WhiteSmoke Toolbar - Infected

tigrr · September 10, 2012

I installed a piece of P2P software (like an idiot), and this was bundled in as part of it. It changed my start page, installed the toolbar, and now I get popups asking to pay for fake software. I have the DDS logs, as instructed from the FAQ.

Also, as a note, this is a Japanese copy of Windows 7, as I live in Japan. I hope that is OK.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421

Run by John at 9:59:48 on 2012-09-10

Microsoft Windows 7 Home Premium 6.1.7601.1.932.81.1041.18.8089.4522 [GMT 9:00]

.

AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\BUFFALO\clientmgrv\bin\BWH32S.exe

C:\Program Files\Intel\iCLS Client\HeciServer.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe

C:\Program Files (x86)\Norton Internet Security\Engine\19.0.0.128\ccSvcHst.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files (x86)\BUFFALO\WDTool\bwdbackground.exe

C:\Program Files (x86)\Norton Internet Security\Engine\19.0.0.128\ccSvcHst.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\JWord\Plugin2\jwdsrch_64.exe

C:\Windows\System32\igfxpers.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files (x86)\BUFFALO\WDTool\bwdnotification.exe

C:\Program Files (x86)\BUFFALO\clientmgrv\bin\cmvMain.exe

C:\Program Files (x86)\JWord\Plugin2\jwdsrch.exe

C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe

C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe

C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe

C:\Program Files (x86)\CyberLink\Shared files\brs.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Buffalo\RakUpdate\RakUpdate.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Program Files (x86)\World of Warcraft\Wow-64.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = https://isearch.avg.com/?cid={0485021A-4A4C-421F-936F-8E920319F440}&mid=2599b38fd74047d097bbc13194aa26c1-ad1491be2ce6c122f6b66faa90e70c2decf7d34c〈=en&ds=oo011&pr=sa&d=2012-08-08 19:16:48&v=12.1.0.21&sap=hp

uDefault_Page_URL = hxxp://www.unisearch.jp/

mDefault_Page_URL = hxxp://www.unisearch.jp/

mStart Page = hxxp://www.unisearch.jp/

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: MyUrlSearchHook Class: {2acecade-0bc7-4c6f-95cf-a221cc161b52} - C:\PROGRA~2\JWord\Plugin2\jwdsrch.dll

mWinlogon: Userinit=userinit.exe

BHO: Shopping Assistant Plugin: {1631550f-191d-4826-b069-d9439253d926} - C:\Program Files (x86)\PriceGong\2.6.4\PriceGongIE.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.0.0.128\coIEPlg.dll

BHO: JWord プラグイン拡張ヘルパー: {624ebd88-df97-4810-a282-26286b8bf95f} - C:\PROGRA~2\JWord\Plugin2\jwdpm.dll

BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\19.0.0.128\IPS\IPSBHO.DLL

BHO: JWord 検索バーヘルパー: {70879f23-6ed6-4461-ba7b-bc9f383fa84f} - C:\PROGRA~2\JWord\Plugin2\COMPON~1\JWDEXP~1\JWDEXP~2.DLL

BHO: JWord スピードダイアルヘルパー: {866816c6-95bb-4fdb-8485-6ff360152987} - C:\Program Files (x86)\JWord\Common\SpeedDial\SpeedDial.dll

BHO: Windows Live ID サインインヘルパー: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\19.0.0.128\coIEPlg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB: {AEF44653-C059-42CB-A5B7-41C640DA4A67} - No File

{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}

EB: JWord 検索バー: {113ea296-53f8-460b-bc77-1b9d28e9f0cf} - C:\PROGRA~2\JWord\Plugin2\COMPON~1\JWDEXP~1\JWDEXP~2.DLL

uRun: [steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent

mRun: [jwdsrch] C:\Program Files (x86)\JWord\Plugin2\jwdsrch.exe

mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

mRun: [uSB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"

mRun: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe"

mRun: [RemoteControl10] "C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe"

mRun: [bDRegion] C:\Program Files (x86)\Cyberlink\Shared files\brs.exe

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

StartupFolder: C:\Users\John\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\らくら~1.LNK - C:\Program Files (x86)\Buffalo\RakUpdate\RakUpdate.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AIRSTA~1.LNK - C:\Program Files (x86)\BUFFALO\WDTool\bwdnotification.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\クライ~1.LNK - C:\Program Files (x86)\BUFFALO\clientmgrv\bin\cmvMain.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: JWord でサイト検索 - C:\Program Files (x86)\JWord\Plugin2\jwdsrch.dll/300

