
I know something bad is here, I just can't figure it out.


This topic is locked
11 replies to this topic

#1 deskjockey

  • Members
  • 7 posts

Posted 02 October 2015 - 12:51 PM

I noticed my firewall rules don't look right and I can't figure out what is going on. My other laptop (which is now not working) running Win 7 had very similar rules and I found something called "System Application" running in the DCOM area that I could not stop.


Name    Group    Profile    Enabled    Action    Override    Program    Local Address    Remote Address    Protocol    Local Port    Remote Port    Authorized Users    Authorized Computers    Authorized Local Principals    Local User Owner    Application Package    
Wireless Display (TCP-In)    Wireless Display    Private, Public    Yes    Allow    No    %systemroot%\system32\WUDFHost.exe    Any    Any    TCP    Any    Any    Any    Any    NT AUTHORITY\USER MODE DRIVERS    Any    Any    
Windows Reading List    Windows Reading List    Domain, Private    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    KEITH\krwood03    Microsoft.WindowsReadingList_8wekyb3d8bbwe    
Wi-Fi Direct Spooler Use (In)    Wi-Fi Direct Network Discovery    Public    Yes    Allow    No    %SystemRoot%\system32\spoolsv.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any    Any    
Wi-Fi Direct Scan Service Use (In)    Wi-Fi Direct Network Discovery    Public    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any    Any    
Wi-Fi Direct Network Discovery (In)    Wi-Fi Direct Network Discovery    Public    Yes    Allow    No    %SystemRoot%\system32\dashost.exe    Any    Any    Any    Any    Any    Any    Any    S-1-5-92-3339056971-1291069075-3798698925-2882100687-0    Any    Any    
Store    Store    Domain, Private    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    Everyone    winstore_cw5n1h2txyewy    
SonicWALL.MobileConnect    SonicWALL.MobileConnect    All    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    Everyone    SonicWALL.MobileConnect_cw5n1h2txyewy    
Snapfish    Snapfish    All    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    KEITH\krwood03    AD2F1837.HPConnectedPhotopoweredbySnapfish_v10z8vjag6ke6    
Skype    Skype    All    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    KEITH\krwood03    Microsoft.SkypeApp_kzf8qxf38zg5c    
Remote Assistance (TCP-In)    Remote Assistance    Domain, Private    Yes    Allow    No    %SystemRoot%\system32\msra.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Remote Assistance (SSDP UDP-In)    Remote Assistance    Domain, Private    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    1900    Any    Any    Any    Any    Any    Any    
Remote Assistance (SSDP TCP-In)    Remote Assistance    Domain, Private    Yes    Allow    No    System    Any    Local subnet    TCP    2869    Any    Any    Any    Any    Any    Any    
Remote Assistance (RA Server TCP-In)    Remote Assistance    Domain    Yes    Allow    No    %SystemRoot%\system32\raserver.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Remote Assistance (PNRP-In)    Remote Assistance    Domain, Private    Yes    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    UDP    3540    Any    Any    Any    Any    Any    Any    
Remote Assistance (DCOM-In)    Remote Assistance    Domain    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
Proximity sharing over TCP (TCP sharing-In)    Proximity Sharing    All    Yes    Allow    No    %SystemRoot%\system32\proximityuxhost.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Play To UPnP Events (TCP-In)    Play To functionality    Public    Yes    Allow    No    System    Any    PlayTo Renderers    TCP    2869    Any    Any    Any    Any    Any    Any    
Play To streaming server (RTSP-Streaming-In)    Play To functionality    Public    Yes    Allow    No    %SystemRoot%\system32\mdeserver.exe    Any    PlayTo Renderers    TCP    23554, 23555, 23556    Any    Any    Any    Any    Any    Any    
Play To streaming server (RTSP-Streaming-In)    Play To functionality    Private    Yes    Allow    No    %SystemRoot%\system32\mdeserver.exe    Any    Local subnet    TCP    23554, 23555, 23556    Any    Any    Any    Any    Any    Any    
Play To streaming server (RTSP-Streaming-In)    Play To functionality    Domain    Yes    Allow    No    %SystemRoot%\system32\mdeserver.exe    Any    Any    TCP    23554, 23555, 23556    Any    Any    Any    Any    Any    Any    
Play To streaming server (RTCP-Streaming-In)    Play To functionality    Domain    Yes    Allow    No    %SystemRoot%\system32\mdeserver.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any    Any    
Play To streaming server (RTCP-Streaming-In)    Play To functionality    Public    Yes    Allow    No    %SystemRoot%\system32\mdeserver.exe    Any    PlayTo Renderers    UDP    Any    Any    Any    Any    Any    Any    Any    
Play To streaming server (RTCP-Streaming-In)    Play To functionality    Private    Yes    Allow    No    %SystemRoot%\system32\mdeserver.exe    Any    Local subnet    UDP    Any    Any    Any    Any    Any    Any    Any    
Play To streaming server (HTTP-Streaming-In)    Play To functionality    Domain    Yes    Allow    No    System    Any    Any    TCP    10246    Any    Any    Any    Any    Any    Any    
Play To streaming server (HTTP-Streaming-In)    Play To functionality    Public    Yes    Allow    No    System    Any    PlayTo Renderers    TCP    10246    Any    Any    Any    Any    Any    Any    
Play To streaming server (HTTP-Streaming-In)    Play To functionality    Private    Yes    Allow    No    System    Any    Local subnet    TCP    10246    Any    Any    Any    Any    Any    Any    
Play To SSDP Discovery (UDP-In)    Play To functionality    Public    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    PlayTo Discovery    Any    Any    Any    Any    Any    Any    
Play To functionality (qWave-UDP-In)    Play To functionality    Private, Public    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    PlayTo Renderers    UDP    2177    Any    Any    Any    Any    Any    Any    
Play To functionality (qWave-TCP-In)    Play To functionality    Private, Public    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    PlayTo Renderers    TCP    2177    Any    Any    Any    Any    Any    Any    
OneNote    OneNote    All    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    KEITH\krwood03    Microsoft.Office.OneNote_8wekyb3d8bbwe    
Network Discovery (WSD-In)    Network Discovery    Private    Yes    Allow    No    %SystemRoot%\system32\dashost.exe    Any    Local subnet    UDP    3702    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD-In)    Network Discovery    Private    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    3702    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD EventsSecure-In)    Network Discovery    Private    Yes    Allow    No    System    Any    Local subnet    TCP    5358    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD Events-In)    Network Discovery    Private    Yes    Allow    No    System    Any    Local subnet    TCP    5357    Any    Any    Any    Any    Any    Any    
Network Discovery (UPnP-In)    Network Discovery    Private    Yes    Allow    No    System    Any    Local subnet    TCP    2869    Any    Any    Any    Any    Any    Any    
Network Discovery (SSDP-In)    Network Discovery    Private    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    1900    Any    Any    Any    Any    Any    Any    
Network Discovery (Pub-WSD-In)    Network Discovery    Private    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    3702    Any    Any    Any    Any    Any    Any    
Network Discovery (NB-Name-In)    Network Discovery    Private    Yes    Allow    No    System    Any    Local subnet    UDP    137    Any    Any    Any    Any    Any    Any    
Network Discovery (NB-Datagram-In)    Network Discovery    Private    Yes    Allow    No    System    Any    Local subnet    UDP    138    Any    Any    Any    Any    Any    Any    
Network Discovery (LLMNR-UDP-In)    Network Discovery    Private    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    5355    Any    Any    Any    Any    Any    Any    
Microsoft Solitaire Collection    Microsoft Solitaire Collection    Domain, Private    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    KEITH\krwood03    Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe    
Microsoft SkyDrive        All    Yes    Allow    No    C:\Users\krwood03\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any    Any    
Microsoft Office Outlook        Private    Yes    Allow    No    C:\Program Files\Microsoft Office 15\root\Office15\outlook.exe    Any    Any    UDP    6004    Any    Any    Any    Any    Any    Any    
Microsoft Mahjong    Microsoft Mahjong    All    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    KEITH\krwood03    Microsoft.MicrosoftMahjong_8wekyb3d8bbwe    
McAfee® Central for HP    McAfee® Central for HP    Domain, Private    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    KEITH\krwood03    2703103D.McAfeeCentral_4ehj4w4frejdr    
McAfee Shared Service Host        Public    Yes    Allow    No    C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
McAfee Shared Service Host        Public    Yes    Allow    No    C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any    Any    
Mail, Calendar, and People    Mail, Calendar, and People    Domain, Private    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    KEITH\krwood03    microsoft.windowscommunicationsapps_8wekyb3d8bbwe    
JuniperNetworks.JunosPulseVpn    JuniperNetworks.JunosPulseVpn    All    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    Everyone    JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy    
Internet Explorer        Private    Yes    Allow    No    C:\program files (x86)\internet explorer\iexplore.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any    Any    
Internet Explorer        Private    Yes    Allow    No    C:\program files (x86)\internet explorer\iexplore.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
HP Socket Service        All    Yes    Allow    No    C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPSOCKSVC.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any    Any    
HP Device Detection        All    Yes    Allow    No    C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPDeviceDetection3.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any    Any    
HP Connected Drive    HP Connected Drive    All    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    KEITH\krwood03    AD2F1837.HPFileViewer_v10z8vjag6ke6    
HP All-in-One Printer Remote    HP All-in-One Printer Remote    All    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    KEITH\krwood03    AD2F1837.HPPrinterControl_v10z8vjag6ke6    
Getting Started with Windows 8    Getting Started with Windows 8    Domain, Private    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    KEITH\krwood03    AD2F1837.GettingStartedwithWindows8_v10z8vjag6ke6    
Firefox (C:\Program Files (x86)\Mozilla Firefox)        Private    Yes    Allow    No    C:\Program Files (x86)\Mozilla Firefox\firefox.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Firefox (C:\Program Files (x86)\Mozilla Firefox)        Private    Yes    Allow    No    C:\Program Files (x86)\Mozilla Firefox\firefox.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (Spooler Service - RPC-EPMAP)    File and Printer Sharing    Private    Yes    Allow    No    Any    Any    Local subnet    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (Spooler Service - RPC)    File and Printer Sharing    Private    Yes    Allow    No    %SystemRoot%\system32\spoolsv.exe    Any    Local subnet    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (SMB-In)    File and Printer Sharing    Private    Yes    Allow    No    System    Any    Local subnet    TCP    445    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (NB-Session-In)    File and Printer Sharing    Private    Yes    Allow    No    System    Any    Local subnet    TCP    139    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (NB-Name-In)    File and Printer Sharing    Private    Yes    Allow    No    System    Any    Local subnet    UDP    137    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (NB-Datagram-In)    File and Printer Sharing    Private    Yes    Allow    No    System    Any    Local subnet    UDP    138    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (LLMNR-UDP-In)    File and Printer Sharing    Private    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    5355    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (Echo Request - ICMPv6-In)    File and Printer Sharing    Private    Yes    Allow    No    Any    Any    Local subnet    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (Echo Request - ICMPv4-In)    File and Printer Sharing    Private    Yes    Allow    No    Any    Any    Local subnet    ICMPv4    Any    Any    Any    Any    Any    Any    Any    
f5.vpn.client    f5.vpn.client    All    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    Everyone    f5.vpn.client_cw5n1h2txyewy    
CyberLink PowerDVD12 Movie Module        All    Yes    Allow    No    C:\Program Files (x86)\CyberLink\PowerDVD12\Movie\PowerDVD.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any    Any    
CyberLink PowerDVD12 Moovie Live        All    Yes    Allow    No    C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12ML.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any    Any    
CyberLink PowerDVD12 Agent        All    Yes    Allow    No    C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12Agent.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any    Any    
CyberLink PowerDVD12        All    Yes    Allow    No    C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any    Any    
CyberLink PowerDVD 12 Media Server Service        All    Yes    Allow    No    C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any    Any    
CyberLink PowerDVD 12 DMREngine        All    Yes    Allow    No    C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMR\PowerDVD12DMREngine.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any    Any    
CyberLink PowerDirector        All    Yes    Allow    No    C:\Program Files (x86)\CyberLink\PowerDirector10\PDR10.EXE    Any    Any    Any    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Time Exceeded (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Teredo (UDP-In)    Core Networking    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    Edge Traversal    Any    Any    Any    Any    Any    Any    
Core Networking - Router Solicitation (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Router Advertisement (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    fe80::/64    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Parameter Problem (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Packet Too Big (ICMPv6-In)    Core Networking    All    Yes    Allow    No    Any    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Neighbor Discovery Solicitation (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Neighbor Discovery Advertisement (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Multicast Listener Report v2 (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Local subnet    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Multicast Listener Report (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Local subnet    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Multicast Listener Query (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Local subnet    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Multicast Listener Done (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Local subnet    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - IPv6 (IPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    IPv6    Any    Any    Any    Any    Any    Any    Any    
Core Networking - IPHTTPS (TCP-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    TCP    IPHTTPS    Any    Any    Any    Any    Any    Any    
Core Networking - Internet Group Management Protocol (IGMP-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    IGMP    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-In)    Core Networking    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    546    547    Any    Any    Any    Any    Any    
Core Networking - Dynamic Host Configuration Protocol (DHCP-In)    Core Networking    All    Yes    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    68    67    Any    Any    Any    Any    Any    
Core Networking - Destination Unreachable Fragmentation Needed (ICMPv4-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv4    Any    Any    Any    Any    Any    Any    Any    
Core Networking - Destination Unreachable (ICMPv6-In)    Core Networking    All    Yes    Allow    No    System    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
CheckPoint.VPN    CheckPoint.VPN    All    Yes    Allow    No    Any    Any    Any    Any    Any    Any    Any    Any    Any    Everyone    CheckPoint.VPN_cw5n1h2txyewy    
Bonjour Service        Public    Yes    Allow    No    C:\Program Files\Bonjour\mDNSResponder.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Bonjour Service        Public    Yes    Allow    No    C:\Program Files\Bonjour\mDNSResponder.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any    Any    
Bonjour Service        Public    Yes    Allow    No    C:\Program Files (x86)\Bonjour\mDNSResponder.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any    Any    
Bonjour Service        Public    Yes    Allow    No    C:\Program Files (x86)\Bonjour\mDNSResponder.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Wireless Portable Devices (UPnP-In)    Wireless Portable Devices    All    No    Allow    No    System    Any    Local subnet    TCP    2869    Any    Any    Any    Any    Any    Any    
Wireless Portable Devices (SSDP-In)    Wireless Portable Devices    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    1900    Any    Any    Any    Any    Any    Any    
Windows Remote Management (HTTP-In)    Windows Remote Management    Public    No    Allow    No    System    Any    Local subnet    TCP    5985    Any    Any    Any    Any    Any    Any    
Windows Remote Management (HTTP-In)    Windows Remote Management    Domain, Private    No    Allow    No    System    Any    Any    TCP    5985    Any    Any    Any    Any    Any    Any    
Windows Remote Management - Compatibility Mode (HTTP-In)    Windows Remote Management (Compatibility)    Domain    No    Allow    No    System    Any    Any    TCP    80    Any    Any    Any    Any    Any    Any    
Windows Remote Management - Compatibility Mode (HTTP-In)    Windows Remote Management (Compatibility)    Private, Public    No    Allow    No    System    Any    Local subnet    TCP    80    Any    Any    Any    Any    Any    Any    
Windows Peer to Peer Collaboration Foundation (WSD-In)    Windows Peer to Peer Collaboration Foundation    All    No    Allow    No    %SystemRoot%\system32\p2phost.exe    Any    Local subnet    UDP    3702    Any    Any    Any    Any    Any    Any    
Windows Peer to Peer Collaboration Foundation (TCP-In)    Windows Peer to Peer Collaboration Foundation    All    No    Allow    No    %SystemRoot%\system32\p2phost.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Windows Peer to Peer Collaboration Foundation (SSDP-In)    Windows Peer to Peer Collaboration Foundation    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    1900    Any    Any    Any    Any    Any    Any    
Windows Peer to Peer Collaboration Foundation (PNRP-In)    Windows Peer to Peer Collaboration Foundation    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    3540    Any    Any    Any    Any    Any    Any    
Windows Media Player x86 (UDP-In)    Windows Media Player    All    No    Allow    No    %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any    Any    
Windows Media Player Network Sharing Service (UPnP-In)    Windows Media Player Network Sharing Service    All    No    Allow    No    System    Any    Local subnet    TCP    2869    Any    Any    Any    Any    Any    Any    
Windows Media Player Network Sharing Service (UDP-In)    Windows Media Player Network Sharing Service    Private, Public    No    Allow    No    %PROGRAMFILES%\Windows Media Player\wmpnetwk.exe    Any    Local subnet    UDP    Any    Any    Any    Any    Any    Any    Any    
Windows Media Player Network Sharing Service (UDP-In)    Windows Media Player Network Sharing Service    Domain    No    Allow    No    %PROGRAMFILES%\Windows Media Player\wmpnetwk.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any    Any    
Windows Media Player Network Sharing Service (TCP-In)    Windows Media Player Network Sharing Service    Private, Public    No    Allow    No    %PROGRAMFILES%\Windows Media Player\wmpnetwk.exe    Any    Local subnet    TCP    Any    Any    Any    Any    Any    Any    Any    
Windows Media Player Network Sharing Service (TCP-In)    Windows Media Player Network Sharing Service    Domain    No    Allow    No    %PROGRAMFILES%\Windows Media Player\wmpnetwk.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Windows Media Player Network Sharing Service (Streaming-UDP-In)    Windows Media Player Network Sharing Service    Private, Public    No    Allow    No    %PROGRAMFILES%\Windows Media Player\wmplayer.exe    Any    Local subnet    UDP    Any    Any    Any    Any    Any    Any    Any    
Windows Media Player Network Sharing Service (Streaming-UDP-In)    Windows Media Player Network Sharing Service    Domain    No    Allow    No    %PROGRAMFILES%\Windows Media Player\wmplayer.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any    Any    
Windows Media Player Network Sharing Service (SSDP-In)    Windows Media Player Network Sharing Service    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    1900    Any    Any    Any    Any    Any    Any    
Windows Media Player Network Sharing Service (qWave-UDP-In)    Windows Media Player Network Sharing Service    Domain    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    2177    Any    Any    Any    Any    Any    Any    
Windows Media Player Network Sharing Service (qWave-UDP-In)    Windows Media Player Network Sharing Service    Private, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    2177    Any    Any    Any    Any    Any    Any    
Windows Media Player Network Sharing Service (qWave-TCP-In)    Windows Media Player Network Sharing Service    Private, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    TCP    2177    Any    Any    Any    Any    Any    Any    
Windows Media Player Network Sharing Service (qWave-TCP-In)    Windows Media Player Network Sharing Service    Domain    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    2177    Any    Any    Any    Any    Any    Any    
Windows Media Player Network Sharing Service (HTTP-Streaming-In)    Windows Media Player Network Sharing Service    Domain    No    Allow    No    System    Any    Any    TCP    10243    Any    Any    Any    Any    Any    Any    
Windows Media Player Network Sharing Service (HTTP-Streaming-In)    Windows Media Player Network Sharing Service (Internet)    Domain, Private    No    Allow    No    System    Any    Any    TCP    10245    Any    Any    Any    Any    Any    Any    
Windows Media Player Network Sharing Service (HTTP-Streaming-In)    Windows Media Player Network Sharing Service    Private, Public    No    Allow    No    System    Any    Local subnet    TCP    10243    Any    Any    Any    Any    Any    Any    
Windows Media Player (UDP-In)    Windows Media Player    All    No    Allow    No    %ProgramFiles%\Windows Media Player\wmplayer.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any    Any    
Windows Management Instrumentation (WMI-In)    Windows Management Instrumentation (WMI)    Private, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    TCP    Any    Any    Any    Any    Any    Any    Any    
Windows Management Instrumentation (WMI-In)    Windows Management Instrumentation (WMI)    Domain    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Windows Management Instrumentation (DCOM-In)    Windows Management Instrumentation (WMI)    Private, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    TCP    135    Any    Any    Any    Any    Any    Any    
Windows Management Instrumentation (DCOM-In)    Windows Management Instrumentation (WMI)    Domain    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
Windows Management Instrumentation (ASync-In)    Windows Management Instrumentation (WMI)    Domain    No    Allow    No    %systemroot%\system32\wbem\unsecapp.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Windows Management Instrumentation (ASync-In)    Windows Management Instrumentation (WMI)    Private, Public    No    Allow    No    %systemroot%\system32\wbem\unsecapp.exe    Any    Local subnet    TCP    Any    Any    Any    Any    Any    Any    Any    
Windows Firewall Remote Management (RPC-EPMAP)    Windows Firewall Remote Management    Domain    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Windows Firewall Remote Management (RPC-EPMAP)    Windows Firewall Remote Management    Private, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Windows Firewall Remote Management (RPC)    Windows Firewall Remote Management    Domain    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Windows Firewall Remote Management (RPC)    Windows Firewall Remote Management    Private, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Windows Collaboration Computer Name Registration Service (SSDP-In)    Windows Collaboration Computer Name Registration Service    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    1900    Any    Any    Any    Any    Any    Any    
Windows Collaboration Computer Name Registration Service (PNRP-In)    Windows Collaboration Computer Name Registration Service    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    UDP    3540    Any    Any    Any    Any    Any    Any    
Virtual Machine Monitoring (RPC)    Virtual Machine Monitoring    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Virtual Machine Monitoring (NB-Session-In)    Virtual Machine Monitoring    All    No    Allow    No    Any    Any    Any    TCP    139    Any    Any    Any    Any    Any    Any    
Virtual Machine Monitoring (Echo Request - ICMPv6-In)    Virtual Machine Monitoring    All    No    Allow    No    Any    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
Virtual Machine Monitoring (Echo Request - ICMPv4-In)    Virtual Machine Monitoring    All    No    Allow    No    Any    Any    Any    ICMPv4    Any    Any    Any    Any    Any    Any    Any    
Virtual Machine Monitoring (DCOM-In)    Virtual Machine Monitoring    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
TPM Virtual Smart Card Management (TCP-In)    TPM Virtual Smart Card Management    Domain    No    Allow    No    %SystemRoot%\system32\RmtTpmVscMgrSvr.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
TPM Virtual Smart Card Management (TCP-In)    TPM Virtual Smart Card Management    Private, Public    No    Allow    No    %SystemRoot%\system32\RmtTpmVscMgrSvr.exe    Any    Local subnet    TCP    Any    Any    Any    Any    Any    Any    Any    
TPM Virtual Smart Card Management (DCOM-In)    TPM Virtual Smart Card Management    Domain    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
TPM Virtual Smart Card Management (DCOM-In)    TPM Virtual Smart Card Management    Private, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    TCP    135    Any    Any    Any    Any    Any    Any    
SNMP Trap Service (UDP In)    SNMP Trap    Domain    No    Allow    No    %SystemRoot%\system32\snmptrap.exe    Any    Any    UDP    162    Any    Any    Any    Any    Any    Any    
SNMP Trap Service (UDP In)    SNMP Trap    Private, Public    No    Allow    No    %SystemRoot%\system32\snmptrap.exe    Any    Local subnet    UDP    162    Any    Any    Any    Any    Any    Any    
Secure Socket Tunneling Protocol (SSTP-In)    Secure Socket Tunneling Protocol    All    No    Allow    No    System    Any    Any    TCP    443    Any    Any    Any    Any    Any    Any    
Routing and Remote Access (PPTP-In)    Routing and Remote Access    All    No    Allow    No    System    Any    Any    TCP    1723    Any    Any    Any    Any    Any    Any    
Routing and Remote Access (L2TP-In)    Routing and Remote Access    All    No    Allow    No    System    Any    Any    UDP    1701    Any    Any    Any    Any    Any    Any    
Routing and Remote Access (GRE-In)    Routing and Remote Access    All    No    Allow    No    System    Any    Any    GRE    Any    Any    Any    Any    Any    Any    Any    
Remote Volume Management (RPC-EPMAP)    Remote Volume Management    Private, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Remote Volume Management (RPC-EPMAP)    Remote Volume Management    Domain    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Remote Volume Management - Virtual Disk Service Loader (RPC)    Remote Volume Management    Private, Public    No    Allow    No    %SystemRoot%\system32\vdsldr.exe    Any    Local subnet    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Volume Management - Virtual Disk Service Loader (RPC)    Remote Volume Management    Domain    No    Allow    No    %SystemRoot%\system32\vdsldr.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Volume Management - Virtual Disk Service (RPC)    Remote Volume Management    Domain    No    Allow    No    %SystemRoot%\system32\vds.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Volume Management - Virtual Disk Service (RPC)    Remote Volume Management    Private, Public    No    Allow    No    %SystemRoot%\system32\vds.exe    Any    Local subnet    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Service Management (RPC-EPMAP)    Remote Service Management    Domain    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Remote Service Management (RPC-EPMAP)    Remote Service Management    Private, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Remote Service Management (RPC)    Remote Service Management    Domain    No    Allow    No    %SystemRoot%\system32\services.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Service Management (RPC)    Remote Service Management    Private, Public    No    Allow    No    %SystemRoot%\system32\services.exe    Any    Local subnet    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Service Management (NP-In)    Remote Service Management    Private, Public    No    Allow    No    System    Any    Local subnet    TCP    445    Any    Any    Any    Any    Any    Any    
Remote Service Management (NP-In)    Remote Service Management    Domain    No    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
Remote Scheduled Tasks Management (RPC-EPMAP)    Remote Scheduled Tasks Management    Domain    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Remote Scheduled Tasks Management (RPC-EPMAP)    Remote Scheduled Tasks Management    Private, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Remote Scheduled Tasks Management (RPC)    Remote Scheduled Tasks Management    Domain    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Scheduled Tasks Management (RPC)    Remote Scheduled Tasks Management    Private, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Event Monitor (RPC-EPMAP)    Remote Event Monitor    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Remote Event Monitor (RPC)    Remote Event Monitor    All    No    Allow    No    %SystemRoot%\system32\NetEvtFwdr.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Event Log Management (RPC-EPMAP)    Remote Event Log Management    Domain    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Remote Event Log Management (RPC-EPMAP)    Remote Event Log Management    Private, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Remote Event Log Management (RPC)    Remote Event Log Management    Domain    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Event Log Management (RPC)    Remote Event Log Management    Private, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Remote Event Log Management (NP-In)    Remote Event Log Management    Private, Public    No    Allow    No    System    Any    Local subnet    TCP    445    Any    Any    Any    Any    Any    Any    
Remote Event Log Management (NP-In)    Remote Event Log Management    Domain    No    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
Remote Assistance (TCP-In)    Remote Assistance    Public    No    Allow    No    %SystemRoot%\system32\msra.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Remote Assistance (PNRP-In)    Remote Assistance    Public    No    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    UDP    3540    Any    Any    Any    Any    Any    Any    
Performance Logs and Alerts (TCP-In)    Performance Logs and Alerts    Private, Public    No    Allow    No    %systemroot%\system32\plasrv.exe    Any    Local subnet    TCP    Any    Any    Any    Any    Any    Any    Any    
Performance Logs and Alerts (TCP-In)    Performance Logs and Alerts    Domain    No    Allow    No    %systemroot%\system32\plasrv.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Performance Logs and Alerts (DCOM-In)    Performance Logs and Alerts    Domain    No    Allow    No    %systemroot%\system32\svchost.exe    Any    Any    TCP    135    Any    Any    Any    Any    Any    Any    
Performance Logs and Alerts (DCOM-In)    Performance Logs and Alerts    Private, Public    No    Allow    No    %systemroot%\system32\svchost.exe    Any    Local subnet    TCP    135    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD-In)    Network Discovery    Domain, Public    No    Allow    No    %SystemRoot%\system32\dashost.exe    Any    Local subnet    UDP    3702    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD-In)    Network Discovery    Domain, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    3702    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD EventsSecure-In)    Network Discovery    Domain    No    Allow    No    System    Any    Any    TCP    5358    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD EventsSecure-In)    Network Discovery    Public    No    Allow    No    System    Any    Local subnet    TCP    5358    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD Events-In)    Network Discovery    Public    No    Allow    No    System    Any    Local subnet    TCP    5357    Any    Any    Any    Any    Any    Any    
Network Discovery (WSD Events-In)    Network Discovery    Domain    No    Allow    No    System    Any    Any    TCP    5357    Any    Any    Any    Any    Any    Any    
Network Discovery (UPnP-In)    Network Discovery    Public    No    Allow    No    System    Any    Local subnet    TCP    2869    Any    Any    Any    Any    Any    Any    
Network Discovery (UPnP-In)    Network Discovery    Domain    No    Allow    No    System    Any    Any    TCP    2869    Any    Any    Any    Any    Any    Any    
Network Discovery (SSDP-In)    Network Discovery    Domain, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    1900    Any    Any    Any    Any    Any    Any    
Network Discovery (Pub-WSD-In)    Network Discovery    Domain, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    3702    Any    Any    Any    Any    Any    Any    
Network Discovery (NB-Name-In)    Network Discovery    Domain    No    Allow    No    System    Any    Any    UDP    137    Any    Any    Any    Any    Any    Any    
Network Discovery (NB-Name-In)    Network Discovery    Public    No    Allow    No    System    Any    Local subnet    UDP    137    Any    Any    Any    Any    Any    Any    
Network Discovery (NB-Datagram-In)    Network Discovery    Public    No    Allow    No    System    Any    Local subnet    UDP    138    Any    Any    Any    Any    Any    Any    
Network Discovery (NB-Datagram-In)    Network Discovery    Domain    No    Allow    No    System    Any    Any    UDP    138    Any    Any    Any    Any    Any    Any    
Network Discovery (LLMNR-UDP-In)    Network Discovery    Domain, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    5355    Any    Any    Any    Any    Any    Any    
Netlogon Service Authz (RPC)    Netlogon Service    All    No    Allow    No    %SystemRoot%\System32\lsass.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Netlogon Service (NP-In)    Netlogon Service    All    No    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
Media Center Extenders - XSP (TCP-In)    Media Center Extenders    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    TCP    3390    Any    Any    Any    Any    Any    Any    
Media Center Extenders - WMDRM-ND/RTP/RTCP (UDP-In)    Media Center Extenders    All    No    Allow    No    %SystemRoot%\ehome\ehshell.exe    Any    Local subnet    UDP    7777, 7778, 7779, 7780, 7781, 5004, 5005, 50004, 50005, 50006, 50007, 50008, 50009, 50010, 50011, 50012, 50013    Any    Any    Any    Any    Any    Any    
Media Center Extenders - SSDP (UDP-In)    Media Center Extenders    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    1900    Any    Any    Any    Any    Any    Any    
Media Center Extenders - RTSP (TCP-In)    Media Center Extenders    All    No    Allow    No    %SystemRoot%\ehome\ehshell.exe    Any    Local subnet    TCP    554, 8554, 8555, 8556, 8557, 8558    Any    Any    Any    Any    Any    Any    
Media Center Extenders - qWave (UDP-In)    Media Center Extenders    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    2177    Any    Any    Any    Any    Any    Any    
Media Center Extenders - qWave (TCP-In)    Media Center Extenders    All    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    TCP    2177    Any    Any    Any    Any    Any    Any    
Media Center Extenders - Media Streaming (TCP-In)    Media Center Extenders    All    No    Allow    No    System    Any    Local subnet    TCP    2869    Any    Any    Any    Any    Any    Any    
Media Center Extenders - HTTP Streaming (TCP-In)    Media Center Extenders    All    No    Allow    No    System    Any    Local subnet    TCP    10244    Any    Any    Any    Any    Any    Any    
iSCSI Service (TCP-In)    iSCSI Service    Domain    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
iSCSI Service (TCP-In)    iSCSI Service    Private, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    TCP    Any    Any    Any    Any    Any    Any    Any    
Inbound Rule for Remote Shutdown (TCP-In)    Remote Shutdown    All    No    Allow    No    %systemroot%\system32\wininit.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Inbound Rule for Remote Shutdown (RPC-EP-In)    Remote Shutdown    All    No    Allow    No    %systemroot%\system32\wininit.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
HomeGroup In (PNRP)    HomeGroup    Private    No    Allow    No    %systemroot%\system32\svchost.exe    Any    Local subnet    UDP    3540    Any    Any    Any    Any    Any    Any    
HomeGroup In    HomeGroup    Private    No    Allow    No    %systemroot%\system32\svchost.exe    Any    Local subnet    TCP    3587    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (Spooler Service - RPC-EPMAP)    File and Printer Sharing    Public    No    Allow    No    Any    Any    Local subnet    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (Spooler Service - RPC-EPMAP)    File and Printer Sharing    Domain    No    Allow    No    Any    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (Spooler Service - RPC)    File and Printer Sharing    Public    No    Allow    No    %SystemRoot%\system32\spoolsv.exe    Any    Local subnet    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (Spooler Service - RPC)    File and Printer Sharing    Domain    No    Allow    No    %SystemRoot%\system32\spoolsv.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (SMB-In)    File and Printer Sharing    Domain    No    Allow    No    System    Any    Any    TCP    445    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (SMB-In)    File and Printer Sharing    Public    No    Allow    No    System    Any    Local subnet    TCP    445    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (NB-Session-In)    File and Printer Sharing    Domain    No    Allow    No    System    Any    Any    TCP    139    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (NB-Session-In)    File and Printer Sharing    Public    No    Allow    No    System    Any    Local subnet    TCP    139    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (NB-Name-In)    File and Printer Sharing    Domain    No    Allow    No    System    Any    Any    UDP    137    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (NB-Name-In)    File and Printer Sharing    Public    No    Allow    No    System    Any    Local subnet    UDP    137    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (NB-Datagram-In)    File and Printer Sharing    Public    No    Allow    No    System    Any    Local subnet    UDP    138    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (NB-Datagram-In)    File and Printer Sharing    Domain    No    Allow    No    System    Any    Any    UDP    138    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (LLMNR-UDP-In)    File and Printer Sharing    Domain, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    UDP    5355    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (Echo Request - ICMPv6-In)    File and Printer Sharing    Public    No    Allow    No    Any    Any    Local subnet    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (Echo Request - ICMPv6-In)    File and Printer Sharing    Domain    No    Allow    No    Any    Any    Any    ICMPv6    Any    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (Echo Request - ICMPv4-In)    File and Printer Sharing    Domain    No    Allow    No    Any    Any    Any    ICMPv4    Any    Any    Any    Any    Any    Any    Any    
File and Printer Sharing (Echo Request - ICMPv4-In)    File and Printer Sharing    Public    No    Allow    No    Any    Any    Local subnet    ICMPv4    Any    Any    Any    Any    Any    Any    Any    
Distributed Transaction Coordinator (TCP-In)    Distributed Transaction Coordinator    Domain    No    Allow    No    %SystemRoot%\system32\msdtc.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    
Distributed Transaction Coordinator (TCP-In)    Distributed Transaction Coordinator    Private, Public    No    Allow    No    %SystemRoot%\system32\msdtc.exe    Any    Local subnet    TCP    Any    Any    Any    Any    Any    Any    Any    
Distributed Transaction Coordinator (RPC-EPMAP)    Distributed Transaction Coordinator    Private, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Distributed Transaction Coordinator (RPC-EPMAP)    Distributed Transaction Coordinator    Domain    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Endpoint Mapper    Any    Any    Any    Any    Any    Any    
Distributed Transaction Coordinator (RPC)    Distributed Transaction Coordinator    Private, Public    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Local subnet    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Distributed Transaction Coordinator (RPC)    Distributed Transaction Coordinator    Domain    No    Allow    No    %SystemRoot%\system32\svchost.exe    Any    Any    TCP    RPC Dynamic Ports    Any    Any    Any    Any    Any    Any    
Connect to a Network Projector (WSD-In)    Connect to a Network Projector    All    No    Allow    No    %SystemRoot%\system32\netproj.exe    Any    Local subnet    UDP    3702    Any    Any    Any    Any    Any    Any    
Connect to a Network Projector (WSD EventsSecure-In)    Connect to a Network Projector    Domain    No    Allow    No    System    Any    Any    TCP    5358    Any    Any    Any    Any    Any    Any    
Connect to a Network Projector (WSD EventsSecure-In)    Connect to a Network Projector    Private, Public    No    Allow    No    System    Any    Local subnet    TCP    5358    Any    Any    Any    Any    Any    Any    
Connect to a Network Projector (WSD Events-In)    Connect to a Network Projector    Private, Public    No    Allow    No    System    Any    Local subnet    TCP    5357    Any    Any    Any    Any    Any    Any    
Connect to a Network Projector (WSD Events-In)    Connect to a Network Projector    Domain    No    Allow    No    System    Any    Any    TCP    5357    Any    Any    Any    Any    Any    Any    
Connect to a Network Projector (TCP-In)    Connect to a Network Projector    Private, Public    No    Allow    No    %SystemRoot%\system32\netproj.exe    Any    Local subnet    TCP    Any    Any    Any    Any    Any    Any    Any    
Connect to a Network Projector (TCP-In)    Connect to a Network Projector    Domain    No    Allow    No    %SystemRoot%\system32\netproj.exe    Any    Any    TCP    Any    Any    Any    Any    Any    Any    Any    

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:30-09-2015
Ran by krwood03 (administrator) on KEITH (02-10-2015 13:29:13)
Running from C:\Users\krwood03\Desktop
Loaded Profiles: krwood03 (Available Profiles: krwood03 & Administrator)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Softex Inc.) C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe
(Intel Corporation) C:\WINDOWS\System32\igfxCUIService.exe
(Hewlett-Packard Company) C:\WINDOWS\System32\hpservice.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Microsoft Corporation) C:\WINDOWS\System32\wlanext.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe
(Mindspark) C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39barsvc.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\WINDOWS\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.28.15\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.28.15\GoogleCrashHandler64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Intel Corporation) C:\WINDOWS\System32\igfxHK.exe
(Intel Corporation) C:\WINDOWS\System32\igfxEM.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\ClientCore.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe
(%CFullName%) C:\Program Files\Hewlett-Packard\SimplePass\opvapp.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTsysTray8.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\HP\HP System Event\HPMSGSVC.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe
(Microsoft Corporation) C:\WINDOWS\System32\GWX\GWX.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe
(Microsoft Corporation) C:\WINDOWS\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\WINDOWS\System32\SkyDrive.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\csisyncclient.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\livecomm.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7642328 2015-02-05] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2811120 2014-03-13] (Synaptics Incorporated)
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\HP\HP System Event\HPMSGSVC.exe [653576 2015-06-29] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [AccelerometerSysTrayApplet] => C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [127528 2015-07-08] (Hewlett-Packard Company)
HKLM-x32\...\Run: [MapsGalaxy EPM Support] => C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39medint.exe [11600 2015-09-10] (Mindspark)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-21-1283070196-2774340731-1875930287-1001\...\RunOnce: [Application Restart #5] => C:\Users\krwood03\AppData\Local\Pokki\Engine\HostAppService.exe  --disable-internal-flash --noerrdialogs --no-message-box --disable-extensions --disable-web-security --disable-web-resources --disable- (the data entry has 577 more characters).
HKU\S-1-5-21-1283070196-2774340731-1875930287-1001\...\RunOnce: [Application Restart #3] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe [506104 2015-07-02] (Hewlett-Packard)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ISCTSystray.lnk [2014-05-12]
ShortcutTarget: ISCTSystray.lnk -> C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTsysTray8.exe (Intel Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{0CE05F3A-1FD2-4878-BB6A-BE2259A74FD3}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{DD02F8B3-A3D8-44B9-9E18-9B80FA8CAFA7}: [DhcpNameServer] 40.20.1.201 40.20.1.202

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT14/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT14/1
HKU\S-1-5-21-1283070196-2774340731-1875930287-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://my.xfinity.com/?cid=mtmh10172014
HKU\S-1-5-21-1283070196-2774340731-1875930287-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT14/1
HKU\S-1-5-21-1283070196-2774340731-1875930287-1001\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://js.redirect.hp.com/jumpstation?bd=all&c=143&locale=ww_ww&pf=cnnb&s=ieHPtab&tp=iehome
HKU\S-1-5-21-1283070196-2774340731-1875930287-1001\Software\Microsoft\Internet Explorer\Main,DisableRequiresActiveXPrompt = xfinity.comcast.net
URLSearchHook: HKU\S-1-5-21-1283070196-2774340731-1875930287-1001 - (No Name) - {26842a09-ffa8-4e2c-ae12-0c80f01c3295} - C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39SrcAs.dll (Mindspark)
SearchScopes: HKLM -> {DF0AB96E-7792-4FAD-89BC-A1EC2F7B16EC} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {b0441a0e-a49a-4e16-afc1-74ecced1921f} URL = hxxp://search.tb.ask.com/search/GGmain.jhtml?p2=^UX^xdm423^S13981^us&si=245051_US-G-GDD1&ptb=F390C1C5-564E-4161-973A-6F4BD65F203B&ind=2015091618&n=781bdba2&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKLM-x32 -> {DF0AB96E-7792-4FAD-89BC-A1EC2F7B16EC} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-1283070196-2774340731-1875930287-1001 -> DefaultScope {0C8AE71D-2FA9-11E5-8282-6CC2175D75AF} URL = hxxp://search.homepage-web.com/?src=omnibox&partner=hp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1283070196-2774340731-1875930287-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.dregol.com/results.php?f=4&q={searchTerms}&a=drg_omxmedia_15_23&cd=2XzuyEtN2Y1L1QzuzytDyEzzzy0AyCyDtAzz0DyCyC0C0DzztN0D0Tzu0StCtByDtBtN1L2XzutAtFtCtDtFtCtDtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyDyCtDyEtDyD0A0AtGtDtByDzytGzzyBzztBtGyBzytA0FtGyCtCzz0EtCyDtDyC0EyD0C0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAyB0DyCzz0E0E0CtG0B0C0B0EtGyEtByBtAtGzytA0DtCtG0BtC0EtAyByDyEyEyDtDtCzz2QtN0A0LzuyE&cr=1950964926&ir=
SearchScopes: HKU\S-1-5-21-1283070196-2774340731-1875930287-1001 -> {0C8AE71D-2FA9-11E5-8282-6CC2175D75AF} URL = hxxp://search.homepage-web.com/?src=omnibox&partner=hp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1283070196-2774340731-1875930287-1001 -> {b0441a0e-a49a-4e16-afc1-74ecced1921f} URL = hxxp://search.tb.ask.com/search/GGmain.jhtml?p2=^UX^xdm423^S13981^us&si=245051_US-G-GDD1&ptb=F390C1C5-564E-4161-973A-6F4BD65F203B&ind=2015091618&n=781bdba2&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKU\S-1-5-21-1283070196-2774340731-1875930287-1001 -> {DF0AB96E-7792-4FAD-89BC-A1EC2F7B16EC} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2015-07-14] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2015-07-14] (Microsoft Corporation)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2013-08-28] (Hewlett-Packard)
BHO-x32: Toolbar BHO -> {1e91a655-bb4b-4693-a05e-2edebc4c9d89} -> C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39bar.dll [2015-09-10] (Mindspark)
BHO-x32: Search Assistant BHO -> {71c1d63a-c944-428a-a5bd-ba513190e5d2} -> C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39SrcAs.dll [2015-09-10] (Mindspark)
BHO-x32: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll [2014-03-04] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2013-08-28] (Hewlett-Packard)
Toolbar: HKLM-x32 - MapsGalaxy - {364ea597-e728-4ce4-bb4a-ed846ef47970} - C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39bar.dll [2015-09-10] (Mindspark)
Toolbar: HKU\S-1-5-21-1283070196-2774340731-1875930287-1001 -> MapsGalaxy - {364EA597-E728-4CE4-BB4A-ED846EF47970} - C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39bar.dll [2015-09-10] (Mindspark)
DPF: HKLM-x32 {03C0000A-CF6D-4EF4-A2D6-376622318018} hxxp://dashboard.revoamerica.com/OCX/WatSearCtrl.cab
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\krwood03\AppData\Roaming\Mozilla\Firefox\Profiles\smbh5rr2.default
FF NetworkProxy: "type", 0
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1204144.dll [2013-09-05] (Adobe Systems, Inc.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-12-10] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-12-10] (Intel Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2014-10-22] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-15] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-15] (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2013-08-05] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [firefox@bho.com] - C:\Program Files\Hewlett-Packard\SimplePass\FFBHOExt
FF Extension: HP SimplePass - C:\Program Files\Hewlett-Packard\SimplePass\FFBHOExt [2015-02-05]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [fidikogfgleiaefnjbmnjaplmgknppkg] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2765496 2015-07-14] (Microsoft Corporation)
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [227904 2014-01-27] (WildTangent)
R2 HPWMISVC; c:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe [602888 2015-06-29] (Hewlett-Packard Development Company, L.P.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-11-08] (Intel Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [315376 2015-02-05] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-12-10] (Intel Corporation)
R2 ISCTAgent; C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [200168 2013-12-04] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-12-10] (Intel Corporation)
R2 MapsGalaxy_39Service; C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39barsvc.exe [89424 2015-09-10] (Mindspark)
R2 omniserv; C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe [124928 2015-07-02] (Softex Inc.) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [292568 2015-02-05] (Realtek Semiconductor)
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [190704 2014-03-13] (Synaptics Incorporated)
S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2014-04-02] (Microsoft Corporation)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 ikbevent; C:\Windows\system32\DRIVERS\ikbevent.sys [21408 2013-08-13] ()
R3 imsevent; C:\Windows\system32\DRIVERS\imsevent.sys [21920 2013-08-13] ()
R3 INETMON; C:\Windows\System32\Drivers\INETMON.sys [29088 2013-08-13] ()
R3 ISCT; C:\Windows\System32\drivers\ISCTD64.sys [46568 2013-08-13] ()
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [100312 2013-12-10] (Intel Corporation)
S3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [506072 2015-09-03] (Realsil Semiconductor Corporation)
R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [3379416 2014-03-22] (Realtek Semiconductor Corporation                           )
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [30448 2014-03-13] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [31472 2014-03-13] (Synaptics Incorporated)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [30384 2015-06-23] (HP Inc.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-02 13:29 - 2015-10-02 13:29 - 00018195 _____ C:\Users\krwood03\Desktop\FRST.txt
2015-10-02 13:28 - 2015-10-02 13:29 - 00000000 ____D C:\FRST
2015-10-02 13:28 - 2015-10-02 13:28 - 02192384 _____ (Farbar) C:\Users\krwood03\Desktop\FRST64.exe
2015-10-01 20:43 - 2015-10-01 20:43 - 00029696 _____ (Gibson Research Corp.) C:\Users\krwood03\Downloads\DCOMbob.exe
2015-09-30 20:17 - 2015-09-30 20:23 - 00000000 ____D C:\Users\krwood03\AppData\Local\Mozilla
2015-09-30 20:17 - 2015-09-30 20:17 - 00001182 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-09-30 20:17 - 2015-09-30 20:17 - 00001170 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-09-30 20:17 - 2015-09-30 20:17 - 00000000 ____D C:\Users\krwood03\AppData\Roaming\Mozilla
2015-09-30 20:17 - 2015-09-30 20:17 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-09-30 20:16 - 2015-09-30 20:17 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-09-30 20:15 - 2015-09-30 20:15 - 00243672 _____ C:\Users\krwood03\Desktop\Firefox Setup Stub 41.0.1.exe
2015-09-30 20:14 - 2015-09-30 20:14 - 00243672 _____ C:\Users\krwood03\Downloads\Firefox Setup Stub 41.0.1.exe
2015-09-30 08:21 - 2015-09-30 08:21 - 00045871 _____ C:\Users\krwood03\Downloads\ref=oh_aui_pi_o08_.htm
2015-09-27 21:27 - 2015-09-27 21:27 - 00879992 _____ C:\WINDOWS\Minidump\092715-54468-01.dmp
2015-09-16 19:45 - 2015-09-16 19:45 - 01006768 _____ C:\WINDOWS\Minidump\091615-32625-01.dmp
2015-09-16 18:38 - 2015-09-16 18:39 - 00000000 ____D C:\Users\krwood03\AppData\Local\MapsGalaxy_39
2015-09-16 18:38 - 2015-09-16 18:38 - 00000000 ____D C:\Program Files (x86)\MapsGalaxy_39
2015-09-15 16:08 - 2015-09-15 16:08 - 00000273 _____ C:\Users\krwood03\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pokki Menu.lnk
2015-09-08 16:22 - 2015-09-02 22:18 - 02531400 _____ (Microsoft Corporation) C:\WINDOWS\system32\msxml6.dll
2015-09-08 16:22 - 2015-09-02 22:17 - 01903848 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msxml6.dll
2015-09-08 16:22 - 2015-09-02 14:48 - 02345472 _____ (Microsoft Corporation) C:\WINDOWS\system32\msxml3.dll
2015-09-08 16:22 - 2015-09-02 13:09 - 01556992 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msxml3.dll
2015-09-08 16:22 - 2015-08-26 22:48 - 00136904 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2015-09-08 16:22 - 2015-08-26 14:00 - 00721920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2015-09-08 16:22 - 2015-08-26 14:00 - 00124928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuwebv.dll
2015-09-08 16:22 - 2015-08-26 14:00 - 00081920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wudriver.dll
2015-09-08 16:22 - 2015-08-26 14:00 - 00029696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapp.exe
2015-09-08 16:22 - 2015-08-26 10:46 - 03705344 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2015-09-08 16:22 - 2015-08-26 10:29 - 02240512 _____ (Microsoft Corporation) C:\WINDOWS\system32\wucltux.dll
2015-09-08 16:22 - 2015-08-26 10:27 - 00891904 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2015-09-08 16:22 - 2015-08-26 10:27 - 00409088 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUSettingsProvider.dll
2015-09-08 16:22 - 2015-08-26 10:26 - 00140288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuwebv.dll
2015-09-08 16:22 - 2015-08-26 10:26 - 00095744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wudriver.dll
2015-09-08 16:22 - 2015-08-26 10:26 - 00035840 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapp.exe
2015-09-08 16:22 - 2015-08-22 14:19 - 25188352 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2015-09-08 16:22 - 2015-08-22 13:35 - 02886144 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2015-09-08 16:22 - 2015-08-22 13:34 - 00585216 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2015-09-08 16:22 - 2015-08-22 13:22 - 19856384 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2015-09-08 16:22 - 2015-08-22 13:21 - 00817664 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2015-09-08 16:22 - 2015-08-22 13:20 - 05923840 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2015-09-08 16:22 - 2015-08-22 12:55 - 00504832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2015-09-08 16:22 - 2015-08-22 12:50 - 02279424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2015-09-08 16:22 - 2015-08-22 12:50 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2015-09-08 16:22 - 2015-08-22 12:45 - 00665600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2015-09-08 16:22 - 2015-08-22 12:44 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2015-09-08 16:22 - 2015-08-22 12:41 - 14451712 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2015-09-08 16:22 - 2015-08-22 12:41 - 00801280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2015-09-08 16:22 - 2015-08-22 12:41 - 00720384 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2015-09-08 16:22 - 2015-08-22 12:41 - 00374784 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2015-09-08 16:22 - 2015-08-22 12:39 - 02126336 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2015-09-08 16:22 - 2015-08-22 12:28 - 04520448 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2015-09-08 16:22 - 2015-08-22 12:26 - 02427392 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2015-09-08 16:22 - 2015-08-22 12:23 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2015-09-08 16:22 - 2015-08-22 12:22 - 12857344 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2015-09-08 16:22 - 2015-08-22 12:20 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2015-09-08 16:22 - 2015-08-22 12:18 - 02052608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2015-09-08 16:22 - 2015-08-22 12:18 - 00689152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2015-09-08 16:22 - 2015-08-22 12:18 - 00327168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2015-09-08 16:22 - 2015-08-22 12:14 - 01545728 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2015-09-08 16:22 - 2015-08-22 12:01 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2015-09-08 16:22 - 2015-08-22 12:00 - 01951232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2015-09-08 16:22 - 2015-08-22 11:56 - 01310720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2015-09-08 16:22 - 2015-08-22 11:55 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2015-09-08 16:22 - 2015-07-30 13:18 - 00268288 _____ (Microsoft Corporation) C:\WINDOWS\system32\InkEd.dll
2015-09-08 16:22 - 2015-07-30 12:22 - 00230912 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\InkEd.dll
2015-09-08 16:22 - 2015-07-22 10:19 - 00041984 _____ (Microsoft Corporation) C:\WINDOWS\system32\UtcResources.dll
2015-09-08 16:22 - 2015-07-22 09:52 - 01633792 _____ (Microsoft Corporation) C:\WINDOWS\system32\diagtrack.dll
2015-09-08 16:22 - 2015-07-17 10:15 - 00951296 _____ (Microsoft Corporation) C:\WINDOWS\system32\tdh.dll
2015-09-08 16:22 - 2015-07-17 10:10 - 00749568 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tdh.dll
2015-09-08 16:22 - 2015-07-03 17:51 - 01380056 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
2015-09-08 16:22 - 2015-07-03 10:00 - 01097216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
2015-09-08 16:22 - 2015-06-27 07:47 - 00118616 _____ (Microsoft Corporation) C:\WINDOWS\system32\consent.exe
2015-09-08 16:21 - 2015-09-01 22:56 - 04175872 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2015-09-08 16:21 - 2015-09-01 22:55 - 00358912 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\atmfd.dll
2015-09-08 16:21 - 2015-09-01 22:50 - 00044032 _____ (Adobe Systems) C:\WINDOWS\system32\atmlib.dll
2015-09-08 16:21 - 2015-09-01 22:17 - 00301568 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\atmfd.dll
2015-09-08 16:21 - 2015-09-01 22:13 - 00035840 _____ (Adobe Systems) C:\WINDOWS\SysWOW64\atmlib.dll
2015-09-08 16:21 - 2015-08-03 17:15 - 00074928 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidapi.dll
2015-09-08 16:21 - 2015-08-03 17:15 - 00065600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\appidapi.dll
2015-09-08 16:21 - 2015-08-01 10:22 - 00039936 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidsvc.dll
2015-09-08 16:21 - 2015-07-31 23:47 - 00229376 _____ (Microsoft Corporation) C:\WINDOWS\system32\schtasks.exe
2015-09-08 16:21 - 2015-07-31 23:45 - 00182784 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\schtasks.exe
2015-09-08 16:21 - 2015-07-31 23:38 - 01265152 _____ (Microsoft Corporation) C:\WINDOWS\system32\schedsvc.dll
2015-09-08 16:21 - 2015-07-31 23:37 - 00468992 _____ (Microsoft Corporation) C:\WINDOWS\system32\taskeng.exe
2015-09-08 16:21 - 2015-07-31 23:37 - 00359936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\taskeng.exe
2015-09-08 16:21 - 2015-07-22 10:34 - 02775552 _____ (Microsoft Corporation) C:\WINDOWS\system32\authui.dll
2015-09-08 16:21 - 2015-07-22 10:33 - 01728000 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Immersive.dll
2015-09-08 16:21 - 2015-07-22 10:25 - 02461184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\authui.dll
2015-09-08 16:21 - 2015-07-22 10:25 - 01546752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Immersive.dll
2015-09-08 16:21 - 2015-07-18 14:31 - 00194048 _____ (Microsoft Corporation) C:\WINDOWS\system32\shacct.dll
2015-09-08 16:21 - 2015-07-18 14:29 - 00655872 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingSync.dll
2015-09-08 16:21 - 2015-07-18 14:29 - 00148480 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shacct.dll
2015-09-08 16:21 - 2015-07-18 14:27 - 00520192 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SettingSync.dll
2015-09-08 16:21 - 2015-07-13 23:27 - 00063488 _____ (Microsoft Corporation) C:\WINDOWS\system32\tzsync.exe
2015-09-08 16:21 - 2015-07-13 15:10 - 00411455 _____ C:\WINDOWS\system32\ApnDatabase.xml
2015-09-08 16:21 - 2015-07-09 12:14 - 00228864 _____ (Microsoft Corporation) C:\WINDOWS\system32\profsvc.dll
2015-09-08 16:21 - 2015-06-19 13:07 - 02819072 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingsHandlers.dll
2015-09-04 20:06 - 2015-09-04 20:06 - 00042551 _____ C:\Users\krwood03\Downloads\unknown (1)
2015-09-04 19:25 - 2015-09-04 19:25 - 00042551 _____ C:\Users\krwood03\Downloads\unknown
2015-09-03 14:42 - 2015-09-03 14:42 - 00000000 ____D C:\WINDOWS\SysWOW64\sda
2015-09-03 14:41 - 2015-09-03 14:41 - 09890008 _____ (Realtek Semiconductor Corp.) C:\WINDOWS\SysWOW64\RsCRIcon.dll
2015-09-03 14:41 - 2015-09-03 14:41 - 00506072 _____ (Realsil Semiconductor Corporation) C:\WINDOWS\system32\Drivers\RtsPer.sys
2015-09-03 14:41 - 2015-09-03 14:41 - 00359128 _____ (Realtek Semiconductor Corp.) C:\WINDOWS\system32\Drivers\RtsPStor.sys
2015-09-03 14:41 - 2015-09-03 14:41 - 00332504 _____ (Realtek Semiconductor Corp.) C:\WINDOWS\system32\Drivers\RtsUVStor.sys
2015-09-03 14:41 - 2015-09-03 14:41 - 00313048 _____ (Realtek Semiconductor Corp.) C:\WINDOWS\system32\Drivers\RtsBaStor.sys
2015-09-03 14:41 - 2015-09-03 14:41 - 00294104 _____ (Realtek Semiconductor Corp.) C:\WINDOWS\system32\Drivers\RtsP2Stor.sys
2015-09-03 14:41 - 2015-09-03 14:41 - 00272600 _____ (Realtek Semiconductor Corp.) C:\WINDOWS\system32\Drivers\RtsUStor.sys
2015-09-02 12:33 - 2015-09-02 12:33 - 00211668 _____ C:\Users\krwood03\Downloads\Re SBA Loan Update.zip

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-02 13:22 - 2014-10-01 20:58 - 01183346 _____ C:\WINDOWS\WindowsUpdate.log
2015-10-02 13:02 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\system32\sru
2015-10-02 12:49 - 2015-06-06 13:49 - 00000316 _____ C:\WINDOWS\Tasks\Run_dregol.job
2015-10-01 20:44 - 2014-03-18 05:53 - 00958356 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-10-01 20:43 - 2013-08-22 10:46 - 00060068 _____ C:\WINDOWS\setupact.log
2015-10-01 20:42 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2015-10-01 18:16 - 2014-10-02 19:52 - 00000052 _____ C:\WINDOWS\SysWOW64\DOErrors.log
2015-10-01 08:08 - 2014-10-01 21:09 - 00003600 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1283070196-2774340731-1875930287-1001
2015-09-30 20:12 - 2014-10-08 21:47 - 00000000 ____D C:\Users\krwood03\AppData\Local\CrashDumps
2015-09-29 19:45 - 2014-09-26 15:36 - 00000000 ___DO C:\Users\krwood03\OneDrive
2015-09-29 16:07 - 2015-07-14 19:53 - 00000914 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-09-29 13:51 - 2015-08-30 19:09 - 00003176 _____ C:\WINDOWS\System32\Tasks\HPCeeScheduleForkrwood03
2015-09-29 13:51 - 2015-08-30 19:09 - 00000356 _____ C:\WINDOWS\Tasks\HPCeeScheduleForkrwood03.job
2015-09-29 13:48 - 2014-07-10 14:26 - 00000000 ____D C:\Users\krwood03\Documents\Youcam
2015-09-28 21:37 - 2013-08-22 10:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-09-27 21:27 - 2014-10-02 10:58 - 790938735 _____ C:\WINDOWS\MEMORY.DMP
2015-09-27 21:27 - 2014-10-02 10:58 - 00000000 ____D C:\WINDOWS\Minidump
2015-09-27 19:31 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\rescache
2015-09-27 17:45 - 2013-08-22 11:20 - 00000000 ____D C:\WINDOWS\CbsTemp
2015-09-16 18:41 - 2014-10-01 20:55 - 00000000 ____D C:\Users\krwood03
2015-09-15 16:02 - 2015-07-14 19:53 - 00003890 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2015-09-15 16:02 - 2015-07-14 19:53 - 00003654 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2015-09-15 16:02 - 2015-07-14 19:53 - 00000918 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-09-14 21:37 - 2013-08-22 09:25 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2015-09-14 21:18 - 2014-10-16 23:38 - 00812008 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-09-14 21:18 - 2014-10-16 23:38 - 00178152 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2015-09-14 16:40 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\system32\NDF
2015-09-10 17:39 - 2013-08-22 10:44 - 00491624 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2015-09-09 21:55 - 2014-03-18 05:38 - 00000000 ____D C:\Program Files\Windows Journal
2015-09-09 21:55 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\PolicyDefinitions
2015-09-09 21:54 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\SysWOW64\inetsrv
2015-09-09 21:54 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\system32\inetsrv
2015-09-09 19:54 - 2014-10-04 21:38 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-09-04 20:05 - 2014-07-10 14:23 - 00000000 ____D C:\Users\krwood03\AppData\Local\Packages
2015-09-03 14:41 - 2014-05-12 23:26 - 00000000 ____D C:\Program Files (x86)\Realtek
2015-09-03 14:41 - 2014-03-31 21:07 - 00000000 ____D C:\SWSetup

==================== Files in the root of some directories =======

2015-06-10 20:49 - 2015-07-24 18:49 - 0000203 _____ () C:\Users\krwood03\AppData\Roaming\WB.CFG

Some files in TEMP:
====================
C:\Users\krwood03\AppData\Local\Temp\Extract.exe
C:\Users\krwood03\AppData\Local\Temp\oct1792.tmp.exe
C:\Users\krwood03\AppData\Local\Temp\oct8712.tmp.exe
C:\Users\krwood03\AppData\Local\Temp\octBC25.tmp.exe
C:\Users\krwood03\AppData\Local\Temp\SP67263.exe
C:\Users\krwood03\AppData\Local\Temp\SP67280.exe
C:\Users\krwood03\AppData\Local\Temp\SP68055.exe
C:\Users\krwood03\AppData\Local\Temp\SP68117.exe
C:\Users\krwood03\AppData\Local\Temp\SP68120.exe
C:\Users\krwood03\AppData\Local\Temp\SP68630.exe
C:\Users\krwood03\AppData\Local\Temp\SP69393.exe
C:\Users\krwood03\AppData\Local\Temp\SP69401.exe
C:\Users\krwood03\AppData\Local\Temp\SP69404.exe
C:\Users\krwood03\AppData\Local\Temp\SP69559.exe
C:\Users\krwood03\AppData\Local\Temp\SP69617.exe
C:\Users\krwood03\AppData\Local\Temp\SP69618.exe
C:\Users\krwood03\AppData\Local\Temp\SP69718.exe
C:\Users\krwood03\AppData\Local\Temp\SP70271.exe
C:\Users\krwood03\AppData\Local\Temp\SP70439.exe
C:\Users\krwood03\AppData\Local\Temp\SP70781.exe
C:\Users\krwood03\AppData\Local\Temp\SP70794.exe
C:\Users\krwood03\AppData\Local\Temp\SP70821.exe
C:\Users\krwood03\AppData\Local\Temp\SP70822.exe
C:\Users\krwood03\AppData\Local\Temp\SP70823.exe
C:\Users\krwood03\AppData\Local\Temp\SP71156.exe
C:\Users\krwood03\AppData\Local\Temp\SP71716.exe
C:\Users\krwood03\AppData\Local\Temp\SP71729.exe
C:\Users\krwood03\AppData\Local\Temp\SP71811.exe
C:\Users\krwood03\AppData\Local\Temp\SP71829.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-09-27 17:43

==================== End of FRST.txt ============================

 

 

#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,490 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:36 PM

Posted 03 October 2015 - 09:05 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove these programs in bold using the Add/Remove Programs applet.
MapsGalaxy Internet Explorer Toolbar (HKLM-x32\...\MapsGalaxy_39bar Uninstall Internet Explorer) (Version: - Mindspark Interactive Network) <==== ATTENTION
Run_Dregol (HKU\S-1-5-21-1283070196-2774340731-1875930287-1001\...\Run_Dregol) (Version: - Run_Dregol) <==== ATTENTION

===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Mindspark) C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39barsvc.exe
HKLM-x32\...\Run: [MapsGalaxy EPM Support] => C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39medint.exe [11600 2015-09-10] (Mindspark)
URLSearchHook: HKU\S-1-5-21-1283070196-2774340731-1875930287-1001 - (No Name) - {26842a09-ffa8-4e2c-ae12-0c80f01c3295} - C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39SrcAs.dll (Mindspark)
SearchScopes: HKU\S-1-5-21-1283070196-2774340731-1875930287-1001 -> DefaultScope {0C8AE71D-2FA9-11E5-8282-6CC2175D75AF} URL = hxxp://search.homepage-web.com/?src=omnibox&partner=hp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1283070196-2774340731-1875930287-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.dregol.com/results.php?f=4&q={searchTerms}&a=drg_omxmedia_15_23&cd=2XzuyEtN2Y1L1QzuzytDyEzzzy0AyCyDtAzz0DyCyC0C0DzztN0D0Tzu0StCtByDtBtN1L2XzutAtFtCtDtFtCtDtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyDyCtDyEtDyD0A0AtGtDtByDzytGzzyBzztBtGyBzytA0FtGyCtCzz0EtCyDtDyC0EyD0C0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAyB0DyCzz0E0E0CtG0B0C0B0EtGyEtByBtAtGzytA0DtCtG0BtC0EtAyByDyEyEyDtDtCzz2QtN0A0LzuyE&cr=1950964926&ir=
SearchScopes: HKU\S-1-5-21-1283070196-2774340731-1875930287-1001 -> {0C8AE71D-2FA9-11E5-8282-6CC2175D75AF} URL = hxxp://search.homepage-web.com/?src=omnibox&partner=hp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1283070196-2774340731-1875930287-1001 -> {b0441a0e-a49a-4e16-afc1-74ecced1921f} URL = hxxp://search.tb.ask.com/search/GGmain.jhtml?p2=^UX^xdm423^S13981^us&si=245051_US-G-GDD1&ptb=F390C1C5-564E-4161-973A-6F4BD65F203B&ind=2015091618&n=781bdba2&psa=&st=sb&searchfor={searchTerms}
BHO-x32: Toolbar BHO -> {1e91a655-bb4b-4693-a05e-2edebc4c9d89} -> C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39bar.dll [2015-09-10] (Mindspark)
BHO-x32: Search Assistant BHO -> {71c1d63a-c944-428a-a5bd-ba513190e5d2} -> C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39SrcAs.dll [2015-09-10] (Mindspark)
Toolbar: HKLM-x32 - MapsGalaxy - {364ea597-e728-4ce4-bb4a-ed846ef47970} - C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39bar.dll [2015-09-10] (Mindspark)
Toolbar: HKU\S-1-5-21-1283070196-2774340731-1875930287-1001 -> MapsGalaxy - {364EA597-E728-4CE4-BB4A-ED846EF47970} - C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39bar.dll [2015-09-10] (Mindspark)
CHR HKLM-x32\...\Chrome\Extension: [fidikogfgleiaefnjbmnjaplmgknppkg] - hxxps://clients2.google.com/service/update2/crx
R2 MapsGalaxy_39Service; C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39barsvc.exe [89424 2015-09-10] (Mindspark)
C:\Program Files (x86)\MapsGalaxy_39
C:\Users\krwood03\AppData\Local\Temp\Extract.exe
C:\Users\krwood03\AppData\Local\Temp\oct1792.tmp.exe
C:\Users\krwood03\AppData\Local\Temp\oct8712.tmp.exe
C:\Users\krwood03\AppData\Local\Temp\octBC25.tmp.exe
C:\Users\krwood03\AppData\Local\Temp\SP67263.exe
C:\Users\krwood03\AppData\Local\Temp\SP67280.exe
C:\Users\krwood03\AppData\Local\Temp\SP68055.exe
C:\Users\krwood03\AppData\Local\Temp\SP68117.exe
C:\Users\krwood03\AppData\Local\Temp\SP68120.exe
C:\Users\krwood03\AppData\Local\Temp\SP68630.exe
C:\Users\krwood03\AppData\Local\Temp\SP69393.exe
C:\Users\krwood03\AppData\Local\Temp\SP69401.exe
C:\Users\krwood03\AppData\Local\Temp\SP69404.exe
C:\Users\krwood03\AppData\Local\Temp\SP69559.exe
C:\Users\krwood03\AppData\Local\Temp\SP69617.exe
C:\Users\krwood03\AppData\Local\Temp\SP69618.exe
C:\Users\krwood03\AppData\Local\Temp\SP69718.exe
C:\Users\krwood03\AppData\Local\Temp\SP70271.exe
C:\Users\krwood03\AppData\Local\Temp\SP70439.exe
C:\Users\krwood03\AppData\Local\Temp\SP70781.exe
C:\Users\krwood03\AppData\Local\Temp\SP70794.exe
C:\Users\krwood03\AppData\Local\Temp\SP70821.exe
C:\Users\krwood03\AppData\Local\Temp\SP70822.exe
C:\Users\krwood03\AppData\Local\Temp\SP70823.exe
C:\Users\krwood03\AppData\Local\Temp\SP71156.exe
C:\Users\krwood03\AppData\Local\Temp\SP71716.exe
C:\Users\krwood03\AppData\Local\Temp\SP71729.exe
C:\Users\krwood03\AppData\Local\Temp\SP71811.exe
C:\Users\krwood03\AppData\Local\Temp\SP71829.exe
Task: {0D8A891D-890C-4808-84D8-2F436AB14653} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {1274336E-AB06-46B6-A48C-0671C5557CC6} - \Microsoft\Windows\TaskScheduler\Maintenance Configurator -> No File <==== ATTENTION
Task: {1687544D-7247-4F5A-965A-A6E920E55278} - \Microsoft\Windows\TaskScheduler\Manual Maintenance -> No File <==== ATTENTION
Task: {38D04DE8-61ED-45B9-B6F4-B39439D26137} - System32\Tasks\Run_dregol => C:\Users\krwood03\AppData\Roaming\Run_dregol\UpdateProc\UpdateTask.exe [2015-06-06] () <==== ATTENTION
Task: {6F02587F-8A2B-4552-97F6-DEEF229E335B} - \Microsoft\Windows\TaskScheduler\Idle Maintenance -> No File <==== ATTENTION
Task: {B7992938-01F1-4F40-A0EC-0D23D2F0F152} - \Microsoft\Windows\TaskScheduler\Regular Maintenance -> No File <==== ATTENTION
Task: {CFD7C21A-808B-487B-A6EC-8A10E44E8360} - \Microsoft\Windows\SettingSync\BackupTask -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\Run_dregol.job => C:\Users\krwood03\AppData\Roaming\RUN_DR~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141

For IE 10, 11 follow the following instructions.
http://refreshyourcache.com/en/internet-explorer-11/
===

How is the computer running now?

#3 deskjockey

deskjockey
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:36 PM

Posted 03 October 2015 - 11:49 AM

Fix result of Farbar Recovery Scan Tool (x64) Version:03-10-2015
Ran by krwood03 (2015-10-03 11:32:55) Run:1
Running from C:\Users\krwood03\Desktop
Loaded Profiles: krwood03 (Available Profiles: krwood03 & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Mindspark) C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39barsvc.exe
HKLM-x32\...\Run: [MapsGalaxy EPM Support] => C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39medint.exe [11600 2015-09-10] (Mindspark)
URLSearchHook: HKU\S-1-5-21-1283070196-2774340731-1875930287-1001 - (No Name) - {26842a09-ffa8-4e2c-ae12-0c80f01c3295} - C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39SrcAs.dll (Mindspark)
SearchScopes: HKU\S-1-5-21-1283070196-2774340731-1875930287-1001 -> DefaultScope {0C8AE71D-2FA9-11E5-8282-6CC2175D75AF} URL = hxxp://search.homepage-web.com/?src=omnibox&partner=hp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1283070196-2774340731-1875930287-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.dregol.com/results.php?f=4&q={searchTerms}&a=drg_omxmedia_15_23&cd=2XzuyEtN2Y1L1QzuzytDyEzzzy0AyCyDtAzz0DyCyC0C0DzztN0D0Tzu0StCtByDtBtN1L2XzutAtFtCtDtFtCtDtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyDyCtDyEtDyD0A0AtGtDtByDzytGzzyBzztBtGyBzytA0FtGyCtCzz0EtCyDtDyC0EyD0C0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAyB0DyCzz0E0E0CtG0B0C0B0EtGyEtByBtAtGzytA0DtCtG0BtC0EtAyByDyEyEyDtDtCzz2QtN0A0LzuyE&cr=1950964926&ir=
SearchScopes: HKU\S-1-5-21-1283070196-2774340731-1875930287-1001 -> {0C8AE71D-2FA9-11E5-8282-6CC2175D75AF} URL = hxxp://search.homepage-web.com/?src=omnibox&partner=hp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1283070196-2774340731-1875930287-1001 -> {b0441a0e-a49a-4e16-afc1-74ecced1921f} URL = hxxp://search.tb.ask.com/search/GGmain.jhtml?p2=^UX^xdm423^S13981^us&si=245051_US-G-GDD1&ptb=F390C1C5-564E-4161-973A-6F4BD65F203B&ind=2015091618&n=781bdba2&psa=&st=sb&searchfor={searchTerms}
BHO-x32: Toolbar BHO -> {1e91a655-bb4b-4693-a05e-2edebc4c9d89} -> C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39bar.dll [2015-09-10] (Mindspark)
BHO-x32: Search Assistant BHO -> {71c1d63a-c944-428a-a5bd-ba513190e5d2} -> C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39SrcAs.dll [2015-09-10] (Mindspark)
Toolbar: HKLM-x32 - MapsGalaxy - {364ea597-e728-4ce4-bb4a-ed846ef47970} - C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39bar.dll [2015-09-10] (Mindspark)
Toolbar: HKU\S-1-5-21-1283070196-2774340731-1875930287-1001 -> MapsGalaxy - {364EA597-E728-4CE4-BB4A-ED846EF47970} - C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39bar.dll [2015-09-10] (Mindspark)
CHR HKLM-x32\...\Chrome\Extension: [fidikogfgleiaefnjbmnjaplmgknppkg] - hxxps://clients2.google.com/service/update2/crx
R2 MapsGalaxy_39Service; C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39barsvc.exe [89424 2015-09-10] (Mindspark)
C:\Program Files (x86)\MapsGalaxy_39
C:\Users\krwood03\AppData\Local\Temp\Extract.exe
C:\Users\krwood03\AppData\Local\Temp\oct1792.tmp.exe
C:\Users\krwood03\AppData\Local\Temp\oct8712.tmp.exe
C:\Users\krwood03\AppData\Local\Temp\octBC25.tmp.exe
C:\Users\krwood03\AppData\Local\Temp\SP67263.exe
C:\Users\krwood03\AppData\Local\Temp\SP67280.exe
C:\Users\krwood03\AppData\Local\Temp\SP68055.exe
C:\Users\krwood03\AppData\Local\Temp\SP68117.exe
C:\Users\krwood03\AppData\Local\Temp\SP68120.exe
C:\Users\krwood03\AppData\Local\Temp\SP68630.exe
C:\Users\krwood03\AppData\Local\Temp\SP69393.exe
C:\Users\krwood03\AppData\Local\Temp\SP69401.exe
C:\Users\krwood03\AppData\Local\Temp\SP69404.exe
C:\Users\krwood03\AppData\Local\Temp\SP69559.exe
C:\Users\krwood03\AppData\Local\Temp\SP69617.exe
C:\Users\krwood03\AppData\Local\Temp\SP69618.exe
C:\Users\krwood03\AppData\Local\Temp\SP69718.exe
C:\Users\krwood03\AppData\Local\Temp\SP70271.exe
C:\Users\krwood03\AppData\Local\Temp\SP70439.exe
C:\Users\krwood03\AppData\Local\Temp\SP70781.exe
C:\Users\krwood03\AppData\Local\Temp\SP70794.exe
C:\Users\krwood03\AppData\Local\Temp\SP70821.exe
C:\Users\krwood03\AppData\Local\Temp\SP70822.exe
C:\Users\krwood03\AppData\Local\Temp\SP70823.exe
C:\Users\krwood03\AppData\Local\Temp\SP71156.exe
C:\Users\krwood03\AppData\Local\Temp\SP71716.exe
C:\Users\krwood03\AppData\Local\Temp\SP71729.exe
C:\Users\krwood03\AppData\Local\Temp\SP71811.exe
C:\Users\krwood03\AppData\Local\Temp\SP71829.exe
Task: {0D8A891D-890C-4808-84D8-2F436AB14653} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {1274336E-AB06-46B6-A48C-0671C5557CC6} - \Microsoft\Windows\TaskScheduler\Maintenance Configurator -> No File <==== ATTENTION
Task: {1687544D-7247-4F5A-965A-A6E920E55278} - \Microsoft\Windows\TaskScheduler\Manual Maintenance -> No File <==== ATTENTION
Task: {38D04DE8-61ED-45B9-B6F4-B39439D26137} - System32\Tasks\Run_dregol => C:\Users\krwood03\AppData\Roaming\Run_dregol\UpdateProc\UpdateTask.exe [2015-06-06] () <==== ATTENTION
Task: {6F02587F-8A2B-4552-97F6-DEEF229E335B} - \Microsoft\Windows\TaskScheduler\Idle Maintenance -> No File <==== ATTENTION
Task: {B7992938-01F1-4F40-A0EC-0D23D2F0F152} - \Microsoft\Windows\TaskScheduler\Regular Maintenance -> No File <==== ATTENTION
Task: {CFD7C21A-808B-487B-A6EC-8A10E44E8360} - \Microsoft\Windows\SettingSync\BackupTask -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\Run_dregol.job => C:\Users\krwood03\AppData\Roaming\RUN_DR~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION

End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39barsvc.exe => No running process found
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\MapsGalaxy EPM Support => value not found.
HKU\S-1-5-21-1283070196-2774340731-1875930287-1001\Software\Microsoft\Internet Explorer\URLSearchHooks\\{26842a09-ffa8-4e2c-ae12-0c80f01c3295} => value not found.
HKU\S-1-5-21-1283070196-2774340731-1875930287-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-1283070196-2774340731-1875930287-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKU\S-1-5-21-1283070196-2774340731-1875930287-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0C8AE71D-2FA9-11E5-8282-6CC2175D75AF}" => key removed successfully
HKCR\CLSID\{0C8AE71D-2FA9-11E5-8282-6CC2175D75AF} => key not found.
"HKU\S-1-5-21-1283070196-2774340731-1875930287-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}" => key removed successfully
HKCR\CLSID\{b0441a0e-a49a-4e16-afc1-74ecced1921f} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1e91a655-bb4b-4693-a05e-2edebc4c9d89} => key not found.
HKCR\Wow6432Node\CLSID\{1e91a655-bb4b-4693-a05e-2edebc4c9d89} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{71c1d63a-c944-428a-a5bd-ba513190e5d2} => key not found.
HKCR\Wow6432Node\CLSID\{71c1d63a-c944-428a-a5bd-ba513190e5d2} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{364ea597-e728-4ce4-bb4a-ed846ef47970} => value not found.
HKCR\Wow6432Node\CLSID\{364ea597-e728-4ce4-bb4a-ed846ef47970} => key not found.
HKU\S-1-5-21-1283070196-2774340731-1875930287-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{364EA597-E728-4CE4-BB4A-ED846EF47970} => value not found.
HKCR\CLSID\{364EA597-E728-4CE4-BB4A-ED846EF47970} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fidikogfgleiaefnjbmnjaplmgknppkg" => key removed successfully
MapsGalaxy_39Service => service not found.
C:\Program Files (x86)\MapsGalaxy_39 => moved successfully
C:\Users\krwood03\AppData\Local\Temp\Extract.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\oct1792.tmp.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\oct8712.tmp.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\octBC25.tmp.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP67263.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP67280.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP68055.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP68117.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP68120.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP68630.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP69393.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP69401.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP69404.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP69559.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP69617.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP69618.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP69718.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP70271.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP70439.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP70781.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP70794.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP70821.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP70822.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP70823.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP71156.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP71716.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP71729.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP71811.exe => moved successfully
C:\Users\krwood03\AppData\Local\Temp\SP71829.exe => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0D8A891D-890C-4808-84D8-2F436AB14653}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0D8A891D-890C-4808-84D8-2F436AB14653}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Application Experience\AitAgent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1274336E-AB06-46B6-A48C-0671C5557CC6}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1274336E-AB06-46B6-A48C-0671C5557CC6}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\TaskScheduler\Maintenance Configurator" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1687544D-7247-4F5A-965A-A6E920E55278}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1687544D-7247-4F5A-965A-A6E920E55278}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\TaskScheduler\Manual Maintenance" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{38D04DE8-61ED-45B9-B6F4-B39439D26137}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{38D04DE8-61ED-45B9-B6F4-B39439D26137}" => key removed successfully
C:\WINDOWS\System32\Tasks\Run_dregol => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Run_dregol" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6F02587F-8A2B-4552-97F6-DEEF229E335B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6F02587F-8A2B-4552-97F6-DEEF229E335B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\TaskScheduler\Idle Maintenance" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B7992938-01F1-4F40-A0EC-0D23D2F0F152}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B7992938-01F1-4F40-A0EC-0D23D2F0F152}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\TaskScheduler\Regular Maintenance" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CFD7C21A-808B-487B-A6EC-8A10E44E8360}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CFD7C21A-808B-487B-A6EC-8A10E44E8360}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SettingSync\BackupTask" => key removed successfully
C:\WINDOWS\Tasks\Run_dregol.job => moved successfully
EmptyTemp: => 1 GB temporary data Removed.


The system needed a reboot..

==== End of Fixlog 11:35:05 ====

 

# AdwCleaner v5.009 - Logfile created 03/10/2015 at 11:51:10
# Updated 27/09/2015 by Xplode
# Database : 2015-09-30.1 [Server]
# Operating system : Windows 8.1  (x64)
# Username : krwood03 - KEITH
# Running from : C:\Users\krwood03\Desktop\Maleware apps\adwcleaner_5.009.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Users\krwood03\AppData\Local\pokki

***** [ Files ] *****

[-] File Deleted : C:\Users\krwood03\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pokki Menu.lnk

***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****

[-] Task Deleted : Pokki
[-] Task Deleted : Pokki
[-] Task Deleted : YCMServiceAgent

***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\Classes\pokki
[-] Key Deleted : HKCU\Software\Classes\AllFileSystemObjects\shell\pokki
[-] Key Deleted : HKCU\Software\Classes\Directory\shell\pokki
[-] Key Deleted : HKCU\Software\Classes\Drive\shell\pokki
[-] Key Deleted : HKCU\Software\Classes\lnkfile\shell\pokki
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki_34e8f5c0c9e5744bf2cdb514283762dd0524776b
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki_Start_Menu
[-] Key Deleted : HKCU\Software\Pokki
[-] Key Deleted : HKCU\Software\PRODUCTSETUP
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki
[!] Key Not Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki_Start_Menu
[!] Key Not Deleted : [x64] HKCU\Software\Pokki
[!] Key Not Deleted : [x64] HKCU\Software\PRODUCTSETUP
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}

***** [ Web browsers ] *****

[-] [C:\Users\krwood03\AppData\Local\Chromium\User Data\Default\Web Data] [Search Provider] Deleted : dregol
[-] [C:\Users\krwood03\AppData\Local\Chromium\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxp://www.dregol.com/?f=1&a=drg_omxmedia_15_23&cd=2XzuyEtN2Y1L1QzuzytDyEzzzy0AyCyDtAzz0DyCyC0C0DzztN0D0Tzu0StCtByDtBtN1L2XzutAtFtCtDtFtCtDtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyDyCtDyEtDyD0A0AtGtDtByDzytGzzyBzztBtGyBzytA0FtGyCtCzz0EtCyDtDyC0EyD0C0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAyB0DyCzz0E0E0CtG0B0C0B0EtGyEtByBtAtGzytA0DtCtG0BtC0EtAyByDyEyEyDtDtCzz2QtN0A0LzuyE&cr=1950964926&ir=&uref=chmm
[-] [C:\Users\krwood03\AppData\Local\Chromium\User Data\Default\Secure Preferences] [Homepage] Deleted : hxxp://www.dregol.com/?f=1&a=drg_omxmedia_15_23&cd=2XzuyEtN2Y1L1QzuzytDyEzzzy0AyCyDtAzz0DyCyC0C0DzztN0D0Tzu0StCtByDtBtN1L2XzutAtFtCtDtFtCtDtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyDyCtDyEtDyD0A0AtGtDtByDzytGzzyBzztBtGyBzytA0FtGyCtCzz0EtCyDtDyC0EyD0C0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAyB0DyCzz0E0E0CtG0B0C0B0EtGyEtByBtAtGzytA0DtCtG0BtC0EtAyByDyEyEyDtDtCzz2QtN0A0LzuyE&cr=1950964926&ir=&uref=chmm

*************************

:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2994 bytes] ##########
 

After the PC restarted from AdwCleaner I opened IE11 to reset and clean the cache.  When I opened it the default page was MSN. I reset IE11 and cleaned the cache, however I did not see the banner at the bottom of IE asking me to restart the PC as was shown on refreshyourcache.com.  I pressed Ctrl+F5 to force refresh the cache as the webpage indicated and the browser was unable to connect to the website.  I waited a minute, tried again and had the same result.  I manually restarted my PC and the former home URL was back.  I took a look at the IE security settings. I would anticipate that using protected mode would be a default setting, however it is unchecked.  I looked at my firewall rules and they are also the same as before even after resetting them to default.

 

I have screenshots of IE security settings, firewall rules and an odd looking network screen (my wifi network was listed a bunch of times) but I am unsure of how to add them.

 

Your thoughts?
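An added example for the two logs in this reply and the FRST/AdwCleaner steps in the reply above (this is not code from the thread, from FRST or from AdwCleaner). Both tools report one action per line, and the lines worth a second look are the ones that did not end in a removal: FRST's "not found" entries (already gone, usually harmless) and AdwCleaner's "[!] Key Not Deleted" entries (still present). The script sorts the lines into those buckets so the leftovers stand out; the log lines it contains are constructed in the same shape as the posted ones, with placeholder product names and SIDs.

```python
"""Triage FRST Fixlog.txt and AdwCleaner log lines.

Added example for this thread; it is not code from FRST, AdwCleaner or the
forum. FRST reports one action per line as '<target> => <outcome>';
AdwCleaner reports '[-] <Kind> Deleted : <target>' on success and
'[!] <Kind> Not Deleted : <target>' when an item survived the clean.
"""
import re
from collections import defaultdict

# Constructed sample lines in the same shape as the posted logs, with
# placeholder product names and SIDs.
FIXLOG_SAMPLE = r"""
Restore point was successfully created.
Processes closed successfully.
C:\Program Files (x86)\ExampleBar\bar\1.bin\barsvc.exe => No running process found
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ExampleBar EPM Support => value not found.
"HKU\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{00000000-0000-0000-0000-000000000001}" => key removed successfully
HKCR\CLSID\{00000000-0000-0000-0000-000000000001} => key not found.
ExampleBarService => service not found.
C:\Program Files (x86)\ExampleBar => moved successfully
C:\WINDOWS\Tasks\Run_example.job => moved successfully
EmptyTemp: => 1 GB temporary data Removed.
"""

ADW_SAMPLE = r"""
[-] Folder Deleted : C:\Users\user\AppData\Local\examplepup
[-] Task Deleted : ExamplePup
[-] Key Deleted : HKCU\Software\ExamplePup
[!] Key Not Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\ExamplePup_Start_Menu
[!] Key Not Deleted : [x64] HKCU\Software\PRODUCTSETUP
"""

# '<target> => <outcome>' with an optional pair of quotes around the target
# and an optional trailing full stop after the outcome.
FRST_LINE = re.compile(r'^"?(?P<target>.+?)"?\s+=>\s+(?P<outcome>.+?)\.?$')
# '[-] Key Deleted : ...' or '[!] Key Not Deleted : ...'
ADW_LINE = re.compile(
    r'^\[(?P<mark>[-!])\]\s+(?P<kind>\w+)\s+(?:Not )?Deleted\s+:\s+(?P<target>.+)$')


def classify_frst(outcome):
    """Map an FRST outcome string to a bucket.

    'not found' is not a failure: the item was in the fixlist but was already
    absent, typically because an earlier pass or another tool removed it.
    """
    text = outcome.lower()
    if ("removed successfully" in text or "moved successfully" in text
            or "data removed" in text):
        return "removed"
    if "not found" in text:
        return "not_found"
    return "info"


def triage_frst(text):
    """Return {bucket: [target, ...]} for every '=>' line in a Fixlog."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        m = FRST_LINE.match(line.strip())
        if m:
            buckets[classify_frst(m.group("outcome"))].append(m.group("target"))
    return buckets


def triage_adw(text):
    """Return {'removed' | 'not_removed': [(kind, target), ...]} for an
    AdwCleaner log; '[!]' marks items the tool could not delete."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        m = ADW_LINE.match(line.strip())
        if m:
            bucket = "removed" if m.group("mark") == "-" else "not_removed"
            buckets[bucket].append((m.group("kind"), m.group("target")))
    return buckets


def summarize(frst_text, adw_text):
    """Counts of what went, plus the explicit list of what is still there."""
    frst = triage_frst(frst_text)
    adw = triage_adw(adw_text)
    return {
        "frst_removed": len(frst["removed"]),
        "frst_not_found": len(frst["not_found"]),
        "frst_info": len(frst["info"]),
        "adw_removed": len(adw["removed"]),
        "adw_not_removed": [target for _, target in adw["not_removed"]],
    }


if __name__ == "__main__":
    for key, value in summarize(FIXLOG_SAMPLE, ADW_SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against a real Fixlog.txt and AdwCleaner[Cx].txt by reading the two files in place of the constructed samples; the "adw_not_removed" list is the part to paste back into a thread like this one, because those are the keys the helper will have to target in the next pass.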

 

 



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,490 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:36 PM

Posted 03 October 2015 - 01:33 PM

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
resetieproxy; ---> resets proxies in IE browser
skipfix-iedefaults;
ipconfig /flushdns;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

How is it now?

#5 deskjockey

deskjockey
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:36 PM

Posted 03 October 2015 - 03:46 PM

Hello Nasdaq

 

First off, let me apologize for not thanking you in my first post. I really appreciate your assistance with this. Next time I will have my cup of coffee BEFORE I post on the forums. :)

 

I don't see any changes or improvements to IE or my firewall after running the Zoek tool.

 

What I did find:

 

1 - In the notification area icons window I see a program called mod_frst.exe listed in addition to FRST64.exe. Is this normal?

 

2 - In the action center, I opened up archived messages and found the following message with a notification that this message was hidden from the action center. The date listed was 10/1/2014. I placed a checkmark in the virus protection box, which was unchecked in the messages section. A couple of days ago this was not there.

PWS:Win32/Zbot malware was found on your PC

Windows found and removed PWS:Win32/Zbot from your PC. PWS:Win32/Zbot is malware that is designed to steal passwords

Important

We strongly recommend that you change all passwords immediately for websites that require a password, especially online banking websites and other sites that store personal info.

 

3 - I turned on hidden files and I see 2 files labeled desktop.ini on my desktop. The contents are as follows.

 

file 1 -
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799
[LocalizedFileNames]
WildTangent Games App - hp.lnk=@C:\PROGRA~2\WILDTA~1\TOUCHP~1\hp\MUILink.exe,-105
 

file 2 -
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183

 

 

Zoek.exe v5.0.0.1 Updated 30-09-2015
Tool run by krwood03 on Sat 10/03/2015 at 15:34:04.01.
Microsoft Windows 8.1 6.3.9600  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\krwood03\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

10/3/2015 3:35:29 PM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\Users\krwood03\AppData\Local\EmieBrowserModeList deleted successfully
C:\Users\krwood03\AppData\Local\EmieSiteList deleted successfully
C:\Users\krwood03\AppData\Local\EmieUserList deleted successfully
C:\Users\krwood03\AppData\Local\PackageStaging deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-1283070196-2774340731-1875930287-1001\Software\Microsoft\Internet Explorer\SearchScopes\{DF0AB96E-7792-4FAD-89BC-A1EC2F7B16EC} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{DF0AB96E-7792-4FAD-89BC-A1EC2F7B16EC} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DF0AB96E-7792-4FAD-89BC-A1EC2F7B16EC} deleted successfully

==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\Users\Public\Pokki deleted
C:\Users\krwood03\AppData\Roaming\WB.CFG deleted
C:\Users\krwood03\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Start Menu.lnk deleted
C:\PROGRA~3\{C19CA186-4F06-4E22-A1E6-6BAB4723A0DE} deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\Default\AppData\Local\Pokki deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\Users\krwood03\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PC App Store.lnk deleted
C:\Users\krwood03\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Start Menu.lnk deleted
C:\WINDOWS\SysNative\config\systemprofile\Searches deleted
"C:\windows\Installer\2a7bd.msi" deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\krwood03\AppData\Roaming\Mozilla\Firefox\Profiles\smbh5rr2.default
user_pref("browser.search.defaultenginename.US", "Google");

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"firefox@bho.com"="C:\Program Files\Hewlett-Packard\SimplePass\FFBHOExt" [08/30/2015 06:52 PM]

==== Firefox Extensions ======================

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\krwood03\AppData\Roaming\Mozilla\Firefox\Profiles\smbh5rr2.default
18CF51689186AEB9D1D149AEB0E92D03    - C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL -    Microsoft Office 2013
0C0C5C207121C7A78414A8250E8E099A    - C:\windows\SysWOW64\Adobe\Director\np32dsw_1204144.dll -    Shockwave for Director / Shockwave for Director


==== Chromium Look ======================


Chrome Hotword Shared Module - krwood03\AppData\Local\Chromium\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://my.xfinity.com/?cid=mtmh10172014"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://my.xfinity.com/?cid=mtmh10172014"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
{c9ab6446-7efc-47fe-966c-dc54324eff9f} Bing  Url="http://www.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=HPNTDFJS"

==== shortcuts on Users Desktops ======================

C:\Users\krwood03\Desktop\Naviextras Toolbox.lnk - C:\Program Files (x86)\Naviextras\Toolbox\toolbox.exe

==== shortcuts on All Users Desktop ======================

C:\Users\Public\Desktop\Adobe Reader XI.lnk - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe
C:\Users\Public\Desktop\Connected Drive.lnk - C:\Program Files (x86)\Hewlett-Packard\Shared\WizLink.exe C:\system.sav\util\HPCDDesktopIcon.exe
C:\Users\Public\Desktop\Connected Music.lnk - C:\Program Files (x86)\Hewlett-Packard\Shared\WizLink.exe C:\system.sav\util\HPCM\HPCMDesktopIcon.exe
C:\Users\Public\Desktop\Connected Photo.lnk - C:\system.sav\util\HPCPDesktopIcon.exe
C:\Users\Public\Desktop\Evernote.lnk - C:\Program Files (x86)\Evernote\Evernote\Evernote.exe
C:\Users\Public\Desktop\HP Smart Friend.lnk -  
C:\Users\Public\Desktop\Mozilla Firefox.lnk - C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Public\Desktop\Pinger.lnk - C:\Program Files (x86)\Pinger\Pinger.exe
C:\Users\Public\Desktop\Snapfish.lnk - C:\Program Files (x86)\Hewlett-Packard\Shared\WizLink.exe http://www.snapfish.com/hp_notebook_desktopicon_2014_us
C:\Users\Public\Desktop\WildTangent Games App - hp.lnk - C:\Program Files (x86)\WildTangent Games\App\GameConsole-wt.exe /src desktop /dp hpcnb2c14

==== shortcuts in Users Start Menu ======================

C:\Users\krwood03\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FarmVille 2.lnk - C:\Users\krwood03\AppData\Local\Pokki\Engine\ServiceHostApp.exe  /OPEN"34e8f5c0c9e5744bf2cdb514283762dd0524776b"
C:\Users\krwood03\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Naviextras\Naviextras Toolbox.lnk - C:\Program Files (x86)\Naviextras\Toolbox\toolbox.exe
C:\Users\krwood03\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Naviextras\Uninstall Toolbox.lnk - C:\Program Files (x86)\Naviextras\Toolbox\uninst.exe

==== shortcuts in All Users Start Menu ======================

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk - C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-AB0000000001}\SC_Reader.ico
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth.lnk - C:\Program Files (x86)\Google\Google Earth\client\googleearth.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk - C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Music, Photos and Videos\CyberLink Power Media Player 12.lnk - C:\Program Files (x86)\CyberLink\PowerDVD12\PDVDLaunchPolicy.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security and Protection\HP SimplePass.lnk - C:\Program Files\Hewlett-Packard\SimplePass\ClientCore.exe

==== shortcuts in Quick Launch ======================

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk -  
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk -  
C:\Users\krwood03\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\HP SimplePass.lnk - C:\Program Files (x86)\Hewlett-Packard\SimplePass\HPSmplPass.exe
C:\Users\krwood03\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk - C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\krwood03\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk -  
C:\Users\krwood03\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk -  
C:\Users\krwood03\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\AmazonShopping.lnk - C:\Program Files (x86)\Hewlett-Packard\Shared\WizLink.exe http://www.amazon.com/gp/bit/amazonbookmark.html?tag=hp2-desktop-us-20&partner=HP
C:\Users\krwood03\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Connected Drive.lnk - C:\Program Files (x86)\Hewlett-Packard\Shared\WizLink.exe C:\system.sav\util\HPCDDesktopIcon.exe
C:\Users\krwood03\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Dregol.lnk - C:\Users\krwood03\AppData\Local\Chromium\Application\chrome.exe
C:\Users\krwood03\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk -  
C:\Users\krwood03\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\HP Utility Center.lnk - C:\Program Files\Hewlett-Packard\HP Utility Center\HPUC.exe
C:\Users\krwood03\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk - C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\krwood03\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows.Defender.lnk -  

==== shortcuts After Repair ======================

C:\Users\Public\Desktop\Snapfish.lnk - C:\Program Files (x86)\Hewlett-Packard\Shared\WizLink.exe
C:\Users\krwood03\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\AmazonShopping.lnk - C:\Program Files (x86)\Hewlett-Packard\Shared\WizLink.exe

==== Reset IE Proxy ======================

Value(s) before fix:
"ProxyEnable"=dword:00000000

Value(s) after fix:
"ProxyEnable"=dword:00000000

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\2C0D8C2E79C150C439A9B5310AEF56C5 deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E2C8D0C2-1C97-4C05-939A-5B13A0FE655C} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\2C0D8C2E79C150C439A9B5310AEF56C5 deleted successfully

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\krwood03\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\krwood03\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\krwood03\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\krwood03\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

C:\Users\krwood03\AppData\Local\Mozilla\Firefox\Profiles\smbh5rr2.default\Cache emptied successfully
C:\Users\krwood03\AppData\Local\Mozilla\Firefox\Profiles\smbh5rr2.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

C:\Users\krwood03\AppData\Local\Chromium\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

No Java Cache Found

==== C:\zoek_backup content ======================

C:\zoek_backup (files=29 folders=88 79663390 bytes)

==== Empty Temp Folders ======================

C:\Users\Administrator\AppData\Local\Temp emptied successfully
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\krwood03\AppData\Local\Temp will be emptied at reboot
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\Users\krwood03\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on Sat 10/03/2015 at 15:50:28.12 ======================



#6 nasdaq

  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 04 October 2015 - 07:26 AM

2 desktop.ini files on my desktop.

These files are managed by the operating system. You should find an .ini file in each of your folders.
Nothing to worry about.

===

Execute this.
How to Clean the Notification Area Icon Cache in Windows 7 & Windows 8
http://www.7tutorials.com/how-clean-notification-area-icon-cache

===

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run from.
Copy & Paste contents of FSS.txt into your reply.

Let me know in a few words what problem you are having with IE and the Firewall.

#7 deskjockey

  • Topic Starter

Posted 04 October 2015 - 09:07 AM

Another family member needs to use the PC. I will respond to your IE and firewall questions when they are done. Here is the output of the service scanner.

Farbar Service Scanner Version: 26-07-2015
Ran by krwood03 (administrator) on 04-10-2015 at 09:23:33
Running from "C:\Users\krwood03\Desktop"
Microsoft Windows 8.1  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****



#8 deskjockey

  • Topic Starter

Posted 05 October 2015 - 10:16 AM

The firewall rules are not the default set of rules. There are advanced rules that appear to allow remote access into my PC. My PC is used for email, web surfing, etc. I am not using VPN or anything advanced like that.

https://goo.gl/photos/3KWiyk73ybu9KpGR6

https://goo.gl/photos/9ZqFZ7AuQHcMVssq6


IE has popups and is really slow. FF, which I just installed a few days ago, is also having similar issues. Using Proc Explorer I found DLL files that IE is using that cannot be certified by a trusted root authority. Screenshot below.

https://goo.gl/photos/gQPmRiBsQVv9kZHv8


I also found an HPSA_service.exe process that is running, and the certificates were explicitly revoked by the issuer for 2 DLL files.

https://goo.gl/photos/wqnStWGhFkTkDrNE8


I tried adding them as images to the post but they showed as broken links. I am using Google Photos; if there is a preferred hosting site to use, please let me know. I am still waiting for an imageshack validation email.



#9 nasdaq

  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 05 October 2015 - 01:39 PM

These are your FirewallRules.

Using the Farbar tool we can remove any one you wish. Just tell me which.

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{F7BF58EE-1B2C-4BD9-BF4B-DD2981911D1F}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{1007B9DD-02E0-4593-AEF6-9CB63C367710}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{CCD389FE-20E9-4752-88EE-5B5DB0431C10}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{FE2953DA-6E9D-4598-BD5D-FB61A254F9F9}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{107F9A16-C07B-4EE3-A5A7-B09E8AF26695}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{37F1371A-AD65-4883-9FD7-B1B1AB2DE6F0}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{370F0F31-744D-4019-A02D-E351D39F00A0}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDirector10\PDR10.EXE
FirewallRules: [{B98F13E9-011F-4F78-B4AE-9EC7D133187C}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\outlook.exe
FirewallRules: [{D73E7E02-FFCC-4E15-93D3-E692B291F80E}] => (Allow) C:\Users\krwood03\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
FirewallRules: [TCP Query User{91C93343-8965-481C-8CC8-DDD2C8F0DA44}C:\program files (x86)\internet explorer\iexplore.exe] => (Allow) C:\program files (x86)\internet explorer\iexplore.exe
FirewallRules: [UDP Query User{DB573BE7-944A-4696-9940-879830BF55B7}C:\program files (x86)\internet explorer\iexplore.exe] => (Allow) C:\program files (x86)\internet explorer\iexplore.exe
FirewallRules: [{D02C198B-6D5C-4B0F-9950-68BA39F73F8C}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPSOCKSVC.exe
FirewallRules: [{7EE4D4CE-B3E6-429A-906E-8379814CE4EC}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12.exe
FirewallRules: [{19210EF8-3712-4C49-B5B2-FFD7C8A877D2}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMR\PowerDVD12DMREngine.exe
FirewallRules: [{4C23B309-D751-41A5-BA13-AD72095F7C7C}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe
FirewallRules: [{2F3EBB80-FB55-423E-B1EF-F63501B6D605}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12Agent.exe
FirewallRules: [{100469DA-86D0-4131-B881-D196BF9440C6}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12ML.exe
FirewallRules: [{82DB3BBC-997F-4E87-A0E2-2C8E8347DB49}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Movie\PowerDVD.exe
FirewallRules: [{1B0F607C-6D56-4166-A269-6F161456F91B}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{CAA0B938-EE3F-44ED-AA3F-04879E4034E6}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{CFF23C1B-BAFB-4621-900E-79730ADE9124}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPDeviceDetection3.exe
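A small triage pass over a Farbar "FirewallRules:" listing like the one above, written as an added example for this thread (it is not code from the thread, from Farbar's tools or from BleepingComputer). The sample log, its GUIDs and the last two program paths are constructed; the parser handles both the `LPort=N` form and the program-path form shown in the listing, and flags Allow rules that are port-only or point outside the usual program directories.

```python
import re
from collections import defaultdict

# Constructed sample in the "FirewallRules:" format of the Farbar log above; GUIDs and the last two paths are made up.
SAMPLE_LOG = """\
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{11111111-2222-3333-4444-555555555555}] => (Allow) C:\\Program Files\\Bonjour\\mDNSResponder.exe
FirewallRules: [{66666666-7777-8888-9999-000000000000}] => (Allow) C:\\Program Files\\Bonjour\\mDNSResponder.exe
FirewallRules: [TCP Query User{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}C:\\program files (x86)\\internet explorer\\iexplore.exe] => (Allow) C:\\program files (x86)\\internet explorer\\iexplore.exe
FirewallRules: [{12345678-0000-0000-0000-000000000000}] => (Allow) C:\\Users\\someone\\AppData\\Local\\Temp\\updater.exe
FirewallRules: [{87654321-0000-0000-0000-000000000000}] => (Block) C:\\Program Files\\Example\\tool.exe
"""

# One rule per line: [name] => (Allow|Block) followed by either LPort=N or a program path.
RULE_RE = re.compile(r"^FirewallRules: \[(?P<name>.+?)\] => \((?P<action>Allow|Block)\) (?P<target>.+)$")

# Allow rules keyed on a bare port, or for programs outside these roots, are flagged for review.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # headers and unrelated log lines are skipped
        target = m.group("target")
        by_port = target.startswith("LPort=")
        rules.append({"name": m.group("name"), "action": m.group("action"),
                      "port": target[6:] if by_port else None,
                      "program": None if by_port else target})
    return rules

def triage(rules):
    findings = []
    for r in rules:
        if r["action"] != "Allow":
            continue  # Block rules do not open anything
        if r["port"] is not None:
            findings.append((r["name"], "allow by port only: LPort=" + r["port"]))
        elif not r["program"].lower().startswith(TRUSTED_ROOTS):
            findings.append((r["name"], "allow for program outside trusted roots: " + r["program"]))
    return findings

def duplicates(rules):
    # Group rule names by program so repeated entries (e.g. TCP and UDP pairs) stand out.
    by_prog = defaultdict(list)
    for r in rules:
        if r["program"]:
            by_prog[r["program"].lower()].append(r["name"])
    return {p: names for p, names in by_prog.items() if len(names) > 1}
```

Running `triage(parse_rules(SAMPLE_LOG))` on the constructed sample flags the port-139 rule and the rule for the executable under a user's Temp folder, while the Bonjour, Internet Explorer and Block entries pass.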



#10 deskjockey

  • Topic Starter

Posted 06 October 2015 - 12:04 PM

Hi Nasdaq,


I would like to reset my firewall to use the default set of firewall rules from Microsoft. I have tried to reset this via the Windows Firewall menu; however, no changes are made. I think my "default" firewall rules have been modified to always make my PC vulnerable to whatever malware/trojan/virus is on my system.

What do you make of the screenshots that I posted of IE using DLL files that can't be verified by a trusted root authority? Why are they allowed to be used by IE? Has my root certificate system somehow been modified to allow certificates that can NOT be verified by a trusted root authority (or explicitly revoked, as in the HPSA screenshot) to be used? How can I verify that my "trusted" root certificate system has not been compromised?

Thank you for your assistance.



#11 nasdaq

  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 06 October 2015 - 01:17 PM

Have you seen this page?

How to Restore Default Windows Firewall Settings in Windows 7 and Windows 8
http://www.sevenforums.com/tutorials/525-windows-firewall-restore-default-settings.html

To answer your questions: I cannot help. It's not caused by malware, not my forte.

You may find an answer in the Firewall Software and Hardware
http://www.bleepingcomputer.com/forums/f/222/firewall-software-and-hardware/

Start a new topic if you do not find what you are looking for.

I will leave this topic open for 6 days; if you need to return, please do.

#12 nasdaq

  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 12 October 2015 - 08:31 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
