Url.cpvfeed.com is part of the Zedo adware and is a browser hijacker. Url.cpvfeed.com pop ups are extremely difficult to remove manually and can cause computers to freeze.
Do you see pop ups beginning with url.cpvfeed.com, or "Powered by Zedo" pop ups, whenever you start Firefox or Internet Explorer? Usually IE7 would show a “page cannot be displayed” error, but occasionally you are directed to an unknown site. When you try a Google search, is your search term taken and a popup ad for eBay or some other site displayed? If so, you are infected by the core.sys rootkit.
With regard to Internet Explorer, I started off by trying to add url.cpvfeed.com to my list of blocked sites. Google Toolbar and Firefox were not blocking these popups.
I started off with:
a. Downloaded Lavasoft AdAware SE personal. It did its usual scan but did not detect anything that would stop the url.cpvfeed.com popups or remove the core.sys rootkit.
b. I then got Spybot and ran it in safe mode. Again, no detection and the result was a clean system.
c. I tried to run Avenger, but it would not run on Windows Vista.
I used other tools including CWShredder, VundoFix and other tools on my spyware disc, but nothing could remove this infection. I then moved to online scanners such as Panda ActiveScan and also Kaspersky Online Scanner… nothing. After any removal by these tools, the spyware keeps coming back.
Finally, I got PC Tools Spyware Doctor, which is part of Google Pack. You can also including the PC Tools Spyware Doctor. You might want to go ahead and download this as we will be using this for the rest of our disinfection process.
PC Tools Spyware Doctor found a rootkit (Rootkit.Win32.Agent.EQ) infecting a file called core.sys in the c:\windows\system32\drivers directory. I also found other files called core.cache.dsk. core.sys was running as a service and was starting automatically every time Windows started. There were multiple components to the core.sys rootkit.
Because of its generic name, core.sys did not immediately strike me as suspicious, and I actually thought it was a false positive early on during the spyware removal process.
How to remove core.sys Rootkit and the url.cpvfeed.com popups
1. Download PC Tools Spyware Doctor
PC Tools Spyware Doctor is part of Google Pack. Get PC Tools Spyware Doctor and
2. Disable System Restore on your computer
* On the Desktop, right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* Check Turn off System Restore.
* Click Apply, and then click OK.
* Restart the computer.
How to Remove Core.sys
3. Boot into Safe Mode
a. After booting into Safe Mode, click on Start –> Search and then type core.sys in the search box.
b. If core.sys is found, right-click it and delete it. Also go to your C:\Windows\System32\drivers directory, search for core.sys and core.cache.dsk, and delete them if they exist. If they don’t, do not panic.
c. Now, press <Windows key> + R and type regedit in the Run box.
d. Click the plus sign (+) next to HKEY_LOCAL_MACHINE. Click on (+) next to SYSTEM. There you will see CurrentControlSet and usually CurrentControlSet1 and also CurrentControlSet2.
e. Under each one of the CurrentControlSets, click on (+) next to Services. You WILL see the folder called CORE in one of these CurrentControlSets. Right-click on the folder and press Delete.
4. Run Spyware scan under Normal Mode
Reboot your computer in Normal Mode. Now, go to PC Tools Spyware Doctor and run a complete system scan. You will find some infections, some advert cookies, and tracking and tracing cookies. Remove them. Your computer is now free from the core.sys rootkit and url.cpvfeed.com popups.
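To look for the artifacts named in step 3 before deleting anything, or to confirm afterwards that they are gone, the following read-only PowerShell check can be used. It is an added example, not part of the original write-up. It assumes PowerShell 3.0 or later and that the numbered control sets appear in the registry as ControlSet001, ControlSet002, and so on; the key name core and the two file names are taken from the steps above.

```powershell
# Added example: read-only check for the core.sys artifacts described in step 3.
# Nothing is deleted or modified; review the output and remove items by hand.

$serviceName = 'core'                          # service key name from step 3e
$fileNames   = 'core.sys', 'core.cache.dsk'    # file names from step 3b
$driversDir  = Join-Path $env:SystemRoot 'System32\drivers'
$findings    = New-Object 'System.Collections.Generic.List[object]'

# Enumerate every control set under HKLM\SYSTEM: CurrentControlSet plus the
# numbered copies (assumed to be named ControlSet001, ControlSet002, ...).
$controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^(CurrentControlSet|ControlSet\d+)$' }

foreach ($set in $controlSets) {
    $keyPath = "HKLM:\SYSTEM\$($set.PSChildName)\Services\$serviceName"
    if (Test-Path -LiteralPath $keyPath) {
        $props = Get-ItemProperty -LiteralPath $keyPath
        # ImagePath is the file the service loads. Start values 0, 1 and 2 mean
        # the service is loaded automatically (boot, system, auto start).
        $findings.Add([pscustomobject]@{
            Kind   = 'ServiceKey'
            Path   = $keyPath
            Detail = "ImagePath=$($props.ImagePath); Start=$($props.Start)"
        })
    }
}

foreach ($name in $fileNames) {
    # -Force includes hidden and system files. An active rootkit can still hide
    # its files, so an empty result in Normal Mode is not proof of absence.
    $path = Join-Path $driversDir $name
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings.Add([pscustomobject]@{
            Kind   = 'File'
            Path   = $item.FullName
            Detail = "Size=$($item.Length); Modified=$($item.LastWriteTime.ToString('s'))"
        })
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No core service key, core.sys or core.cache.dsk found in the checked locations.'
}
```

A service key named core whose ImagePath does not point at core.sys in the drivers directory may belong to unrelated software, so check the ImagePath value before deleting the key.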