PC infecté par trojan js:Banker-j : l´analyse ComboFix

cozal · le 30 juillet 2011

Bonjour,

Mon PC, qui tourne sous Windows Vista, vient d´être infecté par un trojan js:Banker-j. J´ai l´antivirus avast!, et celui-ci est évidemment impuissant à éliminer le trojan. J´ai téléchargé le logiciel ComboFix, que j´ai exécuté. Voici le rapport :

ComboFix 11-07-29.03 - corujinha 30/07/2011 15:43:18.1.2 - x86

Microsoft® Windows Vista™ Business 6.0.6002.2.1252.55.1046.18.2038.869 [GMT -3:00]

Executando de: c:\users\corujinha\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\users\corujinha\AppData\Roaming\Desktopicon

c:\users\corujinha\AppData\Roaming\Desktopicon\mc.ico

c:\windows\IsUn0416.exe

.

(((((((((((((((( Arquivos/Ficheiros criados de 2011-06-28 to 2011-07-30 ))))))))))))))))))))))))))))

.

2011-07-29 11:41 . 2011-07-29 11:41 -------- d-----w- c:\program files\CCleaner

2011-07-29 11:40 . 2011-07-13 03:39 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{95F044EB-4B29-427C-A79C-9D2475B4B0C9}\mpengine.dll

2011-07-22 11:35 . 2011-07-22 11:35 -------- d-----w- c:\program files\Common Files\Java

2011-07-14 01:16 . 2011-06-02 13:34 2043392 ----a-w- c:\windows\system32\win32k.sys

2011-07-14 01:15 . 2011-04-20 15:55 375808 ----a-w- c:\windows\system32\winsrv.dll

2011-07-14 01:15 . 2011-04-20 15:50 49152 ----a-w- c:\windows\system32\csrsrv.dll

2011-07-13 02:01 . 2011-07-13 02:01 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2011-07-13 02:00 . 2009-09-04 20:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll

2011-07-13 02:00 . 2009-09-04 20:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll

2011-07-13 02:00 . 2009-09-04 20:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-04 11:43 . 2010-10-05 11:53 40112 ----a-w- c:\windows\avastSS.scr

2011-07-04 11:43 . 2009-08-22 01:42 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-07-04 11:36 . 2011-03-01 12:12 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-07-04 11:36 . 2009-08-22 01:42 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-07-04 11:35 . 2009-08-22 01:42 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-07-04 11:32 . 2009-08-22 01:42 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-07-04 11:32 . 2009-08-22 01:42 54104 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2011-07-04 11:32 . 2009-08-22 01:42 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-05-24 22:14 . 2009-10-03 17:47 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-05-13 19:03 . 2011-05-13 19:03 49016 ----a-w- c:\windows\system32\sirenacm.dll

2011-05-13 18:42 . 2011-05-13 18:42 302448 ----a-w- c:\windows\WLXPGSS.SCR

2011-05-04 07:52 . 2010-04-22 17:44 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-02 17:16 . 2011-06-27 00:08 739328 ----a-w- c:\windows\system32\inetcomm.dll

2011-06-27 00:10 . 2011-05-06 01:10 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

*Nota* entradas vazias e legítimas por padrão não são apresentadas.

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-11-23 3908192]

.

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

.

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

2010-11-23 20:55 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

2010-11-23 20:55 3908192 ----a-w- c:\program files\Vuze_Remote\tbVuze.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2010-02-04 19:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-11-23 3908192]

"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-11-23 3908192]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

.

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-11-23 3908192]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-07-04 11:43 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-07-10 163840]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-10 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-10 170520]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-10 141848]

"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"Philips Device Listener"="c:\program files\Philips\Philips Songbird Resources\Autolauncher\PhilipsDeviceListener.exe" [2010-05-27 375296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-3-14 2938184]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S0 MrFilter;EasyWrite Driver; [x]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-07-04 54104]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Conteúdo da pasta 'Tarefas Agendadas'

.

