BleepingComputer.com: constant echo requests from "Tcpip Kernel Driver"; Google redirected; "GLARM" in registry


Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

DO NOT RUN ComboFix unless requested to.

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

constant echo requests from "Tcpip Kernel Driver"; Google redirected; "GLARM" in registry I can't stop or find the source of the echo requests.

#16 m0le

  • Group: Malware Response Instructor
  • Posts: 29,114
  • Joined: 24-July 08
  • Gender: Male
  • Location: London, UK

Posted 15 February 2012 - 06:28 PM

That's down to your operating system - another tool we can't use.

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Please copy the following into the Custom Scans box at the bottom

    /md5start
    nv4_mini.sys
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    


  • Now click the Run Scan button on the toolbar.
  • Let it run until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.


Post the log in the next reply.
If I have helped you fix your PC then please donate. Thanks

m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)
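The /md5start ... /md5stop block above asks OTL to hash a fixed list of system files and report every copy it finds, so that a live driver can be compared with its backup copies and with a known-good hash. The script below is an added example of that check written independently; it is not OTL's code and not part of m0le's post. It takes the file names from the post's list, walks a directory tree, hashes every copy of each name, and reports two kinds of finding: copies of one name that do not all hash the same, and a copy that does not match a supplied baseline. The sample tree, its file contents and the baseline hash in demo() are constructed for the example (MD5 of the constructed bytes, not real Microsoft file hashes); the dllcache and drivers folder names reflect the Windows 2000/XP layout. MD5 is used only because it is what OTL reports; the value of the check lies in having a trusted copy to compare against.

```python
"""File-hash sweep modelled on OTL's /md5start ... /md5stop custom scan.

Added example, not OTL's code. MD5 is used because that is what OTL reports;
the check is only as good as the known-good copy you compare against.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

# File names taken from the custom scan list in the post above.
SCAN_LIST = [
    "nv4_mini.sys", "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll",
    "sceclt.dll", "ntelogon.dll", "logevent.dll", "iaStor.sys", "nvstor.sys",
    "atapi.sys", "IdeChnDr.sys", "viasraid.sys", "AGP440.sys", "vaxscsi.sys",
    "nvatabus.sys", "viamraid.sys", "nvata.sys", "nvgts.sys", "iastorv.sys",
    "ViPrt.sys",
]


def md5_of_file(path, chunk=1 << 16):
    """Hash a file in chunks so large drivers are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_scan_list(root, names=SCAN_LIST):
    """Walk root and return {name: {path: md5}} for every copy of each listed
    name (matched case-insensitively, as Windows file names are). Several
    copies per name are normal on Windows 2000/XP (drivers\\, dllcache\\,
    ServicePackFiles\\). A name with no copy on disk maps to an empty dict."""
    wanted = {n.lower(): n for n in names}
    hits = defaultdict(dict)
    for dirpath, _, files in os.walk(root):
        for fn in files:
            name = wanted.get(fn.lower())
            if name is not None:
                full = os.path.join(dirpath, fn)
                hits[name][full] = md5_of_file(full)
    return {n: dict(hits.get(n, {})) for n in names}


def triage(hits, baseline=None):
    """Reduce the sweep to (name, kind, detail) findings a responder acts on:
      ("x", "inconsistent copies", n)   n copies of x on disk hash differently,
                                        so at least one differs from its backup;
      ("x", "differs from baseline", p) a known-good hash was given for x and
                                        the copy at path p does not match it.
    A name with no copy at all is not a finding: much of the list exists only
    on particular hardware (nvstor.sys on nVidia chipsets, for example)."""
    baseline = baseline or {}
    findings = []
    for name, copies in hits.items():
        if len(set(copies.values())) > 1:
            findings.append((name, "inconsistent copies", len(copies)))
        good = baseline.get(name)
        if good is not None:
            for path, digest in copies.items():
                if digest != good:
                    findings.append((name, "differs from baseline", path))
    return findings


def demo():
    """Constructed sample tree (not a real system): the live atapi.sys differs
    from the dllcache copy, AGP440.sys matches its baseline, and every other
    listed name is absent. Returns the triage() findings."""
    root = tempfile.mkdtemp()
    clean_atapi = b"MZ\x90\x00 constructed stand-in for atapi.sys"
    agp = b"MZ\x90\x00 constructed stand-in for AGP440.sys"
    layout = {
        ("system32", "dllcache", "atapi.sys"): clean_atapi,
        ("system32", "drivers", "atapi.sys"): clean_atapi + b"\x00" * 8,  # altered copy
        ("system32", "drivers", "AGP440.sys"): agp,
    }
    for parts, data in layout.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    # Placeholder baseline computed from the constructed bytes; in practice it
    # comes from a trusted copy of the file, never from the machine under review.
    baseline = {"AGP440.sys": hashlib.md5(agp).hexdigest()}
    return triage(hash_scan_list(root), baseline)


if __name__ == "__main__":
    for name, kind, detail in demo():
        print(f"{name}: {kind} ({detail})")
```

Point hash_scan_list at %SystemRoot% on a real machine and the "inconsistent copies" finding is the one to read first: it does not depend on having a baseline, and a live copy that disagrees with its own dllcache or ServicePackFiles copy is exactly what the OTL output lets the responder spot by eye.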

#17 ljen

  • Group: Members
  • Posts: 12
  • Joined: 06-February 12
  • Gender: Male

Posted 16 February 2012 - 12:45 AM

Here it is.
Again, thanks for helping me through all this.
-ljen

OTL logfile created on: 2/15/2012 10:23:05 PM - Run 4
OTL by OldTimer - Version 3.2.32.0 Folder = C:\Documents and Settings\Lowell Jensen\Desktop
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.08 Mb Total Physical Memory | 378.87 Mb Available Physical Memory | 74.13% Memory free
1.22 Gb Paging File | 1.10 Gb Available in Paging File | 90.04% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = D:\win
Drive C: | 7.81 Gb Total Space | 0.96 Gb Free Space | 12.32% Space Free | Partition Type: NTFS
Drive D: | 38.22 Gb Total Space | 2.26 Gb Free Space | 5.92% Space Free | Partition Type: FAT32
Drive H: | 298.09 Gb Total Space | 275.07 Gb Free Space | 92.28% Space Free | Partition Type: NTFS
Drive S: | 1.88 Gb Total Space | 0.15 Gb Free Space | 8.05% Space Free | Partition Type: FAT
Drive X: | 3.81 Gb Total Space | 3.81 Gb Free Space | 100.00% Space Free | Partition Type: FAT32

Computer Name: MAX | User Name: Lowell Jensen | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Lowell Jensen\Desktop\OTL.exe (OldTimer Tools)
PRC - D:\win\SUPERAntiSpyware\SASCore.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\RALINK\Common\RaUI.exe (Ralink Technology, Corp.)
PRC - C:\WINNT\system32\mstask.exe (Microsoft Corporation)
PRC - C:\WINNT\explorer.exe (Microsoft Corporation)
PRC - C:\WINNT\system32\wbem\WinMgmt.exe (Microsoft Corporation)
PRC - C:\WINNT\system32\regsvc.exe (Microsoft Corporation)
PRC - C:\WINNT\system32\stisvc.exe (Microsoft Corporation)
PRC - C:\WINNT\system32\hidserv.exe (Microsoft Corporation)
PRC - D:\win\Kerio Personal Firewall\PERSFW.exe (Kerio Technologies)
PRC - C:\WINNT\system32\tbctray.exe (Voyetra Turtle Beach, Inc.)
PRC - C:\WINNT\system32\ltmsg.exe (LUCENT TECHNOLOGIES)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\RALINK\Common\acAuth.dll ()


========== Win32 Services (SafeList) ==========

SRV - (gusvc) -- File not found
SRV - (!SASCORE) -- D:\win\SUPERAntiSpyware\SASCORE.EXE (SUPERAntiSpyware.com)
SRV - (Schedule) -- C:\WINNT\system32\mstask.exe (Microsoft Corporation)
SRV - (WinMgmt) -- C:\WINNT\system32\wbem\WinMgmt.exe (Microsoft Corporation)
SRV - (dmadmin) -- C:\WINNT\System32\dmadmin.exe (VERITAS Software Corp.)
SRV - (Fax) -- C:\WINNT\system32\FAXSVC.EXE (Microsoft Corporation)
SRV - (RemoteRegistry) -- C:\WINNT\system32\regsvc.exe (Microsoft Corporation)
SRV - (StiSvc) -- C:\WINNT\system32\stisvc.exe (Microsoft Corporation)
SRV - (UtilMan) -- C:\WINNT\system32\utilman.exe (Microsoft Corporation)
SRV - (HidServ) -- C:\WINNT\system32\hidserv.exe (Microsoft Corporation)
SRV - (PersFw) -- D:\win\Kerio Personal Firewall\persfw.exe (Kerio Technologies)


========== Driver Services (SafeList) ==========

DRV - (rt2870) -- C:\WINNT\system32\drivers\rt2870.sys (Ralink Technology, Corp.)
DRV - (SASDIFSV) -- D:\win\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- D:\win\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (RT80x86) -- C:\WINNT\system32\drivers\rt2860.sys (Ralink Technology, Corp.)
DRV - (Cdralw2k) -- C:\WINNT\System32\drivers\cdralw2k.sys (Sonic Solutions)
DRV - (Cdr4_2K) -- C:\WINNT\System32\drivers\cdr4_2k.sys (Sonic Solutions)
DRV - (gameenum) -- C:\WINNT\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (dmboot) -- C:\WINNT\system32\drivers\dmboot.sys (VERITAS Software Corp.)
DRV - (dmio) -- C:\WINNT\System32\drivers\dmio.sys (VERITAS Software Corp.)
DRV - (Parallel) -- C:\WINNT\system32\drivers\parallel.sys (Microsoft Corporation)
DRV - (uhcd) -- C:\WINNT\system32\drivers\uhcd.sys (Microsoft Corporation)
DRV - (EFS) -- C:\WINNT\System32\drivers\efs.sys (Microsoft Corporation)
DRV - (Diskperf) -- C:\WINNT\System32\drivers\diskperf.sys (Microsoft Corporation)
DRV - (dmload) -- C:\WINNT\System32\drivers\dmload.sys (VERITAS Software Corp.)
DRV - (tbcwdm) -- C:\WINNT\system32\drivers\tbcwdm.sys (Voyetra Turtle Beach)
DRV - (tbcspud) -- C:\WINNT\system32\drivers\tbcspud.sys (Voyetra Turtle Beach)
DRV - (fwdrv) -- C:\WINNT\system32\drivers\FWDRV.SYS ()
DRV - (EL90Xbc) -- C:\WINNT\system32\drivers\el90Xbc5.SYS (3Com Corporation)
DRV - (EL90BC) -- C:\WINNT\system32\drivers\el90Xbc5.SYS (3Com Corporation)
DRV - (ltmodem5) -- C:\WINNT\system32\drivers\ltmdmnt.sys (LT)
DRV - (RCA) -- C:\WINNT\system32\drivers\rca.sys (Microsoft Corporation)
DRV - (NetDetect) -- C:\WINNT\system32\drivers\netdtect.sys (Microsoft Corporation)
DRV - (IntelATA) -- C:\WINNT\System32\DRIVERS\intelata.sys (Intel Corporation)
DRV - (idebd) -- C:\WINNT\System32\DRIVERS\idebd.sys (Intel Corporation)
DRV - (cmosa) -- C:\WINNT\System32\drivers\cmosa.sys (Dell Computer Corporation.)
DRV - (cwcspud) Crystal SoundFusion™ -- C:\WINNT\system32\drivers\cwcspud.sys (Microsoft Corporation)
DRV - (scsiscan) -- C:\WINNT\system32\drivers\scsiscan.sys ()
DRV - (Aspi32) -- C:\WINNT\System32\drivers\ASPI32.SYS (Adaptec)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINNT\system32\SHDOCVW.DLL (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "resource:///readme.html"


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINNT\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: D:\win\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa2,version=2.0.0: D:\win\Picasa2\npPicasa2.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@macromedia.com/FlashPlayer8: C:\WINNT\SYSTEM32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: d:\win\Microsoft Silverlight\4.0.50524.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: D:\win\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: D:\win\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.1.11: D:\win\VLC\npvlc.dll (the VideoLAN Team)
FF - HKCU\Software\MozillaPlugins\@macromedia.com/FlashPlayer8: C:\WINNT\SYSTEM32\Macromed\Flash\NPSWF32.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2010/06/29 14:00:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.24\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/12/05 07:58:10 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.24\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/12/03 15:56:56 | 000,000,000 | ---D | M]

[2011/12/05 07:58:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lowell Jensen\Application Data\Mozilla\Extensions
[2011/12/05 07:58:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lowell Jensen\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2011/02/11 16:23:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lowell Jensen\Application Data\Mozilla\Extensions-BackupByFirefoxPortable
[2011/02/11 16:23:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lowell Jensen\Application Data\Mozilla\Extensions-BackupByFirefoxPortable\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2012/01/27 21:10:39 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lowell Jensen\Application Data\Mozilla\Firefox\Profiles\retlmslp.default\extensions
[2012/01/10 21:51:56 | 000,000,000 | ---D | M] (Flash and Video Download) -- C:\Documents and Settings\Lowell Jensen\Application Data\Mozilla\Firefox\Profiles\retlmslp.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}

O1 HOSTS File: ([2000/07/26 10:00:00 | 000,000,734 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (@msdxmLC.dll,-1@1033,&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx ()
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINNT\system32\BROWSEUI.DLL (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINNT\system32\BROWSEUI.DLL (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINNT\system32\BROWSEUI.DLL (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINNT\system32\BROWSEUI.DLL (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINNT\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINNT\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINNT\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] D:\win\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [Synchronization Manager] C:\WINNT\System32\mobsync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [TraySantaCruz] C:\WINNT\system32\tbctray.exe (Voyetra Turtle Beach, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2010/08/25 20:58:07 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe (Ralink Technology, Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINNT\system32\RNR20.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINNT\system32\winrnr.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINNT\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINNT\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab (Reg Error: Key error.)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} https://config.skillcheck.com/onlinetesting/icaclients/win32/8.1.00/onlinetesting.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1328142197540 (WUWebControl Class)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38600.9359606481 (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} http://fdl.msn.com/zone/datafiles/heartbeat.cab (Reg Error: Key error.)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.12.15.1 8.8.8.8 8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DAFC3509-64C3-4CD7-8FF5-D6520BF33D51}: DhcpNameServer = 10.12.15.1 8.8.8.8 8.8.4.4
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\MSHTML.DLL (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINNT\system32\URLMON.DLL (Microsoft Corporation)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\URLMON.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\URLMON.DLL (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\URLMON.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\URLMON.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\URLMON.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINNT\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\MSHTML.DLL (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\URLMON.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\MSHTML.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINNT\system32\INETCOMM.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\URLMON.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINNT\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\MSHTML.DLL (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINNT\system32\MSHTML.DLL (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\MSHTML.DLL (Microsoft Corporation)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
O18 - Protocol\Filter\application/octet-stream - No CLSID value found
O18 - Protocol\Filter\application/x-complus - No CLSID value found
O18 - Protocol\Filter\application/x-msdownload - No CLSID value found
O18 - Protocol\Filter\Class Install Handler - No CLSID value found
O18 - Protocol\Filter\deflate - No CLSID value found
O18 - Protocol\Filter\gzip - No CLSID value found
O18 - Protocol\Filter\lzdhtml - No CLSID value found
O18 - Protocol\Filter\text/webviewhtml - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINNT\system32\userinit.exe) - C:\WINNT\system32\USERINIT.EXE (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINNT\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINNT\System32\SYSDM.CPL (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (D:\win\SUPERAntiSpyware\SASWINLO.DLL) - D:\win\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\crypt32chain: DllName - (crypt32.dll) - C:\WINNT\System32\CRYPT32.DLL (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - (cryptnet.dll) - C:\WINNT\System32\CRYPTNET.DLL (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - (cscdll.dll) - C:\WINNT\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - (sclgntfy.dll) - C:\WINNT\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - (WlNotify.dll) - C:\WINNT\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wzcnotif: DllName - (wzcdlg.dll) - C:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
O21 - SSODL: Network.ConnectionTray - {7007ACCF-3202-11D1-AAD2-00805FC1270E} - C:\WINNT\system32\netshell.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINNT\System32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINNT\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINNT\system32\BROWSEUI.DLL (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINNT\system32\BROWSEUI.DLL (Microsoft Corporation)
O24 - Desktop Components:0 () -
O24 - Desktop WallPaper: D:\docs\Pictures\Raphael Disputation wallpaper.bmp
O24 - Desktop BackupWallPaper: D:\docs\Pictures\Raphael Disputation wallpaper.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - D:\win\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINNT\System32\SHELL32.DLL (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINNT\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINNT\System32\SCHANNEL.DLL (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINNT\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINNT\System32\msnsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINNT\System32\ZWebAuth.dll ()
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINNT\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINNT\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINNT\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINNT\System32\schannel.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/09/05 20:08:38 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2011/11/09 22:13:50 | 000,000,501 | ---- | M] () - S:\autoruns.lnk -- [ FAT ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/13 21:00:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lowell Jensen\Desktop\60 day scan
[2012/02/13 20:45:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lowell Jensen\Desktop\30 day scan
[2012/02/13 20:19:28 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lowell Jensen\Desktop\OTL.exe
[2012/02/13 16:37:09 | 002,061,360 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Lowell Jensen\Desktop\TDSSKiller.exe
[2012/02/12 21:28:09 | 004,402,282 | ---- | C] (Swearware) -- C:\Documents and Settings\Lowell Jensen\Desktop\comfix.exe
[2012/02/11 21:15:16 | 004,733,440 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Lowell Jensen\Desktop\aswMBR.exe
[2012/02/08 21:06:32 | 000,000,000 | ---D | C] -- D:\docs\food
[2012/02/08 20:41:53 | 000,000,000 | ---D | C] -- D:\docs\teaching
[2012/02/06 21:36:18 | 000,000,000 | ---D | C] -- D:\docs\My Pictures
[2012/02/06 21:36:18 | 000,000,000 | ---D | C] -- D:\docs\Lowell
[2012/02/01 18:18:55 | 000,101,720 | ---- | C] (Sunbelt Software) -- C:\WINNT\System32\drivers\SBREDrv.sys
[2012/02/01 18:05:17 | 000,000,000 | ---D | C] -- C:\WINNT\Local Settings
[2012/02/01 18:03:14 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/02/01 18:03:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2012/02/01 17:47:24 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- D:\win\hijackthis.exe
[2012/02/01 17:39:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lowell Jensen\Application Data\SUPERAntiSpyware.com
[2012/02/01 17:39:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2012/02/01 17:39:00 | 000,000,000 | ---D | C] -- D:\win\SUPERAntiSpyware
[2012/02/01 17:33:30 | 000,050,688 | ---- | C] (Atribune.org) -- D:\win\ATF-Cleaner.exe
[2012/01/27 18:41:05 | 000,000,000 | ---D | C] -- D:\win\Rootkit Revealer
[2012/01/26 19:16:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lowell Jensen\Application Data\Malwarebytes
[2012/01/26 19:16:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/01/26 19:16:01 | 000,018,800 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2012/01/26 19:16:01 | 000,000,000 | ---D | C] -- D:\win\Malwarebytes
[2012/01/21 14:00:05 | 000,000,000 | ---D | C] -- D:\win\MRU-Blaster
[2012/01/21 11:50:31 | 000,000,000 | ---D | C] -- D:\win\Spybot
[2012/01/21 11:50:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2012/01/19 17:55:07 | 000,000,000 | ---D | C] -- D:\docs\Downloads
[2012/01/18 23:25:55 | 000,000,000 | ---D | C] -- D:\docs\seminary
[2012/01/18 23:22:11 | 000,000,000 | ---D | C] -- D:\docs\archive graphics
[4 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[2 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/15 22:19:42 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lowell Jensen\Desktop\OTL.exe
[2012/02/15 22:14:46 | 000,029,204 | ---- | M] () -- C:\WINNT\System32\nvapps.xml
[2012/02/15 22:14:02 | 535,904,256 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/14 22:07:26 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\Lowell Jensen\Desktop\SystemLook.exe
[2012/02/14 09:53:05 | 000,000,344 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/13 16:33:07 | 000,000,113 | ---- | M] () -- C:\Documents and Settings\Lowell Jensen\Desktop\constant echo requests from Tcpip Kernel Driver; Google redirected; GLARM in registry.URL
[2012/02/13 00:12:41 | 000,000,072 | ---- | M] () -- C:\Documents and Settings\Lowell Jensen\Desktop\The carthusian way.URL
[2012/02/12 23:28:32 | 000,000,138 | ---- | M] () -- C:\Documents and Settings\Lowell Jensen\Desktop\Message of His Holiness Benedict XVI for Lent 2012.URL
[2012/02/12 21:28:52 | 004,402,282 | ---- | M] (Swearware) -- C:\Documents and Settings\Lowell Jensen\Desktop\comfix.exe
[2012/02/12 19:29:54 | 000,001,635 | ---- | M] () -- C:\Documents and Settings\Lowell Jensen\Desktop\johnnnn.mp3
[2012/02/12 19:29:00 | 000,001,635 | ---- | M] () -- C:\Documents and Settings\Lowell Jensen\Desktop\Isaiah.mp3
[2012/02/12 14:16:20 | 027,382,868 | ---- | M] () -- C:\Documents and Settings\Lowell Jensen\Desktop\John_KJV_mp3_complete--audiotreasure_com.zip
[2012/02/11 21:18:32 | 004,733,440 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Lowell Jensen\Desktop\aswMBR.exe
[2012/02/11 16:59:22 | 002,061,360 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Lowell Jensen\Desktop\TDSSKiller.exe
[2012/02/10 16:31:28 | 000,000,067 | ---- | M] () -- C:\Documents and Settings\Lowell Jensen\Desktop\Croatia.URL
[2012/02/08 23:00:19 | 000,000,203 | ---- | M] () -- C:\Documents and Settings\Lowell Jensen\Desktop\teaching.lnk
[2012/02/06 23:17:40 | 000,000,704 | ---- | M] () -- C:\Documents and Settings\Lowell Jensen\Desktop\ark.zip
[2012/02/06 22:18:27 | 000,000,392 | ---- | M] () -- C:\Documents and Settings\Lowell Jensen\Desktop\firewall log.lnk
[2012/02/06 22:12:42 | 000,008,410 | ---- | M] () -- C:\Documents and Settings\Lowell Jensen\Desktop\firewall_log.zip
[2012/02/06 21:40:30 | 000,002,330 | ---- | M] () -- C:\Documents and Settings\Lowell Jensen\Desktop\attach.zip
[2012/02/06 18:32:38 | 000,018,252 | ---- | M] () -- D:\docs\KeePassDatabase.kdb
[2012/02/03 20:11:01 | 000,000,283 | ---- | M] () -- C:\Documents and Settings\Lowell Jensen\Application Data\Microsoft\Internet Explorer\Quick Launch\contacts.lnk
[2012/02/03 19:58:08 | 000,002,792 | ---- | M] () -- C:\Documents and Settings\Lowell Jensen\.recently-used.xbel
[2012/02/02 19:18:11 | 000,000,410 | ---- | M] () -- C:\WINNT\tasks\Ad-Aware Update (Weekly).job
[2012/02/02 17:49:55 | 000,000,057 | ---- | M] () -- C:\Documents and Settings\Lowell Jensen\Desktop\Lavasoft Support Forums.URL
[2012/02/01 18:18:00 | 000,101,720 | ---- | M] (Sunbelt Software) -- C:\WINNT\System32\drivers\SBREDrv.sys
[2012/02/01 18:17:50 | 000,000,064 | ---- | M] () -- C:\WINNT\System32\rp_stats.dat
[2012/02/01 18:17:50 | 000,000,044 | ---- | M] () -- C:\WINNT\System32\rp_rules.dat
[2012/02/01 17:47:32 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- D:\win\hijackthis.exe
[2012/02/01 17:27:44 | 000,050,688 | ---- | M] (Atribune.org) -- D:\win\ATF-Cleaner.exe
[2012/01/27 19:01:19 | 000,000,147 | ---- | M] () -- C:\WINNT\winamp.ini
[2012/01/26 19:24:12 | 002,075,392 | ---- | M] () -- C:\WINNT\System32\OTXEKROAEF
[2012/01/21 23:20:08 | 000,148,992 | ---- | M] () -- C:\Documents and Settings\Lowell Jensen\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/01/20 19:42:51 | 000,001,651 | ---- | M] () -- C:\Documents and Settings\Lowell Jensen\Application Data\Microsoft\Internet Explorer\Quick Launch\Command Prompt.lnk
[2012/01/20 17:45:10 | 000,000,633 | ---- | M] () -- C:\Documents and Settings\Lowell Jensen\Desktop\Word Templates.lnk
[2012/01/19 17:43:18 | 000,000,211 | ---- | M] () -- C:\Documents and Settings\Lowell Jensen\Desktop\Pictures.lnk
[4 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[2 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/14 21:57:43 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\SystemLook.exe
[2012/02/14 09:53:05 | 000,000,344 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/13 16:33:07 | 000,000,113 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\constant echo requests from Tcpip Kernel Driver; Google redirected; GLARM in registry.URL
[2012/02/13 00:12:41 | 000,000,072 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\The carthusian way.URL
[2012/02/12 23:28:32 | 000,000,138 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\Message of His Holiness Benedict XVI for Lent 2012.URL
[2012/02/12 19:29:54 | 000,001,635 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\johnnnn.mp3
[2012/02/12 19:28:59 | 000,001,635 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\Isaiah.mp3
[2012/02/12 14:11:18 | 027,382,868 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\John_KJV_mp3_complete--audiotreasure_com.zip
[2012/02/12 14:02:13 | 012,613,745 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\Orthodoxy_09.mp3
[2012/02/12 14:02:11 | 010,141,203 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\Orthodoxy_08.mp3
[2012/02/12 14:02:10 | 013,868,145 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\Orthodoxy_07.mp3
[2012/02/12 14:02:08 | 013,092,831 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\Orthodoxy_06.mp3
[2012/02/12 14:02:07 | 009,474,245 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\Orthodoxy_05.mp3
[2012/02/12 14:02:06 | 012,458,578 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\Orthodoxy_04.mp3
[2012/02/12 14:02:04 | 009,555,851 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\Orthodoxy_03.mp3
[2012/02/12 14:02:03 | 009,897,847 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\Orthodoxy_02.mp3
[2012/02/12 14:02:03 | 003,055,123 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\Orthodoxy_01.mp3
[2012/02/10 16:31:28 | 000,000,067 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\Croatia.URL
[2012/02/06 23:17:40 | 000,000,704 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\ark.zip
[2012/02/06 22:12:42 | 000,008,410 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\firewall_log.zip
[2012/02/06 21:40:30 | 000,002,330 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\attach.zip
[2012/02/03 19:58:08 | 000,002,792 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\.recently-used.xbel
[2012/02/02 17:49:55 | 000,000,057 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\Lavasoft Support Forums.URL
[2012/02/01 18:17:50 | 000,000,064 | ---- | C] () -- C:\WINNT\System32\rp_stats.dat
[2012/02/01 18:17:50 | 000,000,044 | ---- | C] () -- C:\WINNT\System32\rp_rules.dat
[2012/02/01 18:14:47 | 000,000,410 | ---- | C] () -- C:\WINNT\tasks\Ad-Aware Update (Weekly).job
[2012/01/26 19:25:41 | 000,000,392 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Desktop\firewall log.lnk
[2012/01/26 19:21:44 | 002,075,392 | ---- | C] () -- C:\WINNT\System32\OTXEKROAEF
[2012/01/18 23:43:14 | 000,319,492 | ---- | C] () -- D:\docs\high school.7z
[2012/01/18 23:42:52 | 022,361,855 | ---- | C] () -- D:\docs\healthy environments formation and catechesis program.7z
[2012/01/18 23:38:30 | 267,572,428 | ---- | C] () -- D:\docs\archive teaching.7z
[2012/01/18 23:34:08 | 267,307,016 | ---- | C] () -- D:\docs\archive GCS.7z
[2011/12/05 07:58:17 | 000,000,000 | ---- | C] () -- C:\WINNT\nsreg.dat
[2011/03/31 20:08:44 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_3c8.dat
[2011/02/08 21:24:58 | 000,000,048 | ---- | C] () -- D:\win\MapSetToolKit.cfg
[2011/02/07 21:49:09 | 000,133,120 | ---- | C] () -- D:\win\MapSetToolKit.exe
[2011/01/22 22:34:51 | 000,102,912 | ---- | C] () -- C:\WINNT\System32\drivers\FWDRV.SYS
[2010/09/19 13:00:25 | 000,000,090 | ---- | C] () -- C:\WINNT\OB1.INI
[2010/06/30 08:22:23 | 000,094,608 | -H-- | C] () -- C:\WINNT\System32\mlfcache.dat
[2009/05/30 23:48:04 | 000,010,576 | ---- | C] () -- C:\WINNT\System32\drivers\scsiscan.sys
[2008/04/03 22:43:03 | 000,000,543 | ---- | C] () -- C:\WINNT\pareq30.ini
[2008/04/03 22:41:19 | 000,000,459 | ---- | C] () -- C:\WINNT\epp22.ini
[2008/04/03 22:41:16 | 000,000,462 | ---- | C] () -- C:\WINNT\graeq22.ini
[2008/04/03 21:50:39 | 000,093,004 | R--- | C] () -- D:\win\ball attractor program.exe
[2008/04/03 21:50:39 | 000,077,824 | ---- | C] () -- D:\win\smoke sim.exe
[2006/11/16 18:05:23 | 000,000,000 | ---- | C] () -- C:\WINNT\FXMPlay.INI
[2006/09/29 19:07:24 | 000,001,022 | ---- | C] () -- C:\WINNT\fractalx.INI
[2006/09/27 20:35:47 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Application Data\usb.dat.bin
[2006/09/11 21:28:47 | 000,000,174 | ---- | C] () -- C:\WINNT\IGPRO.ini
[2006/07/20 16:52:43 | 000,006,550 | ---- | C] () -- C:\WINNT\jautoexp.dat
[2006/06/11 09:01:24 | 000,000,051 | ---- | C] () -- C:\WINNT\tone.ini
[2006/05/26 15:05:48 | 000,000,062 | ---- | C] () -- C:\WINNT\dgnet007.ini
[2006/05/20 10:55:20 | 000,000,043 | ---- | C] () -- C:\WINNT\ENCGAMES.INI
[2006/05/18 11:52:11 | 000,152,064 | ---- | C] () -- C:\WINNT\snap.dat
[2006/05/10 14:31:09 | 000,036,972 | ---- | C] () -- C:\WINNT\System32\ActPanel.dll
[2006/02/15 15:09:36 | 000,003,732 | ---- | C] () -- C:\WINNT\cdplayer.ini
[2006/01/24 14:53:01 | 000,016,973 | ---- | C] () -- C:\WINNT\System32\ZWebAuth.dll
[2005/11/18 18:39:50 | 000,001,751 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/11/07 13:10:22 | 000,000,000 | ---- | C] () -- C:\WINNT\iPlayer.INI
[2005/11/02 22:11:28 | 000,000,000 | ---- | C] () -- C:\WINNT\JDSecure20.INI
[2005/10/06 12:50:28 | 000,011,616 | R--- | C] () -- C:\WINNT\System32\drivers\SECDRV.SYS
[2005/10/02 12:06:43 | 000,148,992 | ---- | C] () -- C:\Documents and Settings\Lowell Jensen\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/09/09 13:54:15 | 000,099,965 | ---- | C] () -- C:\WINNT\UninstallFirefox.exe
[2005/09/09 13:54:00 | 000,005,675 | ---- | C] () -- C:\WINNT\mozver.dat
[2005/09/06 22:14:20 | 000,010,541 | ---- | C] () -- C:\WINNT\ePrompter.ini
[2005/09/06 17:08:22 | 000,000,147 | ---- | C] () -- C:\WINNT\winamp.ini
[2005/09/06 15:53:33 | 000,000,836 | ---- | C] () -- C:\WINNT\ODBC.INI
[2005/09/06 15:23:34 | 000,000,230 | ---- | C] () -- C:\WINNT\WinInit.INI
[2005/09/05 21:09:36 | 000,005,632 | ---- | C] () -- C:\WINNT\System32\CNMVS45.DLL
[2005/09/05 20:06:41 | 000,015,012 | ---- | C] () -- C:\WINNT\System32\emptyregdb.dat
[2005/09/05 15:27:32 | 000,004,254 | ---- | C] () -- C:\WINNT\ODBCINST.INI
[2005/09/05 15:26:41 | 000,429,392 | ---- | C] () -- C:\WINNT\System32\FNTCACHE.DAT
[2005/07/20 18:07:00 | 000,540,672 | ---- | C] () -- C:\WINNT\System32\nvhwvid.dll
[2004/05/20 11:33:07 | 000,208,440 | ---- | C] () -- D:\win\tone generator.exe
[2003/09/15 15:52:04 | 000,001,624 | ---- | C] () -- D:\win\active desktop html.html
[2000/07/26 10:00:00 | 000,673,088 | ---- | C] () -- C:\WINNT\System32\mlang.dat
[2000/07/26 10:00:00 | 000,380,630 | ---- | C] () -- C:\WINNT\System32\perfh009.dat
[2000/07/26 10:00:00 | 000,272,492 | ---- | C] () -- C:\WINNT\System32\perfi009.dat
[2000/07/26 10:00:00 | 000,217,359 | ---- | C] () -- C:\WINNT\System32\dssec.dat
[2000/07/26 10:00:00 | 000,178,144 | ---- | C] () -- C:\WINNT\System32\Q259545.EXE
[2000/07/26 10:00:00 | 000,176,400 | ---- | C] () -- C:\WINNT\System32\qcut.dll
[2000/07/26 10:00:00 | 000,056,304 | ---- | C] () -- C:\WINNT\System32\perfc009.dat
[2000/07/26 10:00:00 | 000,046,258 | ---- | C] () -- C:\WINNT\System32\mib.bin
[2000/07/26 10:00:00 | 000,033,552 | ---- | C] () -- C:\WINNT\System32\efsadu.dll
[2000/07/26 10:00:00 | 000,028,270 | ---- | C] () -- C:\WINNT\System32\perfd009.dat
[2000/07/26 10:00:00 | 000,007,265 | ---- | C] () -- C:\WINNT\System32\iasperf.ini
[2000/07/26 10:00:00 | 000,001,505 | ---- | C] () -- C:\WINNT\System32\faxperf.ini
[2000/07/26 10:00:00 | 000,000,741 | ---- | C] () -- C:\WINNT\System32\noise.dat
[2000/07/26 10:00:00 | 000,000,023 | ---- | C] () -- C:\WINNT\welcome.ini
[1999/09/25 03:36:24 | 000,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\lvcam.sys
[1999/09/25 03:36:22 | 000,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\lvsound.sys

========== LOP Check ==========

[2006/09/16 10:37:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MathReader
[2010/07/06 23:04:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2011/04/18 21:47:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/11/16 17:18:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lowell Jensen\Application Data\avidemux
[2010/07/08 12:33:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lowell Jensen\Application Data\corz
[2006/10/12 20:48:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lowell Jensen\Application Data\fltk.org
[2010/08/30 20:52:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lowell Jensen\Application Data\FreeCAD
[2011/01/18 20:50:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lowell Jensen\Application Data\GARMIN
[2012/01/11 20:15:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lowell Jensen\Application Data\gtk-2.0
[2006/01/26 07:54:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lowell Jensen\Application Data\ICAClient
[2011/05/09 19:43:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lowell Jensen\Application Data\ImgBurn
[2010/06/29 22:53:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lowell Jensen\Application Data\IrfanView
[2010/09/20 20:59:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lowell Jensen\Application Data\K-Meleon
[2006/09/16 10:37:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lowell Jensen\Application Data\MathReader
[2009/01/03 12:52:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lowell Jensen\Application Data\OpenOffice.org
[2012/02/13 00:10:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lowell Jensen\Application Data\WinFF
[2012/02/02 19:18:11 | 000,000,410 | ---- | M] () -- C:\WINNT\Tasks\Ad-Aware Update (Weekly).job
[2010/10/14 21:28:21 | 000,000,884 | ---- | M] () -- C:\WINNT\Tasks\flash backup.job

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: AGP440.SYS >
[2005/09/05 22:12:26 | 010,066,272 | ---- | M] () .cab file -- C:\WINNT\Driver Cache\i386\sp4.cab:AGP440.sys
[2005/09/05 22:12:26 | 010,066,272 | ---- | M] () .cab file -- C:\WINNT\ServicePackFiles\i386\sp4.cab:AGP440.sys
[2003/06/19 12:05:04 | 000,021,008 | ---- | M] (Microsoft Corporation) MD5=CDDB71A90077C93BEA5C72507F0B1394 -- C:\WINNT\ServicePackFiles\i386\agp440.sys
[2003/06/19 12:05:04 | 000,021,008 | ---- | M] (Microsoft Corporation) MD5=CDDB71A90077C93BEA5C72507F0B1394 -- C:\WINNT\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2005/09/05 22:12:26 | 010,066,272 | ---- | M] () .cab file -- C:\WINNT\Driver Cache\i386\sp4.cab:atapi.sys
[2005/09/05 22:12:26 | 010,066,272 | ---- | M] () .cab file -- C:\WINNT\ServicePackFiles\i386\sp4.cab:atapi.sys
[2003/06/19 12:05:04 | 000,086,672 | ---- | M] (Microsoft Corporation) MD5=8C718AA8C77041B3285D55A0CE980867 -- C:\WINNT\ServicePackFiles\i386\atapi.sys
[2003/06/19 12:05:04 | 000,086,672 | ---- | M] (Microsoft Corporation) MD5=8C718AA8C77041B3285D55A0CE980867 -- C:\WINNT\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2003/06/19 12:05:04 | 000,047,888 | ---- | M] (Microsoft Corporation) MD5=5738D5804F61A1D30D86FA24DEE56E0C -- C:\WINNT\$NtUpdateRollupPackUninstall$\eventlog.dll
[2003/06/19 12:05:04 | 000,047,888 | ---- | M] (Microsoft Corporation) MD5=5738D5804F61A1D30D86FA24DEE56E0C -- C:\WINNT\ServicePackFiles\i386\eventlog.dll
[2005/04/08 04:54:32 | 000,049,424 | ---- | M] (Microsoft Corporation) MD5=E7F03344AE103B02135C20112B557051 -- C:\WINNT\system32\dllcache\EVENTLOG.DLL
[2005/04/08 04:54:32 | 000,049,424 | ---- | M] (Microsoft Corporation) MD5=E7F03344AE103B02135C20112B557051 -- C:\WINNT\system32\EVENTLOG.DLL

< MD5 for: NETLOGON.DLL >
[2003/06/19 12:05:04 | 000,371,984 | ---- | M] (Microsoft Corporation) MD5=11B91C26925F56F577089FF88AA0BEC0 -- C:\WINNT\$NtUpdateRollupPackUninstall$\netlogon.dll
[2003/06/19 12:05:04 | 000,371,984 | ---- | M] (Microsoft Corporation) MD5=11B91C26925F56F577089FF88AA0BEC0 -- C:\WINNT\ServicePackFiles\i386\netlogon.dll
[2005/04/08 04:54:32 | 000,366,864 | ---- | M] (Microsoft Corporation) MD5=BE8FC3C74AB5212CD4067E8973764AD6 -- C:\WINNT\system32\dllcache\NETLOGON.DLL
[2005/04/08 04:54:32 | 000,366,864 | ---- | M] (Microsoft Corporation) MD5=BE8FC3C74AB5212CD4067E8973764AD6 -- C:\WINNT\system32\NETLOGON.DLL

< MD5 for: NV4_MINI.SYS >
[2005/07/20 18:07:00 | 003,198,368 | ---- | M] (NVIDIA Corporation) MD5=7FE3F1721856365C882DAE13F3600223 -- C:\WINNT\system32\drivers\nv4_mini.sys

< MD5 for: SCECLI.DLL >
[2005/01/12 12:39:44 | 000,114,448 | ---- | M] (Microsoft Corporation) MD5=6FCCE1622E75C7DC46509F7EC4B314A3 -- C:\WINNT\system32\dllcache\scecli.dll
[2005/01/12 12:39:44 | 000,114,448 | ---- | M] (Microsoft Corporation) MD5=6FCCE1622E75C7DC46509F7EC4B314A3 -- C:\WINNT\system32\scecli.dll
[2003/06/19 12:05:04 | 000,114,448 | ---- | M] (Microsoft Corporation) MD5=FF11B32A906D75CD96957B66E318DAD0 -- C:\WINNT\$NtUpdateRollupPackUninstall$\scecli.dll
[2003/06/19 12:05:04 | 000,114,448 | ---- | M] (Microsoft Corporation) MD5=FF11B32A906D75CD96957B66E318DAD0 -- C:\WINNT\ServicePackFiles\i386\scecli.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 8792 bytes -> C:\WINNT\Firefox Wallpaper.bmp:Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 5832 bytes -> C:\WINNT\Soap Bubbles.bmp:Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 3864 bytes -> C:\WINNT\Prairie Wind.bmp:Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 3840 bytes -> C:\WINNT\Santa Fe Stucco.bmp:Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 2980 bytes -> C:\WINNT\System32\setup.bmp:Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 2724 bytes -> C:\WINNT\winnt256.bmp:Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DE406C3E
@Alternate Data Stream - 1256 bytes -> C:\WINNT\System32\ntimage.gif:Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5F64C164

< End of report >

#18 m0le

  • I know the drill!
  • Group: Malware Response Instructor
  • Posts: 29,114
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 16 February 2012 - 09:51 PM

I'm still not finding anything. The obvious reason is that as the redirections stopped the malware has been eradicated. There may be something calling but your firewall is not letting it in.

Please download TCPView

When the log comes up click Save and save the file to your desktop and attach the file to your next reply
If I have helped you fix your PC then please donate. Thanks

m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#19 ljen

  • New Member
  • Group: Members
  • Posts: 12
  • Joined: 06-February 12
  • Gender:Male

Posted 21 February 2012 - 09:09 AM

Hi m0le,
Apologies for the delayed reply; I've been away from my computer. TCPView won't run. It gives the message:
The procedure entry point FlushTraceA could not be located in the dynamic link library ADVAPI32.dll.

When I run Tcpvcon in that download, it momentarily flashes a command prompt window, but no more.

-ljen

#20 m0le

Posted 21 February 2012 - 09:39 PM

I believe that is another tool we can scratch off. :whistle:

I also think that you have dealt with GLARM. I am unable to find anything relating to this and the compatobjdb and eventobjhid do look like legitimate terms (event object hidden) but could easily not be.

Quote

I searched my computer and registry for ezpapersolutions.com, and somewhere I found the string "GLARM" (without quotes). In the registry at
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
I deleted the key:
smiMapEnum
containing:
rundll32.exe "C:\Documents and Settings\Lowell Jensen\Local Settings\Application Data\HandlerGLARM\smiMapEnum.dll",compatobjdb eventobjhid
because I had never seen "HandlerGLARM" before and was sure it didn't belong in \Run. Then I searched the registry for the strings smiMapEnum, compatobjdb, eventobjhid, Camstudio (the program I suspected), and GLARM, but I found nothing.


I think your actions above have removed the trace of the files. Camstudio is not coming up on any malware database I have access to either.

I don't think you are infected now and may never have been but I can't check this as none of the tools I have that provide this information seem to work on your server.

Are there any current symptoms on the machine?

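The Run-key entry quoted above (rundll32.exe loading smiMapEnum.dll from a HandlerGLARM folder under Local Settings\Application Data) is the shape of autostart entry a triage pass should flag before anyone searches malware databases for the name. Below is an added example, not code from the thread or from any tool mentioned in it, that scores exported Run-key values: rundll32 entries whose DLL lives in a user-writable profile directory or outside the system and Program Files trees, and plain executables launched from the profile. The profile markers, trusted roots and the two benign-looking sample entries are assumptions constructed for the example; only the smiMapEnum value is taken from the post.

```python
# Added example (not from the thread): triage of HKCU\...\Run values, flagging
# rundll32 entries that load a DLL from a user-writable profile directory, the
# pattern of the smiMapEnum entry quoted above. Sample entries are constructed.

# Profile locations any process running as the user can write to (assumed list).
USER_WRITABLE_MARKERS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\desktop\\",
    "\\temp\\",
)
# Trees where Run-key DLLs and executables normally live on a Windows 2000/XP box.
TRUSTED_ROOTS = ("c:\\winnt\\", "c:\\windows\\", "c:\\program files\\")


def split_first_token(text):
    """Return (token, remainder), honouring Windows-style double quotes."""
    text = text.strip()
    if text.startswith('"'):
        end = text.find('"', 1)
        if end == -1:
            return text[1:], ""
        return text[1:end], text[end + 1:].strip()
    parts = text.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def rundll32_target(args):
    """Parse rundll32's '<dll>,<entrypoint> [args]' argument form into (dll, entrypoint)."""
    args = args.strip()
    if args.startswith('"'):
        dll, rest = split_first_token(args)
        rest = rest.lstrip(",")
    else:
        dll, _, rest = args.partition(",")
    words = rest.split()
    return dll, (words[0] if words else "")


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def in_trusted_root(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def triage_run_entry(command):
    """Return the reasons one Run value deserves scrutiny (empty list if none)."""
    findings = []
    exe, args = split_first_token(command)
    exe_name = exe.lower().split("\\")[-1]
    if exe_name in ("rundll32.exe", "rundll32"):
        dll, entry = rundll32_target(args)
        if in_user_writable(dll):
            findings.append(f"rundll32 loads {dll} from a user-writable profile directory")
        elif not in_trusted_root(dll):
            findings.append(f"rundll32 loads {dll} from outside the system and Program Files trees")
        if not entry:
            findings.append("rundll32 value names no export, which is unusual for a Run entry")
    elif in_user_writable(exe):
        findings.append(f"{exe} runs from a user-writable profile directory")
    return findings


def triage_run_key(entries):
    """entries: {value name: command} as exported from a Run key; returns only flagged ones."""
    report = {}
    for name, command in entries.items():
        findings = triage_run_entry(command)
        if findings:
            report[name] = findings
    return report


# Constructed sample: the removed entry from the post plus two benign-looking ones.
SAMPLE_RUN_KEY = {
    "smiMapEnum": r'rundll32.exe "C:\Documents and Settings\Lowell Jensen\Local Settings\Application Data\HandlerGLARM\smiMapEnum.dll",compatobjdb eventobjhid',
    "ctfmon.exe": r"C:\WINNT\system32\ctfmon.exe",
    "NvCplDaemon": r"RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup",
}

if __name__ == "__main__":
    for name, reasons in triage_run_key(SAMPLE_RUN_KEY).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, only smiMapEnum is reported, for the DLL path alone; the odd export names are not scored because a made-up name is not by itself evidence. Deleting the value, as the poster did, removes the autostart but leaves the DLL on disk, so the flagged path is also the file you would want to hash and submit before cleaning up.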
#21 User is offline   ljen 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 12
  • Joined: 06-February 12
  • Gender:Male

Posted 21 February 2012 - 10:53 PM

Ha... Too bad they're not working.

I'm glad to hear that the infection is gone. My current symptoms are these three:
1. repeated incoming calls on my firewall (a few lines are pasted below),
1,[21/Feb/2012 19:56:37] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 10.12.15.1->localhost, Owner: Tcpip Kernel Driver
1,[21/Feb/2012 19:56:37] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 10.12.15.1->localhost, Owner: Tcpip Kernel Driver
1,[21/Feb/2012 19:56:37] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 10.12.15.1->localhost, Owner: Tcpip Kernel Driver
1,[21/Feb/2012 19:59:07] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 10.12.15.1->localhost, Owner: Tcpip Kernel Driver
1,[21/Feb/2012 20:01:37] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 10.12.15.1->localhost, Owner: Tcpip Kernel Driver
1,[21/Feb/2012 20:01:37] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 10.12.15.1->localhost, Owner: Tcpip Kernel Driver
1,[21/Feb/2012 20:01:37] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 10.12.15.1->localhost, Owner: Tcpip Kernel Driver
1,[21/Feb/2012 20:04:07] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 10.12.15.1->localhost, Owner: Tcpip Kernel Driver
1,[21/Feb/2012 20:04:07] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 10.12.15.1->localhost, Owner: Tcpip Kernel Driver
1,[21/Feb/2012 20:04:07] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 10.12.15.1->localhost, Owner: Tcpip Kernel Driver

2. Process Explorer shows a small amount of I/O activity (16.2 KB: 1 read and 4 writes per second) from C:\WINNT\system32\services.exe. I didn't notice it doing this before.
3. When I check "Options/Replace Task Manager" in Process Explorer, the next time I boot it goes back to the default Windows Task Manager. It never did that before, though it's not the end of the world. Just weird.

Are these suspicious?

This post has been edited by ljen: 21 February 2012 - 10:54 PM
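The firewall lines pasted above carry enough to answer two of the questions a responder asks about blocked ICMP: is the source inside the local network, and is the traffic periodic (automated) or irregular (a scan or an attack)? Below is an added example, not code from the thread or from Kerio, that parses lines in exactly the format pasted above, groups blocked ICMP by source and type, and reports burst sizes, the gap between bursts and whether the source is a private (RFC 1918) address. The regular expression is written against the pasted format only and is an assumption for any other Kerio log layout; the sample input is the ten lines from the post.

```python
# Added example (not from the thread): parse the Kerio firewall lines pasted above,
# group blocked ICMP by source and type, and measure whether the echo requests are
# periodic and whether the source is a private (RFC 1918) address.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Log format as pasted in the post above; other Kerio formats are not handled (assumption).
LINE_RE = re.compile(
    r"^\d+,\[(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2})\] "
    r"Rule '(?P<rule>[^']+)': (?P<action>\w+): (?P<dir>In|Out) ICMP "
    r"\[(?P<type>\d+)\] (?P<desc>[^,]+), (?P<src>.+?)->(?P<dst>\S+), "
    r"Owner: (?P<owner>.+)$"
)

# The ten lines quoted in the post above, embedded so the example runs offline.
SAMPLE_LOG = """
1,[21/Feb/2012 19:56:37] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 10.12.15.1->localhost, Owner: Tcpip Kernel Driver
1,[21/Feb/2012 19:56:37] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 10.12.15.1->localhost, Owner: Tcpip Kernel Driver
1,[21/Feb/2012 19:56:37] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 10.12.15.1->localhost, Owner: Tcpip Kernel Driver
1,[21/Feb/2012 19:59:07] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 10.12.15.1->localhost, Owner: Tcpip Kernel Driver
1,[21/Feb/2012 20:01:37] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 10.12.15.1->localhost, Owner: Tcpip Kernel Driver
1,[21/Feb/2012 20:01:37] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 10.12.15.1->localhost, Owner: Tcpip Kernel Driver
1,[21/Feb/2012 20:01:37] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 10.12.15.1->localhost, Owner: Tcpip Kernel Driver
1,[21/Feb/2012 20:04:07] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 10.12.15.1->localhost, Owner: Tcpip Kernel Driver
1,[21/Feb/2012 20:04:07] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 10.12.15.1->localhost, Owner: Tcpip Kernel Driver
1,[21/Feb/2012 20:04:07] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 10.12.15.1->localhost, Owner: Tcpip Kernel Driver
""".strip().splitlines()


def parse_line(line):
    """Return the fields of one log line, or None if it is not an ICMP rule-log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y %H:%M:%S")
    rec["type"] = int(rec["type"])
    return rec


def summarize(lines):
    """Group records by (source, ICMP type) and describe their timing."""
    stamps_by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            stamps_by_key[(rec["src"], rec["type"])].append(rec["ts"])
    summary = {}
    for key, stamps in stamps_by_key.items():
        bursts = sorted(set(stamps))           # one entry per distinct second
        gaps = [int((b - a).total_seconds()) for a, b in zip(bursts, bursts[1:])]
        try:
            private = ipaddress.ip_address(key[0]).is_private
        except ValueError:                     # hostname rather than an address
            private = False
        summary[key] = {
            "count": len(stamps),
            "burst_sizes": [stamps.count(b) for b in bursts],
            "gaps_s": gaps,
            "periodic": len(gaps) >= 2 and len(set(gaps)) == 1,
            "private_source": private,
        }
    return summary


if __name__ == "__main__":
    for (src, icmp_type), info in summarize(SAMPLE_LOG).items():
        print(f"{src} ICMP type {icmp_type}: {info}")
```

On the pasted lines the output is one source, 10.12.15.1, sending echo requests in bursts of up to three at a fixed 150-second gap, from a private address. A fixed cadence from an address on the local network is the signature of an automated check (a monitor, a router, or a management tool) rather than an outside scan; the parser does not say which device it is, and for that you would look at the ARP entry for the address or at the router's own configuration.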


#22 m0le

Posted 22 February 2012 - 09:02 PM

There's nothing malware-related with the second and third points. The first point regarding the firewall block is not an unusual request according to the information I could find and the IP address resolves to a legitimate block of numbers. The Kerio firewall does seem to be prone to this behaviour and nowhere can I find anything that says this is a malicious block.

I would post the problem to Kerio's own forum for advice.

I hope that's been of some use to you.

I will close this topic in five days. Feel free to PM me after this if you wish to.

#23 ljen

Posted 22 February 2012 - 09:40 PM

m0le,
Thank you for looking into all of this! I appreciate your time. I'll post it to Kerio's forum, but I'm glad most of all to know that nothing malicious is happening anymore.
-ljen

#24 m0le

Posted 23 February 2012 - 07:16 PM

If you get an answer I would like it if you could PM me and let me know.

Good luck :)

#25 m0le

Posted 27 February 2012 - 07:36 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
