
Port Probing

port probing zombies Skype botnet

  • This topic is locked
46 replies to this topic

#1 migs102006

    New Member

  • Members
  • 26 posts

Posted 09 February 2013 - 04:48 PM

Hi,
A couple of months back I was befriended by a stranger on Skype. McAfee Antivirus software was running on my Windows 7 pc.
While chatting with this person my Antivirus software alerted me that my pc was being probed through various ports.
I immediately closed all contact with this person, but the damage had already been done.
Various ports on my pc get probed from all over the net on a daily basis. +50/daily
Recently I installed Malwarebytes and scanned all my files. It found PUP:Datamangr in the registry and I promptly removed the registry entry and rebooted the pc. I thought I had finally beaten the zombies knocking on my pc ports. McAfee security history files showed no probing for quite a few hours, until it reported that 192.168.1.1 was probing port 49726 and then port 2869. Soon after that the zombies started probing my pc ports again. Mind you nothing has happened, but it can be just a matter of time until somehow they get through. Now, 192.168.1.1 is the ip address of my local FIOS router, right?
It seems that there is an undetected beacon program on my pc?
All the incoming ip addresses used in the port probing seem to be legit business, so I imagine the true ip addresses are being spoofed?

Can you please help?

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.13.2
Run by Miguel at 16:33:01 on 2013-02-09
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4004.2343 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\System32\svchost.exe -k NetworkService
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\windows\System32\rundll32.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Windows\System32\igfxtray.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe
C:\Program Files (x86)\MyTomTom 3\MyTomTomSA.exe
C:\Users\Miguel\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe
C:\Program Files\mcafee.com\agent\mcagent.exe
C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uURLSearchHooks: {2421d847-721c-404f-87b4-bbd2b95d1087} - <orphaned>
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: SelectionLinksBHO Class: {300BEC06-B743-4D19-86B9-11DC711D7FFB} -
BHO: UnfriendApp: {44ed99e2-16a6-4b89-80d6-5b21cf42e78b} - C:\Program Files (x86)\UnfriendApp\IE\common.dll
BHO: SDHelper: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\mcafee\SystemCore\ScriptSn.20121005034905.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [MyTomTomSA.exe] "C:\Program Files (x86)\MyTomTom 3\MyTomTomSA.exe"
uRun: [Spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [ROC_roc_ssl_v12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [RoxWatchTray] "c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Miguel\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Miguel\AppData\Roaming\Dropbox\bin\Dropbox.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
LSP: C:\windows\System32\EasyRedirect.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {B1D21FC5-A742-4261-86F2-C7B7F1A31C5D} - hxxp://localhost:8888/jde/axctls/jdewebctlsU.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn.autopartintl.com/dana-cached/sc/JuniperSetupClient.cab
TCP: NameServer = 192.168.1.1 71.242.0.12
TCP: Interfaces\{042674BB-204D-48A7-83D4-401F348215B0} : DHCPNameServer = 172.6.1.161
TCP: Interfaces\{D3D5CE1E-CD11-4F92-BA67-740500E78CB1} : DHCPNameServer = 192.168.1.1 71.242.0.12
TCP: Interfaces\{D3D5CE1E-CD11-4F92-BA67-740500E78CB1}\94E6E616475623 : DHCPNameServer = 192.168.1.1 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Notify: SDWinLogon - SDWinLogon.dll
AppInit_DLLs= c:\progra~3\browse~1\261123~1.78\{61d8b~1\browse~1.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\mcafee\SystemCore\ScriptSn.20121005034904.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [IgfxTray] C:\windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\windows\System32\igfxpers.exe
x64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
x64-Run: [Stage Remote] C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe -Quiet
x64-Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-DPF: {CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA} - hxxp://javadl-esd.oracle.com/update/1.6.0/jinstall-6u21-windows-i586.cab
x64-Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;C:\windows\System32\drivers\mfehidk.sys [2011-3-13 771096]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\windows\System32\drivers\mfewfpk.sys [2011-3-13 339776]
R0 PxHlpa64;PxHlpa64;C:\windows\System32\drivers\PxHlpa64.sys [2012-7-13 55856]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2012-7-13 89600]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 DellDigitalDelivery;Dell Digital Delivery Service;C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe [2012-10-9 173568]
R2 EasyRedirect;EasyRedirect;C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe [2012-12-22 3575120]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-7-13 13336]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-2-5 398184]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-2-5 682344]
R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2012-10-5 201304]
R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2012-10-5 201304]
R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2012-10-5 201304]
R2 McShield;McAfee McShield;C:\Program Files\Common Files\mcafee\systemcore\mcshield.exe [2012-7-13 241016]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe [2012-7-13 218320]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\windows\System32\mfevtps.exe [2012-7-13 182312]
R3 cfwids;McAfee Inc. cfwids;C:\windows\System32\drivers\cfwids.sys [2011-3-13 69672]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\windows\System32\drivers\CtClsFlt.sys [2012-7-13 176000]
R3 IntcDAud;Intel® Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2012-7-13 317440]
R3 MBAMProtector;MBAMProtector;C:\windows\System32\drivers\mbam.sys [2013-2-5 24176]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\windows\System32\drivers\mfeavfk.sys [2011-3-13 309400]
R3 mfefirek;McAfee Inc. mfefirek;C:\windows\System32\drivers\mfefirek.sys [2011-3-13 515528]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2012-7-13 533096]
R3 Sftfs;Sftfs;C:\windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]
R3 Sftplay;Sftplay;C:\windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]
R3 Sftredir;Sftredir;C:\windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]
R3 Sftvol;Sftvol;C:\windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 HipShieldK;McAfee Inc. HipShieldK;C:\windows\System32\drivers\HipShieldK.sys [2012-10-5 196440]