IE: {06926B30-424E-4f1c-8EE3-543CD96573DF} - C:\Program Files (x86)\Kingsoft\Kssetup\starthome.exe

IE: {34D67ED2-C837-4627-838C-2264E347D291} - http://www.jword.jp/intro/?partner=AP&type=lk&frm=iebutton&pver=2

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {978DB49B-35F4-411D-B7D2-88858A359B66} - {978DB49B-35F4-411D-B7D2-88858A359B66} - C:\PROGRA~2\JWord\Plugin2\COMPON~1\JWDEXP~1\JWDEXP~2.DLL

IE: {B8FA14E5-8AE7-452C-AA3B-23C32388CDA0} - {B8FA14E5-8AE7-452C-AA3B-23C32388CDA0} - C:\PROGRA~2\JWord\Plugin2\JwdPH.dll

TCP: DhcpNameServer = 192.168.11.1

TCP: Interfaces\{0511829E-B6D9-4479-A9A1-C786BC9C58FC} : DhcpNameServer = 192.168.11.1

TCP: Interfaces\{5F1953FC-CD71-4D9B-8892-27C840806B28} : DhcpNameServer = 192.168.11.1

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

{1631550F-191D-4826-B069-D9439253D926}

{18DF081C-E8AD-4283-A596-FA578C2EBDC3}

{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}

{624EBD88-DF97-4810-A282-26286B8BF95F}

{6D53EC84-6AAE-4787-AEEE-F4628F01010C}

{70879F23-6ED6-4461-BA7B-BC9F383FA84F}

{866816C6-95BB-4FDB-8485-6FF360152987}

{9030D464-4C02-4ABF-8ECC-5164760863C6}

{AA58ED58-01DD-4d91-8333-CF10577473F7}

{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}

{2318C2B1-4965-11d4-9B18-009027A5CD4F}

TB-X64: {AEF44653-C059-42CB-A5B7-41C640DA4A67} - No File

EB-X64: {113EA296-53F8-460B-BC77-1B9D28E9F0CF} - No File

mRun-x64: [jwdsrch] C:\Program Files (x86)\JWord\Plugin2\jwdsrch.exe

mRun-x64: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

mRun-x64: [uSB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"

mRun-x64: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe"

mRun-x64: [RemoteControl10] "C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe"

mRun-x64: [bDRegion] C:\Program Files (x86)\Cyberlink\Shared files\brs.exe

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

IE-X64: {06926B30-424E-4f1c-8EE3-543CD96573DF} - C:\Program Files (x86)\Kingsoft\Kssetup\starthome.exe

IE-X64: {34D67ED2-C837-4627-838C-2264E347D291} - http://www.jword.jp/intro/?partner=AP&type=lk&frm=iebutton&pver=2

IE-X64: {06926B30-424E-4f1c-8EE3-543CD96573DF} - C:\Program Files (x86)\Kingsoft\Kssetup\starthome.exe

.

============= SERVICES / DRIVERS ===============

.

R0 iusb3hcs;インテル® USB 3.0 ホスト・コントローラー・スイッチ・ドライバー;C:\Windows\system32\DRIVERS\iusb3hcs.sys --> C:\Windows\system32\DRIVERS\iusb3hcs.sys [?]

R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1300000.080\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1300000.080\SYMDS64.SYS [?]

R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1300000.080\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1300000.080\SYMEFA64.SYS [?]

R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\BASHDefs\20110519.002\BHDrvx64.sys [2012-5-23 1143416]

R1 ccSet_NIS;Norton Internet Security Settings Manager;C:\Windows\system32\drivers\NISx64\1300000.080\ccSetx64.sys --> C:\Windows\system32\drivers\NISx64\1300000.080\ccSetx64.sys [?]

