Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Searching In Google Redirects Me Through Copy-book.com! Arghhhh


  • Please log in to reply
14 replies to this topic

#1 stupatrick

stupatrick

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:10:53 AM

Posted 10 July 2008 - 02:25 PM

I'm running XP on my PC & just recently I reckon I've got infected with an annoying virus which is playing around with the search results in google. Lets say I search on 'bbc news'. Google returns its usual list of results with their urls.
Clicking any link doesn't take me to the link it says it's at. Instead it redirects me to a completely unrelated site. In my browser's tab I can see it going via 'copy-book.com' before it ends up at the obscure site.
If I go back to the search results from there & try again, it often works OK for a bit, then goes redirecting again!
I've got anti-spy, avg (free), exterminate it & spyware doctor. They all say I'm clean apart from Estalive appearing with annoying regularity in anti-spy's results.
Having managed to search for similar probs in other forums etc, I reckon I may need some form of 'DNS-Changer remover'.
Is there anything I can do to sort this?
Hope someone can help.
Thanks,
Stupatrick.

BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:53 AM

Posted 10 July 2008 - 05:09 PM

have u tried using Malwareantimalware removal tool?


If not look in the post for that tool and run as directed.



http://www.bleepingcomputer.com/forums/t/156914/trojanwimad-infection/

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,613 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:53 AM

Posted 10 July 2008 - 06:35 PM

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 stupatrick

stupatrick
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:10:53 AM

Posted 12 July 2008 - 11:03 AM

Thanks quietman7.

Followed the instructions, but still get redirected via 'copy-book.com'.
Any other ideas?

I see fireman4it recommends Malwareantimalware. Is this any good or is SUPERantispyware supposed to be better, even though it didn't locate any DNS Changer viruses?

Is there anything out there which can specifically hunt down these viruses & wipe em out?

If I revert my PC back to a version say, a week ago, would this be any good or would the problem still be there?

I'm no PC expert as you can see!
Stupatrick.

#5 sonar

sonar

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:53 AM

Posted 12 July 2008 - 11:25 AM

Hi there, hope I'm not butting in?? I've been having the same problem as stupatrick for around 2 weeks now. I've looked on various forums and tried several Spyware and Malware removal programs.

I've tried both the method recommended by Quietman 7 and also the alternative from fireman4it, both sadly without success. The first method found only cookies; the second, despite finding DNS changer Trojans, did not cure the problem.

My latest effort, using a functional trial version of Counterspy uncovered all sorts of nasties, Hijackers, Backdoors and another Trojan, but despite removing all of them, the problem remains.

I'm running a copy of XP Pro and my Antivirus program is ESET Nod 32 which is supposed to stop most types of infiltrations. A full system scan using that found nothing!!

I'd appreciate any advice and will watch this thread.................I'm just hoping it won't have to be a disk rebuild. I've tried a System Restore as far back as I can but still no luck.

Cheers

Sonar

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,613 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:53 AM

Posted 12 July 2008 - 01:50 PM

Welcome to BC sonar

If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members in the same thread with different problems. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

stupatrick

Please download HostsXpert - Hosts File Manager
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- If the Hosts file does not exist, you will be prompted to create a new one. Just press "Ok".
-- If you were using a custom Hosts file you will need to replace any of those entries yourself.


Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix". This program is for Windows 2000/XP ONLY.
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to renable you anti-virus and and other security programs before connecting to the Internet.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 stupatrick

stupatrick
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:10:53 AM

Posted 12 July 2008 - 03:05 PM

OK, I'm up for that.
I've run the HostsXpert as you described. Nothing obvious happened - should it have?
I'm guessing out of all the fixes listed on the SDFix, it's the one headed up 'Need to restore your registry after running SDFix'?
stupatrick

#8 stupatrick

stupatrick
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:10:53 AM

Posted 12 July 2008 - 05:30 PM

Thanks quietman7,
Done all that & the problem persists.
Here's the contents of the report.txt file from SDFix:

*******************************************

SDFix: Version 1.204
Run by Stuart on 12/07/2008 at 21:35

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 22:25:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1165185944\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1165185944\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1165185944\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1165185944\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :



Files with Hidden Attributes :

Tue 15 Apr 2008 6,104,632 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 4 Dec 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 4 Dec 2006 782 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"
Mon 4 Dec 2006 782 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv19.bak"
Sat 18 Nov 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.key.bak"
Wed 13 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT1.tmp"
Mon 4 Dec 2006 4,348 ...H. --- "C:\Documents and Settings\Stuart\My Documents\My Music\License Backup\drmv1key.bak"
Mon 4 Dec 2006 782 A..H. --- "C:\Documents and Settings\Stuart\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 4 Dec 2006 400 ...H. --- "C:\Documents and Settings\Stuart\My Documents\My Music\License Backup\drmv2key.bak"
Mon 4 Dec 2006 1,536 A..H. --- "C:\Documents and Settings\Stuart\My Documents\My Music\License Backup\drmv2lic.bak"

Finished!