2011-07-30 c:\windows\Tasks\User_Feed_Synchronization-{5560F1BD-5211-442D-ADCA-8EE1E2EC9450}.job

- c:\windows\system32\msfeedssync.exe [2008-01-21 02:25]

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.bol.com.br/

IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.09\AMVConverter\grab.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 4.09\MediaManager\grab.html

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\users\corujinha\AppData\Roaming\Mozilla\Firefox\Profiles\hlkv4or2.default\

FF - prefs.js: network.proxy.type - 2

.

- - - - ORFÃOS REMOVIDOS - - - -

.

HKLM-Run-hpqSRMon - (no file)

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2011-07-30 16:08

Windows 6.0.6002 Service Pack 2 NTFS

.

Procurando processos ocultos ...

.

Procurando entradas auto inicializáveis ocultas ...

.

Procurando ficheiros/arquivos ocultos ...

.

c:\users\CORUJI~1\AppData\Local\Temp\catchme.dll 53248 bytes executable

C:\## aswSnx private storage

.

Varredura completada com sucesso

arquivos/ficheiros ocultos: 2

.

**************************************************************************

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Tempo para conclusão: 2011-07-30 16:14:30

ComboFix-quarantined-files.txt 2011-07-30 19:14

.

Pré-execução: 18.732.507.136 bytes disponíveis

Pós execução: 19.285.553.152 bytes disponíveis

.

Current=1 Default=1 Failed=0 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10

- - End Of File - - EE872539606EF3C2232DC58599A8EA29

Merci d´avance pour votre aide.

Cozal

pear · le 31 juillet 2011

Bonjour,

1)

Combofix est très puissant et ne doit pas être utilisé sans une aide compétente sous peine de risquer des dommages irréversibles.

Veuillez noter que ce logiciel est régulièrement mis à jour et que la version que vous avez chargée sera obsolète dans quelques jours.

Pour supprimer Combofix:

Démarrer > Exécuter ->

Copier/coller:

"%userprofile%\Bureau\ComboFix.exe" /uninstall

En cas d'échec:

Renommer ComboFix.exe qui est sur votre bureau -> Uninstall.exe et double cliquez dessus.

Supprimez C:\qoobox si vous le trouvez

2)

Téléchargez AD-Remover sur le bureau

Déconnectez-vous et fermez toutes les applications en cours

Cliquer sur "Ad-R.exe" pour lancer l'installation et laisser les paramètres par défaut .

Une fenêtre s'affichera Vous prévenant des risques de l'utilisation de ce logiciel

Cliquez sur "OUI"

Double cliquer sur l'icône Ad-remover sur le bureau

Au menu principal choisir l'optionScanner et Validez

Patientez pendant le travail de l'outil.

Poster le rapport qui apparait à la fin .

Il est sauvegardé aussi sous C:\Ad-report.log

Ensuite

Relancer Ad- remover , choisir l'option Nettoyer

Il y aura 2 rapports à poster après :Scanner et Nettoyer

Une fois la désinfrction terminée, mais pas avant:

désinstaller AD-Remover, lancez avec l'option D puis supprimer l'icône du bureau.

Téléchargez MBAM

Branchez tous les supports amovibles avant de faire ce scan (clé usb/disque dur externe etc)

Avant de lancer Mbam

Vous devez d'abord désactiver vos protections mais vous ne savez pas comment faire

Exécuter avec droits d'administrateur.

Sous Vista , désactiver l'Uac

Double cliquez sur l'icône Download_mbam-setup.exe pour lancer le processus d'installation.

Enregistrez le sur le bureau .

Fermer toutes les fenêtres et programmes

Suivez les indications (en particulier le choix de la langue et l'autorisation d'accession à Internet)

N'apportez aucune modification aux réglages par défaut et, en fin d'installation,

Vérifiez que les options Update et Launch soient cochées

MBAM démarrera automatiquement et enverra un message demandant de mettre à jour le programme avant de lancer une analyse.

cliquer sur OK pour fermer la boîte de dialogue..