R1 EncryptedDisk;EncryptedDisk;C:\ProgramData\Kingsoft\klive\bin\encrypteddisk-x64.sys [2012-2-20 125544]

R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\IPSDefs\20110519.031\IDSviA64.sys [2012-5-23 488056]

R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NISx64\1300000.080\Ironx64.SYS --> C:\Windows\system32\drivers\NISx64\1300000.080\Ironx64.SYS [?]

R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\drivers\NISx64\1300000.080\SYMNETS.SYS --> C:\Windows\system32\drivers\NISx64\1300000.080\SYMNETS.SYS [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 BWH32S;BWH32S;C:\Program Files (x86)\BUFFALO\clientmgrv\bin\BWH32S.exe [2012-8-6 126328]

R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-5-23 13592]

R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2011-12-8 607456]

R2 Intel® ME Service;Intel® ME Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2012-5-23 128280]

R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2012-5-23 161560]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-10 655944]

R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\19.0.0.128\ccSvcHst.exe [2012-5-23 138760]

R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-5-23 1262400]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-5-15 382272]

R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-5-23 363800]

R2 WirelessDiagnosis;Wireless Diagnosis;C:\Program Files (x86)\BUFFALO\WDTool\bwdbackground.exe [2012-8-6 230776]

R3 IntcDAud;インテル® ディスプレイ用オーディオ;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]

R3 iusb3hub;インテル® USB 3.0 ハブドライバー;C:\Windows\system32\DRIVERS\iusb3hub.sys --> C:\Windows\system32\DRIVERS\iusb3hub.sys [?]

R3 iusb3xhc;インテル® USB 3.0 eXtensible ホスト・コントローラー・ドライバー;C:\Windows\system32\DRIVERS\iusb3xhc.sys --> C:\Windows\system32\DRIVERS\iusb3xhc.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 MEIx64;Intel® Management Engine Interface ;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]

S2 CLKMSVC10_38F51D56;CyberLink Product - 2012/05/23 10:52:34;C:\Program Files (x86)\CyberLink\PowerDVD10\NavFilter\kmsvc.exe [2011-4-20 241648]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google アップデートサービス (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-8-6 136176]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-8-6 250056]

S3 Bufeap;BUFFALO EAP Driver;C:\Windows\system32\DRIVERS\bufeap64.sys --> C:\Windows\system32\DRIVERS\bufeap64.sys [?]

S3 cphs;Intel® Content Protection HECI Service;C:\Windows\SysWOW64\IntelCpHeciSvc.exe [2012-5-23 274200]

S3 gupdatem;Google Update サービス (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-8-6 136176]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]

S3 ucg450;BUFFALO WLI-UC-G450 Wireless LAN Driver;C:\Windows\system32\DRIVERS\ucg450x.sys --> C:\Windows\system32\DRIVERS\ucg450x.sys [?]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2012-09-09 17:43:48 -------- d-----w- C:\Users\John\AppData\Roaming\Malwarebytes

2012-09-09 17:43:46 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-09-09 17:43:46 -------- d-----w- C:\ProgramData\Malwarebytes

2012-09-09 17:43:46 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-09-09 17:18:28 -------- d-----w- C:\Users\John\AppData\Local\CRE

2012-09-09 17:18:11 -------- d-----w- C:\Program Files (x86)\StreamTorrent 1.0

2012-09-07 13:53:51 9310152 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{4ACD4758-B3EA-4C5C-B38E-09B3CC368C00}\mpengine.dll

2012-09-06 01:43:12 -------- d-----w- C:\Users\John\AppData\Roaming\StreamTorrent

2012-09-03 04:43:20 -------- d-----w- C:\Program Files (x86)\NCH Software

2012-09-03 04:43:17 -------- d-----w- C:\Users\John\AppData\Roaming\NCH Software

2012-09-02 03:02:04 -------- d-----w- C:\Program Files (x86)\StarCraft II

2012-08-30 10:34:57 -------- d-----w- C:\Program Files\Bonjour

2012-08-30 10:34:57 -------- d-----w- C:\Program Files (x86)\Bonjour

2012-08-30 04:04:17 -------- d-----w- C:\Users\John\AppData\Roaming\ApplicationManager

