Solved svchost.exe using large cpu usage.

July 17, 2016 at 08:10:11
Specs: Windows 7
svchost.exe using 50 to 100% of my CPU in Windows 7. Need to find a fix. Computer running slow and hot! Happened before, went away after a bit of fooling around. Computer challenged.
Have run Trend, Malwarebytes and Defender, no help!

message edited by randoh



✔ Best Answer
July 21, 2016 at 21:33:12
"there are hundreds of updates up until 6-15-2016"
Ok, that will take days using MS servers.

Use this.

http://update7.simplix.info/UpdateP...



#1
July 17, 2016 at 09:10:40
Well, first step would be to find out which service it is. There are many ways to go about it, but I prefer using Process Monitor. You can double-click the svchost in question, and go to the Services tab to see what is running in that process.

How To Ask Questions The Smart Way



#2
July 17, 2016 at 14:18:08
Let's have a look at this side of things.

Here are the first 2 steps, more steps will be needed, after I see the results of these logs.

Run them in this order.

Step 1: Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.raymond.cc/blog/adwclean...
http://www.bleepingcomputer.com/dow...
Author's site
http://general-changelog-team.fr/en...
Tutorial
http://general-changelog-team.fr/en...
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click Scan
In the results tabs, uncheck anything you don't want to remove.
Click on Cleaning.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please Copy & Paste the contents of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[C1 or later].txt as well.
http://i.imgur.com/r3PoAEG.gif

Step 2: Run Malwarebytes Junkware Removal Tool
http://www.softpedia.com/get/Securi...
http://www.bleepingcomputer.com/dow...
http://thisisudax.org/
http://thisisudax.blogspot.com.au/2...
Download Malwarebytes Junkware Removal Tool onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan.
Click this link to see a list of security programs that should be disabled and how to disable them.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7/8, right-click JRT and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved onto your Desktop and will automatically open.
Copy and Paste the contents of the JRT.txt log please.



#3
July 17, 2016 at 17:47:41
Most likely it is Windows Update.
"Start Task Manager" > Performance > Resource Monitor > CPU.
Check the (svchost.exe) with the highest CPU load.
The "Associated Handles/Modules" shows program(s) running

During the latest "Patch Tuesday" I have also seen svchost.exe (Windows Update) running for hours only to come up with a few updates to select. I have had this in previous months.




#4
July 17, 2016 at 23:24:33
Most likely, sluc is right.
I had several PCs/Laptops in the past, with exactly the same problem.
Windows-Update was the culprit.

What I have done:
Download and install Microsoft patch KB3138612
Download and install Microsoft patch KB3145739
Download and install Microsoft patch KB3161664

Restart computer.

Worked for me lots of times.

message edited by paulsep



#5
July 19, 2016 at 07:30:50
Johnw it's been a while happy you are still around.

# AdwCleaner v5.201 - Logfile created 19/07/2016 at 10:09:17
# Updated 30/06/2016 by ToolsLib
# Database : 2016-07-18.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (X64)
# Username : Paul - PAUL-HP
# Running from : C:\Users\Paul\Downloads\adwcleaner_5.201.exe
# Option : Clean
# Support : https://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\ProgramData\TubeDimmer
[-] Folder Deleted : C:\ProgramData\db998eb500006e45
[#] Folder Deleted : C:\ProgramData\Application Data\TubeDimmer
[#] Folder Deleted : C:\ProgramData\Application Data\db998eb500006e45
[-] Folder Deleted : C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\AVG SafeGuard toolbar
[-] Folder Deleted : C:\Program Files\Babylon
[-] Folder Deleted : C:\Program Files\DomaIQ Uninstaller

***** [ Files ] *****

[-] File Deleted : C:\ProgramData\uninstaller.exe
[#] File Deleted : C:\ProgramData\Application Data\uninstaller.exe
[-] File Deleted : C:\Windows\SysNative\roboot64.exe

***** [ DLLs ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\BabylonHelper.EXE
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\Complitly.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
[-] Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bmiabdepfhhiieiipmeecdmeljggmfee
[-] Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr
[-] Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{442F13BC-2031-42D5-9520-437F65271153}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6536801B-F50C-449B-9476-093DFD3789E3}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D879A501-50A7-BEFC-A4C5-32DC6E0CB208}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9FDFB66C-713B-4201-83A6-5B78AE227B41}
[-] Key Deleted : HKCU\Software\Complitly
[-] Key Deleted : HKCU\Software\Conduit
[-] Key Deleted : HKCU\Software\PCCleaners
[-] Key Deleted : HKCU\Software\simplytech
[-] Key Deleted : HKCU\Software\SlimWare Utilities Inc
[-] Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
[-] Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
[-] Key Deleted : HKLM\SOFTWARE\Conduit
[-] Key Deleted : HKLM\SOFTWARE\SimplyGen
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1945250335-4174644849-3491937529-1000\Software\Complitly
[-] Data Restored : HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL]
[-] Data Restored : HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\Main [Search Bar]
[-] Data Restored : HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page]
[-] Data Restored : HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\Search [Default_Search_URL]
[-] Data Restored : HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\Search [Search Bar]
[-] Data Restored : HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\Search [Search Page]
[-] Data Restored : HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchURI [(Default)]
[-] Data Restored : HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchUrl [(Default)]
[-] Value Deleted : HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes [DisplayName]
[-] Value Deleted : HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes [URL]
[-] Value Deleted : HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes [TopResultURLFallback]
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\superfish.com

***** [ Web browsers ] *****

[-] [C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [5104 bytes] - [19/07/2016 10:09:17]
C:\AdwCleaner\AdwCleaner[S1].txt - [6796 bytes] - [19/07/2016 10:07:39]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [5250 bytes] ##########



#6
July 19, 2016 at 07:49:34

Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Windows 7 Home Premium x64
Ran by Paul (Administrator) on Tue 07/19/2016 at 10:45:28.10
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


File System: 12

Successfully deleted: C:\ProgramData\Start Menu\Programs\free window registry repair (Folder)
Successfully deleted: C:\Users\Paul\AppData\Local\{27D9775D-853A-4ADF-ABBB-FF1FD8063B5D} (Empty Folder)
Successfully deleted: C:\Users\Paul\AppData\Roaming\nico mak computing (Folder)
Successfully deleted: C:\Users\Paul\Start Menu\Programs\free window registry repair (Folder)
Successfully deleted: C:\Users\Paul\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7AQSBCLP (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Paul\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ENX42ER7 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Paul\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J4H7CXTL (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Paul\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P32L3D4L (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7AQSBCLP (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ENX42ER7 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J4H7CXTL (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P32L3D4L (Temporary Internet Files Folder)

Registry: 3

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{c9ab6446-7efc-47fe-966c-dc54324eff9f} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 07/19/2016 at 10:48:05.16
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#7
July 19, 2016 at 08:13:13
johnw running 100% so everything is very slow!


#8
July 19, 2016 at 10:14:04
paulsep already have the three. Trying to get something going with johnw. Thanks, if you come up with anything else let me know. Thanks again!

message edited by randoh



#9
July 19, 2016 at 12:12:31
Johnw, while sitting here I went through Task Manager again and hit Processes again, found the problem-ed SVCHOST.EXE, then went to Services and started shutting things down one at a time. Got to WUASEV WINDOWS NETSVCS, shut it down, and as near as I can see everything is running fine, except Google still running into the 70 to 100% at times. I have no idea what WUASEV WINDOWS NETSVCS runs, or how to keep it from starting up after shutdown.

message edited by randoh



#10
July 19, 2016 at 12:33:24
Well, none of those are actually Windows services. Are you sure you got the name right?

How To Ask Questions The Smart Way



#11
July 19, 2016 at 13:06:11
As close as I can see, it's written as wuauserv Windows netsvcs (stop run). I have it stopped. Comes back on when rebooted.


#12
July 19, 2016 at 13:09:08
I checked and can't find anything it affects except CPU usage. How can I keep it turned off?

message edited by randoh



#13
July 19, 2016 at 13:47:33
"Johnw it's been a while happy you are still around"
Thanks randoh.

"Trying to get something going with johnw"
Time zone difference, I'm here.
http://www.timeanddate.com/worldclo...

Next step.

Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer to this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it makes also another log (Addition.txt)
The logs are large, upload them using Zippy ( No account/registration needed ) or upload to a site of your choosing. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif

message edited by Johnw



#14
July 19, 2016 at 14:02:35
Farbar Service Scanner Version: 27-01-2016
Ran by Paul (administrator) on 19-07-2016 at 16:56:30
Running from "C:\Users\Paul\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****



#15
July 19, 2016 at 14:03:25
Johnw no additional text.


#16
July 19, 2016 at 14:08:04
Johnw Farbar looks different than pictured


#17
July 19, 2016 at 14:11:37
You didn't run the correct Farbar as per my post.

You have run > Farbar Service Scanner



#18
July 19, 2016 at 14:21:45
John Don't know if you read what I found while you were out. Went to Task Manager again, went to offending processes again, then Services, started shutting down files one at a time and found a file named wuasev windows netsvcs, stopped it, and the problem went away. Don't know asso. but have run most of my important programs and all run as before. When machine is re-booted it gets turned back on. Don't know how to isolate it until I find if I have any problems. Can't find it on all searches I've tried.

message edited by randoh



#19
July 19, 2016 at 14:25:20
"John Don't know if you read what I found while you were out"
Yep, first things first, got to get you clean.

No point in trying anything else until we do so.



#20
July 19, 2016 at 14:32:35
Sorry John 1 minute !


#21
July 19, 2016 at 14:43:03
Wuauserv, eh? That's Windows Update.
C:\>sc getdisplayname wuauserv
[SC] GetServiceDisplayName SUCCESS
Name = Windows Update

C:\>

There's an update you can try to see if it helps, but you're probably better off waiting for it to do its work and find what patches you need this month. https://support.microsoft.com/en-us...

You can also try clearing the cache, as corruption there can cause high CPU: https://support.microsoft.com/en-us...

How To Ask Questions The Smart Way


Report •
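
An added example (not part of any post in this thread) of the lookup discussed in #1, #3 and #21: it lists each svchost.exe instance with a CPU sample and the services it hosts, then shows the state and start mode of wuauserv. It assumes Windows PowerShell on the affected machine and uses only built-in WMI classes; the variable and column names are illustrative.

```powershell
# Added example: map every svchost.exe instance to the services it hosts and
# show one CPU sample per instance. Read-only; nothing is stopped or changed.
# Get-WmiObject is used so this also runs on the Windows PowerShell 2.0
# that ships with Windows 7.

# 1. Build a lookup: host process ID -> list of running services in it.
$servicesByProcess = @{}
Get-WmiObject -Class Win32_Service -Filter "State = 'Running'" | ForEach-Object {
    $hostPid = [int]$_.ProcessId
    if (-not $servicesByProcess.ContainsKey($hostPid)) {
        $servicesByProcess[$hostPid] = @()
    }
    # Short name first (what "sc" expects), display name in parentheses.
    $servicesByProcess[$hostPid] += ('{0} ({1})' -f $_.Name, $_.DisplayName)
}

# 2. Take one CPU sample for every svchost instance.
#    The performance counter is summed over all logical processors, so divide
#    by the processor count to get a figure comparable to Task Manager's.
$processorCount = [Environment]::ProcessorCount

$report = Get-WmiObject -Class Win32_PerfFormattedData_PerfProc_Process `
                        -Filter "Name LIKE 'svchost%'" |
    Sort-Object -Property PercentProcessorTime -Descending |
    ForEach-Object {
        $hostPid = [int]$_.IDProcess
        New-Object PSObject -Property @{
            ProcessId  = $hostPid
            CpuPercent = [math]::Round($_.PercentProcessorTime / $processorCount, 1)
            Services   = ($servicesByProcess[$hostPid] -join '; ')
        }
    }

# Busiest instance first; the Services column names what is running inside it.
$report | Select-Object ProcessId, CpuPercent, Services | Format-Table -AutoSize -Wrap

# 3. Look at the service identified in the thread (wuauserv = Windows Update):
#    its display name, whether it is running, how it is set to start, and
#    which svchost process currently hosts it.
Get-WmiObject -Class Win32_Service -Filter "Name = 'wuauserv'" |
    Select-Object Name, DisplayName, State, StartMode, ProcessId |
    Format-List
```

A single sample can miss a process that spikes intermittently, so run it a few times while the CPU is busy and compare the top row.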


#23
July 19, 2016 at 14:47:18
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-07-2016
Ran by Paul (administrator) on PAUL-HP (19-07-2016 17:33:11)
Running from C:\Users\Paul\Downloads
Loaded Profiles: Paul (Available Profiles: Paul)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topi...

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiWatchDog.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Titanium\plugin\Pt\PtSvcHost.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Titanium\plugin\Pt\PtWatchDog.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(RaMMicHaeL) C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(RaMMicHaeL) C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Titanium\plugin\Pt\PtSessionAgent.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
() C:\Program Files\Hewlett-Packard\HP LaunchBox\HPTaskBar1.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP LaunchBox\HPTaskBar2.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\BrYNSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Hewlett-Packard Company) C:\Program Files (x86)\HP\Common\HPSupportSolutionsFrameworkService.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Farbar) C:\Users\Paul\Downloads\FRST64 (1).exe


==================== Registry (Whitelisted)



#24
July 19, 2016 at 14:50:41
Upload the logs as per my post #13

The logs are large, upload them using Zippy ( No account/registration needed ) or upload to a site of your choosing. Give us the links please.



#25
July 19, 2016 at 14:53:29
Also as per my post #13

Run the program from your Desktop.




#27
July 19, 2016 at 15:07:24
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-07-2016
Ran by Paul (administrator) on PAUL-HP (19-07-2016 17:59:22)
Running from C:\Users\Paul\Desktop
Loaded Profiles: Paul (Available Profiles: Paul)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topi...

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiWatchDog.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Titanium\plugin\Pt\PtSvcHost.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Titanium\plugin\Pt\PtWatchDog.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(RaMMicHaeL) C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(RaMMicHaeL) C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Titanium\plugin\Pt\PtSessionAgent.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
() C:\Program Files\Hewlett-Packard\HP LaunchBox\HPTaskBar1.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP LaunchBox\HPTaskBar2.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\BrYNSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Hewlett-Packard Company) C:\Program Files (x86)\HP\Common\HPSupportSolutionsFrameworkService.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Farbar) C:\Users\Paul\Desktop\FRST64 (1).exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2837288 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1424896 2012-01-07] (IDT, Inc.)
HKLM\...\Run: [SetDefault] => C:\Program Files\Hewlett-Packard\HP LaunchBox\SetDefault.exe [44880 2011-12-20] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [Trend Micro Client Framework] => C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe [246264 2015-07-16] (Trend Micro Inc.)
HKLM\...\Run: [Platinum] => C:\Program Files\Trend Micro\Titanium\plugin\Pt\PtSessionAgent.exe [1258496 2015-07-16] (Trend Micro Inc.)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2011-04-30] (Intel Corporation)
HKLM-x32\...\Run: [HPQuickWebProxy] => C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe [168504 2011-06-28] (Hewlett-Packard Company)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [40336 2015-09-24] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [578944 2012-03-05] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HPOSD] => C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [379960 2011-08-19] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [2621440 2010-06-10] (Brother Industries, Ltd.)
HKLM\...\RunOnce: [NCInstallQueue] => rundll32 netman.dll,ProcessQueue
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{7850B5E1-8099-49FF-B2A9-E64A620FF27B}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-1945250335-4174644849-3491937529-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1945250335-4174644849-3491937529-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT/1
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Trend Micro Security Toolbar Helper -> {43C6D902-A1C5-45c9-91F6-FD9E90337E18} -> C:\Program Files\Trend Micro\Titanium\plugin\ToolbarIE64\ToolbarIE.dll [2015-12-21] (Trend Micro Inc.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Trend Micro Network Filter Plugin -> {959A5673-7971-48e6-AF54-58F745AC4ABC} -> C:\Program Files\Trend Micro\AMSP\module\20013\3.8.1222\2.0.1084\TmopIEPlg.dll [2015-07-16] (Trend Micro Inc.)
BHO: Trend Micro IE Protection -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\module\20002\9.1.1089\9.1.1089\TmBpIe64.dll [2016-06-15] (Trend Micro Inc.)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2013-08-28] (Hewlett-Packard)
BHO-x32: Trend Micro Security Toolbar Helper -> {43C6D902-A1C5-45c9-91F6-FD9E90337E18} -> C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll [2015-12-21] (Trend Micro Inc.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO-x32: Trend Micro Network Filter Plugin -> {959A5673-7971-48e6-AF54-58F745AC4ABC} -> C:\Program Files\Trend Micro\AMSP\module\20013\3.8.1222\2.0.1084\TmopIEPlg32.dll [2015-07-16] (Trend Micro Inc.)
BHO-x32: Trend Micro IE Protection -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\module\20002\9.1.1089\9.1.1089\TmBpIe32.dll [2016-06-15] (Trend Micro Inc.)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2013-08-28] (Hewlett-Packard)
Toolbar: HKLM - Trend Micro Security Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\Titanium\plugin\ToolbarIE64\ToolbarIE.dll [2015-12-21] (Trend Micro Inc.)
Toolbar: HKLM-x32 - Trend Micro Security Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll [2015-12-21] (Trend Micro Inc.)
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\9.1.1089\9.1.1089\TmBpIe64.dll [2016-06-15] (Trend Micro Inc.)
Handler-x32: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\9.1.1089\9.1.1089\TmBpIe32.dll [2016-06-15] (Trend Micro Inc.)
Handler: tmop - {69FD7CE3-4604-4fe6-967C-49B9735CEE70} - C:\Program Files\Trend Micro\AMSP\module\20013\3.8.1222\2.0.1084\TmopIEPlg.dll [2015-07-16] (Trend Micro Inc.)
Handler-x32: tmop - {69FD7CE3-4604-4fe6-967C-49B9735CEE70} - C:\Program Files\Trend Micro\AMSP\module\20013\3.8.1222\2.0.1084\TmopIEPlg32.dll [2015-07-16] (Trend Micro Inc.)
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\Titanium\plugin\ToolbarIE64\ToolbarIE.dll [2015-12-21] (Trend Micro Inc.)
Handler-x32: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll [2015-12-21] (Trend Micro Inc.)
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\plugin\ToolbarIE64\ProToolbarIMRatingActiveX.dll [2015-07-16] (Trend Micro Inc.)
Handler-x32: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll [2015-07-16] (Trend Micro Inc.)

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-07-16] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-16] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1207148.dll [2013-12-05] (Adobe Systems, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-01-26] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-01-26] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2011-04-05] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [tmbepff@trendmicro.com] - C:\Program Files\Trend Micro\AMSP\module\20002\9.1.1089\9.1.1089\firefoxextension
FF Extension: Trend Micro BEP Firefox Extension - C:\Program Files\Trend Micro\AMSP\module\20002\9.1.1089\9.1.1089\firefoxextension [2016-07-16]
FF HKLM-x32\...\Firefox\Extensions: [{38783831-6098-4faa-A9C9-1EE1E343F4D2}] - C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1104\7.1.1104\firefoxextension => not found
FF HKLM-x32\...\Firefox\Extensions: [tmbepff@trendmicro.com] - C:\Program Files\Trend Micro\AMSP\module\20002\9.1.1089\9.1.1089\firefoxextension
FF HKLM-x32\...\Firefox\Extensions: [{22181a4d-af90-4ca3-a569-faed9118d6bc}] - C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension
FF Extension: Trend Micro Toolbar - C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension [2016-05-19]
FF HKLM-x32\...\Firefox\Extensions: [{BBB77B49-9FF4-4d5c-8FE2-92B1D6CD696C}] - C:\Program Files\Trend Micro\AMSP\module\20013\FxExt\firefoxextension
FF Extension: Trend Micro Osprey Firefox Extension - C:\Program Files\Trend Micro\AMSP\module\20013\FxExt\firefoxextension [2016-07-16]

Chrome:
=======
CHR HomePage: Profile 2 -> hxxp://www.armstrongmywire.com/
CHR StartupUrls: Profile 2 -> "hxxp://www.armstrongmywire.com/"
CHR Profile: C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-04-20]
CHR Extension: (Google Docs) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-04-20]
CHR Extension: (Google Drive) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-04-20]
CHR Extension: (No Name) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2016-04-20]
CHR Extension: (YouTube) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-04-20]
CHR Extension: (Google Sheets) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-04-20]
CHR Extension: (Google Docs Offline) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-04-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-20]
CHR Extension: (No Name) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohhcpmplhhiiaoiddkfboafbhiknefdf [2016-04-20]
CHR Extension: (Gmail) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-04-20]
CHR Profile: C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Profile 2
CHR Extension: (Google Slides) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-12]
CHR Extension: (Google Docs) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-12]
CHR Extension: (Google Drive) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-31]
CHR Extension: (YouTube) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-06]
CHR Extension: (Google Search) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-31]
CHR Extension: (Google Sheets) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-12]
CHR Extension: (Google Docs Offline) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-23]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-05-12]
CHR Extension: (Gmail) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-28]
CHR HKU\S-1-5-21-1945250335-4174644849-3491937529-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [amhlacfinnaffmhfohbpecabbjfhkdji] - <no Path/update_url>
CHR HKLM-x32\...\Chrome\Extension: [amhlacfinnaffmhfohbpecabbjfhkdji] - <no Path/update_url>
CHR HKLM-x32\...\Chrome\Extension: [dflinnddekagfkncpgojoppgnppfkbkj] - <no Path/update_url>
CHR HKLM-x32\...\Chrome\Extension: [ohhcpmplhhiiaoiddkfboafbhiknefdf] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [245760 2010-01-25] (Brother Industries, Ltd.) [File not signed]
R2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [93184 2014-08-21] (Hewlett-Packard Company) [File not signed]
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [89864 2014-12-11] (Hewlett-Packard Company)
R2 IconMan_R; C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2372096 2011-02-18] (Realsil Microelectronics Inc.) [File not signed]
R2 Platinum Host Service; C:\Program Files\Trend Micro\Titanium\plugin\Pt\PtSvcHost.exe [1137664 2015-07-16] (Trend Micro Inc.)
R2 Unchecky; C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe [254904 2016-03-22] (RaMMicHaeL)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad -bt=0 [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R3 netr28x; C:\Windows\System32\DRIVERS\netr28x.sys [2473616 2014-12-10] (MediaTek Inc.)
R3 Sftfs; C:\Windows\System32\DRIVERS\Sftfswin7.sys [767648 2014-10-08] (Microsoft Corporation)
R3 Sftplay; C:\Windows\System32\DRIVERS\Sftplaywin7.sys [273576 2014-10-08] (Microsoft Corporation)
R3 Sftredir; C:\Windows\System32\DRIVERS\Sftredirwin7.sys [29864 2014-10-08] (Microsoft Corporation)
R3 Sftvol; C:\Windows\System32\DRIVERS\Sftvolwin7.sys [23208 2014-10-08] (Microsoft Corporation)
R1 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [133424 2015-11-23] (Trend Micro Inc.)
R0 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [324912 2015-11-23] (Trend Micro Inc.)
R0 TMEBC; C:\Windows\System32\DRIVERS\TMEBC64.sys [59712 2015-06-11] (Trend Micro Inc.)
R3 tmeevw; C:\Windows\System32\DRIVERS\tmeevw.sys [116576 2015-06-08] (Trend Micro Inc.)
R1 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [99632 2015-11-23] (Trend Micro Inc.)
R3 tmnciesc; C:\Windows\System32\DRIVERS\tmnciesc.sys [416608 2015-05-28] (Trend Micro Inc.)
R1 tmumh; C:\Windows\System32\DRIVERS\TMUMH.sys [91536 2015-06-28] (Trend Micro Inc.)
R2 tmusa; C:\Windows\System32\DRIVERS\tmusa.sys [124752 2015-12-09] (Trend Micro Inc.)
U2 TMAgent; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-07-19 17:57 - 2016-07-19 17:59 - 00021217 _____ C:\Users\Paul\Desktop\FRST.txt
2016-07-19 17:29 - 2016-07-19 17:59 - 00000000 ____D C:\FRST
2016-07-19 17:27 - 2016-07-19 17:27 - 02391552 _____ (Farbar) C:\Users\Paul\Desktop\FRST64 (1).exe
2016-07-19 12:56 - 2016-07-19 12:56 - 00000000 ____D C:\d038c670b0d42bdc48
2016-07-19 12:38 - 2016-07-19 12:38 - 00000000 ____D C:\ae8c258e14204ac273d5f05f258092
2016-07-19 11:49 - 2016-07-19 11:49 - 00000000 ____D C:\b8f000ad25ce87ac85
2016-07-19 10:48 - 2016-07-19 10:48 - 00002656 _____ C:\Users\Paul\Desktop\JRT.txt
2016-07-19 09:50 - 2016-07-19 09:50 - 01610560 _____ (Malwarebytes) C:\Users\Paul\Desktop\JRT.exe
2016-07-19 09:36 - 2016-07-19 10:09 - 00000000 ____D C:\AdwCleaner
2016-07-19 09:35 - 2016-07-19 09:36 - 03712064 _____ C:\Users\Paul\Downloads\adwcleaner_5.201.exe
2016-07-17 17:54 - 2016-07-17 17:54 - 00000000 ____D C:\Users\Paul\AppData\Roaming\{90140011-0066-0409-0000-0000000FF1CE}
2016-07-17 17:54 - 2016-07-17 17:54 - 00000000 ____D C:\ProgramData\Virtualized Applications
2016-07-16 22:22 - 2016-07-16 22:22 - 06079168 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-07-19 17:55 - 2013-08-22 21:22 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-07-19 17:22 - 2012-12-01 20:57 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-07-19 15:34 - 2009-07-14 00:45 - 00032064 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-07-19 15:34 - 2009-07-14 00:45 - 00032064 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-07-19 14:47 - 2013-08-22 21:22 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-07-19 14:47 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-07-19 14:03 - 2016-05-19 18:58 - 00000010 _____ C:\Users\Paul\AppData\Local\sponge.last.runtime.cache
2016-07-19 09:32 - 2011-12-10 09:55 - 00003918 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{9DCDAA43-4F9B-4971-8790-77169522014B}
2016-07-17 20:37 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
2016-07-17 20:36 - 2015-02-06 16:40 - 00000000 ____D C:\Windows\Minidump
2016-07-17 20:36 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\Msdtc
2016-07-17 18:23 - 2013-09-30 18:51 - 00000000 ____D C:\Users\Paul\AppData\Roaming\SoftGrid Client
2016-07-17 17:54 - 2013-09-30 18:51 - 00000000 ____D C:\Users\Paul\AppData\Local\SoftGrid Client
2016-07-17 17:42 - 2016-05-11 14:56 - 00000179 _____ C:\Users\Paul\Documents\Meds 8-1-16.txt
2016-07-17 17:04 - 2011-12-22 18:18 - 00000000 ____D C:\Users\Paul\AppData\Local\CrashDumps
2016-07-17 17:04 - 2009-07-14 01:08 - 00032636 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-07-17 16:47 - 2011-12-10 09:44 - 00000000 ____D C:\Users\Paul
2016-07-16 22:22 - 2012-12-01 20:57 - 00796352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-07-16 22:22 - 2012-12-01 20:57 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-07-16 22:22 - 2011-07-16 01:37 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-07-16 22:20 - 2009-07-14 01:13 - 00799060 _____ C:\Windows\system32\PerfStringBackup.INI
2016-07-16 22:15 - 2012-12-01 20:57 - 00000000 ____D C:\Windows\system32\Macromed
2016-07-16 22:15 - 2011-12-22 18:11 - 00000000 ____D C:\ProgramData\Trend Micro
2016-07-16 22:15 - 2011-12-10 09:45 - 00000000 ____D C:\Users\Paul\AppData\Local\Hewlett-Packard
2016-07-16 22:15 - 2011-07-16 01:37 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-07-16 22:15 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\registration
2016-07-16 21:25 - 2011-12-25 15:55 - 00000328 _____ C:\Windows\Tasks\HPCeeScheduleForPaul.job
2016-07-16 20:23 - 2014-12-24 20:45 - 00004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2016-07-16 20:21 - 2011-12-25 15:55 - 00003180 _____ C:\Windows\System32\Tasks\HPCeeScheduleForPaul
2016-07-02 20:07 - 2015-04-21 18:27 - 00000000 ___RD C:\#All Music
2016-06-29 16:18 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\rescache
2016-06-29 13:54 - 2016-05-19 17:09 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-06-22 13:57 - 2013-08-22 21:23 - 00002155 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk

==================== Files in the root of some directories =======

2014-04-04 12:41 - 2014-04-04 12:51 - 4977710 _____ () C:\Program Files (x86)\DirectoryListPrintProEN.zip
2015-04-03 13:06 - 2015-03-25 18:42 - 21621248 _____ () C:\Program Files (x86)\SoulseekQt.exe
2012-12-20 19:40 - 2012-06-13 10:23 - 0893560 _____ (Complitly ) C:\Program Files (x86)\Common Files\AutoCompletePro.exe
2013-03-03 15:06 - 2013-03-03 15:06 - 0000288 _____ () C:\Users\Paul\AppData\Roaming\.backup.dm
2013-12-03 21:09 - 2013-12-03 21:09 - 0000036 _____ () C:\Users\Paul\AppData\Local\housecall.guid.cache
2013-03-08 00:08 - 2015-02-17 14:51 - 0007608 _____ () C:\Users\Paul\AppData\Local\Resmon.ResmonCfg
2015-01-18 17:47 - 2015-01-18 17:47 - 0032448 _____ () C:\Users\Paul\AppData\Local\soulseek-client.dat.1421617657897
2015-01-18 18:58 - 2015-01-18 18:58 - 0032448 _____ () C:\Users\Paul\AppData\Local\soulseek-client.dat.1421621931442
2015-01-21 01:07 - 2015-01-21 01:07 - 0032448 _____ () C:\Users\Paul\AppData\Local\soulseek-client.dat.1421816827147
2016-05-19 18:58 - 2016-07-19 14:03 - 0000010 _____ () C:\Users\Paul\AppData\Local\sponge.last.runtime.cache

Some files in TEMP:
====================
C:\Users\Paul\AppData\Local\Temp\libeay32.dll
C:\Users\Paul\AppData\Local\Temp\msvcr120.dll
C:\Users\Paul\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-06-29 16:07

=



#28
July 19, 2016 at 15:12:15
Upload the 2nd log as requested, post on the forum is not complete > FRST.txt
Doubleclick on it to open & make sure it is the correct one.

It is Not FRST.exe



#29
July 19, 2016 at 15:23:57
I'm at a loss. Sent FRST and Additional. Where should I go from here?

message edited by randoh



#30
July 19, 2016 at 15:25:31
"I'am at a lost. Sent fst and additional. were should I go from here"
You have sent additional twice.


#31
July 19, 2016 at 15:26:00
telling me if I repost so on


#32
July 19, 2016 at 15:32:03
johnw I'm going to run Farbar again


#33
July 19, 2016 at 15:54:15
I get the feeling my last response has been lost in this hunt for malware.

How To Ask Questions The Smart Way

message edited by Razor2.3



#34

#35
July 19, 2016 at 15:56:38
Ok, got them, back in about 1/2 an hour, in the meantime.

Turn off Auto updates.

Disable Windows 7 / Vista From Downloading Automatic Updates
http://www.addictivetips.com/window...



#36
July 19, 2016 at 16:06:52
OK Johnw updates turned off


#37
July 19, 2016 at 16:17:54
Copy & Paste the text in Blue below & save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

CreateRestorePoint:
emptytemp:
closeprocesses:
Task: {306B69B9-6555-4275-BBC2-C80DCCD6F928} - System32\Tasks\{B2723BC9-6711-4BA2-BB5B-43AF3106FE80} => Chrome.exe hxxp://ui.skype.com/ui/0/5.3.0.111.324/en/abandoninstall?page=tsMain&installinfo=google-toolbar:notoffered;notincluded,google-chrome:notoffered;disabled
Task: {B8B4A8C2-BEB6-499D-9D1A-D39245B88E5C} - System32\Tasks\{284176E7-4B91-4ECA-9665-C1A1EA43E39E} => Chrome.exe hxxp://ui.skype.com/ui/0/5.3.0.111.324/en/abandoninstall?page=tsOptions&installinfo=google-toolbar:notoffered;notincluded,google-chrome:notoffered;disabled
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-1945250335-4174644849-3491937529-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT/1
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF HKLM-x32\...\Firefox\Extensions: [{38783831-6098-4faa-A9C9-1EE1E343F4D2}] - C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1104\7.1.1104\firefoxextension => not found
CHR Extension: (No Name) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2016-04-20]
CHR Extension: (No Name) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohhcpmplhhiiaoiddkfboafbhiknefdf [2016-04-20]
CHR HKU\S-1-5-21-1945250335-4174644849-3491937529-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [amhlacfinnaffmhfohbpecabbjfhkdji] - <no Path/update_url>
CHR HKLM-x32\...\Chrome\Extension: [amhlacfinnaffmhfohbpecabbjfhkdji] - <no Path/update_url>
CHR HKLM-x32\...\Chrome\Extension: [dflinnddekagfkncpgojoppgnppfkbkj] - <no Path/update_url>
CHR HKLM-x32\...\Chrome\Extension: [ohhcpmplhhiiaoiddkfboafbhiknefdf] - hxxps://clients2.google.com/service/update2/crx
S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad -bt=0 [X]
U2 TMAgent; no ImagePath

Open FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.

message edited by Johnw


Report •
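An added example, not part of the original post and not FRST's or the helper's own code: one way to pull review candidates out of an FRST log like the one posted above, using markers that appear on lines of the fixlist in #37. The rule set and the reading of each marker are assumptions made for this sketch; the sample lines are copied from the log in this thread.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")

# Markers treated as "orphaned or empty". These are assumptions taken from
# lines visible in this thread, not FRST's own logic.
RULES = [
    ("target not found", re.compile(r"=> not found\s*$")),
    ("no path or update URL", re.compile(r"<no Path/update_url>\s*$")),
    # A trailing [X] is read here as "file could not be located" (assumption).
    ("trailing [X] marker", re.compile(r"\[X\]\s*$")),
    ("no ImagePath", re.compile(r";\s*no ImagePath\s*$")),
    ("empty value", re.compile(r"(?:URL|Page)\s*=\s*$")),
    ("unnamed extension", re.compile(r"^CHR Extension: \(No Name\)")),
]

# "==== Services (Whitelisted) ====" style section banners.
BANNER_RE = re.compile(r"^={3,}\s*(.+?)\s*={3,}$")

# Sample input: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-07-16] ()
FF HKLM-x32\...\Firefox\Extensions: [{38783831-6098-4faa-A9C9-1EE1E343F4D2}] - C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1104\7.1.1104\firefoxextension => not found

Chrome:
=======
CHR Extension: (Gmail) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-04-20]
CHR Extension: (No Name) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2016-04-20]
CHR HKLM-x32\...\Chrome\Extension: [dflinnddekagfkncpgojoppgnppfkbkj] - <no Path/update_url>

==================== Services (Whitelisted) ========================

R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad -bt=0 [X]

===================== Drivers (Whitelisted) ==========================

R0 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [324912 2015-11-23] (Trend Micro Inc.)
U2 TMAgent; no ImagePath
"""


def triage(log_text):
    """Return a Finding for every log line that matches one of RULES."""
    findings = []
    section = "(unknown)"
    previous = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"="}:
            # Underline-style header: "Chrome:" followed by "=======".
            if previous.endswith(":"):
                section = previous[:-1]
        else:
            banner = BANNER_RE.match(line)
            if banner:
                section = banner.group(1)
            else:
                for reason, pattern in RULES:
                    if pattern.search(line):
                        findings.append(Finding(section, reason, line))
                        break  # first matching rule wins
        previous = line
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s: %s" % (f.section, f.reason, f.line))
```

The output is a review list, not a fixlist: the fixlist in #37 also contains entries, such as the two Task lines, that carry none of these markers and were chosen by the helper.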

#38
July 19, 2016 at 16:20:21
The file wuauserv Windows netsvcs (as I think you already know) runs Windows Update. For sure!

message edited by randoh



#39
July 19, 2016 at 16:23:49
"(as I think you already know)"
Yep.


#40
July 19, 2016 at 16:31:15
I thought so as soon as I realized it, I could see where you were going (a bit like chess) but I'm still dumb as a stump!

message edited by randoh



#41
July 19, 2016 at 16:45:59
Don't forget post #37


#42
July 19, 2016 at 17:41:10
Johnw, I'm so sorry!
I'm having a problem with instability. #37, cannot get to Notepad to save blue portion.
Can I have your input?

message edited by randoh



#43
July 19, 2016 at 19:16:05
Notepad location windows 7
https://www.google.com.au/webhp?hl=...

http://www.digitalcitizen.life/begi...



#44
July 19, 2016 at 19:53:43
Johnw, thanks for the help, but no good: still running from 50 to 100%. Had to shut Trend down to run FRST. Will not start back up. If you have any more ideas let me know. With respect, Randoh. Thanks much!

message edited by randoh



#45
July 19, 2016 at 20:03:21
Try a reboot, otherwise no idea, other than you are doing something wrong.


#46
July 19, 2016 at 22:48:51
Johnw ran Windows Update Diagnostic. Found update error 0x80070003(2016-07-20-t-01-31_36A. Cannot receive any more updates but don't have to worry about high CPU problems. Doesn't try to download anymore. OK Johnw, thanks for all of your time. Maybe it's an opening for new things.


#47
July 19, 2016 at 23:06:01
Thought you had gone to bed.

"Doesn't try to download anymore"
It was probably trying to download W10.

Run DelFix. Copy & Paste the contents of the log please.
https://toolslib.net/downloads/view...
DelFix is designed to delete all removal tools used during a disinfection.
Indeed, these tools are often updated. It's recommended not to have and use outdated versions on computer.
Run the tool by right click on the DelFix icon and Run as administrator option.
Make sure that these are checked:
Activate UAC (optional; some users prefer to keep it off)
Remove disinfection tools
Create registry backup
Purge system restore
Reset system settings
Click Run and wait until the tool completes its work.
Tool will create a report for you (C:\DelFix.txt)



#48
July 20, 2016 at 12:32:59
Johnw, sorry, up very late last night. Johnw, went to Windows Update fix software, says I needed Windows Update 80244019, of course impossible.
Thinking you gave up on me after that Notepad deal (by the way, it would not copy to desktop because an * was in the file), everything went downhill from there. Trend Micro was turned off because the software I was running was seen as a threat. The machine got very unstable and I broke down and replaced everything with backup. I sure would not blame you if you walked (ran) away. So I'm back to square one. CPU started high run % again when I started it up.

message edited by randoh



#49
July 20, 2016 at 12:38:19
Had to turn off wuauserv netsvcs just to have enough CPU to write without being choppy.


#50
July 20, 2016 at 14:43:05
# DelFix v1.013 - Logfile created 20/07/2016 at 17:41:24
# Updated 17/04/2016 by Xplode
# Username : Paul - PAUL-HP
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\Users\Paul\Downloads\AdwCleaner.exe
Deleted : C:\Users\Paul\Downloads\FRST64.exe
Deleted : C:\Users\Paul\Downloads\JRT.exe

~ Creating registry backup ... OK

~ Cleaning system restore ...


New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########



#51
July 20, 2016 at 15:24:04
Hey randoh, I gave a link about resetting Windows Update back in response #21, and I'm still waiting on a response about that.

How To Ask Questions The Smart Way



#52
July 20, 2016 at 17:01:25
Razor2.3 sorry I was busy making Johnw crazy and missed your post. Can you walk me through this (older not real computer savvy.)

message edited by randoh



#53
July 20, 2016 at 18:27:26
Razor2.3 Windows update diagnostic. Windows update error 0x80070003(2016-07-20-t-51-32P


#54
July 20, 2016 at 18:57:24
Razor2.3 Microsoft gives the run around when I try to get download on first sight.


#55
July 20, 2016 at 22:21:45
The second link is more important, the one dealing with resetting the Windows Update components. If that doesn't work, you're in for a lot of work, depending on how many missing files Windows Update is complaining about.

How To Ask Questions The Smart Way



#56
July 21, 2016 at 07:38:21
Razor2.3 before I messed up with Johnw I think he had a good idea of what was going on down in. Thanks for passing on your help.


#57
July 21, 2016 at 07:57:09
Johnw, I do have faith you can help me out here. I'm sorry for my anxiousness and stupidity. I follow you a bit and know you stay pretty busy, but down the road would you try to help me again? I promise I will follow your instructions and not wander off. It's a good thing you do for strangers. Johnw, if not, thanks again.

message edited by randoh



#58

#59
July 21, 2016 at 18:32:13
Johnw so happy you aFix result of Farbar Recovery Scan Tool (x64) Version: 20-07-2016
Ran by Paul (2016-07-21 21:27:01) Run:1
Running from C:\Users\Paul\Desktop
Loaded Profiles: Paul (Available Profiles: Paul)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
emptytemp:
closeprocesses:
Task: {306B69B9-6555-4275-BBC2-C80DCCD6F928} - System32\Tasks\{B2723BC9-6711-4BA2-BB5B-43AF3106FE80} => Chrome.exe hxxp://ui.skype.com/ui/0/5.3.0.111.324/en/abandoninstall?page=tsMain&installinfo=google-toolbar:notoffered;notincluded,google-chrome:notoffered;disabled
Task: {B8B4A8C2-BEB6-499D-9D1A-D39245B88E5C} - System32\Tasks\{284176E7-4B91-4ECA-9665-C1A1EA43E39E} => Chrome.exe hxxp://ui.skype.com/ui/0/5.3.0.111.324/en/abandoninstall?page=tsOptions&installinfo=google-toolbar:notoffered;notincluded,google-chrome:notoffered;disabled
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-1945250335-4174644849-3491937529-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT/1
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF HKLM-x32\...\Firefox\Extensions: [{38783831-6098-4faa-A9C9-1EE1E343F4D2}] - C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1104\7.1.1104\firefoxextension => not found
CHR Extension: (No Name) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2016-04-20]
CHR Extension: (No Name) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohhcpmplhhiiaoiddkfboafbhiknefdf [2016-04-20]
CHR HKU\S-1-5-21-1945250335-4174644849-3491937529-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [amhlacfinnaffmhfohbpecabbjfhkdji] - <no Path/update_url>
CHR HKLM-x32\...\Chrome\Extension: [amhlacfinnaffmhfohbpecabbjfhkdji] - <no Path/update_url>
CHR HKLM-x32\...\Chrome\Extension: [dflinnddekagfkncpgojoppgnppfkbkj] - <no Path/update_url>
CHR HKLM-x32\...\Chrome\Extension: [ohhcpmplhhiiaoiddkfboafbhiknefdf] - hxxps://clients2.google.com/service/update2/crx
S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad -bt=0 [X]
U2 TMAgent; no ImagePath
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{306B69B9-6555-4275-BBC2-C80DCCD6F928}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{306B69B9-6555-4275-BBC2-C80DCCD6F928}" => key removed successfully
C:\Windows\System32\Tasks\{B2723BC9-6711-4BA2-BB5B-43AF3106FE80} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{B2723BC9-6711-4BA2-BB5B-43AF3106FE80}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B8B4A8C2-BEB6-499D-9D1A-D39245B88E5C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B8B4A8C2-BEB6-499D-9D1A-D39245B88E5C}" => key removed successfully
C:\Windows\System32\Tasks\{284176E7-4B91-4ECA-9665-C1A1EA43E39E} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{284176E7-4B91-4ECA-9665-C1A1EA43E39E}" => key removed successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Local Page => value restored successfully
HKU\S-1-5-21-1945250335-4174644849-3491937529-1000\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{38783831-6098-4faa-A9C9-1EE1E343F4D2} => value removed successfully
C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn => moved successfully
C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohhcpmplhhiiaoiddkfboafbhiknefdf => moved successfully
"HKU\S-1-5-21-1945250335-4174644849-3491937529-1000\SOFTWARE\Google\Chrome\Extensions\amhlacfinnaffmhfohbpecabbjfhkdji" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\amhlacfinnaffmhfohbpecabbjfhkdji" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dflinnddekagfkncpgojoppgnppfkbkj" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ohhcpmplhhiiaoiddkfboafbhiknefdf" => key removed successfully
Amsp => service removed successfully
TMAgent => service removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 18662853 B
Java, Flash, Steam htmlcache => 708 B
Windows/system/drivers => 5768467 B
Edge => 0 B
Chrome => 858929156 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 128 B
systemprofile32 => 1142744 B
LocalService => 0 B
NetworkService => 63718 B
Paul => 24369354 B

RecycleBin => 2130464 B
EmptyTemp: => 876.9 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 21:27:28 ====

ccepted my apology.



#60
July 21, 2016 at 18:37:35
A new restore point was created plus a lot of things known and not known to me.

message edited by randoh



#61
July 21, 2016 at 18:40:54
Perfect.

Now some Windows update questions.

Are Windows auto updates still turned off?

When you manually check for updates, give me an SS of every message you see.



#62
July 21, 2016 at 18:54:23
Yes, check for updates: green bar just keeps running, nothing so far.
Check for updates started off with a big red X.

message edited by randoh



#63
July 21, 2016 at 18:57:29
Leave it running. MS have put W7 updates on their slowest server; it can take hours.


#64
July 21, 2016 at 18:59:19
OK, will be watching.


#65
July 21, 2016 at 19:02:29
Johnw, get any sleep? Is it cold down there? 95° here, well, today. Went to my sister's in the mountains, 10° cooler.

message edited by randoh



#66
July 21, 2016 at 19:25:36
I've been using Trend Micro Max, Windows Defender, and Malwarebytes (which you put me on to at the end of last year). I use all three a lot, not just now and then. It's like nothing can save you any more. I guess it will just get worse!

message edited by randoh



#67
July 21, 2016 at 19:30:58
John, what's SS mean?


#68
July 21, 2016 at 19:39:09
Most recent check for updates: never.
Updates were installed: never.
At flag: 2 important messages.
Click to see antispyware programs and turn on Trend Micro Maximum.


#69
July 21, 2016 at 21:10:25
"John, what's SS mean?"
Screenshots.

"updates were installed never"
Is that true?
Did you click on > Check for updates?
http://fs5.directupload.net/images/...
Give me an SS of what it finds.

"Is it cold down there"
Not too bad, we never get snow, even frost is very rare, had a lot of hail last week.
http://www.timeanddate.com/worldclo...



#70
July 21, 2016 at 21:13:26
"I use all three a lot, not just now and then. It's like nothing can save you any more. I guess it will just get worse!"
It is up to the USER to be vigilant. Google everything/suspicious you don't understand, before you click.

message edited by Johnw



#71
July 21, 2016 at 21:27:22
Johnw, there are hundreds of updates up until 6-15-2016, all or most security updates. I stopped automatic updates when I started getting the unwanted KB3035583 Windows 10 update boxes. Then I chose to see what was available and update myself. Maybe not such a good idea, but I can't stand being nagged.


#72
July 21, 2016 at 21:32:44
I noticed I wasn't getting the updates as usual, what do they call it on (Update Tuesday). I should have known something was wrong at that time.

message edited by randoh



#73
July 21, 2016 at 21:33:12
✔ Best Answer
"there are hundreds of updates up until 6-15-2016"
Ok, that will take days using MS servers.

Use this.

http://update7.simplix.info/UpdateP...



#74
July 21, 2016 at 21:38:50
Got it, Johnw, what now?


#75
July 21, 2016 at 21:46:29
"Got it Johnw what now"
Run it.


#76
July 21, 2016 at 21:47:18
Johnw, I know I had gotten more after that. I stay up on updates just about every time I turn this machine on. Just the last few weeks there have been none. I don't know where the others went!

message edited by randoh



#77
July 21, 2016 at 21:52:54
"I don't know where the others went!"
You are not making any sense; you just told me there are hundreds available for download.

Run Simplix & it will only install what is needed.



#78
July 21, 2016 at 21:54:40
Johnw, just looked for hidden updates. The folder is empty; I had 100's hidden. How can they all be gone? What would do that?


#79
July 21, 2016 at 22:05:08
"what would do that?"
No idea.


#80
July 21, 2016 at 22:10:05
Johnw, 29 updates are loading.

message edited by randoh



#81
July 22, 2016 at 00:02:10
Johnw, I knew if there was someone out there that could help me it was you. Thank you for accepting my apology. After a few fixes between Malwarebytes and Trend I had to replace both to get them to work, conflict between the two! Johnw, if you see my name out there again asking for help, please don't avoid me because I'm an ass. Everything looks back to normal. Try it out a few times before I create a backup. Johnw, it was fun for the most part, thanks so much. CPU back to normal. Big cool down.

message edited by randoh



#82
July 22, 2016 at 00:14:44
"try it out a few times before I create a backup"
This is one of the tools I run on all comps I get for fixing.

Run Kaspersky Cleaner (To install, right-click the .exe & select > Run as Administrator)
http://www.softpedia.com/get/Antivi...
http://free.kaspersky.com/



#83
July 23, 2016 at 10:04:58
Johnw, been putting my machine to the test for a bit now. Just wanted you to know how pleased I am for what you did to help me. Again, much thanks.


#84
July 23, 2016 at 15:35:15
"Again much thanks"
YW randoh.


#85
August 20, 2016 at 23:28:41
See the steps here; this helped me.
http://appuals.com/high-cpu-usage-b...
