Infected with TDSS & google keeps redirecting


  • This topic is locked
2 replies to this topic

#1 Alcyr Lima

Posted 21 November 2011 - 02:09 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by ATL at 16:30:25 on 2011-11-21
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.2010.1188 [GMT -2:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe 4
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe
C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
C:\Arquivos de programas\BabylonToolbar\BabylonToolbar\1.4.15.10\BabylonToolbarsrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\ATL\Bluebirds\BlueBirds.exe
C:\Arquivos de programas\Shutterfly\Studio\BIN\SFlyStudio.exe
C:\Arquivos de programas\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Arquivos de programas\HOTALBUMMyBOX\MediaChecker.exe
svchost.exe 4
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avshadow.exe
C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe
C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jucheck.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2481031
uSearch Page =
uSearch Bar =
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
uURLSearchHooks: CUOLSearchHook Object: {1fe8243e-0a3a-41b9-b9ce-effee51974d3} - c:\arquivos de programas\arquivos comuns\uol\urlsearch\UOLSearchHook.dll
uURLSearchHooks: Ashampoo BR Toolbar: {e7cb019e-bf3b-4c48-9673-48c323b18e31} - c:\arquivos de programas\ashampoo_br\prxtbAsh0.dll
mURLSearchHooks: CUOLSearchHook Object: {1fe8243e-0a3a-41b9-b9ce-effee51974d3} - c:\arquivos de programas\arquivos comuns\uol\urlsearch\UOLSearchHook.dll
BHO: Facilitador de Leitor de Link Adobe PDF: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\arquivos de programas\arquivos comuns\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ssh2 Class: {2e3c3651-b19c-4dd9-a979-901ec3e930af} - c:\arquivos de programas\scpad\scpsssh2.dll
BHO: CescrtHlpr Object: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\arquivos de programas\babylontoolbar\babylontoolbar\1.4.15.10\bh\BabylonToolbar.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Auxiliar de Conexão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\arquivos de programas\arquivos comuns\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\arquivos de programas\epson software\easy photo print\EPTBL.dll
BHO: Babylon IE plugin: {9cfaccb6-2f3f-4177-94ea-0d2b72d384c1} - c:\arquivos de programas\babylon\babylon-pro\utils\BabylonIEPI.dll
BHO: DealPly: {a6174f27-1fff-e1d6-a93f-ba48ad5dd448} - c:\arquivos de programas\dealply\DealPlyIE.dll
BHO: GbIehObj Class: {c41a1c0e-ea6c-11d4-b1b8-444553540007} - c:\arquiv~1\gbplugin\gbiehAbn.dll
BHO: TBSB07405 Class: {d554776b-0aa2-4a4a-9af0-7a5caa0c008c} - c:\arquivos de programas\globalenglish\gpt\gept.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\arquivos de programas\java\jre6\bin\jp2ssv.dll
BHO: Ashampoo BR Toolbar: {e7cb019e-bf3b-4c48-9673-48c323b18e31} - c:\arquivos de programas\ashampoo_br\prxtbAsh0.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\arquivos de programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\arquivos de programas\epson software\easy photo print\EPTBL.dll
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - c:\arquivos de programas\babylontoolbar\babylontoolbar\1.4.15.10\BabylonToolbarTlbr.dll
TB: Global English Productivity Toolbar: {d2ec0085-c9b2-4860-bc38-8a5fb2da836c} - c:\arquivos de programas\globalenglish\gpt\gept.dll
TB: Ashampoo BR Toolbar: {e7cb019e-bf3b-4c48-9673-48c323b18e31} - c:\arquivos de programas\ashampoo_br\prxtbAsh0.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {5BBFC00A-312C-4777-A5DF-DDA65C67120C} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {E6B34E36-FC46-4216-BC18-6D31790DB0BF} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [bluebirds] c:\documents and settings\atl\bluebirds\BlueBirds.exe
uRun: [ShutterflyStudio] c:\arquivos de programas\shutterfly\studio\bin\SFlyStudio.exe /trayonly
uRun: [MP4 Player] "c:\arquivos de programas\mp4 player\mp4Player.exe" hmw
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avgnt] "c:\arquivos de programas\avira\antivir desktop\avgnt.exe" /min
mRun: [NeroFilterCheck] c:\arquivos de programas\arquivos comuns\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\arquivos de programas\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [MBBalloon] c:\arquivos de programas\hotalbummybox\MBBalloon.exe
mRun: [Adobe Reader Speed Launcher] "c:\arquivos de programas\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\arquivos de programas\arquivos comuns\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\arquivos de programas\arquivos comuns\java\java update\jusched.exe"
mRun: [BabylonToolbar] "c:\arquivos de programas\babylontoolbar\babylontoolbar\1.4.15.10\BabylonToolbarsrv.exe" /md I
mRun: [Babylon Client] c:\arquivos de programas\babylon\babylon-pro\Babylon.exe -AutoStart
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10k_ActiveX.exe -update activex
dRunOnce: [DeleteEngineAfterUpdate] reg DELETE HKCU\Software\ConduitEngine /f
StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\inicia~1\mcafee~1.lnk - c:\arquivos de programas\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\inicia~1\mediac~1.lnk - c:\arquivos de programas\hotalbummybox\MediaChecker.exe
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~2\office11\EXCEL.EXE/3000
IE: Translate this web page with Babylon - c:\arquivos de programas\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\arquivos de programas\babylon\babylon-pro\utils\BabylonIEPI.dll/Action.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://c:\arquivos de programas\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\arquiv~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: bancoreal.com.br\www
Trusted Zone: bancosantander.com.br\www
Trusted Zone: realsecureweb.com.br\www
Trusted Zone: realsecureweb.com.br\www2
Trusted Zone: realsecureweb.com.br\wwws
Trusted Zone: santander.com.br\www
Trusted Zone: santanderempresarial.com.br\www
Trusted Zone: santandernet.com.br\www
Trusted Zone: santandernet.com.br\wwws
Trusted Zone: santandernetibe.com.br\www
Trusted Zone: secureweb.com.br\www
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} - hxxps://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{FD58444F-BE31-4DCF-B3D8-D011DA5B24FF} : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\arquiv~1\arquiv~1\skype\SKYPE4~1.DLL
Notify: GbPluginAbn - c:\arquiv~1\gbplugin\gbiehAbn.dll
Notify: igfxcui - igfxdev.dll
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - c:\arquivos de programas\scpad\scpLIB.dll
STS: compIB Class: {a3717295-941d-416f-9384-ed1736729f1c} - c:\arquivos de programas\scpad\scpLIB.dll
SEH: GbPluginObj Class: {e37cb5f0-51f5-4395-a808-5fa49e399007} - c:\arquiv~1\gbplugin\gbiehAbn.dll
.
============= SERVICES / DRIVERS ===============
.
R0 360HookOem;360HookOem;c:\windows\system32\drivers\360HookOem.sys [2011-8-14 54912]
R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [2010-10-16 47512]
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2009-12-5 15172]
R1 360FileOem;360FileOem;c:\windows\system32\drivers\360FileOem.sys [2011-8-14 146304]
R1 360RegOem;360RegOem;c:\windows\system32\drivers\360RegOem.sys [2011-8-14 23168]
R1 avgio;avgio;c:\arquivos de programas\avira\antivir desktop\avgio.sys [2009-11-10 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\avira\antivir desktop\sched.exe [2009-11-10 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\arquivos de programas\avira\antivir desktop\avguard.exe [2009-11-10 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-10 66616]
R2 GbpSv;Gbp Service;c:\arquiv~1\gbplugin\GbpSv.exe [2010-10-16 57624]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]
S0 szkg5;szkg5;c:\windows\system32\drivers\szkg.sys --> c:\windows\system32\drivers\szkg.sys [?]
S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]
S2 PSafeSVC;PSafeSVC;c:\arquivos de programas\psafe\psafesvc.exe --> c:\arquivos de programas\psafe\PSafesvc.exe [?]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\arquivos de programas\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
.
=============== Created Last 30 ================
.
2020-07-30 23:02:36 -------- d-----w- c:\documents and settings\all users\dados de aplicativos\Pinnacle VideoSpin
2020-07-30 23:02:36 -------- d-----w- c:\arquivos de programas\arquivos comuns\Yahoo!
2011-11-21 18:30:17 -------- d--h--w- c:\windows\PIF
.
==================== Find3M ====================
.
2011-10-10 14:22:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:39 605184 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 14:41:48 613376 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 14:41:48 22016 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 14:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-06 14:10:12 1859072 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): O arquivo já está sendo usado por outro processo.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89D92AB8]
3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000067[0x89DC53B8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP1T1L0-5[0x89D53D98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV DS, AX; MOV ES, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x80; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x61e; }
user != kernel MBR !!!
.
============= FINISH: 16:30:52,87 ===============

Edit: Moved topic from Internal Hardware to the more appropriate forum. ~ Animal


#2 Gammo


Posted 21 November 2011 - 04:14 PM

Hi,

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip; click on Continue.

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.





Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.


Please post the final results, good or bad. We like to know!


#3 Gammo

Gammo

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:12:08 AM

Posted 21 December 2011 - 05:55 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.


Please post the final results, good or bad. We like to know!




