trouble with trojans

wmbeyer

New member
I have run Spybot, followed by Spyware Doctor, System Security 1.04, and Trojan Hunter. Each has removed some problems but I still have at least one that continues. It reloads itself even after I uncheck it from the startup in system config utility. I cannot delete registry entries without them returning. This is the file name that is showing up on everything: c:\windows\system32\vtuurr.dll
The dll file says it is from Real World Graphics and that it is a jpeg photo resizer. My Norton AV keeps telling me that I have an HTTPS Tidserv Request 2 blocked as well as a couple of IP addresses being blocked from intruding.

I have a GMER Scan Log, Hijack This log, Spybot bug report and snapshots of the reports from the various malware removal programs.

If it cannot be fixed, tell me, I just need to know if I am going to have to reformat my pc. Here is the DDS log that I ran just a little while ago.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 23:13:33.02 on Thu 04/29/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.270 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~4\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\NORTON~4\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.att.net/
uSearch Page = hxxp://srch-qus10.hpwis.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
uWindow Title =
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~2\tools\iesdsg.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~2\tools\iesdpb.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Norton Internet Security: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [sstsqpsys] rundll32.exe "vtuurr.dll",DllRegisterServer
mRun: [yabyyxsys] rundll32.exe "vtuurr.dll",DllRegisterServer
mRun: [tuvwvwsys] rundll32.exe "vtuurr.dll",DllRegisterServer
mRun: [opqppmsys] rundll32.exe "vtuurr.dll",DllRegisterServer
mRun: [fcccbcsys] rundll32.exe "vtuurr.dll",DllRegisterServer
mRun: [efdedbsys] rundll32.exe "vtuurr.dll",DllRegisterServer
dRun: [iifghfsys] rundll32.exe "vtuurr.dll",DllRegisterServer
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks\norton cleanup\WCQuick.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~2\tools\iesdpb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: att.net\webauth
Trusted Zone: fortunerep.com\www
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com\download
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 vtuurr.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 ikhfile;File Security Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhfile.sys [2007-2-24 30592]
R1 ikhlayer;Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhlayer.sys [2007-2-24 51072]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton systemworks\norton antivirus\Savrtpel.sys [2005-8-26 53896]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2005-6-3 3744]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 192104]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2004-8-27 235168]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169576]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2005-6-3 3904]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton systemworks\norton antivirus\NAVAPSVC.EXE [2005-9-23 139888]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\norton~4\norton~2\NPROTECT.EXE [2005-11-3 95832]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-6-3 1251720]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-10 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081220.003\NAVENG.Sys [2008-12-20 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20081220.003\NavEx15.Sys [2008-12-20 876112]
R3 SAVRT;SAVRT;c:\program files\norton systemworks\norton antivirus\savrt.sys [2005-8-26 334984]
S2 mrtRate;mrtRate; [x]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-8-27 79520]
S3 idrmkl;idrmkl;\??\c:\docume~1\owner\locals~1\temp\idrmkl.sys --> c:\docume~1\owner\locals~1\temp\idrmkl.sys [?]
S3 SAVScan;Symantec AVScan;c:\program files\norton systemworks\norton antivirus\SAVScan.exe [2005-8-26 198368]

=============== Created Last 30 ================

2010-04-26 00:16:42 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-04-26 00:04:04 0 d-----w- c:\program files\Cobian Backup 10
2010-04-21 04:37:28 0 d-----w- c:\docume~1\alluse~1\applic~1\TrojanHunter
2010-04-21 04:10:37 0 d-----w- c:\docume~1\owner\applic~1\TrojanHunter
2010-04-21 03:03:35 0 d-----w- c:\program files\TrojanHunter 5.3
2010-04-15 03:42:14 90112 ---ha-w- c:\windows\system32\vtuurr.dll

==================== Find3M ====================

2010-04-15 05:45:15 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-16 13:19:55 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:36:09 100864 ----a-w- c:\windows\system32\6to4svc.dll
2006-11-21 23:51:54 774144 -c--a-w- c:\program files\RngInterstitial.dll

============= FINISH: 23:14:59.24 ===============
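A way to read the Pseudo HJT section of that DDS log programmatically, added here as an example and not part of the original post or of the DDS tool itself: it groups the Run values by the DLL that rundll32 loads, checks the LSA Authentication Packages line and the Hosts entry, and reports the patterns that explain why the startup entry keeps coming back after it is unchecked. The report lines are copied from the log above (the Java and Symantec entries are left in as clean controls); the regexes, the finding names and the `parse_hjt` and `analyse` helpers are this example's own.

```python
import re
from collections import defaultdict

# Lines copied from the "Pseudo HJT Report" section of the DDS log posted above.
# The two Java/Symantec entries are ordinary autoruns, kept as controls.
DDS_EXCERPT = r"""
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [sstsqpsys] rundll32.exe "vtuurr.dll",DllRegisterServer
mRun: [yabyyxsys] rundll32.exe "vtuurr.dll",DllRegisterServer
mRun: [tuvwvwsys] rundll32.exe "vtuurr.dll",DllRegisterServer
mRun: [opqppmsys] rundll32.exe "vtuurr.dll",DllRegisterServer
mRun: [fcccbcsys] rundll32.exe "vtuurr.dll",DllRegisterServer
mRun: [efdedbsys] rundll32.exe "vtuurr.dll",DllRegisterServer
dRun: [iifghfsys] rundll32.exe "vtuurr.dll",DllRegisterServer
LSA: Authentication Packages = msv1_0 vtuurr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
"""

RUN_RE = re.compile(r"^([umd])Run:\s+\[([^\]]+)\]\s+(.*)$")
LSA_RE = re.compile(r"^LSA:\s+Authentication Packages\s*=\s*(.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
# Module loaded by rundll32: quoted or bare path, up to the comma before the entry point.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,', re.I)


def parse_hjt(text):
    """Split the report into Run entries, LSA authentication packages and Hosts lines."""
    runs, lsa_packages, hosts = [], [], []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()  # u = HKCU, m = HKLM, d = default user
            runs.append({"hive": hive, "name": name, "command": command})
            continue
        m = LSA_RE.match(line)
        if m:
            lsa_packages = m.group(1).split()
            continue
        m = HOSTS_RE.match(line)
        if m:
            hosts.append((m.group(1), m.group(2).lower()))
    return runs, lsa_packages, hosts


def analyse(text):
    """Return (kind, subject, related Run value names) tuples for the persistence patterns."""
    runs, lsa_packages, hosts = parse_hjt(text)
    findings = []

    # Group Run values by the DLL that rundll32 loads.
    by_dll = defaultdict(list)
    for r in runs:
        m = RUNDLL_RE.search(r["command"])
        if m:
            by_dll[m.group(1).lower()].append(r["name"])

    for dll, names in sorted(by_dll.items()):
        # Several Run values all loading one DLL: removing any single value leaves the
        # rest to reload it at the next logon, which is what the poster observed.
        if len(names) > 1:
            findings.append(("multi_run_same_dll", dll, names))
        # A bare file name is resolved through the DLL search path, not a fixed location.
        if "\\" not in dll:
            findings.append(("unqualified_dll_path", dll, names))

    # Anything beyond the Windows default msv1_0 is loaded into lsass.exe at boot.
    for pkg in lsa_packages:
        pkg = pkg.lower()
        if pkg != "msv1_0":
            findings.append(("lsa_auth_package", pkg, []))
            if pkg in by_dll:
                findings.append(("run_and_lsa_same_dll", pkg, by_dll[pkg]))

    # A hosts entry that sinks a real name to loopback keeps the machine from reaching that site.
    for ip, host in hosts:
        if ip == "127.0.0.1" and host != "localhost":
            findings.append(("hosts_sinkhole", host, []))
    return findings


if __name__ == "__main__":
    for kind, subject, names in analyse(DDS_EXCERPT):
        print(f"{kind:22} {subject}  {' '.join(names)}")
```

Run against the excerpt, this reports one DLL behind seven Run values under random-looking names, the same DLL registered as an LSA authentication package (so it is also loaded by lsass.exe, outside any startup list the System Configuration Utility shows), and a hosts-file entry blocking a security site. That combination is why unchecking a single startup item and deleting registry entries by hand did not stick.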
 
yes still need help

I still need help. I have been trying to monitor the posts. I am not on the infected computer at this time. I am on my laptop. Please post whatever instructions that you may have. I WILL NOT ABANDON YOUR HELP until you or everyone else says that they cannot help. I will be back from work around 8pm today. And, Thanks
 
hi,

ok. Let's start with Malwarebytes and go from there. Link and directions:

Please download Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.
 
I downloaded and installed Malwarebytes, and checked the boxes to update and run. It never started. As soon as I tried to run it I got a notice of an attempted intrusion from Norton AV. I tried several times to launch it. No luck. I uninstalled it and re-installed it, again the attempted hack and no start of Malwarebytes. Here are the logs from Intrusion Detection and content blocking. I downloaded the setup file. Do you want me to uninstall it, and re-install it in safe mode? What now?


Category: Intrusion Detection
Date,User,Message,Details
5/1/2010 11:39:04 PM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.59(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1069."
5/1/2010 11:39:04 PM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.
5/1/2010 11:33:45 PM,No User,Intrusion Detection is monitoring 1300 signatures.,Intrusion Detection is monitoring 1300 signatures.
5/1/2010 11:33:45 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
5/1/2010 11:33:45 PM,No User,Intrusion Detection Signature File Version: 20100421.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100421.001. Intrusion Detection Engine Version: 4.5.0.67.
5/1/2010 11:24:18 PM,Supervisor,Intrusion: HTTP Tidserv Request.,"Intrusion: HTTP Tidserv Request. Intruder: 85.12.46.159(http(80)). Risk Level: High. Protocol: TCP. Attacked IP: localhost. Attacked Port: 1869."
5/1/2010 11:24:18 PM,Supervisor,Intrusion detected and blocked. All communication with 85.12.46.159 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 85.12.46.159 will be blocked for 30 minutes.
5/1/2010 11:16:17 PM,Supervisor,Intrusion detected and blocked. All communication with 85.12.46.158 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 85.12.46.158 will be blocked for 30 minutes.
5/1/2010 11:16:17 PM,Supervisor,Intrusion: HTTP Tidserv Request.,"Intrusion: HTTP Tidserv Request. Intruder: 85.12.46.158(http(80)). Risk Level: High. Protocol: TCP. Attacked IP: localhost. Attacked Port: 1265."
5/1/2010 12:02:38 PM,No User,Intrusion Detection is monitoring 1300 signatures.,Intrusion Detection is monitoring 1300 signatures.
5/1/2010 12:02:38 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
5/1/2010 12:02:38 PM,No User,Intrusion Detection Signature File Version: 20100421.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100421.001. Intrusion Detection Engine Version: 4.5.0.67.
4/30/2010 11:14:46 AM,Supervisor,Intrusion: HTTP Tidserv Request.,"Intrusion: HTTP Tidserv Request. Intruder: 85.12.46.158(http(80)). Risk Level: High. Protocol: TCP. Attacked IP: localhost. Attacked Port: 4879."
4/30/2010 11:14:46 AM,Supervisor,Intrusion detected and blocked. All communication with 85.12.46.158 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 85.12.46.158 will be blocked for 30 minutes.
4/30/2010 12:40:50 AM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.67(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 4330."
4/30/2010 12:40:50 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.
4/30/2010 12:10:49 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.
4/30/2010 12:10:49 AM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.59(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 4080."
4/29/2010 10:12:54 PM,Supervisor,Intrusion: Portscan.,"Intrusion: Portscan. Intruder: 78.138.151.126(10527). Risk Level: Medium. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 9090."
4/29/2010 10:12:54 PM,Supervisor,Intrusion detected and blocked. All communication with 78.138.151.126 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 78.138.151.126 will be blocked for 30 minutes.
4/29/2010 12:56:07 PM,Supervisor,Intrusion Detection is monitoring 1300 signatures.,Intrusion Detection is monitoring 1300 signatures.
4/29/2010 12:56:07 PM,Supervisor,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/29/2010 12:56:07 PM,Supervisor,Intrusion Detection Signature File Version: 20100421.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100421.001. Intrusion Detection Engine Version: 4.5.0.67.
4/29/2010 12:51:48 PM,Supervisor,Intrusion detected and blocked. All communication with 85.12.46.158 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 85.12.46.158 will be blocked for 30 minutes.
4/29/2010 12:51:48 PM,Supervisor,Intrusion: HTTP Tidserv Request.,"Intrusion: HTTP Tidserv Request. Intruder: 85.12.46.158(http(80)). Risk Level: High. Protocol: TCP. Attacked IP: localhost. Attacked Port: 1128."
4/27/2010 10:05:29 PM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/27/2010 10:05:29 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/27/2010 10:05:29 PM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/27/2010 9:59:50 PM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/27/2010 9:59:50 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/27/2010 9:59:50 PM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/26/2010 11:32:47 AM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/26/2010 11:32:47 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/26/2010 11:32:47 AM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/26/2010 11:26:56 AM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/26/2010 11:26:56 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/26/2010 11:26:56 AM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/25/2010 10:39:18 PM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/25/2010 10:39:18 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/25/2010 10:39:18 PM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/21/2010 12:42:28 PM,Supervisor,Intrusion detected and blocked. All communication with 202.157.171.207 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 202.157.171.207 will be blocked for 30 minutes.
4/21/2010 12:42:28 PM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 202.157.171.207(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 3124."
4/21/2010 12:12:27 PM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.67(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 2959."
4/21/2010 12:12:27 PM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.
4/21/2010 11:44:54 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.130 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.130 will be blocked for 30 minutes.
4/21/2010 11:44:54 AM,Supervisor,Intrusion: HTTP Tidserv Request.,"Intrusion: HTTP Tidserv Request. Intruder: 91.212.226.130(http(80)). Risk Level: High. Protocol: TCP. Attacked IP: localhost. Attacked Port: 1790."
4/21/2010 11:42:26 AM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.59(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1669."
4/21/2010 11:42:26 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.
4/21/2010 1:37:06 AM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/21/2010 1:37:06 AM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/21/2010 1:37:06 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/21/2010 12:46:14 AM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.59(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1066."
4/21/2010 12:46:14 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.
4/21/2010 12:40:57 AM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/21/2010 12:40:57 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/21/2010 12:40:57 AM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/21/2010 12:34:51 AM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.59(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1337."
4/21/2010 12:34:51 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.
4/21/2010 12:29:21 AM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/21/2010 12:29:21 AM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/21/2010 12:29:21 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/21/2010 12:19:42 AM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/21/2010 12:19:42 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/21/2010 12:19:42 AM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/21/2010 12:15:16 AM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/21/2010 12:15:16 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/21/2010 12:15:16 AM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/21/2010 12:13:32 AM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/21/2010 12:13:32 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/21/2010 12:13:32 AM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/20/2010 11:33:12 PM,Supervisor,Intrusion detected and blocked. All communication with 202.157.171.207 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 202.157.171.207 will be blocked for 30 minutes.
4/20/2010 11:33:12 PM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 202.157.171.207(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1920."
4/20/2010 11:03:11 PM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.
4/20/2010 11:03:11 PM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.67(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1254."
4/20/2010 7:57:52 PM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/20/2010 7:57:52 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/20/2010 7:57:52 PM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/19/2010 9:18:36 PM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/19/2010 9:18:36 PM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/19/2010 9:18:36 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/17/2010 11:33:16 PM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/17/2010 11:33:16 PM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/17/2010 11:33:16 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/17/2010 11:28:39 PM,No User,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 202.157.171.207(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1569."
4/17/2010 11:28:39 PM,No User,Intrusion detected and blocked. All communication with 202.157.171.207 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 202.157.171.207 will be blocked for 30 minutes.
4/17/2010 10:58:38 PM,No User,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.67(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1470."
4/17/2010 10:58:38 PM,No User,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.
4/17/2010 10:45:57 PM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/17/2010 10:45:57 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/17/2010 10:45:57 PM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/18/2010 1:23:08 AM,No User,Intrusion Detection is monitoring 1303 signatures.,Intrusion Detection is monitoring 1303 signatures.
4/18/2010 1:23:08 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/18/2010 1:23:08 AM,No User,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.
4/15/2010 5:05:40 AM,No User,Intrusion Detection is monitoring 1303 signatures.,Intrusion Detection is monitoring 1303 signatures.
4/15/2010 5:05:40 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/15/2010 5:05:40 AM,No User,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.
4/15/2010 2:01:40 AM,No User,Intrusion Detection is monitoring 1303 signatures.,Intrusion Detection is monitoring 1303 signatures.
4/15/2010 2:01:40 AM,No User,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.
4/15/2010 2:01:40 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/15/2010 1:53:39 AM,No User,Intrusion Detection is monitoring 1303 signatures.,Intrusion Detection is monitoring 1303 signatures.
4/15/2010 1:53:39 AM,No User,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.
4/15/2010 1:53:39 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/15/2010 1:29:05 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.130 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.130 will be blocked for 30 minutes.
4/15/2010 1:29:05 AM,Supervisor,Intrusion: HTTP Tidserv Request.,"Intrusion: HTTP Tidserv Request. Intruder: 91.212.226.130(http(80)). Risk Level: High. Protocol: TCP. Attacked IP: localhost. Attacked Port: 1903."
4/15/2010 1:14:57 AM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.67(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1568."
4/15/2010 1:14:57 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.
4/15/2010 12:52:25 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.130 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.130 will be blocked for 30 minutes.
4/15/2010 12:52:25 AM,Supervisor,Intrusion: HTTP Tidserv Request.,"Intrusion: HTTP Tidserv Request. Intruder: 91.212.226.130(http(80)). Risk Level: High. Protocol: TCP. Attacked IP: localhost. Attacked Port: 1288."
4/15/2010 12:44:56 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.
4/15/2010 12:44:56 AM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.59(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1082."
4/15/2010 12:39:39 AM,No User,Intrusion Detection is monitoring 1303 signatures.,Intrusion Detection is monitoring 1303 signatures.
4/15/2010 12:39:39 AM,No User,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.
4/15/2010 12:39:39 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/15/2010 12:25:33 AM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.67(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1303."
4/15/2010 12:25:33 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.
4/14/2010 11:55:31 PM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.59(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1075."
4/14/2010 11:55:31 PM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.
4/14/2010 11:50:14 PM,No User,Intrusion Detection is monitoring 1303 signatures.,Intrusion Detection is monitoring 1303 signatures.
4/14/2010 11:50:14 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/14/2010 11:50:14 PM,No User,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.
4/14/2010 11:45:17 PM,No User,Intrusion Detection is monitoring 1303 signatures.,Intrusion Detection is monitoring 1303 signatures.
4/14/2010 11:45:17 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/14/2010 11:45:17 PM,No User,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.
4/14/2010 9:09:01 AM,No User,Intrusion Detection is monitoring 1303 signatures.,Intrusion Detection is monitoring 1303 signatures.
4/14/2010 9:09:01 AM,No User,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.

Category: Content Blocking
Date Time,User,Feature,URL,Details
5/1/2010 11:40:14 PM,Supervisor,ActiveX,http://www.chinaontv.com/videos/5894.php,"Content Blocked: Date Time: 5/1/2010 11:40:14 PM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.chinaontv.com/videos/5894.php Data: (ActiveX) "
5/1/2010 11:19:25 PM,Supervisor,ActiveX,http://www.chinaontv.com/cartoon/videos_view_193.php,"Content Blocked: Date Time: 5/1/2010 11:19:25 PM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.chinaontv.com/cartoon/videos_view_193.php Data: (ActiveX) "
4/30/2010 11:35:06 AM,Supervisor,ActiveX,http://www.bunnytube.net/539187/Undercovers-Fun-by-stikcumtheatre2-free,"Content Blocked: Date Time: 4/30/2010 11:35:06 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.bunnytube.net/539187/Undercovers-Fun-by-stikcumtheatre2-free Data: (ActiveX) "
4/30/2010 11:15:19 AM,Supervisor,ActiveX,http://server2.mediajmp.com/surveys/cpv-index.html?sub=m5prod.net,"Content Blocked: Date Time: 4/30/2010 11:15:19 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://server2.mediajmp.com/surveys/cpv-index.html?sub=m5prod.net Data: (ActiveX) "
4/30/2010 12:51:10 AM,Supervisor,ActiveX,http://www.flvs.net/parents/Pages/default.aspx,"Content Blocked: Date Time: 4/30/2010 12:51:10 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.flvs.net/parents/Pages/default.aspx Data: (ActiveX) "
4/30/2010 12:50:46 AM,Supervisor,ActiveX,http://www.flvs.net/Pages/default.aspx,"Content Blocked: Date Time: 4/30/2010 12:50:46 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.flvs.net/Pages/default.aspx Data: (ActiveX) "
4/30/2010 12:50:46 AM,Supervisor,ActiveX,http://www.flvs.net/Pages/default.aspx,"Content Blocked: Date Time: 4/30/2010 12:50:46 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.flvs.net/Pages/default.aspx Data: (ActiveX) "
4/22/2010 9:32:16 PM,Supervisor,ActiveX,http://www.onlyspecialoffers.info/submit/?t202id=3475&t202kw=http://ad.doubleclick.net/adi/n3285.casalemedia/b2343920.323;sz=300x250;click0=http://c.casalemedia.com/c/4/1/79693/;ord=1138867922&source=245-0,"Content Blocked: Date Time: 4/22/2010 9:32:16 PM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.onlyspecialoffers.info/s....com/c/4/1/79693/;ord=1138867922&source=245-0 Data: (ActiveX) "
4/21/2010 1:04:20 PM,Supervisor,ActiveX,http://features.yp.com/launch?from=LN_YP_header_splash,"Content Blocked: Date Time: 4/21/2010 1:04:20 PM User: Supervisor Action: Blocked Type: ActiveX URL: http://features.yp.com/launch?from=LN_YP_header_splash Data: (ActiveX) "
4/21/2010 10:59:46 AM,Supervisor,ActiveX,http://lc1.mycraigslistbusiness.com/AutoPopTemplates/PlainWhite.png,"Content Blocked: Date Time: 4/21/2010 10:59:46 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://lc1.mycraigslistbusiness.com/AutoPopTemplates/PlainWhite.png Data: (ActiveX) "
4/21/2010 12:38:33 AM,Supervisor,ActiveX,http://www.chinaontv.com/travel.php,"Content Blocked: Date Time: 4/21/2010 12:38:33 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.chinaontv.com/travel.php Data: (ActiveX) "
4/21/2010 12:38:13 AM,Supervisor,ActiveX,http://www.chinaontv.com/learning.php,"Content Blocked: Date Time: 4/21/2010 12:38:13 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.chinaontv.com/learning.php Data: (ActiveX) "
4/21/2010 12:37:37 AM,Supervisor,ActiveX,http://www.chinaontv.com/videos/6564.php,"Content Blocked: Date Time: 4/21/2010 12:37:37 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.chinaontv.com/videos/6564.php Data: (ActiveX) "
4/21/2010 12:37:24 AM,Supervisor,ActiveX,http://www.chinaontv.com/business.php,"Content Blocked: Date Time: 4/21/2010 12:37:24 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.chinaontv.com/business.php Data: (ActiveX) "
4/21/2010 12:36:26 AM,Supervisor,ActiveX,http://www.chinaontv.com/learning.php,"Content Blocked: Date Time: 4/21/2010 12:36:26 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.chinaontv.com/learning.php Data: (ActiveX) "
4/21/2010 12:35:47 AM,Supervisor,ActiveX,http://www.chinaontv.com/cartoon/videos_view_193.php,"Content Blocked: Date Time: 4/21/2010 12:35:47 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.chinaontv.com/cartoon/videos_view_193.php Data: (ActiveX) "
4/21/2010 12:04:43 AM,Supervisor,ActiveX,http://server2.mediajmp.com/surveys/cpv-index.html?sub=ubid.com,"Content Blocked: Date Time: 4/21/2010 12:04:43 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://server2.mediajmp.com/surveys/cpv-index.html?sub=ubid.com Data: (ActiveX) "
4/20/2010 11:18:41 PM,Supervisor,ActiveX,http://www.chinaontv.com/cartoon/videos_view_193.php,"Content Blocked: Date Time: 4/20/2010 11:18:41 PM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.chinaontv.com/cartoon/videos_view_193.php Data: (ActiveX) "
4/15/2010 1:43:13 AM,Supervisor,ActiveX,http://www.roxwel.com/d45/flashbox.php?pageID=&state=vidflip&source=player&vidcount=1&filename=cluetokalotheinfiniteorphan&playlistMode=ondemand,"Content Blocked: Date Time: 4/15/2010 1:43:13 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.roxwel.com/d45/flashbox....tokalotheinfiniteorphan&playlistMode=ondemand Data: (ActiveX) "
4/15/2010 1:21:27 AM,Supervisor,ActiveX,http://world.chinaontv.com/videos/5792.php,"Content Blocked: Date Time: 4/15/2010 1:21:27 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://world.chinaontv.com/videos/5792.php Data: (ActiveX) "
4/15/2010 12:47:03 AM,Supervisor,ActiveX,http://server2.mediajmp.com/surveys/cpv-index.html?sub=m5prod.net,"Content Blocked: Date Time: 4/15/2010 12:47:03 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://server2.mediajmp.com/surveys/cpv-index.html?sub=m5prod.net Data: (ActiveX) "
4/15/2010 12:36:05 AM,Supervisor,ActiveX,http://world.chinaontv.com/learning.php,"Content Blocked: Date Time: 4/15/2010 12:36:05 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://world.chinaontv.com/learning.php Data: (ActiveX) "
4/15/2010 12:35:51 AM,Supervisor,ActiveX,http://world.chinaontv.com/cartoon/videos_view_193.php,"Content Blocked: Date Time: 4/15/2010 12:35:51 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://world.chinaontv.com/cartoon/videos_view_193.php Data: (ActiveX) "
4/15/2010 12:35:25 AM,Supervisor,ActiveX,http://world.chinaontv.com/index.php,"Content Blocked: Date Time: 4/15/2010 12:35:25 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://world.chinaontv.com/index.php Data: (ActiveX) "
4/15/2010 12:34:09 AM,Supervisor,ActiveX,http://world.chinaontv.com/videos/5792.php,"Content Blocked: Date Time: 4/15/2010 12:34:09 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://world.chinaontv.com/videos/5792.php Data: (ActiveX) "
4/14/2010 11:25:29 PM,Supervisor,ActiveX,http://www.dancerbating.com/,"Content Blocked: Date Time: 4/14/2010 11:25:29 PM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.dancerbating.com/ Data: (ActiveX) "
4/14/2010 10:51:16 PM,Supervisor,ActiveX,http://news.yahoo.com/s/ap/20100414/ap_on_bi_ge/us_so_long_sardines,"Content Blocked: Date Time: 4/14/2010 10:51:16 PM User: Supervisor Action: Blocked Type: ActiveX URL: http://news.yahoo.com/s/ap/20100414/ap_on_bi_ge/us_so_long_sardines Data: (ActiveX) "
 
This is an indication of rootkit activity. Rootkits can hide from traditional malware/virus scanners. I wouldn't use this computer until it's cleaned up. In fact, make sure there is no connectivity by keeping it powered off or pulling the ethernet cable.
Is there any way you could download two small files and transfer them to the computer in question via a USB flash drive?

If so, you can get ComboFix and TDSS Killer for now.
There is a guide to using ComboFix. Read through and follow what's presented in the guide. Use ComboFix first and post its log. Hold off on using TDSS Killer for now.

Links:
Guide: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please download TDSS Killer.zip and save it to your desktop.
Extract the zip file to your desktop for now.
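An added example, not part of the thread and not Norton's or ComboFix's code: a small Python triage script for rows in the layout of the Norton intrusion log posted above. It pulls out the detail the reply is relying on. In every Tidserv row the "Intruder" sits on port 80 or 443 while the "Attacked Port" is a high ephemeral port on the local machine, which means the local host opened those connections itself; the alert fired on the server's reply. Repeated high-risk outbound hits to the same few servers is the shape of a resident implant calling home, not of an external scan, and Tidserv is Symantec's detection name for the TDSS rootkit family. The regex, field names and the `beaconing_suspected` threshold are this example's own assumptions; the sample rows are constructed by hand in the log's format, reusing the remote addresses the posted log shows.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the layout of the Norton intrusion log quoted in the
# thread (Date Time,User,Message,Details). Rows are rebuilt by hand, not copied;
# the remote addresses are the ones the posted log reports.
SAMPLE_LOG = """\
4/15/2010 1:29:05 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.130 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.130 will be blocked for 30 minutes.
4/15/2010 1:29:05 AM,Supervisor,Intrusion: HTTP Tidserv Request.,"Intrusion: HTTP Tidserv Request. Intruder: 91.212.226.130(http(80)). Risk Level: High. Protocol: TCP. Attacked IP: localhost. Attacked Port: 1903."
4/15/2010 1:14:57 AM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.67(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1568."
4/15/2010 12:39:39 AM,No User,Intrusion Detection is monitoring 1303 signatures.,Intrusion Detection is monitoring 1303 signatures.
4/15/2010 12:25:33 AM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.67(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1303."
4/14/2010 11:55:31 PM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.59(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1075."
"""

# Assumed pattern for the free-text Details column of an "Intrusion:" row.
DETAIL_RE = re.compile(
    r"Intrusion: (?P<sig>[^.]+)\. "
    r"Intruder: (?P<remote_ip>\d{1,3}(?:\.\d{1,3}){3})\(\w+\((?P<remote_port>\d+)\)\)\. "
    r"Risk Level: (?P<risk>\w+)\. "
    r"Protocol: (?P<proto>\w+)\. "
    r"Attacked IP: (?P<local_host>.+?)\. "
    r"Attacked Port: (?P<local_port>\d+)\."
)


def classify_direction(remote_port, local_port):
    """Infer who opened the TCP session from the port pair.

    A remote well-known service port paired with a high (ephemeral) local port
    means the local host connected out and the alert fired on the server's
    reply; the reverse means something connected in to a local service.
    """
    if remote_port < 1024 and local_port >= 1024:
        return "outbound"
    if local_port < 1024 and remote_port >= 1024:
        return "inbound"
    return "unknown"


def parse_intrusions(log_text):
    """Return one dict per 'Intrusion:' row; status rows and block notices are skipped."""
    events = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 4:
            continue  # blank or header line
        m = DETAIL_RE.search(row[3])
        if m is None:
            continue  # a status line or a "blocked for 30 minutes" notice
        ev = m.groupdict()
        ev["time"], ev["user"] = row[0], row[1]
        ev["remote_port"] = int(ev["remote_port"])
        ev["local_port"] = int(ev["local_port"])
        ev["direction"] = classify_direction(ev["remote_port"], ev["local_port"])
        events.append(ev)
    return events


def triage(events):
    """Summarize what matters for cleanup: which signatures fire, against which
    remote hosts, and whether the local machine is the one calling out."""
    summary = {
        "by_signature": Counter(e["sig"] for e in events),
        "by_remote_ip": Counter(e["remote_ip"] for e in events),
        "outbound_high_risk": sum(
            1 for e in events if e["direction"] == "outbound" and e["risk"] == "High"
        ),
    }
    # Assumed heuristic: a few repeated high-risk outbound hits to a small set of
    # servers is the pattern of a resident implant beaconing, not of a scan.
    summary["beaconing_suspected"] = (
        summary["outbound_high_risk"] >= 2 and len(summary["by_remote_ip"]) <= 5
    )
    return summary


if __name__ == "__main__":
    evs = parse_intrusions(SAMPLE_LOG)
    for e in evs:
        print(f'{e["time"]:22} {e["sig"]:26} {e["remote_ip"]:16} {e["direction"]}')
    print(triage(evs))
```

On the posted log every Tidserv row classifies as outbound, which is why a firewall that only blocks the remote address for 30 minutes does not help: the process opening the sessions is still on the machine, and the block notices simply repeat each time it retries.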
 
For some reason my Norton AV tried to restart after reboot. I turned it off again but have no idea if ComboFix was affected in any way. Also, vtuurr.dll tried to start 7 times, but the notice said that no file could be found.

ComboFix 10-05-02.01 - Owner 05/02/2010 16:46:07.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.497 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WindowsUpdate
c:\recycler\NPROTECT
c:\recycler\NPROTECT\00000000.DAT
c:\recycler\NPROTECT\00000001.DAT
c:\recycler\NPROTECT\00000002
c:\recycler\NPROTECT\00000003
c:\recycler\NPROTECT\00000004
c:\recycler\NPROTECT\00000005
c:\recycler\NPROTECT\00000006
c:\recycler\NPROTECT\00000008
c:\recycler\NPROTECT\00000010
c:\recycler\NPROTECT\00000011
c:\recycler\NPROTECT\00000014.DAT
c:\recycler\NPROTECT\00000015
c:\recycler\NPROTECT\00000016
c:\recycler\NPROTECT\00000017
c:\recycler\NPROTECT\00000018
c:\recycler\NPROTECT\00000020
c:\recycler\NPROTECT\00000021.DAT
c:\recycler\NPROTECT\00000022
c:\recycler\NPROTECT\00000023
c:\recycler\NPROTECT\00000024.DAT
c:\recycler\NPROTECT\00000025
c:\recycler\NPROTECT\00000026
c:\recycler\NPROTECT\00000027
c:\recycler\NPROTECT\00000028
c:\recycler\NPROTECT\00000029
c:\recycler\NPROTECT\00000030
c:\recycler\NPROTECT\00000031
c:\recycler\NPROTECT\00000032
c:\recycler\NPROTECT\00000033
c:\recycler\NPROTECT\00000034
c:\recycler\NPROTECT\00000035
c:\recycler\NPROTECT\00000036
c:\recycler\NPROTECT\00000037
c:\recycler\NPROTECT\00000038.dat
c:\recycler\NPROTECT\00000040
c:\recycler\NPROTECT\00000041
c:\recycler\NPROTECT\00000044
c:\recycler\NPROTECT\00000045
c:\recycler\NPROTECT\00000047
c:\recycler\NPROTECT\00000048
c:\recycler\NPROTECT\00000049
c:\recycler\NPROTECT\00000050
c:\recycler\NPROTECT\00000053
c:\recycler\NPROTECT\00000054
c:\recycler\NPROTECT\00000055
c:\recycler\NPROTECT\00000056
c:\recycler\NPROTECT\00000057
c:\recycler\NPROTECT\00000058
c:\recycler\NPROTECT\00000059
c:\recycler\NPROTECT\00000060
c:\recycler\NPROTECT\00000061
c:\recycler\NPROTECT\00000063
c:\recycler\NPROTECT\00000064
c:\recycler\NPROTECT\00000065
c:\recycler\NPROTECT\00000066
c:\recycler\NPROTECT\00000067
c:\recycler\NPROTECT\00000068
c:\recycler\NPROTECT\00000069
c:\recycler\NPROTECT\00000070
c:\recycler\NPROTECT\00000071
c:\recycler\NPROTECT\00000072
c:\recycler\NPROTECT\00000073
c:\recycler\NPROTECT\00000074
c:\recycler\NPROTECT\00000076
c:\recycler\NPROTECT\00000077
c:\recycler\NPROTECT\00000079
c:\recycler\NPROTECT\00000080
c:\recycler\NPROTECT\00000082
c:\recycler\NPROTECT\00000083
c:\recycler\NPROTECT\00000084
c:\recycler\NPROTECT\00000085
c:\recycler\NPROTECT\00000086
c:\recycler\NPROTECT\00000088
c:\recycler\NPROTECT\00000089
c:\recycler\NPROTECT\00000090
c:\recycler\NPROTECT\00000091
c:\recycler\NPROTECT\00000093
c:\recycler\NPROTECT\00000094
c:\recycler\NPROTECT\00000095
c:\recycler\NPROTECT\00000096
c:\recycler\NPROTECT\00000097
c:\recycler\NPROTECT\00000098
c:\recycler\NPROTECT\00000099
c:\recycler\NPROTECT\00000100
c:\recycler\NPROTECT\00000101
c:\recycler\NPROTECT\00000102
c:\recycler\NPROTECT\00000103
c:\recycler\NPROTECT\00000107
c:\recycler\NPROTECT\00000108.dat
c:\recycler\NPROTECT\00000109.dat
c:\recycler\NPROTECT\00000110
c:\recycler\NPROTECT\00000111
c:\recycler\NPROTECT\00000112
c:\recycler\NPROTECT\00000113
c:\recycler\NPROTECT\00000114
c:\recycler\NPROTECT\00000115
c:\recycler\NPROTECT\00000116
c:\recycler\NPROTECT\00000117
c:\recycler\NPROTECT\00000119
c:\recycler\NPROTECT\00000121.dat
c:\recycler\NPROTECT\00000123
c:\recycler\NPROTECT\00000124.bat
c:\recycler\NPROTECT\00000125
c:\recycler\NPROTECT\00000126
c:\recycler\NPROTECT\00000128
c:\recycler\NPROTECT\00000130
c:\recycler\NPROTECT\00000131
c:\recycler\NPROTECT\00000132
c:\recycler\NPROTECT\00000135
c:\recycler\NPROTECT\00000136
c:\recycler\NPROTECT\00000137
c:\recycler\NPROTECT\00000138
c:\recycler\NPROTECT\00000140
c:\recycler\NPROTECT\00000141
c:\recycler\NPROTECT\00000142
c:\recycler\NPROTECT\00000143
c:\recycler\NPROTECT\00000144
c:\recycler\NPROTECT\00000145
c:\recycler\NPROTECT\00000146
c:\recycler\NPROTECT\00000147
c:\recycler\NPROTECT\00000148
c:\recycler\NPROTECT\00000149
c:\recycler\NPROTECT\00000150
c:\recycler\NPROTECT\00000151
c:\recycler\NPROTECT\00000152
c:\recycler\NPROTECT\00000153
c:\recycler\NPROTECT\00000154
c:\recycler\NPROTECT\00000155
c:\recycler\NPROTECT\00000156
c:\recycler\NPROTECT\00000157
c:\recycler\NPROTECT\00000158
c:\recycler\NPROTECT\00000159
c:\recycler\NPROTECT\00000160
c:\recycler\NPROTECT\00000161
c:\recycler\NPROTECT\00000162
c:\recycler\NPROTECT\00000163
c:\recycler\NPROTECT\00000164
c:\recycler\NPROTECT\00000165
c:\recycler\NPROTECT\00000166
c:\recycler\NPROTECT\00000168
c:\recycler\NPROTECT\00000169
c:\recycler\NPROTECT\00000172
c:\recycler\NPROTECT\00000175
c:\recycler\NPROTECT\00000176
c:\recycler\NPROTECT\00000177
c:\recycler\NPROTECT\00000178
c:\recycler\NPROTECT\00000179.dat
c:\recycler\NPROTECT\00000180
c:\recycler\NPROTECT\00000181.bad
c:\recycler\NPROTECT\00000182
c:\recycler\NPROTECT\00000183
c:\recycler\NPROTECT\00000184
c:\recycler\NPROTECT\00000185
c:\recycler\NPROTECT\00000186
c:\recycler\NPROTECT\00000192.md5
c:\recycler\NPROTECT\00000201
c:\recycler\NPROTECT\00000202
c:\recycler\NPROTECT\NPROTECT.LOG
c:\recycler\S-1-5-21-357484485-327093594-2519368713-1003
c:\windows\patch.exe
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\vtuurr.dll
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-02 to 2010-05-02 )))))))))))))))))))))))))))))))
.

2010-05-02 03:37 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-02 03:37 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-02 03:22 . 2010-05-02 03:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-30 04:02 . 2010-04-30 04:03 -------- d-----w- c:\program files\ERUNT
2010-04-26 00:04 . 2010-04-26 00:04 -------- d-----w- c:\program files\Cobian Backup 10
2010-04-21 04:37 . 2010-04-21 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\TrojanHunter
2010-04-21 04:10 . 2010-04-21 04:10 -------- d-----w- c:\documents and settings\Owner\Application Data\TrojanHunter
2010-04-21 03:03 . 2010-04-26 16:16 -------- d-----w- c:\program files\TrojanHunter 5.3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-02 03:23 . 2003-10-14 13:31 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-25 20:55 . 2007-02-25 00:44 435 -c--a-w- c:\windows\system.tmp
2010-04-21 15:12 . 2004-04-02 21:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-21 15:10 . 2004-04-02 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-21 05:39 . 2007-02-25 00:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-18 02:51 . 2007-02-25 00:28 -------- d-----w- c:\program files\Spyware Doctor
2010-04-15 05:45 . 2003-11-15 08:22 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-04-14 13:05 . 2005-06-03 06:35 -------- d-----w- c:\program files\Norton SystemWorks
2010-03-18 22:49 . 2007-08-01 02:10 -------- d-----w- c:\program files\RegCure
2010-03-11 12:38 . 2004-02-06 22:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-06-04 06:14 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2003-11-15 08:22 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-10 00:28 . 2007-02-25 00:44 730 -c--a-w- c:\windows\win.tmp
2010-03-09 11:09 . 2003-11-15 07:58 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:00 . 2009-11-24 12:10 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-24 12:31 . 2003-10-11 10:06 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:19 . 2003-11-15 08:23 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2002-08-29 08:04 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:36 . 2003-11-15 08:22 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 11:08 . 2003-11-15 07:58 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2006-11-21 23:51 . 2006-11-21 23:52 774144 -c--a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-23 52840]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PopUpStopperFreeEdition"=c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=c:\windows\System32\hkcmd.exe
"hpsysdrv"=c:\windows\system\hpsysdrv.exe
"KBD"=c:\hp\KBD\KBD.EXE
"LTMSG"=LTMSG.exe 7
"Recguard"=c:\windows\SMINST\RECGUARD.EXE
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
"THGuard"="c:\program files\TrojanHunter 5.3\THGuard.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\ccpm_0237.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [6/3/2005 3:02 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [6/3/2005 3:02 AM 3904]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~4\NORTON~2\NPROTECT.EXE [11/3/2005 7:08 PM 95832]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/10/2008 10:59 PM 99376]
S2 mrtRate;mrtRate; [x]
S3 idrmkl;idrmkl;\??\c:\docume~1\Owner\LOCALS~1\Temp\idrmkl.sys --> c:\docume~1\Owner\LOCALS~1\Temp\idrmkl.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-13 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job
- c:\progra~1\NORTON~4\NORTON~1\Navw32.exe [2005-09-23 16:13]

2010-04-26 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2006-08-03 00:05]

2010-05-02 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2005-10-26 23:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.att.net/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: att.net\webauth
Trusted Zone: fortunerep.com\www
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com\download
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
HKLM-Run-sstsqpsys - vtuurr.dll
HKLM-Run-yabyyxsys - vtuurr.dll
HKLM-Run-tuvwvwsys - vtuurr.dll
HKLM-Run-opqppmsys - vtuurr.dll
HKLM-Run-fcccbcsys - vtuurr.dll
HKLM-Run-efdedbsys - vtuurr.dll
HKU-Default-Run-iifghfsys - vtuurr.dll
Notify-WgaLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-02 16:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1730167982-1273179249-2621698179-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6240)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Norton Internet Security\ISSVC.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Spyware Doctor\sdhelp.exe
c:\progra~1\NORTON~4\NORTON~2\SPEEDD~1\NOPDB.EXE
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
.
**************************************************************************
.
Completion time: 2010-05-02 16:59:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-02 20:59

Pre-Run: 138,818,932,736 bytes free
Post-Run: 138,574,831,616 bytes free

- - End Of File - - 0EE70E64E7A0A06FBFC386A90951037A
 
BTW, the infected computer is, and has been, disconnected from the internet except for the time that I downloaded the Malwarebytes program. I didn't know how big the download was or if it required a net connection. I transfer the data from my laptop to the infected computer by CD.
 
OK, good. Thanks for all the info. We will use ComboFix again:
Temporarily disable your AV and any anti-malware apps before using ComboFix.

Click Start, then Run, type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:


Code:
DDS::
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File

File::
C:\DOCUME~1\Owner\LOCALS~1\Temp\idrmkl.sys

Driver::
idrmkl

Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release. ComboFix will run and produce a new log.
Please post the new ComboFix log.
 
I was not able to observe anything this time. It appears that everything went as desired. No windows opened of any kind. At least none that stayed open.



ComboFix 10-05-02.01 - Owner 05/02/2010 20:35:24.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.374 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
"c:\docume~1\Owner\LOCALS~1\Temp\idrmkl.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\NPROTECT\00000000.DAT
c:\recycler\NPROTECT\00000001.DAT
c:\recycler\NPROTECT\00000002
c:\recycler\NPROTECT\00000003
c:\recycler\NPROTECT\00000004
c:\recycler\NPROTECT\00000005
c:\recycler\NPROTECT\00000006
c:\recycler\NPROTECT\00000008
c:\recycler\NPROTECT\00000010
c:\recycler\NPROTECT\00000011
c:\recycler\NPROTECT\00000014.DAT
c:\recycler\NPROTECT\00000015
c:\recycler\NPROTECT\00000016
c:\recycler\NPROTECT\00000017
c:\recycler\NPROTECT\00000018
c:\recycler\NPROTECT\00000020
c:\recycler\NPROTECT\00000021.DAT
c:\recycler\NPROTECT\00000022
c:\recycler\NPROTECT\00000023
c:\recycler\NPROTECT\00000024.DAT
c:\recycler\NPROTECT\00000025
c:\recycler\NPROTECT\00000026
c:\recycler\NPROTECT\00000027
c:\recycler\NPROTECT\00000028
c:\recycler\NPROTECT\00000029
c:\recycler\NPROTECT\00000030
c:\recycler\NPROTECT\00000031
c:\recycler\NPROTECT\00000032
c:\recycler\NPROTECT\00000033
c:\recycler\NPROTECT\00000034
c:\recycler\NPROTECT\00000035
c:\recycler\NPROTECT\00000036
c:\recycler\NPROTECT\00000037.dat
c:\recycler\NPROTECT\00000038
c:\recycler\NPROTECT\00000039
c:\recycler\NPROTECT\00000042
c:\recycler\NPROTECT\00000043
c:\recycler\NPROTECT\00000044
c:\recycler\NPROTECT\00000046
c:\recycler\NPROTECT\00000047
c:\recycler\NPROTECT\00000048
c:\recycler\NPROTECT\00000049
c:\recycler\NPROTECT\00000050
c:\recycler\NPROTECT\00000052
c:\recycler\NPROTECT\00000053
c:\recycler\NPROTECT\00000054
c:\recycler\NPROTECT\00000055
c:\recycler\NPROTECT\00000058
c:\recycler\NPROTECT\00000059
c:\recycler\NPROTECT\00000060
c:\recycler\NPROTECT\00000062
c:\recycler\NPROTECT\00000064
c:\recycler\NPROTECT\00000065
c:\recycler\NPROTECT\00000066
c:\recycler\NPROTECT\00000067
c:\recycler\NPROTECT\00000068
c:\recycler\NPROTECT\00000069
c:\recycler\NPROTECT\00000070
c:\recycler\NPROTECT\00000071
c:\recycler\NPROTECT\00000072
c:\recycler\NPROTECT\00000073
c:\recycler\NPROTECT\00000074
c:\recycler\NPROTECT\00000076
c:\recycler\NPROTECT\00000077
c:\recycler\NPROTECT\00000079
c:\recycler\NPROTECT\00000080
c:\recycler\NPROTECT\00000082
c:\recycler\NPROTECT\00000083
c:\recycler\NPROTECT\00000084
c:\recycler\NPROTECT\00000085
c:\recycler\NPROTECT\00000086
c:\recycler\NPROTECT\00000088
c:\recycler\NPROTECT\00000089
c:\recycler\NPROTECT\00000090
c:\recycler\NPROTECT\00000091
c:\recycler\NPROTECT\00000093
c:\recycler\NPROTECT\00000094
c:\recycler\NPROTECT\00000095
c:\recycler\NPROTECT\00000096
c:\recycler\NPROTECT\00000097
c:\recycler\NPROTECT\00000098
c:\recycler\NPROTECT\00000099
c:\recycler\NPROTECT\00000100
c:\recycler\NPROTECT\00000101
c:\recycler\NPROTECT\00000102
c:\recycler\NPROTECT\00000103
c:\recycler\NPROTECT\00000104
c:\recycler\NPROTECT\00000105
c:\recycler\NPROTECT\00000109
c:\recycler\NPROTECT\00000110.dat
c:\recycler\NPROTECT\00000111.dat
c:\recycler\NPROTECT\00000113
c:\recycler\NPROTECT\00000114
c:\recycler\NPROTECT\00000115
c:\recycler\NPROTECT\00000116
c:\recycler\NPROTECT\00000117
c:\recycler\NPROTECT\00000118
c:\recycler\NPROTECT\00000119
c:\recycler\NPROTECT\00000120
c:\recycler\NPROTECT\00000122
c:\recycler\NPROTECT\00000124.dat
c:\recycler\NPROTECT\00000126
c:\recycler\NPROTECT\00000127.bat
c:\recycler\NPROTECT\00000128
c:\recycler\NPROTECT\00000129
c:\recycler\NPROTECT\00000131
c:\recycler\NPROTECT\00000133
c:\recycler\NPROTECT\00000134
c:\recycler\NPROTECT\00000135
c:\recycler\NPROTECT\00000138
c:\recycler\NPROTECT\00000139
c:\recycler\NPROTECT\00000140
c:\recycler\NPROTECT\00000141
c:\recycler\NPROTECT\00000143
c:\recycler\NPROTECT\00000144
c:\recycler\NPROTECT\00000145
c:\recycler\NPROTECT\00000146
c:\recycler\NPROTECT\00000147
c:\recycler\NPROTECT\00000148
c:\recycler\NPROTECT\00000149
c:\recycler\NPROTECT\00000150
c:\recycler\NPROTECT\00000151
c:\recycler\NPROTECT\00000152
c:\recycler\NPROTECT\00000153
c:\recycler\NPROTECT\00000154
c:\recycler\NPROTECT\00000155
c:\recycler\NPROTECT\00000156
c:\recycler\NPROTECT\00000157
c:\recycler\NPROTECT\00000158
c:\recycler\NPROTECT\00000159
c:\recycler\NPROTECT\00000160
c:\recycler\NPROTECT\00000161
c:\recycler\NPROTECT\00000162
c:\recycler\NPROTECT\00000163
c:\recycler\NPROTECT\00000164
c:\recycler\NPROTECT\00000165
c:\recycler\NPROTECT\00000166
c:\recycler\NPROTECT\00000167
c:\recycler\NPROTECT\00000168
c:\recycler\NPROTECT\00000169
c:\recycler\NPROTECT\00000171
c:\recycler\NPROTECT\00000172
c:\recycler\NPROTECT\00000175
c:\recycler\NPROTECT\00000178
c:\recycler\NPROTECT\00000179
c:\recycler\NPROTECT\00000180
c:\recycler\NPROTECT\00000181
c:\recycler\NPROTECT\00000182.dat
c:\recycler\NPROTECT\00000183
c:\recycler\NPROTECT\00000184
c:\recycler\NPROTECT\00000185
c:\recycler\NPROTECT\00000186
c:\recycler\NPROTECT\00000187
c:\recycler\NPROTECT\00000188.bad
c:\recycler\NPROTECT\00000189
c:\recycler\NPROTECT\00000190
c:\recycler\NPROTECT\00000191
c:\recycler\NPROTECT\00000192
c:\recycler\NPROTECT\00000193
c:\recycler\NPROTECT\00000199.md5
c:\recycler\NPROTECT\00000208
c:\recycler\NPROTECT\00000209
c:\recycler\NPROTECT\NPROTECT.LOG
c:\recycler\NPROTECT . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IDRMKL
-------\Service_idrmkl


((((((((((((((((((((((((( Files Created from 2010-04-03 to 2010-05-03 )))))))))))))))))))))))))))))))
.

2010-05-02 03:37 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-02 03:37 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-02 03:22 . 2010-05-02 03:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-30 04:02 . 2010-04-30 04:03 -------- d-----w- c:\program files\ERUNT
2010-04-26 00:04 . 2010-04-26 00:04 -------- d-----w- c:\program files\Cobian Backup 10
2010-04-21 04:37 . 2010-04-21 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\TrojanHunter
2010-04-21 04:10 . 2010-04-21 04:10 -------- d-----w- c:\documents and settings\Owner\Application Data\TrojanHunter
2010-04-21 03:03 . 2010-04-26 16:16 -------- d-----w- c:\program files\TrojanHunter 5.3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 00:43 . 2003-10-14 13:31 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-25 20:55 . 2007-02-25 00:44 435 -c--a-w- c:\windows\system.tmp
2010-04-21 15:12 . 2004-04-02 21:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-21 15:10 . 2004-04-02 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-21 05:39 . 2007-02-25 00:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-18 02:51 . 2007-02-25 00:28 -------- d-----w- c:\program files\Spyware Doctor
2010-04-15 05:45 . 2003-11-15 08:22 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-04-14 13:05 . 2005-06-03 06:35 -------- d-----w- c:\program files\Norton SystemWorks
2010-03-18 22:49 . 2007-08-01 02:10 -------- d-----w- c:\program files\RegCure
2010-03-11 12:38 . 2004-02-06 22:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-06-04 06:14 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2003-11-15 08:22 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-10 00:28 . 2007-02-25 00:44 730 -c--a-w- c:\windows\win.tmp
2010-03-09 11:09 . 2003-11-15 07:58 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:00 . 2009-11-24 12:10 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-24 12:31 . 2003-10-11 10:06 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:19 . 2003-11-15 08:23 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2002-08-29 08:04 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:36 . 2003-11-15 08:22 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 11:08 . 2003-11-15 07:58 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2006-11-21 23:51 . 2006-11-21 23:52 774144 -c--a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-05-02_20.55.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-03 00:43 . 2010-05-03 00:43 16384 c:\windows\Temp\Perflib_Perfdata_d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-23 52840]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PopUpStopperFreeEdition"=c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=c:\windows\System32\hkcmd.exe
"hpsysdrv"=c:\windows\system\hpsysdrv.exe
"KBD"=c:\hp\KBD\KBD.EXE
"LTMSG"=LTMSG.exe 7
"Recguard"=c:\windows\SMINST\RECGUARD.EXE
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
"THGuard"="c:\program files\TrojanHunter 5.3\THGuard.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\ccpm_0237.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [6/3/2005 3:02 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [6/3/2005 3:02 AM 3904]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~4\NORTON~2\NPROTECT.EXE [11/3/2005 7:08 PM 95832]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/10/2008 10:59 PM 99376]
S2 mrtRate;mrtRate; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-13 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job
- c:\progra~1\NORTON~4\NORTON~1\Navw32.exe [2005-09-23 16:13]

2010-04-26 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2006-08-03 00:05]

2010-05-02 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2005-10-26 23:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.att.net/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: att.net\webauth
Trusted Zone: fortunerep.com\www
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com\download
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-02 20:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1730167982-1273179249-2621698179-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4104)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Norton Internet Security\ISSVC.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Spyware Doctor\sdhelp.exe
c:\progra~1\NORTON~4\NORTON~2\SPEEDD~1\NOPDB.EXE
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
.
**************************************************************************
.
Completion time: 2010-05-02 20:47:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-03 00:47
ComboFix2.txt 2010-05-02 20:59

Pre-Run: 138,475,220,992 bytes free
Post-Run: 138,550,755,328 bytes free

- - End Of File - - A674137CE620F33E0371CBE86E33FE3E
 
hi,

If you have extracted TDSSKiller to your desktop you can run it now.
Double-click the extracted file to run it. Follow the prompts.
It will create a log file in your root drive --> Local Disk (C:)

labeled like this:
TDSSkiller .2.2.8.1_02.05.2010_20.55.12_log.txt (version,date,time)

Please post the log.

I will not be back online for about 18 hrs.
 
Here is the log file. It looks clean. I'll look for your post in about 19-20 hours when I get off work tomorrow. Thanks for your help.



22:47:29:703 7640 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
22:47:29:703 7640 ================================================================================
22:47:29:703 7640 SystemInfo:

22:47:29:703 7640 OS Version: 5.1.2600 ServicePack: 2.0
22:47:29:703 7640 Product type: Workstation
22:47:29:703 7640 ComputerName: BILLSR
22:47:29:703 7640 UserName: Owner
22:47:29:703 7640 Windows directory: C:\WINDOWS
22:47:29:703 7640 Processor architecture: Intel x86
22:47:29:703 7640 Number of processors: 1
22:47:29:703 7640 Page size: 0x1000
22:47:29:703 7640 Boot type: Normal boot
22:47:29:703 7640 ================================================================================
22:47:29:703 7640 UnloadDriverW: NtUnloadDriver error 2
22:47:29:703 7640 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
22:47:29:718 7640 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
22:47:29:718 7640 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:47:29:718 7640 wfopen_ex: Trying to KLMD file open
22:47:29:718 7640 wfopen_ex: File opened ok (Flags 2)
22:47:29:718 7640 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
22:47:29:718 7640 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:47:29:718 7640 wfopen_ex: Trying to KLMD file open
22:47:29:718 7640 wfopen_ex: File opened ok (Flags 2)
22:47:29:718 7640 Initialize success
22:47:29:718 7640
22:47:29:718 7640 Scanning Services ...
22:47:30:031 7640 Raw services enum returned 382 services
22:47:30:031 7640
22:47:30:031 7640 Scanning Kernel memory ...
22:47:30:031 7640 Devices to scan: 6
22:47:30:031 7640
22:47:30:031 7640 Driver Name: Disk
22:47:30:031 7640 IRP_MJ_CREATE : F74CDC30
22:47:30:031 7640 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
22:47:30:031 7640 IRP_MJ_CLOSE : F74CDC30
22:47:30:031 7640 IRP_MJ_READ : F74C7D9B
22:47:30:031 7640 IRP_MJ_WRITE : F74C7D9B
22:47:30:031 7640 IRP_MJ_QUERY_INFORMATION : 804F3418
22:47:30:031 7640 IRP_MJ_SET_INFORMATION : 804F3418
22:47:30:031 7640 IRP_MJ_QUERY_EA : 804F3418
22:47:30:031 7640 IRP_MJ_SET_EA : 804F3418
22:47:30:031 7640 IRP_MJ_FLUSH_BUFFERS : F74C8366
22:47:30:031 7640 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
22:47:30:031 7640 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
22:47:30:031 7640 IRP_MJ_DIRECTORY_CONTROL : 804F3418
22:47:30:031 7640 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
22:47:30:031 7640 IRP_MJ_DEVICE_CONTROL : F74C844D
22:47:30:031 7640 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CBFC3
22:47:30:031 7640 IRP_MJ_SHUTDOWN : F74C8366
22:47:30:031 7640 IRP_MJ_LOCK_CONTROL : 804F3418
22:47:30:031 7640 IRP_MJ_CLEANUP : 804F3418
22:47:30:031 7640 IRP_MJ_CREATE_MAILSLOT : 804F3418
22:47:30:031 7640 IRP_MJ_QUERY_SECURITY : 804F3418
22:47:30:031 7640 IRP_MJ_SET_SECURITY : 804F3418
22:47:30:031 7640 IRP_MJ_POWER : F74C9EF3
22:47:30:031 7640 IRP_MJ_SYSTEM_CONTROL : F74CEA24
22:47:30:031 7640 IRP_MJ_DEVICE_CHANGE : 804F3418
22:47:30:031 7640 IRP_MJ_QUERY_QUOTA : 804F3418
22:47:30:031 7640 IRP_MJ_SET_QUOTA : 804F3418
22:47:30:062 7640 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:47:30:062 7640
22:47:30:062 7640 Driver Name: USBSTOR
22:47:30:062 7640 IRP_MJ_CREATE : F77B4218
22:47:30:062 7640 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
22:47:30:062 7640 IRP_MJ_CLOSE : F77B4218
22:47:30:062 7640 IRP_MJ_READ : F77B423C
22:47:30:062 7640 IRP_MJ_WRITE : F77B423C
22:47:30:062 7640 IRP_MJ_QUERY_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_SET_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_QUERY_EA : 804F3418
22:47:30:062 7640 IRP_MJ_SET_EA : 804F3418
22:47:30:062 7640 IRP_MJ_FLUSH_BUFFERS : 804F3418
22:47:30:062 7640 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_DIRECTORY_CONTROL : 804F3418
22:47:30:062 7640 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
22:47:30:062 7640 IRP_MJ_DEVICE_CONTROL : F77B4180
22:47:30:062 7640 IRP_MJ_INTERNAL_DEVICE_CONTROL : F77AF9E6
22:47:30:062 7640 IRP_MJ_SHUTDOWN : 804F3418
22:47:30:062 7640 IRP_MJ_LOCK_CONTROL : 804F3418
22:47:30:062 7640 IRP_MJ_CLEANUP : 804F3418
22:47:30:062 7640 IRP_MJ_CREATE_MAILSLOT : 804F3418
22:47:30:062 7640 IRP_MJ_QUERY_SECURITY : 804F3418
22:47:30:062 7640 IRP_MJ_SET_SECURITY : 804F3418
22:47:30:062 7640 IRP_MJ_POWER : F77B35F0
22:47:30:062 7640 IRP_MJ_SYSTEM_CONTROL : F77B1A6E
22:47:30:062 7640 IRP_MJ_DEVICE_CHANGE : 804F3418
22:47:30:062 7640 IRP_MJ_QUERY_QUOTA : 804F3418
22:47:30:062 7640 IRP_MJ_SET_QUOTA : 804F3418
22:47:30:062 7640 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
22:47:30:062 7640
22:47:30:062 7640 Driver Name: Disk
22:47:30:062 7640 IRP_MJ_CREATE : F74CDC30
22:47:30:062 7640 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
22:47:30:062 7640 IRP_MJ_CLOSE : F74CDC30
22:47:30:062 7640 IRP_MJ_READ : F74C7D9B
22:47:30:062 7640 IRP_MJ_WRITE : F74C7D9B
22:47:30:062 7640 IRP_MJ_QUERY_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_SET_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_QUERY_EA : 804F3418
22:47:30:062 7640 IRP_MJ_SET_EA : 804F3418
22:47:30:062 7640 IRP_MJ_FLUSH_BUFFERS : F74C8366
22:47:30:062 7640 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_DIRECTORY_CONTROL : 804F3418
22:47:30:062 7640 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
22:47:30:062 7640 IRP_MJ_DEVICE_CONTROL : F74C844D
22:47:30:062 7640 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CBFC3
22:47:30:062 7640 IRP_MJ_SHUTDOWN : F74C8366
22:47:30:062 7640 IRP_MJ_LOCK_CONTROL : 804F3418
22:47:30:062 7640 IRP_MJ_CLEANUP : 804F3418
22:47:30:062 7640 IRP_MJ_CREATE_MAILSLOT : 804F3418
22:47:30:062 7640 IRP_MJ_QUERY_SECURITY : 804F3418
22:47:30:062 7640 IRP_MJ_SET_SECURITY : 804F3418
22:47:30:062 7640 IRP_MJ_POWER : F74C9EF3
22:47:30:062 7640 IRP_MJ_SYSTEM_CONTROL : F74CEA24
22:47:30:062 7640 IRP_MJ_DEVICE_CHANGE : 804F3418
22:47:30:062 7640 IRP_MJ_QUERY_QUOTA : 804F3418
22:47:30:062 7640 IRP_MJ_SET_QUOTA : 804F3418
22:47:30:062 7640 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:47:30:062 7640
22:47:30:062 7640 Driver Name: Disk
22:47:30:062 7640 IRP_MJ_CREATE : F74CDC30
22:47:30:062 7640 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
22:47:30:062 7640 IRP_MJ_CLOSE : F74CDC30
22:47:30:062 7640 IRP_MJ_READ : F74C7D9B
22:47:30:062 7640 IRP_MJ_WRITE : F74C7D9B
22:47:30:062 7640 IRP_MJ_QUERY_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_SET_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_QUERY_EA : 804F3418
22:47:30:062 7640 IRP_MJ_SET_EA : 804F3418
22:47:30:062 7640 IRP_MJ_FLUSH_BUFFERS : F74C8366
22:47:30:062 7640 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_DIRECTORY_CONTROL : 804F3418
22:47:30:062 7640 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
22:47:30:062 7640 IRP_MJ_DEVICE_CONTROL : F74C844D
22:47:30:062 7640 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CBFC3
22:47:30:062 7640 IRP_MJ_SHUTDOWN : F74C8366
22:47:30:062 7640 IRP_MJ_LOCK_CONTROL : 804F3418
22:47:30:062 7640 IRP_MJ_CLEANUP : 804F3418
22:47:30:062 7640 IRP_MJ_CREATE_MAILSLOT : 804F3418
22:47:30:062 7640 IRP_MJ_QUERY_SECURITY : 804F3418
22:47:30:062 7640 IRP_MJ_SET_SECURITY : 804F3418
22:47:30:062 7640 IRP_MJ_POWER : F74C9EF3
22:47:30:062 7640 IRP_MJ_SYSTEM_CONTROL : F74CEA24
22:47:30:062 7640 IRP_MJ_DEVICE_CHANGE : 804F3418
22:47:30:062 7640 IRP_MJ_QUERY_QUOTA : 804F3418
22:47:30:062 7640 IRP_MJ_SET_QUOTA : 804F3418
22:47:30:078 7640 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:47:30:078 7640
22:47:30:078 7640 Driver Name: Disk
22:47:30:078 7640 IRP_MJ_CREATE : F74CDC30
22:47:30:078 7640 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
22:47:30:078 7640 IRP_MJ_CLOSE : F74CDC30
22:47:30:078 7640 IRP_MJ_READ : F74C7D9B
22:47:30:078 7640 IRP_MJ_WRITE : F74C7D9B
22:47:30:078 7640 IRP_MJ_QUERY_INFORMATION : 804F3418
22:47:30:078 7640 IRP_MJ_SET_INFORMATION : 804F3418
22:47:30:078 7640 IRP_MJ_QUERY_EA : 804F3418
22:47:30:078 7640 IRP_MJ_SET_EA : 804F3418
22:47:30:078 7640 IRP_MJ_FLUSH_BUFFERS : F74C8366
22:47:30:078 7640 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
22:47:30:078 7640 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
22:47:30:078 7640 IRP_MJ_DIRECTORY_CONTROL : 804F3418
22:47:30:078 7640 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
22:47:30:078 7640 IRP_MJ_DEVICE_CONTROL : F74C844D
22:47:30:078 7640 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CBFC3
22:47:30:078 7640 IRP_MJ_SHUTDOWN : F74C8366
22:47:30:078 7640 IRP_MJ_LOCK_CONTROL : 804F3418
22:47:30:078 7640 IRP_MJ_CLEANUP : 804F3418
22:47:30:078 7640 IRP_MJ_CREATE_MAILSLOT : 804F3418
22:47:30:078 7640 IRP_MJ_QUERY_SECURITY : 804F3418
22:47:30:078 7640 IRP_MJ_SET_SECURITY : 804F3418
22:47:30:078 7640 IRP_MJ_POWER : F74C9EF3
22:47:30:078 7640 IRP_MJ_SYSTEM_CONTROL : F74CEA24
22:47:30:078 7640 IRP_MJ_DEVICE_CHANGE : 804F3418
22:47:30:078 7640 IRP_MJ_QUERY_QUOTA : 804F3418
22:47:30:078 7640 IRP_MJ_SET_QUOTA : 804F3418
22:47:30:078 7640 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:47:30:078 7640
22:47:30:078 7640 Driver Name: atapi
22:47:30:078 7640 IRP_MJ_CREATE : F731A572
22:47:30:078 7640 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
22:47:30:078 7640 IRP_MJ_CLOSE : F731A572
22:47:30:078 7640 IRP_MJ_READ : 804F3418
22:47:30:078 7640 IRP_MJ_WRITE : 804F3418
22:47:30:078 7640 IRP_MJ_QUERY_INFORMATION : 804F3418
22:47:30:078 7640 IRP_MJ_SET_INFORMATION : 804F3418
22:47:30:078 7640 IRP_MJ_QUERY_EA : 804F3418
22:47:30:078 7640 IRP_MJ_SET_EA : 804F3418
22:47:30:078 7640 IRP_MJ_FLUSH_BUFFERS : 804F3418
22:47:30:078 7640 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
22:47:30:078 7640 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
22:47:30:078 7640 IRP_MJ_DIRECTORY_CONTROL : 804F3418
22:47:30:078 7640 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
22:47:30:078 7640 IRP_MJ_DEVICE_CONTROL : F731A592
22:47:30:078 7640 IRP_MJ_INTERNAL_DEVICE_CONTROL : F73167B4
22:47:30:078 7640 IRP_MJ_SHUTDOWN : 804F3418
22:47:30:078 7640 IRP_MJ_LOCK_CONTROL : 804F3418
22:47:30:078 7640 IRP_MJ_CLEANUP : 804F3418
22:47:30:078 7640 IRP_MJ_CREATE_MAILSLOT : 804F3418
22:47:30:078 7640 IRP_MJ_QUERY_SECURITY : 804F3418
22:47:30:078 7640 IRP_MJ_SET_SECURITY : 804F3418
22:47:30:078 7640 IRP_MJ_POWER : F731A5BC
22:47:30:078 7640 IRP_MJ_SYSTEM_CONTROL : F7321164
22:47:30:078 7640 IRP_MJ_DEVICE_CHANGE : 804F3418
22:47:30:078 7640 IRP_MJ_QUERY_QUOTA : 804F3418
22:47:30:078 7640 IRP_MJ_SET_QUOTA : 804F3418
22:47:30:109 7640 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
22:47:30:109 7640
22:47:30:109 7640 Completed
22:47:30:109 7640
22:47:30:109 7640 Results:
22:47:30:109 7640 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
22:47:30:109 7640 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
22:47:30:109 7640 File objects infected / cured / cured on reboot: 0 / 0 / 0
22:47:30:109 7640
22:47:30:109 7640 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
22:47:30:109 7640 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
22:47:30:109 7640 KLMD(ARK) unloaded successfully
 
Sorry to take so long. I got off work late. Here is the log of the scan. It failed to update, but I ran it as is. I had to connect to the internet to try the update. The scan found 3 more problems, and rebooted to remove them. So I tried to update a second time and had the same results. Lastly I ran Malwarebytes a second time. It came up empty, but as I said, it never did update. Here are the logs.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

5/4/2010 12:06:54 AM
mbam-log-2010-05-04 (00-06-54).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 233267
Time elapsed: 40 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\vtuurr.dll.vir (Trojan.VirTool) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP4\A0001156.dll (Trojan.VirTool) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP4\A0001168.dll (Trojan.VirTool) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

5/4/2010 12:54:46 AM
mbam-log-2010-05-04 (00-54-46).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 232970
Time elapsed: 38 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
BTW, I went to a different mirror site, "cnet"; it had a version 1.46. I deleted the original Malwarebytes and reinstalled using the newer version. That one updated and is currently running. I will post the log after it completes.
 
OK, last time that I will post before your response. I guess I needed to read the prior post, because it was the updated version 1.46. Anyway, the last scan came up empty as well.
 
I deleted all of the Norton AV files. I also went in and deleted all of the Symantec files that I could find and ran a registry cleaner for anything that I missed. Here is the last TDSSKiller log. Tell me what you think.

I will need another antivirus program, but I want one that doesn't use so much of my system resources. Not sure what I am going to use right now. Anyway, if you want anything else let me know. And thanks, I really appreciate it. I thought that I was going to have to re-install Windows to get rid of it.


23:04:01:500 3008 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
23:04:01:500 3008 ================================================================================
23:04:01:500 3008 SystemInfo:

23:04:01:500 3008 OS Version: 5.1.2600 ServicePack: 2.0
23:04:01:500 3008 Product type: Workstation
23:04:01:500 3008 ComputerName: BILLSR
23:04:01:500 3008 UserName: Owner
23:04:01:500 3008 Windows directory: C:\WINDOWS
23:04:01:500 3008 Processor architecture: Intel x86
23:04:01:500 3008 Number of processors: 1
23:04:01:500 3008 Page size: 0x1000
23:04:01:515 3008 Boot type: Normal boot
23:04:01:515 3008 ================================================================================
23:04:01:515 3008 UnloadDriverW: NtUnloadDriver error 2
23:04:01:515 3008 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
23:04:01:531 3008 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
23:04:01:531 3008 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:04:01:531 3008 wfopen_ex: Trying to KLMD file open
23:04:01:531 3008 wfopen_ex: File opened ok (Flags 2)
23:04:01:531 3008 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
23:04:01:531 3008 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:04:01:531 3008 wfopen_ex: Trying to KLMD file open
23:04:01:531 3008 wfopen_ex: File opened ok (Flags 2)
23:04:01:531 3008 Initialize success
23:04:01:531 3008
23:04:01:531 3008 Scanning Services ...
23:04:01:828 3008 Raw services enum returned 352 services
23:04:01:828 3008
23:04:01:828 3008 Scanning Kernel memory ...
23:04:01:828 3008 Devices to scan: 5
23:04:01:828 3008
23:04:01:828 3008 Driver Name: Disk
23:04:01:828 3008 IRP_MJ_CREATE : F74CDC30
23:04:01:828 3008 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
23:04:01:828 3008 IRP_MJ_CLOSE : F74CDC30
23:04:01:828 3008 IRP_MJ_READ : F74C7D9B
23:04:01:828 3008 IRP_MJ_WRITE : F74C7D9B
23:04:01:828 3008 IRP_MJ_QUERY_INFORMATION : 804F3418
23:04:01:828 3008 IRP_MJ_SET_INFORMATION : 804F3418
23:04:01:828 3008 IRP_MJ_QUERY_EA : 804F3418
23:04:01:828 3008 IRP_MJ_SET_EA : 804F3418
23:04:01:828 3008 IRP_MJ_FLUSH_BUFFERS : F74C8366
23:04:01:828 3008 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
23:04:01:828 3008 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
23:04:01:828 3008 IRP_MJ_DIRECTORY_CONTROL : 804F3418
23:04:01:828 3008 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
23:04:01:828 3008 IRP_MJ_DEVICE_CONTROL : F74C844D
23:04:01:828 3008 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CBFC3
23:04:01:828 3008 IRP_MJ_SHUTDOWN : F74C8366
23:04:01:828 3008 IRP_MJ_LOCK_CONTROL : 804F3418
23:04:01:828 3008 IRP_MJ_CLEANUP : 804F3418
23:04:01:828 3008 IRP_MJ_CREATE_MAILSLOT : 804F3418
23:04:01:828 3008 IRP_MJ_QUERY_SECURITY : 804F3418
23:04:01:828 3008 IRP_MJ_SET_SECURITY : 804F3418
23:04:01:828 3008 IRP_MJ_POWER : F74C9EF3
23:04:01:828 3008 IRP_MJ_SYSTEM_CONTROL : F74CEA24
23:04:01:828 3008 IRP_MJ_DEVICE_CHANGE : 804F3418
23:04:01:828 3008 IRP_MJ_QUERY_QUOTA : 804F3418
23:04:01:828 3008 IRP_MJ_SET_QUOTA : 804F3418
23:04:01:843 3008 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:04:01:843 3008
23:04:01:843 3008 Driver Name: USBSTOR
23:04:01:843 3008 IRP_MJ_CREATE : F77AC218
23:04:01:843 3008 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
23:04:01:843 3008 IRP_MJ_CLOSE : F77AC218
23:04:01:843 3008 IRP_MJ_READ : F77AC23C
23:04:01:843 3008 IRP_MJ_WRITE : F77AC23C
23:04:01:843 3008 IRP_MJ_QUERY_INFORMATION : 804F3418
23:04:01:843 3008 IRP_MJ_SET_INFORMATION : 804F3418
23:04:01:843 3008 IRP_MJ_QUERY_EA : 804F3418
23:04:01:843 3008 IRP_MJ_SET_EA : 804F3418
23:04:01:843 3008 IRP_MJ_FLUSH_BUFFERS : 804F3418
23:04:01:843 3008 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
23:04:01:843 3008 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
23:04:01:843 3008 IRP_MJ_DIRECTORY_CONTROL : 804F3418
23:04:01:843 3008 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
23:04:01:843 3008 IRP_MJ_DEVICE_CONTROL : F77AC180
23:04:01:843 3008 IRP_MJ_INTERNAL_DEVICE_CONTROL : F77A79E6
23:04:01:843 3008 IRP_MJ_SHUTDOWN : 804F3418
23:04:01:843 3008 IRP_MJ_LOCK_CONTROL : 804F3418
23:04:01:843 3008 IRP_MJ_CLEANUP : 804F3418
23:04:01:843 3008 IRP_MJ_CREATE_MAILSLOT : 804F3418
23:04:01:843 3008 IRP_MJ_QUERY_SECURITY : 804F3418
23:04:01:843 3008 IRP_MJ_SET_SECURITY : 804F3418
23:04:01:843 3008 IRP_MJ_POWER : F77AB5F0
23:04:01:843 3008 IRP_MJ_SYSTEM_CONTROL : F77A9A6E
23:04:01:843 3008 IRP_MJ_DEVICE_CHANGE : 804F3418
23:04:01:843 3008 IRP_MJ_QUERY_QUOTA : 804F3418
23:04:01:843 3008 IRP_MJ_SET_QUOTA : 804F3418
23:04:01:859 3008 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
23:04:01:859 3008
23:04:01:859 3008 Driver Name: Disk
23:04:01:859 3008 IRP_MJ_CREATE : F74CDC30
23:04:01:859 3008 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
23:04:01:859 3008 IRP_MJ_CLOSE : F74CDC30
23:04:01:859 3008 IRP_MJ_READ : F74C7D9B
23:04:01:859 3008 IRP_MJ_WRITE : F74C7D9B
23:04:01:859 3008 IRP_MJ_QUERY_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_SET_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_EA : 804F3418
23:04:01:859 3008 IRP_MJ_SET_EA : 804F3418
23:04:01:859 3008 IRP_MJ_FLUSH_BUFFERS : F74C8366
23:04:01:859 3008 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_DIRECTORY_CONTROL : 804F3418
23:04:01:859 3008 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
23:04:01:859 3008 IRP_MJ_DEVICE_CONTROL : F74C844D
23:04:01:859 3008 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CBFC3
23:04:01:859 3008 IRP_MJ_SHUTDOWN : F74C8366
23:04:01:859 3008 IRP_MJ_LOCK_CONTROL : 804F3418
23:04:01:859 3008 IRP_MJ_CLEANUP : 804F3418
23:04:01:859 3008 IRP_MJ_CREATE_MAILSLOT : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_SECURITY : 804F3418
23:04:01:859 3008 IRP_MJ_SET_SECURITY : 804F3418
23:04:01:859 3008 IRP_MJ_POWER : F74C9EF3
23:04:01:859 3008 IRP_MJ_SYSTEM_CONTROL : F74CEA24
23:04:01:859 3008 IRP_MJ_DEVICE_CHANGE : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_QUOTA : 804F3418
23:04:01:859 3008 IRP_MJ_SET_QUOTA : 804F3418
23:04:01:859 3008 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:04:01:859 3008
23:04:01:859 3008 Driver Name: Disk
23:04:01:859 3008 IRP_MJ_CREATE : F74CDC30
23:04:01:859 3008 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
23:04:01:859 3008 IRP_MJ_CLOSE : F74CDC30
23:04:01:859 3008 IRP_MJ_READ : F74C7D9B
23:04:01:859 3008 IRP_MJ_WRITE : F74C7D9B
23:04:01:859 3008 IRP_MJ_QUERY_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_SET_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_EA : 804F3418
23:04:01:859 3008 IRP_MJ_SET_EA : 804F3418
23:04:01:859 3008 IRP_MJ_FLUSH_BUFFERS : F74C8366
23:04:01:859 3008 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_DIRECTORY_CONTROL : 804F3418
23:04:01:859 3008 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
23:04:01:859 3008 IRP_MJ_DEVICE_CONTROL : F74C844D
23:04:01:859 3008 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CBFC3
23:04:01:859 3008 IRP_MJ_SHUTDOWN : F74C8366
23:04:01:859 3008 IRP_MJ_LOCK_CONTROL : 804F3418
23:04:01:859 3008 IRP_MJ_CLEANUP : 804F3418
23:04:01:859 3008 IRP_MJ_CREATE_MAILSLOT : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_SECURITY : 804F3418
23:04:01:859 3008 IRP_MJ_SET_SECURITY : 804F3418
23:04:01:859 3008 IRP_MJ_POWER : F74C9EF3
23:04:01:859 3008 IRP_MJ_SYSTEM_CONTROL : F74CEA24
23:04:01:859 3008 IRP_MJ_DEVICE_CHANGE : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_QUOTA : 804F3418
23:04:01:859 3008 IRP_MJ_SET_QUOTA : 804F3418
23:04:01:859 3008 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:04:01:859 3008
23:04:01:859 3008 Driver Name: atapi
23:04:01:859 3008 IRP_MJ_CREATE : F731A572
23:04:01:859 3008 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
23:04:01:859 3008 IRP_MJ_CLOSE : F731A572
23:04:01:859 3008 IRP_MJ_READ : 804F3418
23:04:01:859 3008 IRP_MJ_WRITE : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_SET_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_EA : 804F3418
23:04:01:859 3008 IRP_MJ_SET_EA : 804F3418
23:04:01:859 3008 IRP_MJ_FLUSH_BUFFERS : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_DIRECTORY_CONTROL : 804F3418
23:04:01:859 3008 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
23:04:01:859 3008 IRP_MJ_DEVICE_CONTROL : F731A592
23:04:01:859 3008 IRP_MJ_INTERNAL_DEVICE_CONTROL : F73167B4
23:04:01:859 3008 IRP_MJ_SHUTDOWN : 804F3418
23:04:01:859 3008 IRP_MJ_LOCK_CONTROL : 804F3418
23:04:01:859 3008 IRP_MJ_CLEANUP : 804F3418
23:04:01:859 3008 IRP_MJ_CREATE_MAILSLOT : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_SECURITY : 804F3418
23:04:01:859 3008 IRP_MJ_SET_SECURITY : 804F3418
23:04:01:859 3008 IRP_MJ_POWER : F731A5BC
23:04:01:859 3008 IRP_MJ_SYSTEM_CONTROL : F7321164
23:04:01:859 3008 IRP_MJ_DEVICE_CHANGE : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_QUOTA : 804F3418
23:04:01:859 3008 IRP_MJ_SET_QUOTA : 804F3418
23:04:01:890 3008 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
23:04:01:890 3008
23:04:01:890 3008 Completed
23:04:01:890 3008
23:04:01:890 3008 Results:
23:04:01:890 3008 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
23:04:01:890 3008 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:04:01:890 3008 File objects infected / cured / cured on reboot: 0 / 0 / 0
23:04:01:890 3008
23:04:01:890 3008 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
23:04:01:890 3008 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
23:04:01:890 3008 KLMD(ARK) unloaded successfully
 
That log looks ok to me. Norton too heavy on the system's resources? You ran the uninstaller in the Add/Remove Programs panel? There are several free AVs you can choose from. I will post back.
 
I am interested in Viper AV with anti-spy and firewall, along with their CounterSpy program. The best that I can find out is that it has a fairly small footprint on your system memory and still manages to catch 92% of the crap live. I know that free is a price that I really like, but my kids get on my machine and go places that I don't allow. I am interested in what you post. I have several computers that my kids can't touch, business and laptop, neither of which ever goes places that have high risk, but they do open a lot of e-mail.
 