
Both Internet Explorer and Firefox use 100% CPU


22 replies to this topic

#1 hdleng

Posted 21 March 2017 - 10:44 PM

All applications on my PC slowed down drastically.  This did not happen gradually; rather, it was sudden.  I tried having this resolved in a different forum without success: https://www.bleepingcomputer.com/forums/t/641572/delayed-event-sounds-slow-operation-task-manager-cpu-usage/?hl=%2Bhdleng#entry4195509

 

As the title says, both web browsers consume 100% of CPU resources, and they are very slow.

 

Other odd symptoms include delayed system sounds; they are delayed 5 to about 30 seconds from the mouse or other event that triggered them.

 

I have run FRST.exe and attached the output files.

 

Thank you in advance



#2 Jo*

  • Malware Response Team

Posted 22 March 2017 - 01:21 PM

Welcome to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy and save the instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification if you have any questions.
  • Stay with this topic until you get the "all clean" post.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


Step 1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


Step 2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version, so please be sure to read the disclaimer and back up all your data before using it.
  • Double-click on the downloaded file. Click OK at the self-extracting prompt.
  • MBAR will start. Click "Next" on the introduction screen to continue.
  • Click "Update" on the following screen to obtain the latest malware definitions.
  • Once the update is complete, select "Next" and click "Scan".
With some infections, you may see two message boxes:
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found, do not press the Clean up button; please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Step 3: Please download AdwCleaner by Xplode and save it to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin... be patient, as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button... a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.

***


Step 4: Reimage Protector
I would advise you to uninstall Reimage Protector now.
You can do this via Start > Control Panel > Add/Remove Programs (XP) or Start > Control Panel > Programs and Features (Vista / 7 / 8 / 10).

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 hdleng

Posted 23 March 2017 - 04:28 AM

Jo, thank you for the help. I have run SecurityCheck as you directed, and I have attached checkup.txt. I also removed Reimage.

 

I will post again after I run Malwarebytes Anti-Rootkit and AdwCleaner.


#4 hdleng

Posted 23 March 2017 - 01:17 PM

Jo, in my last post I attached rather than copied and pasted checkup.txt. This is the pasted checkup.txt:

 

 Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows 7 Service Pack 1 x86 (UAC is enabled)  
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled!  
Norton AntiVirus Online   
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Java 8 Update 101  
 Java version 32-bit out of Date!
 Mozilla Firefox (52.0.1)
````````Process Check: objlist.exe by Laurent````````  
 Norton AntiVirus Engine 22.9.0.71 NAV.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 

 

 

Malwarebytes Anti-Rootkit found no malware.  This is mbar-log-...txt:

 

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org

Database version:
  main:    v2017.03.23.05
  rootkit: v2017.03.11.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Jim :: JIMW7 [administrator]

3/23/2017 2:19:18 AM
mbar-log-2017-03-23 (02-19-18).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 279226
Time elapsed: 25 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

This is AdwCleaner[S0].txt:

 

# AdwCleaner v6.044 - Logfile created 23/03/2017 at 11:05:44
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-23.2 [Server]
# Operating System : Windows 7 Ultimate Service Pack 1 (X86)
# Username : Jim - JIMW7
# Running from : C:\Users\Jim\Desktop\AdwCleaner.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

Service Found:  swdumon


***** [ Folders ] *****

Folder Found:  C:\Users\Jim\AppData\Local\slimware utilities inc
Folder Found:  C:\Users\Jim\AppData\Local\YSearchUtil
Folder Found:  C:\Users\Jim\AppData\Local\SlimWare Utilities Inc
Folder Found:  C:\Users\Public\Documents\Downloaded Installers
Folder Found:  C:\Program Files\Yahoo!\yset
Folder Found:  C:\Windows\system32\config\systemprofile\AppData\Local\YSearchUtil


***** [ Files ] *****

File Found:  C:\Windows\Reimage.ini
File Found:  C:\Windows\system32\drivers\swdumon.sys


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

Key Found:  HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine
Key Found:  HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine.1
Key Found:  HKLM\SOFTWARE\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}
Key Found:  HKLM\SOFTWARE\Classes\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{10ECCE17-29B5-4880-A8F5-EAD298611484}
Key Found:  HKU\S-1-5-21-1881147041-2859140212-2274230566-1001\Software\Reimage
Key Found:  HKU\S-1-5-21-1881147041-2859140212-2274230566-1001\Software\SlimWare Utilities Inc
Key Found:  HKU\S-1-5-21-1881147041-2859140212-2274230566-1001\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
Key Found:  HKCU\Software\Reimage
Key Found:  HKCU\Software\SlimWare Utilities Inc
Key Found:  HKCU\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
Key Found:  HKLM\SOFTWARE\SLIMWARE UTILITIES, INC.
Key Found:  HKLM\SOFTWARE\Reimage
Key Found:  HKLM\SOFTWARE\SlimWare Utilities Inc
Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! SearchSet
Key Found:  HKU\S-1-5-21-1881147041-2859140212-2274230566-1001\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found:  HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found:  HKLM\SOFTWARE\Classes\AppID\REI_AxControl.DLL


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [2970 Bytes] - [23/03/2017 11:05:44]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3043 Bytes] ##########
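The AdwCleaner output above has a fixed line format: a "# Mode:" header, "***** [ Section ] *****" banners, and one "Kind Found:  target" line per hit in Scan mode (a Clean-mode run writes "[-] Kind deleted: target" and "[#] Kind deleted on reboot: target" instead). The following Python script is an added example, not code from this thread or from Malwarebytes: it parses either log shape into structured findings, attributes each item to a PUP family by keyword, and lists the "[#] deleted on reboot" entries, which are the ones to verify after the restart since the tool only scheduled them for removal. The keyword table and the abbreviated sample logs are constructed for the example from names that appear in the logs above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Line shapes of an AdwCleaner v6 log: mode header, section banner,
# scan-mode "Kind Found:  target", clean-mode "[-]/[#] Kind deleted[ on reboot]: target".
MODE_RE = re.compile(r"^# Mode:\s*(?P<mode>\w+)$")
SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>.+?) \] \*{5}$")
SCAN_RE = re.compile(r"^(?P<kind>[A-Za-z]+) Found:\s+(?P<target>.+)$")
CLEAN_RE = re.compile(r"^\[[-#]\] (?P<kind>[A-Za-z]+) deleted(?P<reboot> on reboot)?:\s+(?P<target>.+)$")

# Assumed attribution table (example only), built from vendor names that appear
# in this thread's log; anything it does not match is reported as "other".
FAMILY_KEYWORDS = {
    "reimage": "Reimage", "rei_axcontrol": "Reimage",
    "slimware": "SlimWare",
    "yahoo": "Yahoo SearchSet", "ysearch": "Yahoo SearchSet", "yset": "Yahoo SearchSet",
}


@dataclass(frozen=True)
class Finding:
    section: str  # log section, e.g. "Registry"
    kind: str     # "Service", "Folder", "File", "Key", ...
    target: str   # service name, path or registry key
    action: str   # "found", "deleted" or "deleted_on_reboot"


def family_of(target: str) -> str:
    """Attribute a finding to a PUP family by keyword (assumed mapping above)."""
    lowered = target.lower()
    for keyword, family in FAMILY_KEYWORDS.items():
        if keyword in lowered:
            return family
    return "other"


def parse_adwcleaner(text: str):
    """Return (mode, findings) for one AdwCleaner v6 log; 'No ... found.' lines are skipped."""
    mode, section, findings = "unknown", "header", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MODE_RE.match(line):
            mode = m.group("mode")
        elif m := SECTION_RE.match(line):
            section = m.group("name")
        elif m := SCAN_RE.match(line):
            findings.append(Finding(section, m.group("kind"), m.group("target"), "found"))
        elif m := CLEAN_RE.match(line):
            action = "deleted_on_reboot" if m.group("reboot") else "deleted"
            findings.append(Finding(section, m.group("kind"), m.group("target"), action))
    return mode, findings


def pending_after_reboot(findings: List[Finding]) -> List[Finding]:
    """Items AdwCleaner only scheduled for removal ([#]); re-check these after the restart."""
    return [f for f in findings if f.action == "deleted_on_reboot"]


def count_by_family(findings: List[Finding]) -> Dict[str, int]:
    """How many findings belong to each PUP family."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[family_of(f.target)] = counts.get(family_of(f.target), 0) + 1
    return counts


# Constructed, abbreviated samples in the shape of the thread's AdwCleaner[S0]/[C0] logs.
SAMPLE_SCAN_LOG = r"""# AdwCleaner v6.044 - Logfile created 23/03/2017 at 11:05:44
# Mode: Scan

***** [ Services ] *****

Service Found:  swdumon

***** [ Folders ] *****

Folder Found:  C:\Users\Jim\AppData\Local\YSearchUtil

***** [ DLL ] *****

No malicious DLLs found.

***** [ Registry ] *****

Key Found:  HKLM\SOFTWARE\Reimage
Key Found:  HKCU\Software\SlimWare Utilities Inc
Key Found:  HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
"""

SAMPLE_CLEAN_LOG = r"""# Mode: Clean

***** [ Services ] *****

[-] Service deleted: swdumon

***** [ Folders ] *****

[-] Folder deleted: C:\Users\Jim\AppData\Local\YSearchUtil
[#] Folder deleted on reboot: C:\Users\Jim\AppData\Local\SlimWare Utilities Inc

***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Reimage
[#] Key deleted on reboot: HKCU\Software\Reimage
"""
```

Feeding the full C:\AdwCleaner\AdwCleaner[C0].txt into parse_adwcleaner and then pending_after_reboot gives the list of folders and HKCU keys that still need a Test-Path / registry check after the reboot; the per-family counts from count_by_family show at a glance whether a log is dominated by one bundled product (Reimage, SlimWare, Yahoo SearchSet) or by unattributed leftovers such as the swdumon service and driver.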
 



#5 Jo*

Posted 23 March 2017 - 02:05 PM

Hello,

Step 1: Run Malwarebytes Anti-Rootkit again: double-click mbar.exe to run the tool.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Scan your system for malware.
  • If malware is found, click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Then go to the MBAR folder and copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Step 2: Double-click on AdwCleaner.exe to run the tool again.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

***


Step 3: Please download Junkware Removal Tool from HERE and save it to your desktop.
Shut down your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.


***


Step 4: How is the computer running now?


***


Step 5: FRST / FRST64: run it again.
  • Right-click FRST / FRST64, then click "Run as administrator" (XP users: click Run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Put a check into the box next to Addition.txt and press the Scan button.
  • When finished, it will produce logs called FRST.txt and Addition.txt in the same directory the tool was run from.
  • Please copy and paste both logs in your next reply.

Cheers,
Jo


#6 hdleng

Posted 23 March 2017 - 10:19 PM

Jo,  Malwarebytes Anti-Rootkit did not find any malware.  MBAR-log-***.txt:

 

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org

Database version:
  main:    v2017.03.23.15
  rootkit: v2017.03.11.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Jim :: JIMW7 [administrator]

3/23/2017 4:07:40 PM
mbar-log-2017-03-23 (16-07-40).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 278933
Time elapsed: 17 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

 

AdwCleaner[C0].txt:

 

# AdwCleaner v6.044 - Logfile created 23/03/2017 at 18:53:55
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-23.2 [Local]
# Operating System : Windows 7 Ultimate Service Pack 1 (X86)
# Username : Jim - JIMW7
# Running from : C:\Users\Jim\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

[-] Service deleted: swdumon


***** [ Folders ] *****

[-] Folder deleted: C:\Users\Jim\AppData\Local\slimware utilities inc
[-] Folder deleted: C:\Users\Jim\AppData\Local\YSearchUtil
[#] Folder deleted on reboot: C:\Users\Jim\AppData\Local\SlimWare Utilities Inc
[-] Folder deleted: C:\Users\Public\Documents\Downloaded Installers
[-] Folder deleted: C:\Program Files\Yahoo!\yset
[-] Folder deleted: C:\Windows\system32\config\systemprofile\AppData\Local\YSearchUtil


***** [ Files ] *****

[-] File deleted: C:\Windows\Reimage.ini
[-] File deleted: C:\Windows\system32\drivers\swdumon.sys


***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine
[-] Key deleted: HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine.1
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{10ECCE17-29B5-4880-A8F5-EAD298611484}
[-] Key deleted: HKU\S-1-5-21-1881147041-2859140212-2274230566-1001\Software\Reimage
[-] Key deleted: HKU\S-1-5-21-1881147041-2859140212-2274230566-1001\Software\SlimWare Utilities Inc
[-] Key deleted: HKU\S-1-5-21-1881147041-2859140212-2274230566-1001\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
[#] Key deleted on reboot: HKCU\Software\Reimage
[#] Key deleted on reboot: HKCU\Software\SlimWare Utilities Inc
[#] Key deleted on reboot: HKCU\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
[-] Key deleted: HKLM\SOFTWARE\SLIMWARE UTILITIES, INC.
[-] Key deleted: HKLM\SOFTWARE\Reimage
[-] Key deleted: HKLM\SOFTWARE\SlimWare Utilities Inc
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! SearchSet
[-] Key deleted: HKU\S-1-5-21-1881147041-2859140212-2274230566-1001\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
[#] Key deleted on reboot: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\REI_AxControl.DLL


***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [3048 Bytes] - [23/03/2017 18:53:55]
C:\AdwCleaner\AdwCleaner[S0].txt - [3122 Bytes] - [23/03/2017 11:05:44]
C:\AdwCleaner\AdwCleaner[S1].txt - [3194 Bytes] - [23/03/2017 18:34:00]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [3267 Bytes] ##########

 

JRT.txt:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.2 (03.10.2017)
Operating System: Windows 7 Ultimate x86
Ran by Jim (Administrator) on Thu 03/23/2017 at 19:04:31.22
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 72

Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0YM7H1KE (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1RW6LFP1 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KDDNWR2 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2W9S4GN6 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68ME68KD (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\86YG4NMI (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8PG1PEDK (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\93282M1Y (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CYNN2L0 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C32LTNNM (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DI1Q308Y (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHHTVZHL (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EW9CMY1W (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FM2QARIE (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GXZ5PHOZ (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HKESH032 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNTV3JVF (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I1SYTFNS (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IECACU36 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IEV3D1U7 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ITLMGN10 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IV6M5X7N (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JRIUE55N (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KF5XZGOB (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NZ6HNIY7 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OQC4L8J3 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QJ1JLHA3 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QLB8INIK (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RO4VTIO8 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TM0PWTDP (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U0Y2SI3U (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UYD6NP1R (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VL79K7Y6 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VMS1TDB4 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VNJPDUO9 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XQ7D0E8N (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0YM7H1KE (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1RW6LFP1 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KDDNWR2 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2W9S4GN6 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68ME68KD (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\86YG4NMI (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8PG1PEDK (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\93282M1Y (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CYNN2L0 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C32LTNNM (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DI1Q308Y (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHHTVZHL (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EW9CMY1W (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FM2QARIE (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GXZ5PHOZ (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HKESH032 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNTV3JVF (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I1SYTFNS (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IECACU36 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IEV3D1U7 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ITLMGN10 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IV6M5X7N (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JRIUE55N (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KF5XZGOB (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NZ6HNIY7 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OQC4L8J3 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QJ1JLHA3 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QLB8INIK (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RO4VTIO8 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TM0PWTDP (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U0Y2SI3U (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UYD6NP1R (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VL79K7Y6 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VMS1TDB4 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VNJPDUO9 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XQ7D0E8N (Temporary Internet Files Folder)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 03/23/2017 at 19:07:47.00
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Addition.txt:

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 15-03-2017
Ran by Jim (23-03-2017 20:09:15)
Running from C:\Users\Jim\Downloads
Microsoft Windows 7 Ultimate  Service Pack 1 (X86) (2016-04-14 02:45:20)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1881147041-2859140212-2274230566-500 - Administrator - Disabled)
Guest (S-1-5-21-1881147041-2859140212-2274230566-501 - Limited - Enabled)
HomeGroupUser$ (S-1-5-21-1881147041-2859140212-2274230566-1002 - Limited - Enabled)
Jim (S-1-5-21-1881147041-2859140212-2274230566-1001 - Administrator - Enabled) => C:\Users\Jim

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Norton AntiVirus Online (Enabled - Up to date) {30744133-1E94-7B35-F4A3-82A5AEF1CBAA}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton AntiVirus Online (Enabled - Up to date) {8B15A0D7-38AE-74BB-CE13-B9D7D5768117}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 16.02 (HKLM\...\7-Zip) (Version: 16.02 - Igor Pavlov)
Adobe Acrobat Reader DC (HKLM\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.023.20070 - Adobe Systems Incorporated)
Arduino (HKLM\...\Arduino) (Version: 1.8.1 - Arduino LLC)
Atmel Driver Files (HKLM\...\{E184F35F-C386-40A4-8744-681FA8DABC1C}) (Version: 7.1.16 - Atmel Corporation)
Atmel LibUSB0 Driver (x86) (HKLM\...\{A5F681F3-D51D-4EAA-A116-7A1497BFAECE}) (Version: 7.0.125 - Atmel)
Atmel Segger USB Drivers (501e) (HKLM\...\{4C9675D0-C21D-40F0-BBD2-F51BFF7CAFE4}) (Version: 7.0.417 - Atmel)
Atmel Software Framework (Version: 7.0.1186 - Atmel) Hidden
Atmel Studio 7.0 (HKLM\...\{9b226216-cf50-48b3-a6e2-3dd5a9b3406d}) (Version: 7.0.1188 - Atmel)
Atmel Studio Development Environment (Version: 7.0.1188 - Atmel) Hidden
Atmel WinDriver (HKLM\...\{FAF2A9D1-33C8-48FF-8FD5-20075A53AB9C}) (Version: 7.0.23 - Atmel)
Atmel WinUSB (HKLM\...\{22D3C72E-42F9-4B0F-B331-E0AA134ADF76}) (Version: 6.2.32 - Atmel)
AVR8 Device Support (Version: 7.0.1188 - Atmel) Hidden
AVR8 Toolchain (Version: 7.0.1185 - Atmel) Hidden
CanoScan LiDE 110 Scanner Driver (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_cnq2414) (Version:  - )
CenturyLink Installer (HKLM\...\{C96FF998-45BD-411E-9253-B7F2660FE280}) (Version: 1.0 - CenturyLink, Inc.)
CFGSR (HKLM\...\{6BE146B0-2526-461C-9025-6AB23D347009}) (Version: 2.6.1 - PE0FKO)
Dev-C++ 5 beta 9 release (4.9.9.2) (HKLM\...\Dev-C++) (Version:  - )
Dia (remove only) (HKLM\...\Dia) (Version:  - )
HDSDR 2.76 (HKLM\...\{DB200CBD-9E3E-4C72-B711-B46D6817BC51}_is1) (Version:  - DG0JBJ)
Java 8 Update 101 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F32180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)
KiCad 4.0.4 (HKLM\...\KiCad) (Version: 4.0.4 - KiCad)
Macrium Reflect Free Edition (HKLM\...\MacriumReflect) (Version: 6.3 - Paramount Software (UK) Ltd.)
Macrium Reflect Free Edition (Version: 6.3.1745 - Paramount Software (UK) Ltd.) Hidden
Microsoft .NET Framework 4.5 Multi-Targeting Pack (HKLM\...\{56E962F0-4FB0-3C67-88DB-9EAA6EEFC493}) (Version: 4.5.50710 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 Multi-Targeting Pack (ENU) (HKLM\...\{D3517C62-68A5-37CF-92F7-93C029A89681}) (Version: 4.5.50932 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 Multi-Targeting Pack (HKLM\...\{6A0C6700-EA93-372C-8871-DCCF13D160A4}) (Version: 4.5.50932 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 SDK (HKLM\...\{19A5926D-66E1-46FC-854D-163AA10A52D3}) (Version: 4.5.51641 - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 Multi-Targeting Pack (ENU) (HKLM\...\{290FC320-2F5A-329E-8840-C4193BD7A9EE}) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 Multi-Targeting Pack (HKLM\...\{B941AFB4-8851-33A1-9E72-0C33D463C41C}) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Help Viewer 2.2 (HKLM\...\Microsoft Help Viewer 2.2) (Version: 2.2.23107 - Microsoft Corporation)
Microsoft SQL Server 2014 Management Objects  (HKLM\...\{2774595F-BC2A-4B12-A25B-0C37A37049B0}) (Version: 12.0.2000.8 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2014 (HKLM\...\{718FFB65-F6E4-4D62-861F-ED10ED32C936}) (Version: 12.0.2402.11 - Microsoft Corporation)
Microsoft Visio Professional 2002 SR-1 [English] (HKLM\...\{90510409-6D54-11D4-BEE3-00C04F990354}) (Version: 10.1.2514 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026 (HKLM\...\{74d0e5db-b326-4dae-a6b2-445b9de1836e}) (Version: 14.0.23026.0 - Microsoft Corporation)
Microsoft Visual Studio 2015 Shell (Isolated) (HKLM\...\{d2981c27-a434-4c9a-96c7-0209e97c4eac}) (Version: 14.0.23107.10 - Microsoft Corporation)
Mozilla Firefox 52.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 52.0.1 (x86 en-US)) (Version: 52.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 52.0.1.6284 - Mozilla)
Norton AntiVirus Online (HKLM\...\NAV) (Version: 22.9.1.12 - Symantec Corporation)
Notepad++ (32-bit x86) (HKLM\...\Notepad++) (Version: 7.3.2 - Notepad++ Team)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.10 - NVIDIA Corporation)
NVIDIA GeForce Experience 2.11.2.66 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.11.2.66 - NVIDIA Corporation)
NVIDIA Performance (HKLM\...\InstallShield_{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}) (Version: 6.5 - NVIDIA Corporation)
NVIDIA System Monitor (HKLM\...\InstallShield_{E9CFBE78-ED91-4FCF-9E6F-210E477E527D}) (Version: 6.5 - NVIDIA Corporation)
NVIDIA System Update (HKLM\...\InstallShield_{65A92AAA-3D05-4C94-9F70-731C05E60C16}) (Version: 3.00 - NVIDIA Corporation)
OpenOffice 4.1.3 (HKLM\...\{EEA30AEB-8BA7-465B-85D4-098BB99733E7}) (Version: 4.13.9783 - Apache Software Foundation)
PE0FKO-USB-Driver version 1.2.6.0 (HKLM\...\{2A21CAD6-AD1A-480A-B25A-18C31B9F46C5}_is1) (Version: 1.2.6.0 - Fred Krom, PE0FKO)
Private Internet Access Support Files (HKLM\...\{7D72DAFF-DCB2-437B-BC22-4B2ABF21462B}) (Version: 1.0.0.0 - Private Internet Access)
Samsung Universal Print Driver 2 (HKLM\...\Samsung Universal Print Driver 2) (Version: 2.50.06.00 - Samsung Electronics Co., Ltd.)
Seagate DiscWizard (HKLM\...\{746CB7B0-0BA2-4445-84EE-A4ABBAD7905E}) (Version: 18.0.6030 - Seagate)
SHIELD Streaming (Version: 7.1.0280 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (Version: 2.11.2.66 - NVIDIA Corporation) Hidden
SoftMaker FreeOffice 2016 (HKLM\...\{8EBB8452-274B-465D-8324-00B0832FBB05}) (Version: 1.0.3780 - SoftMaker Software GmbH)
Update for  (KB2504637) (HKLM\...\{CFEF48A8-BFB8-3EAC-8BA5-DE4F8AA267CE}.KB2504637) (Version: 1 - Microsoft Corporation)
Windows Driver Package - libusb-win32 (libusb0) libusb-win32 devices  (11/10/2012 1.2.6.0) (HKLM\...\737F915562B87A47B2022750B3FAFD94F54DDD94) (Version: 11/10/2012 1.2.6.0 - libusb-win32)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1881147041-2859140212-2274230566-1001_Classes\CLSID\{0295691A-D674-4904-805C-BDFE165B4CA0}\localserver32 -> C:\Program Files\SoftMaker FreeOffice 2016\PlanMaker.exe (SoftMaker Software GmbH)
CustomCLSID: HKU\S-1-5-21-1881147041-2859140212-2274230566-1001_Classes\CLSID\{0295691A-D674-4904-805C-BDFE165B7456}\localserver32 -> C:\Program Files\SoftMaker FreeOffice 2016\Presentations.exe (SoftMaker Software GmbH)
CustomCLSID: HKU\S-1-5-21-1881147041-2859140212-2274230566-1001_Classes\CLSID\{0295691A-D674-4904-805C-BDFE165B771B}\localserver32 -> C:\Program Files\SoftMaker FreeOffice 2016\TextMaker.exe (SoftMaker Software GmbH)
CustomCLSID: HKU\S-1-5-21-1881147041-2859140212-2274230566-1001_Classes\CLSID\{30291A01-707C-11d0-B457-4446490043BF}\localserver32 -> C:\Program Files\SoftMaker FreeOffice 2016\TextMaker.exe (SoftMaker Software GmbH)
CustomCLSID: HKU\S-1-5-21-1881147041-2859140212-2274230566-1001_Classes\CLSID\{399254F2-670F-11D1-8092-0080ADB44B5C}\localserver32 -> C:\Program Files\SoftMaker FreeOffice 2016\PlanMaker.exe (SoftMaker Software GmbH)
CustomCLSID: HKU\S-1-5-21-1881147041-2859140212-2274230566-1001_Classes\CLSID\{399254F3-670F-11D1-8092-0080ADB44B5C}\localserver32 -> C:\Program Files\SoftMaker FreeOffice 2016\PlanMaker.exe (SoftMaker Software GmbH)
CustomCLSID: HKU\S-1-5-21-1881147041-2859140212-2274230566-1001_Classes\CLSID\{8a087491-5264-11d4-95F6-00A0CC3CCA14}\localserver32 -> C:\Program Files\SoftMaker FreeOffice 2016\PlanMaker.exe (SoftMaker Software GmbH)
CustomCLSID: HKU\S-1-5-21-1881147041-2859140212-2274230566-1001_Classes\CLSID\{bf608490-5373-11d0-8efb-4446490043bf}\localserver32 -> C:\Program Files\SoftMaker FreeOffice 2016\TextMaker.exe (SoftMaker Software GmbH)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {26DB736F-F0D5-410F-84F9-B5FE770A3581} - System32\Tasks\Norton AntiVirus\Norton AntiVirus Online Error Analyzer => C:\Program Files\Norton AntiVirus\Engine\22.9.1.12\SymErr.exe [2017-02-20] (Symantec Corporation)
Task: {415E86A9-AE02-4795-AB8E-349C966A54BE} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton AntiVirus Online\Upgrade.exe
Task: {78442F2F-DA29-4096-9ACA-3BDDCC0DBB18} - System32\Tasks\{58CC6258-406B-4505-B034-DC78091D92CF} => pcalua.exe -a G:\netsetup.exe -d G:\
Task: {82567004-CD96-4087-BF5F-A6BE1A58494F} - System32\Tasks\Norton AntiVirus\Norton AntiVirus Online Error Processor => C:\Program Files\Norton AntiVirus\Engine\22.9.1.12\SymErr.exe [2017-02-20] (Symantec Corporation)
Task: {BA2988B8-B84E-407A-B302-7D97C82047FD} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-12-19] (Adobe Systems Incorporated)
Task: {D90D02DE-68ED-4C1A-B761-54DA3574EF87} - System32\Tasks\Norton WSC Integration => C:\Program Files\Norton AntiVirus\Engine\22.9.1.12\WSCStub.exe [2017-03-16] (Symantec Corporation)
Task: {EA843933-2DD1-4D34-9A06-45781022F553} - System32\Tasks\Private Internet Access Startup => C:\Program Files\pia_manager\pia_manager.exe [2016-05-19] ()
Task: {F86C1A23-2071-440B-B662-E512F1465804} - System32\Tasks\{DEE61F46-24C8-4DE9-BE86-D6C2291FBD8B} => pcalua.exe -a C:\Users\Jim\AppData\Local\Temp\jre-8u101-windows-au.exe -d C:\Windows\system32 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-10-03 17:40 - 2014-04-16 01:22 - 00025600 _____ () C:\Windows\System32\usp02l.dll
2014-09-09 11:00 - 2014-09-09 11:00 - 00023576 _____ () C:\Program Files\Seagate\DiscWizard\ti_managers_proxy_stub.dll
2017-02-12 15:31 - 2017-02-12 15:31 - 00267952 _____ () C:\Program Files\Notepad++\NppShell_06.dll
2016-04-13 20:21 - 2016-04-05 01:06 - 00312376 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\MessageBus.dll
2016-04-13 20:21 - 2016-04-05 01:06 - 00901688 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\libprotobuf.dll
2016-04-13 20:21 - 2016-04-05 01:07 - 03038776 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\Poco.dll
2016-04-13 20:21 - 2016-04-05 01:06 - 00222264 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamBase.dll
2016-10-03 17:44 - 2014-11-26 04:07 - 00118576 _____ () C:\Windows\system32\SecUPDUtilSvc.exe
2016-04-13 20:21 - 2016-04-05 01:06 - 02124344 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\Plugins\NSS\NvMdnsPlugin.dll
2016-04-13 20:21 - 2016-04-05 01:06 - 01609272 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\Plugins\NSS\NvPortForwardPlugin.dll
2016-04-13 20:21 - 2016-04-05 01:07 - 01504312 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\Plugins\NSS\RtspPlugin.dll
2016-04-13 20:21 - 2016-04-05 01:07 - 00169528 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\RtspServer.dll
2016-04-13 20:21 - 2016-04-05 01:05 - 00033336 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\boost_system-vc120-mt-1_58.dll
2016-04-13 20:21 - 2016-04-05 01:05 - 00751160 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\boost_regex-vc120-mt-1_58.dll
2016-04-13 20:21 - 2016-04-05 01:05 - 00017464 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\icudt53.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 19:04 - 2009-06-10 14:39 - 00000824 ____N C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1881147041-2859140212-2274230566-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.0.1 - 205.171.3.25
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\startupreg: CenturyLinkTouchPointAgent => "C:\Program Files\CenturyLink\Desktop\CenturyLinkTouchPointAgent.exe" /autostart
MSCONFIG\startupreg: NvBackend => "C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe"
MSCONFIG\startupreg: NvCplDaemon => RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
MSCONFIG\startupreg: NvMediaCenter => RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
MSCONFIG\startupreg: NvSvc => RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
MSCONFIG\startupreg: ShadowPlay => "C:\Windows\system32\rundll32.exe" C:\Windows\system32\nvspcap.dll,ShadowPlayOnSystemStart
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{949AD075-52C4-44B1-B5CD-F2E7BBB4E0BA}] => (Allow) C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{31164139-D4C3-4EC4-AED9-4586573ACEB0}] => (Allow) C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{2105E749-F751-4605-B40B-8FE71D54A43C}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{A33BB740-7865-4556-8B85-33367B54FF53}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
FirewallRules: [{2F4C2D04-7A5A-4DC7-AB49-E441C7619847}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
FirewallRules: [{FD504B7C-D091-4E4C-AE9F-6A90CCEB68F0}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
FirewallRules: [{27568523-13CE-497C-B06D-5AE1BED75953}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{058F14BF-57C4-4B34-B134-B3C6FD7EAD10}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{0BCF7F8E-F388-44BE-B7F8-E80B85FB4D2F}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{A59710BC-B22A-4E43-8481-5479D268435E}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{A83B20D5-FEC1-4287-B824-C013C1968D95}C:\program files\arduino\java\bin\java.exe] => (Allow) C:\program files\arduino\java\bin\java.exe
FirewallRules: [UDP Query User{43B93181-6F7B-439B-87E0-1B5E5C446388}C:\program files\arduino\java\bin\java.exe] => (Allow) C:\program files\arduino\java\bin\java.exe
FirewallRules: [TCP Query User{9D11E951-F2F1-4D90-9715-8847187D504D}C:\program files\arduino\java\bin\javaw.exe] => (Allow) C:\program files\arduino\java\bin\javaw.exe
FirewallRules: [UDP Query User{8B4F13E0-150C-4CBE-941C-3B26A1D28EC0}C:\program files\arduino\java\bin\javaw.exe] => (Allow) C:\program files\arduino\java\bin\javaw.exe
FirewallRules: [TCP Query User{6CC68763-BA70-486C-B7A3-1F5F8B9DE5AF}C:\program files\arduino\java\bin\javaw.exe] => (Block) C:\program files\arduino\java\bin\javaw.exe
FirewallRules: [UDP Query User{62B4D449-9D0C-4966-B551-ACFA25559A24}C:\program files\arduino\java\bin\javaw.exe] => (Block) C:\program files\arduino\java\bin\javaw.exe
FirewallRules: [{8E70669C-1A84-49A0-81D6-11AD744CE56D}] => (Allow) C:\Program Files\Samsung\Samsung Universal Print Driver 2\PrinterSelector\SUPDApp.exe
FirewallRules: [{1334FD1B-3A05-4C79-BD1F-AB59619734CC}] => (Allow) C:\Program Files\Atmel\Studio\7.0\atbackend\atbackend.exe
FirewallRules: [{72107731-49AF-40A7-AF4D-E3B6ECD987FB}] => (Allow) C:\Program Files\Atmel\Studio\7.0\AtmelStudio.exe

==================== Restore Points =========================

23-03-2017 19:04:32 JRT Pre-Junkware Removal

==================== Faulty Device Manager Devices =============

Name: PS/2 Compatible Mouse
Description: PS/2 Compatible Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears. Remove the device, and this error should be resolved.

Name: Standard PS/2 Keyboard
Description: Standard PS/2 Keyboard
Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears. Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (03/23/2017 11:05:59 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "c:\program files\samsung\samsung universal print driver 2\seinstall\printer\amd64\itdrvpi.exe".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/23/2017 11:05:32 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "c:\program files\arduino\drivers\dpinst-amd64.exe".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/23/2017 11:04:40 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Program Files\Microsoft Visual Studio 14.0\Common7\Packages\Debugger\X64\msvsmon.exe".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/22/2017 11:22:03 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: DiscWizard.exe, version: 18.0.0.6030, time stamp: 0x55f846e6
Faulting module name: ole32.dll, version: 6.1.7601.23392, time stamp: 0x56eb2f8f
Exception code: 0xc0000005
Fault offset: 0x0013bd65
Faulting process id: 0x310
Faulting application start time: 0x01d2a38d95fba827
Faulting application path: C:\Program Files\Seagate\DiscWizard\DiscWizard.exe
Faulting module path: C:\Windows\system32\ole32.dll
Report Id: 07794db9-0f91-11e7-9f19-000e7f2bcf2f

Error: (03/22/2017 03:33:10 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "c:\program files\samsung\samsung universal print driver 2\seinstall\printer\amd64\itdrvpi.exe".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/22/2017 03:32:58 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "c:\program files\arduino\drivers\dpinst-amd64.exe".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/22/2017 03:32:47 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Program Files\Microsoft Visual Studio 14.0\Common7\Packages\Debugger\X64\msvsmon.exe".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/21/2017 05:38:03 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7601.17514, time stamp: 0x4ce79912
Faulting module name: mshtml.dll, version: 8.0.7601.17514, time stamp: 0x4ce7b8f3
Exception code: 0xc0000005
Fault offset: 0x000d9e08
Faulting process id: 0x8ec
Faulting application start time: 0x01d2a2a2655c6ba7
Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe
Faulting module path: C:\Windows\System32\mshtml.dll
Report Id: cea3adfd-0e97-11e7-81d7-000e7f2bcf2f

Error: (03/21/2017 12:11:25 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "c:\program files\samsung\samsung universal print driver 2\seinstall\printer\amd64\itdrvpi.exe".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/21/2017 12:11:13 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "c:\program files\arduino\drivers\dpinst-amd64.exe".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.


System errors:
=============
Error: (03/23/2017 07:05:38 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Norton AntiVirus service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (03/23/2017 06:54:07 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:
An instance of the service is already running.

Error: (03/23/2017 06:53:37 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (03/23/2017 06:53:36 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (03/23/2017 06:53:36 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The NVIDIA Streamer Network Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (03/23/2017 06:53:36 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Update Center Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (03/23/2017 06:53:36 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Seagate Scheduler2 Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.

Error: (03/23/2017 06:53:36 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Samsung UPD Utility Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (03/23/2017 06:53:36 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The NVIDIA Streamer Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (03/23/2017 06:53:36 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The NVIDIA Network Service service terminated unexpectedly.  It has done this 1 time(s).


==================== Memory info ===========================

Processor: Intel® Pentium® 4 CPU 3.00GHz
Percentage of memory in use: 61%
Total physical RAM: 2047.52 MB
Available physical RAM: 789.06 MB
Total Virtual: 4095.04 MB
Available Virtual: 2498.91 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:931.51 GB) (Free:898.25 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (BackupSys) (Fixed) (Total:97.65 GB) (Free:48.98 GB) NTFS
Drive f: (BackupData) (Fixed) (Total:368.1 GB) (Free:275.32 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: D1984710)
Partition 1: (Active) - (Size=931.5 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 465.8 GB) (Disk ID: FE2D5B78)
Partition 1: (Active) - (Size=97.7 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=368.1 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-03-2017
Ran by Jim (administrator) on JIMW7 (23-03-2017 20:05:54)
Running from C:\Users\Jim\Downloads
Loaded Profiles: Jim (Available Profiles: Jim)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

========================================================

C:\FRST\ReflectDL.exe => Win32/Suweezy? - moved successfully

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Paramount Software UK Ltd) C:\Program Files\Macrium\Common\MacriumService.exe
(NVIDIA) C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
() C:\Windows\System32\SecUPDUtilSvc.exe
(Seagate) C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
(NVIDIA) C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe
(NVIDIA) C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(Symantec Corporation) C:\Program Files\Norton AntiVirus\Engine\22.9.1.12\nav.exe
(Symantec Corporation) C:\Program Files\Norton AntiVirus\Engine\22.9.1.12\nav.exe
(Mozilla Corporation) C:\Program Files\mozilla firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [DiscWizardMonitor.exe] => C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe [5589976 2015-09-15] (Seagate)
HKLM\...\Run: [AcronisTibMounterMonitor] => C:\Program Files\Common Files\Acronis\TibMounter\TibMounterMonitor.exe [691056 2015-07-20] (Acronis International GmbH)
HKLM\...\Run: [Seagate Scheduler2 Service] => C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe [400360 2015-09-15] (Seagate)
HKU\S-1-5-21-1881147041-2859140212-2274230566-1001\...\MountPoints2: G - G:\setup.exe /AUTORUN
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2016-04-14] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files\Norton AntiVirus\Engine\22.9.1.12\buShell.dll [2017-03-16] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files\Norton AntiVirus\Engine\22.9.1.12\buShell.dll [2017-03-16] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files\Norton AntiVirus\Engine\22.9.1.12\buShell.dll [2017-03-16] (Symantec Corporation)
ShellIconOverlayIdentifiers: [AcronisSyncError] -> {934BC6C0-FEC2-4df5-A100-961DE2C8A0ED} => C:\Program Files\Seagate\DiscWizard\tishell.dll [2014-09-09] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncInProgress] -> {00F848DC-B1D4-4892-9C25-CAADC86A215D} => C:\Program Files\Seagate\DiscWizard\tishell.dll [2014-09-09] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncOk] -> {71573297-552E-46fc-BE3D-3DFAF88D47B7} => C:\Program Files\Seagate\DiscWizard\tishell.dll [2014-09-09] (Acronis)
GroupPolicyScripts: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 205.171.3.25
Tcpip\..\Interfaces\{BFF2D202-6964-422E-A356-88C204A9D1D9}: [DhcpNameServer] 192.168.0.1 205.171.3.25

Internet Explorer:
==================
HKU\S-1-5-21-1881147041-2859140212-2274230566-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.yahoo.com/
BHO: Norton Identity Safety -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton AntiVirus\Engine\22.9.1.12\coIEPlg.dll [2017-03-16] (Symantec Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_101\bin\ssv.dll [2016-10-03] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-10-03] (Oracle Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton AntiVirus\Engine\22.9.1.12\coIEPlg.dll [2017-03-16] (Symantec Corporation)
Toolbar: HKU\S-1-5-21-1881147041-2859140212-2274230566-1001 -> Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton AntiVirus\Engine\22.9.1.12\coIEPlg.dll [2017-03-16] (Symantec Corporation)
Toolbar: HKU\S-1-5-21-1881147041-2859140212-2274230566-1001 -> No Name - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} -  No File
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\pkmcdo.dll [2001-01-21] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Jim\AppData\Roaming\Mozilla\Firefox\Profiles\m8djcp2l.default-1482032896170 [2017-03-23]
FF Homepage: Mozilla\Firefox\Profiles\m8djcp2l.default-1482032896170 -> hxxps://www.yahoo.com/
FF Session Restore: Mozilla\Firefox\Profiles\m8djcp2l.default-1482032896170 -> is enabled.
FF HKLM\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_22.5.2.15\coFFAddon
FF Extension: (Norton Security Toolbar) - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_22.5.2.15\coFFAddon [2017-03-23]
FF Plugin: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-10-03] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-10-03] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files\Norton AntiVirus\Engine\22.9.1.12\Exts\Chrome.crx [2017-03-23]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [931384 2016-04-05] (NVIDIA Corporation)
R2 MacriumService; C:\Program Files\Macrium\Common\MacriumService.exe [3125408 2017-02-25] (Paramount Software UK Ltd)
R2 NAV; C:\Program Files\Norton AntiVirus\Engine\22.9.1.12\NAV.exe [288512 2017-03-16] (Symantec Corporation)
R2 nTuneService; C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe [191080 2010-03-22] (NVIDIA)
R2 NvNetworkService; C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe [1881144 2016-04-05] (NVIDIA Corporation)
R3 NvStreamNetworkSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [2906168 2016-04-05] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [2018360 2016-04-05] (NVIDIA Corporation)
R2 SamsungUPDUtilSvc; C:\Windows\system32\SecUPDUtilSvc.exe [118576 2014-11-26] ()
R2 SgtSch2Svc; C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe [846864 2015-09-15] (Seagate)
R2 UpdateCenterService; C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe [195176 2009-11-06] (NVIDIA)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 atmelwindrvr; C:\Windows\System32\drivers\atmelwindrvr.sys [227528 2015-08-12] (Jungo Connectivity)
R1 BHDrvx86; C:\Program Files\Norton AntiVirus\NortonData\22.5.2.15\Definitions\BASHDefs\20170317.001\BHDrvx86.sys [1334424 2017-03-03] (Symantec Corporation)
R1 ccSet_NAV; C:\Windows\system32\drivers\NAV\1609010.00C\ccSetx86.sys [137888 2017-02-20] (Symantec Corporation)
S3 CH341SER; C:\Windows\System32\Drivers\CH341SER.SYS [41472 2015-01-26] (www.winchiphead.com)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [388768 2017-01-25] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [124576 2017-01-25] (Symantec Corporation)
R0 file_tracker; C:\Windows\System32\DRIVERS\file_tracker.sys [214304 2017-03-22] (Acronis International GmbH)
R1 IDSVix86; C:\Program Files\Norton AntiVirus\NortonData\22.5.2.15\Definitions\IPSDefs\20170323.001\IDSvix86.sys [798928 2017-03-02] (Symantec Corporation)
S3 libusb0; C:\Windows\System32\DRIVERS\libusb0.sys [42592 2014-02-06] (hxxp://libusb-win32.sourceforge.net)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [27192 2016-04-05] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad32v.sys [50752 2016-03-21] (NVIDIA Corporation)
R0 pssnap; C:\Windows\System32\DRIVERS\pssnap.sys [16016 2015-10-12] (Windows ® Win 7 DDK provider)
R3 SRTSP; C:\Windows\System32\Drivers\NAV\1609010.00C\SRTSP.SYS [624288 2017-03-16] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NAV\1609010.00C\SRTSPX.SYS [41112 2017-03-16] (Symantec Corporation)
R0 SymEFASI; C:\Windows\System32\drivers\NAV\1609010.00C\SYMEFASI.SYS [1348256 2017-02-20] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [89296 2017-02-28] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NAV\1609010.00C\Ironx86.SYS [232600 2017-02-20] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\NAV\1609010.00C\SYMNETS.SYS [423640 2017-02-20] (Symantec Corporation)
R3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [23040 2016-05-19] (The OpenVPN Project)
R2 tib; C:\Windows\System32\DRIVERS\tib.sys [685160 2017-03-22] (Acronis International GmbH)
R2 tib_mounter; C:\Windows\System32\DRIVERS\tib_mounter.sys [184136 2017-03-22] (Acronis International GmbH)
R3 WinDriver6; C:\Windows\System32\drivers\windrvr6.sys [204320 2014-01-28] (Jungo Connectivity)
S3 WirelessKeyboardFilter; C:\Windows\System32\DRIVERS\WirelessKeyboardFilter.sys [44776 2016-03-29] (Microsoft Corporation)
S3 NAVENG; \??\C:\Program Files\Norton AntiVirus\NortonData\22.5.2.15\Definitions\SDSDefs\20160812.008\NAVENG.SYS [X]
S3 NAVEX15; \??\C:\Program Files\Norton AntiVirus\NortonData\22.5.2.15\Definitions\SDSDefs\20160812.008\NAVEX15.SYS [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-23 19:07 - 2017-03-23 19:07 - 00012293 _____ C:\Users\Jim\Desktop\JRT.txt
2017-03-23 18:59 - 2017-03-23 18:59 - 01663904 _____ (Malwarebytes) C:\Users\Jim\Desktop\JRT.exe
2017-03-23 18:58 - 2017-03-23 18:58 - 00003346 _____ C:\Users\Jim\Desktop\AdwCleaner[C0].txt
2017-03-23 11:00 - 2017-03-23 18:53 - 00000000 ____D C:\AdwCleaner
2017-03-23 10:57 - 2017-03-23 10:57 - 04031440 _____ C:\Users\Jim\Desktop\AdwCleaner.exe
2017-03-23 02:19 - 2017-03-23 02:19 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-03-23 02:18 - 2017-03-23 18:50 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-03-23 02:18 - 2017-03-23 16:07 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-03-23 02:17 - 2017-03-23 18:50 - 00000000 ____D C:\Users\Jim\Desktop\mbar
2017-03-23 02:17 - 2017-03-23 16:06 - 00094936 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2017-03-23 02:16 - 2017-03-23 02:16 - 00001279 _____ C:\Users\Jim\Desktop\antirootkit.txt
2017-03-23 02:13 - 2017-03-23 02:13 - 16563352 _____ (Malwarebytes Corp.) C:\Users\Jim\Desktop\mbar-1.09.3.1001.exe
2017-03-23 01:50 - 2017-03-23 01:50 - 00852798 _____ C:\Users\Jim\Desktop\SecurityCheck.exe
2017-03-22 23:30 - 2017-03-22 23:30 - 00139377 _____ C:\Users\Jim\Documents\Easterntimes Tech Mouse.pdf
2017-03-22 21:26 - 2017-03-22 21:26 - 00000000 ____D C:\Users\Jim\AppData\Roaming\Seagate
2017-03-22 21:25 - 2017-03-22 21:26 - 00000000 ____D C:\ProgramData\Seagate
2017-03-22 21:25 - 2017-03-22 21:25 - 00685160 _____ (Acronis International GmbH) C:\Windows\system32\Drivers\tib.sys
2017-03-22 21:25 - 2017-03-22 21:25 - 00214304 _____ (Acronis International GmbH) C:\Windows\system32\Drivers\file_tracker.sys
2017-03-22 21:25 - 2017-03-22 21:25 - 00208672 _____ (Acronis International GmbH) C:\Windows\system32\Drivers\snapman.sys
2017-03-22 21:25 - 2017-03-22 21:25 - 00184136 _____ (Acronis International GmbH) C:\Windows\system32\Drivers\tib_mounter.sys
2017-03-22 21:25 - 2017-03-22 21:25 - 00098592 _____ (Acronis International GmbH) C:\Windows\system32\Drivers\fltsrv.sys
2017-03-22 21:25 - 2017-03-22 21:25 - 00001192 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Seagate DiscWizard.lnk
2017-03-22 21:25 - 2017-03-22 21:25 - 00001180 _____ C:\Users\Public\Desktop\Seagate DiscWizard.lnk
2017-03-22 21:25 - 2017-03-22 21:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Seagate
2017-03-22 21:25 - 2017-03-22 21:25 - 00000000 ____D C:\Program Files\Common Files\Acronis
2017-03-22 21:24 - 2017-03-22 21:25 - 00000000 ____D C:\Program Files\Common Files\Seagate
2017-03-22 21:24 - 2017-03-22 21:24 - 00000000 ____D C:\Program Files\Seagate
2017-03-22 21:12 - 2017-03-22 21:14 - 287919712 _____ (Seagate) C:\Users\Jim\Downloads\DiscWizardSetup-1806030.en.exe
2017-03-22 16:02 - 2017-03-22 16:06 - 00000000 ____D C:\Users\Jim\Documents\Reflect
2017-03-22 15:47 - 2017-03-22 15:47 - 00001966 _____ C:\Users\Public\Desktop\Reflect.lnk
2017-03-22 15:47 - 2017-03-22 15:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Macrium
2017-03-22 15:47 - 2017-03-22 15:47 - 00000000 ____D C:\Program Files\Macrium
2017-03-22 15:45 - 2017-03-22 15:58 - 00000000 ____D C:\ProgramData\Macrium
2017-03-22 15:45 - 2017-03-22 15:45 - 00000000 ____D C:\Users\Jim\Desktop\Macrium
2017-03-22 15:38 - 2017-03-22 15:38 - 00000000 ____D C:\Windows\xxclone.arc
2017-03-21 20:14 - 2017-03-21 20:16 - 00028972 _____ C:\Users\Jim\Downloads\Addition.txt
2017-03-21 20:07 - 2017-03-23 20:07 - 00012162 _____ C:\Users\Jim\Downloads\FRST.txt
2017-03-21 20:07 - 2017-03-23 20:05 - 00000000 ____D C:\FRST
2017-03-21 19:59 - 2017-03-21 20:06 - 01766912 _____ (Farbar) C:\Users\Jim\Downloads\FRST.exe
2017-03-19 12:24 - 2017-03-19 12:24 - 00000000 ____D C:\Users\Jim\AppData\LocalLow\Temp
2017-03-19 02:41 - 2017-03-19 02:42 - 00000000 ____D C:\Users\Jim\Documents\Amateur Radio
2017-03-09 03:17 - 2017-03-09 03:18 - 00000000 ____D C:\Users\Jim\Documents\Preprocessor
2017-03-09 03:11 - 2017-03-09 03:11 - 01098403 _____ C:\Users\Jim\Downloads\chaos-pp.tar.gz
2017-03-08 11:17 - 2017-03-08 11:17 - 32243088 _____ (Microsoft Corporation) C:\Users\Jim\Downloads\EIE11_EN-US_WOL_WIN7.EXE
2017-03-06 03:10 - 2015-12-20 11:45 - 02745856 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2017-03-06 03:10 - 2015-12-20 11:45 - 00013824 _____ (Microsoft Corporation) C:\Windows\system32\RdpGroupPolicyExtension.dll
2017-03-06 03:10 - 2015-12-20 09:16 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\rdpudd.dll
2017-03-06 03:10 - 2015-07-16 12:12 - 06131200 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2017-03-06 03:10 - 2015-07-16 12:12 - 00856064 _____ (Microsoft Corporation) C:\Windows\system32\rdvidcrl.dll
2017-03-06 03:10 - 2015-07-16 12:12 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\tsgqec.dll
2017-03-06 03:10 - 2015-07-16 08:14 - 00355840 _____ (Microsoft Corporation) C:\Windows\system32\wksprt.exe
2017-03-06 03:10 - 2014-12-11 10:47 - 00074240 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2017-03-05 21:49 - 2017-03-06 16:41 - 00000000 ____D C:\Users\Jim\Documents\Arduino
2017-03-05 21:42 - 2017-03-05 21:45 - 00000000 ____D C:\Program Files\Arduino
2017-03-05 21:27 - 2017-03-06 16:45 - 00000000 ____D C:\Users\Jim\Documents\Atmel Studio
2017-03-05 21:00 - 2017-03-05 21:00 - 00001155 _____ C:\Users\Public\Desktop\Atmel Studio 7.0.lnk
2017-03-05 21:00 - 2017-03-05 21:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Atmel Studio 7.0
2017-03-05 20:45 - 2017-03-05 20:45 - 00000000 ____D C:\Program Files\Atmel
2017-03-05 18:41 - 2017-03-05 18:41 - 00000000 ____D C:\Windows\system32\appmgmt
2017-03-05 16:16 - 2017-03-05 16:16 - 02514576 _____ (Atmel) C:\Users\Jim\Downloads\as-installer-7.0.1188-web.exe
2017-03-04 21:03 - 2013-10-01 17:42 - 00049152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\TsUsbFlt.sys
2017-03-04 21:03 - 2013-10-01 17:32 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2017-03-04 21:03 - 2013-10-01 17:30 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2017-03-04 21:03 - 2013-10-01 17:14 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\MsRdpWebAccess.dll
2017-03-04 21:03 - 2013-10-01 17:14 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\wksprtPS.dll
2017-03-04 21:03 - 2013-10-01 16:45 - 00032256 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbGDCoInstaller.dll
2017-03-04 21:03 - 2013-10-01 15:34 - 01068544 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe
2017-03-04 21:03 - 2012-08-23 07:44 - 00014848 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpvideominiport.sys
2017-03-04 21:03 - 2012-08-23 04:12 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\rdpendp_winip.dll
2017-03-04 21:00 - 2015-12-16 11:43 - 00006144 _____ (Microsoft Corporation) C:\Windows\system32\kbdgeoqw.dll
2017-03-04 21:00 - 2015-12-16 11:43 - 00006144 _____ (Microsoft Corporation) C:\Windows\system32\KBDAZEL.DLL
2017-03-04 21:00 - 2015-12-16 11:43 - 00006144 _____ (Microsoft Corporation) C:\Windows\system32\KBDAZE.DLL
2017-03-04 21:00 - 2015-08-05 10:40 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\icaapi.dll
2017-03-04 21:00 - 2015-08-05 09:58 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2017-03-04 20:59 - 2017-02-02 09:18 - 00071400 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2017-03-04 20:59 - 2017-02-02 09:14 - 00971776 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2017-03-04 20:59 - 2017-02-02 07:06 - 00505344 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2017-03-04 20:59 - 2016-12-31 08:36 - 01331200 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2017-03-04 20:59 - 2016-12-31 08:36 - 00442368 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2017-03-04 20:59 - 2016-12-31 08:36 - 00270848 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2017-03-04 20:59 - 2016-12-31 08:36 - 00212480 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
2017-03-04 20:59 - 2016-12-31 08:36 - 00183808 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2017-03-04 20:59 - 2016-12-31 08:36 - 00104960 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2017-03-04 01:19 - 2017-03-04 01:19 - 00001214 _____ C:\Users\Jim\Documents\my_c_preproc.h
2017-03-04 00:57 - 2017-03-04 00:57 - 00048411 _____ C:\Users\Public\Documents\C Preprocessor tricks, tips, and idioms · pfultz2_Cloak Wiki · GitHub.htm
2017-03-04 00:57 - 2017-03-04 00:57 - 00000000 ____D C:\Users\Public\Documents\C Preprocessor tricks, tips, and idioms · pfultz2_Cloak Wiki · GitHub_files
2017-03-03 20:15 - 2017-03-03 20:15 - 00000000 ____D C:\Users\Public\Documents\libpp-master
2017-03-03 20:06 - 2017-03-03 20:07 - 00000000 ____D C:\Users\Public\Documents\p99-master
2017-03-02 20:27 - 2017-03-02 20:27 - 04102739 _____ C:\Users\Public\Documents\arduinoinlineassembly.pdf
2017-02-22 17:22 - 2017-02-22 18:24 - 00000000 ____D C:\GLproject
2017-02-22 17:21 - 2017-02-22 17:12 - 00221184 _____ C:\Windows\system32\glut32.dll
2017-02-21 23:45 - 2017-02-22 08:28 - 00000126 _____ C:\Users\Jim\Desktop\HelloWorld.cpp
2017-02-21 23:31 - 2017-02-22 17:10 - 00000000 ____D C:\Users\Jim\AppData\Roaming\Dev-Cpp
2017-02-21 23:30 - 2017-02-21 23:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bloodshed Dev-C++
2017-02-21 23:28 - 2017-02-21 23:30 - 00000000 ____D C:\Dev-Cpp

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-23 20:07 - 2016-09-28 20:36 - 00000000 ____D C:\Temp
2017-03-23 19:08 - 2016-12-30 21:16 - 00000000 ____D C:\Users\Jim\AppData\LocalLow\Mozilla
2017-03-23 19:03 - 2009-07-13 21:34 - 00013760 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-03-23 19:03 - 2009-07-13 21:34 - 00013760 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-03-23 18:55 - 2009-07-13 21:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-03-23 18:53 - 2016-10-03 22:17 - 00000000 ____D C:\Program Files\Yahoo!
2017-03-23 18:42 - 2017-02-02 18:48 - 00000000 ____D C:\Program Files\mozilla firefox
2017-03-23 15:55 - 2016-10-04 17:57 - 00000000 ____D C:\Program Files\Common Files\AV
2017-03-23 15:55 - 2016-09-28 21:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton AntiVirus
2017-03-23 15:55 - 2016-08-29 15:00 - 00002270 _____ C:\Users\Public\Desktop\Norton AntiVirus.lnk
2017-03-23 15:55 - 2016-04-13 23:00 - 00000000 ____D C:\Windows\system32\Drivers\NAV
2017-03-22 20:06 - 2016-04-13 19:50 - 00782470 _____ C:\Windows\system32\PerfStringBackup.INI
2017-03-22 20:06 - 2009-07-13 19:37 - 00000000 ____D C:\Windows\inf
2017-03-22 19:51 - 2016-04-14 22:04 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2017-03-10 17:48 - 2016-07-19 20:39 - 00000000 ____D C:\Users\Jim\Documents\Visual Studio 2015
2017-03-10 17:40 - 2016-07-19 22:57 - 00000000 ____D C:\Users\Jim\AppData\Roaming\VisualAssistAtmel
2017-03-10 12:32 - 2009-07-13 19:37 - 00000000 ____D C:\Windows\rescache
2017-03-10 11:54 - 2016-06-07 16:06 - 00000000 ____D C:\ProgramData\SoftMaker
2017-03-08 12:48 - 2016-04-13 19:49 - 00001450 _____ C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-03-08 12:45 - 2009-07-13 19:37 - 00000000 ____D C:\Windows\PolicyDefinitions
2017-03-05 21:19 - 2016-04-13 20:21 - 00000000 ____D C:\ProgramData\Package Cache
2017-03-05 03:19 - 2009-07-13 21:33 - 00304736 _____ C:\Windows\system32\FNTCACHE.DAT
2017-03-04 21:06 - 2016-04-14 23:57 - 00000000 ___SD C:\Windows\system32\CompatTel
2017-03-04 21:05 - 2016-04-14 23:57 - 00000000 ____D C:\Windows\system32\appraiser
2017-02-28 02:15 - 2016-04-13 23:02 - 00089296 _____ (Symantec Corporation) C:\Windows\system32\Drivers\SYMEVENT.SYS
2017-02-28 02:15 - 2016-04-13 23:02 - 00008262 _____ C:\Windows\system32\Drivers\SYMEVENT.CAT
2017-02-23 03:08 - 2016-04-13 19:53 - 00000000 ____D C:\Windows\system32\MRT
2017-02-23 03:02 - 2016-04-13 19:53 - 135086848 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-02-21 15:11 - 2016-07-19 19:00 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk

==================== Files in the root of some directories =======

2016-09-29 09:26 - 2016-09-29 09:26 - 130457001 _____ () C:\Program Files\openoffice1.cab
2016-09-29 09:21 - 2016-09-29 09:21 - 2310144 _____ () C:\Program Files\openoffice413.msi
2016-09-29 09:21 - 2016-09-29 09:21 - 0478720 _____ () C:\Program Files\setup.exe
2016-09-29 09:21 - 2016-09-29 09:21 - 0000279 _____ () C:\Program Files\setup.ini
2016-06-11 00:48 - 2016-06-11 00:48 - 0000735 _____ () C:\Users\Jim\AppData\Local\recently-used.xbel
2016-10-04 11:55 - 2016-12-17 19:41 - 0007637 _____ () C:\Users\Jim\AppData\Local\Resmon.ResmonCfg

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-03-21 13:59

==================== End of FRST.txt ============================

 

 

Both browsers, Internet Explorer and Firefox, still seem to use a lot of CPU.  CPU usage ranges from 10% to 90% even when the application window is minimized.



#7 Jo*

Jo*

  • Malware Response Team
  • 3,416 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:09:25 AM

Posted 24 March 2017 - 04:23 AM

Copy FRST / FRST64.exe to your desktop!

Open notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt.




Start
CreateRestorePoint:
CloseProcesses:
Task: {F86C1A23-2071-440B-B662-E512F1465804} - System32\Tasks\{DEE61F46-24C8-4DE9-BE86-D6C2291FBD8B} => pcalua.exe -a C:\Users\Jim\AppData\Local\Temp\jre-8u101-windows-au.exe -d C:\Windows\system32 -cmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-1881147041-2859140212-2274230566-1001 -> No Name - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} -  No File
S3 NAVENG; \??\C:\Program Files\Norton AntiVirus\NortonData\22.5.2.15\Definitions\SDSDefs\20160812.008\NAVENG.SYS [X]
S3 NAVEX15; \??\C:\Program Files\Norton AntiVirus\NortonData\22.5.2.15\Definitions\SDSDefs\20160812.008\NAVEX15.SYS [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
EmptyTemp:
End
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST / FRST64 again as Administrator like we did before, but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt); please post it in your reply.


How is the computer running now?

----

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#8 hdleng

hdleng
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:12:25 AM

Posted 24 March 2017 - 04:34 PM

Jo, thank you for your continuing assistance.

 

I have followed your instructions, and I will paste fixlog.txt below.

 

When I look at Task Manager, I find that Firefox uses 5 to 30% CPU even when it is minimized and only one tab with this website is open.  I also noticed that Firefox begins at 220 MB of memory usage, and the usage increases at about 2 MB per minute.  When the memory usage reaches 380 MB, it abruptly returns to 220 MB.

 

fixlog.txt:

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 15-03-2017
Ran by Jim (24-03-2017 13:37:20) Run:1
Running from C:\Users\Jim\Desktop
Loaded Profiles: Jim (Available Profiles: Jim)
Boot Mode: Normal

==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
Task: {F86C1A23-2071-440B-B662-E512F1465804} - System32\Tasks\{DEE61F46-24C8-4DE9-BE86-D6C2291FBD8B} => pcalua.exe -a C:\Users\Jim\AppData\Local\Temp\jre-8u101-windows-au.exe -d C:\Windows\system32 -cmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-1881147041-2859140212-2274230566-1001 -> No Name - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} -  No File
S3 NAVENG; \??\C:\Program Files\Norton AntiVirus\NortonData\22.5.2.15\Definitions\SDSDefs\20160812.008\NAVENG.SYS [X]
S3 NAVEX15; \??\C:\Program Files\Norton AntiVirus\NortonData\22.5.2.15\Definitions\SDSDefs\20160812.008\NAVEX15.SYS [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
EmptyTemp:
End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F86C1A23-2071-440B-B662-E512F1465804} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F86C1A23-2071-440B-B662-E512F1465804} => key removed successfully.
C:\Windows\System32\Tasks\{DEE61F46-24C8-4DE9-BE86-D6C2291FBD8B} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{DEE61F46-24C8-4DE9-BE86-D6C2291FBD8B} => key removed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
HKU\S-1-5-21-1881147041-2859140212-2274230566-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4BAAC1B8-0800-42C9-8FA6-08B211F356B8} => value removed successfully.
HKCR\CLSID\{4BAAC1B8-0800-42C9-8FA6-08B211F356B8} => key not found.
HKLM\System\CurrentControlSet\Services\NAVENG => could not remove key. Access Denied.
HKLM\System\CurrentControlSet\Services\NAVEX15 => could not remove key. Access Denied.
HKLM\System\CurrentControlSet\Services\Synth3dVsc => key removed successfully.
Synth3dVsc => service removed successfully.
HKLM\System\CurrentControlSet\Services\tsusbhub => key removed successfully.
tsusbhub => service removed successfully.
HKLM\System\CurrentControlSet\Services\VGPU => key removed successfully.
VGPU => service removed successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 21163177 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 0 B
Edge => 0 B
Chrome => 0 B
Firefox => 169230995 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 552 B
LocalService => 66228 B
NetworkService => 692 B
Jim => 9216118 B

RecycleBin => 3436637 B
EmptyTemp: => 201.8 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 24-03-2017 13:41:52)


Result of scheduled keys to remove after reboot:

HKLM\System\CurrentControlSet\Services\NAVENG => key removed successfully.
HKLM\System\CurrentControlSet\Services\NAVEX15 => key removed successfully.

==== End of Fixlog 13:41:52 ====



#9 Jo*

Jo*

  • Malware Response Team
  • 3,416 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:09:25 AM

Posted 24 March 2017 - 05:38 PM

Download ComboFix from the following location:
Link

* IMPORTANT - Save ComboFix.exe to your Desktop
 

***


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link:
How to Disable your Security Programs




***


Double click on combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
Enable your antivirus!

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#10 hdleng

hdleng
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:12:25 AM

Posted 24 March 2017 - 08:35 PM

Jo, this is combofix.txt:

 

ComboFix 17-03-21.01 - Jim 03/24/2017  17:02:01.1.1 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.2048.1161 [GMT -7:00]
Running from: c:\users\Jim\Desktop\ComboFix.exe
AV: Norton AntiVirus Online *Disabled/Updated* {30744133-1E94-7B35-F4A3-82A5AEF1CBAA}
SP: Norton AntiVirus Online *Disabled/Updated* {8B15A0D7-38AE-74BB-CE13-B9D7D5768117}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\temp\catchme.dll
F:\install.exe
.
.
(((((((((((((((((((((((((   Files Created from 2017-02-25 to 2017-03-25  )))))))))))))))))))))))))))))))
.
.
2017-03-25 00:52 . 2017-03-25 00:52    --------    d-----w-    c:\users\Jim\AppData\Local\temp
2017-03-25 00:52 . 2017-03-25 00:52    --------    d-----w-    c:\users\Default\AppData\Local\temp
2017-03-23 18:00 . 2017-03-24 01:53    --------    d-----w-    C:\AdwCleaner
2017-03-23 09:43 . 2017-03-23 22:53    --------    d-----w-    c:\windows\system32\drivers\NAV\1609010.00C
2017-03-23 09:19 . 2017-03-23 09:19    --------    d-----w-    c:\programdata\Malwarebytes
2017-03-23 09:18 . 2017-03-24 01:50    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2017-03-23 09:18 . 2017-03-23 23:07    170200    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2017-03-23 09:17 . 2017-03-23 23:06    94936    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2017-03-23 04:26 . 2017-03-23 04:26    --------    d-----w-    c:\users\Jim\AppData\Roaming\Seagate
2017-03-23 04:25 . 2017-03-23 04:26    --------    d-----w-    c:\programdata\Seagate
2017-03-23 04:25 . 2017-03-23 04:25    214304    ----a-w-    c:\windows\system32\drivers\file_tracker.sys
2017-03-23 04:25 . 2017-03-23 04:25    184136    ----a-w-    c:\windows\system32\drivers\tib_mounter.sys
2017-03-23 04:25 . 2017-03-23 04:25    685160    ----a-w-    c:\windows\system32\drivers\tib.sys
2017-03-23 04:25 . 2017-03-23 04:25    208672    ----a-w-    c:\windows\system32\drivers\snapman.sys
2017-03-23 04:25 . 2017-03-23 04:25    98592    ----a-w-    c:\windows\system32\drivers\fltsrv.sys
2017-03-23 04:25 . 2017-03-23 04:25    --------    d-----w-    c:\program files\Common Files\Acronis
2017-03-23 04:24 . 2017-03-23 04:25    --------    d-----w-    c:\program files\Common Files\Seagate
2017-03-23 04:24 . 2017-03-23 04:24    --------    d-----w-    c:\program files\Seagate
2017-03-22 22:47 . 2017-03-22 22:47    --------    d-----w-    c:\program files\Macrium
2017-03-22 22:45 . 2017-03-22 22:58    --------    d-----w-    c:\programdata\Macrium
2017-03-22 22:38 . 2017-03-22 22:38    --------    d-----w-    c:\windows\xxclone.arc
2017-03-22 03:07 . 2017-03-24 20:41    --------    d-----w-    C:\FRST
2017-03-21 23:47 . 2017-03-21 23:47    527816    ----a-w-    c:\program files\Mozilla Firefox\minidump-analyzer.exe
2017-03-21 20:54 . 2017-02-10 00:04    9992952    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{9B9304F3-A931-4F35-ABB5-30D180AB17DA}\mpengine.dll
2017-03-06 10:10 . 2015-12-20 16:16    221184    ----a-w-    c:\windows\system32\rdpudd.dll
2017-03-06 10:10 . 2015-12-20 18:45    2745856    ----a-w-    c:\windows\system32\rdpcorets.dll
2017-03-06 10:10 . 2015-12-20 18:45    13824    ----a-w-    c:\windows\system32\RdpGroupPolicyExtension.dll
2017-03-06 10:10 . 2014-12-11 17:47    74240    ----a-w-    c:\windows\system32\TSWbPrxy.exe
2017-03-06 10:10 . 2015-07-16 19:12    856064    ----a-w-    c:\windows\system32\rdvidcrl.dll
2017-03-06 10:10 . 2015-07-16 19:12    53248    ----a-w-    c:\windows\system32\tsgqec.dll
2017-03-06 10:10 . 2015-07-16 19:12    6131200    ----a-w-    c:\windows\system32\mstscax.dll
2017-03-06 10:10 . 2015-07-16 15:14    355840    ----a-w-    c:\windows\system32\wksprt.exe
2017-03-06 04:42 . 2017-03-06 04:45    --------    d-----w-    c:\program files\Arduino
2017-03-06 03:45 . 2017-03-06 03:45    --------    d-----w-    c:\program files\Atmel
2017-03-05 04:03 . 2012-08-23 14:44    14848    ----a-w-    c:\windows\system32\drivers\rdpvideominiport.sys
2017-03-05 04:03 . 2012-08-23 11:12    192000    ----a-w-    c:\windows\system32\rdpendp_winip.dll
2017-03-05 04:03 . 2013-10-01 23:45    32256    ----a-w-    c:\windows\system32\TsUsbGDCoInstaller.dll
2017-03-05 04:03 . 2013-10-02 00:32    12800    ----a-w-    c:\windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2017-03-05 04:03 . 2013-10-02 00:42    49152    ----a-w-    c:\windows\system32\drivers\TsUsbFlt.sys
2017-03-05 04:03 . 2013-10-02 00:30    14336    ----a-w-    c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2017-03-05 04:03 . 2013-10-02 00:14    50176    ----a-w-    c:\windows\system32\MsRdpWebAccess.dll
2017-03-05 04:03 . 2013-10-02 00:14    17920    ----a-w-    c:\windows\system32\wksprtPS.dll
2017-03-05 04:03 . 2013-10-01 22:34    1068544    ----a-w-    c:\windows\system32\mstsc.exe
2017-03-05 04:00 . 2015-12-16 18:43    6144    ----a-w-    c:\windows\system32\kbdgeoqw.dll
2017-03-05 04:00 . 2015-12-16 18:43    6144    ----a-w-    c:\windows\system32\KBDAZEL.DLL
2017-03-05 04:00 . 2015-08-05 17:40    15872    ----a-w-    c:\windows\system32\icaapi.dll
2017-03-05 04:00 . 2015-08-05 16:58    31232    ----a-w-    c:\windows\system32\drivers\tssecsrv.sys
2017-03-05 03:59 . 2017-02-02 16:14    971776    ----a-w-    c:\windows\system32\aeinv.dll
2017-03-05 03:59 . 2017-02-02 14:06    505344    ----a-w-    c:\windows\system32\generaltel.dll
2017-03-05 03:59 . 2016-12-31 15:36    442368    ----a-w-    c:\windows\system32\devinv.dll
2017-03-05 03:59 . 2016-12-31 15:36    1331200    ----a-w-    c:\windows\system32\appraiser.dll
2017-03-05 03:59 . 2017-02-02 16:18    71400    ----a-w-    c:\windows\system32\CompatTelRunner.exe
2017-03-05 03:59 . 2016-12-31 15:36    270848    ----a-w-    c:\windows\system32\invagent.dll
2017-03-05 03:59 . 2016-12-31 15:36    212480    ----a-w-    c:\windows\system32\centel.dll
2017-03-05 03:59 . 2016-12-31 15:36    183808    ----a-w-    c:\windows\system32\aepic.dll
2017-03-05 03:59 . 2016-12-31 15:36    104960    ----a-w-    c:\windows\system32\acmigration.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2017-02-28 09:15 . 2016-04-14 06:02    89296    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2017-02-23 00:12 . 2017-02-23 00:21    221184    ----a-w-    c:\windows\system32\glut32.dll
2017-01-05 17:46 . 2017-01-14 20:46    67304    ----a-w-    c:\windows\system32\drivers\ksecdd.sys
2017-01-05 17:46 . 2017-01-14 20:46    137960    ----a-w-    c:\windows\system32\drivers\ksecpkg.sys
2017-01-05 17:43 . 2017-01-14 20:46    172032    ----a-w-    c:\windows\system32\wdigest.dll
2017-01-05 17:43 . 2017-01-14 20:46    99840    ----a-w-    c:\windows\system32\sspicli.dll
2017-01-05 17:43 . 2017-01-14 20:46    65536    ----a-w-    c:\windows\system32\TSpkg.dll
2017-01-05 17:43 . 2017-01-14 20:46    655360    ----a-w-    c:\windows\system32\rpcrt4.dll
2017-01-05 17:43 . 2017-01-14 20:46    254464    ----a-w-    c:\windows\system32\schannel.dll
2017-01-05 17:43 . 2017-01-14 20:46    22016    ----a-w-    c:\windows\system32\secur32.dll
2017-01-05 17:43 . 2017-01-14 20:46    141312    ----a-w-    c:\windows\system32\rpchttp.dll
2017-01-05 17:43 . 2017-01-14 20:46    261120    ----a-w-    c:\windows\system32\msv1_0.dll
2017-01-05 17:43 . 2017-01-14 20:46    223232    ----a-w-    c:\windows\system32\ncrypt.dll
2017-01-05 17:43 . 2017-01-14 20:46    60416    ----a-w-    c:\windows\system32\msobjs.dll
2017-01-05 17:43 . 2017-01-14 20:46    146432    ----a-w-    c:\windows\system32\msaudite.dll
2017-01-05 17:43 . 2017-01-14 20:46    1062912    ----a-w-    c:\windows\system32\lsasrv.dll
2017-01-05 17:43 . 2017-01-14 20:46    553472    ----a-w-    c:\windows\system32\kerberos.dll
2017-01-05 17:43 . 2017-01-14 20:46    17408    ----a-w-    c:\windows\system32\credssp.dll
2017-01-05 17:43 . 2017-01-14 20:46    82432    ----a-w-    c:\windows\system32\bcrypt.dll
2017-01-05 17:42 . 2017-01-14 20:46    690688    ----a-w-    c:\windows\system32\adtschema.dll
2017-01-05 17:23 . 2017-01-14 20:46    50176    ----a-w-    c:\windows\system32\auditpol.exe
2017-01-05 17:19 . 2017-01-14 20:46    226304    ----a-w-    c:\windows\system32\drivers\mrxsmb10.sys
2017-01-05 17:19 . 2017-01-14 20:46    98304    ----a-w-    c:\windows\system32\drivers\mrxsmb20.sys
2017-01-05 17:19 . 2017-01-14 20:46    124416    ----a-w-    c:\windows\system32\drivers\mrxsmb.sys
2017-01-05 17:19 . 2017-01-14 20:46    36352    ----a-w-    c:\windows\system32\cryptbase.dll
2017-01-05 17:19 . 2017-01-14 20:46    22016    ----a-w-    c:\windows\system32\lsass.exe
2017-01-05 17:19 . 2017-01-14 20:46    15872    ----a-w-    c:\windows\system32\sspisrv.dll
2016-09-29 16:21 . 2016-09-29 16:21    478720    ----a-w-    c:\program files\setup.exe
2016-09-29 16:21 . 2016-09-29 16:21    2310144    ----a-w-    c:\program files\openoffice413.msi
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncError]
@="{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}"
[HKEY_CLASSES_ROOT\CLSID\{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}]
2014-09-09 17:59    2637408    ----a-w-    c:\program files\Seagate\DiscWizard\tishell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncInProgress]
@="{00F848DC-B1D4-4892-9C25-CAADC86A215D}"
[HKEY_CLASSES_ROOT\CLSID\{00F848DC-B1D4-4892-9C25-CAADC86A215D}]
2014-09-09 17:59    2637408    ----a-w-    c:\program files\Seagate\DiscWizard\tishell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncOk]
@="{71573297-552E-46fc-BE3D-3DFAF88D47B7}"
[HKEY_CLASSES_ROOT\CLSID\{71573297-552E-46fc-BE3D-3DFAF88D47B7}]
2014-09-09 17:59    2637408    ----a-w-    c:\program files\Seagate\DiscWizard\tishell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2015-09-16 5589976]
"AcronisTibMounterMonitor"="c:\program files\Common Files\Acronis\TibMounter\TibMounterMonitor.exe" [2015-07-20 691056]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2015-09-16 400360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2016-04-15 280576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CenturyLinkTouchPointAgent]
2015-07-21 19:06    48616    ----a-w-    c:\program files\CenturyLink\Desktop\CenturyLinkTouchPointAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvBackend]
2016-04-05 08:11    2397752    ----a-w-    c:\program files\NVIDIA Corporation\Update Core\NvBackend.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-10-10 04:55    7741440    ----a-w-    c:\windows\System32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-10-10 04:55    81920    ----a-w-    c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2006-10-10 04:55    90191    ----a-w-    c:\windows\System32\nvsvc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShadowPlay]
2016-04-05 07:48    1373864    ----a-w-    c:\windows\System32\nvspcap.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2016-06-22 09:13    598552    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
R3 CH341SER;CH341SER;c:\windows\system32\Drivers\CH341SER.SYS [2015-01-26 41472]
R3 libusb0;libusb-win32 - Kernel Driver 01/17/2012 1.2.6.0;c:\windows\system32\DRIVERS\libusb0.sys [2014-02-06 42592]
S0 file_tracker;file_tracker;c:\windows\system32\DRIVERS\file_tracker.sys [2017-03-23 214304]
S0 fltsrv;Acronis Storage Filter Management;c:\windows\system32\DRIVERS\fltsrv.sys [2017-03-23 98592]
S1 BHDrvx86;BHDrvx86;c:\program files\Norton AntiVirus\NortonData\22.5.2.15\Definitions\BASHDefs\20170317.001\BHDrvx86.sys [2017-03-03 1334424]
S1 ccSet_NAV;NAV Settings Manager;c:\windows\system32\drivers\NAV\1609010.00C\ccSetx86.sys [2017-02-20 137888]
S1 IDSVix86;IDSVix86;c:\program files\Norton AntiVirus\NortonData\22.5.2.15\Definitions\IPSDefs\20170324.001\IDSvix86.sys [2017-03-02 798928]
S2 DiagTrack;Diagnostics Tracking Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 GfExperienceService;NVIDIA GeForce Experience Service;c:\program files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [2016-04-05 931384]
S2 MacriumService;Macrium Service;c:\program files\Macrium\Common\MacriumService.exe [2017-02-25 3125408]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\22.9.1.12\NAV.exe [2017-03-16 288512]
S3 atmelwindrvr;atmelwindrvr;c:\windows\system32\drivers\atmelwindrvr.sys [2015-08-12 227528]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2017-01-26 124576]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       SSDPSRV upnphost SCardSvr fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
utcsvc    REG_MULTI_SZ       DiagTrack
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.yahoo.com/
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
FF - ProfilePath - c:\users\Jim\AppData\Roaming\Mozilla\Firefox\Profiles\m8djcp2l.default-1482032896170\
FF - prefs.js: browser.startup.homepage - hxxps://www.yahoo.com/
.
.
------- File Associations -------
.
vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=c:\windows\System32\CScript.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-MBAMService
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\22.9.1.12\NAV.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\22.9.1.12\diMaster.dll\" /prefetch:1"
"ImagePath"="\SystemRoot\System32\Drivers\NAV\1609010.00C\SYMNETS.SYS"
"TrustedImagePaths"="c:\program files\Norton AntiVirus\Engine\22.9.1.12"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Environment*]
"v5Licence0"="35-9MFV-69X7-M9MV-DKVU-MW4H-KAFMQXW"
"Activated"="Y"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2017-03-24  17:56:47
ComboFix-quarantined-files.txt  2017-03-25 00:56
.
Pre-Run: 963,989,700,608 bytes free
Post-Run: 963,907,563,520 bytes free
.
- - End Of File - - 14BE92B0E6A988BA39CD97A3F8E6108D
A36C5E4F47E84449FF07ED3517B43A31
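
The "Reg Loading Points" section and the S0/S1/S2 service lines above are ComboFix's own output. As an added example that is not part of the log or of anyone's post in this thread, the following PowerShell script re-enumerates the same autostart locations on the machine (Run/RunOnce values, shell icon overlay handlers, auto-start services and drivers) and checks the Authenticode signature of every binary they point at, so unsigned or missing files stand out from the vendor entries (Seagate/Acronis, NVIDIA, Symantec, Microsoft) listed in the log. It assumes Windows 7 32-bit with PowerShell 2.0 and an elevated prompt; the function names Resolve-ImagePath, Get-SignatureStatus and New-Entry are the example's own.

```powershell
# Added example (not part of the ComboFix log or of any post in this thread):
# re-enumerate the autostart locations ComboFix reported under "Reg Loading Points"
# and verify the Authenticode signature of each binary. Assumes Windows 7 with
# PowerShell 2.0, run from an elevated prompt.

function Resolve-ImagePath {
    # Turn a raw registry value ('"C:\x y\a.exe" /s', '\SystemRoot\System32\drivers\b.sys',
    # 'system32\c.dll', '\??\C:\d.sys', '%SystemRoot%\e.dll') into a plain file path.
    param([string]$Value)
    if (-not $Value) { return '' }
    $v = [Environment]::ExpandEnvironmentVariables($Value.Trim())
    if ($v -match '^"([^"]+)"') { $v = $Matches[1] }                       # quoted path, drop arguments
    elseif ($v -match '^(.+?\.(exe|dll|sys))(\s|$)') { $v = $Matches[1] }  # unquoted path, drop arguments
    if ($v -match '^\\\?\?\\(.*)$') { $v = $Matches[1] }                   # NT object-manager prefix
    if ($v -match '^\\SystemRoot\\(.*)$') { $v = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($v -match '^system32\\') { $v = Join-Path $env:SystemRoot $v }
    return $v
}

function Get-SignatureStatus {
    param([string]$Path)
    if (-not $Path) { return 'NO PATH' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { return 'Valid: ' + $sig.SignerCertificate.Subject }
    return [string]$sig.Status       # NotSigned, HashMismatch, UnknownError, ...
}

function New-Entry {
    param([string]$Location, [string]$RawPath)
    New-Object PSObject -Property @{ Location = $Location; Path = (Resolve-ImagePath $RawPath) }
}

$entries = @()

# 1. Run / RunOnce values for the machine and for the current user.
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($name in 'Run', 'RunOnce') {
        $key = "$($hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\$name"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
            $entries += New-Entry "$hive $name\$($p.Name)" $p.Value
        }
    }
}

# 2. Shell icon overlay handlers: each subkey's default value is a CLSID whose
#    InprocServer32 default value names the DLL Explorer loads. HKCR merges the
#    per-user and per-machine CLSID registrations, so a user-level override is seen too.
$overlays = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
foreach ($sub in Get-ChildItem -Path $overlays) {
    $clsid  = (Get-ItemProperty -Path $sub.PSPath).'(default)'
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $dll = ''
    if (Test-Path $inproc) { $dll = (Get-ItemProperty -Path $inproc).'(default)' }
    $entries += New-Entry "Overlay $($sub.PSChildName) $clsid" $dll
}

# 3. Services and kernel drivers that start without user action (ComboFix's S0/S1/S2
#    lines). svchost-hosted services are resolved to the DLL named in Parameters\ServiceDll.
foreach ($svc in Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto'") {
    $raw = $svc.PathName
    if ($raw -match 'svchost\.exe') {
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        if (Test-Path $params) {
            $dll = (Get-ItemProperty -Path $params).ServiceDll
            if ($dll) { $raw = $dll }
        }
    }
    $entries += New-Entry "Service $($svc.Name)" $raw
}
$drvFilter = "StartMode='Boot' OR StartMode='System' OR StartMode='Auto'"
foreach ($drv in Get-WmiObject -Class Win32_SystemDriver -Filter $drvFilter) {
    $entries += New-Entry "Driver $($drv.Name)" $drv.PathName
}

# Attach the signature verdict; sorting puts MISSING / NO PATH / NotSigned rows
# ahead of Valid ones, which are the rows worth a second look.
foreach ($e in $entries) {
    Add-Member -InputObject $e -MemberType NoteProperty -Name Signature -Value (Get-SignatureStatus $e.Path)
}
$entries | Sort-Object Signature, Location | Format-Table -AutoSize Location, Signature, Path
```

A valid signature only says who built the file, not that it is wanted; compare the signer and path of each row against the vendors you expect (the ComboFix log above lists them per entry) rather than treating "Valid" as a clean bill of health.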
 



#11 Jo*
  • Malware Response Team
  • 3,416 posts
  • Gender:Male
  • Location:Germany

Posted 25 March 2017 - 09:54 AM

Hello again,

:step1: Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 5 different versions. If one of them won't run, then download and try to run another one.
Vista and Win7/8/10 users need to right-click and choose Run as Administrator.
You only need to get one of them to run, not all of them.
Do not reboot your computer after running rkill, as the malware programs will start again.


---


:step2: Malwarebytes' Anti-Malware
If this program is already installed: Skip the installation and run only the scan!
Download and install: Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
How to get logs: (Export log to save as txt)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.
(Copy to clipboard for pasting into forum replies or tickets)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

---


:step3: Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

---


:step4: How is the computer running now?


---


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#12 hdleng
  • Topic Starter
  • Members
  • 23 posts

Posted 25 March 2017 - 05:33 PM

Jo, I have followed your instructions.  The log from Malwarebytes Anti-Malware:

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/25/17
Scan Time: 2:49 PM
Logfile: Anti-MalwareScanLog.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.75
Update Package Version: 1.0.1595
License: Free

-System Information-
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: jimw7\Jim

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 290248
Time Elapsed: 13 min, 1 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

 

FSS.txt:

 

Farbar Service Scanner Version: 27-01-2016
Ran by Jim (administrator) on 25-03-2017 at 15:14:27
Running from "C:\Users\Jim\Desktop"
Microsoft Windows 7 Ultimate  Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => File is digitally signed
C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\system32\dhcpcore.dll => File is digitally signed
C:\Windows\system32\Drivers\afd.sys => File is digitally signed
C:\Windows\system32\Drivers\tdx.sys => File is digitally signed
C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\system32\dnsrslvr.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\mpssvc.dll => File is digitally signed
C:\Windows\system32\bfe.dll => File is digitally signed
C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\system32\SDRSVC.dll => File is digitally signed
C:\Windows\system32\vssvc.exe => File is digitally signed
C:\Windows\system32\wscsvc.dll => File is digitally signed
C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\system32\wuaueng.dll => File is digitally signed
C:\Windows\system32\qmgr.dll => File is digitally signed
C:\Windows\system32\es.dll => File is digitally signed
C:\Windows\system32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed


**** End of log ****

 

Firefox still uses a lot of CPU.  If I open a new browser tab or change websites, CPU usage goes to 100% for 2 to 5 minutes.  I have tried numerous sites, and they all do this.



#13 Jo*
  • Malware Response Team
  • 3,416 posts
  • Gender:Male
  • Location:Germany

Posted 26 March 2017 - 05:17 AM

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(it takes a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
 

createsrpoint;
filesrcm; 
uninstall-list;
iedefaults;
ffdefaults;
chrdefaults;
resetIEproxy;
emptyclsid;
emptyalltemp;
autoclean;
resethosts;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Copy and paste the log to your next reply please.

---

Uninstall Firefox completely using this manual: http://kb.mozillazine.org/Uninstalling_Firefox
NOTE. Use MozBackup: http://mozbackup.jasnapaka.com/ to backup your bookmarks and passwords.
Do NOT backup anything else.
Install fresh copy.

Install only plugins that you really need!

Cheers,
Jo


#14 hdleng
  • Topic Starter
  • Members
  • 23 posts

Posted 26 March 2017 - 07:51 PM

Jo, I have tried to follow your instructions 3 times, but I have a problem. When I turn off Norton Antivirus, it turns itself back on. I turn it off by right-clicking its icon in the task bar and selecting Disable. It then has a red X over the icon. When I first ran zoek.exe, I heard a lot of CPU fan noise, so I checked the Task Manager Processes tab and saw 100% CPU, and nav.exe had most of the CPU use. The task bar icon still had a red X. I selected nav.exe in the Processes tab, right-clicked, and selected End Process. But nav.exe starts up again by itself.

Kindly tell me what to do next.

 

Thank You
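
Post #12 reports Firefox at 100% CPU for minutes at a time, and post #14 reports nav.exe taking most of the CPU and coming back on its own after End Process. As an added example that is not part of either post, the following PowerShell script measures which processes actually consume the CPU over a sampling window and, for those that host Windows services, shows the service configuration together with the Service Control Manager's recovery actions, which is one thing to check before uninstalling a product that restarts itself. It assumes Windows 7 with PowerShell 2.0 at an elevated prompt; the function names Get-CpuTopProcesses and Get-ServicesInProcess are the example's own, and `sc.exe qfailure` is the built-in service-control tool's query for recovery settings.

```powershell
# Added example (not from any post in this thread): attribute sustained CPU use to
# processes by sampling twice, then show the service configuration and SCM recovery
# actions for any Windows services hosted in the busiest processes. Assumes Windows 7
# with PowerShell 2.0, run elevated (otherwise the CPU figure for other users' and
# system processes is unavailable and those processes are skipped).

function Get-CpuTopProcesses {
    param([int]$Seconds = 10, [int]$Top = 5)
    # Process.CPU is the total processor seconds a process has consumed so far.
    # The difference between two samples, divided by the wall-clock interval and
    # the number of logical cores, is that process's share of the whole machine.
    $cores = [Environment]::ProcessorCount
    $first = @{}
    foreach ($p in Get-Process) { $first[$p.Id] = $p.CPU }
    Start-Sleep -Seconds $Seconds
    $rows = @()
    foreach ($p in Get-Process) {
        if (-not $first.ContainsKey($p.Id)) { continue }                    # started mid-interval
        if ($p.CPU -eq $null -or $first[$p.Id] -eq $null) { continue }      # access denied
        $delta = $p.CPU - $first[$p.Id]
        if ($delta -lt 0) { continue }                                      # PID reused mid-interval
        $rows += New-Object PSObject -Property @{
            Name       = $p.ProcessName
            Id         = $p.Id
            CpuPercent = [math]::Round(100 * $delta / ($Seconds * $cores), 1)
        }
    }
    $rows | Sort-Object CpuPercent -Descending | Select-Object -First $Top
}

function Get-ServicesInProcess {
    param([int]$ProcessId)
    # Win32_Service records the PID hosting each service, so a busy svchost.exe or
    # vendor service process can be mapped back to service names and start modes.
    Get-WmiObject -Class Win32_Service -Filter "ProcessId=$ProcessId" |
        Select-Object Name, StartMode, State, PathName
}

$top = Get-CpuTopProcesses -Seconds 10 -Top 5
$top | Format-Table -AutoSize Name, Id, CpuPercent | Out-Host

foreach ($row in $top) {
    $services = @(Get-ServicesInProcess -ProcessId $row.Id)
    if ($services.Count -eq 0) { continue }
    Write-Host ""
    Write-Host "Services hosted by PID $($row.Id) ($($row.Name)):"
    $services | Format-Table -AutoSize Name, StartMode, State, PathName | Out-Host
    foreach ($s in $services) {
        # sc qfailure prints the service's recovery actions; a FAILURE_ACTIONS line
        # containing RESTART means the SCM itself relaunches the service after its
        # process dies. Security products may also restart themselves by other means
        # (a watchdog service or driver), which this query does not show.
        & sc.exe qfailure $s.Name | Out-Host
    }
}
```

Run it while the browser is reproducing the symptom (open a new tab, then start the script) so the sample covers the busy period; a ten-second window at 100% on one core of a dual-core machine shows as roughly 50 percent for the responsible process.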



#15 Jo*
  • Malware Response Team
  • 3,416 posts
  • Gender:Male
  • Location:Germany

Posted 27 March 2017 - 05:24 AM

Perhaps you have a problem with Norton Antivirus.

Can you uninstall it, restart the PC and then reinstall Norton Antivirus?


Cheers,
Jo