S3 McAWFwk;McAfee Activation Service;C:\PROGRA~1\mcafee\msc\mcawfwk.exe [2012-7-13 224704]
S3 mferkdet;McAfee Inc. mferkdet;C:\windows\System32\drivers\mferkdet.sys [2011-3-13 106112]
S3 PCDSRVC{1E208CE0-FB7451FF-06020200}_0;PCDSRVC{1E208CE0-FB7451FF-06020200}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2012-9-4 25584]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2012-7-13 250984]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S4 McOobeSv;McAfee OOBE Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2012-10-5 201304]
.
=============== Created Last 30 ================
.
2013-02-08 23:25:27 -------- d-----r- C:\Program Files (x86)\Skype
2013-02-08 19:28:41 -------- d-----w- C:\Users\Miguel\AppData\Roaming\PhrozenSoft
2013-02-08 19:27:08 95648 ----a-w- C:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-02-07 22:21:17 98 ----a-w- C:\windows\DeleteOnReboot.bat
2013-02-05 18:44:39 -------- d-----w- C:\Users\Miguel\AppData\Roaming\Malwarebytes
2013-02-05 18:44:18 -------- d-----w- C:\ProgramData\Malwarebytes
2013-02-05 18:44:16 24176 ----a-w- C:\windows\System32\drivers\mbam.sys
2013-02-05 18:44:15 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-01-18 16:47:10 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2013-01-18 16:47:00 17272 ----a-w- C:\windows\System32\sdnclean64.exe
2013-01-18 16:46:53 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-01-18 16:46:24 -------- d-----w- C:\Users\Miguel\AppData\Local\Programs
.
==================== Find3M ====================
.
2013-02-08 19:27:00 861088 ----a-w- C:\windows\SysWow64\npDeployJava1.dll
2013-02-08 19:27:00 782240 ----a-w- C:\windows\SysWow64\deployJava1.dll
2013-02-08 17:39:55 74096 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-08 17:39:55 697712 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2013-01-17 23:40:23 102248 ----a-w- C:\Users\Miguel\GoToAssistDownloadHelper.exe
2012-12-26 14:55:26 69672 ----a-w- C:\windows\System32\drivers\cfwids.sys
2012-12-26 14:52:44 339776 ----a-w- C:\windows\System32\drivers\mfewfpk.sys
2012-12-26 14:52:34 182312 ----a-w- C:\windows\System32\mfevtps.exe
2012-12-26 14:51:34 10288 ----a-w- C:\windows\System32\drivers\mfeclnk.sys
2012-12-26 14:51:24 106112 ----a-w- C:\windows\System32\drivers\mferkdet.sys
2012-12-26 14:50:48 771096 ----a-w- C:\windows\System32\drivers\mfehidk.sys
2012-12-26 14:49:42 515528 ----a-w- C:\windows\System32\drivers\mfefirek.sys
2012-12-26 14:49:00 309400 ----a-w- C:\windows\System32\drivers\mfeavfk.sys
2012-12-26 14:48:30 178840 ----a-w- C:\windows\System32\drivers\mfeapfk.sys
2012-12-16 17:11:22 46080 ----a-w- C:\windows\System32\atmlib.dll
2012-12-16 14:45:03 367616 ----a-w- C:\windows\System32\atmfd.dll
2012-12-16 14:13:28 295424 ----a-w- C:\windows\SysWow64\atmfd.dll
2012-12-16 14:13:20 34304 ----a-w- C:\windows\SysWow64\atmlib.dll
2012-12-07 13:20:16 441856 ----a-w- C:\windows\System32\Wpc.dll
2012-12-07 13:15:31 2746368 ----a-w- C:\windows\System32\gameux.dll
2012-12-07 12:26:17 308736 ----a-w- C:\windows\SysWow64\Wpc.dll
2012-12-07 12:20:43 2576384 ----a-w- C:\windows\SysWow64\gameux.dll
2012-12-07 11:20:04 30720 ----a-w- C:\windows\System32\usk.rs
2012-12-07 11:20:03 43520 ----a-w- C:\windows\System32\csrr.rs
2012-12-07 11:20:03 23552 ----a-w- C:\windows\System32\oflc.rs
2012-12-07 11:20:01 45568 ----a-w- C:\windows\System32\oflc-nz.rs
2012-12-07 11:20:01 44544 ----a-w- C:\windows\System32\pegibbfc.rs
2012-12-07 11:20:01 20480 ----a-w- C:\windows\System32\pegi-fi.rs
2012-12-07 11:20:00 20480 ----a-w- C:\windows\System32\pegi-pt.rs
2012-12-07 11:19:59 20480 ----a-w- C:\windows\System32\pegi.rs
2012-12-07 11:19:58 46592 ----a-w- C:\windows\System32\fpb.rs
2012-12-07 11:19:57 40960 ----a-w- C:\windows\System32\cob-au.rs
2012-12-07 11:19:57 21504 ----a-w- C:\windows\System32\grb.rs
2012-12-07 11:19:57 15360 ----a-w- C:\windows\System32\djctq.rs
2012-12-07 11:19:56 55296 ----a-w- C:\windows\System32\cero.rs
2012-12-07 11:19:55 51712 ----a-w- C:\windows\System32\esrb.rs
2012-11-30 05:45:35 362496 ----a-w- C:\windows\System32\wow64win.dll
2012-11-30 05:45:35 243200 ----a-w- C:\windows\System32\wow64.dll
2012-11-30 05:45:35 13312 ----a-w- C:\windows\System32\wow64cpu.dll
2012-11-30 05:45:14 215040 ----a-w- C:\windows\System32\winsrv.dll
2012-11-30 05:43:12 16384 ----a-w- C:\windows\System32\ntvdm64.dll
2012-11-30 05:41:07 424448 ----a-w- C:\windows\System32\KernelBase.dll
2012-11-30 04:54:00 5120 ----a-w- C:\windows\SysWow64\wow32.dll
2012-11-30 04:53:59 274944 ----a-w- C:\windows\SysWow64\KernelBase.dll
2012-11-30 03:23:48 338432 ----a-w- C:\windows\System32\conhost.exe
2012-11-30 02:44:06 25600 ----a-w- C:\windows\SysWow64\setup16.exe
2012-11-30 02:44:04 7680 ----a-w- C:\windows\SysWow64\instnm.exe
2012-11-30 02:44:04 14336 ----a-w- C:\windows\SysWow64\ntvdm64.dll
2012-11-30 02:44:03 2048 ----a-w- C:\windows\SysWow64\user.exe
2012-11-30 02:38:59 6144 ---ha-w- C:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38:59 4608 ---ha-w- C:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38:59 3584 ---ha-w- C:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:38:59 3072 ---ha-w- C:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-11-23 03:26:31 3149824 ----a-w- C:\windows\System32\win32k.sys
2012-11-23 03:13:57 68608 ----a-w- C:\windows\System32\taskhost.exe
2012-11-22 20:10:42 539984 ----a-w- C:\windows\System32\EasyRedirect64.dll
2012-11-22 20:10:40 380240 ------w- C:\windows\SysWow64\EasyRedirect.dll
2012-11-22 05:44:23 800768 ----a-w- C:\windows\System32\usp10.dll
2012-11-22 04:45:03 626688 ----a-w- C:\windows\SysWow64\usp10.dll
2012-11-20 05:48:49 307200 ----a-w- C:\windows\System32\ncrypt.dll
2012-11-20 04:51:09 220160 ----a-w- C:\windows\SysWow64\ncrypt.dll
2012-11-14 06:11:44 2312704 ----a-w- C:\windows\System32\jscript9.dll
2012-11-14 06:04:11 1392128 ----a-w- C:\windows\System32\wininet.dll
2012-11-14 06:02:49 1494528 ----a-w- C:\windows\System32\inetcpl.cpl
2012-11-14 05:57:46 599040 ----a-w- C:\windows\System32\vbscript.dll
2012-11-14 05:57:35 173056 ----a-w- C:\windows\System32\ieUnatt.exe
2012-11-14 05:52:40 2382848 ----a-w- C:\windows\System32\mshtml.tlb
2012-11-14 02:09:22 1800704 ----a-w- C:\windows\SysWow64\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- C:\windows\SysWow64\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- C:\windows\SysWow64\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- C:\windows\SysWow64\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- C:\windows\SysWow64\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb
.
============= FINISH: 16:34:13.77 ===============


