll (file missing)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{048F5CD9-50FF-40DA-8A75-35D17874CB24}: NameServer =,
    O17 - HKLM\System\CS1\Services\Tcpip\..\{048F5CD9-50FF-40DA-8A75-35D17874CB24}: NameServer =,
    O17 - HKLM\System\CS2\Services\Tcpip\..\{048F5CD9-50FF-40DA-8A75-35D17874CB24}: NameServer =,
    O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

    Close HJT.

    Navigate in Windows Explorer and delete the following bold files. C:\WINDOWS\system32\VundoFixSVC.exe

    Reboot into normal mode and rehide your protected OS files.

    Please visit this link http://virusscan.jotti.org/

    Click the Browse... button and navigate to the following file:
    Click Open
    Please let me know the results.

    Thereafter, please post a fresh HJT and AVG Antispyware log from normal mode as an attachment into this thread.
  3. RenegadeTempest

    RenegadeTempest TS Rookie Topic Starter

    Followed steps above, attached are the HJT results. AVG Antispyware still won't run on Vista.

    Here are the Virus Scan results:

    File: nvsvc.dll
    MD5 dcfc1a6e1034dc9ccca199c3eb63c72f
    Packers detected:
    Scanner results
    Scan taken on 14 Apr 2007 01:21:31 (GMT)
    Found nothing
    Found nothing
    Found nothing
    AVG Antivirus
    Found nothing
    Found nothing
    Found nothing
    Found nothing
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found nothing
    Found nothing
    Kaspersky Anti-Virus
    Found nothing
    Found nothing
    Norman Virus Control
    Found nothing
    Panda Antivirus
    Found nothing
    Rising Antivirus
    Found nothing
    Found nothing
    Found nothing

    Sorry that HijackThis was from Safe mode...here is from normal mode.

    Also the tcpip entries are my DNS Server. I use OpenDNS, I had to add them back after removing them in safe mode.
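
An added example, not part of the original thread: the exchange above had O17 NameServer entries fixed that turned out to be the poster's own OpenDNS settings. The sketch below triages HijackThis-style lines and checks O17 resolvers against an allowlist before anything is removed. The O17 addresses in the sample, the `KNOWN_RESOLVERS` set and the verdict names are constructed assumptions (the page shows the NameServer values empty).

```python
import re

# Constructed sample: the O2 and O23 lines are copied from the thread; the
# NameServer values on the O17 lines are constructed for illustration.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\Windows\system32\qqojkkrj.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{048F5CD9-50FF-40DA-8A75-35D17874CB24}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{048F5CD9-50FF-40DA-8A75-35D17874CB24}: NameServer = 203.0.113.53
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
"""

# Resolvers the owner configured on purpose (assumption: OpenDNS addresses).
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
NAMESERVER = re.compile(r"NameServer\s*=\s*(?P<ips>.*)$")


def triage(log_text, known_resolvers=KNOWN_RESOLVERS):
    """Return (section, verdict, line) for each HijackThis-style entry."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # not a log entry (blank line, header, etc.)
        section, body = m["section"], m["body"]
        verdict = "review"  # default: a human still has to look at it
        if body.endswith("(file missing)"):
            verdict = "orphaned"  # registry entry points at a file that is gone
        elif section == "O17":
            ns = NAMESERVER.search(body)
            if ns:
                ips = {p for p in re.split(r"[,\s]+", ns["ips"]) if p}
                if not ips:
                    verdict = "empty-nameserver"
                elif ips <= set(known_resolvers):
                    verdict = "expected-dns"  # do not "fix" the owner's own DNS
                else:
                    verdict = "unknown-dns"  # resolver nobody recognises
        findings.append((section, verdict, line))
    return findings


if __name__ == "__main__":
    for section, verdict, line in triage(SAMPLE_LOG):
        print(f"{section:4} {verdict:17} {line}")
```
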
  4. momok

    momok TS Rookie Posts: 2,265


    Your logs look clean now.

    Turn off system restore (XP/ME only). Learn how to do that HERE.

    This will remove all the remaining nasties from your old restore points.
    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Should you have any further problems, please post in this thread.

    Your friendly Momok =)
  5. RenegadeTempest

    RenegadeTempest TS Rookie Topic Starter

    Although my scans look clean, the problem remains. Periodic popups to url.cpvfeed.com or upspirial. Looks like there may be some triggering coming from Firefox as some of the URLs contain URL information for pages I am hitting in Firefox.

    Any additional scans I can run? I have rerun Ad Aware, Spybot in safe mode as well as AVG Antivirus and Rootkit. I have also run Windows Defender in full mode. All come up clean.
  6. momok

    momok TS Rookie Posts: 2,265


    Often times, HijackThis alone is not enough to diagnose the problems for an infection. This is because it only checks your system thoroughly for any modifications to settings that enable programs to start up in Windows. Please read the following steps (you can skip the Ad Aware and Spybot scans if you have already done them).

    Important: Please read this thread HERE before you decide whether to clean or reformat your system.

    Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps to cleaning your computer.
    Do follow all the instructions exactly.

    Thereafter, please post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste, otherwise it will be ignored and/or removed by the moderators.
    The logs will enable us to understand more about the problems on your system.

    Your friendly Momok =)

    This thread is for the use of RenegadeTempest only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Topic Status:
Not open for further replies.