Dans l'onglet "mise à jour", cliquez sur le bouton Recherche de mise à jour:

Si le pare-feu demande l'autorisation de connecter MBAM, acceptez.

Une fois la mise à jour terminée, allez dans l'onglet Recherche.

Sélectionnez "Exécuter un examen complet"

Cliquez sur "Rechercher"

.L' analyse prendra un certain temps, soyez patient !

A la fin , un message affichera :

L'examen s'est terminé normalement.

Et un fichier Mbam.log apparaitra

Nettoyage

Relancez Mbam(Malewares'Bytes)

Sélectionnez "Exécuter un examen complet"

Cliquez sur "Rechercher"

L' analyse prendra un certain temps, soyez patient !

A la fin , un message affichera :

L'examen s'est terminé normalement.

Sélectionnez tout et cliquez sur Supprimer la sélection ,

MBAM va détruire les fichiers et clés de registre et en mettre une copie dans la quarantaine.

puis ouvrir le Bloc-notes et y copier le rapport d'analyse qui peut être retrouvé sous l'onglet Rapports/logs.

Copiez-collez ce rapport dans la prochaine réponse.

3)

Téléchargez ZhpDiag de Coolman

Décompresser le fichier ZHPDiag.fix sur le bureau

puis double-cliquer sur le fichier ZHPDiag.exe pour installer l'outil

Sur le bureau ,il y aura 3 icônes

Sous XP, double clic sur ZhpDiag

Sous Vista/7, faire un clic droit et Exécuter en tant qu'administrateur

Clic sur la Loupe pour lancer le scan

En cas de blocage sur O80, cliquez sur le tournevis pour le décocher

Postez en le rapport ZhpDiag.txt qui apparait sur le bureau

Comment poster les rapports

Vous copiez/collez tout ou partie des rapports dans un ou plusieurs messages.

Autre solution:

Aller sur le site :Ci-Joint

Appuyez sur Parcourir et chercher les rapports sur le disque,

Ensuite appuyez sur Créer le lien CJoint,

>> dans la page suivante --> ,,

une adresse http//.. sera créée

Copier /coller cette adresse dans votre prochain message.

cozal · le 3 août 2011

Bonsoir,

Merci pour vos indications, que j´ai suivi à la lettre. Je vous poste les rapports demandés :

1) Ad-Report-SCAN

======= REPORT FROM AD-REMOVER 2.0.0.2,G | ONLY XP/VISTA/7 =======

Updated by TeamXscript on 12/04/11

Contact: AdRemover[DOT]contact[AT]gmail[DOT]com

website: http://www.teamxscript.org'>http://www.teamxscript.org

C:\Program Files\Ad-Remover\main.exe (SCAN [1]) -> Launched at 20:05:02 on 02/08/2011, Normal boot

Microsoft® Windows Vista™ Business Service Pack 2 (X86)

corujinha@CORUJINHA-PC (Dell Inc. Vostro A860)

============== SEARCH ==============

File found: C:\Program Files\Mozilla FireFox\Components\AskSearch.js

File found: C:\Windows\system32\Tasks\Scheduled Update for Ask Toolbar

File found: C:\Users\corujinha\AppData\Roaming\Mozilla\FireFox\Profiles\hlkv4or2.default\searchplugins\ask.xml

File found: C:\Users\corujinha\AppData\Roaming\Mozilla\FireFox\Profiles\hlkv4or2.default\searchplugins\askcom.xml

Folder found: C:\Users\corujinha\AppData\Roaming\Mozilla\FireFox\Profiles\hlkv4or2.default\conduit

Folder found: C:\Users\corujinha\AppData\Roaming\Mozilla\FireFox\Profiles\hlkv4or2.default\ConduitEngine