#2 TheDarkKnight

    Elite Member

  • Trusted Advisors
  • 1,126 posts
  • Gender:Male
  • Location:Gotham City
  • Interests:Malware Hunting, sport and of course listening to music ^_^

Posted 10 February 2013 - 04:30 AM

Welcome! I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear. :)

Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.

=====

Also, please download Malwarebytes Anti-Rootkit here.

  • Unzip the contents to a folder on the Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe ( right-click and select Run as administrator for Vista and Windows 7).
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Please post the two logs produced.

Please note: This tool is still in BETA mode, so please ensure you have backed up any important files.

=====

In your reply please provide the contents of the following logs:
  • ComboFix.txt.
  • Both MBAR logs.
How is your computer currently running?

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.




#3 migs102006

    New Member

  • Members
  • 26 posts

Posted 10 February 2013 - 06:45 PM

combofix.txt and mbar log files attached.
Pup: Facetheme virus was detected... (2 registry entries were fixed.)
Your help is greatly appreciated.


#4 migs102006

    New Member

  • Members
  • 26 posts

Posted 10 February 2013 - 07:06 PM

No port probing has happened since mbar.exe ran. Cross my fingers.

#5 TheDarkKnight

    Elite Member

  • Trusted Advisors
  • 1,126 posts
  • Gender:Male
  • Location:Gotham City
  • Interests:Malware Hunting, sport and of course listening to music ^_^

Posted 11 February 2013 - 12:36 AM

Good afternoon migs102006,

I am glad to hear it. Please keep an eye open.

In the interim:

Please download AdwCleaner by Xplode onto your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.



#6 migs102006

    New Member

  • Members
  • 26 posts

Posted 11 February 2013 - 10:28 AM

Well, I spoke too soon. The zombie port probing has started again.
Should I uninstall Skype on my PC?

#7 migs102006

    New Member

  • Members
  • 26 posts

Posted 11 February 2013 - 01:34 PM

Ran AdwCleaner. One registry entry was deleted. PC was rebooted, problem with port probing persists.

#8 TheDarkKnight

    Elite Member

  • Trusted Advisors
  • 1,126 posts
  • Gender:Male
  • Location:Gotham City
  • Interests:Malware Hunting, sport and of course listening to music ^_^

Posted 11 February 2013 - 03:34 PM

Good morning migs102006,

Please try uninstalling Skype and see if it makes a difference.

=====

Please download to the Desktop RogueKiller (by tigzy).
  • Please quit all programs.
  • Start RogueKiller.exe.
  • Wait until Prescan has finished.
  • Click on Scan.
  • Click on Report and copy/paste the contents of the report in your next reply.

In your reply please post the logs from RogueKiller and AdwCleaner.



#9 migs102006

    New Member

  • Members
  • 26 posts

Posted 11 February 2013 - 04:32 PM

RogueKiller V8.5.0 [Feb 9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Miguel [Admin rights]
Mode : Scan -- Date : 02/11/2013 16:21:15
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500325AS +++++
--- User ---
[MBR] 321f5bdb8efb1dddf0a41decc169a0bc
[BSP] 0dc0ad562a367e136649b9aeae6865c3 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 20000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 41166848 | Size: 456838 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_02112013_02d1621.txt >>
RKreport[1]_S_02112013_02d1621.txt

-----------------------------------------------------------------------------------------------


RogueKiller V8.5.0 [Feb 9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Miguel [Admin rights]
Mode : Remove -- Date : 02/11/2013 16:22:15
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500325AS +++++
--- User ---
[MBR] 321f5bdb8efb1dddf0a41decc169a0bc
[BSP] 0dc0ad562a367e136649b9aeae6865c3 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 20000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 41166848 | Size: 456838 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_02112013_02d1622.txt >>
RKreport[1]_S_02112013_02d1621.txt ; RKreport[2]_D_02112013_02d1622.txt


-----------------------------------------------------------------------------------------------------------------


RogueKiller V8.5.0 [Feb 9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Miguel [Admin rights]
Mode : Remove -- Date : 02/11/2013 16:24:12
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500325AS +++++
--- User ---
[MBR] 321f5bdb8efb1dddf0a41decc169a0bc
[BSP] 0dc0ad562a367e136649b9aeae6865c3 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 20000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 41166848 | Size: 456838 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3]_D_02112013_02d1624.txt >>
RKreport[1]_S_02112013_02d1621.txt ; RKreport[2]_D_02112013_02d1622.txt ; RKreport[3]_D_02112013_02d1624.txt


------------------------------------------------------------------------------------------------------


# AdwCleaner v2.112 - Logfile created 02/11/2013 at 16:31:29
# Updated 10/02/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Miguel - MIGUEL-PC
# Boot Mode : Normal
# Running from : C:\Users\Miguel\Downloads\adwcleaner (2).exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Google Chrome v24.0.1312.57

File : C:\Users\Miguel\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [5821 octets] - [07/02/2013 17:20:01]
AdwCleaner[R2].txt - [1505 octets] - [07/02/2013 17:42:30]
AdwCleaner[R3].txt - [1569 octets] - [11/02/2013 12:59:22]
AdwCleaner[R4].txt - [1094 octets] - [11/02/2013 13:07:20]
AdwCleaner[R5].txt - [1154 octets] - [11/02/2013 13:08:06]
AdwCleaner[R6].txt - [966 octets] - [11/02/2013 16:31:29]
AdwCleaner[S1].txt - [5703 octets] - [07/02/2013 17:21:09]
AdwCleaner[S2].txt - [1487 octets] - [11/02/2013 13:02:01]
AdwCleaner[S3].txt - [1215 octets] - [11/02/2013 13:08:21]

########## EOF - C:\AdwCleaner[R6].txt - [1205 octets] ##########

#10 TheDarkKnight

    Elite Member

  • Trusted Advisors
  • 1,126 posts
  • Gender:Male
  • Location:Gotham City
  • Interests:Malware Hunting, sport and of course listening to music ^_^

Posted 12 February 2013 - 12:39 AM

Good afternoon migs102006,

Please download to your Desktop:
  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.
  • Click Change parameters.
  • Make sure you check the box Loaded modules.
  • A window will popup and say Reboot is required. Please click Reboot now.
  • Then click Change parameters again. Check the box Detect TDLFS file system.
  • Click on the Start Scan button.
  • If an infected file is detected, the default action will be Cure. Instead, choose SKIP, then click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button.
  • Once the tool has finished, please click Report. Please copy and paste the contents of that log in your reply.
    Note: A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt).

