migs102006 Posted February 9, 2013 ID:645485

Hi,

A couple of months back I was befriended by a stranger on Skype. McAfee Antivirus software was running on my Windows 7 PC. While chatting with this person my Antivirus software alerted me that my PC was being probed through various ports. I immediately closed all contact with this person, but the damage had already been done. Various ports on my PC get probed from all over the net on a daily basis, +50/daily.

Recently I installed Malwarebytes and scanned all my files. It found PUP:Datamangr in the registry and I promptly removed the registry entry and rebooted the PC. I thought I had finally beaten the zombies knocking on my PC ports. McAfee security history files showed no probing for quite a few hours, until it reported that 192.168.1.1 was probing port 49726 and then port 2869. Soon after that the zombies started probing my PC ports again. Mind you, nothing has happened, but it can be just a matter of time until somehow they get through. Now, 192.168.1.1 is the IP address of my local FIOS router, right?
It seems that there is an undetected beacon program on my PC? All the incoming IP addresses used in the port probing seem to be legit business, so I imagine the true IP addresses are being spoofed? Can you please help?

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.13.2
Run by Miguel at 16:33:01 on 2013-02-09
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4004.2343 [GMT -5:00]
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
============= FINISH: 16:34:13.77 ===============

Attachment: attach.zip
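The two questions in the post above (is 192.168.1.1 the router, and are the other sources spoofed?) can be triaged mechanically. The following is an added example, not code from the thread or from any of the tools it mentions: it parses constructed firewall alert lines in a simplified "timestamp source port" form, separates RFC 1918 LAN sources from internet sources, and names port 2869, which is the Windows UPnP Device Host that a home router legitimately talks to, so router-side UPnP traffic is not mistaken for internet scanning. The line format and every address other than 192.168.1.1 are constructed.

```python
import ipaddress
import re
from collections import Counter

# Address ranges that can only come from the local network (RFC 1918) or from
# a link-local auto-configured host; a packet from these is never an internet
# "zombie" and, behind a home NAT, cannot be spoofed from the internet either.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Listener ports on a Windows 7 host that a router talks to as part of normal
# operation. 2869 is the UPnP Device Host (SSDP/HTTP eventing), 1900 is SSDP
# discovery, 5357 is Web Services on Devices.
KNOWN_LAN_PORTS = {
    2869: "UPnP Device Host (Windows)",
    1900: "SSDP discovery",
    5357: "WSD (Web Services on Devices)",
}

# Windows Vista/7 dynamic port range: an inbound hit on one of these is usually
# a reply or callback to a connection the PC itself opened, not a probe.
EPHEMERAL_RANGE = range(49152, 65536)

# Constructed alert lines: "YYYY-MM-DD HH:MM:SS source_ip destination_port".
# The real McAfee history format differs; only these three fields matter here.
SAMPLE_ALERTS = """\
2013-02-09 14:02:11 192.168.1.1 49726
2013-02-09 14:02:12 192.168.1.1 2869
2013-02-09 14:10:45 203.0.113.17 445
2013-02-09 14:11:02 198.51.100.8 22
2013-02-09 14:11:03 198.51.100.8 3389
2013-02-09 14:15:30 127.0.0.1 135
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\d+)$")


def classify_source(ip_text):
    """Return 'loopback', 'lan' or 'internet' for a source address string."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in LAN_NETWORKS):
        return "lan"
    return "internet"


def describe_port(port):
    """Explain what an inbound hit on this destination port normally is."""
    if port in KNOWN_LAN_PORTS:
        return KNOWN_LAN_PORTS[port]
    if port in EPHEMERAL_RANGE:
        return "ephemeral (likely reply to an outbound connection)"
    return "service port"


def triage(text):
    """Parse alert lines into events tagged with source zone and port meaning.

    Malformed lines are skipped rather than aborting the run, so a pasted log
    with stray header or footer lines still triages.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, port = m.group(1), m.group(2), int(m.group(3))
        events.append({
            "ts": ts,
            "src": src,
            "port": port,
            "zone": classify_source(src),
            "port_note": describe_port(port),
        })
    return events


def summarize(events):
    """Count events per zone and list the distinct internet-side sources.

    A LAN-only result points at a device on the home network (the router);
    repeated hits on service ports from distinct internet sources are the
    ordinary background scanning every public address receives.
    """
    zones = Counter(e["zone"] for e in events)
    internet_sources = sorted({e["src"] for e in events if e["zone"] == "internet"})
    return {"zones": dict(zones), "internet_sources": internet_sources}


if __name__ == "__main__":
    evs = triage(SAMPLE_ALERTS)
    for e in evs:
        print(f'{e["ts"]} {e["src"]:>15} -> {e["port"]:<5} {e["zone"]:<9} {e["port_note"]}')
    print(summarize(evs))
```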
TheDarkKnight Posted February 10, 2013 ID:645632

I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear.

Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (CF). Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.

=====

Also, please download Malwarebytes Anti-Rootkit here.
Unzip the contents to a folder on the Desktop.
Open the folder where the contents were unzipped and run mbar.exe (right-click and select Run as administrator for Vista and Windows 7).
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Click on the Cleanup button to remove any threats and reboot if prompted to do so.
Wait while the system shuts down and the cleanup process is performed.
Please post the two logs produced.
Please note: This tool is still in BETA mode, so please ensure you have backed up any important files.

=====

In your reply please provide the contents of the following logs:
ComboFix.txt.
Both MBAR logs.

How is your computer currently running?
migs102006 Posted February 10, 2013 Author ID:645886

combofix.txt and mbar log files attached. Pup: Facetheme virus was detected... (2 registry entries were fixed.) Your help is greatly appreciated.

Attachments: ComboFix.txt, mbar-log-2013-02-10 (18-37-30).txt, system-log.txt
migs102006 Posted February 11, 2013 Author ID:645892

No port probing has happened since mbar.exe ran. Cross my fingers.
TheDarkKnight Posted February 11, 2013 ID:645967

Good afternoon migs102006,

I am glad to hear it. Please keep an eye open.

In the interim:

Please download AdwCleaner by Xplode onto your Desktop.
Double click on AdwCleaner.exe to run the tool.
Click on Search.
A logfile will automatically open after the scan has finished.
Please post the content of that logfile in your reply.
You can find the logfile at C:\AdwCleaner[R1].txt as well.
migs102006 Posted February 11, 2013 Author ID:646083

Well, I spoke too soon. The zombie port probing has started again. Should I uninstall Skype on my PC?
migs102006 Posted February 11, 2013 Author ID:646150

Ran adwcleaner. One registry entry was deleted. PC was rebooted, problem with port probing persists.
TheDarkKnight Posted February 11, 2013 ID:646179

Good morning migs102006,

Please try uninstalling Skype and see if it makes a difference.

=====

Please download to the Desktop RogueKiller (by tigzy).
Please quit all programs.
Start RogueKiller.exe.
Wait until Prescan has finished.
Click on Scan.
Click on Report and copy/paste the contents of the report in your next reply.

In your reply please post the logs from RogueKiller and AdwCleaner.
migs102006 Posted February 11, 2013 Author ID:646206
TheDarkKnight Posted February 12, 2013 ID:646393

Good afternoon migs102006,

Please download to your Desktop:
TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller:
Double-click on TDSSKiller.exe to run the application.
Click Change parameters.
Make sure you check the box Loaded modules.
A window will pop up and say Reboot is required. Please click Reboot now.
Then click Change parameters again. Check the box Detect TDLFS file system.
Click on the Start Scan button.
If an infected file is detected, the default action will be Cure. Instead, choose SKIP, then click on Continue. If a suspicious file is detected, the default action will be Skip; click on Continue. If you are asked to reboot the computer to complete the process, click on the Reboot Now button.
Once the tool has finished, please click Report. Please copy and paste the contents of that log in your reply.
Note: A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt).

=====

Also, please download aswMBR by gmer to your Desktop.
Please visit this site for instructions on how to run the tool.
Once familiar with this tool, double-click aswMBR.exe to run it.
Click the Scan button to start the scan.
Once the scan has completed, please save the aswMBR.txt log to the Desktop and post it in your next reply.

=====

In your reply please post the contents of the following:
TDSSKiller log.
aswMBR.txt.

Is the probing still occurring?
migs102006 Posted February 12, 2013 Author ID:646625

Hi DarkKnight,
The last probing occurred around 11 pm last night. That's over 15 hours without being probed. I did install tdsskiller and it did not report anything unusual.
Will keep you posted.
Regards
TheDarkKnight Posted February 12, 2013 ID:646637

Good morning migs102006,
Did you run aswMBR?
migs102006 Posted February 12, 2013 Author ID:646648

I did, after running it for 20 mins+ it gave me a blue screen of death. A bit hesitant to run this utility again unless the zombies start knocking at my door again. So far 17 hours without a port probe.
TheDarkKnight Posted February 13, 2013 ID:646707

Good afternoon migs102006,

Please try this tool in the meantime then.

Please download MBRScan and save it to your Desktop.
Double-click on MBRScan.exe and click the Report button. (Vista and Windows 7 users, right click on MBRScan and then click on Run as administrator.)
Please don't use the computer while the scan is running. The computer may not respond until the scan is done. Please be patient and don't force a restart of the computer.
When the scan is finished, a log file will appear.
Save that log file to your Desktop and post its content in your next reply.
migs102006 Posted February 14, 2013 Author ID:647105

DarkKnight,
The port probing started again.
mbrscan.exe log pasted below.
migs

MBRScan v1.1.1
OS : Windows 7 Service Pack 1 (64 bit)
PROCESSOR : Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
BOOT : Normal Boot
DATE : 2013/02/14 (ISO 8601) at 10:41:12
________________________________________________________________________________
DISK : Device\Harddisk0\DR0 __ST950032 5AS (D005)
BUS_TYPE : (0x03) P-ATA
USE_PIO : NO
MAX_TRANSFER : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________
Device\Harddisk0\DR0 465.8 Go [Fixed] ==> 7 MBR Code .
MBR_MD5 : 321F5BDB8EFB1DDDF0A41DECC169A0BC
MBR_SHA1 : A47A23920EB39C5052B05F9683FE8FCCE2520AB0
Device\Harddisk0\Partition1 100.0 Mo 0xDE Dell Utility
Device\Harddisk0\Partition2 19.53 Go 0x07 NTFS / HPFS __ BOOTABLE __
Device\Harddisk0\Partition3 446.1 Go 0x07 NTFS / HPFS
________________________________________________________________________________
############################### Additional scan ################################
DRIVER : C:\windows\system32\hal.dll => Invisible on the disk
ADDRESS : 0x0321E000
SIZE : 292.0 Ko
DRIVER : C:\windows\system32\kdcom.dll => Invisible on the disk
ADDRESS : 0x00B9B000
SIZE : 40.0 Ko
DRIVER : C:\windows\system32\mcupdate_GenuineIntel.dll => Invisible on the disk
ADDRESS : 0x00CCB000
SIZE : 316.0 Ko
DRIVER : C:\windows\system32\CLFS.SYS => Invisible on the disk
ADDRESS : 0x00D2E000
SIZE : 376.0 Ko
DRIVER : C:\windows\system32\CI.dll => Invisible on the disk
ADDRESS : 0x00C00000
SIZE : 768.0 Ko
DRIVER : C:\windows\system32\drivers\Wdf01000.sys => Invisible on the disk
ADDRESS : 0x00EC3000
SIZE : 776.0 Ko
DRIVER : C:\windows\system32\drivers\WDFLDR.SYS => Invisible on the disk
ADDRESS : 0x00F85000
SIZE : 64.0 Ko
DRIVER : C:\windows\system32\drivers\ACPI.sys => Invisible on the disk
ADDRESS : 0x00F95000
SIZE : 348.0 Ko
DRIVER : C:\windows\system32\drivers\WMILIB.SYS => Invisible on the disk
ADDRESS : 0x00FEC000
SIZE : 36.0 Ko
DRIVER : C:\windows\system32\drivers\msisadrv.sys => Invisible on the disk
ADDRESS : 0x00FF5000
SIZE : 40.0 Ko
DRIVER : C:\windows\system32\drivers\pci.sys => Invisible on the disk
ADDRESS : 0x00E00000
SIZE : 204.0 Ko
DRIVER : C:\windows\system32\drivers\vdrvroot.sys => Invisible on the disk
ADDRESS : 0x00E33000
SIZE : 52.0 Ko
DRIVER : C:\windows\System32\drivers\partmgr.sys => Invisible on the disk
ADDRESS : 0x00E40000
SIZE : 84.0 Ko
DRIVER : C:\windows\system32\drivers\compbatt.sys => Invisible on the disk
ADDRESS : 0x00E55000
SIZE : 36.0 Ko
DRIVER : C:\windows\system32\drivers\BATTC.SYS => Invisible on the disk
ADDRESS : 0x00E5E000
SIZE : 48.0 Ko
DRIVER : C:\windows\system32\drivers\volmgr.sys => Invisible on the disk
ADDRESS : 0x00E6A000
SIZE : 84.0 Ko
DRIVER : C:\windows\System32\drivers\volmgrx.sys => Invisible on the disk
ADDRESS : 0x00D8C000
SIZE : 368.0 Ko
DRIVER : C:\windows\System32\drivers\mountmgr.sys => Invisible on the disk
ADDRESS : 0x00E7F000
SIZE : 104.0 Ko
DRIVER : C:\windows\system32\DRIVERS\iaStor.sys => Invisible on the disk
ADDRESS : 0x0109F000
SIZE : 1.33 Mo
DRIVER : C:\windows\system32\drivers\atapi.sys => Invisible on the disk
ADDRESS : 0x011F3000
SIZE : 36.0 Ko
DRIVER : C:\windows\system32\drivers\ataport.SYS => Invisible on the disk
ADDRESS : 0x01000000
SIZE : 168.0 Ko
DRIVER : C:\windows\system32\drivers\msahci.sys => Invisible on the disk
ADDRESS : 0x0102A000
SIZE : 44.0 Ko
DRIVER : C:\windows\system32\drivers\PCIIDEX.SYS => Invisible on the disk
ADDRESS : 0x01035000
SIZE : 64.0 Ko
DRIVER : C:\windows\system32\drivers\amdxata.sys => Invisible on the disk
ADDRESS : 0x01045000
SIZE : 44.0 Ko
DRIVER : C:\windows\system32\drivers\fltmgr.sys => Invisible on the disk
ADDRESS : 0x01050000
SIZE : 304.0 Ko
DRIVER : C:\windows\system32\drivers\fileinfo.sys => Invisible on the disk
ADDRESS : 0x00E99000
SIZE : 80.0 Ko
DRIVER : C:\windows\system32\drivers\mfehidk.sys => Invisible on the disk
ADDRESS : 0x01264000
SIZE : 744.0 Ko
DRIVER : C:\windows\System32\Drivers\PxHlpa64.sys => Invisible on the disk
ADDRESS : 0x0131E000
SIZE : 52.0 Ko
DRIVER : C:\windows\System32\Drivers\Ntfs.sys => Invisible on the disk
ADDRESS : 0x0142C000
SIZE : 1.64 Mo
DRIVER : C:\windows\System32\Drivers\msrpc.sys => Invisible on the disk
ADDRESS : 0x0132B000
SIZE : 376.0 Ko
DRIVER : C:\windows\System32\Drivers\ksecdd.sys => Invisible on the disk
ADDRESS : 0x015CF000
SIZE : 108.0 Ko
DRIVER : C:\windows\System32\Drivers\cng.sys => Invisible on the disk
ADDRESS : 0x01389000
SIZE : 456.0 Ko
DRIVER : C:\windows\System32\drivers\pcw.sys => Invisible on the disk
ADDRESS : 0x015EA000
SIZE : 68.0 Ko
DRIVER : C:\windows\System32\Drivers\Fs_Rec.sys => Invisible on the disk
ADDRESS : 0x01400000
SIZE : 40.0 Ko
DRIVER : C:\windows\system32\drivers\ndis.sys => Invisible on the disk
ADDRESS : 0x016F5000
SIZE : 968.0 Ko
DRIVER : C:\windows\system32\drivers\NETIO.SYS => Invisible on the disk
ADDRESS : 0x01600000
SIZE : 384.0 Ko
DRIVER : C:\windows\System32\Drivers\ksecpkg.sys => Invisible on the disk
ADDRESS : 0x01660000
SIZE : 168.0 Ko
DRIVER : C:\windows\System32\drivers\tcpip.sys => Invisible on the disk
ADDRESS : 0x01800000
SIZE : 2.00 Mo
DRIVER : C:\windows\System32\drivers\fwpkclnt.sys => Invisible on the disk
ADDRESS : 0x0168A000
SIZE : 292.0 Ko
DRIVER : C:\windows\system32\drivers\mfewfpk.sys => Invisible on the disk
ADDRESS : 0x01200000
SIZE : 324.0 Ko
DRIVER : C:\windows\system32\drivers\volsnap.sys => Invisible on the disk
ADDRESS : 0x01A8E000
SIZE : 304.0 Ko
DRIVER : C:\windows\System32\Drivers\spldr.sys => Invisible on the disk
ADDRESS : 0x01ADA000
SIZE : 32.0 Ko
DRIVER : C:\windows\System32\drivers\rdyboost.sys => Invisible on the disk
ADDRESS : 0x01AE2000
SIZE : 232.0 Ko
DRIVER : C:\windows\System32\Drivers\mup.sys => Invisible on the disk
ADDRESS : 0x01B1C000
SIZE : 72.0 Ko
DRIVER : C:\windows\System32\drivers\hwpolicy.sys => Invisible on the disk
ADDRESS : 0x01B2E000
SIZE : 36.0 Ko
DRIVER : C:\windows\System32\DRIVERS\fvevol.sys => Invisible on the disk
ADDRESS : 0x01B37000
SIZE : 232.0 Ko
DRIVER : C:\windows\system32\drivers\disk.sys => Invisible on the disk
ADDRESS : 0x01B71000
SIZE : 88.0 Ko
DRIVER : C:\windows\system32\drivers\CLASSPNP.SYS => Invisible on the disk
ADDRESS : 0x01B87000
SIZE : 192.0 Ko
DRIVER : C:\windows\system32\DRIVERS\cdrom.sys => Invisible on the disk
ADDRESS : 0x03E13000
SIZE : 168.0 Ko
DRIVER : C:\windows\System32\Drivers\Null.SYS => Invisible on the disk
ADDRESS : 0x03E3D000
SIZE : 36.0 Ko
DRIVER : C:\windows\System32\Drivers\Beep.SYS => Invisible on the disk
ADDRESS : 0x03E46000
SIZE : 28.0 Ko
DRIVER : C:\windows\System32\drivers\vga.sys => Invisible on the disk
ADDRESS : 0x03E4D000
SIZE : 56.0 Ko
DRIVER : C:\windows\System32\drivers\VIDEOPRT.SYS => Invisible on the disk
ADDRESS : 0x03E5B000
SIZE : 148.0 Ko
DRIVER : C:\windows\System32\drivers\watchdog.sys => Invisible on the disk
ADDRESS : 0x03E80000
SIZE : 64.0 Ko
DRIVER : C:\windows\System32\DRIVERS\RDPCDD.sys => Invisible on the disk
ADDRESS : 0x03E90000
SIZE : 36.0 Ko
DRIVER : C:\windows\system32\drivers\rdpencdd.sys => Invisible on the disk
ADDRESS : 0x03E99000
SIZE : 36.0 Ko
DRIVER : C:\windows\system32\drivers\rdprefmp.sys => Invisible on the disk
ADDRESS : 0x03EA2000
SIZE : 36.0 Ko
DRIVER : C:\windows\System32\Drivers\Msfs.SYS => Invisible on the disk
ADDRESS : 0x01BC5000
SIZE : 44.0 Ko
DRIVER : C:\windows\System32\Drivers\Npfs.SYS => Invisible on the disk
ADDRESS : 0x01BD0000
SIZE : 68.0 Ko
DRIVER : C:\windows\system32\DRIVERS\tdx.sys => Invisible on the disk
ADDRESS : 0x01A00000
SIZE : 136.0 Ko
DRIVER : C:\windows\system32\DRIVERS\TDI.SYS => Invisible on the disk
ADDRESS : 0x01A22000
SIZE : 52.0 Ko
DRIVER : C:\windows\System32\DRIVERS\netbt.sys => Invisible on the disk
ADDRESS : 0x01A2F000
SIZE : 276.0 Ko
DRIVER : C:\windows\system32\drivers\afd.sys => Invisible on the disk
ADDRESS : 0x02ED2000
SIZE : 548.0 Ko
DRIVER : C:\windows\system32\drivers\ws2ifsl.sys => Invisible on the disk
ADDRESS : 0x02F5B000
SIZE : 44.0 Ko
DRIVER : C:\windows\system32\DRIVERS\wfplwf.sys => Invisible on the disk
ADDRESS : 0x02F66000
SIZE : 36.0 Ko
DRIVER : C:\windows\system32\DRIVERS\pacer.sys => Invisible on the disk
ADDRESS : 0x02F6F000
SIZE : 152.0 Ko
DRIVER : C:\windows\system32\DRIVERS\vwififlt.sys => Invisible on the disk
ADDRESS : 0x02F95000
SIZE : 88.0 Ko
DRIVER : C:\windows\system32\DRIVERS\netbios.sys => Invisible on the disk
ADDRESS : 0x02FAB000
SIZE : 60.0 Ko
DRIVER : C:\windows\system32\DRIVERS\wanarp.sys => Invisible on the disk
ADDRESS : 0x02FBA000
SIZE : 108.0 Ko
DRIVER : C:\windows\system32\DRIVERS\termdd.sys => Invisible on the disk
ADDRESS : 0x02FD5000
SIZE : 80.0 Ko
DRIVER : C:\windows\system32\DRIVERS\rdbss.sys => Invisible on the disk
ADDRESS : 0x02E00000
SIZE : 324.0 Ko
DRIVER : C:\windows\system32\drivers\nsiproxy.sys => Invisible on the disk
ADDRESS : 0x02E51000
SIZE : 48.0 Ko
DRIVER : C:\windows\system32\DRIVERS\mssmbios.sys => Invisible on the disk
ADDRESS : 0x02E5D000
SIZE : 44.0 Ko
DRIVER : C:\windows\System32\drivers\discache.sys => Invisible on the disk
ADDRESS : 0x02E68000
SIZE : 60.0 Ko
DRIVER : C:\windows\System32\Drivers\dfsc.sys => Invisible on the disk
ADDRESS : 0x02E77000
SIZE : 120.0 Ko
DRIVER : C:\windows\system32\DRIVERS\blbdrive.sys => Invisible on the disk
ADDRESS : 0x02E95000
SIZE : 68.0 Ko
DRIVER : C:\windows\system32\DRIVERS\tunnel.sys => Invisible on the disk
ADDRESS : 0x02EA6000
SIZE : 152.0 Ko
DRIVER : C:\windows\system32\DRIVERS\igdkmd64.sys => Invisible on the disk
ADDRESS : 0x04A37000
SIZE : 11.70 Mo
DRIVER : C:\windows\System32\drivers\dxgkrnl.sys => Invisible on the disk
ADDRESS : 0x03C64000
SIZE : 976.0 Ko
DRIVER : C:\windows\System32\drivers\dxgmms1.sys => Invisible on the disk
ADDRESS : 0x03D58000
SIZE : 280.0 Ko
DRIVER : C:\windows\system32\DRIVERS\HECIx64.sys => Invisible on the disk
ADDRESS : 0x03D9E000
SIZE : 68.0 Ko
DRIVER : C:\windows\system32\DRIVERS\usbehci.sys => Invisible on the disk
ADDRESS : 0x03DAF000
SIZE : 68.0 Ko
DRIVER : C:\windows\system32\DRIVERS\USBPORT.SYS => Invisible on the disk
ADDRESS : 0x03C00000
SIZE : 344.0 Ko
DRIVER : C:\windows\system32\DRIVERS\HDAudBus.sys => Invisible on the disk
ADDRESS : 0x03DC0000
SIZE : 144.0 Ko
DRIVER : C:\windows\system32\DRIVERS\Rt64win7.sys => Invisible on the disk
ADDRESS : 0x042BD000
SIZE : 528.0 Ko
DRIVER : C:\windows\system32\DRIVERS\bcmwl664.sys => Invisible on the disk
ADDRESS : 0x05899000
SIZE : 4.51 Mo
DRIVER : C:\windows\system32\DRIVERS\vwifibus.sys => Invisible on the disk
ADDRESS : 0x05D1C000
SIZE : 52.0 Ko
DRIVER : C:\windows\system32\DRIVERS\i8042prt.sys => Invisible on the disk
ADDRESS : 0x05D29000
SIZE : 120.0 Ko
DRIVER : C:\windows\system32\DRIVERS\Apfiltr.sys => Invisible on the disk
ADDRESS : 0x05D47000
SIZE : 368.0 Ko
DRIVER : C:\windows\system32\DRIVERS\mouclass.sys => Invisible on the disk
ADDRESS : 0x05DA3000
SIZE : 60.0 Ko
DRIVER : C:\windows\system32\DRIVERS\kbdclass.sys => Invisible on the disk
ADDRESS : 0x05DB2000
SIZE : 60.0 Ko
DRIVER : C:\windows\system32\DRIVERS\GEARAspiWDM.sys => Invisible on the disk
ADDRESS : 0x05DC1000
SIZE : 28.0 Ko
DRIVER : C:\windows\system32\DRIVERS\intelppm.sys => Invisible on the disk
ADDRESS : 0x05DC8000
SIZE : 88.0 Ko
DRIVER : C:\windows\system32\DRIVERS\CmBatt.sys => Invisible on the disk
ADDRESS : 0x05DDE000
SIZE : 20.0 Ko
DRIVER : C:\windows\system32\DRIVERS\wmiacpi.sys => Invisible on the disk
ADDRESS : 0x05DE3000
SIZE : 36.0 Ko
DRIVER : C:\windows\system32\DRIVERS\CompositeBus.sys => Invisible on the disk
ADDRESS : 0x05DEC000
SIZE : 64.0 Ko
DRIVER : C:\windows\system32\DRIVERS\dsNcAdpt.sys => Invisible on the disk
ADDRESS : 0x05800000
SIZE : 52.0 Ko
DRIVER : C:\windows\system32\DRIVERS\AgileVpn.sys => Invisible on the disk
ADDRESS : 0x0580D000
SIZE : 88.0 Ko
DRIVER : C:\windows\system32\DRIVERS\rasl2tp.sys => Invisible on the disk
ADDRESS : 0x05823000
SIZE : 144.0 Ko
DRIVER : C:\windows\system32\DRIVERS\ndistapi.sys => Invisible on the disk
ADDRESS : 0x05847000
SIZE : 48.0 Ko
DRIVER : C:\windows\system32\DRIVERS\ndiswan.sys => Invisible on the disk
ADDRESS : 0x05853000
SIZE : 188.0 Ko
DRIVER : C:\windows\system32\DRIVERS\raspppoe.sys => Invisible on the disk
ADDRESS : 0x04341000
SIZE : 108.0 Ko
DRIVER : C:\windows\system32\DRIVERS\raspptp.sys => Invisible on the disk
ADDRESS : 0x0435C000
SIZE : 132.0 Ko
DRIVER : C:\windows\system32\DRIVERS\rassstp.sys => Invisible on the disk
ADDRESS : 0x0437D000
SIZE : 104.0 Ko
DRIVER : C:\windows\system32\DRIVERS\swenum.sys => Invisible on the disk
ADDRESS : 0x05882000
SIZE : 8.0 Ko
DRIVER : C:\windows\system32\DRIVERS\ks.sys => Invisible on the disk
ADDRESS : 0x04397000
SIZE : 268.0 Ko
DRIVER : C:\windows\system32\DRIVERS\umbus.sys => Invisible on the disk
ADDRESS : 0x05884000
SIZE : 72.0 Ko
DRIVER : C:\windows\system32\DRIVERS\usbhub.sys => Invisible on the disk
ADDRESS : 0x04200000
SIZE : 360.0 Ko
DRIVER : C:\windows\System32\Drivers\NDProxy.SYS => Invisible on the disk
ADDRESS : 0x0425A000
SIZE : 84.0 Ko
DRIVER : C:\windows\system32\DRIVERS\stwrt64.sys => Invisible on the disk
ADDRESS : 0x0624C000
SIZE : 532.0 Ko
DRIVER : C:\windows\system32\DRIVERS\portcls.sys => Invisible on the disk
ADDRESS : 0x062D1000
SIZE : 244.0 Ko
DRIVER : C:\windows\system32\DRIVERS\drmk.sys => Invisible on the disk
ADDRESS : 0x0630E000
SIZE : 136.0 Ko
DRIVER : C:\windows\system32\drivers\ksthunk.sys => Invisible on the disk
ADDRESS : 0x06330000
SIZE : 24.0 Ko
DRIVER : C:\windows\system32\DRIVERS\IntcDAud.sys => Invisible on the disk
ADDRESS : 0x06336000
SIZE : 332.0 Ko
DRIVER : C:\windows\system32\drivers\mfeavfk.sys => Invisible on the disk
ADDRESS : 0x06389000
SIZE : 296.0 Ko
DRIVER : C:\windows\system32\drivers\mfefirek.sys => Invisible on the disk
ADDRESS : 0x0685C000
SIZE : 496.0 Ko
DRIVER : C:\windows\system32\DRIVERS\usbccgp.sys => Invisible on the disk
ADDRESS : 0x068D8000
SIZE : 116.0 Ko
DRIVER : C:\windows\system32\DRIVERS\USBD.SYS => Invisible on the disk
ADDRESS : 0x068F5000
SIZE : 8.0 Ko
DRIVER : C:\windows\System32\Drivers\usbvideo.sys => Invisible on the disk
ADDRESS : 0x068F7000
SIZE : 184.0 Ko
DRIVER : C:\windows\system32\DRIVERS\CtClsFlt.sys => Invisible on the disk
ADDRESS : 0x06925000
SIZE : 172.0 Ko
DRIVER : C:\windows\System32\Drivers\crashdmp.sys => Invisible on the disk
ADDRESS : 0x06950000
SIZE : 56.0 Ko
DRIVER : C:\windows\System32\Drivers\dump_iaStor.sys => Invisible on the disk
ADDRESS : 0x03EAB000
SIZE : 1.33 Mo
DRIVER : C:\windows\System32\Drivers\dump_dumpfve.sys => Invisible on the disk
ADDRESS : 0x0695E000
SIZE : 76.0 Ko
DRIVER : C:\windows\System32\win32k.sys => Invisible on the disk
ADDRESS : 0x00050000
SIZE : 3.09 Mo
DRIVER : C:\windows\System32\drivers\Dxapi.sys => Invisible on the disk
ADDRESS : 0x06971000
SIZE : 48.0 Ko
DRIVER : C:\windows\system32\DRIVERS\monitor.sys => Invisible on the disk
ADDRESS : 0x0697D000
SIZE : 56.0 Ko
DRIVER : C:\windows\System32\TSDDD.dll => Invisible on the disk
ADDRESS : 0x00520000
SIZE : 40.0 Ko
DRIVER : C:\windows\System32\cdd.dll => Invisible on the disk
ADDRESS : 0x007C0000
SIZE : 156.0 Ko
DRIVER : C:\windows\system32\drivers\luafv.sys => Invisible on the disk
ADDRESS : 0x0698B000
SIZE : 140.0 Ko
DRIVER : C:\windows\system32\drivers\mbam.sys => Invisible on the disk
ADDRESS : 0x069AE000
SIZE : 40.0 Ko
DRIVER : C:\windows\system32\DRIVERS\Sftvollh.sys => Invisible on the disk
ADDRESS : 0x069B8000
SIZE : 44.0 Ko
DRIVER : C:\windows\system32\drivers\WudfPf.sys => Invisible on the disk
ADDRESS : 0x069C3000
SIZE : 100.0 Ko
DRIVER : C:\windows\system32\DRIVERS\lltdio.sys => Invisible on the disk
ADDRESS : 0x069DC000
SIZE : 84.0 Ko
DRIVER : C:\windows\system32\DRIVERS\nwifi.sys => Invisible on the disk
ADDRESS : 0x06800000
SIZE : 332.0 Ko
DRIVER : C:\windows\system32\DRIVERS\ndisuio.sys => Invisible on the disk
ADDRESS : 0x063D3000
SIZE : 76.0 Ko
DRIVER : C:\windows\system32\DRIVERS\rspndr.sys => Invisible on the disk
ADDRESS : 0x063E6000
SIZE : 96.0 Ko
DRIVER : C:\windows\system32\drivers\HTTP.sys => Invisible on the disk
ADDRESS : 0x02CE2000
SIZE : 804.0 Ko
DRIVER : C:\windows\system32\DRIVERS\bowser.sys => Invisible on the disk
ADDRESS : 0x02DAB000
SIZE : 120.0 Ko
DRIVER : C:\windows\System32\drivers\mpsdrv.sys => Invisible on the disk
ADDRESS : 0x02DC9000
SIZE : 96.0 Ko
DRIVER : C:\windows\system32\DRIVERS\mrxsmb.sys => Invisible on the disk
ADDRESS : 0x02C00000
SIZE : 180.0 Ko
DRIVER : C:\windows\system32\DRIVERS\mrxsmb10.sys => Invisible on the disk
ADDRESS : 0x02C2D000
SIZE : 312.0 Ko
DRIVER : C:\windows\system32\DRIVERS\mrxsmb20.sys => Invisible on the disk
ADDRESS : 0x02C7B000
SIZE : 144.0 Ko
DRIVER : C:\windows\system32\drivers\peauth.sys => Invisible on the disk
ADDRESS : 0x0644B000
SIZE : 664.0 Ko
DRIVER : C:\windows\System32\Drivers\secdrv.SYS => Invisible on the disk
ADDRESS : 0x064F1000
SIZE : 44.0 Ko
DRIVER : C:\windows\system32\DRIVERS\Sftfslh.sys => Invisible on the disk
ADDRESS : 0x064FC000
SIZE : 772.0 Ko
DRIVER : C:\windows\system32\DRIVERS\Sftplaylh.sys => Invisible on the disk
ADDRESS : 0x0426F000
SIZE : 308.0 Ko
DRIVER : C:\windows\System32\DRIVERS\srvnet.sys => Invisible on the disk
ADDRESS : 0x065BD000
SIZE : 196.0 Ko
DRIVER : C:\windows\System32\drivers\tcpipreg.sys => Invisible on the disk
ADDRESS : 0x065EE000
SIZE : 72.0 Ko
DRIVER : C:\windows\System32\DRIVERS\srv2.sys => Invisible on the disk
ADDRESS : 0x0782B000
SIZE : 420.0 Ko
DRIVER : C:\windows\System32\DRIVERS\srv.sys => Invisible on the disk
ADDRESS : 0x07894000
SIZE : 608.0 Ko
DRIVER : C:\windows\system32\DRIVERS\Sftredirlh.sys => Invisible on the disk
ADDRESS : 0x0792C000
SIZE : 44.0 Ko
DRIVER : C:\windows\system32\drivers\cfwids.sys => Invisible on the disk
ADDRESS : 0x07937000
SIZE : 64.0 Ko
DRIVER : C:\windows\System32\Drivers\fastfat.SYS => Invisible on the disk
ADDRESS : 0x07947000
SIZE : 216.0 Ko
DRIVER : C:\windows\system32\DRIVERS\asyncmac.sys => Invisible on the disk
ADDRESS : 0x079BD000
SIZE : 44.0 Ko
DRIVER : C:\windows\system32\drivers\HipShieldK.sys => Invisible on the disk
ADDRESS : 0x079C8000
SIZE : 184.0 Ko
DRIVER : C:\windows\system32\drivers\mfeapfk.sys => Invisible on the disk
ADDRESS : 0x07800000
SIZE : 168.0 Ko
DRIVER : C:\windows\System32\smss.exe => Invisible on the disk
ADDRESS : 0x484D0000
SIZE : 128.0 Ko
SystemStartOptions : NOEXECUTE=OPTIN
_______________________________________________________________________________________
MBR \Device\Harddisk0\DR0
0x00000000 33 C0 8E D0 BC 00 7C 8E C0 8E D8 BE 00 7C BF 00 3À.м.|.À.ؾ.|¿.
0x00000010 06 B9 00 02 FC F3 A4 50 68 1C 06 CB FB B9 04 00 .¹..üó¤Ph..Ëû¹..
0x00000020 BD BE 07 80 7E 00 00 7C 0B 0F 85 0E 01 83 C5 10 ½¾..~..|......Å.
0x00000030 E2 F1 CD 18 88 56 00 55 C6 46 11 05 C6 46 10 00 âñÍ..V.UÆF..ÆF..
0x00000040 B4 41 BB AA 55 CD 13 5D 72 0F 81 FB 55 AA 75 09 ´A»ªUÍ.]r..ûUªu.
0x00000050 F7 C1 01 00 74 03 FE 46 10 66 60 80 7E 10 00 74 ÷Á..t.þF.f`.~..t
0x00000060 26 66 68 00 00 00 00 66 FF 76 08 68 00 00 68 00 &fh....f.v.h..h.
0x00000070 7C 68 01 00 68 10 00 B4 42 8A 56 00 8B F4 CD 13 |h..h..´B.V..ôÍ.
0x00000080 9F 83 C4 10 9E EB 14 B8 01 02 BB 00 7C 8A 56 00 ..Ä..ë.¸..».|.V.
0x00000090 8A 76 01 8A 4E 02 8A 6E 03 CD 13 66 61 73 1C FE .v..N..n.Í.fas.þ
0x000000A0 4E 11 75 0C 80 7E 00 80 0F 84 8A 00 B2 80 EB 84 N.u..~......².ë.
0x000000B0 55 32 E4 8A 56 00 CD 13 5D EB 9E 81 3E FE 7D 55 U2ä.V.Í.]ë..>þ}U
0x000000C0 AA 75 6E FF 76 00 E8 8D 00 75 17 FA B0 D1 E6 64 ªun.v.è..u.ú°Ñæd
0x000000D0 E8 83 00 B0 DF E6 60 E8 7C 00 B0 FF E6 64 E8 75 è..°ßæ`è|.°.ædèu
0x000000E0 00 FB B8 00 BB CD 1A 66 23 C0 75 3B 66 81 FB 54 .û¸.»Í.f#Àu;f.ûT
0x000000F0 43 50 41 75 32 81 F9 02 01 72 2C 66 68 07 BB 00 CPAu2.ù..r,fh.».
0x00000100 00 66 68 00 02 00 00 66 68 08 00 00 00 66 53 66 .fh....fh....fSf
0x00000110 53 66 55 66 68 00 00 00 00 66 68 00 7C 00 00 66 SfUfh....fh.|..f
0x00000120 61 68 00 00 07 CD 1A 5A 32 F6 EA 00 7C 00 00 CD ah...Í.Z2öê.|..Í
0x00000130 18 A0 B7 07 EB 08 A0 B6 07 EB 03 A0 B5 07 32 E4 ..·.ë..¶.ë..µ.2ä
0x00000140 05 00 07 8B F0 AC 3C 00 74 09 BB 07 00 B4 0E CD ....ð¬<.t.»..´.Í
0x00000150 10 EB F2 F4 EB FD 2B C9 E4 64 EB 00 24 02 E0 F8 .ëòôëý+Éädë.$.àø
0x00000160 24 02 C3 49 6E 76 61 6C 69 64 20 70 61 72 74 69 $.ÃInvalid parti
0x00000170 74 69 6F 6E 20 74 61 62 6C 65 00 45 72 72 6F 72 tion table.Error
0x00000180 20 6C 6F 61 64 69 6E 67 20 6F 70 65 72 61 74 69  loading operati
0x00000190 6E 67 20 73 79 73 74 65 6D 00 4D 69 73 73 69 6E ng system.Missin
0x000001A0 67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 g operating syst
0x000001B0 65 6D 00 00 00 63 7B 9A 77 8F 55 8C 00 00 00 20 em...c{.w.U.... 
0x000001C0 21 00 DE DF 13 0C 00 08 00 00 00 20 03 00 80 DF !.Þß....... ...ß
0x000001D0 14 0C 07 FE FF FF 00 28 03 00 00 00 71 02 00 FE ...þ...(....q..þ
0x000001E0 FF FF 07 FE FF FF 00 28 74 02 30 30 C4 37 00 00 ...þ...(t.00Ä7..
0x000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............Uª
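The dump above is the full 512-byte sector, so its partition table can be decoded by hand and cross-checked against what RogueKiller and MBRScan printed for this disk (offsets 2048, 206848 and 41166848 sectors; sizes 100, 20000 and 456838 MiB; partition 1 active). The script below is an added example, not code from the thread or from either tool: it embeds the last 80 bytes of the posted dump (offsets 0x1B0 to 0x1FF), decodes the four entries, and runs the integrity checks a responder would want before accepting a "clean" verdict (valid boot signature, exactly one active partition, no overlapping ranges). Names such as `parse_partition_table` and `layout_problems` are this example's own; the 512-byte sector size is an assumption both tools share when they print sizes in "Mo".

```python
"""Decode and sanity-check the partition table in an MBR sector dump."""
import struct
from dataclasses import dataclass

# Offsets 0x1B0-0x1FF of the MBRScan dump posted above (copied from the post):
# the 4-byte NT disk signature sits at 0x1B8, the four 16-byte partition
# entries start at 0x1BE and the 0x55AA boot signature closes the sector.
TAIL_OFFSET = 0x1B0
MBR_TAIL_HEX = (
    "65 6D 00 00 00 63 7B 9A 77 8F 55 8C 00 00 00 20 "  # 0x1B0
    "21 00 DE DF 13 0C 00 08 00 00 00 20 03 00 80 DF "  # 0x1C0
    "14 0C 07 FE FF FF 00 28 03 00 00 00 71 02 00 FE "  # 0x1D0
    "FF FF 07 FE FF FF 00 28 74 02 30 30 C4 37 00 00 "  # 0x1E0
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA"   # 0x1F0
)
MBR_TAIL = bytes.fromhex(MBR_TAIL_HEX)

SECTOR = 512  # assumption shared by the sizes both tools print in MiB ("Mo")
TYPE_NAMES = {0x07: "NTFS / HPFS", 0xDE: "Dell Utility"}


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def size_mib(self) -> int:
        return self.sector_count * SECTOR // (1024 * 1024)

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sector_count  # exclusive


def disk_signature(tail: bytes, base: int = TAIL_OFFSET) -> int:
    """Little-endian NT disk signature stored at sector offset 0x1B8."""
    return struct.unpack_from("<I", tail, 0x1B8 - base)[0]


def parse_partition_table(tail: bytes, base: int = TAIL_OFFSET) -> list:
    """Decode the four MBR entries from a buffer that starts at sector offset `base`."""
    if tail[0x1FE - base:0x200 - base] != b"\x55\xaa":
        raise ValueError("boot signature 0x55AA missing: not a valid MBR")
    entries = []
    for i in range(4):
        off = 0x1BE - base + 16 * i
        # status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
        status, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", tail, off)
        if type_id == 0:
            continue  # unused slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid status byte {status:#04x}")
        entries.append(PartitionEntry(i, status == 0x80, type_id, lba_start, count))
    return entries


def layout_problems(entries: list) -> list:
    """Checks worth running before trusting a 'clean' verdict on the table."""
    problems = []
    if sum(e.bootable for e in entries) != 1:
        problems.append("expected exactly one active partition")
    ordered = sorted(entries, key=lambda e: e.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_end > b.lba_start:
            problems.append(f"partitions {a.index} and {b.index} overlap")
    return problems


def matches_report(entries: list, reported: list) -> bool:
    """`reported` holds (offset_sectors, size_mib, active) tuples as RogueKiller prints them."""
    return [(e.lba_start, e.size_mib, e.bootable) for e in entries] == list(reported)


if __name__ == "__main__":
    table = parse_partition_table(MBR_TAIL)
    print(f"disk signature: {disk_signature(MBR_TAIL):#010x}")
    for e in table:
        flag = "ACTIVE" if e.bootable else "      "
        print(f"{e.index} - [{flag}] {TYPE_NAMES.get(e.type_id, '?')} ({e.type_id:#04x}) "
              f"offset {e.lba_start} | size {e.size_mib} MiB")
    print("layout problems:", layout_problems(table) or "none")
```

Decoding the posted bytes reproduces the three entries exactly as RogueKiller listed them, which is the cross-check behind "that came up clean": the on-disk table, the tool's rendering of it and the OS's view of the volumes all agree.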
TheDarkKnight Posted February 14, 2013 ID:647171

Hey migs102006,

Please re-run MBRScan.
Click Dump.
Once you have selected your MBR code, please click Dump Selected MBR (if there are multiple codes please do this for each of them).
migs102006 Posted February 14, 2013 Author ID:647197

Hi DarkKnight,
I was 'not permitted' to upload the dump*.mbr files to your site when I tried attaching the files to this email.
migs102006
TheDarkKnight Posted February 15, 2013 ID:647267

Hello migs102006,
Please upload it to a file sharing site, like mega upload, and provide me with a link.
migs102006 Posted February 15, 2013 Author ID:647454

mega upload website has been closed by the FBI. Fraud investigation...
Dropbox link below.
https://www.dropbox.com/sh/4obwb86hp8jj7ae/D2c6jB8T1G
TheDarkKnight Posted February 15, 2013 ID:647563

Hello migs102006,
Thank you. Well that came up clean.
I am not familiar with the McAfee Firewall; are you able to block certain IP addresses?
If so, please block this one: 192.168.1.1
And see if the probing continues.
migs102006 Posted February 15, 2013 Author ID:647600

The McAfee firewall blocks all incoming network traffic that tries to communicate through various ports.
The message I get is:
"The pc 192.168.1.1 tried to access your system port TCP port 52832, If you want to allow this traffic either trust the IP address or open the port in the systems services in Firewall.
The source ip address is your own gateway. The source ip address is your own DNS server. The source ip address is your own DHCP server. The source ip address is in your own local network."
192.168.* is a default internal IP address that the Verizon FIOS router assigns to all devices attached to one's router.
192.168.1.1 happens to be my own pc and there are no other pcs in the local network.
Shortly after a program on my own pc probes one of the ports, other pcs somehow detect this or are alerted and start probing my pc through other ports.
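The alert text quoted above already separates two kinds of blocked connection: ones whose source is a device on the local network (the 192.168.1.1 gateway that hands out DHCP leases and DNS, as the message itself says) and ones arriving from outside. When a firewall log holds thousands of such entries, grouping them by where the source address lives is the first triage step. The script below is an added example, not code from the thread or from McAfee: it parses lines in the shape of the quoted message and groups blocked attempts per source, labelling RFC 1918 addresses as LAN, loopback and link-local as such, and everything else as internet. The sample lines are constructed: the two 192.168.1.1 lines reuse ports from the thread, and 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges standing in for public hosts. Function names and the regular expression are this example's own.

```python
"""Group firewall 'tried to access your system port' alerts by source scope."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines modelled on the McAfee message quoted in the thread.
# 192.168.1.1 and ports 52832/2869 come from the thread; the other addresses are
# RFC 5737 documentation ranges used here as stand-ins for internet hosts.
SAMPLE_ALERTS = [
    "The pc 192.168.1.1 tried to access your system port TCP port 52832",
    "The pc 192.168.1.1 tried to access your system port TCP port 2869",
    "The pc 203.0.113.7 tried to access your system port TCP port 445",
    "The pc 198.51.100.23 tried to access your system port TCP port 3389",
    "The pc 203.0.113.7 tried to access your system port UDP port 1900",
    "Unrelated log line that should be ignored",
]

ALERT_RE = re.compile(
    r"The pc (?P<ip>[0-9A-Fa-f:.]+) tried to access your system port "
    r"(?P<proto>TCP|UDP) port (?P<port>\d{1,5})"
)

# RFC 1918 private ranges; checked explicitly rather than via ipaddress.is_private,
# which also flags the RFC 5737 documentation ranges used in the sample.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Well-known assignments for the ports in the sample.
PORT_NAMES = {
    445: "SMB",
    1900: "SSDP discovery",
    2869: "UPnP event notification (Windows SSDP)",
    3389: "RDP",
}
WINDOWS_EPHEMERAL = range(49152, 65536)  # default dynamic port range since Windows Vista


def parse_alert(line):
    """Return (ip, proto, port) for an alert line, or None if the line is not one."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return m["ip"], m["proto"], int(m["port"])


def classify_source(ip_text):
    """Scope of the source address: loopback, link-local, lan or internet."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if any(ip in net for net in RFC1918):
        return "lan"
    return "internet"


def describe_port(port):
    """Human label for the destination port; dynamic-range ports get a generic one."""
    if port in WINDOWS_EPHEMERAL:
        return "dynamic (ephemeral) range"
    return PORT_NAMES.get(port, "unlisted")


def summarize(lines):
    """Group blocked attempts by source: {ip: {"scope", "count", "ports"}}."""
    summary = defaultdict(lambda: {"scope": None, "count": 0, "ports": {}})
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        ip, proto, port = parsed
        entry = summary[ip]
        entry["scope"] = classify_source(ip)
        entry["count"] += 1
        entry["ports"][f"{proto}/{port}"] = describe_port(port)
    return dict(summary)


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_ALERTS).items():
        print(f"{ip:15} {info['scope']:9} {info['count']:3} attempts  {info['ports']}")
```

Run against a real firewall export, the "lan" bucket is what the local gateway does on any home network (DHCP, DNS, UPnP eventing on TCP 2869), while the "internet" bucket is the unsolicited traffic worth counting and, if it grows, reporting to the ISP.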
TheDarkKnight Posted February 15, 2013 ID:647608

Hello migs102006,
Do you live in a college or are you in a business? It could be your ISP or similar just checking that you aren't making a server.
How long have you been observing this for?
migs102006 Posted February 16, 2013 Author ID:647631

Have my own IT business. Do some e-trade from home. (That's the scary part, as I fear a keystroke recording program.)
Ten years away from retirement... :-)
Observed this since 10/2/12. McAfee detected on that day:
Cookie-Yieldmanager
Cookie-Imrworldwide
Cookie-Doubleclick
Cookie-Atdmt
Cookie-Eyeblaster
Cookie-2O7
Cookie-Realmedia
Cookie-Zedo
Cookie-Burst
Cookie-Casalemedia
Cookie-Insightexpress
Cookie Mediaplex
Then McAfee blocked a hacker from exploiting buffer-overflow on Internet Explorer and buffer-overflow on Acrobat Reader.
10 days after on 11/15 my pc started being probed.
I am writing to you after about 2,500 port probes.
I have contacted McAfee and they tell me the anti-virus software is working as designed since it blocks all incoming port probes.
I have contacted Verizon and they don't have a clue.
migs102006
TheDarkKnight Posted February 16, 2013 ID:647734

Hello migs102006,

OK.

Please download GMER from one of the following locations and save it to your Desktop:
Main Mirror
This version will download a randomly named file (Recommended)
Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your Desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (Do not use the computer while the scan is in progress.)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and be sure to re-enable your anti-virus, firewall and any other security programs you had disabled.

-- If you encounter any problems, try running GMER in Safe Mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.
migs102006 Posted February 16, 2013 Author ID:647835

Hi DarkKnight,
gmer.log contents file attached. Contents were too long to paste.
migs102006

gmer.log