2012-08-16 14:59:57 -------- d-----w- C:\ProgramData\Battle.net

2012-08-15 08:28:47 503808 ----a-w- C:\Windows\System32\srcore.dll

2012-08-15 08:28:47 43008 ----a-w- C:\Windows\SysWow64\srclient.dll

2012-08-15 08:28:43 751104 ----a-w- C:\Windows\System32\win32spl.dll

2012-08-15 08:28:43 67072 ----a-w- C:\Windows\splwow64.exe

2012-08-15 08:28:43 559104 ----a-w- C:\Windows\System32\spoolsv.exe

2012-08-15 08:28:43 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll

2012-08-15 08:28:42 59392 ----a-w- C:\Windows\System32\browcli.dll

2012-08-15 08:28:42 41984 ----a-w- C:\Windows\SysWow64\browcli.dll

2012-08-15 08:28:42 3148800 ----a-w- C:\Windows\System32\win32k.sys

2012-08-15 08:28:42 136704 ----a-w- C:\Windows\System32\browser.dll

2012-08-15 08:28:41 956928 ----a-w- C:\Windows\System32\localspl.dll

.

==================== Find3M ====================

.

2012-08-15 01:01:00 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-08-15 01:01:00 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-06-29 03:56:34 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-06-29 03:49:11 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-06-29 03:48:07 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-06-29 03:43:49 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-06-29 03:39:48 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-06-29 00:16:58 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-06-29 00:09:01 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-06-29 00:08:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-06-29 00:04:43 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-06-29 00:00:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

.

============= FINISH: 10:00:05.45 ===============

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 8/6/2012 9:37:06 PM

System Uptime: 9/10/2012 9:22:24 AM (1 hours ago)

.

Motherboard: MouseComputer Co.,Ltd. | | Z77H2-A3

Processor: Intel® Core i7-3770K CPU @ 3.50GHz | SOCKET 0 | 3501/100mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 1863 GiB total, 1702.263 GiB free.

D: is CDROM ()

E: is Removable

F: is Removable

G: is Removable

H: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP37: 8/29/2012 4:10:04 AM - Windows Update

RP38: 8/30/2012 7:35:08 PM - Installed iTunes

RP39: 9/5/2012 12:17:44 PM - Windows Update

RP40: 9/10/2012 3:10:09 AM - OTL Restore Point - 9/10/2012 3:10:08 AM

.

==== Installed Programs ======================

.

Adobe Flash Player 11 ActiveX

Adobe Reader 9.1 - Japanese

Apple Application Support

Apple Software Update

ApplicationManager 2011.4.27.209

BUFFALO AirStation おたすけナビ

BUFFALO AirStation倍速設定ツールアンインストール

BUFFALO エアステーション設定ツール

BUFFALO クライアントマネージャ

BUFFALO パソコン環境表示ツール

Call of Duty: Modern Warfare 3

Call of Duty: Modern Warfare 3 - Multiplayer

Cities XL 2012

D3DX10

Google Chrome

Google Toolbar for Internet Explorer

Google Update Helper

Intel® Control Center

Intel® Manageability Engine Firmware Recovery Agent

Intel® Management Engine Components

Intel® OpenCL CPU Runtime

Intel® Processor Graphics

Intel® Rapid Storage Technology

Intel® USB 3.0 eXtensible Host Controller Driver

Junk Mail filter update

JWord プラグイン

KDrive

Kingsoft Office 2012 (8.1.0.3185)

Left 4 Dead 2

LG CyberLink Media Suite

LG CyberLink Power2Go

LG CyberLink PowerBackup

LG CyberLink PowerDVD 10

LG CyberLink PowerProducer

Magicka

Malwarebytes Anti-Malware version 1.62.0.1300

Mesh Runtime

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Might & Magic R Heroes R VI

Mirror's Edge

MSVCRT

MSVCRT_amd64

Nation Red

Norton Internet Security

NVIDIA PhysX

NVIDIA Stereoscopic 3D Driver

Orcs Must Die!

