Inactive Malware created Win7 system processes I cannot end or delete

SteveTraverse

TS Rookie
Hello, I am having some issues. This is probably not the right forum, but I have tried to create accounts on various malware removal related forums, and the captcha or security questions will not display, making it impossible to report this issue or ask about it. This is a Windows forum. At the very least, can anyone verify they have the scaimhk and dwrmeusvc processes and that these are not gibberish virus files?

(TL;DR: What I need: a way to end a system process called dwrmeusvc.exe that cannot be found online, and delete the application in my Windows System32 folder. Access denied; it won't let me end or delete it.)

I am running Windows 7 Home Edition 64 bit on an Acer Aspire 57357 Laptop

On Jan 26, 2018, at 9:10 PM I downloaded and opened a bad file that infected my PC with various malware and/or viruses, nearly all of which I've removed manually and with the help of UnHackMe and Malwarebytes, but in my Windows and Windows System32 folders are new files that were created at the same time on the same day, which to me is a red flag that they are malware and need to be removed.

The problem is... I can't. Everything I have tried and read about, such as going into the Security tab and changing permissions, does not work. The malware has installed new Windows system files and I cannot delete them.

In particular, there is a process called dwrmeusvc.exe that is always running in Task Manager, and it will not let me end this process. I have carefully typed the name of this process exactly as shown and cannot find it at all online, or in any process library. If this were a legitimate Windows system process, I would think it should exist somewhere on the Web.

As well, I have found no posted results anywhere online about the Virus/Malware I got, so I am going to list them here. Apparently I am the first person to get this brand new virus and it has become my burden to report, but where do I report it?

Effect of Malware:
1. Opens 20-30 applications called EVH and OVH, which I cannot find anywhere online, except that they are named after surgical procedures.
2. Continually installs a bunch of unwanted programs, such as HdWallPaper, Cloud7, SystemHealer, AwesomeSearch, ShutDownTime and others. Reinstalls them if removed via Control Panel.
3. Created a bunch of gibberish named processes, programs, and hidden folders I have ended and removed in Programs86 folder.
4. Continually creates multiple copies of processes called PERSONIFY.EXE and ABRAMS.EXE, which reload after you end them in Task Manager. They are connected to the OVH and EVH applications, as while I would continue to end them, I would sometimes get messages saying that Abrams and Personify have failed.
5. Folders and a hidden folder in Programs86 containing Personify.exe and Abrams.exe.
6. Abrams and Personify loaded into Startup folder.
7. Corruption to Windows files including the Registry, fixed with UnHackMe.
8. 732 Malicious items found and removed with Malwarebytes.
9. The program ShutDownTime creates a fake windows update that upon shutdown loads a restore point of when all the virus programs first installed. I can tell it was a restore point, because I changed the volume level from 100 to 83 before shutting down and that always resumes where I left it. I had to delete everything all over again, and then run Malwarebytes again, and remove all the 732 Malware again.
10. Luckily I was able to find and remove ShutDownTime. I also got rid of SystemHealer before it had a chance to kick in, which is probably a fake antivirus ransomware program.
11. With show hidden files on, I removed files in Temp, and basically anything gibberish that was created on Jan 26, 2018, 9:10 PM.

Ongoing Problems
1. Two applications named Client.exe appear in the Task Manager Applications area, but nowhere else on screen, as well as vmxclient.exe. This one IS a well-known virus that supposedly changes browser settings, but it did nothing to mine. These ONLY appear when I'm using the full-blown free open Wi-Fi at Safeway. I live in a Section 8 HUD housing complex where the Internet security is so strict you can't load many webpages or forums, can't ever download anything, can't watch YouTube videos, and at home these 3 applications DO NOT APPEAR.
2. I use a program called Vuze to download torrent files. This program never gave me any trouble, but now I suddenly get a BSOD (Blue Screen of Death) and crash sometimes when opening it, using it, or even uninstalling it.
3. There is the dwrmeusvc.exe process; it consumes 4,084K of memory at home, and over 7,000K on the Safeway Wi-Fi where the three programs appear. This process is always running, it is modified and updated even when I'm at home, and it was created on the same date as the malware. I am worried it's some kind of keylogger; it obviously uses P2P connections with remote users, which is probably the reason Vuze is now causing the BSOD crash or overloading a driver, as Vuze also uses P2P connections. But sometimes I get the crash when first loading Vuze, or when trying to uninstall it, with nothing attempting to download.

Normally I would use restore or backup, but I got this laptop cheap on Craigslist, it didn't come with disks, and to my surprise System Restore would not load from the Start menu. It does load with Startup Repair on boot, but no system restore points were found.

Since UnHackMe has recently created a number of restore points, or at least claimed to, I want to try my luck in deleting the remaining ones, or at least the dwrmeusvc.exe.


Other suspicious programs created on 1/26/2018 9:03+

scaimhk.exe (Originally created on Jan 26, but now it says created Feb 5, the last time I went to use the Safeway Wi-Fi to download YouTube videos so I could watch them at home.) Cannot find online, does not exist in process library.

If I can't find these processes listed online, surely they can't be legitimate Windows System processes, and it should be okay to delete them, right?

48e932ed2b9dea9a1c86929529b7307c.dll (Created 1/26/2018 9:03 PM)

unclog and uninstaller.dat (these were created 1/26/2018 4:26 AM and 7:43 PM, before I got the virus at 9 PM. I don't know what they are, or why they appeared at this time.)

MEMORY.DMP (date created 1/29/2018 8:43 PM, about when I first opened the malware file. But it has been modified as recently as 2/6/2018 7:44 PM, likely when the laptop crashed due to Vuze at Safeway. This seems to be the file created during the BSOD, so I will leave it alone.)

ntbtlog.txt (claims it was created on 1/26/2018 10:14 PM, but is a legit file): a list of drivers that loaded as well as drivers that could not be loaded. (Service Pack 1 1 26 2018 22:14:00 359; apparently installed with a Windows update I got at 4:30 in the morning, from one of those updates that reboot Windows.)
This text file is very long, and the majority of the 500+ drivers listed did not load.

In Windows System 32

osloader.exe (1/26/2018 9:24 PM, prime time while the virus was being installed.)
ntkrnlmp.exe (1/26/2018 9:24 PM created, last modified same date, 9:33 PM)
dwrmeusvc.exe (1/26/18 9:24 PM)
Partizan.exe (claims it was created 1/26, but was last modified 12/28/2015, so I guess it's okay)

How can a file be created LONG AFTER it was last modified?

So I guess I can't just delete everything that says it was created 1/26/2018 at 9:03-9:24 PM, but the dwrmeusvc.exe and scaimhk.exe programs and processes cannot be found at all online, and I am at my wits' end as to what is causing vmxclient and the other 2 clients to load at Safeway, and Vuze to cause my PC to crash.

So I want to delete these two files, or at the very least end them in the Processes tab, even if it causes me to crash.

I could probably go through downloading dozens of programs to try and fix my malware problem, but more than likely some of them are malware themselves. Even if these programs are recommended by tech support guys in various forums, it's hard to know if the website is suspicious and may be an impostor.

So I would really appreciate a way to end these processes or delete the files without having to download an additional program, or if I absolutely must, please provide a proper link as to where I can find it, as Google search results are always going to start with the highest-paid ad space.

SteveTraverse

TS Rookie
Thank you. I thought there was such a forum, but did not see it when looking for it.

Note: I am posting this on my much better desktop at home; I only got the laptop so that I could download stuff to watch or play, since I can't even watch a video with the Internet here. It might be the reason why the security questions and captcha do not load, and I am unable to create accounts on most forums.

Broni

Malware Annihilator
Welcome aboard

Please, complete all steps listed here: https://www.techspot.com/community/topics/updated-4-step-viruses-spyware-malware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If some log exceeds the 50,000-character post limit, split it between a couple of replies.
Attached logs won't be reviewed.

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=======================================

Rule of thumb....when Google doesn't yield any results for some particular file like dwrmeusvc.exe, most likely it's not legit.
 

SteveTraverse

TS Rookie
Understood. OK, I am on the laptop. I had to go to Safeway to download Farbar. Very nice of them to open the text files I need to paste when it finishes.

NOTE: I have IE, I use Firefox, I do NOT have or use Chrome. I installed Avast after the virus, but it would not start; I got a message saying I can't use it because I have Malwarebytes installed, and well, sorry, but Malwarebytes is better. So I uninstalled Avast, but there are still Avast drivers, and it added a rating system to my Firefox browser that I can't get rid of.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02.01.2018
Ran by Owner (administrator) on OWNER-PC (10-02-2018 19:47:10)
Running from C:\Users\Owner.Owner-PC\Downloads
Loaded Profiles: Owner (Available Profiles: Owner)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool:

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(TOSHIBA CORPORATION) C:\Windows\System32\dwrmeucsvc.exe
(Wondershare) C:\Program Files (x86)\Wondershare\WAF\2.4.3.224\WsAppService.exe
() C:\Users\Owner.Owner-PC\AppData\Local\avkrind\avkrind.exe
() C:\Users\Owner.Owner-PC\AppData\Local\dwmvlue\scaimhk.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(GreenTree Applications SRL) C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe
() C:\Users\Owner.Owner-PC\AppData\Local\avkrind\nvcgiep.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [iSkysoft Helper Compact.exe] => C:\Program Files (x86)\Common Files\iSkysoft\iSkysoft Helper Compact\ISHelper.exe [2138272 2016-10-08] (iSkySoft)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-4253610074-1044562520-1105461486-1004\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [11264 2009-07-13] (Microsoft Corporation)
BootExecute: autocheck autochk * Partizan
GroupPolicy: Restriction - Chrome <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 205.171.3.65
Tcpip\Parameters: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{8FF572AD-B649-4D7B-8D4B-4543043CD487}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{8FF572AD-B649-4D7B-8D4B-4543043CD487}: [DhcpNameServer] 192.168.0.1 205.171.3.65
Tcpip\..\Interfaces\{D35FB321-A70A-4442-9B43-0956C324A56C}: [NameServer] 8.8.8.8

Internet Explorer:
==================
HKU\S-1-5-21-4253610074-1044562520-1105461486-1004\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-4253610074-1044562520-1105461486-1004 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: 0mzeitkt.default
FF ProfilePath: C:\Users\Owner.Owner-PC\AppData\Roaming\Mozilla\Firefox\Profiles\0mzeitkt.default [2018-02-10]
FF user.js: detected! => C:\Users\Owner.Owner-PC\AppData\Roaming\Mozilla\Firefox\Profiles\0mzeitkt.default\user.js [2018-01-26]
FF Homepage: Mozilla\Firefox\Profiles\0mzeitkt.default -> about:home
FF Extension: (Avast Online Security) - C:\Users\Owner.Owner-PC\AppData\Roaming\Mozilla\Firefox\Profiles\0mzeitkt.default\Extensions\wrc@avast.com.xpi [2018-01-29]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_28_0_0_161.dll [2018-02-08] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_28_0_0_161.dll [2018-02-08] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.6 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF ExtraCheck: C:\Program Files\mozilla firefox\browser\defaults\preferences\firefox.js [2018-01-26]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\browser\defaults\preferences\firefox.js [2018-01-26]

Chrome:
=======
CHR DefaultProfile: Profile 1
CHR DefaultSearchURL: Profile 1 -> hxxp://srch.bar/{searchTerms}
CHR DefaultSuggestURL: Profile 1 -> hxxp://srch.bar/?s={searchTerms}
CHR Profile: C:\Users\Owner.Owner-PC\AppData\Local\Google\Chrome\User Data\Guest Profile [2017-06-17]
CHR Profile: C:\Users\Owner.Owner-PC\AppData\Local\Google\Chrome\User Data\Profile 1 [2018-01-29]
CHR Extension: (Google Docs) - C:\Users\Owner.Owner-PC\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2017-06-17]
CHR Extension: (Google Drive) - C:\Users\Owner.Owner-PC\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-06-17]
CHR Extension: (YouTube) - C:\Users\Owner.Owner-PC\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-06-17]
CHR Extension: (Google Docs Offline) - C:\Users\Owner.Owner-PC\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-06-17]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Owner.Owner-PC\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-06-17]
CHR Extension: (Gmail) - C:\Users\Owner.Owner-PC\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-06-17]
CHR Extension: (Chrome Media Router) - C:\Users\Owner.Owner-PC\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-17]
CHR Profile: C:\Users\Owner.Owner-PC\AppData\Local\Google\Chrome\User Data\System Profile [2017-06-17]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

HKLM\SYSTEM\CurrentControlSet\Services\cmxrwo <==== ATTENTION (Rootkit!)

S2 48e932ed2b9dea9a1c86929529b7307c; C:\Windows\48e932ed2b9dea9a1c86929529b7307c.dll [860160 2018-01-26] () [File not signed]
S2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 WsAppService; C:\Program Files (x86)\Wondershare\WAF\2.4.3.224\WsAppService.exe [473824 2017-04-20] (Wondershare)
S2 096f8ab1d2e2c39a5210aa414d53bd9e; "C:\Program Files\096f8ab1d2e2c39a5210aa414d53bd9e\0403b10ad89c12cfb8e90be22febbf2b.exe" [X]
S3 MozillaMaintenance; "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" [X]
S3 WsDrvInst; "C:\Program Files (x86)\Wondershare\Wondershare Video Converter Ultimate(CPC)\Transfer\DriverInstall.exe" [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253880 2018-01-26] (Malwarebytes)
S3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [84256 2018-01-27] (Malwarebytes)
U0 Partizan; C:\Windows\SysWOW64\drivers\Partizan.sys [40304 2018-01-29] (Greatis Software)
S1 dbad2511d1db48624f2afac65b05cfb5; \??\C:\Windows\system32\drivers\dbad2511d1db48624f2afac65b05cfb5.sys [X]
R3 ilosvy; system32\drivers\osvybf.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-02-10 19:47 - 2018-02-10 19:47 - 000008337 _____ C:\Users\Owner.Owner-PC\Downloads\FRST.txt
2018-02-10 19:42 - 2018-02-10 19:47 - 000000000 ____D C:\FRST
2018-02-10 19:13 - 2018-02-10 19:33 - 049590244 _____ C:\Users\Owner.Owner-PC\Documents\~yt32CC.tmp
2018-02-10 19:07 - 2018-02-10 19:13 - 089112518 _____ C:\Users\Owner.Owner-PC\Documents\~yt6C04.tmp
2018-02-10 19:07 - 2018-02-10 19:07 - 070521216 _____ C:\Users\Owner.Owner-PC\Documents\Dragon Drive Episode 7 English Dubbed.mp4
2018-02-10 19:06 - 2018-02-10 19:06 - 060098415 _____ C:\Users\Owner.Owner-PC\Documents\Dragon Drive Episode 6 English Dubbed.mp4
2018-02-10 19:05 - 2018-02-10 19:05 - 063763576 _____ C:\Users\Owner.Owner-PC\Documents\Dragon Drive Episode 5 English Dubbed.mp4
2018-02-10 19:04 - 2018-02-10 19:04 - 067514988 _____ C:\Users\Owner.Owner-PC\Documents\Dragon Drive Episode 4 English Dubbed Watch cartoons online, Watch anime online, English dub anime.mp4
2018-02-10 19:03 - 2018-02-10 19:03 - 062509652 _____ C:\Users\Owner.Owner-PC\Documents\Dragon Drive Episode 3 English Dubbed Watch cartoons online, Watch anime online, English dub anime.mp4
2018-02-10 19:01 - 2018-02-10 19:01 - 049154256 _____ C:\Users\Owner.Owner-PC\Documents\Dragon Drive Episode 2 English Dubbed.mp4
2018-02-10 19:00 - 2018-02-10 19:00 - 404686714 _____ C:\Users\Owner.Owner-PC\Documents\Theologia X ~ Satan.mp4
2018-02-10 18:55 - 2018-02-10 18:56 - 188752261 _____ C:\Users\Owner.Owner-PC\Downloads\[www.watchDBZSuper.com]_127_HD.zip
2018-02-10 18:54 - 2018-02-10 18:54 - 122014299 _____ C:\Users\Owner.Owner-PC\Downloads\[WatchBoruto.com]_44_HD.zip
2018-02-10 18:49 - 2018-02-10 18:49 - 002393088 _____ (Farbar) C:\Users\Owner.Owner-PC\Downloads\FRST64.exe
2018-02-08 13:36 - 2018-02-08 13:36 - 000142672 ____N C:\Windows\system32\Drivers\svoaehkn.sys
2018-02-07 00:02 - 2018-02-07 00:02 - 259317862 _____ C:\Users\Owner.Owner-PC\Documents\400,000 Year Old Siberian Cave Discovery That Changes Everything We Know About Human Origins.mp4
2018-02-06 23:49 - 2018-02-06 23:49 - 112308183 _____ C:\Users\Owner.Owner-PC\Documents\Ancient Aliens - Review of the History Channel Documentary Series.mp4
2018-02-06 23:45 - 2018-02-06 23:45 - 104867894 _____ C:\Users\Owner.Owner-PC\Documents\The Medieval Knights Armour as Exoskeleton for Other Races.mp4
2018-02-06 23:42 - 2018-02-06 23:42 - 412177537 _____ C:\Users\Owner.Owner-PC\Documents\Were Leonardo da Vinci's Pantings Actually Prints_ Renaissance Masterpieces Sfumato Alchemy.mp4
2018-02-06 23:36 - 2018-02-06 23:36 - 203188523 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 26 (Eng Dub) Full.mp4
2018-02-06 23:32 - 2018-02-06 23:32 - 189068441 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 25 (Eng Dub) Full.mp4
2018-02-06 23:29 - 2018-02-06 23:29 - 202523484 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 24 (Eng Dub) Full.mp4
2018-02-06 23:25 - 2018-02-06 23:26 - 203672553 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 23 (Eng Dub) Full.mp4
2018-02-06 23:22 - 2018-02-06 23:22 - 186665081 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 22 (Eng Dub) Full.mp4
2018-02-06 23:19 - 2018-02-06 23:19 - 207633341 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 21 (Eng Dub) Full.mp4
2018-02-06 23:16 - 2018-02-06 23:16 - 178119291 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 20 (Eng Dub) Full.mp4
2018-02-06 23:12 - 2018-02-06 23:12 - 199274774 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 19 (Eng Dub) Full.mp4
2018-02-06 23:09 - 2018-02-06 23:09 - 194899397 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 18 (Eng Dub) Full.mp4
2018-02-06 23:06 - 2018-02-06 23:06 - 176030878 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 17 (Eng Dub) Full.mp4
2018-02-06 23:03 - 2018-02-06 23:03 - 181456506 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 16 (Eng Dub) Full.mp4
2018-02-06 22:59 - 2018-02-06 22:59 - 178241924 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 15 (Eng Dub) Full.mp4
2018-02-06 22:56 - 2018-02-06 22:56 - 164799705 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 14 (Eng Dub) Full.mp4
2018-02-06 22:53 - 2018-02-06 22:53 - 200189482 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 13 (Eng Dub) Full.mp4
2018-02-06 22:49 - 2018-02-06 22:50 - 169690626 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 12 (Eng Dub) Full.mp4
2018-02-06 22:46 - 2018-02-06 22:46 - 181246112 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 11 English Dub.mp4
2018-02-06 22:43 - 2018-02-06 22:43 - 170161548 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 10 (Eng Dub) Full.mp4
2018-02-06 22:39 - 2018-02-06 22:39 - 168131219 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 9 (Eng Dub) Full.mp4
2018-02-06 22:36 - 2018-02-06 22:36 - 070532043 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 8 (Eng Dub) FULL.mp4
2018-02-06 22:32 - 2018-02-06 22:32 - 165200971 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 7 (Eng Dub) Full.mp4
2018-02-06 22:30 - 2018-02-06 22:30 - 002848936 _____ (BitTorrent Inc.) C:\Users\Owner.Owner-PC\Downloads\uTorrent.exe
2018-02-06 22:28 - 2018-02-06 22:29 - 163707608 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 6 (Eng Dub) Full.mp4
2018-02-06 22:24 - 2018-02-06 22:24 - 162043772 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 4 (Eng Dub) Full.mp4
2018-02-06 22:24 - 2018-02-06 22:24 - 061658090 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 5 (Eng Dub) FULL.mp4
2018-02-06 22:20 - 2018-02-06 22:20 - 161850179 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 3 (Eng Dub) Full.mp4
2018-02-06 22:16 - 2018-02-06 22:16 - 063264884 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 2 (Eng Dub) FULL.mp4
2018-02-06 22:13 - 2018-02-06 22:14 - 102625915 _____ C:\Users\Owner.Owner-PC\Documents\Theologia X ~ Azazel.mp4
2018-02-06 19:44 - 2018-02-06 19:44 - 000276976 _____ C:\Windows\Minidump\020618-31247-01.dmp
2018-02-06 19:42 - 2018-02-06 19:43 - 000000000 ____D C:\Users\Owner.Owner-PC\AppData\Roaming\Azureus
2018-02-06 19:40 - 2018-02-06 19:41 - 206087003 _____ C:\Users\Owner.Owner-PC\Downloads\[www.watchDBZSuper.com]_126_HD_2.zip
2018-02-06 19:40 - 2018-02-06 19:40 - 117095150 _____ C:\Users\Owner.Owner-PC\Downloads\[WatchBoruto.com]_43_HD.zip
2018-02-06 19:40 - 2018-02-06 19:40 - 000000000 ____D C:\Users\Owner.Owner-PC\AppData\Local\dwmvlue
2018-02-03 18:50 - 2018-02-03 18:50 - 000011998 _____ C:\Users\Owner.Owner-PC\Downloads\index.jpeg
2018-01-29 23:38 - 2018-01-29 23:38 - 000276984 _____ C:\Windows\Minidump\012918-22370-01.dmp
2018-01-29 23:37 - 2018-01-29 23:37 - 048762233 _____ C:\Users\Owner.Owner-PC\Documents\~yt8A55.tmp
2018-01-29 23:01 - 2018-01-29 23:01 - 120373989 _____ C:\Users\Owner.Owner-PC\Documents\Max Igan on The Jordan Maxwell Show.mp4
2018-01-29 22:30 - 2018-02-08 13:37 - 000001558 _____ C:\Windows\SysWOW64\PARTIZAN.TXT
2018-01-29 21:51 - 2018-01-29 21:51 - 000040304 _____ (Greatis Software) C:\Windows\SysWOW64\Drivers\Partizan.sys
2018-01-29 21:21 - 2018-01-29 21:21 - 000276976 _____ C:\Windows\Minidump\012918-21372-01.dmp
2018-01-29 21:20 - 2018-01-29 22:51 - 000000000 ____D C:\ProgramData\RegRun
2018-01-29 21:19 - 2018-02-10 19:00 - 000000000 ____D C:\Users\Owner.Owner-PC\Documents\RegRun2
2018-01-29 21:19 - 2018-02-08 21:37 - 000000000 ____D C:\Users\Public\Documents\regruninfo
2018-01-29 21:19 - 2018-02-08 13:33 - 000000000 ____D C:\Program Files (x86)\UnHackMe
2018-01-29 21:19 - 2018-01-29 21:19 - 000003324 _____ C:\Windows\System32\Tasks\UnHackMe Task Scheduler
2018-01-29 21:19 - 2018-01-29 21:19 - 000001011 _____ C:\Users\Owner.Owner-PC\Desktop\UnHackMe.lnk
2018-01-29 21:19 - 2018-01-29 21:19 - 000000002 RSHOT C:\Windows\winstart.bat
2018-01-29 21:19 - 2018-01-29 21:19 - 000000002 RSHOT C:\Windows\SysWOW64\CONFIG.NT
2018-01-29 21:19 - 2018-01-29 21:19 - 000000002 RSHOT C:\Windows\SysWOW64\AUTOEXEC.NT
2018-01-29 21:19 - 2018-01-29 21:19 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UnHackMe
2018-01-29 21:19 - 2018-01-26 21:22 - 000001320 _____ C:\Windows\system32\Drivers\etc\hosts.old
2018-01-29 21:19 - 2017-12-13 17:47 - 000014984 _____ (Greatis Software, LLC.) C:\Windows\SysWOW64\Drivers\UnHackMeDrv.sys
2018-01-29 21:19 - 2015-12-28 11:32 - 000049968 _____ (Greatis Software) C:\Windows\system32\partizan.exe
2018-01-29 21:15 - 2018-01-29 21:17 - 019087578 _____ C:\Users\Owner.Owner-PC\Downloads\unhackmeb.zip
2018-01-29 21:05 - 2018-01-29 21:05 - 000276976 _____ C:\Windows\Minidump\012918-21559-01.dmp
2018-01-29 21:01 - 2018-01-29 21:01 - 000000000 ____D C:\Users\Owner.Owner-PC\AppData\Roaming\AVAST Software
2018-01-29 20:59 - 2018-01-29 20:59 - 000000000 ____D C:\Program Files\Common Files\Avast Software
2018-01-29 20:58 - 2018-01-29 20:59 - 000457896 _____ (AVAST Software) C:\Windows\system32\Drivers\aswdf723592ef474273.tmp
2018-01-29 20:58 - 2018-01-29 20:59 - 000457896 _____ (AVAST Software) C:\Windows\system32\Drivers\asw96731dcc10b4e8d6.tmp
2018-01-29 20:58 - 2018-01-29 20:59 - 000146648 _____ (AVAST Software) C:\Windows\system32\Drivers\asw8a5a2747d4c8e5a9.tmp
2018-01-29 20:58 - 2018-01-29 20:59 - 000146648 _____ (AVAST Software) C:\Windows\system32\Drivers\asw fed67093ea82847.tmp
2018-01-29 20:58 - 2018-01-29 20:57 - 001025176 _____ (AVAST Software) C:\Windows\system32\Drivers\aswafd33346ee328edc.tmp
2018-01-29 20:58 - 2018-01-29 20:57 - 001025176 _____ (AVAST Software) C:\Windows\system32\Drivers\asw8372c390340a6bb2.tmp
2018-01-29 20:58 - 2018-01-29 20:57 - 000457400 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys.151728476799009
2018-01-29 20:58 - 2018-01-29 20:57 - 000358672 _____ (AVAST Software) C:\Windows\system32\Drivers\asw8fdbb308ffba5179.tmp
2018-01-29 20:58 - 2018-01-29 20:57 - 000358672 _____ (AVAST Software) C:\Windows\system32\Drivers\asw 174ceb53fc0b465.tmp
2018-01-29 20:58 - 2018-01-29 20:57 - 000204456 _____ (AVAST Software) C:\Windows\system32\Drivers\asw85a72ba3d225dfc9.tmp
2018-01-29 20:58 - 2018-01-29 20:57 - 000204456 _____ (AVAST Software) C:\Windows\system32\Drivers\asw 84f246b8b4f0eed.tmp
2018-01-29 20:58 - 2018-01-29 20:57 - 000185096 _____ (AVAST Software) C:\Windows\system32\Drivers\aswe767eb572ab1143d.tmp
2018-01-29 20:58 - 2018-01-29 20:57 - 000185096 _____ (AVAST Software) C:\Windows\system32\Drivers\asw5a320c9d41575da0.tmp
2018-01-29 20:58 - 2018-01-29 20:57 - 000146664 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys.151728476799009
2018-01-29 20:58 - 2018-01-29 20:57 - 000110336 _____ (AVAST Software) C:\Windows\system32\Drivers\asw7dc51a1cd2baceb9.tmp
2018-01-29 20:58 - 2018-01-29 20:57 - 000110336 _____ (AVAST Software) C:\Windows\system32\Drivers\asw70836114073c4ee0.tmp
2018-01-29 20:58 - 2018-01-29 20:57 - 000084384 _____ (AVAST Software) C:\Windows\system32\Drivers\asw5a83534d4ba3b233.tmp
2018-01-29 20:58 - 2018-01-29 20:57 - 000084384 _____ (AVAST Software) C:\Windows\system32\Drivers\asw41fa986c3dbe2a13.tmp
2018-01-29 20:58 - 2018-01-29 20:57 - 000046976 _____ (AVAST Software) C:\Windows\system32\Drivers\aswa39257fde1851a46.tmp
2018-01-29 20:58 - 2018-01-29 20:57 - 000046976 _____ (AVAST Software) C:\Windows\system32\Drivers\asw1a929a042cbbefc4.tmp
2018-01-29 20:58 - 2018-01-29 20:56 - 000343768 _____ (AVAST Software) C:\Windows\system32\Drivers\aswf20a67babf642f38.tmp
2018-01-29 20:58 - 2018-01-29 20:56 - 000343768 _____ (AVAST Software) C:\Windows\system32\Drivers\aswa9e43fd9e3586a1f.tmp
2018-01-29 20:58 - 2018-01-29 20:56 - 000057696 _____ (AVAST Software) C:\Windows\system32\Drivers\aswc18edf39577a158c.tmp
2018-01-29 20:58 - 2018-01-29 20:56 - 000057696 _____ (AVAST Software) C:\Windows\system32\Drivers\aswb717a518244fddb4.tmp
2018-01-29 20:57 - 2018-01-29 20:56 - 000321512 _____ (AVAST Software) C:\Windows\system32\Drivers\aswf25bb50d7b4d726a.tmp
2018-01-29 20:57 - 2018-01-29 20:56 - 000321512 _____ (AVAST Software) C:\Windows\system32\Drivers\asw888ae0bd6f350ebc.tmp
2018-01-29 20:57 - 2018-01-29 20:56 - 000199448 _____ (AVAST Software) C:\Windows\system32\Drivers\asw8c9f3c787ceb0c10.tmp
2018-01-29 20:57 - 2018-01-29 20:56 - 000199448 _____ (AVAST Software) C:\Windows\system32\Drivers\asw6395effe9f5ff950.tmp
2018-01-29 20:57 - 2018-01-29 20:56 - 000149344 _____ (AVAST Software) C:\Windows\system32\Drivers\aswfdaec2c7f92b88d8.tmp
2018-01-29 20:57 - 2018-01-29 20:56 - 000149344 _____ (AVAST Software) C:\Windows\system32\Drivers\asw621d8463963cb45f.tmp
2018-01-29 20:53 - 2018-01-29 20:53 - 000000000 ____D C:\Program Files\AVAST Software
2018-01-29 20:52 - 2018-01-29 20:57 - 000000000 ____D C:\ProgramData\AVAST Software
2018-01-29 20:46 - 2018-01-29 20:46 - 000276968 _____ C:\Windows\Minidump\012918-17737-01.dmp
2018-01-29 20:43 - 2018-02-06 19:44 - 483879981 _____ C:\Windows\MEMORY.DMP
2018-01-29 20:43 - 2018-01-29 20:43 - 000276976 _____ C:\Windows\Minidump\012918-24195-01.dmp
2018-01-29 20:40 - 2018-01-29 20:40 - 066478136 _____ C:\Users\Owner.Owner-PC\Documents\~ytAE58.tmp
2018-01-29 20:27 - 2018-01-29 20:27 - 049789745 _____ C:\Users\Owner.Owner-PC\Documents\Claymore Episode 1 (Eng Dub) FULL.mp4
2018-01-29 20:13 - 2018-01-29 20:13 - 104648925 _____ C:\Users\Owner.Owner-PC\Documents\Theologia X ~ Lucifer.mp4
2018-01-29 20:06 - 2018-01-29 20:06 - 000001293 _____ C:\Users\Public\Desktop\YTD Video Downloader.lnk
2018-01-29 20:06 - 2018-01-29 20:06 - 000000000 ____D C:\ProgramData\YTD Video Downloader
2018-01-29 20:06 - 2018-01-29 20:06 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader
2018-01-29 20:06 - 2018-01-29 20:06 - 000000000 ____D C:\Program Files (x86)\GreenTree Applications
2018-01-29 04:10 - 2018-01-29 04:10 - 000000000 ____D C:\Users\Owner.Owner-PC\AppData\Local\CEF
2018-01-28 01:08 - 2018-01-28 01:08 - 244252366 _____ C:\Users\Owner.Owner-PC\Downloads\[www.watchDBZSuper.com]_125_HD.zip
2018-01-26 23:29 - 2018-01-26 23:29 - 000119536 _____ (GreenTree Applications SRL) C:\Users\Owner.Owner-PC\Downloads\YTDSetup(3).exe
2018-01-26 23:26 - 2018-01-26 23:26 - 003449304 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Owner.Owner-PC\Downloads\AVG_Protection_Free_1606.exe
2018-01-26 23:25 - 2018-01-26 23:25 - 000001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-01-26 23:25 - 2018-01-26 23:25 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-01-26 23:25 - 2017-11-29 09:11 - 000077432 _____ C:\Windows\system32\Drivers\mbae64.sys
2018-01-26 22:21 - 2018-01-26 22:21 - 000000258 __RSH C:\Users\Owner.Owner-PC\ntuser.pol
2018-01-26 22:14 - 2018-01-29 21:21 - 000439444 _____ C:\Windows\ntbtlog.txt
2018-01-26 22:11 - 2018-01-26 22:11 - 000000258 __RSH C:\ProgramData\ntuser.pol
2018-01-26 21:56 - 2018-01-27 01:41 - 000084256 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2018-01-26 21:49 - 2018-01-26 23:25 - 000253880 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-01-26 21:48 - 2018-01-26 23:25 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-01-26 21:48 - 2018-01-26 21:48 - 000000000 ____D C:\Program Files\Malwarebytes
2018-01-26 21:45 - 2018-01-26 21:47 - 082377272 _____ (Malwarebytes ) C:\Users\Owner.Owner-PC\Downloads\mb3-setup-consumer-3.3.1.2183-1.0.262-1.0.3791.exe
2018-01-26 21:25 - 2018-01-26 21:25 - 000000000 ____D C:\Windows\system32\sstmp
2018-01-26 21:24 - 2018-01-26 23:35 - 000000000 ___HD C:\Windows\rss
2018-01-26 21:24 - 2018-01-26 21:33 - 005548264 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlmp.exe
2018-01-26 21:24 - 2018-01-26 21:33 - 000634432 _____ (Microsoft Corporation) C:\Windows\system32\osloader.exe
2018-01-26 21:20 - 2018-02-10 19:17 - 000000000 ____D C:\Users\Owner.Owner-PC\AppData\Local\upkciwb
2018-01-26 21:09 - 2018-02-10 19:20 - 000000000 ____D C:\Users\Owner.Owner-PC\AppData\Local\avkrind
2018-01-26 21:08 - 2018-02-08 13:37 - 002888704 _____ (TOSHIBA CORPORATION) C:\Windows\system32\dwrmeucsvc.exe
2018-01-26 21:08 - 2018-01-26 21:08 - 000000000 ____D C:\Windows\SysWOW64\nvkduzb
2018-01-26 21:08 - 2018-01-26 21:08 - 000000000 ____D C:\Windows\system32\nvkduzb
2018-01-26 21:07 - 2018-01-26 21:07 - 000000020 _____ C:\Windows\b17105034
2018-01-26 21:07 - 2018-01-26 21:07 - 000000000 ____D C:\Users\Owner.Owner-PC\AppData\Roaming\et
2018-01-26 21:03 - 2018-01-26 21:03 - 000860160 _____ C:\Windows\48e932ed2b9dea9a1c86929529b7307c.dll
2018-01-26 21:01 - 2018-01-26 21:03 - 000000000 ____D C:\Users\Owner.Owner-PC\AppData\Roaming\AGData
2018-01-26 19:43 - 2018-01-26 19:43 - 000010752 _____ C:\Windows\unclog.exe
2018-01-26 04:26 - 2018-01-26 04:26 - 000035754 _____ C:\Windows\uninstaller.dat
2018-01-25 22:51 - 2018-01-25 22:52 - 099915645 _____ C:\Users\Owner.Owner-PC\Documents\Fairy Tail Zero Episode 4.mp4
2018-01-25 22:48 - 2018-01-25 22:48 - 081080522 _____ C:\Users\Owner.Owner-PC\Documents\Fairy Tail Zero Episode 2.mp4
2018-01-25 22:45 - 2018-01-25 22:45 - 093077085 _____ C:\Users\Owner.Owner-PC\Documents\Fairy Tail Zero Episode 1.mp4
2018-01-25 21:21 - 2018-01-25 21:21 - 091746394 _____ C:\Users\Owner.Owner-PC\Documents\Fairy Tail Zero Episode 3.mp4
2018-01-25 21:18 - 2018-01-25 21:18 - 105471914 _____ C:\Users\Owner.Owner-PC\Documents\Fairy Tail Zero Episode 11 English Dubbed.mp4
2018-01-25 21:14 - 2018-01-25 21:14 - 087624303 _____ C:\Users\Owner.Owner-PC\Documents\Fairy Tail Zero Episode 12 English Dubbed.mp4
2018-01-25 21:11 - 2018-01-25 21:11 - 115286792 _____ C:\Users\Owner.Owner-PC\Documents\Fairy Tail Zero Episode 10.mp4
2018-01-25 21:07 - 2018-01-25 21:07 - 099209105 _____ C:\Users\Owner.Owner-PC\Documents\Fairy Tail Zero Episode 9 English Dubbed.mp4
2018-01-25 21:04 - 2018-01-25 21:04 - 103243015 _____ C:\Users\Owner.Owner-PC\Documents\Fairy Tail Zero Episode 8 English Dubbed.mp4
2018-01-25 21:00 - 2018-01-25 21:00 - 088132574 _____ C:\Users\Owner.Owner-PC\Documents\Fairy Tail Zero Episode 7 English Dubbed.mp4
2018-01-25 20:56 - 2018-01-25 20:56 - 090995231 _____ C:\Users\Owner.Owner-PC\Documents\Fairy Tail Zero Episode 5.mp4
2018-01-25 20:51 - 2018-01-25 20:51 - 097126149 _____ C:\Users\Owner.Owner-PC\Documents\Fairy Tail Zero Episode 6 English Dubbed.mp4
2018-01-25 20:31 - 2018-01-25 20:34 - 156066080 _____ C:\Users\Owner.Owner-PC\Documents\Theologia X ~ The 13th Apostle.mp4
2018-01-25 19:43 - 2018-01-25 19:43 - 117478984 _____ C:\Users\Owner.Owner-PC\Downloads\[WatchBoruto.com]_42_HD.zip
2018-01-22 03:49 - 2018-01-26 09:46 - 000000205 _____ C:\Users\Owner.Owner-PC\Desktop\New Text Document.txt
2018-01-21 15:37 - 2018-01-21 15:37 - 220323640 _____ C:\Users\Owner.Owner-PC\Downloads\[www.watchDBZSuper.com]_124_HD2.zip
2018-01-19 15:13 - 2018-01-19 15:13 - 138759835 _____ C:\Users\Owner.Owner-PC\Downloads\[WatchBoruto.com]_41_HD.zip
2018-01-13 20:38 - 2018-01-13 20:38 - 239199626 _____ C:\Users\Owner.Owner-PC\Downloads\[www.watchDBZSuper.com]_123_HD.zip
2018-01-13 18:43 - 2018-01-13 18:47 - 292003392 _____ C:\Users\Owner.Owner-PC\Documents\Order Out Of Chaos.mp4
2018-01-13 18:20 - 2018-01-13 18:31 - 903015146 _____ C:\Users\Owner.Owner-PC\Documents\Illuminatus.mp4

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-02-10 19:47 - 2009-07-13 19:34 - 013631488 _____ C:\Windows\system32\config\HARDWARE
2018-02-10 06:44 - 2009-07-13 21:45 - 000028352 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-02-10 06:44 - 2009-07-13 21:45 - 000028352 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-02-09 16:36 - 2017-06-07 19:45 - 000000000 ____D C:\Users\Owner.Owner-PC\AppData\Roaming\vlc
2018-02-09 15:51 - 2017-06-06 23:23 - 000000000 ____D C:\Users\Owner.Owner-PC\Documents\Vuze Downloads
2018-02-08 21:42 - 2017-07-03 23:49 - 000803328 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2018-02-08 21:42 - 2017-07-03 23:49 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2018-02-08 21:42 - 2017-07-03 23:49 - 000004324 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2018-02-08 21:42 - 2017-07-03 23:49 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2018-02-08 21:42 - 2017-07-03 23:49 - 000000000 ____D C:\Windows\system32\Macromed
2018-02-08 13:37 - 2009-07-13 22:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-02-06 19:44 - 2017-07-22 16:38 - 000000000 ____D C:\Windows\Minidump
2018-01-31 00:31 - 2017-07-26 02:23 - 000000000 ____D C:\Users\Owner.Owner-PC\Documents\Anime
2018-01-30 12:53 - 2017-08-02 21:49 - 000000000 ____D C:\Users\Owner.Owner-PC\AppData\Roaming\Anvsoft
2018-01-29 18:13 - 2009-07-13 22:13 - 000781790 _____ C:\Windows\system32\PerfStringBackup.INI
2018-01-29 18:13 - 2009-07-13 20:20 - 000000000 ____D C:\Windows\inf
2018-01-28 17:05 - 2009-07-13 20:20 - 000000000 ____D C:\Windows\LiveKernelReports
2018-01-27 09:03 - 2017-06-12 16:42 - 000774404 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2018-01-27 03:12 - 2017-06-16 17:30 - 000000000 ____D C:\Users\Owner.Owner-PC\AppData\Local\Microsoft Games
2018-01-26 23:12 - 2017-06-12 16:32 - 000000000 ____D C:\Users\Owner.Owner-PC\AppData\Roaming\Free Video Capture New Version Available
2018-01-26 23:04 - 2017-06-06 19:05 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2018-01-26 22:21 - 2017-04-30 17:45 - 000000000 ____D C:\Users\Owner.Owner-PC
2018-01-26 22:21 - 2009-07-13 22:08 - 000032564 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2018-01-26 22:11 - 2009-07-13 20:20 - 000000000 ____D C:\Windows\system32\GroupPolicy
2018-01-26 21:43 - 2017-06-06 19:06 - 000000000 ____D C:\Users\Owner.Owner-PC\AppData\LocalLow\Mozilla
2018-01-26 21:25 - 2017-06-06 19:06 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-01-19 18:57 - 2017-09-15 01:52 - 000000000 ____D C:\Users\Owner.Owner-PC\Documents\Special
2018-01-11 22:40 - 2009-07-13 20:20 - 000000000 ____D C:\Windows\system32\NDF

Some files in TEMP:
====================
2018-01-29 20:42 - 2018-01-29 23:37 - 000079904 _____ () C:\Users\Owner.Owner-PC\AppData\Local\Temp\i4jdel0.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\drivers\svoaehkn.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION


nointegritychecks: ==> "IntegrityChecks" is disabled. <==== ATTENTION

BCD (recoveryenabled=No -> recoveryenabled=Yes) <==== restored successfully

LastRegBack: 2018-02-07 07:46

==================== End of FRST.txt ============================
 

SteveTraverse

TS Rookie
addition.txt

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02.01.2018
Ran by Owner (10-02-2018 19:48:24)
Running from C:\Users\Owner.Owner-PC\Downloads
Windows 7 Home Premium Service Pack 1 (X64) (2016-07-07 20:24:27)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-4253610074-1044562520-1105461486-500 - Administrator - Disabled)
Guest (S-1-5-21-4253610074-1044562520-1105461486-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-4253610074-1044562520-1105461486-1002 - Limited - Enabled)
Owner (S-1-5-21-4253610074-1044562520-1105461486-1004 - Administrator - Enabled) => C:\Users\Owner.Owner-PC

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Malwarebytes (Disabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Disabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 28 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 28.0.0.161 - Adobe Systems Incorporated)
Adobe Flash Player 28 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 28.0.0.161 - Adobe Systems Incorporated)
Any Video Converter 6.1.6 (HKLM-x32\...\Any Video Converter) (Version: 6.1.6 - Anvsoft)
Apowersoft Online Launcher version 1.6.1 (HKU\S-1-5-21-4253610074-1044562520-1105461486-1004\...\{20BF67A8-D81A-4489-8225-FABAA0896E2D}_is1) (Version: 1.6.1 - APOWERSOFT LIMITED)
Free PC Audio Recorder 3.0 (HKLM-x32\...\Free PC Audio Recorder_is1) (Version: 3.0 - Cok Free Software)
Free Video Capture 8.8.1 (HKLM-x32\...\Free Video Capture_is1) (Version: - SightFiesta Co., Ltd.)
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
Microsoft .NET Framework 4.7.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.02558 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Mozilla Firefox 55.0 (x64 en-US) (HKLM\...\Mozilla Firefox 55.0 (x64 en-US)) (Version: 55.0 - Mozilla)
Mozilla Firefox 55.0.3 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 55.0.3 (x86 en-US)) (Version: 55.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 55.0.3 - Mozilla)
NaturalReader 14 Free (HKLM-x32\...\{773ED0E5-538E-4E86-8E00-719630613290}) (Version: 1.00.0000 - Naturalsoft)
RyanTrial (HKLM-x32\...\{9DA0275F-01C1-4E8C-8644-E4B8C1AA0C5B}) (Version: 1.00.0000 - Naturalsoft)
UnHackMe 9.50 (HKLM-x32\...\UnHackMe_is1) (Version: - Greatis Software, LLC.)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.6 - VideoLAN)
Vuze (HKLM\...\8461-7759-5462-8226) (Version: 5.7.5.0 - Azureus Software, Inc.)
Windows Movie Maker (HKLM\...\Windows Movie Maker) (Version: 6.0.6002.18005 - Microsoft Corporation)
YTD Video Downloader 5.9.2 (HKLM-x32\...\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}) (Version: 5.9.2 - GreenTree Applications SRL) <==== ATTENTION

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {18E51BF8-3B22-4198-ABBA-6E46185B9A85} - System32\Tasks\{684982CE-702B-4646-A964-A9E16C8E6032} => C:\Windows\system32\pcalua.exe -a C:\Users\Owner.Owner-PC\Downloads\YouTubeDownloaderSetup.exe -d C:\Users\Owner.Owner-PC\Downloads
Task: {54F4CAC2-8C80-4697-9A04-08B9A439D10C} - System32\Tasks\UnHackMe Task Scheduler => C:\Program Files (x86)\UnHackMe\hackmon.exe [2018-01-03] (Greatis Software)
Task: {A297B530-48D8-400A-94AC-FE925F85D3C5} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2018-02-08] (Adobe Systems Incorporated)
Task: {B45C35B9-6823-4903-88E8-E947667A8AD5} - \oaq9UvkTLEFc -> No File <==== ATTENTION
Task: {E83CE412-E3A4-4563-9089-BAAE6BEC64C9} - \Sak9040058k9040058 -> No File <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2016-06-28 06:50 - 2016-06-28 06:50 - 000113664 _____ () C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlc.dll
2016-06-28 06:50 - 2016-06-28 06:50 - 002341888 _____ () C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlccore.dll
2016-06-28 06:50 - 2016-06-28 06:50 - 000047616 _____ () C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_output\libdirectsound_plugin.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Users\Owner.Owner-PC\Documents\EgyptOrn.avi:TOC.WMV [130]
AlternateDataStreams: C:\Users\Owner.Owner-PC\Documents\yhwhmarduk.avi:TOC.WMV [130]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 19:34 - 2018-01-29 21:19 - 000007217 _____ C:\Windows\system32\Drivers\etc\hosts


There are 229 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4253610074-1044562520-1105461486-1004\Control Panel\Desktop\\Wallpaper -> C:\Users\Owner.Owner-PC\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 8.8.8.8
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [TCP Query User{06DFC159-D46F-4E3D-8983-59A5C8EB55F3}C:\program files\crucial\crucial storage executive\java\bin\javaw.exe] => (Allow) C:\program files\crucial\crucial storage executive\java\bin\javaw.exe
FirewallRules: [UDP Query User{7A28E75C-3C38-444C-AF3C-76392E3EC122}C:\program files\crucial\crucial storage executive\java\bin\javaw.exe] => (Allow) C:\program files\crucial\crucial storage executive\java\bin\javaw.exe
FirewallRules: [{79141A91-745B-45C5-809A-1BFB3C884028}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{0A33BD29-AAA2-4451-800C-344A2B7CD182}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{2FB32ACA-5BA5-46B1-9891-C1A2490B93F4}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{7ED7FD3D-4C64-465A-B34F-6745B7F192C0}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{3AC2CD18-6EB4-43F6-8965-F5C52912AC3A}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{694237B3-E07C-4FDE-8C11-C3D0B5E5D70D}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{8F1625E6-1C0A-4E59-8920-B45C0D257259}] => (Allow) C:\Program Files\Vuze\Azureus.exe
FirewallRules: [{417EF4E2-6085-4CE9-A65A-AE5DFAE169D0}] => (Allow) C:\Program Files\Vuze\Azureus.exe
FirewallRules: [TCP Query User{16029735-D315-4CE5-8300-702BC8594007}C:\program files\vuze\azureus.exe] => (Allow) C:\program files\vuze\azureus.exe
FirewallRules: [UDP Query User{32151FB7-6CAF-462E-9DB8-78BD617F1BA0}C:\program files\vuze\azureus.exe] => (Allow) C:\program files\vuze\azureus.exe
FirewallRules: [{9A29CE7F-E515-40F4-8421-E60570247784}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{91518B1B-EC8F-4ACE-8F4C-26DE4530D3E5}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{FE3428C5-3DEC-4200-8526-F5DE43FA1EF6}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{05D6B6B7-B68B-4489-ACD1-BF237F33C4CB}] => (Allow) C:\Windows\system32\rundll32.exe
FirewallRules: [{B716BC4F-8C53-453E-BE01-5D69DC6C4E7E}] => (Allow) C:\Program Files (x86)\Obstreperous\personify.exe
FirewallRules: [{478617B3-9D6C-472B-8C24-6EF12BAEBB30}] => (Allow) C:\Program Files (x86)\Rudman\personify.exe
FirewallRules: [{D1CB66AD-994B-4428-B5FC-B1CD3E084EFC}] => (Allow) C:\Program Files (x86)\dunwoody\abrams.exe
FirewallRules: [{E6034CCC-3421-4328-A1C6-8F84C7C80FAC}] => (Allow) C:\Program Files (x86)\Rudman\abrams.exe

==================== Restore Points =========================


==================== Faulty Device Manager Devices =============

Name: dbad2511d1db48624f2afac65b05cfb5
Description: dbad2511d1db48624f2afac65b05cfb5
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: dbad2511d1db48624f2afac65b05cfb5
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (02/08/2018 04:56:32 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Users\Owner.Owner-PC\Documents\audacity-win-2.1.3\audacity.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (02/08/2018 01:39:03 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/08/2018 01:38:53 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Users\Owner.Owner-PC\Documents\audacity-win-2.1.3\audacity.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (02/08/2018 01:38:52 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Users\Owner.Owner-PC\Documents\audacity-win-2.1.3\audacity.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (02/07/2018 01:08:15 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ytd.exe, version: 5.9.2.1, time stamp: 0x5a3934b1
Faulting module name: ntdll.dll, version: 6.1.7601.23543, time stamp: 0x57d2f8a2
Exception code: 0xc0000005
Fault offset: 0x0004f4c5
Faulting process id: 0xf0c
Faulting application start time: 0x01d39fd221ad0a1f
Faulting application path: C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe
Faulting module path: C:\Windows\SysWOW64\ntdll.dll
Report Id: 0c0c4286-0bde-11e8-bc06-001d72cf9c58

Error: (02/06/2018 10:11:31 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Users\Owner.Owner-PC\Documents\audacity-win-2.1.3\audacity.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (02/06/2018 07:46:11 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/30/2018 12:52:47 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Users\Owner.Owner-PC\Documents\audacity-win-2.1.3\audacity.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (01/29/2018 11:40:18 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/29/2018 11:10:13 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program reanimator.exe version 9.50.0.650 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 116c

Start Time: 01d3998e3ca93721

Termination Time: 29

Application Path: C:\Program Files (x86)\UnHackMe\reanimator.exe

Report Id:


System errors:
=============
Error: (02/10/2018 07:44:19 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/10/2018 07:44:19 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/10/2018 07:44:19 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/10/2018 07:44:19 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/10/2018 07:44:19 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/10/2018 07:44:19 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/10/2018 07:44:19 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/10/2018 07:44:19 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/10/2018 07:44:19 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (02/10/2018 07:44:19 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.


==================== Memory info ===========================

Processor: Pentium(R) Dual-Core CPU T4200 @ 2.00GHz
Percentage of memory in use: 57%
Total physical RAM: 3000.87 MB
Available physical RAM: 1276.63 MB
Total Virtual: 5999.92 MB
Available Virtual: 4012.77 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:148.95 GB) (Free:58 GB) NTFS
Drive g: () (Fixed) (Total:59.61 GB) (Free:13.02 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149.1 GB) (Disk ID: DFF80688)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=149 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 59.6 GB) (Disk ID: AD8696F8)
Partition 1: (Not Active) - (Size=59.6 GB) - (Type=0C)

==================== End of Addition.txt ============================
 

SteveTraverse

TS Rookie
These are the malware programs, and I need to remove their ALLOW rules from Windows Firewall:

FirewallRules: [{B716BC4F-8C53-453E-BE01-5D69DC6C4E7E}] => (Allow) C:\Program Files (x86)\Obstreperous\personify.exe
FirewallRules: [{478617B3-9D6C-472B-8C24-6EF12BAEBB30}] => (Allow) C:\Program Files (x86)\Rudman\personify.exe
FirewallRules: [{D1CB66AD-994B-4428-B5FC-B1CD3E084EFC}] => (Allow) C:\Program Files (x86)\dunwoody\abrams.exe
FirewallRules: [{E6034CCC-3421-4328-A1C6-8F84C7C80FAC}] => (Allow) C:\Program Files (x86)\Rudman\abrams.exe

I have already deleted them in Program Files.

...I checked. They do not appear in Windows Firewall.
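Added example, not part of the thread and not FRST's own code: a small Python script that pulls the FirewallRules lines above out of an FRST report, lists the Allow rules whose program is no longer on disk (the state after the folders under Program Files were deleted), and points out executables that are allowed from more than one directory. The four rule lines are the ones quoted in the post; the function names, the `exists` hook and the wrapping sample text are constructed here.

```python
import ntpath
import os
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: the four FirewallRules lines quoted in the post above,
# in the layout FRST uses in its Addition.txt report.
SAMPLE_FRST_LINES = r"""
FirewallRules: [{B716BC4F-8C53-453E-BE01-5D69DC6C4E7E}] => (Allow) C:\Program Files (x86)\Obstreperous\personify.exe
FirewallRules: [{478617B3-9D6C-472B-8C24-6EF12BAEBB30}] => (Allow) C:\Program Files (x86)\Rudman\personify.exe
FirewallRules: [{D1CB66AD-994B-4428-B5FC-B1CD3E084EFC}] => (Allow) C:\Program Files (x86)\dunwoody\abrams.exe
FirewallRules: [{E6034CCC-3421-4328-A1C6-8F84C7C80FAC}] => (Allow) C:\Program Files (x86)\Rudman\abrams.exe
"""

# One FRST line: "FirewallRules: [{GUID}] => (Allow|Block) <program path>"
_RULE_RE = re.compile(
    r"^FirewallRules: \[(\{[0-9A-Fa-f-]+\})\] => \((Allow|Block)\) (.+?)\s*$"
)


@dataclass(frozen=True)
class FirewallRule:
    guid: str      # the value name FRST prints in square brackets
    action: str    # Allow or Block
    program: str   # executable the rule applies to


def parse_firewall_rules(text):
    """Return the FirewallRules entries found in an FRST report, in order."""
    rules = []
    for line in text.splitlines():
        m = _RULE_RE.match(line.strip())
        if m:
            rules.append(FirewallRule(m.group(1), m.group(2), m.group(3)))
    return rules


def orphaned_allow_rules(rules, exists=os.path.exists):
    """Allow rules whose program is no longer on disk.

    After the folders under Program Files were deleted these rules remain,
    and they would grant network access to anything that reappears at the
    same path. `exists` is injectable (an assumption of this example) so the
    check can be run against a report saved from another machine."""
    return [r for r in rules if r.action == "Allow" and not exists(r.program)]


def shared_binaries(rules):
    """Map executable name -> set of directories it is allowed from.

    Only names seen under more than one directory are returned; the listing
    in the post shows personify.exe and abrams.exe each under two different
    folders, which is why this view is worth having."""
    dirs = defaultdict(set)
    for r in rules:
        # ntpath handles the Windows paths correctly even when run on Linux
        dirs[ntpath.basename(r.program).lower()].add(ntpath.dirname(r.program))
    return {name: d for name, d in dirs.items() if len(d) > 1}


def report(text, exists=os.path.exists):
    """Summary lines for a report; returned rather than printed so they can be checked."""
    rules = parse_firewall_rules(text)
    lines = [f"{len(rules)} firewall rule(s) parsed"]
    for r in orphaned_allow_rules(rules, exists):
        lines.append(f"orphaned allow rule {r.guid} -> {r.program}")
    for name, dirs in sorted(shared_binaries(rules).items()):
        lines.append(f"{name} allowed from {len(dirs)} directories: " + "; ".join(sorted(dirs)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FRST_LINES)))
```

Feed it the whole Addition.txt and it ignores every line that is not a FirewallRules entry, so the same script works on a fresh report after cleanup to confirm the orphaned rules are gone.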
 

SteveTraverse

TS Rookie
Thank you... The Barracuda web security won't even let me access the link. I have to go back to Safeway just to LOOK at it, and they WON'T let me use the Power Outlet there. The problem is that my battery is very bad. It will only last 10 minutes if I can't plug in.

If possible, could you please copy paste the text from the article here?
 

Broni

Malware Annihilator
If your computer does not have the Windows Recovery Environment installed and available you can use the following method to run the Recovery Environment from a bootable USB disk.

NOTE: This USB disk needs to be created from a clean computer. You cannot use an infected computer for this process.

NOTE: An 8GB USB 2.0 stick is required or at least recommended. In some cases a USB 3.0 disk can be used but some computers have issues booting from USB 3.0 disks.

Example drive (no endorsement implied, example only) - This drive example has not been tested by me. It is an older 2015 model with many good reviews though.
Amazon: Kingston 8GB DataTraveler 101 G2 USB 2.0 Flash Drive (DT101G2/8GBZ)
NewEgg: Kingston 8GB DataTraveler 101 G2 USB 2.0 Flash Drive (DT101G2/8GBZ)


STEP 1
Download a Windows 10 ISO image from Microsoft.

Method A: Using the Microsoft Media Creation Tool
https://www.microsoft.com/en-gb/software-download/windows10
Download the Media Creation Tool: https://go.microsoft.com/fwlink/?LinkId=691209

Follow the instructions displayed on the tool to download the Windows 10 ISO image.

In my testing I was not prompted for a license key to download the latest Windows 10 ISO image.
At the time of this writing 2017/12/21 there was only one ISO image offered. Windows 10

32-bit x86 or 64-bit x64

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit


Method B: If Method A above is not working for you, then you can try the following method.
Microsoft Windows and Office ISO Download Tool (this is not an authorized Microsoft tool, but appears to be legal)
https://www.heidoc.net/joomla/technology-science/microsoft/67-microsoft-windows-and-office-iso-download-tool
Download: https://www.heidoc.net/php/Windows ISO Downloader.exe

STEP 2
If you were unable to use the Windows Media Creation Tool in STEP 1 to create a USB disk then you can use this tool to burn the Windows 10 ISO image from STEP 1 above.

Download the Windows USB/DVD Download Tool from GitHub and save it to your computer.
English version: https://github.com/mantas-masidlauskas/wudt/raw/master/Downloads/Windows7-USB-DVD-Download-Tool-Installer-en-US.exe

Then install the Windows USB/DVD Download Tool and run it to burn a bootable USB disk from the ISO image. Browse to the location where you saved the Windows 10 ISO image in STEP 1
Note: This tool should work on XP, Vista, Windows 7, or Windows 10 - it is simply used to make a bootable USB disk. Remember, all of this needs to be done on a clean computer.

STEP 3
Please download the Farbar Recovery Scan Tool and save it to your desktop or other location you know where it's saved to. Then copy it to the USB disk you just created.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

STEP 4
Shut down the infected computer. Do Not insert the USB disk you created until the infected computer has been shut down.
Once the computer is shut down, insert the newly created Windows 10 USB disk into the infected computer, power it back on and press the appropriate key to bring up the boot menu. The link below will help show you which key is used to bring up the boot menu on various computer manufacturers. Most will be either USB or UEFI depending on hardware and settings. If the computer boots up into the normal Windows instead of the USB stick it may become infected and need to be completely redone again. Make sure you select the correct boot option.

How to Boot Your Computer from a USB Flash Drive

STEP 5
Once the computer starts to boot up from the USB disk, follow the screens and directions below.


You will need to open NOTEPAD.EXE to help find out which drive is your Windows drive and which drive is your USB disk drive you just created

For the more advanced user you could also use DISKPART to help locate which drive is mapped to your USB disk. In most cases the USB disk will be either D: or E: but depending on hardware the drive could be a much higher level such as H: or higher.

Example only - your hardware will look different

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     Z                       DVD-ROM         0 B  No Media
  Volume 1     C                NTFS   Partition    931 GB  Healthy    System
  Volume 2     Q   SEA-USB-4.0  NTFS   Partition   3725 GB  Healthy
  Volume 3     D                NTFS   Removable   7636 MB  Healthy

Go back to the DOS Command Prompt (if you used DISKPART type in Exit and press the Enter key) and type in the following and press the Enter key.

CD /D D: (or E: or whichever drive letter the USB stick is on)

Then type in CD\
and press the Enter key to get to the root or top of the USB disk.

Then type in FRST or FRST64 (depending on which version your computer uses) and click the Scan button.

A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply.

If all went well you should now be able to boot into Normal Mode and run Malwarebytes and run a Threat Scan to have it finish the removal process.
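To find the flash drive letter from the DISKPART output in the post above, here is an added Python example (not part of the post, and not code from FRST or DISKPART) that parses a `list volume` table using the dash ruler DISKPART prints under the header, picks the volume DISKPART reports as Removable, and returns the two commands typed next. The sample table is the post's own example laid out in DISKPART's fixed-width form; the function names are mine.

```python
import re
from dataclasses import dataclass

# Constructed input: the "list volume" example from the post, laid out in
# the fixed-width form DISKPART prints. Your own machine will look different.
DISKPART_SAMPLE = """
DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     Z                       DVD-ROM         0 B  No Media
  Volume 1     C                NTFS   Partition    931 GB  Healthy    System
  Volume 2     Q   SEA-USB-4.0  NTFS   Partition   3725 GB  Healthy
  Volume 3     D                NTFS   Removable   7636 MB  Healthy
"""


@dataclass(frozen=True)
class Volume:
    number: int
    letter: str
    label: str
    fs: str
    kind: str     # DISKPART's "Type" column: Partition, Removable, DVD-ROM, ...
    size: str
    status: str
    info: str


def _column_spans(dash_line):
    """Column boundaries come from the '----' ruler under the header, so the
    parser does not depend on hard-coded offsets."""
    return [(m.start(), m.end()) for m in re.finditer(r"-+", dash_line)]


def parse_list_volume(text):
    """Parse the table printed by DISKPART's 'list volume' into Volume records."""
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        if line.strip().startswith("Volume ###"):
            break
    else:
        raise ValueError("no 'list volume' table in input")
    spans = _column_spans(lines[idx + 1])
    if len(spans) != 8:
        raise ValueError("unexpected column layout")
    volumes = []
    for line in lines[idx + 2:]:
        if not line.strip():
            continue
        if not line.strip().startswith("Volume "):
            break  # end of the table, e.g. the next DISKPART> prompt
        # slicing past the end of a short row simply yields "" for empty columns
        f = [line[s:e].strip() for s, e in spans]
        volumes.append(Volume(int(f[0].split()[1]), f[1], f[2], f[3], f[4], f[5], f[6], f[7]))
    return volumes


def removable_volumes(volumes):
    """Volumes DISKPART reports as Removable and that have a drive letter.

    The 3725 GB external disk in the sample shows as 'Partition', not
    Removable, so the Type column, not size or label, is what singles out
    the USB stick."""
    return [v for v in volumes if v.kind == "Removable" and v.letter]


def usb_drive_letter(volumes):
    """Letter of the one removable volume, or None when it is not unambiguous."""
    cands = removable_volumes(volumes)
    return cands[0].letter if len(cands) == 1 else None


def frst_commands(letter, x64=True):
    """The two commands the post types at the recovery prompt."""
    return [f"cd /d {letter}:", "frst64" if x64 else "frst"]


if __name__ == "__main__":
    vols = parse_list_volume(DISKPART_SAMPLE)
    letter = usb_drive_letter(vols)
    print(letter, frst_commands(letter))
```

When more than one Removable volume is present (a card reader, a second stick) the function returns None instead of guessing, which is the case where the post's advice to open Notepad and look at the drive contents applies.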
 

SteveTraverse

TS Rookie
Thanks. What is showing on the logs as Drive G: is a 59 gig USB drive; I also have a 1000 gig external drive. If it is necessary, I CAN remove all the files on the USB stick and make a temporary boot disc from my desktop, which is also Windows 7 Home Premium 64 bit. Of course the computers are not identical, but the Desktop is clean.

In the instructions, you would mean download a Windows 7 ISO right? Because I am running Windows 7, not windows 10.
 

Broni

Malware Annihilator
With Windows 7 you don't even need any disk...

If you are using Vista or Windows 7 enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
 

SteveTraverse

TS Rookie
At some point on the night of Jan 26, I was unable to start Windows in ANY mode, due to missing or corrupted registry. After running Startup repair, it said it could not fix the problem, but Windows started normally anyway. Remember, I got this Laptop used, and for some reason System Restore doesn't work. Seems I can't create restore points. Even where programs like UnHackMe say they have created Restore Points, as you see in the FRST Log, there aren't any.

1) Your first idea seems to be, put a Windows 10 ISO on a USB, and run Malwarebytes out of Windows, and that will somehow detect and fix the problem. While MB is usually the best, UnHackMe detected 50 problems it could not, and removed malware from Registry entries. The other problem with this is, I don't want to turn my San Cruzur 64 gig into a permanent boot disc. There are some tiny files that came with it, which I assumed should not be deleted. I don't want to reformat it. Right now, I don't even have an income, so it would be a while before I could buy an 8 Gig. But most of all, I don't think this will fix my problem.

2) What you just advised I seem to have already done. I may have just messed up, but can't seem to open the F8 boot menu, I only got into it last time because Windows was unable to start. If I have any USB drive plugged in when I start PC, it will not load Windows, I have to remove and restart. My system treats any USB prior to loading Windows as a boot disc without my having to specify anything.

3) One Idea. In the FRST Log it said: (Under Processes)

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
() C:\Users\Owner.Owner-PC\AppData\Local\dwmvlue\scaimhk.exe

Could we try putting this item in the "FixList" to see if it will close the ScamDisk and DownloadWormService processes?
The only problem I'm having at this point is those two processes it won't let me end, and the 2 clients and vmxclient that appear when I run normal internet, and whatever is causing Vuze to crash with BSD if I try to even so much as uninstall it.

dwrmeusvc.exe is not coming up as a problem in the FRST, Addition, Malwarebytes, or UnHackMe, but I'm sure this process didn't exist prior to 1/26/18 9:03 PM, and that it somehow got installed with the Virus.

UnHackMe has a rootkit detecting process that it uses. In the beginning it gave me some messages before starting Windows about rootkits, but it didn't stay on screen long enough to read it.

I don't think somehow running Malwarebytes on my system out of Windows is going to remove the problem. It's not as though Malwarebytes is detecting problems it can't fix, it just isn't detecting the problem at all. I have UnHackMe Trial for another 16 days, it has a feature where it can do a threat scan BEFORE Windows starts. I have used it, and restarted, and got a long list of messages that immediately ended, before Windows started again, but it's the same situation. The two processes, Download Worm Service, and Scam Disk, are still running, and probably the Clients and VmxClient as well, that as I said only show up in the Applications tab in the Task Manager when I'm connected to the Safeway Wifi or Wifi that isn't super tight like the one at home.

I could test this. There are two other places I sometimes go with the Laptop, one of which is a public Library. These Wifi allow for youtube, but not for torrents, which I barely use these days anyway. If I keep the problem the way it is, it just means I can't mess with Vuze at all, and if I change any passwords I have to change them by copy pasting letters, rather than typing in case of keyloggers. Currently typing this reply on the Desktop. I don't even have a bank account right now, the only thing KeyLoggers could potentially do is get into my youtube channel, which I do need to protect. Fortunately there is security, I will be sent Gmail if my youtube channel is ever accessed from a new device or odd location.

4) Is there something else you'd like me to download and try, or paste logs from?

5) I can try tapping the F8 and see if I get into repair computer, as per your second idea, but how does that go along with the first instructions to get a USB and Windows 10 Iso, for the purpose of running Malwarebytes out of Windows? I'm a little confused, but if you just want to try doing the system repair I will.

6) You're dead sure I have the Smart Service rootkit? Because it isn't doing any of the things I've read about for it. Except in the very beginning of the Virus, I had to reinstall Malwarebytes because it would not start. But there is nothing stopping me from running antivirus programs now, or changing around my browser settings in Firefox, or making popups appear online or offline.

In the FRST and Addition logs, where it says <<<<< ATTENTION, next to an item, this is indicating a problem. Is that correct?
 

Broni

Malware Annihilator
You don't run MBAM out of Windows. You'll run it from Windows later, after we fix the main issue from outside Windows.

Let's summarize.

On your good computer you download FRST. You put it on a USB flash drive.
Then, on bad computer using F8 method you boot to System Recovery Options.
At this point insert USB flash drive with FRST on it.
On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note:
    Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 

SteveTraverse

TS Rookie
Ok I think I can do that using my 64 gig USB stick without reformatting it.

Do you mean download FRST, and custom install it on the USB, or just copy it after I download it?
Do I absolutely have to use another computer to download it?

I only have the infected laptop, and my desktop. The internet here doesn't allow me to download anything.
I don't think the computers at the library let me download anything, and I can't use the plugs at Safeway anymore.
I am alone, there isn't anyone who can help me with this. Even staff here only have mobile phones, not computers.

I would have to actually take apart my desktop, monitor, etc and bring all the equipment somewhere. But where?
Also my only vehicle is a mobility scooter with a bad battery. So it can't be too far away.

Can't I just uninstall FRST and reinstall on the USB?
If I can't use the laptop I'm going to have to ask around, but there might be no way to access a clean computer I can download with.
 

SteveTraverse

TS Rookie
Stupid edit timer...

There must be a lot of people who only have one computer. I mean, if the solution requires us to buy a new computer anyway, then you might as well throw away the infected one. That isn't much of a solution, now is it? I guess money and popularity really are everything.

It's like... I went to have some malware removed, and the most they could tell me was buy another computer.
 

Broni

Malware Annihilator
You don't install FRST. You just put it on the USB drive.
Yes, you have to use a good computer, because this type of infection will immediately corrupt FRST when it sees it on the bad computer.
I don't quite understand why you can't download FRST from your desktop computer.
 

SteveTraverse

TS Rookie
Neither do I. The barracuda wifi security here is so strict it doesn't permit any downloads, it doesn't allow watching any videos. Even a lot of forums and other webpages aren't allowed to load. I can use Gmail, but I can't use my Gmx.

Ok, maybe I can download it on the library computer to USB. I know those public computers won't allow anything to be downloaded and installed to the desktop, otherwise people could potentially install viruses and other unwanted programs on library PCs.

I have some other issues going on right now. I may be a couple days.
 

SteveTraverse

TS Rookie
I live in Section 8 HUD housing complex. I was able to download the FRST at their computer lab. The Wifi I mentioned is used for their networks and the three public computers in each housing complex, but they also have a computer lab.

They gave me a spare USB for it too. It's only 1 gig though. Will that do?
If I were to use my 64 gig, would I have to remove all the files?
I should be able to follow your most recent instructions now, and I keep this forum open on my desktop.
 

SteveTraverse

TS Rookie
Ok, I have made several attempts over the last two days, but the system recovery options menu will NOT load. I begin tapping F8 off and on very fast immediately when I turn on the laptop, I have also tried holding it down. Every time it boots into Windows no matter what. It is an Acer Aspire with Windows 7 Home Premium. From past experiences, I also cannot turn it on with a USB plugged in, it assumes it is a boot disk.

I was able to get into a menu with startup repair and system restore as options once before, but only because Windows failed to start. If I immediately turn off power in windows, I can probably get the screen that gives me the option to start windows normally or go into safe mode. I think that has command prompt available as well, though I could be wrong.
 

SteveTraverse

TS Rookie
I did a bit of searching online about this issue. The best I can do is use Msconfig, and change the boot options. If Safe boot is checked, I have the following options: Minimal (loads Windows into safe mode), Alternative shell, Active Directory repair, and Network (probably safe mode with networking). What I want is for it to load the options and not boot into Windows.

The other options I have are no gui boot, boot log, base video, and os boot information. Timeout is set to 0 seconds. There is a box make all boot settings permanent. I have windows 7 (C:\) and Windows Fast Mode (C:\Windows): current Os; default os.

I had my first computer back in the 90s. A 386 Packard Bell, I remember how in the old days we would boot into DOS and not even start Windows until we manually decided to. Scratch that, my very first computer was a Commodore 64.

Anyways let me know what MSconfig options to use, or if there is another solution. F8 won't work.
 

Broni

Malware Annihilator
You can't access System Recovery Options through msconfig options. Unfortunately.

The only other option is by using Windows 7 installation disk.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.