migs102006

Port Probing

47 posts in this topic

Hi,

A couple of months back I was befriended by a stranger on Skype. McAfee Antivirus software was running on my Windows 7 PC.

While chatting with this person my Antivirus software alerted me that my pc was being probed through various ports.

I immediately closed all contact with this person, but the damage had already been done.

Various ports on my PC get probed from all over the net on a daily basis. +50/daily

Recently I installed Malwarebytes and scanned all my files. It found PUP:Datamangr in the registry and I promptly removed the registry entry and rebooted the PC. I thought I had finally beaten the zombies knocking on my PC ports. McAfee security history files showed no probing for quite a few hours, until it reported that 192.168.1.1 was probing port 49726 and then port 2869. Soon after that the zombies started probing my PC ports again. Mind you nothing has happened, but it can be just a matter of time until somehow they get through. Now, 192.168.1.1 is the IP address of my local FIOS router, right?

It seems that there is an undetected beacon program on my PC?

All the incoming IP addresses used in the port probing seem to be legit business, so I imagine the true IP addresses are being spoofed?

Can you please help?

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.13.2

Run by Miguel at 16:33:01 on 2013-02-09

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4004.2343 [GMT -5:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}

SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}

.

============== Running Processes ===============

.

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\Program Files\IDT\WDM\STacSV64.exe

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\system32\WLANExt.exe

C:\windows\System32\spoolsv.exe

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\windows\System32\svchost.exe -k NetworkService

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\IDT\WDM\AESTSr64.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\system32\mfevtps.exe

C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe

C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe

C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe

C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\windows\system32\taskhost.exe

C:\windows\system32\Dwm.exe

C:\windows\Explorer.EXE

C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE

C:\windows\system32\SearchIndexer.exe

C:\windows\System32\rundll32.exe

C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE

C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE

C:\Windows\System32\igfxtray.exe

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\IDT\WDM\sttray64.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe

C:\Program Files (x86)\MyTomTom 3\MyTomTomSA.exe

C:\Users\Miguel\AppData\Roaming\Dropbox\bin\Dropbox.exe

C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe

C:\Program Files\mcafee.com\agent\mcagent.exe

C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe

C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Program Files (x86)\Skype\Phone\Skype.exe

C:\windows\system32\taskeng.exe

C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uURLSearchHooks: {2421d847-721c-404f-87b4-bbd2b95d1087} - <orphaned>

mWinlogon: Userinit = userinit.exe,

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: SelectionLinksBHO Class: {300BEC06-B743-4D19-86B9-11DC711D7FFB} -

BHO: UnfriendApp: {44ed99e2-16a6-4b89-80d6-5b21cf42e78b} - C:\Program Files (x86)\UnfriendApp\IE\common.dll

BHO: SDHelper: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\mcafee\SystemCore\ScriptSn.20121005034905.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

uRun: [MyTomTomSA.exe] "C:\Program Files (x86)\MyTomTom 3\MyTomTomSA.exe"

uRun: [spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean

mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2

mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

mRun: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [ROC_roc_ssl_v12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [RoxWatchTray] "c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"

mRun: [sDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

StartupFolder: C:\Users\Miguel\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Miguel\AppData\Roaming\Dropbox\bin\Dropbox.exe

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll

LSP: C:\windows\System32\EasyRedirect.dll

.

INFO: HKCU has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab

DPF: {B1D21FC5-A742-4261-86F2-C7B7F1A31C5D} - hxxp://localhost:8888/jde/axctls/jdewebctlsU.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn.autopartintl.com/dana-cached/sc/JuniperSetupClient.cab

TCP: NameServer = 192.168.1.1 71.242.0.12

TCP: Interfaces\{042674BB-204D-48A7-83D4-401F348215B0} : DHCPNameServer = 172.6.1.161

TCP: Interfaces\{D3D5CE1E-CD11-4F92-BA67-740500E78CB1} : DHCPNameServer = 192.168.1.1 71.242.0.12

TCP: Interfaces\{D3D5CE1E-CD11-4F92-BA67-740500E78CB1}\94E6E616475623 : DHCPNameServer = 192.168.1.1 192.168.1.1

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

Notify: SDWinLogon - SDWinLogon.dll

AppInit_DLLs= c:\progra~3\browse~1\261123~1.78\{61d8b~1\browse~1.dll

SSODL: WebCheck - <orphaned>

mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome

x64-BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\mcafee\SystemCore\ScriptSn.20121005034904.dll

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL

x64-Run: [igfxTray] C:\windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\windows\System32\igfxpers.exe

x64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe

x64-Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe

x64-Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe

x64-Run: [stage Remote] C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe -Quiet

x64-Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup

x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

x64-DPF: {CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA} - hxxp://javadl-esd.oracle.com/update/1.6.0/jinstall-6u21-windows-i586.cab

x64-Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll

x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-Notify: igfxcui - igfxdev.dll

x64-SSODL: WebCheck - <orphaned>

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;C:\windows\System32\drivers\mfehidk.sys [2011-3-13 771096]

R0 mfewfpk;McAfee Inc. mfewfpk;C:\windows\System32\drivers\mfewfpk.sys [2011-3-13 339776]

R0 PxHlpa64;PxHlpa64;C:\windows\System32\drivers\PxHlpa64.sys [2012-7-13 55856]

R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2012-7-13 89600]

R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]

R2 DellDigitalDelivery;Dell Digital Delivery Service;C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe [2012-10-9 173568]

R2 EasyRedirect;EasyRedirect;C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe [2012-12-22 3575120]

R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-7-13 13336]

R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-2-5 398184]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-2-5 682344]

R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2012-10-5 201304]

R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2012-10-5 201304]

R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2012-10-5 201304]

R2 McShield;McAfee McShield;C:\Program Files\Common Files\mcafee\systemcore\mcshield.exe [2012-7-13 241016]

R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe [2012-7-13 218320]

R2 mfevtp;McAfee Validation Trust Protection Service;C:\windows\System32\mfevtps.exe [2012-7-13 182312]

R3 cfwids;McAfee Inc. cfwids;C:\windows\System32\drivers\cfwids.sys [2011-3-13 69672]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\windows\System32\drivers\CtClsFlt.sys [2012-7-13 176000]

R3 IntcDAud;Intel® Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2012-7-13 317440]

R3 MBAMProtector;MBAMProtector;C:\windows\System32\drivers\mbam.sys [2013-2-5 24176]

R3 mfeavfk;McAfee Inc. mfeavfk;C:\windows\System32\drivers\mfeavfk.sys [2011-3-13 309400]

R3 mfefirek;McAfee Inc. mfefirek;C:\windows\System32\drivers\mfefirek.sys [2011-3-13 515528]

R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2012-7-13 533096]

R3 Sftfs;Sftfs;C:\windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]

R3 Sftplay;Sftplay;C:\windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]

R3 Sftredir;Sftredir;C:\windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]

R3 Sftvol;Sftvol;C:\windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 HipShieldK;McAfee Inc. HipShieldK;C:\windows\System32\drivers\HipShieldK.sys [2012-10-5 196440]

S3 McAWFwk;McAfee Activation Service;C:\PROGRA~1\mcafee\msc\mcawfwk.exe [2012-7-13 224704]

S3 mferkdet;McAfee Inc. mferkdet;C:\windows\System32\drivers\mferkdet.sys [2011-3-13 106112]

S3 PCDSRVC{1E208CE0-FB7451FF-06020200}_0;PCDSRVC{1E208CE0-FB7451FF-06020200}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2012-9-4 25584]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2012-7-13 250984]

S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]

S4 McOobeSv;McAfee OOBE Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2012-10-5 201304]

.

=============== Created Last 30 ================

.

2013-02-08 23:25:27 -------- d-----r- C:\Program Files (x86)\Skype

2013-02-08 19:28:41 -------- d-----w- C:\Users\Miguel\AppData\Roaming\PhrozenSoft

2013-02-08 19:27:08 95648 ----a-w- C:\windows\SysWow64\WindowsAccessBridge-32.dll

2013-02-07 22:21:17 98 ----a-w- C:\windows\DeleteOnReboot.bat

2013-02-05 18:44:39 -------- d-----w- C:\Users\Miguel\AppData\Roaming\Malwarebytes

2013-02-05 18:44:18 -------- d-----w- C:\ProgramData\Malwarebytes

2013-02-05 18:44:16 24176 ----a-w- C:\windows\System32\drivers\mbam.sys

2013-02-05 18:44:15 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-01-18 16:47:10 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy

2013-01-18 16:47:00 17272 ----a-w- C:\windows\System32\sdnclean64.exe

2013-01-18 16:46:53 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2

2013-01-18 16:46:24 -------- d-----w- C:\Users\Miguel\AppData\Local\Programs

.

==================== Find3M ====================

.

2013-02-08 19:27:00 861088 ----a-w- C:\windows\SysWow64\npDeployJava1.dll

2013-02-08 19:27:00 782240 ----a-w- C:\windows\SysWow64\deployJava1.dll

2013-02-08 17:39:55 74096 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-02-08 17:39:55 697712 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe

2013-01-17 23:40:23 102248 ----a-w- C:\Users\Miguel\GoToAssistDownloadHelper.exe

2012-12-26 14:55:26 69672 ----a-w- C:\windows\System32\drivers\cfwids.sys

2012-12-26 14:52:44 339776 ----a-w- C:\windows\System32\drivers\mfewfpk.sys

2012-12-26 14:52:34 182312 ----a-w- C:\windows\System32\mfevtps.exe

2012-12-26 14:51:34 10288 ----a-w- C:\windows\System32\drivers\mfeclnk.sys

2012-12-26 14:51:24 106112 ----a-w- C:\windows\System32\drivers\mferkdet.sys

2012-12-26 14:50:48 771096 ----a-w- C:\windows\System32\drivers\mfehidk.sys

2012-12-26 14:49:42 515528 ----a-w- C:\windows\System32\drivers\mfefirek.sys

2012-12-26 14:49:00 309400 ----a-w- C:\windows\System32\drivers\mfeavfk.sys

2012-12-26 14:48:30 178840 ----a-w- C:\windows\System32\drivers\mfeapfk.sys

2012-12-16 17:11:22 46080 ----a-w- C:\windows\System32\atmlib.dll

2012-12-16 14:45:03 367616 ----a-w- C:\windows\System32\atmfd.dll

2012-12-16 14:13:28 295424 ----a-w- C:\windows\SysWow64\atmfd.dll

2012-12-16 14:13:20 34304 ----a-w- C:\windows\SysWow64\atmlib.dll

2012-12-07 13:20:16 441856 ----a-w- C:\windows\System32\Wpc.dll

2012-12-07 13:15:31 2746368 ----a-w- C:\windows\System32\gameux.dll

2012-12-07 12:26:17 308736 ----a-w- C:\windows\SysWow64\Wpc.dll

2012-12-07 12:20:43 2576384 ----a-w- C:\windows\SysWow64\gameux.dll

2012-12-07 11:20:04 30720 ----a-w- C:\windows\System32\usk.rs

2012-12-07 11:20:03 43520 ----a-w- C:\windows\System32\csrr.rs

2012-12-07 11:20:03 23552 ----a-w- C:\windows\System32\oflc.rs

2012-12-07 11:20:01 45568 ----a-w- C:\windows\System32\oflc-nz.rs

2012-12-07 11:20:01 44544 ----a-w- C:\windows\System32\pegibbfc.rs

2012-12-07 11:20:01 20480 ----a-w- C:\windows\System32\pegi-fi.rs

2012-12-07 11:20:00 20480 ----a-w- C:\windows\System32\pegi-pt.rs

2012-12-07 11:19:59 20480 ----a-w- C:\windows\System32\pegi.rs

2012-12-07 11:19:58 46592 ----a-w- C:\windows\System32\fpb.rs

2012-12-07 11:19:57 40960 ----a-w- C:\windows\System32\cob-au.rs

2012-12-07 11:19:57 21504 ----a-w- C:\windows\System32\grb.rs

2012-12-07 11:19:57 15360 ----a-w- C:\windows\System32\djctq.rs

2012-12-07 11:19:56 55296 ----a-w- C:\windows\System32\cero.rs

2012-12-07 11:19:55 51712 ----a-w- C:\windows\System32\esrb.rs

2012-11-30 05:45:35 362496 ----a-w- C:\windows\System32\wow64win.dll

2012-11-30 05:45:35 243200 ----a-w- C:\windows\System32\wow64.dll

2012-11-30 05:45:35 13312 ----a-w- C:\windows\System32\wow64cpu.dll

2012-11-30 05:45:14 215040 ----a-w- C:\windows\System32\winsrv.dll

2012-11-30 05:43:12 16384 ----a-w- C:\windows\System32\ntvdm64.dll

2012-11-30 05:41:07 424448 ----a-w- C:\windows\System32\KernelBase.dll

2012-11-30 04:54:00 5120 ----a-w- C:\windows\SysWow64\wow32.dll

2012-11-30 04:53:59 274944 ----a-w- C:\windows\SysWow64\KernelBase.dll

2012-11-30 03:23:48 338432 ----a-w- C:\windows\System32\conhost.exe

2012-11-30 02:44:06 25600 ----a-w- C:\windows\SysWow64\setup16.exe

2012-11-30 02:44:04 7680 ----a-w- C:\windows\SysWow64\instnm.exe

2012-11-30 02:44:04 14336 ----a-w- C:\windows\SysWow64\ntvdm64.dll

2012-11-30 02:44:03 2048 ----a-w- C:\windows\SysWow64\user.exe

2012-11-30 02:38:59 6144 ---ha-w- C:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll

2012-11-30 02:38:59 4608 ---ha-w- C:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll

2012-11-30 02:38:59 3584 ---ha-w- C:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll

2012-11-30 02:38:59 3072 ---ha-w- C:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll

2012-11-23 03:26:31 3149824 ----a-w- C:\windows\System32\win32k.sys

2012-11-23 03:13:57 68608 ----a-w- C:\windows\System32\taskhost.exe

2012-11-22 20:10:42 539984 ----a-w- C:\windows\System32\EasyRedirect64.dll

2012-11-22 20:10:40 380240 ------w- C:\windows\SysWow64\EasyRedirect.dll

2012-11-22 05:44:23 800768 ----a-w- C:\windows\System32\usp10.dll

2012-11-22 04:45:03 626688 ----a-w- C:\windows\SysWow64\usp10.dll

2012-11-20 05:48:49 307200 ----a-w- C:\windows\System32\ncrypt.dll

2012-11-20 04:51:09 220160 ----a-w- C:\windows\SysWow64\ncrypt.dll

2012-11-14 06:11:44 2312704 ----a-w- C:\windows\System32\jscript9.dll

2012-11-14 06:04:11 1392128 ----a-w- C:\windows\System32\wininet.dll

2012-11-14 06:02:49 1494528 ----a-w- C:\windows\System32\inetcpl.cpl

2012-11-14 05:57:46 599040 ----a-w- C:\windows\System32\vbscript.dll

2012-11-14 05:57:35 173056 ----a-w- C:\windows\System32\ieUnatt.exe

2012-11-14 05:52:40 2382848 ----a-w- C:\windows\System32\mshtml.tlb

2012-11-14 02:09:22 1800704 ----a-w- C:\windows\SysWow64\jscript9.dll

2012-11-14 01:58:15 1427968 ----a-w- C:\windows\SysWow64\inetcpl.cpl

2012-11-14 01:57:37 1129472 ----a-w- C:\windows\SysWow64\wininet.dll

2012-11-14 01:49:25 142848 ----a-w- C:\windows\SysWow64\ieUnatt.exe

2012-11-14 01:48:27 420864 ----a-w- C:\windows\SysWow64\vbscript.dll

2012-11-14 01:44:42 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb

.

============= FINISH: 16:34:13.77 ===============

attach.zip

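One way to triage alerts like the ones described in this post, as an added example that is not from the original poster or from McAfee: it sorts logged inbound hits by whether the source is the LAN gateway (192.168.1.1 in the thread), another RFC 1918 address, or an Internet address, lists which ports each Internet source touched, and marks gateway hits on the Windows UPnP/SSDP listener (TCP 2869) as ordinary LAN traffic rather than an Internet probe. The one-line event format, the sample addresses and the port list are constructed assumptions, not McAfee's real log format.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in a one-event-per-line format assumed for this example
# (not McAfee's actual security-history format, which the thread does not show).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for
# arbitrary Internet addresses.
SAMPLE_EVENTS = """\
2013-02-09 15:02:11 BLOCKED src=192.168.1.1 dst_port=49726 proto=TCP
2013-02-09 15:02:12 BLOCKED src=192.168.1.1 dst_port=2869 proto=TCP
2013-02-09 15:40:03 BLOCKED src=203.0.113.45 dst_port=445 proto=TCP
2013-02-09 15:41:17 BLOCKED src=203.0.113.45 dst_port=139 proto=TCP
2013-02-09 16:05:55 BLOCKED src=198.51.100.7 dst_port=3389 proto=TCP
2013-02-09 16:06:01 BLOCKED src=198.51.100.7 dst_port=23 proto=TCP
2013-02-09 16:20:40 BLOCKED src=198.51.100.7 dst_port=22 proto=TCP
2013-02-09 16:21:02 BLOCKED src=192.168.1.23 dst_port=445 proto=TCP
"""

# Ports a Windows 7 home PC itself listens on for LAN device discovery.
# A hit from the local router on one of these is routine LAN chatter.
LAN_DISCOVERY_PORTS = {
    1900: "SSDP discovery",
    2869: "UPnP device host (SSDP eventing)",
    5357: "WS-Discovery",
}

# RFC 1918 ranges checked explicitly, because ipaddress.is_private also
# treats the documentation ranges used in the sample as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

EVENT_RE = re.compile(r"src=(?P<src>[0-9A-Fa-f.:]+)\s+dst_port=(?P<port>\d+)")


def parse_events(text):
    """Yield (source_ip, destination_port) pairs; skip lines that do not parse."""
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        try:
            yield ipaddress.ip_address(m["src"]), int(m["port"])
        except ValueError:
            continue


def classify_source(src, router_ip):
    """Bucket a source address as the gateway, another LAN host, or the Internet."""
    if src == router_ip:
        return "router"
    if src.is_loopback or src.is_link_local or any(src in net for net in RFC1918):
        return "lan"
    return "internet"


def summarize(text, router_ip="192.168.1.1"):
    """Count hits per source class, collect the ports each Internet source
    touched, and flag router hits that are just LAN discovery traffic."""
    router = ipaddress.ip_address(router_ip)
    by_class = Counter()
    ports_by_internet_src = defaultdict(set)
    router_discovery_hits = []
    for src, port in parse_events(text):
        bucket = classify_source(src, router)
        by_class[bucket] += 1
        if bucket == "internet":
            ports_by_internet_src[str(src)].add(port)
        elif bucket == "router" and port in LAN_DISCOVERY_PORTS:
            router_discovery_hits.append((port, LAN_DISCOVERY_PORTS[port]))
    return {
        "by_class": dict(by_class),
        "internet_sources": {s: sorted(p) for s, p in ports_by_internet_src.items()},
        "router_discovery_hits": router_discovery_hits,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    print("hits by source class:", report["by_class"])
    for src, ports in report["internet_sources"].items():
        print(f"Internet source {src} touched ports {ports}")
    for port, what in report["router_discovery_hits"]:
        print(f"router hit on TCP {port} is {what}: normal LAN traffic")
```

A source that walks several ports in a short window (the second Internet address in the sample) is the pattern worth reporting to the ISP or blocking at the router; a single gateway hit on a discovery port is not evidence of compromise.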

I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear. :)

Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.

=====

Also, please download Malwarebytes Anti-Rootkit here.

  • Unzip the contents to a folder on the Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe ( right-click and select Run as administrator for Vista and Windows 7).
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Please post the two logs produced.

Please note: This tool is still in BETA mode, so please ensure you have backed up any important files.

=====

In your reply please provide the contents of the following logs:

  • ComboFix.txt.
  • Both MBAR logs.

How is your computer currently running?


Good afternoon migs102006,

I am glad to hear it. Please keep an eye open.

In the interim:

Please download AdwCleaner by Xplode onto your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.


Well, I spoke too soon. The zombie port probing has started again.

Should I uninstall Skype on my PC?


Ran adwcleaner. One registry entry was deleted. PC was rebooted, problem with port probing persists.


Good morning migs102006,

Please try uninstalling Skype and see if it makes a difference.

=====

Please download RogueKiller (by tigzy) to the Desktop.

  • Please quit all programs.
  • Start RogueKiller.exe.
  • Wait until Prescan has finished.
  • Click on Scan.
  • Click on Report and copy/paste the contents of the report in your next reply.

In your reply please post the logs from RogueKiller and AdwCleaner.


RogueKiller V8.5.0 [Feb 9 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Miguel [Admin rights]

Mode : Scan -- Date : 02/11/2013 16:21:15

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500325AS +++++

--- User ---

[MBR] 321f5bdb8efb1dddf0a41decc169a0bc

[bSP] 0dc0ad562a367e136649b9aeae6865c3 : Windows 7/8 MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 20000 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 41166848 | Size: 456838 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_02112013_02d1621.txt >>

RKreport[1]_S_02112013_02d1621.txt

-----------------------------------------------------------------------------------------------

RogueKiller V8.5.0 [Feb 9 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Miguel [Admin rights]

Mode : Remove -- Date : 02/11/2013 16:22:15

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> REPLACED (0)

[HJ DESK] HKCU\[...]\NewStartPanel : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> REPLACED (0)

[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500325AS +++++

--- User ---

[MBR] 321f5bdb8efb1dddf0a41decc169a0bc

[bSP] 0dc0ad562a367e136649b9aeae6865c3 : Windows 7/8 MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 20000 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 41166848 | Size: 456838 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2]_D_02112013_02d1622.txt >>

RKreport[1]_S_02112013_02d1621.txt ; RKreport[2]_D_02112013_02d1622.txt

-----------------------------------------------------------------------------------------------------------------

RogueKiller V8.5.0 [Feb 9 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Miguel [Admin rights]

Mode : Remove -- Date : 02/11/2013 16:24:12

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500325AS +++++

--- User ---

[MBR] 321f5bdb8efb1dddf0a41decc169a0bc

[bSP] 0dc0ad562a367e136649b9aeae6865c3 : Windows 7/8 MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 20000 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 41166848 | Size: 456838 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[3]_D_02112013_02d1624.txt >>

RKreport[1]_S_02112013_02d1621.txt ; RKreport[2]_D_02112013_02d1622.txt ; RKreport[3]_D_02112013_02d1624.txt

------------------------------------------------------------------------------------------------------

# AdwCleaner v2.112 - Logfile created 02/11/2013 at 16:31:29

# Updated 10/02/2013 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Miguel - MIGUEL-PC

# Boot Mode : Normal

# Running from : C:\Users\Miguel\Downloads\adwcleaner (2).exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Google Chrome v24.0.1312.57

File : C:\Users\Miguel\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [5821 octets] - [07/02/2013 17:20:01]

AdwCleaner[R2].txt - [1505 octets] - [07/02/2013 17:42:30]

AdwCleaner[R3].txt - [1569 octets] - [11/02/2013 12:59:22]

AdwCleaner[R4].txt - [1094 octets] - [11/02/2013 13:07:20]

AdwCleaner[R5].txt - [1154 octets] - [11/02/2013 13:08:06]

AdwCleaner[R6].txt - [966 octets] - [11/02/2013 16:31:29]

AdwCleaner[s1].txt - [5703 octets] - [07/02/2013 17:21:09]

AdwCleaner[s2].txt - [1487 octets] - [11/02/2013 13:02:01]

AdwCleaner[s3].txt - [1215 octets] - [11/02/2013 13:08:21]

########## EOF - C:\AdwCleaner[R6].txt - [1205 octets] ##########


Good afternoon migs102006,

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click Change parameters.
  • Make sure you check the box Loaded modules.
  • A window will popup and say Reboot is required. Please click Reboot now.
  • Then click Change parameters again. Check the box Detect TDLFS file system.
  • Click on the Start Scan button.
  • If an infected file is detected, the default action will be Cure. Instead, choose SKIP, then click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button.
  • Once the tool has finished, please click Report. Please copy and paste the contents of that log in your reply.
    Note: A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt).

=====

Also, please download aswMBR by gmer to your Desktop.

  • Please visit this site for instructions on how to run the tool.
  • Once familiar with this tool, double click aswMBR.exe to run it.
  • Click the Scan button to start the scan.
  • Once the scan has completed, please save the aswMBR.txt log to the Desktop and post it in your next reply.

=====

In your reply please post the contents of the following:

  • TDSSKiller log.
  • aswMBR.txt.

Is the probing still occurring?


Hi DarkKnight,

The last probing occurred around 11 pm last night. That's over 15 hours without being probed.

I did install tdsskiller and it did not report anything unusual.

Will keep you posted.

Regards


Good morning migs102006,

Did you run aswMBR?


I did, after running it for 20 mins+ it gave me a blue screen of death. A bit hesitant to run this utility again unless the zombies start knocking at my door again.

So far 17 hours without a port probe.


Good afternoon migs102006,

Please try this tool in the meantime then.

  • Please download MBRScan and save it to your Desktop.
  • Double-click on MBRScan.exe and click the Report button. (Vista and Windows 7 users, right-click on MBRScan and then click on Run as administrator.)
  • Please don't use the computer while the scan is running. The computer may not respond until the scan is done. Please be patient and don't force a restart of the computer.
  • When the scan is finished, a log file will appear.
  • Save that log file to your Desktop and post its content in your next reply.


DarkKnight,

The port probing started again.

mbrscan.exe log pasted below.

migs


MBRScan v1.1.1

OS : Windows 7 Service Pack 1 (64 bit)
PROCESSOR : Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
BOOT : Normal Boot
DATE : 2013/02/14 (ISO 8601) at 10:41:12
________________________________________________________________________________

DISK : Device\Harddisk0\DR0 __ST950032 5AS (D005)
BUS_TYPE : (0x03) P-ATA
USE_PIO : NO
MAX_TRANSFER : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

Device\Harddisk0\DR0 465.8 Go [Fixed] ==> 7 MBR Code .

MBR_MD5 : 321F5BDB8EFB1DDDF0A41DECC169A0BC
MBR_SHA1 : A47A23920EB39C5052B05F9683FE8FCCE2520AB0

Device\Harddisk0\Partition1 100.0 Mo 0xDE Dell Utility
Device\Harddisk0\Partition2 19.53 Go 0x07 NTFS / HPFS __ BOOTABLE __
Device\Harddisk0\Partition3 446.1 Go 0x07 NTFS / HPFS
________________________________________________________________________________

############################### Additional scan ################################

DRIVER : C:\windows\system32\hal.dll => Invisible on the disk
ADDRESS : 0x0321E000
SIZE : 292.0 Ko

DRIVER : C:\windows\system32\kdcom.dll => Invisible on the disk
ADDRESS : 0x00B9B000
SIZE : 40.0 Ko

DRIVER : C:\windows\system32\mcupdate_GenuineIntel.dll => Invisible on the disk
ADDRESS : 0x00CCB000
SIZE : 316.0 Ko

DRIVER : C:\windows\system32\CLFS.SYS => Invisible on the disk
ADDRESS : 0x00D2E000
SIZE : 376.0 Ko

DRIVER : C:\windows\system32\CI.dll => Invisible on the disk
ADDRESS : 0x00C00000
SIZE : 768.0 Ko

DRIVER : C:\windows\system32\drivers\Wdf01000.sys => Invisible on the disk
ADDRESS : 0x00EC3000
SIZE : 776.0 Ko

DRIVER : C:\windows\system32\drivers\WDFLDR.SYS => Invisible on the disk
ADDRESS : 0x00F85000
SIZE : 64.0 Ko

DRIVER : C:\windows\system32\drivers\ACPI.sys => Invisible on the disk
ADDRESS : 0x00F95000
SIZE : 348.0 Ko

DRIVER : C:\windows\system32\drivers\WMILIB.SYS => Invisible on the disk
ADDRESS : 0x00FEC000
SIZE : 36.0 Ko

DRIVER : C:\windows\system32\drivers\msisadrv.sys => Invisible on the disk
ADDRESS : 0x00FF5000
SIZE : 40.0 Ko

DRIVER : C:\windows\system32\drivers\pci.sys => Invisible on the disk
ADDRESS : 0x00E00000
SIZE : 204.0 Ko

DRIVER : C:\windows\system32\drivers\vdrvroot.sys => Invisible on the disk
ADDRESS : 0x00E33000
SIZE : 52.0 Ko

DRIVER : C:\windows\System32\drivers\partmgr.sys => Invisible on the disk
ADDRESS : 0x00E40000
SIZE : 84.0 Ko

DRIVER : C:\windows\system32\drivers\compbatt.sys => Invisible on the disk
ADDRESS : 0x00E55000
SIZE : 36.0 Ko

DRIVER : C:\windows\system32\drivers\BATTC.SYS => Invisible on the disk
ADDRESS : 0x00E5E000
SIZE : 48.0 Ko

DRIVER : C:\windows\system32\drivers\volmgr.sys => Invisible on the disk
ADDRESS : 0x00E6A000
SIZE : 84.0 Ko

DRIVER : C:\windows\System32\drivers\volmgrx.sys => Invisible on the disk
ADDRESS : 0x00D8C000
SIZE : 368.0 Ko

DRIVER : C:\windows\System32\drivers\mountmgr.sys => Invisible on the disk
ADDRESS : 0x00E7F000
SIZE : 104.0 Ko

DRIVER : C:\windows\system32\DRIVERS\iaStor.sys => Invisible on the disk
ADDRESS : 0x0109F000
SIZE : 1.33 Mo

DRIVER : C:\windows\system32\drivers\atapi.sys => Invisible on the disk
ADDRESS : 0x011F3000
SIZE : 36.0 Ko

DRIVER : C:\windows\system32\drivers\ataport.SYS => Invisible on the disk
ADDRESS : 0x01000000
SIZE : 168.0 Ko

DRIVER : C:\windows\system32\drivers\msahci.sys => Invisible on the disk
ADDRESS : 0x0102A000
SIZE : 44.0 Ko

DRIVER : C:\windows\system32\drivers\PCIIDEX.SYS => Invisible on the disk
ADDRESS : 0x01035000
SIZE : 64.0 Ko

DRIVER : C:\windows\system32\drivers\amdxata.sys => Invisible on the disk
ADDRESS : 0x01045000
SIZE : 44.0 Ko

DRIVER : C:\windows\system32\drivers\fltmgr.sys => Invisible on the disk
ADDRESS : 0x01050000
SIZE : 304.0 Ko

DRIVER : C:\windows\system32\drivers\fileinfo.sys => Invisible on the disk
ADDRESS : 0x00E99000
SIZE : 80.0 Ko

DRIVER : C:\windows\system32\drivers\mfehidk.sys => Invisible on the disk
ADDRESS : 0x01264000
SIZE : 744.0 Ko

DRIVER : C:\windows\System32\Drivers\PxHlpa64.sys => Invisible on the disk
ADDRESS : 0x0131E000
SIZE : 52.0 Ko

DRIVER : C:\windows\System32\Drivers\Ntfs.sys => Invisible on the disk
ADDRESS : 0x0142C000
SIZE : 1.64 Mo

DRIVER : C:\windows\System32\Drivers\msrpc.sys => Invisible on the disk
ADDRESS : 0x0132B000
SIZE : 376.0 Ko

DRIVER : C:\windows\System32\Drivers\ksecdd.sys => Invisible on the disk
ADDRESS : 0x015CF000
SIZE : 108.0 Ko

DRIVER : C:\windows\System32\Drivers\cng.sys => Invisible on the disk
ADDRESS : 0x01389000
SIZE : 456.0 Ko

DRIVER : C:\windows\System32\drivers\pcw.sys => Invisible on the disk
ADDRESS : 0x015EA000
SIZE : 68.0 Ko

DRIVER : C:\windows\System32\Drivers\Fs_Rec.sys => Invisible on the disk
ADDRESS : 0x01400000
SIZE : 40.0 Ko

DRIVER : C:\windows\system32\drivers\ndis.sys => Invisible on the disk
ADDRESS : 0x016F5000
SIZE : 968.0 Ko

DRIVER : C:\windows\system32\drivers\NETIO.SYS => Invisible on the disk
ADDRESS : 0x01600000
SIZE : 384.0 Ko

DRIVER : C:\windows\System32\Drivers\ksecpkg.sys => Invisible on the disk
ADDRESS : 0x01660000
SIZE : 168.0 Ko

DRIVER : C:\windows\System32\drivers\tcpip.sys => Invisible on the disk
ADDRESS : 0x01800000
SIZE : 2.00 Mo

DRIVER : C:\windows\System32\drivers\fwpkclnt.sys => Invisible on the disk
ADDRESS : 0x0168A000
SIZE : 292.0 Ko

DRIVER : C:\windows\system32\drivers\mfewfpk.sys => Invisible on the disk
ADDRESS : 0x01200000
SIZE : 324.0 Ko

DRIVER : C:\windows\system32\drivers\volsnap.sys => Invisible on the disk
ADDRESS : 0x01A8E000
SIZE : 304.0 Ko

DRIVER : C:\windows\System32\Drivers\spldr.sys => Invisible on the disk
ADDRESS : 0x01ADA000
SIZE : 32.0 Ko

DRIVER : C:\windows\System32\drivers\rdyboost.sys => Invisible on the disk
ADDRESS : 0x01AE2000
SIZE : 232.0 Ko

DRIVER : C:\windows\System32\Drivers\mup.sys => Invisible on the disk
ADDRESS : 0x01B1C000
SIZE : 72.0 Ko

DRIVER : C:\windows\System32\drivers\hwpolicy.sys => Invisible on the disk
ADDRESS : 0x01B2E000
SIZE : 36.0 Ko

DRIVER : C:\windows\System32\DRIVERS\fvevol.sys => Invisible on the disk
ADDRESS : 0x01B37000
SIZE : 232.0 Ko

DRIVER : C:\windows\system32\drivers\disk.sys => Invisible on the disk
ADDRESS : 0x01B71000
SIZE : 88.0 Ko

DRIVER : C:\windows\system32\drivers\CLASSPNP.SYS => Invisible on the disk
ADDRESS : 0x01B87000
SIZE : 192.0 Ko

DRIVER : C:\windows\system32\DRIVERS\cdrom.sys => Invisible on the disk
ADDRESS : 0x03E13000
SIZE : 168.0 Ko

DRIVER : C:\windows\System32\Drivers\Null.SYS => Invisible on the disk
ADDRESS : 0x03E3D000
SIZE : 36.0 Ko

DRIVER : C:\windows\System32\Drivers\Beep.SYS => Invisible on the disk
ADDRESS : 0x03E46000
SIZE : 28.0 Ko

DRIVER : C:\windows\System32\drivers\vga.sys => Invisible on the disk
ADDRESS : 0x03E4D000
SIZE : 56.0 Ko

DRIVER : C:\windows\System32\drivers\VIDEOPRT.SYS => Invisible on the disk
ADDRESS : 0x03E5B000
SIZE : 148.0 Ko

DRIVER : C:\windows\System32\drivers\watchdog.sys => Invisible on the disk
ADDRESS : 0x03E80000
SIZE : 64.0 Ko

DRIVER : C:\windows\System32\DRIVERS\RDPCDD.sys => Invisible on the disk
ADDRESS : 0x03E90000
SIZE : 36.0 Ko

DRIVER : C:\windows\system32\drivers\rdpencdd.sys => Invisible on the disk
ADDRESS : 0x03E99000
SIZE : 36.0 Ko

DRIVER : C:\windows\system32\drivers\rdprefmp.sys => Invisible on the disk
ADDRESS : 0x03EA2000
SIZE : 36.0 Ko

DRIVER : C:\windows\System32\Drivers\Msfs.SYS => Invisible on the disk
ADDRESS : 0x01BC5000
SIZE : 44.0 Ko

DRIVER : C:\windows\System32\Drivers\Npfs.SYS => Invisible on the disk
ADDRESS : 0x01BD0000
SIZE : 68.0 Ko

DRIVER : C:\windows\system32\DRIVERS\tdx.sys => Invisible on the disk
ADDRESS : 0x01A00000
SIZE : 136.0 Ko

DRIVER : C:\windows\system32\DRIVERS\TDI.SYS => Invisible on the disk
ADDRESS : 0x01A22000
SIZE : 52.0 Ko

DRIVER : C:\windows\System32\DRIVERS\netbt.sys => Invisible on the disk
ADDRESS : 0x01A2F000
SIZE : 276.0 Ko

DRIVER : C:\windows\system32\drivers\afd.sys => Invisible on the disk
ADDRESS : 0x02ED2000
SIZE : 548.0 Ko

DRIVER : C:\windows\system32\drivers\ws2ifsl.sys => Invisible on the disk
ADDRESS : 0x02F5B000
SIZE : 44.0 Ko

DRIVER : C:\windows\system32\DRIVERS\wfplwf.sys => Invisible on the disk
ADDRESS : 0x02F66000
SIZE : 36.0 Ko

DRIVER : C:\windows\system32\DRIVERS\pacer.sys => Invisible on the disk
ADDRESS : 0x02F6F000
SIZE : 152.0 Ko

DRIVER : C:\windows\system32\DRIVERS\vwififlt.sys => Invisible on the disk
ADDRESS : 0x02F95000
SIZE : 88.0 Ko

DRIVER : C:\windows\system32\DRIVERS\netbios.sys => Invisible on the disk
ADDRESS : 0x02FAB000
SIZE : 60.0 Ko

DRIVER : C:\windows\system32\DRIVERS\wanarp.sys => Invisible on the disk
ADDRESS : 0x02FBA000
SIZE : 108.0 Ko

DRIVER : C:\windows\system32\DRIVERS\termdd.sys => Invisible on the disk
ADDRESS : 0x02FD5000
SIZE : 80.0 Ko

DRIVER : C:\windows\system32\DRIVERS\rdbss.sys => Invisible on the disk
ADDRESS : 0x02E00000
SIZE : 324.0 Ko

DRIVER : C:\windows\system32\drivers\nsiproxy.sys => Invisible on the disk
ADDRESS : 0x02E51000
SIZE : 48.0 Ko

DRIVER : C:\windows\system32\DRIVERS\mssmbios.sys => Invisible on the disk
ADDRESS : 0x02E5D000
SIZE : 44.0 Ko

DRIVER : C:\windows\System32\drivers\discache.sys => Invisible on the disk
ADDRESS : 0x02E68000
SIZE : 60.0 Ko

DRIVER : C:\windows\System32\Drivers\dfsc.sys => Invisible on the disk
ADDRESS : 0x02E77000
SIZE : 120.0 Ko

DRIVER : C:\windows\system32\DRIVERS\blbdrive.sys => Invisible on the disk
ADDRESS : 0x02E95000
SIZE : 68.0 Ko

DRIVER : C:\windows\system32\DRIVERS\tunnel.sys => Invisible on the disk
ADDRESS : 0x02EA6000
SIZE : 152.0 Ko

DRIVER : C:\windows\system32\DRIVERS\igdkmd64.sys => Invisible on the disk
ADDRESS : 0x04A37000
SIZE : 11.70 Mo

DRIVER : C:\windows\System32\drivers\dxgkrnl.sys => Invisible on the disk
ADDRESS : 0x03C64000
SIZE : 976.0 Ko

DRIVER : C:\windows\System32\drivers\dxgmms1.sys => Invisible on the disk
ADDRESS : 0x03D58000
SIZE : 280.0 Ko

DRIVER : C:\windows\system32\DRIVERS\HECIx64.sys => Invisible on the disk
ADDRESS : 0x03D9E000
SIZE : 68.0 Ko

DRIVER : C:\windows\system32\DRIVERS\usbehci.sys => Invisible on the disk
ADDRESS : 0x03DAF000
SIZE : 68.0 Ko

DRIVER : C:\windows\system32\DRIVERS\USBPORT.SYS => Invisible on the disk
ADDRESS : 0x03C00000
SIZE : 344.0 Ko

DRIVER : C:\windows\system32\DRIVERS\HDAudBus.sys => Invisible on the disk
ADDRESS : 0x03DC0000
SIZE : 144.0 Ko

DRIVER : C:\windows\system32\DRIVERS\Rt64win7.sys => Invisible on the disk
ADDRESS : 0x042BD000
SIZE : 528.0 Ko

DRIVER : C:\windows\system32\DRIVERS\bcmwl664.sys => Invisible on the disk
ADDRESS : 0x05899000
SIZE : 4.51 Mo

DRIVER : C:\windows\system32\DRIVERS\vwifibus.sys => Invisible on the disk
ADDRESS : 0x05D1C000
SIZE : 52.0 Ko

DRIVER : C:\windows\system32\DRIVERS\i8042prt.sys => Invisible on the disk
ADDRESS : 0x05D29000
SIZE : 120.0 Ko

DRIVER : C:\windows\system32\DRIVERS\Apfiltr.sys => Invisible on the disk
ADDRESS : 0x05D47000
SIZE : 368.0 Ko

DRIVER : C:\windows\system32\DRIVERS\mouclass.sys => Invisible on the disk
ADDRESS : 0x05DA3000
SIZE : 60.0 Ko

DRIVER : C:\windows\system32\DRIVERS\kbdclass.sys => Invisible on the disk
ADDRESS : 0x05DB2000
SIZE : 60.0 Ko

DRIVER : C:\windows\system32\DRIVERS\GEARAspiWDM.sys => Invisible on the disk
ADDRESS : 0x05DC1000
SIZE : 28.0 Ko

DRIVER : C:\windows\system32\DRIVERS\intelppm.sys => Invisible on the disk
ADDRESS : 0x05DC8000
SIZE : 88.0 Ko

DRIVER : C:\windows\system32\DRIVERS\CmBatt.sys => Invisible on the disk
ADDRESS : 0x05DDE000
SIZE : 20.0 Ko

DRIVER : C:\windows\system32\DRIVERS\wmiacpi.sys => Invisible on the disk
ADDRESS : 0x05DE3000
SIZE : 36.0 Ko

DRIVER : C:\windows\system32\DRIVERS\CompositeBus.sys => Invisible on the disk
ADDRESS : 0x05DEC000
SIZE : 64.0 Ko

DRIVER : C:\windows\system32\DRIVERS\dsNcAdpt.sys => Invisible on the disk
ADDRESS : 0x05800000
SIZE : 52.0 Ko

DRIVER : C:\windows\system32\DRIVERS\AgileVpn.sys => Invisible on the disk
ADDRESS : 0x0580D000
SIZE : 88.0 Ko

DRIVER : C:\windows\system32\DRIVERS\rasl2tp.sys => Invisible on the disk
ADDRESS : 0x05823000
SIZE : 144.0 Ko

DRIVER : C:\windows\system32\DRIVERS\ndistapi.sys => Invisible on the disk
ADDRESS : 0x05847000
SIZE : 48.0 Ko

DRIVER : C:\windows\system32\DRIVERS\ndiswan.sys => Invisible on the disk
ADDRESS : 0x05853000
SIZE : 188.0 Ko

DRIVER : C:\windows\system32\DRIVERS\raspppoe.sys => Invisible on the disk
ADDRESS : 0x04341000
SIZE : 108.0 Ko

DRIVER : C:\windows\system32\DRIVERS\raspptp.sys => Invisible on the disk
ADDRESS : 0x0435C000
SIZE : 132.0 Ko

DRIVER : C:\windows\system32\DRIVERS\rassstp.sys => Invisible on the disk
ADDRESS : 0x0437D000
SIZE : 104.0 Ko

DRIVER : C:\windows\system32\DRIVERS\swenum.sys => Invisible on the disk
ADDRESS : 0x05882000
SIZE : 8.0 Ko

DRIVER : C:\windows\system32\DRIVERS\ks.sys => Invisible on the disk
ADDRESS : 0x04397000
SIZE : 268.0 Ko

DRIVER : C:\windows\system32\DRIVERS\umbus.sys => Invisible on the disk
ADDRESS : 0x05884000
SIZE : 72.0 Ko

DRIVER : C:\windows\system32\DRIVERS\usbhub.sys => Invisible on the disk
ADDRESS : 0x04200000
SIZE : 360.0 Ko

DRIVER : C:\windows\System32\Drivers\NDProxy.SYS => Invisible on the disk
ADDRESS : 0x0425A000
SIZE : 84.0 Ko

DRIVER : C:\windows\system32\DRIVERS\stwrt64.sys => Invisible on the disk
ADDRESS : 0x0624C000
SIZE : 532.0 Ko

DRIVER : C:\windows\system32\DRIVERS\portcls.sys => Invisible on the disk
ADDRESS : 0x062D1000
SIZE : 244.0 Ko

DRIVER : C:\windows\system32\DRIVERS\drmk.sys => Invisible on the disk
ADDRESS : 0x0630E000
SIZE : 136.0 Ko

DRIVER : C:\windows\system32\drivers\ksthunk.sys => Invisible on the disk
ADDRESS : 0x06330000
SIZE : 24.0 Ko

DRIVER : C:\windows\system32\DRIVERS\IntcDAud.sys => Invisible on the disk
ADDRESS : 0x06336000
SIZE : 332.0 Ko

DRIVER : C:\windows\system32\drivers\mfeavfk.sys => Invisible on the disk
ADDRESS : 0x06389000
SIZE : 296.0 Ko

DRIVER : C:\windows\system32\drivers\mfefirek.sys => Invisible on the disk
ADDRESS : 0x0685C000
SIZE : 496.0 Ko

DRIVER : C:\windows\system32\DRIVERS\usbccgp.sys => Invisible on the disk
ADDRESS : 0x068D8000
SIZE : 116.0 Ko

DRIVER : C:\windows\system32\DRIVERS\USBD.SYS => Invisible on the disk
ADDRESS : 0x068F5000
SIZE : 8.0 Ko

DRIVER : C:\windows\System32\Drivers\usbvideo.sys => Invisible on the disk
ADDRESS : 0x068F7000
SIZE : 184.0 Ko

DRIVER : C:\windows\system32\DRIVERS\CtClsFlt.sys => Invisible on the disk
ADDRESS : 0x06925000
SIZE : 172.0 Ko

DRIVER : C:\windows\System32\Drivers\crashdmp.sys => Invisible on the disk
ADDRESS : 0x06950000
SIZE : 56.0 Ko

DRIVER : C:\windows\System32\Drivers\dump_iaStor.sys => Invisible on the disk
ADDRESS : 0x03EAB000
SIZE : 1.33 Mo

DRIVER : C:\windows\System32\Drivers\dump_dumpfve.sys => Invisible on the disk
ADDRESS : 0x0695E000
SIZE : 76.0 Ko

DRIVER : C:\windows\System32\win32k.sys => Invisible on the disk
ADDRESS : 0x00050000
SIZE : 3.09 Mo

DRIVER : C:\windows\System32\drivers\Dxapi.sys => Invisible on the disk
ADDRESS : 0x06971000
SIZE : 48.0 Ko

DRIVER : C:\windows\system32\DRIVERS\monitor.sys => Invisible on the disk
ADDRESS : 0x0697D000
SIZE : 56.0 Ko

DRIVER : C:\windows\System32\TSDDD.dll => Invisible on the disk
ADDRESS : 0x00520000
SIZE : 40.0 Ko

DRIVER : C:\windows\System32\cdd.dll => Invisible on the disk
ADDRESS : 0x007C0000
SIZE : 156.0 Ko

DRIVER : C:\windows\system32\drivers\luafv.sys => Invisible on the disk
ADDRESS : 0x0698B000
SIZE : 140.0 Ko

DRIVER : C:\windows\system32\drivers\mbam.sys => Invisible on the disk
ADDRESS : 0x069AE000
SIZE : 40.0 Ko

DRIVER : C:\windows\system32\DRIVERS\Sftvollh.sys => Invisible on the disk
ADDRESS : 0x069B8000
SIZE : 44.0 Ko

DRIVER : C:\windows\system32\drivers\WudfPf.sys => Invisible on the disk
ADDRESS : 0x069C3000
SIZE : 100.0 Ko

DRIVER : C:\windows\system32\DRIVERS\lltdio.sys => Invisible on the disk
ADDRESS : 0x069DC000
SIZE : 84.0 Ko

DRIVER : C:\windows\system32\DRIVERS\nwifi.sys => Invisible on the disk
ADDRESS : 0x06800000
SIZE : 332.0 Ko

DRIVER : C:\windows\system32\DRIVERS\ndisuio.sys => Invisible on the disk
ADDRESS : 0x063D3000
SIZE : 76.0 Ko

DRIVER : C:\windows\system32\DRIVERS\rspndr.sys => Invisible on the disk
ADDRESS : 0x063E6000
SIZE : 96.0 Ko

DRIVER : C:\windows\system32\drivers\HTTP.sys => Invisible on the disk
ADDRESS : 0x02CE2000
SIZE : 804.0 Ko

DRIVER : C:\windows\system32\DRIVERS\bowser.sys => Invisible on the disk
ADDRESS : 0x02DAB000
SIZE : 120.0 Ko

DRIVER : C:\windows\System32\drivers\mpsdrv.sys => Invisible on the disk
ADDRESS : 0x02DC9000
SIZE : 96.0 Ko

DRIVER : C:\windows\system32\DRIVERS\mrxsmb.sys => Invisible on the disk
ADDRESS : 0x02C00000
SIZE : 180.0 Ko

DRIVER : C:\windows\system32\DRIVERS\mrxsmb10.sys => Invisible on the disk
ADDRESS : 0x02C2D000
SIZE : 312.0 Ko

DRIVER : C:\windows\system32\DRIVERS\mrxsmb20.sys => Invisible on the disk
ADDRESS : 0x02C7B000
SIZE : 144.0 Ko

DRIVER : C:\windows\system32\drivers\peauth.sys => Invisible on the disk
ADDRESS : 0x0644B000
SIZE : 664.0 Ko

DRIVER : C:\windows\System32\Drivers\secdrv.SYS => Invisible on the disk
ADDRESS : 0x064F1000
SIZE : 44.0 Ko

DRIVER : C:\windows\system32\DRIVERS\Sftfslh.sys => Invisible on the disk
ADDRESS : 0x064FC000
SIZE : 772.0 Ko

DRIVER : C:\windows\system32\DRIVERS\Sftplaylh.sys => Invisible on the disk
ADDRESS : 0x0426F000
SIZE : 308.0 Ko

DRIVER : C:\windows\System32\DRIVERS\srvnet.sys => Invisible on the disk
ADDRESS : 0x065BD000
SIZE : 196.0 Ko

DRIVER : C:\windows\System32\drivers\tcpipreg.sys => Invisible on the disk
ADDRESS : 0x065EE000
SIZE : 72.0 Ko

DRIVER : C:\windows\System32\DRIVERS\srv2.sys => Invisible on the disk
ADDRESS : 0x0782B000
SIZE : 420.0 Ko

DRIVER : C:\windows\System32\DRIVERS\srv.sys => Invisible on the disk
ADDRESS : 0x07894000
SIZE : 608.0 Ko

DRIVER : C:\windows\system32\DRIVERS\Sftredirlh.sys => Invisible on the disk
ADDRESS : 0x0792C000
SIZE : 44.0 Ko

DRIVER : C:\windows\system32\drivers\cfwids.sys => Invisible on the disk
ADDRESS : 0x07937000
SIZE : 64.0 Ko

DRIVER : C:\windows\System32\Drivers\fastfat.SYS => Invisible on the disk
ADDRESS : 0x07947000
SIZE : 216.0 Ko

DRIVER : C:\windows\system32\DRIVERS\asyncmac.sys => Invisible on the disk
ADDRESS : 0x079BD000
SIZE : 44.0 Ko

DRIVER : C:\windows\system32\drivers\HipShieldK.sys => Invisible on the disk
ADDRESS : 0x079C8000
SIZE : 184.0 Ko

DRIVER : C:\windows\system32\drivers\mfeapfk.sys => Invisible on the disk
ADDRESS : 0x07800000
SIZE : 168.0 Ko

DRIVER : C:\windows\System32\smss.exe => Invisible on the disk
ADDRESS : 0x484D0000
SIZE : 128.0 Ko

SystemStartOptions : NOEXECUTE=OPTIN

________________________________________________________________________________

_______MBR \Device\Harddisk0\DR0

0x00000000 33 C0 8E D0 BC 00 7C 8E C0 8E D8 BE 00 7C BF 00 3À.м.|.À.ؾ.|¿.
0x00000010 06 B9 00 02 FC F3 A4 50 68 1C 06 CB FB B9 04 00 .¹..üó¤Ph..Ëû¹..
0x00000020 BD BE 07 80 7E 00 00 7C 0B 0F 85 0E 01 83 C5 10 ½¾..~..|......Å.
0x00000030 E2 F1 CD 18 88 56 00 55 C6 46 11 05 C6 46 10 00 âñÍ..V.UÆF..ÆF..
0x00000040 B4 41 BB AA 55 CD 13 5D 72 0F 81 FB 55 AA 75 09 ´A»ªUÍ.]r..ûUªu.
0x00000050 F7 C1 01 00 74 03 FE 46 10 66 60 80 7E 10 00 74 ÷Á..t.þF.f`.~..t
0x00000060 26 66 68 00 00 00 00 66 FF 76 08 68 00 00 68 00 &fh....f.v.h..h.
0x00000070 7C 68 01 00 68 10 00 B4 42 8A 56 00 8B F4 CD 13 |h..h..´B.V..ôÍ.
0x00000080 9F 83 C4 10 9E EB 14 B8 01 02 BB 00 7C 8A 56 00 ..Ä..ë.¸..».|.V.
0x00000090 8A 76 01 8A 4E 02 8A 6E 03 CD 13 66 61 73 1C FE .v..N..n.Í.fas.þ
0x000000A0 4E 11 75 0C 80 7E 00 80 0F 84 8A 00 B2 80 EB 84 N.u..~......².ë.
0x000000B0 55 32 E4 8A 56 00 CD 13 5D EB 9E 81 3E FE 7D 55 U2ä.V.Í.]ë..>þ}U
0x000000C0 AA 75 6E FF 76 00 E8 8D 00 75 17 FA B0 D1 E6 64 ªun.v.è..u.ú°Ñæd
0x000000D0 E8 83 00 B0 DF E6 60 E8 7C 00 B0 FF E6 64 E8 75 è..°ßæ`è|.°.ædèu
0x000000E0 00 FB B8 00 BB CD 1A 66 23 C0 75 3B 66 81 FB 54 .û¸.»Í.f#Àu;f.ûT
0x000000F0 43 50 41 75 32 81 F9 02 01 72 2C 66 68 07 BB 00 CPAu2.ù..r,fh.».
0x00000100 00 66 68 00 02 00 00 66 68 08 00 00 00 66 53 66 .fh....fh....fSf
0x00000110 53 66 55 66 68 00 00 00 00 66 68 00 7C 00 00 66 SfUfh....fh.|..f
0x00000120 61 68 00 00 07 CD 1A 5A 32 F6 EA 00 7C 00 00 CD ah...Í.Z2öê.|..Í
0x00000130 18 A0 B7 07 EB 08 A0 B6 07 EB 03 A0 B5 07 32 E4 ..·.ë..¶.ë..µ.2ä
0x00000140 05 00 07 8B F0 AC 3C 00 74 09 BB 07 00 B4 0E CD ....ð¬<.t.»..´.Í
0x00000150 10 EB F2 F4 EB FD 2B C9 E4 64 EB 00 24 02 E0 F8 .ëòôëý+Éädë.$.àø
0x00000160 24 02 C3 49 6E 76 61 6C 69 64 20 70 61 72 74 69 $.ÃInvalid parti
0x00000170 74 69 6F 6E 20 74 61 62 6C 65 00 45 72 72 6F 72 tion table.Error
0x00000180 20 6C 6F 61 64 69 6E 67 20 6F 70 65 72 61 74 69 loading operati
0x00000190 6E 67 20 73 79 73 74 65 6D 00 4D 69 73 73 69 6E ng system.Missin
0x000001A0 67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 g operating syst
0x000001B0 65 6D 00 00 00 63 7B 9A 77 8F 55 8C 00 00 00 20 em...c{.w.U....
0x000001C0 21 00 DE DF 13 0C 00 08 00 00 00 20 03 00 80 DF !.Þß....... ...ß
0x000001D0 14 0C 07 FE FF FF 00 28 03 00 00 00 71 02 00 FE ...þ...(....q..þ
0x000001E0 FF FF 07 FE FF FF 00 28 74 02 30 30 C4 37 00 00 ...þ...(t.00Ä7..
0x000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............Uª

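The raw sector dumped above contains everything RogueKiller and MBRScan summarised: the bootstrap code, the Windows disk signature at 0x1B8, the four 16-byte partition entries at 0x1BE and the 0x55AA boot signature at 0x1FE. As an added example (the editor's code, not RogueKiller's or MBRScan's), the script below decodes that sector, checks the decoded partition table against the table RogueKiller printed, and computes the sector digests so they can be set beside the [MBR] / MBR_MD5 / MBR_SHA1 lines. The 512 bytes are transcribed from the MBRScan dump in this thread; the offsets are the standard MBR layout, and the guess that RogueKiller's [bSP] line hashes only the 440 code bytes before the disk signature is an assumption.

```python
"""Decode the MBR sector dumped by MBRScan above and check it against the
partition table the tools reported.

Added example by the editor, not code from RogueKiller or MBRScan. MBR_HEX is
the 512-byte sector transcribed from the dump in this thread. The offsets are
the standard MBR layout; which byte range each tool hashes is an assumption.
"""
import hashlib
import struct

MBR_HEX = """
33C08ED0BC007C8EC08ED8BE007CBF0006B90002FCF3A450681C06CBFBB90400
BDBE07807E00007C0B0F850E0183C510E2F1CD1888560055C6461105C6461000
B441BBAA55CD135D720F81FB55AA7509F7C101007403FE46106660807E100074
2666680000000066FF760868000068007C680100681000B4428A56008BF4CD13
9F83C4109EEB14B80102BB007C8A56008A76018A4E028A6E03CD136661731CFE
4E11750C807E00800F848A00B280EB845532E48A5600CD135DEB9E813EFE7D55
AA756EFF7600E88D007517FAB0D1E664E88300B0DFE660E87C00B0FFE664E875
00FBB800BBCD1A6623C0753B6681FB54435041753281F90201722C666807BB00
006668000200006668080000006653665366556668000000006668007C000066
6168000007CD1A5A32F6EA007C0000CD18A0B707EB08A0B607EB03A0B50732E4
0500078BF0AC3C007409BB0700B40ECD10EBF2F4EBFD2BC9E464EB002402E0F8
2402C3496E76616C696420706172746974696F6E207461626C65004572726F72
206C6F6164696E67206F7065726174696E672073797374656D004D697373696E
67206F7065726174696E672073797374656D000000637B9A778F558C00000020
2100DEDF130C000800000020030080DF140C07FEFFFF002803000000710200FE
FFFF07FEFFFF002874023030C4370000000000000000000000000000000055AA
"""
MBR = bytes.fromhex("".join(MBR_HEX.split()))

SECTOR = 512
DISK_SIG_OFF = 0x1B8     # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # 0x55 0xAA
PART_TYPES = {0x07: "NTFS / HPFS", 0xDE: "Dell Utility"}

# What RogueKiller printed for PhysicalDrive0 above: (type, first LBA, size in MB).
REPORTED = [(0xDE, 2048, 100), (0x07, 206848, 20000), (0x07, 41166848, 456838)]


def parse_partitions(mbr):
    """Return the non-empty partition entries, in table order, as dicts."""
    if len(mbr) != SECTOR:
        raise ValueError("expected one 512-byte sector, got %d bytes" % len(mbr))
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xAA":
        raise ValueError("boot signature 0x55AA missing")
    parts = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue
        parts.append({
            "index": i, "active": status == 0x80, "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "lba_start": lba, "sectors": count,
            "size_mb": round(count * SECTOR / 2**20),
        })
    return parts


def disk_signature(mbr):
    """The NT disk signature as a little-endian 32-bit value."""
    return struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0]


def matches_report(parts, reported=REPORTED):
    """True when the decoded table agrees with the tool's printed table."""
    return [(p["type"], p["lba_start"], p["size_mb"]) for p in parts] == list(reported)


def digests(mbr):
    """Hex digests to set beside the [MBR] / MBR_MD5 / MBR_SHA1 lines above.
    The bootstrap digest assumes RogueKiller's [bSP] hashes the 440 code bytes
    before the disk signature; that coverage is an assumption, not documented."""
    return {
        "md5_sector": hashlib.md5(mbr).hexdigest(),
        "sha1_sector": hashlib.sha1(mbr).hexdigest(),
        "md5_bootstrap": hashlib.md5(mbr[:DISK_SIG_OFF]).hexdigest(),
    }


if __name__ == "__main__":
    for p in parse_partitions(MBR):
        flag = "*" if p["active"] else " "
        print(f"{p['index']} {flag} 0x{p['type']:02X} {p['type_name']:12s} "
              f"LBA {p['lba_start']:>10d}  {p['size_mb']:>7d} MB")
    print("disk signature 0x%08X" % disk_signature(MBR))
    print("matches RogueKiller table:", matches_report(parse_partitions(MBR)))
    for name, value in digests(MBR).items():
        print(f"{name:14s} {value}")
```

The decoded table is the more useful check of the two: a digest only says whether the sector changed, while the decoded entries show whether a change sits in the bootstrap code (where a bootkit would live) or in the partition entries. If the full-sector MD5 printed here does not match the value the tools reported, suspect a slip in transcribing the hex before suspecting the disk.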

Hey migs102006,

  • Please re-run MBRScan.
  • Click Dump.
  • Once you have selected your MBR code, please click Dump Selected MBR (if there are multiple codes please do this for each of them).


Hi DarkKnight,

I was 'not permitted' to upload the dump*.mbr files to your site when I tried attaching the files to this email.

migs102006


Hello migs102006,

Please upload it to a file sharing site, like mega upload, and provide me with a link.


Hello migs102006,

Thank you. Well that came up clean.

I am not familiar with the McAfee Firewall; are you able to block certain IP addresses?

If so, please block this one: 192.168.1.1

And see if the probing continues.


The McAfee firewall blocks all incoming network traffic that tries to communicate through various ports.

The message I get is:

"The pc 192.168.1.1 tried to access your system port TCP port 52832,

If you want to allow this traffic either trust the IP address or open the port in the systems services in Firewall.

The source ip address is your own gateway. The source ip address is your own DNS server. The source ip address is your own DHCP server.

The source ip address is in your own local network."

192.168.* is a default internal IP address that the Verizon FIOS router assigns to all devices attached to one's router.

192.168.1.1 happens to be my own pc and there are no other pcs in the local network.

Shortly after a program on my own pc probes one of the ports, other pcs somehow detect this or are alerted and start probing my pc through other ports.

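The alert text quoted above states what 192.168.1.1 is on this LAN (the gateway, DNS server and DHCP server), and the three ports named in the thread fall into two groups: 49726 and 52832 lie in the range Windows Vista/7 use for their own outbound (ephemeral) connections, while TCP 2869 is the port the Windows UPnP device host listens on. As an added example (the editor's code, not McAfee's), the script below parses alert lines in the quoted wording and sorts them by source (gateway, other LAN host, Internet) and by the kind of port hit. The sample lines are constructed, the addresses outside 192.168.1.0/24 are documentation ranges rather than real hosts, and the service table and labels are assumptions.

```python
"""Triage of firewall 'port probe' alerts like the one quoted above.

Added example by the editor, not McAfee code. The alert wording is taken from
the message quoted in the post; the sample lines are constructed, and the
gateway address, the service table and the labels are assumptions.
"""
import ipaddress
import re
from collections import Counter

GATEWAY = ipaddress.ip_address("192.168.1.1")   # the FIOS router, per the alert text

# RFC 1918 ranges: "in your own local network" in the alert's words.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Windows Vista/7 allocate outbound (ephemeral) ports from 49152 upward.
EPHEMERAL = range(49152, 65536)

# Fixed Windows listeners a LAN router commonly contacts (assumed table, not McAfee's).
LOCAL_SERVICES = {
    2869: "UPnP device host (SSDP eventing)",
    5357: "Web Services on Devices",
    135: "RPC endpoint mapper",
    139: "NetBIOS session",
    445: "SMB",
}

ALERT_RE = re.compile(
    r"The pc (?P<src>\d{1,3}(?:\.\d{1,3}){3}) tried to access your system port "
    r"(?P<proto>TCP|UDP) port (?P<port>\d{1,5})"
)

# Constructed sample alerts in the quoted wording; the addresses outside
# 192.168.1.0/24 are documentation ranges, not real probing hosts.
SAMPLE_ALERTS = [
    "The pc 192.168.1.1 tried to access your system port TCP port 52832",
    "The pc 192.168.1.1 tried to access your system port TCP port 2869",
    "The pc 192.168.1.1 tried to access your system port TCP port 49726",
    "The pc 192.168.1.5 tried to access your system port UDP port 137",
    "The pc 203.0.113.7 tried to access your system port TCP port 445",
    "The pc 198.51.100.23 tried to access your system port TCP port 3389",
    "The pc 198.51.100.23 tried to access your system port TCP port 23",
]


def parse_alert(line):
    """Return (source address, protocol, port) for one alert line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return ipaddress.ip_address(m["src"]), m["proto"], int(m["port"])


def classify(src, port):
    """Label an alert by where it came from and what kind of port it hit."""
    if src == GATEWAY:
        origin = "gateway"
    elif any(src in net for net in PRIVATE_NETS):
        origin = "lan"
    else:
        origin = "internet"

    if port in LOCAL_SERVICES:
        target = "service:" + LOCAL_SERVICES[port]
    elif port in EPHEMERAL:
        # A packet aimed at a port in the ephemeral range has the shape of
        # return traffic (or a UPnP event callback) for a connection this host
        # opened itself, not of a scan looking for a listening service.
        target = "ephemeral"
    else:
        target = "other"
    return origin, target


def triage(lines):
    """Count alerts per (origin, target) label and per source address."""
    by_class, by_source = Counter(), Counter()
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue          # not an alert line; skip rather than guess
        src, _proto, port = parsed
        by_class[classify(src, port)] += 1
        by_source[str(src)] += 1
    return by_class, by_source


if __name__ == "__main__":
    classes, sources = triage(SAMPLE_ALERTS)
    for (origin, target), n in classes.most_common():
        print(f"{n:3d}  {origin:8s} -> {target}")
    print("per source:", dict(sources))
```

Reading the summary: a bucket of gateway-to-ephemeral-port alerts is consistent with the router's UPnP eventing and with late replies to connections the PC opened, not with a scan for listening services; the bucket worth attention is Internet sources hitting fixed services such as SMB or RDP. On that bucket, spoofing the source of a TCP SYN is possible but gains an attacker nothing, since any reply goes to the spoofed address, so many different legitimate-looking sources usually means ordinary Internet background scanning from compromised hosts rather than spoofing. To see which process holds port 2869 on the probed machine, run `netstat -ano | findstr :2869` from a command prompt and look the PID up in Task Manager; on Windows 7 it is normally the svchost.exe instance hosting the UPnP Device Host service.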

Hello migs102006,

Do you live in a college or are you in a business? It could be your ISP or similar just checking that you aren't making a server.

How long have you been observing this for?


Have my own IT business. Do some e-trade from home. (That's the scary part, as I fear a keystroke-recording program.)

Ten years away from retirement... :-)

Observed this since 10/2/12.

McAfee detected on that day:

Cookie-Yieldmanager

Cookie-Imrworldwide

Cookie-Doubleclick

Cookie-Atdmt

Cookie-Eyeblaster

Cookie-2O7

Cookie-Realmedia

Cookie-Zedo

Cookie-Burst

Cookie-Casalemedia

Cookie-Insightexpress

Cookie Mediaplex

Then McAfee blocked a hacker from exploiting a buffer overflow in Internet Explorer and a buffer overflow in Acrobat Reader.

10 days after, on 11/15, my pc started being probed.

I am writing to you after about 2,500 port probes.

I have contacted McAfee and they tell me the anti-virus software is working as designed since it blocks all incoming port probes.

I have contacted Verizon and they don't have a clue.

migs102006


Hello migs102006,

OK.

Please download GMER from one of the following locations and save it to your Desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your Desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress).
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, firewall and any other security programs you had disabled.

-- If you encounter any problems, try running GMER in Safe Mode.

-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

This topic is now closed to further replies.
