How to Remove url.cpvfeed.com popups and core.sys Rootkit

Remove url.cpvfeed.com

Url.cpvfeed.com is part of the Zedo adware and is a browser hijacker. Url.cpvfeed.com pop ups are extremely difficult to remove manually and can cause computers to freeze.

Are you seeing this scenario: whenever you open a page in Firefox or Internet Explorer, you start to see pop ups beginning with url.cpvfeed.com or “Powered by Zedo” pop ups? Usually IE7 shows a “page cannot be displayed” error, but occasionally you are redirected to an unknown site. Do they take your search term when you try a Google search and display a popup ad for eBay or some other site? You are infected by the core.sys rootkit.

I usually consider myself pretty good at removing nasty spyware and rootkits, but this one definitely stumped me for a while. The JavaScript that was producing these popups was part of several ad networks, including zero dot com, aavalue dot com and, the biggest, url.cpvfeed.com.

With regard to Internet Explorer, I started off by trying to add url.cpvfeed.com to my list of blocked sites. Neither Google Toolbar nor Firefox was blocking these popups.

I started off with:

a. Downloaded Lavasoft AdAware SE Personal. It did its usual scan but did not detect anything that would stop the url.cpvfeed.com popups or remove the core.sys rootkit.

b. I then got Spybot and ran it in Safe Mode. Again, no detection; the result was a clean system.

c. I tried to run Avenger, but it would not run on Windows Vista :(

I used other tools including CWShredder, VundoFix and the other tools on my spyware disc, but nothing could remove this infection. I then moved to online scanners such as Panda ActiveScan and Kaspersky Online Scanner… nothing. After any removal through these tools, the spyware keeps coming back.


Finally, I got PC Tools Spyware Doctor, which is part of Google Pack. You might want to go ahead and download it now, as we will be using it for the rest of the disinfection process.

PC Tools Spyware Doctor found a rootkit (Rootkit.Win32.Agent.EQ) infecting a file called core.sys in the c:\windows\system32\drivers directory. I also found another file called core.cache.dsk. core.sys was running as a service and was starting automatically every time Windows started. There were multiple components to the core.sys rootkit.


core.sys, because of its generic name, did not immediately strike me as suspicious, and I actually thought it was a false positive early on during the spyware removal process.

How to remove core.sys Rootkit and the url.cpvfeed.com popups

1. Download PC Tools Spyware Doctor

PC Tools Spyware Doctor is part of Google Pack. Get PC Tools Spyware Doctor and

2. Disable System Restore on your computer

* On the Desktop, right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* Check Turn off System Restore.
* Click Apply, and then click OK.
* Restart the computer.

3. Boot into Safe Mode

a. After booting into Safe Mode, click on Start –> Search and type core.sys in the search box.

b. If core.sys is found, right click it and delete it. Also go to your C:\Windows\System32\drivers directory, look for core.sys and core.cache.dsk, and delete them if they exist. If they don’t exist, do not panic.

c. Now press <Windows key> + R and, in the Run dialog, type regedit.

d. Click on the plus sign (+) next to HKEY_LOCAL_MACHINE. Click on (+) next to SYSTEM. There you will see CurrentControlSet and usually CurrentControlSet1 and also CurrentControlSet2.

e. Under each one of the CurrentControlSets, click on (+) next to Services. You WILL see a folder called CORE in one of these CurrentControlSets. Right click on the folder and press Delete.


4. Run Spyware scan under Normal Mode

Reboot your computer in Normal Mode. Now go to PC Tools Spyware Doctor and run a complete system scan. You will find some infections, some advertising cookies and some tracking and tracing cookies. Remove them. Your computer is now free from the core.sys rootkit and the url.cpvfeed.com popups.
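The manual steps above (checking every control set for the CORE service key and deleting the two driver files) as one audit script. This is an added example, not part of the original post; the key and file names are the ones the post gives, and it assumes an elevated PowerShell prompt, with -Remove used only from Safe Mode as in step 3. It also lists other files in the drivers directory sharing core.cache.dsk’s timestamp, following Bob S.’s observation in the comments.

```powershell
# Added example (not from the original post): audit every control set for the
# CORE service and the driver files named above, and optionally remove them.
# Assumes an elevated PowerShell prompt; use -Remove only from Safe Mode (step 3).
[CmdletBinding()]
param([switch]$Remove)

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$fileNames = @('core.sys', 'core.cache.dsk')   # names quoted in the post
$hits = @()

# CurrentControlSet is only a link to one ControlSet00N; the rootkit's service
# key can sit under any of them, so walk every ControlSet* key directly.
foreach ($cs in (Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' })) {
    $key = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\CORE"
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        $hits += [pscustomobject]@{ Kind = 'RegistryKey'; Path = $key; Detail = "ImagePath=$($p.ImagePath) Start=$($p.Start)" }
    }
}

foreach ($name in $fileNames) {
    $f = Join-Path $driverDir $name
    if (Test-Path $f) {
        $fi = Get-Item $f -Force     # -Force: the files may be hidden
        $hits += [pscustomobject]@{ Kind = 'File'; Path = $f; Detail = "LastWrite=$($fi.LastWriteTime)" }
    }
}

# A commenter found a second, randomly named file dropped with the same timestamp
# as the cache file; list such siblings for inspection (they are not removed here).
$cache = Join-Path $driverDir 'core.cache.dsk'
if (Test-Path $cache) {
    $stamp = (Get-Item $cache -Force).LastWriteTime
    Get-ChildItem $driverDir -File -Force |
        Where-Object { $_.LastWriteTime -eq $stamp -and $_.Name -ne 'core.cache.dsk' } |
        ForEach-Object { Write-Warning "Same timestamp as core.cache.dsk, inspect: $($_.FullName)" }
}

if (-not $hits) { Write-Output 'No CORE service key or core.sys / core.cache.dsk found.'; return }
$hits | Format-Table -AutoSize

if ($Remove) {
    foreach ($h in $hits) { Remove-Item -Path $h.Path -Recurse -Force }
    Write-Output 'Removed the items above; reboot into Normal Mode and run a full scan (step 4).'
}
```

Run it once without -Remove first to see what is present; a CORE key whose ImagePath points at a driver that no longer exists still needs deleting, because the post notes the service recreates its files on boot.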


33 Comments »

  1. Anand & Manan said,

    June 6, 2007 @ 12:59 pm

    Dude,
    1) Poison your HOSTS file and point the URLs that show up in popups to 127.0.0.1

    2) Use Firebug to debug the javascripts that popup in Firefox. You will get breakpoints and shit to figure out what the hell is wrong.

    3) Tell all potential users to switch to Opera in case they have/want to surf “p*orn” :)

  2. Jeff said,

    July 6, 2007 @ 10:00 am

    Oh great! Finally the perfect solution outlined perfectly. I have been looking at many forums and all of them twist and turn you without telling you how to solve it. Thanks dude. Works perfectly. Removed those nasty popups.

  3. Remove url.cpvfeed.com | AskStudent said,

    July 6, 2007 @ 10:09 am

    [...] on the link to remove url.cpvfeed.com browser hijacker and also remove core.sys [...]

  4. lola said,

    July 14, 2007 @ 7:22 pm

    After doing all this…..I won’t lose any “programs” will I? I’m new at this computer thing, that is the reason I ask.

  5. Ajit Gaddam said,

    July 16, 2007 @ 5:23 am

    No lola you would not lose any “programs”. The files you are deleting were added on through the rootkit. So go ahead and finish up the clean up process on your computer

  6. DanZee said,

    July 18, 2007 @ 1:09 pm

    Your instructions got rid of the core.sys bug in my system where McAfee, Spybot, etc. could not.

  7. DaveL said,

    July 23, 2007 @ 9:43 am

    Excellent clear instructions and an effective fix at last. Thanks very much, this has been driving me crazy !!:)

  8. Ajit Gaddam said,

    July 30, 2007 @ 4:31 am

    Animesh, I believe a lot of people who were infected with this rootkit in the first place got it because they downloaded something from a source that should not be trusted. I am not sure about ComboFix… I haven’t researched it yet..

    While a one stop solution might work in most cases, a solution that goes in depth in cleaning out the problem would work better when we are dealing with nasty computer viruses or spyware. Cleaning out a problem straight from the registry represents the best possible solution

  9. Raja said,

    August 4, 2007 @ 3:16 pm

    Yo, thx for the solution man… Even though I never found core.sys or .cache etc, I def found the damn Reg Entry n after taking it out in safe mode n scanning with the Spyware Doctor, it all seems A+ Ok! Well, the only thing I was going to suggest was, to, A) either put a direct link to the Spyware Dr setup file and give some info on how to get it free, or B) Post the file here ;)
    I didn’t think having to download that whole Google Package was the best bet. Anyways, thx a LOT for your help! :)

  10. Bob Cofod said,

    August 13, 2007 @ 9:45 pm

    Man, your description for killing cpvfeed was right on the mark! Been plagued with the darn thing for a couple of months and tried everything I could find from Hijack to XSoftSpy – NOTHING! Even had about a dozen go rounds with XSoftSpy experts – as they advertise that the product kills cpvfeed. One of their “fixes” destroyed svchost.exe and was less fun than cpvfeed. Finally I hit your solution which worked like clockwork.
    Can’t thank you enough for writing such a clear and concise description of the process. I bought Spyware Dr, and hope you’re getting a big kickback there. Thanks again for being smart and knowing how to write effective procedures.

  11. MESavage said,

    August 16, 2007 @ 12:35 am

    Thank you for the great suggestions and identifying the problem files. For some reason I could not start in safe mode (hang at agp440.sys) and so could not delete the files OR remove CORE from the registry. SO…

    My solution was to use KillBox and set the two files to be removed on the next boot:

    killbox removed:
    c:\windows\system32\drivers\core.sys
    and c:\windows\system32\drivers\core.cache.dsk

    After that I was able to remove the CORE sections from the registry.

    Running well for the last half hour -so good so far….

  12. Saint Amy Jane said,

    August 16, 2007 @ 9:51 am

    i went through a bunch of crap to get rid of mine…. two 8 hour days… blah… now I have to do it for a friend and this way is so much easier x;)

  13. William McKinlay said,

    August 17, 2007 @ 2:31 pm

    great system… except I removed core.sys AND core.cache and I am still getting ‘zedo’ pop-ups (I ran a search on core.sys and it has not reappeared)

    PLUS I am still getting the windowsantivirus2007 pop-ups!

    Any OTHER ideas out there!?

  14. Andrej said,

    August 19, 2007 @ 7:37 am

    Great solution but didn’t quite work for me as I run an (old, I know) Windows 2k Professional which I don’t wanna re-install on this old machine which I still have to use though (at least once in a while).

    My problems:
    1. Google Pack won’t work on Windows 2000.
    2. After working around this problem with other anti-spyware tools I found out that I won’t be allowed to start in Safe Mode. Every time I try, the system just freezes. So the malware has somehow managed to only allow a normal starting routine which of course will execute the rootkit.
    3. Killbox couldn’t kill it, even in reboot.

    Any ideas, anybody?

  15. Frostbitten said,

    August 19, 2007 @ 7:31 pm

    Ajit

    Thirty hours with seven commercial spyware killers….then I found your post. 15 minutes later, it’s alive. You are a techweenie of the first order, and I bow before you!

  16. rudolf said,

    November 4, 2007 @ 5:07 am

    Just done this thing, but funny was that I could not find the CORE folder in regedit anymore after running Spyware Doctor for the second time, plus
    disabled System Restore,
    and worst thing is that something is still interfering in the background on IE.
    Please advise what still could be wrong, thanks

  17. ann said,

    November 9, 2007 @ 8:59 am

    On my computer there are 17 blocked pop ups. The question is, how can I unblock to zero?

  18. vista windows explorer hang said,

    December 25, 2007 @ 6:28 pm

    vista windows explorer hang…

    Nice points……

  19. Fred said,

    January 12, 2008 @ 4:59 pm

    I could not locate core.sys, but I did find core.cache.dsk. I ran spybot and ad aware, yet they could not locate the registry entries or the files that would reproduce them after a reboot. You mentioned spy doctor, so I tried to get it BUT IT WILL NOT LET ME CLEAN IT UNLESS I BUY THE PRODUCT. I thought I would try google pack, but GOOGLE will not GIVE ME their pack because I AM ON 2000. SO, I had to DUMP 30 BUCKS to try to remove this infection, and should it fail, Spyware DR better refund my money

  20. Lynne said,

    January 13, 2008 @ 4:31 pm

    Well, it didn’t work for me. I only had the core.cache.dsk file, and after 2 days of trying to rid my PC of this, I finally said f’it. I am just so pissed off that some jack ass had to put this out there!!! It’s just ridiculous and should be a crime punishable BY LAW.

  21. Brandon said,

    January 17, 2008 @ 4:28 pm

    It worked for me! THANKS!

  22. matt said,

    January 17, 2008 @ 4:55 pm

    Has anyone figured this out yet? Especially those who have core.cache.dsk. I cannot get rid of this thing. I really don’t want to wipe the whole drive.

  23. jason said,

    January 18, 2008 @ 9:16 pm

    I can’t find core.sys.dsk nor core.sys in Safe Mode, but when I log in to Windows (Vista) in Normal Mode, it’s there again!! Tried Spyware Doctor, it detects it and cleans it, but it is still there!!! Tried KillBox, both kill now and remove on reboot, still didn’t work!! Please help, anybody!!!!!

  24. Chris Zimmerman said,

    January 18, 2008 @ 10:12 pm

    I had the same core.cache.dsk problem on several customer systems over the past couple of weeks. However, the core.sys file and service were NOT present. I made several attempts at this and the other fixes (basically fixes from other forums); none helped at all.

    Finally, I decided to simply reinstall the OS, but not before going medieval on the darn thing. I decided to copy the IExplorer main files (Program Files\Internet Explorer) from another system. This generated an ierutitl.dll not found error. Looking that up, it is basically an identifier for the browser version, and this and that led to the conclusion that even though the OS was reporting that IE6 was installed, in fact IE7 was. Go figure… next step, uninstall IE7. Add/Remove had it listed, but no tab to uninstall. Bit more googling and found the uninstaller is located in windows\ie7. Naturally that folder didn’t exist. Copied it from another system, it worked! No more IE7… but still had the pop-ups. Until I reinstalled IE7. In a nutshell… uninstall IE7 with the uninstaller from another system if needed, delete the core.cache.dsk (from ERD Commander or a PE disk), reinstall IE7.

    Hope this helps

  25. Bob S. said,

    January 24, 2008 @ 4:58 am

    This little bugger is still around. The CORE.SYS file may be resident elsewhere. In my case, it was in the root directory. There was also another “randomly-named” file in \windows\system32\devices that “happened” to have the same timestamp as the CORE.CACHE.SYS file in the same directory. I booted into “safe/command prompt” and deleted both, and then CORE.CACHE.SYS no longer “returned from the dead”. Finally, I did “cleanups” with various tools, and all is well. Go figure, eh?

  26. Sean said,

    January 24, 2008 @ 8:55 pm

    I cannot find this “CORE” folder in my registry. I was able to locate and delete the core.cache.dsk file through Safe Mode but just doing this does not solve the problem. Please help!

    Thanks

  27. Robert said,

    February 9, 2008 @ 5:30 pm

    Hi. I can’t delete this stupid kind of virus. I have tried about 10 times and I still have core.cache.dsk…. Please can someone explain what I have done wrong. I have tried your deleting thing but I can just delete it in Safe Mode and then it’s back again when I restart… Sorry about my English //Robert

  28. Jerry said,

    April 21, 2008 @ 12:35 am

    I have tried the solutions posted on this site, but it doesn’t help. I have tried other methods as well. Nothing I do stops core.cache.dsk from coming back after I reboot. Has anyone found something that can help?

    Thanks

  29. IJAZ AHMAD TANOLI said,

    August 18, 2010 @ 3:25 pm

    please remove the url blocked

  30. treating toenail fungus said,

    May 5, 2013 @ 5:46 pm

    I have read so many content on the topic of the blogger
    lovers however this piece of writing is in fact a nice piece
    of writing, keep it up.

  31. hotel pest management companies said,

    July 17, 2013 @ 12:39 pm

    Hi there! I just would like to offer you a huge thumbs up for your excellent info you have right here on this post.
    I am coming back to your website for more soon.

  32. Dominick said,

    August 1, 2013 @ 8:56 am

    If some one wishes expert view concerning running a blog after that i advise
    him/her to go to see this weblog, Keep up the nice job.

  33. Terminix said,

    October 10, 2013 @ 8:53 am

    Hi to all, as I am genuinely keen of reading this website’s post to be updated on a regular
    basis. It includes nice data.