Plants vs. Zombies: Game of the Year

PriceGong 2.6.4

Realtek High Definition Audio Driver

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Sid Meier's Civilization V

StarCraft II

Steam

StreamTorrent 1.0

The Elder Scrolls V: Skyrim

Total War: SHOGUN 2

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

VideoPad Video Editor

Windows Live Communications Platform

Windows Live Essentials

Windows Live Installer

Windows Live Mail

Windows Live Mesh

Windows Live Messenger

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Windows Live フォトギャラリー

Windows Live メール

World of Warcraft

World of Warcraft Beta

リモート接続用の Windows Live Mesh ActiveX コントロール (日本語)

.

==== End Of File ===========================

Maniac · September 10, 2012

Hello tigrr and :welcome: ! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
Make sure you read all of the instructions and fixes thoroughly before continuing with them.
Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Step 1

Please uninstall the following applications:

PriceGong 2.6.4

StreamTorrent 1.0

Step 2

Please download AdwCleaner from here and save it on your Desktop.

Right-click on adwcleaner.exe and select Run As Administrator to launch the application.
Now click on the Search tab.
Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.

In your next reply, post the following log files:

AdwCleaner log
a new fresh DDS log

tigrr · September 10, 2012

I saw someone else had a similar problem, and was advised to DL and run ADWCleaner, search, and post the log. I did the same, here are the results. Theres a bunch of junk towards the bottom, under the Chrome/Preferences section, that show the searchnu.com and search.conduit.com pages that get loaded when I launch Chrome.

# AdwCleaner v2.001 - Logfile created 09/10/2012 at 20:21:35

# Updated 09/09/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : John - JOHN-PC

# Boot Mode : Normal

# Running from : C:\Users\John\Downloads\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

File Found : C:\Users\John\AppData\Local\Temp\Searchqu.ini

File Found : C:\Users\John\AppData\Local\Temp\searchqutoolbar-manifest.xml

File Found : C:\Users\John\AppData\Local\Temp\SetupDataMngr_Searchqu.exe

Folder Found : C:\Program Files (x86)\Ilivid

Folder Found : C:\Program Files (x86)\Searchqu Toolbar

Folder Found : C:\ProgramData\boost_interprocess

Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PriceGong

Folder Found : C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkcangbigakljkjeglcofaomihpejif

Folder Found : C:\Users\John\AppData\LocalLow\Conduit

Folder Found : C:\Users\John\AppData\LocalLow\Searchqutoolbar

***** [Registry] *****

Data Found : HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~2\SEARCH~1\Datamngr\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll

Key Found : HKCU\Software\AppDataLow\Software\Conduit

Key Found : HKCU\Software\AppDataLow\Software\PriceGong

Key Found : HKCU\Software\AppDataLow\Software\SmartBar

Key Found : HKCU\Software\Conduit

Key Found : HKCU\Software\DataMngr

Key Found : HKCU\Software\DataMngr_Toolbar

Key Found : HKCU\Software\Google\Chrome\Extensions\kfkcangbigakljkjeglcofaomihpejif

Key Found : HKCU\Software\ilivid

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}

Key Found : HKLM\SOFTWARE\Classes\AppID\{835315FC-1BF6-4CA9-80CD-F6C158D40692}

Key Found : HKLM\SOFTWARE\Classes\AppID\PriceGongIE.DLL

Key Found : HKLM\SOFTWARE\Classes\PriceFactorIE.PriceGongBHO

Key Found : HKLM\SOFTWARE\Classes\PriceFactorIE.PriceGongBHO.1

Key Found : HKLM\SOFTWARE\Classes\PriceGongIE.PriceGongCtrl

Key Found : HKLM\SOFTWARE\Classes\PriceGongIE.PriceGongCtrl.1

Key Found : HKLM\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard

Key Found : HKLM\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard.1

Key Found : HKLM\SOFTWARE\Classes\TypeLib\{5B4144E1-B61D-495A-9A50-CD1A95D86D15}

Key Found : HKLM\SOFTWARE\Classes\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}

