Solved Browsers Hijacked and MS Office Infection

lshendee

New Member
Thread author
Verified
Sep 7, 2013
48
Hello!

Fiery's assistance in 2013 fixed an infection on my Windows 8 PC. Now hoping to achieve success again but this time with my Dell Latitude laptop, which my ex-boyfriend just returned after a long-term loan.

Dell Latitude 6400 series laptop with Windows 7 Prof, 32-bit, using Chrome and IE. Browsers acting up ... creating proxy servers, redirecting to bogus look-alike sites, prevent me from downloading free ad/malware programs. Finally did so using CD but after the programs scan and remove threats, the same issues begin happening again. After much research and DIY, today the problems are getting worse and now it appears MS Office is corrupted.

Thanks in advance for your help.

Lynne
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hello,



They call me TwinHeadedEagle around here, and I'll be working with you.



Before we start please read and note the following:
  • At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.
  • Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process. Please do not perform System Restore or any other restore.
  • The instructions I give you are very simple and made for a complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.
  • Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  • All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
  • If during the process you run across anything that is not in my instructions, please stop and ask. If any tool is running for too long (a few hours), please stop and inform me.
  • I visit the forum several times a day, making sure to respond to everyone's topic as fast as possible. But bear in mind that I have a private life like everyone and I cannot be here 24/7. So please be patient with me. Also, some infections require less, and some more time to be removed completely, so bear this in mind and be patient.
  • Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. If you solved your problem yourself, set aside two minutes to let me know.
  • Please attach all reports using the button below. Doing this, you make it easier for me to analyze and fix your problem.

  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is a good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.




Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
 

lshendee

Thank you, TwinHeadedEagle. After I ran Farbar Recovery I posted the two logs in a reply but now they're not posted anymore? Meanwhile, my son did a system restore on the laptop without asking me, so I apologize, as the instructions say not to do that or run any programs. Here are the Farbar logs:
FRST:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-10-2014
Ran by lynne hendee (administrator) on LYNNEHENDEE-PC on 27-10-2014 12:39:42
Running from C:\Users\lynne hendee\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZQTW6VPU
Loaded Profile: lynne hendee (Available profiles: lynne hendee)
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(McAfee, Inc.) C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
(McAfee, Inc.) C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
() C:\Program Files\pcmax\pcmax.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(McAfee Inc.) C:\Program Files\McAfee\Raptor\RaptorClient.exe
(McAfee, Inc.) C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ShStatEXE] => C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [243560 2014-01-15] (McAfee, Inc.)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
HKLM\...\Run: [BrowserSafeguard] => "C:\Program Files\Browsersafeguard\BrowserSafeguard.exe"
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2012-04-18] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-05-26] (Apple Inc.)
HKLM\...\Run: [SDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM\...\RunOnce: [RaptorClient] => C:\Program Files\McAfee\Raptor\RaptorClient.exe [1517936 2014-10-27] (McAfee Inc.)
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1342127618-864138598-3578294600-1000\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
HKU\S-1-5-21-1342127618-864138598-3578294600-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6692632 2014-10-01] (SUPERAntiSpyware)
HKU\S-1-5-21-1342127618-864138598-3578294600-1000\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2014-05-06] (Microsoft Corporation)
BootExecute: autocheck autochk * sdnclean.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cnn.com/
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20140504061644.dll (McAfee, Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://ssl.binghamton.edu/dana-cached/sc/JuniperSetupClient.cab
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62

