My daughter's laptop ( Toshiba A100, Vista SP2) has a nasty bit of malware - to get Malwarebytes & File assassin on it I had to load them off of an SD card - same with HJT as any attempt to download them off the internet was deflected or blocked.
The virus scanner ( BitDefender) I loaded today ( previously had trend micro ) which loaded but will not update. The Scan did give a couple of temp files that were removed with FileAssassin ( running of the SD card) but I can't do that trick with Malwarebytes.
Below is the HJT log. Could someone please suggest a solution or is it time to reformat the HD?

thanks for any / all help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:15 AM, on 19/11/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Windows\VM302Snap.exe
C:\Windows\Domino.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2010\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [BigDogPath] C:\Windows\VM302Snap.exe Vimicro USB PC Camera (ZC0302)
O4 - HKLM\..\Run: [Domino] C:\Windows\Domino.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2010\IEShow.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: McAfee Security Scan.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Blood%20Ties/Images/stg_drm.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/...NPUplden-ca.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Blood%20Ties/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photo...NPUplden-ca.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DD36CAD-AD1C-434F-87C9-523FB6C9579C}: NameServer = 85.255.112.19,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC2C95CB-0DCB-473E-A14E-0D669B9F73B9}: NameServer = 85.255.112.19,85.255.112.120
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.19,85.255.112.120
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: NameServer = 85.255.112.19,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.19,85.255.112.120
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
O23 - Service: Windows MSI - Unknown owner - \\?\globalrootC:\Windows\system32\msihost.exe (file missing)

--
End of file - 12107 bytes

Hello Thad and welcome to the forums here at MalwareBytes.

Yes, she definitely picked up some pretty nasty stuff. We can probably clean this but I need to give you a "heads up" on the risks this infection brings.

Identity Theft

It looks like you have been infected by one or more Backdoor Trojans.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

Its very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we cannot guarantee that your computer will be completely in the clear since we have no way of knowing that has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to backup your information, reformat, and reinstall.

More information on Remote Access Trojans can be found here.

I suggest you do the following immediately:

• Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
• From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
• DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, I can help you clean your computer to the best of my abilities. I must remind you that i cannot guarantee that your computer will be completely clean afterwards since we have no way of knowing what has been done to it.

To help you make your decision, here are a few related articles that i suggest you read:

• Danger: Remote Access Trojans.
• When should I re-format? How should I reinstall?
• How Do I Handle Possible Identify Theft, Internet Fraud and Credit Card Fraud?

Should you have any questions, please feel free to ask.

Please let me know what you decide to do in your next post.

Thank you for your reply - that was a detail I had not considered. I don't think that she uses it for online banking & such , but...
I forgot to mention that when I did install & run Bitdefender there was ~ 45 or so suspect files that were removed & on the initial restart a backdoor trojan ( forgotten which one) was also removed. One file had to be removed with fileassassin - very long 'tmp' file name as well but the problem of no updates remains. Also cannot do a system restore as all of the files are reported as corrupted and even the disk tools will not run.

I've told her that ity may come to a HD reformat with this thing but she wants to try to clean it up first.
What do you suggest?

We can go for the cleaning. She should still change all her passwords to any sites she visits, email, ect...from a clean PC.

The logs that we ask for can sometimes take a while to research so please be patient and I'd be grateful if you would note the following:

• I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for this issue on this machine.
• Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
• It's often worth reading through these instructions and printing them for ease of reference.
• If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
• Please reply to this thread. Do not start a new topic.
• Malware and the removal process can pose a risk of data loss. I recommend you make a backup of any data that you have created, such as documents, pictures, music, ect... before we begin the fix if possible.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Please also post an updated HijackThis log and let me know how it's running.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Sorry for the slow response - it took a while to get COmboFix on the laptop as she couldn't directly access this site. I had to email it to her after zipping & renaming it

I've attached the test file - please let me know how it looks
regards
ted

I'm putting the combofix log into the thread here as it's easier to interpret that way. I'll post back tomorrow once I get some sleep.

