[7SP1HomePre x64] IE11/Chrome runs up very high memory usage in Task Manager

TKARI (Member; joined Jan 11, 2018; 16 posts)
I have Windows 7 SP1 64 bit. When I use either browser, the memory usage runs up to 98% and locks or seriously bogs down the computer. If I have only one tab open, three instances show up in Processes. I understand that there is always one more instance than there are open tabs. At 95% the highest instance is running at over 1,000,000K. If I end this process or process tree, total usage drops as low as 24% but begins to climb again, and within 20 minutes we're back up to 95%+, so I do it all over again. Also, when running MS Office Excel, which is what I use most, it appears there are two instances of it running, because when I close the program by clicking on the X the window closes and for a brief moment there is a blank window behind it.
In October I spent numerous days with MS Support attempting to get this fixed. They went in and looked around, tried some things, and we did a reinstall and then a clean reinstall, but the same problem persists. I also have Account Unknown (S-1-15-2-1) in the security tab on some of my files; some also have CREATOR/OWNER. This is strange since I am the only user of this machine. I have a regular user account I normally use and an Administrator account; these should be the only two accounts on here. Occasionally when I use Excel and try to save a file I have changed, I get an error message that it can't be saved because my changes can't be merged with changes made by others. There should be no others making changes. I hope you can help me out with this. Here are the requested logs.

SAL Log

Result of Security Analysis by Rocket Grannie (x86) Updated: 29th December, 2017
Running from:C:\Users\Tim K\Downloads (08:55:53 - 01/12/2018)
***---------------------------------------------------------***
Microsoft Windows 7 Home Premium X64 Service Pack 1
UAC is Enabled
Internet Explorer 11
Default Browser: Internet Explorer
***------------Antivirus - Antispyware - Firewall-----------***
Microsoft Security Essentials (Disabled - up to Date)
Microsoft Security Essentials (Disabled - up to Date)
Windows Defender (Disabled - Not up to Date)
Windows Firewall (Enabled)
No other Firewall Installed
***-------Security Programs - Browsers - Miscellaneous------***
Adobe Flash Player NPAPI is not installed
Google Chrome (63.0.3239.132)
Microsoft Security Essentials (4.10.209.0)
Microsoft Silverlight (5.1.50907.0)
***----------------Analysis Complete-------------------------***

FRST Log

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02.01.2018
Ran by WareHouse (administrator) on WAREHOUSE-PC (12-01-2018 09:00:47)
Running from C:\Users\Tim K\Desktop
Loaded Profiles: WareHouse & Tim K (Available Profiles: WareHouse & Tim K & UpdatusUser)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
(Microsoft Corporation) C:\Program Files (x86)\UPS\WSTD\WSDB\MSSQL11.UPSWS2012SERVER\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(United Parcel Service, Inc.) C:\Program Files (x86)\UPS\WSTD\WSTDMessaging.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
() C:\Program Files (x86)\UPS\WSTD\UPSNA1Msgr.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
(Microsoft Corporation) C:\Users\Tim K\AppData\Local\Microsoft\OneDrive\17.3.7131.1115\FileCoAuth.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\SysWOW64\prevhost.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
==================== Registry (Whitelisted) ===========================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1353680 2016-11-14] (Microsoft Corporation)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [WSUpdater] => C:\PROGRAM FILES (X86)\UPS\WSTD\CF\WorldShipCF.exe [239872 2017-03-08] (UPS)
HKLM-x32\...\Run: [NA1Messenger] => C:\PROGRAM FILES (X86)\UPS\WSTD\UPSNA1Msgr.exe [29952 2017-03-08] ()
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1171480 2017-09-27] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [MSPCLOCK] => rundll32.exe streamci,StreamingDeviceSetup {97ebaacc-95bd-11d0-a3ea-00a0c9223196},{53172480-4791-11D0-A5D6-28DB04C10000},{53172480-4791-11D0-A5D6-28DB04C10000}
HKLM\...\RunOnce: [MSPQM] => rundll32.exe streamci,StreamingDeviceSetup {DDF4358E-BB2C-11D0-A42F-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196}
HKLM\...\RunOnce: [MSKSSRV] => rundll32.exe streamci,StreamingDeviceSetup {96E080C7-143C-11D1-B40F-00A0C9223196},{3C0D501A-140B-11D1-B40F-00A0C9223196},{3C0D501A-140B-11D1-B40F-00A0C9223196}
HKLM\...\RunOnce: [MSTEE.CxTransform] => rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{CF1DDA2C-9743-11D0-A3EE-00A0C9223196},{CF1DDA2C-9743-11D0-A3EE-00A0C9223196},C:\Windows\inf\ksfilter.inf,MSTEE.Interf (the data entry has 11 more characters).
HKLM\...\RunOnce: [MSTEE.Splitter] => rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},C:\Windows\inf\ksfilter.inf,MSTEE.Interf (the data entry has 11 more characters).
HKLM\...\RunOnce: [WDM_DRMKAUD] => rundll32.exe streamci,StreamingDeviceSetup {EEC12DB6-AD9C-4168-8658-B03DAEF417FE},{ABD61E00-9350-47e2-A632-4438B90C6641},{FFBB6E3F-CCFE-4D84-90D9-421418B03A8E},C:\Windows\inf\WDMAUDIO.inf,WDM_DRMKAUD. (the data entry has 17 more characters).
HKLM-x32\...\RunOnce: [WorldshipTD] => C:\PROGRAM FILES (X86)\UPS\WSTD\WorldShipTD.exe [32097536 2017-03-08] (UPS) <==== ATTENTION
HKU\S-1-5-21-3776473273-3615072846-71466002-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [31682144 2015-03-25] (Skype Technologies S.A.)
HKU\S-1-5-21-3776473273-3615072846-71466002-1000\...\Run: [Google Update] => C:\Users\WareHouse\AppData\Local\Google\Update\1.3.33.5\GoogleUpdateCore.exe [601168 2017-10-26] (Google Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\UPS WorldShip Messaging Utility.lnk [2017-10-27]
ShortcutTarget: UPS WorldShip Messaging Utility.lnk -> C:\Program Files (x86)\UPS\WSTD\WSTDMessaging.exe (United Parcel Service, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\UPS WorldShip PLD Reminder Utility.lnk [2017-10-27]
ShortcutTarget: UPS WorldShip PLD Reminder Utility.lnk -> C:\Program Files (x86)\UPS\WSTD\wstdPldReminder.exe (UPS)
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{8C621D28-A8C7-40D3-A016-D6924B568881}: [DhcpNameServer] 192.168.1.254
Internet Explorer:
==================
HKU\S-1-5-21-3776473273-3615072846-71466002-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL [2017-12-19] (Microsoft Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll [2017-12-19] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\URLREDIR.DLL [2017-12-19] (Microsoft Corporation)
DPF: HKLM-x32 {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1509476628579
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2017-12-19] (Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2017-12-19] (Microsoft Corporation)
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2017-12-19] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2017-12-19] (Microsoft Corporation)
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2017-12-19] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2017-12-19] (Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2017-12-19] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2017-12-19] (Microsoft Corporation)
FireFox:
========
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2017-12-19] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL [2017-12-19] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-11-04] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3776473273-3615072846-71466002-1000: @tools.google.com/Google Update;version=3 -> C:\Users\WareHouse\AppData\Local\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-10-26] (Google Inc.)
FF Plugin HKU\S-1-5-21-3776473273-3615072846-71466002-1000: @tools.google.com/Google Update;version=9 -> C:\Users\WareHouse\AppData\Local\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-10-26] (Google Inc.)
Chrome:
=======
CHR Profile: C:\Users\WareHouse\AppData\Local\Google\Chrome\User Data\Default [2017-12-27]
CHR Extension: (Slides) - C:\Users\WareHouse\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-26]
CHR Extension: (Docs) - C:\Users\WareHouse\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-26]
CHR Extension: (Google Drive) - C:\Users\WareHouse\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-10-26]
CHR Extension: (YouTube) - C:\Users\WareHouse\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-10-26]
CHR Extension: (Sheets) - C:\Users\WareHouse\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-26]
CHR Extension: (Google Docs Offline) - C:\Users\WareHouse\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-10-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\WareHouse\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-10-26]
CHR Extension: (Gmail) - C:\Users\WareHouse\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-10-26]
CHR Extension: (Chrome Media Router) - C:\Users\WareHouse\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-11-03]
CHR HKU\S-1-5-21-3776473273-3615072846-71466002-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
StartMenuInternet: Google Chrome.K6LHS3GY7565OGF3WJL4OV7U4U - C:\Users\WareHouse\AppData\Local\Google\Chrome\Application\chrome.exe
==================== Services (Whitelisted) ====================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [7761576 2017-12-25] (Microsoft Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [119864 2016-11-14] (Microsoft Corporation)
R2 MSSQL$UPSWS2012SERVER; C:\PROGRAM FILES (X86)\UPS\WSTD\WSDB\MSSQL11.UPSWS2012SERVER\MSSQL\Binn\sqlservr.exe [163008 2017-07-07] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [361816 2016-11-14] (Microsoft Corporation)
S4 SQLAgent$UPSWS2012SERVER; C:\PROGRAM FILES (X86)\UPS\WSTD\WSDB\MSSQL11.UPSWS2012SERVER\MSSQL\Binn\SQLAGENT.EXE [448704 2017-07-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
S4 LMIRescue_eafebfad-841f-4624-ecd2-5372714ebc31; "C:\Program Files (x86)\LogMeIn Rescue Applet\LMIR0002.tmp\LMI_Rescue_srv.exe" -service -sid eafebfad-841f-4624-ecd2-5372714ebc31 -wd "C:\Users\WareHouse\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\"
S4 nvUpdatusService; "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe" [X]
===================== Drivers (Whitelisted) ======================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [295000 2016-08-25] (Microsoft Corporation)
R1 MpKsl22aa16a3; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8F34028E-3400-4E73-8E35-810E9A7A8FA5}\MpKsl22aa16a3.sys [58120 2018-01-11] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [135928 2016-08-25] (Microsoft Corporation)
R3 WirelessKeyboardFilter; C:\Windows\System32\DRIVERS\WirelessKeyboardFilter.sys [49896 2016-07-22] (Microsoft Corporation)
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2018-01-12 08:55 - 2018-01-12 08:55 - 000000904 _____ C:\Users\Tim K\Downloads\SALog.txt
2018-01-12 08:54 - 2018-01-12 08:54 - 000899584 _____ C:\Users\Tim K\Downloads\RGSA.exe
2018-01-12 07:22 - 2018-01-12 07:23 - 000024886 _____ C:\Users\Tim K\Desktop\Addition.txt
2018-01-12 07:20 - 2018-01-12 09:01 - 000014598 _____ C:\Users\Tim K\Desktop\FRST.txt
2018-01-12 07:20 - 2018-01-12 07:20 - 000000000 ____D C:\Users\Tim K\Desktop\FRST-OlderVersion
2018-01-12 07:18 - 2018-01-12 09:00 - 000000000 ____D C:\FRST
2018-01-11 11:20 - 2018-01-11 11:20 - 000388608 _____ (Trend Micro Inc.) C:\Users\Tim K\Downloads\HijackThis.exe
2018-01-11 11:03 - 2018-01-11 11:08 - 000000000 ____D C:\sysclean
2018-01-11 11:01 - 2018-01-11 11:01 - 005228804 _____ C:\sysclean.zip
2018-01-08 07:15 - 2018-01-08 07:15 - 000000000 ____D C:\Program Files\Common Files\DESIGNER
2018-01-05 09:22 - 2018-01-05 09:22 - 000325383 _____ C:\Users\Tim K\Desktop\AEI TAG P.O. 4500087027.pdf
2018-01-03 09:14 - 2018-01-03 09:14 - 000247333 _____ C:\Users\Tim K\Desktop\TENILLE 4500086701.pdf
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2018-01-12 08:56 - 2017-11-06 07:12 - 000767792 _____ C:\Windows\ntbtlog.txt
2018-01-12 08:55 - 2009-07-13 22:45 - 000022560 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-01-12 08:55 - 2009-07-13 22:45 - 000022560 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-01-12 07:20 - 2017-12-01 13:53 - 002393088 _____ (Farbar) C:\Users\Tim K\Desktop\FRST64.exe
2018-01-11 11:20 - 2017-10-26 03:31 - 000000000 ____D C:\Users\Tim K\AppData\Local\VirtualStore
2018-01-11 07:33 - 2017-10-26 02:09 - 000000000 ___RD C:\Users\Tim K\OneDrive
2018-01-11 07:30 - 2009-07-13 23:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-01-10 12:10 - 2009-07-13 22:45 - 000024576 _____ C:\Windows\system32\umstartup.etl
2018-01-10 12:09 - 2017-11-03 14:22 - 000000000 ____D C:\Windows\pss
2018-01-10 07:24 - 2017-10-26 08:25 - 000000000 ___HD C:\OneDriveTemp
2018-01-09 07:47 - 2009-07-13 21:20 - 000000000 ____D C:\Windows\system32\NDF
2018-01-09 07:19 - 2017-11-03 11:42 - 000002204 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-01-09 07:19 - 2017-11-03 11:42 - 000002192 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-01-09 07:06 - 2017-10-25 23:24 - 000000000 ____D C:\Users\WareHouse
2018-01-08 07:16 - 2017-10-26 02:02 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2018-01-08 07:15 - 2009-07-13 21:20 - 000000000 ____D C:\Program Files\Common Files\Microsoft Shared
2018-01-08 07:13 - 2017-10-26 01:13 - 000000000 ____D C:\Program Files\Microsoft Office
Files to move or delete:
====================
C:\PROGRAM FILES (X86)\UPS\WSTD\WorldShipTD.exe

Some files in TEMP:
====================
2016-12-07 16:17 - 2016-12-07 16:17 - 000076032 ____R (United Parcel Service, Inc.) C:\Users\WareHouse\AppData\Local\Temp\launch.exe
==================== Bamital & volsnap ======================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2018-01-08 13:08
==================== End of FRST.txt ============================

Addition Log

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02.01.2018
Ran by WareHouse (12-01-2018 09:02:37)
Running from C:\Users\Tim K\Desktop
Windows 7 Home Premium Service Pack 1 (X64) (2017-10-26 05:24:04)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================
Administrator (S-1-5-21-3776473273-3615072846-71466002-500 - Administrator - Disabled)
Guest (S-1-5-21-3776473273-3615072846-71466002-501 - Limited - Disabled)
Tim K (S-1-5-21-3776473273-3615072846-71466002-1001 - Limited - Enabled) => C:\Users\Tim K
UpdatusUser (S-1-5-21-3776473273-3615072846-71466002-1003 - Limited - Enabled) => C:\Users\UpdatusUser
WareHouse (S-1-5-21-3776473273-3615072846-71466002-1000 - Administrator - Enabled) => C:\Users\WareHouse
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Microsoft Security Essentials (Enabled - Up to date) {71A27EC9-3DA6-45FC-60A7-004F623C6189}
AS: Microsoft Security Essentials (Enabled - Up to date) {CAC39F2D-1B9C-4A72-5A17-3B3D19BB2B34}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
==================== Installed Programs ======================
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.009.20050 - Adobe Systems Incorporated)
AlignmentUtility (HKLM-x32\...\{4C5E314A-31CA-4223-9A90-CE0C4D5800A4}) (Version: 20.00.0000 - UPS) Hidden
CCC (HKLM-x32\...\{95749C5B-BC37-41E3-8D39-EEF4C21A2825}) (Version: 20.00.0000 - United Parcel Service, Inc.) Hidden
FormsComponent (HKLM-x32\...\{91032FF2-836F-4CCA-A1A3-55B966E82907}) (Version: 20.00.0000 - UPS) Hidden
FOSS (HKLM-x32\...\{267FC070-5271-4768-B33A-33E4EA0E3A74}) (Version: 20.00.0000 - UPS) Hidden
GDR 6251 for SQL Server 2012 (KB4019092) (HKLM-x32\...\KB4019092) (Version: 11.3.6251.0 - Microsoft Corporation)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 63.0.3239.132 - Google Inc.)
Google Chrome (HKU\S-1-5-21-3776473273-3615072846-71466002-1000\...\Google Chrome) (Version: 62.0.3202.75 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
HP Officejet 4630 series Basic Device Software (HKLM\...\{38037A50-E9F1-41E4-9AA3-2E0A5A2FC4C5}) (Version: 32.3.198.49673 - Hewlett-Packard Co.)
HP Officejet 4630 series Help (HKLM-x32\...\{9F79230F-EE1C-407E-94E1-D69021954C9B}) (Version: 31.0.0 - Hewlett Packard)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.7702 - HP)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
I.R.I.S. OCR (HKLM-x32\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
ICCHelp (HKLM-x32\...\{A5763105-D1D5-4862-A3FE-EC058F9AA73E}) (Version: 20.00.0000 - UPS)
Microsoft .NET Framework 4.7 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.02053 - Microsoft Corporation)
Microsoft Office 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.8730.2165 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-3776473273-3615072846-71466002-1000\...\OneDriveSetup.exe) (Version: 17.3.7073.1013 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-3776473273-3615072846-71466002-1001\...\OneDriveSetup.exe) (Version: 17.3.7131.1115 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.10.209.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50907.0 - Microsoft Corporation)
Microsoft SQL Server 2008 Setup Support Files (HKLM-x32\...\{D441BD04-E548-4F8E-97A4-1B66135BAAA8}) (Version: 10.1.2731.0 - Microsoft Corporation)
Microsoft SQL Server 2012 (HKLM-x32\...\Microsoft SQL Server SQLServer2012) (Version: - Microsoft Corporation)
Microsoft SQL Server 2012 Management Objects (HKLM-x32\...\{7FFF0385-BD04-4047-AA1D-6146A391FD0A}) (Version: 11.3.6020.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Native Client (HKLM\...\{9AE22681-C27C-402A-A136-15854DFF693D}) (Version: 11.3.6020.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Setup (English) (HKLM-x32\...\{7D8178CA-1AC1-4371-AD8B-5AD32C96274D}) (Version: 11.3.6251.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Transact-SQL ScriptDom (HKLM\...\{076FF390-D283-4174-B602-B0B7B72BD024}) (Version: 11.3.6020.0 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2012 (HKLM-x32\...\{8CE29F52-8FAF-4CFD-89E8-B2D61A6800B1}) (Version: 11.3.6020.0 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft VSS Writer for SQL Server 2012 (HKLM\...\{3E0DD83F-BE4C-4478-86A0-AD0D79D1353E}) (Version: 11.3.6020.0 - Microsoft Corporation)
MSIChecker (HKLM-x32\...\{C9D43B38-34AD-4EC2-B696-46F42D49D174}) (Version: 20.00.0000 - UPS) Hidden
NA1Messenger (HKLM-x32\...\{D44E7219-947E-4F1B-830E-66EF11ACC543}) (Version: 20.00.0000 - Your Company Name) Hidden
NRF (HKLM-x32\...\{99A0F94F-9F09-4F09-B8D9-E8F1BBBEF212}) (Version: 20.00.0000 - UPS) Hidden
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.10.62.40 - NVIDIA Corporation)
NVIDIA Graphics Driver 309.08 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 309.08 - NVIDIA Corporation)
NVIDIA Update 1.10.8 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.10.8 - NVIDIA Corporation)
Office 16 Click-to-Run Extensibility Component (HKLM\...\{90160000-008C-0000-1000-0000000FF1CE}) (Version: 16.0.8730.2165 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-007E-0000-1000-0000000FF1CE}) (Version: 16.0.8730.2165 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM\...\{90160000-008C-0409-1000-0000000FF1CE}) (Version: 16.0.8730.2165 - Microsoft Corporation) Hidden
PolicyManager (HKLM-x32\...\{2329553C-D499-4476-A20F-9C7E82ED122B}) (Version: 20.00.0000 - UPS) Hidden
Product Improvement Study for HP Officejet 4630 series (HKLM\...\{EE629820-EACD-4AAE-966D-DF1560A0ED2D}) (Version: 32.3.198.49673 - Hewlett-Packard Co.)
Reconciler (HKLM-x32\...\{98C4DE92-27C8-482C-8431-514828756E80}) (Version: 20.00.0000 - UPS) Hidden
ReportServer (HKLM-x32\...\{C81D8576-F1B1-4E3A-9DC3-DF1B664962F0}) (Version: 20.00.0000 - Your Company Name) Hidden
Service Pack 3 for SQL Server 2012 (KB3072779) (HKLM-x32\...\KB3072779) (Version: 11.3.6020.0 - Microsoft Corporation)
Skype™ 7.3 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.3.101 - Skype Technologies S.A.)
SQL Server 2012 Common Files (HKLM-x32\...\{124D51A1-F3C2-45AE-B812-D3CA71247093}) (Version: 11.3.6020.0 - Microsoft Corporation) Hidden
SQL Server 2012 Common Files (HKLM-x32\...\{7D29ED63-84F9-4EC7-B49F-994A3A3195B2}) (Version: 11.3.6020.0 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Services (HKLM-x32\...\{87D50333-E534-493A-8E98-0A49BC28F64B}) (Version: 11.3.6020.0 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Services (HKLM-x32\...\{C22613C2-C7A4-4761-A906-116ECD4E7477}) (Version: 11.3.6020.0 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Shared (HKLM-x32\...\{54F84805-0116-467F-8713-899DFC472235}) (Version: 11.3.6020.0 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Shared (HKLM-x32\...\{D0F44C37-A22B-4733-BBA7-86C9F4988725}) (Version: 11.3.6020.0 - Microsoft Corporation) Hidden
SQL Server Browser for SQL Server 2012 (HKLM-x32\...\{4B9E6EB0-0EED-4E74-9479-F982C3254F71}) (Version: 11.3.6020.0 - Microsoft Corporation)
Sql Server Customer Experience Improvement Program (HKLM-x32\...\{30CA21F2-901A-44DB-A43F-FC31CD0F2493}) (Version: 11.3.6020.0 - Microsoft Corporation) Hidden
SupportUtility (HKLM-x32\...\{31AF8802-BF43-4C43-984B-EC597CF51505}) (Version: 20.00.0000 - UPS) Hidden
System (HKLM-x32\...\{DB2C58E0-6284-4B48-97F2-22A980B6360B}) (Version: 20.00.0000 - UPS) Hidden
UnifiedPrinting (HKLM-x32\...\{CF2962CB-E3E7-4AA5-B6CE-EE59A600ECBE}) (Version: 20.00.0000 - UPS) Hidden
UPS WorldShip (HKLM-x32\...\UPS WorldShip) (Version: 20.0 - UPS)
UPSDB (HKLM-x32\...\{837896B9-CACA-44EF-B2F8-F6DB3D743595}) (Version: 20.00.0000 - UPS) Hidden
UPSICC (HKLM-x32\...\{390160B4-D276-4A04-8002-8D3101A0D367}) (Version: 20.00.0000 - UPS) Hidden
UPSlinkHTTP (HKLM-x32\...\{E358CC1E-4953-4E27-ADEB-8B27D8BBC20E}) (Version: 20.00.0000 - UPS) Hidden
UPSVC2013MM (HKLM-x32\...\{D99432A9-099D-4DF0-B3BA-41562C3F8B4C}) (Version: 19.00.0000 - Your Company Name) Hidden
VirusTotal Scanner (HKLM-x32\...\{43C5B500-38EB-456F-8C71-CE7B1F7F9976}) (Version: 6.5 - SecurityXploded) Hidden
VirusTotal Scanner (HKLM-x32\...\VirusTotal Scanner 6.5) (Version: 6.5 - SecurityXploded)
WorldShip (HKLM-x32\...\{05221EA8-BC66-483B-8036-5CAF7B813C10}) (Version: 20.00.0000 - UPS) Hidden
WSShared (HKLM-x32\...\{4D8761F6-BB0D-48B9-81F3-58EC0CDA2090}) (Version: 20.00.0000 - UPS) Hidden
==================== Custom CLSID (Whitelisted): ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
CustomCLSID: HKU\S-1-5-21-3776473273-3615072846-71466002-1000_Classes\CLSID\{144DF3B2-2402-47AE-9583-5A045929A8D4}\InprocServer32 -> C:\Users\WareHouse\AppData\Local\Google\Update\1.3.33.5\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3776473273-3615072846-71466002-1000_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\WareHouse\AppData\Local\Microsoft\OneDrive\17.3.6743.1212\amd64\FileCoAuthLib64.dll => No File
CustomCLSID: HKU\S-1-5-21-3776473273-3615072846-71466002-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\WareHouse\AppData\Local\Google\Update\1.3.33.5\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3776473273-3615072846-71466002-1001_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\Tim K\AppData\Local\Microsoft\OneDrive\17.3.6743.1212\amd64\FileCoAuthLib64.dll => No File
ContextMenuHandlers1: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers2: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers4: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2015-01-30] (NVIDIA Corporation)
==================== Scheduled Tasks (Whitelisted) =============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
Task: {0EB69665-6F0E-4B7D-9D2F-8F9EBFD376E8} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2017-12-25] (Microsoft Corporation)
Task: {13C59BE2-ED1D-4D5C-9FB5-CE790401008A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-11-03] (Google Inc.)
Task: {165E11D2-78D5-4858-9325-FB7328A7BA51} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-09-27] (Adobe Systems Incorporated)
Task: {2003D432-9F93-4988-87B1-C7987760A7BC} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-11-03] (Google Inc.)
Task: {2AF9FD08-A780-4EFE-B533-64FED7957555} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-01-05] (Microsoft Corporation)
Task: {3E45CCAC-93E2-4F55-AC07-0C05BDBD20DA} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3776473273-3615072846-71466002-1000UA => C:\Users\WareHouse\AppData\Local\Google\Update\GoogleUpdate.exe [2017-10-26] (Google Inc.)
Task: {524A469C-12BA-404B-9F5A-6350B42D1B36} - System32\Tasks\UPS WorldShip Updater => C:\PROGRAM FILES (X86)\UPS\WSTD\CF\WorldShipCF.exe [2017-03-08] (UPS)
Task: {6562A3E8-EEF7-45F2-A6D0-91A4BAFD8F23} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\Office16\OLicenseHeartbeat.exe [2018-01-05] (Microsoft Corporation)
Task: {6BF462BC-7E29-4209-90F5-6CB0D4133A0A} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3776473273-3615072846-71466002-1000Core => C:\Users\WareHouse\AppData\Local\Google\Update\GoogleUpdate.exe [2017-10-26] (Google Inc.)
Task: {78D87BAE-97A4-4346-80BC-385C98C2DD1D} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-01-05] (Microsoft Corporation)
Task: {892B4149-FD37-4F38-9E82-78B7C999585D} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2017-12-25] (Microsoft Corporation)
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
Task: C:\Windows\Tasks\FaxApplications.exe_{35929D7F-5029-4899-8B12-C31D2C6B71E6}.job => C:\Program Files\HP\HP Officejet 4630 series\Bin\FaxApplications.exe
Task: C:\Windows\Tasks\HPCustPartic.exe_{5A290B6C-F86A-4F11-BC0A-F2C9123209D5}.job => C:\Program Files\HP\HP Officejet 4630 series\Bin\HPCustPartic.exe
Task: C:\Windows\Tasks\Toolbox.exe_{9FEBFCD9-74C9-46D8-A6F5-EB77DC04FCC1}.job => C:\Program Files\HP\HP Officejet 4630 series\Bin\Toolbox.exe
==================== Shortcuts & WMI ========================
(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============
2017-10-30 15:23 - 2015-01-30 18:57 - 000086160 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2016-12-07 15:07 - 2017-03-08 22:36 - 000029952 _____ () C:\Program Files (x86)\UPS\WSTD\UPSNA1Msgr.exe
2017-10-26 01:38 - 2017-12-04 08:38 - 001902776 _____ () C:\Program Files\Microsoft Office\root\Office16\ClientTelemetry.dll
2017-10-26 01:19 - 2017-12-19 08:42 - 001401000 _____ () C:\Program Files\Microsoft Office\Root\Office16\ADDINS\UmOutlookAddin.dll
2017-10-26 01:40 - 2017-12-19 08:43 - 000735400 _____ () C:\Program Files\Microsoft Office\root\Office16\msfad.dll
2017-12-08 07:41 - 2017-12-08 07:41 - 000102088 _____ () C:\Users\Tim K\AppData\Local\Microsoft\OneDrive\17.3.7131.1115\UpdateRingSettings.dll
2017-03-08 22:52 - 2017-03-08 22:52 - 000024832 _____ () C:\Program Files (x86)\UPS\WSTD\UPSResourceManager.dll
2017-07-31 16:31 - 2017-07-31 16:31 - 072940016 _____ () C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libcef.dll
==================== Alternate Data Streams (Whitelisted) =========
(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LMIRescue_eafebfad-841f-4624-ecd2-5372714ebc31 => ""="Service"
==================== Association (Whitelisted) ===============
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============
(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2009-07-13 20:34 - 2009-06-10 15:00 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts

==================== Other Areas ============================
(Currently there is no automatic fix for this section.)
HKU\S-1-5-21-3776473273-3615072846-71466002-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\WareHouse\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-3776473273-3615072846-71466002-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Tim K\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
==================== MSCONFIG/TASK MANAGER disabled items ==
MSCONFIG\Services: LMIRescue_eafebfad-841f-4624-ecd2-5372714ebc31 => 2
MSCONFIG\Services: nvUpdatusService => 2
==================== FirewallRules (Whitelisted) ===============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
FirewallRules: [{7739F33E-775B-45A5-8140-18192E7DA0FA}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{81ACBD10-8009-4160-9C31-4B4211E0A036}] => (Allow) C:\Program Files\HP\HP Officejet 4630 series\bin\FaxApplications.exe
FirewallRules: [{2885573F-85BD-4B37-8253-3FE338DE1EFE}] => (Allow) C:\Program Files\HP\HP Officejet 4630 series\bin\DigitalWizards.exe
FirewallRules: [{2A47A7AA-21FD-4AA5-AC9F-D9BD048500BF}] => (Allow) C:\Program Files\HP\HP Officejet 4630 series\bin\SendAFax.exe
FirewallRules: [{CE699966-45B8-46F5-A6F7-A32D9A4E18F8}] => (Allow) C:\Program Files\HP\HP Officejet 4630 series\Bin\DeviceSetup.exe
FirewallRules: [{BFE19CB7-CEDA-4F06-80F3-671667FF6AF5}] => (Allow) LPort=5357
FirewallRules: [{B0A9F3C0-9362-4EA3-9E73-688EA93AE3A4}] => (Allow) C:\Program Files\HP\HP Officejet 4630 series\Bin\HPNetworkCommunicatorCom.exe
FirewallRules: [{BA08D83A-6430-49E1-8F9C-A21405BA13C9}] => (Allow) C:\Users\Tim K\AppData\Local\Temp\7zS1476\HPDiagnosticCoreUI.exe
FirewallRules: [{16BCE4A9-24DA-42E9-AD2F-18BDAF3D8AA0}] => (Allow) C:\Users\Tim K\AppData\Local\Temp\7zS1476\HPDiagnosticCoreUI.exe
FirewallRules: [{786BA01B-9E19-4F11-B135-A28C0B5B1016}] => (Allow) C:\Users\Tim K\AppData\Local\Temp\7zS4146\HPDiagnosticCoreUI.exe
FirewallRules: [{1A8A97E0-B0EC-42D0-84F9-6A1C87EE0296}] => (Allow) C:\Users\Tim K\AppData\Local\Temp\7zS4146\HPDiagnosticCoreUI.exe
FirewallRules: [{3B9E822B-B88D-40CB-A812-F0F826E30AAA}] => (Block) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
FirewallRules: [{9B7EB4DE-4702-4532-8DD9-EFDF2885F480}] => (Block) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
FirewallRules: [{B94D255F-B9E6-4146-BE28-DAA38AE1677E}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{B8AF5335-9495-4095-AD8A-FAC2154DAFC0}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
==================== Restore Points =========================
22-12-2017 12:11:14 Windows Update
27-12-2017 13:09:09 Windows Update
02-01-2018 07:20:24 Windows Update
08-01-2018 07:21:37 Windows Update
11-01-2018 14:39:54 Windows Update
==================== Faulty Device Manager Devices =============
Name: Microsoft PS/2 Mouse
Description: Microsoft PS/2 Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
Name: MpKslc9a34405
Description: MpKslc9a34405
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: MpKslc9a34405
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================
Application errors:
==================
Error: (01/11/2018 12:56:09 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.18838 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: 23c
Start Time: 01d38b046423bc70
Termination Time: 47
Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Report Id:
Error: (01/11/2018 07:31:39 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Error: (01/10/2018 12:12:50 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Error: (01/10/2018 11:54:35 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Error: (01/10/2018 07:03:45 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Error: (01/09/2018 01:25:50 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 11.0.9600.18838 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: d54
Start Time: 01d389556e823990
Termination Time: 218
Application Path: C:\Program Files\Internet Explorer\iexplore.exe
Report Id: d9d3e931-f572-11e7-8020-f80f4103818a
Error: (01/09/2018 01:23:19 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program OUTLOOK.EXE version 16.0.8730.2165 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: 164
Start Time: 01d3894c99fabab0
Termination Time: 0
Application Path: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Report Id: 5261f5f1-f572-11e7-8020-f80f4103818a
Error: (01/09/2018 10:05:25 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.18838 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: 105c
Start Time: 01d3896347115c20
Termination Time: 40
Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Report Id:
Error: (01/09/2018 08:55:07 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.9600.18838, time stamp: 0x59e1a862
Faulting module name: MSHTML.dll, version: 11.0.9600.18838, time stamp: 0x59e1b8ff
Exception code: 0xc0000005
Fault offset: 0x00fbd389
Faulting process id: 0xad4
Faulting application start time: 0x01d389556e9c68b0
Faulting application path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Faulting module path: C:\Windows\system32\MSHTML.dll
Report Id: 14cb09b8-f54d-11e7-8020-f80f4103818a
Error: (01/09/2018 07:52:02 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.18838 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: f4
Start Time: 01d38950b93416c0
Termination Time: 16
Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Report Id:

System errors:
=============
Error: (01/12/2018 08:39:40 AM) (Source: DCOM) (EventID: 10016) (User: WareHouse-PC)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
and APPID
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
to the user WareHouse-PC\Tim K SID (S-1-5-21-3776473273-3615072846-71466002-1001) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
Error: (01/11/2018 10:53:06 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.
Error: (01/11/2018 07:49:10 AM) (Source: DCOM) (EventID: 10016) (User: WareHouse-PC)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
and APPID
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
to the user WareHouse-PC\Tim K SID (S-1-5-21-3776473273-3615072846-71466002-1001) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
Error: (01/10/2018 01:00:41 PM) (Source: DCOM) (EventID: 10016) (User: WareHouse-PC)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
and APPID
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
to the user WareHouse-PC\Tim K SID (S-1-5-21-3776473273-3615072846-71466002-1001) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
Error: (01/10/2018 12:02:18 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Software Protection service terminated with the following error:
The system cannot find the file specified.
Error: (01/10/2018 12:00:18 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
MpFilter
spldr
Error: (01/10/2018 12:00:17 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Task Scheduler service depends on the Windows Event Log service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
Error: (01/10/2018 12:00:17 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Link-Layer Topology Discovery Responder service failed to start due to the following error:
The driver was not loaded because the system is booting into safe mode.
Error: (01/10/2018 12:00:17 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Link-Layer Topology Discovery Mapper I/O Driver service failed to start due to the following error:
The driver was not loaded because the system is booting into safe mode.
Error: (01/10/2018 10:49:28 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

==================== Memory info ===========================
Processor: AMD Athlon(tm) II X2 220 Processor
Percentage of memory in use: 68%
Total physical RAM: 1791.37 MB
Available physical RAM: 571.63 MB
Total Virtual: 4322.73 MB
Available Virtual: 1872.84 MB
==================== Drives ================================
Drive c: (eMachines) (Fixed) (Total:451.66 GB) (Free:343.34 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 1B0C91ED)
Partition 1: (Not Active) - (Size=14 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=451.7 GB) - (Type=07 NTFS)
==================== End of Addition.txt ============================
 
Re: IE 11 or Chrome runs up very high memory usage in Task Manager Processes

Hi, TKARI.

Regarding the user accounts:

  • UpdatusUser: The UpdatusUser folder is automatically created during the Nvidia graphics driver installation and it is used for updating the graphics driver whenever new drivers are available.
  • Creator Owner: The generic user Creator Owner is a placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces the SID for Creator Owner with the SID for the object's current owner.
  • S-1-15-2-1: S-1-15-2-1 is all applications running in an app package context.

Seeing that you have SQL Server 2012 installed on your computer, is this a business machine or your personal computer? If this is a business machine, please consult your IT Department or System Administrator. It is further advisable that you consult your employer's "Acceptable Usage Policy" to ensure that you are not in breach of Company rules by attempting to fix a business asset.

If this is your personal computer, please note that although you have SP3 installed, Service Pack 4 for SQL Server 2012 was released in October (See SQL Server 2012 Service Pack 4 (SP4) Released! | SQL Server Release Services).
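An added PowerShell example (not code from the thread or from any tool used in it) that makes the Creator Owner behaviour described above visible: it lists the ACEs on a folder and on a file inside it, flags the CREATOR OWNER placeholder (well-known SID S-1-3-0), and reports any SID the machine cannot resolve as "Account Unknown", which is how the Security tab shows such entries. The two paths are assumed sample locations.

```powershell
# Added example, not from the thread. Shows how the CREATOR OWNER placeholder
# appears on a folder as an inherit-only ACE, while a file inside that folder
# carries the real owner's account in its place. Any identity that Get-Acl
# cannot translate to a name is reported as "Account Unknown", the same way the
# Security tab shows an unresolvable SID such as S-1-15-2-1.

function Get-AceReport {
    param([Parameter(Mandatory)][string]$Path)

    # Well-known SID for the CREATOR OWNER placeholder.
    $creatorOwner = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0'

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference
        # Get-Acl resolves names where it can; anything still a raw
        # SecurityIdentifier is an account this machine does not know.
        if ($id -is [System.Security.Principal.SecurityIdentifier]) {
            $sid  = $id
            $name = 'Account Unknown'
        } else {
            $sid  = $id.Translate([System.Security.Principal.SecurityIdentifier])
            $name = $id.Value
        }
        $inheritOnly = (($ace.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0)

        [pscustomobject]@{
            Path        = $Path
            Identity    = $name
            Sid         = $sid.Value
            Placeholder = ($sid -eq $creatorOwner)   # True for CREATOR OWNER
            Inherited   = $ace.IsInherited
            InheritOnly = $inheritOnly               # placeholder lives here on folders
            Rights      = $ace.FileSystemRights
        }
    }
}

# Assumed sample locations (constructed for this example); substitute one of
# the affected files and its parent folder.
$folder = Join-Path $env:USERPROFILE 'Documents'
$file   = Join-Path $folder 'example.xlsx'

"Owner of folder: $((Get-Acl -LiteralPath $folder).Owner)"
Get-AceReport -Path $folder | Format-Table -AutoSize
if (Test-Path -LiteralPath $file) {
    "Owner of file: $((Get-Acl -LiteralPath $file).Owner)"
    Get-AceReport -Path $file | Format-Table -AutoSize
}
```

On the folder you should see a CREATOR OWNER row with Placeholder and InheritOnly both True; on the file that row is replaced by the owner's own account with Inherited True.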
 

Thank you for your fast response. This is my computer I do work on. I have a stand alone DSL line.
Thanks for addressing my concerns over the different accounts. Have you seen anything that would give a clue as to why the RAM usage keeps ramping up while browsing? It doesn't do this unless there is a browser open but I do still have the issue with what appears to be multiple instances of Excel and Browsers running at the same time. Can you tell if SQL server is part of the UPS Worldship program? I believe it is, but if there's another SQL server on here I don't think I need it.
 
Re: IE 11 or Chrome runs up very high memory usage in Task Manager Processes

What exactly does SQL Server do? If it's not part of UPS Worldship do I need it?
 
It's most likely part of that program (i.e., ups worldship needs SQL server, that's another program), especially if you don't know where it comes from.
It seems there's a new version of it: WorldShip 2018.
In the installation guide for the 2017 version, it is written: "Enable Microsoft ® SQL Server ® 2012 Express with WorldShip".
 
Since it is your personal computer, please download Malwarebytes to your desktop.
  • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
  • The log is available through History -> Application logs. Please post its contents in your next reply.
 
I downloaded Malwarebytes and ran it as instructed but I cannot find the log. I can get a scan report in the program but cannot find the log. No threats were found.
 
Hi, TKARI.

Since Chrome is not my preferred browser and very seldom launched, I did a bit of research and learned that Chrome's high memory use is a common complaint. As I understand it, Chrome splits every tab, plugin, and extension into its own process. This way, if one thing crashes (e.g., Flash), the page or even Chrome itself doesn't crash. However, because this results in duplicating some tasks for every tab, it can lead to higher memory usage. This from How To Find A Tab With High CPU Usage On Chrome And Firefox may be helpful:

Chrome has its very own task manager. On Windows, if you open the task manager you will probably see multiple instances of Chrome running. There is an instance for each tab. In the unlikely event that Windows isn’t reporting memory or CPU usage correctly, or you don’t see all your tabs you can use the Chrome Task Manager.

Open a Chrome window and tap the Shift+Esc shortcut to open the task manager. You will see a list of all tabs you have open, and all extensions you have installed in your browser. You can sort them by high-to-low usage. Pick out the tab with high CPU usage and click End Process to close it.

Please do the following to run FRST:

Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Please select the entire contents of the code box below, from the "Start::" line to "End", including both lines. Right-click and select "Copy ".
Code:
Start::
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
S4 nvUpdatusService; "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe" [X]
CustomCLSID: HKU\S-1-5-21-3776473273-3615072846-71466002-1000_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\WareHouse\AppData\Local\Microsoft\OneDrive\17.3.6743.1212\amd64\FileCoAuthLib64.dll => No File
EmptyTemp:
End::
  • Please right-click on FRST/FRST64 to run as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST/FRST64.exe
  • Please post the log in your next reply.
 
I copied the code and opened the FRST64 as instructed. Not being familiar with this process I clicked the Fix button thinking it would open a window to paste the code in, it didn't but ran anyway. I soon realized I should have pasted the code in the Search box after the fact.
I have been having this memory run up problem with both Chrome and IE 11. However MS Essentials ran a scan and found a Trojan Win32/Feurboos.B!cl. It quarantined it and said to remove it right away, so I did. Since then I have not had the memory run up problem with IE 11, but I have not used Chrome since then. I am using Chrome now to see what happens. Chrome does not appear to be running up as before. This may have fixed the memory run up problems but both Chrome and IE 11 are very sluggish to open and hang up when scrolling. If I need to do a system restore and go back and run the code you sent only let me know. I will check and see if there is any improvement in Excel and Outlook in the meantime.

Thank You.

Fixlog

Fix result of Farbar Recovery Scan Tool (x64) Version: 17.01.2018 01
Ran by WareHouse (17-01-2018 13:06:34) Run:1
Running from C:\Users\Tim K\Desktop
Loaded Profiles: WareHouse & Tim K (Available Profiles: WareHouse & Tim K & UpdatusUser)
Boot Mode: Normal
==============================================


fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
S4 nvUpdatusService; "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe" [X]
CustomCLSID: HKU\S-1-5-21-3776473273-3615072846-71466002-1000_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\WareHouse\AppData\Local\Microsoft\OneDrive\17.3.6743.1212\amd64\FileCoAuthLib64.dll => No File
EmptyTemp:


*****************


Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\" => removed successfully
"HKLM\System\CurrentControlSet\Services\nvUpdatusService" => removed successfully
nvUpdatusService => service removed successfully
"HKU\S-1-5-21-3776473273-3615072846-71466002-1000_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}" => removed successfully


=========== EmptyTemp: ==========


BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 11524245 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 215277700 B
Edge => 0 B
Chrome => 85961350 B
Firefox => 0 B
Opera => 0 B


Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 66228 B
systemprofile32 => 66356 B
LocalService => 0 B
NetworkService => 10484702 B
WareHouse => 5924953487 B
Tim K => 939882213 B
UpdatusUser => 0 B


RecycleBin => 30046895 B
EmptyTemp: => 6.7 GB temporary data Removed.


================================




The system needed a reboot.


==== End of Fixlog 13:10:14 ====
 
It probably won't hurt that 6.7 GB of temporary data was removed.

To clean up the tools/log used, please download Delfix from here.

Ensure the following boxes are checked:
  • Remove disinfection tools
  • Create registry backup
  • Purge system restore
  • Click Run
The program will run for a few moments and then notepad will open with a log.
 
Ran Delfix. I saw that it freed up 6.7 G that in itself should speed things up.

Delfix Log

# DelFix v1.013 - Logfile created 17/01/2018 at 14:07:08
# Updated 17/04/2016 by Xplode
# Username : WareHouse - WAREHOUSE-PC
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)


~ Removing disinfection tools ...


Deleted : \FRST
Deleted : HKLM\SOFTWARE\TrendMicro\Hijackthis


~ Creating registry backup ... OK


~ Cleaning system restore ...


Deleted : RP #35 [Windows Update | 01/08/2018 13:21:37]
Deleted : RP #36 [Windows Update | 01/11/2018 20:39:54]
Deleted : RP #37 [Windows Update | 01/12/2018 18:00:31]
Deleted : RP #38 [Windows Update | 01/16/2018 20:55:11]
Deleted : RP #40 [Restore Point Created by FRST | 01/17/2018 19:06:39]


New restore point created !


########## - EOF - ##########
 
One instance of Chrome is still running up memory use to 1,500,000k then it closes the page. This happens on MSN.com. This tab was open at the same time and is not affected.
 
Follow up info:

This morning I tried to come to this site and IE 11 would not go here when I typed the address in the address box. It did nothing. To get here I had to go to Favorites and click on this site which opened a new tab. While Chrome is still running up memory use it appears that it is still happening on IE 11 but not as bad. With two tabs open I have three instances showing in Task Manager. The highest is 123,260k and slowly coming up, PID 3112, User Name TimK; second running at 15,480 staying steady, User Name TimK, PID 5768; third 4,496 steady, PID 5024, Username TimK.
I checked Internet Options and this site is not showing in the Restricted Sites on the Security Tab or in the Privacy Tab. It appears that whatever is in here is trying to prevent me from coming here. I unplug the network cable from the router when I shut down and if I start up without plugging into the router everything is fast and memory use stays low but once I plug into the router memory use goes up and things slow down. I have noticed that programs take a long time to close, especially Office Programs like Excel and Outlook, others are slow but much faster shutting down than these two. When I shut down sometimes but not always I get a screen that says "These Programs Need To Close" and they will show programs I do have open but sometimes I get this message and there are no programs in the list.
 
Hi, TKARI.

There really isn't anything unusual with increased memory usage when opening another website. If you look at Task Manager, what you're seeing as 123,260 k is only 123.6 MB and definitely not high for a browser. Merely opening MSN on my old desktop with 4G RAM, Microsoft Edge jumped over 2000 MB in memory usage. From what I'm seeing in the log, your processor is eight years old on an emachine that has ~2G RAM.

Since you had no problem getting here from your bookmark, it sounds as though you may have mistyped the site name in the address bar.

To be sure, however, that I didn't miss something in your logs, please do the following:

Please do a scan with ESET Online Scanner

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Please visit the ESET Online Scanner website
  • Click the SCAN NOW button to download the esetonlinescanner_enu.exe file to the Desktop
  • Double click esetonlinescanner_enu.exe. Accept the Terms of Use
  • Select Enable detection of potentially unwanted applications
  • In Advanced Settings: make sure that Clean threats automatically is unchecked
  • And Enable detection of potentially unsafe applications, Enable detection of suspicious applications, Scan archives, and Enable Anti-Stealth technology are all checked.
  • Click Scan
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When completed it'll show a list of "Threats found", click beneath it on Save to text file.... and save it as ESET log.txt on your Desktop.
  • Then allow ESET to clean anything it found. Place a checkmark at Delete application's data on close, click Finish and close the program.
Don't forget to re-enable previously switched-off protection software!
 
Ran ESET. Six threats found. Selected all to clean and it cleaned two and went to the Finish screen and reported 6 found, 2 cleaned. Hit the Back button and it showed two cleaned and the other 4 working. Have not hit the Finish button yet. Awaiting further instructions.
Re-enabled MS Security Essentials. Is Windows Defender part of MS Essentials? If so it has been turned off for a while. Also, while searching for the Malwarebytes log the other day I looked for it in the Event Viewer and there were no entries under Applications, a few under System. This seemed odd since there are usually pages of entries there. ESET Log.txt does not show up on the Desktop; I had to locate it with Windows Explorer in Desktop to open and send it. Still not showing on the Desktop with all the other logs.

ESET Log:

C:\Windows.old\Documents and Settings\Warehouse\AppData\Local\Temp\7zS14D3\Optional\HP_IPG_Toolbar_installer.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Windows.old\Documents and Settings\Warehouse\Downloads\OJ4630_198.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Windows.old\Documents and Settings\Warehouse\Local Settings\Temp\7zS14D3\Optional\HP_IPG_Toolbar_installer.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Windows.old\Users\Warehouse\AppData\Local\Temp\7zS14D3\Optional\HP_IPG_Toolbar_installer.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Windows.old\Users\Warehouse\Downloads\OJ4630_198.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Windows.old\Users\Warehouse\Local Settings\Temp\7zS14D3\Optional\HP_IPG_Toolbar_installer.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
 
Hi, TKARI.

First of all, what ESET found was located in Windows.old. The Windows.old folder was created by Windows when you either chose a custom installation or upgraded from a previous Windows version (e.g., Windows Vista). The folder contains the files, folders and drivers from the previous Windows version. Since four of the findings were in Temp locations, most likely the two that were removed were in the Downloads folder. Unless you're planning on retrieving files from Windows.old, nothing to be concerned with so go ahead and proceed.

On Windows 7, Microsoft Security Essentials is the antivirus and Windows Defender is the anti-spyware program. You can read more about it here: What's New in Windows Defender. It certainly wouldn't hurt to enable it.

Sorry you could only find the ESET log on the Desktop by going through Windows Explorer, although I have seen where Windows Explorer (File Explorer on Windows 10) tends to provide faster access to the Desktop than using the Desktop shortcut in the task bar.
 
I went to look at the Event Viewer and under Windows Logs->Setup I saw some Error listings; there were ten of them for the same two KBs, KB2999266x64 with error code 2359302 and KB2999266x86 with error code 2149842967. These both tried to install one after the other on all ten occasions: 11/17/17, 12/7/17, 12/21/17, 1/8/18, 1/17/18. However, none of these showed up in the Update History as failed updates.
Can I delete the Windows.old folder? It was from a clean reinstall I did with MS Support back in Oct. I spent about 12 days with them trying to fix my issues. We did a clean reinstall and I knew something was wrong after the install when I checked my Update History and found updates with a 2009 install date still on there. Things appear to be better. IE 11 is not running up as before. With two tabs open the highest IE is running 67,000k. When it and Chrome were running up before they would get me to 95 - 97% usage, and when I ended the process of the highest one usage would drop to 24 - 34%. That 1,250,000k, as you said, in itself is not much, but when it was ended it freed up 60 - 70% usage. That seems to me quite a bit for one part of one program. I haven't tried Chrome yet to see if it's still running up or not.
One reason I was sure I had a bug is that when you open up Windows Explorer and minimize it, when you reopen it it takes you to the last window you were in. Mine would sometimes reopen to Documents, which I had not gone to in or out of Explorer, and there would be a folder named Custom Office Templates. This was an empty folder and to my knowledge served no purpose at all.
Thank you for all your help. I hope this has fixed things. I will follow up with the Chrome results once I get it checked out.
 
Went to Control Panel->Administrative Tools->Services, ran as Administrator and tried to turn on Windows Defender. Kept getting a message that said WD has started and stopped; this happens sometimes when a service is not being used by another program. Thought maybe Malwarebytes was preventing it from running, so I stopped that service and tried to start WD again and got the same message. Set the Start on WD to Automatic and tried to start it again with the same result.
Chrome seems to be holding steady at 68,000k. With this tab and MSN.com open it's climbing; Chrome is the top three and the fifth with 110,800, 94,700, 70,100 and 64,800, but the highest is still nowhere near what it was at 1,500,000.
 
Hi, TKARI.

1. Regarding the information in Event Viewer and Windows Update History: Error code 2359302 means the update is already installed, therefore the installation of the update was skipped, which is by design. KB2999266 appears to be an update for the Windows Server 2012 you have installed. What is more important is whether those KBs are listed in Windows Update History. To check, go to Start -> Control Panel -> System and Security -> Windows Update. Click on the View Update History link and click on the Installed Updates link. Are both KB numbers listed?

2. Yes, you can delete the Windows.old folder. Note, however, that the folder contains all the files and data from your previous Windows installation and can also be used if you need to restore any files from that previous install. If you decide to remove the Windows.old folder, see the instructions at Tips to free up drive space on your PC - Windows Help for using Disk Cleanup.

3. Of course Windows Defender won't start since you are using Microsoft Security Essentials! At the time I wrote that, I was thinking you had a different antivirus software installed rather than MSE, which includes the Real-time protection against spyware. People who choose to use a different anti-virus software other than MSE can use Windows Defender for protection against spyware. Sorry for the confusion.

4. Again, with Chrome, if you find that it does start using a lot of memory, it may be due to extensions installed. "Open a Chrome window and tap the Shift+Esc shortcut to open the task manager. You will see a list of all tabs you have open, and all extensions you have installed in your browser. You can sort them by high-to-low usage. Pick out the tab with high CPU usage and click End Process to close it."
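An added example, not from this thread, that does the check in item 1 from an elevated PowerShell prompt instead of the Control Panel: it reports whether each KB number mentioned in the thread is listed among installed updates, then pulls the Error entries from the Setup log (Event Viewer -> Windows Logs -> Setup) and shows their decimal codes as hex so they can be read as Windows Update HRESULTs. The KB numbers are the ones quoted in the thread; that the prompt is elevated and that the messages carry the error code in decimal, as WUSA events do, are assumptions.

```powershell
# Added example: check Windows Update state for the KBs discussed in the thread.
# Assumes an elevated PowerShell prompt (reading the Setup log needs admin rights);
# written for PowerShell 2.0 so it also runs on a stock Windows 7 SP1.
$kbs = @('KB2999266', 'KB2565063', 'KB971033', 'KB3072779')   # KB numbers taken from the thread

# 1. Is each KB present among installed hotfixes? Get-HotFix reads the same
#    inventory that Control Panel -> Installed Updates displays.
foreach ($kb in $kbs) {
    $hit = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($hit) {
        '{0}: installed on {1}' -f $kb, $hit.InstalledOn
    } else {
        '{0}: NOT listed in installed updates' -f $kb
    }
}

# 2. Setup-log Error entries that name a KB, with the error code shown as hex.
#    The two codes from the thread decode as:
#      2359302    -> 0x00240006  (WU_S_ALREADY_INSTALLED, update already present)
#      2149842967 -> 0x80240017  (WU_E_NOT_APPLICABLE, update does not apply here)
Get-WinEvent -LogName Setup -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -eq 'Error' -and $_.Message -match 'KB\d+' } |
    ForEach-Object {
        $msg  = $_.Message
        $kb   = if ($msg -match '(KB\d+)') { $Matches[1] } else { '' }
        # assumption: the code appears as a bare 7-10 digit decimal number in the message
        $code = if ($msg -match '\b(\d{7,10})\b') { [uint32]$Matches[1] } else { 0 }
        New-Object PSObject -Property @{
            Time = $_.TimeCreated
            KB   = $kb
            Code = ('0x{0:X8}' -f $code)
            Text = $msg.Substring(0, [Math]::Min(100, $msg.Length))
        }
    } | Select-Object Time, KB, Code, Text | Format-Table -AutoSize
```

A KB that Get-HotFix reports as installed while the Setup log keeps logging 0x00240006 for it is the "already installed, skipped" case described in item 1, not a failed update.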
 
KB2999266 does appear in the Update History, but only once as that KB#. There is no x64 or x86 with it. There are some items listed that do not have a KB#; are these suspicious? It does not show up in the Installed Updates. I have one update with no version# or publisher name, KB2565063 under Microsoft Visual C++ 2010 x86 Redistributable 10.0.40219. I have the same KB just above that where everything is the same except it's x64, but this one includes version and publisher. Both installed on 10/27/17.

I also have an installed Update for Adobe Acrobat Reader DC with no KB#, version, or publisher installed on 11/30/17.

KB971033 no version or publisher installed 1/12/18

Service Pack 3 for Microsoft SQL Server Browser KB3072779 no version or publisher installed 10/27/17.
Both IE11 and Chrome seem to be keeping memory use down and steady. The computer is working faster. We are making progress.

This morning I opened a PDF file and noticed in Task Manager there were, with only one tab open, 2 instances of AcroRd32.exe and 3 instances of RdrCEF.exe*32, all running on the Standard user account, TimK. I have long sensed that at least part of my problems involved Acrobat Reader and Flash Player.
 