FireFox:
========
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF HKLM\...\Firefox\Extensions: [{D19CA586-DD6C-4a0a-96F8-14644F340D60}] - C:\Program Files\Common Files\McAfee\SystemCore
FF Extension: McAfee ScriptScan for Firefox - C:\Program Files\Common Files\McAfee\SystemCore [2014-05-04]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-07-22] (SUPERAntiSpyware.com)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-10-01] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [968504 2014-10-01] (Malwarebytes Corporation)
R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [204320 2014-05-04] (McAfee, Inc.)
R2 McTaskManager; C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe [208416 2014-01-15] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [179600 2014-10-27] (McAfee, Inc.)
R2 pcmaxservice; C:\Program Files\pcmax\pcmax.exe [241344 2014-05-29] ()
R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 acpials; C:\Windows\System32\DRIVERS\acpials.sys [7680 2009-07-13] (Microsoft Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-10-01] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2014-10-27] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-10-01] (Malwarebytes Corporation)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [134472 2014-05-04] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [236480 2014-05-04] (McAfee, Inc.)
R3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [66408 2014-05-04] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [575984 2014-10-27] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [94520 2014-10-27] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [213872 2014-05-04] (McAfee, Inc.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
U3 mfeavfk01; No ImagePath
U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [48128 2009-07-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-27 12:39 - 2014-10-27 12:39 - 00000000 ____D () C:\FRST
2014-10-27 10:29 - 2014-10-27 10:46 - 00000000 ____D () C:\Program Files\stinger
2014-10-27 06:51 - 2014-10-27 06:57 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-10-27 06:51 - 2014-10-27 06:52 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2
2014-10-27 06:51 - 2014-10-27 06:51 - 00002133 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2014-10-27 06:51 - 2014-10-27 06:51 - 00002121 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2014-10-27 06:51 - 2014-10-27 06:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2014-10-27 06:51 - 2013-09-20 10:49 - 00018968 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean.exe
2014-10-27 06:47 - 2014-10-27 06:48 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\lynne hendee\Downloads\spybot-2.4.exe
2014-10-27 06:33 - 2014-10-27 12:37 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2014-10-27 06:33 - 2014-10-27 06:33 - 00001963 _____ () C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2014-10-27 06:33 - 2014-10-27 06:33 - 00000000 ____D () C:\Users\lynne hendee\AppData\Roaming\SUPERAntiSpyware.com
2014-10-27 06:33 - 2014-10-27 06:33 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2014-10-27 06:33 - 2014-10-27 06:33 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2014-10-27 06:13 - 2014-10-27 12:37 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-27 06:12 - 2014-10-27 06:12 - 00001062 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-27 06:12 - 2014-10-27 06:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-27 06:12 - 2014-10-27 06:12 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-10-27 06:12 - 2014-10-27 06:12 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-10-27 06:12 - 2014-10-01 11:11 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-10-27 06:12 - 2014-10-01 11:11 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-10-27 06:12 - 2014-10-01 11:11 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-10-26 22:59 - 2014-10-26 22:59 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-10-26 18:15 - 2014-10-06 22:04 - 00331448 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-10-26 18:15 - 2014-09-28 20:41 - 02379264 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-10-26 18:15 - 2014-09-25 18:46 - 00365056 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-10-26 18:15 - 2014-09-25 18:46 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-10-26 18:15 - 2014-09-25 18:43 - 11807232 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-10-26 18:15 - 2014-09-25 18:32 - 02017280 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-10-26 18:15 - 2014-09-18 21:44 - 17484800 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-10-26 18:15 - 2014-09-18 21:25 - 04201472 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-10-26 18:15 - 2014-09-18 21:14 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-10-26 18:15 - 2014-09-18 21:14 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-10-26 18:15 - 2014-09-18 21:02 - 00454656 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-10-26 