Google redirect virus

#1 iuorno

I was having some trouble getting rid of the Google redirect virus but finally did it with ComboFix. What do I have to do next? I read some things about using OTM but don't know how to use it.

I'd really appreciate some help.

Here is the ComboFix log file:

ComboFix 10-08-30.02 - Eduardo 30/08/2010 22:27:21.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.2046.1465 [GMT -3:00]
Executando de: c:\documents and settings\Eduardo\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100830-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
ADS - drivers: deleted 216 bytes in 2 streams.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_000016_.tmp.dll

.
(((((((((((((((( Arquivos/Ficheiros criados de 2010-07-28 to 2010-08-31 ))))))))))))))))))))))))))))
.

2010-08-30 09:38 . 2010-08-30 09:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-08-28 12:35 . 2010-08-30 00:23 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy
2010-08-28 12:30 . 2010-08-29 04:30 -------- d-----w- C:\3a833a6c60e90c0c5fa631
2010-08-28 12:25 . 2010-08-28 12:25 -------- d-----w- c:\arquivos de programas\MSXML 4.0
2010-08-28 12:08 . 2010-08-28 12:08 6144 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Spyware Terminator\sp_rsdel.exe
2010-08-28 12:08 . 2010-08-28 12:08 5632 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Spyware Terminator\fileobjinfo.sys
2010-08-28 12:08 . 2010-08-28 12:08 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2010-08-28 12:08 . 2010-08-30 11:08 -------- d-----w- c:\documents and settings\Eduardo\Dados de aplicativos\Spyware Terminator
2010-08-28 12:08 . 2010-08-30 00:48 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Spyware Terminator
2010-08-28 12:02 . 2009-11-21 15:58 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-08-28 12:02 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-28 12:02 . 2010-06-24 12:24 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-28 12:01 . 2010-06-18 13:36 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-31 00:38 . 2001-09-06 13:00 84812 ----a-w- c:\windows\system32\perfc016.dat
2010-08-31 00:38 . 2001-09-06 13:00 484912 ----a-w- c:\windows\system32\perfh016.dat
2010-08-30 01:28 . 2009-11-09 20:47 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help
2010-08-30 01:21 . 2009-12-04 23:26 -------- d-----w- c:\arquivos de programas\Microsoft Works
2010-08-23 01:13 . 2010-06-19 15:22 -------- d-----w- c:\documents and settings\Eduardo\Dados de aplicativos\ZoomBrowser EX
2010-07-27 11:20 . 2009-11-06 21:00 45472 ----a-w- c:\windows\system32\drivers\gbpkm.sys
2010-07-15 12:54 . 2010-07-15 12:47 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\PhotoStitch
2010-07-15 00:39 . 2010-06-19 15:11 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\ZoomBrowser
2010-07-06 01:30 . 2009-12-24 13:38 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Nokia
2010-07-06 01:30 . 2010-07-06 01:26 -------- d-----w- c:\arquivos de programas\Nokia
2010-07-06 00:18 . 2010-04-14 02:03 -------- d-----w- c:\documents and settings\Eduardo\Dados de aplicativos\Skype
2010-06-30 12:32 . 2004-08-04 03:45 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:24 . 2004-08-04 03:45 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 09:02 . 2004-08-04 03:38 1852032 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 02:14 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 03:45 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 21:56 . 2010-06-14 21:56 1078 ----a-r- c:\documents and settings\Eduardo\Dados de aplicativos\Microsoft\Installer\{DE0F5F48-B60F-4E7D-9B81-17CA3872A260}\_9c511b6.exe
2010-06-14 14:31 . 2009-10-29 03:17 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:42 . 2004-08-04 03:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"GBB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-07-12 356352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-10 7557120]
"nwiz"="nwiz.exe" [2006-03-10 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-10 86016]
"avast!"="d:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-25 81000]
"SunJavaUpdateSched"="d:\arquivos de programas\Java\jre6_2\bin\jusched.exe" [2009-11-07 149280]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
2010-07-27 11:18 335136 ----a-w- c:\arquivos de programas\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Eduardo^Menu Iniciar^Programas^Inicializar^Recorte de tela e Iniciador do OneNote 2007.lnk]
path=c:\documents and settings\Eduardo\Menu Iniciar\Programas\Inicializar\Recorte de tela e Iniciador do OneNote 2007.lnk
backup=c:\windows\pss\Recorte de tela e Iniciador do OneNote 2007.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\arquivos de programas\Arquivos comuns\Nokia\MPlatform\NokiaMServer [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\arquivos de programas\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
2003-05-21 20:37 229437 ----a-w- c:\arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-10-29 23:51 133104 ----atw- c:\documents and settings\Eduardo\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-10-23 21:51 233472 ----a-w- c:\arquivos de programas\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 13:24 49152 ----a-w- c:\arquivos de programas\Hewlett-Packard\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-06 00:55 54832 ------w- d:\arquivos de programas\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 13:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 17:10 56928 ------w- d:\arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-10-30 02:55 198160 ----a-w- c:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"odserv"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\documents and settings\Eduardo\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
"SpybotSD TeaTimer"=d:\arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NokiaMServer"=c:\arquivos de programas\Arquivos comuns\Nokia\MPlatform\NokiaMServer /watchfiles startup
"NokiaMusic FastStart"="c:\arquivos de programas\Nokia\Ovi Player\NokiaOviPlayer.exe" /command:faststart
"Adobe ARM"="c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SkyTel"=SkyTel.EXE
"TkBellExe"="c:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Arquivos de Programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Arquivos de Programas\\eMule\\emule.exe"=
"c:\\Arquivos de programas\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Arquivos de Programas\\Java\\jre6_2\\bin\\javaw.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=
"d:\\Arquivos de Programas\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [6/11/2009 18:00 45472]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [31/10/2009 02:12 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [28/8/2010 09:08 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [31/10/2009 02:12 20560]
R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [6/11/2009 18:00 55072]

--- =Outros Serviços/Drivers Na Memória ---

*NewlyCreated* - KLMD24
*Deregistered* - klmd24

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Conteúdo da pasta 'Tarefas Agendadas'
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.globo.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {94438815-11E2-4842-9881-4CC7D0FC57B4} = 200.149.55.142 200.165.132.154
DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - hxxps://www14.bancobrasil.com.br/plugin/GbpDist.cab
.
- - - - ORFÃOS REMOVIDOS - - - -

MSConfigStartUp-NokiaMusic FastStart - d:\arquivos de programas\Nokia\Ovi Player\NokiaOviPlayer.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-30 22:29
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\arquivos de programas\GBPLUGIN\gbieh.dll
.
Tempo para conclusão: 2010-08-30 22:30:55
ComboFix-quarantined-files.txt 2010-08-31 01:30

Pré-execução: 7 pasta(s) 47.513.829.376 bytes disponíveis
Pós execução: 8 pasta(s) 47.805.988.864 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 246D898D1999844A97CFEA5BDCC3CC14