Folder found: C:\Users\corujinha\AppData\Roaming\Mozilla\FireFox\Profiles\hlkv4or2.default\extensions\engine@conduit.com

File found: C:\Users\corujinha\AppData\Roaming\Mozilla\FireFox\Profiles\hlkv4or2.default\searchplugins\conduit.xml

Folder found: C:\Program Files\Ask.com

Folder found: C:\Users\corujinha\AppData\LocalLow\Conduit

Folder found: C:\Program Files\Conduit

Folder found: C:\Users\corujinha\AppData\LocalLow\ConduitEngine

Folder found: C:\Program Files\ConduitEngine

Key found: HKLM\Software\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}

Key found: HKLM\Software\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}

Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}

Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{30F9B915-B755-4826-820B-08FBA6BD249D}

Key found: HKLM\Software\Classes\CLSID\{9007F15E-EFA1-4C97-8D44-9AEBC16CA45C}

Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9007F15E-EFA1-4C97-8D44-9AEBC16CA45C}

Key found: HKLM\Software\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key found: HKLM\Software\Classes\CLSID\{F5672D02-7492-490A-BC49-271F2AFA609C}

Key found: HKLM\Software\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

Key found: HKLM\Software\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}

Key found: HKLM\Software\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}

Key found: HKLM\Software\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}

Key found: HKLM\Software\Classes\Conduit.Engine

Key found: HKLM\Software\Classes\GenericAskToolbar.ToolbarWnd

Key found: HKLM\Software\Classes\GenericAskToolbar.ToolbarWnd.1

Key found: HKLM\Software\Classes\Toolbar.CT2504091

Key found: HKLM\Software\Classes\AppID\GenericAskToolbar.DLL

Key found: HKLM\Software\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}

Key found: HKLM\Software\Conduit

Key found: HKLM\Software\conduitEngine

Key found: HKCU\Software\Ask.com

Key found: HKCU\Software\Conduit

Key found: HKCU\Software\AppDataLow\AskToolbarInfo

Key found: HKCU\Software\AppDataLow\Toolbar

Key found: HKCU\Software\AppDataLow\Software\AskToolbar

Key found: HKCU\Software\AppDataLow\Software\Conduit

Key found: HKCU\Software\AppDataLow\Software\conduitEngine

Key found: HKLM\Software\aTube Catcher\OpenCandy

Key found: HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF

Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Userdata\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF

Key found: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}

Key found: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}

Key found: HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key found: HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key found: HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F8826702-0CDD-4ABC-A336-F5F35DAB2121}

Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine

Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine

Key found: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Scheduled Update for Ask Toolbar

Value found: HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks|{00000000-6E41-4FD3-8538-502F5495E5FC}

Value found: HKLM\Software\Microsoft\Internet Explorer\Toolbar|{D4027C7F-154A-4066-A1AD-4243D8127440}

Value found: HKLM\Software\Microsoft\Internet Explorer\Toolbar|{30F9B915-B755-4826-820B-08FBA6BD249D}

Value found: HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser|{D4027C7F-154A-4066-A1AD-4243D8127440}

============== ADDITIONNAL SCAN ==============

**** Mozilla Firefox Version [5.0 (pt-BR)] ****

HKLM_MozillaPlugins\Adobe Reader (x)

Searchplugins\buscape.xml (hxxp://busca.buscape.com.br/cprocura)

Searchplugins\mercadolivre.xml (hxxp://pmstrk.mercadolivre.com.br/jm/PmsTrk)

Searchplugins\wikipedia-br.xml (hxxp://pt.wikipedia.org/wiki/Especial:Busca)

Searchplugins\yahoo-br.xml (hxxp://br.search.yahoo.com/search)

Components\AskSearch.js

Components\browsercomps.dll (Mozilla Foundation)

Extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} (Skype extension )

Extensions - "{B13721C7-F507-4982-B2E5-502A71474FED}" (?)

