TROJAN:WIN32/Peals.F!plock

My MSE says I have a virus called TROJAN:WIN32/Peals.F!plock.


But when I click the option to remove (or quarantine) it says it did it, but in the window under details it says "Error".

Then a short while later the MSE icon turns red again and says I have that virus back.

Can anybody help get rid of it permanently?

Dave

DonnaB

Malware Fighter
Member
Hi grasshoppr,

Please download Farbar Recovery Scan Tool and save it to your desktop. <<< Very Important!

Note: You will need to run the version compatible with your system. If you are not sure which version (32 or 64-bit) applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Make sure that FRST is on the desktop of the infected system
  • Right click and choose Run as administrator. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates a second log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

Please post the following logs in your next reply:

FRST.txt
Addition.txt


Thank you,
Donna :)

Yes!

Sorry it is taking so long, but I am helping a friend over the phone. The problem I posted is actually what he described to me over the phone. So I am trying to get him to read your post and follow your instructions. Unfortunately he was having trouble with the copy/paste instructions which is a process he was just a little rusty on. So I am having him send me the logs as an email attachment and I will copy paste them for him.

Pls wait until we get this all coordinated.
But yes! definitely . . . . . I still need your help.

Thanks

grasshopper

DonnaB

Malware Fighter
Member
Ok. :)

He is more than welcome to register as a member, unless of course he is close enough to where he could bring the computer to you.

He lives about 100 miles away. So it would be difficult to get his computer.

He is just unfamiliar with some of the functions and shortcuts of the software. Not from lack of ability, for sure. But just because he has not gotten any real training experience. Everything he knows is from being self-taught.

The problem with that method is that sometimes there are some basic things that can get overlooked because they never come up in the day to day experience of surfing the net. Like how to copy/paste.

Anyway, he's pretty bright and figures things out quickly once someone sort of guides him in the right direction.
The problem is that during the normal course of using a computer there doesn't seem to be anything that led him to where he had to copy/paste anything, so as accomplished as he is, that little detail was missing.

I have been led to believe that he doesn't want anything to do with signing in and posting on this site or any other for that matter. He's pretty strict in that regard.

We are trying to get you the logs by end of tomorrow (Friday).

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-04-2015
Ran by dave at 2015-04-22 14:58:41
Running from C:\Users\dave\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
AS: Microsoft Security Essentials (Enabled - Up to date) {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acrobat.com (HKLM-x32\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1.377 - Adobe Systems Incorporated)
Acrobat.com (x32 Version: 0.0.0 - Adobe Systems Incorporated) Hidden
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.0.4990 - Adobe Systems Inc.)
Adobe Flash Player 17 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 17.0.0.169 - Adobe Systems Incorporated)
Adobe Reader 9.5.5 (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-A95000000001}) (Version: 9.5.5 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{5D09C772-ECB3-442B-9CC6-B4341C78FDC2}) (Version: 2.3.4 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{8F473675-D702-45F9-8EBC-342B40C17BF5}) (Version: 3.4.0.25 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Bonjour (HKLM\...\{0E543634-7E25-4B8F-8D5B-97880E5E5088}) (Version: 2.0.5.0 - Apple Inc.)
Choice Guard (x32 Version: 1.2.87.0 - Microsoft Corporation) Hidden
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Conexant D850 PCI V.92 Modem (HKLM\...\CNXT_MODEM_PCI_HSF) (Version: 7.74.00 - Conexant)
Consumer In-Home Service Agreement (HKLM-x32\...\{F47C37A4-7189-430A-B81D-739FF8A7A554}) (Version: 2.0.0 - Dell Inc.)
Dell Dock (HKLM\...\{F6CB42B9-F033-4152-8813-FF11DA8E6A78}) (Version: 1.0.0 - Dell)
Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
Dell Getting Started Guide (HKLM-x32\...\{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}) (Version: 1.00.0000 - Dell Inc.)
Digital Line Detect (HKLM-x32\...\{E646DCF0-5A68-11D5-B229-002078017FBF}) (Version: 1.21 - BVRP Software, Inc)
EPSON NX110 Series Printer Uninstall (HKLM\...\EPSON NX110 Series) (Version: - SEIKO EPSON Corporation)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version: - )
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 42.0.2311.90 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: - Intel Corporation)
iTunes (HKLM\...\{16DDB3D1-5C27-4599-9C63-E583287191CC}) (Version: 10.2.2.12 - Apple Inc.)
Java(TM) 6 Update 13 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86416013FF}) (Version: 6.0.130 - Sun Microsystems, Inc.)
Java(TM) 6 Update 39 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216037FF}) (Version: 6.0.390 - Oracle)
Junk Mail filter update (x32 Version: 14.0.8050.1202 - Microsoft Corporation) Hidden
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Default Manager (HKLM-x32\...\{095B1DCF-5E8B-47EC-9B18-481918A731DB}) (Version: 2.0.69.0 - Microsoft Corporation)
Microsoft Office PowerPoint Viewer 2007 (English) (HKLM-x32\...\{95120000-00AF-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.7.205.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.31211.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Sync Framework Runtime Native v1.0 (x86) (HKLM-x32\...\{8A74E887-8F0F-4017-AF53-CBA42211AAA5}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Sync Framework Services Native v1.0 (x86) (HKLM-x32\...\{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Works (HKLM-x32\...\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}) (Version: 9.7.0621 - Microsoft Corporation)
Modem Diagnostic Tool (HKLM\...\{0335701D-8E28-4A7F-B0EF-312974755BB2}) (Version: 1.0.24.0 - Dell)
MSXML 4.0 SP2 (KB927978) (HKLM-x32\...\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}) (Version: 4.20.9841.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
OLYMPUS Digital Camera Updater (HKLM-x32\...\{2A9E8F56-C31B-4DBB-BFE2-0F4EC8192355}) (Version: 1.0.3 - OLYMPUS IMAGING CORP.)
OLYMPUS Viewer 2 (HKLM-x32\...\{797808CA-1563-4EA0-A280-1371AC2F2310}) (Version: 1.3.0 - OLYMPUS IMAGING CORP.)
PowerDVD (HKLM-x32\...\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version: 8.1 - Dell)
QuickTime (HKLM-x32\...\{B67BAFBA-4C9F-48FA-9496-933E3B255044}) (Version: 7.74.80.86 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5780 - Realtek Semiconductor Corp.)
Roxio Creator DE (HKLM-x32\...\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}) (Version: 10.1 - Roxio)
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Skype™ 7.0 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.0.102 - Skype Technologies S.A.)
Spelling Dictionaries Support For Adobe Reader 9 (HKLM-x32\...\{AC76BA86-7AD7-5464-3428-900000000004}) (Version: 9.0.0 - Adobe Systems Incorporated)
Windows Driver Package - OLYMPUS IMAGING CORP. Camera Communication Driver Package (09/09/2009 1.0.0.0) (HKLM\...\2C1C2F29FADF39F533CEEE67B90F07A5306A4BDB) (Version: 09/09/2009 1.0.0.0 - OLYMPUS IMAGING CORP.)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite_Wave3) (Version: 14.0.8050.1202 - Microsoft Corporation)
Windows Live Sign-in Assistant (HKLM-x32\...\{9422C8EA-B0C6-4197-B8FC-DC797658CA00}) (Version: 5.000.818.6 - Microsoft Corporation)
Windows Live Sync (HKLM-x32\...\{FDD810CA-D5E3-40E9-AB7B-36440B0D41EF}) (Version: 14.0.8050.1202 - Microsoft Corporation)
Windows Live Upload Tool (HKLM-x32\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)
WOT for Internet Explorer (HKLM\...\{DCAEC601-735C-41AE-B84F-D792F09FB7D1}) (Version: 12.8.2.0 - WOT Services Oy)
Yahoo! Software Update (HKLM-x32\...\Yahoo! Software Update) (Version: - )

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points =========================

20-01-2015 10:37:48 Windows Update
21-01-2015 06:47:24 Windows Update
21-01-2015 07:28:03 Windows Update
23-01-2015 15:08:30 Scheduled Checkpoint
25-01-2015 10:53:45 Windows Update
29-01-2015 08:12:40 Windows Update
01-02-2015 21:34:00 Windows Update
04-02-2015 21:47:39 Windows Update
10-02-2015 16:14:17 Windows Update
11-02-2015 21:03:00 Windows Update
14-02-2015 11:47:41 Windows Update
19-02-2015 08:00:12 Windows Update
22-02-2015 12:40:52 Windows Update
25-02-2015 16:41:09 Windows Update
01-03-2015 11:11:20 Windows Update
01-03-2015 11:19:34 Windows Update
05-03-2015 14:10:15 Windows Update
06-03-2015 10:20:29 Scheduled Checkpoint
09-03-2015 21:04:07 Windows Update
11-03-2015 06:20:56 Windows Update
12-03-2015 15:27:54 Windows Update
17-03-2015 11:51:30 Windows Update
20-03-2015 20:17:08 Windows Update
24-03-2015 13:54:31 Windows Update
28-03-2015 12:02:17 Windows Update
02-04-2015 15:13:55 Windows Update
04-04-2015 12:30:05 Scheduled Checkpoint
05-04-2015 19:11:38 Windows Update
09-04-2015 17:10:53 Windows Update
15-04-2015 16:00:58 Windows Update
16-04-2015 03:00:26 Windows Update
19-04-2015 08:55:41 Windows Update
21-04-2015 15:54:51 Scheduled Checkpoint
22-04-2015 14:52:59 Scheduled Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 05:34 - 2006-09-18 14:37 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 localhost
::1 localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {62377779-7621-4CF9-A17E-F5FC9541F891} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-12-04] (Google Inc.)
Task: {66724CD6-243D-40B6-B51A-B61E1EFEE2A7} - System32\Tasks\Optimizer Pro Schedule => C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe <==== ATTENTION
Task: {7B4D4E60-6925-45EC-8D89-4041255594D1} - System32\Tasks\{E3564B12-944F-4F2D-96DD-FFD74BA12EDB} => C:\Program Files (x86)\Skype\\Phone\Skype.exe [2014-12-11] (Skype Technologies S.A.)
Task: {91A11F37-EF25-41C7-8CC1-3E69FA52560C} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe
Task: {AC0B6118-2F55-412C-AD89-4353594A562B} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {AF266DFC-E3B4-4790-8E1F-2AE46806502A} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-04-15] (Adobe Systems Incorporated)
Task: {F096C9A6-2AE4-46A7-8A34-0FA15BB37524} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-12-04] (Google Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) ==============

2010-12-21 13:47 - 2009-04-11 00:11 - 00732160 _____ () c:\windows\system32\rpcss.dll
2013-04-21 22:44 - 2013-04-21 22:44 - 00087952 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2013-04-21 22:44 - 2013-04-21 22:44 - 01242952 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2015-04-18 14:20 - 2015-04-13 14:55 - 14980424 _____ () C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.90\PepperFlash\pepflashplayer.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Users\dave\Local Settings:init
AlternateDataStreams: C:\Users\dave\AppData\Local:init
AlternateDataStreams: C:\Users\dave\AppData\Local\Application Data:init

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, the associated entry will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4147425092-1161352190-3810661310-1000\Control Panel\Desktop\\Wallpaper -> c:\windows\web\wallpaper\Dellwall1.jpg
DNS Servers: 192.168.1.254

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== Accounts: =============================

Administrator (S-1-5-21-4147425092-1161352190-3810661310-500 - Administrator - Disabled)
dave (S-1-5-21-4147425092-1161352190-3810661310-1000 - Administrator - Enabled) => C:\Users\dave
Guest (S-1-5-21-4147425092-1161352190-3810661310-501 - Limited - Disabled)

==================== Faulty Device Manager Devices =============

Name: 6TO4 Adapter
Description: Microsoft 6to4 Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Tun Miniport Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunmp
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (04/22/2015 01:42:31 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/22/2015 01:29:25 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program chrome.exe version 42.0.2311.90 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 12b0
Start Time: 01d07d3af1412d7e
Termination Time: 7

Error: (04/22/2015 01:27:17 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program chrome.exe version 42.0.2311.90 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: bb4
Start Time: 01d07d3a15e1b15e
Termination Time: 14

Error: (04/22/2015 01:14:47 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/22/2015 07:11:22 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/21/2015 09:05:19 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/21/2015 00:52:27 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/21/2015 09:18:02 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program AcroRd32.exe version 9.5.5.316 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: f98
Start Time: 01d07c4e4d79f3b7
Termination Time: 0

Error: (04/21/2015 09:05:44 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/20/2015 08:49:33 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program chrome.exe version 42.0.2311.90 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: b18
Start Time: 01d07be6088bf879
Termination Time: 7


System errors:
=============
Error: (04/22/2015 01:42:08 PM) (Source: Microsoft Antimalware) (EventID: 1119) (User: )
Description: %Trojan:Win32/Peals.F!plock60 has encountered a critical error when taking action on malware or other potentially unwanted software.

For more information please see the following:
%Trojan:Win32/Peals.F!plock603

Name: Trojan:Win32/Peals.F!plock

ID: 2147691764

Severity: %Trojan:Win32/Peals.F!plock600

Category: %Trojan:Win32/Peals.F!plock602

Path: 4.7.0205.02

Detection Origin: 4.7.0205.04

Detection Type: 4.7.0205.08

Detection Source: %Trojan:Win32/Peals.F!plock608

User: {739367E0-0017-40D9-B81F-D873CE37D1AE}9

Process Name: %Trojan:Win32/Peals.F!plock609

Action: {739367E0-0017-40D9-B81F-D873CE37D1AE}1

Action Status: {739367E0-0017-40D9-B81F-D873CE37D1AE}8

Error Code: {739367E0-0017-40D9-B81F-D873CE37D1AE}3

Error description: {739367E0-0017-40D9-B81F-D873CE37D1AE}4

Signature Version: 2015-04-22T20:41:42.911Z1

Engine Version: 2015-04-22T20:41:42.911Z2

Error: (04/22/2015 01:39:46 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Cryptographic Services%%1053

Error: (04/22/2015 01:39:46 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: 30000Cryptographic Services

Error: (04/22/2015 01:39:16 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Remote Access Connection ManagerTelephony%%1053

Error: (04/22/2015 01:39:16 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Telephony%%1053

Error: (04/22/2015 01:39:16 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: 30000Telephony

Error: (04/22/2015 01:38:49 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: 30000Spooler

Error: (04/22/2015 01:38:46 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Cryptographic Services%%1053

Error: (04/22/2015 01:38:46 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: 30000Cryptographic Services

Error: (04/22/2015 01:38:16 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Cryptographic Services%%1053


Microsoft Office Sessions:
=========================
Error: (04/22/2015 01:42:31 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/22/2015 01:29:25 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: chrome.exe42.0.2311.9012b001d07d3af1412d7e7

Error: (04/22/2015 01:27:17 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: chrome.exe42.0.2311.90bb401d07d3a15e1b15e14

Error: (04/22/2015 01:14:47 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/22/2015 07:11:22 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/21/2015 09:05:19 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/21/2015 00:52:27 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/21/2015 09:18:02 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: AcroRd32.exe9.5.5.316f9801d07c4e4d79f3b70

Error: (04/21/2015 09:05:44 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/20/2015 08:49:33 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: chrome.exe42.0.2311.90b1801d07be6088bf8797


CodeIntegrity Errors:
===================================
Date: 2015-04-21 15:03:07.291
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-21 15:03:06.932
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-21 15:03:06.589
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-21 15:03:06.229
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-21 15:03:05.433
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-21 15:03:05.074
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-21 15:03:04.731
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-21 15:03:04.356
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-04-21 14:38:59.263
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\fveapi.dll because the set of per-page image hashes could not be found on the system.

Date: 2015-04-21 14:38:58.920
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\fveapi.dll because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Pentium(R) Dual-Core CPU E5200 @ 2.50GHz
Percentage of memory in use: 53%
Total physical RAM: 4060.14 MB
Available physical RAM: 1905.91 MB
Total Pagefile: 8343.55 MB
Available Pagefile: 6302.91 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:581.48 GB) (Free:439.91 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:7.94 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 596.2 GB) (Disk ID: 860D70AB)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Not Active) - (Size=14.6 GB) - (Type=07 NTFS)
Partition 3: (Active) - (Size=581.5 GB) - (Type=07 NTFS)

==================== End Of Log ============================
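An added triage helper (example code, not FRST's own tooling and not something posted in this thread) for lines in the shape of the Task: entries in the Addition.txt above and the HKLM/HKU Run: entries FRST.txt lists: it flags entries that FRST itself marks <==== ATTENTION, entries for which FRST recorded no publisher or version info, and entries that launch from a user-writable location such as AppData or Temp. The sample log is constructed from a handful of lines in this thread; the reason strings, regexes and helper names are my own.

```python
"""Triage FRST "Task:" and "Run:" lines and list the entries worth a second look.

Added example, not FRST code. Three signals, all defensive in nature:
  * FRST's own "<==== ATTENTION" marker at the end of a line,
  * no "[size date] (Publisher)" trailer, i.e. FRST could not read version
    info for the target (file missing, or no company name to show),
  * a target that runs from a user-writable location (AppData, Temp).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ATTENTION = "<==== ATTENTION"  # marker FRST appends to entries it does not trust
# Optional "[size date]" and "(Publisher)" trailer FRST prints after the target path.
TRAILER_RE = re.compile(
    r"^(?P<target>.*?)(?: \[(?P<meta>[^\]]*)\])?(?: \((?P<publisher>[^)]*)\))?$"
)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\", re.IGNORECASE)

R_ATTENTION = "marked <==== ATTENTION by FRST"
R_NO_PUBLISHER = "no publisher/version info recorded (file missing or unverified)"
R_USER_PATH = "runs from a user-writable location (AppData/Temp)"

# Constructed sample: six lines modelled on the logs in this thread, not the full log.
SAMPLE_LOG = r"""
Task: {66724CD6-243D-40B6-B51A-B61E1EFEE2A7} - System32\Tasks\Optimizer Pro Schedule => C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe <==== ATTENTION
Task: {91A11F37-EF25-41C7-8CC1-3E69FA52560C} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe
Task: {62377779-7621-4CF9-A17E-F5FC9541F891} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-12-04] (Google Inc.)
HKLM\...\Run: [Skytel] => C:\Program Files\Realtek\Audio\HDA\Skytel.exe
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1332296 2015-01-30] (Microsoft Corporation)
HKU\S-1-5-21-4147425092-1161352190-3810661310-1000\...\Run: [PennyBee] => C:\Users\dave\AppData\Local\PennyBee\PennyBeeW.exe
"""


@dataclass
class Entry:
    kind: str            # "Task" or "Run"
    name: str            # task name or Run value name
    target: str          # command/path FRST recorded after "=>"
    publisher: Optional[str]
    attention: bool


@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one FRST Task/Run line; return None for lines of any other shape."""
    line = line.strip()
    if " => " not in line:
        return None
    left, right = line.split(" => ", 1)
    if left.startswith("Task: "):
        kind, name = "Task", left.split("\\")[-1]          # ...\Tasks\<name>
    else:
        m = re.search(r"\\Run: \[(.*)\]$", left)            # HKLM\...\Run: [<name>]
        if not m:
            return None
        kind, name = "Run", m.group(1)
    attention = right.endswith(ATTENTION)
    if attention:
        right = right[: -len(ATTENTION)].rstrip()
    t = TRAILER_RE.match(right)                             # always matches: all groups optional
    return Entry(kind, name, t.group("target"), t.group("publisher"), attention)


def triage(log_text: str) -> List[Finding]:
    """Return the entries that deserve a closer look, each with the reasons why."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = []
        if entry.attention:
            reasons.append(R_ATTENTION)
        if not entry.publisher:           # None (no trailer) or "" (empty company name)
            reasons.append(R_NO_PUBLISHER)
        if USER_WRITABLE_RE.search(entry.target):
            reasons.append(R_USER_PATH)
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.kind:4} {f.entry.name!r:28} -> {f.entry.target}")
        for r in f.reasons:
            print(f"      - {r}")
```

Entries with a publisher that launch from Program Files (GoogleUpdate, msseces) are not listed; the four remaining ones match what the helper in the thread singled out for a fix.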

DonnaB

Malware Fighter
Member
Ok. That's not going to work. I can view the log in my email notification but it is not displaying correctly on the forum. See if you can delete your post above and attach the file after saving it to the desktop of your computer.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 20-04-2015
Ran by dave (administrator) on DAVE-PC on 22-04-2015 18:40:35
Running from C:\Users\dave\Desktop
Loaded Profiles: dave (Available profiles: dave)
Platform: Windows Vista (TM) Home Premium Service Pack 2 (X64) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Geeks to Go Forum

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Stardock Corporation) C:\Program Files\Dell\DellDock\DockLogin.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
(Alcatel-Lucent) C:\Program Files (x86)\Common Files\Motive\pcCMService.exe
(Alcatel-Lucent) C:\Program Files\Common Files\Motive\pcCMService.exe
(Conexant Systems, Inc.) C:\Windows\System32\drivers\XAudio64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Yahoo! Inc.) C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1584184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [6963744 2009-03-04] (Realtek Semiconductor)
HKLM\...\Run: [Skytel] => C:\Program Files\Realtek\Audio\HDA\Skytel.exe
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1332296 2015-01-30] (Microsoft Corporation)
HKLM-x32\...\Run: [PDVDDXSrv] => C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [128296 2008-05-23] (CyberLink Corp.)
HKLM-x32\...\Run: [Microsoft Default Manager] => C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [250192 2009-04-24] (Microsoft Corporation)
HKLM-x32\...\Run: [mcui_exe] => "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [421160 2011-04-14] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-4147425092-1161352190-3810661310-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\S-1-5-21-4147425092-1161352190-3810661310-1000\...\Run: [EPSON NX110 Series] => C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIFBA.EXE [223232 2008-09-26] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-4147425092-1161352190-3810661310-1000\...\Run: [731C174AC52A506918168B6EF4F6B9556AD48452._service_run] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [812872 2015-04-13] (Google Inc.)
HKU\S-1-5-21-4147425092-1161352190-3810661310-1000\...\Run: [PennyBee] => C:\Users\dave\AppData\Local\PennyBee\PennyBeeW.exe
HKU\S-1-5-21-4147425092-1161352190-3810661310-1000\...\Run: [WMPNSCFG] => C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
HKU\S-1-5-18\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\system32\Macromed\Flash\FlashUtil64_16_0_0_305_ActiveX.exe -update activex
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2009-07-22]
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2009-07-22]
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-4147425092-1161352190-3810661310-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = msn
HKU\S-1-5-21-4147425092-1161352190-3810661310-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = msn
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL =
SearchScopes: HKU\S-1-5-21-4147425092-1161352190-3810661310-1000 -> DefaultScope {B0B39825-EDE9-4871-B8E3-5B41F0855369} URL = http://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ggbc_14_49_other_na01&cd=2XzuyEtN2Y1L1QzutDtDtByDyCyEtDtA0AzytCyEzyzyyD0BtN0D0Tzu0StCtDyBtCtN1L2XzutAtFyCtFtCtDtFtCtDtN1L1CzutCyEtBzytDyD1V1BtN1L1G1B1V1N2Y1L1Qzu2SyB0D0EzyzyyC0FzytG0EyCyBzytG0AyEyB0EtG0ByB0BtCtGyB0F0D0D0C0D0D0F0AtCtDtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBzyzyyC0C0FtCtBtGtCzytB0AtGyEyB0EzytG0B0CtC0AtG0C0EyE0DyDtBtCyDyEyCyC0C2Q&cr=492562483&ir=
SearchScopes: HKU\S-1-5-21-4147425092-1161352190-3810661310-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-4147425092-1161352190-3810661310-1000 -> {B0B39825-EDE9-4871-B8E3-5B41F0855369} URL = http://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ggbc_14_49_other_na01&cd=2XzuyEtN2Y1L1QzutDtDtByDyCyEtDtA0AzytCyEzyzyyD0BtN0D0Tzu0StCtDyBtCtN1L2XzutAtFyCtFtCtDtFtCtDtN1L1CzutCyEtBzytDyD1V1BtN1L1G1B1V1N2Y1L1Qzu2SyB0D0EzyzyyC0FzytG0EyCyBzytG0AyEyB0EtG0ByB0BtCtGyB0F0D0D0C0D0D0F0AtCtDtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBzyzyyC0C0FtCtBtGtCzytB0AtGyEyB0EzytG0B0CtC0AtG0C0EyE0DyDtBtCyDyEyCyC0C2Q&cr=492562483&ir=
SearchScopes: HKU\S-1-5-21-4147425092-1161352190-3810661310-1000 -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = https://www.google.com/search?q={searchTerms}
BHO: McAfee Phishing Filter -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> c:\PROGRA~1\mcafee\msk\MSKAPB~1.DLL No File
BHO: WOT Helper -> {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} -> C:\Program Files\WOT\WOT.dll [2012-08-02] ()
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-22] (Sun Microsystems, Inc.)
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre6\bin\ssv.dll [2013-01-15] (Sun Microsystems, Inc.)
BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17] (Microsoft Corporation)
Toolbar: HKLM - WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll [2012-08-02] ()
Toolbar: HKLM-x32 - WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll No File
Toolbar: HKU\S-1-5-21-4147425092-1161352190-3810661310-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
Toolbar: HKU\S-1-5-21-4147425092-1161352190-3810661310-1000 -> WOT - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll [2012-08-02] ()
DPF: HKLM-x32 {E0FEE963-BB53-4215-81AD-B28C77384644} https://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller64.cab
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll [2008-12-02] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll [2008-12-02] (Microsoft Corporation)
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll [2012-08-02] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

FireFox:
========
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2011-04-14] ()
FF Plugin-x32: @java.com/DTPlugin,version=1.6.0_39 -> C:\Windows\SysWOW64\npdeployJava1.dll [2013-01-15] (Sun Microsystems, Inc.)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll [2013-01-15] (Sun Microsystems, Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll [2014-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8051.1204 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2008-12-04] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin-x32: @Motive.com/NpMotive,version=1.0 -> C:\Program Files (x86)\Common Files\Motive\npMotive.dll [2010-04-30] (Alcatel-Lucent)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll [2013-05-08] (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-04-24]
FF HKLM-x32\...\Thunderbird\Extensions: [[email protected]] - C:\Program Files\McAfee\MSK

Chrome:
=======
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3326235&octid=EB_ORIGINAL_CTID&ISID=M761BEBB4-9A5D-4CEB-8EC0-8E10B8CE36CC&SearchSource=55&CUI=&UM=6&UP=SP61BB1358-C5E5-4C13-9A3E-ACD76727AAA2&SSPV=
CHR StartupUrls: Default -> "hxxp://Vosteran.com/?f=7&a=vst_ggbc_14_49_other_na01&cd=2XzuyEtN2Y1L1QzutDtDtByDyCyEtDtA0AzytCyEzyzyyD0BtN0D0Tzu0StCtDyBtCtN1L2XzutAtFyCtFtCtDtFtCtDtN1L1CzutCyEtBzytDyD1V1BtN1L1G1B1V1N2Y1L1Qzu2SyB0D0EzyzyyC0FzytG0EyCyBzytG0AyEyB0EtG0ByB0BtCtGyB0F0D0D0C0D0D0F0AtCtDtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBzyzyyC0C0FtCtBtGtCzytB0AtGyEyB0EzytG0B0CtC0AtG0C0EyE0DyDtBtCyDyEyCyC0C2Q&cr=492562483&ir="
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\dave\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (V9.0 Flixtor 1.1) - C:\Users\dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\bldlebdchfchnclgjhehlijjdeagejfh [2014-07-31]
CHR Extension: (Bookmark Manager) - C:\Users\dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-04-21]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-13]
CHR Extension: (Google Wallet) - C:\Users\dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-12-18]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 DcomLaunch; C:\Windows\system32\rpcss.dll [732160 2009-04-11] () [File not signed]
R2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [155648 2008-12-18] (Stardock Corporation) [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2015-01-30] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366512 2015-01-30] (Microsoft Corporation)
R2 pcCMService; C:\Program Files (x86)\Common Files\Motive\pcCMService.exe [361472 2012-07-06] (Alcatel-Lucent) [File not signed]
R2 pcCMService64; C:\Program Files\Common Files\Motive\pcCMService.exe [441344 2012-07-06] (Alcatel-Lucent) [File not signed]
R2 RpcSs; C:\Windows\system32\rpcss.dll [732160 2009-04-11] () [File not signed]
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [383544 2008-01-20] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [274696 2014-11-15] (Microsoft Corporation)
S3 MREMP50; C:\Program Files (x86)\Common Files\Motive\MREMP50.sys [21248 2010-04-30] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MRESP50; C:\Program Files (x86)\Common Files\Motive\MRESP50.sys [20096 2010-04-30] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
R1 netfilter64; C:\Windows\System32\drivers\netfilter64.sys [56528 2014-11-19] (NetFilterSDK.com)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124560 2014-11-15] (Microsoft Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== Three Months Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-22 14:58 - 2015-04-22 18:40 - 00015640 _____ () C:\Users\dave\Desktop\FRST.txt
2015-04-22 14:58 - 2015-04-22 14:58 - 00026336 _____ () C:\Users\dave\Desktop\Addition.txt
2015-04-21 13:14 - 2015-04-22 18:40 - 00000000 ____D () C:\FRST
2015-04-21 13:12 - 2015-04-21 13:12 - 02099712 _____ (Farbar) C:\Users\dave\Desktop\FRST64.exe
2015-04-21 12:59 - 2015-04-21 12:59 - 00000000 _____ () C:\Users\dave\Sti_Trace.log
2015-04-20 19:07 - 2015-04-20 19:07 - 00000053 _____ () C:\Users\dave\Desktop\Windows Vista Forums.url
2015-04-19 18:11 - 2015-04-19 18:11 - 532281938 _____ () C:\Users\dave\Desktop\myregistrybackup.reg
2015-04-16 03:14 - 2015-03-04 19:25 - 00304128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2015-04-16 03:14 - 2015-03-04 18:58 - 00390144 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2015-04-16 03:13 - 2015-03-13 19:22 - 01585248 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-04-16 03:13 - 2015-03-13 19:22 - 01168080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2015-04-16 03:13 - 2015-03-12 18:44 - 04691384 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-04-16 03:13 - 2015-03-12 18:44 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2015-04-16 03:13 - 2015-03-12 18:44 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2015-04-16 03:13 - 2015-03-12 18:30 - 00301568 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2015-04-16 03:13 - 2015-03-12 18:30 - 00234496 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2015-04-16 03:13 - 2015-03-12 18:30 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2015-04-16 03:13 - 2015-03-12 18:30 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2015-04-16 03:13 - 2015-03-12 17:08 - 00026112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2015-04-16 03:13 - 2015-03-12 17:08 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2015-04-16 03:13 - 2015-03-12 17:08 - 00002560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2015-04-16 03:09 - 2015-04-16 03:09 - 00000000 ___RD () C:\Program Files (x86)\Skype
2015-04-16 03:09 - 2015-04-16 03:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2015-04-16 03:02 - 2015-03-04 19:23 - 00057344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\clfsw32.dll
2015-04-16 03:02 - 2015-03-04 19:14 - 00360384 _____ (Microsoft Corporation) C:\Windows\system32\clfs.sys
2015-04-16 03:02 - 2015-03-04 18:58 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\clfsw32.dll
2015-04-16 03:01 - 2015-03-08 18:01 - 01249280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2015-04-16 03:01 - 2015-03-08 17:40 - 01869824 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2015-04-15 15:53 - 2015-03-09 17:31 - 17882112 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-04-15 15:53 - 2015-03-09 17:19 - 02339840 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-04-15 15:53 - 2015-03-09 17:19 - 00448512 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-04-15 15:53 - 2015-03-09 17:18 - 10931200 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-04-15 15:53 - 2015-03-09 17:14 - 01392128 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-04-15 15:53 - 2015-03-09 17:14 - 01388032 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-04-15 15:53 - 2015-03-09 17:13 - 02157568 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-04-15 15:53 - 2015-03-09 17:13 - 01494016 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-04-15 15:53 - 2015-03-09 17:13 - 00816640 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-04-15 15:53 - 2015-03-09 17:13 - 00729088 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-04-15 15:53 - 2015-03-09 17:13 - 00598528 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-04-15 15:53 - 2015-03-09 17:13 - 00237056 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2015-04-15 15:53 - 2015-03-09 17:13 - 00173056 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-04-15 15:53 - 2015-03-09 17:13 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-04-15 15:53 - 2015-03-09 17:12 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-04-15 15:53 - 2015-03-09 17:12 - 00453120 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-04-15 15:53 - 2015-03-09 17:12 - 00282112 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-04-15 15:53 - 2015-03-09 17:12 - 00248320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-04-15 15:53 - 2015-03-09 17:12 - 00096768 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-04-15 15:53 - 2015-03-09 17:12 - 00055296 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2015-04-15 15:53 - 2015-03-09 17:12 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2015-04-15 15:53 - 2015-03-09 17:12 - 00011264 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2015-04-15 15:53 - 2015-03-09 16:06 - 12377600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-04-15 15:53 - 2015-03-09 16:03 - 00367104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2015-04-15 15:53 - 2015-03-09 16:02 - 01810944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-04-15 15:53 - 2015-03-09 16:00 - 09747968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-04-15 15:53 - 2015-03-09 15:57 - 01139200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-04-15 15:53 - 2015-03-09 15:57 - 01129472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-04-15 15:53 - 2015-03-09 15:56 - 01803264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-04-15 15:53 - 2015-03-09 15:56 - 01427968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-04-15 15:53 - 2015-03-09 15:56 - 00717824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-04-15 15:53 - 2015-03-09 15:56 - 00421376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-04-15 15:53 - 2015-03-09 15:56 - 00231936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2015-04-15 15:53 - 2015-03-09 15:56 - 00065024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-04-15 15:53 - 2015-03-09 15:55 - 02382848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-04-15 15:53 - 2015-03-09 15:55 - 00607744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-04-15 15:53 - 2015-03-09 15:55 - 00353792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-04-15 15:53 - 2015-03-09 15:55 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-04-15 15:53 - 2015-03-09 15:55 - 00176640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-04-15 15:53 - 2015-03-09 15:55 - 00142848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-04-15 15:53 - 2015-03-09 15:55 - 00073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-04-15 15:53 - 2015-03-09 15:55 - 00041472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2015-04-15 15:53 - 2015-03-09 15:55 - 00011776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
2015-04-15 15:53 - 2015-03-09 15:55 - 00010752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2015-03-12 15:40 - 2015-02-19 19:03 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2015-03-12 15:40 - 2015-02-19 18:44 - 00048128 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2015-03-12 15:40 - 2015-02-19 17:39 - 00372224 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2015-03-12 15:40 - 2015-02-19 17:28 - 00296960 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2015-03-11 06:49 - 2014-10-12 18:12 - 02264064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2015-03-11 06:49 - 2014-10-12 17:56 - 03137536 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2015-03-11 06:48 - 2015-01-28 18:35 - 00975360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2015-03-11 06:48 - 2015-01-28 18:33 - 01209856 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2015-03-11 06:47 - 2015-02-25 17:31 - 02792960 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-03-11 06:47 - 2015-01-20 19:02 - 00807936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msctf.dll
2015-03-11 06:47 - 2015-01-20 18:42 - 01040896 _____ (Microsoft Corporation) C:\Windows\system32\msctf.dll
2015-03-11 06:46 - 2015-02-17 19:02 - 11587584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2015-03-11 06:46 - 2015-02-17 18:42 - 12899840 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2015-03-11 06:30 - 2015-01-28 18:35 - 00369664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll
2015-03-11 06:30 - 2015-01-28 18:33 - 00449024 _____ (Microsoft Corporation) C:\Windows\system32\WMPhoto.dll
2015-03-11 06:29 - 2015-01-08 18:41 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-03-11 06:29 - 2015-01-08 17:29 - 00075264 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-03-11 06:23 - 2015-03-05 21:01 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-03-11 06:23 - 2015-03-05 20:35 - 00347136 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-02-24 14:34 - 2015-04-20 06:36 - 00000468 _____ () C:\Users\dave\Desktop\Oceanside, CA 10 Day Weather Forecast - weather.com.website
2015-02-11 21:35 - 2014-12-07 18:59 - 00306176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scesrv.dll
2015-02-11 21:35 - 2014-12-07 18:37 - 00399360 _____ (Microsoft Corporation) C:\Windows\system32\scesrv.dll
2015-02-11 21:34 - 2014-11-25 19:05 - 00564224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2015-02-11 21:34 - 2014-11-25 18:42 - 00847360 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2015-02-11 21:29 - 2015-01-14 23:53 - 00077312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-02-11 21:29 - 2015-01-14 21:08 - 00516536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-02-04 12:23 - 2015-02-04 12:23 - 00875688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcr120_clr0400.dll
2015-02-04 12:13 - 2015-02-04 12:13 - 00869536 _____ (Microsoft Corporation) C:\Windows\system32\msvcr120_clr0400.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-22 18:38 - 2014-09-05 19:56 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-04-22 18:19 - 2014-12-04 15:08 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-04-22 18:11 - 2009-07-22 15:42 - 01809422 _____ () C:\Windows\WindowsUpdate.log
2015-04-22 18:08 - 2014-12-04 15:08 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-22 18:08 - 2006-11-02 08:42 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-22 18:08 - 2006-11-02 08:22 - 00003616 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-22 18:08 - 2006-11-02 08:22 - 00003616 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-22 16:34 - 2006-11-02 08:42 - 00032546 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-04-22 15:57 - 2013-08-24 06:24 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-04-22 13:28 - 2012-04-21 15:43 - 00000489 _____ () C:\Users\dave\Desktop\ESPN.com.website
2015-04-21 21:29 - 2011-09-14 14:05 - 00003678 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{09130A64-EC41-4E6D-B01F-A3CA201FD816}
2015-04-21 12:59 - 2010-12-20 10:32 - 00000000 ____D () C:\Users\dave
2015-04-16 19:21 - 2010-12-30 16:25 - 00007052 _____ () C:\Users\dave\AppData\Local\d3d9caps.dat
2015-04-16 03:11 - 2014-02-26 14:55 - 00752894 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2015-04-16 03:10 - 2006-11-02 05:46 - 00752894 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-16 03:09 - 2014-06-28 13:46 - 00001890 _____ () C:\Users\Public\Desktop\Skype.lnk
2015-04-16 03:09 - 2013-08-16 06:42 - 00000000 ____D () C:\Windows\system32\MRT
2015-04-16 03:09 - 2010-12-20 14:42 - 00000000 ____D () C:\ProgramData\Skype
2015-04-16 03:02 - 2006-11-02 05:35 - 128913832 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2015-04-15 15:57 - 2013-08-24 06:24 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-04-15 15:57 - 2013-08-24 06:24 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-04-15 15:57 - 2013-08-24 06:24 - 00003682 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-04-14 15:19 - 2013-04-27 12:45 - 00000488 _____ () C:\Users\dave\Desktop\San Diego Chargers.website
2015-04-03 05:54 - 2013-12-15 21:51 - 00000552 _____ () C:\Users\dave\Desktop\5-Day Forecast for Oceanside, California - FastWeather.com.website
2015-03-24 21:21 - 2013-12-15 21:49 - 00000550 _____ () C:\Users\dave\Desktop\Oceanside Weather Forecasts Maps News - Yahoo! Weather.website

==================== Files in the root of some directories =======

2014-11-16 10:42 - 2014-11-16 10:42 - 6000640 _____ () C:\Program Files (x86)\GUT4DD2.tmp
2010-12-30 16:25 - 2015-04-16 19:21 - 0007052 _____ () C:\Users\dave\AppData\Local\d3d9caps.dat
2011-08-01 20:17 - 2014-09-18 07:09 - 0018944 _____ () C:\Users\dave\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-07-27 12:47 - 2014-07-27 12:49 - 0437440 _____ () C:\Users\dave\AppData\Local\dd_vcredistMSI3629.txt
2014-07-27 12:47 - 2014-07-27 12:49 - 0021870 _____ () C:\Users\dave\AppData\Local\dd_vcredistUI3629.txt
2010-12-20 14:47 - 2010-12-20 14:47 - 0000056 ____H () C:\ProgramData\ezsidmv.dat

Some content of TEMP:
====================
C:\Users\dave\AppData\Local\Temp\4891uninstall.exe
C:\Users\dave\AppData\Local\Temp\ICReinstall_OpenofficeSetup.exe
C:\Users\dave\AppData\Local\Temp\InstallFlashPlayer.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll
[2010-12-21 13:47] - [2009-04-11 00:11] - 0732160 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\System32\rpcss.dll No Company Name <===== ATTENTION!

ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-04-22 18:14

==================== End Of Log ============================
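
Triage of the log above, as an added example that is not part of this thread and not FRST's own code. It reads lines copied from the log (embedded as constructed sample input) and flags the four things a helper looks for first: an autorun under a user profile with no publisher (PennyBee), search scopes and browser start pages pointing at hosts outside a small allowlist (Vosteran.com, trovi.com), an unsigned image under \Windows (rpcss.dll), and a Bamital-check hash equal to D41D8CD98F00B204E9800998ECF8427E, which is the MD5 of zero bytes: FRST hashed nothing for that file, so the "Google the MD5" step cannot tell you anything about it. The category names, the allowlist and the build_fixlist helper are this example's own conventions; the fixlist it emits deliberately leaves out the unsigned system DLL, because FRST has no automatic fix for a file that fails verification.

```python
# Added triage helper for a pasted FRST.txt; not part of FRST or of the original posts.
# SAMPLE_LOG is copied from the log in this thread (constructed input for the demo).
import hashlib
import re
from urllib.parse import urlsplit

SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1332296 2015-01-30] (Microsoft Corporation)
HKU\S-1-5-21-4147425092-1161352190-3810661310-1000\...\Run: [PennyBee] => C:\Users\dave\AppData\Local\PennyBee\PennyBeeW.exe
SearchScopes: HKU\S-1-5-21-4147425092-1161352190-3810661310-1000 -> DefaultScope {B0B39825-EDE9-4871-B8E3-5B41F0855369} URL = http://Vosteran.com/results.php?f=4&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4147425092-1161352190-3810661310-1000 -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = https://www.google.com/search?q={searchTerms}
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3326235
R2 RpcSs; C:\Windows\system32\rpcss.dll [732160 2009-04-11] () [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2015-01-30] (Microsoft Corporation)
[2010-12-21 13:47] - [2009-04-11 00:11] - 0732160 ____A () D41D8CD98F00B204E9800998ECF8427E
"""

# MD5 of zero bytes. FRST printed exactly this for rpcss.dll, so it hashed nothing
# (the file could not be read) and searching for that MD5 says nothing about the file.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()

RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<rest>.*)$")
PUBLISHER_RE = re.compile(r"\((?P<pub>[^()]*)\)\s*$")      # trailing "(Vendor)" on an entry
URL_RE = re.compile(r"(h[xt]{2}ps?://[^\s\"]+)", re.I)     # accepts FRST's hxxp defanging
HASH_RE = re.compile(r"\b([0-9A-Fa-f]{32})\s*$")
SEARCH_PREFIXES = ("SearchScopes:", "CHR HomePage:", "CHR StartupUrls:")
SEARCH_ALLOWLIST = ("google.com", "bing.com", "yahoo.com", "msn.com")   # example's own choice


def is_empty_md5(hex_digest):
    return hex_digest.lower() == EMPTY_MD5


def user_run_without_publisher(line):
    """Autorun whose target lives in a user profile and carries no publisher name."""
    m = RUN_RE.match(line)
    if not m:
        return False
    rest = m.group("rest")
    pub = PUBLISHER_RE.search(rest)
    has_publisher = pub is not None and pub.group("pub").strip() != ""
    in_profile = re.search(r"\\Users\\[^\\]+\\AppData\\", rest, re.I) is not None
    return in_profile and not has_publisher


def search_hijack(line):
    """Search scope or browser start page whose host is outside the allowlist."""
    if not line.startswith(SEARCH_PREFIXES):
        return False
    m = URL_RE.search(line)
    if not m:
        return False                 # an empty "URL =" is a stale scope, not a hijack
    url = re.sub(r"^hxxp", "http", m.group(1), flags=re.I)
    host = (urlsplit(url).hostname or "").lower()
    return not any(host == d or host.endswith("." + d) for d in SEARCH_ALLOWLIST)


def unsigned_system_binary(line):
    """Service or driver whose image lives under \\Windows and is not signed."""
    return (re.match(r"^[RS]\d ", line) is not None
            and "[File not signed]" in line
            and re.search(r"\\Windows\\", line, re.I) is not None)


def triage(log_text):
    """Return (category, line) pairs for every flagged line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if user_run_without_publisher(line):
            findings.append(("user_run_no_publisher", line))
        elif search_hijack(line):
            findings.append(("search_hijack", line))
        elif unsigned_system_binary(line):
            findings.append(("unsigned_system_binary", line))
        else:
            h = HASH_RE.search(line)
            if h and is_empty_md5(h.group(1)):
                findings.append(("no_real_hash", line))
    return findings


# Only registry-level entries go into the fixlist. A patched system DLL (the rpcss.dll
# finding) has no automatic fix in FRST and must be replaced by hand with a known-good copy.
FIXABLE = {"user_run_no_publisher", "search_hijack"}


def build_fixlist(findings):
    """Wrap the fixable log lines in the same frame the fix posted in this thread uses."""
    body = [line for cat, line in findings if cat in FIXABLE]
    return "\n".join(["start", "createrestorepoint:", "closeprocesses:",
                      *body, "emptytemp:", "end"])
```

To run it against a real log, read FRST.txt into a string and pass it to triage(); the flagged lines are still a starting point for a human helper, not a verdict, and anything the rules do not catch (signed adware drivers, stale "No File" BHOs) still has to be read by eye.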

DonnaB

Malware Fighter
Member
Perfect! As you can see, the logs are quite big and might take some time to review.

Ask him if he is having any issues with advertising-type sounds in the background. Looks like we might have a patched file. Anything else in the way of symptoms will help as well.

Thank you.

Okay. Will do.

It's getting late here in Los Angeles.
Going to bed now.
Will check back in the morning.

Thank you, sincerely, for your kind attention to this matter.

g

DonnaB

Malware Fighter
Member
Sounds good. Getting a bit late here in Illinois as well. I'll have a fix for you tomorrow.

And you're welcome. :)

DonnaB

Malware Fighter
Member
Hi grasshopper,

After further investigation, the nasty that has invaded your friend's computer is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute more malicious files.

If the infected computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect it from the Internet until your system is cleaned. ALL passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password by using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you will need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified as soon as possible due to the possibility of the security breach.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS.

Because your computer was compromised please read the following links:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When should I re-format? How should I reinstall?


Next:

FRST fix to remove malicious file

If he chooses not to reinstall, please follow the instructions below:

  • Open Notepad (Start orb > type notepad into Start Search > choose Notepad from the list).
  • Please copy the entire contents from start to end from the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
  • Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.
    Code:
    start
    createrestorepoint:
    closeprocesses:
    HKU\S-1-5-21-4147425092-1161352190-3810661310-1000\...\Run: [PennyBee] => C:\Users\dave\AppData\Local\PennyBee\PennyBeeW.exe
    C:\Users\dave\AppData\Local\PennyBee
    SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL =
    SearchScopes: HKU\S-1-5-21-4147425092-1161352190-3810661310-1000 -> DefaultScope {B0B39825-EDE9-4871-B8E3-5B41F0855369} URL = http://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ggbc_14_49_other_na01&cd=2XzuyEtN2Y1L1QzutDtDtByDyCyEtDtA0AzytCyEzyzyyD0BtN0D0Tzu0StCtDyBtCtN1L2XzutAtFyCtFtCtDtFtCtDtN1L1CzutCyEtBzytDyD1V1BtN1L1G1B1V1N2Y1L1Qzu2SyB0D0EzyzyyC0FzytG0EyCyBzytG0AyEyB0EtG0ByB0BtCtGyB0F0D0D0C0D0D0F0AtCtDtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBzyzyyC0C0FtCtBtGtCzytB0AtGyEyB0EzytG0B0CtC0AtG0C0EyE0DyDtBtCyDyEyCyC0C2Q&cr=492562483&ir=
    SearchScopes: HKU\S-1-5-21-4147425092-1161352190-3810661310-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-4147425092-1161352190-3810661310-1000 -> {B0B39825-EDE9-4871-B8E3-5B41F0855369} URL = http://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ggbc_14_49_other_na01&cd=2XzuyEtN2Y1L1QzutDtDtByDyCyEtDtA0AzytCyEzyzyyD0BtN0D0Tzu0StCtDyBtCtN1L2XzutAtFyCtFtCtDtFtCtDtN1L1CzutCyEtBzytDyD1V1BtN1L1G1B1V1N2Y1L1Qzu2SyB0D0EzyzyyC0FzytG0EyCyBzytG0AyEyB0EtG0ByB0BtCtGyB0F0D0D0C0D0D0F0AtCtDtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBzyzyyC0C0FtCtBtGtCzytB0AtGyEyB0EzytG0B0CtC0AtG0C0EyE0DyDtBtCyDyEyCyC0C2Q&cr=492562483&ir=
    SearchScopes: HKU\S-1-5-21-4147425092-1161352190-3810661310-1000 -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = https://www.google.com/search?q={searchTerms}
    BHO: McAfee Phishing Filter -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> c:\PROGRA~1\mcafee\msk\MSKAPB~1.DLL No File
    BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
    Toolbar: HKU\S-1-5-21-4147425092-1161352190-3810661310-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    S3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [X]
    S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
    S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
    S3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [X]
    S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
    S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
    Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
    Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
    Task: {66724CD6-243D-40B6-B51A-B61E1EFEE2A7} - System32\Tasks\Optimizer Pro Schedule => C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe <==== ATTENTION
    C:\Program Files (x86)\Optimizer Pro
    emptytemp:
    end
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run frst.exe (on 64-bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you will find in the same location as FRST. Please post it to your reply.


Next:

Uninstall programs

We are going to have to uninstall then reinstall Google Chrome since there is no easy way to fix the damage that was done by the infection. Please do the following:

Go to Start > Control Panel > Programs and Features and look for the following programs to uninstall.

Java(TM) 6 Update 13
Java(TM) 6 Update 39
Google Chrome
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.)
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.)


Just right-click and choose remove/uninstall.

You can get a fresh copy of Google Chrome from >>here<<


Next:

Rescan with FRST

I need to see fresh logs. Please have him do the following:

  • Right-click to run as administrator (XP users click Run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Under Optional Scan place a checkmark in the box for Addition.txt to ensure it creates that 2nd log.
  • Press Scan button.
  • Please attach both logs in your next reply.

In your next reply, please provide the following logs:


Fixlog.txt
FRST64.txt
Addition.txt


Thank you,
Donna :)
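Before the Fix button is pressed, it helps to see at a glance what each line of a fixlist like the one above will touch. The following is an added example, not code from this thread or from FRST itself: a small Python reviewer that sorts fixlist lines into directives, autostart entries, browser settings, services, scheduled tasks and file paths. The embedded fixlist is a constructed excerpt in the shape of the one posted above, and the line formats it recognises are only the ones visible in that post.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the fixlist posted above (representative lines only, not the full script).
SAMPLE_FIXLIST = r"""start
createrestorepoint:
closeprocesses:
HKU\S-1-5-21-4147425092-1161352190-3810661310-1000\...\Run: [PennyBee] => C:\Users\dave\AppData\Local\PennyBee\PennyBeeW.exe
C:\Users\dave\AppData\Local\PennyBee
SearchScopes: HKU\S-1-5-21-4147425092-1161352190-3810661310-1000 -> {B0B39825-EDE9-4871-B8E3-5B41F0855369} URL = http://Vosteran.com/results.php?q={searchTerms}
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Task: {66724CD6-243D-40B6-B51A-B61E1EFEE2A7} - System32\Tasks\Optimizer Pro Schedule => C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe <==== ATTENTION
C:\Program Files (x86)\Optimizer Pro
emptytemp:
end
"""
SERVICE_RE = re.compile(r"^[SRU]\d\s+(\S+);\s+(.*?)(?:\s+\[X\])?$")  # "S3 name; image path [X]"
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

def classify_line(line):
    """Return (category, target) for one fixlist line, or None for start/end/blank lines."""
    line = line.strip().replace(" <==== ATTENTION", "")  # FRST's flag on suspicious entries, not part of the target
    if not line or line.lower() in ("start", "end"):
        return None
    if " " not in line and line.endswith(":"):
        return ("directive", line[:-1])      # createrestorepoint:, closeprocesses:, emptytemp:
    if line.startswith(("HKU\\", "HKLM\\", "HKCU\\")):
        return ("registry_run", line.split(" => ", 1)[-1])  # autostart value; target is the launched file
    if line.startswith(("SearchScopes:", "BHO:", "BHO-x32:", "Toolbar:")):
        return ("browser", line.split(" URL = ", 1)[1] if " URL = " in line else line)
    if line.startswith("Task:"):
        return ("task", line.split(" => ", 1)[-1])   # scheduled task; target is the launched file
    m = SERVICE_RE.match(line)
    if m:
        return ("service", m.group(2))
    if DRIVE_PATH_RE.match(line):
        return ("path", line)                # bare path: FRST deletes that file or folder
    return ("other", line)                   # e.g. an installed-program entry to be removed

def review_fixlist(text):
    """Group every line by what it touches so the whole list can be checked before Fix is pressed."""
    groups = defaultdict(list)
    for line in text.splitlines():
        item = classify_line(line)
        if item:
            groups[item[0]].append(item[1])
    return dict(groups)
```

Running `review_fixlist` over a real fixlist.txt before pressing Fix gives a short list of the files, keys and URLs it will act on, which is easier to sanity-check than the raw script.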
 


DonnaB

Malware Fighter
Member
This being a fairly new trojan with little documentation by expert researchers, the following is what I found:

The spread of Trojan:Win32/Peals.F!plock virus is through porn, ad sites, spam email and unknown free programs. When it slips into your computer, it starts to change the default system settings as well as registry keys so as to steadily stay in your computer as long as possible. There will be a lot of pop-up ads and websites, which interrupts your work greatly. What’s worse, the virus makers are enabled by the Trojan horse infection to make the entrance to your computer furtively. Your personal information can be stolen and your activities in the infected computer are monitored by someone you do not know.

1. It has the ability to download additional components and other infections in the target computer in order to fully complete its penetration.
2. It is able to cause system crash and destroy some of your programs in the infected computer.
3. It facilitates the virus makers to intrude into your computer remotely without letting you know.
4. It is capable of collecting your browsing history and other private data.

I am still researching the trojan to find the extent of damage that is caused. The computer really needs to be disconnected from the internet to prevent remote access by the creators of this trojan and to isolate it to that one computer, though this is not possible since he is an hour away and you can't get physical access to the computer to disconnect and transfer files via USB till the initial infection has been cleansed.

The only thing that can prevent this from happening in the future is to educate the user with safe computing skills. Following are a couple of sites I refer people to, to educate them a bit on safe computing:

"So how did I get infected in the first place?" by Tony Klein and updated by Corrine
How Malware Spreads - How did I get infected by quietman7
How to prevent Malware: by miekemoes
 


I can help him transfer his files by phone instructions.
He wants to know if any of the files might be contaminated so that when we restore them on the formatted disk, it might get reinfected.

g
 


DonnaB

Malware Fighter
Member
I just want to take this chance to let you know how very much I appreciate all you are doing.

Thanks, Donna

g
You're welcome grasshopper. (I just love your username. You're probably too young to remember the TV series Kung Fu with David Carradine. >> One of my favorites from my days of yore :) )

I think it's a bit too late now for him to transfer the files if he has run the fix. By formatted disk, you mean external hard drive, right? Before I turn you loose, I'll have him install a program that will prevent the spread of infection by USB port.
 

