Whitesmoke toolbar? Total novice, love some help.

[allsuprussell]

I believe this is the one

All processes killed

========== OTL ==========

Use Chrome's Settings page to remove the default_search_provider items.

Use Chrome's Settings page to remove the default_search_provider items.

========== COMMANDS ==========

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Public

User: Russell Allsup

->Java cache emptied: 713347 bytes

Total Java Files Cleaned = 1.00 mb

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 56466 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Public

User: Russell Allsup

->Temp folder emptied: 4725881508 bytes

->Temporary Internet Files folder emptied: 47066271 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 386444678 bytes

->Google Chrome cache emptied: 344954729 bytes

->Flash cache emptied: 161843 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 532085769 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67822 bytes

RecycleBin emptied: 3103773312 bytes

Total Files Cleaned = 8,717.00 mb

[EMPTYFLASH]

User: All Users

User: Default

->Flash cache emptied: 0 bytes

[MrCharlie]

OK...please do this:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

[allsuprussell]

Okay, here it is ( sorry to say conduit is still the url, dont know why..)

ComboFix 13-04-29.01 - Russell Allsup 30/04/2013 18:55:01.1.2 - x64

Running from: c:\users\Russell Allsup\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\_ctypes.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\_elementtree.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\_hashlib.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\_socket.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\_ssl.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\pyexpat.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\pysqlite2._sqlite.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\python27.dll

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\pythoncom27.dll

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\PyWinTypes27.dll

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\select.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\unicodedata.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\win32api.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\win32com.shell.shell.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\win32crypt.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\win32event.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\win32file.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\win32inet.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\win32pdh.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\win32process.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\win32profile.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\win32security.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\win32ts.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\windows._cacheinvalidation.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\wx._controls_.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\wx._core_.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\wx._gdi_.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\wx._html2.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\wx._misc_.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\wx._windows_.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\wx._wizard.pyd

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\wxbase294u_net_vc90.dll

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\wxbase294u_vc90.dll

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\wxmsw294u_adv_vc90.dll

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\wxmsw294u_core_vc90.dll

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\wxmsw294u_html_vc90.dll

c:\users\RUSSEL~1\AppData\Local\Temp\_MEI38042\wxmsw294u_webview_vc90.dll

c:\users\Russell Allsup\AppData\Local\assembly\tmp

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\_ctypes.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\_elementtree.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\_hashlib.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\_socket.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\_ssl.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\pyexpat.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\pysqlite2._sqlite.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\python27.dll

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\pythoncom27.dll

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\PyWinTypes27.dll

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\select.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\unicodedata.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\win32api.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\win32com.shell.shell.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\win32crypt.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\win32event.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\win32file.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\win32inet.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\win32pdh.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\win32process.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\win32profile.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\win32security.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\win32ts.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\windows._cacheinvalidation.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\wx._controls_.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\wx._core_.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\wx._gdi_.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\wx._html2.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\wx._misc_.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\wx._windows_.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\wx._wizard.pyd

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\wxbase294u_net_vc90.dll

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\wxbase294u_vc90.dll

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\wxmsw294u_adv_vc90.dll

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\wxmsw294u_core_vc90.dll

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\wxmsw294u_html_vc90.dll

c:\users\Russell Allsup\AppData\Local\Temp\_MEI38042\wxmsw294u_webview_vc90.dll

c:\users\Russell Allsup\DLL32.DLL

c:\windows\SysWow64\lsprst7.dll

.

.

((((((((((((((((((((((((( Files Created from 2013-04-01 to 2013-05-01 )))))))))))))))))))))))))))))))

.

.