=====

Also, please download aswMBR by gmer to your Desktop.

  • Please visit this site for instructions on how to run the tool.
  • Once familiar with this tool, double click aswMBR.exe to run it.
  • Click the Scan button to start the scan.
  • Once the scan has completed, please save the aswMBR.txt log to the Desktop and post it in your next reply.

=====

In your reply please post the contents of the following:
  • TDSSKiller log.
  • aswMBR.txt.
Is the probing still occurring?

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.




#11 migs102006

    New Member

  • Members
  • 26 posts

Posted 12 February 2013 - 02:59 PM

Hi DarkKnight,
The last probing occurred around 11 pm last night. That's over 15 hours without being probed.
I did install tdsskiller and it did not report anything unusual.
Will keep you posted.
Regards

#12 TheDarkKnight

    Elite Member

  • Trusted Advisors
  • 1,126 posts
  • Gender:Male
  • Location:Gotham City
  • Interests:Malware Hunting, sport and of course listening to music ^_^

Posted 12 February 2013 - 03:43 PM

Good morning migs102006,

Did you run aswMBR?



#13 migs102006

    New Member

  • Members
  • 26 posts

Posted 12 February 2013 - 04:50 PM

I did, after running it for 20 mins+ it gave me a blue screen of death. A bit hesitant to run this utility again unless the zombies start knocking at my door again.
So far 17 hours without a port probe.

#14 TheDarkKnight

    Elite Member

  • Trusted Advisors
  • 1,126 posts
  • Gender:Male
  • Location:Gotham City
  • Interests:Malware Hunting, sport and of course listening to music ^_^

Posted 12 February 2013 - 09:18 PM

Good afternoon migs102006,

Please try this tool in the meantime then.

  • Please download MBRScan and save it to your Desktop.
  • Double-click on MBRScan.exe and click the Report button. (Vista and Windows 7 Users, right click on MBRScan and then click on Run as administrator).
  • Please don't use the computer while the scan is running. The computer may not respond until the scan is done. Please be patient and don't force a restart of the computer.
  • When the scan is finished, a log file will appear.
  • Save that log file to your Desktop and post its content in your next reply.



#15 migs102006

    New Member

  • Members
  • 26 posts

Posted 14 February 2013 - 10:47 AM

DarkKnight,
The port probing started again.

mbrscan.exe log pasted below.

migs



MBRScan v1.1.1

OS             : Windows 7 Service Pack 1 (64 bit)
PROCESSOR      : Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
BOOT           : Normal Boot
DATE           : 2013/02/14 (ISO 8601) at 10:41:12
________________________________________________________________________________

DISK           : Device\Harddisk0\DR0 __ST950032 5AS (D005)
BUS_TYPE       : (0x03)  P-ATA
USE_PIO        : NO
MAX_TRANSFER   : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

Device\Harddisk0\DR0 465.8 Go  [Fixed] ==> 7 MBR Code .

MBR_MD5   : 321F5BDB8EFB1DDDF0A41DECC169A0BC
MBR_SHA1  : A47A23920EB39C5052B05F9683FE8FCCE2520AB0

Device\Harddisk0\Partition1 100.0 Mo   0xDE Dell Utility 
Device\Harddisk0\Partition2 19.53 Go   0x07 NTFS / HPFS __ BOOTABLE __
Device\Harddisk0\Partition3 446.1 Go   0x07 NTFS / HPFS
________________________________________________________________________________

############################### Additional scan ################################

DRIVER  : C:\windows\system32\hal.dll => Invisible on the disk
ADDRESS : 0x0321E000
SIZE    : 292.0 Ko

DRIVER  : C:\windows\system32\kdcom.dll => Invisible on the disk
ADDRESS : 0x00B9B000
SIZE    : 40.0 Ko

DRIVER  : C:\windows\system32\mcupdate_GenuineIntel.dll => Invisible on the disk
ADDRESS : 0x00CCB000
SIZE    : 316.0 Ko

DRIVER  : C:\windows\system32\CLFS.SYS => Invisible on the disk
ADDRESS : 0x00D2E000
SIZE    : 376.0 Ko

DRIVER  : C:\windows\system32\CI.dll => Invisible on the disk
ADDRESS : 0x00C00000
SIZE    : 768.0 Ko

DRIVER  : C:\windows\system32\drivers\Wdf01000.sys => Invisible on the disk
ADDRESS : 0x00EC3000
SIZE    : 776.0 Ko

DRIVER  : C:\windows\system32\drivers\WDFLDR.SYS => Invisible on the disk
ADDRESS : 0x00F85000
SIZE    : 64.0 Ko

DRIVER  : C:\windows\system32\drivers\ACPI.sys => Invisible on the disk
ADDRESS : 0x00F95000
SIZE    : 348.0 Ko

DRIVER  : C:\windows\system32\drivers\WMILIB.SYS => Invisible on the disk
ADDRESS : 0x00FEC000
SIZE    : 36.0 Ko

DRIVER  : C:\windows\system32\drivers\msisadrv.sys => Invisible on the disk
ADDRESS : 0x00FF5000
SIZE    : 40.0 Ko

DRIVER  : C:\windows\system32\drivers\pci.sys => Invisible on the disk
ADDRESS : 0x00E00000
SIZE    : 204.0 Ko

DRIVER  : C:\windows\system32\drivers\vdrvroot.sys => Invisible on the disk
ADDRESS : 0x00E33000
SIZE    : 52.0 Ko

DRIVER  : C:\windows\System32\drivers\partmgr.sys => Invisible on the disk
ADDRESS : 0x00E40000
SIZE    : 84.0 Ko

DRIVER  : C:\windows\system32\drivers\compbatt.sys => Invisible on the disk
ADDRESS : 0x00E55000
SIZE    : 36.0 Ko

DRIVER  : C:\windows\system32\drivers\BATTC.SYS => Invisible on the disk
ADDRESS : 0x00E5E000
SIZE    : 48.0 Ko

DRIVER  : C:\windows\system32\drivers\volmgr.sys => Invisible on the disk
ADDRESS : 0x00E6A000
SIZE    : 84.0 Ko

