
Thread: Re: url.cpvfeed.com popup redirector to revenueloop

  1. #1
    Gerald309 Guest

    Re: url.cpvfeed.com popup redirector to revenueloop


    ----------------->
    url.cpvfeed.com popup redirector to revenueloop....


    CA Spyware Info Center:
    http://www3.ca.com/securityadvisor/p...x?id=453107470

    cpvfeed.com
    Tracking Cookie : Any cookie that is shared among two or more web
    pages for the purpose of tracking a user's surfing history.

    That's incredible none of your security software picked this up. It is
    a simple tracking cookie. Lavasoft Ad-Aware would definitely pick this
    up and most likely any associated adware installation if it is
    understood you mean your browser is being redirected. If your browser
    is going to another website than expected and especially if you are
    not even clicking anything - then it is a "browser hijacker" or your
    symptom - "redirecter" - which is exactly what a browser hijacker
    does, re-directs your browser to a different website to either offer
    something for sale or to a malicious content website attempting to
    install malware such as a trojan or spyware and/or more adware (the
    least lethal).

    A browser hijacker will install an Active X item in the Windows
    Registry, They are called BHO (Browser Help Object). The legitimate
    ones are many by Microsoft and other known valid software you use. The
    browser hijacker installation is sort of a hackware or piece of a
    software in size - just a couple entries. Most of these are the
    toolbars in Internet Explorer - like known ones are Google Toolbar,
    Yahoo Toolbar, and so on. The bad ones many times are not even visible
    in the drop down menu. They can even be a transparent radio button
    install. They may be a very visible radio button if you have some full
    blown porno malware install and has buttons installed in the browser
    like "Show Me More 10-XXX". That takes a manual click rather than some
    automated re-direct.

    I would do two things. One, download - update - and run
    SuperAntispyware free home version which is a very good detector,
    perhaps a little better than Ad-Aware. There may be an associated
    trojan doing the redirect so two - also get yourself the free A-
    Squared Trojan Remover free home version as well. Register for the
    updates, update it and run it. You seem to have a well known threat
    present rather than some obscure or new unknown threat.

    BOOKMARKS:

    SUPERAntiSpyware [working-freeware, and premium version]
    http://www.superantispyare.com

    a-squared trojan remover (Free Working Version for life and Proactive
    Premium Version)
    http://www.emsisoft.com/en/software/free/
    a-squared (a-squared) is a complementary product to antivirus software
    and desktop firewalls on MS Windows computers. Antivirus software
    specializes in detecting classic viruses. Many available products have
    weaknesses in detecting other malicious software (Malware) like
    Trojans, Dialers, Worms and Spyware (Adware). a-squared fills the gap
    that malware writers exploit. Automatic updates: In a-squared Free the
    updater must be run manually. The auto-update feature of a-squared
    Personal checks hourly for new available updates and installs them
    automatically. a-squared Free is freeware! You can download and use it
    completely for free. You are also allowed to distribute it to third
    parties. To be able to use it, you only must set up a free a-squared
    Account, to get access to the update server. (Note you register by
    simple sign up to activate definitions downloads free).
    ==========>

    YOUR POST QUOTED..... -------------->

    ''QUOTE""
    thang: I don't know how I picked this up, but nothing I
    run will detect it, let alone get rid of the popup. It appears
    harmless but is a definite infection. HiJack this doesn't pick it up,
    nor Zone Alarm Security Suite 2007, nor Ad Aware, nor EMCO or Spyware
    Remover nor Pareto Logic. Any ideas on what it is, where it is, how it
    works, how to detect it or how to remove it? It pops up every time I
    open a browser (IE7). The first popup is "url.cpvfeed.com" and then
    this changes to "login.revenueloop.com" and then a few other popups
    come up such as "searchportal.information.com". It is really bugging
    me. Any help appreciated. thang

    Newsgroups: alt.privacy.spyware
    From: thang <thang>
    Date: Thu, 05 Apr 2007 05:26:45 +0800
    Local: Wed, Apr 4 2007 5:26 pm
    Subject: url.cpvfeed.com popup redirector to revenueloop
    Note: The author of this message requested that it not be archived.
    This message will be removed from Groups in 6 days (Apr 11, 5:26 pm).
    ""UNQUOTE""



  2. #2
    thang Guest

    Re: url.cpvfeed.com popup redirector to revenueloop

    On 4 Apr 2007 1817 -0700, "Gerald309" <gerald309@gmail.com> wrote:

    >
    >----------------->
    >url.cpvfeed.com popup redirector to revenueloop....
    >
    >
    >CA Spyware Info Center:
    >http://www3.ca.com/securityadvisor/p...x?id=453107470
    >
    >cpvfeed.com
    >Tracking Cookie : Any cookie that is shared among two or more web
    >pages for the purpose of tracking a user's surfing history.
    >
    >That's incredible none of your security software picked this up. It is
    >a simple tracking cookie. Lavasoft Ad-Aware would definitely pick this
    >up and most likely any associated adware installation if it is
    >understood you mean your browser is being redirected. If your browser
    >is going to another website than expected and especially if you are
    >not even clicking anything - then it is a "browser hijacker" or your
    >symptom - "redirecter" - which is exactly what a browser hijacker
    >does, re-directs your browser to a different website to either offer
    >something for sale or to a malicious content website attempting to
    >install malware such as a trojan or spyware and/or more adware (the
    >least lethal).
    >
    >A browser hijacker will install an Active X item in the Windows
    >Registry, They are called BHO (Browser Help Object). The legitimate
    >ones are many by Microsoft and other known valid software you use. The
    >browser hijacker installation is sort of a hackware or piece of a
    >software in size - just a couple entries. Most of these are the
    >toolbars in Internet Explorer - like known ones are Google Toolbar,
    >Yahoo Toolbar, and so on. The bad ones many times are not even visible
    >in the drop down menu. They can even be a transparent radio button
    >install. They may be a very visible radio button if you have some full
    >blown porno malware install and has buttons installed in the browser
    >like "Show Me More 10-XXX". That takes a manual click rather than some
    >automated re-direct.
    >
    >I would do two things. One, download - update - and run
    >SuperAntispyware free home version which is a very good detector,
    >perhaps a little better than Ad-Aware. There may be an associated
    >trojan doing the redirect so two - also get yourself the free A-
    >Squared Trojan Remover free home version as well. Register for the
    >updates, update it and run it. You seem to have a well known threat
    >present rather than some obscure or new unknown threat.
    >
    >BOOKMARKS:
    >
    >SUPERAntiSpyware [working-freeware, and premium version]
    >http://www.superantispyare.com
    >
    >a-squared trojan remover (Free Working Version for life and Proactive
    >Premium Version)
    >http://www.emsisoft.com/en/software/free/
    >a-squared (a-squared) is a complementary product to antivirus software
    >and desktop firewalls on MS Windows computers. Antivirus software
    >specializes in detecting classic viruses. Many available products have
    >weaknesses in detecting other malicious software (Malware) like
    >Trojans, Dialers, Worms and Spyware (Adware). a-squared fills the gap
    >that malware writers exploit. Automatic updates: In a-squared Free the
    >updater must be run manually. The auto-update feature of a-squared
    >Personal checks hourly for new available updates and installs them
    >automatically. a-squared Free is freeware! You can download and use it
    >completely for free. You are also allowed to distribute it to third
    >parties. To be able to use it, you only must set up a free a-squared
    >Account, to get access to the update server. (Note you register by
    >simple sign up to activate definitions downloads free).
    >==========>
    >
    >YOUR POST QUOTED..... -------------->
    >
    >''QUOTE""
    >thang: I don't know how I picked this up, but nothing I
    >run will detect it, let alone get rid of the popup. It appears
    >harmless but is a definite infection. HiJack this doesn't pick it up,
    >nor Zone Alarm Security Suite 2007, nor Ad Aware, nor EMCO or Spyware
    >Remover nor Pareto Logic. Any ideas on what it is, where it is, how it
    >works, how to detect it or how to remove it? It pops up every time I
    >open a browser (IE7). The first popup is "url.cpvfeed.com" and then
    >this changes to "login.revenueloop.com" and then a few other popups
    >come up such as "searchportal.information.com". It is really bugging
    >me. Any help appreciated. thang
    >
    >Newsgroups: alt.privacy.spyware
    >From: thang <thang>
    >Date: Thu, 05 Apr 2007 05:26:45 +0800
    >Local: Wed, Apr 4 2007 5:26 pm
    >Subject: url.cpvfeed.com popup redirector to revenueloop
    >Note: The author of this message requested that it not be archived.
    >This message will be removed from Groups in 6 days (Apr 11, 5:26 pm).
    >""UNQUOTE""
    >

    I appreciate your help mate. It can't be a tracking cookie because I
    run Steganos IE Cleaner which takes out all cookies in Docs folders,
    and everything else. Unless the cookie is stored somewhere else.
    HiJack this does not pick up any BHOs, so I don't think it is a BHO. I
    am at work now, I will dl the freeware you suggested when I get home
    and report on it. CA is right though, it is a March 2007 infection.
    It is something I have never come across before and I generally run a
    watertight rig.

    thang

  3. #3
    FredW Guest

    Re: url.cpvfeed.com popup redirector to revenueloop

    thang used her/his keyboard to write :
    > On 4 Apr 2007 1817 -0700, "Gerald309" <gerald309@gmail.com> wrote:
    >>
    >> SUPERAntiSpyware [working-freeware, and premium version]
    >> http://www.superantispyare.com
    >>
    >> a-squared trojan remover (Free Working Version for life and Proactive
    >> Premium Version)
    >> http://www.emsisoft.com/en/software/free/
    >> a-squared (a-squared) is a complementary product to antivirus software
    >> parties. To be able to use it, you only must set up a free a-squared
    >> Account, to get access to the update server. (Note you register by
    >> simple sign up to activate definitions downloads free).

    >
    > By the way, the first link to Antispyware.com is bad. Bewildering
    > array of spam, search engines and software companies all uninvited and
    > unsatisfying. The second one appears good, though - I'll try it in a
    > minute (30 day trial).


    Typo?
    http://www.superantispyware.com/download.html
    (SuperAntiSpyware Free Edition - version 3.6.1000)

    For the second one registration is not (no longer) required.
    (a-squared Free 2.1)
    http://www.emsisoft.com/en/software/download/

    ;-)

    --
    Fred Wening (NL)



  4. #4
    FredW Guest

    Re: url.cpvfeed.com popup redirector to revenueloop

    After serious thinking thang wrote :
    > On Thu, 05 Apr 2007 13:29:09 +0200, FredW <fredw@ninmule.invalid>
    >> thang used her/his keyboard to write :
    >>> On 4 Apr 2007 1817 -0700, "Gerald309" <gerald309@gmail.com> wrote:
    >>>>
    >>>> SUPERAntiSpyware [working-freeware, and premium version]
    >>>> http://www.superantispyare.com
    >>>>
    >>>> a-squared trojan remover (Free Working Version for life and Proactive
    >>>> Premium Version)
    >>>> http://www.emsisoft.com/en/software/free/
    >>>> a-squared (a-squared) is a complementary product to antivirus software
    >>>> parties. To be able to use it, you only must set up a free a-squared
    >>>> Account, to get access to the update server. (Note you register by
    >>>> simple sign up to activate definitions downloads free).
    >>>
    >>> By the way, the first link to Antispyware.com is bad. Bewildering
    >>> array of spam, search engines and software companies all uninvited and
    >>> unsatisfying. The second one appears good, though - I'll try it in a
    >>> minute (30 day trial).

    >>
    >> Typo?
    >> http://www.superantispyware.com/download.html
    >> (SuperAntiSpyware Free Edition - version 3.6.1000)
    >>
    >> For the second one registration is not (no longer) required.
    >> (a-squared Free 2.1)
    >> http://www.emsisoft.com/en/software/download/

    >
    > Sorry bud, I have run the a-squared 30 day trial fully enabled
    > anti-malware. It has not picked up the url.cpvfeed.com infection,
    > this is NOT coming from my temp, cookies or IE history caches, and the
    > a-squared has left a HUGE 4.2GB folder called a2archive in my temp
    > folder. What the hell is that? Thanks, but no thanks. I don't think
    > I will try the free one.


    Weekly I update and scan with
    - a-squared Free 2.1
    - AdAware 1.06r1 (Free)
    - Spybot Search & Destroy 1.4 (Free)
    - SuperAntiSpyware 3.6.1000 Free
    I never had the problems you describe (huge folder).

    Did you clean all temp files, etc. before scanning?
    Did you scan in Safe Mode?

    Did you scan with SuperAntiSpyware?

    Did you Google on "cpvfeed"?
    I just found some 38.000 hits, maybe you can find a solution there?

    --
    Fred Wening (NL)



  5. #5
    David H. Lipman Guest

    Re: url.cpvfeed.com popup redirector to revenueloop

    From: <thang>

    < snip >

    |
    | Fixed it. Nothing found it bar Kaspersky Online Scanner, it was the
    | ONLY ONE!!! It only identified two of the files though, and didn't
    | pick up the service in registry. Also, it treated the files as locked
    | and didn't implement a boottime delete. I did that myself using
    | GiPo@Utilities. It is now gone. The malware came from a torrent
    | screensaver I DL'd, it is a particularly nasty infection - the exe
    | installs two files core.sys and core.cache.dsk in \system32\drivers\
    | and registers itself as a service
    | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\core
    | deleted the lot on boot and presto, free of this ****ing infection.
    |
    | I must point out that the only suite to identify these files and the
    | service was Kaspersky Online. Nothing else did, including my
    | Zonealarm by which I normally swear. None of the forums were anywhere
    | near the mark either, so much for the geeks and techo's who think they
    | know it all. I found the solution in a piratebay comment forum on the
    | particular torrent which has caused all of the problems. I will be
    | very careful in the future.
    |
    | By the way, the simple expedient of setting the url to 127.0.0.1 in
    | hosts stops it from promulgating, but it doesn't stop the popup.
    |
    | Hope this helps someone else, because no one here could help me, that's
    | for sure, even though in a condescending way a few people thought they
    | could help.
    |
    | thang

    It would have helped others MORE if you didn't delete the files but submitted them to the various
    anti malware organizations so Kaspersky would not be the only one detecting this crap.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
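
A read-only triage check for the indicators reported in this thread (the `core` service key, the two files under `\system32\drivers\`, and hosts entries for the popup hosts), added here as an example and not posted by any participant. The function name `Test-CoreDriverIndicators` and its parameters are hypothetical; the indicator names are the ones given in the posts.

```powershell
# Added example (not from the thread). Read-only: nothing is deleted or changed.
# Indicator names come from the posts above; the function name is hypothetical.
function Test-CoreDriverIndicators {
    [CmdletBinding()]
    param(
        [string]$SystemRoot = $env:SystemRoot,
        [string]$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\core'
    )

    # 1. Service registration reported in the thread.
    if (Test-Path -LiteralPath $ServiceKey) {
        $svc = Get-ItemProperty -LiteralPath $ServiceKey
        [pscustomobject]@{
            Kind   = 'ServiceKey'
            Item   = $ServiceKey
            Detail = "ImagePath=$($svc.ImagePath) Type=$($svc.Type) Start=$($svc.Start)"
        }
    }

    # 2. The two files reported under \system32\drivers\.
    $driverDir = Join-Path $SystemRoot 'System32\drivers'
    foreach ($name in 'core.sys', 'core.cache.dsk') {
        $path = Join-Path $driverDir $name
        # -Force so hidden or system attributes do not hide the file.
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if (-not $file) { continue }
        # The thread reports the files as locked, so hashing may fail;
        # record that instead of stopping.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if (-not $hash) { $hash = 'unreadable (locked?)' }
        [pscustomobject]@{
            Kind   = 'DriverFile'
            Item   = $path
            Detail = "Size=$($file.Length) Created=$($file.CreationTimeUtc.ToString('u')) SHA256=$hash"
        }
    }

    # 3. hosts entries for the popup hosts named in the first post. Per the
    #    thread, a 127.0.0.1 entry blocks the fetch but not the popup itself.
    $hostsPath  = Join-Path $driverDir 'etc\hosts'
    $popupHosts = 'url.cpvfeed.com', 'login.revenueloop.com', 'searchportal.information.com'
    if (Test-Path -LiteralPath $hostsPath) {
        foreach ($line in Get-Content -LiteralPath $hostsPath) {
            # Drop comments, split on whitespace: first field is the address.
            $fields = @((($line -replace '#.*$', '').Trim()) -split '\s+' | Where-Object { $_ })
            foreach ($name in ($fields | Select-Object -Skip 1)) {
                if ($popupHosts -contains $name) {
                    [pscustomobject]@{ Kind = 'HostsEntry'; Item = $name; Detail = "mapped to $($fields[0])" }
                }
            }
        }
    }
}

Test-CoreDriverIndicators | Format-Table -AutoSize -Wrap
```

On 64-bit Windows, run this from a 64-bit PowerShell session, since a 32-bit process is redirected away from the real `System32` directory. An empty result means none of the thread's indicators were found at these paths.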



  6. #6
    kgeter67@gmail.com Guest

    Re: url.cpvfeed.com popup redirector to revenueloop

    Thanks thang! Deleting the 'core' files and reg key fixed my system
    too (I did it by booting into Safe Mode). Someone should let the
    folks on all those "Submit your HiJackThis log" groups know about this
    solution. You rock!


  7. #7
    David H. Lipman Guest

    Re: url.cpvfeed.com popup redirector to revenueloop

    From: <thang>

    < snip >

    |
    | Do you want me to post the whole exe? I still have it, you will need
    | to install, and then pick the two files out along with the reg entry.
    | No big deal. Tell me if you want it, I am sure someone will test and
    | send to the "various anti malware organisations".
    |
    | thang

    If you have it -- Great !

    Send it to me in a password protected ZIP file with the password being; infected

    Just remove ~nospam~ from; DLipman~nospam~@Verizon.Net

    I will make sure that it is distributed to all the anti malware companies and it *will* be
    thoroughly examined as well.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  8. #8
    David H. Lipman Guest

    Re: url.cpvfeed.com popup redirector to revenueloop - Galaxy.3D.Journey.Screensaver.1.4.Inc.Serial.rar (0/1)

    From: <thang>


    | Thanks David but I don't email people I don't know, just privacy and
    | all that - I use anonymous email accounts but use the same smtp server
    | which will link back to me ( I don't use remailers etc though). Here
    | is the file in any case. No one should execute this though, it is
    | pure poison. I do not know how these sites exist, here in Australia
    | they would be prosecuted.
    |
    | No one but Kaspersky ID'd it. And, this smart young downloader who
    | has identified it here
    |
    | http://thepiratebay.org/tor/3647979/....4_With_Serial
    |
    | regards
    |
    | thang

    I understand. You can do this instead. I make sure Julio gives this one attention. But
    you will have to post the final Virus Total report so I can have Julio give this submission
    that attention.

    Please submit a sample to Virus Total --
    http://www.virustotal.com/flash/index_en.html
    The submission will then be tested against many different AV vendor's scanners.
    That will give you an idea what it is and who recognizes it. In addition, unless told
    otherwise, Virus Total will provide the sample to all participating vendors.

    You can also submit a suspect, one at a time, via the following email URL...
    mailto:scan@virustotal.com?subject=SCAN

    When you get the report, please post back the exact results.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  9. #9
    David H. Lipman Guest

    Re: url.cpvfeed.com popup redirector to revenueloop - Galaxy.3D.Journey.Screensaver.1.4.Inc.Serial.rar (0/1) - Galaxy.3D.Journey.Screensaver.1.4.Inc.Serial.rar (0/1)

    From: <thang>


    |
    | Sorry, left off the attachment.
    |
    | thang

    I HOPE you aren't trying to attach the file here because this is a discussion only, text,
    News Group and attachments are not allowed.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  10. #10
    Paul Pirosca Guest

    Re: url.cpvfeed.com popup redirector to revenueloop - Galaxy.3D.Journey.Screensaver.1.4.Inc.Serial.rar (0/1) - Galaxy.3D.Journey.Screensaver.1.4.Inc.Serial.rar (0/1)

    On Apr 8, 2:04 am, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    wrote:
    > From: <thang>
    >
    > |
    > | Sorry, left off the attachment.
    > |
    > | thang
    >
    > I HOPE you aren't trying to attach the file here because this is a discussion only, text,
    > News Group and attachments are not allowed.
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm


    hi

    i've got the same problem and i removed the files with windows sp2
    boot cd into recovery mode, i still got the 2 files if any1 needs them

