Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected with TDSS & google keeps redirecting

  • This topic is locked This topic is locked
2 replies to this topic

#1 Alcyr Lima

Alcyr Lima

  • Members
  • 1 posts
  • Local time:05:08 PM

Posted 21 November 2011 - 02:09 PM

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by ATL at 16:30:25 on 2011-11-21
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.2010.1188 [GMT -2:00]
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
svchost.exe 4
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe
C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
C:\Arquivos de programas\BabylonToolbar\BabylonToolbar\\BabylonToolbarsrv.exe
C:\Documents and Settings\ATL\Bluebirds\BlueBirds.exe
C:\Arquivos de programas\Shutterfly\Studio\BIN\SFlyStudio.exe
C:\Arquivos de programas\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Arquivos de programas\HOTALBUMMyBOX\MediaChecker.exe
svchost.exe 4
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avshadow.exe
C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe
C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jucheck.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2481031
uSearch Page =
uSearch Bar =
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
uURLSearchHooks: CUOLSearchHook Object: {1fe8243e-0a3a-41b9-b9ce-effee51974d3} - c:\arquivos de programas\arquivos comuns\uol\urlsearch\UOLSearchHook.dll
uURLSearchHooks: Ashampoo BR Toolbar: {e7cb019e-bf3b-4c48-9673-48c323b18e31} - c:\arquivos de programas\ashampoo_br\prxtbAsh0.dll
mURLSearchHooks: CUOLSearchHook Object: {1fe8243e-0a3a-41b9-b9ce-effee51974d3} - c:\arquivos de programas\arquivos comuns\uol\urlsearch\UOLSearchHook.dll
BHO: Facilitador de Leitor de Link Adobe PDF: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\arquivos de programas\arquivos comuns\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ssh2 Class: {2e3c3651-b19c-4dd9-a979-901ec3e930af} - c:\arquivos de programas\scpad\scpsssh2.dll
BHO: CescrtHlpr Object: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\arquivos de programas\babylontoolbar\babylontoolbar\\bh\BabylonToolbar.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Auxiliar de Conexão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\arquivos de programas\arquivos comuns\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\arquivos de programas\epson software\easy photo print\EPTBL.dll
BHO: Babylon IE plugin: {9cfaccb6-2f3f-4177-94ea-0d2b72d384c1} - c:\arquivos de programas\babylon\babylon-pro\utils\BabylonIEPI.dll
BHO: DealPly: {a6174f27-1fff-e1d6-a93f-ba48ad5dd448} - c:\arquivos de programas\dealply\DealPlyIE.dll
BHO: GbIehObj Class: {c41a1c0e-ea6c-11d4-b1b8-444553540007} - c:\arquiv~1\gbplugin\gbiehAbn.dll
BHO: TBSB07405 Class: {d554776b-0aa2-4a4a-9af0-7a5caa0c008c} - c:\arquivos de programas\globalenglish\gpt\gept.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\arquivos de programas\java\jre6\bin\jp2ssv.dll
BHO: Ashampoo BR Toolbar: {e7cb019e-bf3b-4c48-9673-48c323b18e31} - c:\arquivos de programas\ashampoo_br\prxtbAsh0.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\arquivos de programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\arquivos de programas\epson software\easy photo print\EPTBL.dll
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - c:\arquivos de programas\babylontoolbar\babylontoolbar\\BabylonToolbarTlbr.dll
TB: Global English Productivity Toolbar: {d2ec0085-c9b2-4860-bc38-8a5fb2da836c} - c:\arquivos de programas\globalenglish\gpt\gept.dll
TB: Ashampoo BR Toolbar: {e7cb019e-bf3b-4c48-9673-48c323b18e31} - c:\arquivos de programas\ashampoo_br\prxtbAsh0.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {5BBFC00A-312C-4777-A5DF-DDA65C67120C} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {E6B34E36-FC46-4216-BC18-6D31790DB0BF} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [bluebirds] c:\documents and settings\atl\bluebirds\BlueBirds.exe
uRun: [ShutterflyStudio] c:\arquivos de programas\shutterfly\studio\bin\SFlyStudio.exe /trayonly
uRun: [MP4 Player] "c:\arquivos de programas\mp4 player\mp4Player.exe" hmw
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avgnt] "c:\arquivos de programas\avira\antivir desktop\avgnt.exe" /min
mRun: [NeroFilterCheck] c:\arquivos de programas\arquivos comuns\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\arquivos de programas\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [MBBalloon] c:\arquivos de programas\hotalbummybox\MBBalloon.exe
mRun: [Adobe Reader Speed Launcher] "c:\arquivos de programas\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\arquivos de programas\arquivos comuns\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\arquivos de programas\arquivos comuns\java\java update\jusched.exe"
mRun: [BabylonToolbar] "c:\arquivos de programas\babylontoolbar\babylontoolbar\\BabylonToolbarsrv.exe" /md I
mRun: [Babylon Client] c:\arquivos de programas\babylon\babylon-pro\Babylon.exe -AutoStart
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10k_ActiveX.exe -update activex
dRunOnce: [DeleteEngineAfterUpdate] reg DELETE HKCU\Software\ConduitEngine /f
StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\inicia~1\mcafee~1.lnk - c:\arquivos de programas\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\inicia~1\mediac~1.lnk - c:\arquivos de programas\hotalbummybox\MediaChecker.exe