ComboFix 09-11-23.06 - Emily 24/11/2009 12:48.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2037.1381 [GMT -7:00]
Running from: c:\users\Emily\Desktop\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-196863380-2393209088-3299821848-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\program files\ShoppingReport
c:\programdata\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\programdata\Microsoft\Windows\Start Menu\Programs\Zango
c:\programdata\Microsoft\Windows\Start Menu\Programs\Zango\Reset Cursor.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Zango\Zango Customer Support Center.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Zango\Zango Games!.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Zango\Zango Screensavers!.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Zango\Zango Videos!.lnk
c:\users\Emily\AppData\Roaming\WeatherDPA
c:\users\Emily\AppData\Roaming\Zango
c:\windows\system32\drivers\ESQULniiimeqqxkxdgkvtyvroejhuotfsdeic.sys
c:\windows\system32\ESQULeptbfxeirqymppxuupyjdwbrpkatbvrs.dll
c:\windows\system32\ESQULgsgtqmdxesroiodpclnquxfgbwqgasyt.dll

----- BITS: Possible infected sites -----

hxxp://epg.tvdownload.microsoft.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Service_Windows MSI
-------\Legacy_ESQULserv.sys
-------\Service_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-10-24 to 2009-11-24 )))))))))))))))))))))))))))))))
.