DRIVER  : C:\windows\System32\drivers\volmgrx.sys => Invisible on the disk
ADDRESS : 0x00D8C000
SIZE    : 368.0 Ko

DRIVER  : C:\windows\System32\drivers\mountmgr.sys => Invisible on the disk
ADDRESS : 0x00E7F000
SIZE    : 104.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\iaStor.sys => Invisible on the disk
ADDRESS : 0x0109F000
SIZE    : 1.33 Mo

DRIVER  : C:\windows\system32\drivers\atapi.sys => Invisible on the disk
ADDRESS : 0x011F3000
SIZE    : 36.0 Ko

DRIVER  : C:\windows\system32\drivers\ataport.SYS => Invisible on the disk
ADDRESS : 0x01000000
SIZE    : 168.0 Ko

DRIVER  : C:\windows\system32\drivers\msahci.sys => Invisible on the disk
ADDRESS : 0x0102A000
SIZE    : 44.0 Ko

DRIVER  : C:\windows\system32\drivers\PCIIDEX.SYS => Invisible on the disk
ADDRESS : 0x01035000
SIZE    : 64.0 Ko

DRIVER  : C:\windows\system32\drivers\amdxata.sys => Invisible on the disk
ADDRESS : 0x01045000
SIZE    : 44.0 Ko

DRIVER  : C:\windows\system32\drivers\fltmgr.sys => Invisible on the disk
ADDRESS : 0x01050000
SIZE    : 304.0 Ko

DRIVER  : C:\windows\system32\drivers\fileinfo.sys => Invisible on the disk
ADDRESS : 0x00E99000
SIZE    : 80.0 Ko

DRIVER  : C:\windows\system32\drivers\mfehidk.sys => Invisible on the disk
ADDRESS : 0x01264000
SIZE    : 744.0 Ko

DRIVER  : C:\windows\System32\Drivers\PxHlpa64.sys => Invisible on the disk
ADDRESS : 0x0131E000
SIZE    : 52.0 Ko

DRIVER  : C:\windows\System32\Drivers\Ntfs.sys => Invisible on the disk
ADDRESS : 0x0142C000
SIZE    : 1.64 Mo

DRIVER  : C:\windows\System32\Drivers\msrpc.sys => Invisible on the disk
ADDRESS : 0x0132B000
SIZE    : 376.0 Ko

DRIVER  : C:\windows\System32\Drivers\ksecdd.sys => Invisible on the disk
ADDRESS : 0x015CF000
SIZE    : 108.0 Ko

DRIVER  : C:\windows\System32\Drivers\cng.sys => Invisible on the disk
ADDRESS : 0x01389000
SIZE    : 456.0 Ko

DRIVER  : C:\windows\System32\drivers\pcw.sys => Invisible on the disk
ADDRESS : 0x015EA000
SIZE    : 68.0 Ko

DRIVER  : C:\windows\System32\Drivers\Fs_Rec.sys => Invisible on the disk
ADDRESS : 0x01400000
SIZE    : 40.0 Ko

DRIVER  : C:\windows\system32\drivers\ndis.sys => Invisible on the disk
ADDRESS : 0x016F5000
SIZE    : 968.0 Ko

DRIVER  : C:\windows\system32\drivers\NETIO.SYS => Invisible on the disk
ADDRESS : 0x01600000
SIZE    : 384.0 Ko

DRIVER  : C:\windows\System32\Drivers\ksecpkg.sys => Invisible on the disk
ADDRESS : 0x01660000
SIZE    : 168.0 Ko

DRIVER  : C:\windows\System32\drivers\tcpip.sys => Invisible on the disk
ADDRESS : 0x01800000
SIZE    : 2.00 Mo

DRIVER  : C:\windows\System32\drivers\fwpkclnt.sys => Invisible on the disk
ADDRESS : 0x0168A000
SIZE    : 292.0 Ko

DRIVER  : C:\windows\system32\drivers\mfewfpk.sys => Invisible on the disk
ADDRESS : 0x01200000
SIZE    : 324.0 Ko

DRIVER  : C:\windows\system32\drivers\volsnap.sys => Invisible on the disk
ADDRESS : 0x01A8E000
SIZE    : 304.0 Ko

DRIVER  : C:\windows\System32\Drivers\spldr.sys => Invisible on the disk
ADDRESS : 0x01ADA000
SIZE    : 32.0 Ko

DRIVER  : C:\windows\System32\drivers\rdyboost.sys => Invisible on the disk
ADDRESS : 0x01AE2000
SIZE    : 232.0 Ko

DRIVER  : C:\windows\System32\Drivers\mup.sys => Invisible on the disk
ADDRESS : 0x01B1C000
SIZE    : 72.0 Ko

DRIVER  : C:\windows\System32\drivers\hwpolicy.sys => Invisible on the disk
ADDRESS : 0x01B2E000
SIZE    : 36.0 Ko

DRIVER  : C:\windows\System32\DRIVERS\fvevol.sys => Invisible on the disk
ADDRESS : 0x01B37000
SIZE    : 232.0 Ko

DRIVER  : C:\windows\system32\drivers\disk.sys => Invisible on the disk
ADDRESS : 0x01B71000
SIZE    : 88.0 Ko

DRIVER  : C:\windows\system32\drivers\CLASSPNP.SYS => Invisible on the disk
ADDRESS : 0x01B87000
SIZE    : 192.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\cdrom.sys => Invisible on the disk
ADDRESS : 0x03E13000
SIZE    : 168.0 Ko

DRIVER  : C:\windows\System32\Drivers\Null.SYS => Invisible on the disk
ADDRESS : 0x03E3D000
SIZE    : 36.0 Ko

DRIVER  : C:\windows\System32\Drivers\Beep.SYS => Invisible on the disk
ADDRESS : 0x03E46000
SIZE    : 28.0 Ko

DRIVER  : C:\windows\System32\drivers\vga.sys => Invisible on the disk
ADDRESS : 0x03E4D000
SIZE    : 56.0 Ko

DRIVER  : C:\windows\System32\drivers\VIDEOPRT.SYS => Invisible on the disk
ADDRESS : 0x03E5B000
SIZE    : 148.0 Ko

DRIVER  : C:\windows\System32\drivers\watchdog.sys => Invisible on the disk
ADDRESS : 0x03E80000
SIZE    : 64.0 Ko

DRIVER  : C:\windows\System32\DRIVERS\RDPCDD.sys => Invisible on the disk
ADDRESS : 0x03E90000
SIZE    : 36.0 Ko

DRIVER  : C:\windows\system32\drivers\rdpencdd.sys => Invisible on the disk
ADDRESS : 0x03E99000
SIZE    : 36.0 Ko

