Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Re: url.cpvfeed.com popup redirector to revenueloop

0 views
Skip to first unread message
Message has been deleted
Message has been deleted

David H. Lipman

unread,
Apr 4, 2007, 7:16:01 PM4/4/07
to
From: <thang>

| I don't know how I picked this up, but nothing I run will detect it,
| let alone get rid of the popup. It appears harmless but is a definite
| infection. HiJack this doesn't pick it up, nor Zone Alarm Security
| Suite 2007, nor Ad Aware, nor EMCO or Spyware Remover nor Pareto
| Logic.
|
| Any ideas on what it is, where it is, how it works, how to detect it
| or how to remove it?
|
| It pops up every time I open a browser (IE7). The first popup is
| "url.cpvfeed.com" and then this changes to "login.revenueloop.com" and
| then a few other popups come up such as
| "searchportal.information.com". It is really bugging me.
|
| Any help appreciated.
|
| thang

Open a Commnad Prompt and type;

ipconfig /all


Copy and paste the results in your reply.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


Message has been deleted

David H. Lipman

unread,
Apr 4, 2007, 8:34:41 PM4/4/07
to
From: <th...@nerdshack.com>

< snip >


|
| BTW, I'm not sure of the security implications of posting this
| information, so I have changed my nick in the headers etc.
|
| thang

I wanted to see if you had a DNSChanger Trojan infection but, nope, it isn't that.

Gerald309

unread,
Apr 4, 2007, 9:27:17 PM4/4/07
to

----------------->
url.cpvfeed.com popup redirector to revenueloop....


CA Spyware Info Center:
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453107470

cpvfeed.com
Tracking Cookie : Any cookie that is shared among two or more web
pages for the purpose of tracking a user's surfing history.

That's incredible none of your security software picked this up. It is
a simple tracking cookie. Lavasoft Ad-Aware would definately pick this
up and most likely any associated adware installation if it is
understood you mean your browser is being redirected. If your browser
is going to another website then expected and especially if you are
not even clicking anything - then it is a "browser hijacker" or your
symptom - "redirecter" - which is exactly what a browser hijacker
does, re-directs your browser to a different website to either offer
something for sale or to a malicious content website attempting to
install malware such as a trojan or spyware and/or more adware (the
least lethal).

A browser hijacker will install an Active X item in the Windows
Registry, They are called BHO (Browser Help Object). The legitimate
ones are many by Microsoft and other known valid software you use. The
browser hijacker installation is sort of a hackware or piece of a
software in size - just a couple entries. Most of these are the
toolbars in Internet Explorer - like known ones are Google Toolbar,
Yahoo Toolbar, and so on. The bad ones many times are not even visible
in the drop down menu. They can even be a transparent radio button
install. They may be a very visible radio button if you have some full
blown porno malware install and has buttons installed in the browser
like "Show Me More 10-XXX". That takes a manual click rather than some
automated re-direct.

I would do two things. One, download - update - and run
SuperAntispyware free home version which is a very good detector,
perhaps a little better than Ad-Aware. There may be an associated
trojan doing the redirect so two - also get yourself the free A-
Squared Trojan Remover free home version as well. Register for the
updates, update it and run it. You seem to have a well known threat
present rather than some obscure or new unknown threat.

BOOKMARKS:

SUPERAntiSpyware [working-freeware, and premium version]
http://www.superantispyare.com

a-squared trojan remover (Free Working Version for life and Proactive
Premium Version)
http://www.emsisoft.com/en/software/free/
a-squared (a-squared) is a complementary product to antivirus software
and desktop firewalls on MS Windows computers. Antivirus software
specializes in detecting classic viruses. Many available products have
weaknesses in detecting other malicious software (Malware) like
Trojans, Dialers, Worms and Spyware (Adware). a-squared fills the gap
that malware writers exploit. Automatic updates: In a-squared Free the
updater must be run manually. The auto-update feature of a-squared
Personal checks hourly for new available updates and installs them
automatically. a-squared Free is freeware! You can download and use it
completely for free. You are also allowed to distribute it to third
parties. To be able to use it, you only must set up a free a-squared
Account, to get access to the update server. (Note you register by
simple sign up to activate definitions downloads free).
==========>