2009-11-24 20:20 . 2009-11-24 20:41 -------- d-----w- c:\users\Emily\AppData\Local\temp
2009-11-24 20:20 . 2009-11-24 20:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-24 19:36 . 2009-11-24 19:36 -------- d-----w- C:\found.000
2009-11-19 07:12 . 2009-11-19 07:17 4096 d-----w- c:\windows\BDOSCAN8
2009-11-19 06:17 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-19 06:17 . 2009-11-19 06:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-19 06:17 . 2009-11-19 06:17 -------- d-----w- c:\programdata\Malwarebytes
2009-11-19 06:17 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-19 05:57 . 2009-11-24 20:37 132 ----a-w- c:\windows\system32\rezumatenoi.dat
2009-11-19 02:40 . 2009-11-19 02:41 -------- d-----w- c:\users\Emily\AppData\Roaming\BitDefender
2009-11-19 02:40 . 2009-11-19 02:50 -------- d-----w- c:\programdata\BitDefender
2009-11-19 02:40 . 2009-11-19 02:40 -------- d-----w- c:\program files\BitDefender
2009-11-19 02:36 . 2009-11-19 02:41 4096 d-----w- c:\program files\Common Files\BitDefender
2009-11-17 23:58 . 2009-11-17 23:58 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-17 23:52 . 2009-11-17 23:54 4096 d-----w- c:\program files\iTunes
2009-11-17 21:31 . 2009-11-17 21:31 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-11 00:04 . 2009-11-11 00:04 152456 ----a-w- c:\windows\system32\drivers\bdfm.sys
2009-11-11 00:03 . 2009-11-11 00:03 105736 ----a-w- c:\windows\system32\drivers\bdhv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-19 07:56 . 2007-06-14 02:57 4096 d-----w- c:\program files\Trend Micro
2009-11-19 02:31 . 2007-07-28 23:04 -------- d-----w- c:\program files\Lavasoft
2009-11-19 02:27 . 2007-06-14 01:59 4096 d-----w- c:\programdata\Trend Micro
2009-11-18 00:02 . 2008-07-29 23:37 8192 d-----w- c:\program files\Safari
2009-11-17 23:52 . 2007-06-17 00:08 -------- d-----w- c:\program files\iPod
2009-11-17 23:52 . 2007-12-22 09:17 -------- d-----w- c:\program files\Common Files\Apple
2009-10-20 05:51 . 2009-08-16 22:12 4096 d-----w- c:\users\Emily\AppData\Roaming\uTorrent
2009-10-19 23:04 . 2009-10-19 23:04 72200 ----a-w- c:\windows\system32\drivers\BdfNdisf6.sys
2009-10-18 23:07 . 2009-10-18 23:06 -------- d-----w- c:\programdata\WinZip
2009-10-18 21:40 . 2009-10-18 21:40 4096 d-----w- c:\program files\Ask.com
2009-10-17 00:38 . 2008-07-06 04:28 4096 d-----w- c:\programdata\NOS
2009-09-30 02:04 . 2007-06-17 00:10 4096 d-----w- c:\users\Emily\AppData\Roaming\Apple Computer
2009-09-29 04:33 . 2009-09-29 04:33 -------- d-----w- c:\programdata\McAfee
2009-09-27 04:32 . 2009-09-27 04:32 -------- d-----w- c:\programdata\McAfee Security Scan
2009-09-27 04:32 . 2009-09-27 04:32 -------- d-----w- c:\program files\McAfee Security Scan
2009-09-27 04:32 . 2008-07-06 04:28 -------- d-----w- c:\program files\NOS
2009-09-25 06:17 . 2007-06-14 00:55 65272 ----a-w- c:\users\Emily\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-22 15:22 . 2009-09-22 15:22 83208 ----a-w- c:\windows\system32\drivers\BDVEDISK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-09-02 20:56 1175944 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-13 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BigDogPath"="c:\windows\VM302Snap.exe Vimicro USB PC Camera (ZC0302)" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-06 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-06 81920]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-12 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-12-12 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-12 530552]
"Domino"="c:\windows\Domino.exe" [2006-07-04 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2009-10-23 1118144]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2010\IEShow.exe" [2009-10-19 71152]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2006-11-07 3772416]
"NDSTray.exe"="NDSTray.exe" [BU]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-5 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-11 122880]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R0 AFS;AFS;c:\windows\System32\drivers\AFS.SYS [27/06/2007 5:55 PM 77004]
R1 BdfNdisf;BitDefender Firewall NDIS 6 Filter Driver;c:\windows\System32\drivers\BdfNdisf6.sys [19/10/2009 4:04 PM 72200]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2010\bdvedisk.sys [22/09/2009 8:22 AM 83208]
R3 BDFM;BDFM;c:\windows\System32\drivers\bdfm.sys [10/11/2009 5:04 PM 152456]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [06/12/2006 6:09 PM 7168]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [19/10/2009 4:06 PM 183880]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [26/07/2008 10:07 PM 21504]
S3 vvftav302;vvftav302;c:\windows\System32\drivers\vvftav302.sys [18/03/2007 10:06 AM 475136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2009-11-24 c:\windows\Tasks\User_Feed_Synchronization-{D3AC53DA-5636-441A-B7D3-64C62A11F552}.job
- c:\windows\system32\msfeedssync.exe [2009-08-26 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: gov.bc.ca\www.aved
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
AddRemove-Malwarebytes' Anti-Malware_is1 - f:\malwarebytes' anti-malware\unins000.exe
AddRemove-RollerCoaster Tycoon - c:\program files\RealArcade\Installer\bin\gameinstaller.exe c:\program files\RealArcade\Installer\installerMain.clf



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-24 13:39
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3875440204-3311934249-855918885-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3100)
c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm
c:\windows\System32\SyncCenter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\BitDefender\BitDefender 2010\vsserv.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\windows\VM302Snap.exe
c:\program files\Toshiba\TOSCDSPD\TOSCDSPD.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Toshiba\ConfigFree\CFSwMgr.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Completion time: 2009-11-24 14:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-24 21:02

Pre-Run: 28,719,599,616 bytes free
Post-Run: 30,310,998,016 bytes free

- - End Of File - - B13D22F19AD4F073540F6260D3BA51CC

Hi,

Looking better. I would suggest you uninstall the Ask Toolbar. While not really "malicious" I would consider it unwanted and certainly don't run it on my PC's. More info. at the link below.

http://blogs.zdnet.com/Spyware/?p=858

Can you run MalwareBytes now? Please try if you haven't already, making sure to update it first. Then post the log back here and let me know how it's running.

Thanks - I'll see what happens & keep you posted. I agree with you on that ASK toolbar - it's definitely an irritant.

BTW - thank you for the time & effort you've put into this

Did you have a chance to run MBAM? If so please post the log.

Just catching up here....

Did you still want help?

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.