URL CPV Feed

Status
Not open for further replies.
Hi to all,
I need to sort a problem: URL CPV Feed keeps opening new tabs as I browse.
Have got ZLabs Super AntiSpyware and Spyware Bot, all no help.

best regards doorndontein
 
Your system is infected with malware.

You should uninstall the following from add/remove programmes in your control panel (if there).

SpywareBot
BroadJump
Client Foundation

Close control panel.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :)

This thread is for the use of doornfontein only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi Howard
Sorry for not getting back sooner. Firstly, a big thank you for your help.
I am up to step 13 and will be attaching logs of ComboFix and HijackThis shortly.
Doornfontein

Hi Howard
Got to do this in 2 stages as file too large.

Hi,
hope this is OK. Let me know if I am going wrong.

Hi Howard
ComboFix has had a positive result; it has quarantined some file. Would you like to see the log, which is huge, or just the quarantined log?
Kind regards
Doornfontein
 
Hi doornfontein.

I need you to follow the instructions I gave you and post the following logfiles as attachments.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :)

 
Finally

Hi Howard
have completed the steps and attached file. The root scan came up clean.
I do not seem to be getting the problems of my browser being hijacked by Cp Feed. I am grateful for all your help and assistance
Best regards
Doornfontein
 

Attachments

  • ComboFix.txt (13.3 KB)

Delete all files in AVG Antispyware quarantine.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop. The Avenger script is attached to the bottom of this post.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "open Script File".
Navigate to the file you have just downloaded, click on it and press open.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as fresh HJT and Combofix logs.

Regards Howard :)

 

Attachments

  • avengerscript.txt (265 bytes)

Hi,

Since Howard is not around at the moment, I'll help out for now.

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

SpywareBot

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O2 - BHO: (no name) - {60E2AF64-41D9-6854-F04C-69E34AE2FD97} - (no file)
O2 - BHO: (no name) - {61E0A337-43DA-3957-F04C-69E34AE2F898} - (no file)
O2 - BHO: (no name) - {64B4F633-138C-3855-A14C-69E34AE2AA9C} - (no file)
O2 - BHO: (no name) - {64E3A162-4182-6E57-F64C-69E34AEDA898} - (no file)
O2 - BHO: (no name) - {65E1F163-108D-3B50-A54C-69E34AEDAE98} - (no file)
O2 - BHO: (no name) - {863C51D7-A648-4D46-82EF-052D244D99AE} - (no file)
O2 - BHO: (no name) - {9E7D1431-15A5-419D-8C9B-094D3C1C17Ac} - (no file)

O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

O20 - Winlogon Notify: cbxyyaa - cbxyyaa.dll (file missing)
O20 - Winlogon Notify: ljjkklk - ljjkklk.dll (file missing)
O20 - Winlogon Notify: ssqpomk - ssqpomk.dll (file missing)

Close HJT.


Navigate in Windows Explorer and delete the following files and folders in bold.

C:\Program Files\SpywareBot\

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post a fresh HJT log from normal mode as an attachment into this thread.


Regards,
Your friendly momok =)

This thread is for the use of doornfontein only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
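
The kind of HijackThis entries listed in the post above can be picked out of a log mechanically. The following is an added example, not code from the thread or from HijackThis itself: it flags autostart entries whose target file is absent and entries that name a program on a watchlist. The watchlist contents, the function names and the two benign sample lines are assumptions made for illustration.

```python
import re

# Lines 1, 3 and 5 are copied from the post above; lines 2 and 4 are constructed
# benign entries (hypothetical names and CLSID) added for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {60E2AF64-41D9-6854-F04C-69E34AE2FD97} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O20 - Winlogon Notify: cbxyyaa - cbxyyaa.dll (file missing)
"""

# "<section> - <kind>: <detail>", e.g. "O2 - BHO: (no name) - {...} - (no file)"
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_line(line):
    """Split one HijackThis line into section, kind and detail; None if not an entry."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    section, kind, detail = m.groups()
    return {"section": section, "kind": kind, "detail": detail}


def triage(log_text, watchlist=("spywarebot",)):
    """Return (section, detail, reasons) for entries worth a helper's attention."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        detail = entry["detail"].lower()
        reasons = []
        # Autostart entry whose target no longer exists on disk.
        if detail.endswith(ORPHAN_MARKERS):
            reasons.append("orphaned")
        # Entry naming a program already identified as unwanted (assumed watchlist).
        if any(name in detail for name in watchlist):
            reasons.append("watchlist")
        if reasons:
            findings.append((entry["section"], entry["detail"], reasons))
    return findings


if __name__ == "__main__":
    for section, detail, reasons in triage(SAMPLE_LOG):
        print(f"{section:4} {', '.join(reasons):10} {detail}")
```
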
 
How to kill CPV Feed:

Hi, here's my solution:

Go to "Start/Run" and type

sc stop core

press ok

again go to "Start/Run" and type

sc delete core

press ok

Shut down your computer. (You might get a blue screen, don't panic)

Restart the computer in safe mode (press down F8 at the beginning of the reboot)

Delete the two files below:

C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\core.cache.dsk

(You can find them by using start/search/filefinder, make sure that you can view hidden folders/files)

Restart the computer. Pop-ups should be gone...

Use Ad-aware or Xoftspy to clean up the rest of the mess


Greetings,

Nout.
 
Hello and welcome to Techspot.

Aad1934: May I ask what makes you think doornfontein's system is infected with core.sys? The reason I ask is because I haven't seen any evidence in doornfontein's logfiles of that infection.

Regards Howard :wave: :wave:

 
Hi Howard

Hi Howard
Glad to see you are back. I have just finished the last lot of instructions from momok and have attached the latest hijack file.
Best regards
Doornfontein
 
Please, correct me if I'm wrong

This topic started with :

"Hi to all,
I need to sort a problem: URL CPV Feed keeps opening new tabs as I browse.
Have got ZLabs Super AntiSpyware and Spyware Bot, all no help.

best regards doorndontein"

The problem described above by doorndontein can be solved by following the instructions I posted earlier today. Just give it a try, and you'll see that it solves the problem!

Greetings,

Nout.
 
The Spywarebot programme is still showing in your HJT log. This is a rogue programme which needs to be got rid of.

Turn off Superantispyware, or temporarily uninstall it.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to add/remove programmes in your control panel and uninstall anything to do with (if there).

spywarebot

Close control panel.

Click on the processes tab and end process for (if there).

SpywareBot.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\Program Files\SpywareBot <-- Delete the entire folder.

Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

Click edit and choose find. Type SpywareBot into the dialogue box and click the find next button. Regedit will now search your registry for any entries that contain a reference to SpywareBot and display them in the righthand pane. Right click on any such SpywareBot entries and choose delete.

Now click edit again and choose find next. Again, delete any entries that reference SpywareBot.

Repeat the above, until no more SpywareBot entries are found.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

EDIT: Aad1934 That's all well and good, but I love learning new things and I don't particularly care who or where from. ;)

If you'd be so kind as to explain what leads you to believe it's the Core.sys that's to blame, I'd be very grateful.

I am aware that Core.sys is nasty, but as I said earlier, I can't find any evidence of it in doornfontein's logfiles, particularly his Combofix log.


Regards Howard :)

 
URL CPVFEED - get rid of all cookies

I had this problem and tried antispyware and did several thorough scans, but it kept coming back. Then on a whim I went into "C:\Documents and Settings\Owner\Cookies" (I had to open up C:\ and manually type in the rest). I deleted ALL of the cookies and haven't had the problem since. Of course I now have to re-register my computer on my financial websites and sign in again on sites like Netflix, but it's definitely worth it.
 