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~2\office11\EXCEL.EXE/3000
IE: Translate this web page with Babylon - c:\arquivos de programas\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\arquivos de programas\babylon\babylon-pro\utils\BabylonIEPI.dll/Action.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://c:\arquivos de programas\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\arquiv~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: bancoreal.com.br\www
Trusted Zone: bancosantander.com.br\www
Trusted Zone: realsecureweb.com.br\www
Trusted Zone: realsecureweb.com.br\www2
Trusted Zone: realsecureweb.com.br\wwws
Trusted Zone: santander.com.br\www
Trusted Zone: santanderempresarial.com.br\www
Trusted Zone: santandernet.com.br\www
Trusted Zone: santandernet.com.br\wwws
Trusted Zone: santandernetibe.com.br\www
Trusted Zone: secureweb.com.br\www
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} - hxxps://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
TCP: DhcpNameServer =
TCP: Interfaces\{FD58444F-BE31-4DCF-B3D8-D011DA5B24FF} : DhcpNameServer =
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\arquiv~1\arquiv~1\skype\SKYPE4~1.DLL
Notify: GbPluginAbn - c:\arquiv~1\gbplugin\gbiehAbn.dll
Notify: igfxcui - igfxdev.dll
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - c:\arquivos de programas\scpad\scpLIB.dll
STS: compIB Class: {a3717295-941d-416f-9384-ed1736729f1c} - c:\arquivos de programas\scpad\scpLIB.dll
SEH: GbPluginObj Class: {e37cb5f0-51f5-4395-a808-5fa49e399007} - c:\arquiv~1\gbplugin\gbiehAbn.dll
============= SERVICES / DRIVERS ===============
R0 360HookOem;360HookOem;c:\windows\system32\drivers\360HookOem.sys [2011-8-14 54912]
R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [2010-10-16 47512]
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2009-12-5 15172]
R1 360FileOem;360FileOem;c:\windows\system32\drivers\360FileOem.sys [2011-8-14 146304]
R1 360RegOem;360RegOem;c:\windows\system32\drivers\360RegOem.sys [2011-8-14 23168]
R1 avgio;avgio;c:\arquivos de programas\avira\antivir desktop\avgio.sys [2009-11-10 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\avira\antivir desktop\sched.exe [2009-11-10 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\arquivos de programas\avira\antivir desktop\avguard.exe [2009-11-10 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-10 66616]
R2 GbpSv;Gbp Service;c:\arquiv~1\gbplugin\GbpSv.exe [2010-10-16 57624]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]
S0 szkg5;szkg5;c:\windows\system32\drivers\szkg.sys --> c:\windows\system32\drivers\szkg.sys [?]
S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]
S2 PSafeSVC;PSafeSVC;c:\arquivos de programas\psafe\psafesvc.exe --> c:\arquivos de programas\psafe\PSafesvc.exe [?]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\arquivos de programas\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
=============== Created Last 30 ================
2020-07-30 23:02:36 -------- d-----w- c:\documents and settings\all users\dados de aplicativos\Pinnacle VideoSpin
2020-07-30 23:02:36 -------- d-----w- c:\arquivos de programas\arquivos comuns\Yahoo!
2011-11-21 18:30:17 -------- d--h--w- c:\windows\PIF
==================== Find3M ====================
2011-10-10 14:22:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:39 605184 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 14:41:48 613376 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 14:41:48 22016 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 14:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-06 14:10:12 1859072 ----a-w- c:\windows\system32\win32k.sys
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
CreateFile("\\.\PHYSICALDRIVE0"): O arquivo já está sendo usado por outro processo.
device: opened successfully
user: error reading MBR
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89D92AB8]
3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000067[0x89DC53B8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP1T1L0-5[0x89D53D98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV DS, AX; MOV ES, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x80; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x61e; }
user != kernel MBR !!!
============= FINISH: 16:30:52,87 ===============

Edit: Moved topic from Internal Hardware to the more appropriate forum. ~ Animal

Attached Files

BC AdBot (Login to Remove)


#2 Gammo


  • Members
  • 202 posts
  • Gender:Not Telling
  • Local time:12:08 AM

Posted 21 November 2011 - 04:14 PM


Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    Posted Image
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    Posted Image
  • Click the Start Scan button.

    Posted Image
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

    Posted Image
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

    Posted Image

    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now


Please post the final results, good or bad. We like to know!

#3 Gammo


  • Members
  • 202 posts
  • Gender:Not Telling
  • Local time:12:08 AM

Posted 21 December 2011 - 05:55 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.


Please post the final results, good or bad. We like to know!

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users