YOUR POST QUOTED..... -------------->

''QUOTE""
thang View profileI don't know how I picked this up, but nothing I


run will detect it, let alone get rid of the popup. It appears
harmless but is a definite infection. HiJack this doesn't pick it up,
nor Zone Alarm Security Suite 2007, nor Ad Aware, nor EMCO or Spyware
Remover nor Pareto Logic. Any ideas on what it is, where it is, how it
works, how to detect it or how to remove it? It pops up every time I
open a browser (IE7). The first popup is "url.cpvfeed.com" and then
this changes to "login.revenueloop.com" and then a few other popups
come up such as "searchportal.information.com". It is really bugging
me. Any help appreciated. thang

More options Apr 4, 5:26 pm

Newsgroups: alt.privacy.spyware
From: thang <thang>
Date: Thu, 05 Apr 2007 05:26:45 +0800
Local: Wed, Apr 4 2007 5:26 pm
Subject: url.cpvfeed.com popup redirector to revenueloop
Note: The author of this message requested that it not be archived.
This message will be removed from Groups in 6 days (Apr 11, 5:26 pm).
""UNQUOTE""


thang

unread,
Apr 5, 2007, 3:12:15 AM4/5/07
to

I appreciate your help mate. It can't be a tracking cookie because I
run Steganos IE Cleaner which takes out all cookies in Docs folders,
and everything else. Unless the cookie is stored somewhere else.
HiJack this does not pick up any BHOs, so I don't think it is a BHO. I
am at work now, I will dl the freeware you suggested when I get home
and report on it. CA is right though, it is a March 2007 infection.
It is something I have never come across before and I generally run a
watertight rig.

thang

Message has been deleted

FredW

unread,
Apr 5, 2007, 7:29:09 AM4/5/07
to
thang used her/his keyboard to write :

> On 4 Apr 2007 18:27:17 -0700, "Gerald309" <gera...@gmail.com> wrote:
>>
>> SUPERAntiSpyware [working-freeware, and premium version]
>> http://www.superantispyare.com
>>
>> a-squared trojan remover (Free Working Version for life and Proactive
>> Premium Version)
>> http://www.emsisoft.com/en/software/free/
>> a-squared (a-squared) is a complementary product to antivirus software
>> parties. To be able to use it, you only must set up a free a-squared
>> Account, to get access to the update server. (Note you register by
>> simple sign up to activate definitions downloads free).
>
> By the way, the first link to Antispyware.com is bad. Bewildering
> array of spam, search engines and software companies all uninvited and
> unsatisfying. The second one appears good, though - I'll try it in a
> minute (30 day trial).

Typo?
http://www.superantispyware.com/download.html
(SuperAntiSpyware Free Edition - version 3.6.1000)

For the second one registration is not (no longer) required.
(a-squared Free 2.1)
http://www.emsisoft.com/en/software/download/

;-)

--
Fred Wening (NL)


Message has been deleted

FredW

unread,
Apr 6, 2007, 5:33:50 AM4/6/07
to
After serious thinking thang wrote :
> On Thu, 05 Apr 2007 13:29:09 +0200, FredW <fr...@ninmule.invalid>
> Sorry bud, I have run the a-squared 30 day trial fully enabled
> anti-malware. It has not picked up the url.cpvfeed.com infection,
> this is NOT coming from my temp, cookies or IE history caches, and the
> a-squared has left a HUGE 4.2GB folder called a2archive in my temp
> folder. What the hell is that? Thanks, but no thanks. I don't think
> I will try the free one.

Weekly I update and scan with
- a-squared Free 2.1
- AdAware 1.06r1 (Free)
- Spybot Search & Destroy 1.4 (Free)
- SuperAntiSpyware 3.6.1000 Free
I never had the problems you describe (huge folder).

Did you clean all temp files, etc. before scanning?
Did you scan in Safe Mode?

Did you scan with SuperAntiSpyware?

Did you Google on "cpvfeed"?
I just found some 38.000 hits, maybe you can find a solution there?