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,613 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:53 AM

Posted 13 July 2008 - 06:55 AM

There are no shortcuts or guarantees when it comes to malware removal. Sometimes it takes several efforts with different or the same tools to do the job. Even then, with some types of malware infections, the task can be arduous.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log" and complete all the steps. There are instructions for downloading and running Deckard's System Scanner (DSS) which will create a hijackthis log for you, or automatically download and install the most current version of HijackThis if it's not already installed on your computer.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#10 Maximillian

Maximillian

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:53 AM

Posted 17 July 2008 - 01:17 PM

Hi All

New to this forum, but I think I might be able to help.

Check your network settings and see if you have the correct DNS server set. It sounds like you may be running and odd DNS server IP in which case it is possible for someone to redirect your internet requests. You may also have noticed a decrease in your browsing speed.

If in doubt about the correct DNS addy, then simply leave them blank and your ISP (or router) should assign the correct ones.

Good Luck,
Max

#11 CARRUTHERS

CARRUTHERS

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:53 AM

Posted 18 July 2008 - 10:47 AM

Hi,

Thanks for that tip Max, I've finally got this fixed after a week of sheer misery at the hands of this "copy-book" nuisance !!

I tried every Antispyware going (Adaware, SuperAntiSpyware, Spybot, etc etc etc) to no avail, and about ten thousand other options, including following many other forum suggestions, before trying what you suggested ...

I'm not saying it will work for everybody, and obviously everybody's computer setup will be different, but I hope the principle for getting rid of this pain in the a*** will be the same ...

For me, it went like this . . .
Open "Network Connections" in the Control Panel
Right-click your particular Internet connection (in my case Tiscali Broadband)
Select "Properties"
Select the "Networking" tab, then select "Properties" again

For me (and hopefully others too), this brings up the DNS Server details, NOW ... this is where my problem was.

The "Use the following DNS server addresses" box was checked, and there were two addresses filled in, a preferred one and an alternate one.

All I had to do was uncheck that box and check the "Obtain DNS server addresses automatically" box, and after restarting my browser the problem was fixed !!!

I hope this doesn't seem like I am over-simplifying the problem, but after the nightmare I have had trying all the usual routes (Hijack This, every Antispyware product you can think of, I even uninstalled my AVG Antivirus and tried a couple of others one by one as a last resort), I just had to let somebody know that this MAY be the answer.

Thanks to Max for the suggestion and anbody else for their patience in reading this ... I just hope it helps somebody.

#12 stupatrick

stupatrick
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:10:53 AM

Posted 18 July 2008 - 02:03 PM

Yes! That's done it!
Many thanks Curruthers (& Maximillian) - worked a treat.
So simple too.
stupatrick.

#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,613 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:53 AM

Posted 18 July 2008 - 04:11 PM

Ok folks I'm glad to hear that this has resolved the problem. However, it's not a safe practice to be following specific instructions provided to someone else. Although your problem may be similar, the solution could be different based on the kind of hardware, software, system requirements, etc. and the presence of other malware. Using someone else's fix instructions could lead to disastrous problems with your operating system.

For instance, when making this type of change you need to use CAUTION: It is possible that an Internet Service Provider requires specific settings here. So you need to make sure you know if you need specific DNS settings or not before you make these changes or you may lose your Internet connection.

stupatrick, if there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#14 stupatrick

stupatrick
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:10:53 AM

Posted 19 July 2008 - 11:56 AM

Thanks quietman7.
I've done what you suggested :thumbsup:
stupatrick

#15 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,613 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:53 AM

Posted 19 July 2008 - 05:50 PM

You're welcome.

Tips to protect yourself against malware and reduce the potential for re-infection, be sure to read:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Best Practices - Internet Safety for 2008".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings" - "How to Secure Your Web Browser".

• Avoid online gaming sites and peer-to-peer (P2P) or file sharing programs as they are a security risk which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans target and spread across P2P files sharing networks and gaming sites. In some instances the infection may cause so much damage to your system that recovery is not possible and the only option is to wipe your drive, reformat and reinstall the OS. The best way to reduce the risk of infection is to avoid gaming sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users