HKLM_Extensions|smartwebprinting@hp.com - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

HKCU_Extensions|smartwebprinting@hp.com - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

-- C:\Users\corujinha\AppData\Roaming\Mozilla\FireFox\Profiles\hlkv4or2.default --

Extensions\engine@conduit.com (Conduit Engine )

Extensions\{87F8774F-B485-47E2-A755-A40A8A5E886D} (Adicional de Seguranca CAIXA®)

Extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc} (Vuze Remote Community Toolbar)

Searchplugins\ask.xml (?)

Searchplugins\askcom.xml (?)

Searchplugins\conduit.xml (hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=3&q={searchTerms}/)

Prefs.js - browser.startup.homepage_override.buildID, 20110615151330

Prefs.js - browser.startup.homepage_override.mstone, rv:5.0

========================================

**** Internet Explorer Version [7.0.6002.18005] ****

HKCU_Main|Search Page - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKCU_Main|Start Page - hxxp://www.bol.com.br/

HKLM_Main|Default_Page_URL - hxxp://go.microsoft.com/fwlink/?LinkId=69157

HKLM_Main|Default_Search_URL - hxxp://go.microsoft.com/fwlink/?LinkId=54896

HKLM_Main|Search Page - hxxp://go.microsoft.com/fwlink/?LinkId=54896

HKLM_Main|Start Page - hxxp://go.microsoft.com/fwlink/?LinkId=69157

HKCU_URLSearchHooks|{00000000-6E41-4FD3-8538-502F5495E5FC} - "UrlSearchHook Class" (C:\Program Files\Ask.com\GenericAskToolbar.dll)

HKCU_URLSearchHooks|{ba14329e-9550-4989-b3f2-9732e92d17cc} - "Vuze Remote Toolbar" (C:\Program Files\Vuze_Remote\tbVuze.dll)

HKLM_URLSearchHooks|{ba14329e-9550-4989-b3f2-9732e92d17cc} - "Vuze Remote Toolbar" (C:\Program Files\Vuze_Remote\tbVuze.dll)

HKCU_SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} - "Ask Search" (hxxp://websearch.ask.com/redirect?client=ie&tb=ATU3&o=15380&src=crm&q={searchTer...)

HKCU_SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420} - "Ask Search" (hxxp://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q={searchTerms}&crm=1&tool...)

HKCU_Toolbar\WebBrowser|{D4027C7F-154A-4066-A1AD-4243D8127440} (C:\Program Files\Ask.com\GenericAskToolbar.dll)

HKCU_Toolbar\WebBrowser|{BA14329E-9550-4989-B3F2-9732E92D17CC} (C:\Program Files\Vuze_Remote\tbVuze.dll)

HKLM_Toolbar|{D4027C7F-154A-4066-A1AD-4243D8127440} (C:\Program Files\Ask.com\GenericAskToolbar.dll)

HKLM_Toolbar|{8dcb7100-df86-4384-8842-8fa844297b3f} (C:\Program Files\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll)

HKLM_Toolbar|{ba14329e-9550-4989-b3f2-9732e92d17cc} (C:\Program Files\Vuze_Remote\tbVuze.dll)

HKLM_Toolbar|{30F9B915-B755-4826-820B-08FBA6BD249D} (C:\Program Files\ConduitEngine\ConduitEngine.dll)

HKCU_ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A} - C:\Program Files\Ask.com\SaUpdate.exe (?)

HKLM_ElevationPolicy\{073CE199-5E74-4F48-A6F6-8076835C0CF6} - C:\Program Files\Vuze_Remote\Vuze_RemoteToolbarHelper.exe (?)

HKLM_ElevationPolicy\{07d873dc-b9b9-44f5-af0b-fb59fa54fb7a} - C:\Windows\system32\wpcer.exe (x)

HKLM_ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A} - C:\Program Files\Ask.com\SaUpdate.exe (?)

HKLM_ElevationPolicy\{F8826702-0CDD-4ABC-A336-F5F35DAB2121} - C:\Program Files\ConduitEngine\ConduitEngineHelper.exe (?)