--
Fred Wening (NL)


Message has been deleted
Message has been deleted
Message has been deleted

David H. Lipman

unread,
Apr 7, 2007, 8:30:37 AM4/7/07
to
From: <thang>

< snip >

|
| Fixed it. Nothing found it bar Kasperskly Online Scanner, it was the
| ONLY ONE!!! It only identified two of the files though, and didn't
| pick up the service in registry. Also, it treated the files as locked
| and didn't implement a boottime delete. I did that myself using
| GiPo@Utilities. It is now gone.The malware came from a torrent
| screensaver I DL'd, it is a particularly nasty infection - the exe
| installstwo files core.sys and core.cache.dsk in \system32\drivers\
| and registers itself as a service
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\core
| deleted the lot on boot and presto, free of this fucking infection.
|
| I must point out that the only suite to identify these files and the
| service was Kaspersky Online. Nothing else did, including my
| Zonealarm by which I normally swear. None of the forums were anywhere
| near the mark either, so much for the geeks and techo's who think they
| know it all. I found the solution in a piratebay comment forum on the
| particular torrent which has caused all of the problems. I will be
| very careful in the future.
|
| By the way, the simple expedient of setting the url to 127.0.0.1 in
| hosts stops it from promulgating, but it doesn't stop the popup.
|
| Hope this helps someone else, because no one here could help me, thats
| for sure, even though in a condescending way a few people thought they
| could help.
|
| thang

If would have others MORE if you didn't delete the file but submitted them to the various
anti malware organizations so Kaspersky would not be the only one detecting this crap.

Message has been deleted

kget...@gmail.com

unread,
Apr 7, 2007, 2:12:16 PM4/7/07
to
Thanks thang! Deleting the 'core' files and reg key fixed my system
too (I did it by booting into Safe Mode). Someone should let the
folks on all those "Submit your HiJackThis log" groups know about this
solultion. You rock!

David H. Lipman

unread,
Apr 7, 2007, 5:19:15 PM4/7/07
to
From: <thang>

< snip >

|
| Do you want me to post the whole exe? I still have it, you will need
| to install, and then pick the two files out along with the reg entry.
| No big deal. Tell me if you want it, I am sure someone will test and
| send to the "various anti malware organisations".
|
| thang

If you have it -- Great !

Send it to me in a password protected ZIP file with the password being; infected

Just remove ~nospam~ from; DLipman~nospam~@Verizon.Net

I will make sure that it is distributed to all the anti malware companies and it *will* be
thoroughly examined as well.

Message has been deleted

David H. Lipman

unread,
Apr 7, 2007, 6:11:03 PM4/7/07
to
From: <thang>


| Thanks David but I don't email people I don't know, just privacy and
| all that - I use anonymous email accounts but use the same smtp server
| which will link back to me ( I don't use remailers etc though). Here
| is the file in any case. No one should execute this though, it is
| pure poison. I do not know how these sites exist, here in Australia
| they would be prosecuted.
|
| No one but Kaspersky ID'd it. And, this smart young downloader who
| has identified it here
|
| http://thepiratebay.org/tor/3647979/3D_Galaxy_Journey_Screensaver_1.4_With_Serial
|
| regards
|
| thang

I understand. You can do this instead. I make sure Julio gioves this one attention. But
you will have to post the final Virus Total report so I can have Julio give this submission
that attention.

Please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:sc...@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

Message has been deleted
Message has been deleted

David H. Lipman

unread,
Apr 7, 2007, 7:04:38 PM4/7/07
to
From: <thang>


|
| Sorry, left off the attachment.
|
| thang

I HOPE you aren't trying to attach the file here becuase this is a discussion only, text,
News Group and attachments are not allowed.

Paul Pirosca

unread,
Apr 8, 2007, 3:12:37 AM4/8/07
to
On Apr 8, 2:04 am, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:

hi

i've got the same problem and i removed the files with windows sp2
boot cd into recovery mode, i still got the 2 files if any1 needs them

David H. Lipman

unread,
Apr 8, 2007, 8:42:06 AM4/8/07
to
From: "Paul Pirosca" <pir...@gmail.com>


|
| hi
|
| i've got the same problem and i removed the files with windows sp2
| boot cd into recovery mode, i still got the 2 files if any1 needs them

Cool...
Send them to me in a password protected ZIP file with the password being; infected

Just remove ~nospam~ from; DLipman~nospam~@Verizon.Net

I will make sure that they are distributed to all the anti malware companies and they will


be
thoroughly examined as well.