18:15 - 2014-09-18 21:01 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-10-26 18:15 - 2014-09-18 21:01 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-10-26 18:15 - 2014-09-18 20:59 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-10-26 18:15 - 2014-09-18 20:55 - 02187264 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-10-26 18:15 - 2014-09-18 20:54 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-10-26 18:15 - 2014-09-18 20:53 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-10-26 18:15 - 2014-09-18 20:51 - 00440320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-10-26 18:15 - 2014-09-18 20:50 - 00112128 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-10-26 18:15 - 2014-09-18 20:50 - 00108032 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-10-26 18:15 - 2014-09-18 20:49 - 00597504 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-10-26 18:15 - 2014-09-18 20:44 - 00646144 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-10-26 18:15 - 2014-09-18 20:36 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-10-26 18:15 - 2014-09-18 20:32 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-10-26 18:15 - 2014-09-18 20:20 - 00677888 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-10-26 18:15 - 2014-09-18 20:20 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-10-26 18:15 - 2014-09-18 20:18 - 01068032 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-10-26 18:15 - 2014-09-18 19:59 - 01810944 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-10-26 18:15 - 2014-09-18 19:53 - 01190400 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-10-26 18:15 - 2014-09-18 19:52 - 00678400 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-10-26 18:15 - 2014-09-04 01:04 - 00372736 _____ (Microsoft Corporation) C:\Windows\system32\rastls.dll
2014-10-26 18:13 - 2014-09-12 21:40 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-10-26 18:13 - 2014-07-16 21:40 - 00157696 _____ (Microsoft Corporation) C:\Windows\system32\winsta.dll
2014-10-26 18:13 - 2014-07-16 21:39 - 03221504 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2014-10-26 18:13 - 2014-07-16 21:39 - 01051136 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe
2014-10-26 18:13 - 2014-07-16 21:39 - 00523264 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-10-26 18:13 - 2014-07-16 21:39 - 00304128 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2014-10-26 18:13 - 2014-07-16 21:39 - 00131584 _____ (Microsoft Corporation) C:\Windows\system32\aaclient.dll
2014-10-26 18:13 - 2014-07-16 21:39 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorekmts.dll
2014-10-26 18:13 - 2014-07-16 21:39 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-10-26 18:13 - 2014-07-16 21:39 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-10-26 18:13 - 2014-07-16 21:03 - 00184320 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpwd.sys
2014-10-26 18:13 - 2014-07-16 21:02 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2014-10-26 18:13 - 2014-06-18 18:23 - 01131664 _____ (Microsoft Corporation) C:\Windows\system32\dfshim.dll
2014-10-26 18:13 - 2014-06-18 18:23 - 00156824 _____ (Microsoft Corporation) C:\Windows\system32\mscorier.dll
2014-10-26 18:13 - 2014-05-30 03:52 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-10-26 18:13 - 2014-05-30 03:52 - 00247808 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-10-26 18:13 - 2014-05-30 03:52 - 00220160 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-10-26 18:13 - 2014-05-30 03:52 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-10-26 16:12 - 2014-10-26 17:00 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-10-26 15:48 - 2014-10-26 16:18 - 00000000 ____D () C:\AdwCleaner
2014-10-26 15:27 - 2014-10-26 15:27 - 00003334 _____ () C:\Users\lynne hendee\Desktop\lynne exe.txt
2014-10-26 15:25 - 2014-10-26 16:16 - 00000948 _____ () C:\Users\lynne hendee\Desktop\Rkill.txt
2014-10-23 09:43 - 2014-10-23 09:44 - 00000000 ____D () C:\Users\lynne hendee\Desktop\CBC-2014 Tuesday
2014-10-21 15:08 - 2014-10-23 23:59 - 00000000 ____D () C:\Users\lynne hendee\Desktop\CBC-2014 Wednesday
2014-10-21 14:59 - 2014-10-21 15:06 - 00000000 ____D () C:\Users\lynne hendee\Desktop\CBC-2014 Sunday
2014-10-21 14:58 - 2014-10-23 09:46 - 00000000 ____D () C:\Users\lynne hendee\Desktop\CONDO 2014 Misc
2014-10-20 10:22 - 2014-10-24 00:19 - 00000000 ____D () C:\Users\lynne hendee\Desktop\CBC-2014 Monday
2014-10-19 17:54 - 2014-10-21 15:01 - 00000000 ____D () C:\Users\lynne hendee\Desktop\CBC-2014 Saturday
2014-10-19 15:52 - 2014-09-25 18:46 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-10-19 15:51 - 2014-06-18 18:24 - 00081560 _____ (Microsoft Corporation) C:\Windows\system32\mscories.dll
2014-10-19 15:12 - 2014-10-19 15:13 - 00000000 ____D () C:\Users\lynne hendee\Desktop\Afton
2014-10-02 20:42 - 2014-10-27 09:22 - 00001073 _____ () C:\Windows\system32\Sierra Budik Oct.lnk
2014-10-02 18:27 - 2014-10-02 18:27 - 00000000 ____D () C:\ProgramData\Hewlett-Packard

