very persistent internet tracking cookies

06-17-2016, 08:59 PM   #1
Registered Member
 
Join Date: Jul 2009
Posts: 34
OS: Winxp SP3



Hello, my long time friend--Tech Support Forum!

It's been six years since I last posted anything here and I always remember this place. Thank you for making me feel at home.

I need some quick help, please. I have ongoing online classes which require my computer to work properly every week. But I am now stuck with these very persistent internet tracking cookies, which are removed by SUPERAntiSpyware every day and keep coming back every day. So below is my log. Your help is highly appreciated!

SUPERAntiSpyware Scan Log
SUPERAntiSpyware | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

Generated 06/17/2016 at 07:08 PM

Application Version : 6.0.1218
Database Version : 12767

Scan type : Complete Scan
Total Scan Time : 01:09:57

Operating System Information
Windows 10 Home 64-bit (Build 10.00.10586)
UAC On - Limited User

Memory items scanned : 873
Memory threats detected : 0
Registry items scanned : 65810
Registry threats detected : 0
File items scanned : 26365
File threats detected : 20

Adware.Tracking Cookie
C:\Users\Rusheng\AppData\Local\Microsoft\Windows\INetCookies\UJA87YBT.txt [ /adnxs.com ]
C:\Users\Rusheng\AppData\Local\Microsoft\Windows\INetCookies\4UVPXPGH.txt [ /bluekai.com ]
C:\Users\Rusheng\AppData\Local\Microsoft\Windows\INetCookies\53CYJCRW.txt [ /sp.adbrn.com ]
C:\Users\Rusheng\AppData\Local\Microsoft\Windows\INetCookies\ITH9IV1K.txt [ /dmtry.com ]
C:\Users\Rusheng\AppData\Local\Microsoft\Windows\INetCookies\CA3RY43Y.txt [ /cdn.at.atwola.com ]
C:\Users\Rusheng\AppData\Local\Microsoft\Windows\INetCookies\3DYL15KE.txt [ /atwola.com ]
C:\Users\Rusheng\AppData\Local\Microsoft\Windows\INetCookies\O0XS6ISX.txt [ /adsrvr.org ]
atwola.com/.JEB2 [ C:\USERS\RUSHENG\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\3DYL15KE.TXT ]
bluekai.com/.bkdc [ C:\USERS\RUSHENG\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\4UVPXPGH.TXT ]
bluekai.com/.bku [ C:\USERS\RUSHENG\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\4UVPXPGH.TXT ]
sp.adbrn.com/.tuuid [ C:\USERS\RUSHENG\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\53CYJCRW.TXT ]
sp.adbrn.com/.rscscap [ C:\USERS\RUSHENG\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\53CYJCRW.TXT ]
cdn.at.atwola.com/.msnping [ C:\USERS\RUSHENG\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\CA3RY43Y.TXT ]
dmtry.com/.aid [ C:\USERS\RUSHENG\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\ITH9IV1K.TXT ]
adsrvr.org/.TDID [ C:\USERS\RUSHENG\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\O0XS6ISX.TXT ]
adsrvr.org/.TDCPM [ C:\USERS\RUSHENG\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\O0XS6ISX.TXT ]
adnxs.com/.sess [ C:\USERS\RUSHENG\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\UJA87YBT.TXT ]
adnxs.com/.uuid2 [ C:\USERS\RUSHENG\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\UJA87YBT.TXT ]
adnxs.com/.anj [ C:\USERS\RUSHENG\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\UJA87YBT.TXT ]
adnxs.com/.icu [ C:\USERS\RUSHENG\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\UJA87YBT.TXT ]

============
End of Log
============
06-19-2016, 10:15 AM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Clean
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

Please download Farbar Recovery Scan Tool and save it to your desktop.
  • Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
  • Make sure the Addition.txt button is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
06-22-2016, 04:49 PM   #3
Registered Member
 
Join Date: Jul 2009
Posts: 34
OS: Winxp SP3



# AdwCleaner v5.200 - Logfile created 22/06/2016 at 16:33:35
# Updated 14/06/2016 by ToolsLib
# Database : 2016-06-22.1 [Server]
# Operating system : Windows 10 Home (X64)
# Username : Rusheng - RUSHENG-PC
# Running from : C:\Users\Rusheng\Downloads\AdwCleaner.exe
# Option : Clean
# Support : https://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfnbcaeplbcioakkpcpgfkobkghlhen

***** [ Files ] *****

[-] File Deleted : C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_kbfnbcaeplbcioakkpcpgfkobkghlhen_0.localstorage

***** [ DLLs ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}

***** [ Web browsers ] *****

[-] [C:\Users\Rusheng\AppData\Roaming\Mozilla\Firefox\Profiles\oqev575i.default-1394995071787\prefs.js] Deleted : user_pref("[email protected]_hao123_ts", 16974);
[-] [C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : kbfnbcaeplbcioakkpcpgfkobkghlhen

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [23650 bytes] - [02/06/2016 23:04:52]
C:\AdwCleaner\AdwCleaner[C2].txt - [1744 bytes] - [05/06/2016 08:10:26]
C:\AdwCleaner\AdwCleaner[C3].txt - [1890 bytes] - [08/06/2016 08:27:21]
C:\AdwCleaner\AdwCleaner[C4].txt - [2036 bytes] - [09/06/2016 16:12:08]
C:\AdwCleaner\AdwCleaner[C5].txt - [2372 bytes] - [13/06/2016 07:43:59]
C:\AdwCleaner\AdwCleaner[C6].txt - [2406 bytes] - [16/06/2016 14:50:30]
C:\AdwCleaner\AdwCleaner[C7].txt - [2667 bytes] - [17/06/2016 10:14:55]
C:\AdwCleaner\AdwCleaner[C8].txt - [2199 bytes] - [22/06/2016 16:33:35]
C:\AdwCleaner\AdwCleaner[S1].txt - [23102 bytes] - [02/06/2016 22:53:44]
C:\AdwCleaner\AdwCleaner[S2].txt - [1552 bytes] - [05/06/2016 08:01:31]
C:\AdwCleaner\AdwCleaner[S3].txt - [1698 bytes] - [08/06/2016 08:20:52]
C:\AdwCleaner\AdwCleaner[S4].txt - [1844 bytes] - [09/06/2016 16:03:57]
C:\AdwCleaner\AdwCleaner[S5].txt - [2174 bytes] - [13/06/2016 07:36:02]
C:\AdwCleaner\AdwCleaner[S6].txt - [2214 bytes] - [16/06/2016 14:45:57]
C:\AdwCleaner\AdwCleaner[S7].txt - [2469 bytes] - [17/06/2016 10:05:48]
C:\AdwCleaner\AdwCleaner[S8].txt - [2732 bytes] - [22/06/2016 16:27:08]

########## EOF - C:\AdwCleaner\AdwCleaner[C8].txt - [2857 bytes] ##########
06-22-2016, 05:09 PM   #4
Registered Member
 
Join Date: Jul 2009
Posts: 34
OS: Winxp SP3



Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-06-2016 01
Ran by Rusheng (administrator) on RUSHENG-PC (22-06-2016 16:53:43)
Running from C:\Users\Rusheng\Downloads
Loaded Profiles: Rusheng (Available Profiles: Rusheng & Administrator & DefaultAppPool)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(IObit) C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgwdsvca.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgidsagenta.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
() C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(IObit) C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PDF Create 8\PDFProFiltSrv.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgcsrva.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgemca.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgrsa.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(IObit) C:\Program Files (x86)\IObit\Advanced SystemCare\Monitor.exe
(IObit) C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe
() C:\Program Files (x86)\ClipX\clipx.exe
(IObit) C:\Program Files (x86)\IObit\Advanced SystemCare\ASCTray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Logitech, Inc.) C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avguix.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgui.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Opera Software) C:\Program Files (x86)\Opera\launcher.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Siber Systems Inc.) C:\Program Files (x86)\Siber Systems\AI RoboForm\Chrome\rf-chrome-nm-host.exe
(Siber Systems) C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2841896 2011-10-28] (Synaptics Incorporated)
HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [3113592 2015-08-25] (Logitech, Inc.)
HKLM-x32\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguirnx.exe [186640 2016-05-18] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\Av\avgui.exe [6570256 2016-06-09] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [597016 2016-03-31] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-2219305202-884981724-1261442642-1001\...\Run: [SRS Audio Sandbox] => C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe [3676952 2010-01-07] (SRS Labs, Inc.)
HKU\S-1-5-21-2219305202-884981724-1261442642-1001\...\Run: [clipx] => C:\Program Files (x86)\ClipX\clipx.exe [68608 2005-11-30] ()
HKU\S-1-5-21-2219305202-884981724-1261442642-1001\...\Run: [ctfmon] => C:\WINDOWS\system32\ctfmon.exe [10752 2015-10-30] (Microsoft Corporation)
HKU\S-1-5-21-2219305202-884981724-1261442642-1001\...\Run: [RoboForm] => C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [109784 2015-12-10] (Siber Systems)
HKU\S-1-5-21-2219305202-884981724-1261442642-1001\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-2219305202-884981724-1261442642-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7943072 2016-04-20] (SUPERAntiSpyware)
HKU\S-1-5-21-2219305202-884981724-1261442642-1001\...\Run: [Advanced SystemCare 9] => C:\Program Files (x86)\IObit\Advanced SystemCare\ASCTray.exe [2010912 2015-11-06] (IObit)
HKU\S-1-5-21-2219305202-884981724-1261442642-1001\...\Run: [avichannel] => C:\Program Files (x86)\Evaer\videochannel.exe [1740776 2015-03-08] (Evaer Technology)
HKU\S-1-5-21-2219305202-884981724-1261442642-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8722136 2016-06-01] (Piriform Ltd)
HKU\S-1-5-21-2219305202-884981724-1261442642-1001\...\RunOnce: [Uninstall C:\Users\Rusheng\AppData\Local\Microsoft\OneDrive\17.3.6201.1019_1\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Rusheng\AppData\Local\Microsoft\OneDrive\17.3.6201.1019_1\amd64"
HKU\S-1-5-21-2219305202-884981724-1261442642-1001\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
ShellIconOverlayIdentifiers: [GladinetIconOverlay] -> {3C3DC57A-7535-48AF-BB9E-C3576A4F34D0} => C:\Program Files (x86)\Nuance\Nuance Cloud Connector\GlOverlayIcon.dll [2013-03-22] (Gladinet, INC)
ShellIconOverlayIdentifiers: [GladinetUploading] -> {959A18D3-9CC9-41e8-B76F-34ED9A89D4EA} => C:\Program Files (x86)\Nuance\Nuance Cloud Connector\GlOverlayIconU.dll [2013-03-22] (Gladinet, INC)
ShellIconOverlayIdentifiers-x32: [GladinetIconOverlay] -> {3C3DC57A-7535-48AF-BB9E-C3576A4F34D0} => C:\Program Files (x86)\Nuance\Nuance Cloud Connector\GlOverlayIcon32.dll [2013-03-22] (Gladinet, INC)
ShellIconOverlayIdentifiers-x32: [GladinetUploading] -> {959A18D3-9CC9-41e8-B76F-34ED9A89D4EA} => C:\Program Files (x86)\Nuance\Nuance Cloud Connector\GlOverlayIconU32.dll [2013-03-22] (Gladinet, INC)
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{64665404-7035-437c-81bc-de4405f59522}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{d1b34654-29c9-4df7-8d5c-394134ad2b7d}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKU\S-1-5-21-2219305202-884981724-1261442642-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.msn.com/?ocid=OIE9HP
HKU\S-1-5-21-2219305202-884981724-1261442642-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?pc=UP97&ocid=UP97DHP
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2219305202-884981724-1261442642-1001 -> DefaultScope {64AF4D11-6492-4C25-B014-B6C6CEE3B0C5} URL = hxxps://www.baidu.com/s?tn=80035161_2_dg&wd={searchTerms}
SearchScopes: HKU\S-1-5-21-2219305202-884981724-1261442642-1001 -> 3E9DA4AACAA24D4F9A2E99B878955819 URL = hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2219305202-884981724-1261442642-1001 -> 531761E1A6F64E0097A95DE15C997CB9 URL = hxxp://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=ppsbaibu_oem_dg&ch=33
SearchScopes: HKU\S-1-5-21-2219305202-884981724-1261442642-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2219305202-884981724-1261442642-1001 -> {391B4B65-4B3A-4B16-BD7E-3C0DF08104AC} URL =
SearchScopes: HKU\S-1-5-21-2219305202-884981724-1261442642-1001 -> {44177982-996D-4b79-B29F-5B60E13A5169} URL = hxxp://www.baidu.com/s?wd={searchTerms}&tn=98012088_dg&ch=5&ie=utf-8
SearchScopes: HKU\S-1-5-21-2219305202-884981724-1261442642-1001 -> {64AF4D11-6492-4C25-B014-B6C6CEE3B0C5} URL = hxxps://www.baidu.com/s?tn=80035161_2_dg&wd={searchTerms}
BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer.dll [2015-12-23] (IObit)
BHO: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2015-12-10] (Siber Systems Inc.)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_92\bin\ssv.dll [2016-05-27] (Oracle Corporation)
BHO: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
BHO: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll [2015-08-25] (Logitech, Inc.)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_92\bin\jp2ssv.dll [2016-05-27] (Oracle Corporation)
BHO-x32: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2009-09-20] (Hewlett-Packard Co.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11] (Adobe Systems Incorporated)
BHO-x32: PlusIEEventHelper Class -> {551A852F-39A6-44A7-9C13-AFBEC9185A9D} -> C:\Program Files (x86)\Nuance\PDF Create 8\Bin\PlusIEContextMenu.dll [2012-07-19] (Zeon Corporation)
BHO-x32: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll [2015-12-10] (Siber Systems Inc.)
BHO-x32: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll [2015-08-25] (Logitech, Inc.)
BHO-x32: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> No File
Toolbar: HKLM - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2015-12-10] (Siber Systems Inc.)
Toolbar: HKU\S-1-5-21-2219305202-884981724-1261442642-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: HKLM-x32 {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - No File
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - No File
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-02-01] (Skype Technologies)
Handler: skypec2c - No CLSID Value

FireFox:
========
FF ProfilePath: C:\Users\Rusheng\AppData\Roaming\Mozilla\Firefox\Profiles\oqev575i.default-1394995071787
FF Homepage: chrome://speeddial/content/speeddial.xul
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_21_0_0_242.dll [2016-05-12] ()
FF Plugin: @java.com/DTPlugin,version=11.92.2 -> C:\Program Files\Java\jre1.8.0_92\bin\dtplugin\npDeployJava1.dll [2016-05-27] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.92.2 -> C:\Program Files\Java\jre1.8.0_92\bin\plugin2\npjp2.dll [2016-05-27] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_242.dll [2016-05-12] ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @siber.com/RoboForm -> C:\Program Files (x86)\Siber Systems\AI RoboForm\chrome\plugin\np-rf-plugin.dll [2015-12-10] (Siber Systems Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-24] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-24] (Google Inc.)
FF Plugin-x32: [email protected]/YahooActiveXPluginBridge;version=1.0.0.1 -> C:\Program Files (x86)\Yahoo!\Common\npyaxmpb.dll [2007-03-09] (Yahoo! Inc.)
FF Plugin-x32: ZEON/PDF,version=2.0 -> C:\Program Files (x86)\Nuance\PDF Create 8\bin\nppdf.dll [2012-07-31] (Zeon Corporation)
FF Plugin HKU\S-1-5-21-2219305202-884981724-1261442642-1001: @citrixonline.com/appdetectorplugin -> C:\Users\Rusheng\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-03-08] (Citrix Online)
FF Plugin HKU\S-1-5-21-2219305202-884981724-1261442642-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Rusheng\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2012-12-07] (Unity Technologies ApS)
FF user.js: detected! => C:\Users\Rusheng\AppData\Roaming\Mozilla\Firefox\Profiles\oqev575i.default-1394995071787\user.js [2016-06-21]
FF SearchPlugin: C:\Users\Rusheng\AppData\Roaming\Mozilla\Firefox\Profiles\oqev575i.default-1394995071787\searchplugins\yahoo-avast.xml [2015-12-31]
FF Extension: Speed Dial - C:\Users\Rusheng\AppData\Roaming\Mozilla\Firefox\Profiles\oqev575i.default-1394995071787\extensions\{64161300-e22b-11db-8314-0800200c9a66}.xpi [2015-09-14]
FF Extension: COBA - C:\Users\Rusheng\AppData\Roaming\Mozilla\Firefox\Profiles\oqev575i.default-1394995071787\extensions\[email protected] [2016-02-18]
FF Extension: NoScript - C:\Users\Rusheng\AppData\Roaming\Mozilla\Firefox\Profiles\oqev575i.default-1394995071787\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2016-04-08]
FF Extension: App Instant - C:\Users\Rusheng\AppData\Roaming\Mozilla\Firefox\Profiles\oqev575i.default-1394995071787\extensions\[email protected] [2016-04-20]
FF Extension: Easy Access - C:\Users\Rusheng\AppData\Roaming\Mozilla\Firefox\Profiles\oqev575i.default-1394995071787\extensions\[email protected] [2016-05-19]
FF Extension: Firefox Homepage - C:\Users\Rusheng\AppData\Roaming\Mozilla\Firefox\Profiles\oqev575i.default-1394995071787\extensions\[email protected] [2016-06-09]
FF Extension: Addons Manager - C:\Users\Rusheng\AppData\Roaming\Mozilla\Firefox\Profiles\oqev575i.default-1394995071787\extensions\[email protected] [2016-06-09]
FF Extension: Tab Tweak - C:\Users\Rusheng\AppData\Roaming\Mozilla\Firefox\Profiles\oqev575i.default-1394995071787\extensions\[email protected] [2016-06-09]
FF Extension: Firefox Migration - C:\Users\Rusheng\AppData\Roaming\Mozilla\Firefox\Profiles\oqev575i.default-1394995071787\Extensions\[email protected] [2015-11-16]
FF Extension: WOT - C:\Users\Rusheng\AppData\Roaming\Mozilla\Firefox\Profiles\oqev575i.default-1394995071787\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2015-12-09]
FF Extension: Adblock Plus - C:\Users\Rusheng\AppData\Roaming\Mozilla\Firefox\Profiles\oqev575i.default-1394995071787\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-05-09]
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2015-11-16] [not signed]
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2015-11-16] [not signed]
FF Extension: Skype - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2016-05-25]
FF Extension: AddonInstaller - C:\Program Files (x86)\Mozilla Firefox\distribution\bundles\[email protected] [2015-11-16] [not signed]
FF Extension: Firefox Migration - C:\Program Files (x86)\Mozilla Firefox\distribution\bundles\[email protected] [2015-11-16] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\Kingsoft\PowerWordDict\plugin\firefox => not found
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012-05-13] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt
FF Extension: Logitech SetPoint - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2016-04-29] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{22119944-ED35-4ab1-910B-E619EA06A115}] - C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox
FF Extension: RoboForm Toolbar for Firefox - C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox [2015-12-10] [not signed]
FF HKU\S-1-5-21-2219305202-884981724-1261442642-1001\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

Chrome:
=======
CHR Profile: C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Translate) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapbdbdomjkkjkaonfhkkikfgjllcleb [2015-12-16]
CHR Extension: (QuickMark QR Code Extension) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhddglpocgogkbpkbkoieiplhgbjmiim [2016-01-13]
CHR Extension: (WOT: Web of Trust, Website Reputation Ratings) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp [2016-06-22]
CHR Extension: (Adblock Plus) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-06-02]
CHR Extension: (The QR Code Generator) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Default\Extensions\gcmhlmapohffdglflokbgknlknnmogbb [2016-01-13]
CHR Extension: (AdBlock) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-06-02]
CHR Extension: (Grammarly for Chrome) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfnbcaeplbcioakkpcpgfkobkghlhen [2016-06-22]
CHR Extension: (Speed Dial [FVD] - New Tab Page, 3D, Sync...) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Default\Extensions\llaficoajjainaijghjlofdfmbjpebpa [2016-06-22]
CHR Extension: (Capture Webpage Screenshot Entirely. FireShot) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbpblocgmgfnpjjppndjkmgjaogfceg [2016-03-12]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-04]
CHR Extension: (RoboForm Password Manager) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnlccmojcmeohlpggmfnbbiapkmbliob [2016-03-19]
CHR Profile: C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Google Slides) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-12-27]
CHR Extension: (Google Docs) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2015-12-27]
CHR Extension: (Google Drive) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-12-27]
CHR Extension: (YouTube) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-12-27]
CHR Extension: (AVG Secure Search) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\chfdnecihphmhljaaejmgoiahnihplgn [2015-12-27]
CHR Extension: (Google Search) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-12-27]
CHR Extension: (Google Sheets) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-12-27]
CHR Extension: (Google Docs Offline) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-12-27]
CHR Extension: (Skype) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2015-12-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-12-27]
CHR Extension: (Gmail) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-12-27]
CHR Extension: (RoboForm Password Manager) - C:\Users\Rusheng\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pnlccmojcmeohlpggmfnbbiapkmbliob [2015-12-27]
CHR HKLM-x32\...\Chrome\Extension: [cngicmmkocjjbmacacmchjhdimdhfgod] - C:\Program Files (x86)\Kingsoft\PowerWordDict\plugin\chrome\XDictExtension.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2016-05-25]
CHR HKLM-x32\...\Chrome\Extension: [pnlccmojcmeohlpggmfnbbiapkmbliob] - C:\Program Files (x86)\Siber Systems\AI RoboForm\Chrome\rf-chrome.crx [2015-12-10]

Opera:
=======
OPR Extension: (RoboForm) - C:\Program Files (x86)\Siber Systems\AI RoboForm\Opera [2015-12-10]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
S3 Adobe LM Service; C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [72704 2015-06-15] (Adobe Systems) [File not signed]
R2 AdvancedSystemCareService9; C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe [827680 2015-11-04] (IObit)
S3 AvgAMPS; C:\Program Files (x86)\AVG\Av\avgamps.exe [636312 2016-06-09] (AVG Technologies CZ, s.r.o.)
S2 avgfws; C:\Program Files (x86)\AVG\Av\avgfwsa.exe [1998712 2016-06-09] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\Av\avgidsagenta.exe [5165824 2016-06-09] (AVG Technologies CZ, s.r.o.)
R2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1080592 2016-05-18] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\Av\avgwdsvca.exe [705528 2016-06-09] (AVG Technologies CZ, s.r.o.)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1364096 2016-05-25] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1687680 2016-05-25] (Microsoft Corporation)
S3 GladFileMonSvc; C:\Program Files (x86)\Nuance\Nuance Cloud Connector\GladFileMonSvc.exe [30032 2013-03-22] (Gladinet, INC)
R3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [249344 2009-09-20] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll [133120 2009-09-20] (Hewlett-Packard Co.) [File not signed]
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [16232 2013-12-18] (Intel Corporation)
S3 Kingsoft_WPS_UpdateService; C:\Users\Rusheng\AppData\Local\Kingsoft\WPS Office\10.1.0.5507\wtoolex\wpsupdatesvr.exe [132992 2016-03-10] (Zhuhai Kingsoft Office Software Co.,Ltd)
R2 LiveUpdateSvc; C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe [2960672 2016-05-27] (IObit)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
R2 Oasis2Service; C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe [46080 2010-06-23] () [File not signed]
S3 OmniAddrService; C:\Program Files (x86)\SogouInput\Components\AddressSearch\OmniAddr\OmniAddrService.exe [154352 2014-07-10] (Sogou.com Inc)
S3 OS Selector; C:\Program Files (x86)\Acronis\DiskDirector\OSS\reinstall_svc.exe [2139400 2010-09-29] ()
R2 PDFProFiltSrv; C:\Program Files (x86)\Nuance\PDF Create 8\PDFProFiltSrv.exe [135056 2012-08-15] (Nuance Communications, Inc.)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 SogouUpdate; C:\Program Files (x86)\SogouInput\7.9.0.7576\SogouUpdate.exe [367552 2016-03-21] (Sogou.com Inc.)
S2 SwOffScheduler; C:\Program Files\Airytec\Switch Off\swoff.exe [179712 2010-10-31] (Airytec) [File not signed]
S2 SwOffWeb; C:\Program Files\Airytec\Switch Off\swoff.exe [179712 2010-10-31] (Airytec) [File not signed]
S3 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5702416 2015-09-11] (TeamViewer GmbH)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)
S2 wltrysvc; C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\bcmwltry.exe [5836800 2012-05-17] (Broadcom Corporation) [File not signed]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 Avgboota; C:\Windows\System32\DRIVERS\avgboota.sys [21632 2016-01-07] (AVG Technologies CZ, s.r.o.)
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [162592 2016-02-16] (AVG Technologies CZ, s.r.o.)
R1 Avgfwfd; C:\Windows\system32\DRIVERS\avgfwd6a.sys [97208 2015-08-29] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [307456 2016-05-18] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [272304 2016-01-26] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [260352 2016-05-02] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [360736 2016-02-16] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [247040 2016-05-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [51968 2016-05-02] (AVG Technologies CZ, s.r.o.)
R0 avguniva; C:\Windows\System32\DRIVERS\avguniva.sys [71936 2016-05-05] (AVG Technologies CZ, s.r.o.)
R1 Avgwfpa; C:\Windows\system32\DRIVERS\avgwfpa.sys [315840 2015-12-16] (AVG Technologies CZ, s.r.o.)
R3 bbcap; C:\Windows\system32\DRIVERS\bbcap.sys [4608 2014-05-31] (Windows (R) Codename Longhorn DDK provider)
R3 BCM43XX; C:\Windows\system32\DRIVERS\bcmwl63a.sys [7585280 2015-10-30] (Broadcom Corporation)
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [129152 2016-04-25] (Samsung Electronics Co., Ltd.)
S3 GeneStor; C:\Windows\system32\DRIVERS\GeneStor.sys [104960 2014-07-07] (GenesysLogic)
R0 kavbootc; C:\Windows\System32\drivers\kavbootc64.sys [31848 2015-07-15] (Kingsoft Corporation)
S3 knbdrv; C:\windows\system32\drivers\KNBDrv.sys [102704 2014-12-17] (Kingsoft Corporation)
S3 LNonPnP; C:\windows\System32\Drivers\LNonPnP.sys [18960 2013-11-07] (Logitech, Inc.)
R1 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [140672 2016-03-10] (Malwarebytes)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-06-22] (Malwarebytes)
R3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [589824 2015-10-30] (Realtek )
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 SRS_SSCFilter; C:\Windows\system32\drivers\srs_sscfilter_amd64.sys [346992 2009-12-15] ()
S3 ssudmdm; C:\Windows\system32\DRIVERS\ssudmdm.sys [221824 2016-04-25] (Samsung Electronics Co., Ltd.)
S1 Uim_IM; C:\Windows\System32\Drivers\Uim_IMx64.sys [633680 2012-11-25] (Paragon)
R3 vm331avs; C:\Windows\System32\Drivers\vm331avs.sys [215168 2010-03-18] (Vimicro Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
U3 idsvc; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVCx32: dg597 -> no filepath.

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-22 16:53 - 2016-06-22 16:57 - 00033284 _____ C:\Users\Rusheng\Downloads\FRST.txt
2016-06-22 16:53 - 2016-06-22 16:53 - 00000000 ____D C:\FRST
2016-06-22 16:50 - 2016-06-22 16:52 - 02387456 _____ (Farbar) C:\Users\Rusheng\Downloads\FRST64.exe
2016-06-22 16:24 - 2016-06-22 16:26 - 03703360 _____ C:\Users\Rusheng\Downloads\AdwCleaner.exe
2016-06-22 08:15 - 2016-06-22 15:49 - 00000536 _____ C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task de9ced53-803b-45d5-9df5-48ebbb42f050.job
2016-06-22 08:15 - 2016-06-22 15:49 - 00000536 _____ C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task 153abd94-1361-416b-b4af-3c46e871ab3e.job
2016-06-22 08:15 - 2016-06-22 08:15 - 00003770 _____ C:\WINDOWS\System32\Tasks\SUPERAntiSpyware Scheduled Task de9ced53-803b-45d5-9df5-48ebbb42f050
2016-06-22 08:15 - 2016-06-22 08:15 - 00003688 _____ C:\WINDOWS\System32\Tasks\SUPERAntiSpyware Scheduled Task 153abd94-1361-416b-b4af-3c46e871ab3e
2016-06-21 08:23 - 2016-06-21 08:23 - 00002498 _____ C:\WINDOWS\System32\Tasks\Uninstaller_SkipUac_Rusheng
2016-06-21 08:23 - 2016-06-21 08:23 - 00000304 _____ C:\WINDOWS\Tasks\Uninstaller_SkipUac_Rusheng.job
2016-06-21 08:22 - 2016-06-21 08:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Uninstaller
2016-06-21 08:18 - 2016-06-21 08:20 - 13361952 _____ (IObit) C:\Users\Rusheng\Downloads\iobituninstaller.exe
2016-06-20 12:17 - 2016-06-20 12:18 - 04926589 _____ C:\Users\Rusheng\Downloads\acup.pdf
2016-06-17 22:12 - 2016-06-17 22:12 - 00028252 _____ C:\WINDOWS\SysWOW64\Rockey9x.vxd
2016-06-17 22:12 - 2016-06-17 22:12 - 00000000 ____D C:\Program Files (x86)\SinoVoice
2016-06-17 08:59 - 2016-06-14 11:33 - 00828408 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2016-06-17 08:59 - 2016-06-14 11:33 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2016-06-17 07:45 - 2016-06-08 18:01 - 00452909 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20160617-074523.backup
2016-06-16 07:55 - 2016-06-16 07:55 - 00003960 _____ C:\WINDOWS\System32\Tasks\Opera scheduled Autoupdate 1425851610
2016-06-16 07:55 - 2016-06-16 07:55 - 00001120 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
2016-06-14 12:17 - 2016-06-14 12:17 - 24605696 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 22379008 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 19344384 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 18674176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 13385728 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 12128256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 07832576 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 05660160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 04896256 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 03664896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 02921880 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 02582016 _____ (Microsoft Corporation) C:\WINDOWS\system32\MFMediaEngine.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 02061824 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MFMediaEngine.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 01534464 _____ (Microsoft Corporation) C:\WINDOWS\system32\LocationFramework.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 01185280 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\LocationFramework.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 00890368 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AppxPackaging.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 00784384 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 00764928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakradiag.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 00693600 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupEngine.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 00687616 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 00501600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupEngine.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 00406528 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srv.sys
2016-06-14 12:17 - 2016-06-14 12:17 - 00207360 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupSvc.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 00199168 _____ (Microsoft Corporation) C:\WINDOWS\system32\GnssAdapter.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 00115040 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupApi.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 00084832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupApi.dll
2016-06-14 12:17 - 2016-06-14 12:17 - 00031744 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dumpsdport.sys
2016-06-14 12:16 - 2016-06-14 12:16 - 22561256 _____ (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 11545088 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinui.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 09918976 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\twinui.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 07474528 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2016-06-14 12:16 - 2016-06-14 12:16 - 04515264 _____ (Microsoft Corporation) C:\WINDOWS\explorer.exe
2016-06-14 12:16 - 2016-06-14 12:16 - 04387680 _____ (Microsoft Corporation) C:\WINDOWS\system32\setupapi.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 04268880 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\setupapi.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 04074160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\explorer.exe
2016-06-14 12:16 - 2016-06-14 12:16 - 03994624 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingsHandlers_nt.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 03675512 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 03585536 _____ (Microsoft Corporation) C:\WINDOWS\system32\SystemSettingsThresholdAdminFlowUI.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 02755584 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 02635776 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Logon.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 02609664 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetworkMobileSettings.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 02548944 _____ (Microsoft Corporation) C:\WINDOWS\system32\d3d10warp.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 02168320 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentServer.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 02066432 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentExtensions.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 01996288 _____ (Microsoft Corporation) C:\WINDOWS\system32\ActiveSyncProvider.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 01799680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Logon.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 01797120 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Immersive.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 01730560 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 01716736 _____ (Microsoft Corporation) C:\WINDOWS\system32\SRHInproc.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 01707520 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ActiveSyncProvider.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 01582080 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Immersive.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 01401024 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 01390080 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Shell.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 01339904 _____ (Microsoft Corporation) C:\WINDOWS\system32\gpsvc.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 01322248 _____ (Microsoft Corporation) C:\WINDOWS\system32\ole32.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 01184960 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 01073152 _____ (Microsoft Corporation) C:\WINDOWS\system32\RDXService.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00990208 _____ (Microsoft Corporation) C:\WINDOWS\system32\SharedStartModel.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00965632 _____ (Microsoft Corporation) C:\WINDOWS\system32\SRH.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00963072 _____ (Microsoft Corporation) C:\WINDOWS\system32\iphlpsvc.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00957608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ole32.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00808288 _____ (Microsoft Corporation) C:\WINDOWS\system32\WWAHost.exe
2016-06-14 12:16 - 2016-06-14 12:16 - 00730344 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Internal.Shell.Broker.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00693760 _____ (Microsoft Corporation) C:\WINDOWS\system32\internetmail.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00690176 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srv2.sys
2016-06-14 12:16 - 2016-06-14 12:16 - 00641536 _____ (Microsoft Corporation) C:\WINDOWS\system32\enterprisecsps.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00636304 _____ (Microsoft Corporation) C:\WINDOWS\system32\fontdrvhost.exe
2016-06-14 12:16 - 2016-06-14 12:16 - 00610816 _____ (Microsoft Corporation) C:\WINDOWS\system32\rastls.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00606208 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00591360 _____ (Microsoft Corporation) C:\WINDOWS\system32\vpnike.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00587776 _____ (Microsoft Corporation) C:\WINDOWS\system32\bisrv.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00555520 _____ (Microsoft Corporation) C:\WINDOWS\system32\SyncController.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00535040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rastls.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00514752 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00511488 _____ (Microsoft Corporation) C:\WINDOWS\system32\newdev.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00485888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\newdev.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00450560 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SyncController.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00431296 _____ (Microsoft Corporation) C:\WINDOWS\system32\bcryptprimitives.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00430312 _____ (Microsoft Corporation) C:\WINDOWS\system32\ws2_32.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00428896 _____ (Microsoft Corporation) C:\WINDOWS\system32\hal.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00417792 _____ (Microsoft Corporation) C:\WINDOWS\system32\dmenrollengine.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00414720 _____ (Microsoft Corporation) C:\WINDOWS\system32\bcastdvr.exe
2016-06-14 12:16 - 2016-06-14 12:16 - 00392192 _____ (Microsoft Corporation) C:\WINDOWS\system32\IPSECSVC.DLL
2016-06-14 12:16 - 2016-06-14 12:16 - 00388384 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ws2_32.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00380416 _____ (Microsoft Corporation) C:\WINDOWS\system32\SystemEventsBrokerServer.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00379232 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\atmfd.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00360480 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\bcryptprimitives.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00332288 _____ (Microsoft Corporation) C:\WINDOWS\system32\polstore.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00315392 _____ (Microsoft Corporation) C:\WINDOWS\system32\RDXTaskFactory.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00303216 _____ (Microsoft Corporation) C:\WINDOWS\system32\LockAppHost.exe
2016-06-14 12:16 - 2016-06-14 12:16 - 00291328 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\polstore.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00290496 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00285184 _____ (Microsoft Corporation) C:\WINDOWS\system32\VEEventDispatcher.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00278528 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\netbt.sys
2016-06-14 12:16 - 2016-06-14 12:16 - 00278016 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Internal.Management.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00254656 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\LockAppHost.exe
2016-06-14 12:16 - 2016-06-14 12:16 - 00239104 _____ (Microsoft Corporation) C:\WINDOWS\system32\BrokerLib.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00237056 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srvnet.sys
2016-06-14 12:16 - 2016-06-14 12:16 - 00219136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\VEEventDispatcher.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00200192 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Internal.Management.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00190464 _____ (Microsoft Corporation) C:\WINDOWS\system32\wscsvc.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00176640 _____ (Microsoft Corporation) C:\WINDOWS\system32\mdmregistration.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00174080 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingsHandlers_Privacy.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00173056 _____ (Microsoft Corporation) C:\WINDOWS\system32\mdmmigrator.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00162816 _____ (Microsoft Corporation) C:\WINDOWS\system32\enrollmentapi.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00157184 _____ (Microsoft Corporation) C:\WINDOWS\system32\dmcertinst.exe
2016-06-14 12:16 - 2016-06-14 12:16 - 00151040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mdmregistration.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00145920 _____ (Microsoft Corporation) C:\WINDOWS\system32\omadmclient.exe
2016-06-14 12:16 - 2016-06-14 12:16 - 00131248 _____ (Microsoft Corporation) C:\WINDOWS\system32\gpapi.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00128512 _____ (Microsoft Corporation) C:\WINDOWS\system32\httpprxm.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00118624 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\partmgr.sys
2016-06-14 12:16 - 2016-06-14 12:16 - 00118272 _____ (Microsoft Corporation) C:\WINDOWS\system32\fontsub.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00092352 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00091648 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tdlrecover.exe
2016-06-14 12:16 - 2016-06-14 12:16 - 00091136 _____ (Microsoft Corporation) C:\WINDOWS\system32\browserbroker.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00090624 _____ (Microsoft Corporation) C:\WINDOWS\system32\DeviceEnroller.exe
2016-06-14 12:16 - 2016-06-14 12:16 - 00090112 _____ (Microsoft Corporation) C:\WINDOWS\system32\FwRemoteSvr.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00088576 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\olepro32.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00086528 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppCapture.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00079360 _____ (Microsoft Corporation) C:\WINDOWS\system32\adhsvc.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00053760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\FwRemoteSvr.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00046784 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2016-06-14 12:16 - 2016-06-14 12:16 - 00045568 _____ (Adobe Systems) C:\WINDOWS\system32\atmlib.dll
2016-06-14 12:16 - 2016-06-14 12:16 - 00019456 _____ (Microsoft Corporation) C:\WINDOWS\system32\httpprxp.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 07977472 _____ (Microsoft Corporation) C:\WINDOWS\system32\mos.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 07200256 _____ (Microsoft Corporation) C:\WINDOWS\system32\BingMaps.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 06973952 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Data.Pdf.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 06295552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mos.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 05323776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Data.Pdf.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 05205504 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\BingMaps.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 03590144 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
2016-06-14 12:15 - 2016-06-14 12:15 - 02281472 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 02230272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 02195632 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\d3d10warp.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 01996640 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgkrnl.sys
2016-06-14 12:15 - 2016-06-14 12:15 - 01594416 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 01500160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 01445888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SRHInproc.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 01387520 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kbase.sys
2016-06-14 12:15 - 2016-06-14 12:15 - 01372312 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 01056256 _____ (Microsoft Corporation) C:\WINDOWS\system32\JpMapControl.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00988160 _____ (Microsoft Corporation) C:\WINDOWS\system32\NMAA.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00982016 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppxPackaging.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00939520 _____ (Microsoft Corporation) C:\WINDOWS\system32\MapControlCore.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00853504 _____ (Microsoft Corporation) C:\WINDOWS\system32\MapsStore.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\JpMapControl.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00799744 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SRH.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00794624 _____ (Microsoft Corporation) C:\WINDOWS\system32\winhttp.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00784896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NMAA.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00711680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MapControlCore.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00703840 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WWAHost.exe
2016-06-14 12:15 - 2016-06-14 12:15 - 00684544 _____ (Microsoft Corporation) C:\WINDOWS\system32\StructuredQuery.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00649792 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxgi.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00630784 _____ (Microsoft Corporation) C:\WINDOWS\system32\MessagingDataModel2.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00614400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\winhttp.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00604928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2016-06-14 12:15 - 2016-06-14 12:15 - 00592896 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppContracts.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00577376 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms2.sys
2016-06-14 12:15 - 2016-06-14 12:15 - 00567808 _____ (Microsoft Corporation) C:\WINDOWS\system32\MBMediaManager.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00550912 _____ (Microsoft Corporation) C:\WINDOWS\system32\StoreAgent.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00546456 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fontdrvhost.exe
2016-06-14 12:15 - 2016-06-14 12:15 - 00521728 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\StructuredQuery.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00521664 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxgi.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00504320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00503808 _____ (Microsoft Corporation) C:\WINDOWS\system32\tileobjserver.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00499712 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MessagingDataModel2.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00467456 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AppContracts.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00460800 _____ (Microsoft Corporation) C:\WINDOWS\system32\MapConfiguration.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00415232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\StoreAgent.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00406528 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusUpdateHandlers.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00368640 _____ (Microsoft Corporation) C:\WINDOWS\system32\usocore.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00357216 _____ (Microsoft Corporation) C:\WINDOWS\system32\mswsock.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00355840 _____ (Microsoft Corporation) C:\WINDOWS\system32\dhcpcore.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00349696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MapConfiguration.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00331616 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\pci.sys
2016-06-14 12:15 - 2016-06-14 12:15 - 00316256 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\atmfd.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00312160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mswsock.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00293888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dhcpcore.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00269824 _____ (Microsoft Corporation) C:\WINDOWS\system32\moshostcore.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00267264 _____ (Microsoft Corporation) C:\WINDOWS\system32\dhcpcore6.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00258912 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ufx01000.sys
2016-06-14 12:15 - 2016-06-14 12:15 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dhcpcore6.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00218624 _____ (Microsoft Corporation) C:\WINDOWS\system32\cdd.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00211296 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\tpm.sys
2016-06-14 12:15 - 2016-06-14 12:15 - 00199168 _____ (Microsoft Corporation) C:\WINDOWS\system32\InstallAgent.exe
2016-06-14 12:15 - 2016-06-14 12:15 - 00170848 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetworkUXBroker.exe
2016-06-14 12:15 - 2016-06-14 12:15 - 00166400 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotification.exe
2016-06-14 12:15 - 2016-06-14 12:15 - 00163328 _____ (Microsoft Corporation) C:\WINDOWS\system32\tetheringservice.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00161632 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys
2016-06-14 12:15 - 2016-06-14 12:15 - 00161280 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\InstallAgent.exe
2016-06-14 12:15 - 2016-06-14 12:15 - 00155136 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\hidclass.sys
2016-06-14 12:15 - 2016-06-14 12:15 - 00124928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\Ndu.sys
2016-06-14 12:15 - 2016-06-14 12:15 - 00123392 _____ (Microsoft Corporation) C:\WINDOWS\system32\tdlrecover.exe
2016-06-14 12:15 - 2016-06-14 12:15 - 00120320 _____ (Microsoft Corporation) C:\WINDOWS\system32\MapsBtSvc.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00111104 _____ (Microsoft Corporation) C:\WINDOWS\system32\updatepolicy.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00111064 _____ (Microsoft Corporation) C:\WINDOWS\system32\ncryptsslp.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00103424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\updatepolicy.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00097096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ncryptsslp.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00093696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fontsub.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00089088 _____ (Microsoft Corporation) C:\WINDOWS\system32\MapsCSP.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00087040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MapsBtSvc.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00086016 _____ (Microsoft Corporation) C:\WINDOWS\system32\dhcpcsvc.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00079872 _____ (Microsoft Corporation) C:\WINDOWS\system32\cryptsvc.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00076800 _____ (Microsoft Corporation) C:\WINDOWS\system32\ngcpopkeysrv.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00074752 _____ (Microsoft Corporation) C:\WINDOWS\system32\MosStorage.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00072704 _____ (Microsoft Corporation) C:\WINDOWS\system32\moshost.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00067072 _____ (Microsoft Corporation) C:\WINDOWS\system32\dhcpcsvc6.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00066560 _____ (Microsoft Corporation) C:\WINDOWS\system32\MosHostClient.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00064000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dhcpcsvc.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00059904 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MosStorage.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00057344 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dhcpcsvc6.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00050176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MosHostClient.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00037376 _____ (Adobe Systems) C:\WINDOWS\SysWOW64\atmlib.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00028672 _____ (Microsoft Corporation) C:\WINDOWS\system32\mapsupdatetask.dll
2016-06-14 12:15 - 2016-06-14 12:15 - 00026408 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2016-06-14 09:01 - 2016-06-14 09:01 - 00001009 _____ C:\Users\Public\Desktop\AVG Protection.lnk
2016-06-10 08:21 - 2016-06-10 08:21 - 00000000 ____D C:\Users\Rusheng\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\好压
2016-06-09 17:01 - 2016-06-09 17:01 - 00000000 ____D C:\Users\Rusheng\AppData\Local\CrashRpt
2016-06-09 16:49 - 2016-06-09 16:49 - 00002864 _____ C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
2016-06-09 16:49 - 2016-06-09 16:49 - 00000865 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-06-09 16:48 - 2016-06-09 16:49 - 00000000 ____D C:\Program Files\CCleaner
2016-06-09 16:40 - 2016-06-09 16:44 - 06893008 _____ (Piriform Ltd) C:\Users\Rusheng\Downloads\ccsetup518.exe
2016-06-08 18:01 - 2016-06-05 19:29 - 00452857 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20160608-180154.backup
2016-06-05 19:29 - 2016-06-03 08:48 - 00452857 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20160605-192940.backup
2016-06-04 12:13 - 2016-06-04 12:13 - 00000258 __RSH C:\ProgramData\ntuser.pol
2016-06-03 09:53 - 2016-06-03 09:53 - 00010496 _____ C:\WINDOWS\system32\.crusader
2016-06-03 08:58 - 2016-06-05 08:23 - 00001962 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2016-06-03 08:58 - 2016-06-03 08:58 - 00000000 ____D C:\Program Files\HitmanPro
2016-06-03 08:57 - 2016-06-03 09:54 - 00000000 ____D C:\ProgramData\HitmanPro
2016-06-03 08:48 - 2016-06-02 07:10 - 00452857 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20160603-084802.backup
2016-06-02 22:11 - 2016-06-22 16:33 - 00000000 ____D C:\AdwCleaner
2016-06-02 07:10 - 2016-06-01 08:39 - 00452797 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20160602-071023.backup
2016-06-01 08:39 - 2016-05-31 08:14 - 00452797 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20160601-083955.backup
2016-05-31 08:14 - 2016-05-26 17:23 - 00452797 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20160531-081416.backup
2016-05-28 11:24 - 2016-06-22 16:56 - 00000420 _____ C:\WINDOWS\Tasks\WpsUpdateTask_Rusheng.job
2016-05-28 11:24 - 2016-06-22 16:00 - 00000420 _____ C:\WINDOWS\Tasks\WpsNotifyTask_Rusheng.job
2016-05-27 22:37 - 2016-05-27 22:37 - 00001187 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-05-27 22:37 - 2016-05-27 22:37 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-05-27 22:37 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2016-05-27 22:37 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-05-27 22:37 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-05-27 18:28 - 2016-05-27 18:22 - 00110144 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge-64.dll
2016-05-27 17:24 - 2016-05-27 17:24 - 00061440 _____ C:\WINDOWS\system32\config\SAM.iobit
2016-05-27 17:24 - 2016-05-27 17:24 - 00028672 _____ C:\WINDOWS\system32\config\SECURITY.iobit
2016-05-27 17:23 - 2016-05-27 17:24 - 05640192 _____ C:\WINDOWS\system32\config\DEFAULT.iobit
2016-05-27 17:23 - 2016-05-27 17:23 - 107642880 _____ C:\WINDOWS\system32\config\SOFTWARE.iobit
2016-05-27 17:02 - 2016-06-21 07:13 - 00000000 ____D C:\ProgramData\ProductData
2016-05-27 17:02 - 2016-05-27 17:02 - 00000000 ____D C:\Users\Rusheng\AppData\Roaming\ProductData
2016-05-27 17:01 - 2016-05-27 17:01 - 00000000 ____D C:\ProgramData\{FD6F83C0-EC70-4581-8361-C70CD1AA4B98}
2016-05-27 17:00 - 2016-06-20 22:18 - 00000264 _____ C:\WINDOWS\Tasks\ASC9_SkipUac_Rusheng.job
2016-05-27 17:00 - 2016-05-27 17:03 - 00000000 ____D C:\Users\Rusheng\AppData\LocalLow\IObit
2016-05-27 17:00 - 2016-05-27 17:01 - 00003312 _____ C:\WINDOWS\System32\Tasks\ASC9_PerformanceMonitor
2016-05-27 17:00 - 2016-05-27 17:00 - 00002444 _____ C:\WINDOWS\System32\Tasks\ASC9_SkipUac_Rusheng
2016-05-27 17:00 - 2016-05-27 17:00 - 00000000 ____D C:\WINDOWS\Tasks\ImCleanDisabled
2016-05-27 16:59 - 2016-05-27 16:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare
2016-05-27 16:50 - 2016-05-27 18:17 - 00000000 ____D C:\ProgramData\IObit
2016-05-27 16:50 - 2016-05-27 17:00 - 00000000 ____D C:\Program Files (x86)\IObit
2016-05-27 14:34 - 2016-05-27 21:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-05-27 14:12 - 2016-05-27 14:12 - 00000000 ____D C:\Users\Rusheng\Downloads\advanced-systemcare-setup9
2016-05-26 17:23 - 2016-04-28 15:42 - 00452409 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20160526-172348.backup
2016-05-26 16:46 - 2016-05-26 16:46 - 00001460 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2016-05-26 16:46 - 2016-05-26 16:46 - 00001448 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2016-05-26 16:46 - 2016-05-26 16:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2016-05-26 16:46 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\WINDOWS\system32\sdnclean64.exe
2016-05-26 16:44 - 2016-06-14 16:01 - 00000000 ____D C:\Program Files (x86)\SpywareBlaster
2016-05-26 16:44 - 2016-05-26 16:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster
2016-05-26 15:01 - 2016-05-26 15:01 - 00000000 __SHD C:\ProgramData\{C4ABDBC8-1C81-42C9-BFFC-4A68511E9E4F}
2016-05-25 17:57 - 2016-06-17 12:38 - 00002260 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-05-24 19:29 - 2016-06-14 09:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2016-05-24 19:28 - 2016-05-24 19:28 - 00000000 ___HD C:\$AVG
2016-05-24 17:04 - 2016-05-24 17:04 - 00027626 _____ C:\ProgramData\1464134662.bdinstall.bin
2016-05-24 16:58 - 2016-05-24 16:58 - 00235258 _____ C:\ProgramData\1464134137.bdinstall.bin

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-22 16:47 - 2014-05-08 14:27 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-06-22 16:37 - 2015-05-22 06:56 - 00000924 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-06-22 16:35 - 2015-12-20 06:11 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-06-22 16:35 - 2015-12-20 05:36 - 00000031 _____ C:\WINDOWS\system32\bbcap.err
2016-06-22 16:34 - 2015-10-29 23:28 - 02359296 ___SH C:\WINDOWS\system32\config\BBI
2016-06-22 16:31 - 2011-09-21 16:07 - 00000928 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-22 16:26 - 2011-03-02 17:34 - 00000000 _____ C:\Users\Rusheng\AppData\LocalLow\prvlcl.dat
2016-06-22 16:12 - 2012-10-02 12:27 - 00000000 ____D C:\ProgramData\MFAData
2016-06-22 15:57 - 2016-03-26 10:41 - 00004160 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{2B77123C-7007-4759-B6A7-8AD03A8845E7}
2016-06-22 09:36 - 2015-10-30 00:24 - 00000000 ___HD C:\Program Files\WindowsApps
2016-06-22 09:36 - 2015-10-30 00:24 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-06-22 09:33 - 2015-10-30 00:21 - 00000000 ____D C:\WINDOWS\INF
2016-06-22 09:12 - 2015-06-10 11:32 - 00000692 _____ C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-2219305202-884981724-1261442642-1001.job
2016-06-22 09:00 - 2013-03-13 12:32 - 00000000 ____D C:\Users\Rusheng\AppData\Roaming\HaoZip
2016-06-22 08:15 - 2014-06-03 22:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2016-06-22 08:09 - 2015-10-29 23:28 - 00065536 ___SH C:\WINDOWS\system32\config\ELAM
2016-06-21 22:29 - 2011-02-13 14:00 - 00000000 ____D C:\Users\Rusheng\AppData\LocalLow\SogouPY
2016-06-21 11:10 - 2011-02-13 15:18 - 00000000 ____D C:\Users\Rusheng\AppData\Roaming\Skype
2016-06-21 11:05 - 2015-06-15 17:08 - 00000000 ____D C:\Users\Rusheng\Desktop\shred
2016-06-21 08:35 - 2015-11-16 21:52 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-06-20 12:23 - 2012-02-09 12:09 - 00000000 ____D C:\Users\Rusheng\AppData\LocalLow\Adobe
2016-06-18 16:00 - 2016-04-08 08:54 - 00000892 _____ C:\WINDOWS\Tasks\Adobe Flash Player PPAPI Notifier.job
2016-06-18 08:42 - 2015-06-15 17:09 - 00000000 ____D C:\Users\Rusheng\AppData\Roaming\IObit
2016-06-17 22:12 - 2011-01-22 11:57 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2016-06-17 20:47 - 2011-01-22 12:30 - 00000000 ____D C:\Program Files (x86)\Lenovo
2016-06-17 20:46 - 2016-04-29 15:52 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo
2016-06-17 20:46 - 2015-12-31 12:07 - 00000000 ____D C:\Users\DefaultAppPool\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo
2016-06-17 20:46 - 2015-12-20 05:53 - 00000000 ____D C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo
2016-06-17 20:46 - 2015-12-20 05:53 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo
2016-06-17 20:46 - 2011-02-13 13:07 - 00000000 ____D C:\Users\Rusheng\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo
2016-06-17 12:38 - 2012-03-11 20:19 - 00002272 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-06-17 08:59 - 2015-10-30 00:11 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-06-16 17:54 - 2011-02-13 15:18 - 00000000 ____D C:\ProgramData\Skype
2016-06-16 17:53 - 2011-02-13 15:18 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-06-16 13:50 - 2015-10-30 00:24 - 00000000 ____D C:\WINDOWS\rescache
2016-06-16 13:29 - 2016-05-18 19:16 - 00000000 ____D C:\Users\Rusheng\Desktop\AVG till 2018
2016-06-16 08:48 - 2013-07-17 12:11 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-06-16 08:15 - 2011-02-13 14:35 - 142482544 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-06-16 07:55 - 2015-03-08 14:51 - 00000000 ____D C:\Program Files (x86)\Opera
2016-06-16 07:50 - 2015-12-20 05:41 - 00000000 ____D C:\Users\Rusheng
2016-06-15 07:52 - 2015-09-09 22:42 - 00000000 __RHD C:\Users\Public\AccountPictures
2016-06-15 07:33 - 2015-12-20 05:29 - 00231336 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-06-14 22:50 - 2015-10-30 00:24 - 00000000 ___SD C:\WINDOWS\system32\DiagSvcs
2016-06-14 22:50 - 2015-10-30 00:24 - 00000000 ____D C:\WINDOWS\system32\SystemResetPlatform
2016-06-14 22:50 - 2015-10-30 00:24 - 00000000 ____D C:\WINDOWS\bcastdvr
2016-06-14 16:02 - 2011-01-22 12:32 - 00000000 ____D C:\ProgramData\Temp
2016-06-14 12:15 - 2015-12-20 05:33 - 02718208 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PrintConfig.dll
2016-06-14 11:37 - 2016-02-01 23:47 - 00000000 ____D C:\WINDOWS\Minidump
2016-06-13 07:30 - 2011-02-13 14:00 - 00000000 ____D C:\Users\Rusheng\AppData\LocalLow\SogouPY.users
2016-06-10 08:20 - 2013-03-13 12:32 - 00000000 ____D C:\Program Files (x86)\HaoZip
2016-06-09 19:04 - 2015-04-06 13:28 - 00000000 ____D C:\Users\Rusheng\Documents\Evaer
2016-06-09 17:52 - 2013-01-23 13:23 - 00000000 ____D C:\Users\Rusheng\AppData\Roaming\KuGou8
2016-06-09 17:43 - 2015-12-20 05:40 - 01669202 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-06-09 17:43 - 2015-12-20 05:13 - 00495846 _____ C:\WINDOWS\system32\prfh0804.dat
2016-06-09 17:43 - 2015-12-20 05:13 - 00159106 _____ C:\WINDOWS\system32\prfc0804.dat
2016-06-09 16:57 - 2014-12-27 04:08 - 00000000 ____D C:\Users\Rusheng\AppData\Roaming\uTorrent
2016-06-09 16:57 - 2011-02-13 23:08 - 00000000 ____D C:\Users\Rusheng\AppData\Roaming\TeamViewer
2016-06-09 16:57 - 2011-02-13 13:47 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2016-06-06 10:11 - 2012-05-28 09:37 - 00000000 ____D C:\Users\Rusheng\AppData\Roaming\HpUpdate
2016-06-02 23:05 - 2012-05-13 21:10 - 00000000 ____D C:\Users\Rusheng\AppData\Roaming\Yahoo!
2016-06-02 23:05 - 2011-04-07 09:56 - 00000000 ____D C:\Program Files (x86)\Yahoo!
2016-05-28 11:24 - 2016-03-10 23:58 - 00003446 _____ C:\WINDOWS\System32\Tasks\WpsUpdateTask_Rusheng
2016-05-28 11:24 - 2016-03-10 23:58 - 00003446 _____ C:\WINDOWS\System32\Tasks\WpsNotifyTask_Rusheng
2016-05-28 07:00 - 2016-04-29 08:30 - 00000410 _____ C:\WINDOWS\Tasks\DandelionStarter.job
2016-05-28 07:00 - 2015-03-08 15:12 - 00000596 _____ C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-2219305202-884981724-1261442642-1001.job
2016-05-28 07:00 - 2014-11-20 23:33 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-05-27 18:47 - 2016-04-29 08:30 - 00003446 _____ C:\WINDOWS\System32\Tasks\DandelionStarter
2016-05-27 18:47 - 2015-12-10 17:15 - 00004244 _____ C:\WINDOWS\System32\Tasks\Open URL by RoboForm
2016-05-27 18:46 - 2011-02-13 15:18 - 00003096 _____ C:\WINDOWS\System32\Tasks\{1F8EB59E-1CCA-4C3F-84B7-E7F6A7B73939}
2016-05-27 18:45 - 2015-03-08 15:12 - 00003818 _____ C:\WINDOWS\System32\Tasks\G2MUpdateTask-S-1-5-21-2219305202-884981724-1261442642-1001
2016-05-27 18:45 - 2014-11-20 23:33 - 00003810 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2016-05-27 18:28 - 2014-11-04 20:57 - 00000000 ____D C:\Program Files\Java
2016-05-27 18:28 - 2014-11-04 20:42 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-05-27 18:25 - 2015-09-22 17:36 - 00000000 ____D C:\Users\Rusheng\.oracle_jre_usage
2016-05-27 18:15 - 2011-02-13 14:00 - 00003618 _____ C:\WINDOWS\System32\Tasks\SogouImeMgr
2016-05-27 17:01 - 2013-03-13 14:43 - 00000000 ____D C:\Users\Rusheng\AppData\Roaming\Apple Computer
2016-05-27 16:47 - 2016-05-18 16:50 - 00000000 ____D C:\Users\Rusheng\Desktop\Patch_malwarebyts
2016-05-26 17:52 - 2013-01-12 19:17 - 00000000 ____D C:\Program Files (x86)\TuneUp Utilities 2013
2016-05-26 17:15 - 2016-01-01 17:06 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2016-05-26 16:46 - 2016-01-01 17:06 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2016-05-26 16:40 - 2013-01-12 19:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TuneUp Utilities 2013
2016-05-26 15:01 - 2012-12-25 10:15 - 00000000 ____D C:\ProgramData\TuneUp Software
2016-05-26 09:02 - 2013-08-07 17:30 - 00000915 _____ C:\Users\Rusheng\AppData\Roaming\coreavc.ini
2016-05-25 09:22 - 2015-10-30 00:24 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2016-05-25 08:31 - 2016-05-09 11:29 - 00000000 ____D C:\Users\Rusheng\AppData\Roaming\DandelionAssist
2016-05-24 22:33 - 2015-12-07 12:08 - 00000000 ____D C:\Users\Rusheng\AppData\Local\AvgSetupLog
2016-05-24 21:47 - 2016-04-29 15:52 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\AVG
2016-05-24 19:31 - 2015-11-26 10:15 - 00000000 ____D C:\Users\Rusheng\AppData\Local\Avg
2016-05-24 19:29 - 2015-10-30 00:24 - 00000000 ____D C:\WINDOWS\ELAMBKUP
2016-05-24 19:28 - 2015-11-26 10:01 - 00000000 ____D C:\ProgramData\Avg
2016-05-24 19:25 - 2012-10-02 12:30 - 00000000 ____D C:\Program Files (x86)\AVG
2016-05-24 18:26 - 2015-05-22 06:56 - 00003754 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2016-05-24 18:26 - 2011-09-21 16:07 - 00003986 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2016-05-24 18:04 - 2015-12-10 17:21 - 00002940 _____ C:\WINDOWS\System32\Tasks\Run RoboForm TaskBar Icon
2016-05-24 18:04 - 2013-07-18 08:22 - 00003082 _____ C:\WINDOWS\System32\Tasks\HP online update
2016-05-24 16:56 - 2016-05-09 22:06 - 00009304 _____ C:\bdlog.txt

==================== Files in the root of some directories =======

2015-05-22 06:13 - 2015-05-22 06:13 - 6420480 _____ () C:\Program Files (x86)\GUT7688.tmp
2013-02-16 20:27 - 2013-02-16 20:27 - 2174976 _____ (Advanced Micro Devices Inc.) C:\Program Files (x86)\Common Files\atimpenc.dll
2013-08-07 17:30 - 2016-05-26 09:02 - 0000915 _____ () C:\Users\Rusheng\AppData\Roaming\coreavc.ini
2014-12-18 15:31 - 2014-12-18 15:49 - 0000018 _____ () C:\Users\Rusheng\AppData\Roaming\fixcfg.ini
2015-06-10 15:57 - 2015-06-10 15:57 - 0002115 _____ () C:\Users\Rusheng\AppData\Roaming\SAS7_000.DAT
2015-06-15 10:58 - 2015-06-15 10:58 - 0000000 _____ () C:\Users\Rusheng\AppData\Local\{35CD6F9C-7656-4948-AC04-9105EC8FBED4}
2015-08-30 08:57 - 2015-08-30 08:57 - 0000000 _____ () C:\Users\Rusheng\AppData\Local\{69C4E99B-3FC3-4E39-B66B-6A914D1513F8}
2015-03-08 14:46 - 2015-03-08 14:46 - 0000000 _____ () C:\Users\Rusheng\AppData\Local\{C23D0227-0F79-4250-A3E4-198B34ABC557}
2016-05-24 16:58 - 2016-05-24 16:58 - 0235258 _____ () C:\ProgramData\1464134137.bdinstall.bin
2016-05-24 17:04 - 2016-05-24 17:04 - 0027626 _____ () C:\ProgramData\1464134662.bdinstall.bin
2014-07-28 15:07 - 2014-07-28 15:07 - 0000057 _____ () C:\ProgramData\Ament.ini
2015-12-04 09:41 - 2015-12-04 09:46 - 0000217 _____ () C:\ProgramData\debug.log
2011-02-13 15:33 - 2011-02-13 15:33 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
2011-01-22 12:26 - 2011-02-13 13:05 - 0000235 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc

Some files in TEMP:
====================
C:\Users\Administrator\AppData\Local\Temp\SSUPDATE.EXE
C:\Users\Rusheng\AppData\Local\Temp\libeay32.dll
C:\Users\Rusheng\AppData\Local\Temp\msvcr120.dll
C:\Users\Rusheng\AppData\Local\Temp\SGPYUp.exe
C:\Users\Rusheng\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-06-14 09:06

==================== End of FRST.txt ============================
Tom_q2356 is offline  
Old 06-22-2016, 05:18 PM   #5
Registered Member
 
Join Date: Jul 2009
Posts: 34
OS: Winxp SP3



Here is the Addition text... Thanks very much!
Attached Files
File Type: txt Addition.txt (79.6 KB, 29 views)
Tom_q2356 is offline  
Old 06-22-2016, 06:41 PM   #6
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello Tom. Tracking cookies aren't generally a problem. Are you experiencing any other issues?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Back up and restore your files - Windows Help

------------------------------------------------------

I see you have P2P software ( uTorrent ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

A reference for the risk of these programs is here and here.

I would strongly recommend that you uninstall it. You can do so via Programs and Features (right-click the Windows "logo" button > Programs and Features).

------------------------------------------------------

CCleaner
Advanced SystemCare
TuneUp Utilities


We do not recommend the use of registry cleaners, or the registry cleaner feature of CCleaner. Our colleague miekiemoes has an excellent writeup here.

We suggest uninstalling Advanced SystemCare and TuneUp Utilities via Programs and Features (right-click the Windows "logo" button > Programs and Features).

------------------------------------------------------
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe
  • If asked to change 'Encoding:' to 'Unicode:', please agree and save it.

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    Task: {143508F1-A39F-4594-BBC0-EF0B0667C8D6} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
    Task: {1ECBDBF5-8826-483F-A9F5-6924DD8A8124} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
    Task: {3539B823-8DC8-40B3-96F4-F06858FE890C} - System32\Tasks\1215avzUpdateInfo => C:\ProgramData\Avg_Update_1215avz\1215avz_AVG-Secure-Search-Update.exe
    Task: {386F4DAA-C667-4FE6-99F1-6484EA58D02D} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
    Task: {40DD98F2-7639-4DBD-BB92-43C15DD95E37} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
    Task: {864CE42F-CAAF-4093-9BA2-A558B773B1FF} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
    Task: {976F3F6A-56ED-47C0-B461-EC834E8D977C} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
    Task: {CD5AC8DA-7031-413C-A6B2-05CDD1F28DB3} - System32\Tasks\AVGPCTuneUp_Task_BkGndMaintenance => C:\Program Files (x86)\AVG\AVG PC TuneUp\tuscanx.exe
    Task: {D61E4BB7-3F28-43D6-BA4D-2BE39336DA58} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
    Task: {D812C5B8-665C-41C7-AC05-B9891C12071A} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
    Task: {F44A350B-C99A-41D2-BDF9-3A6106AEB485} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
    Task: {F8AE53E0-BACD-42F2-915D-4C779D10E557} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
    Task: {FC8F6D85-A163-4F1C-819E-43A1D83AB800} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
    AlternateDataStreams: C:\WINDOWS\SysWOW64\FlashPlayerInstaller.exe:BDU [0]
    AlternateDataStreams: C:\ProgramData\Temp:0FF263E8 [101]
    AlternateDataStreams: C:\ProgramData\Temp:5C321E34 [86]
    AlternateDataStreams: C:\ProgramData\Temp:A303874F [286]
    AlternateDataStreams: C:\ProgramData\Temp:AEC0AC81 [103]
    AlternateDataStreams: C:\ProgramData\Temp:D1B5B4F1 [76]
    Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
    HKU\S-1-5-21-2219305202-884981724-1261442642-1001\...\RunOnce: [Uninstall C:\Users\Rusheng\AppData\Local\Microsoft\OneDrive\17.3.6201.1019_1\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Rusheng\AppData\Local\Microsoft\OneDrive\17.3.6201.1019_1\amd64"
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
    GroupPolicy: Restriction - Chrome <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    SearchScopes: HKU\S-1-5-21-2219305202-884981724-1261442642-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-2219305202-884981724-1261442642-1001 -> {391B4B65-4B3A-4B16-BD7E-3C0DF08104AC} URL =
    BHO: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
    BHO-x32: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> No File
    Toolbar: HKU\S-1-5-21-2219305202-884981724-1261442642-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - No File
    Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - No File
    Handler: skypec2c - No CLSID Value
    FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\Kingsoft\PowerWordDict\plugin\firefox => not found
    NETSVCx32: dg597 -> no filepath.
    EmptyTemp:
    end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 06-23-2016, 09:42 AM   #7
Registered Member
 
Join Date: Jul 2009
Posts: 34
OS: Winxp SP3



Fix result of Farbar Recovery Scan Tool (x64) Version: 20-06-2016 01
Ran by Rusheng (2016-06-23 09:23:50) Run:1
Running from C:\Users\Rusheng\Downloads
Loaded Profiles: Rusheng (Available Profiles: Rusheng & Administrator & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
createrestorepoint:
Task: {143508F1-A39F-4594-BBC0-EF0B0667C8D6} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {1ECBDBF5-8826-483F-A9F5-6924DD8A8124} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {3539B823-8DC8-40B3-96F4-F06858FE890C} - System32\Tasks\1215avzUpdateInfo => C:\ProgramData\Avg_Update_1215avz\1215avz_AVG-Secure-Search-Update.exe
Task: {386F4DAA-C667-4FE6-99F1-6484EA58D02D} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {40DD98F2-7639-4DBD-BB92-43C15DD95E37} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {864CE42F-CAAF-4093-9BA2-A558B773B1FF} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {976F3F6A-56ED-47C0-B461-EC834E8D977C} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {CD5AC8DA-7031-413C-A6B2-05CDD1F28DB3} - System32\Tasks\AVGPCTuneUp_Task_BkGndMaintenance => C:\Program Files (x86)\AVG\AVG PC TuneUp\tuscanx.exe
Task: {D61E4BB7-3F28-43D6-BA4D-2BE39336DA58} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {D812C5B8-665C-41C7-AC05-B9891C12071A} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {F44A350B-C99A-41D2-BDF9-3A6106AEB485} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {F8AE53E0-BACD-42F2-915D-4C779D10E557} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {FC8F6D85-A163-4F1C-819E-43A1D83AB800} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
AlternateDataStreams: C:\WINDOWS\SysWOW64\FlashPlayerInstaller.exe:BDU [0]
AlternateDataStreams: C:\ProgramData\Temp:0FF263E8 [101]
AlternateDataStreams: C:\ProgramData\Temp:5C321E34 [86]
AlternateDataStreams: C:\ProgramData\Temp:A303874F [286]
AlternateDataStreams: C:\ProgramData\Temp:AEC0AC81 [103]
AlternateDataStreams: C:\ProgramData\Temp:D1B5B4F1 [76]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-2219305202-884981724-1261442642-1001\...\RunOnce: [Uninstall C:\Users\Rusheng\AppData\Local\Microsoft\OneDrive\17.3.6201.1019_1\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Rusheng\AppData\Local\Microsoft\OneDrive\17.3.6201.1019_1\amd64"
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-2219305202-884981724-1261442642-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2219305202-884981724-1261442642-1001 -> {391B4B65-4B3A-4B16-BD7E-3C0DF08104AC} URL =
BHO: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
BHO-x32: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> No File
Toolbar: HKU\S-1-5-21-2219305202-884981724-1261442642-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - No File
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - No File
Handler: skypec2c - No CLSID Value
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\Kingsoft\PowerWordDict\plugin\firefox => not found
NETSVCx32: dg597 -> no filepath.
EmptyTemp:
end
*****************

Error: (0) Failed to create a restore point.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{143508F1-A39F-4594-BBC0-EF0B0667C8D6}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{143508F1-A39F-4594-BBC0-EF0B0667C8D6}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{1ECBDBF5-8826-483F-A9F5-6924DD8A8124}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1ECBDBF5-8826-483F-A9F5-6924DD8A8124}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3539B823-8DC8-40B3-96F4-F06858FE890C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3539B823-8DC8-40B3-96F4-F06858FE890C}" => key removed successfully
C:\WINDOWS\System32\Tasks\1215avzUpdateInfo => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\1215avzUpdateInfo" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{386F4DAA-C667-4FE6-99F1-6484EA58D02D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{386F4DAA-C667-4FE6-99F1-6484EA58D02D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{40DD98F2-7639-4DBD-BB92-43C15DD95E37}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{40DD98F2-7639-4DBD-BB92-43C15DD95E37}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{864CE42F-CAAF-4093-9BA2-A558B773B1FF}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{864CE42F-CAAF-4093-9BA2-A558B773B1FF}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{976F3F6A-56ED-47C0-B461-EC834E8D977C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{976F3F6A-56ED-47C0-B461-EC834E8D977C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CD5AC8DA-7031-413C-A6B2-05CDD1F28DB3}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CD5AC8DA-7031-413C-A6B2-05CDD1F28DB3}" => key removed successfully
C:\WINDOWS\System32\Tasks\AVGPCTuneUp_Task_BkGndMaintenance => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AVGPCTuneUp_Task_BkGndMaintenance" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D61E4BB7-3F28-43D6-BA4D-2BE39336DA58}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D61E4BB7-3F28-43D6-BA4D-2BE39336DA58}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D812C5B8-665C-41C7-AC05-B9891C12071A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D812C5B8-665C-41C7-AC05-B9891C12071A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F44A350B-C99A-41D2-BDF9-3A6106AEB485}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F44A350B-C99A-41D2-BDF9-3A6106AEB485}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F8AE53E0-BACD-42F2-915D-4C779D10E557}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F8AE53E0-BACD-42F2-915D-4C779D10E557}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FC8F6D85-A163-4F1C-819E-43A1D83AB800}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FC8F6D85-A163-4F1C-819E-43A1D83AB800}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent" => key removed successfully
C:\WINDOWS\SysWOW64\FlashPlayerInstaller.exe => ":BDU" ADS removed successfully.
C:\ProgramData\Temp => ":0FF263E8" ADS removed successfully.
C:\ProgramData\Temp => ":5C321E34" ADS removed successfully.
C:\ProgramData\Temp => ":A303874F" ADS removed successfully.
C:\ProgramData\Temp => ":AEC0AC81" ADS removed successfully.
C:\ProgramData\Temp => ":D1B5B4F1" ADS removed successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => key removed successfully
HKU\S-1-5-21-2219305202-884981724-1261442642-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Uninstall C:\Users\Rusheng\AppData\Local\Microsoft\OneDrive\17.3.6201.1019_1\amd64 => value removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => key removed successfully
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKU\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{391B4B65-4B3A-4B16-BD7E-3C0DF08104AC}" => key removed successfully
HKCR\CLSID\{391B4B65-4B3A-4B16-BD7E-3C0DF08104AC} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}" => key removed successfully
HKCR\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}" => key removed successfully
HKU\S-1-5-21-2219305202-884981724-1261442642-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
"HKCR\PROTOCOLS\Handler\KuGoo" => key removed successfully
HKCR\CLSID\{6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} => key not found.
"HKCR\PROTOCOLS\Handler\KuGoo3" => key removed successfully
HKCR\CLSID\{6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} => key not found.
"HKCR\PROTOCOLS\Handler\skypec2c" => key removed successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\[email protected] => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs dg597 => removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 863184 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 10695326 B
Java, Flash, Steam htmlcache => 728 B
Windows/system/drivers => 14859377 B
Edge => 0 B
Chrome => 37413410 B
Firefox => 19326737 B
Opera => 2073312 B

Temp, IE cache, history, cookies, recent:
Default => 54957 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 22395392 B
NetworkService => 3612672 B
Rusheng => 29940296 B
Administrator => 152505170 B
DefaultAppPool => 54957 B

RecycleBin => 4926863 B
EmptyTemp: => 284.9 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 09:27:23 ====
Tom_q2356 is offline  
Old 06-23-2016, 09:50 AM   #8

Hello chemist, Thanks for your advice. I have followed your instructions step by step. My computer was running well in general; however, every once in a while the system or web browser got slowed down, or I couldn't use Google Chrome for transcription, or there would be a problem with Skype, usually the sound aspect, perhaps all due to the tracking cookies.

I had actually uninstalled TuneUp Utilities a few months ago, and I have just deleted the leftover files. I would like to uninstall everything that has to do with Kingsoft, but my system won't let me do so. Could you please give me advice on this as well? Thanks!

Lastly, is there any way I can, once and for all, completely stop all the internet tracking cookies?
Tom_q2356 is offline  
Old 06-23-2016, 01:32 PM   #9

Hello again, Tom. You're very welcome. Did you uninstall uTorrent and Advanced SystemCare?

Quote:
however, every once in a while the system or web browser got slowed down, or I couldn't use Google Chrome for transcription, or there would be a problem with Skype, usually the sound aspect, perhaps all due to the tracking cookies
Cookies don't cause those types of problems.

Quote:
Lastly, is there any way I can, once and for all, completely stop all the internet tracking cookies?
Tracking Cookies FAQ - What Are Tracking Cookies - Tom’s Guide

Quote:
I would like to uninstall everything that has to do with Kingsoft, but my system won't let me do so
What happens when you try to uninstall PowerWord2010 Oxford Ultimate and WPS Office (10.1.0.5507)? Error messages? What do they say?

------------------------------------------------------
  • Launch Malwarebytes' Anti-Malware
  • On the Dashboard, click the Scan Now button.
  • A check for database updates will be performed.
  • After the update check completes, a Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
  • In most cases, a restart will be required and a prompt will be shown.
  • Wait for the prompt to restart the computer to appear, then click on Yes
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs
  • Double-click on the Scan Log which shows the Date and Time of the scan just performed.
  • Click Export
  • Click Text file (*.txt)
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named File Saved should appear stating "Your file has been successfully exported".
  • Click Ok
  • Post that saved log in your next reply.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'SCAN NOW' under 'ESET Online Scanner' to check for remnants.
  • You will be prompted to download and install esetonlinescanner_enu.exe. Click on the link and save the file to a convenient location.
  • Double-click on esetonlinescanner_enu.exe to install and a new window will open. Follow the prompts.
  • Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how
  • At the bottom of the Terms of use window, tick the option Download latest version of ESET Online Scanner then click Accept
  • When/if prompted by UAC, 'Do you want to allow this app to make changes to your PC?', please choose Yes
  • Tick the option Enable detection of potentially unwanted applications
  • Click on Advanced settings
  • Make sure that the option Clean threats automatically is unticked.
  • Ensure these options are ticked:
    • Enable detection of potentially unsafe applications
    • Enable detection of suspicious applications
    • Scan archives
    • Enable Anti-Stealth technology
  • Click Scan
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says Threats found, click Save to text file... then name it and save it to your desktop.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Please copy/paste the contents of the log in your next reply.
  • To close ESET Online Scanner, select Do not clean then Finish
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 06-23-2016, 10:22 PM   #10

"Did you uninstall uTorrent and Advanced SystemCare? " Done.
"What happens when you try to uninstall PowerWord2010 Oxford Ultimate?" Please see upload image "Only this far", uninstallation never completes.
I might keep WPS for a little while longer unless it's proven a threat to my system. But I would uninstall everything that has to do with PowerWord.
I have scanned with Malwarebytes' Anti-Malware many times during the last few weeks and it never caught anything. But SUPERAntiSpyware would usually find something each day. Like this one below:


SUPERAntiSpyware Scan Log
SUPERAntiSpyware | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

Generated 06/23/2016 at 04:29 PM

Application Version : 6.0.1218
Database Version : 12786

Scan type : Complete Scan
Total Scan Time : 00:55:01

Operating System Information
Windows 10 Home 64-bit (Build 10.00.10586)
UAC On - Limited User

Memory items scanned : 878
Memory threats detected : 0
Registry items scanned : 65715
Registry threats detected : 0
File items scanned : 25023
File threats detected : 9

Adware.Tracking Cookie
C:\Users\Rusheng\AppData\Local\Microsoft\Windows\INetCookies\0SSLYSKU.txt [ /adnxs.com ]
C:\Users\Rusheng\AppData\Local\Microsoft\Windows\INetCookies\9FO1Z3DG.txt [ /cdn.at.atwola.com ]
C:\Users\Rusheng\AppData\Local\Microsoft\Windows\INetCookies\196KHH9F.txt [ /atwola.com ]
adnxs.com/.sess [ C:\USERS\RUSHENG\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\0SSLYSKU.TXT ]
adnxs.com/.uuid2 [ C:\USERS\RUSHENG\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\0SSLYSKU.TXT ]
adnxs.com/.anj [ C:\USERS\RUSHENG\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\0SSLYSKU.TXT ]
adnxs.com/.icu [ C:\USERS\RUSHENG\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\0SSLYSKU.TXT ]
atwola.com/.JEB2 [ C:\USERS\RUSHENG\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\196KHH9F.TXT ]
cdn.at.atwola.com/.msnping [ C:\USERS\RUSHENG\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\9FO1Z3DG.TXT ]

============
End of Log
============
Tom_q2356 is offline  
Old 06-23-2016, 10:25 PM   #11

"What happens when you try to uninstall PowerWord2010 Oxford Ultimate"
Attached Thumbnails
Name:	Only this far.jpg
Tom_q2356 is offline  
Old 06-24-2016, 08:52 AM   #12

So EOS scanned for about one hour and then it became frozen (please see attached) "I did not highlight it," and "EOS has stopped working." I have repeated the scan twice and just ended up with the same thing. So the third time I stopped it halfway through scanning, please see "scan unfinished." Thanks!
Attached Thumbnails
Name:	I did not highlight it.jpg
Attached Files
File Type: txt Scan unfinished.txt (40.8 KB, 15 views)
Tom_q2356 is offline  
Old 06-24-2016, 02:33 PM   #13

Hello again, Tom. Did you intentionally create a user.js file in Firefox?

------------------------------------------------------

Not sure about the EOS_v2 error. Those files detected have already been quarantined by AdwCleaner.

If all your other scans only find tracking cookies, you're fine. They're not malicious.

------------------------------------------------------

As far as PowerWord2010, are you sure you waited long enough to see if it completes uninstalling?

If you still have trouble, download and run the Microsoft Fixit from here and follow the prompts to uninstall PowerWord2010:

https://support.microsoft.com/en-us/...led-or-removed

Let me know if you were successful in removing PowerWord2010.

------------------------------------------------------
chemist is offline  
Old 06-24-2016, 05:19 PM   #14

"Hello again, Tom. Did you intentionally create a user.js file in Firefox? " No. But I use Google Chrome most of the time.
"Not sure about the EOS_v2 error. Those files detected have already been quarantined by AdwCleaner. " Do you think I can go ahead and click on "Fix" to make sure EOS fix them all anyways?
"As far as PowerWord2010, are you sure you waited long enough to see if it completes uninstalling?" Very long, over an hour...
----------------------------------------------------------------------------------------

I am wondering what else it could be in my computer system that was causing all the glitches, distorted sound, interrupted voice transcription and so on; I still had some of those using Skype yesterday. I believe there is something else other than nonmalicious tracking cookies, I just don't know how to get them out. It also bothers me to keep on seeing SUPERAntiSpyware with "File threats detected."

Microsoft Fixit could not find PowerWord2010 that I'm trying to uninstall, please see "Microsoft Fixit on the right," in comparison with the list from my computer system on the left. I'm thinking it might have something to do with upgrade from Win 7 to Win 10 that Microsoft Fixit only shows Win 10 information.

Speaking of the windows upgrade, I have one external hard drive that was password encrypted through Windows 7, and now I cannot access my hard drive on Win 10. Any good way to deal with that? Thanks!
Attached Thumbnails
Name:	Microsoft Fixit on the right.jpg
Tom_q2356 is offline  
Old 06-25-2016, 05:55 PM   #15
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, Tom. You're very welcome. Yes, you can fix those detections with EOS but they can't do anything while in quarantine.

Quote:
I am wondering what else it could be in my computer system that was causing all the glitches, distorted sound, interrupted voice transcription and so on; I still had some of those using Skype yesterday. I believe there is something else other than nonmalicious tracking cookies, I just don't know how to get them out. It also bothers me to keep on seeing SUPERAntiSpyware with "File threats detected."
As explained before, cookies don't cause problems like you describe, or infections. Have you noticed most malware tools don't even report cookies?

SUPERAntiSpyware, in my opinion, shouldn't list cookies as 'File threats detected'. They are not threats like true malware.

If MBAM doesn't find anything, you can be pretty assured your machine is not infected. And, not all problems are caused by malware.

Once we are done here, you can seek help for those problems cited in one or more of our other Forums.

Quote:
Speaking of the windows upgrade, I have one external hard drive that was password encrypted through Windows 7, and now I cannot access my hard drive on Win 10. Any good way to deal with that?
Unfortunately, it is our policy to not give password advice, since we have no way to determine whether it is legit or not, not that I don't trust you.

Not sure if the Windows10 Forum could help with that or not, you could ask. All they can say is no.

Quote:
I'm thinking it might have something to do with upgrade from Win 7 to Win 10 that Microsoft Fixit only shows Win 10 information
Did you try the entry 'Not Listed' in the Fixit menu?

If still no luck, and if it is a Windows7/10 problem, we'll just have to uninstall it manually. I'll need some more information:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook_x64.exe to run it. (Vista/Win7/Win8/Win10 users, right-click > Run as administrator)
  • Copy/paste the contents of the following codebox into the main textfield:
    Code:
    :folderfind
    PowerWord*
    
    :regfind
    PowerWord
  • Click the Look button to start the scan.
  • Please be patient, as it may take a while.
  • When finished, a Notepad file will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

------------------------------------------------------
chemist is offline  
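
The triage rule given in posts #13 and #15 above (a scan whose only findings are tracking cookies does not indicate an infection) can be checked mechanically against a SUPERAntiSpyware log. The script below is an added example, not part of the original thread or of SUPERAntiSpyware; the sample log is constructed, and the layout assumed for non-cookie findings (a category heading followed by bare file paths or registry keys) is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the layout of the SUPERAntiSpyware logs posted in this thread.
SAMPLE_LOG = r"""
Memory threats detected : 0
Registry threats detected : 0
File threats detected : 5

Adware.Tracking Cookie
C:\Users\demo\AppData\Local\Microsoft\Windows\INetCookies\AAAA1111.txt [ /ads.example ]
C:\Users\demo\AppData\Local\Microsoft\Windows\INetCookies\BBBB2222.txt [ /cdn.track.example ]
ads.example/.sess [ C:\USERS\DEMO\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\AAAA1111.TXT ]
ads.example/.uuid [ C:\USERS\DEMO\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\AAAA1111.TXT ]
cdn.track.example/.ping [ C:\USERS\DEMO\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCOOKIES\BBBB2222.TXT ]

============
End of Log
============
"""

COUNT_RE = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)$")
# Both cookie line shapes end in a bracketed field: "PATH [ /domain ]" or "domain/.name [ PATH ]".
ENTRY_RE = re.compile(r"^(?P<left>.+?)\s+\[\s*(?P<right>.+?)\s*\]$")
# Assumption: a non-cookie finding is a bare file path or registry key on its own line.
ITEM_RE = re.compile(r"^(?:[A-Za-z]:\\|HK[A-Z_]+\\)")


def parse_sas_log(text):
    """Return (counts, detections) from the summary and findings sections of a log."""
    counts, detections, category = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="} or line == "End of Log":
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group(1).lower()] = int(m.group(2))
            continue
        if len(counts) < 3:
            continue  # header lines (versions, scan type, "items scanned")
        m = ENTRY_RE.match(line)
        if m:
            left, right = m.group("left"), m.group("right")
            if right.startswith("/"):
                # "PATH [ /domain ]": one line per cookie file
                det = {"domain": right[1:], "cookie": None, "path": left}
            else:
                # "domain/.name [ PATH ]": one line per cookie stored in that file
                domain, _, name = left.partition("/")
                det = {"domain": domain, "cookie": name.lstrip("."), "path": right}
        elif ITEM_RE.match(line):
            det = {"domain": None, "cookie": None, "path": line}
        else:
            category = line  # anything else is treated as a category heading
            continue
        det["category"] = category
        detections.append(det)
    return counts, detections


def is_cookie(det):
    return "tracking cookie" in (det["category"] or "").lower()


def triage(counts, detections):
    """Summarise a parsed log: are all findings tracking cookies, and from where?"""
    cookies = [d for d in detections if is_cookie(d)]
    other = [d for d in detections if not is_cookie(d)]
    return {
        "reported": sum(counts.values()),
        "parsed": len(detections),
        # Only cookie findings, and nothing flagged in memory or the registry.
        "cookie_only": bool(cookies) and not other
        and counts.get("memory", 0) == 0 and counts.get("registry", 0) == 0,
        # The two line shapes name the same files, so compare paths case-insensitively.
        "distinct_cookie_files": len({d["path"].lower() for d in cookies}),
        "domains": Counter(d["domain"] for d in cookies),
        "needs_review": other,
    }


if __name__ == "__main__":
    result = triage(*parse_sas_log(SAMPLE_LOG))
    print("cookie-only scan:", result["cookie_only"])
    print("threats reported:", result["reported"],
          "| distinct cookie files:", result["distinct_cookie_files"])
    for domain, n in result["domains"].most_common():
        print(f"  {domain}: {n} line(s)")
    for d in result["needs_review"]:
        print("  REVIEW:", d["category"], d["path"])
```

The "File threats detected" figure counts every cookie line, so the number of distinct cookie files is smaller than the headline count.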
Old 06-26-2016, 08:03 PM   #16

SystemLook 30.07.11 by jpshortstuff
Log created at 19:46 on 26/06/2016 by Rusheng
Administrator - Elevation successful

========== folderfind ==========

Searching for "PowerWord*"
C:\Program Files (x86)\Kingsoft\PowerWord_Oxford d------ [20:49 02/09/2012]
C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010 d-a---- [19:44 27/01/2013]
C:\ProgramData\kingsoft\PowerWord d------ [20:51 02/09/2012]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate d------ [19:45 27/01/2013]
C:\Users\All Users\kingsoft\PowerWord d------ [20:51 02/09/2012]
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate d------ [19:45 27/01/2013]
C:\Users\Rusheng\AppData\Local\VirtualStore\ProgramData\kingsoft\PowerWord d------ [20:51 02/09/2012]
C:\Users\Rusheng\AppData\Roaming\kingsoft\PowerWord d------ [20:50 02/09/2012]
C:\Users\Rusheng\AppData\Roaming\kingsoft\PowerWordPE d------ [23:37 09/03/2011]

========== regfind ==========

Searching for "PowerWord"
[HKEY_CURRENT_USER\SOFTWARE\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES (X86)\Kingsoft\POWERWORDPE\XDict.exe"="03/09/2011 3:37 PM"
[HKEY_CURRENT_USER\SOFTWARE\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES (X86)\Kingsoft\POWERWORDPE\CBTRANSLATOR.EXE"="03/12/2011 11:13 PM"
[HKEY_CURRENT_USER\SOFTWARE\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES (X86)\Kingsoft\POWERWORD_OXFORD\XDict.exe"="01/12/2013 18:41"
[HKEY_CURRENT_USER\SOFTWARE\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES (X86)\Kingsoft\POWERWORD_OXFORD\CBAPPENDIX.EXE"="01/12/2013 18:41"
[HKEY_CURRENT_USER\SOFTWARE\BillP Studios\Detected\Startup]
"C:\PROGRAM FILES (X86)\KINGSOFT\POWERWORDPE\XDICT.EXE"="03/09/2011 3:43 PM"
[HKEY_CURRENT_USER\SOFTWARE\BillP Studios\Detected\Startup]
"C:\PROGRAM FILES (X86)\KINGSOFT\POWERWORD_OXFORD\XDICT.EXE"="09/02/2012 15:01"
[HKEY_CURRENT_USER\SOFTWARE\BillP Studios\WinPatrol\ActiveRun]
"C:\PROGRAM FILES (X86)\KINGSOFT\POWERWORD_OXFORD\XDICT.EXE"="Kingsoft PowerWord"
[HKEY_CURRENT_USER\SOFTWARE\BillP Studios\WinPatrol\Run]
"C:\Program Files (x86)\Kingsoft\PowerWord_Oxford\XDict.exe"="11"
[HKEY_CURRENT_USER\SOFTWARE\Kingsoft\PowerWord09PRO]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\39ce5390_0]
@="{0.0.0.00000000}.{d1819e2a-d679-4901-8931-8913a75384e6}|\Device\HarddiskVolume2\Program Files (x86)\Kingsoft\PowerWordPE\XDict.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\7b2047ac_0]
@="{0.0.0.00000000}.{d1819e2a-d679-4901-8931-8913a75384e6}|\Device\HarddiskVolume2\Program Files (x86)\Kingsoft\PowerWord_Oxford\XDict.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\aad49c8f_0]
@="{0.0.0.00000000}.{d1819e2a-d679-4901-8931-8913a75384e6}|\Device\HarddiskVolume2\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\XDict.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\ca2da98d_0]
@="{0.0.0.00000000}.{3d92d249-1337-47a0-be26-743b710cb370}|\Device\HarddiskVolume2\Program Files (x86)\Kingsoft\PowerWordPE\XDict.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"243"="C:\ProgramData\Microsoft\Windows\Start Menu\PowerWord2010 Oxford Ultimate.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\XDict.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"308"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\Data Recover.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\XDictInstall.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"309"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\NewWord.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\NewWord2008.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"310"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\Plug-in Manager.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\PlugInManager.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"311"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\PowerWord2010 Oxford Ultimate.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\XDict.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"312"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\ScrollWord.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\ScrollWord.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"313"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\User Dictionary.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBUserDict.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"390"="C:\ProgramData\Microsoft\Windows\Start Menu\PowerWord2010 Oxford Ultimate.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\XDict.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"455"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\Data Recover.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\XDictInstall.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"456"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\NewWord.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\NewWord2008.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"457"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\Plug-in Manager.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\PlugInManager.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"458"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\PowerWord2010 Oxford Ultimate.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\XDict.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"459"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\ScrollWord.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\ScrollWord.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"460"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\User Dictionary.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBUserDict.exe"
[HKEY_CURRENT_USER\SOFTWARE\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Avg\AWL\PerformanceOptimizer]
"tidx"="visualeffects:menuresponsiveness:1;performance:powerplan:1;visualeffects:QuickInfo:1;unusedprograms:UnusedProgram:M32:2345PIC;"unusedprograms:UnusedProgram:M32:HP PHOTO CREATIONS";unusedprograms:UnusedProgram:M32:INSTALLSHIELD_{01FB4998-33C4-4431-85ED-079E3EEFE75D};unusedprograms:UnusedProgram:M32:INSTALLSHIELD_{B2164CCB-C002-4B80-8550-7535D80DF237};unusedprograms:UnusedProgram:M32:INSTALLSHIELD_{D0956C11-0F60-43FE-99AD-524E833471BB};"unusedprograms:UnusedProgram:M32:LENOVO GAMES CONSOLE";unusedprograms:UnusedProgram:M32:POWERWORD2010;unusedprograms:UnusedProgram:M32:STORMPLAYER;"unusedprograms:UnusedProgram:M32:WISDOM-SOFT AUTOSCREENRECORDER 3.1 FREE";"unusedprograms:UnusedProgram:M32:WISDOM-SOFT SCREENHUNTER 6.0 FREE";unusedprograms:UnusedProgram:M32:YOUKUCLIENT;unusedprograms:UnusedProgram:M32:{40BF1E83-20EB-11D8-97C5-0009C5020658};unusedprograms:UnusedProgram:M32:{419512F9-D5E7-4ED2-BF99-E7
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E3FC047-4512-40B7-87D1-98B3D17FBC5D}\InProcServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabProxy_x64.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{504C9986-684A-4D85-AC51-5C570963E23A}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabProxy_x64.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5097E93A-B78C-48C6-AFC3-B3D06B3AFC65}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabProxy_x64.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EC2F061C-B746-40D8-98DD-ED0E99F251B0}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabProxy_x64.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{026CDCE3-F67D-4B3B-88DA-6F65618B6DF4}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBParser.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{15F92880-E273-49B3-AB13-D00FBA390696}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabProxy.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{16DB8C16-BD3F-4DF3-AACA-626DAA667CE3}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\addins\CBOfficePlugin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{16DB8C16-BD3F-4DF3-AACA-626DAA667CE3}\1.0\HELPDIR]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\addins\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{45E61467-9943-4DC8-850E-5B268685EC35}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBDPLayer.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6C1E40D8-F46C-4912-8B9F-962F47390A2C}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDynamicDict\CBDynamicDict.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9FEAA50B-ED65-4DC2-820C-F368A8B1AE75}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBDictSvr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A6E7B9A2-00E9-4593-BABD-C801234EE3B1}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDict08\CBDBCore11.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A9183391-9780-4BA3-99A2-929B73B0E6B9}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabConnect_x64.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AB166949-C05C-4076-BB3B-D862ED8A9EF6}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\KSEngine.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AB814D1C-A799-4C55-BBEA-92BE3CC61595}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\KSNetEngine.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AC4A755B-DDE8-4004-B089-26AA147D71D9}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDict08\CBDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C0A6829B-3693-42A4-9F53-4B21569303C6}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBNetModule.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CF01F816-5E27-4115-A0C9-2EE09A764793}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBNetDict08\CBNetDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CF01F816-5E27-4115-A0C9-2EE09A764794}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBNetDicDict\CBNetDicDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D26F7A3C-EEDE-4616-8BF5-8BCB32D92F6E}\1.0\0\win64]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabProxy_x64.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D26F7A3C-EEDE-4616-8BF5-8BCB32D92F6E}\1.0\HELPDIR]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DC9CA45D-B76F-416F-87FC-29F1D555D473}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\cache.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F0ADA6F2-DB41-4F45-AF81-8F883BA0C2E2}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBPassport.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BEA698C-5A11-4ed0-932F-9FB522F17A9D}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\addins\CBOfficePlugin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D54B514-EA82-411c-BDBD-439152F3258B}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDict08\CBDBCore11.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{219A4CED-000F-4016-AD02-B14DB62F02DB}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBDPLayer.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22B04A6E-B5BB-4558-9114-46CFF62E0A8A}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBNetModule.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22FCF7E4-02F4-4c9a-94C0-46249B33A02B}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBNetModule.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2389B536-2A69-4fa6-A11B-3BC990792E7C}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBNetModule.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28843C16-21DF-4CDB-81E0-C9A38180EB38}\InProcServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBDPLayer.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2FFACBA3-5A9E-4848-B47B-1E0DBB044A99}\LocalServer32]
@=""C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBDictSvr.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32441484-FFAD-4fd6-B806-17DD509424E2}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\cache.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{329E43A0-BD23-40a9-A422-EC31FC07E1C1}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBPassport.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EAAA5C6-751B-4EB6-8893-EB9E3FACA3EA}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabProxy.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5067D11A-A2B1-4372-B473-CAD0AAB83651}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBDPLayer.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53180315-1929-4219-95A6-1D3E46A5E8A4}\LocalServer32]
@=""C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\NewWord2008.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{589CD46B-16C0-47df-A1E3-A42EAC2D18A7}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBNetDict08\CBNetDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{589CD46B-16C0-47df-A1E3-A42EAC2D18A8}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBNetDicDict\CBNetDicDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA1A305-8193-4b9b-8EF7-09615856B4AE}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\KSNetEngine.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FB71C88-078D-4d7e-B887-9D9346619E8E}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\addins\CBOfficePlugin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AD17EC0-6D2C-454d-8148-7042425ED24C}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBNetModule.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B41E623-A4AD-4092-93FE-61642B24BF4A}\InProcServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabProxy.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B55654E-A209-4c26-92C5-ADCFABC024D7}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBNetDict08\CBNetDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B55654E-A209-4c26-92C5-ADCFABC024D8}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBNetDicDict\CBNetDicDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71B1C2DE-117A-49DD-8942-27F819D37F5B}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBDPLayer.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7292A6EC-9BF2-4199-82BC-848F0865DDE4}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDynamicDict\CBDynamicDict.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A16F3AD-B9FC-47da-A4C2-5A77D3D85144}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\KSEngine.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BCF5E5C-892A-4216-8415-E44E83C83CA5}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\addins\CBOfficePlugin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E6401D1-4BCE-4f5f-BC01-EA10700E8DF9}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabProxy.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E9F6322-25D3-4663-8B8E-5021545B2204}\InProcServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDict08\CBDBCore11.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF720B0-9A2D-42f4-88C4-F34AFD8D9517}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDict08\CBDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F2CB498-3D3D-4F99-84AA-EB406DD67560}\InProcServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBPassport.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A256A70A-563F-4651-A103-699F1709F72D}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDynamicDict\CBDynamicDict.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3186C32-DE4B-43ce-A8B0-5D2C620BC114}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDict08\CBDBCore11.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7CD3954-C1B9-4be5-989D-F5674B3A51D4}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBNetModule.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C92BD154-AE46-439c-AD8B-490A28352C28}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBParser.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEBC4EAC-5F6F-421d-B6AE-25CB27AE1538}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\addins\CBOfficePlugin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8BF2AA8-40FE-4e44-882A-B882713E74CD}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDict08\CBDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEEAC485-874B-4b73-A03D-2FA915370A39}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabProxy.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{026CDCE3-F67D-4B3B-88DA-6F65618B6DF4}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBParser.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{15F92880-E273-49B3-AB13-D00FBA390696}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabProxy.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{16DB8C16-BD3F-4DF3-AACA-626DAA667CE3}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\addins\CBOfficePlugin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{16DB8C16-BD3F-4DF3-AACA-626DAA667CE3}\1.0\HELPDIR]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\addins\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{45E61467-9943-4DC8-850E-5B268685EC35}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBDPLayer.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{6C1E40D8-F46C-4912-8B9F-962F47390A2C}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDynamicDict\CBDynamicDict.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{9FEAA50B-ED65-4DC2-820C-F368A8B1AE75}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBDictSvr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{A6E7B9A2-00E9-4593-BABD-C801234EE3B1}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDict08\CBDBCore11.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{A9183391-9780-4BA3-99A2-929B73B0E6B9}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabConnect_x64.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{AB166949-C05C-4076-BB3B-D862ED8A9EF6}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\KSEngine.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{AB814D1C-A799-4C55-BBEA-92BE3CC61595}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\KSNetEngine.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{AC4A755B-DDE8-4004-B089-26AA147D71D9}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDict08\CBDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{C0A6829B-3693-42A4-9F53-4B21569303C6}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBNetModule.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{CF01F816-5E27-4115-A0C9-2EE09A764793}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBNetDict08\CBNetDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{CF01F816-5E27-4115-A0C9-2EE09A764794}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBNetDicDict\CBNetDicDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{D26F7A3C-EEDE-4616-8BF5-8BCB32D92F6E}\1.0\0\win64]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabProxy_x64.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{D26F7A3C-EEDE-4616-8BF5-8BCB32D92F6E}\1.0\HELPDIR]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{DC9CA45D-B76F-416F-87FC-29F1D555D473}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\cache.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{F0ADA6F2-DB41-4F45-AF81-8F883BA0C2E2}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBPassport.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\cngicmmkocjjbmacacmchjhdimdhfgod]
"Path"="C:\Program Files (x86)\Kingsoft\PowerWordDict\plugin\chrome\XDictExtension.crx"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kingsoft\PowerWord09PRO]
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kingsoft\PowerWord09PRO]
"ProductStatistic"="Powerword2009Oxf.25269.4011.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kingsoft\PowerWord10PRO]
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kingsoft\PowerWord10PRO]
"PathName"="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kingsoft\PowerWord10PRO]
"ProductStatistic"="PowerWord2010Oxf_Ultimate.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PowerWord2010]
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PowerWord2010]
"UninstallString"="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Uninstall.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PowerWord2010]
"InstallLocation"="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PowerWord2010]
"DisplayName"="PowerWord2010 Oxford Ultimate"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PowerWord2010]
"DisplayIcon"="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\XDict.exe,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PowerWord2010]
"ProductKey"="PowerWord 2010"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{0BEA698C-5A11-4ed0-932F-9FB522F17A9D}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\addins\CBOfficePlugin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{1D54B514-EA82-411c-BDBD-439152F3258B}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDict08\CBDBCore11.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{219A4CED-000F-4016-AD02-B14DB62F02DB}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBDPLayer.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{22B04A6E-B5BB-4558-9114-46CFF62E0A8A}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBNetModule.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{22FCF7E4-02F4-4c9a-94C0-46249B33A02B}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBNetModule.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{2389B536-2A69-4fa6-A11B-3BC990792E7C}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBNetModule.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{28843C16-21DF-4CDB-81E0-C9A38180EB38}\InProcServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBDPLayer.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{2FFACBA3-5A9E-4848-B47B-1E0DBB044A99}\LocalServer32]
@=""C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBDictSvr.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{32441484-FFAD-4fd6-B806-17DD509424E2}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\cache.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{329E43A0-BD23-40a9-A422-EC31FC07E1C1}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBPassport.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{4EAAA5C6-751B-4EB6-8893-EB9E3FACA3EA}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabProxy.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{5067D11A-A2B1-4372-B473-CAD0AAB83651}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBDPLayer.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{53180315-1929-4219-95A6-1D3E46A5E8A4}\LocalServer32]
@=""C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\NewWord2008.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{589CD46B-16C0-47df-A1E3-A42EAC2D18A7}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBNetDict08\CBNetDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{589CD46B-16C0-47df-A1E3-A42EAC2D18A8}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBNetDicDict\CBNetDicDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{5DA1A305-8193-4b9b-8EF7-09615856B4AE}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\KSNetEngine.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{5FB71C88-078D-4d7e-B887-9D9346619E8E}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\addins\CBOfficePlugin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{6AD17EC0-6D2C-454d-8148-7042425ED24C}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBNetModule.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{6B41E623-A4AD-4092-93FE-61642B24BF4A}\InProcServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabProxy.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{6B55654E-A209-4c26-92C5-ADCFABC024D7}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBNetDict08\CBNetDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{6B55654E-A209-4c26-92C5-ADCFABC024D8}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBNetDicDict\CBNetDicDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{71B1C2DE-117A-49DD-8942-27F819D37F5B}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBDPLayer.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{7292A6EC-9BF2-4199-82BC-848F0865DDE4}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDynamicDict\CBDynamicDict.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{8A16F3AD-B9FC-47da-A4C2-5A77D3D85144}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\KSEngine.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{8BCF5E5C-892A-4216-8415-E44E83C83CA5}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\addins\CBOfficePlugin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{8E6401D1-4BCE-4f5f-BC01-EA10700E8DF9}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabProxy.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{8E9F6322-25D3-4663-8B8E-5021545B2204}\InProcServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDict08\CBDBCore11.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{9AF720B0-9A2D-42f4-88C4-F34AFD8D9517}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDict08\CBDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{9F2CB498-3D3D-4F99-84AA-EB406DD67560}\InProcServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBPassport.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{A256A70A-563F-4651-A103-699F1709F72D}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDynamicDict\CBDynamicDict.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{A3186C32-DE4B-43ce-A8B0-5D2C620BC114}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDict08\CBDBCore11.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{B7CD3954-C1B9-4be5-989D-F5674B3A51D4}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBNetModule.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{C92BD154-AE46-439c-AD8B-490A28352C28}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBParser.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{DEBC4EAC-5F6F-421d-B6AE-25CB27AE1538}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\addins\CBOfficePlugin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{E8BF2AA8-40FE-4e44-882A-B882713E74CD}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDict08\CBDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{EEEAC485-874B-4b73-A03D-2FA915370A39}\InprocServer32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabProxy.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{026CDCE3-F67D-4B3B-88DA-6F65618B6DF4}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBParser.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{15F92880-E273-49B3-AB13-D00FBA390696}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabProxy.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{16DB8C16-BD3F-4DF3-AACA-626DAA667CE3}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\addins\CBOfficePlugin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{16DB8C16-BD3F-4DF3-AACA-626DAA667CE3}\1.0\HELPDIR]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\addins\"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{45E61467-9943-4DC8-850E-5B268685EC35}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBDPLayer.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{6C1E40D8-F46C-4912-8B9F-962F47390A2C}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDynamicDict\CBDynamicDict.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{9FEAA50B-ED65-4DC2-820C-F368A8B1AE75}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBDictSvr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{A6E7B9A2-00E9-4593-BABD-C801234EE3B1}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDict08\CBDBCore11.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{A9183391-9780-4BA3-99A2-929B73B0E6B9}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabConnect_x64.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{AB166949-C05C-4076-BB3B-D862ED8A9EF6}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\KSEngine.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{AB814D1C-A799-4C55-BBEA-92BE3CC61595}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\KSNetEngine.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{AC4A755B-DDE8-4004-B089-26AA147D71D9}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBDict08\CBDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{C0A6829B-3693-42A4-9F53-4B21569303C6}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBNetModule.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{CF01F816-5E27-4115-A0C9-2EE09A764793}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBNetDict08\CBNetDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{CF01F816-5E27-4115-A0C9-2EE09A764794}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\Plugin\CBNetDicDict\CBNetDicDataSet.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{D26F7A3C-EEDE-4616-8BF5-8BCB32D92F6E}\1.0\0\win64]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBGrabProxy_x64.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{D26F7A3C-EEDE-4616-8BF5-8BCB32D92F6E}\1.0\HELPDIR]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{DC9CA45D-B76F-416F-87FC-29F1D555D473}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\cache.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{F0ADA6F2-DB41-4F45-AF81-8F883BA0C2E2}\1.0\0\win32]
@="C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBPassport.dll"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES (X86)\Kingsoft\POWERWORDPE\XDict.exe"="03/09/2011 3:37 PM"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES (X86)\Kingsoft\POWERWORDPE\CBTRANSLATOR.EXE"="03/12/2011 11:13 PM"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES (X86)\Kingsoft\POWERWORD_OXFORD\XDict.exe"="01/12/2013 18:41"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES (X86)\Kingsoft\POWERWORD_OXFORD\CBAPPENDIX.EXE"="01/12/2013 18:41"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\BillP Studios\Detected\Startup]
"C:\PROGRAM FILES (X86)\KINGSOFT\POWERWORDPE\XDICT.EXE"="03/09/2011 3:43 PM"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\BillP Studios\Detected\Startup]
"C:\PROGRAM FILES (X86)\KINGSOFT\POWERWORD_OXFORD\XDICT.EXE"="09/02/2012 15:01"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\BillP Studios\WinPatrol\ActiveRun]
"C:\PROGRAM FILES (X86)\KINGSOFT\POWERWORD_OXFORD\XDICT.EXE"="Kingsoft PowerWord"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\BillP Studios\WinPatrol\Run]
"C:\Program Files (x86)\Kingsoft\PowerWord_Oxford\XDict.exe"="11"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Kingsoft\PowerWord09PRO]
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\39ce5390_0]
@="{0.0.0.00000000}.{d1819e2a-d679-4901-8931-8913a75384e6}|\Device\HarddiskVolume2\Program Files (x86)\Kingsoft\PowerWordPE\XDict.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\7b2047ac_0]
@="{0.0.0.00000000}.{d1819e2a-d679-4901-8931-8913a75384e6}|\Device\HarddiskVolume2\Program Files (x86)\Kingsoft\PowerWord_Oxford\XDict.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\aad49c8f_0]
@="{0.0.0.00000000}.{d1819e2a-d679-4901-8931-8913a75384e6}|\Device\HarddiskVolume2\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\XDict.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\ca2da98d_0]
@="{0.0.0.00000000}.{3d92d249-1337-47a0-be26-743b710cb370}|\Device\HarddiskVolume2\Program Files (x86)\Kingsoft\PowerWordPE\XDict.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"243"="C:\ProgramData\Microsoft\Windows\Start Menu\PowerWord2010 Oxford Ultimate.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\XDict.exe"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"308"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\Data Recover.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\XDictInstall.exe"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"309"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\NewWord.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\NewWord2008.exe"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"310"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\Plug-in Manager.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\PlugInManager.exe"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"311"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\PowerWord2010 Oxford Ultimate.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\XDict.exe"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"312"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\ScrollWord.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\ScrollWord.exe"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"313"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\User Dictionary.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBUserDict.exe"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"390"="C:\ProgramData\Microsoft\Windows\Start Menu\PowerWord2010 Oxford Ultimate.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\XDict.exe"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"455"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\Data Recover.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\XDictInstall.exe"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"456"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\NewWord.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\NewWord2008.exe"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"457"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\Plug-in Manager.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\PlugInManager.exe"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"458"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\PowerWord2010 Oxford Ultimate.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\XDict.exe"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"459"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\ScrollWord.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\ScrollWord.exe"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"460"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate\User Dictionary.lnk C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010\CBUserDict.exe"
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Avg\AWL\PerformanceOptimizer]
"tidx"="visualeffects:menuresponsiveness:1;performance:powerplan:1;visualeffects:QuickInfo:1;unusedprograms:UnusedProgram:M32:2345PIC;"unusedprograms:UnusedProgram:M32:HP PHOTO CREATIONS";unusedprograms:UnusedProgram:M32:INSTALLSHIELD_{01FB4998-33C4-4431-85ED-079E3EEFE75D};unusedprograms:UnusedProgram:M32:INSTALLSHIELD_{B2164CCB-C002-4B80-8550-7535D80DF237};unusedprograms:UnusedProgram:M32:INSTALLSHIELD_{D0956C11-0F60-43FE-99AD-524E833471BB};"unusedprograms:UnusedProgram:M32:LENOVO GAMES CONSOLE";unusedprograms:UnusedProgram:M32:POWERWORD2010;unusedprograms:UnusedProgram:M32:STORMPLAYER;"unusedprograms:UnusedProgram:M32:WISDOM-SOFT AUTOSCREENRECORDER 3.1 FREE";"unusedprograms:UnusedProgram:M32:WISDOM-SOFT SCREENHUNTER 6.0 FREE";unusedprograms:UnusedProgram:M32:YOUKUCLIENT;unusedprograms:UnusedProgram:M32:{40BF1E83-20EB-11D8-97C5-0009C5020658};unusedprograms:Unused
[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Avg\AWL\PerformanceOptimizer]
"tidx"="visualeffects:menuresponsiveness:1;performance:powerplan:1;visualeffects:QuickInfo:1;unusedprograms:UnusedProgram:M32:2345PIC;"unusedprograms:UnusedProgram:M32:HP PHOTO CREATIONS";unusedprograms:UnusedProgram:M32:INSTALLSHIELD_{01FB4998-33C4-4431-85ED-079E3EEFE75D};unusedprograms:UnusedProgram:M32:INSTALLSHIELD_{B2164CCB-C002-4B80-8550-7535D80DF237};unusedprograms:UnusedProgram:M32:INSTALLSHIELD_{D0956C11-0F60-43FE-99AD-524E833471BB};"unusedprograms:UnusedProgram:M32:LENOVO GAMES CONSOLE";unusedprograms:UnusedProgram:M32:POWERWORD2010;unusedprograms:UnusedProgram:M32:STORMPLAYER;"unusedprograms:UnusedProgram:M32:WISDOM-SOFT AUTOSCREENRECORDER 3.1 FREE";"unusedprograms:UnusedProgram:M32:WISDOM-SOFT SCREENHUNTER 6.0 FREE";unusedprograms:UnusedProgram:M32:YOUKUCLIENT;unusedprograms:UnusedProgram:M32:{40BF1E83-20EB-11D8-97C5-0009C5020658};unusedprograms:UnusedProgram:M

-= EOF =-
Old 06-26-2016, 08:15 PM   #17
Registered Member
 
Join Date: Jul 2009
Posts: 34
OS: Winxp SP3



So what should I do with "user.js file in Firefox"?

Thank you for your advice about "other Forums" and "Windows 10 forums." I will try that later.
Old 06-27-2016, 09:17 PM   #18
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, Tom. You're very welcome. This last fix will take care of the user.js file, and other remnants, as well as PowerWord.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad (don't forget to copy and paste REGEDIT4):

Code:
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES (X86)\Kingsoft\POWERWORDPE\XDict.exe"=-

[HKEY_CURRENT_USER\SOFTWARE\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES (X86)\Kingsoft\POWERWORDPE\CBTRANSLATOR.EXE"=-

[HKEY_CURRENT_USER\SOFTWARE\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES (X86)\Kingsoft\POWERWORD_OXFORD\XDict.exe"=-

[HKEY_CURRENT_USER\SOFTWARE\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES (X86)\Kingsoft\POWERWORD_OXFORD\CBAPPENDIX.EXE"=-

[HKEY_CURRENT_USER\SOFTWARE\BillP Studios\Detected\Startup]
"C:\PROGRAM FILES (X86)\KINGSOFT\POWERWORDPE\XDICT.EXE"=-

[HKEY_CURRENT_USER\SOFTWARE\BillP Studios\Detected\Startup]
"C:\PROGRAM FILES (X86)\KINGSOFT\POWERWORD_OXFORD\XDICT.EXE"=-

[HKEY_CURRENT_USER\SOFTWARE\BillP Studios\WinPatrol\ActiveRun]
"C:\PROGRAM FILES (X86)\KINGSOFT\POWERWORD_OXFORD\XDICT.EXE"=-

[HKEY_CURRENT_USER\SOFTWARE\BillP Studios\WinPatrol\Run]
"C:\Program Files (x86)\Kingsoft\PowerWord_Oxford\XDict.exe"=-

[-HKEY_CURRENT_USER\SOFTWARE\Kingsoft\PowerWord09PRO]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\39ce5390_0]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\7b2047ac_0]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\aad49c8f_0]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\ca2da98d_0]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"243"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"308"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"309"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"310"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"311"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"312"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"313"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"390"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"455"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"456"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"457"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"458"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"459"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"460"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E3FC047-4512-40B7-87D1-98B3D17FBC5D}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{504C9986-684A-4D85-AC51-5C570963E23A}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5097E93A-B78C-48C6-AFC3-B3D06B3AFC65}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EC2F061C-B746-40D8-98DD-ED0E99F251B0}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{026CDCE3-F67D-4B3B-88DA-6F65618B6DF4}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{15F92880-E273-49B3-AB13-D00FBA390696}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{16DB8C16-BD3F-4DF3-AACA-626DAA667CE3}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{45E61467-9943-4DC8-850E-5B268685EC35}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6C1E40D8-F46C-4912-8B9F-962F47390A2C}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9FEAA50B-ED65-4DC2-820C-F368A8B1AE75}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A6E7B9A2-00E9-4593-BABD-C801234EE3B1}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A9183391-9780-4BA3-99A2-929B73B0E6B9}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AB166949-C05C-4076-BB3B-D862ED8A9EF6}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AB814D1C-A799-4C55-BBEA-92BE3CC61595}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AC4A755B-DDE8-4004-B089-26AA147D71D9}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C0A6829B-3693-42A4-9F53-4B21569303C6}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CF01F816-5E27-4115-A0C9-2EE09A764793}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CF01F816-5E27-4115-A0C9-2EE09A764794}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D26F7A3C-EEDE-4616-8BF5-8BCB32D92F6E}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D26F7A3C-EEDE-4616-8BF5-8BCB32D92F6E}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DC9CA45D-B76F-416F-87FC-29F1D555D473}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F0ADA6F2-DB41-4F45-AF81-8F883BA0C2E2}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BEA698C-5A11-4ed0-932F-9FB522F17A9D}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D54B514-EA82-411c-BDBD-439152F3258B}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{219A4CED-000F-4016-AD02-B14DB62F02DB}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22B04A6E-B5BB-4558-9114-46CFF62E0A8A}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22FCF7E4-02F4-4c9a-94C0-46249B33A02B}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2389B536-2A69-4fa6-A11B-3BC990792E7C}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28843C16-21DF-4CDB-81E0-C9A38180EB38}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2FFACBA3-5A9E-4848-B47B-1E0DBB044A99}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32441484-FFAD-4fd6-B806-17DD509424E2}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{329E43A0-BD23-40a9-A422-EC31FC07E1C1}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EAAA5C6-751B-4EB6-8893-EB9E3FACA3EA}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5067D11A-A2B1-4372-B473-CAD0AAB83651}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53180315-1929-4219-95A6-1D3E46A5E8A4}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{589CD46B-16C0-47df-A1E3-A42EAC2D18A7}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{589CD46B-16C0-47df-A1E3-A42EAC2D18A8}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA1A305-8193-4b9b-8EF7-09615856B4AE}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FB71C88-078D-4d7e-B887-9D9346619E8E}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AD17EC0-6D2C-454d-8148-7042425ED24C}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B41E623-A4AD-4092-93FE-61642B24BF4A}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B55654E-A209-4c26-92C5-ADCFABC024D7}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B55654E-A209-4c26-92C5-ADCFABC024D8}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71B1C2DE-117A-49DD-8942-27F819D37F5B}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7292A6EC-9BF2-4199-82BC-848F0865DDE4}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A16F3AD-B9FC-47da-A4C2-5A77D3D85144}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BCF5E5C-892A-4216-8415-E44E83C83CA5}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E6401D1-4BCE-4f5f-BC01-EA10700E8DF9}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E9F6322-25D3-4663-8B8E-5021545B2204}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF720B0-9A2D-42f4-88C4-F34AFD8D9517}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F2CB498-3D3D-4F99-84AA-EB406DD67560}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A256A70A-563F-4651-A103-699F1709F72D}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3186C32-DE4B-43ce-A8B0-5D2C620BC114}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7CD3954-C1B9-4be5-989D-F5674B3A51D4}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C92BD154-AE46-439c-AD8B-490A28352C28}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEBC4EAC-5F6F-421d-B6AE-25CB27AE1538}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8BF2AA8-40FE-4e44-882A-B882713E74CD}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEEAC485-874B-4b73-A03D-2FA915370A39}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{026CDCE3-F67D-4B3B-88DA-6F65618B6DF4}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{15F92880-E273-49B3-AB13-D00FBA390696}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{16DB8C16-BD3F-4DF3-AACA-626DAA667CE3}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{45E61467-9943-4DC8-850E-5B268685EC35}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{6C1E40D8-F46C-4912-8B9F-962F47390A2C}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{9FEAA50B-ED65-4DC2-820C-F368A8B1AE75}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{A6E7B9A2-00E9-4593-BABD-C801234EE3B1}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{A9183391-9780-4BA3-99A2-929B73B0E6B9}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{AB166949-C05C-4076-BB3B-D862ED8A9EF6}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{AB814D1C-A799-4C55-BBEA-92BE3CC61595}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{AC4A755B-DDE8-4004-B089-26AA147D71D9}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{C0A6829B-3693-42A4-9F53-4B21569303C6}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{CF01F816-5E27-4115-A0C9-2EE09A764793}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{CF01F816-5E27-4115-A0C9-2EE09A764794}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{D26F7A3C-EEDE-4616-8BF5-8BCB32D92F6E}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{D26F7A3C-EEDE-4616-8BF5-8BCB32D92F6E}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{DC9CA45D-B76F-416F-87FC-29F1D555D473}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{F0ADA6F2-DB41-4F45-AF81-8F883BA0C2E2}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\cngicmmkocjjbmacacmchjhdimdhfgod]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kingsoft\PowerWord09PRO]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kingsoft\PowerWord10PRO]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PowerWord2010]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{0BEA698C-5A11-4ed0-932F-9FB522F17A9D}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{1D54B514-EA82-411c-BDBD-439152F3258B}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{219A4CED-000F-4016-AD02-B14DB62F02DB}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{22B04A6E-B5BB-4558-9114-46CFF62E0A8A}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{22FCF7E4-02F4-4c9a-94C0-46249B33A02B}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{2389B536-2A69-4fa6-A11B-3BC990792E7C}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{28843C16-21DF-4CDB-81E0-C9A38180EB38}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{2FFACBA3-5A9E-4848-B47B-1E0DBB044A99}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{32441484-FFAD-4fd6-B806-17DD509424E2}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{329E43A0-BD23-40a9-A422-EC31FC07E1C1}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{4EAAA5C6-751B-4EB6-8893-EB9E3FACA3EA}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{5067D11A-A2B1-4372-B473-CAD0AAB83651}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{53180315-1929-4219-95A6-1D3E46A5E8A4}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{589CD46B-16C0-47df-A1E3-A42EAC2D18A7}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{589CD46B-16C0-47df-A1E3-A42EAC2D18A8}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{5DA1A305-8193-4b9b-8EF7-09615856B4AE}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{5FB71C88-078D-4d7e-B887-9D9346619E8E}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{6AD17EC0-6D2C-454d-8148-7042425ED24C}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{6B41E623-A4AD-4092-93FE-61642B24BF4A}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{6B55654E-A209-4c26-92C5-ADCFABC024D7}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{6B55654E-A209-4c26-92C5-ADCFABC024D8}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{71B1C2DE-117A-49DD-8942-27F819D37F5B}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{7292A6EC-9BF2-4199-82BC-848F0865DDE4}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{8A16F3AD-B9FC-47da-A4C2-5A77D3D85144}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{8BCF5E5C-892A-4216-8415-E44E83C83CA5}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{8E6401D1-4BCE-4f5f-BC01-EA10700E8DF9}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{8E9F6322-25D3-4663-8B8E-5021545B2204}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{9AF720B0-9A2D-42f4-88C4-F34AFD8D9517}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{9F2CB498-3D3D-4F99-84AA-EB406DD67560}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{A256A70A-563F-4651-A103-699F1709F72D}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{A3186C32-DE4B-43ce-A8B0-5D2C620BC114}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{B7CD3954-C1B9-4be5-989D-F5674B3A51D4}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{C92BD154-AE46-439c-AD8B-490A28352C28}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{DEBC4EAC-5F6F-421d-B6AE-25CB27AE1538}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{E8BF2AA8-40FE-4e44-882A-B882713E74CD}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{EEEAC485-874B-4b73-A03D-2FA915370A39}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{026CDCE3-F67D-4B3B-88DA-6F65618B6DF4}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{15F92880-E273-49B3-AB13-D00FBA390696}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{16DB8C16-BD3F-4DF3-AACA-626DAA667CE3}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{45E61467-9943-4DC8-850E-5B268685EC35}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{6C1E40D8-F46C-4912-8B9F-962F47390A2C}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{9FEAA50B-ED65-4DC2-820C-F368A8B1AE75}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{A6E7B9A2-00E9-4593-BABD-C801234EE3B1}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{A9183391-9780-4BA3-99A2-929B73B0E6B9}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{AB166949-C05C-4076-BB3B-D862ED8A9EF6}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{AB814D1C-A799-4C55-BBEA-92BE3CC61595}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{AC4A755B-DDE8-4004-B089-26AA147D71D9}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{C0A6829B-3693-42A4-9F53-4B21569303C6}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{CF01F816-5E27-4115-A0C9-2EE09A764793}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{CF01F816-5E27-4115-A0C9-2EE09A764794}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{D26F7A3C-EEDE-4616-8BF5-8BCB32D92F6E}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{DC9CA45D-B76F-416F-87FC-29F1D555D473}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{F0ADA6F2-DB41-4F45-AF81-8F883BA0C2E2}]

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES (X86)\Kingsoft\POWERWORDPE\XDict.exe"=-

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES (X86)\Kingsoft\POWERWORDPE\CBTRANSLATOR.EXE"=-

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES (X86)\Kingsoft\POWERWORD_OXFORD\XDict.exe"=-

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\BillP Studios\Detected\ActiveTasks]
"C:\PROGRAM FILES (X86)\Kingsoft\POWERWORD_OXFORD\CBAPPENDIX.EXE"=-

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\BillP Studios\Detected\Startup]
"C:\PROGRAM FILES (X86)\KINGSOFT\POWERWORDPE\XDICT.EXE"=-

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\BillP Studios\Detected\Startup]
"C:\PROGRAM FILES (X86)\KINGSOFT\POWERWORD_OXFORD\XDICT.EXE"=-

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\BillP Studios\WinPatrol\ActiveRun]
"C:\PROGRAM FILES (X86)\KINGSOFT\POWERWORD_OXFORD\XDICT.EXE"=-

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\BillP Studios\WinPatrol\Run]
"C:\Program Files (x86)\Kingsoft\PowerWord_Oxford\XDict.exe"=-

[-HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Kingsoft\PowerWord09PRO]

[-HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\39ce5390_0]

[-HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\7b2047ac_0]

[-HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\aad49c8f_0]

[-HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\ca2da98d_0]

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"243"=-

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"308"=-

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"309"=-

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"310"=-

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"311"=-

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"312"=-

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"313"=-

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"390"=-

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"455"=-

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"456"=-

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"457"=-

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"458"=-

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"459"=-

[HKEY_USERS\S-1-5-21-2219305202-884981724-1261442642-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC]
"460"=-

Save the file as fix.reg, choose Save as type: All Files, then close the Notepad file.

Double-click on fix.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

------------------------------------------------------
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe
  • If asked to change 'Encoding:' to 'Unicode:', please agree and save it.

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    TuneUp Utilities Language Pack (zh-CN) (x32 Version: 13.0.2020.135 - TuneUp Software) Hidden
    FirewallRules: [TCP Query User{F827F584-8723-431B-86E6-1CA7A58BC3A0}C:\users\rusheng\appdata\local\temp\sgpyup.exe] => (Block) C:\users\rusheng\appdata\local\temp\sgpyup.exe
    FirewallRules: [UDP Query User{E556A60B-4325-490E-B448-BA0B3436E0B5}C:\users\rusheng\appdata\local\temp\sgpyup.exe] => (Block) C:\users\rusheng\appdata\local\temp\sgpyup.exe
    FirewallRules: [{3B80B404-15AA-4F65-876B-CC95EDC0BB89}] => (Allow) C:\Users\Rusheng\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{67A38327-9680-402F-A6C3-303041CCD3E0}] => (Allow) C:\Users\Rusheng\AppData\Roaming\uTorrent\uTorrent.exe
    (IObit) C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
    (IObit) C:\Program Files (x86)\IObit\Advanced SystemCare\Monitor.exe
    (IObit) C:\Program Files (x86)\IObit\Advanced SystemCare\ASCTray.exe
    HKU\S-1-5-21-2219305202-884981724-1261442642-1001\...\Run: [Advanced SystemCare 9] => C:\Program Files (x86)\IObit\Advanced SystemCare\ASCTray.exe [2010912 2015-11-06] (IObit)
    FF user.js: detected! => C:\Users\Rusheng\AppData\Roaming\Mozilla\Firefox\Profiles\oqev575i.default-1394995071787\user.js [2016-06-21]
    FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\Kingsoft\PowerWordDict\plugin\firefox => not found
    CHR HKLM-x32\...\Chrome\Extension: [cngicmmkocjjbmacacmchjhdimdhfgod] - C:\Program Files (x86)\Kingsoft\PowerWordDict\plugin\chrome\XDictExtension.crx <not found>
    R2 AdvancedSystemCareService9; C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe [827680 2015-11-04] (IObit)
    U3 idsvc; no ImagePath
    2016-05-27 17:02 - 2016-06-21 07:13 - 00000000 ____D C:\ProgramData\ProductData
    2016-05-27 17:02 - 2016-05-27 17:02 - 00000000 ____D C:\Users\Rusheng\AppData\Roaming\ProductData
    2016-05-27 17:01 - 2016-05-27 17:01 - 00000000 ____D C:\ProgramData\{FD6F83C0-EC70-4581-8361-C70CD1AA4B98}
    2016-05-27 17:00 - 2016-06-20 22:18 - 00000264 _____ C:\WINDOWS\Tasks\ASC9_SkipUac_Rusheng.job
    2016-05-27 17:00 - 2016-05-27 17:03 - 00000000 ____D C:\Users\Rusheng\AppData\LocalLow\IObit
    2016-05-27 17:00 - 2016-05-27 17:01 - 00003312 _____ C:\WINDOWS\System32\Tasks\ASC9_PerformanceMonitor
    2016-05-27 17:00 - 2016-05-27 17:00 - 00002444 _____ C:\WINDOWS\System32\Tasks\ASC9_SkipUac_Rusheng
    2016-05-27 17:00 - 2016-05-27 17:00 - 00000000 ____D C:\WINDOWS\Tasks\ImCleanDisabled
    2016-05-27 16:59 - 2016-05-27 16:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare
    2016-05-27 14:12 - 2016-05-27 14:12 - 00000000 ____D C:\Users\Rusheng\Downloads\advanced-systemcare-setup9
    2016-06-09 16:57 - 2014-12-27 04:08 - 00000000 ____D C:\Users\Rusheng\AppData\Roaming\uTorrent
    C:\Program Files (x86)\Kingsoft\PowerWordDict
    C:\Program Files (x86)\IObit\Advanced SystemCare
    C:\Program Files (x86)\Kingsoft\PowerWord_Oxford
    C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010
    C:\ProgramData\kingsoft\PowerWord
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate
    C:\Users\All Users\kingsoft\PowerWord
    C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate
    C:\Users\Rusheng\AppData\Local\VirtualStore\ProgramData\kingsoft\PowerWord
    C:\Users\Rusheng\AppData\Roaming\kingsoft\PowerWord
    C:\Users\Rusheng\AppData\Roaming\kingsoft\PowerWordPE
    EmptyTemp:
    end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
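
A pre-merge check for a hand-written removal script like the fix.reg above, as an added example that is not part of the thread or of any tool named in it: it flags a `[-key]` header that is followed by value lines (that header removes the whole key, not one value), GUID braces that do not balance, and keys deleted twice. The function name, the finding codes, and the ExampleVendor keys and GUIDs in the sample are constructed for illustration.

```python
# Lint a REGEDIT4 / Version 5.00 script before merging it into the registry.
# Added example: names, finding codes and the sample script are constructed.

HIVES = {"HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
HEADERS = {"REGEDIT4", "Windows Registry Editor Version 5.00"}


def lint_reg(text):
    """Return a list of (line_number, code, message) findings."""
    findings = []
    header_seen = False
    continuation = False   # inside a multi-line value (previous line ended in '\')
    current = None         # (path, is_key_delete) for the section being read
    deleted = {}           # upper-cased key path -> line of its first [-key] header

    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if continuation:
            continuation = line.endswith("\\")
            continue
        if not line or line.startswith(";"):
            continue  # blank line or comment

        if not header_seen:
            header_seen = True
            if line in HEADERS:
                continue
            findings.append((n, "no-header",
                             "first line is not a .reg file header"))

        if line.startswith("["):
            if not line.endswith("]"):
                findings.append((n, "bad-section",
                                 "section header has no closing ']'"))
                current = None
                continue
            body = line[1:-1]
            is_delete = body.startswith("-")
            path = body[1:] if is_delete else body
            if path.split("\\", 1)[0].upper() not in HIVES:
                findings.append((n, "bad-hive", "unknown root key"))
            if path.count("{") != path.count("}"):
                findings.append((n, "brace-mismatch",
                                 "GUID braces do not balance; the key named "
                                 "here is not the one intended"))
            if is_delete:
                first = deleted.setdefault(path.upper(), n)
                if first != n:
                    findings.append((n, "duplicate-delete",
                                     f"key already deleted on line {first}"))
            current = (path, is_delete)
        elif line.startswith(('"', "@")) and "=" in line:
            continuation = line.endswith("\\")
            if current is None:
                findings.append((n, "orphan-value",
                                 "value line appears before any key header"))
            elif current[1]:
                findings.append((n, "value-under-key-delete",
                                 "header '[-key]' removes the whole key; "
                                 "drop the '-' to remove only this value"))
        else:
            findings.append((n, "unparsed", "line is neither header nor value"))
    return findings


# Constructed sample with three mistakes (lines 7, 9 and 13).
SAMPLE = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\ExampleVendor\Run]
"C:\Program Files (x86)\ExampleVendor\tool.exe"=-

[-HKEY_CURRENT_USER\SOFTWARE\ExampleVendor\Shortcuts]
"243"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{11111111-2222-3333-4444-555555555555]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"""

if __name__ == "__main__":
    for lineno, code, message in lint_reg(SAMPLE):
        print(f"line {lineno}: {code}: {message}")
```
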
Old 06-28-2016, 11:17 PM   #19
Registered Member
 
Join Date: Jul 2009
Posts: 34
OS: Winxp SP3



Fix result of Farbar Recovery Scan Tool (x64) Version: 28-06-2016
Ran by Rusheng (2016-06-28 22:53:08) Run:2
Running from C:\Users\Rusheng\Downloads
Loaded Profiles: Rusheng (Available Profiles: Rusheng & Administrator & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
createrestorepoint:
TuneUp Utilities Language Pack (zh-CN) (x32 Version: 13.0.2020.135 - TuneUp Software) Hidden
FirewallRules: [TCP Query User{F827F584-8723-431B-86E6-1CA7A58BC3A0}C:\users\rusheng\appdata\local\temp\sgpyup.exe] => (Block) C:\users\rusheng\appdata\local\temp\sgpyup.exe
FirewallRules: [UDP Query User{E556A60B-4325-490E-B448-BA0B3436E0B5}C:\users\rusheng\appdata\local\temp\sgpyup.exe] => (Block) C:\users\rusheng\appdata\local\temp\sgpyup.exe
FirewallRules: [{3B80B404-15AA-4F65-876B-CC95EDC0BB89}] => (Allow) C:\Users\Rusheng\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{67A38327-9680-402F-A6C3-303041CCD3E0}] => (Allow) C:\Users\Rusheng\AppData\Roaming\uTorrent\uTorrent.exe
(IObit) C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
(IObit) C:\Program Files (x86)\IObit\Advanced SystemCare\Monitor.exe
(IObit) C:\Program Files (x86)\IObit\Advanced SystemCare\ASCTray.exe
HKU\S-1-5-21-2219305202-884981724-1261442642-1001\...\Run: [Advanced SystemCare 9] => C:\Program Files (x86)\IObit\Advanced SystemCare\ASCTray.exe [2010912 2015-11-06] (IObit)
FF user.js: detected! => C:\Users\Rusheng\AppData\Roaming\Mozilla\Firefox\Profiles\oqev575i.default-1394995071787\user.js [2016-06-21]
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\Kingsoft\PowerWordDict\plugin\firefox => not found
CHR HKLM-x32\...\Chrome\Extension: [cngicmmkocjjbmacacmchjhdimdhfgod] - C:\Program Files (x86)\Kingsoft\PowerWordDict\plugin\chrome\XDictExtension.crx <not found>
R2 AdvancedSystemCareService9; C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe [827680 2015-11-04] (IObit)
U3 idsvc; no ImagePath
2016-05-27 17:02 - 2016-06-21 07:13 - 00000000 ____D C:\ProgramData\ProductData
2016-05-27 17:02 - 2016-05-27 17:02 - 00000000 ____D C:\Users\Rusheng\AppData\Roaming\ProductData
2016-05-27 17:01 - 2016-05-27 17:01 - 00000000 ____D C:\ProgramData\{FD6F83C0-EC70-4581-8361-C70CD1AA4B98}
2016-05-27 17:00 - 2016-06-20 22:18 - 00000264 _____ C:\WINDOWS\Tasks\ASC9_SkipUac_Rusheng.job
2016-05-27 17:00 - 2016-05-27 17:03 - 00000000 ____D C:\Users\Rusheng\AppData\LocalLow\IObit
2016-05-27 17:00 - 2016-05-27 17:01 - 00003312 _____ C:\WINDOWS\System32\Tasks\ASC9_PerformanceMonitor
2016-05-27 17:00 - 2016-05-27 17:00 - 00002444 _____ C:\WINDOWS\System32\Tasks\ASC9_SkipUac_Rusheng
2016-05-27 17:00 - 2016-05-27 17:00 - 00000000 ____D C:\WINDOWS\Tasks\ImCleanDisabled
2016-05-27 16:59 - 2016-05-27 16:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare
2016-05-27 14:12 - 2016-05-27 14:12 - 00000000 ____D C:\Users\Rusheng\Downloads\advanced-systemcare-setup9
2016-06-09 16:57 - 2014-12-27 04:08 - 00000000 ____D C:\Users\Rusheng\AppData\Roaming\uTorrent
C:\Program Files (x86)\Kingsoft\PowerWordDict
C:\Program Files (x86)\IObit\Advanced SystemCare
C:\Program Files (x86)\Kingsoft\PowerWord_Oxford
C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010
C:\ProgramData\kingsoft\PowerWord
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate
C:\Users\All Users\kingsoft\PowerWord
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate
C:\Users\Rusheng\AppData\Local\VirtualStore\ProgramData\kingsoft\PowerWord
C:\Users\Rusheng\AppData\Roaming\kingsoft\PowerWord
C:\Users\Rusheng\AppData\Roaming\kingsoft\PowerWordPE
EmptyTemp:
end
*****************

Error: (0) Failed to create a restore point.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\\SystemComponent => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{F827F584-8723-431B-86E6-1CA7A58BC3A0}C:\users\rusheng\appdata\local\temp\sgpyup.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{E556A60B-4325-490E-B448-BA0B3436E0B5}C:\users\rusheng\appdata\local\temp\sgpyup.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3B80B404-15AA-4F65-876B-CC95EDC0BB89} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{67A38327-9680-402F-A6C3-303041CCD3E0} => value not found.
C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe => No running process found
C:\Program Files (x86)\IObit\Advanced SystemCare\Monitor.exe => No running process found
C:\Program Files (x86)\IObit\Advanced SystemCare\ASCTray.exe => No running process found
HKU\S-1-5-21-2219305202-884981724-1261442642-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Advanced SystemCare 9 => value not found.
C:\Users\Rusheng\AppData\Roaming\Mozilla\Firefox\Profiles\oqev575i.default-1394995071787\user.js => moved successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\[email protected] => value not found.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\cngicmmkocjjbmacacmchjhdimdhfgod => key not found.
AdvancedSystemCareService9 => service not found.
idsvc => service removed successfully
C:\ProgramData\ProductData => moved successfully
C:\Users\Rusheng\AppData\Roaming\ProductData => moved successfully
C:\ProgramData\{FD6F83C0-EC70-4581-8361-C70CD1AA4B98} => moved successfully
"C:\WINDOWS\Tasks\ASC9_SkipUac_Rusheng.job" => not found.
C:\Users\Rusheng\AppData\LocalLow\IObit => moved successfully
"C:\WINDOWS\System32\Tasks\ASC9_PerformanceMonitor" => not found.
"C:\WINDOWS\System32\Tasks\ASC9_SkipUac_Rusheng" => not found.
C:\WINDOWS\Tasks\ImCleanDisabled => moved successfully
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare" => not found.
C:\Users\Rusheng\Downloads\advanced-systemcare-setup9 => moved successfully
"C:\Users\Rusheng\AppData\Roaming\uTorrent" => not found.
"C:\Program Files (x86)\Kingsoft\PowerWordDict" => not found.
"C:\Program Files (x86)\IObit\Advanced SystemCare" => not found.
C:\Program Files (x86)\Kingsoft\PowerWord_Oxford => moved successfully
C:\Program Files (x86)\Kingsoft\PowerWord_Oxford2010 => moved successfully
C:\ProgramData\kingsoft\PowerWord => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate => moved successfully
"C:\Users\All Users\kingsoft\PowerWord" => not found.
"C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\PowerWord2010 Oxford Ultimate" => not found.
C:\Users\Rusheng\AppData\Local\VirtualStore\ProgramData\kingsoft\PowerWord => moved successfully
C:\Users\Rusheng\AppData\Roaming\kingsoft\PowerWord => moved successfully
C:\Users\Rusheng\AppData\Roaming\kingsoft\PowerWordPE => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 583648 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 1097064 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 4975167 B
Edge => 0 B
Chrome => 20948019 B
Firefox => 8739943 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 28859846 B
NetworkService => 0 B
Rusheng => 450439 B
Administrator => 0 B
DefaultAppPool => 0 B

RecycleBin => 13928026 B
EmptyTemp: => 75.9 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 22:57:14 ====
Tom_q2356 is offline  
Old 06-28-2016, 11:22 PM   #20
Registered Member
 
Join Date: Jul 2009
Posts: 34
OS: Winxp SP3



Thanks very much, Chemist! So it looks like I'm going to go to a different forum soon for further fixing. I hope you can be there to check on me every once in a while, perhaps things will go more smoothly too. :)
Tom_q2356 is offline  
 