BHO\{30F9B915-B755-4826-820B-08FBA6BD249D} - "Conduit Engine" (C:\Program Files\ConduitEngine\ConduitEngine.dll)

BHO\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - "Search Helper" (C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll)

BHO\{ba14329e-9550-4989-b3f2-9732e92d17cc} - "Vuze Remote Toolbar" (C:\Program Files\Vuze_Remote\tbVuze.dll)

BHO\{D4027C7F-154A-4066-A1AD-4243D8127440} - "aTube Toolbar" (C:\Program Files\Ask.com\GenericAskToolbar.dll)

========================================

C:\Program Files\Ad-Remover\Quarantine: 0 File(s)

C:\Program Files\Ad-Remover\Backup: 1 File(s)

C:\Ad-Report-SCAN[1].txt - 02/08/2011 20:06:38 (9931 Byte(s))

End at: 20:07:24, 02/08/2011

============== E.O.F ==============

2) Ad-Report-CLEAN

======= REPORT FROM AD-REMOVER 2.0.0.2,G | ONLY XP/VISTA/7 =======

Updated by TeamXscript on 12/04/11

Contact: AdRemover[DOT]contact[AT]gmail[DOT]com

website: http://www.teamxscript.org

C:\Program Files\Ad-Remover\main.exe (CLEAN [1]) -> Launched at 20:09:09 on 02/08/2011, Normal boot

Microsoft® Windows Vista™ Business Service Pack 2 (X86)

corujinha@CORUJINHA-PC (Dell Inc. Vostro A860)

============== ACTION(S) ==============

File deleted: C:\Program Files\Mozilla FireFox\Components\AskSearch.js

File deleted: C:\Windows\system32\Tasks\Scheduled Update for Ask Toolbar

File deleted: C:\Users\corujinha\AppData\Roaming\Mozilla\FireFox\Profiles\hlkv4or2.default\searchplugins\ask.xml

File deleted: C:\Users\corujinha\AppData\Roaming\Mozilla\FireFox\Profiles\hlkv4or2.default\searchplugins\askcom.xml

Folder deleted: C:\Users\corujinha\AppData\Roaming\Mozilla\FireFox\Profiles\hlkv4or2.default\conduit

Folder deleted: C:\Users\corujinha\AppData\Roaming\Mozilla\FireFox\Profiles\hlkv4or2.default\ConduitEngine

Folder deleted: C:\Users\corujinha\AppData\Roaming\Mozilla\FireFox\Profiles\hlkv4or2.default\extensions\engine@conduit.com

File deleted: C:\Users\corujinha\AppData\Roaming\Mozilla\FireFox\Profiles\hlkv4or2.default\searchplugins\conduit.xml

Folder deleted: C:\Program Files\Ask.com

Folder deleted: C:\Users\corujinha\AppData\LocalLow\Conduit

Folder deleted: C:\Program Files\Conduit

Folder deleted: C:\Users\corujinha\AppData\LocalLow\ConduitEngine

Folder deleted: C:\Program Files\ConduitEngine

(!) -- Temporary files deleted.

Key deleted: HKLM\Software\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}

Key deleted: HKLM\Software\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}

Key deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}

Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{30F9B915-B755-4826-820B-08FBA6BD249D}

Key deleted: HKLM\Software\Classes\CLSID\{9007F15E-EFA1-4C97-8D44-9AEBC16CA45C}

Key deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9007F15E-EFA1-4C97-8D44-9AEBC16CA45C}

Key deleted: HKLM\Software\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key deleted: HKLM\Software\Classes\CLSID\{F5672D02-7492-490A-BC49-271F2AFA609C}

Key deleted: HKLM\Software\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

Key deleted: HKLM\Software\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}

Key deleted: HKLM\Software\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}

Key deleted: HKLM\Software\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}

