
Google Re-directs To Copy-book.


3 replies to this topic

#1 sonar

sonar

  • Members
  • 3 posts

Posted 12 July 2008 - 02:10 PM

Firstly, apologies for breach of forum etiquette by posting my problem on someone else's thread, I can only plead ignorance.

For the last 2 weeks at least, my Google links have been redirected, via copy-book.com, to places various. I've looked on various forums and tried several Spyware and Malware removal programs.

I've tried both the method recommended by Quietman 7 and also the alternative from fireman4it, both sadly without success. The first method found only cookies; the second, despite finding DNS changer Trojans, did not cure the problem.

One recent effort, using a functional trial version of Counterspy uncovered all sorts of nasties, Hijackers, Backdoors and another Trojan, but despite removing all of them, the problem remains.

My last attempt, using Spybot S&D, found Spyhunter, Right Media, Media Plex and Virtumonde. I removed all those and the problem continues.

As an aside, the F8 method for safe mode doesn't seem to work for me, neither holding down nor repeated presses (my PC doesn't beep on booting). I had to use the MS Config method but did note the warnings in other threads.

I'm running a copy of XP Pro and my Antivirus program is ESET Nod 32 which is supposed to stop most types of infiltrations. A full system scan using that found nothing!!

I'd appreciate any advice and will watch this thread... I'm just hoping it won't have to be a disk rebuild. I've tried a System Restore as far back as I can but still no luck.

Cheers

Sonar


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • Gender:Male
  • Location:NJ USA

Posted 12 July 2008 - 07:05 PM

You can try this tool if you haven't already and post back the results.
NOTE: For Operating System: Windows XP/2K (tool must be run in Safe Mode)

How to use SDFix

Let us know..
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 sonar

sonar
  • Topic Starter
  • Members
  • 3 posts

Posted 13 July 2008 - 12:42 PM

Thanks for the advice, boopme; I ran SD Fix as per the instructions but the problem persists. The log is as follows:

SDFix: Version 1.205
Run by Paul S on 13/07/2008 at 10:37

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-13 10:44:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Watchdog\Display]
"ShutdownCount"=dword:0000038d
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Epoch]
"Epoch"=dword:000077ba
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{0A082A17-0599-4DA2-B87D-E057E3540B75}]
"LeaseObtainedTime"=dword:4879cb87
"T1"=dword:4879cb87
"T2"=dword:4879cb87
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\{0A082A17-0599-4DA2-B87D-E057E3540B75}\Parameters\Tcpip]
"LeaseObtainedTime"=dword:4879cb87
"T1"=dword:4879cb87
"T2"=dword:4879cb87

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\PROGRAM FILES\\GhostSurf 2005\\Proxy.exe"="D:\\PROGRAM FILES\\GhostSurf 2005\\Proxy.exe:*:Enabled:GhostSurf proxy"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"D:\\PROGRAM FILES\\SpeedTouch\\Dr SpeedTouch\\drst.exe"="D:\\PROGRAM FILES\\SpeedTouch\\Dr SpeedTouch\\drst.exe:*:Disabled:Dr SpeedTouch"
"D:\\PROGRAM FILES\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\Win32\\RpcDataSrv.exe"="D:\\PROGRAM FILES\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\Win32\\RpcDataSrv.exe:*:Enabled:SiSoftware Database Agent Service"
"D:\\PROGRAM FILES\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\RpcSandraSrv.exe"="D:\\PROGRAM FILES\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

Files with Hidden Attributes :

Wed 5 Oct 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 21 Jul 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 1 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c79a760b77d34ccd877ca1bd959fe478\BIT12.tmp"

Finished!

For general information, although I ran SD Fix in Safe Mode as per the guide, when I booted back into normal mode it performed the "Final" checks following the line I've highlighted in red and then displayed the log in notepad.

I'll be grateful for any more ideas from members.

Many thanks.

Sonar.

Edited by sonar, 13 July 2008 - 12:43 PM.


#4 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 13 July 2008 - 02:22 PM

http://www.bleepingcomputer.com/forums/t/157351/zlobdnschanger/

there's a newer zlob dnschanger infection that gets your router, see if this applies to you
Chewy

No. Try not. Do... or do not. There is no try.
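A triage check a defender could script for the two hijack paths discussed in this thread (a tampered hosts file, which SDFix restored above, and DNS-changer style static resolver overrides), added here as an example that is not part of any post and not SDFix's own code: it flags hosts-file pins of Google hostnames to non-loopback addresses, and static `NameServer` values under the per-interface `Tcpip\Parameters\Interfaces\{GUID}` keys (the key family visible in the SDFix log) that bypass the DHCP-assigned resolver and lie outside the local subnet. The hosts text and registry values are constructed samples; the 192.0.2.x addresses are documentation-range placeholders, not real indicators.

```python
import ipaddress
import re

# Constructed sample hosts file with a redirect-style pin of Google hostnames;
# 192.0.2.x is the documentation address range, used here as a placeholder.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      www.google.com   # constructed tampered entry
192.0.2.10      google.com
"""

# Constructed stand-in for the per-interface values under
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}.
# DhcpNameServer is what the router handed out; a non-empty NameServer is a
# static override of it, which is where DNS-changer malware plants its servers.
SAMPLE_INTERFACE = {
    "DhcpIPAddress": "192.168.1.5",
    "DhcpSubnetMask": "255.255.255.0",
    "DhcpNameServer": "192.168.1.1",
    "NameServer": "192.0.2.53,192.0.2.54",
}

HOSTS_LINE = re.compile(r"^\s*([0-9a-fA-F.:]+)\s+(\S+)")


def hosts_redirects(hosts_text, watched=("google.com", "www.google.com")):
    """Return (name, ip) pairs where a watched hostname is pinned to a non-loopback address."""
    hits = []
    for raw in hosts_text.splitlines():
        m = HOSTS_LINE.match(raw.split("#", 1)[0])  # strip comments first
        if not m:
            continue
        ip, name = m.group(1), m.group(2).lower()
        try:
            if name in watched and not ipaddress.ip_address(ip).is_loopback:
                hits.append((name, ip))
        except ValueError:  # malformed address field; skip the line
            continue
    return hits


def foreign_static_dns(iface):
    """Return static NameServer entries that bypass DHCP and lie outside the local subnet."""
    static = [s for s in re.split(r"[ ,]+", iface.get("NameServer", "")) if s]
    if not static:
        return []
    lan = ipaddress.ip_network(f"{iface['DhcpIPAddress']}/{iface['DhcpSubnetMask']}", strict=False)
    dhcp = set(iface.get("DhcpNameServer", "").split())
    return [s for s in static if s not in dhcp and ipaddress.ip_address(s) not in lan]
```

If the router itself has been reconfigured (the Zlob DNSChanger variant DaChew points to), `DhcpNameServer` will already carry the rogue servers and this check will not flag them, so compare that value against the ISP's published resolvers as well.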