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-27 12:40 - 2014-05-03 19:25 - 01837223 _____ () C:\Windows\WindowsUpdate.log
2014-10-27 12:36 - 2009-07-14 00:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-27 12:36 - 2009-07-14 00:39 - 00038310 _____ () C:\Windows\setupact.log
2014-10-27 10:36 - 2009-07-14 00:34 - 00013792 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-27 10:36 - 2009-07-14 00:34 - 00013792 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-27 10:30 - 2014-05-04 09:16 - 00575984 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfehidk.sys
2014-10-27 10:30 - 2014-05-04 09:16 - 00094520 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mferkdet.sys
2014-10-27 10:30 - 2014-05-04 09:15 - 00179600 _____ (McAfee, Inc.) C:\Windows\system32\mfevtps.exe
2014-10-27 10:30 - 2014-05-03 19:40 - 00778834 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-27 10:29 - 2014-05-04 09:14 - 00000000 ____D () C:\Program Files\McAfee
2014-10-27 10:29 - 2011-06-20 16:39 - 00000000 ____D () C:\Quarantine
2014-10-27 10:23 - 2014-05-04 09:24 - 00000000 ____D () C:\Users\lynne hendee\AppData\Local\Google
2014-10-27 10:23 - 2014-05-04 09:24 - 00000000 ____D () C:\Program Files\Google
2014-10-27 10:07 - 2014-06-21 10:22 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-27 07:11 - 2014-05-04 09:28 - 00033310 _____ () C:\Windows\PFRO.log
2014-10-27 06:24 - 2014-07-01 16:12 - 00000000 ____D () C:\Program Files\Bench
2014-10-27 06:24 - 2009-07-14 03:50 - 00000000 ____D () C:\Windows\CSC
2014-10-27 06:23 - 2014-06-22 17:50 - 00000000 ____D () C:\temp
2014-10-27 05:40 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-10-27 05:27 - 2009-07-14 00:33 - 00434200 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-10-26 21:12 - 2014-05-04 18:37 - 00000000 ____D () C:\Windows\system32\MRT
2014-10-26 21:08 - 2014-05-04 18:37 - 100290944 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-10-26 18:07 - 2014-05-03 19:41 - 00000000 ____D () C:\Users\lynne hendee
2014-10-26 18:06 - 2014-06-21 10:27 - 00000396 __RSH () C:\ProgramData\ntuser.pol
2014-10-26 18:06 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\system32\wfp
2014-10-26 18:05 - 2014-06-22 15:40 - 00000000 ____D () C:\Program Files\Bonjour
2014-10-26 17:01 - 2009-07-14 03:50 - 00000000 ____D () C:\Program Files\Windows Journal
2014-10-26 17:01 - 2009-07-14 00:52 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2014-10-26 17:01 - 2009-07-14 00:52 - 00000000 ____D () C:\Program Files\Windows Sidebar
2014-10-26 17:01 - 2009-07-14 00:52 - 00000000 ____D () C:\Program Files\Windows Portable Devices
2014-10-26 17:01 - 2009-07-14 00:52 - 00000000 ____D () C:\Program Files\Windows Photo Viewer
2014-10-26 17:01 - 2009-07-14 00:52 - 00000000 ____D () C:\Program Files\Windows Defender
2014-10-26 17:01 - 2009-07-14 00:52 - 00000000 ____D () C:\Program Files\DVD Maker
2014-10-26 17:01 - 2009-07-13 22:37 - 00000000 __RSD () C:\Windows\Media
2014-10-26 17:01 - 2009-07-13 22:37 - 00000000 __RHD () C:\Users\Public\Libraries
2014-10-26 17:01 - 2009-07-13 22:37 - 00000000 ___RD () C:\Users\Public
2014-10-26 17:01 - 2009-07-13 22:37 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance
2014-10-26 17:01 - 2009-07-13 22:37 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2014-10-26 17:01 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\system32\NDF
2014-10-26 17:01 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\rescache
2014-10-26 17:01 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\L2Schemas
2014-10-26 17:00 - 2014-07-01 20:43 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-10-26 17:00 - 2014-06-22 18:11 - 00000000 ____D () C:\Program Files\iTunes
2014-10-26 17:00 - 2014-06-22 16:56 - 00000000 ____D () C:\Program Files\QuickTime
2014-10-26 17:00 - 2014-06-22 16:55 - 00000000 ____D () C:\Program Files\Sharepod
2014-10-26 17:00 - 2014-06-21 10:08 - 00000000 ____D () C:\Program Files\pcmax
2014-10-26 17:00 - 2014-06-20 18:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SharePoint
2014-10-26 17:00 - 2014-06-20 18:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
2014-10-26 17:00 - 2014-05-04 09:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2014-10-26 17:00 - 2014-05-03 19:41 - 00000000 ___RD () C:\Users\lynne hendee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2014-10-26 17:00 - 2014-05-03 19:41 - 00000000 ___RD () C:\Users\lynne hendee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2014-10-26 17:00 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\AppCompat
2014-10-26 17:00 - 2009-07-13 22:37 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared
2014-10-26 16:59 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\registration
2014-10-02 15:53 - 2014-05-03 16:59 - 00231568 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe

Some content of TEMP:
====================
C:\Users\lynne hendee\AppData\Local\Temp\ose00000.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-10-26 13:40

==================== End Of Log ============================

Addition:
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 27-10-2014
Ran by lynne hendee at 2014-10-27 12:40:30
Running from C:\Users\lynne hendee\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZQTW6VPU
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: McAfee VirusScan Enterprise (Enabled - Out of date) {ADA629C7-7F48-5689-624A-3B76997E0892}
AS: McAfee VirusScan Enterprise Antispyware Module (Enabled - Out of date) {16C7C823-5972-5907-58FA-0004E2F9422F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 11 ActiveX (HKLM\...\{41042E28-CCA1-4147-869F-9E928B38F04C}) (Version: 11.9.900.170 - Adobe Systems Incorporated)
Apple Application Support (HKLM\...\{D9DAD0FF-495A-472B-9F10-BAE430A26682}) (Version: 3.0.3 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{18D47FA1-0440-48D3-A7E0-DA09537FF471}) (Version: 7.1.1.3 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
iTunes (HKLM\...\{0718A90E-93AA-49AF-A4FE-0165ACD91DF0}) (Version: 11.2.2.3 - Apple Inc.)
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
McAfee VirusScan Enterprise (HKLM\...\{CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF}) (Version: 8.8.04001 - McAfee, Inc.)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Office 15 Click-to-Run Licensing Component (Version: 15.0.4615.1002 - Microsoft Corporation) Hidden
QuickTime (HKLM\...\{0E64B098-8018-4256-BA23-C316A43AD9B0}) (Version: 7.72.80.56 - Apple Inc.)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1158 - SUPERAntiSpyware.com)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points =========================

26-10-2014 20:49:45 Restore Operation
27-10-2014 01:07:40 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:04 - 2009-06-10 17:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {2265C572-8F0B-4A22-B697-EB4FE3BB8FA4} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
Task: {278C5644-EB38-4901-B001-6D01223E4A4B} - System32\Tasks\APSnotifierPP2 => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {49911141-7F2A-49B8-94BF-EEBA74DD249E} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe
Task: {634F8FE9-AC45-40D3-8B03-239CC13251EE} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe
Task: {63660AAB-370F-49D3-82ED-88DA9891A312} - System32\Tasks\APSnotifierPP3 => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {7709C9A5-1640-4B87-AB08-1CECB574839A} - System32\Tasks\{23DD838D-BE16-D6A9-5391-70BC47ABEF1A} => C:\Windows\system32\vrvnrz.dll/s "C:\Windows\system32\vrvnrz.dll"
Task: {AAD5FAD1-AF3E-4A0F-BF71-4F85954233BA} - System32\Tasks\APSnotifierPP1 => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {B49AA1AA-6C66-4B0A-AB1F-FE4A66CD40CA} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-06-21] (Adobe Systems Incorporated)
Task: {D1FDCF56-FAA7-4111-9062-E4E589D7D64D} - System32\Tasks\pcreg => C:\Program Files\pcmax\service.exe [2014-05-29] () <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\APSnotifierPP1.job => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP2.job => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP3.job => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION

==================== Loaded Modules (whitelisted) =============

2014-04-23 16:05 - 2014-04-23 16:05 - 00073544 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2014-04-23 16:04 - 2014-04-23 16:04 - 01044808 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2014-05-29 07:16 - 2014-05-29 07:16 - 00241344 _____ () C:\Program Files\pcmax\pcmax.exe
2014-10-27 06:51 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2014-10-27 06:51 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl
2014-10-27 06:51 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2014-10-27 06:51 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files\Spybot - Search & Destroy 2\sqlite3.dll
2014-10-27 06:51 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2013-09-05 00:14 - 2013-09-05 00:14 - 04300456 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:45 - 2010-10-20 15:45 - 08801120 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-1342127618-864138598-3578294600-500 - Administrator - Disabled)
Guest (S-1-5-21-1342127618-864138598-3578294600-501 - Administrator - Disabled)
HomeGroupUser$ (S-1-5-21-1342127618-864138598-3578294600-1002 - Administrator - Enabled)
lynne hendee (S-1-5-21-1342127618-864138598-3578294600-1000 - Administrator - Enabled) => C:\Users\lynne hendee

==================== Faulty Device Manager Devices =============

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Broadcom USH
Description: Broadcom USH
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (10/27/2014 09:52:07 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\setup.exe Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLL; Description = Removed Microsoft Office Professional Plus 2010; Error = 0x8007043c).