Key Found : HKLM\SOFTWARE\Classes\TypeLib\{841D5A49-E48D-413C-9C28-EB3D9081D705}

Key Found : HKLM\SOFTWARE\Classes\TypeLib\{8B3372D0-09F0-41A5-8D9B-134E148672FB}

Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}

Key Found : HKLM\Software\Conduit

Key Found : HKLM\Software\DataMngr

Key Found : HKLM\Software\ilivid

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASAPI32

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASMANCS

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASAPI32

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASMANCS

Key Found : HKLM\Software\SearchquMediabarTb

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{1631550F-191D-4826-B069-D9439253D926}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{99079A25-328F-4BD4-BE04-00955ACAA0A7}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{9D717F81-9148-4F12-8568-69135F087DB0}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A40DC6C5-79D0-4CA8-A185-8FF989AF1115}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FEFD3AF5-A346-4451-AA23-A3AD54915515}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}

Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\bkomkajifikmkfnjgphkjcfeepbnojok

Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\kfkcangbigakljkjeglcofaomihpejif

Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99079A25-328F-4BD4-BE04-00955ACAA0A7}

Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}

Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1631550F-191D-4826-B069-D9439253D926}

Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079A25-328F-4BD4-BE04-00955ACAA0A7}

Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D717F81-9148-4F12-8568-69135F087DB0}

Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ilivid

Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PriceGong

Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Searchqu Toolbar

Key Found : HKLM\SOFTWARE\Classes\CLSID\{9D717F81-9148-4F12-8568-69135F087DB0}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4CA8-A185-8FF989AF1115}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{FEFD3AF5-A346-4451-AA23-A3AD54915515}

Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}

Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}

Key Found : HKLM\SOFTWARE\DataMngr

Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D717F81-9148-4F12-8568-69135F087DB0}

Key Found : HKU\S-1-5-21-809618916-2752423478-2162408894-1001\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}

Key Found : HKU\S-1-5-21-809618916-2752423478-2162408894-1001\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}

Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]

Value Found : HKCU\Software\Mozilla\Firefox\Extensions [{8a9386b4-e958-4c4c-adf4-8f26db3e4829}]

Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [DataMngr]

Value Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{99079A25-328F-4BD4-BE04-00955ACAA0A7}]

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Default_Page_URL] = hxxp://www.unisearch.jp/

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.unisearch.jp/

[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.searchnu.com/406

[HKCU\Software\Microsoft\Internet Explorer\Main - Default_Page_URL] = hxxp://www.unisearch.jp/

-\\ Google Chrome v [unable to get version]

File : C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found [l.8] : homepage = "hxxp://www.searchnu.com/406",

Found [l.12] : urls_to_restore_on_startup = [ "hxxp://www.searchnu.com/406", "hxxp://search.conduit.com/?ctid=CT3244149&SearchSource=48" ]

Found [l.43] : icon_url = "hxxp://search.conduit.com/fav.ico",

Found [l.46] : keyword = "search.conduit.com",

Found [l.49] : search_url = "hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&ctid=CT3244149",

Found [l.1343] : homepage = "hxxp://www.searchnu.com/406",

Found [l.1851] : urls_to_restore_on_startup = [ "hxxp://www.searchnu.com/406", "hxxp://search.conduit.com/?ctid=CT3244149&SearchSource=48" ]

*************************

AdwCleaner[R1].txt - [7998 octets] - [10/09/2012 20:21:35]

########## EOF - C:\AdwCleaner[R1].txt - [8058 octets] ##########

tigrr · September 10, 2012

Hello tigrr and ! My name is Maniac and I will be glad to help you solve your malware problem.
Please note:
If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
Make sure you read all of the instructions and fixes thoroughly before continuing with them.
Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
Step 1
Please uninstall the following applications:
PriceGong 2.6.4
StreamTorrent 1.0
Step 2
Please download AdwCleaner from here and save it on your Desktop.
Right-click on adwcleaner.exe and select Run As Administrator to launch the application.
Now click on the Search tab.
Please post the contents of the log-file created in your next post.
Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.
In your next reply, post the following log files:
AdwCleaner log
a new fresh DDS log

Oh hi, wow I mustve posted just at the same time that you did! Thanks for your help, I will proceed with your recommendations and then report back.

Maniac · September 10, 2012

Yes, please repeat my steps from the beginning and post a new fresh AdwCleaner log.

tigrr · September 10, 2012