Key deleted: HKLM\Software\Classes\Conduit.Engine

Key deleted: HKLM\Software\Classes\GenericAskToolbar.ToolbarWnd

Key deleted: HKLM\Software\Classes\GenericAskToolbar.ToolbarWnd.1

Key deleted: HKLM\Software\Classes\Toolbar.CT2504091

Key deleted: HKLM\Software\Classes\AppID\GenericAskToolbar.DLL

Key deleted: HKLM\Software\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}

Key deleted: HKLM\Software\Conduit

Key deleted: HKLM\Software\conduitEngine

Key deleted: HKCU\Software\Ask.com

Key deleted: HKCU\Software\Conduit

Key deleted: HKCU\Software\AppDataLow\AskToolbarInfo

Key deleted: HKCU\Software\AppDataLow\Toolbar

Key deleted: HKCU\Software\AppDataLow\Software\AskToolbar

Key deleted: HKCU\Software\AppDataLow\Software\Conduit

Key deleted: HKCU\Software\AppDataLow\Software\conduitEngine

Key deleted: HKLM\Software\aTube Catcher\OpenCandy

Key deleted: HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF

Key deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Userdata\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF

Key deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}

Key deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}

Key deleted: HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key deleted: HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key deleted: HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F8826702-0CDD-4ABC-A336-F5F35DAB2121}

Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine

Key deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

Key deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine

Key deleting error: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Scheduled Update for Ask Toolbar

Value deleted: HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks|{00000000-6E41-4FD3-8538-502F5495E5FC}

Value deleted: HKLM\Software\Microsoft\Internet Explorer\Toolbar|{D4027C7F-154A-4066-A1AD-4243D8127440}

Value deleted: HKLM\Software\Microsoft\Internet Explorer\Toolbar|{30F9B915-B755-4826-820B-08FBA6BD249D}

Value deleted: HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser|{D4027C7F-154A-4066-A1AD-4243D8127440}

============== ADDITIONNAL SCAN ==============

**** Mozilla Firefox Version [5.0 (pt-BR)] ****

HKLM_MozillaPlugins\Adobe Reader (x)

Searchplugins\buscape.xml (hxxp://busca.buscape.com.br/cprocura)

Searchplugins\mercadolivre.xml (hxxp://pmstrk.mercadolivre.com.br/jm/PmsTrk)

Searchplugins\wikipedia-br.xml (hxxp://pt.wikipedia.org/wiki/Especial:Busca)

Searchplugins\yahoo-br.xml (hxxp://br.search.yahoo.com/search)

Components\browsercomps.dll (Mozilla Foundation)

Extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} (Skype extension )

Extensions - "{B13721C7-F507-4982-B2E5-502A71474FED}" (?)

HKLM_Extensions|smartwebprinting@hp.com - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

HKCU_Extensions|smartwebprinting@hp.com - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

-- C:\Users\corujinha\AppData\Roaming\Mozilla\FireFox\Profiles\hlkv4or2.default --

Extensions\{87F8774F-B485-47E2-A755-A40A8A5E886D} (Adicional de Seguranca CAIXA®)

Extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc} (Vuze Remote Community Toolbar)

Prefs.js - browser.startup.homepage_override.buildID, 20110615151330

Prefs.js - browser.startup.homepage_override.mstone, rv:5.0

========================================

**** Internet Explorer Version [7.0.6002.18005] ****

HKCU_Main|Default_Page_URL - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

HKCU_Main|Default_Search_URL - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKCU_Main|Search bar - hxxp://go.microsoft.com/fwlink/?linkid=54896

HKCU_Main|Start Page - hxxp://fr.msn.com/

HKLM_Main|Default_Page_URL - hxxp://go.microsoft.com/fwlink/?LinkId=54896

HKLM_Main|Default_Search_URL - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKLM_Main|Search bar - hxxp://search.msn.com/spbasic.htm

HKLM_Main|Search Page - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKLM_Main|Start Page - hxxp://fr.msn.com/