2013-05-01 01:59 . 2013-05-01 01:59 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-04-30 20:06 . 2013-04-30 20:06 -------- d-----w- C:\_OTL

2013-04-30 19:12 . 2013-04-10 03:46 9317456 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F93B3D93-8503-4463-91D5-C20E5A0651DD}\mpengine.dll

2013-04-30 01:45 . 2013-04-30 01:45 -------- d-----w- c:\windows\ERUNT

2013-04-30 01:11 . 2013-04-30 01:44 -------- d-----w- C:\JRT

2013-04-25 04:35 . 2013-04-12 14:45 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys

2013-04-16 07:31 . 2013-04-16 07:31 -------- d-----w- c:\program files\Microsoft Mouse and Keyboard Center

2013-04-09 21:43 . 2013-02-15 06:06 3717632 ----a-w- c:\windows\system32\mstscax.dll

2013-04-09 21:43 . 2013-02-15 04:37 3217408 ----a-w- c:\windows\SysWow64\mstscax.dll

2013-04-09 21:43 . 2013-02-15 06:08 44032 ----a-w- c:\windows\system32\tsgqec.dll

2013-04-09 21:43 . 2013-02-15 06:02 158720 ----a-w- c:\windows\system32\aaclient.dll

2013-04-09 21:43 . 2013-02-15 04:34 131584 ----a-w- c:\windows\SysWow64\aaclient.dll

2013-04-09 21:43 . 2013-02-15 03:25 36864 ----a-w- c:\windows\SysWow64\tsgqec.dll

2013-04-09 21:43 . 2013-03-01 03:36 3153408 ----a-w- c:\windows\system32\win32k.sys

2013-04-09 21:42 . 2013-01-24 06:01 223752 ----a-w- c:\windows\system32\drivers\fvevol.sys

2013-04-09 21:42 . 2013-03-19 06:04 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-04-09 21:42 . 2013-03-19 05:04 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2013-04-09 21:42 . 2013-03-19 05:04 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2013-04-09 21:42 . 2013-03-19 05:46 43520 ----a-w- c:\windows\system32\csrsrv.dll

2013-04-09 21:42 . 2013-03-19 04:47 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll

2013-04-09 21:42 . 2013-03-19 03:06 112640 ----a-w- c:\windows\system32\smss.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-04-10 09:07 . 2012-10-01 07:47 72702784 ----a-w- c:\windows\system32\MRT.exe

2013-03-13 07:58 . 2012-05-14 09:44 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-03-13 07:58 . 2012-05-14 09:44 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-03-12 08:10 . 2010-11-21 03:27 282744 ------w- c:\windows\system32\MpSigStub.exe

2013-02-19 06:53 . 2013-01-25 07:24 39768 ----a-w- c:\windows\system32\drivers\avgtpx64.sys

2013-02-12 05:45 . 2013-03-14 03:16 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2013-02-12 05:45 . 2013-03-14 03:16 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2013-02-12 05:45 . 2013-03-14 03:16 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll

2013-02-12 05:45 . 2013-03-14 03:16 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll

2013-02-12 04:48 . 2013-03-14 03:16 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll

2013-02-12 04:48 . 2013-03-14 03:16 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll

2013-02-12 04:12 . 2013-03-14 21:05 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GoogleDriveSync"="c:\program files (x86)\Google\Drive\googledrivesync.exe" [2013-03-07 19357112]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"SuiteTray"="c:\program files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [2011-09-20 341360]

"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"BackupManagerTray"="c:\program files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe" [2012-01-05 296984]

"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2012-03-23 1105488]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]

"ConnectionManager"="c:\program files (x86)\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe" [2012-08-14 152424]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

"PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2012-12-09 336992]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"IsMyWinLockerReboot"="msiexec.exe" [2010-11-21 73216]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-11-09 160944]

R3 EgisTec Ticket Service;EgisTec Ticket Service;c:\program files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe [2011-06-21 173424]

R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]

R3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2013-01-30 50800]

R3 Sage 50 Transaction Manager 2013 - CDN;Sage 50 Transaction Manager 2013 - CDN;c:\program files (x86)\Winsim\TransactionManager2013 - CDN\Sage_SA.TransactionManager.exe [2012-12-11 35696]

R3 Sage Simply Accounting Transaction Manager 2012 - CDN;Sage Simply Accounting Transaction Manager 2012 - CDN;c:\program files (x86)\Winsim\TransactionManager2012 - CDN\Sage_SA.TransactionManager.exe [2011-08-02 46408]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-09-21 1255736]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]