DRIVER  : C:\windows\system32\drivers\rdprefmp.sys => Invisible on the disk
ADDRESS : 0x03EA2000
SIZE    : 36.0 Ko

DRIVER  : C:\windows\System32\Drivers\Msfs.SYS => Invisible on the disk
ADDRESS : 0x01BC5000
SIZE    : 44.0 Ko

DRIVER  : C:\windows\System32\Drivers\Npfs.SYS => Invisible on the disk
ADDRESS : 0x01BD0000
SIZE    : 68.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\tdx.sys => Invisible on the disk
ADDRESS : 0x01A00000
SIZE    : 136.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\TDI.SYS => Invisible on the disk
ADDRESS : 0x01A22000
SIZE    : 52.0 Ko

DRIVER  : C:\windows\System32\DRIVERS\netbt.sys => Invisible on the disk
ADDRESS : 0x01A2F000
SIZE    : 276.0 Ko

DRIVER  : C:\windows\system32\drivers\afd.sys => Invisible on the disk
ADDRESS : 0x02ED2000
SIZE    : 548.0 Ko

DRIVER  : C:\windows\system32\drivers\ws2ifsl.sys => Invisible on the disk
ADDRESS : 0x02F5B000
SIZE    : 44.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\wfplwf.sys => Invisible on the disk
ADDRESS : 0x02F66000
SIZE    : 36.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\pacer.sys => Invisible on the disk
ADDRESS : 0x02F6F000
SIZE    : 152.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\vwififlt.sys => Invisible on the disk
ADDRESS : 0x02F95000
SIZE    : 88.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\netbios.sys => Invisible on the disk
ADDRESS : 0x02FAB000
SIZE    : 60.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\wanarp.sys => Invisible on the disk
ADDRESS : 0x02FBA000
SIZE    : 108.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\termdd.sys => Invisible on the disk
ADDRESS : 0x02FD5000
SIZE    : 80.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\rdbss.sys => Invisible on the disk
ADDRESS : 0x02E00000
SIZE    : 324.0 Ko

DRIVER  : C:\windows\system32\drivers\nsiproxy.sys => Invisible on the disk
ADDRESS : 0x02E51000
SIZE    : 48.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\mssmbios.sys => Invisible on the disk
ADDRESS : 0x02E5D000
SIZE    : 44.0 Ko

DRIVER  : C:\windows\System32\drivers\discache.sys => Invisible on the disk
ADDRESS : 0x02E68000
SIZE    : 60.0 Ko

DRIVER  : C:\windows\System32\Drivers\dfsc.sys => Invisible on the disk
ADDRESS : 0x02E77000
SIZE    : 120.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\blbdrive.sys => Invisible on the disk
ADDRESS : 0x02E95000
SIZE    : 68.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\tunnel.sys => Invisible on the disk
ADDRESS : 0x02EA6000
SIZE    : 152.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\igdkmd64.sys => Invisible on the disk
ADDRESS : 0x04A37000
SIZE    : 11.70 Mo

DRIVER  : C:\windows\System32\drivers\dxgkrnl.sys => Invisible on the disk
ADDRESS : 0x03C64000
SIZE    : 976.0 Ko

DRIVER  : C:\windows\System32\drivers\dxgmms1.sys => Invisible on the disk
ADDRESS : 0x03D58000
SIZE    : 280.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\HECIx64.sys => Invisible on the disk
ADDRESS : 0x03D9E000
SIZE    : 68.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\usbehci.sys => Invisible on the disk
ADDRESS : 0x03DAF000
SIZE    : 68.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\USBPORT.SYS => Invisible on the disk
ADDRESS : 0x03C00000
SIZE    : 344.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\HDAudBus.sys => Invisible on the disk
ADDRESS : 0x03DC0000
SIZE    : 144.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\Rt64win7.sys => Invisible on the disk
ADDRESS : 0x042BD000
SIZE    : 528.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\bcmwl664.sys => Invisible on the disk
ADDRESS : 0x05899000
SIZE    : 4.51 Mo

DRIVER  : C:\windows\system32\DRIVERS\vwifibus.sys => Invisible on the disk
ADDRESS : 0x05D1C000
SIZE    : 52.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\i8042prt.sys => Invisible on the disk
ADDRESS : 0x05D29000
SIZE    : 120.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\Apfiltr.sys => Invisible on the disk
ADDRESS : 0x05D47000
SIZE    : 368.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\mouclass.sys => Invisible on the disk
ADDRESS : 0x05DA3000
SIZE    : 60.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\kbdclass.sys => Invisible on the disk
ADDRESS : 0x05DB2000
SIZE    : 60.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\GEARAspiWDM.sys => Invisible on the disk
ADDRESS : 0x05DC1000
SIZE    : 28.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\intelppm.sys => Invisible on the disk
ADDRESS : 0x05DC8000
SIZE    : 88.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\CmBatt.sys => Invisible on the disk
ADDRESS : 0x05DDE000
SIZE    : 20.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\wmiacpi.sys => Invisible on the disk
ADDRESS : 0x05DE3000
SIZE    : 36.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\CompositeBus.sys => Invisible on the disk
ADDRESS : 0x05DEC000
SIZE    : 64.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\dsNcAdpt.sys => Invisible on the disk
ADDRESS : 0x05800000
SIZE    : 52.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\AgileVpn.sys => Invisible on the disk
ADDRESS : 0x0580D000
SIZE    : 88.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\rasl2tp.sys => Invisible on the disk
ADDRESS : 0x05823000
SIZE    : 144.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\ndistapi.sys => Invisible on the disk
ADDRESS : 0x05847000
SIZE    : 48.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\ndiswan.sys => Invisible on the disk
ADDRESS : 0x05853000
SIZE    : 188.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\raspppoe.sys => Invisible on the disk
ADDRESS : 0x04341000
SIZE    : 108.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\raspptp.sys => Invisible on the disk
ADDRESS : 0x0435C000
SIZE    : 132.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\rassstp.sys => Invisible on the disk
ADDRESS : 0x0437D000
SIZE    : 104.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\swenum.sys => Invisible on the disk
ADDRESS : 0x05882000
SIZE    : 8.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\ks.sys => Invisible on the disk
ADDRESS : 0x04397000
SIZE    : 268.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\umbus.sys => Invisible on the disk
ADDRESS : 0x05884000
SIZE    : 72.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\usbhub.sys => Invisible on the disk
ADDRESS : 0x04200000
SIZE    : 360.0 Ko