--

Paul Pirosca

unread,
Apr 8, 2007, 1:43:51 PM4/8/07
to
On Apr 8, 3:42 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> From: "Paul Pirosca" <piro...@gmail.com>

>
> |
> | hi
> |
> | i've got the same problem and i removed the files withwindowssp2
> | boot cd into recovery mode, i still got the 2 files if any1 needs them
>
> Cool...
> Send them to me in a password protected ZIP file with the password being; infected
>
> Just remove ~nospam~ from; DLipman~nosp...@Verizon.Net

>
> I will make sure that they are distributed to all the anti malware companies and they will
> be
> thoroughly examined as well.
>
> --
> Davehttp://www.claymania.com/removal-trojan-adware.htmlhttp://www.ik-cs.com/got-a-virus.htm

cant send it yahoo says unknown email address and qmail is returning
the message

David H. Lipman

unread,
Apr 8, 2007, 1:59:07 PM4/8/07
to
From: "Paul Pirosca" <pir...@gmail.com>


|
| cant send it yahoo says unknown email address and qmail is returning
| the message

The email address is good, the view from Google is bastardised.

DLipman<at>Verizon.Net Replace <at> with; @

ashwin....@gmail.com

unread,
Apr 10, 2007, 6:49:24 PM4/10/07
to
On Apr 7, 2:41 am, thang <thang> wrote:

> On Fri, 06 Apr 2007 11:33:50 +0200, FredW <f...@ninmule.invalid>
> wrote:
>
>
>
>
>
> >After serious thinking thang wrote :
> >> On Thu, 05 Apr 2007 13:29:09 +0200, FredW <f...@ninmule.invalid>

> >>> thang used her/his keyboard to write :
> Fixed it. Nothing found it bar Kasperskly Online Scanner, it was the
> ONLY ONE!!! It only identified two of the files though, and didn't
> pick up the service in registry. Also, it treated the files as locked
> and didn't implement a boottime delete. I did that myself using
> GiPo@Utilities. It is now gone.The malware came from a torrent
> screensaver I DL'd, it is a particularly nasty infection - the exe
> installstwo files core.sys and core.cache.dsk in \system32\drivers\
> and registers itself as a service
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\core
> deleted the lot on boot and presto, free of this fucking infection.
>
> I must point out that the only suite to identify these files and the
> service was Kaspersky Online. Nothing else did, including my
> Zonealarm by which I normally swear. None of the forums were anywhere
> near the mark either, so much for the geeks and techo's who think they
> know it all. I found the solution in a piratebay comment forum on the
> particular torrent which has caused all of the problems. I will be
> very careful in the future.
>
> By the way, the simple expedient of setting the url to 127.0.0.1 in
> hosts stops it from promulgating, but it doesn't stop the popup.
>
> Hope this helps someone else, because no one here could help me, thats
> for sure, even though in a condescending way a few people thought they
> could help.
>
> thang- Hide quoted text -
>
> - Show quoted text -

Thang,

I seem to be having the exact same problem. I have tried the same
fix, but I am having trouble locating either one of the two files that
you mentioned. ie. core.sys and core.cache.dsk. Please provide
assistance if you can.

Message has been deleted
Message has been deleted

David H. Lipman

unread,
Apr 11, 2007, 4:54:08 PM4/11/07
to
From: <thang>


|
| I was. Not binary, now I see. I thought it was my reader.
|
| thang

A News Group you can use for attachments is; alt.binaries.comp.virus
Just reference what you posted in the text News Group and of course malware should be
password protected.

jason....@gmail.com

unread,
May 31, 2007, 5:31:44 PM5/31/07
to
On Apr 8, 1:42 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> From: "Paul Pirosca" <piro...@gmail.com>

>
> |
> | hi
> |
> | i've got the same problem and i removed the files with windows sp2
> | boot cd into recovery mode, i still got the 2 files if any1 needs them
>
> Cool...
> Send them to me in a password protected ZIP file with the password being; infected
>
> Just remove ~nospam~ from; DLipman~nosp...@Verizon.Net

>
> I will make sure that they are distributed to all the anti malware companies and they will
> be
> thoroughly examined as well.
>
> --
> Davehttp://www.claymania.com/removal-trojan-adware.htmlhttp://www.ik-cs.com/got-a-virus.htm

What a Nasty ! infection.

Been looking for a solution for ages. Thanks!!!

0 new messages