S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys [2013-02-19 39768]

S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [2012-05-14 22648]

S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [2012-05-14 20520]

S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [2012-05-14 62776]

S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe [2012-03-23 355920]

S2 ePowerSvc;ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2012-02-08 871296]

S2 GREGService;GREGService;c:\program files (x86)\Acer\Registration\GREGsvc.exe [2012-02-29 28264]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-11-30 13592]

S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe [2012-02-03 628448]

S2 Intel® ME Service;Intel® ME Service;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2012-02-07 128280]

S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [2012-02-07 161560]

S2 Live Updater Service;Live Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2012-02-07 255376]

S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]

S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [2012-01-05 256536]

S2 Simply Accounting Database Connection Manager;Sage 50 Database Connection Manager;c:\program files (x86)\Winsim\ConnectionManager\SimplyConnectionManager.exe [2012-08-14 22376]

S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-02-07 363800]

S2 ZAtheros Wlan Agent;ZAtheros Wlan Agent;c:\program files (x86)\Atheros\Ath_WlanAgent.exe [2012-01-18 72864]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-12-05 331264]

S3 RSBASTOR;Realtek PCIE CardReader Driver - BA;c:\windows\system32\DRIVERS\RtsBaStor.sys [2012-02-01 292968]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2012-03-16 685672]

S3 SmbDrv;SmbDrv;c:\windows\system32\DRIVERS\Smb_driver.sys [2012-02-14 22800]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-04-29 22:35 1642448 ----a-w- c:\program files (x86)\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-05-01 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-14 07:58]

.

2013-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-20 03:03]

.

2013-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-20 03:03]

.

2013-05-01 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job

- c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41]

.

2013-04-30 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job

- c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]

2013-03-07 23:31 776144 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]

2013-03-07 23:31 776144 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]

2013-03-07 23:31 776144 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]

2013-03-07 23:31 776144 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-04-22 170264]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-04-22 398616]

"Persistence"="c:\windows\system32\igfxpers.exe" [2012-04-22 439064]

"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-02-21 12452456]

"Power Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2012-02-08 1829768]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 112512]

.

------- Supplementary Scan -------

.

uStart Page = https://www.google.ca/

uLocal Page = c:\windows\system32\blank.htm

mDefault_Page_URL = hxxp://acer.msn.com

mStart Page = hxxp://www.google.com

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MICROS~4\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 64.59.144.93 64.59.150.139

FF - ProfilePath - c:\users\Russell Allsup\AppData\Roaming\Mozilla\Firefox\Profiles\d3p9l5pa.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxps://www.google.ca/

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKLM-Run-<NO NAME> - (no file)

Toolbar-Locked - (no file)

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\Launch Manager\LMutilps32.exe

c:\program files (x86)\CyberLink\MediaEspresso\DeviceDetector\DeviceDetector.exe

c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

.

**************************************************************************

.

Completion time: 2013-04-30 19:07:36 - machine was rebooted

ComboFix-quarantined-files.txt 2013-05-01 02:07

.

Pre-Run: 405,304,791,040 bytes free

Post-Run: 404,797,775,872 bytes free

.

- - End Of File - - DC8980940DF5EFEE9F6ECEF36BD7F44A

[MrCharlie]

Download and run AVAST Browser Cleanup...let it fix anything it finds:

http://techdows.com/...standalone.html

------------------------------------

If there's nothing found and no improvement:

Download, unzip and run (right click run as administrator) the attached Zoek.zip (Zoek.exe)

Click on Options and then Reset Chrome then Run Script

Let me know......MrC

[allsuprussell]

Wow, okay so i did AVAST and nothing seemed to work, but Zoek...well chrome didnt automatically go to the conduit url, it just went to a normal tab like homepage. However, Im also signed out from my google account, so im afraid if i log back on itll send me back to it, wondering if that may be a problem signing back in? In other words, this is the first time something has changed with the homepage and i don't want to screw it up.

Here is the log from zoek

Zoek.exe Version 4.0.0.2 Updated 23-04-2013

Tool run by Russell Allsup on 30/04/2013 at 19:54:53.37.