DRIVER  : C:\windows\System32\Drivers\NDProxy.SYS => Invisible on the disk
ADDRESS : 0x0425A000
SIZE    : 84.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\stwrt64.sys => Invisible on the disk
ADDRESS : 0x0624C000
SIZE    : 532.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\portcls.sys => Invisible on the disk
ADDRESS : 0x062D1000
SIZE    : 244.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\drmk.sys => Invisible on the disk
ADDRESS : 0x0630E000
SIZE    : 136.0 Ko

DRIVER  : C:\windows\system32\drivers\ksthunk.sys => Invisible on the disk
ADDRESS : 0x06330000
SIZE    : 24.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\IntcDAud.sys => Invisible on the disk
ADDRESS : 0x06336000
SIZE    : 332.0 Ko

DRIVER  : C:\windows\system32\drivers\mfeavfk.sys => Invisible on the disk
ADDRESS : 0x06389000
SIZE    : 296.0 Ko

DRIVER  : C:\windows\system32\drivers\mfefirek.sys => Invisible on the disk
ADDRESS : 0x0685C000
SIZE    : 496.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\usbccgp.sys => Invisible on the disk
ADDRESS : 0x068D8000
SIZE    : 116.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\USBD.SYS => Invisible on the disk
ADDRESS : 0x068F5000
SIZE    : 8.0 Ko

DRIVER  : C:\windows\System32\Drivers\usbvideo.sys => Invisible on the disk
ADDRESS : 0x068F7000
SIZE    : 184.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\CtClsFlt.sys => Invisible on the disk
ADDRESS : 0x06925000
SIZE    : 172.0 Ko

DRIVER  : C:\windows\System32\Drivers\crashdmp.sys => Invisible on the disk
ADDRESS : 0x06950000
SIZE    : 56.0 Ko

DRIVER  : C:\windows\System32\Drivers\dump_iaStor.sys => Invisible on the disk
ADDRESS : 0x03EAB000
SIZE    : 1.33 Mo

DRIVER  : C:\windows\System32\Drivers\dump_dumpfve.sys => Invisible on the disk
ADDRESS : 0x0695E000
SIZE    : 76.0 Ko

DRIVER  : C:\windows\System32\win32k.sys => Invisible on the disk
ADDRESS : 0x00050000
SIZE    : 3.09 Mo

DRIVER  : C:\windows\System32\drivers\Dxapi.sys => Invisible on the disk
ADDRESS : 0x06971000
SIZE    : 48.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\monitor.sys => Invisible on the disk
ADDRESS : 0x0697D000
SIZE    : 56.0 Ko

DRIVER  : C:\windows\System32\TSDDD.dll => Invisible on the disk
ADDRESS : 0x00520000
SIZE    : 40.0 Ko

DRIVER  : C:\windows\System32\cdd.dll => Invisible on the disk
ADDRESS : 0x007C0000
SIZE    : 156.0 Ko

DRIVER  : C:\windows\system32\drivers\luafv.sys => Invisible on the disk
ADDRESS : 0x0698B000
SIZE    : 140.0 Ko

DRIVER  : C:\windows\system32\drivers\mbam.sys => Invisible on the disk
ADDRESS : 0x069AE000
SIZE    : 40.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\Sftvollh.sys => Invisible on the disk
ADDRESS : 0x069B8000
SIZE    : 44.0 Ko

DRIVER  : C:\windows\system32\drivers\WudfPf.sys => Invisible on the disk
ADDRESS : 0x069C3000
SIZE    : 100.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\lltdio.sys => Invisible on the disk
ADDRESS : 0x069DC000
SIZE    : 84.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\nwifi.sys => Invisible on the disk
ADDRESS : 0x06800000
SIZE    : 332.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\ndisuio.sys => Invisible on the disk
ADDRESS : 0x063D3000
SIZE    : 76.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\rspndr.sys => Invisible on the disk
ADDRESS : 0x063E6000
SIZE    : 96.0 Ko

DRIVER  : C:\windows\system32\drivers\HTTP.sys => Invisible on the disk
ADDRESS : 0x02CE2000
SIZE    : 804.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\bowser.sys => Invisible on the disk
ADDRESS : 0x02DAB000
SIZE    : 120.0 Ko

DRIVER  : C:\windows\System32\drivers\mpsdrv.sys => Invisible on the disk
ADDRESS : 0x02DC9000
SIZE    : 96.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\mrxsmb.sys => Invisible on the disk
ADDRESS : 0x02C00000
SIZE    : 180.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\mrxsmb10.sys => Invisible on the disk
ADDRESS : 0x02C2D000
SIZE    : 312.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\mrxsmb20.sys => Invisible on the disk
ADDRESS : 0x02C7B000
SIZE    : 144.0 Ko

DRIVER  : C:\windows\system32\drivers\peauth.sys => Invisible on the disk
ADDRESS : 0x0644B000
SIZE    : 664.0 Ko

DRIVER  : C:\windows\System32\Drivers\secdrv.SYS => Invisible on the disk
ADDRESS : 0x064F1000
SIZE    : 44.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\Sftfslh.sys => Invisible on the disk
ADDRESS : 0x064FC000
SIZE    : 772.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\Sftplaylh.sys => Invisible on the disk
ADDRESS : 0x0426F000
SIZE    : 308.0 Ko

DRIVER  : C:\windows\System32\DRIVERS\srvnet.sys => Invisible on the disk
ADDRESS : 0x065BD000
SIZE    : 196.0 Ko

DRIVER  : C:\windows\System32\drivers\tcpipreg.sys => Invisible on the disk
ADDRESS : 0x065EE000
SIZE    : 72.0 Ko

DRIVER  : C:\windows\System32\DRIVERS\srv2.sys => Invisible on the disk
ADDRESS : 0x0782B000
SIZE    : 420.0 Ko

DRIVER  : C:\windows\System32\DRIVERS\srv.sys => Invisible on the disk
ADDRESS : 0x07894000
SIZE    : 608.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\Sftredirlh.sys => Invisible on the disk
ADDRESS : 0x0792C000
SIZE    : 44.0 Ko

DRIVER  : C:\windows\system32\drivers\cfwids.sys => Invisible on the disk
ADDRESS : 0x07937000
SIZE    : 64.0 Ko

DRIVER  : C:\windows\System32\Drivers\fastfat.SYS => Invisible on the disk
ADDRESS : 0x07947000
SIZE    : 216.0 Ko

DRIVER  : C:\windows\system32\DRIVERS\asyncmac.sys => Invisible on the disk
ADDRESS : 0x079BD000
SIZE    : 44.0 Ko

DRIVER  : C:\windows\system32\drivers\HipShieldK.sys => Invisible on the disk
ADDRESS : 0x079C8000
SIZE    : 184.0 Ko