Error: (10/27/2014 09:05:56 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\setup.exe Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLL; Description = Removed Microsoft Office Professional Plus 2010; Error = 0x8007043c).

Error: (10/27/2014 09:03:16 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\setup.exe Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLL; Description = Removed Microsoft Office Professional Plus 2010; Error = 0x8007043c).

Error: (10/27/2014 07:10:27 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80070005, Access is denied.
.

Error: (10/27/2014 07:10:27 AM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x80070005, Access is denied.
]

Error: (10/27/2014 07:10:27 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80070005, Access is denied.
.

Error: (10/27/2014 07:10:27 AM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x80070005, Access is denied.
]

Error: (10/27/2014 06:26:04 AM) (Source: MsiInstaller) (EventID: 10015) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Object already exists.
(NULL)(NULL)(NULL)(NULL)(NULL)

Error: (10/26/2014 06:26:04 PM) (Source: MsiInstaller) (EventID: 10015) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Object already exists.
(NULL)(NULL)(NULL)(NULL)(NULL)

Error: (10/26/2014 04:26:01 PM) (Source: MsiInstaller) (EventID: 10015) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Object already exists.
(NULL)(NULL)(NULL)(NULL)(NULL)


System errors:
=============
Error: (10/27/2014 00:37:16 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error:
%%-2147467259

Error: (10/27/2014 00:37:16 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147467259

Error: (10/27/2014 00:36:23 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147467259

Error: (10/27/2014 10:31:08 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the mfevtp service.

Error: (10/27/2014 10:29:28 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Spybot-S&D 2 Scanner Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (10/27/2014 10:29:28 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Spybot-S&D 2 Updating Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (10/27/2014 10:29:28 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Spybot-S&D 2 Security Center Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (10/27/2014 10:29:28 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Software Protection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (10/27/2014 10:27:45 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error:
%%-2147467259

Error: (10/27/2014 10:27:45 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147467259


Microsoft Office Sessions:
=========================
Error: (10/27/2014 09:52:07 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\setup.exe Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLLRemoved Microsoft Office Professional Plus 20100x8007043c

Error: (10/27/2014 09:05:56 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\setup.exe Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLLRemoved Microsoft Office Professional Plus 20100x8007043c

Error: (10/27/2014 09:03:16 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\setup.exe Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLLRemoved Microsoft Office Professional Plus 20100x8007043c

Error: (10/27/2014 07:10:27 AM) (Source: VSS) (EventID: 8193) (User: )
Description: CoCreateInstance0x80070005, Access is denied.

Error: (10/27/2014 07:10:27 AM) (Source: VSS) (EventID: 13) (User: )
Description: {4e14fba2-2e22-11d1-9964-00c04fbbb345}CEventSystem0x80070005, Access is denied.

Error: (10/27/2014 07:10:27 AM) (Source: VSS) (EventID: 8193) (User: )
Description: CoCreateInstance0x80070005, Access is denied.

Error: (10/27/2014 07:10:27 AM) (Source: VSS) (EventID: 13) (User: )
Description: {4e14fba2-2e22-11d1-9964-00c04fbbb345}CEventSystem0x80070005, Access is denied.

Error: (10/27/2014 06:26:04 AM) (Source: MsiInstaller) (EventID: 10015) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Object already exists.
(NULL)(NULL)(NULL)(NULL)(NULL)

Error: (10/26/2014 06:26:04 PM) (Source: MsiInstaller) (EventID: 10015) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Object already exists.
(NULL)(NULL)(NULL)(NULL)(NULL)

Error: (10/26/2014 04:26:01 PM) (Source: MsiInstaller) (EventID: 10015) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Object already exists.
(NULL)(NULL)(NULL)(NULL)(NULL)


==================== Memory info ===========================

Processor: Intel(R) Core(TM)2 Duo CPU T9550 @ 2.66GHz
Percentage of memory in use: 43%
Total physical RAM: 3535.9 MB
Available physical RAM: 1997.75 MB
Total Pagefile: 7070.09 MB
Available Pagefile: 5521.74 MB
Total Virtual: 2047.88 MB
Available Virtual: 1913.97 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:74.37 GB) (Free:25.65 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 74.5 GB) (Disk ID: A42D04A3)
Partition 1: (Not Active) - (Size=157 MB) - (Type=DE)
Partition 2: (Active) - (Size=74.4 GB) - (Type=07 NTFS)

==================== End Of Log ============================
 

lshendee

Attaching original reports from Farbar.
 