InstallShield* 6.1.7601 x64 WMI=failure

Running in: Normal Mode Internet Access Detected

==== Reset Google Chrome ======================

C:\users\Russell Allsup\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully

C:\users\Russell Allsup\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully

[MrCharlie]

Go ahead and try it.

MrC (be back in the am)

[allsuprussell]

Okay thanks for the help today

Just logged into my google account and regrettably, it did send me back to conduit the next time i loaded chrome up. So, i guess somehow this is tied to my google account or log-in.

See you in the am/

[MrCharlie]

OK, run Zoek.exe again and click Chrome Look this time, run it > post the log.

MrC

[allsuprussell]

Here ya go

Zoek.exe Version 4.0.0.2 Updated 23-04-2013

Tool run by Russell Allsup on 01/05/2013 at 10:06:45.01.

Microsoft Windows 7 Home Premium 6.1.7601 Service Pack 1 x64

Running in: Normal Mode Internet Access Detected

==== Chrome Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions

ndibdjnfmopecpmkdieinmbadjfpblof - C:\ProgramData\AVG Secure Search\ChromeExt\14.2.0.1\avg.crx[]

Google Docs - Russell Allsup - Default\Extensions\aohghmighlieiainnegkcijnfilokake

Google Drive - Russell Allsup - Default\Extensions\apdfllckaahabafndbhieahigkjlhalf

YouTube - Russell Allsup - Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo

Google Search - Russell Allsup - Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf

Gmail - Russell Allsup - Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia

Tapatalk Notifier - Russell Allsup - Default\Extensions\plfhcjljnfjpfcbjpgnflfofmahljkjj

[MrCharlie]

Download, unzip the attached fix.zip (fix.reg)

Now double click on it and allow it to merge into the registry.

Delete this folder:

C:\ProgramData\AVG Secure Search

Reboot and let me know.....MrC

[allsuprussell]

So I clicked continue and allowed it to merge into the registry, and then i searched in My program data for AVG but it came up with no results for a folder of that name, am i looking in the wrong place? Computer, ACER (C:), ProgramData? As well after I allowed it to merge, nothing else came up, is that normal?

[MrCharlie]

Yes that's all normal and it's possible the file isn't there.

Any difference?????? MrC

[allsuprussell]

sorry , still same homepage problems.

[MrCharlie]

I'm not out of ideas yet....

Open up Chrome > click the 3 bars in the upper right hand corner.

Go to Tools > Clear Browser Data

Put a check next to all of these:

1. Clear browsing history
   
2. Clear download history
   
3. Empty the cache
   

Click "Clear Browsing Data"

-------------------------------------

Carefully check for any odd extensions or plugins: (it's a good idea to disable them all and see if you're still redirected and then add each one back until you find the culprit)

Open up Chrome:

Type the following into the address box and hit Enter:

chrome:plugins

Do the same for:

chrome:extensions

Let me know.....MrC

[allsuprussell]

Disabled all plugins and extensions, nothing looked suspicious, nonetheless no dice, conduit home page lives on.

[MrCharlie]

Open up Chrome again > settings > On Startup > Open a specific page or set of pages

Click the Set Pages (in blue to the right)

See what's there

MrC

[allsuprussell]

wow, okay so it shows a box labeled startup pages, and for search it says "http://search.conduit.com/?ctid=CT3198785&SearchSource=48", and then under it it says add a new page, and then blank next to it.

[MrCharlie]

If you mouse over it, you should be able to delete it.

MrC

[allsuprussell]

Yup, and then just add google as the homepage? Will I have to reboot to make sure?

[MrCharlie]

Yes add www.google.com

https://www.google.com/

Just reload Chrome to see how it is.

MrC

[allsuprussell]

Just off the cuff it doesnt seem to go to the redirect anymore, it just starts at google. Think thats all it was?

[MrCharlie]

I guess we'll see...use it and let me know. MrC

[MrCharlie]

How are we doing???? MrC

[Maurice Naggar]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!