DRIVER  : C:\windows\system32\drivers\mfeapfk.sys => Invisible on the disk
ADDRESS : 0x07800000
SIZE    : 168.0 Ko

DRIVER  : C:\windows\System32\smss.exe => Invisible on the disk
ADDRESS : 0x484D0000
SIZE    : 128.0 Ko

SystemStartOptions :  NOEXECUTE=OPTIN

________________________________________________________________________________

_______MBR   \Device\Harddisk0\DR0  

0x00000000   33 C0 8E D0 BC 00 7C 8E C0 8E D8 BE 00 7C BF 00   3À.м.|.À.ؾ.|¿.
0x00000010   06 B9 00 02 FC F3 A4 50 68 1C 06 CB FB B9 04 00   .¹..üó¤Ph..Ëû¹..
0x00000020   BD BE 07 80 7E 00 00 7C 0B 0F 85 0E 01 83 C5 10   ½¾..~..|......Å.
0x00000030   E2 F1 CD 18 88 56 00 55 C6 46 11 05 C6 46 10 00   âñÍ..V.UÆF..ÆF..
0x00000040   B4 41 BB AA 55 CD 13 5D 72 0F 81 FB 55 AA 75 09   ´A»ªUÍ.]r..ûUªu.
0x00000050   F7 C1 01 00 74 03 FE 46 10 66 60 80 7E 10 00 74   ÷Á..t.þF.f`.~..t
0x00000060   26 66 68 00 00 00 00 66 FF 76 08 68 00 00 68 00   &fh....f.v.h..h.
0x00000070   7C 68 01 00 68 10 00 B4 42 8A 56 00 8B F4 CD 13   |h..h..´B.V..ôÍ.
0x00000080   9F 83 C4 10 9E EB 14 B8 01 02 BB 00 7C 8A 56 00   ..Ä..ë.¸..».|.V.
0x00000090   8A 76 01 8A 4E 02 8A 6E 03 CD 13 66 61 73 1C FE   .v..N..n.Í.fas.þ
0x000000A0   4E 11 75 0C 80 7E 00 80 0F 84 8A 00 B2 80 EB 84   N.u..~......².ë.
0x000000B0   55 32 E4 8A 56 00 CD 13 5D EB 9E 81 3E FE 7D 55   U2ä.V.Í.]ë..>þ}U
0x000000C0   AA 75 6E FF 76 00 E8 8D 00 75 17 FA B0 D1 E6 64   ªun.v.è..u.ú°Ñæd
0x000000D0   E8 83 00 B0 DF E6 60 E8 7C 00 B0 FF E6 64 E8 75   è..°ßæ`è|.°.ædèu
0x000000E0   00 FB B8 00 BB CD 1A 66 23 C0 75 3B 66 81 FB 54   .û¸.»Í.f#Àu;f.ûT
0x000000F0   43 50 41 75 32 81 F9 02 01 72 2C 66 68 07 BB 00   CPAu2.ù..r,fh.».
0x00000100   00 66 68 00 02 00 00 66 68 08 00 00 00 66 53 66   .fh....fh....fSf
0x00000110   53 66 55 66 68 00 00 00 00 66 68 00 7C 00 00 66   SfUfh....fh.|..f
0x00000120   61 68 00 00 07 CD 1A 5A 32 F6 EA 00 7C 00 00 CD   ah...Í.Z2öê.|..Í
0x00000130   18 A0 B7 07 EB 08 A0 B6 07 EB 03 A0 B5 07 32 E4   ..·.ë..¶.ë..µ.2ä
0x00000140   05 00 07 8B F0 AC 3C 00 74 09 BB 07 00 B4 0E CD   ....ð¬<.t.»..´.Í
0x00000150   10 EB F2 F4 EB FD 2B C9 E4 64 EB 00 24 02 E0 F8   .ëòôëý+Éädë.$.àø
0x00000160   24 02 C3 49 6E 76 61 6C 69 64 20 70 61 72 74 69   $.ÃInvalid parti
0x00000170   74 69 6F 6E 20 74 61 62 6C 65 00 45 72 72 6F 72   tion table.Error
0x00000180   20 6C 6F 61 64 69 6E 67 20 6F 70 65 72 61 74 69    loading operati
0x00000190   6E 67 20 73 79 73 74 65 6D 00 4D 69 73 73 69 6E   ng system.Missin
0x000001A0   67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74   g operating syst
0x000001B0   65 6D 00 00 00 63 7B 9A 77 8F 55 8C 00 00 00 20   em...c{.w.U.... 
0x000001C0   21 00 DE DF 13 0C 00 08 00 00 00 20 03 00 80 DF   !.Þß....... ...ß
0x000001D0   14 0C 07 FE FF FF 00 28 03 00 00 00 71 02 00 FE   ...þ...(....q..þ
0x000001E0   FF FF 07 FE FF FF 00 28 74 02 30 30 C4 37 00 00   ...þ...(t.00Ä7..
0x000001F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA   ..............Uª


#16 TheDarkKnight

    Elite Member

  • Trusted Advisors
  • 1,126 posts
  • Gender:Male
  • Location:Gotham City
  • Interests:Malware Hunting, sport and of course listening to music ^_^

Posted 14 February 2013 - 03:31 PM

Hey migs102006,

  • Please re-run MBRScan.
  • Click Dump.
  • Once you have selected your MBR code, please click Dump Selected MBR (if there are multiple codes please do this for each of them).



#17 migs102006

    New Member

  • Members
  • 26 posts

Posted 14 February 2013 - 06:19 PM

Hi DarkKnight,

I was 'not permitted' to upload the dump*.mbr files to your site when i tried attaching the files to this email.

migs102006

#18 TheDarkKnight

    Elite Member

  • Trusted Advisors
  • 1,126 posts
  • Gender:Male
  • Location:Gotham City
  • Interests:Malware Hunting, sport and of course listening to music ^_^

Posted 15 February 2013 - 03:31 AM

Hello migs102006,

Please upload it to a file sharing site, like mega upload, and provide me with a link.



#19 migs102006

    New Member

  • Members
  • 26 posts

Posted 15 February 2013 - 11:06 AM

mega upload website has been closed by the FBI. Fraud investigation...
Dropbox link below.

https://www.dropbox....j7ae/D2c6jB8T1G

#20 TheDarkKnight

    Elite Member

  • Trusted Advisors
  • 1,126 posts
  • Gender:Male
  • Location:Gotham City
  • Interests:Malware Hunting, sport and of course listening to music ^_^

Posted 15 February 2013 - 04:47 PM

Hello migs102006,

Thank you. Well that came up clean.

I am not familiar with the McAfee Firewall; are you able to block certain IP addresses?

If so, please block this one: 192.168.1.1

And see if the probing continues.






