
Author Topic: Need help with virus on laptop  (Read 5328 times)


tryagain

    Topic Starter


    Rookie

    Need help with virus on laptop
    « on: October 27, 2010, 12:57:22 PM »
    A few days ago, my sons started having trouble accessing the internet on their laptop. After checking connections, we began trying to run scans. Access to both the internet and the scans has been intermittent. Sometimes, when we've been able to briefly connect to the internet, we've still not been able to scan - it just loads perpetually and freezes up. The internet also perpetually loads when not able to connect.

    I'm posting the viruses found on an initial Avast boot-time scan. I'm also posting an SAS log that is a couple days old and before a Ccleaner scan, so it still shows cookies. Finally, there is an MBAM log from today, with one adware infection found. Java is up to date. We can't connect to the internet at this point to download HiJackThis. If you could tell me where to go and how to flashdrive it to the laptop, perhaps that would work.
    Thanks in advance for any help you can offer.


    Viruses found on Avast boot-time scan:
    File name                                                       Severity       Status
    C:\Users\Downloads\SetupPlaySushi(2).exe          Low             PUP: Win32:Gamevance-Y [PUP]  Moved to Chest

    C:\Users\Downloads\SetupPlaySushi.exe              Low             PUP: Win32:Gamevance-Y [PUP]  Moved to Chest



    SUPERAntiSpyware Scan Log
     
    Generated 10/25/2010 at 06:27 PM
     
    Application Version : 4.26.1006
     
    Core Rules Database Version : 5750
    Trace Rules Database Version: 3562
     
    Scan type       : Complete Scan
    Total Scan Time : 01:30:29
     
    Memory items scanned      : 743
    Memory threats detected   : 0
    Registry items scanned    : 6913
    Registry threats detected : 0
    File items scanned        : 48644
    File threats detected     : 7
     
    Adware.Tracking Cookie
     C:\Users\Gabe\AppData\Roaming\Microsoft\Windows\Cookies\Low\gabe@2o7[1].txt
     C:\Users\Gabe\AppData\Roaming\Microsoft\Windows\Cookies\Low\gabe@adbrite[2].txt
     C:\Users\Gabe\AppData\Roaming\Microsoft\Windows\Cookies\Low\gabe@doubleclick[1].txt
     C:\Users\Gabe\AppData\Roaming\Microsoft\Windows\Cookies\Low\gabe@imrworldwide[2].txt
     C:\Users\Gabe\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
     C:\Users\Gabe\AppData\Roaming\Microsoft\Windows\Cookies\Low\gabe@media6degrees[1].txt
     C:\Users\Gabe\AppData\Roaming\Microsoft\Windows\Cookies\Low\gabe@revsci[1].txt



    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 6.0.6001 Service Pack 1
    Internet Explorer 8.0.6001.18975

    10/27/2010 1:13:25 PM
    mbam-log-2010-10-27 (13-13-25).txt

    Scan type: Quick scan
    Objects scanned: 161426
    Time elapsed: 13 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)



    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Need help with virus on laptop
    « Reply #1 on: October 30, 2010, 12:26:44 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

    Sorry for being so late in getting to your thread. We're very busy.
    What browser are you using?


    **************************************
    Download Security Check by screen317 from one of the following links and save it to your desktop.

    Link 1
    Link 2

    * Unzip SecurityCheck.zip and a folder named Security Check should appear.
    * Open the Security Check folder and double-click Security Check.bat
    * Follow the on-screen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt
    * Post the contents of that document in your next reply.

    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
    ************************************
    Please download ComboFix from BleepingComputer.com

    Alternate link: GeeksToGo.com

    Rename ComboFix.exe to commy.exe before you save it to your Desktop
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
    Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
    When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

    If you have problems with ComboFix usage, see How to use ComboFix

    tryagain

      Topic Starter


      Rookie

      Re: Need help with virus on laptop
      « Reply #2 on: October 30, 2010, 10:11:46 PM »
      Hi SuperDave,

      No problem on the delay. I appreciate the time you guys put in to help us all with these messes! My sons are both using Firefox browser. We ran Security Check and Combo Fix and will post the logs below. Security Check ran without a hitch. Combo fix would save to the desktop, so I renamed it in Downloads and sent it to the desktop, where it showed up as a shortcut. Clicked on it there and never got a "Start" to click on and no search box to paste the command to. It just went straight into its process. Hope that is okay and we haven't inadvertently made things worse. Once the log came up, I also realized I forgot to disable Windows Defender.  ::)

      A couple other things to note: We can get internet on my sons accounts but not on admin. If we try to get internet on admin first, then my sons cannot get it on their accounts either unless the laptop is restarted. Also, on one internet connection yesterday, a Google search for something gave inappropriate responses. Though it hasn't happened since, it is another indication of something amiss.

      A side question - One of my sons accidentally downloaded ArcSoft a while back in connection with an MP3 player. We have found no way to remove it from the comp. Any ideas?

      Thanks so much for your time and attention!

      Here are the logs, starting with Security Check:

       Results of screen317's Security Check version 0.99.6 
       Windows Vista Service Pack 1 (UAC is enabled)
       Out of date service pack!!
       Internet Explorer 8 
      ``````````````````````````````
      Antivirus/Firewall Check:

       Windows Firewall Enabled! 
       avast! Free Antivirus   
       WMI entry may not exist for antivirus; attempting automatic update.
      ```````````````````````````````
      Anti-malware/Other Utilities Check:

       Malwarebytes' Anti-Malware   
       CCleaner     
       Java(TM) 6 Update 22 
       Adobe Flash Player 10.1.85.3 
       Mozilla Firefox (3.6.11) Firefox Out of Date! 
       Mozilla Thunderbird (2.0.0) Thunderbird Out of Date! 
      ````````````````````````````````
      Process Check: 
      objlist.exe by Laurent

       Norton ccSvcHst.exe
       Windows Defender MSASCui.exe
       Windows Defender MSASCui.exe   
       Alwil Software Avast5 AvastSvc.exe 
       Alwil Software Avast5 AvastUI.exe 
      ````````````````````````````````
      DNS Vulnerability Check:

       Unknown. This method cannot test your vulnerability to DNS cache poisoning. (Wireless connection?)

      ``````````End of Log````````````





      ComboFix 10-10-30.01 - Admin 10/30/2010  23:03:34.1.2 - x86
      Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.1977.809 [GMT -4:00]
      Running from: c:\users\John.JOHN-GABE\Downloads\commy.exe.exe
      SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
      SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      c:\users\John.JOHN-GABE\AppData\Roaming\.#
      c:\users\John.JOHN-GABE\AppData\Roaming\.#\MBX@1514@1D32990.###
      c:\users\John.JOHN-GABE\AppData\Roaming\.#\MBX@1514@1D329C0.###
      c:\users\John.JOHN-GABE\AppData\Roaming\.#\MBX@1514@1D329F0.###

      .
      (((((((((((((((((((((((((   Files Created from 2010-09-28 to 2010-10-31  )))))))))))))))))))))))))))))))
      .

      2010-10-31 03:16 . 2010-10-31 03:16   --------   d-----w-   c:\users\John & Gabe\AppData\Local\temp
      2010-10-31 03:16 . 2010-10-31 03:16   --------   d-----w-   c:\users\Default\AppData\Local\temp
      2010-10-31 03:15 . 2010-10-31 03:15   --------   d-----w-   c:\users\Guest\AppData\Local\temp
      2010-10-31 03:15 . 2010-10-31 03:15   --------   d-----w-   c:\users\Gabe\AppData\Local\temp
      2010-10-29 13:40 . 2010-10-07 23:21   6146896   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{4AA9B060-4A63-4092-9B8C-FD4AA2961631}\mpengine.dll
      2010-10-27 16:16 . 2010-10-27 16:16   28672   ----a-r-   c:\users\Admin\AppData\Roaming\Microsoft\Installer\{ECBC96EF-6D01-477C-94DC-E604DE55BD2F}\_C6A5AD55231E_431F_B374_D2859072C2BF.exe
      2010-10-27 15:57 . 2010-10-27 15:57   28672   ----a-r-   c:\users\John.JOHN-GABE\AppData\Roaming\Microsoft\Installer\{ECBC96EF-6D01-477C-94DC-E604DE55BD2F}\_C6A5AD55231E_431F_B374_D2859072C2BF.exe
      2010-10-24 22:48 . 2010-09-07 15:12   38848   ----a-w-   c:\windows\avastSS.scr
      2010-10-14 23:51 . 2010-09-10 16:35   168960   ----a-w-   c:\program files\Windows Media Player\wmplayer.exe
      2010-10-14 23:51 . 2010-09-10 16:37   8147456   ----a-w-   c:\windows\system32\wmploc.DLL
      2010-10-14 23:51 . 2010-09-06 16:24   125952   ----a-w-   c:\windows\system32\srvsvc.dll
      2010-10-14 23:51 . 2010-09-06 14:13   303616   ----a-w-   c:\windows\system32\drivers\srv.sys
      2010-10-14 23:51 . 2010-09-06 14:12   101888   ----a-w-   c:\windows\system32\drivers\srvnet.sys
      2010-10-14 23:51 . 2010-09-06 14:12   145408   ----a-w-   c:\windows\system32\drivers\srv2.sys
      2010-10-14 23:51 . 2010-09-06 16:23   17920   ----a-w-   c:\windows\system32\netevent.dll
      2010-10-14 23:49 . 2010-08-31 15:40   531968   ----a-w-   c:\windows\system32\comctl32.dll
      2010-10-11 13:37 . 2010-10-11 13:37   --------   d-----w-   c:\program files\Common Files\Java
      2010-10-11 13:37 . 2010-09-15 08:50   472808   ----a-w-   c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
      2010-10-11 13:37 . 2010-09-15 08:50   472808   ----a-w-   c:\windows\system32\deployJava1.dll

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2010-10-19 15:41 . 2009-10-02 20:05   222080   ------w-   c:\windows\system32\MpSigStub.exe
      2010-09-14 16:46 . 2010-09-14 16:46   28672   ----a-r-   c:\users\Gabe\AppData\Roaming\Microsoft\Installer\{ECBC96EF-6D01-477C-94DC-E604DE55BD2F}\_C6A5AD55231E_431F_B374_D2859072C2BF.exe
      2010-09-07 15:11 . 2009-01-22 04:00   167592   ----a-w-   c:\windows\system32\aswBoot.exe
      2010-09-07 14:52 . 2009-01-22 04:00   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
      2010-09-07 14:52 . 2009-01-22 04:00   165584   ----a-w-   c:\windows\system32\drivers\aswSP.sys
      2010-09-07 14:47 . 2009-01-22 04:00   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
      2010-09-07 14:47 . 2009-01-22 04:00   50768   ----a-w-   c:\windows\system32\drivers\aswMonFlt.sys
      2010-09-07 14:47 . 2009-01-22 04:00   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
      2010-08-17 13:32 . 2010-09-15 12:57   126464   ----a-w-   c:\windows\system32\spoolsv.exe
      2010-08-11 00:39 . 2009-11-01 01:42   119808   ----a-w-   c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
      "{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\tbDVDV.dll" [2010-04-27 2393184]

      [HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
      2008-08-26 17:32   279944   ----a-w-   c:\program files\AskBarDis\bar\bin\askBar.dll

      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
      2010-04-27 14:08   2393184   ----a-w-   c:\program files\DVDVideoSoftTB\tbDVDV.dll

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
      "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]
      "{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\tbDVDV.dll" [2010-04-27 2393184]

      [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
      [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

      [HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
      "{872B5B88-9DB5-4310-BDD0-AC189557E5F5}"= "c:\program files\DVDVideoSoftTB\tbDVDV.dll" [2010-04-27 2393184]
      "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

      [HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

      [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
      [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
      "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-06 68856]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
      "RtHDVCpl"="RtHDVCpl.exe" [2008-06-20 6244896]
      "BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-26 28672]
      "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
      "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
      "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 145944]
      "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-07-02 850440]
      "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-22 159744]
      "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-11 30192]
      "ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-07-24 147456]
      "CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-07-24 167936]
      "PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-07-18 167936]
      "Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
      "Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
      "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
      "Domino"="c:\windows\Domino.exe" [2006-08-18 49152]
      "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-13 198160]
      "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
      "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
      "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
      "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

      c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
      OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

      c:\users\John & Gabe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
      OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

      c:\users\John.JOHN-GABE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
      OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

      c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
      MediaImpression Downloader.lnk - c:\program files\ArcSoft\Software Suite\MediaImpression Downloader\MediaImpressionDownloader.exe [2010-3-30 204800]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
      "EnableUIADesktopToggle"= 0 (0x0)

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2008-12-22 19:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
      "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
      "aux"=wdmaud.drv

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
      @="Driver"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
      @="Service"

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
      "DisableMonitoring"=dword:00000001

      R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-09-29 136176]
      R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-26 131072]
      R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2007-01-30 451072]
      R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-11 30192]
      R3 mr97310c;CIF Dual-Mode Camera;c:\windows\system32\DRIVERS\mr97310c.sys [2008-03-27 116992]
      R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192su.sys [2010-07-08 541800]
      R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-06-23 7408]
      R3 vvftav211;vvftav211;c:\windows\system32\drivers\vvftav211.sys [2007-12-11 480128]
      R3 ZSMC30x;USB PC Camera Service ZSMC30x;c:\windows\system32\Drivers\ZS211.sys [2007-12-13 1472000]
      S1 aswSP;aswSP;

      S1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-01-13 72992]
      S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-06-23 9968]
      S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-06-23 72944]
      S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-07-18 61424]
      S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 21504]
      S2 aswFsBlk;aswFsBlk;

      S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
      S2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [2009-01-13 1078560]
      S2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
      S2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-17 81504]
      S2 NOF;Norton Online;c:\program files\Norton Online\Engine\2.0.0.71\ccSvcHst.exe [2010-05-23 126904]
      S2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-26 45056]
      S2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-17 122368]
      S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
      S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-05-31 93968]
      S3 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A};Symantec Redirector - Norton Safety Minder;c:\windows\System32\Drivers\NSM\0200000.030\SymRdr.SYS [2010-05-11 180912]


      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
      Akamai   REG_MULTI_SZ      Akamai
      .
      Contents of the 'Scheduled Tasks' folder

      2010-10-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-29 01:08]

      2010-10-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-29 01:08]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1008&m=aspire_4730z
      mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1008&m=aspire_4730z
      uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
      IE: Free YouTube to Mp3 Converter - c:\users\Admin\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
      IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
      LSP: c:\windows\system32\wpclsp.dll
      FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bkaikqlz.default\
      FF - component: c:\programdata\Norton\{78CA3BF0-9C3B-40e1-B46D-38C877EF059A}\NSM_2.0.0.42\coFFFw\components\coFFFw.dll
      FF - component: c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bkaikqlz.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}\components\FFExternalAlert.dll
      FF - component: c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bkaikqlz.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}\components\RadioWMPCore.dll
      FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
      FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
      FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
      FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
      FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
      FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
      FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

      ---- FIREFOX POLICIES ----
      FF - user.js: yahoo.homepage.dontask - true
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true);  // Traditional
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true);  // Simplified
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
      .
      - - - - ORPHANS REMOVED - - - -

      WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
      HKLM-Run-eRecoveryService - (no file)
      AddRemove-{9C049499-055C-4a0c-A916-1D8CA1FF45EB} - c:\program files\\InstallShield Installation Information\{9C049499-055C-4a0c-A916-1D8CA1FF45EB}\Install.exe



      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2010-10-30 23:18
      Windows 6.0.6001 Service Pack 1 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NOF]
      "ImagePath"="\"c:\program files\Norton Online\Engine\2.0.0.71\ccSvcHst.exe\" /s \"NOF\" /m \"c:\program files\Norton Online\Engine\2.0.0.71\diMaster.dll\" /prefetch:1"

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
      "ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
      @Denied: (A) (Users)
      @Denied: (A) (Everyone)
      @Allowed: (B 1 2 3 4 5) (S-1-5-20)
      "BlindDial"=dword:00000000
      "MSCurrentCountry"=dword:000000b5
      .
      Completion time: 2010-10-30  23:35:23
      ComboFix-quarantined-files.txt  2010-10-31 03:35

      Pre-Run: 4,290,056,192 bytes free
      Post-Run: 6,122,352,640 bytes free

      - - End Of File - - 4A9D43A8A460D5BEC80F9C2B04ACD928
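A triage helper for the "Reg Loading Points" section of the ComboFix log above, added here as an example; it is not part of this thread, of ComboFix, or of any tool the helper recommends. It parses Run values, Browser Helper Objects, Internet Explorer toolbar registrations and service lines into records, then flags the ones whose path matches a watch list. The watch list is a constructed assumption built from what the helper asks to be removed later in this thread (Ask, Viewpoint) plus the DVDVideoSoft toolbar that the same log registers as URLSearchHook, BHO and toolbar under one CLSID; the sample lines are constructed in the log's format.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; not part of ComboFix or of any tool the helper
recommended. Sample lines and watch list are constructed for the example from
the shapes seen in the posted log.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    kind: str    # "run", "bho", "toolbar", "service" or "other"
    name: str    # value name, BHO CLSID or service name
    path: str    # file path exactly as printed in the log
    source: str  # registry key or service start-type the line came from


# Constructed watch list (an assumption, not a vendor signature set): folder
# names of what the helper asked to be removed in this thread (Ask, Viewpoint)
# and the DVDVideoSoft toolbar registered three ways under one CLSID.
WATCHLIST = ("askbardis", "viewpoint", "dvdvideosofttb")

# Constructed sample in the ComboFix log format, modelled on the thread's log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-26 17:32   279944   ----a-w-   c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]
"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\tbDVDV.dll" [2010-04-27 2393184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"Domino"="c:\windows\Domino.exe" [2006-08-18 49152]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
"""

KEY_RE = re.compile(r"^\[(?P<key>hk[^\]]+)\]$", re.IGNORECASE)
# "name"="path" [date size]   (ComboFix prints a space after = for toolbars)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"(?P<path>[^"]*)"\s*\[\S+\s+\d+\]')
# date time size attributes path   (the file line that follows a BHO key)
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>\S.*)$")
# R2/S3 style service lines: state name;display;path [date size]
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);[^;]*;(?P<path>.*?) \[\S+ \d+\]$")


def classify_key(key: str) -> str:
    """Map a registry key to the kind of loading point it holds."""
    k = key.lower()
    if "browser helper objects" in k:
        return "bho"
    if "\\toolbar" in k:
        return "toolbar"
    if k.endswith("\\run"):
        return "run"
    return "other"


def parse_reg_loading_points(text: str) -> list[Entry]:
    """Turn the section into Entry records; lines that fit no pattern are skipped."""
    entries: list[Entry] = []
    key: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries.append(Entry("service", m.group("name"), m.group("path"), m.group("state")))
            continue
        if key is None:
            continue
        kind = classify_key(key)
        m = VALUE_RE.match(line)
        if m:
            entries.append(Entry(kind, m.group("name"), m.group("path"), key))
            continue
        m = FILE_RE.match(line)
        if m and kind == "bho":
            # the DLL a BHO loads is printed on the line after its key;
            # the CLSID is the key's last path component
            entries.append(Entry("bho", key.rsplit("\\", 1)[-1], m.group("path"), key))
    return entries


def flag_entries(entries: list[Entry], watchlist=WATCHLIST) -> list[Entry]:
    """Keep the entries whose path contains a watch-list folder name."""
    return [e for e in entries if any(tok in e.path.lower() for tok in watchlist)]


def report(text: str, watchlist=WATCHLIST) -> str:
    """One-line summary followed by the flagged entries, for pasting in a reply."""
    entries = parse_reg_loading_points(text)
    flagged = flag_entries(entries, watchlist)
    lines = [f"{len(entries)} loading points parsed, {len(flagged)} flagged for review"]
    lines += [f"  [{e.kind}] {e.name} -> {e.path}" for e in flagged]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the sample it parses seven loading points and flags four: the Ask BHO and toolbar, the DVDVideoSoft toolbar and the Viewpoint service, while the Defender, avast and other Run values pass through untouched. Paste the real "Reg Loading Points" section in place of SAMPLE_LOG to get the same summary for a posted log; anything the watch list misses still has to be read by hand, which is what the helper does in this thread.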

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: Need help with virus on laptop
      « Reply #3 on: October 31, 2010, 03:51:05 PM »
      I strongly recommend that you remove Ask from your computer because it:

      •Promotes its toolbars on sites targeted to kids.

      •Promotes its toolbars through ads that appear to be part of other companies' sites.

      •Promotes its toolbars through other companies' spyware.

      •Installs without any disclosure whatsoever and without any consent whatsoever.

      •Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.

      •Makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

      See Here for more info.

      If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

      AskBarDis or anything related to Ask

      Then please find and delete this folder in bold (if present):
      C:\Program Files\AskBarDis. or anything related to Ask.
      *****************************************************
      You have Viewpoint installed.

      Viewpoint Media Player/Manager/Toolbar is considered Foistware instead of malware since it is installed without users' approval but doesn't spy or do anything "bad".

      More information:

      * ViewMgr.exe - Useless
      * Viewpoint to Plunge Into Adware

      It is suggested to remove the program now. Go to Start > Control Panel > Add/Remove Programs - (Vista & Win7 is Programs and Features) and remove the following programs if present.

      * Viewpoint
      * Viewpoint Manager
      * Viewpoint Media Player
      * Viewpoint Toolbar
      * Viewpoint Experience Technology

      ***********************************
      SysProt Antirootkit

      Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

      http://sites.google.com/site/sysprotantirootkit/

      Unzip it into a folder on your desktop.
      • Double click Sysprot.exe to start the program.
      • Click on the Log tab.
      • In the Write to log box select the following items.
        • Process << Selected
        • Kernel Modules << Selected
        • SSDT << Selected
        • Kernel Hooks << Selected
        • IRP Hooks << NOT Selected
        • Ports << NOT Selected
        • Hidden Files << Selected
      • At the bottom of the page
        • Hidden Objects Only << Selected
      • Click on the Create Log button on the bottom right.
      • After a few seconds a new window should appear.
      • Select Scan Root Drive. Click on the Start button.
      • When it is complete a new window will appear to indicate that the scan is finished.
      • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

      Windows 8 and Windows 10 dual boot with two SSD's

      tryagain

        Topic Starter


        Rookie

        Re: Need help with virus on laptop
        « Reply #4 on: October 31, 2010, 06:18:47 PM »
        Thanks for the heads up on Ask. Didn't know it was there and did remove it, though we didn't find AskBarDis in the program files. Also removed Viewpoint. Ran SysProt. Posting the log below. Still can't get internet on the admin account and if you try there first, then you can't get it on the other accounts either without a restart. Thanks again for your continued help!



        SysProt AntiRootkit v1.0.1.0
        by swatkat

        ******************************************************************************************
        ******************************************************************************************

        No Hidden Processes found

        ******************************************************************************************
        ******************************************************************************************
        No Hidden Kernel Modules found

        ******************************************************************************************
        ******************************************************************************************
        No SSDT Hooks found

        ******************************************************************************************
        ******************************************************************************************
        Ports:
        Local Address: JOHN-GABE.STNY.RR.COM:49260
        Remote Address: FAMILY-D5006C60:EPMAP
        Type: TCP
        Process: 1952 (PID)
        State: SYN_SENT

        Local Address: JOHN-GABE.STNY.RR.COM:49254
        Remote Address: DAD:NETBIOS-SSN
        Type: TCP
        Process: 0 (PID)
        State: TIME_WAIT

        Local Address: JOHN-GABE.STNY.RR.COM:49172
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 1564 (PID)
        State: LISTENING

        Local Address: JOHN-GABE.STNY.RR.COM:49168
        Remote Address: A96-17-157-44.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTPS
        Type: TCP
        Process: 1564 (PID)
        State: ESTABLISHED

        Local Address: JOHN-GABE.STNY.RR.COM:NETBIOS-SSN
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 4 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:49251
        Remote Address: LOCALHOST:49253
        Type: TCP
        Process: 0 (PID)
        State: TIME_WAIT

        Local Address: JOHN-GABE:49244
        Remote Address: LOCALHOST:49242
        Type: TCP
        Process: 0 (PID)
        State: TIME_WAIT

        Local Address: JOHN-GABE:12995
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 1660 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:12993
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 1660 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:12563
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 1660 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:12465
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 1660 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:12143
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 1660 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:12119
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 1660 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:12110
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 1660 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:12080
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 1660 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:12025
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 1660 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:9423
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 1564 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:9422
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 1564 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:9421
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 1564 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:4664
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 3812 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:2372
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 1636 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:49208
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 660 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:49156
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 672 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:49155
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 1952 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:49154
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 1176 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:49153
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 1084 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:49152
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 616 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:10243
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 4 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:10000
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 1704 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:8384
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 2148 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:5357
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 4 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:5151
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 2192 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:ICSLAP
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 4 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:RTSP
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 3788 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:MICROSOFT-DS
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 4 (PID)
        State: LISTENING

        Local Address: JOHN-GABE:EPMAP
        Remote Address: 0.0.0.0:0
        Type: TCP
        Process: 948 (PID)
        State: LISTENING

        Local Address: JOHN-GABE.STNY.RR.COM:54811
        Remote Address: NA
        Type: UDP
        Process: 1356 (PID)
        State: NA

        Local Address: JOHN-GABE.STNY.RR.COM:49526
        Remote Address: NA
        Type: UDP
        Process: 1564 (PID)
        State: NA

        Local Address: JOHN-GABE.STNY.RR.COM:49525
        Remote Address: NA
        Type: UDP
        Process: 1564 (PID)
        State: NA

        Local Address: JOHN-GABE.STNY.RR.COM:SSDP
        Remote Address: NA
        Type: UDP
        Process: 1356 (PID)
        State: NA

        Local Address: JOHN-GABE.STNY.RR.COM:138
        Remote Address: NA
        Type: UDP
        Process: 4 (PID)
        State: NA

        Local Address: JOHN-GABE.STNY.RR.COM:NETBIOS-NS
        Remote Address: NA
        Type: UDP
        Process: 4 (PID)
        State: NA

        Local Address: JOHN-GABE:57939
        Remote Address: NA
        Type: UDP
        Process: 1176 (PID)
        State: NA

        Local Address: JOHN-GABE:54812
        Remote Address: NA
        Type: UDP
        Process: 1356 (PID)
        State: NA

        Local Address: JOHN-GABE:52343
        Remote Address: NA
        Type: UDP
        Process: 1564 (PID)
        State: NA

        Local Address: JOHN-GABE:52342
        Remote Address: NA
        Type: UDP
        Process: 1564 (PID)
        State: NA

        Local Address: JOHN-GABE:49524
        Remote Address: NA
        Type: UDP
        Process: 1564 (PID)
        State: NA

        Local Address: JOHN-GABE:SSDP
        Remote Address: NA
        Type: UDP
        Process: 1356 (PID)
        State: NA

        Local Address: JOHN-GABE:50761
        Remote Address: NA
        Type: UDP
        Process: 1356 (PID)
        State: NA

        Local Address: JOHN-GABE:10001
        Remote Address: NA
        Type: UDP
        Process: 1704 (PID)
        State: NA

        Local Address: JOHN-GABE:LLMNR
        Remote Address: NA
        Type: UDP
        Process: 1524 (PID)
        State: NA

        Local Address: JOHN-GABE:5005
        Remote Address: NA
        Type: UDP
        Process: 3788 (PID)
        State: NA

        Local Address: JOHN-GABE:5004
        Remote Address: NA
        Type: UDP
        Process: 3788 (PID)
        State: NA

        Local Address: JOHN-GABE:IPSEC-MSFT
        Remote Address: NA
        Type: UDP
        Process: 1176 (PID)
        State: NA

        Local Address: JOHN-GABE:UPNP-DISCOVERY
        Remote Address: NA
        Type: UDP
        Process: 1356 (PID)
        State: NA

        Local Address: JOHN-GABE:UPNP-DISCOVERY
        Remote Address: NA
        Type: UDP
        Process: 1356 (PID)
        State: NA

        Local Address: JOHN-GABE:500
        Remote Address: NA
        Type: UDP
        Process: 1176 (PID)
        State: NA

        Local Address: JOHN-GABE:123
        Remote Address: NA
        Type: UDP
        Process: 1356 (PID)
        State: NA

        ******************************************************************************************
        ******************************************************************************************
        No hidden files/folders found
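
        A short Python helper, added here as an illustration and not part of tryagain's post or of SysProt itself, that turns a SysProt "Ports:" listing like the one above into a per-PID summary: which local ports each process has bound, and which remote endpoints it has live or pending connections to. That is the view a helper actually wants from such a log, since the raw listing groups by socket rather than by process. The records in SAMPLE_LOG are constructed in the same format as the log above; the mapping from PID to program name is not in the log and would have to come from tasklist on the machine.

```python
"""Summarise a SysProt AntiRootkit 'Ports:' listing by process ID."""
import re
from collections import defaultdict

# Constructed sample in the record format SysProt writes (modelled on the post above).
SAMPLE_LOG = """\
Ports:
Local Address: JOHN-GABE.STNY.RR.COM:49260
Remote Address: FAMILY-D5006C60:EPMAP
Type: TCP
Process: 1952 (PID)
State: SYN_SENT

Local Address: JOHN-GABE.STNY.RR.COM:49168
Remote Address: A96-17-157-44.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTPS
Type: TCP
Process: 1564 (PID)
State: ESTABLISHED

Local Address: JOHN-GABE:9423
Remote Address: 0.0.0.0:0
Type: TCP
Process: 1564 (PID)
State: LISTENING

Local Address: JOHN-GABE:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: 948 (PID)
State: LISTENING

Local Address: JOHN-GABE:123
Remote Address: NA
Type: UDP
Process: 1356 (PID)
State: NA

Local Address: JOHN-GABE:49251
Remote Address: LOCALHOST:49253
Type: TCP
Process: 0 (PID)
State: TIME_WAIT
"""

FIELD_RE = re.compile(r"^(Local Address|Remote Address|Type|Process|State):\s*(.*)$")


def parse_ports(text):
    """Return one dict per blank-line-separated record; header/banner lines are skipped."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # 'Ports:' header or asterisk banner
        key, value = m.groups()
        if key == "Process":
            value = int(value.split()[0])  # "1952 (PID)" -> 1952
        current[key] = value
    if current:
        records.append(current)
    return records


def summarize(records):
    """Group records by PID.

    'listening' collects bound local ports (TCP LISTENING plus UDP, which is stateless);
    'remote' collects (remote endpoint, state) for ESTABLISHED / SYN_SENT connections.
    TIME_WAIT sockets (owned by PID 0, already closed) are ignored.
    """
    summary = defaultdict(lambda: {"listening": [], "remote": []})
    for r in records:
        if "Process" not in r:
            continue
        pid = r["Process"]
        local_port = r.get("Local Address", "").rsplit(":", 1)[-1]
        state = r.get("State", "NA")
        if r.get("Type") == "UDP" or state == "LISTENING":
            summary[pid]["listening"].append(local_port)
        elif state in ("ESTABLISHED", "SYN_SENT"):
            summary[pid]["remote"].append((r.get("Remote Address", ""), state))
    return dict(summary)


if __name__ == "__main__":
    for pid, info in sorted(summarize(parse_ports(SAMPLE_LOG)).items()):
        print(pid, "listening:", info["listening"], "remote:", info["remote"])
```

        Run it against a saved SysProt log by passing the file contents to parse_ports; a PID with an unexpected outbound connection or an unfamiliar listening port is then the thing to look up with tasklist.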


        SuperDave

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Need help with virus on laptop
        « Reply #5 on: October 31, 2010, 06:36:48 PM »
        Ok. Let's run this scan, and then sign into your Adm account and run the second test.

        I'd like to scan your machine with ESET OnlineScan

        •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
        ESET OnlineScan
        •Click the button.
        •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
        • Click on to download the ESET Smart Installer. Save it to your desktop.
        • Double click on the icon on your desktop.
        •Check
        •Click the button.
        •Accept any security warnings from your browser.
        •Check
        •Push the Start button.
        •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
        •When the scan completes, push
        •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
        •Push the button.
        •Push
        A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

        *********************************
        Using the Adm account run this please.

        Please run Notepad (start > All Programs > Accessories >
        Notepad) and copy and paste the text in the code box into a new file:

        Code:
        @echo off
        rem Collect basic network diagnostics into Log1.txt (everything inside the
        rem parentheses is redirected to that file).
        >Log1.txt (
        ipconfig /all
        nslookup google.com
        nslookup yahoo.com
        ping -n 2 google.com
        ping -n 2 yahoo.com
        route print
        )
        rem Open the log in the default text editor, then delete this batch file.
        start Log1.txt
        del %0

        •Go to the File menu at the top of the Notepad and select Save as.

        •Select save in: desktop

        •Fill in File name: test.bat

        •Save as type: All file types (*.*)

        •Click save.

        •Close the Notepad.

        •Locate and double-click test.bat on the desktop.

        •A Notepad window opens; copy and paste its content (Log1.txt) into your reply.

        tryagain

          Topic Starter


          Rookie

          Re: Need help with virus on laptop
          « Reply #6 on: October 31, 2010, 06:50:04 PM »
          Need to add to the last post. I noticed after posting that only Port information was listed. This was accidentally checked instead of Kernel Hooks. The error was made because we had to run it more than once and misclicked along the way. Even though we ran it on two accounts with admin privileges, each time it would cite a failure because we needed admin privileges and the log would be empty except for the headers. When the ports listing showed up I thought we had a successful log, and maybe we do since something showed up, but I'm not sure. Here's the log, empty except for headers, run with the proper boxes checked but also flagged ahead of time by the failure due to lack of admin access:

          SysProt AntiRootkit v1.0.1.0
          by swatkat

          ******************************************************************************************
          ******************************************************************************************

          No Hidden Processes found

          ******************************************************************************************
          ******************************************************************************************
          No Hidden Kernel Modules found

          ******************************************************************************************
          ******************************************************************************************
          No SSDT Hooks found

          ******************************************************************************************
          ******************************************************************************************
          No Kernel Hooks found

          ******************************************************************************************
          ******************************************************************************************
          No hidden files/folders found


          tryagain

            Topic Starter


            Rookie

            Re: Need help with virus on laptop
            « Reply #7 on: October 31, 2010, 06:54:19 PM »
            SuperDave,

            I must have been typing the follow-up post while you were posting your response. Having read my additional post, do you still want me to go ahead with your most recent directions?

            SuperDave

            Re: Need help with virus on laptop
            « Reply #8 on: November 01, 2010, 12:28:24 PM »
            SuperDave,

            I must have been typing the follow-up post while you were posting your response. Having read my additional post, do you still want me to go ahead with your most recent directions?
            Yes. Please go ahead with the other instructions.

            lindaprince

            • Guest
            Re: Need help with virus on laptop
            « Reply #9 on: November 02, 2010, 03:14:33 AM »
            Your comment has been removed. Please do not post malware advice, or post here in the malware forum, unless you need help.
            « Last Edit: November 02, 2010, 12:06:37 PM by SuperDave »