Attachments

  • FRST.txt
    24.8 KB · Views: 46
  • Addition.txt
    17.6 KB · Views: 47

TwinHeadedEagle

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.




Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Follow the prompts and click Scan.
  • When finished, please click Clean.
  • Upon completion, click Report. A log (AdwCleaner[S*].txt) will open.

Please include the contents of that file in your reply.




Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Install the program and select update.
  • Once updated, click the Settings tab, in the left panel choose Detections & protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.
Save the file to your desktop and include its content in your next reply.
 

Attachments

  • fixlist.txt
    1.6 KB · Views: 135

lshendee

Had to run all three programs from a thumbdrive onto the affected laptop. During last portion of mbar scan, window appeared saying it stopped working. I saved the details and am attaching.
 

Attachments

  • Fixlog.txt
    4.8 KB · Views: 114
  • AdwCleaner[S0].txt
    8.9 KB · Views: 48
  • mbar stopped working.txt
    1.1 KB · Views: 50

lshendee

Okay, ran the MBAR again and it went through fine. Attaching the log.
 

Attachments

  • mbar scan log 110214 928AM.txt
    5.6 KB · Views: 126

lshendee

Attempted to open a website on IE and received "proxy server isn't responding ... check your proxy settings ... make sure your firewall settings ...". This is what the laptop was initially doing early on, then all the other problems started.
 

lshendee

Thanks TwinHeadedEagle. I had followed those same instructions to uncheck "Use a proxy server for your LAN..." prior to seeking help on this forum. More issues arose from that point on so in a way I feel like I'm back at square one. However, I did just try to uncheck those boxes again as per the link you provided, but as soon as I do so then Apply and close out - it rechecks itself. I'll try ZHP Cleaner and report back with results - crossing my fingers. Many thanks for your continued help.
 

lshendee

Hi there - downloaded and ran each of the Alternative Methods: zhpdiag & zhpcleaner had no English lang option so ran them as best as I could. After scans, there were no "Clean" or "Delete" buttons or images. Attaching logs except for one that couldn't be opened. Downloaded and ran Prescan - 1/2 way through I confirmed when it asked if I wanted to delete proxy ... scan finished, auto rebooted the laptop, but nothing was fixed. Attaching log. Downloaded RogueKiller but during the "WebBrowser" scan - IE automatically opens to go to Adlice website, at which point I get the Proxy Server error message. Can't even find a log. Long day at work so feeling a bit hopeless. Hope you've had some cheery clients to make up for my woes. )o: Tomorrow's a new day. Good night!
 

Attachments

  • ZHPCleaner.txt
    2.4 KB · Views: 84
  • ZHPDiag.txt
    75 KB · Views: 72
  • ZHPFixReport.txt
    646 bytes · Views: 76
  • RKreport_DEL_11032014_202519.log
    87.2 KB · Views: 37
  • Pre_Scan_03_11_2014_19_53_49.txt
    10.5 KB · Views: 54

TwinHeadedEagle

Let's try with this:



Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt
    1.3 KB · Views: 51

lshendee

Attaching Fixlog.txt. Still getting proxy server message. Perhaps I'm not executing the process correctly? This is what I do:
1. Download FRST app from web. Locate it in my Download file and Send To my thumbdrive.
2. Open your fixlist file and save as (same) to thumbdrive.
3. Insert thumbdrive into infected laptop. Open files and drag both the app and the fixlist to its desktop.
4. Run FRST as administrator; it reboots; I save the fixlist to my thumbdrive and attach to my reply.
 

Attachments

  • Fixlog.txt
    4.3 KB · Views: 59

lshendee

This may not be important, but after the laptop reboots the fixlist is missing from the desktop.
 

lshendee

How do I find the proxy address? Long number in error message is: 127.0.0.1:3128 (in IE). Chrome's error msg. has no number. On IE, there's an option to "Fix Connection Problems" but I don't dare since proxy issues began the downward spiral after I got the laptop back from my ex. Thanks for your help.
 
